Add a mock OCSP signer and better OCSP HSM fault tests
parent
be7c7aebbb
commit
28be8023cf
|
@ -430,9 +430,11 @@ func TestHSMFaultTimeout(t *testing.T) {
|
|||
// Swap in a bad signer
|
||||
goodSigner := ca.Signer
|
||||
badHSMErrorMessage := "This is really serious. You should wait"
|
||||
ca.Signer = mocks.BadHSMSigner(badHSMErrorMessage)
|
||||
badSigner := mocks.BadHSMSigner(badHSMErrorMessage)
|
||||
badOCSPSigner := mocks.BadHSMOCSPSigner(badHSMErrorMessage)
|
||||
|
||||
// Cause the CA to enter the HSM fault condition
|
||||
ca.Signer = badSigner
|
||||
_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
|
||||
test.AssertError(t, err, "CA failed to return HSM error")
|
||||
test.AssertEquals(t, err.Error(), "pkcs11: "+badHSMErrorMessage)
|
||||
|
@ -454,9 +456,21 @@ func TestHSMFaultTimeout(t *testing.T) {
|
|||
// Check that the CA has recovered
|
||||
_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
|
||||
test.AssertNotError(t, err, "CA failed to recover from HSM fault")
|
||||
|
||||
_, err = ca.GenerateOCSP(ocspRequest)
|
||||
test.AssertNotError(t, err, "CA failed to recover from HSM fault")
|
||||
|
||||
test.AssertEquals(t, ca.hsmFaultTimeout, hsmFaultMinTimeout)
|
||||
|
||||
// Check that GenerateOCSP can also trigger an HSM failure, in the same way
|
||||
ca.OCSPSigner = badOCSPSigner
|
||||
_, err = ca.GenerateOCSP(ocspRequest)
|
||||
test.AssertError(t, err, "CA failed to return HSM error")
|
||||
test.AssertEquals(t, err.Error(), "pkcs11: "+badHSMErrorMessage)
|
||||
|
||||
_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
|
||||
test.AssertError(t, err, "CA failed to persist HSM fault")
|
||||
test.AssertEquals(t, err.Error(), "IssueCertificate call rejected; HSM is unavailable")
|
||||
|
||||
_, err = ca.GenerateOCSP(ocspRequest)
|
||||
test.AssertError(t, err, "CA failed to persist HSM fault")
|
||||
test.AssertEquals(t, err.Error(), "GenerateOCSP call rejected; HSM is unavailable")
|
||||
}
|
||||
|
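Review bot: The OCSP-triggered fault added at the end of the second hunk is only checked for persistence, never for recovery, so the test ends with the CA still in the fault state and the `ca.OCSPSigner` swap is never undone (the first hunk saves `goodSigner` for `ca.Signer`, but no equivalent is saved for `ca.OCSPSigner`). Mirroring the first half of the test, after the two `HSM is unavailable` assertions the test should advance the clock past `ca.hsmFaultTimeout` in whatever way the section between the two hunks does, restore the original OCSP signer, and assert that both `IssueCertificate` and `GenerateOCSP` succeed again and that `ca.hsmFaultTimeout` is back to `hsmFaultMinTimeout`; otherwise a regression where `GenerateOCSP` enters the fault but the timeout/backoff path does not clear it would pass this test. Saving the original with `goodOCSPSigner := ca.OCSPSigner` next to `goodSigner` in the first hunk keeps the two halves symmetric. TestHSMFaultTimeout begins before the first hunk and the recovery sequence it relies on sits between the two hunks, so the exact clock-advance call cannot be confirmed from here.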
|
|
@ -17,6 +17,7 @@ import (
|
|||
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/config"
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/info"
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/ocsp"
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/cloudflare/cfssl/signer"
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/jmhodges/clock"
|
||||
"github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/letsencrypt/go-jose"
|
||||
|
@ -403,3 +404,11 @@ func (bhs BadHSMSigner) SigAlgo() x509.SignatureAlgorithm {
|
|||
func (bhs BadHSMSigner) Sign(req signer.SignRequest) (cert []byte, err error) {
|
||||
return nil, fmt.Errorf("pkcs11: " + string(bhs))
|
||||
}
|
||||
|
||||
// BadHSMOCSPSigner represents a CFSSL OCSP signer that always returns a
|
||||
// PKCS#11 error
|
||||
type BadHSMOCSPSigner string
|
||||
|
||||
func (bhos BadHSMOCSPSigner) Sign(ocsp.SignRequest) ([]byte, error) {
|
||||
return nil, fmt.Errorf("pkcs11: " + string(bhos))
|
||||
}
|
||||
|
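Review bot: `BadHSMOCSPSigner.Sign` builds the error with `fmt.Errorf("pkcs11: " + string(bhos))`, passing the mock's message as the format string, so a message containing `%` would be mangled and `go vet` flags the non-constant format; `return nil, errors.New("pkcs11: " + string(bhos))` (or `fmt.Errorf("pkcs11: %s", string(bhos))`) keeps the exact text the CA test compares against `"pkcs11: "+badHSMErrorMessage`. The same pattern is in the existing `BadHSMSigner.Sign` context line just above and could be fixed in the same commit. Since the new type exists only to stand in for the CA's OCSP signer, a compile-time check such as `var _ ocsp.Signer = BadHSMOCSPSigner("")` would catch a drift in the cfssl `ocsp.SignRequest` signature at build time rather than in the CA test, assuming the imported `ocsp` package exposes that interface. The doc comment would also be more useful if it noted that the string value is the PKCS#11 error message returned on every Sign call, e.g. `// The string value is returned as the PKCS#11 error message on every Sign.`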
|