forked from adamlaska/boulder
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathari_test.go
More file actions
91 lines (79 loc) · 2.98 KB
/
ari_test.go
File metadata and controls
91 lines (79 loc) · 2.98 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
//go:build integration
package integration
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"encoding/hex"
"fmt"
"net/http"
"os"
"strings"
"testing"
"github.com/letsencrypt/boulder/core"
"github.com/letsencrypt/boulder/test"
ocsp_helper "github.com/letsencrypt/boulder/test/ocsp/helper"
"golang.org/x/crypto/ocsp"
)
func TestARI(t *testing.T) {
t.Parallel()
// This test is gated on the ServeRenewalInfo feature flag.
if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
return
}
// Create an account.
os.Setenv("DIRECTORY", "http://boulder:4001/directory")
client, err := makeClient("mailto:example@letsencrypt.org")
test.AssertNotError(t, err, "creating acme client")
// Create a private key.
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
test.AssertNotError(t, err, "creating random cert key")
// Issue a cert.
name := random_domain()
ir, err := authAndIssue(client, key, []string{name})
test.AssertNotError(t, err, "failed to issue test cert")
cert := ir.certs[0]
// Leverage OCSP to get components of ARI request path.
issuer, err := ocsp_helper.GetIssuer(cert)
test.AssertNotError(t, err, "failed to get issuer cert")
ocspReqBytes, err := ocsp.CreateRequest(cert, issuer, nil)
test.AssertNotError(t, err, "failed to build ocsp request")
ocspReq, err := ocsp.ParseRequest(ocspReqBytes)
test.AssertNotError(t, err, "failed to parse ocsp request")
// Make ARI request.
url := fmt.Sprintf(
"http://boulder:4001/get/draft-aaron-ari/renewalInfo/%s/%s/%s",
hex.EncodeToString(ocspReq.IssuerKeyHash),
hex.EncodeToString(ocspReq.IssuerNameHash),
core.SerialToString(cert.SerialNumber),
)
resp, err := http.Get(url)
test.AssertNotError(t, err, "ARI request should have succeeded")
test.AssertEquals(t, resp.StatusCode, http.StatusOK)
// Try to make a new cert for a new domain, but have it fail so only
// a precert gets created.
name = random_domain()
err = ctAddRejectHost(name)
test.AssertNotError(t, err, "failed to add ct-test-srv reject host")
_, err = authAndIssue(client, key, []string{name})
test.AssertError(t, err, "expected error from authAndIssue, was nil")
cert, err = ctFindRejection([]string{name})
test.AssertNotError(t, err, "failed to find rejected precert")
// Get ARI path components.
issuer, err = ocsp_helper.GetIssuer(cert)
test.AssertNotError(t, err, "failed to get issuer cert")
ocspReqBytes, err = ocsp.CreateRequest(cert, issuer, nil)
test.AssertNotError(t, err, "failed to build ocsp request")
ocspReq, err = ocsp.ParseRequest(ocspReqBytes)
test.AssertNotError(t, err, "failed to parse ocsp request")
// Make ARI request.
url = fmt.Sprintf(
"http://boulder:4001/get/draft-aaron-ari/renewalInfo/%s/%s/%s",
hex.EncodeToString(ocspReq.IssuerKeyHash),
hex.EncodeToString(ocspReq.IssuerNameHash),
core.SerialToString(cert.SerialNumber),
)
resp, err = http.Get(url)
test.AssertNotError(t, err, "ARI request should have succeeded")
test.AssertEquals(t, resp.StatusCode, http.StatusNotFound)
}