mirror of
https://github.com/genuinetools/reg.git
synced 2024-08-17 20:40:23 -04:00
843aebf2c1
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
1131 lines
31 KiB
Go
1131 lines
31 KiB
Go
// Copyright 2016 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package autocert
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"html/template"
|
|
"io"
|
|
"math/big"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"reflect"
|
|
"strings"
|
|
"sync"
|
|
"testing"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/acme"
|
|
)
|
|
|
|
var (
|
|
exampleDomain = "example.org"
|
|
exampleCertKey = certKey{domain: exampleDomain}
|
|
exampleCertKeyRSA = certKey{domain: exampleDomain, isRSA: true}
|
|
)
|
|
|
|
var discoTmpl = template.Must(template.New("disco").Parse(`{
|
|
"new-reg": "{{.}}/new-reg",
|
|
"new-authz": "{{.}}/new-authz",
|
|
"new-cert": "{{.}}/new-cert"
|
|
}`))
|
|
|
|
var authzTmpl = template.Must(template.New("authz").Parse(`{
|
|
"status": "pending",
|
|
"challenges": [
|
|
{
|
|
"uri": "{{.}}/challenge/1",
|
|
"type": "tls-sni-01",
|
|
"token": "token-01"
|
|
},
|
|
{
|
|
"uri": "{{.}}/challenge/2",
|
|
"type": "tls-sni-02",
|
|
"token": "token-02"
|
|
},
|
|
{
|
|
"uri": "{{.}}/challenge/dns-01",
|
|
"type": "dns-01",
|
|
"token": "token-dns-01"
|
|
},
|
|
{
|
|
"uri": "{{.}}/challenge/http-01",
|
|
"type": "http-01",
|
|
"token": "token-http-01"
|
|
}
|
|
]
|
|
}`))
|
|
|
|
type memCache struct {
|
|
t *testing.T
|
|
mu sync.Mutex
|
|
keyData map[string][]byte
|
|
}
|
|
|
|
func (m *memCache) Get(ctx context.Context, key string) ([]byte, error) {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
v, ok := m.keyData[key]
|
|
if !ok {
|
|
return nil, ErrCacheMiss
|
|
}
|
|
return v, nil
|
|
}
|
|
|
|
// filenameSafe returns whether all characters in s are printable ASCII
|
|
// and safe to use in a filename on most filesystems.
|
|
func filenameSafe(s string) bool {
|
|
for _, c := range s {
|
|
if c < 0x20 || c > 0x7E {
|
|
return false
|
|
}
|
|
switch c {
|
|
case '\\', '/', ':', '*', '?', '"', '<', '>', '|':
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
func (m *memCache) Put(ctx context.Context, key string, data []byte) error {
|
|
if !filenameSafe(key) {
|
|
m.t.Errorf("invalid characters in cache key %q", key)
|
|
}
|
|
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
m.keyData[key] = data
|
|
return nil
|
|
}
|
|
|
|
func (m *memCache) Delete(ctx context.Context, key string) error {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
delete(m.keyData, key)
|
|
return nil
|
|
}
|
|
|
|
func newMemCache(t *testing.T) *memCache {
|
|
return &memCache{
|
|
t: t,
|
|
keyData: make(map[string][]byte),
|
|
}
|
|
}
|
|
|
|
func (m *memCache) numCerts() int {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
res := 0
|
|
for key := range m.keyData {
|
|
if strings.HasSuffix(key, "+token") ||
|
|
strings.HasSuffix(key, "+key") ||
|
|
strings.HasSuffix(key, "+http-01") {
|
|
continue
|
|
}
|
|
res++
|
|
}
|
|
return res
|
|
}
|
|
|
|
func dummyCert(pub interface{}, san ...string) ([]byte, error) {
|
|
return dateDummyCert(pub, time.Now(), time.Now().Add(90*24*time.Hour), san...)
|
|
}
|
|
|
|
func dateDummyCert(pub interface{}, start, end time.Time, san ...string) ([]byte, error) {
|
|
// use EC key to run faster on 386
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
t := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
NotBefore: start,
|
|
NotAfter: end,
|
|
BasicConstraintsValid: true,
|
|
KeyUsage: x509.KeyUsageKeyEncipherment,
|
|
DNSNames: san,
|
|
}
|
|
if pub == nil {
|
|
pub = &key.PublicKey
|
|
}
|
|
return x509.CreateCertificate(rand.Reader, t, t, pub, key)
|
|
}
|
|
|
|
func decodePayload(v interface{}, r io.Reader) error {
|
|
var req struct{ Payload string }
|
|
if err := json.NewDecoder(r).Decode(&req); err != nil {
|
|
return err
|
|
}
|
|
payload, err := base64.RawURLEncoding.DecodeString(req.Payload)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return json.Unmarshal(payload, v)
|
|
}
|
|
|
|
func clientHelloInfo(sni string, ecdsaSupport bool) *tls.ClientHelloInfo {
|
|
hello := &tls.ClientHelloInfo{
|
|
ServerName: sni,
|
|
CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
|
|
}
|
|
if ecdsaSupport {
|
|
hello.CipherSuites = append(hello.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
|
|
}
|
|
return hello
|
|
}
|
|
|
|
func TestGetCertificate(t *testing.T) {
|
|
man := &Manager{Prompt: AcceptTOS}
|
|
defer man.stopRenew()
|
|
hello := clientHelloInfo("example.org", true)
|
|
testGetCertificate(t, man, "example.org", hello)
|
|
}
|
|
|
|
func TestGetCertificate_trailingDot(t *testing.T) {
|
|
man := &Manager{Prompt: AcceptTOS}
|
|
defer man.stopRenew()
|
|
hello := clientHelloInfo("example.org.", true)
|
|
testGetCertificate(t, man, "example.org", hello)
|
|
}
|
|
|
|
func TestGetCertificate_ForceRSA(t *testing.T) {
|
|
man := &Manager{
|
|
Prompt: AcceptTOS,
|
|
Cache: newMemCache(t),
|
|
ForceRSA: true,
|
|
}
|
|
defer man.stopRenew()
|
|
hello := clientHelloInfo(exampleDomain, true)
|
|
testGetCertificate(t, man, exampleDomain, hello)
|
|
|
|
// ForceRSA was deprecated and is now ignored.
