b275758018
Upgrade cloud.google.com/go
624 lines
25 KiB
Go
624 lines
25 KiB
Go
package cloudcas
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/asn1"
|
|
"net"
|
|
"net/url"
|
|
"reflect"
|
|
"testing"
|
|
|
|
kmsapi "github.com/smallstep/certificates/kms/apiv1"
|
|
pb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1"
|
|
wrapperspb "google.golang.org/protobuf/types/known/wrapperspb"
|
|
)
|
|
|
|
var (
|
|
testLeafPublicKey = `-----BEGIN PUBLIC KEY-----
|
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAdUSRBrpgHFilN4eaGlNnX2+xfjX
|
|
a1Iwk2/+AensjFTXJi1UAIB0e+4pqi7Sen5E2QVBhntEHCrA3xOf7czgPw==
|
|
-----END PUBLIC KEY-----
|
|
`
|
|
testRSACertificate = `-----BEGIN CERTIFICATE-----
|
|
MIICozCCAkmgAwIBAgIRANNhMpODj7ThgviZCoF6kj8wCgYIKoZIzj0EAwIwKjEo
|
|
MCYGA1UEAxMfR29vZ2xlIENBUyBUZXN0IEludGVybWVkaWF0ZSBDQTAeFw0yMDA5
|
|
MTUwMTUxMDdaFw0zMDA5MTMwMTUxMDNaMB0xGzAZBgNVBAMTEnRlc3Quc21hbGxz
|
|
dGVwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPRjuIlsP5Z
|
|
672syAsHlbILFabG/xmrlsO0UdcLo4Yjf9WPAFA+7q+CsVDFh4dQbMv96fsHtdYP
|
|
E9wlWyMqYG+5E8QT2i0WNFEoYcXOGZuXdyD/TA5Aucu1RuYLrZXQrXWDnvaWOgvr
|
|
EZ6s9VsPCzzkL8KBejIMQIMY0KXEJfB/HgXZNn8V2trZkWT5CzxbcOF3s3UC1Z6F
|
|
Ja6zjpxhSyRkqgknJxv6yK4t7HEwdhrDI8uyxJYHPQWKNRjWecHWE9E+MtoS7D08
|
|
mTh8qlAKoBbkGolR2nJSXffU09F3vSg+MIfjPiRqjf6394cQ3T9D5yZK//rCrxWU
|
|
8KKBQMEmdKcCAwEAAaOBkTCBjjAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYI
|
|
KwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQffuoYvH1+IF1cipl35gXJxSJE
|
|
SjAfBgNVHSMEGDAWgBRIOVqyLDSlErJLuWWEvRm5UU1r1TAdBgNVHREEFjAUghJ0
|
|
ZXN0LnNtYWxsc3RlcC5jb20wCgYIKoZIzj0EAwIDSAAwRQIhAL9AAw/LVLvvxBkM
|
|
sJnHd+RIk7ZblkgcArwpIS2+Z5xNAiBtUED4zyimz9b4aQiXdw4IMd2CKxVyW8eE
|
|
6x1vSZMvzQ==
|
|
-----END CERTIFICATE-----`
|
|
testRSAPublicKey = `-----BEGIN RSA PUBLIC KEY-----
|
|
MIIBCgKCAQEA09GO4iWw/lnrvazICweVsgsVpsb/GauWw7RR1wujhiN/1Y8AUD7u
|
|
r4KxUMWHh1Bsy/3p+we11g8T3CVbIypgb7kTxBPaLRY0UShhxc4Zm5d3IP9MDkC5
|
|
y7VG5gutldCtdYOe9pY6C+sRnqz1Ww8LPOQvwoF6MgxAgxjQpcQl8H8eBdk2fxXa
|
|
2tmRZPkLPFtw4XezdQLVnoUlrrOOnGFLJGSqCScnG/rIri3scTB2GsMjy7LElgc9
|
|
BYo1GNZ5wdYT0T4y2hLsPTyZOHyqUAqgFuQaiVHaclJd99TT0Xe9KD4wh+M+JGqN
|
|
/rf3hxDdP0PnJkr/+sKvFZTwooFAwSZ0pwIDAQAB
|
|
-----END RSA PUBLIC KEY-----
|
|
`
|
|
)
|
|
|
|
func Test_createCertificateConfig(t *testing.T) {
|
|
cert := mustParseCertificate(t, testLeafCertificate)
|
|
type args struct {
|
|
tpl *x509.Certificate
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.Certificate_Config
|
|
wantErr bool
|
|
}{
|
|
{"ok", args{cert}, &pb.Certificate_Config{
|
|
Config: &pb.CertificateConfig{
|
|
SubjectConfig: &pb.CertificateConfig_SubjectConfig{
|
|
Subject: &pb.Subject{},
|
|
CommonName: "test.smallstep.com",
|
|
SubjectAltName: &pb.SubjectAltNames{
|
|
DnsNames: []string{"test.smallstep.com"},
|
|
},
|
|
},
|
|
ReusableConfig: &pb.ReusableConfigWrapper{
|
|
ConfigValues: &pb.ReusableConfigWrapper_ReusableConfigValues{
|
|
ReusableConfigValues: &pb.ReusableConfigValues{
|
|
KeyUsage: &pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
DigitalSignature: true,
|
|
},
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
ClientAuth: true,
|
|
ServerAuth: true,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
PublicKey: &pb.PublicKey{
|
|
