func TestCertificateKeyNotEqualAccountKey(t *testing.T) { _, _, sa, ra, cleanUp := initAuthorities(t) defer cleanUp() authz := core.Authorization{} authz, _ = sa.NewPendingAuthorization(authz) authz.Identifier = core.AcmeIdentifier{ Type: core.IdentifierDNS, Value: "www.example.com", } csr := x509.CertificateRequest{ SignatureAlgorithm: x509.SHA256WithRSA, PublicKey: AccountKeyA.Key, DNSNames: []string{"www.example.com"}, } csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csr, AccountPrivateKey.Key) test.AssertNotError(t, err, "Failed to sign CSR") parsedCSR, err := x509.ParseCertificateRequest(csrBytes) test.AssertNotError(t, err, "Failed to parse CSR") sa.UpdatePendingAuthorization(authz) sa.FinalizeAuthorization(authz) certRequest := core.CertificateRequest{ CSR: parsedCSR, } // Registration id 1 has key == AccountKeyA _, err = ra.NewCertificate(certRequest, 1) test.AssertError(t, err, "Should have rejected cert with key = account key") test.AssertEquals(t, err.Error(), "Certificate public key must be different than account key") t.Log("DONE TestCertificateKeyNotEqualAccountKey") }
func TestTotalCertRateLimit(t *testing.T) { _, sa, ra, fc, cleanUp := initAuthorities(t) defer cleanUp() ra.rlPolicies = cmd.RateLimitConfig{ TotalCertificates: cmd.RateLimitPolicy{ Threshold: 1, Window: cmd.ConfigDuration{Duration: 24 * 90 * time.Hour}, }, } fc.Add(24 * 90 * time.Hour) AuthzFinal.RegistrationID = Registration.ID AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // Inject another final authorization to cover www.example.com authzFinalWWW := AuthzFinal authzFinalWWW.Identifier.Value = "www.not-example.com" authzFinalWWW, _ = sa.NewPendingAuthorization(authzFinalWWW) sa.FinalizeAuthorization(authzFinalWWW) certRequest := core.CertificateRequest{ CSR: ExampleCSR, } _, err := ra.NewCertificate(certRequest, Registration.ID) test.AssertNotError(t, err, "Failed to issue certificate") fc.Add(time.Hour) _, err = ra.NewCertificate(certRequest, Registration.ID) test.AssertError(t, err, "Total certificate rate limit failed") }
func TestOnValidationUpdateSuccess(t *testing.T) { _, sa, ra, fclk, cleanUp := initAuthorities(t) defer cleanUp() authzUpdated, err := sa.NewPendingAuthorization(AuthzInitial) test.AssertNotError(t, err, "Failed to create new pending authz") expires := fclk.Now().Add(300 * 24 * time.Hour) authzUpdated.Expires = &expires sa.UpdatePendingAuthorization(authzUpdated) // Simulate a successful simpleHTTP challenge authzFromVA := authzUpdated authzFromVA.Challenges[0].Status = core.StatusValid ra.OnValidationUpdate(authzFromVA) // Verify that the Authz in the DB is the same except for Status->StatusValid authzFromVA.Status = core.StatusValid dbAuthz, err := sa.GetAuthorization(authzFromVA.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") t.Log("authz from VA: ", authzFromVA) t.Log("authz from DB: ", dbAuthz) assertAuthzEqual(t, authzFromVA, dbAuthz) }
func TestUpdateAuthorization(t *testing.T) { _, va, sa, ra := initAuthorities(t) AuthzInitial.ID, _ = sa.NewPendingAuthorization() sa.UpdatePendingAuthorization(AuthzInitial) authz, err := ra.UpdateAuthorization(AuthzInitial, ResponseIndex, Response) test.AssertNotError(t, err, "UpdateAuthorization failed") // Verify that returned authz same as DB dbAuthz, err := sa.GetAuthorization(authz.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, authz, dbAuthz) // Verify that the VA got the authz, and it's the same as the others test.Assert(t, va.Called, "Authorization was not passed to the VA") assertAuthzEqual(t, authz, va.Argument) // Verify that the responses are reflected test.Assert(t, len(va.Argument.Challenges) > 0, "Authz passed to VA has no challenges") simpleHttps := va.Argument.Challenges[0] test.Assert(t, simpleHttps.Path == Response.Path, "simpleHttps changed") // If we get to here, we'll use this authorization for the next test AuthzUpdated = authz // TODO Test failure cases t.Log("DONE TestUpdateAuthorization") }