|
|
cert, err := man.cacheGet(context.Background(), exampleCertKey)
|
|
if err != nil {
|
|
t.Fatalf("man.cacheGet: %v", err)
|
|
}
|
|
if _, ok := cert.PrivateKey.(*ecdsa.PrivateKey); !ok {
|
|
t.Errorf("cert.PrivateKey is %T; want *ecdsa.PrivateKey", cert.PrivateKey)
|
|
}
|
|
}
|
|
|
|
func TestGetCertificate_nilPrompt(t *testing.T) {
|
|
man := &Manager{}
|
|
defer man.stopRenew()
|
|
url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), "example.org")
|
|
defer finish()
|
|
man.Client = &acme.Client{DirectoryURL: url}
|
|
hello := clientHelloInfo("example.org", true)
|
|
if _, err := man.GetCertificate(hello); err == nil {
|
|
t.Error("got certificate for example.org; wanted error")
|
|
}
|
|
}
|
|
|
|
func TestGetCertificate_expiredCache(t *testing.T) {
|
|
// Make an expired cert and cache it.
|
|
pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
Subject: pkix.Name{CommonName: exampleDomain},
|
|
NotAfter: time.Now(),
|
|
}
|
|
pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
tlscert := &tls.Certificate{
|
|
Certificate: [][]byte{pub},
|
|
PrivateKey: pk,
|
|
}
|
|
|
|
man := &Manager{Prompt: AcceptTOS, Cache: newMemCache(t)}
|
|
defer man.stopRenew()
|
|
if err := man.cachePut(context.Background(), exampleCertKey, tlscert); err != nil {
|
|
t.Fatalf("man.cachePut: %v", err)
|
|
}
|
|
|
|
// The expired cached cert should trigger a new cert issuance
|
|
// and return without an error.
|
|
hello := clientHelloInfo(exampleDomain, true)
|
|
testGetCertificate(t, man, exampleDomain, hello)
|
|
}
|
|
|
|
func TestGetCertificate_failedAttempt(t *testing.T) {
|
|
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
}))
|
|
defer ts.Close()
|
|
|
|
d := createCertRetryAfter
|
|
f := testDidRemoveState
|
|
defer func() {
|
|
createCertRetryAfter = d
|
|
testDidRemoveState = f
|
|
}()
|
|
createCertRetryAfter = 0
|
|
done := make(chan struct{})
|
|
testDidRemoveState = func(ck certKey) {
|
|
if ck != exampleCertKey {
|
|
t.Errorf("testDidRemoveState: domain = %v; want %v", ck, exampleCertKey)
|
|
}
|
|
close(done)
|
|
}
|
|
|
|
man := &Manager{
|
|
Prompt: AcceptTOS,
|
|
Client: &acme.Client{
|
|
DirectoryURL: ts.URL,
|
|
},
|
|
}
|
|
defer man.stopRenew()
|
|
hello := clientHelloInfo(exampleDomain, true)
|
|
if _, err := man.GetCertificate(hello); err == nil {
|
|
t.Error("GetCertificate: err is nil")
|
|
}
|
|
select {
|
|
case <-time.After(5 * time.Second):
|
|
t.Errorf("took too long to remove the %q state", exampleCertKey)
|
|
case <-done:
|
|
man.stateMu.Lock()
|
|
defer man.stateMu.Unlock()
|
|
if v, exist := man.state[exampleCertKey]; exist {
|
|
t.Errorf("state exists for %v: %+v", exampleCertKey, v)
|
|
}
|
|
}
|
|
}
|
|
|
|
// testGetCertificate_tokenCache tests the fallback of token certificate fetches
|
|
// to cache when Manager.certTokens misses. ecdsaSupport refers to the CA when
|
|
// verifying the certificate token.
