From 6b109c52b57b057a760c7753082d438ec925ac47 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Thu, 24 Aug 2023 08:59:29 -0400
Subject: [PATCH] tests: fix webpki CRL test.
Previously the `test_crl` fn generated a certificate revocation list that had a revoked certificate entry with the serial number `0xC0FFEE` - this constant has a binary representation of `110000001111111111101110`, where the MSB is 1. This makes the serial number negative, in contradiction to RFC 5280's requirements for serial numbers. The Yasna-based encoder that rcgen uses for emitting the serial number accounted for this by prepending 0x00 automatically. This should have resulted in a failure to find the literal serial `0xC0FFEE` in the webpki CRL, except that webpki was incorrectly canonicalizing the serial number for the CRL representation, meaning the `0x00C0FFEE` serial emitted by rcgen was stored as `0xC0FFEE`, matching our lookup and allowing the test to pass. In Webpki v0.101.2 we removed the inappropriate canonicalization, meaning the rcgen emitted serial of `0x00C0FFEE` was stored as-is, and a lookup for `0xC0FFEE` no longer found a revoked certificate, making the test fail. This commit fixes the above by explicitly using `0x00C0FFEE` as the serial number used for encoding of the revoked certificate's serial, and the lookup operation.
---
 tests/util.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/util.rs b/tests/util.rs
index c8f1ebad..6c4ca298 100644
--- a/tests/util.rs
+++ b/tests/util.rs
@@ -82,7 +82,7 @@ pub fn test_crl() -> (CertificateRevocationList, Certificate) {
 let now = OffsetDateTime::now_utc();
 let next_week = now + Duration::weeks(1);
 let revoked_cert = RevokedCertParams{
- serial_number: SerialNumber::from_slice(&[0xC0, 0xFF, 0xEE]),
+ serial_number: SerialNumber::from_slice(&[0x00, 0xC0, 0xFF, 0xEE]),
 revocation_time: now,
 reason_code: Some(RevocationReason::KeyCompromise),
 invalidity_date: None,
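Review bot: The new `serial_number` line in `RevokedCertParams` has no comment explaining the leading `0x00`, so the byte reads as redundant padding that a later cleanup could drop. I would put `// Leading 0x00 keeps the DER INTEGER positive (RFC 5280); webpki >= 0.101.2 matches the serial bytes as encoded, without canonicalizing.` directly above it. As the commit message describes, a mismatch between the encoded and the looked-up serial shows up as "no revoked certificate found", so the exact bytes decide whether the revocation check in this test means anything. The lookup side is not visible in this hunk; if it spells the bytes out separately, a shared constant would keep the two from drifting apart. `test_crl` begins above the hunk and continues past its last line.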