2797 lines
112 KiB
Go
2797 lines
112 KiB
Go
package wfe
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/ecdsa"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"os"
|
|
"sort"
|
|
"strconv"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/jmhodges/clock"
|
|
"github.com/letsencrypt/boulder/core"
|
|
corepb "github.com/letsencrypt/boulder/core/proto"
|
|
"github.com/letsencrypt/boulder/ctpolicy"
|
|
berrors "github.com/letsencrypt/boulder/errors"
|
|
"github.com/letsencrypt/boulder/features"
|
|
"github.com/letsencrypt/boulder/goodkey"
|
|
"github.com/letsencrypt/boulder/identifier"
|
|
blog "github.com/letsencrypt/boulder/log"
|
|
"github.com/letsencrypt/boulder/metrics"
|
|
"github.com/letsencrypt/boulder/mocks"
|
|
"github.com/letsencrypt/boulder/nonce"
|
|
"github.com/letsencrypt/boulder/probs"
|
|
"github.com/letsencrypt/boulder/ra"
|
|
rapb "github.com/letsencrypt/boulder/ra/proto"
|
|
"github.com/letsencrypt/boulder/revocation"
|
|
"github.com/letsencrypt/boulder/test"
|
|
vaPB "github.com/letsencrypt/boulder/va/proto"
|
|
"github.com/letsencrypt/boulder/web"
|
|
"google.golang.org/grpc"
|
|
"gopkg.in/square/go-jose.v2"
|
|
)
|
|
|
|
const (
|
|
agreementURL = "http://example.invalid/terms"
|
|
|
|
test1KeyPublicJSON = `
|
|
{
|
|
"kty":"RSA",
|
|
"n":"yNWVhtYEKJR21y9xsHV-PD_bYwbXSeNuFal46xYxVfRL5mqha7vttvjB_vc7Xg2RvgCxHPCqoxgMPTzHrZT75LjCwIW2K_klBYN8oYvTwwmeSkAz6ut7ZxPv-nZaT5TJhGk0NT2kh_zSpdriEJ_3vW-mqxYbbBmpvHqsa1_zx9fSuHYctAZJWzxzUZXykbWMWQZpEiE0J4ajj51fInEzVn7VxV-mzfMyboQjujPh7aNJxAWSq4oQEJJDgWwSh9leyoJoPpONHxh5nEE5AjE01FkGICSxjpZsF-w8hOTI3XXohUdu29Se26k2B0PolDSuj0GIQU6-W9TdLXSjBb2SpQ",
|
|
"e":"AQAB"
|
|
}`
|
|
|
|
test1KeyPrivatePEM = `
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEowIBAAKCAQEAyNWVhtYEKJR21y9xsHV+PD/bYwbXSeNuFal46xYxVfRL5mqh
|
|
a7vttvjB/vc7Xg2RvgCxHPCqoxgMPTzHrZT75LjCwIW2K/klBYN8oYvTwwmeSkAz
|
|
6ut7ZxPv+nZaT5TJhGk0NT2kh/zSpdriEJ/3vW+mqxYbbBmpvHqsa1/zx9fSuHYc
|
|
tAZJWzxzUZXykbWMWQZpEiE0J4ajj51fInEzVn7VxV+mzfMyboQjujPh7aNJxAWS
|
|
q4oQEJJDgWwSh9leyoJoPpONHxh5nEE5AjE01FkGICSxjpZsF+w8hOTI3XXohUdu
|
|
29Se26k2B0PolDSuj0GIQU6+W9TdLXSjBb2SpQIDAQABAoIBAHw58SXYV/Yp72Cn
|
|
jjFSW+U0sqWMY7rmnP91NsBjl9zNIe3C41pagm39bTIjB2vkBNR8ZRG7pDEB/QAc
|
|
Cn9Keo094+lmTArjL407ien7Ld+koW7YS8TyKADYikZo0vAK3qOy14JfQNiFAF9r
|
|
Bw61hG5/E58cK5YwQZe+YcyBK6/erM8fLrJEyw4CV49wWdq/QqmNYU1dx4OExAkl
|
|
KMfvYXpjzpvyyTnZuS4RONfHsO8+JTyJVm+lUv2x+bTce6R4W++UhQY38HakJ0x3
|
|
XRfXooRv1Bletu5OFlpXfTSGz/5gqsfemLSr5UHncsCcFMgoFBsk2t/5BVukBgC7
|
|
PnHrAjkCgYEA887PRr7zu3OnaXKxylW5U5t4LzdMQLpslVW7cLPD4Y08Rye6fF5s
|
|
O/jK1DNFXIoUB7iS30qR7HtaOnveW6H8/kTmMv/YAhLO7PAbRPCKxxcKtniEmP1x
|
|
ADH0tF2g5uHB/zeZhCo9qJiF0QaJynvSyvSyJFmY6lLvYZsAW+C+PesCgYEA0uCi
|
|
Q8rXLzLpfH2NKlLwlJTi5JjE+xjbabgja0YySwsKzSlmvYJqdnE2Xk+FHj7TCnSK
|
|
KUzQKR7+rEk5flwEAf+aCCNh3W4+Hp9MmrdAcCn8ZsKmEW/o7oDzwiAkRCmLw/ck
|
|
RSFJZpvFoxEg15riT37EjOJ4LBZ6SwedsoGA/a8CgYEA2Ve4sdGSR73/NOKZGc23
|
|
q4/B4R2DrYRDPhEySnMGoPCeFrSU6z/lbsUIU4jtQWSaHJPu4n2AfncsZUx9WeSb
|
|
OzTCnh4zOw33R4N4W8mvfXHODAJ9+kCc1tax1YRN5uTEYzb2dLqPQtfNGxygA1DF
|
|
BkaC9CKnTeTnH3TlKgK8tUcCgYB7J1lcgh+9ntwhKinBKAL8ox8HJfkUM+YgDbwR
|
|
sEM69E3wl1c7IekPFvsLhSFXEpWpq3nsuMFw4nsVHwaGtzJYAHByhEdpTDLXK21P
|
|
heoKF1sioFbgJB1C/Ohe3OqRLDpFzhXOkawOUrbPjvdBM2Erz/r11GUeSlpNazs7
|
|
vsoYXQKBgFwFM1IHmqOf8a2wEFa/a++2y/WT7ZG9nNw1W36S3P04K4lGRNRS2Y/S
|
|
snYiqxD9nL7pVqQP2Qbqbn0yD6d3G5/7r86F7Wu2pihM8g6oyMZ3qZvvRIBvKfWo
|
|
eROL1ve1vmQF3kjrMPhhK2kr6qdWnTE5XlPllVSZFQenSTzj98AO
|
|
-----END RSA PRIVATE KEY-----
|
|
`
|
|
|
|
test2KeyPublicJSON = `{
|
|
"kty":"RSA",
|
|
"n":"qnARLrT7Xz4gRcKyLdydmCr-ey9OuPImX4X40thk3on26FkMznR3fRjs66eLK7mmPcBZ6uOJseURU6wAaZNmemoYx1dMvqvWWIyiQleHSD7Q8vBrhR6uIoO4jAzJZR-ChzZuSDt7iHN-3xUVspu5XGwXU_MVJZshTwp4TaFx5elHIT_ObnTvTOU3Xhish07AbgZKmWsVbXh5s-CrIicU4OexJPgunWZ_YJJueOKmTvnLlTV4MzKR2oZlBKZ27S0-SfdV_QDx_ydle5oMAyKVtlAV35cyPMIsYNwgUGBCdY_2Uzi5eX0lTc7MPRwz6qR1kip-i59VcGcUQgqHV6Fyqw",
|
|
"e":"AQAB"
|
|
}`
|
|
|
|
test2KeyPrivatePEM = `
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEpAIBAAKCAQEAqnARLrT7Xz4gRcKyLdydmCr+ey9OuPImX4X40thk3on26FkM
|
|
znR3fRjs66eLK7mmPcBZ6uOJseURU6wAaZNmemoYx1dMvqvWWIyiQleHSD7Q8vBr
|
|
hR6uIoO4jAzJZR+ChzZuSDt7iHN+3xUVspu5XGwXU/MVJZshTwp4TaFx5elHIT/O
|
|
bnTvTOU3Xhish07AbgZKmWsVbXh5s+CrIicU4OexJPgunWZ/YJJueOKmTvnLlTV4
|
|
MzKR2oZlBKZ27S0+SfdV/QDx/ydle5oMAyKVtlAV35cyPMIsYNwgUGBCdY/2Uzi5
|
|
eX0lTc7MPRwz6qR1kip+i59VcGcUQgqHV6FyqwIDAQABAoIBAG5m8Xpj2YC0aYtG
|
|
tsxmX9812mpJFqFOmfS+f5N0gMJ2c+3F4TnKz6vE/ZMYkFnehAT0GErC4WrOiw68
|
|
F/hLdtJM74gQ0LGh9dKeJmz67bKqngcAHWW5nerVkDGIBtzuMEsNwxofDcIxrjkr
|
|
G0b7AHMRwXqrt0MI3eapTYxby7+08Yxm40mxpSsW87FSaI61LDxUDpeVkn7kolSN
|
|
WifVat7CpZb/D2BfGAQDxiU79YzgztpKhbynPdGc/OyyU+CNgk9S5MgUX2m9Elh3
|
|
aXrWh2bT2xzF+3KgZdNkJQcdIYVoGq/YRBxlGXPYcG4Do3xKhBmH79Io2BizevZv
|
|
nHkbUGECgYEAydjb4rl7wYrElDqAYpoVwKDCZAgC6o3AKSGXfPX1Jd2CXgGR5Hkl
|
|
ywP0jdSLbn2v/jgKQSAdRbYuEiP7VdroMb5M6BkBhSY619cH8etoRoLzFo1GxcE8
|
|
Y7B598VXMq8TT+TQqw/XRvM18aL3YDZ3LSsR7Gl2jF/sl6VwQAaZToUCgYEA2Cn4
|
|
fG58ME+M4IzlZLgAIJ83PlLb9ip6MeHEhUq2Dd0In89nss7Acu0IVg8ES88glJZy
|
|
4SjDLGSiuQuoQVo9UBq/E5YghdMJFp5ovwVfEaJ+ruWqOeujvWzzzPVyIWSLXRQa
|
|
N4kedtfrlqldMIXywxVru66Q1NOGvhDHm/Q8+28CgYEAkhLCbn3VNed7A9qidrkT
|
|
7OdqRoIVujEDU8DfpKtK0jBP3EA+mJ2j4Bvoq4uZrEiBSPS9VwwqovyIstAfX66g
|
|
Qv95IK6YDwfvpawUL9sxB3ZU/YkYIp0JWwun+Mtzo1ZYH4V0DZfVL59q9of9hj9k
|
|
V+fHfNOF22jAC67KYUtlPxECgYEAwF6hj4L3rDqvQYrB/p8tJdrrW+B7dhgZRNkJ
|
|
fiGd4LqLGUWHoH4UkHJXT9bvWNPMx88YDz6qapBoq8svAnHfTLFwyGp7KP1FAkcZ
|
|
Kp4KG/SDTvx+QCtvPX1/fjAUUJlc2QmxxyiU3uiK9Tpl/2/FOk2O4aiZpX1VVUIz
|
|
kZuKxasCgYBiVRkEBk2W4Ia0B7dDkr2VBrz4m23Y7B9cQLpNAapiijz/0uHrrCl8
|
|
TkLlEeVOuQfxTadw05gzKX0jKkMC4igGxvEeilYc6NR6a4nvRulG84Q8VV9Sy9Ie
|
|
wk6Oiadty3eQqSBJv0HnpmiEdQVffIK5Pg4M8Dd+aOBnEkbopAJOuA==
|
|
-----END RSA PRIVATE KEY-----
|
|
`
|
|
test3KeyPrivatePEM = `
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEpAIBAAKCAQEAuTQER6vUA1RDixS8xsfCRiKUNGRzzyIK0MhbS2biClShbb0h
|
|
Sx2mPP7gBvis2lizZ9r+y9hL57kNQoYCKndOBg0FYsHzrQ3O9AcoV1z2Mq+XhHZb
|
|
FrVYaXI0M3oY9BJCWog0dyi3XC0x8AxC1npd1U61cToHx+3uSvgZOuQA5ffEn5L3
|
|
8Dz1Ti7OV3E4XahnRJvejadUmTkki7phLBUXm5MnnyFm0CPpf6ApV7zhLjN5W+nV
|
|
0WL17o7v8aDgV/t9nIdi1Y26c3PlCEtiVHZcebDH5F1Deta3oLLg9+g6rWnTqPbY
|
|
3knffhp4m0scLD6e33k8MtzxDX/D7vHsg0/X1wIDAQABAoIBAQCnFJpX3lhiuH5G
|
|
1uqHmmdVxpRVv9oKn/eJ63cRSzvZfgg0bE/A6Hq0xGtvXqDySttvck4zsGqqHnQr
|
|
86G4lfE53D1jnv4qvS5bUKnARwmFKIxU4EHE9s1QM8uMNTaV2nMqIX7TkVP6QHuw
|
|
yB70R2inq15dS7EBWVGFKNX6HwAAdj8pFuF6o2vIwmAfee20aFzpWWf81jOH9Ai6
|
|
hyJyV3NqrU1JzIwlXaeX67R1VroFdhN/lapp+2b0ZEcJJtFlcYFl99NjkQeVZyik
|
|
izNv0GZZNWizc57wU0/8cv+jQ2f26ltvyrPz3QNK61bFfzy+/tfMvLq7sdCmztKJ
|
|
tMxCBJOBAoGBAPKnIVQIS2nTvC/qZ8ajw1FP1rkvYblIiixegjgfFhM32HehQ+nu
|
|
3TELi3I3LngLYi9o6YSqtNBmdBJB+DUAzIXp0TdOihOweGiv5dAEWwY9rjCzMT5S
|
|
GP7dCWiJwoMUHrOs1Po3dwcjj/YsoAW+FC0jSvach2Ln2CvPgr5FP0ARAoGBAMNj
|
|
64qUCzgeXiSyPKK69bCCGtHlTYUndwHQAZmABjbmxAXZNYgp/kBezFpKOwmICE8R
|
|
kK8YALRrL0VWXl/yj85b0HAZGkquNFHPUDd1e6iiP5TrY+Hy4oqtlYApjH6f85CE
|
|
lWjQ1iyUL7aT6fcSgzq65ZWD2hUzvNtWbTt6zQFnAoGAWS/EuDY0QblpOdNWQVR/
|
|
vasyqO4ZZRiccKJsCmSioH2uOoozhBAfjJ9JqblOgyDr/bD546E6xD5j+zH0IMci
|
|
ZTYDh+h+J659Ez1Topl3O1wAYjX6q4VRWpuzkZDQxYznm/KydSVdwmn3x+uvBW1P
|
|
zSdjrjDqMhg1BCVJUNXy4YECgYEAjX1z+dwO68qB3gz7/9NnSzRL+6cTJdNYSIW6
|
|
QtAEsAkX9iw+qaXPKgn77X5HljVd3vQXU9QL3pqnloxetxhNrt+p5yMmeOIBnSSF
|
|
MEPxEkK7zDlRETPzfP0Kf86WoLNviz2XfFmOXqXIj2w5RuOvB/6DdmwOpr/aiPLj
|
|
EulwPw0CgYAMSzsWOt6vU+y/G5NyhUCHvY50TdnGOj2btBk9rYVwWGWxCpg2QF0R
|
|
pcKXgGzXEVZKFAqB8V1c/mmCo8ojPgmqGM+GzX2Bj4seVBW7PsTeZUjrHpADshjV
|
|
F7o5b7y92NlxO5kwQzRKEAhwS5PbKJdx90iCuG+JlI1YgWlA1VcJMw==
|
|
-----END RSA PRIVATE KEY-----
|
|
`
|
|
|
|
test4KeyPrivatePEM = `
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEowIBAAKCAQEAqih+cx32M0wq8MhhN+kBi2xPE+wnw4/iIg1hWO5wtBfpt2Pt
|
|
WikgPuBT6jvK9oyQwAWbSfwqlVZatMPY/+3IyytMNb9R9OatNr6o5HROBoyZnDVS
|
|
iC4iMRd7bRl/PWSIqj/MjhPNa9cYwBdW5iC3jM5TaOgmp0+YFm4tkLGirDcIBDkQ
|
|
Ylnv9NKILvuwqkapZ7XBixeqdCcikUcTRXW5unqygO6bnapzw+YtPsPPlj4Ih3Sv
|
|
K4doyziPV96U8u5lbNYYEzYiW1mbu9n0KLvmKDikGcdOpf6+yRa/10kMZyYQatY1
|
|
eclIKI0xb54kbluEl0GQDaL5FxLmiKeVnsapzwIDAQABAoIBAQCYWNsmTHwjX53O
|
|
qUnJ2jfE0ftXNghAIvHvVRWEny+PPx3FUZWwNMQnJ4haXqCQ8DelhR+NNVYXERLz
|
|
Z6pBMm+l4CVCtgI2B9ar/jaPHMbDPF1IK8GyJcP9Oi4K91oh6IIoFCkcSASS+imx
|
|
yvPF5SMR0aWCduAsyqm743euZizkjIZ4ZzjJzhvtO17BLXpjD2Al8CBfeaaPFfPB
|
|
X86BRH5khuNaRbjG9MVg4h+D752/PuivE6+wBW+F2CYCbFMCYTFSFyHzrVdkw59C
|
|
RbHl6Pk7aTA9z0CR3zNI5k0bGd6z/o0rMei6tWO5OBTQRq5tpW9Gim0uVLH/XJlf
|
|
XmJoze+RAoGBAMNrcbPlWlSpd3C1fwYiztXwIe7TaaJIpQ+UhCZE2NuXmEZFGqD5
|
|
5mrZYV3iIq1cDdeV/BkzkB8ggEuQusZ4d7JfEw/j6I8C3ZRmw4W/bb8LPJMX3Ea7
|
|
SgzFv9e+PqqX/3oHZvUN+kH1FSI+UDpkIdegqUBUyWPvd98SDH0/HaY5AoGBAN7o
|
|
SfwWExIPEYQvpPjiSVxPuuv50z0BZB+vrQL6U2y4FIohuYSfBVvMiy/Q3Coo2yej
|
|
Js4M2bj79lGG86/E+ejdN/YExKWK7qiVnVkOjKnQeJ+bm0+aQWxgetN7RCosqu4T
|
|
Dp+Ih2fmhH9r5CInWjbY8js41c/KmYeMa9ZsehBHAoGAdNGg6eJ8KkoYDXdh1MAw
|
|
FvHyxvr4lbuJeJPWn63eWP75V2Bt97cLx+nk66OICUwTNkIBrusFB6Z9Ky78iDJx
|
|
k16EXaZnWj5jSRhZX3W83EySTHgiBOJm9NWtxgGDIqW0YjVUlb9iT9V7aboIaa98
|
|
D5OKOdu1fBkl9mKqtqBpT/kCgYAugjT9nfV4rSAwfmhjbYN0+UW8+rEyZ1nmqpbk
|
|
qipB4t6WO5cjrrJFhxX7cg6d1Ux0prvv/gpnaFrqg8fQgr7J8W49rJ0DFUvabO0Z
|
|
qcl7nP2t/5+WKk9AN5kpCu0cB5nadqt0ad4mtZgrpe1BmwhdrUJNTPx/kHwcJhZR
|
|
9Ow6/QKBgGzypcqehhIKPjOR7PR8uf0Lb8j5hlLH5akfxVDlUozr5j68cZA3nPW9
|
|
ikuuM4LqU1dlaAp+c51nye7t4hhIw+JtGSWI2fl5NXxB71LOTvN/sN6sGCbNG3pe
|
|
xxBoTncDuGtTpubGbzBrY5W1SlNm1gqu9oQa23WNViN2Rc4aIVm3
|
|
-----END RSA PRIVATE KEY-----
|
|
`
|
|
|
|
testE1KeyPublicJSON = `{
|
|
"kty":"EC",
|
|
"crv":"P-256",
|
|
"x":"FwvSZpu06i3frSk_mz9HcD9nETn4wf3mQ-zDtG21Gao",
