certmagic/crypto_test.go

// Copyright 2015 Matthew Holt
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package certmagic

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"testing"
)

func TestEncodeDecodeRSAPrivateKey(t *testing.T) {
	privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing
	if err != nil {
		t.Fatal(err)
	}

	// test save
	savedBytes, err := PEMEncodePrivateKey(privateKey)
	if err != nil {
		t.Fatal("error saving private key:", err)
	}

	// test load
	loadedKey, err := PEMDecodePrivateKey(savedBytes)
	if err != nil {
		t.Error("error loading private key:", err)
	}

	// test load (should fail)
	_, err = PEMDecodePrivateKey(savedBytes[2:])
	if err == nil {
		t.Error("loading private key should have failed")
	}

	// verify loaded key is correct
	if !privateKeysSame(privateKey, loadedKey) {
		t.Error("Expected key bytes to be the same, but they weren't")
	}
}

func TestSaveAndLoadECCPrivateKey(t *testing.T) {
	privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		t.Fatal(err)
	}

	// test save
	savedBytes, err := PEMEncodePrivateKey(privateKey)
	if err != nil {
		t.Fatal("error saving private key:", err)
	}

	// test load
	loadedKey, err := PEMDecodePrivateKey(savedBytes)
	if err != nil {
		t.Error("error loading private key:", err)
	}

	// verify loaded key is correct
	if !privateKeysSame(privateKey, loadedKey) {
		t.Error("Expected key bytes to be the same, but they weren't")
	}
}

// privateKeysSame compares the bytes of a and b and returns true if they are the same.
func privateKeysSame(a, b crypto.PrivateKey) bool {
	return bytes.Equal(privateKeyBytes(a), privateKeyBytes(b))
}

// privateKeyBytes returns the bytes of DER-encoded key.
func privateKeyBytes(key crypto.PrivateKey) []byte {
	var keyBytes []byte
	switch key := key.(type) {
	case *rsa.PrivateKey:
		keyBytes = x509.MarshalPKCS1PrivateKey(key)
	case *ecdsa.PrivateKey:
		keyBytes, _ = x509.MarshalECPrivateKey(key)
	case ed25519.PrivateKey:
		return key
	}
	return keyBytes
}
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`// Copyright 2015 Matthew Holt`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package certmagic`

			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/ecdsa"`
Replace lego with ACMEz (close #71) (#78) 2020-07-28 08:50:41 +10:00			`"crypto/ed25519"`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"testing"`
			`)`

			`func TestEncodeDecodeRSAPrivateKey(t *testing.T) {`
			`privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// test save`
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments 2022-02-18 07:37:50 +10:00			`savedBytes, err := PEMEncodePrivateKey(privateKey)`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`if err != nil {`
			`t.Fatal("error saving private key:", err)`
			`}`

			`// test load`
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments 2022-02-18 07:37:50 +10:00			`loadedKey, err := PEMDecodePrivateKey(savedBytes)`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`if err != nil {`
			`t.Error("error loading private key:", err)`
			`}`

