func TestCheckCAAFallback(t *testing.T) { testSrv := httptest.NewServer(http.HandlerFunc(mocks.GPDNSHandler)) defer testSrv.Close() stats := mocks.NewStatter() scope := metrics.NewStatsdScope(stats, "VA") logger := blog.NewMock() caaDR, err := cdr.New(metrics.NewNoopScope(), time.Second, 1, nil, blog.NewMock()) test.AssertNotError(t, err, "Failed to create CAADistributedResolver") caaDR.URI = testSrv.URL caaDR.Clients["1.1.1.1"] = new(http.Client) va := NewValidationAuthorityImpl( &cmd.PortConfig{}, nil, caaDR, &bdns.MockDNSResolver{}, "user agent 1.0", "ca.com", scope, clock.Default(), logger) prob := va.checkCAA(ctx, core.AcmeIdentifier{Value: "bad-local-resolver.com", Type: "dns"}) test.Assert(t, prob == nil, fmt.Sprintf("returned ProblemDetails was non-nil: %#v", prob)) va.caaDR = nil prob = va.checkCAA(ctx, core.AcmeIdentifier{Value: "bad-local-resolver.com", Type: "dns"}) test.Assert(t, prob != nil, "returned ProblemDetails was nil") test.AssertEquals(t, prob.Type, probs.ConnectionProblem) test.AssertEquals(t, prob.Detail, "server failure at resolver") }
func TestDNSValidationOK(t *testing.T) { stats := mocks.NewStatter() va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA // create a challenge with well known token chalDNS := core.DNSChallenge01(accountKey) chalDNS.Token = expectedToken chalDNS.ProvidedKeyAuthorization, _ = chalDNS.ExpectedKeyAuthorization() goodIdent := core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "good-dns01.com", } var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: goodIdent, Challenges: []core.Challenge{chalDNS}, } va.validate(ctx, authz, 0) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusValid, "Should be valid.") test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.valid") }
func setup() (*ValidationAuthorityImpl, *mocks.Statter, *blog.Mock) { stats := mocks.NewStatter() scope := metrics.NewStatsdScope(stats, "VA") logger := blog.NewMock() va := NewValidationAuthorityImpl( &cmd.PortConfig{}, nil, nil, &bdns.MockDNSResolver{}, "user agent 1.0", "letsencrypt.org", scope, clock.Default(), logger) return va, stats, logger }
func TestDNSValidationFailure(t *testing.T) { stats := mocks.NewStatter() va := NewValidationAuthorityImpl(&cmd.PortConfig{}, nil, nil, stats, clock.Default()) va.DNSResolver = &bdns.MockDNSResolver{} mockRA := &MockRegistrationAuthority{} va.RA = mockRA chalDNS := createChallenge(core.ChallengeTypeDNS01) var authz = core.Authorization{ ID: core.NewToken(), RegistrationID: 1, Identifier: ident, Challenges: []core.Challenge{chalDNS}, } va.validate(ctx, authz, 0) t.Logf("Resulting Authz: %+v", authz) test.AssertNotNil(t, mockRA.lastAuthz, "Should have gotten an authorization") test.Assert(t, authz.Challenges[0].Status == core.StatusInvalid, "Should be invalid.") test.AssertEquals(t, authz.Challenges[0].Error.Type, probs.UnauthorizedProblem) test.AssertEquals(t, stats.TimingDurationCalls[0].Metric, "VA.Validations.dns-01.invalid") }
func setup(t *testing.T) *testCtx { // Create an SA dbMap, err := sa.NewDbMap(vars.DBConnSA) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } fc := clock.NewFake() fc.Add(1 * time.Hour) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } saDBCleanUp := test.ResetSATestDatabase(t) paDbMap, err := sa.NewDbMap(vars.DBConnPolicy) test.AssertNotError(t, err, "Could not construct dbMap") pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false, nil) test.AssertNotError(t, err, "Couldn't create PADB") paDBCleanUp := test.ResetPolicyTestDatabase(t) cleanUp := func() { saDBCleanUp() paDBCleanUp() } // TODO(jmhodges): use of this pkg here is a bug caused by using a real SA reg := satest.CreateWorkingRegistration(t, ssa) // Create a CA caConfig := cmd.CAConfig{ RSAProfile: rsaProfileName, ECDSAProfile: ecdsaProfileName, SerialPrefix: 17, Expiry: "8760h", LifespanOCSP: "45m", MaxNames: 2, HSMFaultTimeout: cmd.ConfigDuration{Duration: 60 * time.Second}, CFSSL: cfsslConfig.Config{ Signing: &cfsslConfig.Signing{ Profiles: map[string]*cfsslConfig.SigningProfile{ rsaProfileName: &cfsslConfig.SigningProfile{ Usage: []string{"digital signature", "key encipherment", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ cfsslConfig.CertificatePolicy{ ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, }, ecdsaProfileName: &cfsslConfig.SigningProfile{ Usage: []string{"digital signature", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ cfsslConfig.CertificatePolicy{ ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, }, }, Default: &cfsslConfig.SigningProfile{ ExpiryString: "8760h", }, }, OCSP: &ocspConfig.Config{ CACertFile: caCertFile, ResponderCertFile: caCertFile, KeyFile: caKeyFile, }, }, } stats := mocks.NewStatter() keyPolicy := core.KeyPolicy{ AllowRSA: true, AllowECDSANISTP256: true, AllowECDSANISTP384: true, } return &testCtx{ ssa, caConfig, reg, pa, keyPolicy, fc, &stats, cleanUp, } }
func setup(t *testing.T) *testCtx { fc := clock.NewFake() fc.Add(1 * time.Hour) pa, err := policy.New(nil) test.AssertNotError(t, err, "Couldn't create PA") err = pa.SetHostnamePolicyFile("../test/hostname-policy.json") test.AssertNotError(t, err, "Couldn't set hostname policy") // Create a CA caConfig := cmd.CAConfig{ RSAProfile: rsaProfileName, ECDSAProfile: ecdsaProfileName, SerialPrefix: 17, Expiry: "8760h", LifespanOCSP: cmd.ConfigDuration{Duration: 45 * time.Minute}, MaxNames: 2, DoNotForceCN: true, CFSSL: cfsslConfig.Config{ Signing: &cfsslConfig.Signing{ Profiles: map[string]*cfsslConfig.SigningProfile{ rsaProfileName: { Usage: []string{"digital signature", "key encipherment", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ { ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, AllowedExtensions: []cfsslConfig.OID{ cfsslConfig.OID(oidTLSFeature), }, }, ecdsaProfileName: { Usage: []string{"digital signature", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ { ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, }, }, Default: &cfsslConfig.SigningProfile{ ExpiryString: "8760h", }, }, }, } stats := mocks.NewStatter() issuers := []Issuer{{caKey, caCert}} keyPolicy := core.KeyPolicy{ AllowRSA: true, AllowECDSANISTP256: true, AllowECDSANISTP384: true, } return &testCtx{ caConfig, pa, issuers, keyPolicy, fc, stats, } }