lkddi/certd
1
0
Fork 0
mirror of https://github.com/certd/certd.git synced 2026-04-27 23:37:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/acme_sync' into v2

Browse Source 
# Conflicts:
#	packages/core/acme-client/CHANGELOG.md
#	packages/core/acme-client/package.json
#	packages/core/acme-client/src/auto.js
This commit is contained in:
xiaojunnuo
2024-03-06 18:35:44 +08:00
parent 370a12e88a 960f61d158
commit 09c9b42cab
55 changed files with 1646 additions and 668 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/core/acme-client/test/00-pebble.spec.js
+103 -9
View File
@@ -3,16 +3,23 @@
*/
const dns = require('dns').promises;
const { randomUUID: uuid } = require('crypto');
const https = require('https');
const { assert } = require('chai');
const { v4: uuid } = require('uuid');
const cts = require('./challtestsrv');
const axios = require('./../src/axios');
const { retrieveTlsAlpnCertificate } = require('./../src/util');
const { isAlpnCertificateAuthorizationValid } = require('./../src/crypto');
const domainName = process.env.ACME_DOMAIN_NAME || 'example.com';
const httpPort = axios.defaults.acmeSettings.httpChallengePort || 80;
const httpsPort = axios.defaults.acmeSettings.httpsChallengePort || 443;
const tlsAlpnPort = axios.defaults.acmeSettings.tlsAlpnChallengePort || 443;
describe('pebble', () => {
const httpsAgent = new https.Agent({ rejectUnauthorized: false });
const testAHost = `${uuid()}.${domainName}`;
const testARecords = ['1.1.1.1', '2.2.2.2'];
const testCnameHost = `${uuid()}.${domainName}`;
@@ -21,9 +28,17 @@ describe('pebble', () => {
const testHttp01ChallengeHost = `${uuid()}.${domainName}`;
const testHttp01ChallengeToken = uuid();
const testHttp01ChallengeContent = uuid();
const testHttps01ChallengeHost = `${uuid()}.${domainName}`;
const testHttps01ChallengeToken = uuid();
const testHttps01ChallengeContent = uuid();
const testDns01ChallengeHost = `_acme-challenge.${uuid()}.${domainName}.`;
const testDns01ChallengeValue = uuid();
const testTlsAlpn01ChallengeHost = `${uuid()}.${domainName}`;
const testTlsAlpn01ChallengeValue = uuid();
/**
* Pebble CTS required
@@ -79,43 +94,122 @@ describe('pebble', () => {
/**
* Challenge response
* HTTP-01 challenge response
*/
describe('challenges', () => {
it('should not locate http-01 challenge response', async () => {
describe('http-01', () => {
it('should not locate challenge response', async () => {
const resp = await axios.get(`http://${testHttp01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttp01ChallengeToken}`);
assert.isString(resp.data);
assert.notEqual(resp.data, testHttp01ChallengeContent);
});
it('should add http-01 challenge response', async () => {
it('should add challenge response', async () => {
const resp = await cts.addHttp01ChallengeResponse(testHttp01ChallengeToken, testHttp01ChallengeContent);
assert.isTrue(resp);
});
it('should locate http-01 challenge response', async () => {
it('should locate challenge response', async () => {
const resp = await axios.get(`http://${testHttp01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttp01ChallengeToken}`);
assert.isString(resp.data);
assert.strictEqual(resp.data, testHttp01ChallengeContent);
});
});
it('should not locate dns-01 challenge response', async () => {
/**
* HTTPS-01 challenge response
*/
describe('https-01', () => {
it('should not locate challenge response', async () => {
const r1 = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
const r2 = await axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
[r1, r2].forEach((resp) => {
assert.isString(resp.data);
assert.notEqual(resp.data, testHttps01ChallengeContent);
});
});
it('should add challenge response', async () => {
const resp = await cts.addHttps01ChallengeResponse(testHttps01ChallengeToken, testHttps01ChallengeContent, testHttps01ChallengeHost);
assert.isTrue(resp);
});
it('should 302 with self-signed cert', async () => {
