
I have written some code for testing if a certificate has been revoked. It works, but now I have to write a unit test for it.

Is there a way for me to add a new line to my CRL on the client side, in order to break it on purpose to show that it would fail?

MickeyThreeSheds

1 Answer


If you modify a CRL, you will break the signature; the CRL becomes invalid and won't be useful for your test case.

If you are using an external certificate authority, you can request a set of test certificates. Usually CAs provide them. If not, you can generate your own CA and CRL with OpenSSL. See Howto: Make Your Own Cert And Revocation List With OpenSSL

pedrofb
  • Is there a way for me to get all of the revoked serials as an array of strings? – MickeyThreeSheds Feb 13 '17 at 20:55
  • The CRL is basically a list. Once loaded you can get a list with all entries from CRL using `getRevokedCertificates()` – pedrofb Feb 13 '17 at 21:48
  • I kind of see what you are talking about - but I opened up another Stack Overflow question because I am a little stuck with how I am actually going to implement the tests... Here is a link: http://stackoverflow.com/questions/42235398/how-might-i-go-about-having-a-localtestserver-create-an-x509-certificate-and-al – MickeyThreeSheds Feb 14 '17 at 22:08
  • I commented there. I see you want to generate your own certificates and CRLs without using OpenSSL as I proposed. It is possible but requires a lot of effort. You will need to use Bouncy Castle. If your main objective is not to provide your own certificates, I suggest using OpenSSL – pedrofb Feb 15 '17 at 07:09
  • Thanks - I will look into this now. The reason I can't use OpenSSL though, is because I need this to be just on a unit test basis. Creating certs and CRLs in the terminal would be limiting me to one machine, no? – MickeyThreeSheds Feb 15 '17 at 14:29
  • You said in this question that the objective is revocation testing, not generating certificates. Then you only need to generate certs and CRLs with OpenSSL once. Include them as resources in your test – pedrofb Feb 15 '17 at 17:01
  • But in the other question you want to programmatically generate your own certificates and CRL and check revocation. Is this really your use case? Generating certificates requires Bouncy Castle and is a little complex. I suggest splitting your unit tests – pedrofb Feb 15 '17 at 17:08
  • This is the question that matters, I just want to create a cert, create a CRL, add that cert to the CRL, and attempt to call my method, which I will pass both of these into, and assert that the boolean is of a certain value. These certs will not be used for anything, just unit testing... can I do this programmatically? – MickeyThreeSheds Feb 15 '17 at 18:35
  • It is possible, but not simple. Generate certificates using Bouncy Castle's `X509V3CertificateGenerator`. See http://stackoverflow.com/questions/29852290/self-signed-x509-certificate-with-bouncy-castle-in-java See also this link to generate a CRL http://www.bouncycastle.org/wiki/plugins/servlet/mobile#content/view/362279 I suggest you try that code and ask a new question if you have problems – pedrofb Feb 15 '17 at 19:58
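The OpenSSL side of the answer and its comments, as an added example that is not code from the thread: build a throwaway CA, issue and revoke one leaf certificate, generate the CRL fixture a test would load from its resources, and check the leaf against it. It also shows the point made in the answer, that a hand-edited CRL fails signature verification instead of reporting the certificate as revoked. It assumes openssl 1.1.1 or later on PATH; the WORK directory, file names and subjects are constructed for the example.

```shell
#!/bin/sh
# Added example: throwaway test PKI with OpenSSL (names and paths are constructed, not from the thread).
set -eu
WORK="${WORK:-$(mktemp -d)}"

make_test_pki() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"
  # Self-signed test CA, then a leaf certificate issued by it
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Unit Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
  # Minimal database so `openssl ca` can revoke and sign a CRL
  : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
  printf '[ca]\ndefault_ca=t\n[t]\ndatabase=%s/index.txt\ncertificate=%s/ca.pem\nprivate_key=%s/ca.key\ncrlnumber=%s/crlnumber\ndefault_md=sha256\ndefault_crl_days=30\n' \
    "$WORK" "$WORK" "$WORK" "$WORK" > "$WORK/ca.cnf"
}

revoke_and_gen_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/empty.crl" 2>/dev/null    # nothing revoked yet
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/leaf.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/revoked.crl" 2>/dev/null  # now lists the leaf
}

# What the answer warns about: editing a CRL by hand breaks its signature.
# Flip the last byte of the DER encoding (inside the signature) and re-wrap it as PEM.
tamper_crl() { # $1=crl in, $2=crl out
  openssl crl -in "$1" -outform DER -out "$WORK/t.der"
  n=$(wc -c < "$WORK/t.der")
  last=$(tail -c 1 "$WORK/t.der" | od -An -tx1 | tr -d ' \n')
  [ "$last" = "ff" ] && b='\000' || b='\377'
  { head -c "$((n - 1))" "$WORK/t.der"; printf "$b"; } > "$WORK/t2.der"
  openssl crl -inform DER -in "$WORK/t2.der" -out "$2"
}

# The revocation check itself: prints good | revoked | error ... (a broken CRL is an error, not "revoked")
crl_status() { # $1=cert, $2=crl
  if out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$2" "$1" 2>&1); then echo good
  elif printf '%s' "$out" | grep -q 'certificate revoked'; then echo revoked
  else printf 'error: %s\n' "$out" | head -n 1; fi
}

# Serial numbers listed in a CRL: the shell counterpart of X509CRL.getRevokedCertificates()
revoked_serials() { openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'; }

make_test_pki; revoke_and_gen_crl; tamper_crl "$WORK/revoked.crl" "$WORK/tampered.crl"
for c in empty revoked tampered; do echo "$c.crl: $(crl_status "$WORK/leaf.pem" "$WORK/$c.crl")"; done
echo "revoked serials: $(revoked_serials "$WORK/revoked.crl")"
```

The files left in `$WORK` (ca.pem, leaf.pem, revoked.crl) are the fixtures to copy into the test resources; empty.crl gives the negative case.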