Make tests green

This commit is contained in:
Herman Slatman 2021-03-12 16:58:52 +01:00 committed by max furman
parent 57a62964b1
commit be528da709
2 changed files with 70 additions and 67 deletions


@ -7,8 +7,6 @@ import (
"crypto/x509" "crypto/x509"
"encoding/hex" "encoding/hex"
"log" "log"
"os"
"strings"
"sync" "sync"
"time" "time"
@ -315,53 +313,6 @@ func (a *Authority) init() error {
} }
} }
// TODO: decide if this is a good approach for providing the SCEP functionality
// It currently mirrors the logic for the x509CAServer
if a.scepService == nil {
var options casapi.Options
if a.config.AuthorityConfig.Options != nil {
options = *a.config.AuthorityConfig.Options
}
// Read intermediate and create X509 signer and decrypter for default CAS.
if options.Is(casapi.SoftCAS) {
options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
if err != nil {
return err
}
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
// TODO: this is not exactly nice to do, but ensures that tests will still run while
// ECDSA keys are in the testdata. ECDSA keys are no crypto.Decrypters, resulting
// in many errors in the test suite. Needs a better solution, I think.
underTest := strings.HasSuffix(os.Args[0], ".test")
if !underTest {
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
DecryptionKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
}
}
}
a.scepService, err = scep.NewService(context.Background(), options)
if err != nil {
return err
}
// TODO: mimick the x509CAService GetCertificateAuthority here too?
}
// Read root certificates and store them in the certificates map. // Read root certificates and store them in the certificates map.
if len(a.rootX509Certs) == 0 { if len(a.rootX509Certs) == 0 {
a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root)) a.rootX509Certs = make([]*x509.Certificate, len(a.config.Root))
@ -512,6 +463,47 @@ func (a *Authority) init() error {
} }
} }
// TODO: decide if this is a good approach for providing the SCEP functionality
// It currently mirrors the logic for the x509CAService
if a.requiresSCEPService() && a.scepService == nil {
var options casapi.Options
if a.config.AuthorityConfig.Options != nil {
options = *a.config.AuthorityConfig.Options
}
// Read intermediate and create X509 signer and decrypter for default CAS.
if options.Is(casapi.SoftCAS) {
options.CertificateChain, err = pemutil.ReadCertificateBundle(a.config.IntermediateCert)
if err != nil {
return err
}
options.Signer, err = a.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
if km, ok := a.keyManager.(kmsapi.Decrypter); ok {
options.Decrypter, err = km.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
DecryptionKey: a.config.IntermediateKey,
Password: []byte(a.config.Password),
})
if err != nil {
return err
}
}
}
a.scepService, err = scep.NewService(context.Background(), options)
if err != nil {
return err
}
// TODO: mimick the x509CAService GetCertificateAuthority here too?
}
// Store all the provisioners // Store all the provisioners
for _, p := range a.config.AuthorityConfig.Provisioners { for _, p := range a.config.AuthorityConfig.Provisioners {
if err := p.Init(config); err != nil { if err := p.Init(config); err != nil {
@ -586,12 +578,15 @@ func (a *Authority) CloseForReload() {
} }
} }
// requiresDecrypter iterates over the configured provisioners // requiresDecrypter returns whether the Authority
// and determines if the Authority requires a KMS that provides // requires a KMS that provides a crypto.Decrypter
// a crypto.Decrypter by implementing the apiv1.Decrypter
// interface. Currently only the SCEP provider requires this,
// but others may be added in the future.
func (a *Authority) requiresDecrypter() bool { func (a *Authority) requiresDecrypter() bool {
return a.requiresSCEPService()
}
// requiresSCEPService iterates over the configured provisioners
// and determines if one of them is a SCEP provisioner.
func (a *Authority) requiresSCEPService() bool {
for _, p := range a.config.AuthorityConfig.Provisioners { for _, p := range a.config.AuthorityConfig.Provisioners {
if p.GetType() == provisioner.TypeSCEP { if p.GetType() == provisioner.TypeSCEP {
return true return true
@ -605,6 +600,6 @@ func (a *Authority) requiresDecrypter() bool {
// in order to make SCEP work more easily. It can be // in order to make SCEP work more easily. It can be
// made more correct by using the right interfaces/abstractions // made more correct by using the right interfaces/abstractions
// after it works as expected. // after it works as expected.
func (a *Authority) GetSCEPService() scep.Service { func (a *Authority) GetSCEPService() *scep.Service {
return *a.scepService return a.scepService
} }
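Review bot: In the relocated SCEP block (the `a.requiresSCEPService() && a.scepService == nil` branch), a key manager that does not implement `kmsapi.Decrypter` is skipped silently at the `if km, ok := a.keyManager.(kmsapi.Decrypter); ok` type assertion, so `scep.NewService` is still called with a nil `options.Decrypter` and the failure only surfaces when a SCEP request later needs to decrypt. Unless that is enforced elsewhere through `requiresDecrypter()` (which now just delegates to `requiresSCEPService()`), an `else` branch returning an error at init, along the lines of `return errors.New("scep provisioner requires a KMS that implements kmsapi.Decrypter")` using whichever error constructor the file already imports, would fail fast instead; `init()` itself starts and ends outside these hunks. Separately, `GetSCEPService` now returns `*scep.Service`, which is nil whenever no SCEP provisioner is configured, so its doc comment should say so: `// GetSCEPService returns the SCEP service, or nil when no SCEP provisioner is configured.`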


@ -51,14 +51,14 @@ type Authority struct {
intermediateCertificate *x509.Certificate intermediateCertificate *x509.Certificate
service Service service *Service
signAuth SignAuthority signAuth SignAuthority
} }
// AuthorityOptions required to create a new SCEP Authority. // AuthorityOptions required to create a new SCEP Authority.
type AuthorityOptions struct { type AuthorityOptions struct {
// Service provides the SCEP functions to Authority // Service provides the SCEP functions to Authority
Service Service Service *Service
// Backdate // Backdate
Backdate provisioner.Duration Backdate provisioner.Duration
// DB is the database used by nosql. // DB is the database used by nosql.
@ -92,15 +92,23 @@ func New(signAuth SignAuthority, ops AuthorityOptions) (*Authority, error) {
} }
} }
return &Authority{ authority := &Authority{
backdate: ops.Backdate, backdate: ops.Backdate,
db: ops.DB, db: ops.DB,
prefix: ops.Prefix, prefix: ops.Prefix,
dns: ops.DNS, dns: ops.DNS,
intermediateCertificate: ops.Service.certificateChain[0],
service: ops.Service,
signAuth: signAuth, signAuth: signAuth,
}, nil }
// TODO: this is not really nice to do; the Service should be removed
// in its entirety to make this more interoperable with the rest of
// step-ca.
if ops.Service != nil {
authority.intermediateCertificate = ops.Service.certificateChain[0]
authority.service = ops.Service
}
return authority, nil
} }
var ( var (
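Review bot: The new `if ops.Service != nil` guard in `New` still indexes `ops.Service.certificateChain[0]` without checking the slice length, so a Service constructed with an empty chain panics here rather than returning an error from a function that already has an error result. A length check inside the guard would cover it: `if len(ops.Service.certificateChain) == 0 { return nil, <error constructor already used in this file>("scep: service has no certificate chain") }`. Note also that when `ops.Service` is nil, `intermediateCertificate` and `service` stay nil on the returned `*Authority`; presumably every method that touches them is only reachable when a SCEP provisioner is configured, but that is worth confirming against the callers. `New` begins before this hunk.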