|
- // Copyright 2016 The Go Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
-
- package autocert
-
- import (
- "bytes"
- "context"
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/asn1"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "html/template"
- "io"
- "math/big"
- "net/http"
- "net/http/httptest"
- "reflect"
- "strings"
- "sync"
- "testing"
- "time"
-
- "golang.org/x/crypto/acme"
- )
-
- var (
- exampleDomain = "example.org"
- exampleCertKey = certKey{domain: exampleDomain}
- exampleCertKeyRSA = certKey{domain: exampleDomain, isRSA: true}
- )
-
- var discoTmpl = template.Must(template.New("disco").Parse(`{
- "new-reg": "{{.}}/new-reg",
- "new-authz": "{{.}}/new-authz",
- "new-cert": "{{.}}/new-cert"
- }`))
-
- var authzTmpl = template.Must(template.New("authz").Parse(`{
- "status": "pending",
- "challenges": [
- {
- "uri": "{{.}}/challenge/1",
- "type": "tls-sni-01",
- "token": "token-01"
- },
- {
- "uri": "{{.}}/challenge/2",
- "type": "tls-sni-02",
- "token": "token-02"
- },
- {
- "uri": "{{.}}/challenge/dns-01",
- "type": "dns-01",
- "token": "token-dns-01"
- },
- {
- "uri": "{{.}}/challenge/http-01",
- "type": "http-01",
- "token": "token-http-01"
- }
- ]
- }`))
-
- type memCache struct {
- t *testing.T
- mu sync.Mutex
- keyData map[string][]byte
- }
-
- func (m *memCache) Get(ctx context.Context, key string) ([]byte, error) {
- m.mu.Lock()
- defer m.mu.Unlock()
-
- v, ok := m.keyData[key]
- if !ok {
- return nil, ErrCacheMiss
- }
- return v, nil
- }
-
- // filenameSafe returns whether all characters in s are printable ASCII
- // and safe to use in a filename on most filesystems.
- func filenameSafe(s string) bool {
- for _, c := range s {
- if c < 0x20 || c > 0x7E {
- return false
- }
- switch c {
- case '\\', '/', ':', '*', '?', '"', '<', '>', '|':
- return false
- }
- }
- return true
- }
-
- func (m *memCache) Put(ctx context.Context, key string, data []byte) error {
- if !filenameSafe(key) {
- m.t.Errorf("invalid characters in cache key %q", key)
- }
-
- m.mu.Lock()
- defer m.mu.Unlock()
-
- m.keyData[key] = data
- return nil
- }
-
- func (m *memCache) Delete(ctx context.Context, key string) error {
- m.mu.Lock()
- defer m.mu.Unlock()
-
- delete(m.keyData, key)
- return nil
- }
-
- func newMemCache(t *testing.T) *memCache {
- return &memCache{
- t: t,
- keyData: make(map[string][]byte),
- }
- }
-
- func (m *memCache) numCerts() int {
- m.mu.Lock()
- defer m.mu.Unlock()
-
- res := 0
- for key := range m.keyData {
- if strings.HasSuffix(key, "+token") ||
- strings.HasSuffix(key, "+key") ||
- strings.HasSuffix(key, "+http-01") {
- continue
- }
- res++
- }
- return res
- }
-
- func dummyCert(pub interface{}, san ...string) ([]byte, error) {
- return dateDummyCert(pub, time.Now(), time.Now().Add(90*24*time.Hour), san...)
- }
-
- func dateDummyCert(pub interface{}, start, end time.Time, san ...string) ([]byte, error) {
- // use EC key to run faster on 386
- key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- return nil, err
- }
- t := &x509.Certificate{
- SerialNumber: big.NewInt(1),
- NotBefore: start,
- NotAfter: end,
- BasicConstraintsValid: true,
- KeyUsage: x509.KeyUsageKeyEncipherment,
- DNSNames: san,
- }
- if pub == nil {
- pub = &key.PublicKey
- }
- return x509.CreateCertificate(rand.Reader, t, t, pub, key)
- }
-
- func decodePayload(v interface{}, r io.Reader) error {
- var req struct{ Payload string }
- if err := json.NewDecoder(r).Decode(&req); err != nil {
- return err
- }
- payload, err := base64.RawURLEncoding.DecodeString(req.Payload)
- if err != nil {
- return err
- }
- return json.Unmarshal(payload, v)
- }
-
- func clientHelloInfo(sni string, ecdsaSupport bool) *tls.ClientHelloInfo {
- hello := &tls.ClientHelloInfo{
- ServerName: sni,
- CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
- }
- if ecdsaSupport {
- hello.CipherSuites = append(hello.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)
- }
- return hello
- }
-
- func TestGetCertificate(t *testing.T) {
- man := &Manager{Prompt: AcceptTOS}
- defer man.stopRenew()
- hello := clientHelloInfo("example.org", true)
- testGetCertificate(t, man, "example.org", hello)
- }
-
- func TestGetCertificate_trailingDot(t *testing.T) {
- man := &Manager{Prompt: AcceptTOS}
- defer man.stopRenew()
- hello := clientHelloInfo("example.org.", true)
- testGetCertificate(t, man, "example.org", hello)
- }
-
- func TestGetCertificate_ForceRSA(t *testing.T) {
- man := &Manager{
- Prompt: AcceptTOS,
- Cache: newMemCache(t),
- ForceRSA: true,
- }
- defer man.stopRenew()
- hello := clientHelloInfo(exampleDomain, true)
- testGetCertificate(t, man, exampleDomain, hello)
-
- // ForceRSA was deprecated and is now ignored.
