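// Source: github.com/letsencrypt/boulder@v0.20251208.0/test/integration/bad_key_test.go

//go:build integration

package integration

import (
	"crypto/x509"
	"encoding/pem"
	"os"
	"testing"

	"github.com/eggsampler/acme/v3"

	"github.com/letsencrypt/boulder/test"
)

// TestFermat ensures that a certificate public key which can be factored using
// less than 100 rounds of Fermat's Algorithm is rejected.
//
// An RSA modulus whose two prime factors lie close together can be factored
// from the public key alone, so a CA must refuse to certify such a key. The
// test validates an HTTP-01 challenge for a random domain, then finalizes the
// order with a deliberately weak CSR. It expects the finalize call to fail
// with a badCSR problem whose detail names the close-factors condition.
func TestFermat(t *testing.T) {
	t.Parallel()

	// Create a client and complete an HTTP-01 challenge for a fake domain.
	c, err := makeClient()
	test.AssertNotError(t, err, "creating acme client")

	domain := random_domain()

	order, err := c.Client.NewOrder(
		c.Account, []acme.Identifier{{Type: "dns", Value: domain}})
	test.AssertNotError(t, err, "creating new order")
	test.AssertEquals(t, len(order.Authorizations), 1)

	authURL := order.Authorizations[0]

	auth, err := c.Client.FetchAuthorization(c.Account, authURL)
	test.AssertNotError(t, err, "fetching authorization")

	chal, ok := auth.ChallengeMap[acme.ChallengeTypeHTTP01]
	test.Assert(t, ok, "getting HTTP-01 challenge")

	// Capture the token now: chal is reassigned by UpdateChallenge below, and
	// the cleanup must remove the response that was registered here even if
	// that call fails and hands back a different (possibly empty) challenge.
	token := chal.Token

	_, err = testSrvClient.AddHTTP01Response(token, chal.KeyAuthorization)
	test.AssertNotError(t, err, "adding HTTP-01 response")
	defer func() {
		// Use a closure-local err so cleanup never overwrites the error the
		// test body is inspecting.
		_, err := testSrvClient.RemoveHTTP01Response(token)
		test.AssertNotError(t, err, "removing HTTP-01 response")
	}()

	chal, err = c.Client.UpdateChallenge(c.Account, chal)
	test.AssertNotError(t, err, "updating HTTP-01 challenge")

	// Load the Fermat-weak CSR that we'll submit for finalize. This CSR was
	// generated using test/integration/testdata/fermat_csr.go, has prime factors
	// that differ by only 2^516 + 254, and can be factored in 42 rounds.
	// The path is relative, so the test depends on the working directory it is
	// run from.
	csrPEM, err := os.ReadFile("test/integration/testdata/fermat_csr.pem")
	test.AssertNotError(t, err, "reading CSR PEM from disk")

	// pem.Decode returns a nil block when no PEM data is found; any trailing
	// bytes after the first block are ignored.
	csrBlock, _ := pem.Decode(csrPEM)
	if csrBlock == nil {
		t.Fatal("failed to decode CSR PEM")
	}

	csr, err := x509.ParseCertificateRequest(csrBlock.Bytes)
	test.AssertNotError(t, err, "parsing CSR")

	// Finalizing the order should fail as we reject the public key.
	// Both the ACME problem type and the detail text are asserted, so a
	// rejection for an unrelated reason does not satisfy the test.
	// NOTE(review): err.Error() below assumes test.AssertError stops the test
	// when err is nil - confirm against the test helper.
	_, err = c.Client.FinalizeOrder(c.Account, order, csr)
	test.AssertError(t, err, "finalizing order")
	test.AssertContains(t, err.Error(), "urn:ietf:params:acme:error:badCSR")
	test.AssertContains(t, err.Error(), "key generated with factors too close together")
}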