letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

integration: save hierarchy across runs (#5729) 

This allows repeated runs using the same hiearchy, and avoids spurious
errors from ocsp-updater saying "This CA doesn't have an issuer cert
with ID XXX"

Fixes #5721
This commit is contained in:
Jacob Hoffman-Andrews 2021-10-20 17:06:33 -07:00 committed by GitHub
parent 23dd1e21f9
commit ba0ea090b2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 98 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -37,3 +37,5 @@ tags
.idea .idea
.vscode/* .vscode/*
.hierarchy/
.softhsm-tokens/

2
docker-compose.yml
View File

@ -9,6 +9,8 @@ services:
volumes: volumes:
- .:/go/src/github.com/letsencrypt/boulder:cached - .:/go/src/github.com/letsencrypt/boulder:cached
- ./.gocache:/root/.cache/go-build:cached - ./.gocache:/root/.cache/go-build:cached
- ./.hierarchy:/hierarchy/:cached
- ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached
networks: networks:
bluenet: bluenet:
ipv4_address: 10.77.77.77 ipv4_address: 10.77.77.77

10
test/cert-ceremonies/generate.go
View File

@ -76,7 +76,7 @@ func genCert(path string) error {
func main() { func main() {
// If one of the output files already exists, assume this ran once // If one of the output files already exists, assume this ran once
// already for the container and don't re-run. // already for the container and don't re-run.
outputFile := "/tmp/root-signing-pub-rsa.pem" outputFile := "/hierarchy/root-signing-pub-rsa.pem"
if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() { if loc, err := os.Stat(outputFile); err == nil && loc.Mode().IsRegular() {
fmt.Println("skipping certificate generation: already exists") fmt.Println("skipping certificate generation: already exists")
return return
@ -113,13 +113,13 @@ func main() {
// signing key slots and IDs // signing key slots and IDs
rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{ rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
"SlotID": rsaRootKeySlot, "SlotID": rsaRootKeySlot,
"CertPath": "/tmp/intermediate-cert-rsa-a.pem", "CertPath": "/hierarchy/intermediate-cert-rsa-a.pem",
"CommonName": "CA intermediate (RSA) A", "CommonName": "CA intermediate (RSA) A",
}) })
cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID") cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{ ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
"SlotID": ecdsaRootKeySlot, "SlotID": ecdsaRootKeySlot,
"CertPath": "/tmp/intermediate-cert-ecdsa-a.pem", "CertPath": "/hierarchy/intermediate-cert-ecdsa-a.pem",
"CommonName": "CA intermediate (ECDSA) A", "CommonName": "CA intermediate (ECDSA) A",
}) })
cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID") cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
@ -134,13 +134,13 @@ func main() {
// signing key slots and IDs // signing key slots and IDs
rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{ rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
"SlotID": rsaRootKeySlot, "SlotID": rsaRootKeySlot,
"CertPath": "/tmp/intermediate-cert-rsa-b.pem", "CertPath": "/hierarchy/intermediate-cert-rsa-b.pem",
"CommonName": "CA intermediate (RSA) B", "CommonName": "CA intermediate (RSA) B",
}) })
cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID") cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{ ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
"SlotID": ecdsaRootKeySlot, "SlotID": ecdsaRootKeySlot,
"CertPath": "/tmp/intermediate-cert-ecdsa-b.pem", "CertPath": "/hierarchy/intermediate-cert-ecdsa-b.pem",
"CommonName": "CA intermediate (ECDSA) B", "CommonName": "CA intermediate (ECDSA) B",
}) })
cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID") cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")

4
test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
View File

@ -5,8 +5,8 @@ pkcs11:
signing-key-slot: {{ .SlotID}} signing-key-slot: {{ .SlotID}}
signing-key-label: root signing key (ecdsa) signing-key-label: root signing key (ecdsa)
inputs: inputs:
public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem
issuer-certificate-path: /tmp/root-cert-ecdsa.pem issuer-certificate-path: /hierarchy/root-cert-ecdsa.pem
outputs: outputs:
certificate-path: {{ .CertPath }} certificate-path: {{ .CertPath }}
certificate-profile: certificate-profile:

