func TestBasicSuccessful(t *testing.T) {
pub, leaf, k := setup(t)
ctrl := gomock.NewController(t)
defer ctrl.Finish()
scope := mock_metrics.NewMockScope(ctrl)
pub.stats = scope
server := logSrv(leaf.Raw, k)
defer server.Close()
port, err := getPort(server)
test.AssertNotError(t, err, "Failed to get test server port")
addLog(t, pub, port, &k.PublicKey)
statName := pub.ctLogs[0].statName
log.Clear()
scope.EXPECT().NewScope(statName).Return(scope)
scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
err = pub.SubmitToCT(ctx, leaf.Raw)
test.AssertNotError(t, err, "Certificate submission failed")
test.AssertEquals(t, len(log.GetAllMatching("Failed to.*")), 0)
// No Intermediate
pub.issuerBundle = []ct.ASN1Cert{}
log.Clear()
scope.EXPECT().NewScope(statName).Return(scope)
scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
err = pub.SubmitToCT(ctx, leaf.Raw)
test.AssertNotError(t, err, "Certificate submission failed")
test.AssertEquals(t, len(log.GetAllMatching("Failed to.*")), 0)
}
func TestUnexpectedError(t *testing.T) {
pub, leaf, k := setup(t)
ctrl := gomock.NewController(t)
defer ctrl.Finish()
scope := mock_metrics.NewMockScope(ctrl)
pub.stats = scope
srv := errorLogSrv()
defer srv.Close()
port, err := getPort(srv)
test.AssertNotError(t, err, "Failed to get test server port")
addLog(t, pub, port, &k.PublicKey)
statName := pub.ctLogs[0].statName
log.Clear()
scope.EXPECT().NewScope(statName).Return(scope)
scope.EXPECT().Inc("Submits", int64(1)).Return(nil)
scope.EXPECT().Inc("Errors", int64(1)).Return(nil)
scope.EXPECT().TimingDuration("SubmitLatency", gomock.Any()).Return(nil)
err = pub.SubmitToCT(ctx, leaf.Raw)
test.AssertNotError(t, err, "Certificate submission failed")
test.AssertEquals(t, len(log.GetAllMatching("Failed .*http://localhost:"+strconv.Itoa(port))), 1)
}
func TestExtensions(t *testing.T) {
testCtx := setup(t)
testCtx.caConfig.MaxNames = 3
ctrl := gomock.NewController(t)
defer ctrl.Finish()
stats := mock_metrics.NewMockScope(ctrl)
ca, err := NewCertificateAuthorityImpl(
testCtx.caConfig,
testCtx.fc,
stats,
testCtx.issuers,
testCtx.keyPolicy,
testCtx.logger)
ca.Publisher = &mocks.Publisher{}
ca.PA = testCtx.pa
ca.SA = &mockSA{}
mustStapleCSR, err := x509.ParseCertificateRequest(MustStapleCSR)
test.AssertNotError(t, err, "Error parsing MustStapleCSR")
duplicateMustStapleCSR, err := x509.ParseCertificateRequest(DuplicateMustStapleCSR)
test.AssertNotError(t, err, "Error parsing DuplicateMustStapleCSR")
tlsFeatureUnknownCSR, err := x509.ParseCertificateRequest(TLSFeatureUnknownCSR)
test.AssertNotError(t, err, "Error parsing TLSFeatureUnknownCSR")
unsupportedExtensionCSR, err := x509.ParseCertificateRequest(UnsupportedExtensionCSR)
test.AssertNotError(t, err, "Error parsing UnsupportedExtensionCSR")
sign := func(csr *x509.CertificateRequest) *x509.Certificate {
coreCert, err := ca.IssueCertificate(ctx, *csr, 1001)
test.AssertNotError(t, err, "Failed to issue")
cert, err := x509.ParseCertificate(coreCert.DER)
test.AssertNotError(t, err, "Error parsing certificate produced by CA")
return cert
}
// With ca.enableMustStaple = false, should issue successfully and not add
// Must Staple.
stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
noStapleCert := sign(mustStapleCSR)
test.AssertEquals(t, countMustStaple(t, noStapleCert), 0)
// With ca.enableMustStaple = true, a TLS feature extension should put a must-staple
// extension into the cert
ca.enableMustStaple = true
stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
singleStapleCert := sign(mustStapleCSR)
test.AssertEquals(t, countMustStaple(t, singleStapleCert), 1)
// Even if there are multiple TLS Feature extensions, only one extension should be included
stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
duplicateMustStapleCert := sign(duplicateMustStapleCSR)
test.AssertEquals(t, countMustStaple(t, duplicateMustStapleCert), 1)
// ... but if it doesn't ask for stapling, there should be an error
stats.EXPECT().Inc(metricCSRExtensionTLSFeature, int64(1)).Return(nil)
stats.EXPECT().Inc(metricCSRExtensionTLSFeatureInvalid, int64(1)).Return(nil)
_, err = ca.IssueCertificate(ctx, *tlsFeatureUnknownCSR, 1001)
test.AssertError(t, err, "Allowed a CSR with an empty TLS feature extension")
if _, ok := err.(core.MalformedRequestError); !ok {
t.Errorf("Wrong error type when rejecting a CSR with empty TLS feature extension")
}
// Unsupported extensions should be silently ignored, having the same
// extensions as the TLS Feature cert above, minus the TLS Feature Extension
stats.EXPECT().Inc(metricCSRExtensionOther, int64(1)).Return(nil)
unsupportedExtensionCert := sign(unsupportedExtensionCSR)
test.AssertEquals(t, len(unsupportedExtensionCert.Extensions), len(singleStapleCert.Extensions)-1)
}