|
|
func testGetCertificate_tokenCache(t *testing.T, ecdsaSupport bool) {
|
|
man1 := &Manager{
|
|
Cache: newMemCache(t),
|
|
Prompt: AcceptTOS,
|
|
}
|
|
defer man1.stopRenew()
|
|
man2 := &Manager{
|
|
Cache: man1.Cache,
|
|
Prompt: AcceptTOS,
|
|
}
|
|
defer man2.stopRenew()
|
|
|
|
// Send the verification request to a different Manager from the one that
|
|
// initiated the authorization, when they share caches.
|
|
url, finish := startACMEServerStub(t, getCertificateFromManager(man2, ecdsaSupport), "example.org")
|
|
defer finish()
|
|
man1.Client = &acme.Client{DirectoryURL: url}
|
|
hello := clientHelloInfo("example.org", true)
|
|
if _, err := man1.GetCertificate(hello); err != nil {
|
|
t.Error(err)
|
|
}
|
|
if _, err := man2.GetCertificate(hello); err != nil {
|
|
t.Error(err)
|
|
}
|
|
}
|
|
|
|
func TestGetCertificate_tokenCache(t *testing.T) {
|
|
t.Run("ecdsaSupport=true", func(t *testing.T) {
|
|
testGetCertificate_tokenCache(t, true)
|
|
})
|
|
t.Run("ecdsaSupport=false", func(t *testing.T) {
|
|
testGetCertificate_tokenCache(t, false)
|
|
})
|
|
}
|
|
|
|
func TestGetCertificate_ecdsaVsRSA(t *testing.T) {
|
|
cache := newMemCache(t)
|
|
man := &Manager{Prompt: AcceptTOS, Cache: cache}
|
|
defer man.stopRenew()
|
|
url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), "example.org")
|
|
defer finish()
|
|
man.Client = &acme.Client{DirectoryURL: url}
|
|
|
|
cert, err := man.GetCertificate(clientHelloInfo("example.org", true))
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
if _, ok := cert.Leaf.PublicKey.(*ecdsa.PublicKey); !ok {
|
|
t.Error("an ECDSA client was served a non-ECDSA certificate")
|
|
}
|
|
|
|
cert, err = man.GetCertificate(clientHelloInfo("example.org", false))
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
if _, ok := cert.Leaf.PublicKey.(*rsa.PublicKey); !ok {
|
|
t.Error("a RSA client was served a non-RSA certificate")
|
|
}
|
|
|
|
if _, err := man.GetCertificate(clientHelloInfo("example.org", true)); err != nil {
|
|
t.Error(err)
|
|
}
|
|
if _, err := man.GetCertificate(clientHelloInfo("example.org", false)); err != nil {
|
|
t.Error(err)
|
|
}
|
|
if numCerts := cache.numCerts(); numCerts != 2 {
|
|
t.Errorf("found %d certificates in cache; want %d", numCerts, 2)
|
|
}
|
|
}
|
|
|
|
func TestGetCertificate_wrongCacheKeyType(t *testing.T) {
|
|
cache := newMemCache(t)
|
|
man := &Manager{Prompt: AcceptTOS, Cache: cache}
|
|
defer man.stopRenew()
|
|
url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), exampleDomain)
|
|
defer finish()
|
|
man.Client = &acme.Client{DirectoryURL: url}
|
|
|
|
// Make an RSA cert and cache it without suffix.
|
|
pk, err := rsa.GenerateKey(rand.Reader, 512)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
tmpl := &x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
Subject: pkix.Name{CommonName: exampleDomain},
|
|
NotAfter: time.Now().Add(90 * 24 * time.Hour),
|
|
}
|
|
pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
rsaCert := &tls.Certificate{
|
|
Certificate: [][]byte{pub},
|
|
PrivateKey: pk,
|
|
}
|
|
if err := man.cachePut(context.Background(), exampleCertKey, rsaCert); err != nil {
|
|
t.Fatalf("man.cachePut: %v", err)
|
|
}
|
|
|
|
// The RSA cached cert should be silently ignored and replaced.
|
|
cert, err := man.GetCertificate(clientHelloInfo(exampleDomain, true))
|
|
if err != nil {
|
|
t.Error(err)
|
|
}
|
|
if _, ok := cert.Leaf.PublicKey.(*ecdsa.PublicKey); !ok {
|
|
t.Error("an ECDSA client was served a non-ECDSA certificate")
|
|
}
|
|
if numCerts := cache.numCerts(); numCerts != 1 {
|
|
t.Errorf("found %d certificates in cache; want %d", numCerts, 1)
|
|
}
|
|
}
|
|
|
|
func getCertificateFromManager(man *Manager, ecdsaSupport bool) func(string) error {
|
|
return func(sni string) error {
|
|
_, err := man.GetCertificate(clientHelloInfo(sni, ecdsaSupport))
|
|
return err
|
|
}
|
|
}
|
|
|
|
// startACMEServerStub runs an ACME server
|
|
// The domain argument is the expected domain name of a certificate request.