|
|
"y":"S8rR-0dWa8nAcw1fbunF_ajS3PQZ-QwLps-2adgLgPk"
|
|
}`
|
|
|
|
testE1KeyPrivatePEM = `
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
MHcCAQEEIH+p32RUnqT/iICBEGKrLIWFcyButv0S0lU/BLPOyHn2oAoGCCqGSM49
|
|
AwEHoUQDQgAEFwvSZpu06i3frSk/mz9HcD9nETn4wf3mQ+zDtG21GapLytH7R1Zr
|
|
ycBzDV9u6cX9qNLc9Bn5DAumz7Zp2AuA+Q==
|
|
-----END EC PRIVATE KEY-----
|
|
`
|
|
|
|
testE2KeyPublicJSON = `{
|
|
"kty":"EC",
|
|
"crv":"P-256",
|
|
"x":"S8FOmrZ3ywj4yyFqt0etAD90U-EnkNaOBSLfQmf7pNg",
|
|
"y":"vMvpDyqFDRHjGfZ1siDOm5LS6xNdR5xTpyoQGLDOX2Q"
|
|
}`
|
|
testE2KeyPrivatePEM = `
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
MHcCAQEEIFRcPxQ989AY6se2RyIoF1ll9O6gHev4oY15SWJ+Jf5eoAoGCCqGSM49
|
|
AwEHoUQDQgAES8FOmrZ3ywj4yyFqt0etAD90U+EnkNaOBSLfQmf7pNi8y+kPKoUN
|
|
EeMZ9nWyIM6bktLrE11HnFOnKhAYsM5fZA==
|
|
-----END EC PRIVATE KEY-----`
|
|
)
|
|
|
|
type MockRegistrationAuthority struct {
|
|
lastRevocationReason revocation.Reason
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) NewRegistration(ctx context.Context, reg core.Registration) (core.Registration, error) {
|
|
return reg, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) NewAuthorization(ctx context.Context, authz core.Authorization, regID int64) (core.Authorization, error) {
|
|
authz.RegistrationID = regID
|
|
authz.ID = "bkrPh2u0JUf18-rVBZtOOWWb3GuIiliypL-hBM9Ak1Q"
|
|
return authz, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) NewCertificate(ctx context.Context, req core.CertificateRequest, regID int64) (core.Certificate, error) {
|
|
return core.Certificate{}, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) UpdateRegistration(ctx context.Context, reg core.Registration, updated core.Registration) (core.Registration, error) {
|
|
keysMatch, _ := core.PublicKeysEqual(reg.Key.Key, updated.Key.Key)
|
|
if !keysMatch {
|
|
reg.Key = updated.Key
|
|
}
|
|
return reg, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) PerformValidation(_ context.Context, _ *rapb.PerformValidationRequest) (*corepb.Authorization, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) RevokeCertificateWithReg(ctx context.Context, cert x509.Certificate, reason revocation.Reason, reg int64) error {
|
|
ra.lastRevocationReason = reason
|
|
return nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) AdministrativelyRevokeCertificate(ctx context.Context, cert x509.Certificate, reason revocation.Reason, user string) error {
|
|
return nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) OnValidationUpdate(ctx context.Context, authz core.Authorization) error {
|
|
return nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) DeactivateAuthorization(ctx context.Context, authz core.Authorization) error {
|
|
return nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) DeactivateRegistration(ctx context.Context, _ core.Registration) error {
|
|
return nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) NewOrder(ctx context.Context, _ *rapb.NewOrderRequest) (*corepb.Order, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
func (ra *MockRegistrationAuthority) FinalizeOrder(ctx context.Context, _ *rapb.FinalizeOrderRequest) (*corepb.Order, error) {
|
|
return nil, nil
|
|
}
|
|
|
|
type mockPA struct{}
|
|
|
|
func (pa *mockPA) ChallengesFor(identifier identifier.ACMEIdentifier) (challenges []core.Challenge, err error) {
|
|
return
|
|
}
|
|
|
|
func (pa *mockPA) WillingToIssue(id identifier.ACMEIdentifier) error {
|
|
return nil
|
|
}
|
|
|
|
func (pa *mockPA) WillingToIssueWildcards(idents []identifier.ACMEIdentifier) error {
|
|
return nil
|
|
}
|
|
|
|
func (pa *mockPA) ChallengeTypeEnabled(t string) bool {
|
|
return true
|
|
}
|
|
|
|
func makeBody(s string) io.ReadCloser {
|
|
return ioutil.NopCloser(strings.NewReader(s))
|
|
}
|
|
|
|
// loadPrivateKey loads a private key from PEM/DER-encoded data.
|
|
// Duplicates functionality from jose v1's util.LoadPrivateKey function. It was
|
|
// moved to the jose-util cmd's main packge in v2.
|
|
func loadPrivateKey(t *testing.T, keyBytes []byte) interface{} {
|
|
// pem.Decode does not return an error as its 2nd arg, but instead the "rest"
|
|
// that was leftover from parsing the PEM block. We only care if the decoded
|
|
// PEM block was empty for this test function.
|
|
block, _ := pem.Decode(keyBytes)
|
|
if block == nil {
|
|
t.Fatal("Unable to decode private key PEM bytes")
|
|
}
|
|
|
|
var privKey interface{}
|
|
// Try decoding as an RSA private key
|
|
privKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
|
|
if err == nil {
|
|
return privKey
|
|
}
|
|
|
|
// Try decoding as a PKCS8 private key
|
|
privKey, err = x509.ParsePKCS8PrivateKey(block.Bytes)
|
|
if err == nil {
|
|
return privKey
|
|
}
|
|
|
|
// Try as an ECDSA private key
|
|
privKey, err = x509.ParseECPrivateKey(block.Bytes)
|
|
if err == nil {
|
|
return privKey
|
|
}
|
|
|
|
// Nothing worked! Fail hard.
|
|
t.Fatal("Unable to decode private key PEM bytes")
|
|
// NOOP - the t.Fatal() call will abort before this return
|
|
return nil
|
|
}
|
|
|
|
// newJoseSigner takes a key and a nonce service and constructs an appropriately
|
|
// configured jose.Signer. If anything goes wrong it uses the testing.T object
|
|
// to fail fatally.
|
|
func newJoseSigner(t *testing.T, key interface{}, ns *nonce.NonceService) jose.Signer {
|
|
var algorithm jose.SignatureAlgorithm
|
|
|
|
switch key.(type) {
|
|
case *rsa.PrivateKey:
|
|
algorithm = jose.RS256
|
|
case *ecdsa.PrivateKey:
|
|
algorithm = jose.ES256
|
|
default:
|
|
t.Fatal("Unsupported key type")
|
|
}
|
|
|
|
opts := &jose.SignerOptions{
|
|
EmbedJWK: true,
|
|
}
|
|
if ns != nil {
|
|
opts.NonceSource = ns
|
|
}
|
|
|
|
signer, err := jose.NewSigner(jose.SigningKey{
|
|
Key: key,
|
|
Algorithm: algorithm,
|
|
}, opts)
|
|
test.AssertNotError(t, err, "Failed to make signer")
|
|
return signer
|
|
}
|
|
|
|
func signRequest(t *testing.T, req string, nonceService *nonce.NonceService) string {
|
|
accountKey := loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
signer := newJoseSigner(t, accountKey, nonceService)
|
|
result, err := signer.Sign([]byte(req))
|
|
test.AssertNotError(t, err, "Failed to sign req")
|
|
ret := result.FullSerialize()
|
|
return ret
|
|
}
|
|
|
|
var testKeyPolicy = goodkey.KeyPolicy{
|
|
AllowRSA: true,
|
|
AllowECDSANISTP256: true,
|
|
AllowECDSANISTP384: true,
|
|
}
|
|
|
|
var ctx = context.Background()
|
|
|
|
func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock) {
|
|
features.Reset()
|
|
|
|
fc := clock.NewFake()
|
|
stats := metrics.NewNoopScope()
|
|
|
|
wfe, err := NewWebFrontEndImpl(stats, fc, testKeyPolicy, nil, nil, blog.NewMock())
|
|
test.AssertNotError(t, err, "Unable to create WFE")
|
|
|
|
wfe.SubscriberAgreementURL = agreementURL
|
|
|
|
wfe.RA = &MockRegistrationAuthority{}
|
|
wfe.SA = mocks.NewStorageAuthority(fc)
|
|
|
|
return wfe, fc
|
|
}
|
|
|
|
// makePostRequest creates an http.Request with method POST, the provided body,
|
|
// and the correct Content-Length.
|
|
func makePostRequest(body string) *http.Request {
|
|
return &http.Request{
|
|
Method: "POST",
|
|
RemoteAddr: "1.1.1.1:7882",
|
|
Header: map[string][]string{
|
|
"Content-Length": {strconv.Itoa(len(body))},
|
|
},
|
|
Body: makeBody(body),
|
|
}
|
|
}
|
|
|
|
func makePostRequestWithPath(path string, body string) *http.Request {
|
|
request := makePostRequest(body)
|
|
request.URL = mustParseURL(path)
|
|
return request
|
|
}
|
|
|
|
func mustParseURL(s string) *url.URL {
|
|
if u, err := url.Parse(s); err != nil {
|
|
panic("Cannot parse URL " + s)
|
|
} else {
|
|
return u
|
|
}
|
|
}
|
|
|
|
func sortHeader(s string) string {
|
|
a := strings.Split(s, ", ")
|
|
sort.Sort(sort.StringSlice(a))
|
|
return strings.Join(a, ", ")
|
|
}
|
|
|
|
func addHeadIfGet(s []string) []string {
|
|
for _, a := range s {
|
|
if a == "GET" {
|
|
return append(s, "HEAD")
|
|
}
|
|
}
|
|
return s
|
|
}
|
|
|
|
const randomKey = "random-key"
|
|
|
|
func replaceRandomKey(b []byte) []byte {
|
|
var gotMap map[string]interface{}
|
|
var _ = json.Unmarshal(b, &gotMap)
|
|
var key string
|
|
for k, v := range gotMap {
|
|
if v == randomDirKeyExplanationLink {
|
|
key = k
|
|
break
|
|
}
|
|
}
|
|
if key != "" {
|
|
delete(gotMap, key)
|
|
gotMap[randomKey] = randomDirKeyExplanationLink
|
|
b, _ = json.Marshal(gotMap)
|
|
return b
|
|
}
|
|
return b
|
|
}
|
|
|
|
func TestHandleFunc(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
var mux *http.ServeMux
|
|
var rw *httptest.ResponseRecorder
|
|
var stubCalled bool
|
|
runWrappedHandler := func(req *http.Request, allowed ...string) {
|
|
mux = http.NewServeMux()
|
|
rw = httptest.NewRecorder()
|
|
stubCalled = false
|
|
wfe.HandleFunc(mux, "/test", func(context.Context, *web.RequestEvent, http.ResponseWriter, *http.Request) {
|
|
stubCalled = true
|
|
}, allowed...)
|
|
req.URL = mustParseURL("/test")
|
|
mux.ServeHTTP(rw, req)
|
|
}
|
|
|
|
// Plain requests (no CORS)
|
|
type testCase struct {
|
|
allowed []string
|
|
reqMethod string
|
|
shouldCallStub bool
|
|
shouldSucceed bool
|
|
}
|
|
var lastNonce string
|
|
for _, c := range []testCase{
|
|
{[]string{"GET", "POST"}, "GET", true, true},
|
|
{[]string{"GET", "POST"}, "POST", true, true},
|
|
{[]string{"GET"}, "", false, false},
|
|
{[]string{"GET"}, "POST", false, false},
|
|
{[]string{"GET"}, "OPTIONS", false, true},
|
|
{[]string{"GET"}, "MAKE-COFFEE", false, false}, // 405, or 418?
|
|
} {
|
|
runWrappedHandler(&http.Request{Method: c.reqMethod}, c.allowed...)
