test: Use more //test/hierarchy/ key material in tests (#7318)
The `//ca/ca_test.go` `setup` function will now create issuers that each
have a unique private key from `//test/hierarchy/`, rather than multiple
issuers sharing a private key. This was spotted while reviewing an [OCSP
test](10e894a172/ca/ocsp_test.go (L53-L87)).
Some now-unnecessary key material has been deleted from `//test/`.
Fixes https://github.com/letsencrypt/boulder/issues/7304
parent
ef1e9a3412
commit
aece244f3b
@ -96,9 +96,10 @@ var (
|
|||
const arbitraryRegID int64 = 1001
|
||||
|
||||
// Useful key and certificate files.
|
||||
const caKeyFile = "../test/test-ca.key"
|
||||
const caCertFile = "../test/test-ca.pem"
|
||||
const caCertFile2 = "../test/test-ca2.pem"
|
||||
const rsaIntKey = "../test/hierarchy/int-r3.key.pem"
|
||||
const rsaIntCert = "../test/hierarchy/int-r3.cert.pem"
|
||||
const ecdsaIntKey = "../test/hierarchy/int-e1.key.pem"
|
||||
const ecdsaIntCert = "../test/hierarchy/int-e1.cert.pem"
|
||||
|
||||
func mustRead(path string) []byte {
|
||||
return must.Do(os.ReadFile(path))
|
||||
|
|
@ -185,7 +186,7 @@ func setup(t *testing.T) *testCtx {
|
|||
IssuerURL: "http://not-example.com/issuer-url",
|
||||
OCSPURL: "http://not-example.com/ocsp",
|
||||
CRLURL: "http://not-example.com/crl",
|
||||
Location: issuance.IssuerLoc{File: caKeyFile, CertFile: caCertFile2},
|
||||
Location: issuance.IssuerLoc{File: ecdsaIntKey, CertFile: ecdsaIntCert},
|
||||
}, fc)
|
||||
test.AssertNotError(t, err, "Couldn't load test issuer")
|
||||
|
||||
|
|
@ -195,7 +196,7 @@ func setup(t *testing.T) *testCtx {
|
|||
IssuerURL: "http://not-example.com/issuer-url",
|
||||
OCSPURL: "http://not-example.com/ocsp",
|
||||
CRLURL: "http://not-example.com/crl",
|
||||
Location: issuance.IssuerLoc{File: caKeyFile, CertFile: caCertFile},
|
||||
Location: issuance.IssuerLoc{File: rsaIntKey, CertFile: rsaIntCert},
|
||||
}, fc)
|
||||
test.AssertNotError(t, err, "Couldn't load test issuer")
|
||||
|
||||
|
|
|
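Review bot: The context comment `// Useful key and certificate files.` above the new `rsaIntKey`/`rsaIntCert`/`ecdsaIntKey`/`ecdsaIntCert` constants in the first hunk does not record the invariant this change establishes, that each test issuer is backed by its own private key; without it a later edit can quietly reintroduce a shared key and any issuer-mismatch assertion built on these issuers loses its meaning. A comment such as `// Test issuer key and certificate files from test/hierarchy/; each issuer uses a distinct key so that issuer-mismatch checks are meaningful.` would capture that. The two `setup` hunks that consume these constants sit inside a function whose body starts and ends outside the hunks.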
|||
|
|
@ -50,7 +50,7 @@ func TestOCSP(t *testing.T) {
|
|||
test.AssertNotError(t, err, "Failed to create CA")
|
||||
ocspi := testCtx.ocsp
|
||||
|
||||
// Issue a certificate from the RSA issuer caCert, then check OCSP comes from the same issuer.
|
||||
// Issue a certificate from the RSA issuer, then check OCSP comes from that same issuer.
|
||||
rsaIssuerID := ca.issuers.byAlg[x509.RSA].NameID()
|
||||
rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
|
||||
test.AssertNotError(t, err, "Failed to issue certificate")
|
||||
|
|
@ -68,7 +68,11 @@ func TestOCSP(t *testing.T) {
|
|||
test.AssertEquals(t, rsaOCSP.RevocationReason, 0)
|
||||
test.AssertEquals(t, rsaOCSP.SerialNumber.Cmp(rsaCert.SerialNumber), 0)
|
||||
|
||||
// Issue a certificate from the ECDSA issuer caCert2, then check OCSP comes from the same issuer.
|
||||
// Check that a different issuer cannot validate the OCSP response
|
||||
_, err = ocsp.ParseResponse(rsaOCSPPB.Response, testCtx.boulderIssuers[0].Cert.Certificate)
|
||||
test.AssertError(t, err, "Parsed / validated OCSP for rsaCert, but should not have")
|
||||
|
||||
// Issue a certificate from an ECDSA issuer, then check OCSP comes from that same issuer.
|
||||
ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].NameID()
|
||||
ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID})
|
||||
test.AssertNotError(t, err, "Failed to issue certificate")
|
||||
|
|
|
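Review bot: The new negative check in the second hunk validates the RSA OCSP response against `testCtx.boulderIssuers[0].Cert.Certificate`, which relies on position 0 not being the RSA issuer; if the issuer order in `setup` ever changes, `ocsp.ParseResponse` would succeed and `test.AssertError` would fail with a message that points at OCSP parsing rather than at issuer ordering. Selecting the other issuer explicitly, for example through the same `ca.issuers.byAlg[x509.ECDSA]` lookup the hunk already uses for `ecdsaIssuerID` (assuming that value exposes the certificate), or asserting up front that the chosen issuer's NameID differs from `rsaIssuerID`, would make the test's intent self-evident. `TestOCSP` starts and ends outside the hunks.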
|||
|
|
@ -276,13 +276,13 @@ func TestLoadCert(t *testing.T) {
|
|||
test.AssertError(t, err, "Loading non-PEM file did not error")
|
||||
test.AssertEquals(t, err.Error(), "no data in cert PEM file \"../test/test-ca.der\"")
|
||||
|
||||
_, err = LoadCert("../test/test-ca.key")
|
||||
_, err = LoadCert("../test/hierarchy/int-e1.key.pem")
|
||||
test.AssertError(t, err, "Loading non-cert file did not error")
|
||||
test.AssertEquals(t, err.Error(), "x509: malformed tbs certificate")
|
||||
|
||||
cert, err := LoadCert("../test/test-ca.pem")
|
||||
cert, err := LoadCert("../test/hierarchy/int-r3.cert.pem")
|
||||
test.AssertNotError(t, err, "Failed to load cert file")
|
||||
test.AssertEquals(t, cert.Subject.CommonName, "happy hacker fake CA")
|
||||
test.AssertEquals(t, cert.Subject.CommonName, "(TEST) Radical Rhino R3")
|
||||
}
|
||||
|
||||
func TestRetryBackoff(t *testing.T) {
|
||||
|
|
|
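Review bot: `TestLoadCert` still reads `../test/test-ca.der` on the first context line of this hunk while the commit appears to retire the rest of the `test-ca` material (the `caKeyFile`/`caCertFile`/`caCertFile2` constants are dropped and key and certificate files are deleted further down), so the test now mixes one leftover legacy fixture with `test/hierarchy/` files; if the DER file is the last consumer of the old hierarchy, deriving the non-PEM case from a hierarchy file, or a comment saying why the DER fixture stays, would finish the cleanup. The expected CommonName `"(TEST) Radical Rhino R3"` is tied to `int-r3.cert.pem`; a one-line comment noting that the two must change together would help whoever next regenerates the hierarchy. The function starts outside the hunk.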
|||
|
|
@ -75,7 +75,7 @@
|
|||
"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
|
||||
"ocspURL": "http://127.0.0.1:4002/",
|
||||
"location": {
|
||||
"configFile": "test/test-ca.key-pkcs11.json",
|
||||
"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
|
||||
"certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
|
||||
"numSessions": 2
|
||||
}
|
||||
|
|
@ -86,7 +86,7 @@
|
|||
"issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
|
||||
"ocspURL": "http://127.0.0.1:4002/",
|
||||
"location": {
|
||||
"configFile": "test/test-ca.key-pkcs11.json",
|
||||
"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
|
||||
"certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
|
||||
"numSessions": 2
|
||||
}
|
||||
|
|
|
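Review bot: Both issuer entries in the two hunks now point at the same `"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json"` while keeping separate `certFile`s (`intermediate-cert-rsa-a.pem` and `intermediate-cert-rsa-b.pem`), which is the one place in this change where two issuers still share a signing key. If the `-a`/`-b` certificates are cross-signs of a single intermediate key, that is correct, and a sentence in the hierarchy's accompanying documentation saying so would stop a reader from applying the commit's one-key-per-issuer intent here; if they are not, the second entry needs its own PKCS#11 config. JSON has no comment syntax, so the note cannot live inline.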
|||
|
|
@ -26,7 +26,9 @@ blocked:
|
|||
- cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=
|
||||
# test/block-a-key/test/test.rsa.jwk.json
|
||||
- Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=
|
||||
# test/hierarchy/int-r4.cert.pem
|
||||
- +//lPMatuGvtf7yesXNv6FSf0UovKbP3BKdQZ23L4BY=
|
||||
blockedHashesHex:
|
||||
- 41e6dcd55dd2917de2ce461118d262966f4172ebdfd28a31e14d919fe6f824e1
|
||||
|
||||
|
||||
|
||||
|
|
|
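Review bot: The new `blocked` entry is labelled `# test/hierarchy/int-r4.cert.pem`, but what is blocked is a public-key hash and the integration tests that exercise it (the Python hunks further down) load `test/hierarchy/int-r4.key.pem`; labelling it `# test/hierarchy/int-r4.key.pem` makes the link to those tests direct. The `blockedHashesHex` list gains no counterpart for the new hash, whereas the existing pair `Qebc1V3S…`/`41e6dcd5…` is the same digest in both encodings; if that list is meant to mirror `blocked` rather than merely demonstrate the hex form, a matching hex entry for the int-r4 digest is missing.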
|||
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDCCkd5mgXFErJ3
|
||||
F2M0E9dw+Ta/md5i8TDId01HberAApqmydG7UZYF3zLTSzNjlNSOmtybvrSGUnZ9
|
||||
r9tSQcL8VM6WUOM8tnIpiIjEA2QkBycMwvRmZ/B2ltPdYs/R9BqNwO1g18GDZrHS
|
||||
zUYtNKNeFI6Glamj7GK2Vr0SmiEamlNIR5ktAFsEErzf/d4jCF7sosMsJpMCm1p5
|
||||
8QkP4LHLShVLXDa8BMfVoI+ipYcA08iNUFkgW8VWDclIDxcysa0psDDtMjX3+4aP
|
||||
kE/cefmP+1xOfUuDHOGV8XFynsP4EpTfVOZr0/g9gYQ7ZArqXX7GTQkFqduwPm/w
|
||||
5qxSPTarAgMBAAECggEAZh00uhjFOo35X1TufwSGF0z/c9uMvfMB4i1ufM2qgXud
|
||||
WXLSLcrksZhhTfLAS4KSTa3PtSKqLBoPg1tdhy9WZqZWxaIxw8ybzaGtn8HNHGyr
|
||||
LzsVlSLT2ATN4C7VAT9+DeVext0kWHtdz3r5mGagJq2Yx9jRGpQW6rBA9h4ol699
|
||||
BM09UPCcdlGmpdrb0jDjyfohG139EBSmEeB+Jim+oLO1sXe/LvWllU0UL527CExp
|
||||
ykiIjASd4s7tFErV9sVJ+bDI97GOyBUGcVMiQ+TRPKFr0kfLgbJz24l8ycPI4odp
|
||||
IGY+6igicg67n5BktAH+UfCQlUIpWbF2SwRAMht0AQKBgQD8gocy2VuCPj285hBY
|
||||
8g/1GFd58HkCh54bOhAOb2PK+NE4mRuHCBlBj/tQOmgYz2Pna2k5ldJSUwXsUKkx
|
||||
9R7hutnwXbcQTSQIRcjhYDLeGetJYXR96ylDig+6XjdW3A5SIc2JzlbVThP39TTm
|
||||
gRqE/rj9G4ARMfHxffp7YT5AqwKBgQDEuN0pYMKjaW0xvc7WYUOqGHqt2di/BwMr
|
||||
Ur438MtePArELY35P6kDcrfnlacDToA3Tebk9Rw18y1kl3BFO7VdJbQJSa6RWbp5
|
||||
aK7E5lq1pCrdyhGwiaI1f5VgzeY8ywS3TqGqU9GOqpENiZqgs1ly9l8gZSaw8/yF
|
||||
uDWGg7jiAQKBgQCyLtGEmkiuoYkjUR1cBoQoKeMgkwZxOI3jHJfT99ptkiLhU3lP
|
||||
UfGwiA+JT43BZCdVWEBKeGSP3zIgzdJ3BEekdhvwN9FEWYsBo2zbTOzYOWYExBZV
|
||||
/KmDlVr/4hge3O3mGyBVDBvOLWh94rRPq+6wxqZ3RP6cI6hdBs7IXZh2PQKBgQDB
|
||||
rav4kA4xKpvaDCC2yj3/Gmi1/zO5J2NEZQtoMgdXeM+0w5Dy4204Otq7A4jR5Ziw
|
||||
Wl9H7dZfe1Kmpb5gO1/dHEC7oDJhYjEIVTs0GgMWsFGP2OE/qNHtz/W2wCC8m7jB
|
||||
7IWYFzvLNTzoUiDNtKYNXGjdkRjdwOlOkcUI8Wi2AQKBgQC9EJsMz/ySt58IvwWy
|
||||
fQJyg742j21pXHqlMnmHygnSgNa7f3yPQK3FxjvhIPmgu7x8+sSUtXHOjKhZML3p
|
||||
SdTm/yN487hOYp03jy/wVXLcCDp9XhBeIt/z/TZMPMjAHOLG9xG6cF8AOVq7mLBc
|
||||
tsDWUHoXPZj/YciXZLq3fPuXyw==
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
{
|
||||
"module": "/usr/lib/softhsm/libsofthsm2.so",
|
||||
"tokenLabel": "intermediate signing key (rsa)",
|
||||
"pin": "1234"
|
||||
}
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEijCCA3KgAwIBAgICEk0wDQYJKoZIhvcNAQELBQAwKzEpMCcGA1UEAwwgY2Fj
|
||||
a2xpbmcgY3J5cHRvZ3JhcGhlciBmYWtlIFJPT1QwHhcNMTUxMDIxMjAxMTUyWhcN
|
||||
MjAxMDE5MjAxMTUyWjAfMR0wGwYDVQQDExRoYXBweSBoYWNrZXIgZmFrZSBDQTCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIKR3maBcUSsncXYzQT13D5
|
||||
Nr+Z3mLxMMh3TUdt6sACmqbJ0btRlgXfMtNLM2OU1I6a3Ju+tIZSdn2v21JBwvxU
|
||||
zpZQ4zy2cimIiMQDZCQHJwzC9GZn8HaW091iz9H0Go3A7WDXwYNmsdLNRi00o14U
|
||||
joaVqaPsYrZWvRKaIRqaU0hHmS0AWwQSvN/93iMIXuyiwywmkwKbWnnxCQ/gsctK
|
||||
FUtcNrwEx9Wgj6KlhwDTyI1QWSBbxVYNyUgPFzKxrSmwMO0yNff7ho+QT9x5+Y/7
|
||||
XE59S4Mc4ZXxcXKew/gSlN9U5mvT+D2BhDtkCupdfsZNCQWp27A+b/DmrFI9NqsC
|
||||
AwEAAaOCAcIwggG+MBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0eBDwwOqE4MAaC
|
||||
BC5taWwwCocIAAAAAAAAAAAwIocgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
AAAAAAAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAyBggrBgEFBQcw
|
||||
AYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5jb20wOwYIKwYB
|
||||
BQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMvZHN0cm9vdGNh
|
||||
eDMucDdjMB8GA1UdIwQYMBaAFOmkP+6epeby1dd5YDyTpi4kjpeqMFQGA1UdIARN
|
||||
MEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUHAgEWImh0dHA6
|
||||
Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUwMzAxoC+gLYYr
|
||||
aHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JMLmNybDAdBgNV
|
||||
HQ4EFgQU+3hPEvlgFYMsnxd/NBmzLjbqQYkwDQYJKoZIhvcNAQELBQADggEBAA0Y
|
||||
AeLXOklx4hhCikUUl+BdnFfn1g0W5AiQLVNIOL6PnqXu0wjnhNyhqdwnfhYMnoy4
|
||||
idRh4lB6pz8Gf9pnlLd/DnWSV3gS+/I/mAl1dCkKby6H2V790e6IHmIK2KYm3jm+
|
||||
U++FIdGpBdsQTSdmiX/rAyuxMDM0adMkNBwTfQmZQCz6nGHw1QcSPZMvZpsC8Skv
|
||||
ekzxsjF1otOrMUPNPQvtTWrVx8GlR2qfx/4xbQa1v2frNvFBCmO59goz+jnWvfTt
|
||||
j2NjwDZ7vlMBsPm16dbKYC840uvRoZjxqsdc3ChCZjqimFqlNG/xoPA8+dTicZzC
|
||||
XE9ijPIcvW6y1aa3bGw=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIERTCCAy2gAwIBAgICElowDQYJKoZIhvcNAQELBQAwKzEpMCcGA1UEAwwgY2Fj
|
||||
a2xpbmcgY3J5cHRvZ3JhcGhlciBmYWtlIFJPT1QwHhcNMTYwMzIyMDI0NzUyWhcN
|
||||
MjEwMzIxMDI0NzUyWjAfMR0wGwYDVQQDDBRoMnBweSBoMmNrZXIgZmFrZSBDQTCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIKR3maBcUSsncXYzQT13D5
|
||||
Nr+Z3mLxMMh3TUdt6sACmqbJ0btRlgXfMtNLM2OU1I6a3Ju+tIZSdn2v21JBwvxU
|
||||
zpZQ4zy2cimIiMQDZCQHJwzC9GZn8HaW091iz9H0Go3A7WDXwYNmsdLNRi00o14U
|
||||
joaVqaPsYrZWvRKaIRqaU0hHmS0AWwQSvN/93iMIXuyiwywmkwKbWnnxCQ/gsctK
|
||||
FUtcNrwEx9Wgj6KlhwDTyI1QWSBbxVYNyUgPFzKxrSmwMO0yNff7ho+QT9x5+Y/7
|
||||
XE59S4Mc4ZXxcXKew/gSlN9U5mvT+D2BhDtkCupdfsZNCQWp27A+b/DmrFI9NqsC
|
||||
AwEAAaOCAX0wggF5MBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGG
|
||||
MH8GCCsGAQUFBwEBBHMwcTAyBggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3Rp
|
||||
ZC5vY3NwLmlkZW50cnVzdC5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlk
|
||||
ZW50cnVzdC5jb20vcm9vdHMvZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFOmk
|
||||
P+6epeby1dd5YDyTpi4kjpeqMFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQB
|
||||
gt8TAQEBMDAwLgYIKwYBBQUHAgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5j
|
||||
cnlwdC5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3Qu
|
||||
Y29tL0RTVFJPT1RDQVgzQ1JMLmNybDAdBgNVHQ4EFgQU+3hPEvlgFYMsnxd/NBmz
|
||||
LjbqQYkwDQYJKoZIhvcNAQELBQADggEBAKvePfYXBaAcYca2e0WwkswwJ7lLU/i3
|
||||
GIFM8tErKThNf3gD3KdCtDZ45XomOsgdRv8oxYTvQpBGTclYRAqLsO9t/LgGxeSB
|
||||
jzwY7Ytdwwj8lviEGtiun06sJxRvvBU+l9uTs3DKBxWKZ/YRf4+6wq/vERrShpEC
|
||||
KuQ5+NgMcStQY7dywrsd6x1p3bkOvowbDlaRwru7QCIXTBSb8TepKqCqRzr6YREt
|
||||
doIw2FE8MKMCGR2p+U3slhxfLTh13MuqIOvTuA145S/qf6xCkRc9I92GpjoQk87Z
|
||||
v1uhpkgT9uwbRw0Cs5DMdxT/LgIUSfUTKU83GNrbrQNYinkJ77i6wG0=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
{
|
||||
"module": "/usr/lib/softhsm/libsofthsm2.so",
|
||||
"tokenLabel": "root signing key (rsa)",
|
||||
"pin": "1234",
|
||||
"privateKeyLabel": "root signing key (rsa)"
|
||||
}
|
||||
|
|
@ -1351,7 +1351,7 @@ def test_blocked_key_account():
|
|||
if not CONFIG_NEXT:
|
||||
return
|
||||
|
||||
with open("test/test-ca.key", "rb") as key_file:
|
||||
with open("test/hierarchy/int-r4.key.pem", "rb") as key_file:
|
||||
key = serialization.load_pem_private_key(key_file.read(), password=None, backend=default_backend())
|
||||
|
||||
# Create a client with the JWK set to a blocked private key
|
||||
|
|
@ -1379,7 +1379,7 @@ def test_blocked_key_cert():
|
|||
if not CONFIG_NEXT:
|
||||
return
|
||||
|
||||
with open("test/test-ca.key", "r") as f:
|
||||
with open("test/hierarchy/int-r4.key.pem", "r") as f:
|
||||
pemBytes = f.read()
|
||||
|
||||
domains = [random_domain(), random_domain()]
|
||||
|
|
|
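Review bot: The path `"test/hierarchy/int-r4.key.pem"` is now spelled out in both `test_blocked_key_account` and `test_blocked_key_cert` (the two hunks) and must also agree with the hash entry in the blocked-keys YAML; a module-level constant, e.g. `BLOCKED_KEY_PATH = "test/hierarchy/int-r4.key.pem"`, used in both `open` calls would keep the two tests from drifting apart when the hierarchy is regenerated. The two reads also differ in mode, `"rb"` feeding `load_pem_private_key` and `"r"` feeding a variable named `pemBytes`; the second is an unchanged context line, but if it is touched anyway, reading it as bytes would match the name. Both test functions start and end outside the hunks.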
|||