Remove unnecessary parse and improve tests.

authority/tls.go

@@ -116,24 +116,15 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 
 // Renew creates a new Certificate identical to the old certificate, except
 // with a validity window that begins 'now'.
-func (a *Authority) Renew(ocx *x509.Certificate) (*x509.Certificate, *x509.Certificate, error) {
+func (a *Authority) Renew(oldCert *x509.Certificate) (*x509.Certificate, *x509.Certificate, error) {
 	// Check step provisioner extensions
-	if err := a.authorizeRenewal(ocx); err != nil {
+	if err := a.authorizeRenewal(oldCert); err != nil {
 		return nil, nil, err
 	}
 
 	// Issuer
 	issIdentity := a.intermediateIdentity
 
-	// Convert a realx509.Certificate to the step x509 Certificate.
-	oldCert, err := x509.ParseCertificate(ocx.Raw)
-	if err != nil {
-		return nil, nil, &apiError{
-			errors.Wrap(err, "error converting x509.Certificate to stepx509.Certificate"),
-			http.StatusInternalServerError, context{},
-		}
-	}
-
 	now := time.Now().UTC()
 	duration := oldCert.NotAfter.Sub(oldCert.NotBefore)
 	newCert := &x509.Certificate{

authority/tls_test.go

@@ -109,6 +109,20 @@ func TestSign(t *testing.T) {
 		err       *apiError
 	}
 	tests := map[string]func(*testing.T) *signTest{
+		"fail invalid signature": func(t *testing.T) *signTest {
+			csr := getCSR(t, priv)
+			csr.Signature = []byte("foo")
+			return &signTest{
+				auth:      a,
+				csr:       csr,
+				extraOpts: extraOpts,
+				signOpts:  signOpts,
+				err: &apiError{errors.New("sign: invalid certificate request"),
+					http.StatusBadRequest,
+					context{"csr": csr, "signOptions": signOpts},
+				},
+			}
+		},
 		"fail invalid extra option": func(t *testing.T) *signTest {
 			csr := getCSR(t, priv)
 			csr.Raw = []byte("foo")