Return to using hash for login validation (#1084)

* Return to using hash for login validation

This PR also removes the start date for certificate enforcement.

* Inline verify certificate compliance
This commit is contained in:
sarahcaseybot 2021-04-20 14:07:01 -04:00 committed by GitHub
parent ee31f1fd95
commit aac952d6a3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 54 additions and 437 deletions

View file

@ -14,30 +14,24 @@
package google.registry.flows;
import static google.registry.testing.CertificateSamples.SAMPLE_CERT3_HASH;
import static google.registry.testing.DatabaseHelper.loadRegistrar;
import static google.registry.testing.DatabaseHelper.persistResource;
import static google.registry.testing.LogsSubject.assertAboutLogs;
import static google.registry.util.DateTimeUtils.START_OF_TIME;
import static google.registry.util.X509Utils.encodeX509Certificate;
import static google.registry.util.X509Utils.encodeX509CertificateFromPemString;
import static google.registry.util.X509Utils.getCertificateHash;
import static org.joda.time.DateTimeZone.UTC;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.ImmutableSortedMap;
import com.google.common.testing.TestLogHandler;
import google.registry.config.RegistryEnvironment;
import google.registry.flows.certs.CertificateChecker;
import google.registry.testing.AppEngineExtension;
import google.registry.testing.CertificateSamples;
import google.registry.testing.SystemPropertyExtension;
import google.registry.util.SelfSignedCaCertificate;
import java.io.StringWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.joda.time.DateTime;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Order;
@ -66,25 +60,17 @@ class EppLoginTlsTest extends EppTestCase {
ImmutableSet.of("secp256r1", "secp384r1"),
clock);
private final Logger loggerToIntercept =
Logger.getLogger(TlsCredentials.class.getCanonicalName());
private final TestLogHandler handler = new TestLogHandler();
private String encodedCertString;
void setCredentials(String clientCertificateHash, String clientCertificate) {
void setCredentials(String clientCertificateHash) {
setTransportCredentials(
new TlsCredentials(
true,
Optional.ofNullable(clientCertificateHash),
Optional.ofNullable(clientCertificate),
Optional.of("192.168.1.100:54321"),
certificateChecker,
clock));
certificateChecker));
}
@BeforeEach
void beforeEach() throws CertificateException {
void beforeEach() {
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
@ -96,20 +82,18 @@ class EppLoginTlsTest extends EppTestCase {
.asBuilder()
.setClientCertificate(CertificateSamples.SAMPLE_CERT2, DateTime.now(UTC))
.build());
loggerToIntercept.addHandler(handler);
encodedCertString = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT3);
}
@Test
void testLoginLogout() throws Exception {
setCredentials(null, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
assertThatLogoutSucceeds();
}
@Test
void testLogin_wrongPasswordFails() throws Exception {
setCredentials(CertificateSamples.SAMPLE_CERT3_HASH, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
// For TLS login, we also check the epp xml password.
assertThatLogin("NewRegistrar", "incorrect")
.hasResponse(
@ -119,7 +103,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testMultiLogin() throws Exception {
setCredentials(CertificateSamples.SAMPLE_CERT3_HASH, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
assertThatLogoutSucceeds();
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
@ -133,7 +117,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testNonAuthedLogin_fails() throws Exception {
setCredentials(CertificateSamples.SAMPLE_CERT3_HASH, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
assertThatLogin("TheRegistrar", "password2")
.hasResponse(
"response_error.xml",
@ -143,7 +127,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testBadCertificate_failsBadCertificate2200() throws Exception {
setCredentials("laffo", "cert");
setCredentials("laffo");
assertThatLogin("NewRegistrar", "foo-BAR2")
.hasResponse(
"response_error.xml",
@ -153,7 +137,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testGfeDidntProvideClientCertificate_failsMissingCertificate2200() throws Exception {
setCredentials(null, null);
setCredentials(null);
assertThatLogin("NewRegistrar", "foo-BAR2")
.hasResponse(
"response_error.xml",
@ -162,7 +146,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testGoodPrimaryCertificate() throws Exception {
setCredentials(null, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
@ -175,7 +159,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testGoodFailoverCertificate() throws Exception {
setCredentials(null, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
@ -188,7 +172,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testMissingPrimaryCertificateButHasFailover_usesFailover() throws Exception {
setCredentials(null, encodedCertString);
setCredentials(SAMPLE_CERT3_HASH);
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