|
|
func startACMEServerStub(t *testing.T, getCertificate func(string) error, domain string) (url string, finish func()) {
|
|
// echo token-02 | shasum -a 256
|
|
// then divide result in 2 parts separated by dot
|
|
tokenCertName := "4e8eb87631187e9ff2153b56b13a4dec.13a35d002e485d60ff37354b32f665d9.token.acme.invalid"
|
|
verifyTokenCert := func() {
|
|
if err := getCertificate(tokenCertName); err != nil {
|
|
t.Errorf("verifyTokenCert: GetCertificate(%q): %v", tokenCertName, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
// ACME CA server stub
|
|
var ca *httptest.Server
|
|
ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Replay-Nonce", "nonce")
|
|
if r.Method == "HEAD" {
|
|
// a nonce request
|
|
return
|
|
}
|
|
|
|
switch r.URL.Path {
|
|
// discovery
|
|
case "/":
|
|
if err := discoTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("discoTmpl: %v", err)
|
|
}
|
|
// client key registration
|
|
case "/new-reg":
|
|
w.Write([]byte("{}"))
|
|
// domain authorization
|
|
case "/new-authz":
|
|
w.Header().Set("Location", ca.URL+"/authz/1")
|
|
w.WriteHeader(http.StatusCreated)
|
|
if err := authzTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("authzTmpl: %v", err)
|
|
}
|
|
// accept tls-sni-02 challenge
|
|
case "/challenge/2":
|
|
verifyTokenCert()
|
|
w.Write([]byte("{}"))
|
|
// authorization status
|
|
case "/authz/1":
|
|
w.Write([]byte(`{"status": "valid"}`))
|
|
// cert request
|
|
case "/new-cert":
|
|
var req struct {
|
|
CSR string `json:"csr"`
|
|
}
|
|
decodePayload(&req, r.Body)
|
|
b, _ := base64.RawURLEncoding.DecodeString(req.CSR)
|
|
csr, err := x509.ParseCertificateRequest(b)
|
|
if err != nil {
|
|
t.Errorf("new-cert: CSR: %v", err)
|
|
}
|
|
if csr.Subject.CommonName != domain {
|
|
t.Errorf("CommonName in CSR = %q; want %q", csr.Subject.CommonName, domain)
|
|
}
|
|
der, err := dummyCert(csr.PublicKey, domain)
|
|
if err != nil {
|
|
t.Errorf("new-cert: dummyCert: %v", err)
|
|
}
|
|
chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)
|
|
w.Header().Set("Link", chainUp)
|
|
w.WriteHeader(http.StatusCreated)
|
|
w.Write(der)
|
|
// CA chain cert
|
|
case "/ca-cert":
|
|
der, err := dummyCert(nil, "ca")
|
|
if err != nil {
|
|
t.Errorf("ca-cert: dummyCert: %v", err)
|
|
}
|
|
w.Write(der)
|
|
default:
|
|
t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
|
|
}
|
|
}))
|
|
finish = func() {
|
|
ca.Close()
|
|
|
|
// make sure token cert was removed
|
|
cancel := make(chan struct{})
|
|
done := make(chan struct{})
|
|
go func() {
|
|
defer close(done)
|
|
tick := time.NewTicker(100 * time.Millisecond)
|
|
defer tick.Stop()
|
|
for {
|
|
if err := getCertificate(tokenCertName); err != nil {
|
|
return
|
|
}
|
|
select {
|
|
case <-tick.C:
|
|
case <-cancel:
|
|
return
|
|
}
|
|
}
|
|
}()
|
|
select {
|
|
case <-done:
|
|
case <-time.After(5 * time.Second):
|
|
close(cancel)
|
|
t.Error("token cert was not removed")
|
|
<-done
|
|
}
|
|
}
|
|
return ca.URL, finish
|
|
}
|
|
|
|
// tests man.GetCertificate flow using the provided hello argument.
|
|
// The domain argument is the expected domain name of a certificate request.
|
|
func testGetCertificate(t *testing.T, man *Manager, domain string, hello *tls.ClientHelloInfo) {
|
|
url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), domain)
|
|
defer finish()
|
|
man.Client = &acme.Client{DirectoryURL: url}
|
|
|
|
// simulate tls.Config.GetCertificate
|
|
var tlscert *tls.Certificate
|
|
var err error
|
|
done := make(chan struct{})
|
|
go func() {
|
|
tlscert, err = man.GetCertificate(hello)
|
|
close(done)
|
|
}()
|
|
select {
|
|
case <-time.After(time.Minute):
|
|
t.Fatal("man.GetCertificate took too long to return")
|
|
case <-done:
|
|
}
|
|
if err != nil {
|
|
t.Fatalf("man.GetCertificate: %v", err)
|
|
}
|
|
|
|
// verify the tlscert is the same we responded with from the CA stub
|
|
if len(tlscert.Certificate) == 0 {
|
|
t.Fatal("len(tlscert.Certificate) is 0")
|
|
}
|
|
cert, err := x509.ParseCertificate(tlscert.Certificate[0])
|
|
if err != nil {
|
|
t.Fatalf("x509.ParseCertificate: %v", err)
|
|
}
|
|
if len(cert.DNSNames) == 0 || cert.DNSNames[0] != domain {
|
|
t.Errorf("cert.DNSNames = %v; want %q", cert.DNSNames, domain)
|
|
}
|
|
|
|
}
|
|
|
|
func TestVerifyHTTP01(t *testing.T) {
|
|
var (
|
|
http01 http.Handler
|
|
|
|
authzCount int // num. of created authorizations
|
|
didAcceptHTTP01 bool
|
|
)
|
|
|
|
verifyHTTPToken := func() {
|
|
r := httptest.NewRequest("GET", "/.well-known/acme-challenge/token-http-01", nil)
|
|
w := httptest.NewRecorder()
|
|
http01.ServeHTTP(w, r)
|
|
if w.Code != http.StatusOK {
|
|
t.Errorf("http token: w.Code = %d; want %d", w.Code, http.StatusOK)
|
|
}
|
|
if v := w.Body.String(); !strings.HasPrefix(v, "token-http-01.") {
|
|
t.Errorf("http token value = %q; want 'token-http-01.' prefix", v)
|
|
}
|
|
}
|
|
|
|
// ACME CA server stub, only the needed bits.
