forked from TrueCloudLab/certificates
Fix authority package tests.
This commit is contained in:
Mariano Cano
parent
ccc705cdcd
commit
d64cb99a22
2 changed files with 32 additions and 14 deletions
|
|
@ -449,7 +449,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
|
|||
}
|
||||
} else {
|
||||
if assert.Nil(t, tc.err) {
|
||||
assert.Len(t, 6, got)
|
||||
assert.Len(t, 7, got)
|
||||
}
|
||||
}
|
||||
})
|
||||
|
|
|
|||
|
|
@ -95,6 +95,22 @@ func setExtraExtsCSR(exts []pkix.Extension) func(*x509.CertificateRequest) {
|
|||
}
|
||||
}
|
||||
|
||||
func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
|
||||
b, err := x509.MarshalPKIXPublicKey(pub)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "error marshaling public key")
|
||||
}
|
||||
info := struct {
|
||||
Algorithm pkix.AlgorithmIdentifier
|
||||
SubjectPublicKey asn1.BitString
|
||||
}{}
|
||||
if _, err = asn1.Unmarshal(b, &info); err != nil {
|
||||
return nil, errors.Wrap(err, "error unmarshaling public key")
|
||||
}
|
||||
hash := sha1.Sum(info.SubjectPublicKey.Bytes)
|
||||
return hash[:], nil
|
||||
}
|
||||
|
||||
type basicConstraints struct {
|
||||
IsCA bool `asn1:"optional"`
|
||||
MaxPathLen int `asn1:"optional,default:-1"`
|
||||
|
|
@ -176,7 +192,7 @@ func TestAuthority_Sign(t *testing.T) {
|
|||
extraOpts: extraOpts,
|
||||
signOpts: signOpts,
|
||||
err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
|
||||
code: http.StatusInternalServerError,
|
||||
code: http.StatusUnauthorized,
|
||||
}
|
||||
},
|
||||
"fail create cert": func(t *testing.T) *signTest {
|
||||
|
|
@ -188,7 +204,7 @@ func TestAuthority_Sign(t *testing.T) {
|
|||
csr: csr,
|
||||
extraOpts: extraOpts,
|
||||
signOpts: signOpts,
|
||||
err: errors.New("authority.Sign; error creating new leaf certificate"),
|
||||
err: errors.New("authority.Sign; error creating certificate"),
|
||||
code: http.StatusInternalServerError,
|
||||
}
|
||||
},
|
||||
|
|
@ -357,10 +373,9 @@ ZYtQ9Ot36qc=
|
|||
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
||||
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com"})
|
||||
|
||||
pubBytes, err := x509.MarshalPKIXPublicKey(pub)
|
||||
subjectKeyID, err := generateSubjectKeyID(pub)
|
||||
assert.FatalError(t, err)
|
||||
hash := sha1.Sum(pubBytes)
|
||||
assert.Equals(t, leaf.SubjectKeyId, hash[:])
|
||||
assert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
|
||||
|
||||
assert.Equals(t, leaf.AuthorityKeyId, a.x509Issuer.SubjectKeyId)
|
||||
|
||||
|
|
@ -411,6 +426,13 @@ func TestAuthority_Renew(t *testing.T) {
|
|||
CommonName: "renew",
|
||||
}
|
||||
|
||||
certModToWithOptions := func(m provisioner.CertificateModifierFunc) x509util.WithOption {
|
||||
return func(p x509util.Profile) error {
|
||||
crt := p.Subject()
|
||||
return m.Modify(crt, provisioner.Options{})
|
||||
}
|
||||
}
|
||||
|
||||
now := time.Now().UTC()
|
||||
nb1 := now.Add(-time.Minute * 7)
|
||||
na1 := now
|
||||
|
|
@ -421,7 +443,7 @@ func TestAuthority_Renew(t *testing.T) {
|
|||
|
||||
leaf, err := x509util.NewLeafProfile("renew", a.x509Issuer, a.x509Signer,
|
||||
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
||||
withDefaultASN1DN(a.config.AuthorityConfig.Template),
|
||||
certModToWithOptions(withDefaultASN1DN(a.config.AuthorityConfig.Template)),
|
||||
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
||||
withProvisionerOID("Max", a.config.AuthorityConfig.Provisioners[0].(*provisioner.JWK).Key.KeyID))
|
||||
assert.FatalError(t, err)
|
||||
|
|
@ -432,7 +454,7 @@ func TestAuthority_Renew(t *testing.T) {
|
|||
|
||||
leafNoRenew, err := x509util.NewLeafProfile("norenew", a.x509Issuer, a.x509Signer,
|
||||
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
||||
withDefaultASN1DN(a.config.AuthorityConfig.Template),
|
||||
certModToWithOptions(withDefaultASN1DN(a.config.AuthorityConfig.Template)),
|
||||
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
||||
withProvisionerOID("dev", a.config.AuthorityConfig.Provisioners[2].(*provisioner.JWK).Key.KeyID),
|
||||
)
|
||||
|
|
@ -552,13 +574,9 @@ func TestAuthority_Renew(t *testing.T) {
|
|||
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
||||
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com", "test"})
|
||||
|
||||
// Test Public Key and SubjectKeyId
|
||||
assert.Equals(t, leaf.PublicKey, cert.PublicKey)
|
||||
pubBytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
|
||||
subjectKeyID, err := generateSubjectKeyID(pub)
|
||||
assert.FatalError(t, err)
|
||||
hash := sha1.Sum(pubBytes)
|
||||
assert.Equals(t, leaf.SubjectKeyId, hash[:])
|
||||
assert.Equals(t, leaf.SubjectKeyId, cert.SubjectKeyId)
|
||||
assert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
|
||||
|
||||
// We did not change the intermediate before renewing.
|
||||
if a.x509Issuer.SerialNumber == tc.auth.x509Issuer.SerialNumber {
|
||||
|
|
|
|||
Loading…
Reference in a new issue