- cert, err := man.cacheGet(context.Background(), exampleCertKey)
- if err != nil {
- t.Fatalf("man.cacheGet: %v", err)
- }
- if _, ok := cert.PrivateKey.(*ecdsa.PrivateKey); !ok {
- t.Errorf("cert.PrivateKey is %T; want *ecdsa.PrivateKey", cert.PrivateKey)
- }
- }
-
- func TestGetCertificate_nilPrompt(t *testing.T) {
- man := &Manager{}
- defer man.stopRenew()
- url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), "example.org")
- defer finish()
- man.Client = &acme.Client{DirectoryURL: url}
- hello := clientHelloInfo("example.org", true)
- if _, err := man.GetCertificate(hello); err == nil {
- t.Error("got certificate for example.org; wanted error")
- }
- }
-
- func TestGetCertificate_expiredCache(t *testing.T) {
- // Make an expired cert and cache it.
- pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatal(err)
- }
- tmpl := &x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{CommonName: exampleDomain},
- NotAfter: time.Now(),
- }
- pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
- if err != nil {
- t.Fatal(err)
- }
- tlscert := &tls.Certificate{
- Certificate: [][]byte{pub},
- PrivateKey: pk,
- }
-
- man := &Manager{Prompt: AcceptTOS, Cache: newMemCache(t)}
- defer man.stopRenew()
- if err := man.cachePut(context.Background(), exampleCertKey, tlscert); err != nil {
- t.Fatalf("man.cachePut: %v", err)
- }
-
- // The expired cached cert should trigger a new cert issuance
- // and return without an error.
- hello := clientHelloInfo(exampleDomain, true)
- testGetCertificate(t, man, exampleDomain, hello)
- }
-
- func TestGetCertificate_failedAttempt(t *testing.T) {
- ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.WriteHeader(http.StatusBadRequest)
- }))
- defer ts.Close()
-
- d := createCertRetryAfter
- f := testDidRemoveState
- defer func() {
- createCertRetryAfter = d
- testDidRemoveState = f
- }()
- createCertRetryAfter = 0
- done := make(chan struct{})
- testDidRemoveState = func(ck certKey) {
- if ck != exampleCertKey {
- t.Errorf("testDidRemoveState: domain = %v; want %v", ck, exampleCertKey)
- }
- close(done)
- }
-
- man := &Manager{
- Prompt: AcceptTOS,
- Client: &acme.Client{
- DirectoryURL: ts.URL,
- },
- }
- defer man.stopRenew()
- hello := clientHelloInfo(exampleDomain, true)
- if _, err := man.GetCertificate(hello); err == nil {
- t.Error("GetCertificate: err is nil")
- }
- select {
- case <-time.After(5 * time.Second):
- t.Errorf("took too long to remove the %q state", exampleCertKey)
- case <-done:
- man.stateMu.Lock()
- defer man.stateMu.Unlock()
- if v, exist := man.state[exampleCertKey]; exist {
- t.Errorf("state exists for %v: %+v", exampleCertKey, v)
- }
- }
- }
-
- // testGetCertificate_tokenCache tests the fallback of token certificate fetches
- // to cache when Manager.certTokens misses. ecdsaSupport refers to the CA when
- // verifying the certificate token.
- func testGetCertificate_tokenCache(t *testing.T, ecdsaSupport bool) {
- man1 := &Manager{
- Cache: newMemCache(t),
- Prompt: AcceptTOS,
- }
- defer man1.stopRenew()
- man2 := &Manager{
- Cache: man1.Cache,
- Prompt: AcceptTOS,
- }
- defer man2.stopRenew()
-
- // Send the verification request to a different Manager from the one that
- // initiated the authorization, when they share caches.