Check keyBlockDER for nil (#147) I got following panic while Caddy was running: 2021/10/26 08:06:34 panic: certificate worker: runtime error: invalid memory address or nil pointer dereference goroutine 43 [running]: github.com/caddyserver/certmagic.(jobManager).worker.func1() github.com/caddyserver/certmagic@v0.14.5/async.go:58 +0x65 panic({0x145d400, 0x23d6c50}) runtime/panic.go:1038 +0x215 github.com/caddyserver/certmagic.decodePrivateKey({0xc000738c00, 0x0, 0x0}) github.com/caddyserver/certmagic@v0.14.5/crypto.go:75 +0x2a github.com/caddyserver/certmagic.(Config).reusePrivateKey(0xc0003b77c0, {0xc0003b1640, 0x32}) github.com/caddyserver/certmagic@v0.14.5/config.go:602 +0x2b9 github.com/caddyserver/certmagic.(Config).obtainCert.func2({0x190d3b8, 0xc000655920}) github.com/caddyserver/certmagic@v0.14.5/config.go:487 +0x1d6 github.com/caddyserver/certmagic.doWithRetry({0x190d310, 0xc0000b0440}, 0xc00003bd40, 0xc0007afba8) github.com/caddyserver/certmagic@v0.14.5/async.go:106 +0x1cc github.com/caddyserver/certmagic.(Config).obtainCert(0xc0003b77c0, {0x190d310, 0xc0000b0440}, {0xc0003b1640, 0x32}, 0x0) github.com/caddyserver/certmagic@v0.14.5/config.go:572 +0x58e github.com/caddyserver/certmagic.(Config).ObtainCertAsync(...) github.com/caddyserver/certmagic@v0.14.5/config.go:427 github.com/caddyserver/certmagic.(Config).manageOne.func1() github.com/caddyserver/certmagic@v0.14.5/config.go:332 +0x6f github.com/caddyserver/certmagic.(jobManager).worker(0x23e0c60) github.com/caddyserver/certmagic@v0.14.5/async.go:73 +0x112 created by github.com/caddyserver/certmagic.(jobManager).Submit github.com/caddyserver/certmagic@v0.14.5/async.go:50 +0x288 According to Go documentation: https://pkg.go.dev/encoding/pem#Decode p can be nil (first parameter returned) and so it should be checked before continuing as per this example: https://pkg.go.dev/encoding/pem#example-Decode I also added a test to verify that the fix works. Running the test without the fix causes a panic. Test: go test -count=1 './...' 2021-10-27 06:11:35 +10:00			`// test load (should fail)`
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments 2022-02-18 07:37:50 +10:00			`_, err = PEMDecodePrivateKey(savedBytes[2:])`
Check keyBlockDER for nil (#147) I got following panic while Caddy was running: 2021/10/26 08:06:34 panic: certificate worker: runtime error: invalid memory address or nil pointer dereference goroutine 43 [running]: github.com/caddyserver/certmagic.(jobManager).worker.func1() github.com/caddyserver/certmagic@v0.14.5/async.go:58 +0x65 panic({0x145d400, 0x23d6c50}) runtime/panic.go:1038 +0x215 github.com/caddyserver/certmagic.decodePrivateKey({0xc000738c00, 0x0, 0x0}) github.com/caddyserver/certmagic@v0.14.5/crypto.go:75 +0x2a github.com/caddyserver/certmagic.(Config).reusePrivateKey(0xc0003b77c0, {0xc0003b1640, 0x32}) github.com/caddyserver/certmagic@v0.14.5/config.go:602 +0x2b9 github.com/caddyserver/certmagic.(Config).obtainCert.func2({0x190d3b8, 0xc000655920}) github.com/caddyserver/certmagic@v0.14.5/config.go:487 +0x1d6 github.com/caddyserver/certmagic.doWithRetry({0x190d310, 0xc0000b0440}, 0xc00003bd40, 0xc0007afba8) github.com/caddyserver/certmagic@v0.14.5/async.go:106 +0x1cc github.com/caddyserver/certmagic.(Config).obtainCert(0xc0003b77c0, {0x190d310, 0xc0000b0440}, {0xc0003b1640, 0x32}, 0x0) github.com/caddyserver/certmagic@v0.14.5/config.go:572 +0x58e github.com/caddyserver/certmagic.(Config).ObtainCertAsync(...) github.com/caddyserver/certmagic@v0.14.5/config.go:427 github.com/caddyserver/certmagic.(Config).manageOne.func1() github.com/caddyserver/certmagic@v0.14.5/config.go:332 +0x6f github.com/caddyserver/certmagic.(jobManager).worker(0x23e0c60) github.com/caddyserver/certmagic@v0.14.5/async.go:73 +0x112 created by github.com/caddyserver/certmagic.(jobManager).Submit github.com/caddyserver/certmagic@v0.14.5/async.go:50 +0x288 According to Go documentation: https://pkg.go.dev/encoding/pem#Decode p can be nil (first parameter returned) and so it should be checked before continuing as per this example: https://pkg.go.dev/encoding/pem#example-Decode I also added a test to verify that the fix works. Running the test without the fix causes a panic. Test: go test -count=1 './...' 2021-10-27 06:11:35 +10:00			`if err == nil {`
			`t.Error("loading private key should have failed")`
			`}`

Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`// verify loaded key is correct`
			`if !privateKeysSame(privateKey, loadedKey) {`
			`t.Error("Expected key bytes to be the same, but they weren't")`
			`}`
			`}`

			`func TestSaveAndLoadECCPrivateKey(t *testing.T) {`
			`privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// test save`
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments 2022-02-18 07:37:50 +10:00			`savedBytes, err := PEMEncodePrivateKey(privateKey)`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`if err != nil {`
			`t.Fatal("error saving private key:", err)`
			`}`

			`// test load`
GetCertificate from external certificate sources (Managers) (#163) This work made possible by Tailscale: https://tailscale.com - thank you to the Tailscale team! * Implement custom GetCertificate callback Useful if another entity is managing certificates and can provide its own dynamically during handshakes. * Refactor CustomGetCertificate into OnDemandConfig * Set certs to managed=true This is only sorta true, but it allows handshake-time maintenance of the certificates that are cached from CustomGetCertificate. Our background maintenance routine skips certs that are OnDemand so it should be fine. * Change CustomGetCertificate into interface value Instead of a function * Case-insensitive subject name comparison Hostnames are case-insensitive Also add context to GetCertificate * Export a couple of outrageously useful functions * Allow multiple custom certificate getters Also minor refactoring and enhancements * Fix tests * Rename Getter -> Manager; refactor And don't cache externally managed certs * Minor updates to comments 2022-02-18 07:37:50 +10:00			`loadedKey, err := PEMDecodePrivateKey(savedBytes)`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`if err != nil {`
			`t.Error("error loading private key:", err)`
			`}`

			`// verify loaded key is correct`
			`if !privateKeysSame(privateKey, loadedKey) {`
			`t.Error("Expected key bytes to be the same, but they weren't")`
			`}`
			`}`

			`// privateKeysSame compares the bytes of a and b and returns true if they are the same.`
			`func privateKeysSame(a, b crypto.PrivateKey) bool {`
			`return bytes.Equal(privateKeyBytes(a), privateKeyBytes(b))`
			`}`

			`// privateKeyBytes returns the bytes of DER-encoded key.`
			`func privateKeyBytes(key crypto.PrivateKey) []byte {`
			`var keyBytes []byte`
			`switch key := key.(type) {`
			`case *rsa.PrivateKey:`
			`keyBytes = x509.MarshalPKCS1PrivateKey(key)`
			`case *ecdsa.PrivateKey:`
			`keyBytes, _ = x509.MarshalECPrivateKey(key)`
Replace lego with ACMEz (close #71) (#78) 2020-07-28 08:50:41 +10:00			`case ed25519.PrivateKey:`
			`return key`
Move some tests over Tests originally from Caddy's caddytls package Also fix a few bugs: sorting most recent emails, and nil Config in HTTP challenge handler 2018-12-11 02:59:03 +10:00			`}`
			`return keyBytes`
			`}`