Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for Must-Staple / TLS-Feature #1224

Merged
merged 45 commits into from Feb 16, 2016
Merged
Changes from 1 commit
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
6b5101c
Update CFSSL to latest
bifurcation Dec 4, 2015
02a98e8
Add support for the must-staple extension
bifurcation Nov 20, 2015
b4f202f
Add changes to CA tests
bifurcation Dec 15, 2015
580c79c
Merge branch 'master' into must-staple
bifurcation Dec 15, 2015
b48d3a3
Provide correct TLS-Feature extension value
bifurcation Dec 15, 2015
dfc7021
Add new test files
bifurcation Dec 15, 2015
54e336e
Merge branch 'master' into must-staple
bifurcation Dec 15, 2015
a439df4
Address review comments
bifurcation Dec 16, 2015
f95c5bb
Merge branch 'master' into must-staple
bifurcation Dec 16, 2015
b552d24
Remove stray variables
bifurcation Dec 16, 2015
0103dbb
Merge branch 'master' into must-staple
bifurcation Dec 16, 2015
d05e908
Merge branch 'master' into must-staple
bifurcation Dec 17, 2015
eb5a00f
Merge branch 'master' into must-staple
bifurcation Dec 18, 2015
02595e0
Merge branch 'master' into must-staple
bifurcation Jan 13, 2016
55d1795
Reset Godep changes
bifurcation Jan 13, 2016
e3daa6c
Factor out extension handling and require a specific value
bifurcation Jan 13, 2016
de8f1f5
Merge branch 'must-staple' of https://github.com/letsencrypt/boulder …
bifurcation Jan 13, 2016
2e74211
Merge branch 'master' into must-staple
bifurcation Jan 20, 2016
3411e9d
Merge branch 'master' into must-staple
bifurcation Jan 22, 2016
65ea6f6
Stricter error checking for extensions
bifurcation Jan 22, 2016
5020352
Merge branch 'master' into must-staple
bifurcation Jan 22, 2016
e588c52
Attempt to fix test failure
bifurcation Jan 22, 2016
d2f3a89
Merge branch 'must-staple' of https://github.com/letsencrypt/boulder …
bifurcation Jan 22, 2016
22bc89f
Merge branch 'master' into must-staple
bifurcation Jan 22, 2016
c1f1649
Back out RA change
bifurcation Jan 25, 2016
14fbf3b
Add stats and error only on a bad TLS Feature extension
bifurcation Jan 25, 2016
e243442
Merge branch 'master' into must-staple
bifurcation Jan 25, 2016
746fc88
Merge branch 'master' into must-staple
bifurcation Jan 26, 2016
4c3f14b
Merge branch 'master' into must-staple
bifurcation Jan 27, 2016
06ac584
Printf clean-up
bifurcation Jan 27, 2016
51c1a1c
Merge branch 'master' into must-staple
bifurcation Jan 27, 2016
0afa843
Merge branch 'master' into must-staple
bifurcation Jan 27, 2016
d9fdfac
Merge branch 'master' into must-staple
bifurcation Jan 28, 2016
4157112
Merge branch 'master' into must-staple
bifurcation Jan 28, 2016
1ec567e
Merge branch 'master' into must-staple
bifurcation Jan 29, 2016
5d35967
Ignore duplicate extensions
bifurcation Feb 16, 2016
4e31d80
Merge branch 'master' into must-staple
bifurcation Feb 16, 2016
42782be
Clean up metrics and don't use naked returns
bifurcation Feb 16, 2016
f1ccf2f
Merge branch 'must-staple' of https://github.com/letsencrypt/boulder …
bifurcation Feb 16, 2016
edd2471
Actually check for duplicate extensions
bifurcation Feb 16, 2016
4f81e8c
Test proper duplicate extension handling
bifurcation Feb 16, 2016
1d62ca8
Add duplicate-must-staple test CSR, and use it
bifurcation Feb 16, 2016
8a79e48
Merge branch 'master' into must-staple
rolandshoemaker Feb 16, 2016
901f651
Actually use the duplicate must staple CSR
bifurcation Feb 16, 2016
6fb913a
Merge branch 'must-staple' of https://github.com/letsencrypt/boulder …
bifurcation Feb 16, 2016
File filter...
Filter file types
Jump to…
Jump to file or symbol
Failed to load files and symbols.

Always

Just for now

Test proper duplicate extension handling

  • Loading branch information
bifurcation committed Feb 16, 2016
commit 4f81e8cfbde29645d51312e57a2ca15ae3bc89dd
@@ -102,6 +102,12 @@ var (
// * Includes an extensionRequest attribute for a well-formed TLS Feature extension
MustStapleCSR = mustRead("./testdata/must_staple.der.csr")

// CSR generated by Go:
// * Random public key
// * CN = not-example.com
// * Includes extensionRequest attributes for *two* must-staple extensions
DuplicateMustStapleCSR = mustRead("./testdata/must_staple.der.csr")

// CSR generated by Go:
// * Random public key
// * CN = not-example.com
@@ -708,21 +714,38 @@ func TestExtensions(t *testing.T) {
test.Assert(t, foundMustStaple, "TLS Feature extension not found")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(1))

// Even if there are multiple TLS Feature extensions, only one extension should be included
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertNotError(t, err, "Failed to gracefully handle a CSR with multiple must_staple")
parsedCert2, err := x509.ParseCertificate(cert.DER)
test.AssertNotError(t, err, "Error parsing certificate produced by CA")

numMustStaple := 0
for _, ext := range parsedCert2.Extensions {
if ext.Id.Equal(oidTLSFeature) {
numMustStaple += 1
test.Assert(t, !ext.Critical, "Extension was marked critical")
test.AssertByteEquals(t, ext.Value, mustStapleFeatureValue)
}
}
test.Assert(t, numMustStaple == 1, "Duplicate TLS Feature extensions found")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(2))

// ... but if it doesn't ask for stapling, there should be an error
csr, _ = x509.ParseCertificateRequest(TLSFeatureUnknownCSR)
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertError(t, err, "Allowed a CSR with an empty TLS feature extension")
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(2))
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeature], int64(3))
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionTLSFeatureInvalid], int64(1))

// Unsupported extensions should be silently ignored, having the same
// extensions as the TLS Feature cert above, minus the TLS Feature Extension
csr, _ = x509.ParseCertificateRequest(UnsupportedExtensionCSR)
cert, err = ca.IssueCertificate(*csr, ctx.reg.ID)
test.AssertNotError(t, err, "Failed to gracefully handle a CSR with an unknown extension")
parsedCert2, err := x509.ParseCertificate(cert.DER)
parsedCert3, err := x509.ParseCertificate(cert.DER)
test.AssertNotError(t, err, "Error parsing certificate produced by CA")
test.AssertEquals(t, len(parsedCert2.Extensions), len(parsedCert1.Extensions)-1)
test.AssertEquals(t, len(parsedCert3.Extensions), len(parsedCert1.Extensions)-1)
test.AssertEquals(t, ctx.stats.Counters[metricCSRExtensionOther], int64(1))

// None of the above CSRs have basic extensions
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.