
Source file src/github.com/letsencrypt/boulder/goodkey/blocked_test.go


     1  package goodkey
     2  
import (
	"context"
	"crypto"
	"os"
	"path/filepath"
	"testing"

	"github.com/letsencrypt/boulder/core"
	"github.com/letsencrypt/boulder/test"
	"github.com/letsencrypt/boulder/web"
	yaml "gopkg.in/yaml.v3"
)
    14  
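// TestBlockedKeys exercises loadBlockedKeysList together with the blockedList
// hook on KeyPolicy. It checks that an empty list is rejected at load time,
// that a policy without a block list accepts the test keys, and that once a
// populated list (one legacy base64 SHA-256 entry plus one hex SHA-256 entry)
// is attached, GoodKey rejects every test key with an error wrapping ErrBadKey.
func TestBlockedKeys(t *testing.T) {
	// blockedList mirrors the on-disk YAML shape read by loadBlockedKeysList.
	type blockedList struct {
		BlockedHashes    []string `yaml:"blocked"`
		BlockedHashesHex []string `yaml:"blockedHashesHex"`
	}

	// writeList marshals list to YAML inside a per-test temp dir and returns
	// the file path. t.TempDir is cleaned up by the testing package, so there
	// is no os.Remove to defer and no open *os.File handle to close (which
	// os.CreateTemp would otherwise hand back).
	writeList := func(list *blockedList) string {
		t.Helper()
		yamlList, err := yaml.Marshal(list)
		test.AssertNotError(t, err, "error marshaling test blockedKeys list")

		path := filepath.Join(t.TempDir(), "test-blocked-keys-list.yaml")
		err = os.WriteFile(path, yamlList, 0640)
		test.AssertNotError(t, err, "error writing test blockedKeys yaml file")
		return path
	}

	// Start with an empty list: loading it must fail, since a block list with
	// no entries is almost certainly a misconfiguration.
	var inList blockedList
	_, err := loadBlockedKeysList(writeList(&inList))
	test.AssertError(t, err, "expected error loading empty blockedKeys yaml file")

	// Load some test certs/keys - see ../test/block-a-key/test/README.txt
	// for more information.
	testCertA, err := core.LoadCert("../test/block-a-key/test/test.rsa.cert.pem")
	test.AssertNotError(t, err, "error loading test.rsa.cert.pem")
	testCertB, err := core.LoadCert("../test/block-a-key/test/test.ecdsa.cert.pem")
	test.AssertNotError(t, err, "error loading test.ecdsa.cert.pem")
	testJWKA, err := web.LoadJWK("../test/block-a-key/test/test.rsa.jwk.json")
	test.AssertNotError(t, err, "error loading test.rsa.jwk.json")
	testJWKB, err := web.LoadJWK("../test/block-a-key/test/test.ecdsa.jwk.json")
	test.AssertNotError(t, err, "error loading test.ecdsa.jwk.json")

	// All of the above should be blocked once the list is in place.
	blockedKeys := []crypto.PublicKey{
		testCertA.PublicKey,
		testCertB.PublicKey,
		testJWKA.Key,
		testJWKB.Key,
	}

	// Now use a populated list - these values match the base64 digest of the
	// public keys in the test certs/JWKs. Two entries cover four keys, which
	// relies on each cert sharing its key with the matching JWK (see the
	// README referenced above). One entry is in the legacy base64 form and the
	// other in hex so both parsing paths are exercised.
	inList.BlockedHashes = []string{
		"cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=",
	}
	inList.BlockedHashesHex = []string{
		"41e6dcd55dd2917de2ce461118d262966f4172ebdfd28a31e14d919fe6f824e1",
	}

	// Trying to load the populated list should not error.
	outList, err := loadBlockedKeysList(writeList(&inList))
	test.AssertNotError(t, err, "unexpected error loading populated blockedKeys yaml file")

	// Create a test policy that doesn't reference the blocked list.
	testingPolicy := &KeyPolicy{
		AllowRSA:           true,
		AllowECDSANISTP256: true,
		AllowECDSANISTP384: true,
	}

	// Without a block list none of the test keys should be rejected; this
	// guards against a false positive from the other GoodKey checks.
	for _, k := range blockedKeys {
		err := testingPolicy.GoodKey(context.Background(), k)
		test.AssertNotError(t, err, "test key was blocked by key policy without block list")
	}

	// Now update the key policy with the blocked list.
	testingPolicy.blockedList = outList

	// Now all of the test keys should be considered blocked, and with the
	// correct type of error so callers can distinguish "bad key" from an
	// internal failure.
	for _, k := range blockedKeys {
		err := testingPolicy.GoodKey(context.Background(), k)
		test.AssertError(t, err, "test key was not blocked by key policy with block list")
		test.AssertErrorIs(t, err, ErrBadKey)
	}
}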
   102  
