File tree Expand file tree Collapse file tree
CERTInext.IntegrationTests Expand file tree Collapse file tree Original file line number Diff line number Diff line change @@ -161,13 +161,12 @@ public async Task Enroll_AcceptsKeyAlgorithm(string tag)
161161 }
162162 catch ( Exception ex )
163163 {
164- // Per agreed scope: a CA-side rejection (algorithm not supported, or other
165- // account/provisioning gap) becomes an explicit Skip carrying the CA's message,
166- // so the matrix documents real CERTInext support without a hard failure.
167- _output . WriteLine ( $ "[SKIP] { tag } : CERTInext rejected submission — { ex . Message } ") ;
168- Skip . If ( true ,
169- $ "CERTInext did not accept a { tag } order. This may be an unsupported key algorithm "+
170- $ "or an account/provisioning limitation. CA message: { ex . Message } ") ;
164+ // Per agreed scope: a CA-side rejection becomes an explicit Skip carrying the CA's
165+ // message (classified so an unsupported algorithm isn't confused with a credit/
166+ // account limitation), so the matrix documents real CERTInext support honestly.
167+ string reason = KeyAlgorithms . ClassifyRejection ( ex . Message ) ;
168+ _output . WriteLine ( $ "[SKIP] { tag } : { reason } — { ex . Message } ") ;
169+ Skip . If ( true , $ "CERTInext did not accept a { tag } order: { reason } . CA message: { ex . Message } ") ;
171170 }
172171
173172 enrollResult . Should ( ) . NotBeNull ( $ "{ tag } : Enroll must return a non-null result when accepted") ;
Original file line number Diff line number Diff line change @@ -415,8 +415,9 @@ public async Task EnrollWithDcvOn_IssuesPerKeyAlgorithm(string tag)
415415 }
416416 catch ( Exception ex )
417417 {
418- _output . WriteLine ( $ "[SKIP] { tag } : CERTInext rejected the DV order at submission — { ex . Message } ") ;
419- Skip . If ( true , $ "CERTInext did not accept a { tag } DV order (likely an unsupported key algorithm). CA message: { ex . Message } ") ;
418+ string reason = KeyAlgorithms . ClassifyRejection ( ex . Message ) ;
419+ _output . WriteLine ( $ "[SKIP] { tag } : { reason } — { ex . Message } ") ;
420+ Skip . If ( true , $ "CERTInext did not issue a { tag } cert: { reason } . CA message: { ex . Message } ") ;
420421 return ; // unreachable — Skip throws
421422 }
422423
Original file line number Diff line number Diff line change @@ -115,5 +115,23 @@ public static byte[] DerFromPem(string pem)
115115
116116 /// <summary>A filesystem/DNS-safe slug for a tag, e.g. "ECDSA-P256" → "ecdsap256".</summary>
117117 public static string Slug ( string tag ) => tag . ToLowerInvariant ( ) . Replace ( "-" , string . Empty ) ;
118+
119+ /// <summary>
120+ /// Classifies a CERTInext order-rejection message so the algorithm matrix doesn't
121+ /// conflate "this key algorithm is unsupported" with "the account can't place orders
122+ /// right now". CERTInext's live envelope (observed): RSA 2048/3072/4096 + ECC P-256/P-384
123+ /// are accepted; larger RSA, P-521, and the Ed* curves return "Invalid key size" /
124+ /// "Something went Wrong". A credit shortfall returns "Insufficient Credits" regardless
125+ /// of algorithm.
126+ /// </summary>
127+ public static string ClassifyRejection ( string caMessage )
128+ {
129+ caMessage ??= string . Empty ;
130+ if ( caMessage . IndexOf ( "Invalid key size" , StringComparison . OrdinalIgnoreCase ) >= 0 )
131+ return "key algorithm/size not supported by CERTInext" ;
132+ if ( caMessage . IndexOf ( "Insufficient Credits" , StringComparison . OrdinalIgnoreCase ) >= 0 )
133+ return "CERTInext account is out of credits — algorithm support was not exercised" ;
134+ return "rejected by CERTInext" ;
135+ }
118136 }
119137}
You can’t perform that action at this time.
0 commit comments