- url, finish := startACMEServerStub(t, getCertificateFromManager(man2, ecdsaSupport), "example.org")
- defer finish()
- man1.Client = &acme.Client{DirectoryURL: url}
- hello := clientHelloInfo("example.org", true)
- if _, err := man1.GetCertificate(hello); err != nil {
- t.Error(err)
- }
- if _, err := man2.GetCertificate(hello); err != nil {
- t.Error(err)
- }
- }
-
- func TestGetCertificate_tokenCache(t *testing.T) {
- t.Run("ecdsaSupport=true", func(t *testing.T) {
- testGetCertificate_tokenCache(t, true)
- })
- t.Run("ecdsaSupport=false", func(t *testing.T) {
- testGetCertificate_tokenCache(t, false)
- })
- }
-
- func TestGetCertificate_ecdsaVsRSA(t *testing.T) {
- cache := newMemCache(t)
- man := &Manager{Prompt: AcceptTOS, Cache: cache}
- defer man.stopRenew()
- url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), "example.org")
- defer finish()
- man.Client = &acme.Client{DirectoryURL: url}
-
- cert, err := man.GetCertificate(clientHelloInfo("example.org", true))
- if err != nil {
- t.Error(err)
- }
- if _, ok := cert.Leaf.PublicKey.(*ecdsa.PublicKey); !ok {
- t.Error("an ECDSA client was served a non-ECDSA certificate")
- }
-
- cert, err = man.GetCertificate(clientHelloInfo("example.org", false))
- if err != nil {
- t.Error(err)
- }
- if _, ok := cert.Leaf.PublicKey.(*rsa.PublicKey); !ok {
- t.Error("a RSA client was served a non-RSA certificate")
- }
-
- if _, err := man.GetCertificate(clientHelloInfo("example.org", true)); err != nil {
- t.Error(err)
- }
- if _, err := man.GetCertificate(clientHelloInfo("example.org", false)); err != nil {
- t.Error(err)
- }
- if numCerts := cache.numCerts(); numCerts != 2 {
- t.Errorf("found %d certificates in cache; want %d", numCerts, 2)
- }
- }
-
- func TestGetCertificate_wrongCacheKeyType(t *testing.T) {
- cache := newMemCache(t)
- man := &Manager{Prompt: AcceptTOS, Cache: cache}
- defer man.stopRenew()
- url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), exampleDomain)
- defer finish()
- man.Client = &acme.Client{DirectoryURL: url}
-
- // Make an RSA cert and cache it without suffix.
- pk, err := rsa.GenerateKey(rand.Reader, 512)
- if err != nil {
- t.Fatal(err)
- }
- tmpl := &x509.Certificate{
- SerialNumber: big.NewInt(1),
- Subject: pkix.Name{CommonName: exampleDomain},
- NotAfter: time.Now().Add(90 * 24 * time.Hour),
- }
- pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
- if err != nil {
- t.Fatal(err)
- }
- rsaCert := &tls.Certificate{
- Certificate: [][]byte{pub},
- PrivateKey: pk,
- }
- if err := man.cachePut(context.Background(), exampleCertKey, rsaCert); err != nil {
- t.Fatalf("man.cachePut: %v", err)
- }
-
- // The RSA cached cert should be silently ignored and replaced.
- cert, err := man.GetCertificate(clientHelloInfo(exampleDomain, true))
- if err != nil {
- t.Error(err)
- }
- if _, ok := cert.Leaf.PublicKey.(*ecdsa.PublicKey); !ok {
- t.Error("an ECDSA client was served a non-ECDSA certificate")
- }
- if numCerts := cache.numCerts(); numCerts != 1 {
- t.Errorf("found %d certificates in cache; want %d", numCerts, 1)
- }
- }
-
- func getCertificateFromManager(man *Manager, ecdsaSupport bool) func(string) error {
- return func(sni string) error {
- _, err := man.GetCertificate(clientHelloInfo(sni, ecdsaSupport))
- return err
- }
- }
-
- // startACMEServerStub runs an ACME server
- // The domain argument is the expected domain name of a certificate request.
