func TestValidationResult(t *testing.T) { ip := net.ParseIP("1.1.1.1") vrA := core.ValidationRecord{ Hostname: "hostA", Port: "2020", AddressesResolved: []net.IP{ip}, AddressUsed: ip, URL: "urlA", Authorities: []string{"authA"}, } vrB := core.ValidationRecord{ Hostname: "hostB", Port: "2020", AddressesResolved: []net.IP{ip}, AddressUsed: ip, URL: "urlB", Authorities: []string{"authB"}, } result := []core.ValidationRecord{vrA, vrB} prob := &probs.ProblemDetails{Type: probs.TLSProblem, Detail: "asd", HTTPStatus: 200} pb, err := validationResultToPB(result, prob) test.AssertNotError(t, err, "validationResultToPB failed") test.Assert(t, pb != nil, "Returned vapb.ValidationResult is nil") reconResult, reconProb, err := pbToValidationResult(pb) test.AssertNotError(t, err, "pbToValidationResult failed") test.AssertDeepEquals(t, reconResult, result) test.AssertDeepEquals(t, reconProb, prob) }
func TestPerformValidationReq(t *testing.T) { var jwk jose.JsonWebKey err := json.Unmarshal([]byte(JWK1JSON), &jwk) test.AssertNotError(t, err, "Failed to unmarshal test key") domain := "example.com" chall := core.Challenge{ AccountKey: &jwk, ID: 10, Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "asd", ProvidedKeyAuthorization: "keyauth", } authz := core.Authorization{ID: "asd", RegistrationID: 10} pb, err := argsToPerformValidationRequest(domain, chall, authz) test.AssertNotError(t, err, "argsToPerformValidationRequest failed") test.Assert(t, pb != nil, "Return vapb.PerformValidationRequest is nil") reconDomain, reconChall, reconAuthz, err := performValidationReqToArgs(pb) test.AssertNotError(t, err, "performValidationReqToArgs failed") test.AssertEquals(t, reconDomain, domain) test.AssertDeepEquals(t, reconChall, chall) test.AssertDeepEquals(t, reconAuthz, authz) }
func TestProblemDetails(t *testing.T) { pb, err := problemDetailsToPB(nil) test.AssertNotEquals(t, err, "problemDetailToPB failed") test.Assert(t, pb == nil, "Returned corepb.ProblemDetails is not nil") prob := &probs.ProblemDetails{Type: probs.TLSProblem, Detail: "asd", HTTPStatus: 200} pb, err = problemDetailsToPB(prob) test.AssertNotError(t, err, "problemDetailToPB failed") test.Assert(t, pb != nil, "return corepb.ProblemDetails is nill") test.AssertDeepEquals(t, *pb.ProblemType, string(prob.Type)) test.AssertEquals(t, *pb.Detail, prob.Detail) test.AssertEquals(t, int(*pb.HttpStatus), prob.HTTPStatus) recon, err := pbToProblemDetails(pb) test.AssertNotError(t, err, "pbToProblemDetails failed") test.AssertDeepEquals(t, recon, prob) recon, err = pbToProblemDetails(nil) test.AssertNotError(t, err, "pbToProblemDetails failed") test.Assert(t, recon == nil, "Returned core.PRoblemDetails is not nil") _, err = pbToProblemDetails(&corepb.ProblemDetails{}) test.AssertError(t, err, "pbToProblemDetails did not fail") test.AssertEquals(t, err, ErrMissingParameters) empty := "" _, err = pbToProblemDetails(&corepb.ProblemDetails{ProblemType: &empty}) test.AssertError(t, err, "pbToProblemDetails did not fail") test.AssertEquals(t, err, ErrMissingParameters) _, err = pbToProblemDetails(&corepb.ProblemDetails{Detail: &empty}) test.AssertError(t, err, "pbToProblemDetails did not fail") test.AssertEquals(t, err, ErrMissingParameters) }
