func setup(t *testing.T) testCtx { log := blog.UseMock() // Using DBConnSAFullPerms to be able to insert registrations and certificates dbMap, err := sa.NewDbMap(vars.DBConnSAFullPerms, 0) if err != nil { t.Fatalf("Couldn't connect the database: %s", err) } cleanUp := test.ResetSATestDatabase(t) fc := newFakeClock(t) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc, log) if err != nil { t.Fatalf("unable to create SQLStorageAuthority: %s", err) } return testCtx{ c: contactExporter{ dbMap: dbMap, log: log, clk: fc, }, ssa: ssa, cleanUp: cleanUp, } }
func setup(t *testing.T) (OCSPUpdater, core.StorageAuthority, *gorp.DbMap, clock.FakeClock, func()) { dbMap, err := sa.NewDbMap(dbConnStr) test.AssertNotError(t, err, "Failed to create dbMap") fc := clock.NewFake() fc.Add(1 * time.Hour) sa, err := sa.NewSQLStorageAuthority(dbMap, fc) test.AssertNotError(t, err, "Failed to create SA") cleanUp := test.ResetSATestDatabase(t) stats, _ := statsd.NewNoopClient(nil) updater := OCSPUpdater{ dbMap: dbMap, clk: fc, cac: &mockCA{}, pubc: &mockPub{sa}, sac: sa, stats: stats, log: blog.GetAuditLogger(), } return updater, sa, dbMap, fc, cleanUp }
func TestParseLine(t *testing.T) { dbMap, err := sa.NewDbMap(vars.DBConnSA) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } fc := clock.NewFake() fc.Set(time.Date(2015, 3, 4, 5, 0, 0, 0, time.UTC)) sa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } defer test.ResetSATestDatabase(t)() logger := blog.GetAuditLogger() found, added := parseLogLine(sa, logger, "") test.AssertEquals(t, found, false) test.AssertEquals(t, added, false) found, added = parseLogLine(sa, logger, "0000-00-00T00:00:00+00:00 hostname boulder-ca[pid]: [AUDIT] Failed RPC to store at SA, orphaning certificate: b64der=[] err=[AMQP-RPC timeout], regID=[1337]") test.AssertEquals(t, found, true) test.AssertEquals(t, added, false) found, added = parseLogLine(sa, logger, "0000-00-00T00:00:00+00:00 hostname boulder-ca[pid]: [AUDIT] Failed RPC to store at SA, orphaning certificate: b64der=[deadbeef] err=[AMQP-RPC timeout], regID=[]") test.AssertEquals(t, found, true) test.AssertEquals(t, added, false) reg := satest.CreateWorkingRegistration(t, sa) found, added = parseLogLine(sa, logger, fmt.Sprintf("0000-00-00T00:00:00+00:00 hostname boulder-ca[pid]: [AUDIT] Failed RPC to store at SA, orphaning certificate: b64der=[MIIEWzCCA0OgAwIBAgITAP+gFgYw1hiy61wFEIJLFCdIVjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRoYXBweSBoYWNrZXIgZmFrZSBDQTAeFw0xNTEwMDMwNTIxMDBaFw0xNjAxMDEwNTIxMDBaMBgxFjAUBgNVBAMTDWV4YW1wbGUuY28uYm4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCeo/HSH63lWW42pqdwlalHWOS3JGa3REraT3xM9v3psdRwuTtlwf3YlpF/JIzK5JtXyA3CHGSwEGmUMhMNBZ0tg5I0booXnHyUeDVUnGSnpWgMUY+vCly+pI5oT8pjBHdcj6kjnDTx1cstBjsJi9HBcYPHUh78iEZBsvC0FAKsh8cHaEjUNHzvWd1anBdK0lRn25M8le9IxXi6di9SeyFmahmPteH+LYKZtNzrF5HpatB14+ywV8d212T62PCCnUPDLd+YWjo2+t5pZs7IlGhyGh7EerOOrI2kUUBg3tUdKDp4e3xplxvaAfSfdrqkGx+bQ0iqQnng+lVkXWYWRB8NAgMBAAGjggGVMIIBkTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDadDBAEUrnrP/566FLp6DmjrlrbMB8GA1UdIwQYMBaAFPt4TxL5YBWDLJ8XfzQZsy426kGJMGoGCCsGAQUFBwEBBF4wXDAmBggrBgEFBQcwAYYaaHR0cDovL2xvY2FsaG9zdDo0MDAyL29jc3AwMgYIKwYBBQUHMAKGJmh0dHA6Ly9sb2NhbGhvc3Q6NDAwMC9hY21lL2lzc3Vlci1jZXJ0MBgGA1UdEQQRMA+CDWV4YW1wbGUuY28uYm4wJwYDVR0fBCAwHjAcoBqgGIYWaHR0cDovL2V4YW1wbGUuY29tL2NybDBjBgNVHSAEXDBaMAoGBmeBDAECATAAMEwGAyoDBDBFMCIGCCsGAQUFBwIBFhZodHRwOi8vZXhhbXBsZS5jb20vY3BzMB8GCCsGAQUFBwICMBMMEURvIFdoYXQgVGhvdSBXaWx0MA0GCSqGSIb3DQEBCwUAA4IBAQC7tLmUlxyvouVuIljbRtiL+zYdi/zXVSHAMXTkceqp8/8ucZBZu1fMBkB5SW2FUFd8EnuqhKGOeS3dNr9Pe4dLbUDR0UKIwV045Na+Jet4BbHDdWs3NXAutFhdGIa8ivLBQIbTzlBuVRhJE8g6qqjf5hYL0DXkLNptl2l+0+4xJMm/liCp/mYCGRwbdGUzwdSjACO76QLLSqZhkBF37ZJOuDbJTMBi3QzkOcTs6e4d/gSZpCy7yy6nJDxZ9N9P3XBYIpus+aZAYy29d2shYzE3st8cQfB2Wmb0SHd67sftTAzeudiiNW/4E4IKKH4R1S794apUO07y7pkqep1cz32k] err=[AMQP-RPC timeout], regID=[%d]", reg.ID)) test.AssertEquals(t, found, true) test.AssertEquals(t, added, true) }
