Esempio n. 1
0
func TestGuess(t *testing.T) {
	crt := &x509.Certificate{
		OCSPServer: []string{
			"https://example.com/",
		},
		SerialNumber: big.NewInt(0xdeadb33f),
	}

	endp, certain, err := CertificateToEndpoints(crt)
	if err != ErrNotFound || endp != nil || certain {
		t.Fail()
	}

	e, err := CreateByDirectoryURL("https://unknown-boulder.test/directory")
	if err != nil {
		t.Fail()
	}

	RegisterEndpoint(e)

	e2, err := CreateByDirectoryURL("https://unknown-boulder.test/directory")
	if e2 != e || err != nil {
		t.Fatal()
	}

	e3, err := CreateByDirectoryURL("https://unknown-boulder3.test/")
	if err != nil {
		t.Fatal()
	}

	RegisterEndpoint(e3)

	e4, err := CreateByDirectoryURL("https://unknown-boulder4.test/directory")
	if err != nil {
		t.Fatal()
	}

	RegisterEndpoint(e4)

	du, err := CertificateURLToDirectoryURL("https://unknown-boulder.test/acme/cert/deadb33f")
	if err != nil {
		t.Fatal()
	}
	if du != e.DirectoryURL {
		t.Fatal()
	}

	du, err = CertificateURLToDirectoryURL("https://other-boulder.test/acme/cert/deadb33f")
	if err != ErrNotFound {
		t.Fatal()
	}

	endp, certain, err = CertificateToEndpoints(crt)
	if err != nil || certain || len(endp) != 3 {
		t.Fatal()
	}
	if endp[0] != e || endp[1] != e3 {
		t.Fail()
	}

	privKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	crtb, err := x509.CreateCertificate(rand.Reader, crt, crt, &privKey.PublicKey, privKey)
	if err != nil {
		t.Fatalf("%v", err)
	}

	crtb2 := make([]byte, len(crtb))
	copy(crtb2, crtb)
	mt := test.HTTPMockTransport{}
	mt.Add("unknown-boulder4.test/acme/cert/0000000000000000000000000000deadb33f", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/pkix-cert"},
		},
	}, crtb2)
	crt, _ = x509.ParseCertificate(crtb)
	cl := &acmeapi.Client{
		HTTPClient: &http.Client{
			Transport: &mt,
		},
	}
	_, cURL, err := CertificateToEndpointURL(cl, crt, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}
	if cURL != "https://unknown-boulder4.test/acme/cert/0000000000000000000000000000deadb33f" {
		t.Fatalf("curl %v", cURL)
	}
	mt.Clear()
	mt.Add("unknown-boulder.test/acme/cert/0000000000000000000000000000deadb33f", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/pkix-cert"},
		},
	}, crtb2)
	_, cURL, err = CertificateToEndpointURL(cl, crt, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}
	if cURL != "https://unknown-boulder.test/acme/cert/0000000000000000000000000000deadb33f" {
		t.Fatalf("curl %v", cURL)
	}
	crtb2[5] ^= 1
	_, cURL, err = CertificateToEndpointURL(cl, crt, context.TODO())
	if err == nil {
		t.Fatal()
	}
	mt.Clear()
	_, cURL, err = CertificateToEndpointURL(cl, crt, context.TODO())
	if err == nil {
		t.Fatal()
	}
}
Esempio n. 2
0
func TestAPI(t *testing.T) {
	Log.SetSeverity(xlog.SevDebug)

	mt := test.HTTPMockTransport{}

	cl := &Client{
		HTTPClient: &http.Client{
			Transport: &mt,
		},
	}

	issuedNonces := map[string]struct{}{}
	issueNonce := func() string {
		var b [8]byte
		_, err := rand.Read(b[:])
		if err != nil {
			panic(err)
		}

		s := fmt.Sprintf("nonce-%s", hex.EncodeToString(b[:]))
		issuedNonces[s] = struct{}{}
		return s
	}

	checkNonce := func(rw http.ResponseWriter, req *http.Request) bool {
		b, err := ioutil.ReadAll(req.Body)
		if err != nil {
			log.Fatalf("cannot read body: %v", err)
		}