|
|
// TODO: Merge this with startACMEServerStub, making it a configurable CA for testing.
|
|
var ca *httptest.Server
|
|
ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Replay-Nonce", "nonce")
|
|
if r.Method == "HEAD" {
|
|
// a nonce request
|
|
return
|
|
}
|
|
|
|
switch r.URL.Path {
|
|
// Discovery.
|
|
case "/":
|
|
if err := discoTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("discoTmpl: %v", err)
|
|
}
|
|
// Client key registration.
|
|
case "/new-reg":
|
|
w.Write([]byte("{}"))
|
|
// New domain authorization.
|
|
case "/new-authz":
|
|
authzCount++
|
|
w.Header().Set("Location", fmt.Sprintf("%s/authz/%d", ca.URL, authzCount))
|
|
w.WriteHeader(http.StatusCreated)
|
|
if err := authzTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("authzTmpl: %v", err)
|
|
}
|
|
// Accept tls-sni-02.
|
|
case "/challenge/2":
|
|
w.Write([]byte("{}"))
|
|
// Reject tls-sni-01.
|
|
case "/challenge/1":
|
|
http.Error(w, "won't accept tls-sni-01", http.StatusBadRequest)
|
|
// Should not accept dns-01.
|
|
case "/challenge/dns-01":
|
|
t.Errorf("dns-01 challenge was accepted")
|
|
http.Error(w, "won't accept dns-01", http.StatusBadRequest)
|
|
// Accept http-01.
|
|
case "/challenge/http-01":
|
|
didAcceptHTTP01 = true
|
|
verifyHTTPToken()
|
|
w.Write([]byte("{}"))
|
|
// Authorization statuses.
|
|
// Make tls-sni-xxx invalid.
|
|
case "/authz/1", "/authz/2":
|
|
w.Write([]byte(`{"status": "invalid"}`))
|
|
case "/authz/3", "/authz/4":
|
|
w.Write([]byte(`{"status": "valid"}`))
|
|
default:
|
|
http.NotFound(w, r)
|
|
t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
|
|
}
|
|
}))
|
|
defer ca.Close()
|
|
|
|
m := &Manager{
|
|
Client: &acme.Client{
|
|
DirectoryURL: ca.URL,
|
|
},
|
|
}
|
|
http01 = m.HTTPHandler(nil)
|
|
ctx := context.Background()
|
|
client, err := m.acmeClient(ctx)
|
|
if err != nil {
|
|
t.Fatalf("m.acmeClient: %v", err)
|
|
}
|
|
if err := m.verify(ctx, client, "example.org"); err != nil {
|
|
t.Errorf("m.verify: %v", err)
|
|
}
|
|
// Only tls-sni-01, tls-sni-02 and http-01 must be accepted
|
|
// The dns-01 challenge is unsupported.
|
|
if authzCount != 3 {
|
|
t.Errorf("authzCount = %d; want 3", authzCount)
|
|
}
|
|
if !didAcceptHTTP01 {
|
|
t.Error("did not accept http-01 challenge")
|
|
}
|
|
}
|
|
|
|
func TestRevokeFailedAuthz(t *testing.T) {
|
|
// Prefill authorization URIs expected to be revoked.
|
|
// The challenges are selected in a specific order,
|
|
// each tried within a newly created authorization.
|
|
// This means each authorization URI corresponds to a different challenge type.
|
|
revokedAuthz := map[string]bool{
|
|
"/authz/0": false, // tls-sni-02
|
|
"/authz/1": false, // tls-sni-01
|
|
"/authz/2": false, // no viable challenge, but authz is created
|
|
}
|
|
|
|
var authzCount int // num. of created authorizations
|
|
var revokeCount int // num. of revoked authorizations
|
|
done := make(chan struct{}) // closed when revokeCount is 3
|
|
|
|
// ACME CA server stub, only the needed bits.
|
|
// TODO: Merge this with startACMEServerStub, making it a configurable CA for testing.
|
|
var ca *httptest.Server
|
|
ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Replay-Nonce", "nonce")
|
|
if r.Method == "HEAD" {
|
|
// a nonce request
|
|
return
|
|
}
|
|
|
|
switch r.URL.Path {
|
|
// Discovery.
