From 9c58f8a780b9cc95a673a5ee8522be5d45a75fd9 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Wed, 1 Nov 2023 17:00:53 -0700
Subject: [PATCH] Further simplifications to test.ThrowAwayCert
---
 ra/ra_test.go | 33 ++++++---------------------------
 sa/sa_test.go | 16 ++++++++--------
 test/certs.go | 46 +++++++++++++++------------------------------
 3 files changed, 29 insertions(+), 66 deletions(-)
diff --git a/ra/ra_test.go b/ra/ra_test.go
index 7929ec27378..d95dd332250 100644
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -3850,7 +3850,7 @@ func TestRevokeCertByApplicant_Subscriber(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
- _, cert := test.ThrowAwayCert(t, clk, 1)
+ _, cert := test.ThrowAwayCert(t, clk)
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -3904,7 +3904,7 @@ func TestRevokeCertByApplicant_Controller(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
- _, cert := test.ThrowAwayCert(t, clk, 1)
+ _, cert := test.ThrowAwayCert(t, clk)
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -3943,20 +3943,9 @@ func TestRevokeCertByKey(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
- k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
- digest, err := core.KeyDigest(k.Public())
+ _, cert := test.ThrowAwayCert(t, clk)
+ digest, err := core.KeyDigest(cert.PublicKey)
 test.AssertNotError(t, err, "core.KeyDigest failed")
-
- template := x509.Certificate{
- SerialNumber: big.NewInt(257),
- NotBefore: clk.Now(),
- NotAfter: clk.Now().Add(6 * 24 * time.Hour),
- }
- der, err := x509.CreateCertificate(rand.Reader, &template, &template, k.Public(), k)
- test.AssertNotError(t, err, "x509.CreateCertificate failed")
- cert, err := x509.ParseCertificate(der)
- test.AssertNotError(t, err, "x509.ParseCertificate failed")
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -4007,19 +3996,9 @@ func TestAdministrativelyRevokeCertificate(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
- k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
- digest, err := core.KeyDigest(k.Public())
+ serial, cert := test.ThrowAwayCert(t, clk)
+ digest, err := core.KeyDigest(cert.PublicKey)
 test.AssertNotError(t, err, "core.KeyDigest failed")
-
- serial := "04eac294a0e61035d8254d5a04f61a37c802"
- serialInt, err := core.StringToSerial(serial)
- test.AssertNotError(t, err, "decoding serial number")
- template := x509.Certificate{SerialNumber: serialInt}
- der, err := x509.CreateCertificate(rand.Reader, &template, &template, k.Public(), k)
- test.AssertNotError(t, err, "x509.CreateCertificate failed")
- cert, err := x509.ParseCertificate(der)
- test.AssertNotError(t, err, "x509.ParseCertificate failed")
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
diff --git a/sa/sa_test.go b/sa/sa_test.go
index 328b0e547c0..65764591527 100644
--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@@ -326,7 +326,7 @@ func TestAddSerial(t *testing.T) {
 defer cleanUp()
 reg := createWorkingRegistration(t, sa)
- serial, testCert := test.ThrowAwayCert(t, clk, 1)
+ serial, testCert := test.ThrowAwayCert(t, clk)
 _, err := sa.AddSerial(context.Background(), &sapb.AddSerialRequest{
 RegID: reg.Id,
@@ -378,7 +378,7 @@ func TestGetSerialMetadata(t *testing.T) {
 defer cleanUp()
 reg := createWorkingRegistration(t, sa)
- serial, _ := test.ThrowAwayCert(t, clk, 1)
+ serial, _ := test.ThrowAwayCert(t, clk)
 _, err := sa.GetSerialMetadata(context.Background(), &sapb.Serial{Serial: serial})
 test.AssertError(t, err, "getting nonexistent serial should have failed")
@@ -415,7 +415,7 @@ func TestAddPrecertificate(t *testing.T) {
 // Create a throw-away self signed certificate with a random name and
 // serial number
- serial, testCert := test.ThrowAwayCert(t, clk, 1)
+ serial, testCert := test.ThrowAwayCert(t, clk)
 // Add the cert as a precertificate
 regID := reg.Id
@@ -459,7 +459,7 @@ func TestAddPrecertificateNoOCSP(t *testing.T) {
 defer cleanUp()
 reg := createWorkingRegistration(t, sa)
- _, testCert := test.ThrowAwayCert(t, clk, 1)
+ _, testCert := test.ThrowAwayCert(t, clk)
 regID := reg.Id
 issuedTime := time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC)
@@ -479,7 +479,7 @@ func TestAddPreCertificateDuplicate(t *testing.T) {
 reg := createWorkingRegistration(t, sa)
- _, testCert := test.ThrowAwayCert(t, clk, 1)
+ _, testCert := test.ThrowAwayCert(t, clk)
 issuedTime := clk.Now()
 _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
@@ -509,7 +509,7 @@ func TestAddPrecertificateIncomplete(t *testing.T) {
 // Create a throw-away self signed certificate with a random name and
 // serial number
- _, testCert := test.ThrowAwayCert(t, clk, 1)
+ _, testCert := test.ThrowAwayCert(t, clk)
 // Add the cert as a precertificate
 regID := reg.Id
@@ -530,7 +530,7 @@ func TestAddPrecertificateKeyHash(t *testing.T) {
 defer cleanUp()
 reg := createWorkingRegistration(t, sa)
- serial, testCert := test.ThrowAwayCert(t, clk, 1)
+ serial, testCert := test.ThrowAwayCert(t, clk)
 _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 Der: testCert.Raw,
 RegID: reg.Id,
@@ -610,7 +610,7 @@ func TestAddCertificateDuplicate(t *testing.T) {
 reg := createWorkingRegistration(t, sa)
- _, testCert := test.ThrowAwayCert(t, clk, 1)
+ _, testCert := test.ThrowAwayCert(t, clk)
 issuedTime := clk.Now()
 _, err := sa.AddCertificate(ctx, &sapb.AddCertificateRequest{
diff --git a/test/certs.go b/test/certs.go
index 82106aac40a..6dd1ce5a239 100644
--- a/test/certs.go
+++ b/test/certs.go
@@ -3,6 +3,7 @@ package test
 import (
 "crypto"
 "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
 "crypto/x509"
@@ -61,51 +62,34 @@ func LoadSigner(filename string) (crypto.Signer, error) {
 }
 // ThrowAwayCert is a small test helper function that creates a self-signed
-// certificate for nameCount random example.com subdomains and returns the
-// parsed certificate and the random serial in string form or aborts the test.
+// certificate with one SAN. It returns the parsed certificate and its serial
+// in string form for convenience.
 // The certificate returned from this function is the bare minimum needed for
 // most tests and isn't a robust example of a complete end entity certificate.
-func ThrowAwayCert(t *testing.T, clk clock.Clock, nameCount int) (string, *x509.Certificate) {
+func ThrowAwayCert(t *testing.T, clk clock.Clock) (string, *x509.Certificate) {
+ var nameBytes [3]byte
+ _, _ = rand.Read(nameBytes[:])
+ name := fmt.Sprintf("%s.example.com", hex.EncodeToString(nameBytes[:]))
+
 var serialBytes [16]byte
 _, _ = rand.Read(serialBytes[:])
- sn := big.NewInt(0).SetBytes(serialBytes[:])
-
- return ThrowAwayCertWithSerial(t, clk, nameCount, sn, nil)
-}
+ serial := big.NewInt(0).SetBytes(serialBytes[:])
-// ThrowAwayCertWithSerial is a small test helper function that creates a
-// certificate for nameCount random example.com subdomains and returns the
-// parsed certificate and the serial in string form or aborts the test.
-// The new throwaway certificate is always self-signed (with a random key),
-// but will appear to be issued from issuer if provided.
-// The certificate returned from this function is the bare minimum needed for
-// most tests and isn't a robust example of a complete end entity certificate.
-func ThrowAwayCertWithSerial(t *testing.T, clk clock.Clock, nameCount int, sn *big.Int, issuer *x509.Certificate) (string, *x509.Certificate) {
- k, err := rsa.GenerateKey(rand.Reader, 512)
+ key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
 AssertNotError(t, err, "rsa.GenerateKey failed")
- var names []string
- for i := 0; i < nameCount; i++ {
- var nameBytes [3]byte
- _, _ = rand.Read(nameBytes[:])
- names = append(names, fmt.Sprintf("%s.example.com", hex.EncodeToString(nameBytes[:])))
- }
-
 template := &x509.Certificate{
- SerialNumber: sn,
- DNSNames: names,
+ SerialNumber: serial,
+ DNSNames: []string{name},
 NotBefore: clk.Now(),
 NotAfter: clk.Now().Add(6 * 24 * time.Hour),
 IssuingCertificateURL: []string{"http://localhost:4001/acme/issuer-cert/1234"},
 }
- if issuer == nil {
- issuer = template
- }
-
- testCertDER, err := x509.CreateCertificate(rand.Reader, template, issuer, &k.PublicKey, k)
+ testCertDER, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
 AssertNotError(t, err, "x509.CreateCertificate failed")
 testCert, err := x509.ParseCertificate(testCertDER)
 AssertNotError(t, err, "failed to parse self-signed cert DER")
- return fmt.Sprintf("%036x", sn), testCert
+
+ return fmt.Sprintf("%036x", serial), testCert
 }
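Review bot: The assertion message on the context line right after the new key generation is now stale — the call became `ecdsa.GenerateKey(elliptic.P224(), rand.Reader)` but a failure would still report `AssertNotError(t, err, "rsa.GenerateKey failed")`; change it to `AssertNotError(t, err, "ecdsa.GenerateKey failed")`. The two `_, _ = rand.Read(...)` calls (the newly added nameBytes one and the kept serialBytes one) discard the crypto/rand error even though every other step of this helper aborts the test via AssertNotError, so a failed read would silently yield a low-entropy name or an all-zero serial rather than a clear failure; `_, err := rand.Read(serialBytes[:])` followed by `AssertNotError(t, err, "rand.Read failed")` (and the same for nameBytes) keeps the helper's fail-fast contract. P-224 is presumably chosen for speed, but it is not a curve Boulder's goodkey policy accepts for subscriber keys, so any test that routes the returned certificate's key through key-policy checks would now fail for that reason rather than the one under test; a doc-comment line such as `// The key is P-224 for speed and would not pass goodkey; tests exercising key policy must build their own certificate.` would make that limitation visible at the call sites in ra_test.go and sa_test.go.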