Type: pb.PublicKey_PEM_EC_KEY,
|
|
Key: []byte(testLeafPublicKey),
|
|
},
|
|
},
|
|
}, false},
|
|
{"fail", args{&x509.Certificate{}}, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := createCertificateConfig(tt.args.tpl)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("createCertificateConfig() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createCertificateConfig() = %v, want %v", got.Config.ReusableConfig, tt.want.Config.ReusableConfig)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_createPublicKey(t *testing.T) {
|
|
edpub, _, err := ed25519.GenerateKey(rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
ecCert := mustParseCertificate(t, testLeafCertificate)
|
|
rsaCert := mustParseCertificate(t, testRSACertificate)
|
|
type args struct {
|
|
key crypto.PublicKey
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.PublicKey
|
|
wantErr bool
|
|
}{
|
|
{"ok ec", args{ecCert.PublicKey}, &pb.PublicKey{
|
|
Type: pb.PublicKey_PEM_EC_KEY,
|
|
Key: []byte(testLeafPublicKey),
|
|
}, false},
|
|
{"ok rsa", args{rsaCert.PublicKey}, &pb.PublicKey{
|
|
Type: pb.PublicKey_PEM_RSA_KEY,
|
|
Key: []byte(testRSAPublicKey),
|
|
}, false},
|
|
{"fail ed25519", args{edpub}, nil, true},
|
|
{"fail ec marshal", args{&ecdsa.PublicKey{
|
|
Curve: &elliptic.CurveParams{Name: "FOO", BitSize: 256},
|
|
X: ecCert.PublicKey.(*ecdsa.PublicKey).X,
|
|
Y: ecCert.PublicKey.(*ecdsa.PublicKey).Y,
|
|
}}, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := createPublicKey(tt.args.key)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("createPublicKey() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createPublicKey() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_createSubject(t *testing.T) {
|
|
type args struct {
|
|
cert *x509.Certificate
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.Subject
|
|
}{
|
|
{"ok empty", args{&x509.Certificate{}}, &pb.Subject{}},
|
|
{"ok all", args{&x509.Certificate{
|
|
Subject: pkix.Name{
|
|
Country: []string{"US"},
|
|
Organization: []string{"Smallstep Labs"},
|
|
OrganizationalUnit: []string{"Engineering"},
|
|
Locality: []string{"San Francisco"},
|
|
Province: []string{"California"},
|
|
StreetAddress: []string{"1 A St."},
|
|
PostalCode: []string{"12345"},
|
|
SerialNumber: "1234567890",
|
|
CommonName: "test.smallstep.com",
|
|
},
|
|
}}, &pb.Subject{
|
|
CountryCode: "US",
|
|
Organization: "Smallstep Labs",
|
|
OrganizationalUnit: "Engineering",
|
|
Locality: "San Francisco",
|
|
Province: "California",
|
|
StreetAddress: "1 A St.",
|
|
PostalCode: "12345",
|
|
}},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := createSubject(tt.args.cert); !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createSubject() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_createSubjectAlternativeNames(t *testing.T) {
|
|
marshalRawValues := func(rawValues []asn1.RawValue) []byte {
|
|
b, err := asn1.Marshal(rawValues)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return b
|
|
}
|
|
|
|
uri := func(s string) *url.URL {
|
|
u, err := url.Parse(s)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return u
|
|
}
|
|
type args struct {
|
|
cert *x509.Certificate
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.SubjectAltNames
|
|
}{
|
|
