Further simplifications to test.ThrowAwayCert #7129

merged 2 commits into from
Nov 2, 2023
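--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -3850,7 +3850,7 @@ func TestRevokeCertByApplicant_Subscriber(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
 
-_, cert := test.ThrowAwayCert(t, clk, 1)
+_, cert := test.ThrowAwayCert(t, clk)
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -3904,7 +3904,7 @@ func TestRevokeCertByApplicant_Controller(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
 
-_, cert := test.ThrowAwayCert(t, clk, 1)
+_, cert := test.ThrowAwayCert(t, clk)
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -3943,20 +3943,9 @@ func TestRevokeCertByKey(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
 
-k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
-digest, err := core.KeyDigest(k.Public())
+_, cert := test.ThrowAwayCert(t, clk)
+digest, err := core.KeyDigest(cert.PublicKey)
 test.AssertNotError(t, err, "core.KeyDigest failed")
-
-template := x509.Certificate{
-SerialNumber: big.NewInt(257),
-NotBefore: clk.Now(),
-NotAfter: clk.Now().Add(6 * 24 * time.Hour),
-}
-der, err := x509.CreateCertificate(rand.Reader, &template, &template, k.Public(), k)
-test.AssertNotError(t, err, "x509.CreateCertificate failed")
-cert, err := x509.ParseCertificate(der)
-test.AssertNotError(t, err, "x509.ParseCertificate failed")
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{
@@ -4007,19 +3996,9 @@ func TestAdministrativelyRevokeCertificate(t *testing.T) {
 ra.OCSP = &mockOCSPA{}
 ra.purger = &mockPurger{}
 
-k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-test.AssertNotError(t, err, "ecdsa.GenerateKey failed")
-digest, err := core.KeyDigest(k.Public())
+serial, cert := test.ThrowAwayCert(t, clk)
+digest, err := core.KeyDigest(cert.PublicKey)
 test.AssertNotError(t, err, "core.KeyDigest failed")
-
-serial := "04eac294a0e61035d8254d5a04f61a37c802"
-serialInt, err := core.StringToSerial(serial)
-test.AssertNotError(t, err, "decoding serial number")
-template := x509.Certificate{SerialNumber: serialInt}
-der, err := x509.CreateCertificate(rand.Reader, &template, &template, k.Public(), k)
-test.AssertNotError(t, err, "x509.CreateCertificate failed")
-cert, err := x509.ParseCertificate(der)
-test.AssertNotError(t, err, "x509.ParseCertificate failed")
 ic, err := issuance.NewCertificate(cert)
 test.AssertNotError(t, err, "failed to create issuer cert")
 ra.issuersByNameID = map[issuance.IssuerNameID]*issuance.Certificate{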
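--- a/sa/sa_test.go
+++ b/sa/sa_test.go
@@ -326,7 +326,7 @@ func TestAddSerial(t *testing.T) {
 defer cleanUp()
 
 reg := createWorkingRegistration(t, sa)
-serial, testCert := test.ThrowAwayCert(t, clk, 1)
+serial, testCert := test.ThrowAwayCert(t, clk)
 
 _, err := sa.AddSerial(context.Background(), &sapb.AddSerialRequest{
 RegID: reg.Id,
@@ -378,7 +378,7 @@ func TestGetSerialMetadata(t *testing.T) {
 defer cleanUp()
 
 reg := createWorkingRegistration(t, sa)
-serial, _ := test.ThrowAwayCert(t, clk, 1)
+serial, _ := test.ThrowAwayCert(t, clk)
 
 _, err := sa.GetSerialMetadata(context.Background(), &sapb.Serial{Serial: serial})
 test.AssertError(t, err, "getting nonexistent serial should have failed")
@@ -415,7 +415,7 @@ func TestAddPrecertificate(t *testing.T) {
 
 // Create a throw-away self signed certificate with a random name and
 // serial number
-serial, testCert := test.ThrowAwayCert(t, clk, 1)
+serial, testCert := test.ThrowAwayCert(t, clk)
 
 // Add the cert as a precertificate
 regID := reg.Id
@@ -459,7 +459,7 @@ func TestAddPrecertificateNoOCSP(t *testing.T) {
 defer cleanUp()
 
 reg := createWorkingRegistration(t, sa)
-_, testCert := test.ThrowAwayCert(t, clk, 1)
+_, testCert := test.ThrowAwayCert(t, clk)
 
 regID := reg.Id
 issuedTime := time.Date(2018, 4, 1, 7, 0, 0, 0, time.UTC)
@@ -479,7 +479,7 @@ func TestAddPreCertificateDuplicate(t *testing.T) {
 
 reg := createWorkingRegistration(t, sa)
 
-_, testCert := test.ThrowAwayCert(t, clk, 1)
+_, testCert := test.ThrowAwayCert(t, clk)
 issuedTime := clk.Now()
 
 _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
@@ -509,7 +509,7 @@ func TestAddPrecertificateIncomplete(t *testing.T) {
 
 // Create a throw-away self signed certificate with a random name and
 // serial number
-_, testCert := test.ThrowAwayCert(t, clk, 1)
+_, testCert := test.ThrowAwayCert(t, clk)
 
 // Add the cert as a precertificate
 regID := reg.Id
@@ -530,7 +530,7 @@ func TestAddPrecertificateKeyHash(t *testing.T) {
 defer cleanUp()
 reg := createWorkingRegistration(t, sa)
 
-serial, testCert := test.ThrowAwayCert(t, clk, 1)
+serial, testCert := test.ThrowAwayCert(t, clk)
 _, err := sa.AddPrecertificate(ctx, &sapb.AddCertificateRequest{
 Der: testCert.Raw,
 RegID: reg.Id,
@@ -610,7 +610,7 @@ func TestAddCertificateDuplicate(t *testing.T) {
 
 reg := createWorkingRegistration(t, sa)
 
-_, testCert := test.ThrowAwayCert(t, clk, 1)
+_, testCert := test.ThrowAwayCert(t, clk)
 
 issuedTime := clk.Now()
 _, err := sa.AddCertificate(ctx, &sapb.AddCertificateRequest{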
46 changes: 15 additions & 31 deletions test/certs.go
Expand Up @@ -3,6 +3,7 @@ package test
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
Expand Down Expand Up @@ -61,51 +62,34 @@ func LoadSigner(filename string) (crypto.Signer, error) {
}

// ThrowAwayCert is a small test helper function that creates a self-signed
// certificate for nameCount random example.com subdomains and returns the
// parsed certificate and the random serial in string form or aborts the test.
// certificate with one SAN. It returns the parsed certificate and its serial
// in string form for convenience.
// The certificate returned from this function is the bare minimum needed for
// most tests and isn't a robust example of a complete end entity certificate.
func ThrowAwayCert(t *testing.T, clk clock.Clock, nameCount int) (string, *x509.Certificate) {
func ThrowAwayCert(t *testing.T, clk clock.Clock) (string, *x509.Certificate) {
var nameBytes [3]byte
_, _ = rand.Read(nameBytes[:])
name := fmt.Sprintf("%s.example.com", hex.EncodeToString(nameBytes[:]))

var serialBytes [16]byte
_, _ = rand.Read(serialBytes[:])
sn := big.NewInt(0).SetBytes(serialBytes[:])

return ThrowAwayCertWithSerial(t, clk, nameCount, sn, nil)
}
serial := big.NewInt(0).SetBytes(serialBytes[:])

// ThrowAwayCertWithSerial is a small test helper function that creates a
// certificate for nameCount random example.com subdomains and returns the
// parsed certificate and the serial in string form or aborts the test.
// The new throwaway certificate is always self-signed (with a random key),
// but will appear to be issued from issuer if provided.
// The certificate returned from this function is the bare minimum needed for
// most tests and isn't a robust example of a complete end entity certificate.
func ThrowAwayCertWithSerial(t *testing.T, clk clock.Clock, nameCount int, sn *big.Int, issuer *x509.Certificate) (string, *x509.Certificate) {
k, err := rsa.GenerateKey(rand.Reader, 512)
key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
AssertNotError(t, err, "rsa.GenerateKey failed")

var names []string
for i := 0; i < nameCount; i++ {
var nameBytes [3]byte
_, _ = rand.Read(nameBytes[:])
names = append(names, fmt.Sprintf("%s.example.com", hex.EncodeToString(nameBytes[:])))
}

template := &x509.Certificate{
SerialNumber: sn,
DNSNames: names,
SerialNumber: serial,
DNSNames: []string{name},
NotBefore: clk.Now(),
NotAfter: clk.Now().Add(6 * 24 * time.Hour),
IssuingCertificateURL: []string{"http://localhost:4001/acme/issuer-cert/1234"},
}

if issuer == nil {
issuer = template
}

testCertDER, err := x509.CreateCertificate(rand.Reader, template, issuer, &k.PublicKey, k)
testCertDER, err := x509.CreateCertificate(rand.Reader, template, template, key.Public(), key)
AssertNotError(t, err, "x509.CreateCertificate failed")
testCert, err := x509.ParseCertificate(testCertDER)
AssertNotError(t, err, "failed to parse self-signed cert DER")
return fmt.Sprintf("%036x", sn), testCert

return fmt.Sprintf("%036x", serial), testCert
}
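Review bot: The assertion message right after `key, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)` still reads `"rsa.GenerateKey failed"`, so a failure here would point a reader at a call that no longer exists; change it to `AssertNotError(t, err, "ecdsa.GenerateKey failed")`. The switch to P-224 also deserves a why-comment, since it is presumably chosen for generation speed rather than realism — something like `// P-224 is used only because it is fast to generate; it is not a curve Boulder issues for, so don't pass this cert to tests that exercise key-policy or lint checks` (confirm the key-policy claim before stating it as fact). The two `_, _ = rand.Read(...)` calls discard their error; on Go versions where crypto/rand.Read can fail, a short read would silently produce a zero serial or a fixed name, so either `AssertNotError` on those results or a one-line comment explaining why ignoring them is acceptable would match how the rest of the helper handles errors. ThrowAwayCert is contained entirely within this hunk.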