|
|
case "/":
|
|
if err := discoTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("discoTmpl: %v", err)
|
|
}
|
|
// Client key registration.
|
|
case "/new-reg":
|
|
w.Write([]byte("{}"))
|
|
// New domain authorization.
|
|
case "/new-authz":
|
|
w.Header().Set("Location", fmt.Sprintf("%s/authz/%d", ca.URL, authzCount))
|
|
w.WriteHeader(http.StatusCreated)
|
|
if err := authzTmpl.Execute(w, ca.URL); err != nil {
|
|
t.Errorf("authzTmpl: %v", err)
|
|
}
|
|
authzCount++
|
|
// tls-sni-02 challenge "accept" request.
|
|
case "/challenge/2":
|
|
// Refuse.
|
|
http.Error(w, "won't accept tls-sni-02 challenge", http.StatusBadRequest)
|
|
// tls-sni-01 challenge "accept" request.
|
|
case "/challenge/1":
|
|
// Accept but the authorization will be "expired".
|
|
w.Write([]byte("{}"))
|
|
// Authorization requests.
|
|
case "/authz/0", "/authz/1", "/authz/2":
|
|
// Revocation requests.
|
|
if r.Method == "POST" {
|
|
var req struct{ Status string }
|
|
if err := decodePayload(&req, r.Body); err != nil {
|
|
t.Errorf("%s: decodePayload: %v", r.URL, err)
|
|
}
|
|
switch req.Status {
|
|
case "deactivated":
|
|
revokedAuthz[r.URL.Path] = true
|
|
revokeCount++
|
|
if revokeCount >= 3 {
|
|
// Last authorization is revoked.
|
|
defer close(done)
|
|
}
|
|
default:
|
|
t.Errorf("%s: req.Status = %q; want 'deactivated'", r.URL, req.Status)
|
|
}
|
|
w.Write([]byte(`{"status": "invalid"}`))
|
|
return
|
|
}
|
|
// Authorization status requests.
|
|
// Simulate abandoned authorization, deleted by the CA.
|
|
w.WriteHeader(http.StatusNotFound)
|
|
default:
|
|
http.NotFound(w, r)
|
|
t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
|
|
}
|
|
}))
|
|
defer ca.Close()
|
|
|
|
m := &Manager{
|
|
Client: &acme.Client{DirectoryURL: ca.URL},
|
|
}
|
|
// Should fail and revoke 3 authorizations.
|
|
// The first 2 are tsl-sni-02 and tls-sni-01 challenges.
|
|
// The third time an authorization is created but no viable challenge is found.
|
|
// See revokedAuthz above for more explanation.
|
|
if _, err := m.createCert(context.Background(), exampleCertKey); err == nil {
|
|
t.Errorf("m.createCert returned nil error")
|
|
}
|
|
select {
|
|
case <-time.After(3 * time.Second):
|
|
t.Error("revocations took too long")
|
|
case <-done:
|
|
// revokeCount is at least 3.
|
|
}
|
|
for uri, ok := range revokedAuthz {
|
|
if !ok {
|
|
t.Errorf("%q authorization was not revoked", uri)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestHTTPHandlerDefaultFallback(t *testing.T) {
|
|
tt := []struct {
|
|
method, url string
|
|
wantCode int
|
|
wantLocation string
|
|
}{
|
|
{"GET", "http://example.org", 302, "https://example.org/"},
|
|
{"GET", "http://example.org/foo", 302, "https://example.org/foo"},
|
|
{"GET", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
|
|
{"GET", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
|
|
{"GET", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
|
|
{"GET", "http://example.org:80/foo?a=b", 302, "https://example.org:443/foo?a=b"},
|
|
{"GET", "http://example.org:80/foo%20bar", 302, "https://example.org:443/foo%20bar"},
|
|
{"GET", "http://[2602:d1:xxxx::c60a]:1234", 302, "https://[2602:d1:xxxx::c60a]:443/"},
|
|
{"GET", "http://[2602:d1:xxxx::c60a]", 302, "https://[2602:d1:xxxx::c60a]/"},
|
|
{"GET", "http://[2602:d1:xxxx::c60a]/foo?a=b", 302, "https://[2602:d1:xxxx::c60a]/foo?a=b"},
|
|
{"HEAD", "http://example.org", 302, "https://example.org/"},
|
|
{"HEAD", "http://example.org/foo", 302, "https://example.org/foo"},
|
|
{"HEAD", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
|
|
{"HEAD", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
|
|
{"HEAD", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
|
|
{"POST", "http://example.org", 400, ""},
|
|
{"PUT", "http://example.org", 400, ""},
|
|
{"GET", "http://example.org/.well-known/acme-challenge/x", 404, ""},
|
|
}
|
|
var m Manager
|
|
h := m.HTTPHandler(nil)
|
|
for i, test := range tt {
|
|
r := httptest.NewRequest(test.method, test.url, nil)
|
|
w := httptest.NewRecorder()
|
|
h.ServeHTTP(w, r)
|
|
if w.Code != test.wantCode {
|
|
t.Errorf("%d: w.Code = %d; want %d", i, w.Code, test.wantCode)
|
|
t.Errorf("%d: body: %s", i, w.Body.Bytes())
|
|
}
|
|
if v := w.Header().Get("Location"); v != test.wantLocation {
|
|
t.Errorf("%d: Location = %q; want %q", i, v, test.wantLocation)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestAccountKeyCache(t *testing.T) {