{"ok empty", args{&x509.Certificate{}}, &pb.SubjectAltNames{}},
|
|
{"ok dns", args{&x509.Certificate{DNSNames: []string{
|
|
"doe.com", "doe.org",
|
|
}}}, &pb.SubjectAltNames{DnsNames: []string{"doe.com", "doe.org"}}},
|
|
{"ok emails", args{&x509.Certificate{EmailAddresses: []string{
|
|
"john@doe.com", "jane@doe.com",
|
|
}}}, &pb.SubjectAltNames{EmailAddresses: []string{"john@doe.com", "jane@doe.com"}}},
|
|
{"ok ips", args{&x509.Certificate{IPAddresses: []net.IP{
|
|
net.ParseIP("127.0.0.1"), net.ParseIP("1.2.3.4"),
|
|
net.ParseIP("::1"), net.ParseIP("2001:0db8:85a3:a0b:12f0:8a2e:0370:7334"), net.ParseIP("2001:0db8:85a3:0000:0000:8a2e:0370:7334"),
|
|
}}}, &pb.SubjectAltNames{IpAddresses: []string{"127.0.0.1", "1.2.3.4", "::1", "2001:db8:85a3:a0b:12f0:8a2e:370:7334", "2001:db8:85a3::8a2e:370:7334"}}},
|
|
{"ok uris", args{&x509.Certificate{URIs: []*url.URL{
|
|
uri("mailto:john@doe.com"), uri("https://john@doe.com/hello"),
|
|
}}}, &pb.SubjectAltNames{Uris: []string{"mailto:john@doe.com", "https://john@doe.com/hello"}}},
|
|
{"ok extensions", args{&x509.Certificate{
|
|
ExtraExtensions: []pkix.Extension{{
|
|
Id: []int{2, 5, 29, 17}, Critical: true, Value: []byte{
|
|
0x30, 0x48, 0x82, 0x0b, 0x77, 0x77, 0x77, 0x2e, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x81,
|
|
0x0c, 0x6a, 0x61, 0x6e, 0x65, 0x40, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x01,
|
|
0x02, 0x03, 0x04, 0x87, 0x10, 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x0a, 0x0b, 0x12, 0xf0, 0x8a,
|
|
0x2e, 0x03, 0x70, 0x73, 0x34, 0x86, 0x13, 0x6d, 0x61, 0x69, 0x6c, 0x74, 0x6f, 0x3a, 0x6a, 0x61,
|
|
0x6e, 0x65, 0x40, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
|
|
},
|
|
}},
|
|
}}, &pb.SubjectAltNames{
|
|
CustomSans: []*pb.X509Extension{{
|
|
ObjectId: &pb.ObjectId{ObjectIdPath: []int32{2, 5, 29, 17}},
|
|
Critical: true,
|
|
Value: []byte{
|
|
0x30, 0x48, 0x82, 0x0b, 0x77, 0x77, 0x77, 0x2e, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x81,
|
|
0x0c, 0x6a, 0x61, 0x6e, 0x65, 0x40, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x87, 0x04, 0x01,
|
|
0x02, 0x03, 0x04, 0x87, 0x10, 0x20, 0x01, 0x0d, 0xb8, 0x85, 0xa3, 0x0a, 0x0b, 0x12, 0xf0, 0x8a,
|
|
0x2e, 0x03, 0x70, 0x73, 0x34, 0x86, 0x13, 0x6d, 0x61, 0x69, 0x6c, 0x74, 0x6f, 0x3a, 0x6a, 0x61,
|
|
0x6e, 0x65, 0x40, 0x64, 0x6f, 0x65, 0x2e, 0x63, 0x6f, 0x6d,
|
|
},
|
|
}},
|
|
}},
|
|
{"ok extra extensions", args{&x509.Certificate{
|
|
DNSNames: []string{"doe.com"},
|
|
ExtraExtensions: []pkix.Extension{{
|
|
Id: []int{2, 5, 29, 17}, Critical: true, Value: marshalRawValues([]asn1.RawValue{
|
|
{Class: asn1.ClassApplication, Tag: 2, IsCompound: true, Bytes: []byte{}},
|
|
{Class: asn1.ClassContextSpecific, Tag: nameTypeDNS, Bytes: []byte("doe.com")},
|
|
{Class: asn1.ClassContextSpecific, Tag: nameTypeEmail, Bytes: []byte("jane@doe.com")},
|
|
{Class: asn1.ClassContextSpecific, Tag: 8, Bytes: []byte("foo.bar")},
|
|
}),
|
|
}},
|
|
}}, &pb.SubjectAltNames{
|
|
DnsNames: []string{"doe.com"},
|
|
CustomSans: []*pb.X509Extension{{
|
|
ObjectId: &pb.ObjectId{ObjectIdPath: []int32{2, 5, 29, 17}},
|
|
Critical: true,
|
|
Value: marshalRawValues([]asn1.RawValue{
|
|
{Class: asn1.ClassApplication, Tag: 2, IsCompound: true, Bytes: []byte{}},
|
|