/* Assert HTTP 302 */
const resp = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, {
maxRedirects: 0,
validateStatus: null
});
assert.strictEqual(resp.status, 302);
assert.strictEqual(resp.headers.location, `https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`);
/* Self-signed cert test */
await assert.isRejected(axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`));
await assert.isFulfilled(axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent }));
});
it('should locate challenge response', async () => {
const r1 = await axios.get(`http://${testHttps01ChallengeHost}:${httpPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
const r2 = await axios.get(`https://${testHttps01ChallengeHost}:${httpsPort}/.well-known/acme-challenge/${testHttps01ChallengeToken}`, { httpsAgent });
[r1, r2].forEach((resp) => {
assert.isString(resp.data);
assert.strictEqual(resp.data, testHttps01ChallengeContent);
});
});
});
/**
* DNS-01 challenge response
*/
describe('dns-01', () => {
it('should not locate challenge response', async () => {
await assert.isRejected(dns.resolveTxt(testDns01ChallengeHost));
});
it('should add dns-01 challenge response', async () => {
it('should add challenge response', async () => {
const resp = await cts.addDns01ChallengeResponse(testDns01ChallengeHost, testDns01ChallengeValue);
assert.isTrue(resp);
});
it('should locate dns-01 challenge response', async () => {
it('should locate challenge response', async () => {
const resp = await dns.resolveTxt(testDns01ChallengeHost);
assert.isArray(resp);
assert.deepStrictEqual(resp, [[testDns01ChallengeValue]]);
});
});
/**
* TLS-ALPN-01 challenge response
*/
describe('tls-alpn-01', () => {
it('should not locate challenge response', async () => {
await assert.isRejected(retrieveTlsAlpnCertificate(testTlsAlpn01ChallengeHost, tlsAlpnPort), /(failed to retrieve)|(ssl3_read_bytes:tlsv1 alert internal error)/);
});
it('should timeout challenge response', async () => {
await assert.isRejected(retrieveTlsAlpnCertificate('example.org', tlsAlpnPort, 500));
});
it('should add challenge response', async () => {
const resp = await cts.addTlsAlpn01ChallengeResponse(testTlsAlpn01ChallengeHost, testTlsAlpn01ChallengeValue);
assert.isTrue(resp);
});
it('should locate challenge response', async () => {
const resp = await retrieveTlsAlpnCertificate(testTlsAlpn01ChallengeHost, tlsAlpnPort);
assert.isTrue(isAlpnCertificateAuthorizationValid(resp, testTlsAlpn01ChallengeValue));
});
});
});
packages/core/acme-client/test/10-http.spec.js
+1 -4
View File
@@ -2,8 +2,8 @@
* HTTP client tests
*/
const { randomUUID: uuid } = require('crypto');
const { assert } = require('chai');
const { v4: uuid } = require('uuid');
const nock = require('nock');
const axios = require('./../src/axios');
const HttpClient = require('./../src/http');
@@ -26,8 +26,6 @@ describe('http', () => {
*/
before(() => {
axios.defaults.acmeSettings.bypassCustomDnsResolver = true;
const defaultUaOpts = { reqheaders: { 'User-Agent': defaultUserAgent } };
const customUaOpts = { reqheaders: { 'User-Agent': customUserAgent } };
@@ -43,7 +41,6 @@ describe('http', () => {
after(() => {
axios.defaults.headers.common['User-Agent'] = defaultUserAgent;
axios.defaults.acmeSettings.bypassCustomDnsResolver = false;
});
packages/core/acme-client/test/10-verify.spec.js
+51 -1
View File
@@ -2,8 +2,8 @@
* Challenge verification tests
*/
const { randomUUID: uuid } = require('crypto');
const { assert } = require('chai');
const { v4: uuid } = require('uuid');
const cts = require('./challtestsrv');
const verify = require('./../src/verify');
@@ -17,11 +17,19 @@ describe('verify', () => {
const testHttp01Challenge = { type: 'http-01', status: 'pending', token: uuid() };
const testHttp01Key = uuid();
const testHttps01Authz = { identifier: { type: 'dns', value: `${uuid()}.${domainName}` } };