@ -201,7 +185,7 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testRegistrarHasNoCertificatesOnFile_fails() throws Exception {
setCredentials("laffo", "cert");
setCredentials("laffo");
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
@ -217,9 +201,8 @@ class EppLoginTlsTest extends EppTestCase {
@Test
void testCertificateDoesNotMeetRequirements_fails() throws Exception {
String proxyEncoded = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT);
// SAMPLE_CERT has a validity period that is too long
setCredentials(CertificateSamples.SAMPLE_CERT_HASH, proxyEncoded);
setCredentials(CertificateSamples.SAMPLE_CERT_HASH);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
@ -251,10 +234,8 @@ class EppLoginTlsTest extends EppTestCase {
pw.writeObject(generator);
}
String proxyEncoded = encodeX509Certificate(certificate);
// SAMPLE_CERT has a validity period that is too long
setCredentials(null, proxyEncoded);
setCredentials(getCertificateHash(certificate));
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
@ -273,114 +254,4 @@ class EppLoginTlsTest extends EppTestCase {
+ "Certificate validity period is too long; it must be less than or equal to"
+ " 398 days."));
}
@Test
// TODO(sarahbot@): Remove this test once requirements are enforced in production
void testCertificateDoesNotMeetRequirementsInProduction_beforeStartDate_succeeds()
throws Exception {
RegistryEnvironment.PRODUCTION.setup(systemPropertyExtension);
// SAMPLE_CERT has a validity period that is too long
String proxyEncoded = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT);
setCredentials(null, proxyEncoded);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
.setClientCertificate(CertificateSamples.SAMPLE_CERT, clock.nowUtc())
.setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, clock.nowUtc())
.build());
// Even though the certificate contains security violations, the login will succeed in
// production
assertThatLogin("NewRegistrar", "foo-BAR2")
.atTime(DateTime.parse("2020-01-01T16:00:00Z"))
.hasSuccessfulLogin();
assertAboutLogs()
.that(handler)
.hasLogAtLevelWithMessage(
Level.WARNING,
"Registrar certificate used for NewRegistrar does not meet certificate requirements:"
+ " Certificate validity period is too long; it must be less than or equal to 398"
+ " days.");
}
@Test
void testCertificateDoesNotMeetRequirementsInProduction_afterStartDate_fails() throws Exception {
RegistryEnvironment.PRODUCTION.setup(systemPropertyExtension);
String proxyEncoded = encodeX509CertificateFromPemString(CertificateSamples.SAMPLE_CERT);
// SAMPLE_CERT has a validity period that is too long
setCredentials(CertificateSamples.SAMPLE_CERT_HASH, proxyEncoded);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
.setClientCertificate(CertificateSamples.SAMPLE_CERT, clock.nowUtc())
.setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, clock.nowUtc())
.build());
assertThatLogin("NewRegistrar", "foo-BAR2")
.atTime(DateTime.parse("2021-04-01T16:00:00Z"))
.hasResponse(
"response_error.xml",
ImmutableMap.of(
"CODE",
"2200",
"MSG",
"Registrar certificate contains the following security violations:\n"
+ "Certificate validity period is too long; it must be less than or equal to"
+ " 398 days."));
}
@Test
void testRegistrarCertificateContainsExtraMetadata_succeeds() throws Exception {
String certPem =
String.format(
"Bag Attributes\n"
+ " localKeyID: 1F 1C 3A 3A 4C 03 EC C4 BC 7A C3 21 A9 F2 13 66 21 B8 7B 26 \n"
+ "subject=/C=US/ST=New York/L=New"
+ " York/O=Test/OU=ABC/CN=tester.test/emailAddress=test-certificate@test.test\n"
+ "issuer=/C=US/ST=NY/L=NYC/O=ABC/OU=TEST CA/CN=TEST"
+ " CA/emailAddress=testing@test.test\n"
+ "%s",
CertificateSamples.SAMPLE_CERT3);
setCredentials(null, encodeX509CertificateFromPemString(certPem));
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
.setClientCertificate(certPem, now)
.setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, now)
.build());
assertThatLoginSucceeds("NewRegistrar", "foo-BAR2");
}
@Test
void testRegistrarCertificateContainsExtraMetadataAndViolations_fails() throws Exception {
String certPem =
String.format(
"Bag Attributes\n"
+ " localKeyID: 1F 1C 3A 3A 4C 03 EC C4 BC 7A C3 21 A9 F2 13 66 21 B8 7B 26 \n"
+ "subject=/C=US/ST=New York/L=New"
+ " York/O=Test/OU=ABC/CN=tester.test/emailAddress=test-certificate@test.test\n"
+ "issuer=/C=US/ST=NY/L=NYC/O=ABC/OU=TEST CA/CN=TEST"
+ " CA/emailAddress=testing@test.test\n"
+ "%s",
CertificateSamples.SAMPLE_CERT);
setCredentials(null, encodeX509CertificateFromPemString(certPem));
DateTime now = DateTime.now(UTC);
persistResource(
loadRegistrar("NewRegistrar")
.asBuilder()
.setClientCertificate(certPem, now)
.setFailoverClientCertificate(CertificateSamples.SAMPLE_CERT2, now)
.build());
assertThatLogin("NewRegistrar", "foo-BAR2")
.hasResponse(
"response_error.xml",
ImmutableMap.of(
"CODE",
"2200",
"MSG",
"Registrar certificate contains the following security violations:\n"
+ "Certificate validity period is too long; it must be less than or equal to"
+ " 398 days."));
}
}

