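// TestAddCertificate stores two DER certificates through the SA and checks
// that each can be read back byte-for-byte by its full serial, and that the
// certificate status created alongside it has the expected initial values.
func TestAddCertificate(t *testing.T) {
	// Enable the `CertStatusOptimizationsMigrated` feature flag so that adding a
	// new certificate populates the `certificateStatus.NotAfter` field. Note:
	// this must be done **before** the DbMap is created in `initSA()` or the
	// feature flag won't be set at the time the table maps are set up.
	//
	// The error is checked instead of discarded: if the flag could not be set,
	// the test would otherwise carry on with it off and only fail much later,
	// at the NotAfter assertion, with a misleading message.
	err := features.Set(map[string]bool{"CertStatusOptimizationsMigrated": true})
	defer features.Reset()
	test.AssertNotError(t, err, "Couldn't set CertStatusOptimizationsMigrated feature flag")

	sa, _, cleanUp := initSA(t)
	defer cleanUp()

	reg := satest.CreateWorkingRegistration(t, sa)

	// An example cert taken from EFF's website. The serial below is 0x21bd4
	// zero-padded to the 36 hex characters the SA is queried with; it is named
	// once so the certificate and status lookups cannot drift apart.
	const effSerial = "000000000000000000000000000000021bd4"
	certDER, err := ioutil.ReadFile("www.eff.org.der")
	test.AssertNotError(t, err, "Couldn't read example cert DER")

	// The expected digest is 43 characters of URL-safe base64 (32 bytes,
	// unpadded) - presumably a SHA-256 over the DER; confirm against
	// AddCertificate.
	digest, err := sa.AddCertificate(ctx, certDER, reg.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
	test.AssertEquals(t, digest, "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo")

	// The stored DER must be exactly the bytes that were submitted.
	retrievedCert, err := sa.GetCertificate(ctx, effSerial)
	test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial")
	test.AssertByteEquals(t, certDER, retrievedCert.DER)

	// A freshly added certificate starts out unapproved, with OCSP status
	// "good" and no OCSP update recorded yet.
	certificateStatus, err := sa.GetCertificateStatus(ctx, effSerial)
	test.AssertNotError(t, err, "Couldn't get status for www.eff.org.der")
	test.Assert(t, !certificateStatus.SubscriberApproved, "SubscriberApproved should be false")
	test.Assert(t, certificateStatus.Status == core.OCSPStatusGood, "OCSP Status should be good")
	test.Assert(t, certificateStatus.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
	// Only meaningful with the feature flag enabled above.
	test.AssertEquals(t, certificateStatus.NotAfter, retrievedCert.Expires)

	// Test cert generated locally by Boulder / CFSSL, names [example.com,
	// www.example.com, admin.example.com]
	certDER2, err := ioutil.ReadFile("test-cert.der")
	test.AssertNotError(t, err, "Couldn't read example cert DER")

	serial := "ffdd9b8a82126d96f61d378d5ba99a0474f0"
	digest2, err := sa.AddCertificate(ctx, certDER2, reg.ID)
	test.AssertNotError(t, err, "Couldn't add test-cert.der")
	test.AssertEquals(t, digest2, "vrlPN5wIPME1D2PPsCy-fGnTWh8dMyyYQcXPRkjHAQI")

	retrievedCert2, err := sa.GetCertificate(ctx, serial)
	test.AssertNotError(t, err, "Couldn't get test-cert.der")
	test.AssertByteEquals(t, certDER2, retrievedCert2.DER)

	certificateStatus2, err := sa.GetCertificateStatus(ctx, serial)
	test.AssertNotError(t, err, "Couldn't get status for test-cert.der")
	test.Assert(t, !certificateStatus2.SubscriberApproved, "SubscriberApproved should be false")
	test.Assert(t, certificateStatus2.Status == core.OCSPStatusGood, "OCSP Status should be good")
	test.Assert(t, certificateStatus2.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
}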
// TestAddCertificate adds two DER certificates to the SA and verifies that
// each one comes back unchanged when fetched by short serial prefix and by
// full serial, and that its initial certificate status is as expected.
func TestAddCertificate(t *testing.T) {
	store, _, cleanUp := initSA(t)
	defer cleanUp()

	account := satest.CreateWorkingRegistration(t, store)

	// An example cert taken from EFF's website
	effDER, err := ioutil.ReadFile("www.eff.org.der")
	test.AssertNotError(t, err, "Couldn't read example cert DER")

	effDigest, err := store.AddCertificate(effDER, account.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")
	test.AssertEquals(t, effDigest, "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo")

	// Example cert serial is 0x21bd4, so a prefix of all zeroes should fetch it.
	// NOTE(review): a 16-character prefix identifies a certificate only while
	// no other stored serial shares it; how GetCertificateByShortSerial treats
	// an ambiguous prefix is not visible here - confirm.
	effByPrefix, err := store.GetCertificateByShortSerial("0000000000000000")
	test.AssertNotError(t, err, "Couldn't get www.eff.org.der by short serial")
	test.AssertByteEquals(t, effDER, effByPrefix.DER)

	const effSerial = "00000000000000000000000000021bd4"
	effByFull, err := store.GetCertificate(effSerial)
	test.AssertNotError(t, err, "Couldn't get www.eff.org.der by full serial")
	test.AssertByteEquals(t, effDER, effByFull.DER)

	// A new certificate starts unapproved, OCSP-good, with no OCSP update yet.
	effStatus, err := store.GetCertificateStatus(effSerial)
	test.AssertNotError(t, err, "Couldn't get status for www.eff.org.der")
	test.Assert(t, !effStatus.SubscriberApproved, "SubscriberApproved should be false")
	test.Assert(t, effStatus.Status == core.OCSPStatusGood, "OCSP Status should be good")
	test.Assert(t, effStatus.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")

	// Test cert generated locally by Boulder / CFSSL, serial "ff00000000000002238054509817da5a"
	const localSerial = "ff00000000000002238054509817da5a"
	localDER, err := ioutil.ReadFile("test-cert.der")
	test.AssertNotError(t, err, "Couldn't read example cert DER")

	localDigest, err := store.AddCertificate(localDER, account.ID)
	test.AssertNotError(t, err, "Couldn't add test-cert.der")
	test.AssertEquals(t, localDigest, "CMVYqWzyqUW7pfBF2CxL0Uk6I0Upsk7p4EWSnd_vYx4")

	// The short serial is the first 16 hex characters of the full serial above.
	localByPrefix, err := store.GetCertificateByShortSerial("ff00000000000002")
	test.AssertNotError(t, err, "Couldn't get test-cert.der")
	test.AssertByteEquals(t, localDER, localByPrefix.DER)

	localByFull, err := store.GetCertificate(localSerial)
	test.AssertNotError(t, err, "Couldn't get test-cert.der")
	test.AssertByteEquals(t, localDER, localByFull.DER)

	localStatus, err := store.GetCertificateStatus(localSerial)
	test.AssertNotError(t, err, "Couldn't get status for test-cert.der")
	test.Assert(t, !localStatus.SubscriberApproved, "SubscriberApproved should be false")
	test.Assert(t, localStatus.Status == core.OCSPStatusGood, "OCSP Status should be good")
	test.Assert(t, localStatus.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
}
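// TestGenerateAndStoreOCSPResponse adds a test certificate, generates and
// stores an OCSP response for it, then generates and stores a revoked
// response for the same status, and finally checks which response the SA
// returns for that serial.
func TestGenerateAndStoreOCSPResponse(t *testing.T) {
	updater, sa, _, _, cleanUp := setup(t)
	defer cleanUp()

	reg := satest.CreateWorkingRegistration(t, sa)
	parsedCert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	// The failure message names the file actually loaded above; it previously
	// referred to www.eff.org.der, which this test never touches.
	_, err = sa.AddCertificate(parsedCert.Raw, reg.ID)
	test.AssertNotError(t, err, "Couldn't add test-cert.pem")

	status, err := sa.GetCertificateStatus(core.SerialToString(parsedCert.SerialNumber))
	test.AssertNotError(t, err, "Couldn't get the core.CertificateStatus from the database")

	meta, err := updater.generateResponse(status)
	test.AssertNotError(t, err, "Couldn't generate OCSP response")
	err = updater.storeResponse(meta)
	test.AssertNotError(t, err, "Couldn't store certificate status")

	secondMeta, err := updater.generateRevokedResponse(status)
	test.AssertNotError(t, err, "Couldn't generate revoked OCSP response")
	err = updater.storeResponse(secondMeta)
	test.AssertNotError(t, err, "Couldn't store certificate status")

	// The stored response is compared with the FIRST response (meta), not the
	// revoked one, so the test expects the second store to leave the row as it
	// was even though it returned no error.
	// NOTE(review): presumably storeResponse only writes a response whose
	// status matches the certificate's current status, so a revoked response
	// cannot replace a good one (or vice versa) - confirm against storeResponse.
	newStatus, err := sa.GetCertificateStatus(status.Serial)
	test.AssertNotError(t, err, "Couldn't retrieve certificate status")
	test.AssertByteEquals(t, meta.OCSPResponse, newStatus.OCSPResponse)
}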
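// TestSaveReport saves a small report into a temporary directory and checks
// that the file written there holds exactly the bytes json.Marshal produces
// for the same report.
func TestSaveReport(t *testing.T) {
	r := report{
		begin:     time.Time{},
		end:       time.Time{},
		GoodCerts: 2,
		BadCerts:  1,
		// Element types are omitted from the map values; the map's declared
		// value type already fixes them.
		Entries: map[string]reportEntry{
			"020000000000004b475da49b91da5c17": {
				Valid: true,
			},
			"020000000000004d1613e581432cba7e": {
				Valid: true,
			},
			"020000000000004e402bc21035c6634a": {
				Valid:    false,
				Problems: []string{"None really..."},
			},
		},
	}

	tmpDir, err := ioutil.TempDir("", "cert-checker")
	test.AssertNotError(t, err, "Couldn't create temporary directory")
	// Best-effort cleanup; a failure to remove the directory does not affect
	// what this test checks.
	defer os.RemoveAll(tmpDir)

	err = r.save(tmpDir)
	test.AssertNotError(t, err, "Couldn't save report")

	// NOTE(review): the expected file name presumably comes from the zero-value
	// begin/end times set above - confirm against report.save. path.Join always
	// joins with forward slashes; filepath.Join would be the OS-correct call if
	// the file imports path/filepath.
	reportContent, err := ioutil.ReadFile(path.Join(tmpDir, "00010101-00010101-report.json"))
	test.AssertNotError(t, err, "Couldn't read report file")

	// This step marshals the expected content, so the failure message says so
	// (it previously said "unmarshal"). begin and end are unexported and are
	// therefore skipped by encoding/json.
	expectedContent, err := json.Marshal(r)
	test.AssertNotError(t, err, "Couldn't marshal expected report")
	test.AssertByteEquals(t, expectedContent, reportContent)
}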
// TestAddCertificate adds two DER certificates to the SA and, for each one in
// turn, verifies the returned digest, that the stored DER matches the input
// when fetched by full serial, and that the initial certificate status is
// unapproved, OCSP-good and has no OCSP update recorded.
func TestAddCertificate(t *testing.T) {
	storage, _, cleanUp := initSA(t)
	defer cleanUp()

	registration := satest.CreateWorkingRegistration(t, storage)

	// Each fixture carries its own failure messages so that a failing
	// assertion still names the certificate it concerns.
	fixtures := []struct {
		file      string
		serial    string
		digest    string
		addMsg    string
		getMsg    string
		statusMsg string
	}{
		{
			// An example cert taken from EFF's website
			file:      "www.eff.org.der",
			serial:    "000000000000000000000000000000021bd4",
			digest:    "qWoItDZmR4P9eFbeYgXXP3SR4ApnkQj8x4LsB_ORKBo",
			addMsg:    "Couldn't add www.eff.org.der",
			getMsg:    "Couldn't get www.eff.org.der by full serial",
			statusMsg: "Couldn't get status for www.eff.org.der",
		},
		{
			// Test cert generated locally by Boulder / CFSSL, names [example.com,
			// www.example.com, admin.example.com]
			file:      "test-cert.der",
			serial:    "ffdd9b8a82126d96f61d378d5ba99a0474f0",
			digest:    "vrlPN5wIPME1D2PPsCy-fGnTWh8dMyyYQcXPRkjHAQI",
			addMsg:    "Couldn't add test-cert.der",
			getMsg:    "Couldn't get test-cert.der",
			statusMsg: "Couldn't get status for test-cert.der",
		},
	}

	for _, fx := range fixtures {
		der, err := ioutil.ReadFile(fx.file)
		test.AssertNotError(t, err, "Couldn't read example cert DER")

		gotDigest, err := storage.AddCertificate(der, registration.ID)
		test.AssertNotError(t, err, fx.addMsg)
		test.AssertEquals(t, gotDigest, fx.digest)

		// The stored DER must be exactly the bytes that were submitted.
		stored, err := storage.GetCertificate(fx.serial)
		test.AssertNotError(t, err, fx.getMsg)
		test.AssertByteEquals(t, der, stored.DER)

		status, err := storage.GetCertificateStatus(fx.serial)
		test.AssertNotError(t, err, fx.statusMsg)
		test.Assert(t, !status.SubscriberApproved, "SubscriberApproved should be false")
		test.Assert(t, status.Status == core.OCSPStatusGood, "OCSP Status should be good")
		test.Assert(t, status.OCSPLastUpdated.IsZero(), "OCSPLastUpdated should be nil")
	}
}
// countMustStaple returns the number of extensions in cert whose OID equals
// oidTLSFeature. For every such extension it also asserts that the extension
// is not marked critical and that its value equals mustStapleFeatureValue, so
// a caller gets both a count and a well-formedness check in one pass.
//
// NOTE(review): RFC 7633 says the TLS feature extension SHOULD NOT be marked
// critical, which is what the first assertion enforces - assuming
// oidTLSFeature is that extension's OID (declared outside this block).
func countMustStaple(t *testing.T, cert *x509.Certificate) (count int) {
	for i := range cert.Extensions {
		candidate := cert.Extensions[i]
		if !candidate.Id.Equal(oidTLSFeature) {
			// Not the extension being counted; nothing to check.
			continue
		}
		test.Assert(t, !candidate.Critical, "Extension was marked critical")
		test.AssertByteEquals(t, candidate.Value, mustStapleFeatureValue)
		count++
	}
	return count
}