const testHttps01Challenge = { type: 'http-01', status: 'pending', token: uuid() };
const testHttps01Key = uuid();
const testDns01Authz = { identifier: { type: 'dns', value: `${uuid()}.${domainName}` } };
const testDns01Challenge = { type: 'dns-01', status: 'pending', token: uuid() };
const testDns01Key = uuid();
const testDns01Cname = `${uuid()}.${domainName}`;
const testTlsAlpn01Authz = { identifier: { type: 'dns', value: `${uuid()}.${domainName}` } };
const testTlsAlpn01Challenge = { type: 'dns-01', status: 'pending', token: uuid() };
const testTlsAlpn01Key = uuid();
/**
* Pebble CTS required
@@ -74,6 +82,27 @@ describe('verify', () => {
});
/**
* https-01
*/
describe('https-01', () => {
it('should reject challenge', async () => {
await assert.isRejected(verify['http-01'](testHttps01Authz, testHttps01Challenge, testHttps01Key));
});
it('should mock challenge response', async () => {
const resp = await cts.addHttps01ChallengeResponse(testHttps01Challenge.token, testHttps01Key, testHttps01Authz.identifier.value);
assert.isTrue(resp);
});
it('should verify challenge', async () => {
const resp = await verify['http-01'](testHttps01Authz, testHttps01Challenge, testHttps01Key);
assert.isTrue(resp);
});
});
/**
* dns-01
*/
@@ -103,4 +132,25 @@ describe('verify', () => {
assert.isTrue(resp);
});
});
/**
* tls-alpn-01
*/
describe('tls-alpn-01', () => {
it('should reject challenge', async () => {
await assert.isRejected(verify['tls-alpn-01'](testTlsAlpn01Authz, testTlsAlpn01Challenge, testTlsAlpn01Key));
});
it('should mock challenge response', async () => {
const resp = await cts.addTlsAlpn01ChallengeResponse(testTlsAlpn01Authz.identifier.value, testTlsAlpn01Key);
assert.isTrue(resp);
});
it('should verify challenge', async () => {
const resp = await verify['tls-alpn-01'](testTlsAlpn01Authz, testTlsAlpn01Challenge, testTlsAlpn01Key);
assert.isTrue(resp);
});
});
});
packages/core/acme-client/test/20-crypto.spec.js
+113 -7
View File
@@ -10,10 +10,10 @@ const { crypto } = require('./../');
const emptyBodyChain1 = `
-----BEGIN TEST-----
a
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
-----BEGIN TEST-----
b
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
-----BEGIN TEST-----
@@ -22,7 +22,7 @@ b
-----BEGIN TEST-----
c
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
`;
@@ -38,15 +38,15 @@ const emptyBodyChain2 = `
-----END TEST-----
-----BEGIN TEST-----
a
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
-----BEGIN TEST-----
b
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
-----BEGIN TEST-----
c
dGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZ3Rlc3Rpbmd0ZXN0aW5ndGVzdGluZw==
-----END TEST-----
`;
@@ -95,6 +95,7 @@ describe('crypto', () => {
let testSanCsr;
let testNonCnCsr;
let testNonAsciiCsr;
let testAlpnCertificate;
/**
@@ -111,6 +112,11 @@ describe('crypto', () => {
assert.isTrue(Buffer.isBuffer(testPublicKeys[n]));
});
it(`${n}/should get public key from string`, () => {
testPublicKeys[n] = crypto.getPublicKey(testPrivateKeys[n].toString());
assert.isTrue(Buffer.isBuffer(testPublicKeys[n]));
});
it(`${n}/should get jwk from private key`, () => {
const jwk = crypto.getJwk(testPrivateKeys[n]);
jwkSpecFn(jwk);
@@ -121,6 +127,11 @@ describe('crypto', () => {
jwkSpecFn(jwk);
});
it(`${n}/should get jwk from string`, () => {
const jwk = crypto.getJwk(testPrivateKeys[n].toString());
jwkSpecFn(jwk);
});
/**
* Certificate Signing Request
@@ -173,6 +184,15 @@ describe('crypto', () => {
testNonAsciiCsr = csr;
});
it(`${n}/should generate a csr with key as string`, async () => {
const [key, csr] = await crypto.createCsr({
commonName: testCsrDomain
}, testPrivateKeys[n].toString());
assert.isTrue(Buffer.isBuffer(key));
assert.isTrue(Buffer.isBuffer(csr));
});
it(`${n}/should throw with invalid key`, async () => {
await assert.isRejected(crypto.createCsr({
commonName: testCsrDomain
@@ -215,6 +235,51 @@ describe('crypto', () => {