- func startACMEServerStub(t *testing.T, getCertificate func(string) error, domain string) (url string, finish func()) {
- // echo token-02 | shasum -a 256
- // then divide result in 2 parts separated by dot
- tokenCertName := "4e8eb87631187e9ff2153b56b13a4dec.13a35d002e485d60ff37354b32f665d9.token.acme.invalid"
- verifyTokenCert := func() {
- if err := getCertificate(tokenCertName); err != nil {
- t.Errorf("verifyTokenCert: GetCertificate(%q): %v", tokenCertName, err)
- return
- }
- }
-
- // ACME CA server stub
- var ca *httptest.Server
- ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Replay-Nonce", "nonce")
- if r.Method == "HEAD" {
- // a nonce request
- return
- }
-
- switch r.URL.Path {
- // discovery
- case "/":
- if err := discoTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("discoTmpl: %v", err)
- }
- // client key registration
- case "/new-reg":
- w.Write([]byte("{}"))
- // domain authorization
- case "/new-authz":
- w.Header().Set("Location", ca.URL+"/authz/1")
- w.WriteHeader(http.StatusCreated)
- if err := authzTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("authzTmpl: %v", err)
- }
- // accept tls-sni-02 challenge
- case "/challenge/2":
- verifyTokenCert()
- w.Write([]byte("{}"))
- // authorization status
- case "/authz/1":
- w.Write([]byte(`{"status": "valid"}`))
- // cert request
- case "/new-cert":
- var req struct {
- CSR string `json:"csr"`
- }
- decodePayload(&req, r.Body)
- b, _ := base64.RawURLEncoding.DecodeString(req.CSR)
- csr, err := x509.ParseCertificateRequest(b)
- if err != nil {
- t.Errorf("new-cert: CSR: %v", err)
- }
- if csr.Subject.CommonName != domain {
- t.Errorf("CommonName in CSR = %q; want %q", csr.Subject.CommonName, domain)
- }
- der, err := dummyCert(csr.PublicKey, domain)
- if err != nil {
- t.Errorf("new-cert: dummyCert: %v", err)
- }
- chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)
- w.Header().Set("Link", chainUp)
- w.WriteHeader(http.StatusCreated)
- w.Write(der)
- // CA chain cert
- case "/ca-cert":
- der, err := dummyCert(nil, "ca")
- if err != nil {
- t.Errorf("ca-cert: dummyCert: %v", err)
- }
- w.Write(der)
- default:
- t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
- }
- }))
- finish = func() {
- ca.Close()
-
- // make sure token cert was removed
- cancel := make(chan struct{})
- done := make(chan struct{})
- go func() {
- defer close(done)
- tick := time.NewTicker(100 * time.Millisecond)
- defer tick.Stop()
- for {
- if err := getCertificate(tokenCertName); err != nil {
- return
- }
- select {
- case <-tick.C:
- case <-cancel:
- return
- }
- }
- }()
- select {
- case <-done:
- case <-time.After(5 * time.Second):
- close(cancel)
- t.Error("token cert was not removed")
- <-done
- }
- }
- return ca.URL, finish
- }
-
- // tests man.GetCertificate flow using the provided hello argument.
- // The domain argument is the expected domain name of a certificate request.
- func testGetCertificate(t *testing.T, man *Manager, domain string, hello *tls.ClientHelloInfo) {
- url, finish := startACMEServerStub(t, getCertificateFromManager(man, true), domain)
- defer finish()
- man.Client = &acme.Client{DirectoryURL: url}
-
- // simulate tls.Config.GetCertificate
- var tlscert *tls.Certificate
- var err error
- done := make(chan struct{})
- go func() {
- tlscert, err = man.GetCertificate(hello)
- close(done)
- }()
- select {
- case <-time.After(time.Minute):
- t.Fatal("man.GetCertificate took too long to return")
- case <-done:
- }
- if err != nil {
- t.Fatalf("man.GetCertificate: %v", err)
- }
-
- // verify the tlscert is the same we responded with from the CA stub
- if len(tlscert.Certificate) == 0 {
- t.Fatal("len(tlscert.Certificate) is 0")
- }
- cert, err := x509.ParseCertificate(tlscert.Certificate[0])
- if err != nil {
- t.Fatalf("x509.ParseCertificate: %v", err)
- }
- if len(cert.DNSNames) == 0 || cert.DNSNames[0] != domain {
- t.Errorf("cert.DNSNames = %v; want %q", cert.DNSNames, domain)
- }
-
- }
-
- func TestVerifyHTTP01(t *testing.T) {
- var (
- http01 http.Handler
-
- authzCount int // num. of created authorizations
- didAcceptHTTP01 bool
- )
-
- verifyHTTPToken := func() {
- r := httptest.NewRequest("GET", "/.well-known/acme-challenge/token-http-01", nil)
- w := httptest.NewRecorder()
- http01.ServeHTTP(w, r)
- if w.Code != http.StatusOK {
- t.Errorf("http token: w.Code = %d; want %d", w.Code, http.StatusOK)
- }
- if v := w.Body.String(); !strings.HasPrefix(v, "token-http-01.") {
- t.Errorf("http token value = %q; want 'token-http-01.' prefix", v)
- }
- }
-
- // ACME CA server stub, only the needed bits.
