fionera
/
transfer.sh
forked from kiska/transfer.sh
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
259 Commits
9 Branches
34 MiB
 
 
 
Tree: cb0401ec5c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cb0401ec5c'
${ noResults }
transfer.sh/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go

441 lines
11 KiB
Raw Blame History 

  1. // Copyright 2016 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package autocert

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/elliptic"

  11. 	"crypto/rand"

  12. 	"crypto/rsa"

  13. 	"crypto/tls"

  14. 	"crypto/x509"

  15. 	"crypto/x509/pkix"

  16. 	"encoding/base64"

  17. 	"encoding/json"

  18. 	"fmt"

  19. 	"html/template"

  20. 	"io"

  21. 	"math/big"

  22. 	"net/http"

  23. 	"net/http/httptest"

  24. 	"reflect"

  25. 	"sync"

  26. 	"testing"

  27. 	"time"

  28. 

  29. 	"golang.org/x/crypto/acme"

  30. 	"golang.org/x/net/context"

  31. )

  32. 

  33. var discoTmpl = template.Must(template.New("disco").Parse(`{

  34. 	"new-reg": "{{.}}/new-reg",

  35. 	"new-authz": "{{.}}/new-authz",

  36. 	"new-cert": "{{.}}/new-cert"

  37. }`))

  38. 

  39. var authzTmpl = template.Must(template.New("authz").Parse(`{

  40. 	"status": "pending",

  41. 	"challenges": [

  42. 		{

  43. 			"uri": "{{.}}/challenge/1",

  44. 			"type": "tls-sni-01",

  45. 			"token": "token-01"

  46. 		},

  47. 		{

  48. 			"uri": "{{.}}/challenge/2",

  49. 			"type": "tls-sni-02",

  50. 			"token": "token-02"

  51. 		}

  52. 	]

  53. }`))

  54. 

  55. type memCache struct {

  56. 	mu      sync.Mutex

  57. 	keyData map[string][]byte

  58. }

  59. 

  60. func (m *memCache) Get(ctx context.Context, key string) ([]byte, error) {

  61. 	m.mu.Lock()

  62. 	defer m.mu.Unlock()

  63. 

  64. 	v, ok := m.keyData[key]

  65. 	if !ok {

  66. 		return nil, ErrCacheMiss

  67. 	}

  68. 	return v, nil

  69. }

  70. 

  71. func (m *memCache) Put(ctx context.Context, key string, data []byte) error {

  72. 	m.mu.Lock()

  73. 	defer m.mu.Unlock()

  74. 

  75. 	m.keyData[key] = data

  76. 	return nil

  77. }

  78. 

  79. func (m *memCache) Delete(ctx context.Context, key string) error {

  80. 	m.mu.Lock()

  81. 	defer m.mu.Unlock()

  82. 

  83. 	delete(m.keyData, key)

  84. 	return nil

  85. }

  86. 

  87. func newMemCache() *memCache {

  88. 	return &memCache{

  89. 		keyData: make(map[string][]byte),

  90. 	}

  91. }

  92. 

  93. func dummyCert(pub interface{}, san ...string) ([]byte, error) {

  94. 	return dateDummyCert(pub, time.Now(), time.Now().Add(90*24*time.Hour), san...)

  95. }

  96. 

  97. func dateDummyCert(pub interface{}, start, end time.Time, san ...string) ([]byte, error) {

  98. 	// use EC key to run faster on 386

  99. 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  100. 	if err != nil {

  101. 		return nil, err

  102. 	}

  103. 	t := &x509.Certificate{

  104. 		SerialNumber:          big.NewInt(1),

  105. 		NotBefore:             start,

  106. 		NotAfter:              end,

  107. 		BasicConstraintsValid: true,

  108. 		KeyUsage:              x509.KeyUsageKeyEncipherment,

  109. 		DNSNames:              san,

  110. 	}

  111. 	if pub == nil {

  112. 		pub = &key.PublicKey

  113. 	}

  114. 	return x509.CreateCertificate(rand.Reader, t, t, pub, key)

  115. }

  116. 

  117. func decodePayload(v interface{}, r io.Reader) error {

  118. 	var req struct{ Payload string }

  119. 	if err := json.NewDecoder(r).Decode(&req); err != nil {

  120. 		return err

  121. 	}

  122. 	payload, err := base64.RawURLEncoding.DecodeString(req.Payload)

  123. 	if err != nil {

  124. 		return err

  125. 	}

  126. 	return json.Unmarshal(payload, v)

  127. }

  128. 

