func TestAuthSign(t *testing.T) { conf, err := config.LoadConfig([]byte(validAuthLocalConfig)) if err != nil { t.Fatal(err) } for i, test := range signTests { resp, body := testAuthSignFile(t, test.Hosts, test.Subject, test.CSRFile, conf.Signing.Default) if resp.StatusCode != test.ExpectedHTTPStatus { t.Logf("Test %d: expected: %d, have %d", i, test.ExpectedHTTPStatus, resp.StatusCode) t.Fatal(resp.Status, test.ExpectedHTTPStatus, string(body)) } message := new(api.Response) err := json.Unmarshal(body, message) if err != nil { t.Logf("failed to read response body: %v", err) t.Fatal(resp.Status, test.ExpectedHTTPStatus, message) } if test.ExpectedSuccess != message.Success { t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedSuccess, message.Success) t.Fatal(resp.Status, test.ExpectedHTTPStatus, message) } if test.ExpectedSuccess == true { continue } if test.ExpectedErrorCode != message.Errors[0].Code { t.Fatalf("Test %d: expected: %v, have %v", i, test.ExpectedErrorCode, message.Errors[0].Code) t.Fatal(resp.Status, test.ExpectedHTTPStatus, message) } } }
// helper functions func newConfig(t *testing.T, configBytes []byte) *config.Config { conf, err := config.LoadConfig([]byte(configBytes)) if err != nil { t.Fatal("config loading error:", err) } if !conf.Valid() { t.Fatal("config is not valid") } return conf }
func TestNewAuthHandlerWithNonAuthProfile(t *testing.T) { conf, err := config.LoadConfig([]byte(validLocalConfig)) if err != nil { t.Fatal(err) } _, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing) if err == nil { t.Fatal("No profile have auth keys. Should have failed to create auth sign handler.") } }
func TestNewHandlerWithProfile(t *testing.T) { conf, err := config.LoadConfig([]byte(validLocalConfig)) if err != nil { t.Fatal(err) } _, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal(err) } }
func TestNewAuthHandlerWithNoAuthConfig(t *testing.T) { conf, err := config.LoadConfig([]byte(validLocalConfig)) if err != nil { t.Fatal(err) } _, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing) if err == nil { t.Fatal("Config doesn't have auth keys. Should have failed.") } return }
func newTestAuthHandler(t *testing.T) http.Handler { conf, err := config.LoadConfig([]byte(validAuthLocalConfig)) if err != nil { t.Fatal(err) } h, err := NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal(err) } return h }
func TestNewHandlersWithAnotherMixedProfile(t *testing.T) { conf, err := config.LoadConfig([]byte(alsoValidMixedLocalConfig)) if err != nil { t.Fatal(err) } _, err = NewHandler(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal("Should be able to create non-auth sign handler.") } _, err = NewAuthHandler(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal("Should be able to create auth sign handler.") } }
func TestSignerDBPersistence(t *testing.T) { conf, err := config.LoadConfig([]byte(validLocalConfigLongerExpiry)) if err != nil { t.Fatal(err) } var s *local.Signer s, err = local.NewSignerFromFile(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal(err) } db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db") if err != nil { t.Fatal(err) } dbAccessor = sql.NewAccessor(db) s.SetDBAccessor(dbAccessor) var handler *api.HTTPHandler handler, err = NewHandlerFromSigner(signer.Signer(s)) if err != nil { t.Fatal(err) } ts := httptest.NewServer(handler) defer ts.Close() var csrPEM, body []byte csrPEM, err = ioutil.ReadFile(testCSRFile) if err != nil { t.Fatal(err) } blob, err := json.Marshal(&map[string]string{"certificate_request": string(csrPEM)}) if err != nil { t.Fatal(err) } var resp *http.Response resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob)) if err != nil { t.Fatal(err) } body, err = ioutil.ReadAll(resp.Body) if err != nil { t.Fatal(err) } if resp.StatusCode != http.StatusOK { t.Fatal(resp.Status, string(body)) } message := new(api.Response) err = json.Unmarshal(body, message) if err != nil { t.Fatalf("failed to read response body: %v", err) } if !message.Success { t.Fatal("API operation failed") } crs, err := dbAccessor.GetUnexpiredCertificates() if err != nil { t.Fatal("Failed to get unexpired certificates") } if len(crs) != 1 { t.Fatal("Expected 1 unexpired certificate in the database after signing 1: len(crs)=", len(crs)) } }
// NewCertificateAuthorityImpl creates a CA instance that can sign certificates // from a single issuer (the first first in the issers slice), and can sign OCSP // for any of the issuer certificates provided. func NewCertificateAuthorityImpl( config cmd.CAConfig, clk clock.Clock, stats statsd.Statter, issuers []Issuer, keyPolicy core.KeyPolicy, ) (*CertificateAuthorityImpl, error) { var ca *CertificateAuthorityImpl var err error logger := blog.Get() if config.SerialPrefix <= 0 || config.SerialPrefix >= 256 { err = errors.New("Must have a positive non-zero serial prefix less than 256 for CA.") return nil, err } // CFSSL requires processing JSON configs through its own LoadConfig, so we // serialize and then deserialize. cfsslJSON, err := json.Marshal(config.CFSSL) if err != nil { return nil, err } cfsslConfigObj, err := cfsslConfig.LoadConfig(cfsslJSON) if err != nil { return nil, err } if config.LifespanOCSP.Duration == 0 { return nil, errors.New("Config must specify an OCSP lifespan period.") } internalIssuers, err := makeInternalIssuers( issuers, cfsslConfigObj.Signing, config.LifespanOCSP.Duration) if err != nil { return nil, err } defaultIssuer := internalIssuers[issuers[0].Cert.Subject.CommonName] rsaProfile := config.RSAProfile ecdsaProfile := config.ECDSAProfile if rsaProfile == "" || ecdsaProfile == "" { return nil, errors.New("must specify rsaProfile and ecdsaProfile") } ca = &CertificateAuthorityImpl{ issuers: internalIssuers, defaultIssuer: defaultIssuer, rsaProfile: rsaProfile, ecdsaProfile: ecdsaProfile, prefix: config.SerialPrefix, clk: clk, log: logger, stats: stats, keyPolicy: keyPolicy, forceCNFromSAN: !config.DoNotForceCN, // Note the inversion here enableMustStaple: config.EnableMustStaple, } if config.Expiry == "" { return nil, errors.New("Config must specify an expiry period.") } ca.validityPeriod, err = time.ParseDuration(config.Expiry) if err != nil { return nil, err } ca.maxNames = config.MaxNames return ca, nil }