		jws, err := jose.ParseSigned(string(b))
		if err != nil {
			log.Fatalf("malformed request body: %v", err)
		}

		if len(jws.Signatures) != 1 {
			log.Fatalf("wrong number of signatures: %v", err)
		}

		n := jws.Signatures[0].Header.Nonce

		_, ok := issuedNonces[n]
		if !ok {
			rw.Header().Set("Content-Type", "application/json")
			rw.WriteHeader(400)
			rw.Write([]byte(`{"type":"bad-nonce","message":"Bad nonce."}`))
			t.Logf("invalid nonce: %#v", n)
			t.Fail()
			return false
		}
		delete(issuedNonces, n)
		return true
	}

	// Load Certificate

	mt.Add("boulder.test/acme/cert/some-certificate", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/pkix-cert"},
			"Link":         []string{"</acme/issuer-cert>; rel=\"up\""},
		},
	}, []byte("cert-data"))

	mt.Add("boulder.test/acme/issuer-cert", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/pkix-cert"},
			"Link":         []string{"</acme/root-cert>; rel=\"up\""},
		},
	}, []byte("issuer-cert-data"))

	mt.Add("boulder.test/acme/root-cert", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/pkix-cert"},
			//"Replay-Nonce": []string{"some-nonce-root"},
		},
	}, []byte("root-cert-data"))

	crt := &Certificate{
		URI: "https://boulder.test/acme/cert/some-certificate",
	}

	correctCrt := *crt
	err := cl.WaitForCertificate(crt, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	someCrt := *crt
	correctCrt.Certificate = []byte("cert-data")
	correctCrt.ExtraCertificates = [][]byte{
		[]byte("issuer-cert-data"),
		[]byte("root-cert-data"),
	}

	crt.retryAt = time.Time{}
	if !reflect.DeepEqual(&correctCrt, crt) {
		t.Fatalf("%v != %v", &correctCrt, crt)
	}

	// Load Authorization

	mt.Add("boulder.test/acme/authz/some-authz", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/json"},
		},
	}, []byte(`{"challenges":[
    {
      "type": "http-01",
      "uri": "https://boulder.test/acme/challenge/some-challenge"
    }
  ],
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "pending",
  "expires": "2015-01-01T18:26:57Z"
  }`))

	az := &Authorization{
		URI: "https://boulder.test/acme/authz/some-authz",
	}

	correctAZ := *az
	correctAZ.Combinations = [][]int{[]int{0}}
	correctAZ.Identifier.Type = "dns"
	correctAZ.Identifier.Value = "example.com"
	correctAZ.Status = "pending"
	correctAZ.Expires = time.Date(2015, 1, 1, 18, 26, 57, 0, time.UTC)
	correctAZ.Challenges = []*Challenge{
		{
			Type: "http-01",
			URI:  "https://boulder.test/acme/challenge/some-challenge",
		},
	}

	err = cl.WaitLoadAuthorization(az, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	az.retryAt = time.Time{}
	if !reflect.DeepEqual(&correctAZ, az) {
		t.Fatal("%v != %v", &correctAZ, az)
	}

	// Load Challenge

	mt.Add("boulder.test/acme/challenge/some-challenge", &http.Response{
		StatusCode: 200,
		Header: http.Header{
			"Content-Type": []string{"application/json"},
		},
	}, []byte(`{
    "type": "http-01"
  }`))

	ch := &Challenge{
		URI: "https://boulder.test/acme/challenge/some-challenge",
	}
	err = cl.WaitLoadChallenge(ch, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	// Request Certificate

	mt.AddHandlerFunc("boulder.test/directory", func(rw http.ResponseWriter, req *http.Request) {
		rw.Header().Set("Content-Type", "application/json")
		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.WriteHeader(200)
		rw.Write([]byte(`{
      "new-reg": "https://boulder.test/acme/new-reg",
      "new-cert": "https://boulder.test/acme/new-cert",
      "new-authz": "https://boulder.test/acme/new-authz",
      "revoke-cert": "https://boulder.test/acme/revoke-cert"
    }`))
	})

	mt.AddHandlerFunc("boulder.test/acme/new-cert", func(rw http.ResponseWriter, req *http.Request) {
		rw.Header().Set("Location", "https://boulder.test/acme/cert/some-certificate")
		rw.WriteHeader(201)
	})

	epk, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cl.AccountKey = epk

	cl.DirectoryURL = "https://boulder.test/directory"
	crt, err = cl.RequestCertificate([]byte("csr"), context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	err = cl.LoadCertificate(crt, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	crt.CSR = nil
	crt.Resource = ""
	crt.retryAt = someCrt.retryAt
	if !reflect.DeepEqual(&someCrt, crt) {
		t.Fatalf("mismatch %#v\n\n%#v", &someCrt, crt)
	}

	t.Logf("%v", crt)

