Added test for different authority key id after renew
Also ran dep ensure.
This commit is contained in:
parent
d78febec7a
commit
229e5908b7
2 changed files with 140 additions and 18 deletions
|
@ -18,6 +18,7 @@ import (
|
|||
"github.com/smallstep/cli/crypto/keys"
|
||||
"github.com/smallstep/cli/crypto/tlsutil"
|
||||
"github.com/smallstep/cli/crypto/x509util"
|
||||
stepx509 "github.com/smallstep/cli/pkg/x509"
|
||||
)
|
||||
|
||||
func getCSR(t *testing.T, priv interface{}, opts ...func(*x509.CertificateRequest)) *x509.CertificateRequest {
|
||||
|
@ -326,7 +327,32 @@ func TestRenew(t *testing.T) {
|
|||
},
|
||||
"success": func() (*renewTest, error) {
|
||||
return &renewTest{
|
||||
crt: crt,
|
||||
auth: a,
|
||||
crt: crt,
|
||||
}, nil
|
||||
},
|
||||
"success-new-intermediate": func() (*renewTest, error) {
|
||||
newRootProfile, err := x509util.NewRootProfile("new-root")
|
||||
assert.FatalError(t, err)
|
||||
newRootBytes, err := newRootProfile.CreateCertificate()
|
||||
assert.FatalError(t, err)
|
||||
newRootCrt, err := stepx509.ParseCertificate(newRootBytes)
|
||||
assert.FatalError(t, err)
|
||||
|
||||
newIntermediateProfile, err := x509util.NewIntermediateProfile("new-intermediate",
|
||||
newRootCrt, newRootProfile.SubjectPrivateKey())
|
||||
assert.FatalError(t, err)
|
||||
newIntermediateBytes, err := newIntermediateProfile.CreateCertificate()
|
||||
assert.FatalError(t, err)
|
||||
newIntermediateCrt, err := stepx509.ParseCertificate(newIntermediateBytes)
|
||||
assert.FatalError(t, err)
|
||||
|
||||
_a := testAuthority(t)
|
||||
_a.intermediateIdentity.Key = newIntermediateProfile.SubjectPrivateKey()
|
||||
_a.intermediateIdentity.Crt = newIntermediateCrt
|
||||
return &renewTest{
|
||||
auth: _a,
|
||||
crt: crt,
|
||||
}, nil
|
||||
},
|
||||
}
|
||||
|
@ -355,7 +381,7 @@ func TestRenew(t *testing.T) {
|
|||
}
|
||||
} else {
|
||||
if assert.Nil(t, tc.err) {
|
||||
assert.Equals(t, leaf.NotAfter.Sub(leaf.NotBefore), crt.NotAfter.Sub(crt.NotBefore))
|
||||
assert.Equals(t, leaf.NotAfter.Sub(leaf.NotBefore), tc.crt.NotAfter.Sub(crt.NotBefore))
|
||||
|
||||
assert.True(t, leaf.NotBefore.After(now.Add(-time.Minute)))
|
||||
assert.True(t, leaf.NotBefore.Before(now.Add(time.Minute)))
|
||||
|
@ -387,25 +413,51 @@ func TestRenew(t *testing.T) {
|
|||
hash := sha1.Sum(pubBytes)
|
||||
assert.Equals(t, leaf.SubjectKeyId, hash[:])
|
||||
|
||||
assert.Equals(t, leaf.AuthorityKeyId, a.intermediateIdentity.Crt.SubjectKeyId)
|
||||
|
||||
realIntermediate, err := x509.ParseCertificate(a.intermediateIdentity.Crt.Raw)
|
||||
assert.FatalError(t, err)
|
||||
assert.Equals(t, intermediate, realIntermediate)
|
||||
|
||||
// Compare extensions: they can be in a different order
|
||||
for _, ext1 := range crt.Extensions {
|
||||
found := false
|
||||
for _, ext2 := range leaf.Extensions {
|
||||
if reflect.DeepEqual(ext1, ext2) {
|
||||
found = true
|
||||
break
|
||||
// We did not change the intermediate before renewing.
|
||||
if a.intermediateIdentity.Crt.SerialNumber == tc.auth.intermediateIdentity.Crt.SerialNumber {
|
||||
assert.Equals(t, leaf.AuthorityKeyId, a.intermediateIdentity.Crt.SubjectKeyId)
|
||||
// Compare extensions: they can be in a different order
|
||||
for _, ext1 := range tc.crt.Extensions {
|
||||
found := false
|
||||
for _, ext2 := range leaf.Extensions {
|
||||
if reflect.DeepEqual(ext1, ext2) {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String())
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String())
|
||||
} else {
|
||||
// We did change the intermediate before renewing.
|
||||
assert.Equals(t, leaf.AuthorityKeyId, tc.auth.intermediateIdentity.Crt.SubjectKeyId)
|
||||
// Compare extensions: they can be in a different order
|
||||
for _, ext1 := range tc.crt.Extensions {
|
||||
// The authority key id extension should be different b/c the intermediates are different.
|
||||
if ext1.Id.Equal(oidAuthorityKeyIdentifier) {
|
||||
for _, ext2 := range leaf.Extensions {
|
||||
assert.False(t, reflect.DeepEqual(ext1, ext2))
|
||||
}
|
||||
continue
|
||||
} else {
|
||||
found := false
|
||||
for _, ext2 := range leaf.Extensions {
|
||||
if reflect.DeepEqual(ext1, ext2) {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !found {
|
||||
t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String())
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
realIntermediate, err := x509.ParseCertificate(tc.auth.intermediateIdentity.Crt.Raw)
|
||||
assert.FatalError(t, err)
|
||||
assert.Equals(t, intermediate, realIntermediate)
|
||||
}
|
||||
}
|
||||
})
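Review bot: The branch selector `if a.intermediateIdentity.Crt.SerialNumber == tc.auth.intermediateIdentity.Crt.SerialNumber` compares two `*big.Int` pointers rather than the serial values, assuming the forked stepx509 certificate keeps crypto/x509's `SerialNumber *big.Int` field. It only works here because the `success` case reuses the same authority `a` (pointer-equal) while `success-new-intermediate` builds a fresh one; a future case whose `testAuthority` re-parses an intermediate with the same serial would be routed into the "changed intermediate" branch and fail its AuthorityKeyId assertions. Compare by value instead: `if a.intermediateIdentity.Crt.SerialNumber.Cmp(tc.auth.intermediateIdentity.Crt.SerialNumber) == 0 {`. As a point of style, the `} else {` that follows `continue` in the new-intermediate extension loop can be dropped so the common path is not indented. TestRenew's body starts outside the hunk.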
|
||||
|
|