{Class: asn1.ClassContextSpecific, Tag: nameTypeEmail, Bytes: []byte("jane@doe.com")},
|
|
{Class: asn1.ClassContextSpecific, Tag: 8, Bytes: []byte("foo.bar")},
|
|
}),
|
|
}},
|
|
}},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := createSubjectAlternativeNames(tt.args.cert); !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createSubjectAlternativeNames() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_createReusableConfig(t *testing.T) {
|
|
withKU := func(ku *pb.KeyUsage) *pb.ReusableConfigWrapper {
|
|
if ku.BaseKeyUsage == nil {
|
|
ku.BaseKeyUsage = &pb.KeyUsage_KeyUsageOptions{}
|
|
}
|
|
if ku.ExtendedKeyUsage == nil {
|
|
ku.ExtendedKeyUsage = &pb.KeyUsage_ExtendedKeyUsageOptions{}
|
|
}
|
|
return &pb.ReusableConfigWrapper{
|
|
ConfigValues: &pb.ReusableConfigWrapper_ReusableConfigValues{
|
|
ReusableConfigValues: &pb.ReusableConfigValues{
|
|
KeyUsage: ku,
|
|
},
|
|
},
|
|
}
|
|
}
|
|
withRCV := func(rcv *pb.ReusableConfigValues) *pb.ReusableConfigWrapper {
|
|
if rcv.KeyUsage == nil {
|
|
rcv.KeyUsage = &pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{},
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{},
|
|
}
|
|
}
|
|
return &pb.ReusableConfigWrapper{
|
|
ConfigValues: &pb.ReusableConfigWrapper_ReusableConfigValues{
|
|
ReusableConfigValues: rcv,
|
|
},
|
|
}
|
|
}
|
|
|
|
type args struct {
|
|
cert *x509.Certificate
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.ReusableConfigWrapper
|
|
}{
|
|
{"keyUsageDigitalSignature", args{&x509.Certificate{
|
|
KeyUsage: x509.KeyUsageDigitalSignature,
|
|
}}, &pb.ReusableConfigWrapper{
|
|
ConfigValues: &pb.ReusableConfigWrapper_ReusableConfigValues{
|
|
ReusableConfigValues: &pb.ReusableConfigValues{
|
|
KeyUsage: &pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
DigitalSignature: true,
|
|
},
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{},
|
|
UnknownExtendedKeyUsages: nil,
|
|
},
|
|
CaOptions: nil,
|
|
PolicyIds: nil,
|
|
AiaOcspServers: nil,
|
|
AdditionalExtensions: nil,
|
|
},
|
|
},
|
|
}},
|
|
// KeyUsage
|
|
{"KeyUsageDigitalSignature", args{&x509.Certificate{KeyUsage: x509.KeyUsageDigitalSignature}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
DigitalSignature: true,
|
|
},
|
|
})},
|
|
{"KeyUsageContentCommitment", args{&x509.Certificate{KeyUsage: x509.KeyUsageContentCommitment}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
ContentCommitment: true,
|
|
},
|
|
})},
|
|
{"KeyUsageKeyEncipherment", args{&x509.Certificate{KeyUsage: x509.KeyUsageKeyEncipherment}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
KeyEncipherment: true,
|
|
},
|
|
})},
|
|
{"KeyUsageDataEncipherment", args{&x509.Certificate{KeyUsage: x509.KeyUsageDataEncipherment}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
DataEncipherment: true,
|
|
},
|
|
})},
|
|
{"KeyUsageKeyAgreement", args{&x509.Certificate{KeyUsage: x509.KeyUsageKeyAgreement}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
KeyAgreement: true,
|
|
},
|
|
})},
|
|
{"KeyUsageCertSign", args{&x509.Certificate{KeyUsage: x509.KeyUsageCertSign}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
CertSign: true,
|
|
},
|
|
})},
|
|
{"KeyUsageCRLSign", args{&x509.Certificate{KeyUsage: x509.KeyUsageCRLSign}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
CrlSign: true,
