forked from TrueCloudLab/certificates
Fix merge and add unit tests
This commit is contained in:
parent
ee7307bd41
commit
42102d88d5
4 changed files with 146 additions and 31 deletions
|
@ -96,13 +96,13 @@ type ACME struct {
|
|||
// provisioner. If this value is not set the default apple, step and tpm
|
||||
// will be used.
|
||||
AttestationFormats []ACMEAttestationFormat `json:"attestationFormats,omitempty"`
|
||||
// AttestationRoots contains a bundle of root certificates in PEM format
|
||||
// that will be used to verify the attestation certificates. If provided,
|
||||
// this bundle will be used even for well-known CAs like Apple and Yubico.
|
||||
AttestationRoots []byte `json:"attestationRoots,omitempty"`
|
||||
Claims *Claims `json:"claims,omitempty"`
|
||||
Options *Options `json:"options,omitempty"`
|
||||
|
||||
// TODO(hs): WIP configuration for ACME Device Attestation
|
||||
AttestationRoots []byte `json:"attestationRoots"`
|
||||
attestationRootPool *x509.CertPool
|
||||
|
||||
ctl *Controller
|
||||
}
|
||||
|
||||
|
@ -160,7 +160,6 @@ func (p *ACME) Init(config Config) (err error) {
|
|||
return errors.New("provisioner name cannot be empty")
|
||||
}
|
||||
|
||||
<<<<<<< HEAD
|
||||
for _, c := range p.Challenges {
|
||||
if err := c.Validate(); err != nil {
|
||||
return err
|
||||
|
@ -172,14 +171,12 @@ func (p *ACME) Init(config Config) (err error) {
|
|||
}
|
||||
}
|
||||
|
||||
=======
|
||||
// TODO(hs): WIP configuration for ACME Device Attestation
|
||||
// Parse attestation roots.
|
||||
// The pool will be nil if the there are not roots.
|
||||
if rest := p.AttestationRoots; len(rest) > 0 {
|
||||
var block *pem.Block
|
||||
var hasCert bool
|
||||
p.attestationRootPool = x509.NewCertPool()
|
||||
|
||||
var (
|
||||
block *pem.Block
|
||||
rest = p.AttestationRoots
|
||||
)
|
||||
for rest != nil {
|
||||
block, rest = pem.Decode(rest)
|
||||
if block == nil {
|
||||
|
@ -187,14 +184,16 @@ func (p *ACME) Init(config Config) (err error) {
|
|||
}
|
||||
cert, err := x509.ParseCertificate(block.Bytes)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "error parsing x509 certificate from PEM block")
|
||||
return errors.New("error parsing attestationRoots: malformed certificate")
|
||||
}
|
||||
p.attestationRootPool.AddCert(cert)
|
||||
hasCert = true
|
||||
}
|
||||
if !hasCert {
|
||||
return errors.New("error parsing attestationRoots: no certificates found")
|
||||
}
|
||||
}
|
||||
|
||||
// TODO(hs): need validation for number of certs? The current ones are only for the `tpm` type; not for Apple or Yubico.
|
||||
|
||||
>>>>>>> acdfdf34 (Add `tpm` attestation with configurable roots)
|
||||
p.ctl, err = NewController(p, p.Claims, config, p.Options)
|
||||
return
|
||||
}
|
||||
|
@ -312,8 +311,11 @@ func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttest
|
|||
return false
|
||||
}
|
||||
|
||||
// TODO(hs): we may not want to expose the root pool like this;
|
||||
// call into an interface function instead to authorize?
|
||||
func (p *ACME) GetAttestationRoots() (*x509.CertPool, error) {
|
||||
return p.attestationRootPool, nil
|
||||
// GetAttestationRoots returns certificate pool with the configured attestation
|
||||
// roots and reports if the pool contains at least one certificate.
|
||||
//
|
||||
// TODO(hs): we may not want to expose the root pool like this; call into an
|
||||
// interface function instead to authorize?
