// TestCheckCAAFallback exercises checkCAA against a hostname whose local
// resolver lookup fails ("bad-local-resolver.com").
//
// With a CAADistributedResolver attached, the fallback path is expected to
// succeed and return no problem. With caaDR cleared, the same lookup must
// surface a ConnectionProblem whose detail is "server failure at resolver".
func TestCheckCAAFallback(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(mocks.GPDNSHandler))
	defer srv.Close()

	statter := mocks.NewStatter()
	scope := metrics.NewStatsdScope(statter, "VA")
	log := blog.NewMock()

	// Distributed resolver pointed at the mock DNS-over-HTTPS server above.
	resolver, err := cdr.New(metrics.NewNoopScope(), time.Second, 1, nil, blog.NewMock())
	test.AssertNotError(t, err, "Failed to create CAADistributedResolver")
	resolver.URI = srv.URL
	resolver.Clients["1.1.1.1"] = new(http.Client)

	va := NewValidationAuthorityImpl(
		&cmd.PortConfig{},
		nil,
		resolver,
		&bdns.MockDNSResolver{},
		"user agent 1.0",
		"ca.com",
		scope,
		clock.Default(),
		log)

	ident := core.AcmeIdentifier{Value: "bad-local-resolver.com", Type: "dns"}

	// Fallback available: the local resolver failure is papered over.
	problem := va.checkCAA(ctx, ident)
	test.Assert(t, problem == nil, fmt.Sprintf("returned ProblemDetails was non-nil: %#v", problem))

	// No fallback: the resolver failure must be reported to the caller.
	va.caaDR = nil
	problem = va.checkCAA(ctx, ident)
	test.Assert(t, problem != nil, "returned ProblemDetails was nil")
	test.AssertEquals(t, problem.Type, probs.ConnectionProblem)
	test.AssertEquals(t, problem.Detail, "server failure at resolver")
}
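// TestAllowNilInIsSafeDomain checks that IsSafeDomain tolerates a nil
// SafeBrowsing client and fails open (reports the domain as safe) instead
// of returning an error or panicking.
//
// Fix: the error from statsd.NewNoopClient was discarded; it is now checked so
// a broken test fixture is reported as such rather than as a confusing
// downstream failure.
func TestAllowNilInIsSafeDomain(t *testing.T) {
	stats, err := statsd.NewNoopClient()
	if err != nil {
		t.Fatalf("creating noop statsd client: %s", err)
	}
	va := NewValidationAuthorityImpl(
		&cmd.PortConfig{},
		nil,
		nil,
		nil,
		nil,
		"user agent 1.0",
		"letsencrypt.org",
		stats,
		clock.NewFake(),
		blog.NewMock())

	// Be cool with a nil SafeBrowsing. This will happen in prod when we have
	// flag mismatch between the VA and RA.
	domain := "example.com"
	resp, err := va.IsSafeDomain(ctx, &vaPB.IsSafeDomainRequest{Domain: &domain})
	if err != nil {
		t.Errorf("nil SafeBrowsing, unexpected error: %s", err)
	}
	// GetIsSafe is nil-safe, so this is still meaningful if resp is nil.
	if !resp.GetIsSafe() {
		t.Errorf("nil Safebrowsing, should fail open but failed closed")
	}
}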
// TestGetCAASetFallback verifies that getCAASet falls back to the
// CAADistributedResolver when the local lookup for "bad-local-resolver.com"
// fails, and that the fallback answer carries exactly one Issue record.
func TestGetCAASetFallback(t *testing.T) {
	srv := httptest.NewServer(http.HandlerFunc(mocks.GPDNSHandler))
	defer srv.Close()

	// Distributed resolver backed by the mock DNS-over-HTTPS server.
	resolver, err := cdr.New(metrics.NewNoopScope(), time.Second, 1, nil, blog.NewMock())
	test.AssertNotError(t, err, "Failed to create CAADistributedResolver")
	resolver.URI = srv.URL
	resolver.Clients["1.1.1.1"] = new(http.Client)

	va, _, _ := setup()
	va.caaDR = resolver

	caaSet, err := va.getCAASet(ctx, "bad-local-resolver.com")
	test.AssertNotError(t, err, "getCAASet failed to fail back to cdr on timeout")
	test.AssertEquals(t, len(caaSet.Issue), 1)
}
// setup builds a ValidationAuthorityImpl wired to a mock statter, a mock DNS
// resolver and a mock logger, and hands the statter and logger back so tests
// can inspect what the VA recorded.
func setup() (*ValidationAuthorityImpl, *mocks.Statter, *blog.Mock) {
	log := blog.NewMock()
	statter := mocks.NewStatter()

	va := NewValidationAuthorityImpl(
		&cmd.PortConfig{},
		nil,
		nil,
		&bdns.MockDNSResolver{},
		"user agent 1.0",
		"letsencrypt.org",
		metrics.NewStatsdScope(statter, "VA"),
		clock.Default(),
		log)

	return va, statter, log
}
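// TestGetAndProcessCerts inserts five certificates into the SA test database,
// fetches them back through the checker in batches of two, and confirms every
// one is reported as bad (each is self-signed with a zero validity period,
// and the subject name is not blacklisted so the check reaches the policy
// stage).
//
// Fixes over the previous version:
//   - the error from rsa.GenerateKey was discarded;
//   - an AssertNotError after CreateWorkingRegistration re-checked the stale
//     err from NewSQLStorageAuthority and so asserted nothing; it is removed;
//   - the local named sa shadowed the sa package; renamed to ssa.
func TestGetAndProcessCerts(t *testing.T) {
	saDbMap, err := sa.NewDbMap(vars.DBConnSA, 0)
	test.AssertNotError(t, err, "Couldn't connect to database")
	fc := clock.NewFake()
	checker := newChecker(saDbMap, fc, pa, expectedValidityPeriod)

	ssa, err := sa.NewSQLStorageAuthority(saDbMap, fc, blog.NewMock())
	test.AssertNotError(t, err, "Couldn't create SA to insert certificates")
	saCleanUp := test.ResetSATestDatabase(t)
	defer saCleanUp()

	// Test-only key; the small size keeps the test fast.
	testKey, err := rsa.GenerateKey(rand.Reader, 1024)
	test.AssertNotError(t, err, "Couldn't generate test key")

	// Problems
	// Expiry period is too long
	rawCert := x509.Certificate{
		Subject: pkix.Name{
			CommonName: "not-blacklisted.com",
		},
		BasicConstraintsValid: true,
		DNSNames:              []string{"not-blacklisted.com"},
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	reg := satest.CreateWorkingRegistration(t, ssa)

	for i := 0; i < 5; i++ {
		// Fresh random serial per certificate so the inserts do not collide.
		rawCert.SerialNumber = big.NewInt(mrand.Int63())
		certDER, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey)
		test.AssertNotError(t, err, "Couldn't create certificate")
		_, err = ssa.AddCertificate(context.Background(), certDER, reg.ID)
		test.AssertNotError(t, err, "Couldn't add certificate")
	}

	// Package-level batch size; two forces several fetch rounds for five certs.
	batchSize = 2
	err = checker.getCerts(false)
	test.AssertNotError(t, err, "Failed to retrieve certificates")
	test.AssertEquals(t, len(checker.certs), 5)

	wg := new(sync.WaitGroup)
	wg.Add(1)
	checker.processCerts(wg, false)
	test.AssertEquals(t, checker.issuedReport.BadCerts, int64(5))
	test.AssertEquals(t, len(checker.issuedReport.Entries), 5)
}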
// TestIsSafeDomain drives IsSafeDomain through a mocked SafeBrowsing client
// and checks the four outcomes: a clean domain is safe, a listed domain is
// unsafe, a lookup error is returned with a nil response, and out-of-date
// hashes fail open (reported as safe).
func TestIsSafeDomain(t *testing.T) {
	// TODO(jmhodges): use more of the GSB lib by teaching it how to not make
	// http requests
	// This test is mocked out at the wrong level (SafeBrowsing) because the gsb lib
	// we rely on is a little funny and overcomplicated, but still hasn't
	// learned out how not make HTTP requests in tests.
	ctrl := gomock.NewController(t)
	defer ctrl.Finish()

	sbc := NewMockSafeBrowsing(ctrl)
	sbc.EXPECT().IsListed("good.com").Return("", nil)
	sbc.EXPECT().IsListed("bad.com").Return("bad", nil)
	sbc.EXPECT().IsListed("errorful.com").Return("", errors.New("welp"))
	sbc.EXPECT().IsListed("outofdate.com").Return("", safebrowsing.ErrOutOfDateHashes)

	va := NewValidationAuthorityImpl(
		&cmd.PortConfig{},
		sbc,
		nil,
		nil,
		"user agent 1.0",
		"letsencrypt.org",
		metrics.NewNoopScope(),
		clock.NewFake(),
		blog.NewMock())

	// request builds the proto request for one domain name.
	request := func(name string) *vaPB.IsSafeDomainRequest {
		return &vaPB.IsSafeDomainRequest{Domain: &name}
	}

	resp, err := va.IsSafeDomain(ctx, request("good.com"))
	if err != nil {
		t.Errorf("good.com: want no error, got '%s'", err)
	}
	if !resp.GetIsSafe() {
		t.Errorf("good.com: want true, got %t", resp.GetIsSafe())
	}

	resp, err = va.IsSafeDomain(ctx, request("bad.com"))
	if err != nil {
		t.Errorf("bad.com: want no error, got '%s'", err)
	}
	if resp.GetIsSafe() {
		t.Errorf("bad.com: want false, got %t", resp.GetIsSafe())
	}

	resp, err = va.IsSafeDomain(ctx, request("errorful.com"))
	if err == nil {
		t.Errorf("errorful.com: want error, got none")
	}
	if resp != nil {
		t.Errorf("errorful.com: want resp == nil, got %v", resp)
	}

	resp, err = va.IsSafeDomain(ctx, request("outofdate.com"))
	if err != nil {
		t.Errorf("outofdate.com: want no error, got '%s'", err)
	}
	if !resp.GetIsSafe() {
		t.Errorf("outofdate.com: IsSafeDomain should fail open on out of date hashes")
	}
}
// setup assembles the fixtures the CA tests share: a fake clock advanced one
// hour, a policy authority loaded from ../test/hostname-policy.json, a CA
// config with one RSA and one ECDSA CFSSL signing profile (both one-year
// expiry, one-hour backdate, CA/B Forum DV policy OID, client-provided
// serials), a single issuer, a key policy allowing RSA and NIST P-256/P-384,
// a noop metrics scope and a mock logger.
func setup(t *testing.T) *testCtx {
	fc := clock.NewFake()
	fc.Add(1 * time.Hour)

	pa, err := policy.New(nil)
	test.AssertNotError(t, err, "Couldn't create PA")
	err = pa.SetHostnamePolicyFile("../test/hostname-policy.json")
	test.AssertNotError(t, err, "Couldn't set hostname policy")

	// Values shared by both signing profiles.
	const oneYear = "8760h"
	const (
		issuerURL = "http://not-example.com/issuer-url"
		ocspURL   = "http://not-example.com/ocsp"
		crlURL    = "http://not-example.com/crl"
	)
	// 2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy OID.
	// Each call returns a fresh value so the two profiles do not alias.
	dvPolicies := func() []cfsslConfig.CertificatePolicy {
		return []cfsslConfig.CertificatePolicy{
			{ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1})},
		}
	}
	csrWhitelist := func() *cfsslConfig.CSRWhitelist {
		return &cfsslConfig.CSRWhitelist{
			PublicKeyAlgorithm: true,
			PublicKey:          true,
			SignatureAlgorithm: true,
		}
	}

	rsaProfile := &cfsslConfig.SigningProfile{
		Usage:                       []string{"digital signature", "key encipherment", "server auth"},
		CA:                          false,
		IssuerURL:                   []string{issuerURL},
		OCSP:                        ocspURL,
		CRL:                         crlURL,
		Policies:                    dvPolicies(),
		ExpiryString:                oneYear,
		Backdate:                    time.Hour,
		CSRWhitelist:                csrWhitelist(),
		ClientProvidesSerialNumbers: true,
		// Only the RSA profile admits the TLS Feature (must-staple) extension.
		AllowedExtensions: []cfsslConfig.OID{
			cfsslConfig.OID(oidTLSFeature),
		},
	}
	ecdsaProfile := &cfsslConfig.SigningProfile{
		Usage:                       []string{"digital signature", "server auth"},
		CA:                          false,
		IssuerURL:                   []string{issuerURL},
		OCSP:                        ocspURL,
		CRL:                         crlURL,
		Policies:                    dvPolicies(),
		ExpiryString:                oneYear,
		Backdate:                    time.Hour,
		CSRWhitelist:                csrWhitelist(),
		ClientProvidesSerialNumbers: true,
	}

	// Create a CA
	caConfig := cmd.CAConfig{
		RSAProfile:   rsaProfileName,
		ECDSAProfile: ecdsaProfileName,
		SerialPrefix: 17,
		Expiry:       oneYear,
		LifespanOCSP: cmd.ConfigDuration{Duration: 45 * time.Minute},
		MaxNames:     2,
		CFSSL: cfsslConfig.Config{
			Signing: &cfsslConfig.Signing{
				Profiles: map[string]*cfsslConfig.SigningProfile{
					rsaProfileName:   rsaProfile,
					ecdsaProfileName: ecdsaProfile,
				},
				Default: &cfsslConfig.SigningProfile{
					ExpiryString: oneYear,
				},
			},
		},
	}

	issuers := []Issuer{{caKey, caCert}}
	keyPolicy := goodkey.KeyPolicy{
		AllowRSA:           true,
		AllowECDSANISTP256: true,
		AllowECDSANISTP384: true,
	}

	return &testCtx{
		caConfig,
		pa,
		issuers,
		keyPolicy,
		fc,
		metrics.NewNoopScope(),
		blog.NewMock(),
	}
}