Improve Helm test data to be more realistic

pki/helm.go

@@ -62,6 +62,9 @@ func (p *PKI) WriteHelmTemplate(w io.Writer) error {
 		}
 	}
 
+	// TODO(hs): add default SSHPOP provisioner if SSH is configured, similar
+	// as the ACME one above.
+
 	if err := tmpl.Execute(w, helmVariables{
 		Configuration: &p.Configuration,
 		Defaults:      &p.Defaults,

pki/helm_test.go

@@ -2,9 +2,13 @@ package pki
 
 import (
 	"bytes"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/json"
+	"encoding/pem"
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -106,12 +110,12 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			o := tt.fields.casOptions
 			opts := tt.fields.pkiOptions
+
 			// TODO(hs): invoking `New` doesn't perform all operations that are executed
-			// when `ca init --helm` is executed. The list of provisioners on the authority
-			// is not populated, for example, resulting in this test not being entirely
-			// realistic. Ideally this logic should be handled in one place and probably
-			// inside of the PKI initialization, but if that becomes messy, some more
-			// logic needs to be performed here to get the PKI instance in good shape.
+			// when `ca init --helm` is executed. Ideally this logic should be handled
+			// in one place and probably inside of the PKI initialization. For testing
+			// purposes the missing operations to fill a Helm template fully are faked
+			// by `setKeyPair`, `setCertificates` and `setSSHSigningKeys`
 			p, err := New(o, opts...)
 			assert.NoError(t, err)
 
@@ -124,10 +128,10 @@ func TestPKI_WriteHelmTemplate(t *testing.T) {
 			// The password for the predefined encrypted key is \x01\x03\x03\x07.
 			setKeyPair(t, p)
 
-			// setFiles sets some static intermediate and root CA certificate bytes. It
+			// setCertificates sets some static intermediate and root CA certificate bytes. It
 			// replaces the logic executed in `p.GenerateRootCertificate`, `p.WriteRootCertificate`,
 			// and `p.GenerateIntermediateCertificate`.
-			setFiles(t, p)
+			setCertificates(t, p)
 
 			// setSSHSigningKeys sets predefined SSH user and host certificate and key bytes.
 			// This replaces the logic in `p.GenerateSSHSigningKeys`
@@ -175,7 +179,6 @@ func setKeyPair(t *testing.T, p *PKI) {
 		}
 	}
 
-	// Add JWK provisioner to the configuration.
 	publicKey, err := json.Marshal(p.ottPublicKey)
 	if err != nil {
 		t.Fatal(err)
@@ -199,12 +202,21 @@ func setKeyPair(t *testing.T, p *PKI) {
 	})
 }
 
-// setFiles sets some static, gibberish intermediate and root CA certificate bytes.
-func setFiles(t *testing.T, p *PKI) {
-	p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake root CA cert bytes")})
-	p.Files[p.RootKey[0]] = []byte("these are just some fake root CA key bytes")
+// setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes.
+func setCertificates(t *testing.T, p *PKI) {
+	raw := []byte("these are just some fake root CA cert bytes")
+	p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw})
+	p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: []byte("these are just some fake root CA key bytes"),
+	})
 	p.Files[p.Intermediate] = encodeCertificate(&x509.Certificate{Raw: []byte("these are just some fake intermediate CA cert bytes")})
-	p.Files[p.IntermediateKey] = []byte("these are just some fake intermediate CA key bytes")
+	p.Files[p.IntermediateKey] = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: []byte("these are just some fake intermediate CA key bytes"),
+	})
+	sum := sha256.Sum256(raw)
+	p.Defaults.Fingerprint = strings.ToLower(hex.EncodeToString(sum[:]))
 }
 
 // setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes.
@@ -214,8 +226,14 @@ func setSSHSigningKeys(t *testing.T, p *PKI) {
 		return
 	}
 
-	p.Files[p.Ssh.HostKey] = []byte("fake ssh host key bytes")
-	p.Files[p.Ssh.HostPublicKey] = []byte("fake ssh host cert bytes")
-	p.Files[p.Ssh.UserKey] = []byte("fake ssh user key bytes")
-	p.Files[p.Ssh.UserPublicKey] = []byte("fake ssh user cert bytes")
+	p.Files[p.Ssh.HostKey] = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: []byte("fake ssh host key bytes"),
+	})
+	p.Files[p.Ssh.HostPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=")
+	p.Files[p.Ssh.UserKey] = pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: []byte("fake ssh user key bytes"),
+	})
+	p.Files[p.Ssh.UserPublicKey] = []byte("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=")
 }

pki/pki.go

@@ -648,7 +648,7 @@ func (p *PKI) GetCertificateAuthority() error {
 // SSH user certificates and a private key used for signing host certificates.
 func (p *PKI) GenerateSSHSigningKeys(password []byte) error {
 	// Enable SSH
-	p.options.enableSSH = true
+	p.options.enableSSH = true // TODO(hs): change this function to not mutate configuration state
 
 	// Create SSH key used to sign host certificates. Using
 	// kmsapi.UnspecifiedSignAlgorithm will default to the default algorithm.

