func TestUniversalRemoteAndLocalSign(t *testing.T) {
	// set up remote server
	remoteConfig := testsuite.NewConfig(t, []byte(validNoAuthRemoteConfig))
	remoteServer := newTestSignServer(t, newTestUniversalSigner(t, remoteConfig.Signing))
	defer closeTestServer(t, remoteServer)

	universalConfig := testsuite.NewConfig(t, []byte(validNoAuthUniversalConfig))
	// override with test server address, ignore url prefix "http://"
	for name, profile := range universalConfig.Signing.Profiles {
		if profile.RemoteServer != "" {
			universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:]
		}
	}
	s := newTestUniversalSigner(t, universalConfig.Signing)

	checkSign := func(name string, profile *config.SigningProfile) {
		hosts := []string{"cloudflare.com"}
		for _, test := range testsuite.CSRTests {
			csr, err := ioutil.ReadFile(test.File)
			if err != nil {
				t.Fatalf("CSR loading error (%s): %v", name, err)
			}
			testSerial := big.NewInt(0x7007F)

			certBytes, err := s.Sign(signer.SignRequest{
				Hosts:   hosts,
				Request: string(csr),
				Serial:  testSerial,
				Profile: name,
			})
			if test.ErrorCallback != nil {
				test.ErrorCallback(t, err)
			} else {
				if err != nil {
					t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
				}
				cert, err := helpers.ParseCertificatePEM(certBytes)
				if err != nil {
					t.Fatal("Fail to parse returned certificate:", err)
				}
				ku, _, _ := profile.Usages()
				if cert.KeyUsage != ku {
					t.Fatalf("Key usage was incorrect expected %+v, got %+v", ku, cert.KeyUsage)
				}
			}
		}
	}

	for name, profile := range universalConfig.Signing.Profiles {
		checkSign(name, profile)
	}

	// add check for default profile
	checkSign("", universalConfig.Signing.Default)
}
Exemple #2
0
func TestRemoteSignBadServerAndOverride(t *testing.T) {
	remoteServer := newTestSignServer(t)
	defer closeTestServer(t, remoteServer)

	// remoteConfig contains port 80 that no test server will listen on
	remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
	s := newRemoteSigner(t, remoteConfig.Signing)

	hosts := []string{"cloudflare.com"}
	csr, err := ioutil.ReadFile("../local/testdata/rsa2048.csr")
	if err != nil {
		t.Fatal("CSR loading error:", err)
	}

	_, err = s.Sign(signer.SignRequest{Hosts: hosts, Request: string(csr)})
	if err == nil {
		t.Fatal("Should return error")
	}

	remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
	s.SetPolicy(remoteConfig.Signing)
	certBytes, err := s.Sign(signer.SignRequest{
		Hosts:   hosts,
		Request: string(csr),
		Serial:  big.NewInt(1),
	})
	if err != nil {
		t.Fatalf("Expected no error. Got %s.", err.Error())
	}
	_, err = helpers.ParseCertificatePEM(certBytes)
	if err != nil {
		t.Fatal("Fail to parse returned certificate:", err)
	}

}
Exemple #3
0
func TestNewAuthSigner(t *testing.T) {
	remoteAuthConfig := testsuite.NewConfig(t, []byte(validMinimalAuthRemoteConfig))

	_, err := NewSigner(remoteAuthConfig.Signing)
	if err != nil {
		t.Fatal("fail to init remote signer:", err)
	}
}
Exemple #4
0
func TestRemoteInfo(t *testing.T) {
	remoteServer := newTestInfoServer(t, false, nil)
	defer closeTestServer(t, remoteServer)

	remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
	// override with test server address, ignore url prefix "http://"
	remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
	verifyRemoteInfo(t, remoteConfig)
}
func TestUniversalMultipleRemoteAndLocalInfo(t *testing.T) {
	// set up remote server
	remoteConfig := testsuite.NewConfig(t, []byte(validRemoteConfig))
	remoteServer := newTestInfoServer(t, newTestUniversalSigner(t, remoteConfig.Signing))
	defer closeTestServer(t, remoteServer)