assert.strictEqual(result.commonName, testCsrDomain);
assert.deepStrictEqual(result.altNames, [testCsrDomain]);
});
it(`${n}/should resolve domains from csr string`, () => {
[testCsr, testSanCsr, testNonCnCsr, testNonAsciiCsr].forEach((csr) => {
const result = crypto.readCsrDomains(csr.toString());
spec.crypto.csrDomains(result);
});
});
/**
* ALPN
*/
it(`${n}/should generate alpn certificate`, async () => {
const authz = { identifier: { value: 'test.example.com' } };
const [key, cert] = await crypto.createAlpnCertificate(authz, 'super-secret.12345', await createFn());
assert.isTrue(Buffer.isBuffer(key));
assert.isTrue(Buffer.isBuffer(cert));
testAlpnCertificate = cert;
});
it(`${n}/should generate alpn certificate with key as string`, async () => {
const k = await createFn();
const authz = { identifier: { value: 'test.example.com' } };
const [key, cert] = await crypto.createAlpnCertificate(authz, 'super-secret.12345', k.toString());
assert.isTrue(Buffer.isBuffer(key));
assert.isTrue(Buffer.isBuffer(cert));
});
it(`${n}/should not validate invalid alpn certificate key authorization`, () => {
assert.isFalse(crypto.isAlpnCertificateAuthorizationValid(testAlpnCertificate, 'aaaaaaa'));
assert.isFalse(crypto.isAlpnCertificateAuthorizationValid(testAlpnCertificate, 'bbbbbbb'));
assert.isFalse(crypto.isAlpnCertificateAuthorizationValid(testAlpnCertificate, 'ccccccc'));
});
it(`${n}/should validate valid alpn certificate key authorization`, () => {
assert.isTrue(crypto.isAlpnCertificateAuthorizationValid(testAlpnCertificate, 'super-secret.12345'));
});
it(`${n}/should validate valid alpn certificate with cert as string`, () => {
assert.isTrue(crypto.isAlpnCertificateAuthorizationValid(testAlpnCertificate.toString(), 'super-secret.12345'));
});
});
});
});
@@ -250,7 +315,7 @@ describe('crypto', () => {
* CSR with auto-generated key
*/
it('should generate a csr with auto-generated key', async () => {
it('should generate a csr with default key', async () => {
const [key, csr] = await crypto.createCsr({
commonName: testCsrDomain
});
@@ -280,6 +345,26 @@ describe('crypto', () => {
assert.deepEqual(info.domains.altNames, testSanCsrDomains.slice(1, testSanCsrDomains.length));
});
it('should read certificate info from string', () => {
[testCert, testSanCert].forEach((cert) => {
const info = crypto.readCertificateInfo(cert.toString());
spec.crypto.certificateInfo(info);
});
});
/**
* ALPN
*/
it('should generate alpn certificate with default key', async () => {
const authz = { identifier: { value: 'test.example.com' } };
const [key, cert] = await crypto.createAlpnCertificate(authz, 'abc123');
assert.isTrue(Buffer.isBuffer(key));
assert.isTrue(Buffer.isBuffer(cert));
});
/**
* PEM utils
@@ -296,6 +381,17 @@ describe('crypto', () => {
});
});
it('should get pem body as b64u from string', () => {
[testPemKey, testCert, testSanCert].forEach((pem) => {
const body = crypto.getPemBodyAsB64u(pem.toString());
assert.isString(body);
assert.notInclude(body, '\r');
assert.notInclude(body, '\n');
assert.notInclude(body, '\r\n');
});
});
it('should split pem chain', () => {
[testPemKey, testCert, testSanCert].forEach((pem) => {
const chain = crypto.splitPemChain(pem);
@@ -306,6 +402,16 @@ describe('crypto', () => {
});
});
it('should split pem chain from string', () => {
[testPemKey, testCert, testSanCert].forEach((pem) => {
const chain = crypto.splitPemChain(pem.toString());
assert.isArray(chain);
assert.isNotEmpty(chain);
chain.forEach((c) => assert.isString(c));
});
});
it('should split pem chain with empty bodies', () => {
const c1 = crypto.splitPemChain(emptyBodyChain1);
const c2 = crypto.splitPemChain(emptyBodyChain2);
packages/core/acme-client/test/50-client.spec.js
+34 -13
View File
@@ -2,8 +2,8 @@
* ACME client tests
*/
const { randomUUID: uuid } = require('crypto');
const { assert } = require('chai');
const { v4: uuid } = require('uuid');