func TestChallengesFor(t *testing.T) { pa := paImpl(t) var accountKey *jose.JsonWebKey err := json.Unmarshal([]byte(accountKeyJSON), &accountKey) if err != nil { t.Errorf("Error unmarshaling JWK: %v", err) } challenges, combinations := pa.ChallengesFor(core.AcmeIdentifier{}, accountKey) test.Assert(t, len(challenges) == len(enabledChallenges), "Wrong number of challenges returned") test.Assert(t, len(combinations) == len(enabledChallenges), "Wrong number of combinations returned") seenChalls := make(map[string]bool) // Expected only if the pseudo-RNG is seeded with 99. expectedCombos := [][]int{{1}, {2}, {0}} for _, challenge := range challenges { test.Assert(t, !seenChalls[challenge.Type], "should not already have seen this type") seenChalls[challenge.Type] = true test.Assert(t, enabledChallenges[challenge.Type], "Unsupported challenge returned") } test.AssertEquals(t, len(seenChalls), len(enabledChallenges)) test.AssertDeepEquals(t, expectedCombos, combinations) }
func TestVAChallenge(t *testing.T) { var jwk jose.JsonWebKey err := json.Unmarshal([]byte(JWK1JSON), &jwk) test.AssertNotError(t, err, "Failed to unmarshal test key") chall := core.Challenge{ AccountKey: &jwk, ID: 10, Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "asd", ProvidedKeyAuthorization: "keyauth", } pb, err := vaChallengeToPB(chall) test.AssertNotError(t, err, "vaChallengeToPB failed") test.Assert(t, pb != nil, "Returned corepb.Challenge is nil") recon, err := pbToVAChallenge(pb) test.AssertNotError(t, err, "pbToVAChallenge failed") test.AssertDeepEquals(t, recon, chall) _, err = pbToVAChallenge(nil) test.AssertError(t, err, "pbToVAChallenge did not fail") test.AssertEquals(t, err, ErrMissingParameters) _, err = pbToVAChallenge(&corepb.Challenge{}) test.AssertError(t, err, "pbToVAChallenge did not fail") test.AssertEquals(t, err, ErrMissingParameters) }
func TestAuthz(t *testing.T) { exp := time.Now().AddDate(0, 0, 1) identifier := core.AcmeIdentifier{Type: core.IdentifierDNS, Value: "example.com"} combos := make([][]int, 1) combos[0] = []int{0, 1} challA := core.Challenge{ ID: 10, Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "asd", ProvidedKeyAuthorization: "keyauth", } challB := core.Challenge{ ID: 11, Type: core.ChallengeTypeDNS01, Status: core.StatusPending, Token: "asd2", ProvidedKeyAuthorization: "keyauth4", } inAuthz := core.Authorization{ ID: "1", Identifier: identifier, RegistrationID: 5, Status: core.StatusPending, Expires: &exp, Challenges: []core.Challenge{challA, challB}, Combinations: combos, } pbAuthz, err := authzToPB(inAuthz) test.AssertNotError(t, err, "authzToPB failed") outAuthz, err := pbToAuthz(pbAuthz) test.AssertNotError(t, err, "pbToAuthz failed") test.AssertDeepEquals(t, inAuthz, outAuthz) }
