Esempio n. 1
0
 /**
  * In this case, we have an app whose $appCertPem appears valid, and we have CRL
  * whose $crlDistCertPem is signed, but the $crlDistCertPem has usage rules
  * which do not allow signing CRLs.
  */
 public function testCRL_SignedByNonDist()
 {
     // create CA
     $caKeyPairPems = KeyPair::create();
     $caCertPem = CA::create($caKeyPairPems, '/O=test');
     $this->assertNotEmpty($caCertPem);
     // create would-be CRL dist authority -- but not really authorized for signing CRLs.
     // note createCSR() instead of createCrlDistCSR().
     $crlDistKeyPairPems = KeyPair::create();
     $crlDistCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($crlDistKeyPairPems, '/O=test'));
     $this->assertNotEmpty($crlDistCertPem);
     $certValidator = new DefaultCertificateValidator($caCertPem, NULL, NULL);
     $certValidator->validateCert($crlDistCertPem);
     // create CRL
     $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
     $this->assertNotEmpty($crlDistCertObj);
     $crlObj = new \File_X509();
     $crlObj->setSerialNumber(1, 10);
     $crlObj->setEndDate('+2 days');
     $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
     $this->assertNotEmpty($crlPem);
     $crlObj->loadCRL($crlPem);
     // create cert
     $appKeyPair = KeyPair::create();
     $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321);
     // validate cert - fails due to improper CRL
     try {
         $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
         $certValidator->validateCert($appCertPem);
         $this->fail('Expected InvalidCertException, but no exception was reported.');
     } catch (InvalidCertException $e) {
         $this->assertRegExp('/CRL-signing certificate is not a CRL-signing certificate/', $e->getMessage());
     }
 }