@ -1463,28 +1463,28 @@ func TestTLSALPN01Validate(t *testing.T) {
res: ch,
}
},
"ok/with-new-oid": func(t *testing.T) test {
"ok/obsolete-oid": func(t *testing.T) test {
ch, err := newTLSALPNCh()
assert.FatalError(t, err)
_ch, ok := ch.(*tlsALPN01Challenge)
assert.Fatal(t, ok)
_ch.baseChallenge.Error = MalformedErr(nil).ToACME()
oldb, err := json.Marshal(ch)
assert.FatalError(t, err)
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
assert.FatalError(t, err)
expErr := RejectedIdentifierErr(errors.New("incorrect certificate for tls-alpn-01 challenge: " +
"obsolete id-pe-acmeIdentifier in acmeValidationV1 extension"))
baseClone := ch.clone()
baseClone.Status = StatusValid
baseClone.Error = nil
baseClone.Error = expErr.ToACME()
newCh := &tlsALPN01Challenge{baseClone}
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
newb, err := json.Marshal(newCh)
assert.FatalError(t, err)
expKeyAuth, err := KeyAuthorization(ch.getToken(), jwk)
assert.FatalError(t, err)
expKeyAuthHash := sha256.Sum256([]byte(expKeyAuth))
cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], false, true, ch.getValue())
cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], true, true, ch.getValue())
assert.FatalError(t, err)
srv, tlsDial := newTestTLSALPNServer(cert)
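Review bot: In the "ok/obsolete-oid" body, `baseClone.Error = nil` is immediately followed by `baseClone.Error = expErr.ToACME()`, and `jwk, err := jose.GenerateJWK(...)` appears twice; the page does not mark which printed lines are old and which are new, but if both assignments and both declarations survive on the new side the first `Error` assignment is dead and the second `:=` does not compile, so presumably one of each pair is the removed line. The call `newTLSALPNValidationCert(expKeyAuthHash[:], true, true, ch.getValue())` passes two bare booleans whose meaning is only recoverable from the helper; a trailing comment such as `// obsolete OID, critical extension — confirm against newTLSALPNValidationCert's parameter order` on this call and on the `false, true` variant would make the two cases self-describing. A one-line comment above `expErr`, `// an acmeValidationV1 extension carrying the obsolete id-pe-acmeIdentifier OID must be rejected`, would also explain why a case named "ok/…" expects a RejectedIdentifier error. TestTLSALPN01Validate starts before this hunk.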
@ -1494,15 +1494,7 @@ func TestTLSALPN01Validate(t *testing.T) {
srv: srv,
ch: ch,
vo: validateOptions{
tlsDial: func(network, addr string, config *tls.Config) (conn *tls.Conn, err error) {
assert.Equals(t, network, "tcp")
assert.Equals(t, addr, net.JoinHostPort(newCh.getValue(), "443"))
assert.Equals(t, config.NextProtos, []string{"acme-tls/1"})
assert.Equals(t, config.ServerName, newCh.getValue())
assert.True(t, config.InsecureSkipVerify)
return tlsDial(network, addr, config)
},
tlsDial: tlsDial,
},
jwk: jwk,
db: &db.MockNoSQLDB{
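Review bot: The asserting dial wrapper dropped from this case (the five `assert.Equals`/`assert.True` calls on `network`, the `:443` address, the `acme-tls/1` ALPN, `ServerName` and `InsecureSkipVerify`) is re-added verbatim in the later `+1540` hunk for the "ok/with-new-oid" case, so the two cases now differ only by which one carries the nine-line copy. As written, the obsolete-OID case no longer checks what the validator puts in its ClientHello at all, and that is the negative path where an accidental change to the ALPN or SNI the server keys its validation certificate on would otherwise go unnoticed. A small helper returning the asserting dialer would let both cases keep the checks without duplication. The enclosing test case starts in the previous hunk and continues past this one.
```go
vo: validateOptions{
	tlsDial: assertingTLSDial(t, newCh.getValue(), tlsDial),
},
// … unchanged: jwk and db fields …

// assertingTLSDial returns a dialer that checks the parameters the validator is
// expected to use for tls-alpn-01 before delegating to dial.
func assertingTLSDial(t *testing.T, host string, dial func(string, string, *tls.Config) (*tls.Conn, error)) func(string, string, *tls.Config) (*tls.Conn, error) {
	return func(network, addr string, config *tls.Config) (*tls.Conn, error) {
		assert.Equals(t, network, "tcp")
		assert.Equals(t, addr, net.JoinHostPort(host, "443"))
		assert.Equals(t, config.NextProtos, []string{"acme-tls/1"})
		assert.Equals(t, config.ServerName, host)
		assert.True(t, config.InsecureSkipVerify)
		return dial(network, addr, config)
	}
}
```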
@ -1510,22 +1502,14 @@ func TestTLSALPN01Validate(t *testing.T) {
assert.Equals(t, bucket, challengeTable)
assert.Equals(t, key, []byte(ch.getID()))
assert.Equals(t, old, oldb)
alpnCh, err := unmarshalChallenge(newval)
assert.FatalError(t, err)
assert.Equals(t, alpnCh.getStatus(), StatusValid)
assert.True(t, alpnCh.getValidated().Before(time.Now().UTC().Add(time.Minute)))
assert.True(t, alpnCh.getValidated().After(time.Now().UTC().Add(-1*time.Second)))
baseClone.Validated = alpnCh.getValidated()
assert.Equals(t, string(newval), string(newb))
return nil, true, nil
},
},
res: newCh,
res: ch,
}
},
"ok/with-obsolete-oid": func(t *testing.T) test {
"ok/with-new-oid": func(t *testing.T) test {
ch, err := newTLSALPNCh()
assert.FatalError(t, err)
_ch, ok := ch.(*tlsALPN01Challenge)
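Review bot: The obsolete-oid case's `Update` callback appears to lose the block that decodes `newval` with `unmarshalChallenge` and asserts the stored status and `Validated` timestamp, and its expected result becomes `res: ch`, the original challenge, while the value written to the store is `newb`, built from a clone carrying the RejectedIdentifier error; which of the printed lines survive on the new side is inferred, since the page marks neither side. If returning the pre-update challenge on a rejected certificate is the intended contract, a comment such as `// on rejection the stored challenge carries the error but the caller gets the original back` above `res: ch,` would record it. Consider also asserting explicitly that the decoded stored challenge is not `StatusValid` and that its error is the expected one, so a regression that accepts the obsolete OID fails on status rather than only on byte-equality of the JSON with `newb`. The enclosing test case continues past this hunk.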
@ -1546,7 +1530,7 @@ func TestTLSALPN01Validate(t *testing.T) {
assert.FatalError(t, err)
expKeyAuthHash := sha256.Sum256([]byte(expKeyAuth))
cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], true, true, ch.getValue())
cert, err := newTLSALPNValidationCert(expKeyAuthHash[:], false, true, ch.getValue())
assert.FatalError(t, err)
srv, tlsDial := newTestTLSALPNServer(cert)
@ -1556,7 +1540,15 @@ func TestTLSALPN01Validate(t *testing.T) {
srv: srv,
ch: ch,
vo: validateOptions{
tlsDial: tlsDial,
tlsDial: func(network, addr string, config *tls.Config) (conn *tls.Conn, err error) {
assert.Equals(t, network, "tcp")
assert.Equals(t, addr, net.JoinHostPort(newCh.getValue(), "443"))
assert.Equals(t, config.NextProtos, []string{"acme-tls/1"})
assert.Equals(t, config.ServerName, newCh.getValue())
assert.True(t, config.InsecureSkipVerify)
return tlsDial(network, addr, config)
},
},
jwk: jwk,
db: &db.MockNoSQLDB{