func TestCapitalizedLetters(t *testing.T) { testCtx := setup(t) testCtx.caConfig.MaxNames = 3 ca, err := NewCertificateAuthorityImpl( testCtx.caConfig, testCtx.fc, testCtx.stats, testCtx.issuers, testCtx.keyPolicy) ca.Publisher = &mocks.Publisher{} ca.PA = testCtx.pa ca.SA = &mockSA{} csr, _ := x509.ParseCertificateRequest(CapitalizedCSR) cert, err := ca.IssueCertificate(ctx, *csr, 1001) test.AssertNotError(t, err, "Failed to gracefully handle a CSR with capitalized names") parsedCert, err := x509.ParseCertificate(cert.DER) test.AssertNotError(t, err, "Error parsing certificate produced by CA") test.AssertEquals(t, "capitalizedletters.com", parsedCert.Subject.CommonName) sort.Strings(parsedCert.DNSNames) expected := []string{"capitalizedletters.com", "evenmorecaps.com", "morecaps.com"} test.AssertDeepEquals(t, expected, parsedCert.DNSNames) t.Logf("subject serial number %#v", parsedCert.Subject.SerialNumber) }
func TestProblemDetailsFromError(t *testing.T) { testCases := []struct { err error statusCode int problem probs.ProblemType }{ {InternalServerError("foo"), 500, probs.ServerInternalProblem}, {NotSupportedError("foo"), 501, probs.ServerInternalProblem}, {MalformedRequestError("foo"), 400, probs.MalformedProblem}, {UnauthorizedError("foo"), 403, probs.UnauthorizedProblem}, {NotFoundError("foo"), 404, probs.MalformedProblem}, {SignatureValidationError("foo"), 400, probs.MalformedProblem}, {RateLimitedError("foo"), 429, probs.RateLimitedProblem}, {LengthRequiredError("foo"), 411, probs.MalformedProblem}, {BadNonceError("foo"), 400, probs.BadNonceProblem}, } for _, c := range testCases { p := ProblemDetailsForError(c.err, "k") if p.HTTPStatus != c.statusCode { t.Errorf("Incorrect status code for %s. Expected %d, got %d", reflect.TypeOf(c.err).Name(), c.statusCode, p.HTTPStatus) } if probs.ProblemType(p.Type) != c.problem { t.Errorf("Expected problem urn %#v, got %#v", c.problem, p.Type) } } expected := &probs.ProblemDetails{ Type: probs.MalformedProblem, HTTPStatus: 200, Detail: "gotcha", } p := ProblemDetailsForError(expected, "k") test.AssertDeepEquals(t, expected, p) }
func TestAddRegistration(t *testing.T) { sa, clk, cleanUp := initSA(t) defer cleanUp() jwk := satest.GoodJWK() contact, err := core.ParseAcmeURL("mailto:[email protected]") if err != nil { t.Fatalf("unable to parse contact link: %s", err) } contacts := []*core.AcmeURL{contact} reg, err := sa.NewRegistration(core.Registration{ Key: jwk, Contact: contacts, InitialIP: net.ParseIP("43.34.43.34"), }) if err != nil { t.Fatalf("Couldn't create new registration: %s", err) } test.Assert(t, reg.ID != 0, "ID shouldn't be 0") test.AssertDeepEquals(t, reg.Contact, contacts) _, err = sa.GetRegistration(0) test.AssertError(t, err, "Registration object for ID 0 was returned") dbReg, err := sa.GetRegistration(reg.ID) test.AssertNotError(t, err, fmt.Sprintf("Couldn't get registration with ID %v", reg.ID)) expectedReg := core.Registration{ ID: reg.ID, Key: jwk, InitialIP: net.ParseIP("43.34.43.34"), CreatedAt: clk.Now(), } test.AssertEquals(t, dbReg.ID, expectedReg.ID) test.Assert(t, core.KeyDigestEquals(dbReg.Key, expectedReg.Key), "Stored key != expected") u, _ := core.ParseAcmeURL("test.com") newReg := core.Registration{ ID: reg.ID, Key: jwk, Contact: []*core.AcmeURL{u}, InitialIP: net.ParseIP("72.72.72.72"), Agreement: "yes", } err = sa.UpdateRegistration(newReg) test.AssertNotError(t, err, fmt.Sprintf("Couldn't get registration with ID %v", reg.ID)) dbReg, err = sa.GetRegistrationByKey(jwk) test.AssertNotError(t, err, "Couldn't get registration by key") test.AssertEquals(t, dbReg.ID, newReg.ID) test.AssertEquals(t, dbReg.Agreement, newReg.Agreement) var anotherJWK jose.JsonWebKey err = json.Unmarshal([]byte(anotherKey), &anotherJWK) test.AssertNotError(t, err, "couldn't unmarshal anotherJWK") _, err = sa.GetRegistrationByKey(anotherJWK) test.AssertError(t, err, "Registration object for invalid key was returned") }
