From ba0ea090b29acfffedfc5cb401a7944e85b19b63 Mon Sep 17 00:00:00 2001
From: Jacob Hoffman-Andrews
Date: Wed, 20 Oct 2021 17:06:33 -0700
Subject: [PATCH] integration: save hierarchy across runs (#5729)

This allows repeated runs using the same hiearchy, and avoids spurious errors from ocsp-updater saying "This CA doesn't have an issuer cert with ID XXX"

Fixes #5721
---
 .gitignore | 2 ++
 docker-compose.yml | 2 ++
 test/cert-ceremonies/generate.go | 10 ++++-----
 .../intermediate-ceremony-ecdsa.yaml | 4 ++--
 .../intermediate-ceremony-rsa.yaml | 4 ++--
 .../intermediate-key-ceremony-ecdsa.yaml | 2 +-
 .../intermediate-key-ceremony-rsa.yaml | 2 +-
 .../intermediate-ocsp-rsa.yaml | 6 ++---
 test/cert-ceremonies/root-ceremony-ecdsa.yaml | 4 ++--
 test/cert-ceremonies/root-ceremony-rsa.yaml | 4 ++--
 test/config-next/ca-a.json | 4 ++--
 test/config-next/ca-b.json | 4 ++--
 test/config-next/ocsp-responder.json | 6 ++---
 test/config-next/orphan-finder.json | 6 ++---
 test/config-next/publisher.json | 16 +++++++-------
 test/config-next/ra.json | 6 ++---
 test/config-next/wfe.json | 2 +-
 test/config-next/wfe2.json | 16 +++++++-------
 test/config/ca-a.json | 4 ++--
 test/config/ca-b.json | 4 ++--
 test/config/ocsp-responder.json | 6 ++---
 test/config/orphan-finder.json | 6 ++---
 test/config/publisher.json | 16 +++++++-------
 test/config/ra.json | 2 +-
 test/config/wfe.json | 2 +-
 test/config/wfe2.json | 8 +++---
 test/helpers.py | 2 +-
 test/integration-test.py | 2 +-
 test/integration/orphan_finder_test.go | 4 ++--
 test/issuer-ocsp-responder.json | 4 ++--
 test/v1_integration.py | 10 ++++-----
 test/v2_integration.py | 22 +++++++++----------
 32 files changed, 98 insertions(+), 94 deletions(-)
diff --git a/.gitignore b/.gitignore
index b2d61ffe4..c1e121cf3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,5 @@ tags
 .idea
 .vscode/*
+.hierarchy/
+.softhsm-tokens/
diff --git a/docker-compose.yml b/docker-compose.yml
index d34db315b..495ce108f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,6 +9,8 @@ services:
 volumes:
 - .:/go/src/github.com/letsencrypt/boulder:cached
 - ./.gocache:/root/.cache/go-build:cached
+ - ./.hierarchy:/hierarchy/:cached
+ - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
 networks:
 bluenet:
 ipv4_address: 10.77.77.77
diff --git a/test/cert-ceremonies/generate.go b/test/cert-ceremonies/generate.go
index 633c882f0..13dee7734 100644
--- a/test/cert-ceremonies/generate.go
+++ b/test/cert-ceremonies/generate.go
@@ -76,7 +76,7 @@ func genCert(path string) error {
 func main() {
 // If one of the output files already exists, assume this ran once
 // already for the container and don't re-run.
- outputFile := "/tmp/root-signing-pub-rsa.pem"
+ outputFile := "/hierarchy/root-signing-pub-rsa.pem"
 if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() {
 fmt.Println("skipping certificate generation: already exists")
 return
@@ -113,13 +113,13 @@ func main() {
 // signing key slots and IDs
 rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 "SlotID": rsaRootKeySlot,
- "CertPath": "/tmp/intermediate-cert-rsa-a.pem",
+ "CertPath": "/hierarchy/intermediate-cert-rsa-a.pem",
 "CommonName": "CA intermediate (RSA) A",
 })
 cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 "SlotID": ecdsaRootKeySlot,
- "CertPath": "/tmp/intermediate-cert-ecdsa-a.pem",
+ "CertPath": "/hierarchy/intermediate-cert-ecdsa-a.pem",
 "CommonName": "CA intermediate (ECDSA) A",
 })
 cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
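Review bot: The skip check at `outputFile := "/hierarchy/root-signing-pub-rsa.pem"` stats the first artifact the ceremonies produce, and now that `/hierarchy` is a bind mount that outlives the container, a run that dies after the root key ceremony but before the intermediates and the OCSP response are written would leave a partial hierarchy that every later run treats as complete — the same missing-issuer symptom this commit sets out to fix. The check also cannot detect that `.hierarchy/` and `.softhsm-tokens/` are persisted independently: clearing one host directory but not the other leaves certificates whose keys are no longer in the token (or the reverse), and generation is still skipped. Consider stat'ing the last file the ceremony writes instead (presumably `/hierarchy/intermediate-ocsp-rsa.b64`, judging by the ceremony configs in this patch), or writing an explicit done-marker at the end of `main`, and checking that the token directory is non-empty as well. The comment `// already for the container and don't re-run.` is also stale now; suggest `// already (the hierarchy and softhsm tokens are persisted on the host via docker-compose) and don't re-run.`. `main` continues outside this hunk.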
@@ -134,13 +134,13 @@ func main() {
 // signing key slots and IDs
 rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
 "SlotID": rsaRootKeySlot,
- "CertPath": "/tmp/intermediate-cert-rsa-b.pem",
+ "CertPath": "/hierarchy/intermediate-cert-rsa-b.pem",
 "CommonName": "CA intermediate (RSA) B",
 })
 cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
 ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
 "SlotID": ecdsaRootKeySlot,
- "CertPath": "/tmp/intermediate-cert-ecdsa-b.pem",
+ "CertPath": "/hierarchy/intermediate-cert-ecdsa-b.pem",
 "CommonName": "CA intermediate (ECDSA) B",
 })
 cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
diff --git a/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
index a09021aae..b1b503800 100644
--- a/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
+++ b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
@@ -5,8 +5,8 @@ pkcs11:
 signing-key-slot: {{ .SlotID}}
 signing-key-label: root signing key (ecdsa)
 inputs:
- public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
- issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+ public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
+ issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
 outputs:
 certificate-path: {{ .CertPath }}
 certificate-profile:
diff --git a/test/cert-ceremonies/intermediate-ceremony-rsa.yaml b/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
index c927b74b3..ae22af6de 100644
--- a/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
+++ b/test/cert-ceremonies/intermediate-ceremony-rsa.yaml
@@ -5,8 +5,8 @@ pkcs11:
 signing-key-slot: {{ .SlotID}}
 signing-key-label: root signing key (rsa)
 inputs:
- public-key-path: /tmp/intermediate-signing-pub-rsa.pem
- issuer-certificate-path: /tmp/root-cert-rsa.pem
+ public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
+ issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
 certificate-path: {{ .CertPath }}
 certificate-profile:
diff --git a/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
index ebfbc5393..240124c8c 100644
--- a/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
+++ b/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
@@ -8,4 +8,4 @@ key:
 type: ecdsa
 ecdsa-curve: P-384
 outputs:
- public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+ public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
diff --git a/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml b/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml
index 19308b416..7de2499fc 100644
--- a/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml
+++ b/test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml
@@ -8,4 +8,4 @@ key:
 type: rsa
 rsa-mod-length: 2048
 outputs:
- public-key-path: /tmp/intermediate-signing-pub-rsa.pem
+ public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
diff --git a/test/cert-ceremonies/intermediate-ocsp-rsa.yaml b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
index 677756123..df85daa4a 100644
--- a/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
+++ b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
@@ -5,10 +5,10 @@ pkcs11:
 signing-key-slot: {{ .SlotID}}
 signing-key-label: root signing key (rsa)
 inputs:
- certificate-path: /tmp/intermediate-cert-rsa-a.pem
- issuer-certificate-path: /tmp/root-cert-rsa.pem
+ certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
+ issuer-certificate-path: /hierarchy/root-cert-rsa.pem
 outputs:
- response-path: /tmp/intermediate-ocsp-rsa.b64
+ response-path: /hierarchy/intermediate-ocsp-rsa.b64
 ocsp-profile:
 this-update: 2020-01-01 12:00:00
 next-update: 2039-01-01 12:00:00
diff --git a/test/cert-ceremonies/root-ceremony-ecdsa.yaml b/test/cert-ceremonies/root-ceremony-ecdsa.yaml
index 61dd19d68..72aef19fe 100644
--- a/test/cert-ceremonies/root-ceremony-ecdsa.yaml
+++ b/test/cert-ceremonies/root-ceremony-ecdsa.yaml
@@ -8,8 +8,8 @@ key:
 type: ecdsa
 ecdsa-curve: P-384
 outputs:
- public-key-path: /tmp/root-signing-pub-ecdsa.pem
- certificate-path: /tmp/root-cert-ecdsa.pem
+ public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
+ certificate-path: /hierarchy/root-cert-ecdsa.pem
 certificate-profile:
 signature-algorithm: ECDSAWithSHA384
 common-name: CA root (ECDSA)
diff --git a/test/cert-ceremonies/root-ceremony-rsa.yaml b/test/cert-ceremonies/root-ceremony-rsa.yaml
index 3e98a5797..88dfedeb6 100644
--- a/test/cert-ceremonies/root-ceremony-rsa.yaml
+++ b/test/cert-ceremonies/root-ceremony-rsa.yaml
@@ -8,8 +8,8 @@ key:
 type: rsa
 rsa-mod-length: 4096
 outputs:
- public-key-path: /tmp/root-signing-pub-rsa.pem
- certificate-path: /tmp/root-cert-rsa.pem
+ public-key-path: /hierarchy/root-signing-pub-rsa.pem
+ certificate-path: /hierarchy/root-cert-rsa.pem
 certificate-profile:
 signature-algorithm: SHA256WithRSA
 common-name: CA root (RSA)
diff --git a/test/config-next/ca-a.json b/test/config-next/ca-a.json
index 04b4f6565..edcdceb5f 100644
--- a/test/config-next/ca-a.json
+++ b/test/config-next/ca-a.json
@@ -60,7 +60,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 "numSessions": 2
 }
 },
@@ -72,7 +72,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
 "numSessions": 2
 }
 }
diff --git a/test/config-next/ca-b.json b/test/config-next/ca-b.json
index ae81a75f9..cc61500f7 100644
--- a/test/config-next/ca-b.json
+++ b/test/config-next/ca-b.json
@@ -60,7 +60,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 "numSessions": 2
 }
 },
@@ -72,7 +72,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
 "numSessions": 2
 }
 }
diff --git a/test/config-next/ocsp-responder.json b/test/config-next/ocsp-responder.json
index de015d723..79594bd6c 100644
--- a/test/config-next/ocsp-responder.json
+++ b/test/config-next/ocsp-responder.json
@@ -7,9 +7,9 @@
 "path": "/",
 "listenAddress": "0.0.0.0:4002",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/intermediate-cert-ecdsa-a.pem"
 ],
 "maxAge": "10s",
 "timeout": "4.9s",
diff --git a/test/config-next/orphan-finder.json b/test/config-next/orphan-finder.json
index 55488e137..bc7527139 100644
--- a/test/config-next/orphan-finder.json
+++ b/test/config-next/orphan-finder.json
@@ -1,9 +1,9 @@
 {
 "backdate": "1h",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/intermediate-cert-ecdsa-a.pem"
 ],
 "syslog": {
diff --git a/test/config-next/publisher.json b/test/config-next/publisher.json
index f926a021b..a266141f1 100644
--- a/test/config-next/publisher.json
+++ b/test/config-next/publisher.json
@@ -4,20 +4,20 @@
 "blockProfileRate": 1000000000,
 "chains": [
 [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-a.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-a.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-b.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-b.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ]
 ],
 "debugAddr": ":8009",
diff --git a/test/config-next/ra.json b/test/config-next/ra.json
index 865751d4a..470003643 100644
--- a/test/config-next/ra.json
+++ b/test/config-next/ra.json
@@ -12,9 +12,9 @@
 "blockedKeyFile": "test/example-blocked-keys.yaml",
 "orderLifetime": "168h",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/intermediate-cert-ecdsa-a.pem"
 ],
 "tls": {
 "caCertFile": "test/grpc-creds/minica.pem",
diff --git a/test/config-next/wfe.json b/test/config-next/wfe.json
index 169e9966f..76e3f52b3 100644
--- a/test/config-next/wfe.json
+++ b/test/config-next/wfe.json
@@ -52,6 +52,6 @@
 },
 "common": {
- "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+ "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
 }
 }
diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json
index 81e320bc7..256555dec 100644
--- a/test/config-next/wfe2.json
+++ b/test/config-next/wfe2.json
@@ -41,20 +41,20 @@
 },
 "chains": [
 [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-a.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-a.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-b.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-b.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ]
 ],
 "staleTimeout": "5m",
diff --git a/test/config/ca-a.json b/test/config/ca-a.json
index 509f4cb2f..0be07e4d4 100644
--- a/test/config/ca-a.json
+++ b/test/config/ca-a.json
@@ -60,7 +60,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 "numSessions": 2
 }
 },
@@ -72,7 +72,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
 "numSessions": 2
 }
 }
diff --git a/test/config/ca-b.json b/test/config/ca-b.json
index 9475e0bff..baf548358 100644
--- a/test/config/ca-b.json
+++ b/test/config/ca-b.json
@@ -60,7 +60,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-a.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 "numSessions": 2
 }
 },
@@ -72,7 +72,7 @@
 "crlURL": "http://example.com/crl",
 "location": {
 "configFile": "test/test-ca.key-pkcs11.json",
- "certFile": "/tmp/intermediate-cert-rsa-b.pem",
+ "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
 "numSessions": 2
 }
 }
diff --git a/test/config/ocsp-responder.json b/test/config/ocsp-responder.json
index 89f29bd48..ed874d3d8 100644
--- a/test/config/ocsp-responder.json
+++ b/test/config/ocsp-responder.json
@@ -7,9 +7,9 @@
 "path": "/",
 "listenAddress": "0.0.0.0:4002",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/intermediate-cert-ecdsa-a.pem"
 ],
 "maxAge": "10s",
 "timeout": "4.9s",
diff --git a/test/config/orphan-finder.json b/test/config/orphan-finder.json
index 8be3606ea..9ed902766 100644
--- a/test/config/orphan-finder.json
+++ b/test/config/orphan-finder.json
@@ -1,9 +1,9 @@
 {
 "backdate": "1h",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/intermediate-cert-ecdsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/intermediate-cert-ecdsa-a.pem"
 ],
diff --git a/test/config/publisher.json b/test/config/publisher.json
index 7472c4053..6e0337cd1 100644
--- a/test/config/publisher.json
+++ b/test/config/publisher.json
@@ -4,20 +4,20 @@
 "blockProfileRate": 1000000000,
 "chains": [
 [
- "/tmp/intermediate-cert-rsa-a.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-rsa-b.pem",
- "/tmp/root-cert-rsa.pem"
+ "/hierarchy/intermediate-cert-rsa-b.pem",
+ "/hierarchy/root-cert-rsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-a.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-a.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ],
 [
- "/tmp/intermediate-cert-ecdsa-b.pem",
- "/tmp/root-cert-ecdsa.pem"
+ "/hierarchy/intermediate-cert-ecdsa-b.pem",
+ "/hierarchy/root-cert-ecdsa.pem"
 ]
 ],
 "debugAddr": ":8009",
diff --git a/test/config/ra.json b/test/config/ra.json
index 64ce5ff24..420e20a1d 100644
--- a/test/config/ra.json
+++ b/test/config/ra.json
@@ -11,7 +11,7 @@
 "weakKeyFile": "test/example-weak-keys.json",
 "blockedKeyFile": "test/example-blocked-keys.yaml",
 "orderLifetime": "168h",
- "issuerCertPath": "/tmp/intermediate-cert-rsa-a.pem",
+ "issuerCertPath": "/hierarchy/intermediate-cert-rsa-a.pem",
 "tls": {
 "caCertFile": "test/grpc-creds/minica.pem",
 "certFile": "test/grpc-creds/ra.boulder/cert.pem",
diff --git a/test/config/wfe.json b/test/config/wfe.json
index ee3a64ddb..7e4d53da6 100644
--- a/test/config/wfe.json
+++ b/test/config/wfe.json
@@ -53,6 +53,6 @@
 },
 "common": {
- "issuerCert": "/tmp/intermediate-cert-rsa-a.pem"
+ "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
 }
 }
diff --git a/test/config/wfe2.json b/test/config/wfe2.json
index be95eb5ea..70d47719d 100644
--- a/test/config/wfe2.json
+++ b/test/config/wfe2.json
@@ -40,12 +40,12 @@
 }
 },
 "certificateChains": {
- "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
- "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+ "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+ "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
 },
 "alternateCertificateChains": {
- "http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ],
- "http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ]
+ "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
+ "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
 },
 "staleTimeout": "5m",
 "authorizationLifetimeDays": 30,
diff --git a/test/helpers.py b/test/helpers.py
index 7b6044f1d..4144c32e4 100644
--- a/test/helpers.py
+++ b/test/helpers.py
@@ -86,7 +86,7 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
 '-issuer', issuer_file,
 '-cert', cert_file,
 '-verify_other', issuer_file,
- '-CAfile', '/tmp/root-cert-rsa.pem',
+ '-CAfile', '/hierarchy/root-cert-rsa.pem',
 '-respin', f.name], stderr=subprocess.STDOUT).decode()
 # OpenSSL doesn't always return non-zero when response verify fails, so we
 # also look for the string "Response Verify Failure"
diff --git a/test/integration-test.py b/test/integration-test.py
index 2a62e31bf..46316957d 100644
--- a/test/integration-test.py
+++ b/test/integration-test.py
@@ -62,7 +62,7 @@ def test_single_ocsp():
 # Verify that the static OCSP responder, which answers with a
 # pre-signed, long-lived response for the CA cert, works.
- verify_ocsp("/tmp/intermediate-cert-rsa-a.pem", "/tmp/root-cert-rsa.pem", "http://localhost:4003", "good")
+ verify_ocsp("/hierarchy/intermediate-cert-rsa-a.pem", "/hierarchy/root-cert-rsa.pem", "http://localhost:4003", "good")
 p.send_signal(signal.SIGTERM)
 p.wait()
diff --git a/test/integration/orphan_finder_test.go b/test/integration/orphan_finder_test.go
index ea923a9b6..13ca16eb5 100644
--- a/test/integration/orphan_finder_test.go
+++ b/test/integration/orphan_finder_test.go
@@ -75,7 +75,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
 if err != nil {
 return nil, err
 }
- pubKeyBytes, err := ioutil.ReadFile("/tmp/intermediate-signing-pub-rsa.pem")
+ pubKeyBytes, err := ioutil.ReadFile("/hierarchy/intermediate-signing-pub-rsa.pem")
 if err != nil {
 return nil, err
 }
@@ -100,7 +100,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
 if err != nil {
 return nil, err
 }
- issuer, err := issuance.LoadCertificate("/tmp/intermediate-cert-rsa-a.pem")
+ issuer, err := issuance.LoadCertificate("/hierarchy/intermediate-cert-rsa-a.pem")
 if err != nil {
 return nil, err
 }
diff --git a/test/issuer-ocsp-responder.json b/test/issuer-ocsp-responder.json
index e9690bebe..a4dbe3b7c 100644
--- a/test/issuer-ocsp-responder.json
+++ b/test/issuer-ocsp-responder.json
@@ -1,10 +1,10 @@
 {
 "ocspResponder": {
- "source": "file:///tmp/intermediate-ocsp-rsa.b64",
+ "source": "file:///hierarchy/intermediate-ocsp-rsa.b64",
 "path": "/",
 "listenAddress": "0.0.0.0:4003",
 "issuerCerts": [
- "/tmp/intermediate-cert-rsa-a.pem"
+ "/hierarchy/intermediate-cert-rsa-a.pem"
 ],
 "maxAge": "10s",
 "timeout": "4.9s",
diff --git a/test/v1_integration.py b/test/v1_integration.py
index 74f566bbe..1cc97d8e6 100644
--- a/test/v1_integration.py
+++ b/test/v1_integration.py
@@ -345,7 +345,7 @@ def test_issuer():
 parsed_chain = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, chain)
 parsed_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)
 parsed_root = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
- open("/tmp/root-cert-rsa.pem").read())
+ open("/hierarchy/root-cert-rsa.pem").read())
 store = OpenSSL.crypto.X509Store()
 store.add_cert(parsed_root)
@@ -365,7 +365,7 @@ def test_ocsp():
 # As OCSP-Updater is generating responses independently of the CA we sit in a loop
 # checking OCSP until we either see a good response or we timeout (5s).
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
 def test_ct_submission():
 hostname = random_domain()
@@ -418,7 +418,7 @@ def test_revoke_by_account():
 reset_akamai_purges()
 client.revoke(cert.body, 0)
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
@@ -580,7 +580,7 @@ def test_admin_revoker_cert():
 serial, '1'])
 # Wait for OCSP response to indicate revocation took place
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_admin_revoker_batched():
@@ -601,7 +601,7 @@ def test_admin_revoker_batched():
 serialFile.name, '0', '2'])
 for cert_file in cert_files:
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 def test_sct_embedding():
 certr, authzs = auth_and_issue([random_domain()])
diff --git a/test/v2_integration.py b/test/v2_integration.py
index de1a5c096..f513fe9ba 100644
--- a/test/v2_integration.py
+++ b/test/v2_integration.py
@@ -683,7 +683,7 @@ def test_revoke_by_account():
 reset_akamai_purges()
 client.revoke(josepy.ComparableX509(cert), 0)
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_revoke_by_issuer():
@@ -695,7 +695,7 @@ def test_revoke_by_issuer():
 reset_akamai_purges()
 client.revoke(josepy.ComparableX509(cert), 0)
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_revoke_by_authz():
@@ -711,7 +711,7 @@ def test_revoke_by_authz():
 reset_akamai_purges()
 client.revoke(josepy.ComparableX509(cert), 0)
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_revoke_by_privkey():
@@ -745,7 +745,7 @@ def test_revoke_by_privkey():
 cert_file.write(OpenSSL.crypto.dump_certificate(
 OpenSSL.crypto.FILETYPE_PEM, cert).decode())
 cert_file.close()
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_sct_embedding():
@@ -1159,7 +1159,7 @@ def test_ocsp():
 # As OCSP-Updater is generating responses independently of the CA we sit in a loop
 # checking OCSP until we either see a good response or we timeout (5s).
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
 def test_ct_submission():
 hostname = random_domain()
@@ -1215,7 +1215,7 @@ def ocsp_exp_unauth_setup():
 # Since our servers are pretending to be in the past, but the openssl cli
 # isn't, we'll get an expired OCSP response. Just check that it exists;
 # don't do the full verification (which would fail).
- check_ocsp_basic_oid(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+ check_ocsp_basic_oid(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
 global ocsp_exp_unauth_setup_data
 ocsp_exp_unauth_setup_data['cert_file'] = cert_file.name
@@ -1226,7 +1226,7 @@ def test_ocsp_exp_unauth():
 cert_file = ocsp_exp_unauth_setup_data['cert_file']
 while tries < 5:
 try:
- verify_ocsp(cert_file, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX")
+ verify_ocsp(cert_file, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX")
 raise(Exception("Unexpected return from verify_ocsp"))
 except subprocess.CalledProcessError as cpe:
 if cpe.output == b"Responder Error: unauthorized (6)\n":
@@ -1476,7 +1476,7 @@ def test_admin_revoker_cert():
 '%x' % parsed_cert.serial_number, '1'])
 # Wait for OCSP response to indicate revocation took place
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 verify_akamai_purge()
 def test_admin_revoker_batched():
@@ -1497,7 +1497,7 @@ def test_admin_revoker_batched():
 serialFile.name, '0', '2'])
 for cert_file in cert_files:
- verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
+ verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
 def test_sct_embedding():
 order = chisel2.auth_and_issue([random_domain()])
@@ -1569,7 +1569,7 @@ def ocsp_resigning_setup():
 client.revoke(josepy.ComparableX509(cert), 3)
 ocsp_response, reason = get_ocsp_response_and_reason(
- cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+ cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
 global ocsp_resigning_setup_data
 ocsp_resigning_setup_data = {
 'cert_file': cert_file.name,
@@ -1585,7 +1585,7 @@ def test_ocsp_resigning():
 tries = 0
 while tries < 5:
 resp, reason = get_ocsp_response_and_reason(
- ocsp_resigning_setup_data['cert_file'], "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002")
+ ocsp_resigning_setup_data['cert_file'], "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
 if resp != ocsp_resigning_setup_data['response']:
 break
 tries += 1