FilesExpand file tree

 main

/

ocsp_test.go

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

103 lines (87 loc) · 2.6 KB

 main

/

ocsp_test.go

Top

File metadata and controls

• Code
• Blame

103 lines (87 loc) · 2.6 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

//go:build integration

package integration

import (

"io/ioutil"

"os"

"strings"

"testing"

"github.com/letsencrypt/boulder/core"

ocsp_helper "github.com/letsencrypt/boulder/test/ocsp/helper"

"golang.org/x/crypto/ocsp"

)

// TODO(#5172): Fill out these test stubs.

func TestOCSPBadRequestMethod(t *testing.T) {

return

}

func TestOCSPBadGetUrl(t *testing.T) {

return

}

func TestOCSPBadGetBody(t *testing.T) {

return

}

func TestOCSPBadPostBody(t *testing.T) {

return

}

func TestOCSPBadHashAlgorithm(t *testing.T) {

return

}

func TestOCSPBadIssuerCert(t *testing.T) {

return

}

func TestOCSPBadSerialPrefix(t *testing.T) {

t.Parallel()

domain := random_domain()

os.Setenv("DIRECTORY", "http://boulder:4001/directory")

res, err := authAndIssue(nil, nil, []string{domain})

if err != nil || len(res.certs) < 1 {

t.Fatal("Failed to issue dummy cert for OCSP testing")

}

cert := res.certs[0]

// Increment the first byte of the cert's serial number by 1, making the

// prefix invalid. This works because ocsp_helper.Req (and the underlying

// ocsp.CreateRequest) completely ignore the cert's .Raw value.

serialStr := []byte(core.SerialToString(cert.SerialNumber))

ocspConfig := ocsp_helper.DefaultConfig.WithOutput(ioutil.Discard)

serialStr[0] = serialStr[0] + 1

cert.SerialNumber.SetString(string(serialStr), 16)

_, err = ocsp_helper.Req(cert, ocspConfig)

if err == nil {

t.Fatal("Expected error getting OCSP for request with invalid serial")

}

}

func TestOCSPNonexistentSerial(t *testing.T) {

return

}

func TestOCSPExpiredCert(t *testing.T) {

return

}

func TestOCSPRejectedPrecertificate(t *testing.T) {

t.Parallel()

domain := random_domain()

err := ctAddRejectHost(domain)

if err != nil {

t.Fatalf("adding ct-test-srv reject host: %s", err)

}

os.Setenv("DIRECTORY", "http://boulder:4001/directory")

_, err = authAndIssue(nil, nil, []string{domain})

if err != nil {

if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:serverInternal") ||

!strings.Contains(err.Error(), "SCT embedding") {

t.Fatal(err)

}

}

if err == nil {

t.Fatal("expected error issuing for domain rejected by CT servers; got none")

}

// Try to find a precertificate matching the domain from one of the

// configured ct-test-srv instances.

cert, err := ctFindRejection([]string{domain})

if err != nil || cert == nil {

t.Fatalf("couldn't find rejected precert for %q", domain)

}

ocspConfig := ocsp_helper.DefaultConfig.WithExpectStatus(ocsp.Good).WithOutput(ioutil.Discard)

_, err = ocsp_helper.ReqDER(cert.Raw, ocspConfig)

if err != nil {

t.Errorf("requesting OCSP for rejected precertificate: %s", err)

}

}