func TestRegistration(t *testing.T) { contacts := []string{"email"} var key jose.JsonWebKey err := json.Unmarshal([]byte(` { "e": "AQAB", "kty": "RSA", "n": "tSwgy3ORGvc7YJI9B2qqkelZRUC6F1S5NwXFvM4w5-M0TsxbFsH5UH6adigV0jzsDJ5imAechcSoOhAh9POceCbPN1sTNwLpNbOLiQQ7RD5mY_pSUHWXNmS9R4NZ3t2fQAzPeW7jOfF0LKuJRGkekx6tXP1uSnNibgpJULNc4208dgBaCHo3mvaE2HV2GmVl1yxwWX5QZZkGQGjNDZYnjFfa2DKVvFs0QbAk21ROm594kAxlRlMMrvqlf24Eq4ERO0ptzpZgm_3j_e4hGRD39gJS7kAzK-j2cacFQ5Qi2Y6wZI2p-FCq_wiYsfEAIkATPBiLKl_6d_Jfcvs_impcXQ" } `), &key) test.AssertNotError(t, err, "Could not unmarshal testing key") inReg := core.Registration{ ID: 1, Key: &key, Contact: &contacts, Agreement: "yup", InitialIP: net.ParseIP("1.1.1.1"), CreatedAt: time.Now(), Status: core.StatusValid, } pbReg, err := registrationToPB(inReg) test.AssertNotError(t, err, "registrationToPB failed") outReg, err := pbToRegistration(pbReg) test.AssertNotError(t, err, "pbToRegistration failed") test.AssertDeepEquals(t, inReg, outReg) inReg.Contact = nil pbReg, err = registrationToPB(inReg) test.AssertNotError(t, err, "registrationToPB failed") pbReg.Contact = []string{} outReg, err = pbToRegistration(pbReg) test.AssertNotError(t, err, "pbToRegistration failed") test.AssertDeepEquals(t, inReg, outReg) var empty []string inReg.Contact = &empty pbReg, err = registrationToPB(inReg) test.AssertNotError(t, err, "registrationToPB failed") outReg, err = pbToRegistration(pbReg) test.AssertNotError(t, err, "pbToRegistration failed") test.Assert(t, *outReg.Contact != nil, "Empty slice was converted to a nil slice") }
func TestJWK(t *testing.T) { var jwk jose.JsonWebKey err := json.Unmarshal([]byte(JWK1JSON), &jwk) test.AssertNotError(t, err, "Failed to unmarshal test key") str, err := jwkToString(&jwk) test.AssertNotError(t, err, "jwkToString failed") test.AssertEquals(t, str, JWK1JSON) recon, err := stringToJWK(str) test.AssertNotError(t, err, "stringToJWK failed") test.AssertDeepEquals(t, recon.Key, jwk.Key) }
func TestCert(t *testing.T) { now := time.Now() cert := core.Certificate{ RegistrationID: 1, Serial: "serial", Digest: "digest", DER: []byte{255}, Issued: now, Expires: now.Add(time.Hour), } certPB := certToPB(cert) outCert := pbToCert(certPB) test.AssertDeepEquals(t, cert, outCert) }
func TestSCT(t *testing.T) { sct := core.SignedCertificateTimestamp{ ID: 10, SCTVersion: 1, LogID: "logid", Timestamp: 100, Extensions: []byte{255}, Signature: []byte{1}, CertificateSerial: "serial", } sctPB := sctToPB(sct) outSCT := pbToSCT(sctPB) test.AssertDeepEquals(t, sct, outSCT) }
