github
/
acme4j
mirror of https://github.com/shred/acme4j
1
0
Fork 0
Code Issues Releases Wiki Activity

Test certificate revocation via domain key

pull/66/head
Richard Körber 2018-07-15 15:17:14 +02:00
parent b9aeb81615
commit 2be925bfd6
No known key found for this signature in database
GPG Key ID: AAB9FD19C78AA3E0
1 changed files with 55 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
acme4j-it/src/test/java/org/shredzone/acme4j/it/pebble/OrderIT.java
View File

@ -68,7 +68,7 @@ public class OrderIT extends PebbleITBase {
cleanup(() -> client.httpRemoveToken(challenge.getToken()));
return challenge;
});
}, OrderIT::standardRevoker);
}
/**
@ -89,7 +89,7 @@ public class OrderIT extends PebbleITBase {
cleanup(() -> client.dnsRemoveTxtRecord(challengeDomainName));
return challenge;
});
}, OrderIT::standardRevoker);
}
/**
@ -115,7 +115,28 @@ public class OrderIT extends PebbleITBase {
cleanup(() -> client.tlsAlpnRemoveCertificate(auth.getDomain()));
return challenge;
});
}, OrderIT::standardRevoker);
}
/**
* Test if a certificate can be revoked by its domain key.
*/
@Test
public void testDomainKeyRevocation() throws Exception {
orderCertificate(TEST_DOMAIN, auth -> {
BammBammClient client = getBammBammClient();
Http01Challenge challenge = auth.findChallenge(Http01Challenge.TYPE);
assertThat(challenge, is(notNullValue()));
client.dnsAddARecord(TEST_DOMAIN, getBammBammHostname());
client.httpAddToken(challenge.getToken(), challenge.getAuthorization());
cleanup(() -> client.dnsRemoveARecord(TEST_DOMAIN));
cleanup(() -> client.httpRemoveToken(challenge.getToken()));
return challenge;
}, OrderIT::domainKeyRevoker);
}
/**
@ -126,8 +147,11 @@ public class OrderIT extends PebbleITBase {
* @param validator
* {@link Validator} that finds and prepares a {@link Challenge} for domain
* validation
* @param revoker
* {@link Revoker} that finally revokes the certificate
*/
private void orderCertificate(String domain, Validator validator) throws Exception {
private void orderCertificate(String domain, Validator validator, Revoker revoker)
throws Exception {
KeyPair keyPair = createKeyPair();
Session session = new Session(pebbleURI());
@ -196,7 +220,7 @@ public class OrderIT extends PebbleITBase {
assertThat(cert.getNotBefore(), not(nullValue()));
assertThat(cert.getSubjectX500Principal().getName(), containsString("CN=" + domain));
certificate.revoke(RevocationReason.KEY_COMPROMISE);
revoker.revoke(session, certificate, keyPair, domainKeyPair);
// Make sure certificate is revoked
try {
@ -209,9 +233,35 @@ public class OrderIT extends PebbleITBase {
}
}
/**
* Revokes a certificate by calling {@link Certificate#revoke(RevocationReason)}.
* This is the standard way to revoke a certificate.
*/
private static void standardRevoker(Session session, Certificate certificate,
KeyPair keyPair, KeyPair domainKeyPair) throws Exception {
certificate.revoke(RevocationReason.KEY_COMPROMISE);
}
/**
* Revokes a certificate by calling
* {@link Certificate#revoke(Session, KeyPair, X509Certificate, RevocationReason)}.
* This way can be used when the account key was lost.
*/
private static void domainKeyRevoker(Session session, Certificate certificate,
KeyPair keyPair, KeyPair domainKeyPair) throws Exception {
Certificate.revoke(session, domainKeyPair, certificate.getCertificate(),
RevocationReason.KEY_COMPROMISE);
}
@FunctionalInterface
private static interface Validator {
Challenge prepare(Authorization auth) throws Exception;
}
@FunctionalInterface
private static interface Revoker {
void revoke(Session session, Certificate certificate, KeyPair keyPair,
KeyPair domainKeyPair) throws Exception;
}
}