Merge branch 'main' into issuance-crls

ca/ca_test.go

@@ -96,9 +96,10 @@ var (
 const arbitraryRegID int64 = 1001
 
 // Useful key and certificate files.
-const caKeyFile = "../test/test-ca.key"
-const caCertFile = "../test/test-ca.pem"
-const caCertFile2 = "../test/test-ca2.pem"
+const rsaIntKey = "../test/hierarchy/int-r3.key.pem"
+const rsaIntCert = "../test/hierarchy/int-r3.cert.pem"
+const ecdsaIntKey = "../test/hierarchy/int-e1.key.pem"
+const ecdsaIntCert = "../test/hierarchy/int-e1.cert.pem"
 
 func mustRead(path string) []byte {
 	return must.Do(os.ReadFile(path))
@@ -185,7 +186,7 @@ func setup(t *testing.T) *testCtx {
 		IssuerURL:         "http://not-example.com/issuer-url",
 		OCSPURL:           "http://not-example.com/ocsp",
 		CRLURLBase:        "http://not-example.com/crl/",
-		Location:          issuance.IssuerLoc{File: caKeyFile, CertFile: caCertFile2},
+		Location:          issuance.IssuerLoc{File: ecdsaIntKey, CertFile: ecdsaIntCert},
 	}, fc)
 	test.AssertNotError(t, err, "Couldn't load test issuer")
 
@@ -195,7 +196,7 @@ func setup(t *testing.T) *testCtx {
 		IssuerURL:         "http://not-example.com/issuer-url",
 		OCSPURL:           "http://not-example.com/ocsp",
 		CRLURLBase:        "http://not-example.com/crl/",
-		Location:          issuance.IssuerLoc{File: caKeyFile, CertFile: caCertFile},
+		Location:          issuance.IssuerLoc{File: rsaIntKey, CertFile: rsaIntCert},
 	}, fc)
 	test.AssertNotError(t, err, "Couldn't load test issuer")
 

ca/ocsp_test.go

@@ -50,7 +50,7 @@ func TestOCSP(t *testing.T) {
 	test.AssertNotError(t, err, "Failed to create CA")
 	ocspi := testCtx.ocsp
 
-	// Issue a certificate from the RSA issuer caCert, then check OCSP comes from the same issuer.
+	// Issue a certificate from the RSA issuer, then check OCSP comes from that same issuer.
 	rsaIssuerID := ca.issuers.byAlg[x509.RSA].NameID()
 	rsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: arbitraryRegID})
 	test.AssertNotError(t, err, "Failed to issue certificate")
@@ -68,7 +68,11 @@ func TestOCSP(t *testing.T) {
 	test.AssertEquals(t, rsaOCSP.RevocationReason, 0)
 	test.AssertEquals(t, rsaOCSP.SerialNumber.Cmp(rsaCert.SerialNumber), 0)
 
-	// Issue a certificate from the ECDSA issuer caCert2, then check OCSP comes from the same issuer.
+	// Check that a different issuer cannot validate the OCSP response
+	_, err = ocsp.ParseResponse(rsaOCSPPB.Response, testCtx.boulderIssuers[0].Cert.Certificate)
+	test.AssertError(t, err, "Parsed / validated OCSP for rsaCert, but should not have")
+
+	// Issue a certificate from an ECDSA issuer, then check OCSP comes from that same issuer.
 	ecdsaIssuerID := ca.issuers.byAlg[x509.ECDSA].NameID()
 	ecdsaCertPB, err := ca.IssuePrecertificate(ctx, &capb.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: arbitraryRegID})
 	test.AssertNotError(t, err, "Failed to issue certificate")

core/util_test.go

@@ -276,13 +276,13 @@ func TestLoadCert(t *testing.T) {
 	test.AssertError(t, err, "Loading non-PEM file did not error")
 	test.AssertEquals(t, err.Error(), "no data in cert PEM file \"../test/test-ca.der\"")
 
-	_, err = LoadCert("../test/test-ca.key")
+	_, err = LoadCert("../test/hierarchy/int-e1.key.pem")
 	test.AssertError(t, err, "Loading non-cert file did not error")
 	test.AssertEquals(t, err.Error(), "x509: malformed tbs certificate")
 
-	cert, err := LoadCert("../test/test-ca.pem")
+	cert, err := LoadCert("../test/hierarchy/int-r3.cert.pem")
 	test.AssertNotError(t, err, "Failed to load cert file")
-	test.AssertEquals(t, cert.Subject.CommonName, "happy hacker fake CA")
+	test.AssertEquals(t, cert.Subject.CommonName, "(TEST) Radical Rhino R3")
 }
 
 func TestRetryBackoff(t *testing.T) {

test/config/ca.json

@@ -75,7 +75,7 @@
 					"issuerURL": "http://127.0.0.1:4001/aia/issuer/6605440498369741",
 					"ocspURL": "http://127.0.0.1:4002/",
 					"location": {
-						"configFile": "test/test-ca.key-pkcs11.json",
+						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 						"certFile": "/hierarchy/intermediate-cert-rsa-a.pem",
 						"numSessions": 2
 					}
@@ -86,7 +86,7 @@
 					"issuerURL": "http://127.0.0.1:4001/aia/issuer/41127673797486028",
 					"ocspURL": "http://127.0.0.1:4002/",
 					"location": {
-						"configFile": "test/test-ca.key-pkcs11.json",
+						"configFile": "/hierarchy/intermediate-signing-key-rsa.pkcs11.json",
 						"certFile": "/hierarchy/intermediate-cert-rsa-b.pem",
 						"numSessions": 2
 					}

test/example-blocked-keys.yaml

@@ -26,7 +26,9 @@ blocked:
   - cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=
   # test/block-a-key/test/test.rsa.jwk.json
   - Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=
+  # test/hierarchy/int-r4.cert.pem
+  - +//lPMatuGvtf7yesXNv6FSf0UovKbP3BKdQZ23L4BY=
 blockedHashesHex:
   - 41e6dcd55dd2917de2ce461118d262966f4172ebdfd28a31e14d919fe6f824e1
 
-  
+

test/v2_integration.py

@@ -1351,7 +1351,7 @@ def test_blocked_key_account():
     if not CONFIG_NEXT:
         return
 
-    with open("test/test-ca.key", "rb") as key_file:
+    with open("test/hierarchy/int-r4.key.pem", "rb") as key_file:
         key = serialization.load_pem_private_key(key_file.read(), password=None, backend=default_backend())
 
     # Create a client with the JWK set to a blocked private key
@@ -1379,7 +1379,7 @@ def test_blocked_key_cert():
     if not CONFIG_NEXT:
         return
 
-    with open("test/test-ca.key", "r") as f:
+    with open("test/hierarchy/int-r4.key.pem", "r") as f:
         pemBytes = f.read()
 
     domains = [random_domain(), random_domain()]