|
|
},
|
|
})},
|
|
{"KeyUsageEncipherOnly", args{&x509.Certificate{KeyUsage: x509.KeyUsageEncipherOnly}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
EncipherOnly: true,
|
|
},
|
|
})},
|
|
{"KeyUsageDecipherOnly", args{&x509.Certificate{KeyUsage: x509.KeyUsageDecipherOnly}}, withKU(&pb.KeyUsage{
|
|
BaseKeyUsage: &pb.KeyUsage_KeyUsageOptions{
|
|
DecipherOnly: true,
|
|
},
|
|
})},
|
|
// ExtKeyUsage
|
|
{"ExtKeyUsageAny", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{2, 5, 29, 37, 0}}},
|
|
})},
|
|
{"ExtKeyUsageServerAuth", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
ServerAuth: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageClientAuth", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
ClientAuth: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageCodeSigning", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
CodeSigning: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageEmailProtection", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
EmailProtection: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageIPSECEndSystem", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECEndSystem}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 5, 5, 7, 3, 5}}},
|
|
})},
|
|
{"ExtKeyUsageIPSECTunnel", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 5, 5, 7, 3, 6}}},
|
|
})},
|
|
{"ExtKeyUsageIPSECUser", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 5, 5, 7, 3, 7}}},
|
|
})},
|
|
{"ExtKeyUsageTimeStamping", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
TimeStamping: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageOCSPSigning", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}}}, withKU(&pb.KeyUsage{
|
|
ExtendedKeyUsage: &pb.KeyUsage_ExtendedKeyUsageOptions{
|
|
OcspSigning: true,
|
|
},
|
|
})},
|
|
{"ExtKeyUsageMicrosoftServerGatedCrypto", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftServerGatedCrypto}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 4, 1, 311, 10, 3, 3}}},
|
|
})},
|
|
{"ExtKeyUsageNetscapeServerGatedCrypto", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageNetscapeServerGatedCrypto}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{2, 16, 840, 1, 113730, 4, 1}}},
|
|
})},
|
|
{"ExtKeyUsageMicrosoftCommercialCodeSigning", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftCommercialCodeSigning}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 4, 1, 311, 2, 1, 22}}},
|
|
})},
|
|
{"ExtKeyUsageMicrosoftKernelCodeSigning", args{&x509.Certificate{ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageMicrosoftKernelCodeSigning}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{{ObjectIdPath: []int32{1, 3, 6, 1, 4, 1, 311, 61, 1, 1}}},
|
|
})},
|
|
// UnknownExtendedKeyUsages
|
|
{"UnknownExtKeyUsage", args{&x509.Certificate{UnknownExtKeyUsage: []asn1.ObjectIdentifier{{1, 2, 3, 4}, {4, 3, 2, 1}}}}, withKU(&pb.KeyUsage{
|
|
UnknownExtendedKeyUsages: []*pb.ObjectId{
|
|
{ObjectIdPath: []int32{1, 2, 3, 4}},
|
|
{ObjectIdPath: []int32{4, 3, 2, 1}},
|
|
},
|
|
})},
|
|
// BasicCre
|
|
{"BasicConstraintsCAMax0", args{&x509.Certificate{BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: true}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: &pb.ReusableConfigValues_CaOptions{
