func TestNewCertGeneratorHandlerFromSigner(t *testing.T) { var expiry = 1 * time.Minute var CAConfig = &config.Config{ Signing: &config.Signing{ Profiles: map[string]*config.SigningProfile{ "signature": &config.SigningProfile{ Usage: []string{"digital signature"}, Expiry: expiry, }, }, Default: &config.SigningProfile{ Usage: []string{"cert sign", "crl sign"}, ExpiryString: "43800h", Expiry: expiry, CA: true, ClientProvidesSerialNumbers: true, }, }, } s, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, CAConfig.Signing) if err != nil { t.Fatal(err) } h := NewCertGeneratorHandlerFromSigner(CSRValidate, s) _, ok := h.(http.Handler) if !ok { t.Fatal("A HTTP handler has not been returned") } }
// newHandler generates a new sign handler (or info handler) using the certificate // authority private key and certficate to sign certificates. func newHandler(t *testing.T, caFile, caKeyFile, op string) (http.Handler, error) { var expiry = 1 * time.Minute var CAConfig = &config.Config{ Signing: &config.Signing{ Profiles: map[string]*config.SigningProfile{ "signature": &config.SigningProfile{ Usage: []string{"digital signature"}, Expiry: expiry, }, }, Default: &config.SigningProfile{ Usage: []string{"cert sign", "crl sign"}, ExpiryString: "43800h", Expiry: expiry, CA: true, ClientProvidesSerialNumbers: true, }, }, } s, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, CAConfig.Signing) if err != nil { t.Fatal(err) } if op == "sign" { return apisign.NewHandlerFromSigner(s) } else if op == "info" { return apiinfo.NewHandler(s) } t.Fatal("Bad op code") return nil, nil }
func TestChromeWarning(t *testing.T) { b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "") s, err := local.NewSignerFromFile(sha1Intermediate, intermediateKey, nil) if err != nil { t.Fatal(err) } csrBytes, err := ioutil.ReadFile(leafCSR) if err != nil { t.Fatal(err) } signingRequest := signer.SignRequest{Request: string(csrBytes)} certBytes, err := s.Sign(signingRequest) if err != nil { t.Fatal(err) } // Bundle a leaf cert with default 1 year expiration bundle, err := b.BundleFromPEMorDER(certBytes, nil, Ubiquitous, "") if err != nil { t.Fatal("bundling failed: ", err) } // should be not ubiquitous due to SHA2 and ECDSA support issues in legacy platforms if bundle.Status.Code&errors.BundleNotUbiquitousBit != errors.BundleNotUbiquitousBit { t.Fatal("Incorrect bundle status code. Bundle status code:", bundle.Status.Code) } fullChain := append(bundle.Chain, bundle.Root) sha1Msgs := ubiquity.SHA1DeprecationMessages(fullChain) // Since the new SHA-1 cert is expired after 2015, it definitely trigger Chrome's deprecation policies. if len(sha1Msgs) == 0 { t.Fatal("SHA1 Deprecation Message should not be empty") } // check SHA1 deprecation warnings var sha1MsgNotFound bool for _, sha1Msg := range sha1Msgs { foundMsg := false for _, message := range bundle.Status.Messages { if message == sha1Msg { foundMsg = true } } if !foundMsg { sha1MsgNotFound = true break } } if sha1MsgNotFound { t.Fatalf("Incorrect bundle status messages. Bundle status messages:%v, expected to contain: %v\n", bundle.Status.Messages, sha1Msgs) } }
// fileBackedSigner determines whether a file-backed local signer is supported. func fileBackedSigner(root *Root, policy *config.Signing) (signer.Signer, bool, error) { keyFile := root.Config["key-file"] certFile := root.Config["cert-file"] if keyFile == "" { return nil, false, nil } signer, err := local.NewSignerFromFile(certFile, keyFile, policy) return signer, true, err }
func newTestHandler(t *testing.T) (h http.Handler) { signer, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil) if err != nil { t.Fatal(err) } h, err = NewHandler(signer) if err != nil { t.Fatal(err) } return }
func newTestMultiHandler(t *testing.T) (h http.Handler) { signer1, err := local.NewSignerFromFile(testCaFile, testCaKeyFile, nil) if err != nil { t.Fatal(err) } signer2, err := local.NewSignerFromFile(testCaFile2, testCaKeyFile2, nil) if err != nil { t.Fatal(err) } signers := map[string]signer.Signer{ "test1": signer1, "test2": signer2, } h, err = NewMultiHandler(signers, "test1") if err != nil { t.Fatalf("%v", err) } return }
// create a test intermediate cert in PEM func createInterCert(t *testing.T, csrFile string, policy *config.Signing, profileName string) (certPEM []byte) { s, err := local.NewSignerFromFile(testCAFile, testCAKeyFile, policy) if err != nil { t.Fatal(err) } csr, err := ioutil.ReadFile(csrFile) if err != nil { t.Fatal(err) } req := signer.SignRequest{ Hosts: []string{"cloudflare-inter.com"}, Request: string(csr), Profile: profileName, Label: "", } certPEM, err = s.Sign(req) if err != nil { t.Fatal(err) } return }
func TestSignerDBPersistence(t *testing.T) { conf, err := config.LoadConfig([]byte(validLocalConfigLongerExpiry)) if err != nil { t.Fatal(err) } var s *local.Signer s, err = local.NewSignerFromFile(testCaFile, testCaKeyFile, conf.Signing) if err != nil { t.Fatal(err) } db := testdb.SQLiteDB("../../certdb/testdb/certstore_development.db") if err != nil { t.Fatal(err) } s.SetDB(db) var handler *api.HTTPHandler handler, err = NewHandlerFromSigner(signer.Signer(s)) if err != nil { t.Fatal(err) } ts := httptest.NewServer(handler) defer ts.Close() var csrPEM, body []byte csrPEM, err = ioutil.ReadFile(testCSRFile) if err != nil { t.Fatal(err) } blob, err := json.Marshal(&map[string]string{"certificate_request": string(csrPEM)}) if err != nil { t.Fatal(err) } var resp *http.Response resp, err = http.Post(ts.URL, "application/json", bytes.NewReader(blob)) if err != nil { t.Fatal(err) } body, err = ioutil.ReadAll(resp.Body) if err != nil { t.Fatal(err) } if resp.StatusCode != http.StatusOK { t.Fatal(resp.Status, string(body)) } message := new(api.Response) err = json.Unmarshal(body, message) if err != nil { t.Fatalf("failed to read response body: %v", err) } if !message.Success { t.Fatal("API operation failed") } var crs []*certdb.CertificateRecord crs, err = certdb.GetUnexpiredCertificates(db) if err != nil { t.Fatal("Failed to get unexpired certificates") } if len(crs) != 1 { t.Fatal("Expected 1 unexpired certificate in the database after signing 1") } }