|
|
test.AssertEquals(t, stubCalled, c.shouldCallStub)
|
|
if c.shouldSucceed {
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
} else {
|
|
test.AssertEquals(t, rw.Code, http.StatusMethodNotAllowed)
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Allow")), sortHeader(strings.Join(addHeadIfGet(c.allowed), ", ")))
|
|
test.AssertUnmarshaledEquals(t,
|
|
rw.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
}
|
|
nonce := rw.Header().Get("Replay-Nonce")
|
|
test.AssertNotEquals(t, nonce, lastNonce)
|
|
test.AssertNotEquals(t, nonce, "")
|
|
lastNonce = nonce
|
|
}
|
|
|
|
// Disallowed method returns error JSON in body
|
|
runWrappedHandler(&http.Request{Method: "PUT"}, "GET", "POST")
|
|
test.AssertEquals(t, rw.Header().Get("Content-Type"), "application/problem+json")
|
|
test.AssertUnmarshaledEquals(t, rw.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Allow")), "GET, HEAD, POST")
|
|
|
|
// Disallowed method special case: response to HEAD has got no body
|
|
runWrappedHandler(&http.Request{Method: "HEAD"}, "GET", "POST")
|
|
test.AssertEquals(t, stubCalled, true)
|
|
test.AssertEquals(t, rw.Body.String(), "")
|
|
|
|
// HEAD doesn't work with POST-only endpoints
|
|
runWrappedHandler(&http.Request{Method: "HEAD"}, "POST")
|
|
test.AssertEquals(t, stubCalled, false)
|
|
test.AssertEquals(t, rw.Code, http.StatusMethodNotAllowed)
|
|
test.AssertEquals(t, rw.Header().Get("Content-Type"), "application/problem+json")
|
|
test.AssertEquals(t, rw.Header().Get("Allow"), "POST")
|
|
test.AssertUnmarshaledEquals(t, rw.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
|
|
wfe.AllowOrigins = []string{"*"}
|
|
testOrigin := "https://example.com"
|
|
|
|
// CORS "actual" request for disallowed method
|
|
runWrappedHandler(&http.Request{
|
|
Method: "POST",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
},
|
|
}, "GET")
|
|
test.AssertEquals(t, stubCalled, false)
|
|
test.AssertEquals(t, rw.Code, http.StatusMethodNotAllowed)
|
|
|
|
// CORS "actual" request for allowed method
|
|
runWrappedHandler(&http.Request{
|
|
Method: "GET",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
},
|
|
}, "GET", "POST")
|
|
test.AssertEquals(t, stubCalled, true)
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Methods"), "")
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "*")
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Access-Control-Expose-Headers")), "Link, Replay-Nonce")
|
|
|
|
// CORS preflight request for disallowed method
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
"Access-Control-Request-Method": {"POST"},
|
|
},
|
|
}, "GET")
|
|
test.AssertEquals(t, stubCalled, false)
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
test.AssertEquals(t, rw.Header().Get("Allow"), "GET, HEAD")
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "")
|
|
|
|
// CORS preflight request for allowed method
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
"Access-Control-Request-Method": {"POST"},
|
|
"Access-Control-Request-Headers": {"X-Accept-Header1, X-Accept-Header2", "X-Accept-Header3"},
|
|
},
|
|
}, "GET", "POST")
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "*")
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Max-Age"), "86400")
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Access-Control-Allow-Methods")), "GET, HEAD, POST")
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Access-Control-Expose-Headers")), "Link, Replay-Nonce")
|
|
|
|
// OPTIONS request without an Origin header (i.e., not a CORS
|
|
// preflight request)
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Access-Control-Request-Method": {"POST"},
|
|
},
|
|
}, "GET", "POST")
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "")
|
|
test.AssertEquals(t, sortHeader(rw.Header().Get("Allow")), "GET, HEAD, POST")
|
|
|
|
// CORS preflight request missing optional Request-Method
|
|
// header. The "actual" request will be GET.
|
|
for _, allowedMethod := range []string{"GET", "POST"} {
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
},
|
|
}, allowedMethod)
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
if allowedMethod == "GET" {
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "*")
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Methods"), "GET, HEAD")
|
|
} else {
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), "")
|
|
}
|
|
}
|
|
|
|
// No CORS headers are given when configuration does not list
|
|
// "*" or the client-provided origin.
|
|
for _, wfe.AllowOrigins = range [][]string{
|
|
{},
|
|
{"http://example.com", "https://other.example"},
|
|
{""}, // Invalid origin is never matched
|
|
} {
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
"Access-Control-Request-Method": {"POST"},
|
|
},
|
|
}, "POST")
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
for _, h := range []string{
|
|
"Access-Control-Allow-Methods",
|
|
"Access-Control-Allow-Origin",
|
|
"Access-Control-Expose-Headers",
|
|
"Access-Control-Request-Headers",
|
|
} {
|
|
test.AssertEquals(t, rw.Header().Get(h), "")
|
|
}
|
|
}
|
|
|
|
// CORS headers are offered when configuration lists "*" or
|
|
// the client-provided origin.
|
|
for _, wfe.AllowOrigins = range [][]string{
|
|
{testOrigin, "http://example.org", "*"},
|
|
{"", "http://example.org", testOrigin}, // Invalid origin is harmless
|
|
} {
|
|
runWrappedHandler(&http.Request{
|
|
Method: "OPTIONS",
|
|
Header: map[string][]string{
|
|
"Origin": {testOrigin},
|
|
"Access-Control-Request-Method": {"POST"},
|
|
},
|
|
}, "POST")
|
|
test.AssertEquals(t, rw.Code, http.StatusOK)
|
|
test.AssertEquals(t, rw.Header().Get("Access-Control-Allow-Origin"), testOrigin)
|
|
// http://www.w3.org/TR/cors/ section 6.4:
|
|
test.AssertEquals(t, rw.Header().Get("Vary"), "Origin")
|
|
}
|
|
}
|
|
|
|
func TestIndexPOST(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
url, _ := url.Parse("/")
|
|
wfe.Index(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "POST",
|
|
URL: url,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusMethodNotAllowed)
|
|
}
|
|
|
|
func TestPOST404(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
url, _ := url.Parse("/foobar")
|
|
wfe.Index(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "POST",
|
|
URL: url,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusNotFound)
|
|
}
|
|
|
|
func TestIndex(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
url, _ := url.Parse("/")
|
|
wfe.Index(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
test.AssertNotEquals(t, responseWriter.Body.String(), "404 page not found\n")
|
|
test.Assert(t, strings.Contains(responseWriter.Body.String(), directoryPath),
|
|
"directory path not found")
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "public, max-age=0, no-cache")
|
|
|
|
responseWriter.Body.Reset()
|
|
responseWriter.Header().Del("Cache-Control")
|
|
url, _ = url.Parse("/foo")
|
|
wfe.Index(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
URL: url,
|
|
})
|
|
//test.AssertEquals(t, responseWriter.Code, http.StatusNotFound)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "404 page not found\n")
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "")
|
|
}
|
|
|
|
func TestDirectory(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
url, _ := url.Parse("/directory")
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "localhost:4300",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
body := replaceRandomKey(responseWriter.Body.Bytes())
|
|
test.AssertUnmarshaledEquals(t, string(body), fmt.Sprintf(`{"key-change":"http://localhost:4300/acme/key-change","meta":{"terms-of-service":"http://example.invalid/terms"},"new-authz":"http://localhost:4300/acme/new-authz","new-cert":"http://localhost:4300/acme/new-cert","new-reg":"http://localhost:4300/acme/new-reg","%s":"%s","revoke-cert":"http://localhost:4300/acme/revoke-cert"}`, randomKey, randomDirKeyExplanationLink))
|
|
|
|
responseWriter.Body.Reset()
|
|
url, _ = url.Parse("/directory")
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "localhost:4300",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
body = replaceRandomKey(responseWriter.Body.Bytes())
|
|
test.AssertUnmarshaledEquals(t, string(body), fmt.Sprintf(`{"key-change":"http://localhost:4300/acme/key-change","meta":{"terms-of-service":"http://example.invalid/terms"},"new-authz":"http://localhost:4300/acme/new-authz","new-cert":"http://localhost:4300/acme/new-cert","new-reg":"http://localhost:4300/acme/new-reg","%s":"%s","revoke-cert":"http://localhost:4300/acme/revoke-cert"}`, randomKey, randomDirKeyExplanationLink))
|
|
|
|
// Configure a caaIdentity and website for the /directory meta
|
|
wfe.DirectoryCAAIdentity = "Radiant Lock"
|
|
wfe.DirectoryWebsite = "zombo.com"
|
|
responseWriter = httptest.NewRecorder()
|
|
url, _ = url.Parse("/directory")
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "localhost:4300",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
// The directory response should include the CAAIdentities and Website meta
|
|
// elements as expected
|
|
body = replaceRandomKey(responseWriter.Body.Bytes())
|
|
test.AssertUnmarshaledEquals(t, string(body), fmt.Sprintf(`{
|
|
"key-change": "http://localhost:4300/acme/key-change",
|
|
"meta": {
|
|
"caaIdentities": [
|
|
"Radiant Lock"
|
|
],
|
|
"terms-of-service": "http://example.invalid/terms",
|
|
"website": "zombo.com"
|
|
},
|
|
"%s": "%s",
|
|
"new-authz": "http://localhost:4300/acme/new-authz",
|
|
"new-cert": "http://localhost:4300/acme/new-cert",
|
|
"new-reg": "http://localhost:4300/acme/new-reg",
|
|
"revoke-cert": "http://localhost:4300/acme/revoke-cert"
|
|
}`, randomKey, randomDirKeyExplanationLink))
|
|
|
|
// if the UA is LetsEncryptPythonClient we expect to *not* see the meta entry,
|
|
// even with the DirectoryCAAIdentity and DirectoryWebsite configured.
|
|
responseWriter.Body.Reset()
|
|
url, _ = url.Parse("/directory")
|
|
headers := map[string][]string{
|
|
"User-Agent": {"LetsEncryptPythonClient"},
|
|
}
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "localhost:4300",
|
|
Header: headers,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"new-authz":"http://localhost:4300/acme/new-authz","new-cert":"http://localhost:4300/acme/new-cert","new-reg":"http://localhost:4300/acme/new-reg","revoke-cert":"http://localhost:4300/acme/revoke-cert"}`)
|
|
}
|
|
|
|
func TestRandomDirectoryKey(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
url, _ := url.Parse("/directory")
|
|
wfe.Directory(ctx, &web.RequestEvent{}, responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "127.0.0.1:4300",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
var dir map[string]interface{}
|
|
if err := json.Unmarshal(responseWriter.Body.Bytes(), &dir); err != nil {
|
|
t.Errorf("Failed to unmarshal directory: %s", err)
|
|
}
|
|
found := false
|
|
for _, v := range dir {
|
|
if v == randomDirKeyExplanationLink {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
t.Errorf("Failed to find random entry in directory: %s", responseWriter.Body.String())
|
|
}
|
|
|
|
responseWriter.Body.Reset()
|
|
headers := map[string][]string{
|
|
"User-Agent": {"LetsEncryptPythonClient"},
|
|
}
|
|
wfe.Directory(ctx, &web.RequestEvent{}, responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: url,
|
|
Host: "127.0.0.1:4300",
|
|
Header: headers,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
dir = map[string]interface{}{}
|
|
if err := json.Unmarshal(responseWriter.Body.Bytes(), &dir); err != nil {
|
|
t.Errorf("Failed to unmarshal directory: %s", err)
|
|
}
|
|
found = false
|
|
for _, v := range dir {
|
|
if v == randomDirKeyExplanationLink {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if found {
|
|
t.Error("Found random entry in directory with 'LetsEncryptPythonClient' UA")
|
|
}
|
|
}
|
|
|
|
// noopCAA implements RA's caaChecker, always returning nil
|
|
type noopCAA struct{}
|
|
|
|
func (cr noopCAA) IsCAAValid(
|
|
ctx context.Context,
|
|
in *vaPB.IsCAAValidRequest,
|
|
opts ...grpc.CallOption,
|
|
) (*vaPB.IsCAAValidResponse, error) {
|
|
return &vaPB.IsCAAValidResponse{}, nil
|
|
}
|
|
|
|
func TestRelativeDirectory(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
|
|
dirTests := []struct {
|
|
host string
|
|
protoHeader string
|
|
result string
|
|
}{
|
|
// Test '' (No host header) with no proto header
|
|
{"", "", `{"key-change":"http://localhost/acme/key-change","meta":{"terms-of-service": "http://example.invalid/terms"},"new-authz":"http://localhost/acme/new-authz","new-cert":"http://localhost/acme/new-cert","new-reg":"http://localhost/acme/new-reg","%s":"%s","revoke-cert":"http://localhost/acme/revoke-cert"}`},
|
|
// Test localhost:4300 with no proto header
|
|
{"localhost:4300", "", `{"key-change":"http://localhost:4300/acme/key-change","meta":{"terms-of-service": "http://example.invalid/terms"},"new-authz":"http://localhost:4300/acme/new-authz","new-cert":"http://localhost:4300/acme/new-cert","new-reg":"http://localhost:4300/acme/new-reg","%s":"%s","revoke-cert":"http://localhost:4300/acme/revoke-cert"}`},
|
|
// Test 127.0.0.1:4300 with no proto header
|
|
{"127.0.0.1:4300", "", `{"key-change":"http://127.0.0.1:4300/acme/key-change","meta":{"terms-of-service": "http://example.invalid/terms"},"new-authz":"http://127.0.0.1:4300/acme/new-authz","new-cert":"http://127.0.0.1:4300/acme/new-cert","new-reg":"http://127.0.0.1:4300/acme/new-reg","%s":"%s","revoke-cert":"http://127.0.0.1:4300/acme/revoke-cert"}`},
|
|
// Test localhost:4300 with HTTP proto header
|
|
{"localhost:4300", "http", `{"key-change":"http://localhost:4300/acme/key-change","meta":{"terms-of-service": "http://example.invalid/terms"},"new-authz":"http://localhost:4300/acme/new-authz","new-cert":"http://localhost:4300/acme/new-cert","new-reg":"http://localhost:4300/acme/new-reg","%s":"%s","revoke-cert":"http://localhost:4300/acme/revoke-cert"}`},
|
|
// Test localhost:4300 with HTTPS proto header
|
|
{"localhost:4300", "https", `{"key-change":"https://localhost:4300/acme/key-change","meta":{"terms-of-service": "http://example.invalid/terms"},"new-authz":"https://localhost:4300/acme/new-authz","new-cert":"https://localhost:4300/acme/new-cert","new-reg":"https://localhost:4300/acme/new-reg","%s":"%s","revoke-cert":"https://localhost:4300/acme/revoke-cert"}`},
|
|
}
|
|
|
|
for _, tt := range dirTests {
|
|
var headers map[string][]string
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
if tt.protoHeader != "" {
|
|
headers = map[string][]string{
|
|
"X-Forwarded-Proto": {tt.protoHeader},
|
|
}
|
|
}
|
|
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
Host: tt.host,
|
|
URL: mustParseURL(directoryPath),
|
|
Header: headers,
|
|
})
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/json")
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
body := replaceRandomKey(responseWriter.Body.Bytes())
|
|
test.AssertUnmarshaledEquals(t, string(body), fmt.Sprintf(tt.result, randomKey, randomDirKeyExplanationLink))
|
|
}
|
|
}
|
|
|
|
// TODO: Write additional test cases for:
|
|
// - RA returns with a failure
|
|
func TestIssueCertificate(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
mockLog := wfe.log.(*blog.Mock)
|
|
|
|
// The mock CA we use always returns the same test certificate, with a Not
|
|
// Before of 2015-09-22. Since we're currently using a real RA instead of a
|
|
// mock (see below), that date would trigger failures for excessive
|
|
// backdating. So we set the fake clock's time to a time that matches that
|
|
// test certificate.
|
|
testTime := time.Date(2015, 9, 9, 22, 56, 0, 0, time.UTC)
|
|
fc.Add(fc.Now().Sub(testTime))
|
|
|
|
mockCertPEM, err := ioutil.ReadFile("test/not-an-example.com.crt")
|
|
test.AssertNotError(t, err, "Could not load mock cert")
|
|
|
|
// TODO: Use a mock RA so we can test various conditions of authorized, not
|
|
// authorized, etc.
|
|
stats := metrics.NewNoopScope()
|
|
|
|
ctp := ctpolicy.New(&mocks.Publisher{}, nil, nil, wfe.log, metrics.NewNoopScope())
|
|
ra := ra.NewRegistrationAuthorityImpl(
|
|
fc,
|
|
wfe.log,
|
|
stats,
|
|
0,
|
|
testKeyPolicy,
|
|
100,
|
|
true,
|
|
false,
|
|
300*24*time.Hour,
|
|
7*24*time.Hour,
|
|
nil,
|
|
noopCAA{},
|
|
0,
|
|
ctp,
|
|
nil,
|
|
nil,
|
|
)
|
|
ra.SA = mocks.NewStorageAuthority(fc)
|
|
ra.CA = &mocks.MockCA{
|
|
PEM: mockCertPEM,
|
|
}
|
|
ra.PA = &mockPA{}
|
|
wfe.RA = ra
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// GET instead of POST should be rejected
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(newCertPath),
|
|
})
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
|
|
// POST, but no body.