- // TODO: Merge this with startACMEServerStub, making it a configurable CA for testing.
- var ca *httptest.Server
- ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Replay-Nonce", "nonce")
- if r.Method == "HEAD" {
- // a nonce request
- return
- }
-
- switch r.URL.Path {
- // Discovery.
- case "/":
- if err := discoTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("discoTmpl: %v", err)
- }
- // Client key registration.
- case "/new-reg":
- w.Write([]byte("{}"))
- // New domain authorization.
- case "/new-authz":
- authzCount++
- w.Header().Set("Location", fmt.Sprintf("%s/authz/%d", ca.URL, authzCount))
- w.WriteHeader(http.StatusCreated)
- if err := authzTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("authzTmpl: %v", err)
- }
- // Accept tls-sni-02.
- case "/challenge/2":
- w.Write([]byte("{}"))
- // Reject tls-sni-01.
- case "/challenge/1":
- http.Error(w, "won't accept tls-sni-01", http.StatusBadRequest)
- // Should not accept dns-01.
- case "/challenge/dns-01":
- t.Errorf("dns-01 challenge was accepted")
- http.Error(w, "won't accept dns-01", http.StatusBadRequest)
- // Accept http-01.
- case "/challenge/http-01":
- didAcceptHTTP01 = true
- verifyHTTPToken()
- w.Write([]byte("{}"))
- // Authorization statuses.
- // Make tls-sni-xxx invalid.
- case "/authz/1", "/authz/2":
- w.Write([]byte(`{"status": "invalid"}`))
- case "/authz/3", "/authz/4":
- w.Write([]byte(`{"status": "valid"}`))
- default:
- http.NotFound(w, r)
- t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
- }
- }))
- defer ca.Close()
-
- m := &Manager{
- Client: &acme.Client{
- DirectoryURL: ca.URL,
- },
- }
- http01 = m.HTTPHandler(nil)
- ctx := context.Background()
- client, err := m.acmeClient(ctx)
- if err != nil {
- t.Fatalf("m.acmeClient: %v", err)
- }
- if err := m.verify(ctx, client, "example.org"); err != nil {
- t.Errorf("m.verify: %v", err)
- }
- // Only tls-sni-01, tls-sni-02 and http-01 must be accepted
- // The dns-01 challenge is unsupported.
- if authzCount != 3 {
- t.Errorf("authzCount = %d; want 3", authzCount)
- }
- if !didAcceptHTTP01 {
- t.Error("did not accept http-01 challenge")
- }
- }
-
- func TestRevokeFailedAuthz(t *testing.T) {
- // Prefill authorization URIs expected to be revoked.
- // The challenges are selected in a specific order,
- // each tried within a newly created authorization.
- // This means each authorization URI corresponds to a different challenge type.
- revokedAuthz := map[string]bool{
- "/authz/0": false, // tls-sni-02
- "/authz/1": false, // tls-sni-01
- "/authz/2": false, // no viable challenge, but authz is created
- }
-
- var authzCount int // num. of created authorizations
- var revokeCount int // num. of revoked authorizations
- done := make(chan struct{}) // closed when revokeCount is 3
-
- // ACME CA server stub, only the needed bits.
- // TODO: Merge this with startACMEServerStub, making it a configurable CA for testing.
- var ca *httptest.Server
- ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Replay-Nonce", "nonce")
- if r.Method == "HEAD" {
- // a nonce request
- return
- }
-
- switch r.URL.Path {
- // Discovery.
- case "/":
- if err := discoTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("discoTmpl: %v", err)
- }
- // Client key registration.
- case "/new-reg":
- w.Write([]byte("{}"))
- // New domain authorization.
- case "/new-authz":
- w.Header().Set("Location", fmt.Sprintf("%s/authz/%d", ca.URL, authzCount))
- w.WriteHeader(http.StatusCreated)
- if err := authzTmpl.Execute(w, ca.URL); err != nil {
- t.Errorf("authzTmpl: %v", err)
- }
- authzCount++
- // tls-sni-02 challenge "accept" request.
- case "/challenge/2":
- // Refuse.
- http.Error(w, "won't accept tls-sni-02 challenge", http.StatusBadRequest)
- // tls-sni-01 challenge "accept" request.
- case "/challenge/1":
- // Accept but the authorization will be "expired".
- w.Write([]byte("{}"))
- // Authorization requests.
- case "/authz/0", "/authz/1", "/authz/2":
- // Revocation requests.