4
test/cert-ceremonies/intermediate-ceremony-rsa.yaml
View File

@ -5,8 +5,8 @@ pkcs11:
signing-key-slot: {{ .SlotID}} signing-key-slot: {{ .SlotID}}
signing-key-label: root signing key (rsa) signing-key-label: root signing key (rsa)
inputs: inputs:
public-key-path: /tmp/intermediate-signing-pub-rsa.pem public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem
issuer-certificate-path: /tmp/root-cert-rsa.pem issuer-certificate-path: /hierarchy/root-cert-rsa.pem
outputs: outputs:
certificate-path: {{ .CertPath }} certificate-path: {{ .CertPath }}
certificate-profile: certificate-profile:

2
test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
View File

@ -8,4 +8,4 @@ key:
type: ecdsa type: ecdsa
ecdsa-curve: P-384 ecdsa-curve: P-384
outputs: outputs:
public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem public-key-path: /hierarchy/intermediate-signing-pub-ecdsa.pem

2
test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml
View File

@ -8,4 +8,4 @@ key:
type: rsa type: rsa
rsa-mod-length: 2048 rsa-mod-length: 2048
outputs: outputs:
public-key-path: /tmp/intermediate-signing-pub-rsa.pem public-key-path: /hierarchy/intermediate-signing-pub-rsa.pem

6
test/cert-ceremonies/intermediate-ocsp-rsa.yaml
View File

@ -5,10 +5,10 @@ pkcs11:
signing-key-slot: {{ .SlotID}} signing-key-slot: {{ .SlotID}}
signing-key-label: root signing key (rsa) signing-key-label: root signing key (rsa)
inputs: inputs:
certificate-path: /tmp/intermediate-cert-rsa-a.pem certificate-path: /hierarchy/intermediate-cert-rsa-a.pem
issuer-certificate-path: /tmp/root-cert-rsa.pem issuer-certificate-path: /hierarchy/root-cert-rsa.pem
outputs: outputs:
response-path: /tmp/intermediate-ocsp-rsa.b64 response-path: /hierarchy/intermediate-ocsp-rsa.b64
ocsp-profile: ocsp-profile:
this-update: 2020-01-01 12:00:00 this-update: 2020-01-01 12:00:00
next-update: 2039-01-01 12:00:00 next-update: 2039-01-01 12:00:00

4
test/cert-ceremonies/root-ceremony-ecdsa.yaml
View File

@ -8,8 +8,8 @@ key:
type: ecdsa type: ecdsa
ecdsa-curve: P-384 ecdsa-curve: P-384
outputs: outputs:
public-key-path: /tmp/root-signing-pub-ecdsa.pem public-key-path: /hierarchy/root-signing-pub-ecdsa.pem
certificate-path: /tmp/root-cert-ecdsa.pem certificate-path: /hierarchy/root-cert-ecdsa.pem
certificate-profile: certificate-profile:
signature-algorithm: ECDSAWithSHA384 signature-algorithm: ECDSAWithSHA384
common-name: CA root (ECDSA) common-name: CA root (ECDSA)

4
test/cert-ceremonies/root-ceremony-rsa.yaml
View File

@ -8,8 +8,8 @@ key:
type: rsa type: rsa
rsa-mod-length: 4096 rsa-mod-length: 4096
outputs: outputs:
public-key-path: /tmp/root-signing-pub-rsa.pem public-key-path: /hierarchy/root-signing-pub-rsa.pem
certificate-path: /tmp/root-cert-rsa.pem certificate-path: /hierarchy/root-cert-rsa.pem
certificate-profile: certificate-profile:
signature-algorithm: SHA256WithRSA signature-algorithm: SHA256WithRSA
common-name: CA root (RSA) common-name: CA root (RSA)

4
test/config-next/ca-a.json
View File

@ -60,7 +60,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem", "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
"numSessions": 2 "numSessions": 2
} }
}, },
@ -72,7 +72,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem", "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
"numSessions": 2 "numSessions": 2
} }
} }

4
test/config-next/ca-b.json
View File

@ -60,7 +60,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem", "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
"numSessions": 2 "numSessions": 2
} }
}, },
@ -72,7 +72,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem", "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
"numSessions": 2 "numSessions": 2
} }
} }