func TestOnValidationUpdate(t *testing.T) { _, _, sa, ra := initAuthorities(t) AuthzUpdated.ID, _ = sa.NewPendingAuthorization() sa.UpdatePendingAuthorization(AuthzUpdated) // Simulate a successful simpleHTTPS challenge AuthzFromVA = AuthzUpdated AuthzFromVA.Challenges[0].Status = core.StatusValid ra.OnValidationUpdate(AuthzFromVA) // Verify that the Authz in the DB is the same except for Status->StatusValid AuthzFromVA.Status = core.StatusValid dbAuthz, err := sa.GetAuthorization(AuthzFromVA.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, AuthzFromVA, dbAuthz) t.Log(" ~~> from VA: ", AuthzFromVA.Status) t.Log(" ~~> from DB: ", dbAuthz.Status) // If we get to here, we'll use this authorization for the next test AuthzFinal = dbAuthz // TODO Test failure cases t.Log("DONE TestOnValidationUpdate") }
func TestNewCertificate(t *testing.T) { _, sa, ra, _, cleanUp := initAuthorities(t) defer cleanUp() AuthzFinal.RegistrationID = Registration.ID AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // Inject another final authorization to cover www.example.com authzFinalWWW := AuthzFinal authzFinalWWW.Identifier.Value = "www.not-example.com" authzFinalWWW, _ = sa.NewPendingAuthorization(authzFinalWWW) sa.FinalizeAuthorization(authzFinalWWW) // Check that we fail if the CSR signature is invalid ExampleCSR.Signature[0] += 1 certRequest := core.CertificateRequest{ CSR: ExampleCSR, } _, err := ra.NewCertificate(certRequest, Registration.ID) ExampleCSR.Signature[0] -= 1 test.AssertError(t, err, "Failed to check CSR signature") // Check that we don't fail on case mismatches ExampleCSR.Subject.CommonName = "www.NOT-example.com" certRequest = core.CertificateRequest{ CSR: ExampleCSR, } cert, err := ra.NewCertificate(certRequest, Registration.ID) test.AssertNotError(t, err, "Failed to issue certificate") if err != nil { return } parsedCert, err := x509.ParseCertificate(cert.DER) test.AssertNotError(t, err, "Failed to parse certificate") if err != nil { return } // Verify that cert shows up and is as expected dbCert, err := sa.GetCertificate(core.SerialToString(parsedCert.SerialNumber)) test.AssertNotError(t, err, fmt.Sprintf("Could not fetch certificate %032x from database", parsedCert.SerialNumber)) if err != nil { return } test.Assert(t, bytes.Compare(cert.DER, dbCert.DER) == 0, "Certificates differ") t.Log("DONE TestOnValidationUpdate") }
func TestOnValidationUpdateFailure(t *testing.T) { _, sa, ra, _, cleanUp := initAuthorities(t) defer cleanUp() authzFromVA, _ := sa.NewPendingAuthorization(AuthzUpdated) sa.UpdatePendingAuthorization(AuthzUpdated) authzFromVA.Challenges[0].Status = core.StatusInvalid err := ra.OnValidationUpdate(authzFromVA) test.AssertNotError(t, err, "unable to update validation") authzFromVA.Status = core.StatusInvalid dbAuthz, err := sa.GetAuthorization(authzFromVA.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, authzFromVA, dbAuthz) }
func TestOnValidationUpdateFailure(t *testing.T) { _, sa, ra, fclk, cleanUp := initAuthorities(t) defer cleanUp() authzFromVA, _ := sa.NewPendingAuthorization(AuthzInitial) expires := fclk.Now().Add(300 * 24 * time.Hour) authzFromVA.Expires = &expires sa.UpdatePendingAuthorization(authzFromVA) authzFromVA.Challenges[0].Status = core.StatusInvalid err := ra.OnValidationUpdate(authzFromVA) test.AssertNotError(t, err, "unable to update validation") authzFromVA.Status = core.StatusInvalid dbAuthz, err := sa.GetAuthorization(authzFromVA.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, authzFromVA, dbAuthz) }
func TestNewCertificate(t *testing.T) { _, _, sa, ra := initAuthorities(t) AuthzFinal.RegistrationID = 1 AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // Inject another final authorization to cover www.example.com authzFinalWWW := AuthzFinal authzFinalWWW.Identifier.Value = "www.not-example.com" authzFinalWWW, _ = sa.NewPendingAuthorization(authzFinalWWW) sa.FinalizeAuthorization(authzFinalWWW) // Construct a cert request referencing the two authorizations url1, _ := url.Parse("http://doesnt.matter/" + AuthzFinal.ID) url2, _ := url.Parse("http://doesnt.matter/" + authzFinalWWW.ID) certRequest := core.CertificateRequest{ CSR: ExampleCSR, Authorizations: []core.AcmeURL{core.AcmeURL(*url1), core.AcmeURL(*url2)}, } cert, err := ra.NewCertificate(certRequest, 1) test.AssertNotError(t, err, "Failed to issue certificate") if err != nil { return } parsedCert, err := x509.ParseCertificate(cert.DER) test.AssertNotError(t, err, "Failed to parse certificate") if err != nil { return } // Verify that cert shows up and is as expected dbCert, err := sa.GetCertificate(core.SerialToString(parsedCert.SerialNumber)) test.AssertNotError(t, err, fmt.Sprintf("Could not fetch certificate %032x from database", parsedCert.SerialNumber)) if err != nil { return } test.Assert(t, bytes.Compare(cert.DER, dbCert.DER) == 0, "Certificates differ") t.Log("DONE TestOnValidationUpdate") }
