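 /**
  * In this case, we have an app whose cert appears valid, but Mallory
  * has tried to swap out the CRL (so that she can replay revoked certs).
  *
  * The CRL distributor's certificate is issued by Mallory's CA, not by the
  * CA the validator trusts, so validation must fail on the distributor's
  * certificate before any revocation data from the CRL is consulted.
  * Expects InvalidCertException whose message mentions the CRL distributor.
  */
 public function testCRL_SignedByUnknownDist()
 {
     // create CA (this is the only CA the validator is told to trust)
     $caKeyPairPems = KeyPair::create();
     $caCertPem = CA::create($caKeyPairPems, '/O=test');
     $this->assertNotEmpty($caCertPem);
     // create malloryCA - same subject as the trusted CA, but a freshly created key pair
     $malloryCaKeyPairPems = KeyPair::create();
     $malloryCaCertPem = CA::create($malloryCaKeyPairPems, '/O=test');
     // Fixed: previously re-asserted $caCertPem here, so Mallory's cert was never checked.
     $this->assertNotEmpty($malloryCaCertPem);
     // create CRL dist authority - signed by malloryCA
     $crlDistKeyPairPems = KeyPair::create();
     $crlDistCertPem = CA::signCSR($malloryCaKeyPairPems, $malloryCaCertPem, CA::createCrlDistCSR($crlDistKeyPairPems, '/O=test'));
     $this->assertNotEmpty($crlDistCertPem);
     // create CRL - ultimately authorized on malloryCA
     $crlDistCertObj = X509Util::loadCert($crlDistCertPem, $crlDistKeyPairPems, $caCertPem);
     $this->assertNotEmpty($crlDistCertObj);
     $crlObj = new \File_X509();
     $crlObj->setSerialNumber(1, 10);
     // short-lived CRL; only needs to be unexpired for the duration of this test
     $crlObj->setEndDate('+2 days');
     $crlPem = $crlObj->saveCRL($crlObj->signCRL($crlDistCertObj, $crlObj));
     $this->assertNotEmpty($crlPem);
     $crlObj->loadCRL($crlPem);
     // create cert - issued by the trusted CA, so the app cert itself is fine
     $appKeyPair = KeyPair::create();
     $appCertPem = CA::signCSR($caKeyPairPems, $caCertPem, CA::createAppCSR($appKeyPair, '/O=Application Provider'), 4321);
     // check for exception - the untrusted distributor, not the app cert, must be what fails
     try {
         $certValidator = new DefaultCertificateValidator($caCertPem, $crlDistCertPem, $crlPem);
         $certValidator->validateCert($appCertPem);
         $this->fail('Expected InvalidCertException, but no exception was reported.');
     } catch (InvalidCertException $e) {
         $this->assertRegExp('/CRL distributor has an invalid certificate/', $e->getMessage());
     }
 }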