6
test/config-next/ocsp-responder.json
View File

@ -7,9 +7,9 @@
"path": "/", "path": "/",
"listenAddress": "0.0.0.0:4002", "listenAddress": "0.0.0.0:4002",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/intermediate-cert-ecdsa-a.pem" "/hierarchy/intermediate-cert-ecdsa-a.pem"
], ],
"maxAge": "10s", "maxAge": "10s",
"timeout": "4.9s", "timeout": "4.9s",

6
test/config-next/orphan-finder.json
View File

@ -1,9 +1,9 @@
{ {
"backdate": "1h", "backdate": "1h",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/intermediate-cert-ecdsa-a.pem" "/hierarchy/intermediate-cert-ecdsa-a.pem"
], ],
"syslog": { "syslog": {

16
test/config-next/publisher.json
View File

@ -4,20 +4,20 @@
"blockProfileRate": 1000000000, "blockProfileRate": 1000000000,
"chains": [ "chains": [
[ [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-a.pem", "/hierarchy/intermediate-cert-ecdsa-a.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-b.pem", "/hierarchy/intermediate-cert-ecdsa-b.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
] ]
], ],
"debugAddr": ":8009", "debugAddr": ":8009",

6
test/config-next/ra.json
View File

@ -12,9 +12,9 @@
"blockedKeyFile": "test/example-blocked-keys.yaml", "blockedKeyFile": "test/example-blocked-keys.yaml",
"orderLifetime": "168h", "orderLifetime": "168h",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/intermediate-cert-ecdsa-a.pem" "/hierarchy/intermediate-cert-ecdsa-a.pem"
], ],
"tls": { "tls": {
"caCertFile": "test/grpc-creds/minica.pem", "caCertFile": "test/grpc-creds/minica.pem",

2
test/config-next/wfe.json
View File

@ -52,6 +52,6 @@
}, },
"common": { "common": {
"issuerCert": "/tmp/intermediate-cert-rsa-a.pem" "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
} }
} }

16
test/config-next/wfe2.json
View File

@ -41,20 +41,20 @@
}, },
"chains": [ "chains": [
[ [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-a.pem", "/hierarchy/intermediate-cert-ecdsa-a.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-b.pem", "/hierarchy/intermediate-cert-ecdsa-b.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
] ]
], ],
"staleTimeout": "5m", "staleTimeout": "5m",

4
test/config/ca-a.json
View File

@ -60,7 +60,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem", "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
"numSessions": 2 "numSessions": 2
} }
}, },
@ -72,7 +72,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem", "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
"numSessions": 2 "numSessions": 2
} }
} }

4
test/config/ca-b.json
View File

@ -60,7 +60,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-a.pem", "certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
"numSessions": 2 "numSessions": 2
} }
}, },
@ -72,7 +72,7 @@
"crlURL": "http://example.com/crl", "crlURL": "http://example.com/crl",
"location": { "location": {
"configFile": "test/test-ca.key-pkcs11.json", "configFile": "test/test-ca.key-pkcs11.json",
"certFile": "/tmp/intermediate-cert-rsa-b.pem", "certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
"numSessions": 2 "numSessions": 2
} }
} }

6
test/config/ocsp-responder.json
View File

@ -7,9 +7,9 @@
"path": "/", "path": "/",
"listenAddress": "0.0.0.0:4002", "listenAddress": "0.0.0.0:4002",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/intermediate-cert-ecdsa-a.pem" "/hierarchy/intermediate-cert-ecdsa-a.pem"
], ],
"maxAge": "10s", "maxAge": "10s",
"timeout": "4.9s", "timeout": "4.9s",

6
test/config/orphan-finder.json
View File

@ -1,9 +1,9 @@
{ {
"backdate": "1h", "backdate": "1h",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/intermediate-cert-ecdsa-a.pem" "/hierarchy/intermediate-cert-ecdsa-a.pem"
], ],