func TestAuthorizationRequired(t *testing.T) { _, _, sa, ra, cleanUp := initAuthorities(t) defer cleanUp() AuthzFinal.RegistrationID = 1 AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // ExampleCSR requests not-example.com and www.not-example.com, // but the authorization only covers not-example.com certRequest := core.CertificateRequest{ CSR: ExampleCSR, } _, err := ra.NewCertificate(certRequest, 1) test.Assert(t, err != nil, "Issued certificate with insufficient authorization") t.Log("DONE TestAuthorizationRequired") }
func TestNewCertificate(t *testing.T) { _, _, sa, ra, cleanUp := initAuthorities(t) defer cleanUp() AuthzFinal.RegistrationID = 1 AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // Inject another final authorization to cover www.example.com authzFinalWWW := AuthzFinal authzFinalWWW.Identifier.Value = "www.not-example.com" authzFinalWWW, _ = sa.NewPendingAuthorization(authzFinalWWW) sa.FinalizeAuthorization(authzFinalWWW) certRequest := core.CertificateRequest{ CSR: ExampleCSR, } cert, err := ra.NewCertificate(certRequest, 1) test.AssertNotError(t, err, "Failed to issue certificate") if err != nil { return } parsedCert, err := x509.ParseCertificate(cert.DER) test.AssertNotError(t, err, "Failed to parse certificate") if err != nil { return } // Verify that cert shows up and is as expected dbCert, err := sa.GetCertificate(core.SerialToString(parsedCert.SerialNumber)) test.AssertNotError(t, err, fmt.Sprintf("Could not fetch certificate %032x from database", parsedCert.SerialNumber)) if err != nil { return } test.Assert(t, bytes.Compare(cert.DER, dbCert.DER) == 0, "Certificates differ") t.Log("DONE TestOnValidationUpdate") }
func TestOnValidationUpdate(t *testing.T) { _, _, sa, ra := initAuthorities(t) AuthzUpdated, _ = sa.NewPendingAuthorization(AuthzUpdated) sa.UpdatePendingAuthorization(AuthzUpdated) // Simulate a successful simpleHTTP challenge authzFromVA := AuthzUpdated authzFromVA.Challenges[0].Status = core.StatusValid ra.OnValidationUpdate(authzFromVA) // Verify that the Authz in the DB is the same except for Status->StatusValid authzFromVA.Status = core.StatusValid dbAuthz, err := sa.GetAuthorization(authzFromVA.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, authzFromVA, dbAuthz) t.Log(" ~~> from VA: ", authzFromVA.Status) t.Log(" ~~> from DB: ", dbAuthz.Status) t.Log("DONE TestOnValidationUpdate") }
func TestAuthorizationRequired(t *testing.T) { _, _, sa, ra := initAuthorities(t) AuthzFinal.RegistrationID = 1 AuthzFinal, _ = sa.NewPendingAuthorization(AuthzFinal) sa.UpdatePendingAuthorization(AuthzFinal) sa.FinalizeAuthorization(AuthzFinal) // Construct a cert request referencing the authorization url1, _ := url.Parse("http://doesnt.matter/" + AuthzFinal.ID) // ExampleCSR requests not-example.com and www.not-example.com, // but the authorization only covers not-example.com certRequest := core.CertificateRequest{ CSR: ExampleCSR, Authorizations: []core.AcmeURL{core.AcmeURL(*url1)}, } _, err := ra.NewCertificate(certRequest, 1) test.Assert(t, err != nil, "Issued certificate with insufficient authorization") t.Log("DONE TestAuthorizationRequired") }
func TestUpdateAuthorization(t *testing.T) { _, va, sa, ra, cleanUp := initAuthorities(t) defer cleanUp() AuthzInitial, _ = sa.NewPendingAuthorization(AuthzInitial) sa.UpdatePendingAuthorization(AuthzInitial) authz, err := ra.UpdateAuthorization(AuthzInitial, ResponseIndex, Response) test.AssertNotError(t, err, "UpdateAuthorization failed") // Verify that returned authz same as DB dbAuthz, err := sa.GetAuthorization(authz.ID) test.AssertNotError(t, err, "Could not fetch authorization from database") assertAuthzEqual(t, authz, dbAuthz) // Verify that the VA got the authz, and it's the same as the others test.Assert(t, va.Called, "Authorization was not passed to the VA") assertAuthzEqual(t, authz, va.Argument) // Verify that the responses are reflected test.Assert(t, len(va.Argument.Challenges) > 0, "Authz passed to VA has no challenges") t.Log("DONE TestUpdateAuthorization") }