const cts = require('./challtestsrv');
const getCertIssuers = require('./get-cert-issuers');
const spec = require('./spec');
@@ -33,6 +33,7 @@ if (capEabEnabled && process.env.ACME_EAB_KID && process.env.ACME_EAB_HMAC_KEY)
describe('client', () => {
const testDomain = `${uuid()}.${domainName}`;
const testDomainAlpn = `${uuid()}.${domainName}`;
const testDomainWildcard = `*.${testDomain}`;
const testContact = `mailto:test-${uuid()}@nope.com`;
@@ -78,16 +79,22 @@ describe('client', () => {
let testAccount;
let testAccountUrl;
let testOrder;
let testOrderAlpn;
let testOrderWildcard;
let testAuthz;
let testAuthzAlpn;
let testAuthzWildcard;
let testChallenge;
let testChallengeAlpn;
let testChallengeWildcard;
let testKeyAuthorization;
let testKeyAuthorizationAlpn;
let testKeyAuthorizationWildcard;
let testCsr;
let testCsrAlpn;
let testCsrWildcard;
let testCertificate;
let testCertificateAlpn;
let testCertificateWildcard;
@@ -107,6 +114,7 @@ describe('client', () => {
it('should generate certificate signing request', async () => {
[, testCsr] = await acme.crypto.createCsr({ commonName: testDomain }, await createKeyFn());
[, testCsrAlpn] = await acme.crypto.createCsr({ commonName: testDomainAlpn }, await createKeyFn());
[, testCsrWildcard] = await acme.crypto.createCsr({ commonName: testDomainWildcard }, await createKeyFn());
});
@@ -336,12 +344,14 @@ describe('client', () => {
it('should create new order', async () => {
const data1 = { identifiers: [{ type: 'dns', value: testDomain }] };
const data2 = { identifiers: [{ type: 'dns', value: testDomainWildcard }] };
const data2 = { identifiers: [{ type: 'dns', value: testDomainAlpn }] };
const data3 = { identifiers: [{ type: 'dns', value: testDomainWildcard }] };
testOrder = await testClient.createOrder(data1);
testOrderWildcard = await testClient.createOrder(data2);
testOrderAlpn = await testClient.createOrder(data2);
testOrderWildcard = await testClient.createOrder(data3);
[testOrder, testOrderWildcard].forEach((item) => {
[testOrder, testOrderAlpn, testOrderWildcard].forEach((item) => {
spec.rfc8555.order(item);
assert.strictEqual(item.status, 'pending');
});
@@ -353,7 +363,7 @@ describe('client', () => {
*/
it('should get existing order', async () => {
await Promise.all([testOrder, testOrderWildcard].map(async (existing) => {
await Promise.all([testOrder, testOrderAlpn, testOrderWildcard].map(async (existing) => {
const result = await testClient.getOrder(existing);
spec.rfc8555.order(result);
@@ -368,9 +378,10 @@ describe('client', () => {
it('should get identifier authorization', async () => {
const orderAuthzCollection = await testClient.getAuthorizations(testOrder);
const alpnAuthzCollection = await testClient.getAuthorizations(testOrderAlpn);
const wildcardAuthzCollection = await testClient.getAuthorizations(testOrderWildcard);
[orderAuthzCollection, wildcardAuthzCollection].forEach((collection) => {
[orderAuthzCollection, alpnAuthzCollection, wildcardAuthzCollection].forEach((collection) => {
assert.isArray(collection);
assert.isNotEmpty(collection);
@@ -381,9 +392,10 @@ describe('client', () => {
});
testAuthz = orderAuthzCollection.pop();
testAuthzAlpn = alpnAuthzCollection.pop();
testAuthzWildcard = wildcardAuthzCollection.pop();
testAuthz.challenges.concat(testAuthzWildcard.challenges).forEach((item) => {
testAuthz.challenges.concat(testAuthzAlpn.challenges).concat(testAuthzWildcard.challenges).forEach((item) => {
spec.rfc8555.challenge(item);
assert.strictEqual(item.status, 'pending');
});
@@ -396,12 +408,14 @@ describe('client', () => {
it('should get challenge key authorization', async () => {
testChallenge = testAuthz.challenges.find((c) => (c.type === 'http-01'));
testChallengeAlpn = testAuthzAlpn.challenges.find((c) => (c.type === 'tls-alpn-01'));
testChallengeWildcard = testAuthzWildcard.challenges.find((c) => (c.type === 'dns-01'));