  129. func TestGetCertificate(t *testing.T) {

  130. 	man := &Manager{Prompt: AcceptTOS}

  131. 	defer man.stopRenew()

  132. 	hello := &tls.ClientHelloInfo{ServerName: "example.org"}

  133. 	testGetCertificate(t, man, "example.org", hello)

  134. }

  135. 

  136. func TestGetCertificate_trailingDot(t *testing.T) {

  137. 	man := &Manager{Prompt: AcceptTOS}

  138. 	defer man.stopRenew()

  139. 	hello := &tls.ClientHelloInfo{ServerName: "example.org."}

  140. 	testGetCertificate(t, man, "example.org", hello)

  141. }

  142. 

  143. func TestGetCertificate_ForceRSA(t *testing.T) {

  144. 	man := &Manager{

  145. 		Prompt:   AcceptTOS,

  146. 		Cache:    newMemCache(),

  147. 		ForceRSA: true,

  148. 	}

  149. 	defer man.stopRenew()

  150. 	hello := &tls.ClientHelloInfo{ServerName: "example.org"}

  151. 	testGetCertificate(t, man, "example.org", hello)

  152. 

  153. 	cert, err := man.cacheGet("example.org")

  154. 	if err != nil {

  155. 		t.Fatalf("man.cacheGet: %v", err)

  156. 	}

  157. 	if _, ok := cert.PrivateKey.(*rsa.PrivateKey); !ok {

  158. 		t.Errorf("cert.PrivateKey is %T; want *rsa.PrivateKey", cert.PrivateKey)

  159. 	}

  160. }

  161. 

  162. // tests man.GetCertificate flow using the provided hello argument.

  163. // The domain argument is the expected domain name of a certificate request.

  164. func testGetCertificate(t *testing.T, man *Manager, domain string, hello *tls.ClientHelloInfo) {

  165. 	// echo token-02 | shasum -a 256

  166. 	// then divide result in 2 parts separated by dot

  167. 	tokenCertName := "4e8eb87631187e9ff2153b56b13a4dec.13a35d002e485d60ff37354b32f665d9.token.acme.invalid"

  168. 	verifyTokenCert := func() {

  169. 		hello := &tls.ClientHelloInfo{ServerName: tokenCertName}

  170. 		_, err := man.GetCertificate(hello)

  171. 		if err != nil {

  172. 			t.Errorf("verifyTokenCert: GetCertificate(%q): %v", tokenCertName, err)

  173. 			return

  174. 		}

  175. 	}

  176. 

  177. 	// ACME CA server stub

  178. 	var ca *httptest.Server

  179. 	ca = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  180. 		w.Header().Set("replay-nonce", "nonce")

  181. 		if r.Method == "HEAD" {

  182. 			// a nonce request

  183. 			return

  184. 		}

  185. 

  186. 		switch r.URL.Path {

  187. 		// discovery

  188. 		case "/":

  189. 			if err := discoTmpl.Execute(w, ca.URL); err != nil {

  190. 				t.Fatalf("discoTmpl: %v", err)

  191. 			}

  192. 		// client key registration

  193. 		case "/new-reg":

  194. 			w.Write([]byte("{}"))

  195. 		// domain authorization

  196. 		case "/new-authz":

  197. 			w.Header().Set("location", ca.URL+"/authz/1")

  198. 			w.WriteHeader(http.StatusCreated)

  199. 			if err := authzTmpl.Execute(w, ca.URL); err != nil {

  200. 				t.Fatalf("authzTmpl: %v", err)

  201. 			}

  202. 		// accept tls-sni-02 challenge

  203. 		case "/challenge/2":

  204. 			verifyTokenCert()

  205. 			w.Write([]byte("{}"))

  206. 		// authorization status

  207. 		case "/authz/1":

  208. 			w.Write([]byte(`{"status": "valid"}`))

  209. 		// cert request

  210. 		case "/new-cert":

  211. 			var req struct {

  212. 				CSR string `json:"csr"`

  213. 			}

  214. 			decodePayload(&req, r.Body)

  215. 			b, _ := base64.RawURLEncoding.DecodeString(req.CSR)

  216. 			csr, err := x509.ParseCertificateRequest(b)

  217. 			if err != nil {

  218. 				t.Fatalf("new-cert: CSR: %v", err)

  219. 			}

  220. 			if csr.Subject.CommonName != domain {

  221. 				t.Errorf("CommonName in CSR = %q; want %q", csr.Subject.CommonName, domain)