16
test/config/publisher.json
View File

@ -4,20 +4,20 @@
"blockProfileRate": 1000000000, "blockProfileRate": 1000000000,
"chains": [ "chains": [
[ [
"/tmp/intermediate-cert-rsa-a.pem", "/hierarchy/intermediate-cert-rsa-a.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-rsa-b.pem", "/hierarchy/intermediate-cert-rsa-b.pem",
"/tmp/root-cert-rsa.pem" "/hierarchy/root-cert-rsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-a.pem", "/hierarchy/intermediate-cert-ecdsa-a.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
], ],
[ [
"/tmp/intermediate-cert-ecdsa-b.pem", "/hierarchy/intermediate-cert-ecdsa-b.pem",
"/tmp/root-cert-ecdsa.pem" "/hierarchy/root-cert-ecdsa.pem"
] ]
], ],
"debugAddr": ":8009", "debugAddr": ":8009",

2
test/config/ra.json
View File

@ -11,7 +11,7 @@
"weakKeyFile": "test/example-weak-keys.json", "weakKeyFile": "test/example-weak-keys.json",
"blockedKeyFile": "test/example-blocked-keys.yaml", "blockedKeyFile": "test/example-blocked-keys.yaml",
"orderLifetime": "168h", "orderLifetime": "168h",
"issuerCertPath": "/tmp/intermediate-cert-rsa-a.pem", "issuerCertPath": "/hierarchy/intermediate-cert-rsa-a.pem",
"tls": { "tls": {
"caCertFile": "test/grpc-creds/minica.pem", "caCertFile": "test/grpc-creds/minica.pem",
"certFile": "test/grpc-creds/ra.boulder/cert.pem", "certFile": "test/grpc-creds/ra.boulder/cert.pem",

2
test/config/wfe.json
View File

@ -53,6 +53,6 @@
}, },
"common": { "common": {
"issuerCert": "/tmp/intermediate-cert-rsa-a.pem" "issuerCert": "/hierarchy/intermediate-cert-rsa-a.pem"
} }
} }

8
test/config/wfe2.json
View File

@ -40,12 +40,12 @@
} }
}, },
"certificateChains": { "certificateChains": {
"http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ], "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
"http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ] "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
}, },
"alternateCertificateChains": { "alternateCertificateChains": {
"http://boulder:4430/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ], "http://boulder:4430/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ],
"http://127.0.0.1:4000/acme/issuer-cert": [ "/tmp/intermediate-cert-rsa-a.pem" ] "http://127.0.0.1:4000/acme/issuer-cert": [ "/hierarchy/intermediate-cert-rsa-a.pem" ]
}, },
"staleTimeout": "5m", "staleTimeout": "5m",
"authorizationLifetimeDays": 30, "authorizationLifetimeDays": 30,

2
test/helpers.py
View File

@ -86,7 +86,7 @@ def ocsp_verify(cert_file, issuer_file, ocsp_response):
'-issuer', issuer_file, '-issuer', issuer_file,
'-cert', cert_file, '-cert', cert_file,
'-verify_other', issuer_file, '-verify_other', issuer_file,
'-CAfile', '/tmp/root-cert-rsa.pem', '-CAfile', '/hierarchy/root-cert-rsa.pem',
'-respin', f.name], stderr=subprocess.STDOUT).decode() '-respin', f.name], stderr=subprocess.STDOUT).decode()
# OpenSSL doesn't always return non-zero when response verify fails, so we # OpenSSL doesn't always return non-zero when response verify fails, so we
# also look for the string "Response Verify Failure" # also look for the string "Response Verify Failure"

2
test/integration-test.py
View File

@ -62,7 +62,7 @@ def test_single_ocsp():
# Verify that the static OCSP responder, which answers with a # Verify that the static OCSP responder, which answers with a
# pre-signed, long-lived response for the CA cert, works. # pre-signed, long-lived response for the CA cert, works.
verify_ocsp("/tmp/intermediate-cert-rsa-a.pem", "/tmp/root-cert-rsa.pem", "http://localhost:4003", "good") verify_ocsp("/hierarchy/intermediate-cert-rsa-a.pem", "/hierarchy/root-cert-rsa.pem", "http://localhost:4003", "good")
p.send_signal(signal.SIGTERM) p.send_signal(signal.SIGTERM)
p.wait() p.wait()

