func TestUniversalRemoteAndLocalSign(t *testing.T) {
// set up remote server
remoteConfig := testsuite.NewConfig(t, []byte(validNoAuthRemoteConfig))
remoteServer := newTestSignServer(t, newTestUniversalSigner(t, remoteConfig.Signing))
defer closeTestServer(t, remoteServer)
universalConfig := testsuite.NewConfig(t, []byte(validNoAuthUniversalConfig))
// override with test server address, ignore url prefix "http://"
for name, profile := range universalConfig.Signing.Profiles {
if profile.RemoteServer != "" {
universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:]
}
}
s := newTestUniversalSigner(t, universalConfig.Signing)
checkSign := func(name string, profile *config.SigningProfile) {
hosts := []string{"cloudflare.com"}
for _, test := range testsuite.CSRTests {
csr, err := ioutil.ReadFile(test.File)
if err != nil {
t.Fatalf("CSR loading error (%s): %v", name, err)
}
testSerial := big.NewInt(0x7007F)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: testSerial,
Profile: name,
})
if test.ErrorCallback != nil {
test.ErrorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
ku, _, _ := profile.Usages()
if cert.KeyUsage != ku {
t.Fatalf("Key usage was incorrect expected %+v, got %+v", ku, cert.KeyUsage)
}
}
}
}
for name, profile := range universalConfig.Signing.Profiles {
checkSign(name, profile)
}
// add check for default profile
checkSign("", universalConfig.Signing.Default)
}
func TestRemoteSignBadServerAndOverride(t *testing.T) {
remoteServer := newTestSignServer(t)
defer closeTestServer(t, remoteServer)
// remoteConfig contains port 80 that no test server will listen on
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
s := newRemoteSigner(t, remoteConfig.Signing)
hosts := []string{"cloudflare.com"}
csr, err := ioutil.ReadFile("../local/testdata/rsa2048.csr")
if err != nil {
t.Fatal("CSR loading error:", err)
}
_, err = s.Sign(signer.SignRequest{Hosts: hosts, Request: string(csr)})
if err == nil {
t.Fatal("Should return error")
}
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
s.SetPolicy(remoteConfig.Signing)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: big.NewInt(1),
})
if err != nil {
t.Fatalf("Expected no error. Got %s.", err.Error())
}
_, err = helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
}
func TestNewAuthSigner(t *testing.T) {
remoteAuthConfig := testsuite.NewConfig(t, []byte(validMinimalAuthRemoteConfig))
_, err := NewSigner(remoteAuthConfig.Signing)
if err != nil {
t.Fatal("fail to init remote signer:", err)
}
}
func TestRemoteInfo(t *testing.T) {
remoteServer := newTestInfoServer(t, false, nil)
defer closeTestServer(t, remoteServer)
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
// override with test server address, ignore url prefix "http://"
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
verifyRemoteInfo(t, remoteConfig)
}
func TestUniversalMultipleRemoteAndLocalInfo(t *testing.T) {
// set up remote server
remoteConfig := testsuite.NewConfig(t, []byte(validRemoteConfig))
remoteServer := newTestInfoServer(t, newTestUniversalSigner(t, remoteConfig.Signing))
defer closeTestServer(t, remoteServer)
universalConfig := testsuite.NewConfig(t, []byte(validUniversalConfig))
// override with test server address, ignore url prefix "http://"
for name, profile := range universalConfig.Signing.Profiles {
if profile.RemoteServer != "" {
universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:]
}
}
s := newTestUniversalSigner(t, universalConfig.Signing)
for name, profile := range universalConfig.Signing.Profiles {
checkInfo(t, s, name, profile)
}
// add check for default profile
checkInfo(t, s, "", universalConfig.Signing.Default)
}
func remoteTLSSign(t *testing.T, isMutual bool) {
certPool, err := helpers.LoadPEMCertPool(testCaFile)
if err != nil {
t.Fatal(err)
}
var clientCA *x509.CertPool
if isMutual {
clientCA = certPool
}
remoteServer := newTestSignServer(t, true, clientCA)
defer closeTestServer(t, remoteServer)
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
// override with full server URL to get https in protocol"
remoteConfig.Signing.OverrideRemotes(remoteServer.URL)
remoteConfig.Signing.SetRemoteCAs(certPool)
if isMutual {
remoteConfig.Signing.SetClientCertKeyPairFromFile(testClientFile, testClientKeyFile)
}
verifyRemoteSign(t, remoteConfig)
}
func TestRemoteSign(t *testing.T) {
remoteServer := newTestSignServer(t)
defer closeTestServer(t, remoteServer)
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
// override with test server address, ignore url prefix "http://"
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
s := newRemoteSigner(t, remoteConfig.Signing)
hosts := []string{"cloudflare.com"}
for _, test := range testsuite.CSRTests {
csr, err := ioutil.ReadFile(test.File)
if err != nil {
t.Fatal("CSR loading error:", err)
}
testSerial := big.NewInt(0x7007F)
certBytes, err := s.Sign(signer.SignRequest{
Hosts: hosts,
Request: string(csr),
Serial: testSerial,
})
if test.ErrorCallback != nil {
test.ErrorCallback(t, err)
} else {
if err != nil {
t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
}
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal("Fail to parse returned certificate:", err)
}
sn := fmt.Sprintf("%X", cert.SerialNumber)
if sn != "7007F" {
t.Fatal("Serial Number was incorrect:", sn)
}
}
}
}
func TestRemoteInfo(t *testing.T) {
remoteServer := newTestInfoServer(t)
defer closeTestServer(t, remoteServer)
remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
// override with test server address, ignore url prefix "http://"
remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
s := newRemoteSigner(t, remoteConfig.Signing)
req := info.Req{}
resp, err := s.Info(req)
if err != nil {
t.Fatal("remote info failed:", err)
}
caBytes, err := ioutil.ReadFile(testCaFile)
caBytes = bytes.TrimSpace(caBytes)
if err != nil {
t.Fatal("fail to read test CA cert:", err)
}
if bytes.Compare(caBytes, []byte(resp.Certificate)) != 0 {
t.Fatal("Get a different CA cert through info api.", len(resp.Certificate), len(caBytes))
}
}