...

Source file src/github.com/letsencrypt/boulder/test/integration/issuance_test.go

Documentation: github.com/letsencrypt/boulder/test/integration 

     1  //go:build integration
     2  
     3  package integration
     4  
     5  import (
     6  	"crypto/ecdsa"
     7  	"crypto/elliptic"
     8  	"crypto/rand"
     9  	"fmt"
    10  	"os"
    11  	"strings"
    12  	"testing"
    13  
    14  	"github.com/letsencrypt/boulder/test"
    15  )
    16  
    17  // TestCommonNameInCSR ensures that CSRs which have a CN set result in certs
    18  // with the same CN set.
    19  func TestCommonNameInCSR(t *testing.T) {
    20  	t.Parallel()
    21  
    22  	// Create an account.
    23  	client, err := makeClient("mailto:example@letsencrypt.org")
    24  	test.AssertNotError(t, err, "creating acme client")
    25  
    26  	// Create a private key.
    27  	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    28  	test.AssertNotError(t, err, "creating random cert key")
    29  
    30  	// Put together some names.
    31  	cn := random_domain()
    32  	san1 := random_domain()
    33  	san2 := random_domain()
    34  
    35  	// Issue a cert. authAndIssue includes the 0th name as the CN by default.
    36  	ir, err := authAndIssue(client, key, []string{cn, san1, san2}, true)
    37  	test.AssertNotError(t, err, "failed to issue test cert")
    38  	cert := ir.certs[0]
    39  
    40  	// Ensure that the CN is incorporated into the SANs.
    41  	test.AssertSliceContains(t, cert.DNSNames, cn)
    42  	test.AssertSliceContains(t, cert.DNSNames, san1)
    43  	test.AssertSliceContains(t, cert.DNSNames, san2)
    44  
    45  	// Ensure that the CN is preserved as the CN.
    46  	test.AssertEquals(t, cert.Subject.CommonName, cn)
    47  }
    48  
    49  // TestFirstCSRSANHoistedToCN ensures that CSRs which have no CN set result in
    50  // certs with the first CSR SAN hoisted into the CN field.
    51  func TestFirstCSRSANHoistedToCN(t *testing.T) {
    52  	t.Parallel()
    53  
    54  	// Create an account.
    55  	client, err := makeClient("mailto:example@letsencrypt.org")
    56  	test.AssertNotError(t, err, "creating acme client")
    57  
    58  	// Create a private key.
    59  	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    60  	test.AssertNotError(t, err, "creating random cert key")
    61  
    62  	// Create some names that we can sort.
    63  	san1 := "a" + random_domain()
    64  	san2 := "b" + random_domain()
    65  
    66  	// Issue a cert using a CSR with no CN set, and the SANs in *non*-alpha order.
    67  	ir, err := authAndIssue(client, key, []string{san2, san1}, false)
    68  	test.AssertNotError(t, err, "failed to issue test cert")
    69  	cert := ir.certs[0]
    70  
    71  	// Ensure that the SANs are correct, and sorted alphabetically.
    72  	test.AssertEquals(t, cert.DNSNames[0], san1)
    73  	test.AssertEquals(t, cert.DNSNames[1], san2)
    74  
    75  	// Ensure that the first SAN from the CSR is the CN.
    76  	test.Assert(t, cert.Subject.CommonName == san2, "first SAN should have been hoisted")
    77  }
    78  
    79  // TestCommonNameSANsTooLong tests that, when the names in an order and CSR are
    80  // too long to be hoisted into the CN, the correct behavior results (depending
    81  // on the state of the RequireCommonName feature flag).
    82  func TestCommonNameSANsTooLong(t *testing.T) {
    83  	t.Parallel()
    84  
    85  	// Create an account.
    86  	client, err := makeClient("mailto:example@letsencrypt.org")
    87  	test.AssertNotError(t, err, "creating acme client")
    88  
    89  	// Create a private key.
    90  	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    91  	test.AssertNotError(t, err, "creating random cert key")
    92  
    93  	// Put together some names.
    94  	san1 := fmt.Sprintf("thisdomainnameis.morethan64characterslong.forthesakeoftesting.%s", random_domain())
    95  	san2 := fmt.Sprintf("thisdomainnameis.morethan64characterslong.forthesakeoftesting.%s", random_domain())
    96  
    97  	// Issue a cert using a CSR with no CN set.
    98  	ir, err := authAndIssue(client, key, []string{san1, san2}, false)
    99  
   100  	// By default, the RequireCommonName flag is true, so issuance should have failed.
   101  	if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
   102  		test.AssertError(t, err, "issuing cert with no CN")
   103  		return
   104  	}
   105  
   106  	// But in config-next, the RequireCommonName flag is false, so issuance should
   107  	// have succeeded.
   108  	test.AssertNotError(t, err, "failed to issue test cert")
   109  	cert := ir.certs[0]
   110  
   111  	// Ensure that the SANs are correct.
   112  	test.AssertSliceContains(t, cert.DNSNames, san1)
   113  	test.AssertSliceContains(t, cert.DNSNames, san2)
   114  
   115  	// Ensure that the CN is empty.
   116  	test.AssertEquals(t, cert.Subject.CommonName, "")
   117  }
   118  

View as plain text