  222. 			}

  223. 			der, err := dummyCert(csr.PublicKey, domain)

  224. 			if err != nil {

  225. 				t.Fatalf("new-cert: dummyCert: %v", err)

  226. 			}

  227. 			chainUp := fmt.Sprintf("<%s/ca-cert>; rel=up", ca.URL)

  228. 			w.Header().Set("link", chainUp)

  229. 			w.WriteHeader(http.StatusCreated)

  230. 			w.Write(der)

  231. 		// CA chain cert

  232. 		case "/ca-cert":

  233. 			der, err := dummyCert(nil, "ca")

  234. 			if err != nil {

  235. 				t.Fatalf("ca-cert: dummyCert: %v", err)

  236. 			}

  237. 			w.Write(der)

  238. 		default:

  239. 			t.Errorf("unrecognized r.URL.Path: %s", r.URL.Path)

  240. 		}

  241. 	}))

  242. 	defer ca.Close()

  243. 

  244. 	// use EC key to run faster on 386

  245. 	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  246. 	if err != nil {

  247. 		t.Fatal(err)

  248. 	}

  249. 	man.Client = &acme.Client{

  250. 		Key:          key,

  251. 		DirectoryURL: ca.URL,

  252. 	}

  253. 

  254. 	// simulate tls.Config.GetCertificate

  255. 	var tlscert *tls.Certificate

  256. 	done := make(chan struct{})

  257. 	go func() {

  258. 		tlscert, err = man.GetCertificate(hello)

  259. 		close(done)

  260. 	}()

  261. 	select {

  262. 	case <-time.After(time.Minute):

  263. 		t.Fatal("man.GetCertificate took too long to return")

  264. 	case <-done:

  265. 	}

  266. 	if err != nil {

  267. 		t.Fatalf("man.GetCertificate: %v", err)

  268. 	}

  269. 

  270. 	// verify the tlscert is the same we responded with from the CA stub

  271. 	if len(tlscert.Certificate) == 0 {

  272. 		t.Fatal("len(tlscert.Certificate) is 0")

  273. 	}

  274. 	cert, err := x509.ParseCertificate(tlscert.Certificate[0])

  275. 	if err != nil {

  276. 		t.Fatalf("x509.ParseCertificate: %v", err)

  277. 	}

  278. 	if len(cert.DNSNames) == 0 || cert.DNSNames[0] != domain {

  279. 		t.Errorf("cert.DNSNames = %v; want %q", cert.DNSNames, domain)

  280. 	}

  281. 

  282. 	// make sure token cert was removed

  283. 	done = make(chan struct{})

  284. 	go func() {

  285. 		for {

  286. 			hello := &tls.ClientHelloInfo{ServerName: tokenCertName}

  287. 			if _, err := man.GetCertificate(hello); err != nil {

  288. 				break

  289. 			}

  290. 			time.Sleep(100 * time.Millisecond)

  291. 		}

  292. 		close(done)

  293. 	}()

  294. 	select {

  295. 	case <-time.After(5 * time.Second):

  296. 		t.Error("token cert was not removed")

  297. 	case <-done:

  298. 	}

  299. }

  300. 

  301. func TestAccountKeyCache(t *testing.T) {

  302. 	m := Manager{Cache: newMemCache()}

  303. 	ctx := context.Background()

  304. 	k1, err := m.accountKey(ctx)

  305. 	if err != nil {

  306. 		t.Fatal(err)

  307. 	}

  308. 	k2, err := m.accountKey(ctx)

  309. 	if err != nil {

  310. 		t.Fatal(err)

  311. 	}

  312. 	if !reflect.DeepEqual(k1, k2) {

  313. 		t.Errorf("account keys don't match: k1 = %#v; k2 = %#v", k1, k2)

  314. 	}

  315. }

  316. 

  317. func TestCache(t *testing.T) {

  318. 	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  319. 	if err != nil {

  320. 		t.Fatal(err)

  321. 	}

  322. 	tmpl := &x509.Certificate{

  323. 		SerialNumber: big.NewInt(1),

  324. 		Subject:      pkix.Name{CommonName: "example.org"},

  325. 		NotAfter:     time.Now().Add(time.Hour),

  326. 	}

  327. 	pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &privKey.PublicKey, privKey)

  328. 	if err != nil {

  329. 		t.Fatal(err)

  330. 	}

  331. 	tlscert := &tls.Certificate{

  332. 		Certificate: [][]byte{pub},

  333. 		PrivateKey:  privKey,

  334. 	}

  335. 

