
Source file src/github.com/letsencrypt/boulder/test/integration/ari_test.go


     1  //go:build integration
     2  
     3  package integration
     4  
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"testing"
	"time"

	"github.com/eggsampler/acme/v3"

	"github.com/letsencrypt/boulder/test"
	ocsp_helper "github.com/letsencrypt/boulder/test/ocsp/helper"
)
    20  
    21  // certID matches the ASN.1 structure of the CertID sequence defined by RFC6960.
// certID matches the ASN.1 structure of the CertID sequence defined by RFC6960.
// Field order follows the RFC's SEQUENCE and must be kept as-is: ASN.1 encoding
// of a Go struct is positional, so reordering fields changes the encoding.
// NOTE(review): not referenced by TestARI in this file; presumably used by
// another test in the package or kept for hand-building CertIDs — confirm
// before removing.
type certID struct {
	HashAlgorithm  pkix.AlgorithmIdentifier
	IssuerNameHash []byte
	IssuerKeyHash  []byte
	SerialNumber   *big.Int
}
    28  
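// TestARI exercises the ACME Renewal Information (ARI) endpoint end to end:
// a freshly issued certificate gets a suggested renewal window and Retry-After
// in the expected future range; a revoked certificate gets a window entirely
// in the past; marking a certificate as replaced is accepted; and a
// precertificate whose issuance was aborted (CT submission sabotaged) is not
// served at all (404).
//
// Each ARI request identifies the certificate by its RFC 6960 CertID, built by
// the client with SHA-256 over the issuer returned by ocsp_helper.GetIssuer.
func TestARI(t *testing.T) {
	t.Parallel()

	// Create an account.
	client, err := makeClient("mailto:example@letsencrypt.org")
	test.AssertNotError(t, err, "creating acme client")

	// Create a private key for the end-entity certificates issued below.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	test.AssertNotError(t, err, "creating random cert key")

	// Issue a cert, request ARI, and check that both the suggested window and
	// the retry-after header are approximately the right amount of time in the
	// future.
	name := random_domain()
	ir, err := authAndIssue(client, key, []string{name}, true)
	test.AssertNotError(t, err, "failed to issue test cert")

	cert := ir.certs[0]
	issuer, err := ocsp_helper.GetIssuer(cert)
	test.AssertNotError(t, err, "failed to get issuer cert")

	eri, err := client.GetRenewalInfo(cert, issuer, crypto.SHA256)
	test.AssertNotError(t, err, "ARI request should have succeeded")
	// Measure all three offsets against a single instant so they cannot drift
	// relative to each other; rounding to the hour absorbs request latency.
	// The expected offsets depend on the test CA's certificate lifetime and
	// ARI window configuration — adjust them together if that changes.
	now := time.Now()
	test.AssertEquals(t, eri.SuggestedWindow.Start.Sub(now).Round(time.Hour), 1415*time.Hour)
	test.AssertEquals(t, eri.SuggestedWindow.End.Sub(now).Round(time.Hour), 1463*time.Hour)
	test.AssertEquals(t, eri.RetryAfter.Sub(now).Round(time.Hour), 6*time.Hour)

	// Revoke the cert (request signed with the account key, reason code 0),
	// re-request ARI, and the window should now be in the past so that a
	// well-behaved client renews immediately.
	err = client.RevokeCertificate(client.Account, cert, client.PrivateKey, 0)
	test.AssertNotError(t, err, "failed to revoke cert")

	eri, err = client.GetRenewalInfo(cert, issuer, crypto.SHA256)
	test.AssertNotError(t, err, "ARI request should have succeeded")
	test.Assert(t, eri.SuggestedWindow.End.Before(time.Now()), "suggested window should end in the past")
	test.Assert(t, eri.SuggestedWindow.Start.Before(eri.SuggestedWindow.End), "suggested window should start before it ends")

	// Check that marking the cert as replaced succeeds, but don't check that
	// any server state has been updated (because that doesn't happen, yet).
	err = client.UpdateRenewalInfo(client.Account, cert, issuer, crypto.SHA256, true)
	test.AssertNotError(t, err, "ARI request should have succeeded")

	// Try to make a new cert for a new domain, but sabotage the CT logs so
	// issuance fails. Recover the precert from CT, then request ARI and check
	// that it fails, because we don't serve ARI for non-issued certs: a
	// precertificate that never became a final certificate must not be
	// treated as a live certificate with a renewal window.
	name = random_domain()
	err = ctAddRejectHost(name)
	test.AssertNotError(t, err, "failed to add ct-test-srv reject host")
	_, err = authAndIssue(client, key, []string{name}, true)
	test.AssertError(t, err, "expected error from authAndIssue, was nil")

	cert, err = ctFindRejection([]string{name})
	test.AssertNotError(t, err, "failed to find rejected precert")
	issuer, err = ocsp_helper.GetIssuer(cert)
	test.AssertNotError(t, err, "failed to get issuer cert")

	// The response body is irrelevant here; only the failure mode matters.
	_, err = client.GetRenewalInfo(cert, issuer, crypto.SHA256)
	test.AssertError(t, err, "ARI request should have failed")
	// Use errors.As instead of a bare type assertion: if the failure is not an
	// ACME problem document (e.g. a transport error), the test should fail
	// with a message rather than panic.
	var prob acme.Problem
	test.Assert(t, errors.As(err, &prob), "ARI error should be an ACME problem document")
	test.AssertEquals(t, prob.Status, 404)
}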
    89  