func TestNormalizeCSR(t *testing.T) { cases := []struct { csr *x509.CertificateRequest forceCN bool expectedCN string expectedNames []string }{ { &x509.CertificateRequest{DNSNames: []string{"a.com"}}, true, "a.com", []string{"a.com"}, }, { &x509.CertificateRequest{Subject: pkix.Name{CommonName: "A.com"}, DNSNames: []string{"a.com"}}, true, "a.com", []string{"a.com"}, }, { &x509.CertificateRequest{DNSNames: []string{"a.com"}}, false, "", []string{"a.com"}, }, { &x509.CertificateRequest{DNSNames: []string{"a.com", "a.com"}}, false, "", []string{"a.com"}, }, { &x509.CertificateRequest{Subject: pkix.Name{CommonName: "A.com"}, DNSNames: []string{"B.com"}}, false, "a.com", []string{"a.com", "b.com"}, }, } for _, c := range cases { normalizeCSR(c.csr, c.forceCN) test.AssertEquals(t, c.expectedCN, c.csr.Subject.CommonName) test.AssertDeepEquals(t, c.expectedNames, c.expectedNames) } }
func TestValidationRecord(t *testing.T) { ip := net.ParseIP("1.1.1.1") vr := core.ValidationRecord{ Hostname: "host", Port: "2020", AddressesResolved: []net.IP{ip}, AddressUsed: ip, URL: "url", Authorities: []string{"auth"}, } pb, err := validationRecordToPB(vr) test.AssertNotError(t, err, "validationRecordToPB failed") test.Assert(t, pb != nil, "Return core.ValidationRecord is nil") recon, err := pbToValidationRecord(pb) test.AssertNotError(t, err, "pbToValidationRecord failed") test.AssertDeepEquals(t, recon, vr) }
func TestChallengesFor(t *testing.T) { pa := paImpl(t) challenges, combinations := pa.ChallengesFor(core.AcmeIdentifier{}) test.Assert(t, len(challenges) == len(enabledChallenges), "Wrong number of challenges returned") test.Assert(t, len(combinations) == len(enabledChallenges), "Wrong number of combinations returned") seenChalls := make(map[string]bool) // Expected only if the pseudo-RNG is seeded with 99. expectedCombos := [][]int{{1}, {2}, {0}} for _, challenge := range challenges { test.Assert(t, !seenChalls[challenge.Type], "should not already have seen this type") seenChalls[challenge.Type] = true test.Assert(t, enabledChallenges[challenge.Type], "Unsupported challenge returned") } test.AssertEquals(t, len(seenChalls), len(enabledChallenges)) test.AssertDeepEquals(t, expectedCombos, combinations) }
func TestCapitalizedLetters(t *testing.T) { ctx := setup(t) defer ctx.cleanUp() ctx.caConfig.MaxNames = 3 ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCert, caKey, ctx.keyPolicy) ca.Publisher = &mocks.Publisher{} ca.PA = ctx.pa ca.SA = ctx.sa csr, _ := x509.ParseCertificateRequest(CapitalizedCSR) cert, err := ca.IssueCertificate(*csr, ctx.reg.ID) test.AssertNotError(t, err, "Failed to gracefully handle a CSR with capitalized names") parsedCert, err := x509.ParseCertificate(cert.DER) test.AssertNotError(t, err, "Error parsing certificate produced by CA") test.AssertEquals(t, "capitalizedletters.com", parsedCert.Subject.CommonName) sort.Strings(parsedCert.DNSNames) expected := []string{"capitalizedletters.com", "evenmorecaps.com", "morecaps.com"} test.AssertDeepEquals(t, expected, parsedCert.DNSNames) }
func TestAllowNoCN(t *testing.T) { testCtx := setup(t) ca, err := NewCertificateAuthorityImpl( testCtx.caConfig, testCtx.fc, testCtx.stats, testCtx.issuers, testCtx.keyPolicy, testCtx.logger) test.AssertNotError(t, err, "Couldn't create new CA") ca.forceCNFromSAN = false ca.Publisher = &mocks.Publisher{} ca.PA = testCtx.pa ca.SA = &mockSA{} csr, err := x509.ParseCertificateRequest(NoCNCSR) test.AssertNotError(t, err, "Couldn't parse CSR") issuedCert, err := ca.IssueCertificate(ctx, *csr, 