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "POST",
|
|
Header: map[string][]string{
|
|
"Content-Length": {"0"},
|
|
},
|
|
})
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"No body on POST","status":400}`)
|
|
|
|
// POST, but body that isn't valid JWS
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter, makePostRequest("hi"))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Parse error reading JWS","status":400}`)
|
|
|
|
// POST, Properly JWS-signed, but payload is "foo", not base64-encoded JSON.
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, "foo", wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Request payload did not parse as JSON","status":400}`)
|
|
|
|
// Valid, signed JWS body, payload is '{}'
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(
|
|
signRequest(t, "{}", wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Request payload does not specify a resource","status":400}`)
|
|
|
|
// Valid, signed JWS body, payload is '{"resource":"new-cert"}'
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{"resource":"new-cert"}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Error parsing certificate request: asn1: syntax error: sequence truncated","status":400}`)
|
|
|
|
// Valid, signed JWS body, payload has an invalid signature on CSR and no authorizations:
|
|
// alias b64url="base64 -w0 | sed -e 's,+,-,g' -e 's,/,_,g'"
|
|
// openssl req -outform der -new -nodes -key wfe/test/178.key -subj /CN=foo.com | \
|
|
// sed 's/foo.com/fob.com/' | b64url
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(),
|
|
responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIICVzCCAT8CAQAwEjEQMA4GA1UEAwwHZm9iLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKzHhqcMSTVjBu61vufGVmIYM4mMbWXgndHOUWnIqSKcNtFtPQ465tcZRT5ITIZWXGjsmgDrj31qvG3t5qLwyaF5hsTvFHK72nLMAQhdgM6481Qe9yaoaulWpkGr_9LVz4jQ9pGAaLVamXGpSxV-ipTOo79Sev4aZE8ksD9atEfWtcOD9w8_zj74vpWjTAHN49Q88chlChVqakn0zSfHPfS-jF8g0UTddBuF0Ti3sZChjxzbo6LwZ4182xX7XPnOLav3AGj0Su7j5XMl3OpenOrlWulWJeZIHq5itGW321j306XiGdbrdWH4K7JygICFds6oolwQRGBY6yinAtCgkTcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBxPiHOtKuBxtvecMNtLkTSuTyEkusQGnjoFDaKe5oqwGYQgy0YBii2-BbaPmqS4ZaDc-vDz_RLeKH5ZiH-NliYR1V_CRtpFLQi18g_2pLQnZLVO3ENs-SM37nU_nBGn9O93t2bkssoM3fZmtgp3R2W7I_wvx7Z8oWKa4boTeBAg_q9Gmi6QskZBddK7A4S_vOR0frU6QSPK_ksPhvovp9fwb6CVKrlJWf556UwRPWgbkW39hvTxK2KHhrUEg3oawNkWde2jZtnZ9e-9zpw8-_5O0X7-YN0ucbFTfQybce_ReuLlGepiHT5bvVavBZoIvqw1XOgSMvGgZFU8tAWMBlj"
|
|
}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Error creating new cert :: invalid signature on CSR","status":400}`)
|
|
|
|
// Valid, signed JWS body, payload has a valid CSR but no authorizations:
|
|
// openssl req -outform der -new -nodes -key wfe/test/178.key -subj /CN=meep.com | b64url
|
|
mockLog.Clear()
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIICWDCCAUACAQAwEzERMA8GA1UEAwwIbWVlcC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCaqzue57mgXEoGTZZoVkkCZraebWgXI8irX2BgQB1A3iZa9onxGPMcWQMxhSuUisbEJi4UkMcVST12HX01rUwhj41UuBxJvI1w4wvdstssTAaa9c9tsQ5-UED2bFRL1MsyBdbmCF_-pu3i-ZIYqWgiKbjVBe3nlAVbo77zizwp3Y4Tp1_TBOwTAuFkHePmkNT63uPm9My_hNzsSm1o-Q519Cf7ry-JQmOVgz_jIgFVGFYJ17EV3KUIpUuDShuyCFATBQspgJSN2DoXRUlQjXXkNTj23OxxdT_cVLcLJjytyG6e5izME2R2aCkDBWIc1a4_sRJ0R396auPXG6KhJ7o_AgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEALu046p76aKgvoAEHFINkMTgKokPXf9mZ4IZx_BKz-qs1MPMxVtPIrQDVweBH6tYT7Hfj2naLry6SpZ3vUNP_FYeTFWgW1V03LiqacX-QQgbEYtn99Dt3ScGyzb7EH833ztb3vDJ_-ha_CJplIrg-kHBBrlLFWXhh-I9K1qLRTNpbhZ18ooFde4Sbhkw9o9fKivGhx9aYr7ZbjRsNtKit_DsG1nwEXz53TMJ2vB9IQY29coJv_n5NFLkvBfzbG5faRNiFcimPYBO2jFdaA2mWzfxltLtwMF_dBwzTXDpMo3TVT9zEdV8YpsWqr63igqGDZVpKenlkqvRTeGJVayVuMA"
|
|
}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`unauthorized","detail":"Error creating new cert :: authorizations for these names not found or expired: meep.com","status":403}`)
|
|
assertCsrLogged(t, mockLog)
|
|
|
|
mockLog.Clear()
|
|
responseWriter.Body.Reset()
|
|
// openssl req -outform der -new -nodes -key wfe/test/178.key -subj /CN=not-an-example.com | b64url
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIICYjCCAUoCAQAwHTEbMBkGA1UEAwwSbm90LWFuLWV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmqs7nue5oFxKBk2WaFZJAma2nm1oFyPIq19gYEAdQN4mWvaJ8RjzHFkDMYUrlIrGxCYuFJDHFUk9dh19Na1MIY-NVLgcSbyNcOML3bLbLEwGmvXPbbEOflBA9mxUS9TLMgXW5ghf_qbt4vmSGKloIim41QXt55QFW6O-84s8Kd2OE6df0wTsEwLhZB3j5pDU-t7j5vTMv4Tc7EptaPkOdfQn-68viUJjlYM_4yIBVRhWCdexFdylCKVLg0obsghQEwULKYCUjdg6F0VJUI115DU49tzscXU_3FS3CyY8rchunuYszBNkdmgpAwViHNWuP7ESdEd_emrj1xuioSe6PwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAE_T1nWU38XVYL28hNVSXU0rW5IBUKtbvr0qAkD4kda4HmQRTYkt-LNSuvxoZCC9lxijjgtJi-OJe_DCTdZZpYzewlVvcKToWSYHYQ6Wm1-fxxD_XzphvZOujpmBySchdiz7QSVWJmVZu34XD5RJbIcrmj_cjRt42J1hiTFjNMzQu9U6_HwIMmliDL-soFY2RTvvZf-dAFvOUQ-Wbxt97eM1PbbmxJNWRhbAmgEpe9PWDPTpqV5AK56VAa991cQ1P8ZVmPss5hvwGWhOtpnpTZVHN3toGNYFKqxWPboirqushQlfKiFqT9rpRgM3-mFjOHidGqsKEkTdmfSVlVEk3oo="
|
|
}`, wfe.nonceService)))
|
|
assertCsrLogged(t, mockLog)
|
|
cert, err := core.LoadCert("test/not-an-example.com.crt")
|
|
test.AssertNotError(t, err, "Could not load cert")
|
|
test.AssertEquals(t,
|
|
responseWriter.Body.String(),
|
|
string(cert.Raw))
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
"http://localhost/acme/cert/0000ff0000000000000e4b4f67d86e818c46")
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/issuer-cert>;rel="up"`)
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Content-Type"),
|
|
"application/pkix-cert")
|
|
reqlogs := mockLog.GetAllMatching(`Certificate request - successful`)
|
|
test.AssertEquals(t, len(reqlogs), 1)
|
|
test.AssertContains(t, reqlogs[0], `INFO: `)
|
|
test.AssertContains(t, reqlogs[0], `[AUDIT] `)
|
|
test.AssertContains(t, reqlogs[0], `"CommonName":"not-an-example.com",`)
|
|
|
|
mockLog.Clear()
|
|
responseWriter.HeaderMap = http.Header{}
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIICYjCCAUoCAQAwHTEbMBkGA1UEAwwSbm90LWFuLWV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmqs7nue5oFxKBk2WaFZJAma2nm1oFyPIq19gYEAdQN4mWvaJ8RjzHFkDMYUrlIrGxCYuFJDHFUk9dh19Na1MIY-NVLgcSbyNcOML3bLbLEwGmvXPbbEOflBA9mxUS9TLMgXW5ghf_qbt4vmSGKloIim41QXt55QFW6O-84s8Kd2OE6df0wTsEwLhZB3j5pDU-t7j5vTMv4Tc7EptaPkOdfQn-68viUJjlYM_4yIBVRhWCdexFdylCKVLg0obsghQEwULKYCUjdg6F0VJUI115DU49tzscXU_3FS3CyY8rchunuYszBNkdmgpAwViHNWuP7ESdEd_emrj1xuioSe6PwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAE_T1nWU38XVYL28hNVSXU0rW5IBUKtbvr0qAkD4kda4HmQRTYkt-LNSuvxoZCC9lxijjgtJi-OJe_DCTdZZpYzewlVvcKToWSYHYQ6Wm1-fxxD_XzphvZOujpmBySchdiz7QSVWJmVZu34XD5RJbIcrmj_cjRt42J1hiTFjNMzQu9U6_HwIMmliDL-soFY2RTvvZf-dAFvOUQ-Wbxt97eM1PbbmxJNWRhbAmgEpe9PWDPTpqV5AK56VAa991cQ1P8ZVmPss5hvwGWhOtpnpTZVHN3toGNYFKqxWPboirqushQlfKiFqT9rpRgM3-mFjOHidGqsKEkTdmfSVlVEk3oo="
|
|
}`, wfe.nonceService)))
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/issuer-cert>;rel="up"`)
|
|
|
|
mockLog.Clear()
|
|
responseWriter.Body.Reset()
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource": "new-cert",
|
|
"csr": "MIICWjCCAUICADAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMpwCSKfLhKC3SnvLNpVayAEyAHVixkusgProAPZRBH0VAog_r4JOfoJez7ABiZ2ZIXXA2gg65_05HkGNl9ww-sa0EY8eCty_8WcHxqzafUnyXOJZuLMPJjaJ2oiBv_3BM7PZgpFzyNZ0_0ZuRKdFGtEY-vX9GXZUV0A3sxZMOpce0lhHAiBk_vNARJyM2-O-cZ7WjzZ7R1T9myAyxtsFhWy3QYvIwiKVVF3lDp3KXlPZ_7wBhVIBcVSk0bzhseotyUnKg-aL5qZIeB1ci7IT5qA_6C1_bsCSJSbQ5gnQwIQ0iaUV_SgUBpKNqYbmnSdZmDxvvW8FzhuL6JSDLfBR2kCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQBxxkchTXfjv07aSWU9brHnRziNYOLvsSNiOWmWLNlZg9LKdBy6j1xwM8IQRCfTOVSkbuxVV-kU5p-Cg9UF_UGoerl3j8SiupurTovK9-L_PdX0wTKbK9xkh7OUq88jp32Rw0eAT87gODJRD-M1NXlTvm-j896e60hUmL-DIe3iPbFl8auUS-KROAWjci-LJZYVdomm9Iw47E-zr4Hg27EdZhvCZvSyPMK8ioys9mNg5TthHB6ExepKP1YW3HpQa1EdUVYWGEvyVL4upQZOxuEA1WJqHv6iVDzsQqkl5kkahK87NKTPS59k1TFetjw2GLnQ09-g_L7kT8dpq3Bk5Wo="
|
|
}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591","status":400}`)
|
|
|
|
// Test the CSR signature type counter works
|
|
test.AssertEquals(t, test.CountCounterVec("type", "SHA256-RSA", wfe.csrSignatureAlgs), 4)
|
|
}
|
|
|
|
func TestGetChallenge(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
challengeURL := "http://localhost/acme/challenge/valid/23"
|
|
|
|
for _, method := range []string{"GET", "HEAD"} {
|
|
resp := httptest.NewRecorder()
|
|
|
|
req, err := http.NewRequest(method, challengeURL, nil)
|
|
req.URL.Path = "valid/23"
|
|
test.AssertNotError(t, err, "Could not make NewRequest")
|
|
|
|
wfe.Challenge(ctx, newRequestEvent(), resp, req)
|
|
test.AssertEquals(t,
|
|
resp.Code,
|
|
http.StatusAccepted)
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Location"),
|
|
challengeURL)
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Content-Type"),
|
|
"application/json")
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Link"),
|
|
`<http://localhost/acme/authz/valid>;rel="up"`)
|
|
// Body is only relevant for GET. For HEAD, body will
|
|
// be discarded by HandleFunc() anyway, so it doesn't
|
|
// matter what Challenge() writes to it.
|
|
if method == "GET" {
|
|
test.AssertUnmarshaledEquals(
|
|
t, resp.Body.String(),
|
|
`{"type":"dns","token":"token","uri":"http://localhost/acme/challenge/valid/23"}`)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestGetChallengeV2UpRel(t *testing.T) {
|
|
if !strings.HasSuffix(os.Getenv("BOULDER_CONFIG_DIR"), "config-next") {
|
|
return
|
|
}
|
|
|
|
wfe, _ := setupWFE(t)
|
|
_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
|
|
|
|
challengeURL := "http://localhost/acme/chall-v3/1/-ZfxEw"
|
|
resp := httptest.NewRecorder()
|
|
|
|
req, err := http.NewRequest("GET", challengeURL, nil)
|
|
req.URL.Path = "1/-ZfxEw"
|
|
test.AssertNotError(t, err, "Could not make NewRequest")
|
|
|
|
wfe.ChallengeV2(ctx, newRequestEvent(), resp, req)
|
|
test.AssertEquals(t,
|
|
resp.Code,
|
|
http.StatusAccepted)
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Link"),
|
|
`<http://localhost/acme/authz-v3/1>;rel="up"`)
|
|
}
|
|
|
|
func TestChallenge(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
var key jose.JSONWebKey
|
|
err := json.Unmarshal([]byte(`
|
|
{
|
|
"e": "AQAB",
|
|
"kty": "RSA",
|
|
"n": "tSwgy3ORGvc7YJI9B2qqkelZRUC6F1S5NwXFvM4w5-M0TsxbFsH5UH6adigV0jzsDJ5imAechcSoOhAh9POceCbPN1sTNwLpNbOLiQQ7RD5mY_pSUHWXNmS9R4NZ3t2fQAzPeW7jOfF0LKuJRGkekx6tXP1uSnNibgpJULNc4208dgBaCHo3mvaE2HV2GmVl1yxwWX5QZZkGQGjNDZYnjFfa2DKVvFs0QbAk21ROm594kAxlRlMMrvqlf24Eq4ERO0ptzpZgm_3j_e4hGRD39gJS7kAzK-j2cacFQ5Qi2Y6wZI2p-FCq_wiYsfEAIkATPBiLKl_6d_Jfcvs_impcXQ"
|
|
}
|
|
`), &key)
|
|
test.AssertNotError(t, err, "Could not unmarshal testing key")
|
|
|
|
challengeURL := "http://localhost/acme/challenge/valid/23"
|
|
path := "valid/23"
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(path,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
|
|
test.AssertEquals(t, responseWriter.Code, 202)
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
challengeURL)
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/authz/valid>;rel="up"`)
|
|
test.AssertUnmarshaledEquals(
|
|
t, responseWriter.Body.String(),
|
|
`{"type":"dns","token":"token","uri":"http://localhost/acme/challenge/valid/23"}`)
|
|
|
|
// Expired challenges should be inaccessible
|
|
challengeURL = "expired/23"
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(challengeURL,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusNotFound)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Expired authorization","status":404}`)
|
|
|
|
// Challenge Not found
|
|
challengeURL = ""
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(challengeURL,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusNotFound)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"No such challenge","status":404}`)
|
|
|
|
// Unspecified database error
|
|
errorURL := "error_result/24"
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(errorURL,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusInternalServerError)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`serverInternal","detail":"Problem getting authorization","status":500}`)
|
|
|
|
}
|
|
|
|
// MockRAPerformValidationError is a mock RA that just returns an error on
|
|
// PerformValidation.
