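/**
 * In this case, we have an app whose cert appears valid, but Mallory
 * has tried to swap out the CRL (so that she can replay revoked certs).
 *
 * Setup: the app cert is signed by the trusted CA, but the CRL handed to the
 * validator is signed by a CRL distributor whose own cert chains to a separate
 * "Mallory" CA that is not the trust root. The validator must reject the CRL
 * distributor rather than accept a revocation list from outside the trust
 * root; otherwise whoever controls the CRL could hide revocations.
 *
 * Expects DefaultCertificateValidator::validateCert() to throw
 * InvalidCertException with a message matching
 * "CRL distributor has an invalid certificate".
 */
public function testCRL_SignedByUnknownDist()
{
    // create CA
    $caKeyPairPems = KeyPair::create();
    $caCertPem = CA::create($caKeyPairPems, '/O=test');
    $this->assertNotEmpty($caCertPem);

    // create malloryCA
    $malloryCaKeyPairPems = KeyPair::create();
    $malloryCaCertPem = CA::create($malloryCaKeyPairPems, '/O=test');
    // Fix: the original re-asserted $caCertPem here (copy/paste); the value
    // this step produces is the Mallory CA cert, so that is what we check.
    $this->assertNotEmpty($malloryCaCertPem);

    // create CRL dist authority - signed by malloryCA
    $crlDistKeyPairPems = KeyPair::create();
    $crlDistCertPem = CA::signCSR(
        $malloryCaKeyPairPems,
        $malloryCaCertPem,
        CA::createCrlDistCSR($crlDistKeyPairPems, '/O=test')
    );
    $this->assertNotEmpty($crlDistCertPem);

    // create CRL - ultimately authorized on malloryCA
    // NOTE(review): loadCert() receives the trusted $caCertPem as its third
    // argument although the dist cert was issued by malloryCA; presumably this
    // only attaches a CA object and does not validate the chain - confirm
    // against X509Util.
    $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
    $this->assertNotEmpty($crlDistCertObj);
    $crlObj = new \File_X509();
    $crlObj->setSerialNumber(1, 10);
    $crlObj->setEndDate('+2 days');
    $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
    $this->assertNotEmpty($crlPem);
    $crlObj->loadCRL($crlPem);

    // create cert - issued by the trusted CA, so the cert itself is not the problem
    $appKeyPair = KeyPair::create();
    $appCertPem = CA::signCSR(
        $caKeyPairPems,
        $caCertPem,
        CA::createAppCSR($appKeyPair, '/O=Application Provider'),
        4321
    );

    // check for exception: the validator gets the trusted CA, the rogue CRL
    // distributor cert and the CRL it signed; it must refuse the distributor
    // instead of trusting the CRL.
    try {
        $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
        $certValidator->validateCert($appCertPem);
        $this->fail('Expected InvalidCertException, but no exception was reported.');
    } catch (InvalidCertException $e) {
        // assertRegExp is deprecated in newer PHPUnit releases
        // (assertMatchesRegularExpression); kept because the suite's PHPUnit
        // version is not visible from this file.
        $this->assertRegExp('/CRL distributor has an invalid certificate/', $e->getMessage());
    }
}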