	// Upsert Registration

	mt.AddHandlerFunc("boulder.test/acme/new-reg", func(rw http.ResponseWriter, req *http.Request) {
		if req.Method != "POST" {
			t.Fatal()
		}
		if !checkNonce(rw, req) {
			return
		}

		rw.Header().Set("Location", "https://boulder.test/acme/reg/1")
		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.WriteHeader(409)
	})

	mt.AddHandlerFunc("boulder.test/acme/reg/1", func(rw http.ResponseWriter, req *http.Request) {
		if req.Method != "POST" {
			t.Fatal()
		}
		if !checkNonce(rw, req) {
			return
		}

		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.Header().Set("Content-Type", "application/json")
		rw.Header().Set("Link", "<urn:some:boulder:terms/of/service>; rel=\"terms-of-service\"")
		rw.WriteHeader(200)
		rw.Write([]byte(`{}`))
	})

	reg := &Registration{}
	err = cl.AgreeRegistration(reg, nil, context.TODO())
	ae, ok := err.(*AgreementError)
	if !ok || ae.URI != "urn:some:boulder:terms/of/service" {
		t.Fatalf("expected agreement error")
	}

	agreementURIs := map[string]struct{}{
		"urn:some:boulder:terms/of/service": struct{}{},
	}
	err = cl.AgreeRegistration(reg, agreementURIs, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	// New Authorization
	e503Count := 0
	total503 := 3

	mt.AddHandlerFunc("boulder.test/acme/new-authz", func(rw http.ResponseWriter, req *http.Request) {
		if req.Method != "POST" {
			t.Fatal()
		}
		if !checkNonce(rw, req) {
			return
		}

		rw.Header().Set("Content-Type", "application/json")

		if e503Count < total503 {
			rw.WriteHeader(503)
			rw.Write([]byte(`{"type":"urn:acme:error:serverInternal","detail":"Down"}`))
			e503Count++
			return
		}

		rw.Header().Set("Location", "https://boulder.test/acme/authz/1")
		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.WriteHeader(201)
		rw.Write([]byte(`{
  "challenges": [
    {
      "type": "http-01",
      "uri": "https://boulder.test/acme/challenge/some-challenge2"
    }
  ],
  "identifier": {
    "type": "dns",
    "value": "example.com"
  },
  "status": "pending",
  "expires": "2015-01-01T18:26:57Z"
}`))

	})

	mt.AddHandlerFunc("boulder.test/acme/challenge/some-challenge2", func(rw http.ResponseWriter, req *http.Request) {
		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.Header().Set("Content-Type", "application/json")
		rw.WriteHeader(200)
		rw.Write([]byte(`{}`))
	})

	for i := 0; i < total503; i++ {
		az, err = cl.NewAuthorization("example.com", context.TODO())
		if err == nil {
			t.Fatalf("no error when expected")
		}
	}

	az, err = cl.NewAuthorization("example.com", context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	err = cl.RespondToChallenge(az.Challenges[0], json.RawMessage(`{}`), nil, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}

	mt.AddHandlerFunc("boulder.test/acme/revoke-cert", func(rw http.ResponseWriter, req *http.Request) {
		if req.Method != "POST" {
			t.Fatal()
		}
		if !checkNonce(rw, req) {
			return
		}

		rw.Header().Set("Replay-Nonce", issueNonce())
		rw.Header().Set("Content-Type", "application/json")
		rw.WriteHeader(200)
		rw.Write([]byte(`{}`))
	})

	err = cl.Revoke([]byte("revoke-der"), nil, context.TODO())
	if err != nil {
		t.Fatalf("%v", err)
	}
}