|
|
type MockRAPerformValidationError struct {
|
|
MockRegistrationAuthority
|
|
}
|
|
|
|
func (ra *MockRAPerformValidationError) PerformValidation(_ context.Context, _ *rapb.PerformValidationRequest) (*corepb.Authorization, error) {
|
|
return nil, errors.New("broken on purpose")
|
|
}
|
|
|
|
// TestUpdateChallengeFinalizedAuthz tests that POSTing a challenge associated
|
|
// with an already valid authorization just returns the challenge without calling
|
|
// the RA.
|
|
func TestUpdateChallengeFinalizedAuthz(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
wfe.RA = &MockRAPerformValidationError{}
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
path := "valid/23"
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(path,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
|
|
body := responseWriter.Body.String()
|
|
test.AssertUnmarshaledEquals(t, body, `{
|
|
"type": "dns",
|
|
"token":"token",
|
|
"uri": "http://localhost/acme/challenge/valid/23"
|
|
}`)
|
|
}
|
|
|
|
// TestUpdateChallengeRAError tests that when the RA returns an error from
|
|
// PerformValidation that the WFE returns an internal server error as expected
|
|
// and does not panic or otherwise bug out.
|
|
func TestUpdateChallengeRAError(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
// Mock the RA to always fail PerformValidation
|
|
wfe.RA = &MockRAPerformValidationError{}
|
|
|
|
// Update a pending challenge
|
|
path := "pending/23"
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe.Challenge(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath(path,
|
|
signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
|
|
// The result should be an internal server error problem.
|
|
body := responseWriter.Body.String()
|
|
test.AssertUnmarshaledEquals(t, body, `{
|
|
"type": "urn:acme:error:serverInternal",
|
|
"detail": "Unable to perform validation for challenge",
|
|
"status": 500
|
|
}`)
|
|
}
|
|
|
|
func TestBadNonce(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
key := loadPrivateKey(t, []byte(test2KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
// NOTE: We deliberately set the NonceSource to nil in the newJoseSigner
|
|
// arguments for this test in order to provoke a bad nonce error
|
|
signer := newJoseSigner(t, rsaKey, nil)
|
|
responseWriter := httptest.NewRecorder()
|
|
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to sign body")
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`badNonce","detail":"JWS has no anti-replay nonce","status":400}`)
|
|
}
|
|
|
|
func TestNewECDSARegistration(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
// E1 always exists; E2 never exists
|
|
key := loadPrivateKey(t, []byte(testE2KeyPrivatePEM))
|
|
ecdsaKey, ok := key.(*ecdsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load ECDSA key")
|
|
signer := newJoseSigner(t, ecdsaKey, wfe.nonceService)
|
|
responseWriter := httptest.NewRecorder()
|
|
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to sign")
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter, makePostRequest(result.FullSerialize()))
|
|
|
|
var reg core.Registration
|
|
err = json.Unmarshal([]byte(responseWriter.Body.String()), ®)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned registration object")
|
|
test.Assert(t, len(*reg.Contact) >= 1, "No contact field in registration")
|
|
test.AssertEquals(t, (*reg.Contact)[0], "mailto:person@mail.com")
|
|
test.AssertEquals(t, reg.Agreement, "http://example.invalid/terms")
|
|
test.AssertEquals(t, reg.InitialIP.String(), "1.1.1.1")
|
|
|
|
test.AssertEquals(t, responseWriter.Header().Get("Location"), "http://localhost/acme/reg/0")
|
|
|
|
key = loadPrivateKey(t, []byte(testE1KeyPrivatePEM))
|
|
ecdsaKey, ok = key.(*ecdsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load ECDSA key")
|
|
|
|
signer = newJoseSigner(t, ecdsaKey, wfe.nonceService)
|
|
|
|
// Reset the body and status code
|
|
responseWriter = httptest.NewRecorder()
|
|
// POST, Valid JSON, Key already in use
|
|
result, err = signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to signer.Sign")
|
|
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter, makePostRequest(result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Registration key is already in use","status":409}`)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Location"), "http://localhost/acme/reg/3")
|
|
test.AssertEquals(t, responseWriter.Code, 409)
|
|
}
|
|
|
|
// Test that the WFE handling of the "empty update" POST is correct. The ACME
|
|
// spec describes how when clients wish to query the server for information
|
|
// about a registration an empty registration update should be sent, and
|
|
// a populated reg object will be returned.
|
|
func TestEmptyRegistration(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// Test Key 1 is mocked in the mock StorageAuthority used in setupWFE to
|
|
// return a populated registration for GetRegistrationByKey when test key 1 is
|
|
// used.
|
|
key := loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
emptyReg := `{"resource":"reg"}`
|
|
emptyBody, err := signer.Sign([]byte(emptyReg))
|
|
test.AssertNotError(t, err, "Unable to sign emptyBody")
|
|
|
|
// Send a registration update with the trivial body
|
|
wfe.Registration(
|
|
ctx,
|
|
newRequestEvent(),
|
|
responseWriter,
|
|
makePostRequestWithPath("1", emptyBody.FullSerialize()))
|
|
|
|
// There should be no error
|
|
test.AssertNotContains(t, responseWriter.Body.String(), probs.V1ErrorNS)
|
|
|
|
// We should get back a populated Registration
|
|
var reg core.Registration
|
|
err = json.Unmarshal([]byte(responseWriter.Body.String()), ®)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned registration object")
|
|
test.Assert(t, len(*reg.Contact) >= 1, "No contact field in registration")
|
|
test.AssertEquals(t, (*reg.Contact)[0], "mailto:person@mail.com")
|
|
test.AssertEquals(t, reg.Agreement, "http://example.invalid/terms")
|
|
responseWriter.Body.Reset()
|
|
}
|
|
|
|
func TestNewRegistrationForbiddenWithAllowV1RegistrationDisabled(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
_ = features.Set(map[string]bool{"AllowV1Registration": false})
|
|
|
|
// The "test2KeyPrivatePEM" is not already registered, according to our mocks.
|
|
key := loadPrivateKey(t, []byte(test2KeyPrivatePEM))
|
|
signer := newJoseSigner(t, key, wfe.nonceService)
|
|
// Reset the body and status code
|
|
responseWriter := httptest.NewRecorder()
|
|
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to signer.Sign")
|
|
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`unauthorized","detail":"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","status":403}`)
|
|
}
|
|
|
|
func TestNewRegistration409sWithAllowV1RegistrationDisabled(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
_ = features.Set(map[string]bool{"AllowV1Registration": false})
|
|
|
|
// The "test2KeyPrivatePEM" is not already registered, according to our mocks.
|
|
key := loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
signer := newJoseSigner(t, key, wfe.nonceService)
|
|
// Reset the body and status code
|
|
responseWriter := httptest.NewRecorder()
|
|
// POST, Valid JSON, Key already in use
|
|
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to signer.Sign")
|
|
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Registration key is already in use","status":409}`)
|
|
}
|
|
|
|
func TestNewRegistration(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
key := loadPrivateKey(t, []byte(test2KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
fooBody, err := signer.Sign([]byte("foo"))
|
|
test.AssertNotError(t, err, "Unable to sign")
|
|
|
|
wrongAgreementBody, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"https://letsencrypt.org/im-bad"}`))
|
|
test.AssertNotError(t, err, "Unable to sign")
|
|
|
|
type newRegErrorTest struct {
|
|
r *http.Request
|
|
respBody string
|
|
}
|
|
regErrTests := []newRegErrorTest{
|
|
// GET instead of POST should be rejected
|
|
{
|
|
&http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(newRegPath),
|
|
},
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"Method not allowed","status":405}`,
|
|
},
|
|
|
|
// POST, but no body.
|
|
{
|
|
&http.Request{
|
|
Method: "POST",
|
|
URL: mustParseURL(newRegPath),
|
|
Header: map[string][]string{
|
|
"Content-Length": {"0"},
|
|
},
|
|
},
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"No body on POST","status":400}`,
|
|
},
|
|
|
|
// POST, but body that isn't valid JWS
|
|
{
|
|
makePostRequestWithPath(newRegPath, "hi"),
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"Parse error reading JWS","status":400}`,
|
|
},
|
|
|
|
// POST, Properly JWS-signed, but payload is "foo", not base64-encoded JSON.
|
|
{
|
|
makePostRequestWithPath(newRegPath, fooBody.FullSerialize()),
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"Request payload did not parse as JSON","status":400}`,
|
|
},
|
|
|
|
// Same signed body, but payload modified by one byte, breaking signature.
|
|
// should fail JWS verification.
|
|
{
|
|
makePostRequestWithPath(newRegPath, `
|
|
{
|
|
"header": {
|
|
"alg": "RS256",
|
|
"jwk": {
|
|
"e": "AQAB",
|
|
"kty": "RSA",
|
|
"n": "vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw"
|
|
}
|
|
},
|
|
"payload": "xm9vCg",
|
|
"signature": "RjUQ679fxJgeAJlxqgvDP_sfGZnJ-1RgWF2qmcbnBWljs6h1qp63pLnJOl13u81bP_bCSjaWkelGG8Ymx_X-aQ"
|
|
}
|
|
`),
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"JWS verification error","status":400}`,
|
|
},
|
|
{
|
|
makePostRequestWithPath(newRegPath, wrongAgreementBody.FullSerialize()),
|
|
`{"type":"` + probs.V1ErrorNS + `malformed","detail":"Provided agreement URL [https://letsencrypt.org/im-bad] does not match current agreement URL [` + agreementURL + `]","status":400}`,
|
|
},
|
|
}
|
|
for _, rt := range regErrTests {
|
|
responseWriter := httptest.NewRecorder()
|
|
mux.ServeHTTP(responseWriter, rt.r)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), rt.respBody)
|
|
}
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
result, err := signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "signer.Sign failed")
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
|
|
var reg core.Registration
|
|
err = json.Unmarshal([]byte(responseWriter.Body.String()), ®)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned registration object")
|
|
test.Assert(t, len(*reg.Contact) >= 1, "No contact field in registration")
|
|
test.AssertEquals(t, (*reg.Contact)[0], "mailto:person@mail.com")
|
|
test.AssertEquals(t, reg.Agreement, "http://example.invalid/terms")
|
|
test.AssertEquals(t, reg.InitialIP.String(), "1.1.1.1")
|
|
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
"http://localhost/acme/reg/0")
|
|
links := responseWriter.Header()["Link"]
|
|
test.AssertEquals(t, contains(links, "<http://localhost/acme/new-authz>;rel=\"next\""), true)
|
|
test.AssertEquals(t, contains(links, "<"+agreementURL+">;rel=\"terms-of-service\""), true)
|
|
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/new-authz>;rel="next"`)
|
|
|
|
key = loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
rsaKey, ok = key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer = newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
// Reset the body and status code
|
|
responseWriter = httptest.NewRecorder()
|
|
// POST, Valid JSON, Key already in use
|
|
result, err = signer.Sign([]byte(`{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Failed to signer.Sign")
|
|
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Registration key is already in use","status":409}`)
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
"http://localhost/acme/reg/1")
|
|
test.AssertEquals(t, responseWriter.Code, 409)
|
|
}
|
|
|
|
func makeRevokeRequestJSON(reason *revocation.Reason) ([]byte, error) {
|
|
certPemBytes, err := ioutil.ReadFile("test/238.crt")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
certBlock, _ := pem.Decode(certPemBytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
revokeRequest := struct {
|
|
Resource string `json:"resource"`
|
|
CertificateDER core.JSONBuffer `json:"certificate"`
|
|
Reason *revocation.Reason `json:"reason"`
|
|
}{
|
|
Resource: "revoke-cert",
|
|
CertificateDER: certBlock.Bytes,
|
|
Reason: reason,
|
|
}
|
|
revokeRequestJSON, err := json.Marshal(revokeRequest)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return revokeRequestJSON, nil
|
|
}
|
|
|
|
// An SA mock that always returns a berrors.NotFound type error. This is necessary
|
|
// because the standard mock in our mocks package always returns a given test
|
|
// registration when GetRegistrationByKey is called, and we want to get a
|
|
// berrors.NotFound type error for tests that pass regCheck = false to verifyPOST.
|
|
type mockSANoSuchRegistration struct {
|
|
core.StorageGetter
|
|
}
|
|
|
|
func (msa mockSANoSuchRegistration) GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (core.Registration, error) {
|
|
return core.Registration{}, berrors.NotFoundError("reg not found")
|
|
}
|
|
|
|
// Valid revocation request for existing, non-revoked cert, signed with cert
|
|
// key.
|
|
func TestRevokeCertificateCertKey(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
|
|
keyPemBytes, err := ioutil.ReadFile("test/238.key")
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
key := loadPrivateKey(t, keyPemBytes)
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
test.AssertNotError(t, err, "Failed to make signer")
|
|
revokeRequestJSON, err := makeRevokeRequestJSON(nil)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
wfe.SA = &mockSANoSuchRegistration{mocks.NewStorageAuthority(fc)}
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
result, _ := signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "")
|
|
}
|
|
|
|
func TestRevokeCertificateReasons(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
keyPemBytes, err := ioutil.ReadFile("test/238.key")
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
key := loadPrivateKey(t, keyPemBytes)
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
// Valid reason
|
|
keyComp := revocation.Reason(1)
|
|
revokeRequestJSON, err := makeRevokeRequestJSON(&keyComp)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
ra := wfe.RA.(*MockRegistrationAuthority)
|
|
wfe.SA = &mockSANoSuchRegistration{mocks.NewStorageAuthority(fc)}
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
result, _ := signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "")
|
|
test.AssertEquals(t, ra.lastRevocationReason, revocation.Reason(1))
|
|
|
|
// No reason
|
|
responseWriter = httptest.NewRecorder()
|
|
revokeRequestJSON, err = makeRevokeRequestJSON(nil)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
result, _ = signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "")
|
|
test.AssertEquals(t, ra.lastRevocationReason, revocation.Reason(0))
|
|
|
|
// Unsupported reason
|
|
responseWriter = httptest.NewRecorder()
|
|
unsupported := revocation.Reason(2)
|
|
revokeRequestJSON, err = makeRevokeRequestJSON(&unsupported)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
result, _ = signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 400)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"unsupported revocation reason code provided","status":400}`)
|
|
|
|
responseWriter = httptest.NewRecorder()
|
|
unsupported = revocation.Reason(100)
|
|
revokeRequestJSON, err = makeRevokeRequestJSON(&unsupported)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
result, _ = signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 400)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"unsupported revocation reason code provided","status":400}`)
|
|
}
|
|
|
|
// Valid revocation request for existing, non-revoked cert, signed with account
|
|
// key.
|
|
func TestRevokeCertificateAccountKey(t *testing.T) {
|
|
revokeRequestJSON, err := makeRevokeRequestJSON(nil)
|
|
test.AssertNotError(t, err, "Failed to make revokeRequestJSON")
|
|
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
test1JWK := loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
test1Key, ok := test1JWK.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
accountKeySigner := newJoseSigner(t, test1Key, wfe.nonceService)
|
|
result, _ := accountKeySigner.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "")
|
|
}
|
|
|
|
// A revocation request signed by an unauthorized key.
|
|
func TestRevokeCertificateWrongKey(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
test2JWK := loadPrivateKey(t, []byte(test2KeyPrivatePEM))
|
|
test2Key, ok := test2JWK.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
accountKeySigner2 := newJoseSigner(t, test2Key, wfe.nonceService)
|
|
revokeRequestJSON, err := makeRevokeRequestJSON(nil)
|
|
test.AssertNotError(t, err, "Unable to create revoke request")
|
|
|
|
result, _ := accountKeySigner2.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 403)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`unauthorized","detail":"Revocation request must be signed by private key of cert to be revoked, by the account key of the account that issued it, or by the account key of an account that holds valid authorizations for all names in the certificate.","status":403}`)
|
|
}
|
|
|
|
// Valid revocation request for already-revoked cert
|
|
func TestRevokeCertificateAlreadyRevoked(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
keyPemBytes, err := ioutil.ReadFile("test/178.key")
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
key := loadPrivateKey(t, keyPemBytes)
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
certPemBytes, err := ioutil.ReadFile("test/178.crt")
|
|
test.AssertNotError(t, err, "Failed to load cert")
|
|
certBlock, _ := pem.Decode(certPemBytes)
|
|
test.Assert(t, certBlock != nil, "Failed to decode PEM")
|
|
revokeRequest := struct {
|
|
Resource string `json:"resource"`
|
|
CertificateDER core.JSONBuffer `json:"certificate"`
|
|
}{
|
|
Resource: "revoke-cert",
|
|
CertificateDER: certBlock.Bytes,
|
|
}
|
|
revokeRequestJSON, err := json.Marshal(revokeRequest)
|
|
test.AssertNotError(t, err, "Failed to marshal request")
|
|
|
|
// POST, Properly JWS-signed, but payload is "foo", not base64-encoded JSON.
