// TestGenerateAndStoreOCSPResponse generates an OCSP response for a freshly
// added certificate, stores it, then generates and stores a revoked response
// for the same status record. It asserts that the response held by the storage
// authority afterwards is still the first one.
func TestGenerateAndStoreOCSPResponse(t *testing.T) {
	updater, sa, _, _, cleanUp := setup(t)
	defer cleanUp()

	// Seed storage with one certificate owned by a working registration.
	registration := satest.CreateWorkingRegistration(t, sa)
	cert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	_, err = sa.AddCertificate(cert.Raw, registration.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

	serial := core.SerialToString(cert.SerialNumber)
	status, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Couldn't get the core.CertificateStatus from the database")

	// First response: generated from the status as stored, then persisted.
	firstMeta, err := updater.generateResponse(status)
	test.AssertNotError(t, err, "Couldn't generate OCSP response")
	err = updater.storeResponse(firstMeta)
	test.AssertNotError(t, err, "Couldn't store certificate status")

	// Second response: a revoked response for a certificate that this test
	// never marks as revoked. Storing it returns no error.
	revokedMeta, err := updater.generateRevokedResponse(status)
	test.AssertNotError(t, err, "Couldn't generate revoked OCSP response")
	err = updater.storeResponse(revokedMeta)
	test.AssertNotError(t, err, "Couldn't store certificate status")

	// The stored bytes must still be the first response, so the second store
	// must not have replaced it.
	// NOTE(review): presumably storeResponse skips writes whose status differs
	// from the stored status; confirm against storeResponse.
	stored, err := sa.GetCertificateStatus(status.Serial)
	test.AssertNotError(t, err, "Couldn't retrieve certificate status")
	test.AssertByteEquals(t, firstMeta.OCSPResponse, stored.OCSPResponse)
}
// TestStoreResponseGuard exercises the two-argument form of storeResponse.
// Passing core.OCSPStatusRevoked leaves the stored OCSP response empty, while
// passing core.OCSPStatusGood lets the one-byte response through. Neither call
// returns an error.
func TestStoreResponseGuard(t *testing.T) {
	updater, sa, _, _, cleanUp := setup(t)
	defer cleanUp()

	// Seed storage with one certificate owned by a working registration.
	registration := satest.CreateWorkingRegistration(t, sa)
	cert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	_, err = sa.AddCertificate(cert.Raw, registration.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

	serial := core.SerialToString(cert.SerialNumber)
	status, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")

	// Sentinel payload: one byte, so a successful write is visible by length.
	status.OCSPResponse = []byte{0}

	// NOTE(review): the second argument is presumably the status the stored
	// row must currently have for the write to apply; confirm in storeResponse.
	// With OCSPStatusRevoked the call succeeds but nothing is written.
	err = updater.storeResponse(&status, core.OCSPStatusRevoked)
	test.AssertNotError(t, err, "Failed to update certificate status")

	afterMismatch, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	test.AssertEquals(t, len(afterMismatch.OCSPResponse), 0)

	// With OCSPStatusGood the same payload is stored.
	err = updater.storeResponse(&status, core.OCSPStatusGood)
	test.AssertNotError(t, err, "Failed to updated certificate status")

	afterMatch, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	test.AssertEquals(t, len(afterMatch.OCSPResponse), 1)
}
// TestFindStaleOCSPResponses checks that a newly added certificate is reported
// by findStaleOCSPResponses, and that it is no longer reported once an OCSP
// response has been generated and stored for it.
func TestFindStaleOCSPResponses(t *testing.T) {
	updater, sa, _, fc, cleanUp := setup(t)
	defer cleanUp()

	// Seed storage with one certificate owned by a working registration.
	registration := satest.CreateWorkingRegistration(t, sa)
	cert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	_, err = sa.AddCertificate(cert.Raw, registration.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

	// Cutoff is one hour before the test clock's current time; the batch size is 10.
	cutoff := fc.Now().Add(-time.Hour)
	stale, err := updater.findStaleOCSPResponses(cutoff, 10)
	test.AssertNotError(t, err, "Couldn't find certificate")
	test.AssertEquals(t, len(stale), 1)

	// Give the certificate a stored response.
	serial := core.SerialToString(cert.SerialNumber)
	status, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Couldn't get the core.Certificate from the database")

	meta, err := updater.generateResponse(status)
	test.AssertNotError(t, err, "Couldn't generate OCSP response")
	err = updater.storeResponse(meta)
	test.AssertNotError(t, err, "Couldn't store OCSP response")

	// The same query must now return nothing.
	stale, err = updater.findStaleOCSPResponses(cutoff, 10)
	test.AssertNotError(t, err, "Failed to find stale responses")
	test.AssertEquals(t, len(stale), 0)
}
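// TestStoreResponseGuard verifies the guard in storeResponse that protects a
// revoked certificate's stored OCSP data: a status record whose Status no
// longer matches the stored status must not overwrite the stored response,
// and the call must still return no error. Once the in-memory Status matches
// the stored one, the write goes through.
//
// This matters for revocation integrity: a status snapshot taken before a
// revocation must not be able to publish a response for the old status
// afterwards.
func TestStoreResponseGuard(t *testing.T) {
	updater, sa, _, _, cleanUp := setup(t)
	defer cleanUp()

	// Seed storage with one certificate owned by a working registration.
	reg := satest.CreateWorkingRegistration(t, sa)
	parsedCert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	_, err = sa.AddCertificate(parsedCert.Raw, reg.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

	serial := core.SerialToString(parsedCert.SerialNumber)

	// Snapshot the status BEFORE revoking, so the in-memory copy still says
	// "good" while the stored row is about to become "revoked".
	status, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	// Make the precondition explicit; otherwise the first guard check below
	// could pass for the wrong reason.
	test.AssertEquals(t, status.Status, core.OCSPStatusGood)

	err = sa.MarkCertificateRevoked(serial, 0)
	test.AssertNotError(t, err, "Failed to revoke certificate")

	// Attempt to update the OCSP response where status.Status is good but the
	// stored status is revoked; this should fail silently.
	payload := []byte{0, 1, 1}
	status.OCSPResponse = payload
	err = updater.storeResponse(&status)
	test.AssertNotError(t, err, "Failed to update certificate status")

	// Make sure the OCSP response hasn't actually changed and that the stored
	// status is still revoked.
	unchangedStatus, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	test.AssertEquals(t, len(unchangedStatus.OCSPResponse), 0)
	test.AssertEquals(t, unchangedStatus.Status, core.OCSPStatusRevoked)

	// Changing the status to the stored status should allow the update to occur.
	status.Status = core.OCSPStatusRevoked
	err = updater.storeResponse(&status)
	test.AssertNotError(t, err, "Failed to update certificate status")

	// Make sure the OCSP response has been updated. Compare the bytes as well
	// as the length, so that an unrelated three-byte value cannot satisfy the
	// check.
	changedStatus, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	test.AssertEquals(t, len(changedStatus.OCSPResponse), 3)
	test.AssertByteEquals(t, changedStatus.OCSPResponse, payload)
}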
// TestRevokedCertificatesTick revokes a freshly added certificate, confirms
// that findRevokedCertificatesToUpdate reports it, runs one
// revokedCertificatesTick, and then checks that the stored status is revoked
// and carries a non-empty OCSP response.
func TestRevokedCertificatesTick(t *testing.T) {
	updater, sa, _, _, cleanUp := setup(t)
	defer cleanUp()

	// Seed storage with one certificate owned by a working registration.
	registration := satest.CreateWorkingRegistration(t, sa)
	cert, err := core.LoadCert("test-cert.pem")
	test.AssertNotError(t, err, "Couldn't read test certificate")
	_, err = sa.AddCertificate(cert.Raw, registration.ID)
	test.AssertNotError(t, err, "Couldn't add www.eff.org.der")

	serial := core.SerialToString(cert.SerialNumber)
	err = sa.MarkCertificateRevoked(serial, core.RevocationCode(1))
	test.AssertNotError(t, err, "Failed to revoke certificate")

	// Exactly one revoked certificate should be waiting for an updated response.
	pending, err := updater.findRevokedCertificatesToUpdate(10)
	test.AssertNotError(t, err, "Failed to find revoked certificates")
	test.AssertEquals(t, len(pending), 1)

	// NOTE(review): nothing returned by the tick is inspected here; its effect
	// is verified only through the stored status below.
	updater.revokedCertificatesTick(10)

	status, err := sa.GetCertificateStatus(serial)
	test.AssertNotError(t, err, "Failed to get certificate status")
	test.AssertEquals(t, status.Status, core.OCSPStatusRevoked)

	hasResponse := len(status.OCSPResponse) != 0
	test.Assert(t, hasResponse, "Certificate status doesn't contain OCSP response")
}