func setup(t *testing.T) (*OCSPUpdater, core.StorageAuthority, *gorp.DbMap, clock.FakeClock, func()) { dbMap, err := sa.NewDbMap(vars.DBConnSA) test.AssertNotError(t, err, "Failed to create dbMap") fc := clock.NewFake() fc.Add(1 * time.Hour) sa, err := sa.NewSQLStorageAuthority(dbMap, fc) test.AssertNotError(t, err, "Failed to create SA") cleanUp := test.ResetSATestDatabase(t) stats, _ := statsd.NewNoopClient(nil) updater, err := newUpdater( stats, fc, dbMap, &mockCA{}, &mockPub{sa}, sa, cmd.OCSPUpdaterConfig{ NewCertificateBatchSize: 1, OldOCSPBatchSize: 1, MissingSCTBatchSize: 1, NewCertificateWindow: cmd.ConfigDuration{Duration: time.Second}, OldOCSPWindow: cmd.ConfigDuration{Duration: time.Second}, MissingSCTWindow: cmd.ConfigDuration{Duration: time.Second}, }, 0, "", ) return updater, sa, dbMap, fc, cleanUp }
func BenchmarkCheckCert(b *testing.B) { saDbMap, err := sa.NewDbMap(vars.DBConnSA, 0) if err != nil { fmt.Println("Couldn't connect to database") return } defer func() { test.ResetSATestDatabase(b)() }() checker := newChecker(saDbMap, clock.Default(), pa, expectedValidityPeriod) testKey, _ := rsa.GenerateKey(rand.Reader, 1024) expiry := time.Now().AddDate(0, 0, 1) serial := big.NewInt(1337) rawCert := x509.Certificate{ Subject: pkix.Name{ CommonName: "example.com", }, NotAfter: expiry, DNSNames: []string{"example-a.com"}, SerialNumber: serial, } certDer, _ := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) cert := core.Certificate{ Serial: core.SerialToString(serial), Digest: core.Fingerprint256(certDer), DER: certDer, Issued: time.Now(), Expires: expiry, } b.ResetTimer() for i := 0; i < b.N; i++ { checker.checkCert(cert) } }
func TestGetAndProcessCerts(t *testing.T) { saDbMap, err := sa.NewDbMap(vars.DBConnSA) test.AssertNotError(t, err, "Couldn't connect to database") paDbMap, err := sa.NewDbMap(vars.DBConnPolicy) test.AssertNotError(t, err, "Couldn't connect to policy database") fc := clock.NewFake() checker := newChecker(saDbMap, paDbMap, fc, false, nil) sa, err := sa.NewSQLStorageAuthority(saDbMap, fc) test.AssertNotError(t, err, "Couldn't create SA to insert certificates") saCleanUp := test.ResetSATestDatabase(t) paCleanUp := test.ResetPolicyTestDatabase(t) defer func() { saCleanUp() paCleanUp() }() testKey, _ := rsa.GenerateKey(rand.Reader, 1024) // Problems // Expiry period is too long rawCert := x509.Certificate{ Subject: pkix.Name{ CommonName: "not-blacklisted.com", }, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, } reg := satest.CreateWorkingRegistration(t, sa) test.AssertNotError(t, err, "Couldn't create registration") for i := int64(0); i < 5; i++ { rawCert.SerialNumber = big.NewInt(i) certDER, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "Couldn't create certificate") _, err = sa.AddCertificate(certDER, reg.ID) test.AssertNotError(t, err, "Couldn't add certificate") } err = checker.getCerts() test.AssertNotError(t, err, "Failed to retrieve certificates") test.AssertEquals(t, len(checker.certs), 5) wg := new(sync.WaitGroup) wg.Add(1) checker.processCerts(wg) test.AssertEquals(t, checker.issuedReport.BadCerts, int64(5)) test.AssertEquals(t, len(checker.issuedReport.Entries), 5) }