|
|
|
|
wfe.SA = &mockSANoSuchRegistration{mocks.NewStorageAuthority(fc)}
|
|
responseWriter := httptest.NewRecorder()
|
|
responseWriter.Body.Reset()
|
|
result, _ := signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 409)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Certificate already revoked","status":409}`)
|
|
}
|
|
|
|
func TestRevokeCertificateExpired(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
keyPemBytes, err := ioutil.ReadFile("test/178.key")
|
|
test.AssertNotError(t, err, "Failed to load key")
|
|
key := loadPrivateKey(t, keyPemBytes)
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
certPemBytes, err := ioutil.ReadFile("test/178.crt")
|
|
test.AssertNotError(t, err, "Failed to load cert")
|
|
certBlock, _ := pem.Decode(certPemBytes)
|
|
test.Assert(t, certBlock != nil, "Failed to decode PEM")
|
|
revokeRequest := struct {
|
|
Resource string `json:"resource"`
|
|
CertificateDER core.JSONBuffer `json:"certificate"`
|
|
}{
|
|
Resource: "revoke-cert",
|
|
CertificateDER: certBlock.Bytes,
|
|
}
|
|
revokeRequestJSON, err := json.Marshal(revokeRequest)
|
|
test.AssertNotError(t, err, "Failed to marshal request")
|
|
|
|
parsedCert, err := x509.ParseCertificate(certBlock.Bytes)
|
|
test.AssertNotError(t, err, "failed to parse test cert")
|
|
fc.Set(parsedCert.NotAfter.Add(time.Hour))
|
|
|
|
wfe.SA = &mockSANoSuchRegistration{mocks.NewStorageAuthority(fc)}
|
|
responseWriter := httptest.NewRecorder()
|
|
responseWriter.Body.Reset()
|
|
result, _ := signer.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 403)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`unauthorized","detail":"Certificate is expired","status":403}`)
|
|
|
|
}
|
|
|
|
func TestRevokeCertificateWithAuthz(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
test4JWK := loadPrivateKey(t, []byte(test4KeyPrivatePEM))
|
|
test4Key, ok := test4JWK.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
accountKeySigner := newJoseSigner(t, test4Key, wfe.nonceService)
|
|
revokeRequestJSON, err := makeRevokeRequestJSON(nil)
|
|
test.AssertNotError(t, err, "Unable to create revoke request")
|
|
|
|
result, _ := accountKeySigner.Sign(revokeRequestJSON)
|
|
wfe.RevokeCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(result.FullSerialize()))
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Body.String(), "")
|
|
}
|
|
|
|
// An SA mock that always returns a berrors.ServerInternal error for
|
|
// GetAuthorization.
|
|
type mockSAGetAuthzError struct {
|
|
core.StorageGetter
|
|
}
|
|
|
|
func (msa *mockSAGetAuthzError) GetAuthorization(ctx context.Context, id string) (core.Authorization, error) {
|
|
return core.Authorization{}, berrors.InternalServerError("oops")
|
|
}
|
|
|
|
// TestAuthorization500 tests that internal errors on GetAuthorization result in
|
|
// a 500.
|
|
func TestAuthorization500(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
wfe.SA = &mockSAGetAuthzError{}
|
|
mux := wfe.Handler()
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// GET instead of POST should be rejected
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(authzPath),
|
|
})
|
|
expected := `{
|
|
"type": "urn:acme:error:serverInternal",
|
|
"detail": "Problem getting authorization",
|
|
"status": 500
|
|
}`
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), expected)
|
|
|
|
}
|
|
|
|
func TestAuthorization(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// GET instead of POST should be rejected
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(newAuthzPath),
|
|
})
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
|
|
// POST, but no body.
|
|
responseWriter.Body.Reset()
|
|
wfe.NewAuthorization(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "POST",
|
|
Header: map[string][]string{
|
|
"Content-Length": {"0"},
|
|
},
|
|
})
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"No body on POST","status":400}`)
|
|
|
|
// POST, but body that isn't valid JWS
|
|
responseWriter.Body.Reset()
|
|
wfe.NewAuthorization(ctx, newRequestEvent(), responseWriter, makePostRequest("hi"))
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Parse error reading JWS","status":400}`)
|
|
|
|
// POST, Properly JWS-signed, but payload is "foo", not base64-encoded JSON.
|
|
responseWriter.Body.Reset()
|
|
wfe.NewAuthorization(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, "foo", wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Request payload did not parse as JSON","status":400}`)
|
|
|
|
// Same signed body, but payload modified by one byte, breaking signature.
|
|
// should fail JWS verification.
|
|
responseWriter.Body.Reset()
|
|
wfe.NewAuthorization(ctx, newRequestEvent(), responseWriter, makePostRequest(`
|
|
{
|
|
"header": {
|
|
"alg": "RS256",
|
|
"jwk": {
|
|
"e": "AQAB",
|
|
"kty": "RSA",
|
|
"n": "vd7rZIoTLEe-z1_8G1FcXSw9CQFEJgV4g9V277sER7yx5Qjz_Pkf2YVth6wwwFJEmzc0hoKY-MMYFNwBE4hQHw"
|
|
}
|
|
},
|
|
"payload": "xm9vCg",
|
|
"signature": "RjUQ679fxJgeAJlxqgvDP_sfGZnJ-1RgWF2qmcbnBWljs6h1qp63pLnJOl13u81bP_bCSjaWkelGG8Ymx_X-aQ"
|
|
}
|
|
`))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"JWS verification error","status":400}`)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.NewAuthorization(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{"resource":"new-authz","identifier":{"type":"dns","value":"test.com"}}`, wfe.nonceService)))
|
|
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
"http://localhost/acme/authz/bkrPh2u0JUf18-rVBZtOOWWb3GuIiliypL-hBM9Ak1Q")
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/new-cert>;rel="next"`)
|
|
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"identifier":{"type":"dns","value":"test.com"}}`)
|
|
|
|
var authz core.Authorization
|
|
err := json.Unmarshal([]byte(responseWriter.Body.String()), &authz)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned authorization object")
|
|
|
|
// Expired authorizations should be inaccessible
|
|
authzURL := "expired"
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(authzURL),
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusNotFound)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Expired authorization","status":404}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
// Ensure that a valid authorization can't be reached with an invalid URL
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
URL: mustParseURL("/a/bunch/of/garbage/valid"),
|
|
Method: "GET",
|
|
})
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"No such authorization","status":404}`)
|
|
}
|
|
|
|
func TestAuthorizationV2(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// Test retrieving a v2 style authorization
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
URL: mustParseURL("1"),
|
|
Method: "GET",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `
|
|
{
|
|
"identifier": {
|
|
"type": "dns",
|
|
"value": "not-an-example.com"
|
|
},
|
|
"status": "valid",
|
|
"expires": "2070-01-01T00:00:00Z",
|
|
"combinations": [[0]],
|
|
"challenges": [
|
|
{
|
|
"type": "dns",
|
|
"token":"token",
|
|
"uri": "http://localhost/acme/chall-v3/1/-ZfxEw"
|
|
}
|
|
]
|
|
}`)
|
|
|
|
// Test that getting a v2 authorization with an invalid ID results in the
|
|
// expected not found status.
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.AuthorizationV2(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
URL: mustParseURL("1junkjunkjunk"),
|
|
Method: "GET",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusBadRequest)
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `
|
|
{
|
|
"type": "urn:acme:error:malformed",
|
|
"detail": "Invalid authorization ID",
|
|
"status": 400
|
|
}`)
|
|
}
|
|
|
|
// TestAuthorizationChallengeNamespace tests that the runtime prefixing of
|
|
// Challenge Problem Types works as expected
|
|
func TestAuthorizationChallengeNamespace(t *testing.T) {
|
|
wfe, clk := setupWFE(t)
|
|
|
|
mockSA := &mocks.SAWithFailedChallenges{Clk: clk}
|
|
wfe.SA = mockSA
|
|
|
|
// For "oldNS" the SA mock returns an authorization with a failed challenge
|
|
// that has an error with the type already prefixed by the v1 error NS
|
|
authzURL := "oldNS"
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(authzURL),
|
|
})
|
|
|
|
var authz core.Authorization
|
|
err := json.Unmarshal([]byte(responseWriter.Body.String()), &authz)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned authorization object")
|
|
test.AssertEquals(t, len(authz.Challenges), 1)
|
|
// The Challenge Error Type should have its prefix unmodified
|
|
test.AssertEquals(t, string(authz.Challenges[0].Error.Type), probs.V1ErrorNS+"things:are:whack")
|
|
|
|
// For "failed" the SA mock returns an authorization with a failed challenge
|
|
// that has an error with the type not prefixed by an error namespace.
|
|
authzURL = "failed"
|
|
responseWriter = httptest.NewRecorder()
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(authzURL),
|
|
})
|
|
|
|
err = json.Unmarshal([]byte(responseWriter.Body.String()), &authz)
|
|
test.AssertNotError(t, err, "Couldn't unmarshal returned authorization object")
|
|
test.AssertEquals(t, len(authz.Challenges), 1)
|
|
// The Challenge Error Type should have had the probs.V1ErrorNS prefix added
|
|
test.AssertEquals(t, string(authz.Challenges[0].Error.Type), probs.V1ErrorNS+"things:are:whack")
|
|
responseWriter.Body.Reset()
|
|
}
|
|
|
|
func contains(s []string, e string) bool {
|
|
for _, a := range s {
|
|
if a == e {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
func TestRegistration(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// Test invalid method
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "MAKE-COFFEE",
|
|
URL: mustParseURL(regPath),
|
|
Body: makeBody("invalid"),
|
|
})
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
// Test GET proper entry returns 405
|
|
mux.ServeHTTP(responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: mustParseURL(regPath),
|
|
})
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Method not allowed","status":405}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
// Test POST invalid JSON
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter, makePostRequestWithPath("2", "invalid"))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Parse error reading JWS","status":400}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
key := loadPrivateKey(t, []byte(test2KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
// Test POST valid JSON but key is not registered
|
|
result, err := signer.Sign([]byte(`{"resource":"reg","agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Unable to sign")
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("2", result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`unauthorized","detail":"No registration exists matching provided key","status":403}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
key = loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
rsaKey, ok = key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer = newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
// Test POST valid JSON with registration up in the mock (with incorrect agreement URL)
|
|
result, err = signer.Sign([]byte(`{"resource":"reg","agreement":"https://letsencrypt.org/im-bad"}`))
|
|
test.AssertNotError(t, err, "signer.Sign failed")
|
|
|
|
// Test POST valid JSON with registration up in the mock
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Provided agreement URL [https://letsencrypt.org/im-bad] does not match current agreement URL [`+agreementURL+`]","status":400}`)
|
|
responseWriter.Body.Reset()
|
|
|
|
// Test POST valid JSON with registration up in the mock (with correct agreement URL)
|
|
result, err = signer.Sign([]byte(`{"resource":"reg","agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Couldn't sign")
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", result.FullSerialize()))
|
|
test.AssertNotContains(t, responseWriter.Body.String(), probs.V1ErrorNS)
|
|
links := responseWriter.Header()["Link"]
|
|
test.AssertEquals(t, contains(links, "<http://localhost/acme/new-authz>;rel=\"next\""), true)
|
|
test.AssertEquals(t, contains(links, "<"+agreementURL+">;rel=\"terms-of-service\""), true)
|
|
responseWriter.Body.Reset()
|
|
|
|
// Test POST valid JSON with garbage in URL but valid registration ID
|
|
result, err = signer.Sign([]byte(`{"resource":"reg","agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Couldn't sign")
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("/a/bunch/of/garbage/1", result.FullSerialize()))
|
|
test.AssertContains(t, responseWriter.Body.String(), "400")
|
|
test.AssertContains(t, responseWriter.Body.String(), probs.V1ErrorNS+"malformed")
|
|
responseWriter.Body.Reset()
|
|
|
|
// Test POST valid JSON with registration up in the mock (with old agreement URL)
|
|
responseWriter.HeaderMap = http.Header{}
|
|
wfe.SubscriberAgreementURL = "http://example.invalid/new-terms"
|
|
result, err = signer.Sign([]byte(`{"resource":"reg","agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "Couldn't sign")
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", result.FullSerialize()))
|
|
test.AssertNotContains(t, responseWriter.Body.String(), probs.V1ErrorNS)
|
|
links = responseWriter.Header()["Link"]
|
|
test.AssertEquals(t, contains(links, "<http://localhost/acme/new-authz>;rel=\"next\""), true)
|
|
test.AssertEquals(t, contains(links, "<http://example.invalid/new-terms>;rel=\"terms-of-service\""), true)
|
|
responseWriter.Body.Reset()
|
|
}
|
|
|
|
func TestTermsRedirect(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
path, _ := url.Parse("/terms")
|
|
wfe.Terms(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
URL: path,
|
|
})
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Location"),
|
|
agreementURL)
|
|
test.AssertEquals(t, responseWriter.Code, 302)
|
|
}
|
|
|
|
func TestIssuer(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
wfe.IssuerCert = []byte{0, 0, 1}
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
wfe.Issuer(ctx, newRequestEvent(), responseWriter, &http.Request{
|
|
Method: "GET",
|
|
})
|
|
test.AssertEquals(t, responseWriter.Code, http.StatusOK)
|
|
test.Assert(t, bytes.Compare(responseWriter.Body.Bytes(), wfe.IssuerCert) == 0, "Incorrect bytes returned")
|
|
}
|
|
|
|
func TestGetCertificate(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
|
|
certPemBytes, _ := ioutil.ReadFile("test/178.crt")
|
|
certBlock, _ := pem.Decode(certPemBytes)
|
|
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
mockLog := wfe.log.(*blog.Mock)
|
|
mockLog.Clear()
|
|
|
|
// Valid serial, cached
|
|
req, _ := http.NewRequest("GET", "/acme/cert/0000000000000000000000000000000000b2", nil)
|
|
req.RemoteAddr = "192.168.0.1"
|
|
mux.ServeHTTP(responseWriter, req)
|
|
test.AssertEquals(t, responseWriter.Code, 200)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "public, max-age=0, no-cache")
|
|
test.AssertEquals(t, responseWriter.Header().Get("Content-Type"), "application/pkix-cert")
|
|
test.Assert(t, bytes.Compare(responseWriter.Body.Bytes(), certBlock.Bytes) == 0, "Certificates don't match")
|
|
test.AssertEquals(
|
|
t, responseWriter.Header().Get("Link"),
|
|
`<http://localhost/acme/issuer-cert>;rel="up"`)
|
|
|
|
// Unused serial, no cache
|
|
mockLog.Clear()
|
|
responseWriter = httptest.NewRecorder()
|
|
req, _ = http.NewRequest("GET", "/acme/cert/0000000000000000000000000000000000ff", nil)
|
|
req.RemoteAddr = "192.168.0.1"
|
|
req.Header.Set("X-Forwarded-For", "192.168.99.99")
|
|
mux.ServeHTTP(responseWriter, req)
|
|
test.AssertEquals(t, responseWriter.Code, 404)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "public, max-age=0, no-cache")
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Certificate not found","status":404}`)
|
|
|
|
// Invalid serial, no cache
|
|
responseWriter = httptest.NewRecorder()
|
|
req, _ = http.NewRequest("GET", "/acme/cert/nothex", nil)
|
|
mux.ServeHTTP(responseWriter, req)
|
|
test.AssertEquals(t, responseWriter.Code, 404)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "public, max-age=0, no-cache")
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Certificate not found","status":404}`)
|
|
|
|
// Invalid serial, no cache
|
|
responseWriter = httptest.NewRecorder()
|
|
req, _ = http.NewRequest("GET", "/acme/cert/00000000000000", nil)
|
|
mux.ServeHTTP(responseWriter, req)
|
|
test.AssertEquals(t, responseWriter.Code, 404)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Cache-Control"), "public, max-age=0, no-cache")
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), `{"type":"`+probs.V1ErrorNS+`malformed","detail":"Certificate not found","status":404}`)
|
|
}
|
|
|
|
func assertCsrLogged(t *testing.T, mockLog *blog.Mock) {
|
|
matches := mockLog.GetAllMatching("^INFO: \\[AUDIT\\] Certificate request JSON=")
|
|
test.Assert(t, len(matches) == 1,
|
|
fmt.Sprintf("Incorrect number of certificate request log entries: %d",
|
|
len(matches)))
|
|
}
|
|
|
|
func TestLogCsrPem(t *testing.T) {
|
|
const certificateRequestJSON = `{
|
|
"csr": "MIICWTCCAUECAQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAycX3ca-fViOuRWF38mssORISFxbJvspDfhPGRBZDxJ63NIqQzupB-6dp48xkcX7Z_KDaRJStcpJT2S0u33moNT4FHLklQBETLhExDk66cmlz6Xibp3LGZAwhWuec7wJoEwIgY8oq4rxihIyGq7HVIJoq9DqZGrUgfZMDeEJqbphukQOaXGEop7mD-eeu8-z5EVkB1LiJ6Yej6R8MAhVPHzG5fyOu6YVo6vY6QgwjRLfZHNj5XthxgPIEETZlUbiSoI6J19GYHvLURBTy5Ys54lYAPIGfNwcIBAH4gtH9FrYcDY68R22rp4iuxdvkf03ZWiT0F2W1y7_C9B2jayTzvQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAHd6Do9DIZ2hvdt1GwBXYjsqprZidT_DYOMfYcK17KlvdkFT58XrBH88ulLZ72NXEpiFMeTyzfs3XEyGq_Bbe7TBGVYZabUEh-LOskYwhgcOuThVN7tHnH5rhN-gb7cEdysjTb1QL-vOUwYgV75CB6PE5JVYK-cQsMIVvo0Kz4TpNgjJnWzbcH7h0mtvub-fCv92vBPjvYq8gUDLNrok6rbg05tdOJkXsF2G_W-Q6sf2Fvx0bK5JeH4an7P7cXF9VG9nd4sRt5zd-L3IcyvHVKxNhIJXZVH0AOqh_1YrKI9R0QKQiZCEy0xN1okPlcaIVaFhb7IKAHPxTI3r5f72LXY"
|
|
}`
|
|
wfe, fc := setupWFE(t)
|
|
var certificateRequest core.CertificateRequest
|
|
err := json.Unmarshal([]byte(certificateRequestJSON), &certificateRequest)
|
|
test.AssertNotError(t, err, "Unable to parse certificateRequest")
|
|
|
|
mockSA := mocks.NewStorageAuthority(fc)
|
|
reg, err := mockSA.GetRegistration(ctx, 789)
|
|
test.AssertNotError(t, err, "Unable to get registration")
|
|
|
|
req, err := http.NewRequest("GET", "http://[::1]/", nil)
|
|
test.AssertNotError(t, err, "NewRequest failed")
|
|
req.RemoteAddr = "12.34.98.76"
|
|
req.Header.Set("X-Forwarded-For", "10.0.0.1,172.16.0.1")
|
|
|
|
mockLog := wfe.log.(*blog.Mock)
|
|
mockLog.Clear()
|
|
|
|
wfe.logCsr(req, certificateRequest, reg)
|
|
|
|
assertCsrLogged(t, mockLog)
|
|
}
|
|
|
|
func TestLengthRequired(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
_, _, _, prob := wfe.verifyPOST(ctx, newRequestEvent(), &http.Request{
|
|
Method: "POST",
|
|
URL: mustParseURL("/"),
|
|
}, false, "resource")
|
|
test.Assert(t, prob != nil, "No error returned for request body missing Content-Length.")
