70 lines
2.2 KiB
Go
70 lines
2.2 KiB
Go
//go:build integration
|
|
|
|
package integration
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"os"
|
|
"testing"
|
|
|
|
"github.com/eggsampler/acme/v3"
|
|
|
|
"github.com/letsencrypt/boulder/test"
|
|
)
|
|
|
|
// TestFermat ensures that a certificate public key which can be factored using
|
|
// less than 100 rounds of Fermat's Algorithm is rejected.
|
|
func TestFermat(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Create a client and complete an HTTP-01 challenge for a fake domain.
|
|
c, err := makeClient()
|
|
test.AssertNotError(t, err, "creating acme client")
|
|
|
|
domain := random_domain()
|
|
|
|
order, err := c.Client.NewOrder(
|
|
c.Account, []acme.Identifier{{Type: "dns", Value: domain}})
|
|
test.AssertNotError(t, err, "creating new order")
|
|
test.AssertEquals(t, len(order.Authorizations), 1)
|
|
|
|
authUrl := order.Authorizations[0]
|
|
|
|
auth, err := c.Client.FetchAuthorization(c.Account, authUrl)
|
|
test.AssertNotError(t, err, "fetching authorization")
|
|
|
|
chal, ok := auth.ChallengeMap[acme.ChallengeTypeHTTP01]
|
|
test.Assert(t, ok, "getting HTTP-01 challenge")
|
|
|
|
_, err = testSrvClient.AddHTTP01Response(chal.Token, chal.KeyAuthorization)
|
|
test.AssertNotError(t, err, "")
|
|
defer func() {
|
|
_, err = testSrvClient.RemoveHTTP01Response(chal.Token)
|
|
test.AssertNotError(t, err, "")
|
|
}()
|
|
|
|
chal, err = c.Client.UpdateChallenge(c.Account, chal)
|
|
test.AssertNotError(t, err, "updating HTTP-01 challenge")
|
|
|
|
// Load the Fermat-weak CSR that we'll submit for finalize. This CSR was
|
|
// generated using test/integration/testdata/fermat_csr.go, has prime factors
|
|
// that differ by only 2^516 + 254, and can be factored in 42 rounds.
|
|
csrPem, err := os.ReadFile("test/integration/testdata/fermat_csr.pem")
|
|
test.AssertNotError(t, err, "reading CSR PEM from disk")
|
|
|
|
csrDer, _ := pem.Decode(csrPem)
|
|
if csrDer == nil {
|
|
t.Fatal("failed to decode CSR PEM")
|
|
}
|
|
|
|
csr, err := x509.ParseCertificateRequest(csrDer.Bytes)
|
|
test.AssertNotError(t, err, "parsing CSR")
|
|
|
|
// Finalizing the order should fail as we reject the public key.
|
|
_, err = c.Client.FinalizeOrder(c.Account, order, csr)
|
|
test.AssertError(t, err, "finalizing order")
|
|
test.AssertContains(t, err.Error(), "urn:ietf:params:acme:error:badCSR")
|
|
test.AssertContains(t, err.Error(), "key generated with factors too close together")
|
|
}
|