func TestAddCertificate(t *testing.T) {
// Enable the feature for the `CertStatusOptimizationsMigrated` flag so that
// adding a new certificate will populate the `certificateStatus.NotAfter`
// field correctly. This will let the unit test assertion for `NotAfter`
// pass provided everything is working as intended. Note: this must be done
// **before** the DbMap is created in `initSA()` or the feature flag won't be
// set correctly at the time the table maps are set up.
_ = features.Set(map[string]bool{"CertStatusOptimizationsMigrated": true})
defer features.Reset()
sa, _, cleanUp := initSA(t)
defer cleanUp()
reg := satest.CreateWorkingRegistration(t, sa)
// An example cert taken from EFF's website
certDER, err := ioutil.ReadFile("www.eff.org.der")
test.AssertNotError(t, err, "Couldn't read example cert DER")
digest, err := sa.AddCertificate(ctx, certDER, reg.ID)
test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
test.AssertEquals(t, digest, "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo")
retrievedCert, err := sa.GetCertificate(ctx, "000000000000000000000000000000021bd4")
test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial")
test.AssertByteEquals(t, certDER, retrievedCert.DER)
certificateStatus, err := sa.GetCertificateStatus(ctx, "000000000000000000000000000000021bd4")
test.AssertNotError(t, err, "Couldn't get status for www.eff.org.der")
test.Assert(t, !certificateStatus.SubscriberApproved, "SubscriberApproved should be false")
test.Assert(t, certificateStatus.Status == core.OCSPStatusGood, "OCSP Status should be good")
test.Assert(t, certificateStatus.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
test.AssertEquals(t, certificateStatus.NotAfter, retrievedCert.Expires)
// Test cert generated locally by Boulder / CFSSL, names [example.com,
// www.example.com, admin.example.com]
certDER2, err := ioutil.ReadFile("test-cert.der")
test.AssertNotError(t, err, "Couldn't read example cert DER")
serial := "ffdd9b8a82126d96f61d378d5ba99a0474f0"
digest2, err := sa.AddCertificate(ctx, certDER2, reg.ID)
test.AssertNotError(t, err, "Couldn't add test-cert.der")
test.AssertEquals(t, digest2, "vrlPN5wIPME1D2PPsCy-fGnTWh8dMyyYQcXPRkjHAQI")
retrievedCert2, err := sa.GetCertificate(ctx, serial)
test.AssertNotError(t, err, "Couldn't get test-cert.der")
test.AssertByteEquals(t, certDER2, retrievedCert2.DER)
certificateStatus2, err := sa.GetCertificateStatus(ctx, serial)
test.AssertNotError(t, err, "Couldn't get status for test-cert.der")
test.Assert(t, !certificateStatus2.SubscriberApproved, "SubscriberApproved should be false")
test.Assert(t, certificateStatus2.Status == core.OCSPStatusGood, "OCSP Status should be good")
test.Assert(t, certificateStatus2.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
}
func TestDeactivateAccount(t *testing.T) {
_ = features.Set(map[string]bool{"AllowAccountDeactivation": true})
defer features.Reset()
sa, _, cleanUp := initSA(t)
defer cleanUp()
reg := satest.CreateWorkingRegistration(t, sa)
err := sa.DeactivateRegistration(context.Background(), reg.ID)
test.AssertNotError(t, err, "DeactivateRegistration failed")
dbReg, err := sa.GetRegistration(context.Background(), reg.ID)
test.AssertNotError(t, err, "GetRegistration failed")
test.AssertEquals(t, dbReg.Status, core.StatusDeactivated)
}
func TestModelToRegistrationNilContact(t *testing.T) {
_ = features.Set(map[string]bool{"AllowAccountDeactivation": true})
defer features.Reset()
reg, err := modelToRegistration(®Modelv2{
regModelv1: regModelv1{
Key: []byte(`{"kty":"RSA","n":"AQAB","e":"AQAB"}`),
Contact: nil,
}})
if err != nil {
t.Errorf("Got error from modelToRegistration: %s", err)
}
if reg.Contact == nil {
t.Errorf("Expected non-nil Contact field, got %#v", reg.Contact)
}
if len(*reg.Contact) != 0 {
t.Errorf("Expected empty Contact field, got %#v", reg.Contact)
}
}
func TestWillingToIssue(t *testing.T) {
testCases := []struct {
domain string
err error
}{
{``, errEmptyName}, // Empty name
{`zomb!.com`, errInvalidDNSCharacter}, // ASCII character out of range
{`[email protected]`, errInvalidDNSCharacter},
{`user:[email protected]`, errInvalidDNSCharacter},
{`zömbo.com`, errInvalidDNSCharacter}, // non-ASCII character
{`127.0.0.1`, errIPAddress}, // IPv4 address
{`fe80::1:1`, errInvalidDNSCharacter}, // IPv6 addresses
{`[2001:db8:85a3:8d3:1319:8a2e:370:7348]`, errInvalidDNSCharacter}, // unexpected IPv6 variants
{`[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443`, errInvalidDNSCharacter},
{`2001:db8::/32`, errInvalidDNSCharacter},
{`a.b.c.d.e.f.g.h.i.j.k`, errTooManyLabels}, // Too many labels (>10)
{`www.0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345.com`, errNameTooLong}, // Too long (254 characters)
{`www.abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz.com`, errLabelTooLong}, // Label too long (>63 characters)
{`www.-ombo.com`, errInvalidDNSCharacter}, // Label starts with '-'
{`www.zomb-.com`, errInvalidDNSCharacter}, // Label ends with '-'
{`xn--.net`, errInvalidDNSCharacter}, // Label ends with '-'
{`0`, errTooFewLabels},
{`1`, errTooFewLabels},
{`*`, errInvalidDNSCharacter},
{`**`, errInvalidDNSCharacter},
{`*.*`, errInvalidDNSCharacter},
{`zombo*com`, errInvalidDNSCharacter},
{`*.com`, errInvalidDNSCharacter},
{`*.zombo.com`, errInvalidDNSCharacter},
{`..a`, errLabelTooShort},
{`a..a`, errLabelTooShort},
{`.a..a`, errLabelTooShort},
{`..foo.com`, errLabelTooShort},
{`.`, errNameEndsInDot},
{`..`, errNameEndsInDot},
{`a..`, errNameEndsInDot},
{`.....`, errNameEndsInDot},
{`.a.`, errNameEndsInDot},
{`www.zombo.com.`, errNameEndsInDot},
{`www.zombo_com.com`, errInvalidDNSCharacter},
{`\uFEFF`, errInvalidDNSCharacter}, // Byte order mark
{`\uFEFFwww.zombo.com`, errInvalidDNSCharacter},
{`www.zom\u202Ebo.com`, errInvalidDNSCharacter}, // Right-to-Left Override
{`\u202Ewww.zombo.com`, errInvalidDNSCharacter},
{`www.zom\u200Fbo.com`, errInvalidDNSCharacter}, // Right-to-Left Mark
{`\u200Fwww.zombo.com`, errInvalidDNSCharacter},
// Underscores are technically disallowed in DNS. Some DNS
// implementations accept them but we will be conservative.