|
|
test.AssertEquals(t, probs.MalformedProblem, prob.Type)
|
|
test.AssertEquals(t, http.StatusLengthRequired, prob.HTTPStatus)
|
|
}
|
|
|
|
type mockSAGetRegByKeyFails struct {
|
|
core.StorageGetter
|
|
}
|
|
|
|
func (sa *mockSAGetRegByKeyFails) GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (core.Registration, error) {
|
|
return core.Registration{}, fmt.Errorf("whoops")
|
|
}
|
|
|
|
// When SA.GetRegistrationByKey errors (e.g. gRPC timeout), verifyPOST should
|
|
// return internal server errors.
|
|
func TestVerifyPOSTWhenGetRegByKeyFails(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSAGetRegByKeyFails{mocks.NewStorageAuthority(fc)}
|
|
event := newRequestEvent()
|
|
payload := `{"resource":"ima-payload"}`
|
|
_, _, _, prob := wfe.verifyPOST(ctx, event, makePostRequest(signRequest(t,
|
|
payload, wfe.nonceService)), false, "ima-payload")
|
|
if prob == nil {
|
|
t.Fatalf("No error returned when GetRegByKey failed with generic error.")
|
|
}
|
|
if prob.Type != probs.ServerInternalProblem {
|
|
t.Errorf("Wrong type for returned problem: %#v", prob)
|
|
}
|
|
}
|
|
|
|
// When SA.GetRegistrationByKey errors (e.g. gRPC timeout), NewRegistration should
|
|
// return internal server errors.
|
|
func TestNewRegWhenGetRegByKeyFails(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSAGetRegByKeyFails{mocks.NewStorageAuthority(fc)}
|
|
payload := `{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, payload, wfe.nonceService)))
|
|
var prob probs.ProblemDetails
|
|
err := json.Unmarshal(responseWriter.Body.Bytes(), &prob)
|
|
test.AssertNotError(t, err, "unmarshalling response")
|
|
if prob.Type != probs.V1ErrorNS+probs.ServerInternalProblem {
|
|
t.Errorf("Wrong type for returned problem: %#v", prob.Type)
|
|
}
|
|
}
|
|
|
|
type mockSAGetRegByKeyNotFound struct {
|
|
core.StorageGetter
|
|
}
|
|
|
|
func (sa *mockSAGetRegByKeyNotFound) GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (core.Registration, error) {
|
|
return core.Registration{}, berrors.NotFoundError("not found")
|
|
}
|
|
|
|
// When SA.GetRegistrationByKey returns berrors.NotFound, verifyPOST with
|
|
// regCheck = false (i.e. during a NewRegistration) should succeed.
|
|
func TestVerifyPOSTWhenGetRegByKeyNotFound(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSAGetRegByKeyNotFound{mocks.NewStorageAuthority(fc)}
|
|
event := newRequestEvent()
|
|
payload := `{"resource":"ima-payload"}`
|
|
_, _, _, err := wfe.verifyPOST(ctx, event, makePostRequest(signRequest(t,
|
|
payload, wfe.nonceService)), false, "ima-payload")
|
|
if err != nil {
|
|
t.Fatalf("Expected verifyPOST with regCheck=false to succeed when SA.GetRegistrationByKey returned NotFound, get %v", err)
|
|
}
|
|
}
|
|
|
|
// When SA.GetRegistrationByKey returns NotFound, NewRegistration should
|
|
// succeed.
|
|
func TestNewRegWhenGetRegByKeyNotFound(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSAGetRegByKeyNotFound{mocks.NewStorageAuthority(fc)}
|
|
payload := `{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, payload, wfe.nonceService)))
|
|
if responseWriter.Code != http.StatusCreated {
|
|
t.Errorf("Bad response to NewRegistration: %d, %s", responseWriter.Code, responseWriter.Body)
|
|
}
|
|
}
|
|
|
|
// TestLogPayload ensures that verifyPOST sets the Payload field of the logEvent
|
|
// it is passed.
|
|
func TestLogPayload(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
event := newRequestEvent()
|
|
payload := `{"resource":"ima-payload"}`
|
|
_, _, _, err := wfe.verifyPOST(ctx, event, makePostRequest(signRequest(t,
|
|
payload, wfe.nonceService)), false, "ima-payload")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
test.AssertEquals(t, event.Payload, payload)
|
|
}
|
|
|
|
type mockSADifferentStoredKey struct {
|
|
core.StorageGetter
|
|
}
|
|
|
|
func (sa mockSADifferentStoredKey) GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (core.Registration, error) {
|
|
keyJSON := []byte(test2KeyPublicJSON)
|
|
var parsedKey jose.JSONWebKey
|
|
err := parsedKey.UnmarshalJSON(keyJSON)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return core.Registration{
|
|
Key: &parsedKey,
|
|
}, nil
|
|
}
|
|
|
|
func TestVerifyPOSTUsesStoredKey(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSADifferentStoredKey{mocks.NewStorageAuthority(fc)}
|
|
// signRequest signs with test1Key, but our special mock returns a
|
|
// registration with test2Key
|
|
_, _, _, err := wfe.verifyPOST(ctx, newRequestEvent(), makePostRequest(signRequest(t, `{"resource":"foo"}`, wfe.nonceService)), true, "foo")
|
|
test.AssertError(t, err, "No error returned when provided key differed from stored key.")
|
|
}
|
|
|
|
func TestBadKeyCSR(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// CSR with a bad (512 bit RSA) key.
|
|
// openssl req -outform der -new -newkey rsa:512 -nodes -keyout foo.com.key
|
|
// -subj /CN=foo.com | base64 -w0 | sed -e 's,+,-,g' -e 's,/,_,g'
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIHLMHcCAQAwEjEQMA4GA1UEAwwHZm9vLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCZftp4x4owgjBnwOKfzihIPedT-BUmV2fuQPMqaUlc8yJUp13vcO5uxUlaBm8leM7Dj_sgTDP_JgykorlYo73AgMBAAGgADANBgkqhkiG9w0BAQsFAANBAEaQ2QBhweK-kp1ejQCedUhMit_wG-uTBtKnc3M82f6_fztLkhg1vWQ782nmhbEI5orXp6QtNHgJYnBpqA9Ut00"
|
|
}`, wfe.nonceService)))
|
|
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`malformed","detail":"Invalid key in certificate request :: key too small: 512","status":400}`)
|
|
}
|
|
|
|
// This uses httptest.NewServer because ServeMux.ServeHTTP won't prevent the
|
|
// body from being sent like the net/http Server's actually do.
|
|
func TestGetCertificateHEADHasCorrectBodyLength(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
certPemBytes, _ := ioutil.ReadFile("test/178.crt")
|
|
certBlock, _ := pem.Decode(certPemBytes)
|
|
|
|
mockLog := wfe.log.(*blog.Mock)
|
|
mockLog.Clear()
|
|
|
|
mux := wfe.Handler()
|
|
s := httptest.NewServer(mux)
|
|
defer s.Close()
|
|
req, _ := http.NewRequest("HEAD", s.URL+"/acme/cert/0000000000000000000000000000000000b2", nil)
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
test.AssertNotError(t, err, "do error")
|
|
}
|
|
body, err := ioutil.ReadAll(resp.Body)
|
|
if err != nil {
|
|
test.AssertNotEquals(t, err, "readall error")
|
|
}
|
|
err = resp.Body.Close()
|
|
if err != nil {
|
|
test.AssertNotEquals(t, err, "readall error")
|
|
}
|
|
test.AssertEquals(t, resp.StatusCode, 200)
|
|
test.AssertEquals(t, strconv.Itoa(len(certBlock.Bytes)), resp.Header.Get("Content-Length"))
|
|
test.AssertEquals(t, 0, len(body))
|
|
}
|
|
|
|
func newRequestEvent() *web.RequestEvent {
|
|
return &web.RequestEvent{Extra: make(map[string]interface{})}
|
|
}
|
|
|
|
func TestVerifyPOSTInvalidJWK(t *testing.T) {
|
|
badJWS := `{"signatures":[{"header":{"jwk":{"kty":"RSA","n":"","e":""}}}],"payload":""}`
|
|
wfe, _ := setupWFE(t)
|
|
_, _, _, prob := wfe.verifyPOST(ctx, newRequestEvent(), makePostRequest(badJWS), false, "resource")
|
|
test.Assert(t, prob != nil, "No error returned for request body with invalid JWS key.")
