0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
caddy/caddytls/crypto_test.go
Chad Retz 88a2811e2a Pluggable TLS Storage (#913)
* Initial concept for pluggable storage (sans tests and docs)

* Add TLS storage docs, test harness, and minor clean up from code review

* Fix issue with caddymain's temporary moveStorage

* Formatting improvement on struct array literal by removing struct name

* Pluggable storage changes:

* Change storage interface to persist all site or user data in one call
* Add lock/unlock calls for renewal and cert obtaining

* Key fields on composite literals
2016-07-08 07:32:31 -06:00

132 lines
3.1 KiB
Go

package caddytls
import (
"bytes"
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"testing"
"time"
)
func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing
if err != nil {
t.Fatal(err)
}
// test save
savedBytes, err := savePrivateKey(privateKey)
if err != nil {
t.Fatal("error saving private key:", err)
}
// test load
loadedKey, err := loadPrivateKey(savedBytes)
if err != nil {
t.Error("error loading private key:", err)
}
// verify loaded key is correct
if !PrivateKeysSame(privateKey, loadedKey) {
t.Error("Expected key bytes to be the same, but they weren't")
}
}
func TestSaveAndLoadECCPrivateKey(t *testing.T) {
privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
t.Fatal(err)
}
// test save
savedBytes, err := savePrivateKey(privateKey)
if err != nil {
t.Fatal("error saving private key:", err)
}
// test load
loadedKey, err := loadPrivateKey(savedBytes)
if err != nil {
t.Error("error loading private key:", err)
}
// verify loaded key is correct
if !PrivateKeysSame(privateKey, loadedKey) {
t.Error("Expected key bytes to be the same, but they weren't")
}
}
// PrivateKeysSame compares the bytes of a and b and returns true if they are the same.
func PrivateKeysSame(a, b crypto.PrivateKey) bool {
return bytes.Equal(PrivateKeyBytes(a), PrivateKeyBytes(b))
}
// PrivateKeyBytes returns the bytes of DER-encoded key.
func PrivateKeyBytes(key crypto.PrivateKey) []byte {
var keyBytes []byte
switch key := key.(type) {
case *rsa.PrivateKey:
keyBytes = x509.MarshalPKCS1PrivateKey(key)
case *ecdsa.PrivateKey:
keyBytes, _ = x509.MarshalECPrivateKey(key)
}
return keyBytes
}
func TestStandaloneTLSTicketKeyRotation(t *testing.T) {
tlsGovChan := make(chan struct{})
defer close(tlsGovChan)
callSync := make(chan bool, 1)
defer close(callSync)
oldHook := setSessionTicketKeysTestHook
defer func() {
setSessionTicketKeysTestHook = oldHook
}()
var keysInUse [][32]byte
setSessionTicketKeysTestHook = func(keys [][32]byte) [][32]byte {
keysInUse = keys
callSync <- true
return keys
}
c := new(tls.Config)
timer := time.NewTicker(time.Millisecond * 1)
go standaloneTLSTicketKeyRotation(c, timer, tlsGovChan)
rounds := 0
var lastTicketKey [32]byte
for {
select {
case <-callSync:
if lastTicketKey == keysInUse[0] {
close(tlsGovChan)
t.Errorf("The same TLS ticket key has been used again (not rotated): %x.", lastTicketKey)
return
}
lastTicketKey = keysInUse[0]
rounds++
if rounds <= NumTickets && len(keysInUse) != rounds {
close(tlsGovChan)
t.Errorf("Expected TLS ticket keys in use: %d; Got instead: %d.", rounds, len(keysInUse))
return
}
if c.SessionTicketsDisabled == true {
t.Error("Session tickets have been disabled unexpectedly.")
return
}
if rounds >= NumTickets+1 {
return
}
case <-time.After(time.Second * 1):
t.Errorf("Timeout after %d rounds.", rounds)
return
}
}
}