
     1  package notmain
     2  
     3  import (
     4  	"crypto/x509"
     5  	"encoding/pem"
     6  	"os"
     7  	"testing"
     8  
     9  	"github.com/letsencrypt/boulder/core"
    10  	"github.com/letsencrypt/boulder/test"
    11  )
    12  
// TestLoadChain_Valid loads a well-formed two-cert chain (intermediate first,
// root second) and checks what loadChain hands back: the returned issuer must
// be the intermediate, and the returned PEM must hold exactly that one
// intermediate certificate with nothing (in particular, no root) after it.
func TestLoadChain_Valid(t *testing.T) {
	const (
		intermediatePath = "../../test/test-ca-cross.pem"
		rootPath         = "../../test/test-root2.pem"
	)

	issuer, chainPEM, err := loadChain([]string{intermediatePath, rootPath})
	test.AssertNotError(t, err, "Should load valid chain")

	// Independently load the intermediate so we have a reference DER to
	// compare every other view of it against.
	wantIssuer, err := core.LoadCert(intermediatePath)
	test.AssertNotError(t, err, "Failed to load test issuer")

	// The first PEM block of the returned chain must parse as a certificate.
	firstBlock, remainder := pem.Decode(chainPEM)
	test.AssertNotNil(t, firstBlock, "Failed to decode chain PEM")
	chainCert, err := x509.ParseCertificate(firstBlock.Bytes)
	test.AssertNotError(t, err, "Failed to parse chain PEM")

	// Both the issuer returned by loadChain and the cert parsed back out of
	// the chain bytes must be byte-for-byte the intermediate we loaded.
	test.AssertByteEquals(t, issuer.Raw, wantIssuer.Raw)
	test.AssertByteEquals(t, chainCert.Raw, wantIssuer.Raw)

	// Anything decodable after the first block means the chain carried more
	// than the single intermediate, which is not what loadChain should emit.
	if extra, _ := pem.Decode(remainder); extra != nil {
		t.Error("Expected chain PEM to contain one cert and nothing else")
	}
}
    39  
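// TestLoadChain_TooShort checks that loadChain refuses chains with fewer than
// two entries. A chain needs at least an intermediate and a root, so a nil
// list, an empty list and a single entry must all be rejected. The single
// path used here does not exist, so this case errors regardless of whether
// the length check or the file load fires first; the empty cases have no
// file to load and so exercise the length check alone.
func TestLoadChain_TooShort(t *testing.T) {
	tooShort := [][]string{
		nil,
		{},
		{"/path/to/one/cert.pem"},
	}
	for _, chain := range tooShort {
		_, _, err := loadChain(chain)
		test.AssertError(t, err, "Should reject too-short chain")
	}
}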
    44  
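// TestLoadChain_Unloadable checks that loadChain surfaces an error when any
// entry in the chain cannot be loaded, whichever position it is in: a missing
// intermediate, a missing root, and an intermediate file that exists and is
// readable but holds no PEM block at all.
func TestLoadChain_Unloadable(t *testing.T) {
	const (
		intermediatePath = "../../test/test-ca-cross.pem"
		rootPath         = "../../test/test-root2.pem"
		missingPath      = "does-not-exist.pem"
	)

	// Build the empty (PEM-less) file. The CreateTemp error is checked rather
	// than discarded, the handle is closed so it does not leak, and the file
	// is removed when the test finishes instead of being left in the temp dir.
	invalidPEMFile, err := os.CreateTemp("", "invalid.pem")
	test.AssertNotError(t, err, "Error creating invalid PEM tmp file")
	defer os.Remove(invalidPEMFile.Name())
	err = invalidPEMFile.Close()
	test.AssertNotError(t, err, "Error closing invalid PEM tmp file")
	err = os.WriteFile(invalidPEMFile.Name(), []byte(""), 0640)
	test.AssertNotError(t, err, "Error writing invalid PEM tmp file")

	cases := []struct {
		name  string
		chain []string
	}{
		{"missing intermediate", []string{missingPath, rootPath}},
		{"missing root", []string{intermediatePath, missingPath}},
		{"empty intermediate file", []string{invalidPEMFile.Name(), rootPath}},
	}
	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			_, _, err := loadChain(tc.chain)
			test.AssertError(t, err, "Should reject unloadable chain")
		})
	}
}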
    67  
// TestLoadChain_InvalidSig hands loadChain the two test certs in the wrong
// order: root first, intermediate second. The valid order (see
// TestLoadChain_Valid) is intermediate-then-root, so reversing it yields a
// chain whose entries do not fit together as issuer and signer. loadChain is
// expected to reject it; the test's name suggests this is caught by a
// signature check, but the exact error is not pinned here.
func TestLoadChain_InvalidSig(t *testing.T) {
	reversed := []string{
		"../../test/test-root2.pem",
		"../../test/test-ca-cross.pem",
	}
	_, _, err := loadChain(reversed)
	test.AssertError(t, err, "Should reject invalid signature")
}
    75  
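// TestLoadChain_NoRoot is a placeholder for the case where the chain contains
// no root certificate. It cannot be written yet because the test hierarchy
// has no pair of CA certificates where neither is a root. It is skipped
// rather than left with an empty body so the gap is visible in test output
// instead of counting as a silently passing test.
func TestLoadChain_NoRoot(t *testing.T) {
	// TODO(#5251): Implement this when we have a hierarchy which includes two
	// CA certs, neither of which is a root.
	t.Skip("TODO(#5251): needs a test hierarchy with two non-root CA certs")
}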
    80  
