1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
|
package ocsp
import (
"golang.org/x/crypto/ocsp"
"io/ioutil"
"testing"
"time"
"github.com/cloudflare/cfssl/helpers"
)
const (
serverCertFile = "../../../../../../ocsp/testdata/ca.pem"
serverKeyFile = "../../../../../../ocsp/testdata/ca-key.pem"
otherCertFile = "../../../../../../ocsp/testdata/cert.pem"
brokenServerCert = "../../../../../../ocsp/testdata/server_broken.crt"
brokenServerKey = "../../../../../../ocsp/testdata/server_broken.key"
wrongServerCertFile = "../../../../../../ocsp/testdata/server.crt"
wrongServerKeyFile = "../../../../../../ocsp/testdata/server.key"
)
func TestNewSignerFromFile(t *testing.T) {
// arbitrary duration
dur, _ := time.ParseDuration("1ms")
// nonexistent files
_, err := NewSignerFromFile("", "", "", dur)
if err == nil {
t.Fatal("Failed to issue error on improper file")
}
_, err = NewSignerFromFile(serverCertFile, "", "", dur)
if err == nil {
t.Fatal("Failed to issue error on improper file")
}
_, err = NewSignerFromFile(serverCertFile, otherCertFile, "", dur)
if err == nil {
t.Fatal("Failed to issue error on improper file")
}
// malformed certs
_, err = NewSignerFromFile(brokenServerCert, otherCertFile, serverKeyFile, dur)
if err == nil {
t.Fatal("Didn't fail on malformed file")
}
_, err = NewSignerFromFile(serverCertFile, brokenServerCert, serverKeyFile, dur)
if err == nil {
t.Fatal("Didn't fail on malformed file")
}
_, err = NewSignerFromFile(serverCertFile, otherCertFile, brokenServerKey, dur)
if err == nil {
t.Fatal("Didn't fail on malformed file")
}
// expected case
_, err = NewSignerFromFile(serverCertFile, otherCertFile, serverKeyFile, dur)
if err != nil {
t.Fatalf("Signer creation failed %v", err)
}
}
func setup(t *testing.T) (SignRequest, time.Duration) {
dur, _ := time.ParseDuration("1ms")
certPEM, err := ioutil.ReadFile(otherCertFile)
if err != nil {
t.Fatal(err)
}
leafCert, err := helpers.ParseCertificatePEM(certPEM)
if err != nil {
t.Fatal(err)
}
req := SignRequest{
Certificate: leafCert,
Status: "good",
}
return req, dur
}
func TestSignNoResponder(t *testing.T) {
req, dur := setup(t)
s, err := NewSignerFromFile(serverCertFile, serverCertFile, serverKeyFile, dur)
if err != nil {
t.Fatalf("Signer creation failed: %v", err)
}
respBytes, err := s.Sign(req)
if err != nil {
t.Fatal("Failed to sign with no responder cert")
}
resp, err := ocsp.ParseResponse(respBytes, nil)
if err != nil {
t.Fatal("Failed to fail on improper status code")
}
if resp.Certificate != nil {
t.Fatal("Response contain responder cert even though it was identical to issuer")
}
}
func TestSign(t *testing.T) {
req, dur := setup(t)
// expected case
s, err := NewSignerFromFile(serverCertFile, otherCertFile, serverKeyFile, dur)
if err != nil {
t.Fatalf("Signer creation failed: %v", err)
}
_, err = s.Sign(SignRequest{})
if err == nil {
t.Fatal("Signed request with nil certificate")
}
_, err = s.Sign(req)
if err != nil {
t.Fatal("Sign failed")
}
sMismatch, err := NewSignerFromFile(wrongServerCertFile, otherCertFile, wrongServerKeyFile, dur)
_, err = sMismatch.Sign(req)
if err == nil {
t.Fatal("Signed a certificate from the wrong issuer")
}
// incorrect status code
req.Status = "aalkjsfdlkafdslkjahds"
_, err = s.Sign(req)
if err == nil {
t.Fatal("Failed to fail on improper status code")
}
// revoked
req.Status = "revoked"
_, err = s.Sign(req)
if err != nil {
t.Fatal("Error on revoked certificate")
}
}
|
