Added test: CA must reject CSRs with invalid signatures.

Damian Duesentrieb 2015-11-20 21:18:45 +01:00
parent d25e934662
commit e3d8566844
2 changed files with 20 additions and 0 deletions


@ -90,6 +90,10 @@ var (
// * DNSNames = moreCAPs.com, morecaps.com, evenMOREcaps.com, Capitalizedletters.COM
CapitalizedCSR = mustRead("./testdata/capitalized_cn_and_san.der.csr")
// CSR generated by OpenSSL:
// Edited signature to become invalid.
WrongSignatureCSR = mustRead("./testdata/invalid_signature.der.csr")
log = mocks.UseMockLog()
)
@ -411,6 +415,22 @@ func TestCapitalizedLetters(t *testing.T) {
test.AssertDeepEquals(t, expected, parsedCert.DNSNames)
}
func TestWrongSignature(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
ctx.caConfig.MaxNames = 3
ca, err := NewCertificateAuthorityImpl(ctx.caConfig, ctx.fc, ctx.stats, caCertFile)
ca.Publisher = &mocks.Publisher{}
ca.PA = ctx.pa
ca.SA = ctx.sa
// x509.ParseCertificateRequest() does not check for invalid signatures...
csr, _ := x509.ParseCertificateRequest(WrongSignatureCSR)
_, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertError(t, err, "Issued a certificate based on a CSR with an invalid signature.")
}
func TestHSMFaultTimeout(t *testing.T) {
ctx := setup(t)
defer ctx.cleanUp()
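Review bot: In TestWrongSignature the closing `test.AssertError` passes on any error from `ca.IssueCertificate`, so the test does not show that the invalid signature is what caused the rejection; a failure for an unrelated reason (for example name policy or the `MaxNames = 3` limit) would satisfy it equally. Consider also asserting on the error's type or message, or issuing from the same CSR with its original signature and asserting success, so that a regression in signature checking cannot hide behind another rejection. The two earlier errors are also dropped: `err` from `NewCertificateAuthorityImpl` is overwritten without being checked, and the parse error is discarded, so a broken fixture would surface as a nil-pointer panic on `*csr` rather than as a test failure. For the second, `csr, err := x509.ParseCertificateRequest(WrongSignatureCSR)` followed by `test.AssertNotError(t, err, "Failed to parse CSR")` would do. TestHSMFaultTimeout continues past the end of the hunk.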

ca/testdata/invalid_signature.der.csr vendored Normal file

Binary file not shown.