forked from letsencrypt/boulder
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ocsp_test.go
53 lines (47 loc) · 1.32 KB
/
ocsp_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
// +build integration
package integration
import (
"encoding/base64"
"os"
"strings"
"testing"
ocsp_helper "github.com/letsencrypt/boulder/test/ocsp/helper"
"golang.org/x/crypto/ocsp"
)
func TestPrecertificateOCSP(t *testing.T) {
// This test is gated on the PrecertificateOCSP feature flag.
if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") {
return
}
domain := random_domain()
err := ctAddRejectHost(domain)
if err != nil {
t.Fatalf("adding ct-test-srv reject host: %s", err)
}
os.Setenv("DIRECTORY", "http://boulder:4001/directory")
_, err = authAndIssue(nil, nil, []string{domain})
if err != nil {
if strings.Contains(err.Error(), "urn:ietf:params:acme:error:serverInternal") &&
strings.Contains(err.Error(), "SCT embedding") {
} else {
t.Fatal(err)
}
}
if err == nil {
t.Fatal("expected error issuing for domain rejected by CT servers; got none")
}
rejections, err := ctGetRejections(4500)
if err != nil {
t.Fatalf("getting ct-test-srv rejections: %s", err)
}
for _, r := range rejections {
rejectedCertBytes, err := base64.StdEncoding.DecodeString(r)
if err != nil {
t.Fatalf("decoding rejected cert: %s", err)
}
_, err = ocsp_helper.ReqDER(rejectedCertBytes, ocsp.Good)
if err != nil {
t.Errorf("requesting OCSP for rejected precertificate: %s", err)
}
}
}