testKeyAuthorization = await testClient.getChallengeKeyAuthorization(testChallenge);
testKeyAuthorizationAlpn = await testClient.getChallengeKeyAuthorization(testChallengeAlpn);
testKeyAuthorizationWildcard = await testClient.getChallengeKeyAuthorization(testChallengeWildcard);
[testKeyAuthorization, testKeyAuthorizationWildcard].forEach((k) => assert.isString(k));
[testKeyAuthorization, testKeyAuthorizationAlpn, testKeyAuthorizationWildcard].forEach((k) => assert.isString(k));
});
@@ -438,9 +452,11 @@ describe('client', () => {
it('should verify challenge', async () => {
await cts.assertHttpChallengeCreateFn(testAuthz, testChallenge, testKeyAuthorization);
await cts.assertTlsAlpnChallengeCreateFn(testAuthzAlpn, testChallengeAlpn, testKeyAuthorizationAlpn);
await cts.assertDnsChallengeCreateFn(testAuthzWildcard, testChallengeWildcard, testKeyAuthorizationWildcard);
await testClient.verifyChallenge(testAuthz, testChallenge);
await testClient.verifyChallenge(testAuthzAlpn, testChallengeAlpn);
await testClient.verifyChallenge(testAuthzWildcard, testChallengeWildcard);
});
@@ -450,7 +466,7 @@ describe('client', () => {
*/
it('should complete challenge', async () => {
await Promise.all([testChallenge, testChallengeWildcard].map(async (challenge) => {
await Promise.all([testChallenge, testChallengeAlpn, testChallengeWildcard].map(async (challenge) => {
const result = await testClient.completeChallenge(challenge);
spec.rfc8555.challenge(result);
@@ -464,7 +480,7 @@ describe('client', () => {
*/
it('should wait for valid challenge status', async () => {
await Promise.all([testChallenge, testChallengeWildcard].map(async (c) => testClient.waitForValidStatus(c)));
await Promise.all([testChallenge, testChallengeAlpn, testChallengeWildcard].map(async (c) => testClient.waitForValidStatus(c)));
});
@@ -474,11 +490,13 @@ describe('client', () => {
it('should finalize order', async () => {
const finalize = await testClient.finalizeOrder(testOrder, testCsr);
const finalizeAlpn = await testClient.finalizeOrder(testOrderAlpn, testCsrAlpn);
const finalizeWildcard = await testClient.finalizeOrder(testOrderWildcard, testCsrWildcard);
[finalize, finalizeWildcard].forEach((f) => spec.rfc8555.order(f));
[finalize, finalizeAlpn, finalizeWildcard].forEach((f) => spec.rfc8555.order(f));
assert.strictEqual(testOrder.url, finalize.url);
assert.strictEqual(testOrderAlpn.url, finalizeAlpn.url);
assert.strictEqual(testOrderWildcard.url, finalizeWildcard.url);
});
@@ -488,7 +506,7 @@ describe('client', () => {
*/
it('should wait for valid order status', async () => {
await Promise.all([testOrder, testOrderWildcard].map(async (o) => testClient.waitForValidStatus(o)));
await Promise.all([testOrder, testOrderAlpn, testOrderWildcard].map(async (o) => testClient.waitForValidStatus(o)));
});
@@ -498,9 +516,10 @@ describe('client', () => {
it('should get certificate', async () => {
testCertificate = await testClient.getCertificate(testOrder);
testCertificateAlpn = await testClient.getCertificate(testOrderAlpn);
testCertificateWildcard = await testClient.getCertificate(testOrderWildcard);
[testCertificate, testCertificateWildcard].forEach((cert) => {
[testCertificate, testCertificateAlpn, testCertificateWildcard].forEach((cert) => {
assert.isString(cert);
acme.crypto.readCertificateInfo(cert);
});
@@ -539,11 +558,13 @@ describe('client', () => {
it('should revoke certificate', async () => {
await testClient.revokeCertificate(testCertificate);
await testClient.revokeCertificate(testCertificateAlpn, { reason: 0 });
await testClient.revokeCertificate(testCertificateWildcard, { reason: 4 });
});
it('should not allow getting revoked certificate', async () => {
await assert.isRejected(testClient.getCertificate(testOrder));
await assert.isRejected(testClient.getCertificate(testOrderAlpn));
await assert.isRejected(testClient.getCertificate(testOrderWildcard));
});
packages/core/acme-client/test/70-auto.spec.js