|
|
m := Manager{Cache: newMemCache(t)}
|
|
ctx := context.Background()
|
|
k1, err := m.accountKey(ctx)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
k2, err := m.accountKey(ctx)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
if !reflect.DeepEqual(k1, k2) {
|
|
t.Errorf("account keys don't match: k1 = %#v; k2 = %#v", k1, k2)
|
|
}
|
|
}
|
|
|
|
func TestCache(t *testing.T) {
|
|
ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cert, err := dummyCert(ecdsaKey.Public(), exampleDomain)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
ecdsaCert := &tls.Certificate{
|
|
Certificate: [][]byte{cert},
|
|
PrivateKey: ecdsaKey,
|
|
}
|
|
|
|
rsaKey, err := rsa.GenerateKey(rand.Reader, 512)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cert, err = dummyCert(rsaKey.Public(), exampleDomain)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
rsaCert := &tls.Certificate{
|
|
Certificate: [][]byte{cert},
|
|
PrivateKey: rsaKey,
|
|
}
|
|
|
|
man := &Manager{Cache: newMemCache(t)}
|
|
defer man.stopRenew()
|
|
ctx := context.Background()
|
|
|
|
if err := man.cachePut(ctx, exampleCertKey, ecdsaCert); err != nil {
|
|
t.Fatalf("man.cachePut: %v", err)
|
|
}
|
|
if err := man.cachePut(ctx, exampleCertKeyRSA, rsaCert); err != nil {
|
|
t.Fatalf("man.cachePut: %v", err)
|
|
}
|
|
|
|
res, err := man.cacheGet(ctx, exampleCertKey)
|
|
if err != nil {
|
|
t.Fatalf("man.cacheGet: %v", err)
|
|
}
|
|
if res == nil || !bytes.Equal(res.Certificate[0], ecdsaCert.Certificate[0]) {
|
|
t.Errorf("man.cacheGet = %+v; want %+v", res, ecdsaCert)
|
|
}
|
|
|
|
res, err = man.cacheGet(ctx, exampleCertKeyRSA)
|
|
if err != nil {
|
|
t.Fatalf("man.cacheGet: %v", err)
|
|
}
|
|
if res == nil || !bytes.Equal(res.Certificate[0], rsaCert.Certificate[0]) {
|
|
t.Errorf("man.cacheGet = %+v; want %+v", res, rsaCert)
|
|
}
|
|
}
|
|
|
|
func TestHostWhitelist(t *testing.T) {
|
|
policy := HostWhitelist("example.com", "example.org", "*.example.net")
|
|
tt := []struct {
|
|
host string
|
|
allow bool
|
|
}{
|
|
{"example.com", true},
|
|
{"example.org", true},
|
|
{"one.example.com", false},
|
|
{"two.example.org", false},
|
|
{"three.example.net", false},
|
|
{"dummy", false},
|
|
}
|
|
for i, test := range tt {
|
|
err := policy(nil, test.host)
|
|
if err != nil && test.allow {
|
|
t.Errorf("%d: policy(%q): %v; want nil", i, test.host, err)
|
|
}
|
|
if err == nil && !test.allow {
|
|
t.Errorf("%d: policy(%q): nil; want an error", i, test.host)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestValidCert(t *testing.T) {
|
|
key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
key3, err := rsa.GenerateKey(rand.Reader, 512)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cert1, err := dummyCert(key1.Public(), "example.org")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cert2, err := dummyCert(key2.Public(), "example.org")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
cert3, err := dummyCert(key3.Public(), "example.org")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
now := time.Now()
|
|
early, err := dateDummyCert(key1.Public(), now.Add(time.Hour), now.Add(2*time.Hour), "example.org")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
expired, err := dateDummyCert(key1.Public(), now.Add(-2*time.Hour), now.Add(-time.Hour), "example.org")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
tt := []struct {
|
|
ck certKey
|
|
key crypto.Signer
|
|
cert [][]byte
|
|
ok bool
|
|
}{
|
|
{certKey{domain: "example.org"}, key1, [][]byte{cert1}, true},
|
|
{certKey{domain: "example.org", isRSA: true}, key3, [][]byte{cert3}, true},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{cert1, cert2, cert3}, true},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{cert1, {1}}, false},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{{1}}, false},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{cert2}, false},
|
|
{certKey{domain: "example.org"}, key2, [][]byte{cert1}, false},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{cert3}, false},
|
|
{certKey{domain: "example.org"}, key3, [][]byte{cert1}, false},
|
|
{certKey{domain: "example.net"}, key1, [][]byte{cert1}, false},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{early}, false},
|
|
{certKey{domain: "example.org"}, key1, [][]byte{expired}, false},
|
|
{certKey{domain: "example.org", isRSA: true}, key1, [][]byte{cert1}, false},
