7 | 7 | "crypto/elliptic" |
8 | 8 | "crypto/rand" |
9 | 9 | "crypto/x509" |
| 10 | + "crypto/x509/pkix" |
10 | 11 | "fmt" |
| 12 | + "net" |
11 | 13 | "strings" |
12 | 14 | "testing" |
13 | 15 |
@@ -224,3 +226,76 @@ func TestIPShortLived(t *testing.T) { |
224 | 226 | t.Errorf("got cert with first IP SAN '%s', wanted '%s'", cert.IPAddresses[0], ip) |
225 | 227 | } |
226 | 228 | } |
| 229 | + |
| 230 | +// TestIPCNRejected verifies that we will reject IP address identifiers when |
| 231 | +// they occur in the Subject CommonName. |
| 232 | +func TestIPCNRejected(t *testing.T) { |
| 233 | + t.Parallel() |
| 234 | + |
| 235 | + // Create an account. |
| 236 | + client, err := makeClient( "mailto:[email protected]") |
| 237 | + if err != nil { |
| 238 | + t.Fatalf("creating acme client: %s", err) |
| 239 | + } |
| 240 | + |
| 241 | + // Create an IP address identifier to request. |
| 242 | + ip := "64.112.117.122" |
| 243 | + ipParsed := net.ParseIP(ip) |
| 244 | + idents := []acme.Identifier{ |
| 245 | + {Type: "ip", Value: ip}, |
| 246 | + } |
| 247 | + |
| 248 | + order, err := client.Client.NewOrderExtension(client.Account, idents, acme.OrderExtension{Profile: "shortlived"}) |
| 249 | + if err != nil { |
| 250 | + t.Fatalf("creating order: %s", err) |
| 251 | + } |
| 252 | + |
| 253 | + if len(order.Authorizations) != 1 { |
| 254 | + t.Fatalf("Got %d authorizations, expected 1", len(order.Authorizations)) |
| 255 | + } |
| 256 | + auth, err := client.Client.FetchAuthorization(client.Account, order.Authorizations[0]) |
| 257 | + chal, ok := auth.ChallengeMap[acme.ChallengeTypeHTTP01] |
| 258 | + if !ok { |
| 259 | + t.Fatalf("no HTTP challenge at %s", order.Authorizations[0]) |
| 260 | + } |
| 261 | + |
| 262 | + _, err = testSrvClient.AddHTTP01Response(chal.Token, chal.KeyAuthorization) |
| 263 | + if err != nil { |
| 264 | + t.Fatalf("adding HTTP challenge response: %s", err) |
| 265 | + } |
| 266 | + defer testSrvClient.RemoveHTTP01Response(chal.Token) |
| 267 | + |
| 268 | + chal, err = client.Client.UpdateChallenge(client.Account, chal) |
| 269 | + if err != nil { |
| 270 | + t.Fatalf("updating challenge: %s", err) |
| 271 | + } |
| 272 | + |
| 273 | + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) |
| 274 | + if err != nil { |
| 275 | + t.Fatalf("creating random cert key: %s", err) |
| 276 | + } |
| 277 | + csrTemplate := &x509.CertificateRequest{ |
| 278 | + Subject: pkix.Name{CommonName: ip}, |
| 279 | + SignatureAlgorithm: x509.ECDSAWithSHA256, |
| 280 | + PublicKeyAlgorithm: x509.ECDSA, |
| 281 | + PublicKey: key.Public(), |
| 282 | + IPAddresses: []net.IP{ipParsed}, |
| 283 | + } |
| 284 | + csrDer, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, key) |
| 285 | + if err != nil { |
| 286 | + t.Fatalf("making csr: %s", err) |
| 287 | + } |
| 288 | + csr, err := x509.ParseCertificateRequest(csrDer) |
| 289 | + if err != nil { |
| 290 | + t.Fatalf("parsing csr: %s", err) |
| 291 | + } |
| 292 | + |
| 293 | + _, err = client.Client.FinalizeOrder(client.Account, order, csr) |
| 294 | + if err == nil { |
| 295 | + t.Errorf("Finalizing order with IP in CN: got nil error, want badCSR error") |
| 296 | + } |
| 297 | + if !strings.Contains(err.Error(), "CSR contains IP address in Common Name") { |
| 298 | + t.Errorf("issuing with IP in CN failed for the wrong reason: %s", err) |
| 299 | + } |
| 300 | + |
| 301 | +} |
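Review bot: The `if err == nil` check after FinalizeOrder reports with t.Errorf and falls through, so when finalization unexpectedly succeeds the very next line calls `err.Error()` on a nil error and the test panics instead of reporting that the IP-in-CN CSR was not rejected; change that line to `t.Fatalf("Finalizing order with IP in CN: got nil error, want badCSR error")` so the substring check only runs on a real error. The `auth, err := client.Client.FetchAuthorization(...)` call just below the authorization-count check discards its error before `auth.ChallengeMap` is read, so a failed fetch would surface as the misleading "no HTTP challenge" failure rather than the actual cause; add `if err != nil { t.Fatalfmt("fetching authorization: %s", err) }` right after it (with the usual t.Fatalf spelling). The blank line before the closing brace of TestIPCNRejected is also out of step with the adjacent tests in this file.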