2019-03-11 18:56:48 +02:00
package tlsalpn01
2018-06-14 01:20:56 +02:00
import (
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"crypto/subtle"
"crypto/tls"
"encoding/asn1"
2023-05-02 19:02:18 +02:00
"net"
2018-12-06 23:50:17 +02:00
"net/http"
2018-06-14 01:20:56 +02:00
"testing"
2018-09-15 19:16:35 +02:00
2020-09-02 03:20:01 +02:00
"github.com/go-acme/lego/v4/acme"
"github.com/go-acme/lego/v4/acme/api"
"github.com/go-acme/lego/v4/challenge"
"github.com/go-acme/lego/v4/platform/tester"
2023-05-02 19:02:18 +02:00
"github.com/miekg/dns"
2018-09-15 19:16:35 +02:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
2018-06-14 01:20:56 +02:00
)
2018-12-06 23:50:17 +02:00
func TestChallenge ( t * testing . T ) {
2021-11-02 01:52:38 +02:00
_ , apiURL := tester . SetupFakeAPI ( t )
2018-12-06 23:50:17 +02:00
2023-05-02 19:02:18 +02:00
domain := "localhost"
2024-01-06 13:43:26 +02:00
port := "24457"
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
mockValidate := func ( _ * api . Core , _ string , chlng acme . Challenge ) error {
2023-05-02 19:02:18 +02:00
conn , err := tls . Dial ( "tcp" , net . JoinHostPort ( domain , port ) , & tls . Config {
ServerName : domain ,
2018-06-14 01:20:56 +02:00
InsecureSkipVerify : true ,
} )
2018-10-12 19:29:18 +02:00
require . NoError ( t , err , "Expected to connect to challenge server without an error" )
2018-06-14 01:20:56 +02:00
// Expect the server to only return one certificate
connState := conn . ConnectionState ( )
2018-09-15 19:16:35 +02:00
assert . Len ( t , connState . PeerCertificates , 1 , "Expected the challenge server to return exactly one certificate" )
2018-06-14 01:20:56 +02:00
remoteCert := connState . PeerCertificates [ 0 ]
2018-09-15 19:16:35 +02:00
assert . Len ( t , remoteCert . DNSNames , 1 , "Expected the challenge certificate to have exactly one DNSNames entry" )
assert . Equal ( t , domain , remoteCert . DNSNames [ 0 ] , "challenge certificate DNSName " )
assert . NotEmpty ( t , remoteCert . Extensions , "Expected the challenge certificate to contain extensions" )
2018-06-14 01:20:56 +02:00
idx := - 1
for i , ext := range remoteCert . Extensions {
if idPeAcmeIdentifierV1 . Equal ( ext . Id ) {
idx = i
break
}
}
2018-09-15 19:16:35 +02:00
require . NotEqual ( t , - 1 , idx , "Expected the challenge certificate to contain an extension with the id-pe-acmeIdentifier id," )
2018-06-14 01:20:56 +02:00
ext := remoteCert . Extensions [ idx ]
2018-09-15 19:16:35 +02:00
assert . True ( t , ext . Critical , "Expected the challenge certificate id-pe-acmeIdentifier extension to be marked as critical" )
2018-06-14 01:20:56 +02:00
zBytes := sha256 . Sum256 ( [ ] byte ( chlng . KeyAuthorization ) )
value , err := asn1 . Marshal ( zBytes [ : sha256 . Size ] )
2018-09-15 19:16:35 +02:00
require . NoError ( t , err , "Expected marshaling of the keyAuth to return no error" )
2018-12-06 23:50:17 +02:00
if subtle . ConstantTimeCompare ( value , ext . Value ) != 1 {
2018-06-14 01:20:56 +02:00
t . Errorf ( "Expected the challenge certificate id-pe-acmeIdentifier extension to contain the SHA-256 digest of the keyAuth, %v, but was %v" , zBytes [ : ] , ext . Value )
}
return nil
}
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
privateKey , err := rsa . GenerateKey ( rand . Reader , 512 )
2018-09-15 19:16:35 +02:00
require . NoError ( t , err , "Could not generate test key" )
2018-12-06 23:50:17 +02:00
core , err := api . New ( http . DefaultClient , "lego-test" , apiURL + "/dir" , "" , privateKey )
require . NoError ( t , err )
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
solver := NewChallenge (
core ,
mockValidate ,
2024-01-06 13:43:26 +02:00
& ProviderServer { port : port } ,
2018-12-06 23:50:17 +02:00
)
authz := acme . Authorization {
Identifier : acme . Identifier {
2023-05-02 19:02:18 +02:00
Type : "dns" ,
2018-12-06 23:50:17 +02:00
Value : domain ,
} ,
Challenges : [ ] acme . Challenge {
{ Type : challenge . TLSALPN01 . String ( ) , Token : "tlsalpn1" } ,
} ,
}
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
err = solver . Solve ( authz )
2018-10-12 19:29:18 +02:00
require . NoError ( t , err )