|
|
test.AssertEquals(t, probs.MalformedProblem, prob.Type)
|
|
test.AssertEquals(t, http.StatusBadRequest, prob.HTTPStatus)
|
|
}
|
|
|
|
func TestHeaderBoulderRequester(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
mux := wfe.Handler()
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// create a signed request
|
|
key := loadPrivateKey(t, []byte(test1KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
// requests that do not call sendError() have the requester header
|
|
result, err := signer.Sign([]byte(`{"resource":"reg","agreement":"` + agreementURL + `"}`))
|
|
test.AssertNotError(t, err, "signer.Sign failed")
|
|
request := makePostRequestWithPath(regPath+"1", result.FullSerialize())
|
|
mux.ServeHTTP(responseWriter, request)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Boulder-Requester"), "1")
|
|
|
|
// requests that do call sendError() also should have the requester header
|
|
result, err = signer.Sign([]byte(`{"resource":"reg","agreement":"https://letsencrypt.org/im-bad"}`))
|
|
test.AssertNotError(t, err, "Failed to signer.Sign")
|
|
request = makePostRequestWithPath(regPath+"1", result.FullSerialize())
|
|
mux.ServeHTTP(responseWriter, request)
|
|
test.AssertEquals(t, responseWriter.Header().Get("Boulder-Requester"), "1")
|
|
}
|
|
|
|
func TestDeactivateAuthorization(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("valid", signRequest(t, `{"resource":"authz","status":""}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type": "`+probs.V1ErrorNS+`malformed","detail": "Invalid status value","status": 400}`)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Authorization(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("valid", signRequest(t, `{"resource":"authz","status":"deactivated"}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{
|
|
"identifier": {
|
|
"type": "dns",
|
|
"value": "not-an-example.com"
|
|
},
|
|
"status": "deactivated",
|
|
"expires": "2070-01-01T00:00:00Z",
|
|
"combinations": [[0]],
|
|
"challenges": [
|
|
{
|
|
"type": "dns",
|
|
"token":"token",
|
|
"uri": "http://localhost/acme/challenge/valid/23"
|
|
}
|
|
]
|
|
}`)
|
|
}
|
|
|
|
func TestDeactivateRegistration(t *testing.T) {
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe, _ := setupWFE(t)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", signRequest(t, `{"resource":"reg","status":"asd"}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type": "`+probs.V1ErrorNS+`malformed","detail": "Invalid value provided for status field","status": 400}`)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", signRequest(t, `{"resource":"reg","status":"deactivated"}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{
|
|
"id": 1,
|
|
"key": {
|
|
"kty": "RSA",
|
|
"n": "yNWVhtYEKJR21y9xsHV-PD_bYwbXSeNuFal46xYxVfRL5mqha7vttvjB_vc7Xg2RvgCxHPCqoxgMPTzHrZT75LjCwIW2K_klBYN8oYvTwwmeSkAz6ut7ZxPv-nZaT5TJhGk0NT2kh_zSpdriEJ_3vW-mqxYbbBmpvHqsa1_zx9fSuHYctAZJWzxzUZXykbWMWQZpEiE0J4ajj51fInEzVn7VxV-mzfMyboQjujPh7aNJxAWSq4oQEJJDgWwSh9leyoJoPpONHxh5nEE5AjE01FkGICSxjpZsF-w8hOTI3XXohUdu29Se26k2B0PolDSuj0GIQU6-W9TdLXSjBb2SpQ",
|
|
"e": "AQAB"
|
|
},
|
|
"contact": [
|
|
"mailto:person@mail.com"
|
|
],
|
|
"agreement": "http://example.invalid/terms",
|
|
"initialIp": "",
|
|
"createdAt": "0001-01-01T00:00:00Z",
|
|
"status": "deactivated"
|
|
}`)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("1", signRequest(t, `{"resource":"reg","status":"deactivated","contact":[]}`, wfe.nonceService)))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{
|
|
"id": 1,
|
|
"key": {
|
|
"kty": "RSA",
|
|
"n": "yNWVhtYEKJR21y9xsHV-PD_bYwbXSeNuFal46xYxVfRL5mqha7vttvjB_vc7Xg2RvgCxHPCqoxgMPTzHrZT75LjCwIW2K_klBYN8oYvTwwmeSkAz6ut7ZxPv-nZaT5TJhGk0NT2kh_zSpdriEJ_3vW-mqxYbbBmpvHqsa1_zx9fSuHYctAZJWzxzUZXykbWMWQZpEiE0J4ajj51fInEzVn7VxV-mzfMyboQjujPh7aNJxAWSq4oQEJJDgWwSh9leyoJoPpONHxh5nEE5AjE01FkGICSxjpZsF-w8hOTI3XXohUdu29Se26k2B0PolDSuj0GIQU6-W9TdLXSjBb2SpQ",
|
|
"e": "AQAB"
|
|
},
|
|
"contact": [
|
|
"mailto:person@mail.com"
|
|
],
|
|
"agreement": "http://example.invalid/terms",
|
|
"initialIp": "",
|
|
"createdAt": "0001-01-01T00:00:00Z",
|
|
"status": "deactivated"
|
|
}`)
|
|
|
|
key := loadPrivateKey(t, []byte(test3KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
result, err := signer.Sign([]byte(`{"resource":"reg","status":"deactivated"}`))
|
|
test.AssertNotError(t, err, "Unable to sign")
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("2", result.FullSerialize()))
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.Registration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequestWithPath("2", result.FullSerialize()))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{
|
|
"type": "`+probs.V1ErrorNS+`unauthorized",
|
|
"detail": "Registration is not valid, has status 'deactivated'",
|
|
"status": 403
|
|
}`)
|
|
}
|
|
|
|
func TestKeyRollover(t *testing.T) {
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe, _ := setupWFE(t)
|
|
|
|
key := loadPrivateKey(t, []byte(test3KeyPrivatePEM))
|
|
rsaKey, ok := key.(*rsa.PrivateKey)
|
|
test.Assert(t, ok, "Couldn't load RSA key")
|
|
signer := newJoseSigner(t, rsaKey, wfe.nonceService)
|
|
|
|
wfe.KeyRollover(ctx, newRequestEvent(), responseWriter, makePostRequestWithPath("", "{}"))
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{
|
|
"type": "`+probs.V1ErrorNS+`malformed",
|
|
"detail": "Parse error reading JWS",
|
|
"status": 400
|
|
}`)
|
|
|
|
for _, testCase := range []struct {
|
|
payload string
|
|
expectedResponse string
|
|
}{
|
|
{
|
|
// Missing account URL
|
|
"{}",
|
|
`{
|
|
"type": "` + probs.V1ErrorNS + `malformed",
|
|
"detail": "Incorrect account URL provided in payload",
|
|
"status": 400
|
|
}`,
|
|
},
|
|
// Missing new key
|
|
{
|
|
`{"account":"http://localhost/acme/reg/1"}`,
|
|
`{
|
|
"type": "` + probs.V1ErrorNS + `malformed",
|
|
"detail": "Unable to marshal new JWK",
|
|
"status": 400
|
|
}`,
|
|
},
|
|
// Different key used to sign inner JWS
|
|
{
|
|
`{"newKey":{"kty":"RSA","n":"yNWVhtYEKJR21y9xsHV-PD_bYwbXSeNuFal46xYxVfRL5mqha7vttvjB_vc7Xg2RvgCxHPCqoxgMPTzHrZT75LjCwIW2K_klBYN8oYvTwwmeSkAz6ut7ZxPv-nZaT5TJhGk0NT2kh_zSpdriEJ_3vW-mqxYbbBmpvHqsa1_zx9fSuHYctAZJWzxzUZXykbWMWQZpEiE0J4ajj51fInEzVn7VxV-mzfMyboQjujPh7aNJxAWSq4oQEJJDgWwSh9leyoJoPpONHxh5nEE5AjE01FkGICSxjpZsF-w8hOTI3XXohUdu29Se26k2B0PolDSuj0GIQU6-W9TdLXSjBb2SpQ","e":"AQAB"},"account":"http://localhost/acme/reg/1"}`,
|
|
`{
|
|
"type": "` + probs.V1ErrorNS + `malformed",
|
|
"detail": "New JWK in inner payload doesn't match key used to sign inner JWS",
|
|
"status": 400
|
|
}`,
|
|
},
|
|
// Valid request
|
|
{
|
|
`{"newKey":{"kty":"RSA","n":"uTQER6vUA1RDixS8xsfCRiKUNGRzzyIK0MhbS2biClShbb0hSx2mPP7gBvis2lizZ9r-y9hL57kNQoYCKndOBg0FYsHzrQ3O9AcoV1z2Mq-XhHZbFrVYaXI0M3oY9BJCWog0dyi3XC0x8AxC1npd1U61cToHx-3uSvgZOuQA5ffEn5L38Dz1Ti7OV3E4XahnRJvejadUmTkki7phLBUXm5MnnyFm0CPpf6ApV7zhLjN5W-nV0WL17o7v8aDgV_t9nIdi1Y26c3PlCEtiVHZcebDH5F1Deta3oLLg9-g6rWnTqPbY3knffhp4m0scLD6e33k8MtzxDX_D7vHsg0_X1w","e":"AQAB"},"account":"http://localhost/acme/reg/1"}`,
|
|
`{
|
|
"id": 1,
|
|
"key": {
|
|
"kty": "RSA",
|
|
"n": "uTQER6vUA1RDixS8xsfCRiKUNGRzzyIK0MhbS2biClShbb0hSx2mPP7gBvis2lizZ9r-y9hL57kNQoYCKndOBg0FYsHzrQ3O9AcoV1z2Mq-XhHZbFrVYaXI0M3oY9BJCWog0dyi3XC0x8AxC1npd1U61cToHx-3uSvgZOuQA5ffEn5L38Dz1Ti7OV3E4XahnRJvejadUmTkki7phLBUXm5MnnyFm0CPpf6ApV7zhLjN5W-nV0WL17o7v8aDgV_t9nIdi1Y26c3PlCEtiVHZcebDH5F1Deta3oLLg9-g6rWnTqPbY3knffhp4m0scLD6e33k8MtzxDX_D7vHsg0_X1w",
|
|
"e": "AQAB"
|
|
},
|
|
"contact": [
|
|
"mailto:person@mail.com"
|
|
],
|
|
"agreement": "http://example.invalid/terms",
|
|
"initialIp": "",
|
|
"createdAt": "0001-01-01T00:00:00Z",
|
|
"status": "valid"
|
|
}`,
|
|
},
|
|
} {
|
|
inner, err := signer.Sign([]byte(testCase.payload))
|
|
test.AssertNotError(t, err, "Unable to sign")
|
|
innerStr := inner.FullSerialize()
|
|
innerStr = innerStr[:len(innerStr)-1] + `,"resource":"key-change"}` // awful
|
|
outer := signRequest(t, innerStr, wfe.nonceService)
|
|
|
|
responseWriter.Body.Reset()
|
|
wfe.KeyRollover(ctx, newRequestEvent(), responseWriter, makePostRequestWithPath("", outer))
|
|
test.AssertUnmarshaledEquals(t, responseWriter.Body.String(), testCase.expectedResponse)
|
|
}
|
|
}
|
|
|
|
func TestPrepChallengeForDisplay(t *testing.T) {
|
|
req := &http.Request{
|
|
Host: "example.com",
|
|
}
|
|
chall := &core.Challenge{
|
|
Status: core.AcmeStatus("pending"),
|
|
Token: "asd",
|
|
Type: core.ChallengeTypeDNS01,
|
|
}
|
|
authz := core.Authorization{
|
|
ID: "eyup",
|
|
Status: core.AcmeStatus("invalid"),
|
|
}
|
|
|
|
wfe, _ := setupWFE(t)
|
|
wfe.prepChallengeForDisplay(req, authz, chall)
|
|
if chall.Status != "invalid" {
|
|
t.Errorf("Expected challenge status to be forced to invalid, got %#v", chall)
|
|
}
|
|
test.AssertEquals(t, chall.URI, "http://example.com/acme/challenge/eyup/0")
|
|
|
|
_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
|
|
authz.V2 = true
|
|
wfe.prepChallengeForDisplay(req, authz, chall)
|
|
test.AssertEquals(t, chall.URI, "http://example.com/acme/chall-v3/eyup/iFVMwA")
|
|
}
|
|
|
|
// noSCTMockRA is a mock RA that always returns a `berrors.MissingSCTsError` from `NewCertificate`
|
|
type noSCTMockRA struct {
|
|
MockRegistrationAuthority
|
|
}
|
|
|
|
func (ra *noSCTMockRA) NewCertificate(ctx context.Context, req core.CertificateRequest, regID int64) (core.Certificate, error) {
|
|
return core.Certificate{}, berrors.MissingSCTsError("noSCTMockRA missing scts error")
|
|
}
|
|
|
|
func TestNewCertificateSCTError(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
|
|
// Set up an RA mock that always returns a berrors.MissingSCTsError from
|
|
// `NewCertificate`
|
|
wfe.RA = &noSCTMockRA{}
|
|
|
|
// Create a response writer to capture the WFE response
|
|
responseWriter := httptest.NewRecorder()
|
|
|
|
// Make a well-formed NewCertificate request (test case from `TestNewCertificate`)
|
|
// openssl req -outform der -new -nodes -key wfe/test/178.key -subj /CN=not-an-example.com | b64url
|
|
wfe.NewCertificate(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, `{
|
|
"resource":"new-cert",
|
|
"csr": "MIICYjCCAUoCAQAwHTEbMBkGA1UEAwwSbm90LWFuLWV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmqs7nue5oFxKBk2WaFZJAma2nm1oFyPIq19gYEAdQN4mWvaJ8RjzHFkDMYUrlIrGxCYuFJDHFUk9dh19Na1MIY-NVLgcSbyNcOML3bLbLEwGmvXPbbEOflBA9mxUS9TLMgXW5ghf_qbt4vmSGKloIim41QXt55QFW6O-84s8Kd2OE6df0wTsEwLhZB3j5pDU-t7j5vTMv4Tc7EptaPkOdfQn-68viUJjlYM_4yIBVRhWCdexFdylCKVLg0obsghQEwULKYCUjdg6F0VJUI115DU49tzscXU_3FS3CyY8rchunuYszBNkdmgpAwViHNWuP7ESdEd_emrj1xuioSe6PwIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAE_T1nWU38XVYL28hNVSXU0rW5IBUKtbvr0qAkD4kda4HmQRTYkt-LNSuvxoZCC9lxijjgtJi-OJe_DCTdZZpYzewlVvcKToWSYHYQ6Wm1-fxxD_XzphvZOujpmBySchdiz7QSVWJmVZu34XD5RJbIcrmj_cjRt42J1hiTFjNMzQu9U6_HwIMmliDL-soFY2RTvvZf-dAFvOUQ-Wbxt97eM1PbbmxJNWRhbAmgEpe9PWDPTpqV5AK56VAa991cQ1P8ZVmPss5hvwGWhOtpnpTZVHN3toGNYFKqxWPboirqushQlfKiFqT9rpRgM3-mFjOHidGqsKEkTdmfSVlVEk3oo="
|
|
}`, wfe.nonceService)))
|
|
|
|
// We expect the berrors.MissingSCTsError error to have been converted into
|
|
// a serverInternal error with the right message.
|
|
test.AssertUnmarshaledEquals(t,
|
|
responseWriter.Body.String(),
|
|
`{"type":"`+probs.V1ErrorNS+`serverInternal","detail":"Error creating new cert :: Unable to meet CA SCT embedding requirements","status":500}`)
|
|
}
|
|
|
|
type mockSAGetRegByKeyNotFoundAfterVerify struct {
|
|
core.StorageGetter
|
|
verified bool
|
|
}
|
|
|
|
func (sa *mockSAGetRegByKeyNotFoundAfterVerify) GetRegistrationByKey(ctx context.Context, jwk *jose.JSONWebKey) (core.Registration, error) {
|
|
if !sa.verified {
|
|
sa.verified = true
|
|
return sa.StorageGetter.GetRegistrationByKey(ctx, jwk)
|
|
}
|
|
return core.Registration{}, errors.New("broke")
|
|
}
|
|
|
|
// If GetRegistrationByKey returns a non berrors.NotFound error NewRegistration should fail
|
|
// out with an internal server error instead of continuing on and attempting to create a new
|
|
// account.
|
|
func TestNewRegistrationGetKeyBroken(t *testing.T) {
|
|
wfe, fc := setupWFE(t)
|
|
wfe.SA = &mockSAGetRegByKeyNotFoundAfterVerify{mocks.NewStorageAuthority(fc), false}
|
|
payload := `{"resource":"new-reg","contact":["mailto:person@mail.com"],"agreement":"` + agreementURL + `"}`
|
|
responseWriter := httptest.NewRecorder()
|
|
wfe.NewRegistration(ctx, newRequestEvent(), responseWriter,
|
|
makePostRequest(signRequest(t, payload, wfe.nonceService)))
|
|
var prob probs.ProblemDetails
|
|
err := json.Unmarshal(responseWriter.Body.Bytes(), &prob)
|
|
test.AssertNotError(t, err, "unmarshalling response")
|
|
if prob.Type != probs.V1ErrorNS+probs.ServerInternalProblem {
|
|
t.Errorf("Wrong type for returned problem: %#v", prob.Type)
|
|
}
|
|
}
|
|
|
|
func TestChallengeNewIDScheme(t *testing.T) {
|
|
wfe, _ := setupWFE(t)
|
|
_ = features.Set(map[string]bool{"NewAuthorizationSchema": true})
|
|
|
|
for _, tc := range []struct {
|
|
path string
|
|
location string
|
|
expected string
|
|
expectedStatus int
|
|
handler func(context.Context, *web.RequestEvent, http.ResponseWriter, *http.Request)
|
|
}{
|
|
{
|
|
path: "valid/23",
|
|
location: "http://localhost/acme/challenge/valid/23",
|
|
expected: `{"type":"dns","token":"token","uri":"http://localhost/acme/challenge/valid/23"}`,
|
|
expectedStatus: http.StatusAccepted,
|
|
handler: wfe.Challenge,
|
|
},
|
|
{
|
|
path: "1/-ZfxEw",
|
|
location: "http://localhost/acme/chall-v3/1/-ZfxEw",
|
|
expected: `{"type":"dns","token":"token","uri":"http://localhost/acme/chall-v3/1/-ZfxEw"}`,
|
|
expectedStatus: http.StatusAccepted,
|
|
handler: wfe.ChallengeV2,
|
|
},
|
|
{
|
|
path: "1aaaa/-ZfxEw",
|
|
expected: `{ "type": "urn:acme:error:malformed", "detail": "Invalid authorization ID", "status": 400 }`,
|
|
expectedStatus: http.StatusBadRequest,
|
|
handler: wfe.ChallengeV2,
|
|
},
|
|
} {
|
|
resp := httptest.NewRecorder()
|
|
req, err := http.NewRequest("GET", tc.path, nil)
|
|
test.AssertNotError(t, err, "http.NewRequest failed")
|
|
|
|
tc.handler(context.Background(), newRequestEvent(), resp, req)
|
|
test.AssertEquals(t,
|
|
resp.Code,
|
|
tc.expectedStatus)
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Location"),
|
|
tc.location)
|
|
test.AssertUnmarshaledEquals(
|
|
t, resp.Body.String(),
|
|
tc.expected)
|
|
}
|
|
|
|
for _, tc := range []struct {
|
|
path string
|
|
location string
|
|
expected string
|
|
handler func(context.Context, *web.RequestEvent, http.ResponseWriter, *http.Request)
|
|
}{
|
|
{
|
|
path: "valid/23",
|
|
location: "http://localhost/acme/challenge/valid/23",
|
|
expected: `{"type":"dns","token":"token","uri":"http://localhost/acme/challenge/valid/23"}`,
|
|
handler: wfe.Challenge,
|
|
},
|
|
{
|
|
path: "1/-ZfxEw",
|
|
location: "http://localhost/acme/chall-v3/1/-ZfxEw",
|
|
expected: `{"type":"dns","token":"token","uri":"http://localhost/acme/chall-v3/1/-ZfxEw"}`,
|
|
handler: wfe.ChallengeV2,
|
|
},
|
|
} {
|
|
resp := httptest.NewRecorder()
|
|
tc.handler(ctx, newRequestEvent(), resp, makePostRequestWithPath(
|
|
tc.path, signRequest(t, `{"resource":"challenge"}`, wfe.nonceService)))
|
|
test.AssertEquals(t,
|
|
resp.Code,
|
|
http.StatusAccepted)
|
|
test.AssertEquals(t,
|
|
resp.Header().Get("Location"),
|
|
tc.location)
|
|
test.AssertUnmarshaledEquals(
|
|
t, resp.Body.String(),
|
|
tc.expected)
|
|
}
|
|
}
|