  336. 	man := &Manager{Cache: newMemCache()}

  337. 	defer man.stopRenew()

  338. 	if err := man.cachePut("example.org", tlscert); err != nil {

  339. 		t.Fatalf("man.cachePut: %v", err)

  340. 	}

  341. 	res, err := man.cacheGet("example.org")

  342. 	if err != nil {

  343. 		t.Fatalf("man.cacheGet: %v", err)

  344. 	}

  345. 	if res == nil {

  346. 		t.Fatal("res is nil")

  347. 	}

  348. }

  349. 

  350. func TestHostWhitelist(t *testing.T) {

  351. 	policy := HostWhitelist("example.com", "example.org", "*.example.net")

  352. 	tt := []struct {

  353. 		host  string

  354. 		allow bool

  355. 	}{

  356. 		{"example.com", true},

  357. 		{"example.org", true},

  358. 		{"one.example.com", false},

  359. 		{"two.example.org", false},

  360. 		{"three.example.net", false},

  361. 		{"dummy", false},

  362. 	}

  363. 	for i, test := range tt {

  364. 		err := policy(nil, test.host)

  365. 		if err != nil && test.allow {

  366. 			t.Errorf("%d: policy(%q): %v; want nil", i, test.host, err)

  367. 		}

  368. 		if err == nil && !test.allow {

  369. 			t.Errorf("%d: policy(%q): nil; want an error", i, test.host)

  370. 		}

  371. 	}

  372. }

  373. 

  374. func TestValidCert(t *testing.T) {

  375. 	key1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  376. 	if err != nil {

  377. 		t.Fatal(err)

  378. 	}

  379. 	key2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

  380. 	if err != nil {

  381. 		t.Fatal(err)

  382. 	}

  383. 	key3, err := rsa.GenerateKey(rand.Reader, 512)

  384. 	if err != nil {

  385. 		t.Fatal(err)

  386. 	}

  387. 	cert1, err := dummyCert(key1.Public(), "example.org")

  388. 	if err != nil {

  389. 		t.Fatal(err)

  390. 	}

  391. 	cert2, err := dummyCert(key2.Public(), "example.org")

  392. 	if err != nil {

  393. 		t.Fatal(err)

  394. 	}

  395. 	cert3, err := dummyCert(key3.Public(), "example.org")

  396. 	if err != nil {

  397. 		t.Fatal(err)

  398. 	}

  399. 	now := time.Now()

  400. 	early, err := dateDummyCert(key1.Public(), now.Add(time.Hour), now.Add(2*time.Hour), "example.org")

  401. 	if err != nil {

  402. 		t.Fatal(err)

  403. 	}

  404. 	expired, err := dateDummyCert(key1.Public(), now.Add(-2*time.Hour), now.Add(-time.Hour), "example.org")

  405. 	if err != nil {

  406. 		t.Fatal(err)

  407. 	}

  408. 

  409. 	tt := []struct {

  410. 		domain string

  411. 		key    crypto.Signer

  412. 		cert   [][]byte

  413. 		ok     bool

  414. 	}{

  415. 		{"example.org", key1, [][]byte{cert1}, true},

  416. 		{"example.org", key3, [][]byte{cert3}, true},

  417. 		{"example.org", key1, [][]byte{cert1, cert2, cert3}, true},

  418. 		{"example.org", key1, [][]byte{cert1, {1}}, false},

  419. 		{"example.org", key1, [][]byte{{1}}, false},

  420. 		{"example.org", key1, [][]byte{cert2}, false},

  421. 		{"example.org", key2, [][]byte{cert1}, false},

  422. 		{"example.org", key1, [][]byte{cert3}, false},

  423. 		{"example.org", key3, [][]byte{cert1}, false},

  424. 		{"example.net", key1, [][]byte{cert1}, false},

  425. 		{"example.org", key1, [][]byte{early}, false},

  426. 		{"example.org", key1, [][]byte{expired}, false},

  427. 	}

  428. 	for i, test := range tt {

  429. 		leaf, err := validCert(test.domain, test.cert, test.key)

  430. 		if err != nil && test.ok {

  431. 			t.Errorf("%d: err = %v", i, err)

  432. 		}

  433. 		if err == nil && !test.ok {

  434. 			t.Errorf("%d: err is nil", i)

  435. 		}

  436. 		if err == nil && test.ok && leaf == nil {

  437. 			t.Errorf("%d: leaf is nil", i)

  438. 		}

  439. 	}

  440. }