mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-23 22:27:38 -05:00
88a2811e2a
* Initial concept for pluggable storage (sans tests and docs) * Add TLS storage docs, test harness, and minor clean up from code review * Fix issue with caddymain's temporary moveStorage * Formatting improvement on struct array literal by removing struct name * Pluggable storage changes: * Change storage interface to persist all site or user data in one call * Add lock/unlock calls for renewal and cert obtaining * Key fields on composite literals
132 lines
3.1 KiB
Go
132 lines
3.1 KiB
Go
package caddytls
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"testing"
|
|
"time"
|
|
)
|
|
|
|
func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
|
|
privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// test save
|
|
savedBytes, err := savePrivateKey(privateKey)
|
|
if err != nil {
|
|
t.Fatal("error saving private key:", err)
|
|
}
|
|
|
|
// test load
|
|
loadedKey, err := loadPrivateKey(savedBytes)
|
|
if err != nil {
|
|
t.Error("error loading private key:", err)
|
|
}
|
|
|
|
// verify loaded key is correct
|
|
if !PrivateKeysSame(privateKey, loadedKey) {
|
|
t.Error("Expected key bytes to be the same, but they weren't")
|
|
}
|
|
}
|
|
|
|
func TestSaveAndLoadECCPrivateKey(t *testing.T) {
|
|
privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// test save
|
|
savedBytes, err := savePrivateKey(privateKey)
|
|
if err != nil {
|
|
t.Fatal("error saving private key:", err)
|
|
}
|
|
|
|
// test load
|
|
loadedKey, err := loadPrivateKey(savedBytes)
|
|
if err != nil {
|
|
t.Error("error loading private key:", err)
|
|
}
|
|
|
|
// verify loaded key is correct
|
|
if !PrivateKeysSame(privateKey, loadedKey) {
|
|
t.Error("Expected key bytes to be the same, but they weren't")
|
|
}
|
|
}
|
|
|
|
// PrivateKeysSame compares the bytes of a and b and returns true if they are the same.
|
|
func PrivateKeysSame(a, b crypto.PrivateKey) bool {
|
|
return bytes.Equal(PrivateKeyBytes(a), PrivateKeyBytes(b))
|
|
}
|
|
|
|
// PrivateKeyBytes returns the bytes of DER-encoded key.
|
|
func PrivateKeyBytes(key crypto.PrivateKey) []byte {
|
|
var keyBytes []byte
|
|
switch key := key.(type) {
|
|
case *rsa.PrivateKey:
|
|
keyBytes = x509.MarshalPKCS1PrivateKey(key)
|
|
case *ecdsa.PrivateKey:
|
|
keyBytes, _ = x509.MarshalECPrivateKey(key)
|
|
}
|
|
return keyBytes
|
|
}
|
|
|
|
func TestStandaloneTLSTicketKeyRotation(t *testing.T) {
|
|
tlsGovChan := make(chan struct{})
|
|
defer close(tlsGovChan)
|
|
callSync := make(chan bool, 1)
|
|
defer close(callSync)
|
|
|
|
oldHook := setSessionTicketKeysTestHook
|
|
defer func() {
|
|
setSessionTicketKeysTestHook = oldHook
|
|
}()
|
|
var keysInUse [][32]byte
|
|
setSessionTicketKeysTestHook = func(keys [][32]byte) [][32]byte {
|
|
keysInUse = keys
|
|
callSync <- true
|
|
return keys
|
|
}
|
|
|
|
c := new(tls.Config)
|
|
timer := time.NewTicker(time.Millisecond * 1)
|
|
|
|
go standaloneTLSTicketKeyRotation(c, timer, tlsGovChan)
|
|
|
|
rounds := 0
|
|
var lastTicketKey [32]byte
|
|
for {
|
|
select {
|
|
case <-callSync:
|
|
if lastTicketKey == keysInUse[0] {
|
|
close(tlsGovChan)
|
|
t.Errorf("The same TLS ticket key has been used again (not rotated): %x.", lastTicketKey)
|
|
return
|
|
}
|
|
lastTicketKey = keysInUse[0]
|
|
rounds++
|
|
if rounds <= NumTickets && len(keysInUse) != rounds {
|
|
close(tlsGovChan)
|
|
t.Errorf("Expected TLS ticket keys in use: %d; Got instead: %d.", rounds, len(keysInUse))
|
|
return
|
|
}
|
|
if c.SessionTicketsDisabled == true {
|
|
t.Error("Session tickets have been disabled unexpectedly.")
|
|
return
|
|
}
|
|
if rounds >= NumTickets+1 {
|
|
return
|
|
}
|
|
case <-time.After(time.Second * 1):
|
|
t.Errorf("Timeout after %d rounds.", rounds)
|
|
return
|
|
}
|
|
}
|
|
}
|