...

Source file src/github.com/letsencrypt/boulder/test/integration/ocsp_test.go

Documentation: github.com/letsencrypt/boulder/test/integration 

     1  //go:build integration
     2  
     3  package integration
     4  
     5  import (
     6  	"strings"
     7  	"testing"
     8  
     9  	"golang.org/x/crypto/ocsp"
    10  
    11  	"github.com/letsencrypt/boulder/core"
    12  	ocsp_helper "github.com/letsencrypt/boulder/test/ocsp/helper"
    13  )
    14  
    15  // TODO(#5172): Fill out these test stubs.
    16  func TestOCSPBadRequestMethod(t *testing.T) {
    17  	return
    18  }
    19  
    20  func TestOCSPBadGetUrl(t *testing.T) {
    21  	return
    22  }
    23  
    24  func TestOCSPBadGetBody(t *testing.T) {
    25  	return
    26  }
    27  
    28  func TestOCSPBadPostBody(t *testing.T) {
    29  	return
    30  }
    31  
    32  func TestOCSPBadHashAlgorithm(t *testing.T) {
    33  	return
    34  }
    35  
    36  func TestOCSPBadIssuerCert(t *testing.T) {
    37  	return
    38  }
    39  
    40  func TestOCSPBadSerialPrefix(t *testing.T) {
    41  	t.Parallel()
    42  	domain := random_domain()
    43  	res, err := authAndIssue(nil, nil, []string{domain}, true)
    44  	if err != nil || len(res.certs) < 1 {
    45  		t.Fatal("Failed to issue dummy cert for OCSP testing")
    46  	}
    47  	cert := res.certs[0]
    48  	// Increment the first byte of the cert's serial number by 1, making the
    49  	// prefix invalid. This works because ocsp_helper.Req (and the underlying
    50  	// ocsp.CreateRequest) completely ignore the cert's .Raw value.
    51  	serialStr := []byte(core.SerialToString(cert.SerialNumber))
    52  	serialStr[0] = serialStr[0] + 1
    53  	cert.SerialNumber.SetString(string(serialStr), 16)
    54  	_, err = ocsp_helper.Req(cert, ocsp_helper.DefaultConfig)
    55  	if err == nil {
    56  		t.Fatal("Expected error getting OCSP for request with invalid serial")
    57  	}
    58  }
    59  
    60  func TestOCSPNonexistentSerial(t *testing.T) {
    61  	return
    62  }
    63  
    64  func TestOCSPExpiredCert(t *testing.T) {
    65  	return
    66  }
    67  
    68  func TestOCSPRejectedPrecertificate(t *testing.T) {
    69  	t.Parallel()
    70  	domain := random_domain()
    71  	err := ctAddRejectHost(domain)
    72  	if err != nil {
    73  		t.Fatalf("adding ct-test-srv reject host: %s", err)
    74  	}
    75  
    76  	_, err = authAndIssue(nil, nil, []string{domain}, true)
    77  	if err != nil {
    78  		if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:serverInternal") ||
    79  			!strings.Contains(err.Error(), "SCT embedding") {
    80  			t.Fatal(err)
    81  		}
    82  	}
    83  	if err == nil {
    84  		t.Fatal("expected error issuing for domain rejected by CT servers; got none")
    85  	}
    86  
    87  	// Try to find a precertificate matching the domain from one of the
    88  	// configured ct-test-srv instances.
    89  	cert, err := ctFindRejection([]string{domain})
    90  	if err != nil || cert == nil {
    91  		t.Fatalf("couldn't find rejected precert for %q", domain)
    92  	}
    93  
    94  	ocspConfig := ocsp_helper.DefaultConfig.WithExpectStatus(ocsp.Good)
    95  	_, err = ocsp_helper.ReqDER(cert.Raw, ocspConfig)
    96  	if err != nil {
    97  		t.Errorf("requesting OCSP for rejected precertificate: %s", err)
    98  	}
    99  }
   100  

View as plain text