letsencrypt
/
boulder
mirror of https://github.com/letsencrypt/boulder.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
boulder/test/integration/issuance_test.go

234 lines
7.8 KiB
Go
Raw Permalink Blame History

//go:build integration
package integration
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"fmt"
"os"
"strings"
"testing"
"github.com/eggsampler/acme/v3"
"github.com/letsencrypt/boulder/test"
)
// TestCommonNameInCSR ensures that CSRs which have a CN set result in certs
// with the same CN set.
func TestCommonNameInCSR(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Put together some names.
cn := random_domain()
san1 := random_domain()
san2 := random_domain()
idents := []acme.Identifier{
{Type: "dns", Value: cn},
{Type: "dns", Value: san1},
{Type: "dns", Value: san2},
}
// Issue a cert. authAndIssue includes the 0th name as the CN by default.
ir, err := authAndIssue(client, key, idents, true, "")
test.AssertNotError(t, err, "failed to issue test cert")
cert := ir.certs[0]
// Ensure that the CN is incorporated into the SANs.
test.AssertSliceContains(t, cert.DNSNames, cn)
test.AssertSliceContains(t, cert.DNSNames, san1)
test.AssertSliceContains(t, cert.DNSNames, san2)
// Ensure that the CN is preserved as the CN.
test.AssertEquals(t, cert.Subject.CommonName, cn)
}
// TestFirstCSRSANHoistedToCN ensures that CSRs which have no CN set result in
// certs with the first CSR SAN hoisted into the CN field.
func TestFirstCSRSANHoistedToCN(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Create some names that we can sort.
san1 := "a" + random_domain()
san2 := "b" + random_domain()
idents := []acme.Identifier{
{Type: "dns", Value: san2},
{Type: "dns", Value: san1},
}
// Issue a cert using a CSR with no CN set, and the SANs in *non*-alpha order.
ir, err := authAndIssue(client, key, idents, false, "")
test.AssertNotError(t, err, "failed to issue test cert")
cert := ir.certs[0]
// Ensure that the SANs are correct, and sorted alphabetically.
test.AssertEquals(t, cert.DNSNames[0], san1)
test.AssertEquals(t, cert.DNSNames[1], san2)
// Ensure that the first SAN from the CSR is the CN.
test.Assert(t, cert.Subject.CommonName == san2, "first SAN should have been hoisted")
}
// TestCommonNameSANsTooLong tests that, when the names in an order and CSR are
// too long to be hoisted into the CN, the correct behavior results.
func TestCommonNameSANsTooLong(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Put together some names.
san1 := fmt.Sprintf("thisdomainnameis.morethan64characterslong.forthesakeoftesting.%s", random_domain())
san2 := fmt.Sprintf("thisdomainnameis.morethan64characterslong.forthesakeoftesting.%s", random_domain())
idents := []acme.Identifier{
{Type: "dns", Value: san1},
{Type: "dns", Value: san2},
}
// Issue a cert using a CSR with no CN set.
ir, err := authAndIssue(client, key, idents, false, "")
test.AssertNotError(t, err, "failed to issue test cert")
cert := ir.certs[0]
// Ensure that the SANs are correct.
test.AssertSliceContains(t, cert.DNSNames, san1)
test.AssertSliceContains(t, cert.DNSNames, san2)
// Ensure that the CN is empty.
test.AssertEquals(t, cert.Subject.CommonName, "")
}
// TestIssuanceProfiles verifies that profile selection works, and results in
// measurable differences between certificates issued under different profiles.
// It does not test the omission of the keyEncipherment KU, because all of our
// integration test framework assumes ECDSA pubkeys for the sake of speed,
// and ECDSA certs don't get the keyEncipherment KU in either profile.
func TestIssuanceProfiles(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
profiles := client.Directory().Meta.Profiles
if len(profiles) < 2 {
t.Fatal("ACME server not advertising multiple profiles")
}
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Create a set of identifiers to request.
idents := []acme.Identifier{
{Type: "dns", Value: random_domain()},
}
// Get one cert for each profile that we know the test server advertises.
res, err := authAndIssue(client, key, idents, true, "legacy")
test.AssertNotError(t, err, "failed to issue under legacy profile")
test.AssertEquals(t, res.Order.Profile, "legacy")
legacy := res.certs[0]
res, err = authAndIssue(client, key, idents, true, "modern")
test.AssertNotError(t, err, "failed to issue under modern profile")
test.AssertEquals(t, res.Order.Profile, "modern")
modern := res.certs[0]
// Check that each profile worked as expected.
test.AssertEquals(t, legacy.Subject.CommonName, idents[0].Value)
test.AssertEquals(t, modern.Subject.CommonName, "")
test.AssertDeepEquals(t, legacy.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
test.AssertDeepEquals(t, modern.ExtKeyUsage, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
test.AssertEquals(t, len(legacy.SubjectKeyId), 20)
test.AssertEquals(t, len(modern.SubjectKeyId), 0)
}
// TestIPShortLived verifies that we will allow IP address identifiers only in
// orders that use the shortlived profile.
func TestIPShortLived(t *testing.T) {
t.Parallel()
// Create an account.
client, err := makeClient("mailto:example@letsencrypt.org")
if err != nil {
t.Fatalf("creating acme client: %s", err)
}
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("creating random cert key: %s", err)
}
// Create an IP address identifier to request.
ip := "64.112.117.122"
idents := []acme.Identifier{
{Type: "ip", Value: ip},
}
// Ensure we fail under each other profile that we know the test server advertises.
_, err = authAndIssue(client, key, idents, false, "legacy")
if err == nil {
t.Error("issued for IP address identifier under legacy profile")
}
if !strings.Contains(err.Error(), "Profile \"legacy\" does not permit ip type identifiers") {
t.Fatalf("issuing under legacy profile failed for the wrong reason: %s", err)
}
_, err = authAndIssue(client, key, idents, false, "modern")
if err == nil {
t.Error("issued for IP address identifier under modern profile")
}
if !strings.Contains(err.Error(), "Profile \"modern\" does not permit ip type identifiers") {
t.Fatalf("issuing under legacy profile failed for the wrong reason: %s", err)
}
// Get one cert for the shortlived profile.
res, err := authAndIssue(client, key, idents, false, "shortlived")
if os.Getenv("BOULDER_CONFIG_DIR") == "test/config-next" {
if err != nil {
t.Errorf("issuing under shortlived profile: %s", err)
}
if res.Order.Profile != "shortlived" {
t.Errorf("got '%s' profile, wanted 'shortlived'", res.Order.Profile)
}
cert := res.certs[0]
// Check that the shortlived profile worked as expected.
if cert.IPAddresses[0].String() != ip {
t.Errorf("got cert with first IP SAN '%s', wanted '%s'", cert.IPAddresses[0], ip)
}
} else {
if !strings.Contains(err.Error(), "Profile \"shortlived\" does not permit ip type identifiers") {
t.Errorf("issuing under shortlived profile failed for the wrong reason: %s", err)
}
}
}
Reference in New Issue View Git Blame Copy Permalink