2018-06-14 01:20:56 +02:00
}
2018-12-06 23:50:17 +02:00
func TestChallengeInvalidPort ( t * testing . T ) {
2021-11-02 01:52:38 +02:00
_ , apiURL := tester . SetupFakeAPI ( t )
2018-12-06 23:50:17 +02:00
privateKey , err := rsa . GenerateKey ( rand . Reader , 128 )
2018-09-15 19:16:35 +02:00
require . NoError ( t , err , "Could not generate test key" )
2018-06-14 01:20:56 +02:00
2018-12-06 23:50:17 +02:00
core , err := api . New ( http . DefaultClient , "lego-test" , apiURL + "/dir" , "" , privateKey )
require . NoError ( t , err )
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
solver := NewChallenge (
core ,
func ( _ * api . Core , _ string , _ acme . Challenge ) error { return nil } ,
& ProviderServer { port : "123456" } ,
)
authz := acme . Authorization {
Identifier : acme . Identifier {
Value : "localhost:123456" ,
} ,
Challenges : [ ] acme . Challenge {
{ Type : challenge . TLSALPN01 . String ( ) , Token : "tlsalpn1" } ,
} ,
}
2018-09-15 19:16:35 +02:00
2018-12-06 23:50:17 +02:00
err = solver . Solve ( authz )
2018-09-15 19:16:35 +02:00
require . Error ( t , err )
assert . Contains ( t , err . Error ( ) , "invalid port" )
assert . Contains ( t , err . Error ( ) , "123456" )
2018-06-14 01:20:56 +02:00
}
2023-05-02 19:02:18 +02:00
func TestChallengeIPaddress ( t * testing . T ) {
_ , apiURL := tester . SetupFakeAPI ( t )
domain := "127.0.0.1"
2024-01-06 13:43:26 +02:00
port := "24457"
2023-05-02 19:02:18 +02:00
rd , _ := dns . ReverseAddr ( domain )
mockValidate := func ( _ * api . Core , _ string , chlng acme . Challenge ) error {
conn , err := tls . Dial ( "tcp" , net . JoinHostPort ( domain , port ) , & tls . Config {
ServerName : rd ,
InsecureSkipVerify : true ,
} )
require . NoError ( t , err , "Expected to connect to challenge server without an error" )
// Expect the server to only return one certificate
connState := conn . ConnectionState ( )
assert . Len ( t , connState . PeerCertificates , 1 , "Expected the challenge server to return exactly one certificate" )
remoteCert := connState . PeerCertificates [ 0 ]
2023-10-31 15:08:50 +02:00
assert . Empty ( t , remoteCert . DNSNames , "Expected the challenge certificate to have no DNSNames entry in context of challenge for IP" )
2023-05-02 19:02:18 +02:00
assert . Len ( t , remoteCert . IPAddresses , 1 , "Expected the challenge certificate to have exactly one IPAddresses entry" )
assert . True ( t , net . ParseIP ( "127.0.0.1" ) . Equal ( remoteCert . IPAddresses [ 0 ] ) , "challenge certificate IPAddress " )
assert . NotEmpty ( t , remoteCert . Extensions , "Expected the challenge certificate to contain extensions" )
var foundAcmeIdentifier bool
var extValue [ ] byte
for _ , ext := range remoteCert . Extensions {
if idPeAcmeIdentifierV1 . Equal ( ext . Id ) {
assert . True ( t , ext . Critical , "Expected the challenge certificate id-pe-acmeIdentifier extension to be marked as critical" )
foundAcmeIdentifier = true
extValue = ext . Value
break
}
}
require . True ( t , foundAcmeIdentifier , "Expected the challenge certificate to contain an extension with the id-pe-acmeIdentifier id," )
zBytes := sha256 . Sum256 ( [ ] byte ( chlng . KeyAuthorization ) )
value , err := asn1 . Marshal ( zBytes [ : sha256 . Size ] )
require . NoError ( t , err , "Expected marshaling of the keyAuth to return no error" )
require . EqualValues ( t , value , extValue , "Expected the challenge certificate id-pe-acmeIdentifier extension to contain the SHA-256 digest of the keyAuth" )
return nil
}
privateKey , err := rsa . GenerateKey ( rand . Reader , 512 )
require . NoError ( t , err , "Could not generate test key" )
core , err := api . New ( http . DefaultClient , "lego-test" , apiURL + "/dir" , "" , privateKey )
require . NoError ( t , err )
solver := NewChallenge (
core ,
mockValidate ,
2024-01-06 13:43:26 +02:00
& ProviderServer { port : port } ,
2023-05-02 19:02:18 +02:00
)
authz := acme . Authorization {
Identifier : acme . Identifier {
Type : "ip" ,
Value : domain ,
} ,
Challenges : [ ] acme . Challenge {
{ Type : challenge . TLSALPN01 . String ( ) , Token : "tlsalpn1" } ,
} ,
}
require . NoError ( t , solver . Solve ( authz ) )
}