Add test case for failed came-tls/1 protocol negotiation.
This commit is contained in:
parent
9052da66a3
commit
b8208ec401
1 changed files with 40 additions and 3 deletions
|
@ -23,8 +23,6 @@ import (
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"golang.org/x/crypto/acme"
|
|
||||||
|
|
||||||
"github.com/pkg/errors"
|
"github.com/pkg/errors"
|
||||||
"github.com/smallstep/assert"
|
"github.com/smallstep/assert"
|
||||||
"github.com/smallstep/certificates/db"
|
"github.com/smallstep/certificates/db"
|
||||||
|
@ -1352,6 +1350,45 @@ func TestTLSALPN01Validate(t *testing.T) {
|
||||||
res: ch,
|
res: ch,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"ok/no-protocol": func(t *testing.T) test {
|
||||||
|
ch, err := newTLSALPNCh()
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
oldb, err := json.Marshal(ch)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
|
||||||
|
jwk, err := jose.GenerateJWK("EC", "P-256", "ES256", "sig", "", 0)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
|
||||||
|
expErr := RejectedIdentifierErr(errors.New("cannot negotiate ALPN acme-tls/1 protocol for tls-alpn-01 challenge"))
|
||||||
|
baseClone := ch.clone()
|
||||||
|
baseClone.Error = expErr.ToACME()
|
||||||
|
newCh := &tlsALPN01Challenge{baseClone}
|
||||||
|
newb, err := json.Marshal(newCh)
|
||||||
|
assert.FatalError(t, err)
|
||||||
|
|
||||||
|
srv := httptest.NewTLSServer(nil)
|
||||||
|
|
||||||
|
return test{
|
||||||
|
srv: srv,
|
||||||
|
ch: ch,
|
||||||
|
vo: validateOptions{
|
||||||
|
tlsDial: func(network, addr string, config *tls.Config) (*tls.Conn, error) {
|
||||||
|
return tls.DialWithDialer(&net.Dialer{Timeout: time.Second}, "tcp", srv.Listener.Addr().String(), config)
|
||||||
|
},
|
||||||
|
},
|
||||||
|
jwk: jwk,
|
||||||
|
db: &db.MockNoSQLDB{
|
||||||
|
MCmpAndSwap: func(bucket, key, old, newval []byte) ([]byte, bool, error) {
|
||||||
|
assert.Equals(t, bucket, challengeTable)
|
||||||
|
assert.Equals(t, key, []byte(ch.getID()))
|
||||||
|
assert.Equals(t, old, oldb)
|
||||||
|
assert.Equals(t, string(newval), string(newb))
|
||||||
|
return nil, true, nil
|
||||||
|
},
|
||||||
|
},
|
||||||
|
res: ch,
|
||||||
|
}
|
||||||
|
},
|
||||||
"ok/mismatched-token": func(t *testing.T) test {
|
"ok/mismatched-token": func(t *testing.T) test {
|
||||||
ch, err := newTLSALPNCh()
|
ch, err := newTLSALPNCh()
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
@ -1563,7 +1600,7 @@ func newTestTLSALPNServer(validationCert *tls.Certificate) (*httptest.Server, tl
|
||||||
|
|
||||||
srv.TLS = &tls.Config{
|
srv.TLS = &tls.Config{
|
||||||
GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
if len(hello.SupportedProtos) == 1 && hello.SupportedProtos[0] == acme.ALPNProto {
|
if len(hello.SupportedProtos) == 1 && hello.SupportedProtos[0] == "acme-tls/1" {
|
||||||
return validationCert, nil
|
return validationCert, nil
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
|
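Review bot: The new "ok/no-protocol" case depends on `httptest.NewTLSServer(nil)` completing a handshake with a client that offers only acme-tls/1 and then reporting an empty negotiated protocol, but httptest starts that server with NextProtos set to "http/1.1", and since Go 1.17 a crypto/tls server with a non-empty NextProtos list rejects a ClientHello whose ALPN offer has no overlap with a no_application_protocol alert, so on a current toolchain the dial in the `tlsDial` closure fails at the handshake instead of returning a connection with no protocol. The validate code that turns a missing protocol into the expected `cannot negotiate ALPN acme-tls/1 protocol for tls-alpn-01 challenge` error is outside the hunk, so I cannot say which error would be stored in that situation, but it is unlikely to serialize to `newb` and the `MCmpAndSwap` comparison would then fail. To hit the intended condition on every Go version, start the server with an explicitly empty ALPN list, which the server side then ignores: `srv := httptest.NewUnstartedServer(nil)`, `srv.TLS = &tls.Config{NextProtos: []string{}}`, `srv.StartTLS()` (an empty non-nil slice keeps httptest from substituting its http/1.1 default). A comment on the `srv` line such as `// plain TLS server that never offers acme-tls/1, so ALPN negotiation must fail` would also stop readers from mistaking this server for a misconfigured copy of `newTestTLSALPNServer`.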