|
|
IsCa: wrapperspb.Bool(true),
|
|
MaxIssuerPathLength: wrapperspb.Int32(0),
|
|
},
|
|
})},
|
|
{"BasicConstraintsCAMax1", args{&x509.Certificate{BasicConstraintsValid: true, IsCA: true, MaxPathLen: 1, MaxPathLenZero: false}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: &pb.ReusableConfigValues_CaOptions{
|
|
IsCa: wrapperspb.Bool(true),
|
|
MaxIssuerPathLength: wrapperspb.Int32(1),
|
|
},
|
|
})},
|
|
{"BasicConstraintsCANoMax", args{&x509.Certificate{BasicConstraintsValid: true, IsCA: true, MaxPathLen: -1, MaxPathLenZero: false}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: &pb.ReusableConfigValues_CaOptions{
|
|
IsCa: wrapperspb.Bool(true),
|
|
MaxIssuerPathLength: nil,
|
|
},
|
|
})},
|
|
{"BasicConstraintsCANoMax0", args{&x509.Certificate{BasicConstraintsValid: true, IsCA: true, MaxPathLen: 0, MaxPathLenZero: false}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: &pb.ReusableConfigValues_CaOptions{
|
|
IsCa: wrapperspb.Bool(true),
|
|
MaxIssuerPathLength: nil,
|
|
},
|
|
})},
|
|
{"BasicConstraintsNoCA", args{&x509.Certificate{BasicConstraintsValid: true, IsCA: false, MaxPathLen: 0, MaxPathLenZero: false}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: &pb.ReusableConfigValues_CaOptions{
|
|
IsCa: wrapperspb.Bool(false),
|
|
MaxIssuerPathLength: nil,
|
|
},
|
|
})},
|
|
{"BasicConstraintsNoValid", args{&x509.Certificate{BasicConstraintsValid: false, IsCA: false, MaxPathLen: 0, MaxPathLenZero: false}}, withRCV(&pb.ReusableConfigValues{
|
|
CaOptions: nil,
|
|
})},
|
|
// PolicyIdentifiers
|
|
{"PolicyIdentifiers", args{&x509.Certificate{PolicyIdentifiers: []asn1.ObjectIdentifier{{1, 2, 3, 4}, {4, 3, 2, 1}}}}, withRCV(&pb.ReusableConfigValues{
|
|
PolicyIds: []*pb.ObjectId{
|
|
{ObjectIdPath: []int32{1, 2, 3, 4}},
|
|
{ObjectIdPath: []int32{4, 3, 2, 1}},
|
|
},
|
|
})},
|
|
// OCSPServer
|
|
{"OCPServers", args{&x509.Certificate{OCSPServer: []string{"https://oscp.doe.com", "https://doe.com/ocsp"}}}, withRCV(&pb.ReusableConfigValues{
|
|
AiaOcspServers: []string{"https://oscp.doe.com", "https://doe.com/ocsp"},
|
|
})},
|
|
// Extensions
|
|
{"Extensions", args{&x509.Certificate{ExtraExtensions: []pkix.Extension{
|
|
{Id: []int{1, 2, 3, 4}, Critical: true, Value: []byte("foobar")},
|
|
{Id: []int{2, 5, 29, 17}, Critical: true, Value: []byte("SANs")}, //
|
|
{Id: []int{4, 3, 2, 1}, Critical: false, Value: []byte("zoobar")},
|
|
{Id: []int{2, 5, 29, 31}, Critical: false, Value: []byte("CRL Distribution points")},
|
|
}}}, withRCV(&pb.ReusableConfigValues{
|
|
AdditionalExtensions: []*pb.X509Extension{
|
|
{ObjectId: &pb.ObjectId{ObjectIdPath: []int32{1, 2, 3, 4}}, Critical: true, Value: []byte("foobar")},
|
|
{ObjectId: &pb.ObjectId{ObjectIdPath: []int32{4, 3, 2, 1}}, Critical: false, Value: []byte("zoobar")},
|
|
},
|
|
})},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := createReusableConfig(tt.args.cert); !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createReusableConfig() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_isExtraExtension(t *testing.T) {
|
|
type args struct {
|
|
oid asn1.ObjectIdentifier
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want bool
|
|
}{
|
|
{"oidExtensionSubjectKeyID", args{oidExtensionSubjectKeyID}, false},
|
|