1001) test.AssertNotError(t, err, "Failed to sign certificate") cert, err := x509.ParseCertificate(issuedCert.DER) test.AssertNotError(t, err, fmt.Sprintf("unable to parse no CN cert: %s", err)) if cert.Subject.CommonName != "" { t.Errorf("want no CommonName, got %#v", cert.Subject.CommonName) } serial := core.SerialToString(cert.SerialNumber) if cert.Subject.SerialNumber != serial { t.Errorf("SerialNumber: want %#v, got %#v", serial, cert.Subject.SerialNumber) } expected := []string{} for _, name := range csr.DNSNames { expected = append(expected, name) } sort.Strings(expected) actual := []string{} for _, name := range cert.DNSNames { actual = append(actual, name) } sort.Strings(actual) test.AssertDeepEquals(t, actual, expected) }
func TestLoadPolicies(t *testing.T) { policy := New() policyContent, readErr := ioutil.ReadFile("../test/rate-limit-policies.yml") test.AssertNotError(t, readErr, "Failed to load rate-limit-policies.yml") // Test that loading a good policy from YAML doesn't error err := policy.LoadPolicies(policyContent) test.AssertNotError(t, err, "Failed to parse rate-limit-policies.yml") // Test that the TotalCertificates section parsed correctly totalCerts := policy.TotalCertificates() test.AssertEquals(t, totalCerts.Threshold, 100000) test.AssertEquals(t, len(totalCerts.Overrides), 0) test.AssertEquals(t, len(totalCerts.RegistrationOverrides), 0) // Test that the CertificatesPerName section parsed correctly certsPerName := policy.CertificatesPerName() test.AssertEquals(t, certsPerName.Threshold, 2) test.AssertDeepEquals(t, certsPerName.Overrides, map[string]int{ "ratelimit.me": 1, "le.wtf": 10000, "le1.wtf": 10000, "le2.wtf": 10000, "le3.wtf": 10000, "nginx.wtf": 10000, "good-caa-reserved.com": 10000, "bad-caa-reserved.com": 10000, "ecdsa.le.wtf": 10000, "must-staple.le.wtf": 10000, }) test.AssertDeepEquals(t, certsPerName.RegistrationOverrides, map[int64]int{ 101: 1000, }) // Test that the RegistrationsPerIP section parsed correctly regsPerIP := policy.RegistrationsPerIP() test.AssertEquals(t, regsPerIP.Threshold, 10000) test.AssertDeepEquals(t, regsPerIP.Overrides, map[string]int{ "127.0.0.1": 1000000, }) test.AssertEquals(t, len(regsPerIP.RegistrationOverrides), 0) // Test that the PendingAuthorizationsPerAccount section parsed correctly pendingAuthsPerAcct := policy.PendingAuthorizationsPerAccount() test.AssertEquals(t, pendingAuthsPerAcct.Threshold, 3) test.AssertEquals(t, len(pendingAuthsPerAcct.Overrides), 0) test.AssertEquals(t, len(pendingAuthsPerAcct.RegistrationOverrides), 0) // Test that the CertificatesPerFQDN section parsed correctly certsPerFQDN := policy.CertificatesPerFQDNSet() test.AssertEquals(t, certsPerFQDN.Threshold, 5) test.AssertDeepEquals(t, certsPerFQDN.Overrides, map[string]int{ "le.wtf": 10000, "le1.wtf": 10000, "le2.wtf": 10000, "le3.wtf": 10000, "le.wtf,le1.wtf": 10000, "good-caa-reserved.com": 10000, "nginx.wtf": 10000, "ecdsa.le.wtf": 10000, "must-staple.le.wtf": 10000, }) test.AssertEquals(t, len(certsPerFQDN.RegistrationOverrides), 0) // Test that loading invalid YAML generates an error err = policy.LoadPolicies([]byte("err")) test.AssertError(t, err, "Failed to generate error loading invalid yaml