boulder/ca/ocsp_test.go at main · https-github-com-bit/boulder

History

211 lines (185 loc) · 7.07 KB

Raw

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

package ca

import (

"context"

"crypto/x509"

"encoding/hex"

"testing"

"time"

capb "github.com/letsencrypt/boulder/ca/proto"

"github.com/letsencrypt/boulder/core"

blog "github.com/letsencrypt/boulder/log"

"github.com/letsencrypt/boulder/metrics"

"github.com/letsencrypt/boulder/test"

"golang.org/x/crypto/ocsp"

)

func serial(t *testing.T) []byte {

serial, err := hex.DecodeString("aabbccddeeffaabbccddeeff000102030405")

if err != nil {

t.Fatal(err)

}

return serial

}

func TestOCSP(t *testing.T) {

testCtx := setup(t)

ca, err := NewCertificateAuthorityImpl(

&mockSA{},

testCtx.pa,

testCtx.ocsp,

testCtx.boulderIssuers,

nil,

testCtx.certExpiry,

testCtx.certBackdate,

testCtx.serialPrefix,

testCtx.maxNames,

testCtx.keyPolicy,

nil,

testCtx.logger,

testCtx.stats,

testCtx.signatureCount,

testCtx.signErrorCount,

testCtx.fc)

test.AssertNotError(t, err, "Failed to create CA")

ocspi := testCtx.ocsp

// Issue a certificate from the RSA issuer caCert, then check OCSP comes from the same issuer.

rsaIssuerID := ca.issuers.byAlg[x509.RSA].ID()

rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})

test.AssertNotError(t, err, "Failed to issue certificate")

rsaCert, err := x509.ParseCertificate(rsaCertPB.DER)

test.AssertNotError(t, err, "Failed to parse rsaCert")

rsaOCSPPB, err := ocspi.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{

Serial: core.SerialToString(rsaCert.SerialNumber),

IssuerID: int64(rsaIssuerID),

Status: string(core.OCSPStatusGood),

})

test.AssertNotError(t, err, "Failed to generate OCSP")

rsaOCSP, err := ocsp.ParseResponse(rsaOCSPPB.Response, caCert.Certificate)

test.AssertNotError(t, err, "Failed to parse / validate OCSP for rsaCert")

test.AssertEquals(t, rsaOCSP.Status, 0)

test.AssertEquals(t, rsaOCSP.RevocationReason, 0)

test.AssertEquals(t, rsaOCSP.SerialNumber.Cmp(rsaCert.SerialNumber), 0)

// Issue a certificate from the ECDSA issuer caCert2, then check OCSP comes from the same issuer.

ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].ID()

ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID})

test.AssertNotError(t, err, "Failed to issue certificate")

ecdsaCert, err := x509.ParseCertificate(ecdsaCertPB.DER)

test.AssertNotError(t, err, "Failed to parse ecdsaCert")

ecdsaOCSPPB, err := ocspi.GenerateOCSP(ctx, &capb.GenerateOCSPRequest{

Serial: core.SerialToString(ecdsaCert.SerialNumber),

IssuerID: int64(ecdsaIssuerID),

Status: string(core.OCSPStatusGood),

})

test.AssertNotError(t, err, "Failed to generate OCSP")

ecdsaOCSP, err := ocsp.ParseResponse(ecdsaOCSPPB.Response, caCert2.Certificate)

test.AssertNotError(t, err, "Failed to parse / validate OCSP for ecdsaCert")

test.AssertEquals(t, ecdsaOCSP.Status, 0)

test.AssertEquals(t, ecdsaOCSP.RevocationReason, 0)

test.AssertEquals(t, ecdsaOCSP.SerialNumber.Cmp(ecdsaCert.SerialNumber), 0)

// GenerateOCSP with a bad IssuerID should fail.

_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{

Serial: core.SerialToString(rsaCert.SerialNumber),

IssuerID: int64(666),

Status: string(core.OCSPStatusGood),

})

test.AssertError(t, err, "GenerateOCSP didn't fail with invalid IssuerID")

// GenerateOCSP with a bad Serial should fail.