// initSA constructs a SQLStorageAuthority and a clean up function // that should be defer'ed to the end of the test. func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) { dbMap, err := NewDbMap(vars.DBConnSA, 0) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } fc := clock.NewFake() fc.Set(time.Date(2015, 3, 4, 5, 0, 0, 0, time.UTC)) sa, err := NewSQLStorageAuthority(dbMap, fc, log) if err != nil { t.Fatalf("Failed to create SA: %s", err) } cleanUp := test.ResetSATestDatabase(t) return sa, fc, cleanUp }
// initSA constructs a SQLStorageAuthority and a clean up function // that should be defer'ed to the end of the test. func initSA(t *testing.T) (*SQLStorageAuthority, clock.FakeClock, func()) { dbMap, err := NewDbMap(dbConnStr) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } dbMap.TraceOn("SQL: ", &SQLLogger{log}) fc := clock.NewFake() fc.Set(time.Date(2015, 3, 4, 5, 0, 0, 0, time.UTC)) sa, err := NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } cleanUp := test.ResetSATestDatabase(t) return sa, fc, cleanUp }
func setup(t *testing.T, nagTimes []time.Duration) *testCtx { // We use the test_setup user (which has full permissions to everything) // because the SA we return is used for inserting data to set up the test. dbMap, err := sa.NewDbMap(vars.DBConnSAFullPerms) if err != nil { t.Fatalf("Couldn't connect the database: %s", err) } fc := newFakeClock(t) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("unable to create SQLStorageAuthority: %s", err) } cleanUp := test.ResetSATestDatabase(t) stats, _ := statsd.NewNoopClient(nil) mc := &mocks.Mailer{} offsetNags := make([]time.Duration, len(nagTimes)) for i, t := range nagTimes { offsetNags[i] = t + defaultNagCheckInterval } m := &mailer{ log: blog.GetAuditLogger(), stats: stats, mailer: mc, emailTemplate: tmpl, dbMap: dbMap, rs: ssa, nagTimes: offsetNags, limit: 100, clk: fc, } return &testCtx{ dbMap: dbMap, ssa: ssa, mc: mc, fc: fc, m: m, cleanUp: cleanUp, } }
func TestDBHandler(t *testing.T) { src, err := makeDBSource("mysql+tcp://ocsp_resp@localhost:3306/boulder_sa_test", "./testdata/test-ca.der.pem", false) if err != nil { t.Fatalf("makeDBSource: %s", err) } defer test.ResetSATestDatabase(t) ocspResp, err := ocsp.ParseResponse(resp, nil) if err != nil { t.Fatalf("ocsp.ParseResponse: %s", err) } status := &core.CertificateStatus{ Serial: core.SerialToString(ocspResp.SerialNumber), OCSPLastUpdated: time.Now(), OCSPResponse: resp, } setupDBMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test") if err != nil { t.Fatal(err) } err = setupDBMap.Insert(status) if err != nil { t.Fatalf("unable to insert response: %s", err) } h := handler(src, 10*time.Second) w := httptest.NewRecorder() r, err := http.NewRequest("POST", "/", bytes.NewReader(req)) if err != nil { t.Fatal(err) } h.ServeHTTP(w, r) if w.Code != http.StatusOK { t.Errorf("Code: want %d, got %d", http.StatusOK, w.Code) } if !bytes.Equal(w.Body.Bytes(), resp) { t.Errorf("Mismatched body: want %#v, got %#v", resp, w.Body.Bytes()) } }