View file

@ -153,17 +153,10 @@ class FlowRunnerTest {
void testRun_loggingStatement_tlsCredentials() throws Exception {
flowRunner.credentials =
new TlsCredentials(
true,
Optional.of("abc123def"),
Optional.of("cert046F5A3"),
Optional.of("127.0.0.1"),
certificateChecker,
clock);
true, Optional.of("abc123def"), Optional.of("127.0.0.1"), certificateChecker);
flowRunner.run(eppMetricBuilder);
assertThat(Splitter.on("\n\t").split(findFirstLogMessageByPrefix(handler, "EPP Command\n\t")))
.contains(
"TlsCredentials{clientCertificate=cert046F5A3, clientCertificateHash=abc123def,"
+ " clientAddress=/127.0.0.1}");
.contains("TlsCredentials{clientCertificateHash=abc123def," + " clientAddress=/127.0.0.1}");
}
@Test

View file

@ -67,13 +67,7 @@ final class TlsCredentialsTest {
@Test
void testClientCertificateAndHash_missing() {
TlsCredentials tls =
new TlsCredentials(
true,
Optional.empty(),
Optional.empty(),
Optional.of("192.168.1.1"),
certificateChecker,
clock);
new TlsCredentials(true, Optional.empty(), Optional.of("192.168.1.1"), certificateChecker);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -81,19 +75,13 @@ final class TlsCredentialsTest {
.build());
assertThrows(
MissingRegistrarCertificateException.class,
() -> tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get()));
() -> tls.validateCertificateHash(Registrar.loadByClientId("TheRegistrar").get()));
}
@Test
void test_missingIpAddress_doesntAllowAccess() {
TlsCredentials tls =
new TlsCredentials(
false,
Optional.of("certHash"),
Optional.empty(),
Optional.empty(),
certificateChecker,
clock);
new TlsCredentials(false, Optional.of("certHash"), Optional.empty(), certificateChecker);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -105,60 +93,22 @@ final class TlsCredentialsTest {
() -> tls.validate(Registrar.loadByClientId("TheRegistrar").get(), "password"));
}
@Test
void test_validateCertificate_canBeConfiguredToBypassCertHashes() throws Exception {
TlsCredentials tls =
new TlsCredentials(
false,
Optional.of("certHash"),
Optional.of("cert"),
Optional.of("192.168.1.1"),
certificateChecker,
clock);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
.setClientCertificate(null, clock.nowUtc())
.setFailoverClientCertificate(null, clock.nowUtc())
.build());
// This would throw a RegistrarCertificateNotConfiguredException if cert hashes were not
// bypassed
tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get());
}
@Test
void testProvideClientCertificate() {
HttpServletRequest req = mock(HttpServletRequest.class);
when(req.getHeader(ProxyHttpHeaders.FULL_CERTIFICATE)).thenReturn("data");
assertThat(TlsCredentials.EppTlsModule.provideClientCertificate(req)).hasValue("data");
}
@Test
void testClientCertificate_notConfigured() {
TlsCredentials tls =
new TlsCredentials(
true,
Optional.of("hash"),
Optional.of(SAMPLE_CERT),
Optional.of("192.168.1.1"),
certificateChecker,
clock);
true, Optional.of("hash"), Optional.of("192.168.1.1"), certificateChecker);
persistResource(loadRegistrar("TheRegistrar").asBuilder().build());
assertThrows(
RegistrarCertificateNotConfiguredException.class,
() -> tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get()));
() -> tls.validateCertificateHash(Registrar.loadByClientId("TheRegistrar").get()));
}
@Test
void test_validateCertificate_canBeConfiguredToBypassCerts() throws Exception {
void test_validateCertificateHash_canBeConfiguredToBypassCerts() throws Exception {
TlsCredentials tls =
new TlsCredentials(
false,
Optional.of("certHash"),
Optional.of("cert"),
Optional.of("192.168.1.1"),
certificateChecker,
clock);
false, Optional.of("certHash"), Optional.of("192.168.1.1"), certificateChecker);
persistResource(
loadRegistrar("TheRegistrar")
.asBuilder()
@ -166,6 +116,6 @@ final class TlsCredentialsTest {
.setFailoverClientCertificate(null, clock.nowUtc())
.build());
// This would throw a RegistrarCertificateNotConfiguredException if cert hashes wren't bypassed.
tls.validateCertificate(Registrar.loadByClientId("TheRegistrar").get());
tls.validateCertificateHash(Registrar.loadByClientId("TheRegistrar").get());
}
}