+67 -1
View File
@@ -2,8 +2,8 @@
* ACME client.auto tests
*/
const { randomUUID: uuid } = require('crypto');
const { assert } = require('chai');
const { v4: uuid } = require('uuid');
const cts = require('./challtestsrv');
const getCertIssuers = require('./get-cert-issuers');
const spec = require('./spec');
@@ -32,7 +32,9 @@ if (capEabEnabled && process.env.ACME_EAB_KID && process.env.ACME_EAB_HMAC_KEY)
describe('client.auto', () => {
const testDomain = `${uuid()}.${domainName}`;
const testHttpDomain = `${uuid()}.${domainName}`;
const testHttpsDomain = `${uuid()}.${domainName}`;
const testDnsDomain = `${uuid()}.${domainName}`;
const testAlpnDomain = `${uuid()}.${domainName}`;
const testWildcardDomain = `${uuid()}.${domainName}`;
const testSanDomains = [
@@ -178,6 +180,38 @@ describe('client.auto', () => {
assert.isString(cert);
});
it('should settle all challenges before rejecting', async () => {
const results = [];
const [, csr] = await acme.crypto.createCsr({
commonName: `${uuid()}.${domainName}`,
altNames: [
`${uuid()}.${domainName}`,
`${uuid()}.${domainName}`,
`${uuid()}.${domainName}`,
`${uuid()}.${domainName}`
]
}, await createKeyFn());
await assert.isRejected(testClient.auto({
csr,
termsOfServiceAgreed: true,
challengeCreateFn: async (...args) => {
if ([0, 1, 2].includes(results.length)) {
results.push(false);
throw new Error('oops');
}
await new Promise((resolve) => { setTimeout(resolve, 500); });
results.push(true);
return cts.challengeCreateFn(...args);
},
challengeRemoveFn: cts.challengeRemoveFn
}));
assert.strictEqual(results.length, 5);
assert.deepStrictEqual(results, [false, false, false, true, true]);
});
/**
* Order certificates
@@ -215,6 +249,22 @@ describe('client.auto', () => {
assert.isString(cert);
});
it('should order certificate using https-01', async () => {
const [, csr] = await acme.crypto.createCsr({
commonName: testHttpsDomain
}, await createKeyFn());
const cert = await testClient.auto({
csr,
termsOfServiceAgreed: true,
challengeCreateFn: cts.assertHttpsChallengeCreateFn,
challengeRemoveFn: cts.challengeRemoveFn,
challengePriority: ['http-01']
});
assert.isString(cert);
});
it('should order certificate using dns-01', async () => {
const [, csr] = await acme.crypto.createCsr({
commonName: testDnsDomain
@@ -231,6 +281,22 @@ describe('client.auto', () => {
assert.isString(cert);
});
it('should order certificate using tls-alpn-01', async () => {
const [, csr] = await acme.crypto.createCsr({
commonName: testAlpnDomain
}, await createKeyFn());
const cert = await testClient.auto({
csr,
termsOfServiceAgreed: true,
challengeCreateFn: cts.assertTlsAlpnChallengeCreateFn,
challengeRemoveFn: cts.challengeRemoveFn,
challengePriority: ['tls-alpn-01']
});
assert.isString(cert);
});
it('should order san certificate', async () => {
const [, csr] = await acme.crypto.createCsr({
commonName: testSanDomains[0],
packages/core/acme-client/test/challtestsrv.js
+31
View File
@@ -6,6 +6,7 @@ const { assert } = require('chai');
const axios = require('./../src/axios');
const apiBaseUrl = process.env.ACME_CHALLTESTSRV_URL || null;
const httpsPort = axios.defaults.acmeSettings.httpsChallengePort || 443;
/**
@@ -50,12 +51,26 @@ async function addHttp01ChallengeResponse(token, content) {
return request('add-http01', { token, content });
}
async function addHttps01ChallengeResponse(token, content, targetHostname) {
await addHttp01ChallengeResponse(token, content);
return request('add-redirect', {
path: `/.well-known/acme-challenge/${token}`,
targetURL: `https://${targetHostname}:${httpsPort}/.well-known/acme-challenge/${token}`
});
}
async function addDns01ChallengeResponse(host, value) {
return request('set-txt', { host, value });
}
async function addTlsAlpn01ChallengeResponse(host, content) {
return request('add-tlsalpn01', { host, content });
}
exports.addHttp01ChallengeResponse = addHttp01ChallengeResponse;
