2015-11-22 17:32:22 +00:00
|
|
|
package acme
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/rsa"
|
|
|
|
"crypto/sha256"
|
|
|
|
"crypto/tls"
|
|
|
|
"encoding/hex"
|
|
|
|
"fmt"
|
2015-12-05 14:53:53 +00:00
|
|
|
"strings"
|
2015-11-22 17:32:22 +00:00
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
2015-12-05 14:53:53 +00:00
|
|
|
func TestTLSSNIChallenge(t *testing.T) {
|
2015-11-22 17:32:22 +00:00
|
|
|
privKey, _ := generatePrivateKey(rsakey, 512)
|
2015-12-05 14:53:53 +00:00
|
|
|
j := &jws{privKey: privKey.(*rsa.PrivateKey)}
|
|
|
|
clientChallenge := challenge{Type: "tls-sni-01", Token: "tlssni1"}
|
2015-12-27 18:26:47 +00:00
|
|
|
mockValidate := func(_ *jws, _, _ string, chlng challenge) error {
|
2015-12-05 14:53:53 +00:00
|
|
|
conn, err := tls.Dial("tcp", "localhost:23457", &tls.Config{
|
2015-11-22 17:32:22 +00:00
|
|
|
InsecureSkipVerify: true,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Errorf("Expected to connect to challenge server without an error. %s", err.Error())
|
|
|
|
}
|
|
|
|
|
|
|
|
// Expect the server to only return one certificate
|
|
|
|
connState := conn.ConnectionState()
|
|
|
|
if count := len(connState.PeerCertificates); count != 1 {
|
|
|
|
t.Errorf("Expected the challenge server to return exactly one certificate but got %d", count)
|
|
|
|
}
|
|
|
|
|
|
|
|
remoteCert := connState.PeerCertificates[0]
|
|
|
|
if count := len(remoteCert.DNSNames); count != 1 {
|
|
|
|
t.Errorf("Expected the challenge certificate to have exactly one DNSNames entry but had %d", count)
|
|
|
|
}
|
|
|
|
|
2015-12-05 14:53:53 +00:00
|
|
|
zBytes := sha256.Sum256([]byte(chlng.KeyAuthorization))
|
2015-11-22 17:32:22 +00:00
|
|
|
z := hex.EncodeToString(zBytes[:sha256.Size])
|
|
|
|
domain := fmt.Sprintf("%s.%s.acme.invalid", z[:32], z[32:])
|
|
|
|
|
|
|
|
if remoteCert.DNSNames[0] != domain {
|
|
|
|
t.Errorf("Expected the challenge certificate DNSName to match %s but was %s", domain, remoteCert.DNSNames[0])
|
|
|
|
}
|
|
|
|
|
2015-12-05 14:53:53 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
solver := &tlsSNIChallenge{jws: j, validate: mockValidate, optPort: "23457"}
|
2015-11-22 17:32:22 +00:00
|
|
|
|
2015-12-05 14:53:53 +00:00
|
|
|
if err := solver.Solve(clientChallenge, "localhost:23457"); err != nil {
|
|
|
|
t.Errorf("Solve error: got %v, want nil", err)
|
|
|
|
}
|
|
|
|
}
|
2015-11-22 17:32:22 +00:00
|
|
|
|
2015-12-05 14:53:53 +00:00
|
|
|
func TestTLSSNIChallengeInvalidPort(t *testing.T) {
|
|
|
|
privKey, _ := generatePrivateKey(rsakey, 128)
|
|
|
|
j := &jws{privKey: privKey.(*rsa.PrivateKey)}
|
|
|
|
clientChallenge := challenge{Type: "tls-sni-01", Token: "tlssni2"}
|
|
|
|
solver := &tlsSNIChallenge{jws: j, validate: stubValidate, optPort: "123456"}
|
|
|
|
|
|
|
|
if err := solver.Solve(clientChallenge, "localhost:123456"); err == nil {
|
2015-12-30 22:01:21 +00:00
|
|
|
t.Errorf("Solve error: got %v, want error", err)
|
2015-12-05 14:53:53 +00:00
|
|
|
} else if want := "invalid port 123456"; !strings.HasSuffix(err.Error(), want) {
|
|
|
|
t.Errorf("Solve error: got %q, want suffix %q", err.Error(), want)
|
2015-11-22 17:32:22 +00:00
|
|
|
}
|
|
|
|
}
|