View file

@ -16,7 +16,6 @@ package google.registry.flows.session;
import static google.registry.testing.DatabaseHelper.persistResource;
import static google.registry.util.DateTimeUtils.START_OF_TIME;
import static google.registry.util.X509Utils.encodeX509CertificateFromPemString;
import static org.joda.time.DateTimeZone.UTC;
import com.google.common.collect.ImmutableList;
@ -31,18 +30,9 @@ import google.registry.flows.certs.CertificateChecker;
import google.registry.model.registrar.Registrar;
import google.registry.testing.CertificateSamples;
import google.registry.util.CidrAddressBlock;
import google.registry.util.SelfSignedCaCertificate;
import java.io.StringWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Optional;
import org.joda.time.DateTime;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.testcontainers.shaded.org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.testcontainers.shaded.org.bouncycastle.util.io.pem.PemObjectGenerator;
import org.testcontainers.shaded.org.bouncycastle.util.io.pem.PemWriter;
/** Unit tests for {@link LoginFlow} when accessed via a TLS transport. */
public class LoginFlowViaTlsTest extends LoginFlowTestCase {
@ -50,7 +40,6 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
private static final Optional<String> GOOD_CERT = Optional.of(CertificateSamples.SAMPLE_CERT3);
private static final Optional<String> GOOD_CERT_HASH =
Optional.of(CertificateSamples.SAMPLE_CERT3_HASH);
private static final Optional<String> BAD_CERT = Optional.of(CertificateSamples.SAMPLE_CERT2);
private static final Optional<String> BAD_CERT_HASH =
Optional.of(CertificateSamples.SAMPLE_CERT2_HASH);
private static final Optional<String> GOOD_IP = Optional.of("192.168.1.1");
@ -64,12 +53,6 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
2048,
ImmutableSet.of("secp256r1", "secp384r1"),
clock);
private Optional<String> encodedCertString;
@BeforeEach
void beforeEach() throws CertificateException {
encodedCertString = Optional.of(encodeX509CertificateFromPemString(GOOD_CERT.get()));
}
@Override
protected Registrar.Builder getRegistrarBuilder() {
@ -82,42 +65,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
@Test
void testSuccess_withGoodCredentials() throws Exception {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@Test
void testSuccess_withNewlyConstructedCertificate() throws Exception {
X509Certificate certificate =
SelfSignedCaCertificate.create(
"test", clock.nowUtc().minusDays(100), clock.nowUtc().plusDays(150))
.cert();
StringWriter sw = new StringWriter();
try (PemWriter pw = new PemWriter(sw)) {
PemObjectGenerator generator = new JcaMiscPEMGenerator(certificate);
pw.writeObject(generator);
}
persistResource(
super.getRegistrarBuilder()
.setClientCertificate(sw.toString(), DateTime.now(UTC))
.setIpAddressAllowList(
ImmutableList.of(
CidrAddressBlock.create(InetAddresses.forString(GOOD_IP.get()), 32)))
.build());
String encodedCertificate = Base64.getEncoder().encodeToString(certificate.getEncoded());
credentials =
new TlsCredentials(
true,
Optional.empty(),
Optional.of(encodedCertificate),
GOOD_IP,
certificateChecker,
clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IP, certificateChecker);
