xiaoyuyao commented on a change in pull request #1874:
URL: https://github.com/apache/ozone/pull/1874#discussion_r568818004



##########
File path: hadoop-hdds/framework/src/test/java/org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.java
##########
@@ -213,6 +224,55 @@ public void testRequestCertificateWithInvalidSubject() 
throws IOException,
     assertNotNull(holder.get());
   }
 
+  @Test
+  public void testRevokeCertificates() throws Exception {
+    String scmId =  RandomStringUtils.randomAlphabetic(4);
+    String clusterId =  RandomStringUtils.randomAlphabetic(4);
+
+    CertificateServer testCA = new DefaultCAServer("testCA",
+        clusterId, scmId, caStore);
+    testCA.init(new SecurityConfig(conf),
+        CertificateServer.CAType.SELF_SIGNED_CA);
+
+    KeyPair keyPair =
+        new HDDSKeyGenerator(conf).generateKey();
+    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
+        .addDnsName("hadoop.apache.org")
+        .addIpAddress("8.8.8.8")
+        .setCA(false)
+        .setSubject("testCA")
+        .setConfiguration(conf)
+        .setKey(keyPair)
+        .build();
+
+    // Let us convert this to a string to mimic the common use case.
+    String csrString = CertificateSignRequest.getEncodedString(csr);
+
+    Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString,
+        CertificateApprover.ApprovalType.TESTING_AUTOMATIC);
+
+    X509Certificate certificate =
+        new JcaX509CertificateConverter().getCertificate(holder.get());
+    List<X509Certificate> certs = new ArrayList<>();
+    certs.add(certificate);
+    Future<Boolean> revoked = testCA.revokeCertificates(certs,
+        CRLReason.keyCompromise, new SecurityConfig(conf));
+
+    // Revoking a valid certificate should return true.
+    assertTrue(revoked.get());
+
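Review bot: In the CSR builder, `.setSubject("testCA")` reuses the same string that is passed as the first argument to `new DefaultCAServer("testCA", ...)`, so a failure message naming "testCA" does not say whether it refers to the CA or to the certificate being revoked; a distinct subject for the requested certificate would make the test easier to read. `new SecurityConfig(conf)` is also constructed twice, once for `init` and once for `revokeCertificates`; a single local instance passed to both calls would make it explicit that the CA and the revocation use the same configuration.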

Review comment:
       Can we verify that after revoke, getCertificateByID from ca with valid and invalid type, respectively?