{"oidExtensionKeyUsage", args{oidExtensionKeyUsage}, false},
|
|
{"oidExtensionExtendedKeyUsage", args{oidExtensionExtendedKeyUsage}, false},
|
|
{"oidExtensionAuthorityKeyID", args{oidExtensionAuthorityKeyID}, false},
|
|
{"oidExtensionBasicConstraints", args{oidExtensionBasicConstraints}, false},
|
|
{"oidExtensionSubjectAltName", args{oidExtensionSubjectAltName}, false},
|
|
{"oidExtensionCRLDistributionPoints", args{oidExtensionCRLDistributionPoints}, false},
|
|
{"oidExtensionCertificatePolicies", args{oidExtensionCertificatePolicies}, false},
|
|
{"oidExtensionAuthorityInfoAccess", args{oidExtensionAuthorityInfoAccess}, false},
|
|
{"other", args{[]int{1, 2, 3, 4}}, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
if got := isExtraExtension(tt.args.oid); got != tt.want {
|
|
t.Errorf("isExtraExtension() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_createKeyVersionSpec(t *testing.T) {
|
|
type args struct {
|
|
alg kmsapi.SignatureAlgorithm
|
|
bits int
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want *pb.CertificateAuthority_KeyVersionSpec
|
|
wantErr bool
|
|
}{
|
|
{"ok P256", args{0, 0}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_EC_P256_SHA256,
|
|
}}, false},
|
|
{"ok P256", args{kmsapi.ECDSAWithSHA256, 0}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_EC_P256_SHA256,
|
|
}}, false},
|
|
{"ok P384", args{kmsapi.ECDSAWithSHA384, 0}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_EC_P384_SHA384,
|
|
}}, false},
|
|
{"ok RSA default", args{kmsapi.SHA256WithRSA, 0}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PKCS1_3072_SHA256,
|
|
}}, false},
|
|
{"ok RSA 2048", args{kmsapi.SHA256WithRSA, 2048}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PKCS1_2048_SHA256,
|
|
}}, false},
|
|
{"ok RSA 3072", args{kmsapi.SHA256WithRSA, 3072}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PKCS1_3072_SHA256,
|
|
}}, false},
|
|
{"ok RSA 4096", args{kmsapi.SHA256WithRSA, 4096}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PKCS1_4096_SHA256,
|
|
}}, false},
|
|
{"ok RSA-PSS default", args{kmsapi.SHA256WithRSAPSS, 0}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PSS_3072_SHA256,
|
|
}}, false},
|
|
{"ok RSA-PSS 2048", args{kmsapi.SHA256WithRSAPSS, 2048}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PSS_2048_SHA256,
|
|
}}, false},
|
|
{"ok RSA-PSS 3072", args{kmsapi.SHA256WithRSAPSS, 3072}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PSS_3072_SHA256,
|
|
}}, false},
|
|
{"ok RSA-PSS 4096", args{kmsapi.SHA256WithRSAPSS, 4096}, &pb.CertificateAuthority_KeyVersionSpec{
|
|
KeyVersion: &pb.CertificateAuthority_KeyVersionSpec_Algorithm{
|
|
Algorithm: pb.CertificateAuthority_RSA_PSS_4096_SHA256,
|
|
}}, false},
|
|
{"fail Ed25519", args{kmsapi.PureEd25519, 0}, nil, true},
|
|
{"fail RSA size", args{kmsapi.SHA256WithRSA, 1024}, nil, true},
|
|
{"fail RSA-PSS size", args{kmsapi.SHA256WithRSAPSS, 1024}, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := createKeyVersionSpec(tt.args.alg, tt.args.bits)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("createKeyVersionSpec() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !reflect.DeepEqual(got, tt.want) {
|
|
t.Errorf("createKeyVersionSpec() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|