policy file") // Re-check a field of policy to make sure a LoadPolicies error doesn't // corrupt the existing policies test.AssertDeepEquals(t, policy.RegistrationsPerIP().Overrides, map[string]int{ "127.0.0.1": 1000000, }) // Test that the RateLimitConfig accessors do not panic when there has been no // `LoadPolicy` call, and instead return empty RateLimitPolicy objects with default // values. emptyPolicy := New() test.AssertEquals(t, emptyPolicy.TotalCertificates().Threshold, 0) test.AssertEquals(t, emptyPolicy.CertificatesPerName().Threshold, 0) test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, 0) test.AssertEquals(t, emptyPolicy.RegistrationsPerIP().Threshold, 0) test.AssertEquals(t, emptyPolicy.PendingAuthorizationsPerAccount().Threshold, 0) test.AssertEquals(t, emptyPolicy.CertificatesPerFQDNSet().Threshold, 0) }
func TestVerifyCSR(t *testing.T) { private, err := rsa.GenerateKey(rand.Reader, 2048) test.AssertNotError(t, err, "error generating test key") signedReqBytes, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{PublicKey: private.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA}, private) test.AssertNotError(t, err, "error generating test CSR") signedReq, err := x509.ParseCertificateRequest(signedReqBytes) test.AssertNotError(t, err, "error parsing test CSR") brokenSignedReq := new(x509.CertificateRequest) *brokenSignedReq = *signedReq brokenSignedReq.Signature = []byte{1, 1, 1, 1} signedReqWithHosts := new(x509.CertificateRequest) *signedReqWithHosts = *signedReq signedReqWithHosts.DNSNames = []string{"a.com", "b.com"} signedReqWithLongCN := new(x509.CertificateRequest) *signedReqWithLongCN = *signedReq signedReqWithLongCN.Subject.CommonName = strings.Repeat("a", maxCNLength+1) signedReqWithBadName := new(x509.CertificateRequest) *signedReqWithBadName = *signedReq signedReqWithBadName.DNSNames = []string{"bad-name.com"} cases := []struct { csr *x509.CertificateRequest maxNames int keyPolicy *goodkey.KeyPolicy pa core.PolicyAuthority regID int64 expectedError error }{ { &x509.CertificateRequest{}, 0, testingPolicy, &mockPA{}, 0, errors.New("invalid public key in CSR"), }, { &x509.CertificateRequest{PublicKey: private.PublicKey}, 1, testingPolicy, &mockPA{}, 0, errors.New("signature algorithm not supported"), }, { brokenSignedReq, 1, testingPolicy, &mockPA{}, 0, errors.New("invalid signature on CSR"), }, { signedReq, 1, testingPolicy, &mockPA{}, 0, errors.New("at least one DNS name is required"), }, { signedReqWithLongCN, 1, testingPolicy, &mockPA{}, 0, errors.New("CN was longer than 64 bytes"), }, { signedReqWithHosts, 1, testingPolicy, &mockPA{}, 0, errors.New("CSR contains more than 1 DNS names"), }, { signedReqWithBadName, 1, testingPolicy, &mockPA{}, 0, errors.New("policy forbids issuing for: bad-name.com"), }, } for _, c := range cases { err := VerifyCSR(c.csr, c.maxNames, c.keyPolicy, c.pa, false, c.regID) test.AssertDeepEquals(t, c.expectedError, err) } }
func TestUniqueLowerNames(t *testing.T) { u := UniqueLowerNames([]string{"foobar.com", "fooBAR.com", "baz.com", "foobar.com", "bar.com", "bar.com", "a.com"}) sort.Strings(u) test.AssertDeepEquals(t, []string{"a.com", "bar.com", "baz.com", "foobar.com"}, u) }