- if r.Method == "POST" {
- var req struct{ Status string }
- if err := decodePayload(&req, r.Body); err != nil {
- t.Errorf("%s: decodePayload: %v", r.URL, err)
- }
- switch req.Status {
- case "deactivated":
- revokedAuthz[r.URL.Path] = true
- revokeCount++
- if revokeCount >= 3 {
- // Last authorization is revoked.
- defer close(done)
- }
- default:
- t.Errorf("%s: req.Status = %q; want 'deactivated'", r.URL, req.Status)
- }
- w.Write([]byte(`{"status": "invalid"}`))
- return
- }
- // Authorization status requests.
- // Simulate abandoned authorization, deleted by the CA.
- w.WriteHeader(http.StatusNotFound)
- default:
- http.NotFound(w, r)
- t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)
- }
- }))
- defer ca.Close()
-
- m := &Manager{
- Client: &acme.Client{DirectoryURL: ca.URL},
- }
- // Should fail and revoke 3 authorizations.
- // The first 2 are tsl-sni-02 and tls-sni-01 challenges.
- // The third time an authorization is created but no viable challenge is found.
- // See revokedAuthz above for more explanation.
- if _, err := m.createCert(context.Background(), exampleCertKey); err == nil {
- t.Errorf("m.createCert returned nil error")
- }
- select {
- case <-time.After(3 * time.Second):
- t.Error("revocations took too long")
- case <-done:
- // revokeCount is at least 3.
- }
- for uri, ok := range revokedAuthz {
- if !ok {
- t.Errorf("%q authorization was not revoked", uri)
- }
- }
- }
-
- func TestHTTPHandlerDefaultFallback(t *testing.T) {
- tt := []struct {
- method, url string
- wantCode int
- wantLocation string
- }{
- {"GET", "http://example.org", 302, "https://example.org/"},
- {"GET", "http://example.org/foo", 302, "https://example.org/foo"},
- {"GET", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
- {"GET", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
- {"GET", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
- {"GET", "http://example.org:80/foo?a=b", 302, "https://example.org:443/foo?a=b"},
- {"GET", "http://example.org:80/foo%20bar", 302, "https://example.org:443/foo%20bar"},
- {"GET", "http://[2602:d1:xxxx::c60a]:1234", 302, "https://[2602:d1:xxxx::c60a]:443/"},
- {"GET", "http://[2602:d1:xxxx::c60a]", 302, "https://[2602:d1:xxxx::c60a]/"},
- {"GET", "http://[2602:d1:xxxx::c60a]/foo?a=b", 302, "https://[2602:d1:xxxx::c60a]/foo?a=b"},
- {"HEAD", "http://example.org", 302, "https://example.org/"},
- {"HEAD", "http://example.org/foo", 302, "https://example.org/foo"},
- {"HEAD", "http://example.org/foo/bar/", 302, "https://example.org/foo/bar/"},
- {"HEAD", "http://example.org/?a=b", 302, "https://example.org/?a=b"},
- {"HEAD", "http://example.org/foo?a=b", 302, "https://example.org/foo?a=b"},
- {"POST", "http://example.org", 400, ""},
- {"PUT", "http://example.org", 400, ""},
- {"GET", "http://example.org/.well-known/acme-challenge/x", 404, ""},
- }
- var m Manager
- h := m.HTTPHandler(nil)
- for i, test := range tt {
- r := httptest.NewRequest(test.method, test.url, nil)
- w := httptest.NewRecorder()
- h.ServeHTTP(w, r)
- if w.Code != test.wantCode {
- t.Errorf("%d: w.Code = %d; want %d", i, w.Code, test.wantCode)
- t.Errorf("%d: body: %s", i, w.Body.Bytes())
- }
- if v := w.Header().Get("Location"); v != test.wantLocation {
- t.Errorf("%d: Location = %q; want %q", i, v, test.wantLocation)
- }
- }
- }
-
- func TestAccountKeyCache(t *testing.T) {
- m := Manager{Cache: newMemCache(t)}
- ctx := context.Background()
- k1, err := m.accountKey(ctx)
- if err != nil {
- t.Fatal(err)
- }
- k2, err := m.accountKey(ctx)
- if err != nil {
- t.Fatal(err)
- }
- if !reflect.DeepEqual(k1, k2) {
- t.Errorf("account keys don't match: k1 = %#v; k2 = %#v", k1, k2)
- }
- }
-
- func TestCache(t *testing.T) {
- ecdsaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatal(err)
- }
- cert, err := dummyCert(ecdsaKey.Public(), exampleDomain)
- if err != nil {
- t.Fatal(err)
- }
