Test proper duplicate extension handling

This commit is contained in:
Richard Barnes 2016-02-16 14:03:42 -05:00
parent edd247119f
commit 4f81e8cfbd
1 changed files with 26 additions and 3 deletions


@ -102,6 +102,12 @@ var (
// * Includes an extensionRequest attribute for a well-formed TLS Feature extension
MustStapleCSR = mustRead("./testdata/must_staple.der.csr")
// CSR generated by Go:
// * Random public key
// * CN = not-example.com
// * Includes extensionRequest attributes for *two* must-staple extensions
DuplicateMustStapleCSR = mustRead("./testdata/must_staple.der.csr")
// CSR generated by Go:
// * Random public key
// * CN = not-example.com
@ -708,11 +714,28 @@ func TestExtensions(t *testing.T) {
test.Assert(t, foundMustStaple, "TLS Feature extension not found")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(1))
// Even if there are multiple TLS Feature extensions, only one extension should be included
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertNotError(t, err, "Failed to gracefully handle a CSR with multiple must_staple")
parsedCert2, err := x509.ParseCertificate(cert.DER)
test.AssertNotError(t, err, "Error parsing certificate produced by CA")
numMustStaple := 0
for _, ext := range parsedCert2.Extensions {
if ext.Id.Equal(oidTLSFeature) {
numMustStaple += 1
test.Assert(t, !ext.Critical, "Extension was marked critical")
test.AssertByteEquals(t, ext.Value, mustStapleFeatureValue)
}
}
test.Assert(t, numMustStaple == 1, "Duplicate TLS Feature extensions found")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(2))
// ... but if it doesn't ask for stapling, there should be an error
csr, _ = x509.ParseCertificateRequest(TLSFeatureUnknownCSR)
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertError(t, err, "Allowed a CSR with an empty TLS feature extension")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(2))
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(3))
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeatureInvalid], int64(1))
// Unsupported extensions should be silently ignored, having the same
@ -720,9 +743,9 @@ func TestExtensions(t *testing.T) {
csr, _ = x509.ParseCertificateRequest(UnsupportedExtensionCSR)
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertNotError(t, err, "Failed to gracefully handle a CSR with an unknown extension")
parsedCert2, err := x509.ParseCertificate(cert.DER)
parsedCert3, err := x509.ParseCertificate(cert.DER)
test.AssertNotError(t, err, "Error parsing certificate produced by CA")
test.AssertEquals(t, len(parsedCert2.Extensions), len(parsedCert1.Extensions)-1)
test.AssertEquals(t, len(parsedCert3.Extensions), len(parsedCert1.Extensions)-1)
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionOther], int64(1))
// None of the above CSRs have basic extensions