|
||||
func (p *ACME) GetAttestationRoots() (*x509.CertPool, bool) {
|
||||
return p.attestationRootPool, p.attestationRootPool != nil
|
||||
}
|
||||
|
|
|
@ -1,11 +1,13 @@
|
|||
package provisioner
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
|
@ -77,6 +79,15 @@ func TestACME_Getters(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestACME_Init(t *testing.T) {
|
||||
appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
type ProvisionerValidateTest struct {
|
||||
p *ACME
|
||||
err error
|
||||
|
@ -120,6 +131,18 @@ func TestACME_Init(t *testing.T) {
|
|||
err: errors.New("acme attestation format \"zar\" is not supported"),
|
||||
}
|
||||
},
|
||||
"fail-parse-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
|
||||
return ProvisionerValidateTest{
|
||||
p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("-----BEGIN CERTIFICATE-----\nZm9v\n-----END CERTIFICATE-----")},
|
||||
err: errors.New("error parsing attestationRoots: malformed certificate"),
|
||||
}
|
||||
},
|
||||
"fail-empty-attestation-roots": func(t *testing.T) ProvisionerValidateTest {
|
||||
return ProvisionerValidateTest{
|
||||
p: &ACME{Name: "foo", Type: "bar", AttestationRoots: []byte("\n")},
|
||||
err: errors.New("error parsing attestationRoots: no certificates found"),
|
||||
}
|
||||
},
|
||||
"ok": func(t *testing.T) ProvisionerValidateTest {
|
||||
return ProvisionerValidateTest{
|
||||
p: &ACME{Name: "foo", Type: "bar"},
|
||||
|
@ -132,6 +155,7 @@ func TestACME_Init(t *testing.T) {
|
|||
Type: "bar",
|
||||
Challenges: []ACMEChallenge{DNS_01, DEVICE_ATTEST_01},
|
||||
AttestationFormats: []ACMEAttestationFormat{APPLE, STEP},
|
||||
AttestationRoots: bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n")),
|
||||
},
|
||||
}
|
||||
},
|
||||
|
@ -144,6 +168,7 @@ func TestACME_Init(t *testing.T) {
|
|||
for name, get := range tests {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
tc := get(t)
|
||||
t.Log(string(tc.p.AttestationRoots))
|
||||
err := tc.p.Init(config)
|
||||
if err != nil {
|
||||
if assert.NotNil(t, tc.err) {
|
||||
|
@ -346,3 +371,58 @@ func TestACME_IsAttestationFormatEnabled(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestACME_GetAttestationRoots(t *testing.T) {
|
||||
appleCA, err := os.ReadFile("testdata/certs/apple-att-ca.crt")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
yubicoCA, err := os.ReadFile("testdata/certs/yubico-piv-ca.crt")
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
|
||||
pool := x509.NewCertPool()
|
||||
pool.AppendCertsFromPEM(appleCA)
|
||||
pool.AppendCertsFromPEM(yubicoCA)
|
||||
|
||||
type fields struct {
|
||||
Type string
|
||||
Name string
|
||||
AttestationRoots []byte
|
||||
}
|
||||
tests := []struct {
|
||||
name string
|
||||
fields fields
|
||||
want *x509.CertPool
|
||||
want1 bool
|
||||
}{
|
||||
{"ok", fields{"ACME", "acme", bytes.Join([][]byte{appleCA, yubicoCA}, []byte("\n"))}, pool, true},
|
||||
{"nil", fields{"ACME", "acme", nil}, nil, false},
|
||||
{"empty", fields{"ACME", "acme", []byte{}}, nil, false},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
p := &ACME{
|
||||
Type: tt.fields.Type,
|
||||
Name: tt.fields.Name,
|
||||
AttestationRoots: tt.fields.AttestationRoots,