4
test/integration/orphan_finder_test.go
View File

@ -75,7 +75,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
pubKeyBytes, err := ioutil.ReadFile("/tmp/intermediate-signing-pub-rsa.pem") pubKeyBytes, err := ioutil.ReadFile("/hierarchy/intermediate-signing-pub-rsa.pem")
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -100,7 +100,7 @@ func makeFakeCert(precert bool) (*x509.Certificate, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
issuer, err := issuance.LoadCertificate("/tmp/intermediate-cert-rsa-a.pem") issuer, err := issuance.LoadCertificate("/hierarchy/intermediate-cert-rsa-a.pem")
if err != nil { if err != nil {
return nil, err return nil, err
} }

4
test/issuer-ocsp-responder.json
View File

@ -1,10 +1,10 @@
{ {
"ocspResponder": { "ocspResponder": {
"source": "file:///tmp/intermediate-ocsp-rsa.b64", "source": "file:///hierarchy/intermediate-ocsp-rsa.b64",
"path": "/", "path": "/",
"listenAddress": "0.0.0.0:4003", "listenAddress": "0.0.0.0:4003",
"issuerCerts": [ "issuerCerts": [
"/tmp/intermediate-cert-rsa-a.pem" "/hierarchy/intermediate-cert-rsa-a.pem"
], ],
"maxAge": "10s", "maxAge": "10s",
"timeout": "4.9s", "timeout": "4.9s",

10
test/v1_integration.py
View File

@ -345,7 +345,7 @@ def test_issuer():
parsed_chain = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, chain) parsed_chain = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, chain)
parsed_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert) parsed_cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)
parsed_root = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, parsed_root = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,
open("/tmp/root-cert-rsa.pem").read()) open("/hierarchy/root-cert-rsa.pem").read())
store = OpenSSL.crypto.X509Store() store = OpenSSL.crypto.X509Store()
store.add_cert(parsed_root) store.add_cert(parsed_root)
@ -365,7 +365,7 @@ def test_ocsp():
# As OCSP-Updater is generating responses independently of the CA we sit in a loop # As OCSP-Updater is generating responses independently of the CA we sit in a loop
# checking OCSP until we either see a good response or we timeout (5s). # checking OCSP until we either see a good response or we timeout (5s).
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
def test_ct_submission(): def test_ct_submission():
hostname = random_domain() hostname = random_domain()
@ -418,7 +418,7 @@ def test_revoke_by_account():
reset_akamai_purges() reset_akamai_purges()
client.revoke(cert.body, 0) client.revoke(cert.body, 0)
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
@ -580,7 +580,7 @@ def test_admin_revoker_cert():
serial, '1']) serial, '1'])
# Wait for OCSP response to indicate revocation took place # Wait for OCSP response to indicate revocation took place
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_admin_revoker_batched(): def test_admin_revoker_batched():
@ -601,7 +601,7 @@ def test_admin_revoker_batched():
serialFile.name, '0', '2']) serialFile.name, '0', '2'])
for cert_file in cert_files: for cert_file in cert_files:
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
def test_sct_embedding(): def test_sct_embedding():
certr, authzs = auth_and_issue([random_domain()]) certr, authzs = auth_and_issue([random_domain()])