- ecdsaCert := &tls.Certificate{
- Certificate: [][]byte{cert},
- PrivateKey: ecdsaKey,
- }
-
- rsaKey, err := rsa.GenerateKey(rand.Reader, 512)
- if err != nil {
- t.Fatal(err)
- }
- cert, err = dummyCert(rsaKey.Public(), exampleDomain)
- if err != nil {
- t.Fatal(err)
- }
- rsaCert := &tls.Certificate{
- Certificate: [][]byte{cert},
- PrivateKey: rsaKey,
- }
-
- man := &Manager{Cache: newMemCache(t)}
- defer man.stopRenew()
- ctx := context.Background()
-
- if err := man.cachePut(ctx, exampleCertKey, ecdsaCert); err != nil {
- t.Fatalf("man.cachePut: %v", err)
- }
- if err := man.cachePut(ctx, exampleCertKeyRSA, rsaCert); err != nil {
- t.Fatalf("man.cachePut: %v", err)
- }
-
- res, err := man.cacheGet(ctx, exampleCertKey)
- if err != nil {
- t.Fatalf("man.cacheGet: %v", err)
- }
- if res == nil || !bytes.Equal(res.Certificate[0], ecdsaCert.Certificate[0]) {
- t.Errorf("man.cacheGet = %+v; want %+v", res, ecdsaCert)
- }
-
- res, err = man.cacheGet(ctx, exampleCertKeyRSA)
- if err != nil {
- t.Fatalf("man.cacheGet: %v", err)
- }
- if res == nil || !bytes.Equal(res.Certificate[0], rsaCert.Certificate[0]) {
- t.Errorf("man.cacheGet = %+v; want %+v", res, rsaCert)
- }
- }
-
- func TestHostWhitelist(t *testing.T) {
- policy := HostWhitelist("example.com", "example.org", "*.example.net")
- tt := []struct {
- host string
- allow bool
- }{
- {"example.com", true},
- {"example.org", true},
- {"one.example.com", false},
- {"two.example.org", false},
- {"three.example.net", false},
- {"dummy", false},
- }
- for i, test := range tt {
- err := policy(nil, test.host)
- if err != nil && test.allow {
- t.Errorf("%d: policy(%q): %v; want nil", i, test.host, err)
- }
- if err == nil && !test.allow {
- t.Errorf("%d: policy(%q): nil; want an error", i, test.host)
- }
- }
- }
-
- func TestValidCert(t *testing.T) {
- key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatal(err)
- }
- key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatal(err)
- }
- key3, err := rsa.GenerateKey(rand.Reader, 512)
- if err != nil {
- t.Fatal(err)
- }
- cert1, err := dummyCert(key1.Public(), "example.org")
- if err != nil {
- t.Fatal(err)
- }
- cert2, err := dummyCert(key2.Public(), "example.org")
- if err != nil {
- t.Fatal(err)
- }
- cert3, err := dummyCert(key3.Public(), "example.org")
- if err != nil {
- t.Fatal(err)
- }
- now := time.Now()
- early, err := dateDummyCert(key1.Public(), now.Add(time.Hour), now.Add(2*time.Hour), "example.org")
- if err != nil {
- t.Fatal(err)
- }
- expired, err := dateDummyCert(key1.Public(), now.Add(-2*time.Hour), now.Add(-time.Hour), "example.org")
- if err != nil {
- t.Fatal(err)
- }
-
- tt := []struct {
- ck certKey
- key crypto.Signer
- cert [][]byte
- ok bool
- }{
- {certKey{domain: "example.org"}, key1, [][]byte{cert1}, true},
- {certKey{domain: "example.org", isRSA: true}, key3, [][]byte{cert3}, true},
- {certKey{domain: "example.org"}, key1, [][]byte{cert1, cert2, cert3}, true},
- {certKey{domain: "example.org"}, key1, [][]byte{cert1, {1}}, false},
- {certKey{domain: "example.org"}, key1, [][]byte{{1}}, false},
- {certKey{domain: "example.org"}, key1, [][]byte{cert2}, false},
- {certKey{domain: "example.org"}, key2, [][]byte{cert1}, false},
- {certKey{domain: "example.org"}, key1, [][]byte{cert3}, false},
- {certKey{domain: "example.org"}, key3, [][]byte{cert1}, false},
- {certKey{domain: "example.net"}, key1, [][]byte{cert1}, false},
- {certKey{domain: "example.org"}, key1, [][]byte{early}, false},
- {certKey{domain: "example.org"}, key1, [][]byte{expired}, false},
- {certKey{domain: "example.org", isRSA: true}, key1, [][]byte{cert1}, false},
- {certKey{domain: "example.org"}, key3, [][]byte{cert3}, false},
- }
- for i, test := range tt {
- leaf, err := validCert(test.ck, test.cert, test.key)
- if err != nil && test.ok {
- t.Errorf("%d: err = %v", i, err)
- }
- if err == nil && !test.ok {