|
|
{certKey{domain: "example.org"}, key3, [][]byte{cert3}, false},
|
|
}
|
|
for i, test := range tt {
|
|
leaf, err := validCert(test.ck, test.cert, test.key)
|
|
if err != nil && test.ok {
|
|
t.Errorf("%d: err = %v", i, err)
|
|
}
|
|
if err == nil && !test.ok {
|
|
t.Errorf("%d: err is nil", i)
|
|
}
|
|
if err == nil && test.ok && leaf == nil {
|
|
t.Errorf("%d: leaf is nil", i)
|
|
}
|
|
}
|
|
}
|
|
|
|
type cacheGetFunc func(ctx context.Context, key string) ([]byte, error)
|
|
|
|
func (f cacheGetFunc) Get(ctx context.Context, key string) ([]byte, error) {
|
|
return f(ctx, key)
|
|
}
|
|
|
|
func (f cacheGetFunc) Put(ctx context.Context, key string, data []byte) error {
|
|
return fmt.Errorf("unsupported Put of %q = %q", key, data)
|
|
}
|
|
|
|
func (f cacheGetFunc) Delete(ctx context.Context, key string) error {
|
|
return fmt.Errorf("unsupported Delete of %q", key)
|
|
}
|
|
|
|
func TestManagerGetCertificateBogusSNI(t *testing.T) {
|
|
m := Manager{
|
|
Prompt: AcceptTOS,
|
|
Cache: cacheGetFunc(func(ctx context.Context, key string) ([]byte, error) {
|
|
return nil, fmt.Errorf("cache.Get of %s", key)
|
|
}),
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
wantErr string
|
|
}{
|
|
{"foo.com", "cache.Get of foo.com"},
|
|
{"foo.com.", "cache.Get of foo.com"},
|
|
{`a\b.com`, "acme/autocert: server name contains invalid character"},
|
|
{`a/b.com`, "acme/autocert: server name contains invalid character"},
|
|
{"", "acme/autocert: missing server name"},
|
|
{"foo", "acme/autocert: server name component count invalid"},
|
|
{".foo", "acme/autocert: server name component count invalid"},
|
|
{"foo.", "acme/autocert: server name component count invalid"},
|
|
{"fo.o", "cache.Get of fo.o"},
|
|
}
|
|
for _, tt := range tests {
|
|
_, err := m.GetCertificate(clientHelloInfo(tt.name, true))
|
|
got := fmt.Sprint(err)
|
|
if got != tt.wantErr {
|
|
t.Errorf("GetCertificate(SNI = %q) = %q; want %q", tt.name, got, tt.wantErr)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestCertRequest(t *testing.T) {
|
|
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
// An extension from RFC7633. Any will do.
|
|
ext := pkix.Extension{
|
|
Id: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1},
|
|
Value: []byte("dummy"),
|
|
}
|
|
b, err := certRequest(key, "example.org", []pkix.Extension{ext}, "san.example.org")
|
|
if err != nil {
|
|
t.Fatalf("certRequest: %v", err)
|
|
}
|
|
r, err := x509.ParseCertificateRequest(b)
|
|
if err != nil {
|
|
t.Fatalf("ParseCertificateRequest: %v", err)
|
|
}
|
|
var found bool
|
|
for _, v := range r.Extensions {
|
|
if v.Id.Equal(ext.Id) {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
if !found {
|
|
t.Errorf("want %v in Extensions: %v", ext, r.Extensions)
|
|
}
|
|
}
|
|
|
|
func TestSupportsECDSA(t *testing.T) {
|
|
tests := []struct {
|
|
CipherSuites []uint16
|
|
SignatureSchemes []tls.SignatureScheme
|
|
SupportedCurves []tls.CurveID
|
|
ecdsaOk bool
|
|
}{
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
}, nil, nil, false},
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
}, nil, nil, true},
|
|
|
|
// SignatureSchemes limits, not extends, CipherSuites
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
}, []tls.SignatureScheme{
|
|
tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
|
|
}, nil, false},
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
}, []tls.SignatureScheme{
|
|
tls.PKCS1WithSHA256,
|
|
}, nil, false},
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
}, []tls.SignatureScheme{
|
|
tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
|
|
}, nil, true},
|
|
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
}, []tls.SignatureScheme{
|
|
tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
|
|
}, []tls.CurveID{
|
|
tls.CurveP521,
|
|
}, false},
|
|
{[]uint16{
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
}, []tls.SignatureScheme{
|
|
tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
|
|
}, []tls.CurveID{
|
|
tls.CurveP256,
|
|
tls.CurveP521,
|
|
}, true},
|
|
}
|
|
for i, tt := range tests {
|
|
result := supportsECDSA(&tls.ClientHelloInfo{
|
|
CipherSuites: tt.CipherSuites,
|
|
SignatureSchemes: tt.SignatureSchemes,
|
|
SupportedCurves: tt.SupportedCurves,
|
|
})
|
|
if result != tt.ecdsaOk {
|
|
t.Errorf("%d: supportsECDSA = %v; want %v", i, result, tt.ecdsaOk)
|
|
}
|
|
}
|
|
}
|