func TestNewCertGeneratorHandlerFromSigner(t *testing.T) {
var expiry = 1 * time.Minute
var CAConfig = &config.Config{
Signing: &config.Signing{
Profiles: map[string]*config.SigningProfile{
"signature": &config.SigningProfile{
Usage: []string{"digital signature"},
Expiry: expiry,
},
},
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "43800h",
Expiry: expiry,
CA: true,
ClientProvidesSerialNumbers: true,
},
},
}
s, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, CAConfig.Signing)
if err != nil {
t.Fatal(err)
}
h := NewCertGeneratorHandlerFromSigner(CSRValidate, s)
_, ok := h.(http.Handler)
if !ok {
t.Fatal("A HTTP handler has not been returned")
}
}
// newHandler generates a new sign handler (or info handler) using the certificate
// authority private key and certficate to sign certificates.
func newHandler(t *testing.T, caFile, caKeyFile, op string) (http.Handler, error) {
var expiry = 1 * time.Minute
var CAConfig = &config.Config{
Signing: &config.Signing{
Profiles: map[string]*config.SigningProfile{
"signature": &config.SigningProfile{
Usage: []string{"digital signature"},
Expiry: expiry,
},
},
Default: &config.SigningProfile{
Usage: []string{"cert sign", "crl sign"},
ExpiryString: "43800h",
Expiry: expiry,
CA: true,
ClientProvidesSerialNumbers: true,
},
},
}
s, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, CAConfig.Signing)
if err != nil {
t.Fatal(err)
}
if op == "sign" {
return apisign.NewHandlerFromSigner(s)
} else if op == "info" {
return apiinfo.NewHandler(s)
}
t.Fatal("Bad op code")
return nil, nil
}
func TestChromeWarning(t *testing.T) {
b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "")
s, err := local.NewSignerFromFile(sha1Intermediate, intermediateKey, nil)
if err != nil {
t.Fatal(err)
}
csrBytes, err := ioutil.ReadFile(leafCSR)
if err != nil {
t.Fatal(err)
}
signingRequest := signer.SignRequest{Request: string(csrBytes)}
certBytes, err := s.Sign(signingRequest)
if err != nil {
t.Fatal(err)
}
// Bundle a leaf cert with default 1 year expiration
bundle, err := b.BundleFromPEMorDER(certBytes, nil, Ubiquitous, "")
if err != nil {
t.Fatal("bundling failed: ", err)
}
// should be not ubiquitous due to SHA2 and ECDSA support issues in legacy platforms
if bundle.Status.Code&errors.BundleNotUbiquitousBit != errors.BundleNotUbiquitousBit {
t.Fatal("Incorrect bundle status code. Bundle status code:", bundle.Status.Code)
}
fullChain := append(bundle.Chain, bundle.Root)
sha1Msgs := ubiquity.SHA1DeprecationMessages(fullChain)
// Since the new SHA-1 cert is expired after 2015, it definitely trigger Chrome's deprecation policies.
if len(sha1Msgs) == 0 {
t.Fatal("SHA1 Deprecation Message should not be empty")
}
// check SHA1 deprecation warnings
var sha1MsgNotFound bool
for _, sha1Msg := range sha1Msgs {
foundMsg := false
for _, message := range bundle.Status.Messages {
if message == sha1Msg {
foundMsg = true
}
}
if !foundMsg {
sha1MsgNotFound = true
break
}
}
if sha1MsgNotFound {
t.Fatalf("Incorrect bundle status messages. Bundle status messages:%v, expected to contain: %v\n", bundle.Status.Messages, sha1Msgs)
}
}
// fileBackedSigner determines whether a file-backed local signer is supported.
func fileBackedSigner(root *Root, policy *config.Signing) (signer.Signer, bool, error) {
keyFile := root.Config["key-file"]
certFile := root.Config["cert-file"]
if keyFile == "" {
return nil, false, nil
}
signer, err := local.NewSignerFromFile(certFile, keyFile, policy)
return signer, true, err
}
func newTestHandler(t *testing.T) (h http.Handler) {
signer, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil)
if err != nil {
t.Fatal(err)
}
h, err = NewHandler(signer)
if err != nil {
t.Fatal(err)
}
return
}
func newTestMultiHandler(t *testing.T) (h http.Handler) {
signer1, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil)
if err != nil {
t.Fatal(err)
}
signer2, err := local.NewSignerFromFile(testCaFile2, testCaKeyFile2, nil)
if err != nil {
t.Fatal(err)
}
signers := map[string]signer.Signer{
"test1": signer1,
"test2": signer2,
}
h, err = NewMultiHandler(signers, "test1")
if err != nil {
t.Fatalf("%v", err)
}
return
}
// create a test intermediate cert in PEM
func createInterCert(t *testing.T, csrFile string, policy *config.Signing, profileName string) (certPEM []byte) {
s, err := local.NewSignerFromFile(testCAFile, testCAKeyFile, policy)
if err != nil {
t.Fatal(err)
}
csr, err := ioutil.ReadFile(csrFile)
if err != nil {
t.Fatal(err)
}
req := signer.SignRequest{
Hosts: []string{"cloudflare-inter.com"},
Request: string(csr),
Profile: profileName,
Label: "",
}
certPEM, err = s.Sign(req)
if err != nil {
t.Fatal(err)
}
return
}
func TestSignerDBPersistence(t *testing.T) {
conf, err := config.LoadConfig([]byte(validLocalConfigLongerExpiry))
if err != nil {
t.Fatal(err)
}
var s *local.Signer
s, err = local.NewSignerFromFile(testCaFile, testCaKeyFile, conf.Signing)
if err != nil {
t.Fatal(err)
}
db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db")
if err != nil {
t.Fatal(err)
}
s.SetDB(db)
var handler *api.HTTPHandler
handler, err = NewHandlerFromSigner(signer.Signer(s))
if err != nil {
t.Fatal(err)
}
ts := httptest.NewServer(handler)
defer ts.Close()
var csrPEM, body []byte
csrPEM, err = ioutil.ReadFile(testCSRFile)
if err != nil {
t.Fatal(err)
}
blob, err := json.Marshal(&map[string]string{"certificate_request": string(csrPEM)})
if err != nil {
t.Fatal(err)
}
var resp *http.Response
resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob))
if err != nil {
t.Fatal(err)
}
body, err = ioutil.ReadAll(resp.Body)
if err != nil {
t.Fatal(err)
}
if resp.StatusCode != http.StatusOK {
t.Fatal(resp.Status, string(body))
}
message := new(api.Response)
err = json.Unmarshal(body, message)
if err != nil {
t.Fatalf("failed to read response body: %v", err)
}
if !message.Success {
t.Fatal("API operation failed")
}
var crs []*certdb.CertificateRecord
crs, err = certdb.GetUnexpiredCertificates(db)
if err != nil {
t.Fatal("Failed to get unexpired certificates")
}
if len(crs) != 1 {
t.Fatal("Expected 1 unexpired certificate in the database after signing 1")
}
}