{`www.zom_bo.com`, errInvalidDNSCharacter},
{`zombocom`, errTooFewLabels},
{`localhost`, errTooFewLabels},
{`mail`, errTooFewLabels},
// disallow capitalized letters for #927
{`CapitalizedLetters.com`, errInvalidDNSCharacter},
{`example.acting`, errNonPublic},
{`example.internal`, errNonPublic},
// All-numeric final label not okay.
{`www.zombo.163`, errNonPublic},
}
shouldBeTLDError := []string{
`co.uk`,
`foo.bn`,
}
shouldBeBlacklisted := []string{
`highvalue.website1.org`,
`website2.co.uk`,
`www.website3.com`,
`lots.of.labels.website4.com`,
}
blacklistContents := []string{
`website2.com`,
`website2.org`,
`website2.co.uk`,
`website3.com`,
`website4.com`,
}
exactBlacklistContents := []string{
`www.website1.org`,
`highvalue.website1.org`,
`dl.website1.org`,
}
shouldBeAccepted := []string{
`lowvalue.website1.org`,
`website4.sucks`,
"www.unrelated.com",
"unrelated.com",
"www.8675309.com",
"8675309.com",
"web5ite2.com",
"www.web-site2.com",
}
pa := paImpl(t)
blacklistBytes, err := json.Marshal(blacklistJSON{
Blacklist: blacklistContents,
ExactBlacklist: exactBlacklistContents,
})
test.AssertNotError(t, err, "Couldn't serialize blacklist")
f, _ := ioutil.TempFile("", "test-blacklist.txt")
defer os.Remove(f.Name())
err = ioutil.WriteFile(f.Name(), blacklistBytes, 0640)
test.AssertNotError(t, err, "Couldn't write blacklist")
err = pa.SetHostnamePolicyFile(f.Name())
test.AssertNotError(t, err, "Couldn't load rules")
// Test for invalid identifier type
identifier := core.AcmeIdentifier{Type: "ip", Value: "example.com"}
err = pa.WillingToIssue(identifier)
if err != errInvalidIdentifier {
t.Error("Identifier was not correctly forbidden: ", identifier)
}
// Test syntax errors
for _, tc := range testCases {
identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: tc.domain}
err := pa.WillingToIssue(identifier)
if err != tc.err {
t.Errorf("WillingToIssue(%q) = %q, expected %q", tc.domain, err, tc.err)
}
}
// Test IDNs
err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--mnich-kva.com"})
test.AssertError(t, err, "WillingToIssue didn't fail on a IDN with features.IDNASupport disabled")
_ = features.Set(map[string]bool{"IDNASupport": true})
// Invalid encoding
err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--m.com"})
test.AssertError(t, err, "WillingToIssue didn't fail on a malformed IDN")
// Valid encoding
err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "www.xn--mnich-kva.com"})
test.AssertNotError(t, err, "WillingToIssue failed on a properly formed IDN")
// IDN TLD
err = pa.WillingToIssue(core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "xn--example--3bhk5a.xn--p1ai"})
test.AssertNotError(t, err, "WillingToIssue failed on a properly formed domain with IDN TLD")
features.Reset()
// Test domains that are equal to public suffixes
for _, domain := range shouldBeTLDError {
identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain}
err := pa.WillingToIssue(identifier)
if err != errICANNTLD {
t.Error("Identifier was not correctly forbidden: ", identifier, err)
}
}
// Test blacklisting
for _, domain := range shouldBeBlacklisted {
identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain}
err := pa.WillingToIssue(identifier)
if err != errBlacklisted {
t.Error("Identifier was not correctly forbidden: ", identifier, err)
}
}
// Test acceptance of good names
for _, domain := range shouldBeAccepted {
identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: domain}
if err := pa.WillingToIssue(identifier); err != nil {
t.Error("Identifier was incorrectly forbidden: ", identifier, err)
}
}
}