exports.addHttps01ChallengeResponse = addHttps01ChallengeResponse;
exports.addDns01ChallengeResponse = addDns01ChallengeResponse;
exports.addTlsAlpn01ChallengeResponse = addTlsAlpn01ChallengeResponse;
/**
@@ -67,11 +82,21 @@ async function assertHttpChallengeCreateFn(authz, challenge, keyAuthorization) {
return addHttp01ChallengeResponse(challenge.token, keyAuthorization);
}
async function assertHttpsChallengeCreateFn(authz, challenge, keyAuthorization) {
assert.strictEqual(challenge.type, 'http-01');
return addHttps01ChallengeResponse(challenge.token, keyAuthorization, authz.identifier.value);
}
async function assertDnsChallengeCreateFn(authz, challenge, keyAuthorization) {
assert.strictEqual(challenge.type, 'dns-01');
return addDns01ChallengeResponse(`_acme-challenge.${authz.identifier.value}.`, keyAuthorization);
}
async function assertTlsAlpnChallengeCreateFn(authz, challenge, keyAuthorization) {
assert.strictEqual(challenge.type, 'tls-alpn-01');
return addTlsAlpn01ChallengeResponse(authz.identifier.value, keyAuthorization);
}
async function challengeCreateFn(authz, challenge, keyAuthorization) {
if (challenge.type === 'http-01') {
return assertHttpChallengeCreateFn(authz, challenge, keyAuthorization);
@@ -81,6 +106,10 @@ async function challengeCreateFn(authz, challenge, keyAuthorization) {
return assertDnsChallengeCreateFn(authz, challenge, keyAuthorization);
}
if (challenge.type === 'tls-alpn-01') {
return assertTlsAlpnChallengeCreateFn(authz, challenge, keyAuthorization);
}
throw new Error(`Unsupported challenge type ${challenge.type}`);
}
@@ -89,5 +118,7 @@ exports.challengeNoopFn = async () => true;
exports.challengeThrowFn = async () => { throw new Error('oops'); };
exports.assertHttpChallengeCreateFn = assertHttpChallengeCreateFn;
exports.assertHttpsChallengeCreateFn = assertHttpsChallengeCreateFn;
exports.assertDnsChallengeCreateFn = assertDnsChallengeCreateFn;
exports.assertTlsAlpnChallengeCreateFn = assertTlsAlpnChallengeCreateFn;
exports.challengeCreateFn = challengeCreateFn;
packages/core/acme-client/test/setup.js
+9 -51
View File
@@ -2,10 +2,7 @@
* Setup testing
*/
const url = require('url');
const net = require('net');
const fs = require('fs');
const dns = require('dns').promises;
const chai = require('chai');
const chaiAsPromised = require('chai-as-promised');
const axios = require('./../src/axios');
@@ -19,13 +16,21 @@ chai.use(chaiAsPromised);
/**
* HTTP challenge port
* Challenge test server ports
*/
if (process.env.ACME_HTTP_PORT) {
axios.defaults.acmeSettings.httpChallengePort = process.env.ACME_HTTP_PORT;
}
if (process.env.ACME_HTTPS_PORT) {
axios.defaults.acmeSettings.httpsChallengePort = process.env.ACME_HTTPS_PORT;
}
if (process.env.ACME_TLSALPN_PORT) {
axios.defaults.acmeSettings.tlsAlpnChallengePort = process.env.ACME_TLSALPN_PORT;
}
/**
* External account binding
@@ -38,50 +43,3 @@ if (('ACME_CAP_EAB_ENABLED' in process.env) && (process.env.ACME_CAP_EAB_ENABLED
process.env.ACME_EAB_KID = kid;
process.env.ACME_EAB_HMAC_KEY = hmacKey;
}
/**
* Custom DNS resolver
*/
if (process.env.ACME_DNS_RESOLVER) {
dns.setServers([process.env.ACME_DNS_RESOLVER]);
/**
* Axios DNS resolver
*/
axios.interceptors.request.use(async (config) => {
const urlObj = url.parse(config.url);
/* Bypass */
if (axios.defaults.acmeSettings.bypassCustomDnsResolver === true) {
return config;
}
/* Skip IP addresses and localhost */
if (net.isIP(urlObj.hostname) || (urlObj.hostname === 'localhost')) {
return config;
}
/* Lookup hostname */
const result = await dns.resolve4(urlObj.hostname);
if (!result.length) {
throw new Error(`Unable to lookup address: ${urlObj.hostname}`);
}
/* Place hostname in header */
config.headers = config.headers || {};
config.headers.Host = urlObj.hostname;
/* Inject address into URL */
delete urlObj.host;
urlObj.hostname = result[0];
config.url = url.format(urlObj);
/* Done */
return config;
});
}