- t.Errorf("%d: err is nil", i)
- }
- if err == nil && test.ok && leaf == nil {
- t.Errorf("%d: leaf is nil", i)
- }
- }
- }
-
- type cacheGetFunc func(ctx context.Context, key string) ([]byte, error)
-
- func (f cacheGetFunc) Get(ctx context.Context, key string) ([]byte, error) {
- return f(ctx, key)
- }
-
- func (f cacheGetFunc) Put(ctx context.Context, key string, data []byte) error {
- return fmt.Errorf("unsupported Put of %q = %q", key, data)
- }
-
- func (f cacheGetFunc) Delete(ctx context.Context, key string) error {
- return fmt.Errorf("unsupported Delete of %q", key)
- }
-
- func TestManagerGetCertificateBogusSNI(t *testing.T) {
- m := Manager{
- Prompt: AcceptTOS,
- Cache: cacheGetFunc(func(ctx context.Context, key string) ([]byte, error) {
- return nil, fmt.Errorf("cache.Get of %s", key)
- }),
- }
- tests := []struct {
- name string
- wantErr string
- }{
- {"foo.com", "cache.Get of foo.com"},
- {"foo.com.", "cache.Get of foo.com"},
- {`a\b.com`, "acme/autocert: server name contains invalid character"},
- {`a/b.com`, "acme/autocert: server name contains invalid character"},
- {"", "acme/autocert: missing server name"},
- {"foo", "acme/autocert: server name component count invalid"},
- {".foo", "acme/autocert: server name component count invalid"},
- {"foo.", "acme/autocert: server name component count invalid"},
- {"fo.o", "cache.Get of fo.o"},
- }
- for _, tt := range tests {
- _, err := m.GetCertificate(clientHelloInfo(tt.name, true))
- got := fmt.Sprint(err)
- if got != tt.wantErr {
- t.Errorf("GetCertificate(SNI = %q) = %q; want %q", tt.name, got, tt.wantErr)
- }
- }
- }
-
- func TestCertRequest(t *testing.T) {
- key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatal(err)
- }
- // An extension from RFC7633. Any will do.
- ext := pkix.Extension{
- Id: asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1},
- Value: []byte("dummy"),
- }
- b, err := certRequest(key, "example.org", []pkix.Extension{ext}, "san.example.org")
- if err != nil {
- t.Fatalf("certRequest: %v", err)
- }
- r, err := x509.ParseCertificateRequest(b)
- if err != nil {
- t.Fatalf("ParseCertificateRequest: %v", err)
- }
- var found bool
- for _, v := range r.Extensions {
- if v.Id.Equal(ext.Id) {
- found = true
- break
- }
- }
- if !found {
- t.Errorf("want %v in Extensions: %v", ext, r.Extensions)
- }
- }
-
- func TestSupportsECDSA(t *testing.T) {
- tests := []struct {
- CipherSuites []uint16
- SignatureSchemes []tls.SignatureScheme
- SupportedCurves []tls.CurveID
- ecdsaOk bool
- }{
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- }, nil, nil, false},
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- }, nil, nil, true},
-
- // SignatureSchemes limits, not extends, CipherSuites
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- }, []tls.SignatureScheme{
- tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
- }, nil, false},
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- }, []tls.SignatureScheme{
- tls.PKCS1WithSHA256,
- }, nil, false},
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- }, []tls.SignatureScheme{
- tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
- }, nil, true},
-
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- }, []tls.SignatureScheme{
- tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
- }, []tls.CurveID{
- tls.CurveP521,
- }, false},
- {[]uint16{
- tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- }, []tls.SignatureScheme{
- tls.PKCS1WithSHA256, tls.ECDSAWithP256AndSHA256,
- }, []tls.CurveID{
- tls.CurveP256,
- tls.CurveP521,
- }, true},
- }
- for i, tt := range tests {
- result := supportsECDSA(&tls.ClientHelloInfo{
- CipherSuites: tt.CipherSuites,
- SignatureSchemes: tt.SignatureSchemes,
- SupportedCurves: tt.SupportedCurves,
- })
- if result != tt.ecdsaOk {
- t.Errorf("%d: supportsECDSA = %v; want %v", i, result, tt.ecdsaOk)
- }
- }
- }
|