func TestPurgeAuthzs(t *testing.T) { dbMap, err := sa.NewDbMap(vars.DBConnSAFullPerms, 0) if err != nil { t.Fatalf("Couldn't connect the database: %s", err) } log := blog.UseMock() fc := clock.NewFake() fc.Add(time.Hour) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc, log) if err != nil { t.Fatalf("unable to create SQLStorageAuthority: %s", err) } cleanUp := test.ResetSATestDatabase(t) defer cleanUp() stats := metrics.NewNoopScope() p := expiredAuthzPurger{stats, log, fc, dbMap, 1} rows, err := p.purgeAuthzs(time.Time{}, true) test.AssertNotError(t, err, "purgeAuthzs failed") test.AssertEquals(t, rows, int64(0)) old, new := fc.Now().Add(-time.Hour), fc.Now().Add(time.Hour) reg := satest.CreateWorkingRegistration(t, ssa) _, err = ssa.NewPendingAuthorization(context.Background(), core.Authorization{RegistrationID: reg.ID, Expires: &old}) test.AssertNotError(t, err, "NewPendingAuthorization failed") _, err = ssa.NewPendingAuthorization(context.Background(), core.Authorization{RegistrationID: reg.ID, Expires: &old}) test.AssertNotError(t, err, "NewPendingAuthorization failed") _, err = ssa.NewPendingAuthorization(context.Background(), core.Authorization{RegistrationID: reg.ID, Expires: &new}) test.AssertNotError(t, err, "NewPendingAuthorization failed") rows, err = p.purgeAuthzs(fc.Now(), true) test.AssertNotError(t, err, "purgeAuthzs failed") test.AssertEquals(t, rows, int64(2)) rows, err = p.purgeAuthzs(fc.Now().Add(time.Hour), true) test.AssertNotError(t, err, "purgeAuthzs failed") test.AssertEquals(t, rows, int64(1)) }
func setup(t *testing.T, nagTimes []time.Duration) *testCtx { // We use the test_setup user (which has full permissions to everything) // because the SA we return is used for inserting data to set up the test. dbMap, err := sa.NewDbMap("mysql+tcp://test_setup@localhost:3306/boulder_sa_test") if err != nil { t.Fatalf("Couldn't connect the database: %s", err) } fc := clock.NewFake() ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("unable to create SQLStorageAuthority: %s", err) } cleanUp := test.ResetSATestDatabase(t) stats, _ := statsd.NewNoopClient(nil) mc := &mockMail{} m := &mailer{ log: blog.GetAuditLogger(), stats: stats, mailer: mc, emailTemplate: tmpl, dbMap: dbMap, rs: ssa, nagTimes: nagTimes, limit: 100, clk: fc, } return &testCtx{ dbMap: dbMap, ssa: ssa, mc: mc, fc: fc, m: m, cleanUp: cleanUp, } }
func setup(t *testing.T) *testCtx { // Create an SA dbMap, err := sa.NewDbMap(vars.DBConnSA) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } fc := clock.NewFake() fc.Add(1 * time.Hour) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } saDBCleanUp := test.ResetSATestDatabase(t) paDbMap, err := sa.NewDbMap(vars.DBConnPolicy) test.AssertNotError(t, err, "Could not construct dbMap") pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false, nil) test.AssertNotError(t, err, "Couldn't create PADB") paDBCleanUp := test.ResetPolicyTestDatabase(t) cleanUp := func() { saDBCleanUp() paDBCleanUp() } // TODO(jmhodges): use of this pkg here is a bug caused by using a real SA reg := satest.CreateWorkingRegistration(t, ssa) // Create a CA caConfig := cmd.CAConfig{ RSAProfile: rsaProfileName, ECDSAProfile: ecdsaProfileName, SerialPrefix: 17, Expiry: "8760h", LifespanOCSP: "45m", MaxNames: 2, HSMFaultTimeout: cmd.ConfigDuration{Duration: 60 * time.Second}, CFSSL: cfsslConfig.Config{ Signing: &cfsslConfig.Signing{ Profiles: map[string]*cfsslConfig.SigningProfile{ rsaProfileName: &cfsslConfig.SigningProfile{ Usage: []string{"digital signature", "key encipherment", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ cfsslConfig.CertificatePolicy{ ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, }, ecdsaProfileName: &cfsslConfig.SigningProfile{ Usage: []string{"digital signature", "server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ cfsslConfig.CertificatePolicy{ ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, ClientProvidesSerialNumbers: true, }, }, Default: &cfsslConfig.SigningProfile{ ExpiryString: "8760h", }, }, OCSP: &ocspConfig.Config{ CACertFile: caCertFile, ResponderCertFile: caCertFile, KeyFile: caKeyFile, }, }, } stats := mocks.NewStatter() keyPolicy := core.KeyPolicy{ AllowRSA: true, AllowECDSANISTP256: true, AllowECDSANISTP384: true, } return &testCtx{ ssa, caConfig, reg, pa, keyPolicy, fc, &stats, cleanUp, } }