|
||||
}
|
||||
if err := p.Init(Config{
|
||||
Claims: globalProvisionerClaims,
|
||||
Audiences: testAudiences,
|
||||
}); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
got, got1 := p.GetAttestationRoots()
|
||||
if tt.want == nil && got != nil {
|
||||
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
|
||||
} else if !tt.want.Equal(got) {
|
||||
t.Errorf("ACME.GetAttestationRoots() got = %v, want %v", got, tt.want)
|
||||
}
|
||||
if got1 != tt.want1 {
|
||||
t.Errorf("ACME.GetAttestationRoots() got1 = %v, want %v", got1, tt.want1)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
14
authority/provisioner/testdata/certs/apple-att-ca.crt
vendored
Normal file
14
authority/provisioner/testdata/certs/apple-att-ca.crt
vendored
Normal file
|
@ -0,0 +1,14 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICJDCCAamgAwIBAgIUQsDCuyxyfFxeq/bxpm8frF15hzcwCgYIKoZIzj0EAwMw
|
||||
UTEtMCsGA1UEAwwkQXBwbGUgRW50ZXJwcmlzZSBBdHRlc3RhdGlvbiBSb290IENB
|
||||
MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0yMjAyMTYxOTAx
|
||||
MjRaFw00NzAyMjAwMDAwMDBaMFExLTArBgNVBAMMJEFwcGxlIEVudGVycHJpc2Ug
|
||||
QXR0ZXN0YXRpb24gUm9vdCBDQTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UE
|
||||
BhMCVVMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT6Jigq+Ps9Q4CoT8t8q+UnOe2p
|
||||
oT9nRaUfGhBTbgvqSGXPjVkbYlIWYO+1zPk2Sz9hQ5ozzmLrPmTBgEWRcHjA2/y7
|
||||
7GEicps9wn2tj+G89l3INNDKETdxSPPIZpPj8VmjQjBAMA8GA1UdEwEB/wQFMAMB
|
||||
Af8wHQYDVR0OBBYEFPNqTQGd8muBpV5du+UIbVbi+d66MA4GA1UdDwEB/wQEAwIB
|
||||
BjAKBggqhkjOPQQDAwNpADBmAjEA1xpWmTLSpr1VH4f8Ypk8f3jMUKYz4QPG8mL5
|
||||
8m9sX/b2+eXpTv2pH4RZgJjucnbcAjEA4ZSB6S45FlPuS/u4pTnzoz632rA+xW/T
|
||||
ZwFEh9bhKjJ+5VQ9/Do1os0u3LEkgN/r
|
||||
-----END CERTIFICATE-----
|
19
authority/provisioner/testdata/certs/yubico-piv-ca.crt
vendored
Normal file
19
authority/provisioner/testdata/certs/yubico-piv-ca.crt
vendored
Normal file
|
@ -0,0 +1,19 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDFzCCAf+gAwIBAgIDBAZHMA0GCSqGSIb3DQEBCwUAMCsxKTAnBgNVBAMMIFl1
|
||||
YmljbyBQSVYgUm9vdCBDQSBTZXJpYWwgMjYzNzUxMCAXDTE2MDMxNDAwMDAwMFoY
|
||||
DzIwNTIwNDE3MDAwMDAwWjArMSkwJwYDVQQDDCBZdWJpY28gUElWIFJvb3QgQ0Eg
|
||||
U2VyaWFsIDI2Mzc1MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMN2
|
||||
cMTNR6YCdcTFRxuPy31PabRn5m6pJ+nSE0HRWpoaM8fc8wHC+Tmb98jmNvhWNE2E
|
||||
ilU85uYKfEFP9d6Q2GmytqBnxZsAa3KqZiCCx2LwQ4iYEOb1llgotVr/whEpdVOq
|
||||
joU0P5e1j1y7OfwOvky/+AXIN/9Xp0VFlYRk2tQ9GcdYKDmqU+db9iKwpAzid4oH
|
||||
BVLIhmD3pvkWaRA2H3DA9t7H/HNq5v3OiO1jyLZeKqZoMbPObrxqDg+9fOdShzgf
|
||||
wCqgT3XVmTeiwvBSTctyi9mHQfYd2DwkaqxRnLbNVyK9zl+DzjSGp9IhVPiVtGet
|
||||
X02dxhQnGS7K6BO0Qe8CAwEAAaNCMEAwHQYDVR0OBBYEFMpfyvLEojGc6SJf8ez0
|
||||
1d8Cv4O/MA8GA1UdEwQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
|
||||
DQEBCwUAA4IBAQBc7Ih8Bc1fkC+FyN1fhjWioBCMr3vjneh7MLbA6kSoyWF70N3s
|
||||
XhbXvT4eRh0hvxqvMZNjPU/VlRn6gLVtoEikDLrYFXN6Hh6Wmyy1GTnspnOvMvz2
|
||||
lLKuym9KYdYLDgnj3BeAvzIhVzzYSeU77/Cupofj093OuAswW0jYvXsGTyix6B3d
|
||||
bW5yWvyS9zNXaqGaUmP3U9/b6DlHdDogMLu3VLpBB9bm5bjaKWWJYgWltCVgUbFq
|
||||
Fqyi4+JE014cSgR57Jcu3dZiehB6UtAPgad9L5cNvua/IWRmm+ANy3O2LH++Pyl8
|
||||
SREzU8onbBsjMg9QDiSf5oJLKvd/Ren+zGY7
|
||||
-----END CERTIFICATE-----
|
Loading…
Reference in a new issue