pki/testdata/helm/simple.yml

@@ -32,7 +32,7 @@ inject:
       defaults.json:
         ca-url: https://127.0.0.1
         ca-config: /home/step/config/ca.json
-        fingerprint: 
+        fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
         root: /home/step/certs/root_ca.crt
 
   # Certificates contains the root and intermediate certificate and 
@@ -64,11 +64,18 @@ inject:
     x509:
       # intermediate_ca_key contains the contents of your encrypted intermediate CA key
       intermediate_ca_key: |
-        these are just some fake intermediate CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+        ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # root_ca_key contains the contents of your encrypted root CA key
       # Note that this value can be omitted without impacting the functionality of step-certificates
       # If supplied, this should be encrypted using a unique password that is not used for encrypting
       # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
       root_ca_key: |
-        these are just some fake root CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+        -----END EC PRIVATE KEY-----
+        

pki/testdata/helm/with-acme.yml

@@ -33,7 +33,7 @@ inject:
       defaults.json:
         ca-url: https://127.0.0.1
         ca-config: /home/step/config/ca.json
-        fingerprint: 
+        fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
         root: /home/step/certs/root_ca.crt
 
   # Certificates contains the root and intermediate certificate and 
@@ -65,11 +65,18 @@ inject:
     x509:
       # intermediate_ca_key contains the contents of your encrypted intermediate CA key
       intermediate_ca_key: |
-        these are just some fake intermediate CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+        ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # root_ca_key contains the contents of your encrypted root CA key
       # Note that this value can be omitted without impacting the functionality of step-certificates
       # If supplied, this should be encrypted using a unique password that is not used for encrypting
       # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
       root_ca_key: |
-        these are just some fake root CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+        -----END EC PRIVATE KEY-----
+        

pki/testdata/helm/with-admin.yml

@@ -32,7 +32,7 @@ inject:
       defaults.json:
         ca-url: https://127.0.0.1
         ca-config: /home/step/config/ca.json
-        fingerprint: 
+        fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
         root: /home/step/certs/root_ca.crt
 
   # Certificates contains the root and intermediate certificate and 
@@ -64,11 +64,18 @@ inject:
     x509:
       # intermediate_ca_key contains the contents of your encrypted intermediate CA key
       intermediate_ca_key: |
-        these are just some fake intermediate CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+        ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # root_ca_key contains the contents of your encrypted root CA key
       # Note that this value can be omitted without impacting the functionality of step-certificates
       # If supplied, this should be encrypted using a unique password that is not used for encrypting
       # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
       root_ca_key: |
-        these are just some fake root CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+        -----END EC PRIVATE KEY-----
+        

pki/testdata/helm/with-provisioner.yml

@@ -32,7 +32,7 @@ inject:
       defaults.json:
         ca-url: https://127.0.0.1
         ca-config: /home/step/config/ca.json
-        fingerprint: 
+        fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
         root: /home/step/certs/root_ca.crt
 
   # Certificates contains the root and intermediate certificate and 
@@ -64,11 +64,18 @@ inject:
     x509:
       # intermediate_ca_key contains the contents of your encrypted intermediate CA key
       intermediate_ca_key: |
-        these are just some fake intermediate CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+        ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # root_ca_key contains the contents of your encrypted root CA key
       # Note that this value can be omitted without impacting the functionality of step-certificates
       # If supplied, this should be encrypted using a unique password that is not used for encrypting
       # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
       root_ca_key: |
-        these are just some fake root CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+        -----END EC PRIVATE KEY-----
+        

pki/testdata/helm/with-ssh.yml

@@ -35,7 +35,7 @@ inject:
       defaults.json:
         ca-url: https://127.0.0.1
         ca-config: /home/step/config/ca.json
-        fingerprint: 
+        fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
         root: /home/step/certs/root_ca.crt
 
   # Certificates contains the root and intermediate certificate and 
@@ -56,10 +56,10 @@ inject:
       -----END CERTIFICATE-----
       
     # ssh_host_ca contains the text of the public ssh key for the SSH root CA
-    ssh_host_ca: fake ssh host cert bytes
+    ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
 
     # ssh_user_ca contains the text of the public ssh key for the SSH root CA
-    ssh_user_ca: fake ssh user cert bytes
+    ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
 
   # Secrets contains the root and intermediate keys and optionally the SSH
   # private keys
@@ -72,19 +72,32 @@ inject:
     x509:
       # intermediate_ca_key contains the contents of your encrypted intermediate CA key
       intermediate_ca_key: |
-        these are just some fake intermediate CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
+        ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # root_ca_key contains the contents of your encrypted root CA key
       # Note that this value can be omitted without impacting the functionality of step-certificates
       # If supplied, this should be encrypted using a unique password that is not used for encrypting
       # the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
       root_ca_key: |
-        these are just some fake root CA key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
+        -----END EC PRIVATE KEY-----
+        
     ssh:
       # ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
       host_ca_key: |
-        fake ssh host key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
+        -----END EC PRIVATE KEY-----
+        
 
       # ssh_user_ca_key contains the contents of your encrypted SSH User CA key
       user_ca_key: |
-        fake ssh user key bytes
+        -----BEGIN EC PRIVATE KEY-----
+        ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
+        -----END EC PRIVATE KEY-----
+