func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAuthority, *RegistrationAuthorityImpl, clock.FakeClock, func()) { err := json.Unmarshal(AccountKeyJSONA, &AccountKeyA) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountKeyJSONB, &AccountKeyB) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountKeyJSONC, &AccountKeyC) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountPrivateKeyJSON, &AccountPrivateKey) test.AssertNotError(t, err, "Failed to unmarshal private JWK") err = json.Unmarshal(ShortKeyJSON, &ShortKey) test.AssertNotError(t, err, "Failed to unmarshal JWK") fc := clock.NewFake() dbMap, err := sa.NewDbMap(vars.DBConnSA) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } saDBCleanUp := test.ResetSATestDatabase(t) va := &DummyValidationAuthority{} // PEM files in certificate-authority_test.go caKeyPEM, _ := pem.Decode([]byte(CAkeyPEM)) caKey, _ := x509.ParsePKCS1PrivateKey(caKeyPEM.Bytes) caCertPEM, _ := pem.Decode([]byte(CAcertPEM)) caCert, _ := x509.ParseCertificate(caCertPEM.Bytes) basicPolicy := &cfsslConfig.Signing{ Default: &cfsslConfig.SigningProfile{ Usage: []string{"server auth", "client auth"}, Expiry: 1 * time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKey: true, PublicKeyAlgorithm: true, SignatureAlgorithm: true, DNSNames: true, }, }, } signer, _ := local.NewSigner(caKey, caCert, x509.SHA256WithRSA, basicPolicy) ocspSigner, _ := ocsp.NewSigner(caCert, caCert, caKey, time.Hour) paDbMap, err := sa.NewDbMap(vars.DBConnPolicy) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } policyDBCleanUp := test.ResetPolicyTestDatabase(t) pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false, SupportedChallenges) test.AssertNotError(t, err, "Couldn't create PA") ca := ca.CertificateAuthorityImpl{ Signer: signer, OCSPSigner: ocspSigner, SA: ssa, PA: pa, ValidityPeriod: time.Hour * 2190, NotAfter: time.Now().Add(time.Hour * 8761), Clk: fc, Publisher: &mocks.Publisher{}, } cleanUp := func() { saDBCleanUp() policyDBCleanUp() } csrDER, _ := hex.DecodeString(CSRhex) ExampleCSR, _ = x509.ParseCertificateRequest(csrDER) Registration, _ = ssa.NewRegistration(core.Registration{ Key: AccountKeyA, InitialIP: net.ParseIP("3.2.3.3"), }) stats, _ := statsd.NewNoopClient() ra := NewRegistrationAuthorityImpl(fc, blog.GetAuditLogger(), stats, &DomainCheck{va}, cmd.RateLimitConfig{ TotalCertificates: cmd.RateLimitPolicy{ Threshold: 100, Window: cmd.ConfigDuration{Duration: 24 * 90 * time.Hour}, }, }, 1) ra.SA = ssa ra.VA = va ra.CA = &ca ra.PA = pa ra.DNSResolver = &mocks.DNSResolver{} AuthzInitial.RegistrationID = Registration.ID challenges, combinations, err := pa.ChallengesFor(AuthzInitial.Identifier, &Registration.Key) AuthzInitial.Challenges = challenges AuthzInitial.Combinations = combinations AuthzFinal = AuthzInitial AuthzFinal.Status = "valid" exp := time.Now().Add(365 * 24 * time.Hour) AuthzFinal.Expires = &exp AuthzFinal.Challenges[0].Status = "valid" return va, ssa, ra, fc, cleanUp }