_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{

Serial: "BADDECAF",

IssuerID: int64(rsaIssuerID),

Status: string(core.OCSPStatusGood),

})

test.AssertError(t, err, "GenerateOCSP didn't fail with invalid Serial")

// GenerateOCSP with a valid-but-nonexistent Serial should *not* fail.

_, err = ocspi.GenerateOCSP(context.Background(), &capb.GenerateOCSPRequest{

Serial: "03DEADBEEFBADDECAFFADEFACECAFE30",

IssuerID: int64(rsaIssuerID),

Status: string(core.OCSPStatusGood),

})

test.AssertNotError(t, err, "GenerateOCSP failed with fake-but-valid Serial")

}

// Set up an ocspLogQueue with a very long period and a large maxLen,

// to ensure any buffered entries get flushed on `.stop()`.

func TestOcspLogFlushOnExit(t *testing.T) {

t.Parallel()

log := blog.NewMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(4000, 10000*time.Millisecond, stats, log)

go queue.loop()

queue.enqueue(serial(t), time.Now(), ocsp.ResponseStatus(ocsp.Good))

queue.stop()

expected := []string{

"INFO: [AUDIT] OCSP signed: aabbccddeeffaabbccddeeff000102030405:0,",

}

test.AssertDeepEquals(t, log.GetAll(), expected)

}

// Ensure log lines are sent when they exceed maxLen.

func TestOcspFlushOnLength(t *testing.T) {

t.Parallel()

log := blog.NewMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(100, 100*time.Millisecond, stats, log)

go queue.loop()

for i := 0; i < 5; i++ {

queue.enqueue(serial(t), time.Now(), ocsp.ResponseStatus(ocsp.Good))

}

queue.stop()

expected := []string{

"INFO: [AUDIT] OCSP signed: aabbccddeeffaabbccddeeff000102030405:0,aabbccddeeffaabbccddeeff000102030405:0,",

"INFO: [AUDIT] OCSP signed: aabbccddeeffaabbccddeeff000102030405:0,",

}

test.AssertDeepEquals(t, log.GetAll(), expected)

}

// Ensure log lines are sent after a timeout.

func TestOcspFlushOnTimeout(t *testing.T) {

t.Parallel()

log := blog.NewWaitingMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(90000, 10*time.Millisecond, stats, log)

go queue.loop()

queue.enqueue(serial(t), time.Now(), ocsp.ResponseStatus(ocsp.Good))

expected := "INFO: [AUDIT] OCSP signed: aabbccddeeffaabbccddeeff000102030405:0,"

logLines, err := log.WaitForMatch("OCSP signed", 50*time.Millisecond)

test.AssertNotError(t, err, "error in mock log")

test.AssertDeepEquals(t, logLines, expected)

queue.stop()

}

// If the deadline passes and nothing has been logged, we should not log a blank line.

func TestOcspNoEmptyLines(t *testing.T) {

t.Parallel()

log := blog.NewMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(90000, 10*time.Millisecond, stats, log)

go queue.loop()

time.Sleep(50 * time.Millisecond)

queue.stop()

test.AssertDeepEquals(t, log.GetAll(), []string{})

}

// If the maxLogLen is shorter than one entry, log everything immediately.

func TestOcspLogWhenMaxLogLenIsShort(t *testing.T) {

t.Parallel()

log := blog.NewMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(3, 10000*time.Millisecond, stats, log)

go queue.loop()

queue.enqueue(serial(t), time.Now(), ocsp.ResponseStatus(ocsp.Good))

queue.stop()

expected := []string{

"INFO: [AUDIT] OCSP signed: aabbccddeeffaabbccddeeff000102030405:0,",

}

test.AssertDeepEquals(t, log.GetAll(), expected)

}

// Enqueueing entries after stop causes panic.

func TestOcspLogPanicsOnEnqueueAfterStop(t *testing.T) {

t.Parallel()

log := blog.NewMock()

stats := metrics.NoopRegisterer

queue := newOCSPLogQueue(4000, 10000*time.Millisecond, stats, log)

go queue.loop()

queue.stop()

defer func() {

if r := recover(); r == nil {

t.Errorf("The code did not panic")

}

}()

queue.enqueue(serial(t), time.Now(), ocsp.ResponseStatus(ocsp.Good))

}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FilesExpand file tree

ocsp_test.go

Latest commit

History

ocsp_test.go

File metadata and controls