tests: add CRL mTLS test.

cpu · cpu · commit d80c42b20549 · 2023-07-13T13:32:47.000-04:00
This commit adds a simple test CRL (`testdata/test.crl.pem`) that lists
the `testdata/localhost/cert.pem` certificate as revoked, but _not_ the
`testdata/example.com/cert.pem` certificate.

The `client-server.py` integration test driver is then updated with
a suite that will start the server binary in a mode that requires mTLS,
and that loads the test crl. Two connection attempts are made with the
client binary: one using the `example.com` client cert that isn't
expected to error, and one using the `localhost` client cert that _is_
expected to error (since it's revoked).
diff --git a/testdata/test.crl.pem b/testdata/test.crl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBxjCBrwIBATANBgkqhkiG9w0BAQsFADAgMR4wHAYDVQQDExVtaW5pY2Egcm9v
+dCBjYSAxMGE3YTAXDTIzMDcwMzE3MTgxMloXDTIzMDcxMDE3MTgxMlowKTAnAghT
+E+2CSHaYmBcNMjMwNzAzMTcxNzU5WjAMMAoGA1UdFQQDCgEBoDAwLjAfBgNVHSME
+GDAWgBQ19H4hMuTID22xvBfISviOa+S+EDALBgNVHRQEBAICEAEwDQYJKoZIhvcN
+AQELBQADggEBAF5fOpNZGLsHGAUasx5Il79My6EU66igE0YZWVzgX8EaCt1RMCFx
+osumXkaPiohICSsczFlnJolpwacsHx/K/IMYvthna8lbAxhuWharRqoHUK+BdTDD
+wtThMBC2dCNoLro/6cIpMov9OXjh8291ogIy0qIiSm20JiaWTB+0V7A6gA7riTXC
+yzJTyGECLS9XP6rt+SYmcDn0D1jxfsIli0kYBJdKb3O0xF05oBaWadSLuXbcA41+
+Kcw07HACaUrR6BCrR3CjnnlTl6Pr25cQi3zPya7lNDQWqhLNx0sU2jviVZQe1nIA
+Ie8Ha2syCv0aa33s0dUY6hOKDbLTGpI8f/E=
+-----END X509 CRL-----
diff --git a/tests/client-server.py b/tests/client-server.py
@@ -131,6 +131,38 @@ def run_mtls_client_tests(client, valgrind):
     )
 
 
+def run_mtls_client_crl_tests(client, valgrind):
+    run_with_maybe_valgrind(
+        [
+            client,
+            HOST,
+            str(PORT),
+            "/"
+        ],
+        {
+            "CA_FILE": "testdata/minica.pem",
+            "AUTH_CERT": "testdata/example.com/cert.pem",
+            "AUTH_KEY": "testdata/example.com/key.pem",
+        },
+        valgrind
+    )
+    run_with_maybe_valgrind(
+        [
+            client,
+            HOST,
+            str(PORT),
+            "/"
+        ],
+        {
+            "CA_FILE": "testdata/minica.pem",
+            "AUTH_CERT": "testdata/localhost/cert.pem",
+            "AUTH_KEY": "testdata/localhost/key.pem",
+        },
+        valgrind,
+        expect_error=True  # Client connecting w/ revoked cert should err.
+    )
+
+
 def run_server(server, valgrind, env):
     args = [
         server,
@@ -181,10 +213,19 @@ def main():
     server_popen.wait()
 
     # Client/server tests w/ mandatory client authentication.
-    run_server(server, valgrind, {
+    server_popen = run_server(server, valgrind, {
         "AUTH_CERT": "testdata/minica.pem",
     })
     run_mtls_client_tests(client, valgrind)
+    server_popen.kill()
+    server_popen.wait()
+
+    # Client/server tests w/ mandatory client authentication & CRL.
+    run_server(server, valgrind, {
+        "AUTH_CERT": "testdata/minica.pem",
+        "AUTH_CRL": "testdata/test.crl.pem",
+    })
+    run_mtls_client_crl_tests(client, valgrind)
 
 
 if __name__ == "__main__":