func TestCheckCert(t *testing.T) { saDbMap, err := sa.NewDbMap(vars.DBConnSA, 0) test.AssertNotError(t, err, "Couldn't connect to database") saCleanup := test.ResetSATestDatabase(t) defer func() { saCleanup() }() testKey, _ := rsa.GenerateKey(rand.Reader, 1024) fc := clock.NewFake() fc.Add(time.Hour * 24 * 90) checker := newChecker(saDbMap, fc, pa, expectedValidityPeriod) issued := checker.clock.Now().Add(-time.Hour * 24 * 45) goodExpiry := issued.Add(expectedValidityPeriod) serial := big.NewInt(1337) // Problems // Expiry period is too long // Basic Constraints aren't set // Wrong key usage (none) rawCert := x509.Certificate{ Subject: pkix.Name{ CommonName: "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeexample.com", }, NotBefore: issued, NotAfter: goodExpiry.AddDate(0, 0, 1), // Period too long DNSNames: []string{"example-a.com"}, SerialNumber: serial, BasicConstraintsValid: false, } brokenCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "Couldn't create certificate") // Problems // Digest doesn't match // Serial doesn't match // Expiry doesn't match // Issued doesn't match cert := core.Certificate{ Serial: "8485f2687eba29ad455ae4e31c8679206fec", DER: brokenCertDer, Issued: issued.Add(12 * time.Hour), Expires: goodExpiry.AddDate(0, 0, 2), // Expiration doesn't match } problems := checker.checkCert(cert) problemsMap := map[string]int{ "Stored digest doesn't match certificate digest": 1, "Stored serial doesn't match certificate serial": 1, "Stored expiration doesn't match certificate NotAfter": 1, "Certificate doesn't have basic constraints set": 1, "Certificate has a validity period longer than 2160h0m0s": 1, "Stored issuance date is outside of 6 hour window of certificate NotBefore": 1, "Certificate has incorrect key usage extensions": 1, "Certificate has common name >64 characters long (65)": 1, } for _, p := range problems { _, ok := problemsMap[p] if !ok { t.Errorf("Found unexpected problem '%s'.", p) } delete(problemsMap, p) } for k := range problemsMap { t.Errorf("Expected problem but didn't find it: '%s'.", k) } test.AssertEquals(t, len(problems), 8) // Same settings as above, but the stored serial number in the DB is invalid. cert.Serial = "not valid" problems = checker.checkCert(cert) foundInvalidSerialProblem := false for _, p := range problems { if p == "Stored serial is invalid" { foundInvalidSerialProblem = true } } test.Assert(t, foundInvalidSerialProblem, "Invalid certificate serial number in DB did not trigger problem.") // Fix the problems rawCert.Subject.CommonName = "example-a.com" rawCert.NotAfter = goodExpiry rawCert.BasicConstraintsValid = true rawCert.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} goodCertDer, err := x509.CreateCertificate(rand.Reader, &rawCert, &rawCert, &testKey.PublicKey, testKey) test.AssertNotError(t, err, "Couldn't create certificate") parsed, err := x509.ParseCertificate(goodCertDer) test.AssertNotError(t, err, "Couldn't parse created certificate") cert.Serial = core.SerialToString(serial) cert.Digest = core.Fingerprint256(goodCertDer) cert.DER = goodCertDer cert.Expires = parsed.NotAfter cert.Issued = parsed.NotBefore problems = checker.checkCert(cert) test.AssertEquals(t, len(problems), 0) }