doSuccessfulTest("login_valid.xml");
}
@ -128,9 +76,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
.setIpAddressAllowList(
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
.build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IPV6, certificateChecker);
doSuccessfulTest("login_valid.xml");
}
@ -141,9 +87,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
.setIpAddressAllowList(
ImmutableList.of(CidrAddressBlock.create("2001:db8:0:0:0:0:1:1/32")))
.build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IPV6, certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IPV6, certificateChecker);
doSuccessfulTest("login_valid.xml");
}
@ -153,38 +97,21 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
getRegistrarBuilder()
.setIpAddressAllowList(ImmutableList.of(CidrAddressBlock.create("192.168.1.255/24")))
.build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, encodedCertString, GOOD_IP, certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_IP, certificateChecker);
doSuccessfulTest("login_valid.xml");
}
@Test
void testFailure_incorrectClientCertificateHash() throws Exception {
persistResource(getRegistrarBuilder().build());
String proxyEncoded = encodeX509CertificateFromPemString(BAD_CERT.get());
credentials =
new TlsCredentials(
true, BAD_CERT_HASH, Optional.of(proxyEncoded), GOOD_IP, certificateChecker, clock);
credentials = new TlsCredentials(true, BAD_CERT_HASH, GOOD_IP, certificateChecker);
doFailingTest("login_valid.xml", BadRegistrarCertificateException.class);
}
@Test
// TODO(Sarahbot): This should fail once hash fallback is removed
void testSuccess_missingClientCertificate() throws Exception {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, Optional.empty(), GOOD_IP, certificateChecker, clock);
doSuccessfulTest("login_valid.xml");
}
@Test
void testFailure_missingClientCertificateAndHash() {
persistResource(getRegistrarBuilder().build());
credentials =
new TlsCredentials(
true, Optional.empty(), Optional.empty(), GOOD_IP, certificateChecker, clock);
credentials = new TlsCredentials(true, Optional.empty(), GOOD_IP, certificateChecker);
doFailingTest("login_valid.xml", MissingRegistrarCertificateException.class);
}
@ -197,9 +124,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials =
new TlsCredentials(
true, GOOD_CERT_HASH, GOOD_CERT, Optional.empty(), certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, certificateChecker);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
@ -212,8 +137,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IP, certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, BAD_IP, certificateChecker);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
@ -226,8 +150,7 @@ public class LoginFlowViaTlsTest extends LoginFlowTestCase {
CidrAddressBlock.create(InetAddresses.forString("192.168.1.1"), 32),
CidrAddressBlock.create(InetAddresses.forString("2001:db8::1"), 128)))
.build());
credentials =
new TlsCredentials(true, GOOD_CERT_HASH, GOOD_CERT, BAD_IPV6, certificateChecker, clock);
credentials = new TlsCredentials(true, GOOD_CERT_HASH, BAD_IPV6, certificateChecker);
doFailingTest("login_valid.xml", BadRegistrarIpAddressException.class);
}
}