Beispiel #1
0
func TestBasicSuccessful(t *testing.T) {
	pub, leaf, k := setup(t)

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	scope := mock_metrics.NewMockScope(ctrl)
	pub.stats = scope

	server := logSrv(leaf.Raw, k)
	defer server.Close()
	port, err := getPort(server)
	test.AssertNotError(t, err, "Failed to get test server port")
	addLog(t, pub, port, &k.PublicKey)

	statName := pub.ctLogs[0].statName
	log.Clear()
	scope.EXPECT().NewScope(statName).Return(scope)
	scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
	scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
	err = pub.SubmitToCT(ctx, leaf.Raw)
	test.AssertNotError(t, err, "Certificate submission failed")
	test.AssertEquals(t, len(log.GetAllMatching("Failed to.*")), 0)

	// No Intermediate
	pub.issuerBundle = []ct.ASN1Cert{}
	log.Clear()
	scope.EXPECT().NewScope(statName).Return(scope)
	scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
	scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
	err = pub.SubmitToCT(ctx, leaf.Raw)
	test.AssertNotError(t, err, "Certificate submission failed")
	test.AssertEquals(t, len(log.GetAllMatching("Failed to.*")), 0)
}
Beispiel #2
0
func TestUnexpectedError(t *testing.T) {
	pub, leaf, k := setup(t)

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	scope := mock_metrics.NewMockScope(ctrl)
	pub.stats = scope

	srv := errorLogSrv()
	defer srv.Close()
	port, err := getPort(srv)
	test.AssertNotError(t, err, "Failed to get test server port")
	addLog(t, pub, port, &k.PublicKey)
	statName := pub.ctLogs[0].statName

	log.Clear()
	scope.EXPECT().NewScope(statName).Return(scope)
	scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
	scope.EXPECT().Inc("Errors", int64(1)).Return(nil)
	scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
	err = pub.SubmitToCT(ctx, leaf.Raw)
	test.AssertNotError(t, err, "Certificate submission failed")
	test.AssertEquals(t, len(log.GetAllMatching("Failed .*http://localhost:"+strconv.Itoa(port))), 1)
}
Beispiel #3
0
func TestExtensions(t *testing.T) {
	testCtx := setup(t)
	testCtx.caConfig.MaxNames = 3

	ctrl := gomock.NewController(t)
	defer ctrl.Finish()
	stats := mock_metrics.NewMockScope(ctrl)

	ca, err := NewCertificateAuthorityImpl(
		testCtx.caConfig,
		testCtx.fc,
		stats,
		testCtx.issuers,
		testCtx.keyPolicy,
		testCtx.logger)
	ca.Publisher = &mocks.Publisher{}
	ca.PA = testCtx.pa
	ca.SA = &mockSA{}

	mustStapleCSR, err := x509.ParseCertificateRequest(MustStapleCSR)
	test.AssertNotError(t, err, "Error parsing MustStapleCSR")

	duplicateMustStapleCSR, err := x509.ParseCertificateRequest(DuplicateMustStapleCSR)
	test.AssertNotError(t, err, "Error parsing DuplicateMustStapleCSR")

	tlsFeatureUnknownCSR, err := x509.ParseCertificateRequest(TLSFeatureUnknownCSR)
	test.AssertNotError(t, err, "Error parsing TLSFeatureUnknownCSR")

	unsupportedExtensionCSR, err := x509.ParseCertificateRequest(UnsupportedExtensionCSR)
	test.AssertNotError(t, err, "Error parsing UnsupportedExtensionCSR")

	sign := func(csr *x509.CertificateRequest) *x509.Certificate {
		coreCert, err := ca.IssueCertificate(ctx, *csr, 1001)
		test.AssertNotError(t, err, "Failed to issue")
		cert, err := x509.ParseCertificate(coreCert.DER)
		test.AssertNotError(t, err, "Error parsing certificate produced by CA")
		return cert
	}

	// With ca.enableMustStaple = false, should issue successfully and not add
	// Must Staple.
	stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
	noStapleCert := sign(mustStapleCSR)
	test.AssertEquals(t, countMustStaple(t, noStapleCert), 0)

	// With ca.enableMustStaple = true, a TLS feature extension should put a must-staple
	// extension into the cert
	ca.enableMustStaple = true
	stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
	singleStapleCert := sign(mustStapleCSR)
	test.AssertEquals(t, countMustStaple(t, singleStapleCert), 1)

	// Even if there are multiple TLS Feature extensions, only one extension should be included
	stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
	duplicateMustStapleCert := sign(duplicateMustStapleCSR)
	test.AssertEquals(t, countMustStaple(t, duplicateMustStapleCert), 1)

	// ... but if it doesn't ask for stapling, there should be an error
	stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
	stats.EXPECT().Inc(metricCSRExtensionTLSFeatureInvalid, int64(1)).Return(nil)
	_, err = ca.IssueCertificate(ctx, *tlsFeatureUnknownCSR, 1001)
	test.AssertError(t, err, "Allowed a CSR with an empty TLS feature extension")
	if _, ok := err.(core.MalformedRequestError); !ok {
		t.Errorf("Wrong error type when rejecting a CSR with empty TLS feature extension")
	}

	// Unsupported extensions should be silently ignored, having the same
	// extensions as the TLS Feature cert above, minus the TLS Feature Extension
	stats.EXPECT().Inc(metricCSRExtensionOther, int64(1)).Return(nil)
	unsupportedExtensionCert := sign(unsupportedExtensionCSR)
	test.AssertEquals(t, len(unsupportedExtensionCert.Extensions), len(singleStapleCert.Extensions)-1)
}