func setup(t *testing.T) *testCtx { // Create an SA dbMap, err := sa.NewDbMap(saDBConnStr) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } fc := clock.NewFake() fc.Add(1 * time.Hour) ssa, err := sa.NewSQLStorageAuthority(dbMap, fc) if err != nil { t.Fatalf("Failed to create SA: %s", err) } saDBCleanUp := test.ResetSATestDatabase(t) paDbMap, err := sa.NewDbMap(paDBConnStr) test.AssertNotError(t, err, "Could not construct dbMap") pa, err := policy.NewPolicyAuthorityImpl(paDbMap, false) test.AssertNotError(t, err, "Couldn't create PADB") paDBCleanUp := test.ResetPolicyTestDatabase(t) cleanUp := func() { saDBCleanUp() paDBCleanUp() } // TODO(jmhodges): use of this pkg here is a bug caused by using a real SA reg := satest.CreateWorkingRegistration(t, ssa) // Create a CA caConfig := cmd.CAConfig{ Profile: profileName, SerialPrefix: 17, Key: cmd.KeyConfig{ File: caKeyFile, }, Expiry: "8760h", LifespanOCSP: "45m", MaxNames: 2, CFSSL: cfsslConfig.Config{ Signing: &cfsslConfig.Signing{ Profiles: map[string]*cfsslConfig.SigningProfile{ profileName: &cfsslConfig.SigningProfile{ Usage: []string{"server auth"}, CA: false, IssuerURL: []string{"http://not-example.com/issuer-url"}, OCSP: "http://not-example.com/ocsp", CRL: "http://not-example.com/crl", Policies: []cfsslConfig.CertificatePolicy{ cfsslConfig.CertificatePolicy{ ID: cfsslConfig.OID(asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}), }, }, ExpiryString: "8760h", Backdate: time.Hour, CSRWhitelist: &cfsslConfig.CSRWhitelist{ PublicKeyAlgorithm: true, PublicKey: true, SignatureAlgorithm: true, }, }, }, Default: &cfsslConfig.SigningProfile{ ExpiryString: "8760h", }, }, OCSP: &ocspConfig.Config{ CACertFile: caCertFile, ResponderCertFile: caCertFile, KeyFile: caKeyFile, }, }, } return &testCtx{ssa, caConfig, reg, pa, fc, cleanUp} }
func initAuthorities(t *testing.T) (*DummyValidationAuthority, *sa.SQLStorageAuthority, *RegistrationAuthorityImpl, clock.FakeClock, func()) { err := json.Unmarshal(AccountKeyJSONA, &AccountKeyA) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountKeyJSONB, &AccountKeyB) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountKeyJSONC, &AccountKeyC) test.AssertNotError(t, err, "Failed to unmarshal public JWK") err = json.Unmarshal(AccountPrivateKeyJSON, &AccountPrivateKey) test.AssertNotError(t, err, "Failed to unmarshal private JWK") err = json.Unmarshal(ShortKeyJSON, &ShortKey) test.AssertNotError(t, err, "Failed to unmarshal JWK") fc := clock.NewFake() dbMap, err := sa.NewDbMap(vars.DBConnSA, 0) if err != nil { t.Fatalf("Failed to create dbMap: %s", err) } ssa, err := sa.NewSQLStorageAuthority(dbMap, fc, log) if err != nil { t.Fatalf("Failed to create SA: %s", err) } saDBCleanUp := test.ResetSATestDatabase(t) va := &DummyValidationAuthority{} pa, err := policy.New(SupportedChallenges) test.AssertNotError(t, err, "Couldn't create PA") err = pa.SetHostnamePolicyFile("../test/hostname-policy.json") test.AssertNotError(t, err, "Couldn't set hostname policy") stats, _ := statsd.NewNoopClient() ca := &mocks.MockCA{ PEM: eeCertPEM, } cleanUp := func() { saDBCleanUp() } block, _ := pem.Decode(CSRPEM) ExampleCSR, _ = x509.ParseCertificateRequest(block.Bytes) Registration, _ = ssa.NewRegistration(ctx, core.Registration{ Key: AccountKeyA, InitialIP: net.ParseIP("3.2.3.3"), }) ra := NewRegistrationAuthorityImpl(fc, log, stats, 1, testKeyPolicy, 0, true, false) ra.SA = ssa ra.VA = va ra.CA = ca ra.PA = pa ra.DNSResolver = &bdns.MockDNSResolver{} AuthzInitial.RegistrationID = Registration.ID challenges, combinations := pa.ChallengesFor(AuthzInitial.Identifier, &Registration.Key) AuthzInitial.Challenges = challenges AuthzInitial.Combinations = combinations AuthzFinal = AuthzInitial AuthzFinal.Status = "valid" exp := time.Now().Add(365 * 24 * time.Hour) AuthzFinal.Expires = &exp AuthzFinal.Challenges[0].Status = "valid" return va, ssa, ra, fc, cleanUp }