22
test/v2_integration.py
View File

@ -683,7 +683,7 @@ def test_revoke_by_account():
reset_akamai_purges() reset_akamai_purges()
client.revoke(josepy.ComparableX509(cert), 0) client.revoke(josepy.ComparableX509(cert), 0)
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_revoke_by_issuer(): def test_revoke_by_issuer():
@ -695,7 +695,7 @@ def test_revoke_by_issuer():
reset_akamai_purges() reset_akamai_purges()
client.revoke(josepy.ComparableX509(cert), 0) client.revoke(josepy.ComparableX509(cert), 0)
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_revoke_by_authz(): def test_revoke_by_authz():
@ -711,7 +711,7 @@ def test_revoke_by_authz():
reset_akamai_purges() reset_akamai_purges()
client.revoke(josepy.ComparableX509(cert), 0) client.revoke(josepy.ComparableX509(cert), 0)
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_revoke_by_privkey(): def test_revoke_by_privkey():
@ -745,7 +745,7 @@ def test_revoke_by_privkey():
cert_file.write(OpenSSL.crypto.dump_certificate( cert_file.write(OpenSSL.crypto.dump_certificate(
OpenSSL.crypto.FILETYPE_PEM, cert).decode()) OpenSSL.crypto.FILETYPE_PEM, cert).decode())
cert_file.close() cert_file.close()
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_sct_embedding(): def test_sct_embedding():
@ -1159,7 +1159,7 @@ def test_ocsp():
# As OCSP-Updater is generating responses independently of the CA we sit in a loop # As OCSP-Updater is generating responses independently of the CA we sit in a loop
# checking OCSP until we either see a good response or we timeout (5s). # checking OCSP until we either see a good response or we timeout (5s).
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "good")
def test_ct_submission(): def test_ct_submission():
hostname = random_domain() hostname = random_domain()
@ -1215,7 +1215,7 @@ def ocsp_exp_unauth_setup():
# Since our servers are pretending to be in the past, but the openssl cli # Since our servers are pretending to be in the past, but the openssl cli
# isn't, we'll get an expired OCSP response. Just check that it exists; # isn't, we'll get an expired OCSP response. Just check that it exists;
# don't do the full verification (which would fail). # don't do the full verification (which would fail).
check_ocsp_basic_oid(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002") check_ocsp_basic_oid(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
global ocsp_exp_unauth_setup_data global ocsp_exp_unauth_setup_data
ocsp_exp_unauth_setup_data['cert_file'] = cert_file.name ocsp_exp_unauth_setup_data['cert_file'] = cert_file.name
@ -1226,7 +1226,7 @@ def test_ocsp_exp_unauth():
cert_file = ocsp_exp_unauth_setup_data['cert_file'] cert_file = ocsp_exp_unauth_setup_data['cert_file']
while tries < 5: while tries < 5:
try: try:
verify_ocsp(cert_file, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX") verify_ocsp(cert_file, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "XXX")
raise(Exception("Unexpected return from verify_ocsp")) raise(Exception("Unexpected return from verify_ocsp"))
except subprocess.CalledProcessError as cpe: except subprocess.CalledProcessError as cpe:
if cpe.output == b"Responder Error: unauthorized (6)\n": if cpe.output == b"Responder Error: unauthorized (6)\n":
@ -1476,7 +1476,7 @@ def test_admin_revoker_cert():
'%x' % parsed_cert.serial_number, '1']) '%x' % parsed_cert.serial_number, '1'])
# Wait for OCSP response to indicate revocation took place # Wait for OCSP response to indicate revocation took place
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
verify_akamai_purge() verify_akamai_purge()
def test_admin_revoker_batched(): def test_admin_revoker_batched():
@ -1497,7 +1497,7 @@ def test_admin_revoker_batched():
serialFile.name, '0', '2']) serialFile.name, '0', '2'])
for cert_file in cert_files: for cert_file in cert_files:
verify_ocsp(cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked") verify_ocsp(cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002", "revoked")
def test_sct_embedding(): def test_sct_embedding():
order = chisel2.auth_and_issue([random_domain()]) order = chisel2.auth_and_issue([random_domain()])
@ -1569,7 +1569,7 @@ def ocsp_resigning_setup():
client.revoke(josepy.ComparableX509(cert), 3) client.revoke(josepy.ComparableX509(cert), 3)
ocsp_response, reason = get_ocsp_response_and_reason( ocsp_response, reason = get_ocsp_response_and_reason(
cert_file.name, "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002") cert_file.name, "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
global ocsp_resigning_setup_data global ocsp_resigning_setup_data
ocsp_resigning_setup_data = { ocsp_resigning_setup_data = {
'cert_file': cert_file.name, 'cert_file': cert_file.name,
@ -1585,7 +1585,7 @@ def test_ocsp_resigning():
tries = 0 tries = 0
while tries < 5: while tries < 5:
resp, reason = get_ocsp_response_and_reason( resp, reason = get_ocsp_response_and_reason(
ocsp_resigning_setup_data['cert_file'], "/tmp/intermediate-cert-rsa-a.pem", "http://localhost:4002") ocsp_resigning_setup_data['cert_file'], "/hierarchy/intermediate-cert-rsa-a.pem", "http://localhost:4002")
if resp != ocsp_resigning_setup_data['response']: if resp != ocsp_resigning_setup_data['response']:
break break
tries += 1 tries += 1