	universalConfig := testsuite.NewConfig(t, []byte(validUniversalConfig))
	// override with test server address, ignore url prefix "http://"
	for name, profile := range universalConfig.Signing.Profiles {
		if profile.RemoteServer != "" {
			universalConfig.Signing.Profiles[name].RemoteServer = remoteServer.URL[7:]
		}
	}
	s := newTestUniversalSigner(t, universalConfig.Signing)

	for name, profile := range universalConfig.Signing.Profiles {
		checkInfo(t, s, name, profile)
	}

	// add check for default profile
	checkInfo(t, s, "", universalConfig.Signing.Default)
}
Exemple #6
0
func remoteTLSSign(t *testing.T, isMutual bool) {
	certPool, err := helpers.LoadPEMCertPool(testCaFile)
	if err != nil {
		t.Fatal(err)
	}
	var clientCA *x509.CertPool
	if isMutual {
		clientCA = certPool
	}
	remoteServer := newTestSignServer(t, true, clientCA)
	defer closeTestServer(t, remoteServer)

	remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
	// override with full server URL to get https in protocol"
	remoteConfig.Signing.OverrideRemotes(remoteServer.URL)
	remoteConfig.Signing.SetRemoteCAs(certPool)
	if isMutual {
		remoteConfig.Signing.SetClientCertKeyPairFromFile(testClientFile, testClientKeyFile)
	}
	verifyRemoteSign(t, remoteConfig)
}
Exemple #7
0
func TestRemoteSign(t *testing.T) {
	remoteServer := newTestSignServer(t)
	defer closeTestServer(t, remoteServer)

	remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
	// override with test server address, ignore url prefix "http://"
	remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
	s := newRemoteSigner(t, remoteConfig.Signing)

	hosts := []string{"cloudflare.com"}
	for _, test := range testsuite.CSRTests {
		csr, err := ioutil.ReadFile(test.File)
		if err != nil {
			t.Fatal("CSR loading error:", err)
		}
		testSerial := big.NewInt(0x7007F)
		certBytes, err := s.Sign(signer.SignRequest{
			Hosts:   hosts,
			Request: string(csr),
			Serial:  testSerial,
		})
		if test.ErrorCallback != nil {
			test.ErrorCallback(t, err)
		} else {
			if err != nil {
				t.Fatalf("Expected no error. Got %s. Param %s %d", err.Error(), test.KeyAlgo, test.KeyLen)
			}
			cert, err := helpers.ParseCertificatePEM(certBytes)
			if err != nil {
				t.Fatal("Fail to parse returned certificate:", err)
			}
			sn := fmt.Sprintf("%X", cert.SerialNumber)
			if sn != "7007F" {
				t.Fatal("Serial Number was incorrect:", sn)
			}
		}
	}
}
Exemple #8
0
func TestRemoteInfo(t *testing.T) {
	remoteServer := newTestInfoServer(t)
	defer closeTestServer(t, remoteServer)

	remoteConfig := testsuite.NewConfig(t, []byte(validMinimalRemoteConfig))
	// override with test server address, ignore url prefix "http://"
	remoteConfig.Signing.OverrideRemotes(remoteServer.URL[7:])
	s := newRemoteSigner(t, remoteConfig.Signing)
	req := info.Req{}
	resp, err := s.Info(req)
	if err != nil {
		t.Fatal("remote info failed:", err)
	}

	caBytes, err := ioutil.ReadFile(testCaFile)
	caBytes = bytes.TrimSpace(caBytes)
	if err != nil {
		t.Fatal("fail to read test CA cert:", err)
	}

	if bytes.Compare(caBytes, []byte(resp.Certificate)) != 0 {
		t.Fatal("Get a different CA cert through info api.", len(resp.Certificate), len(caBytes))
	}
}