forked from TrueCloudLab/certificates
Fix authority package tests.
This commit is contained in:
Mariano Cano
parent
ccc705cdcd
commit
d64cb99a22
2 changed files with 32 additions and 14 deletions
|
|
@ -449,7 +449,7 @@ func TestAuthority_authorizeSign(t *testing.T) {
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if assert.Nil(t, tc.err) {
|
if assert.Nil(t, tc.err) {
|
||||||
assert.Len(t, 6, got)
|
assert.Len(t, 7, got)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
|
|
||||||
|
|
@ -95,6 +95,22 @@ func setExtraExtsCSR(exts []pkix.Extension) func(*x509.CertificateRequest) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
|
||||||
|
b, err := x509.MarshalPKIXPublicKey(pub)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error marshaling public key")
|
||||||
|
}
|
||||||
|
info := struct {
|
||||||
|
Algorithm pkix.AlgorithmIdentifier
|
||||||
|
SubjectPublicKey asn1.BitString
|
||||||
|
}{}
|
||||||
|
if _, err = asn1.Unmarshal(b, &info); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "error unmarshaling public key")
|
||||||
|
}
|
||||||
|
hash := sha1.Sum(info.SubjectPublicKey.Bytes)
|
||||||
|
return hash[:], nil
|
||||||
|
}
|
||||||
|
|
||||||
type basicConstraints struct {
|
type basicConstraints struct {
|
||||||
IsCA bool `asn1:"optional"`
|
IsCA bool `asn1:"optional"`
|
||||||
MaxPathLen int `asn1:"optional,default:-1"`
|
MaxPathLen int `asn1:"optional,default:-1"`
|
||||||
|
|
@ -176,7 +192,7 @@ func TestAuthority_Sign(t *testing.T) {
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: signOpts,
|
signOpts: signOpts,
|
||||||
err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
|
err: errors.New("authority.Sign: default ASN1DN template cannot be nil"),
|
||||||
code: http.StatusInternalServerError,
|
code: http.StatusUnauthorized,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"fail create cert": func(t *testing.T) *signTest {
|
"fail create cert": func(t *testing.T) *signTest {
|
||||||
|
|
@ -188,7 +204,7 @@ func TestAuthority_Sign(t *testing.T) {
|
||||||
csr: csr,
|
csr: csr,
|
||||||
extraOpts: extraOpts,
|
extraOpts: extraOpts,
|
||||||
signOpts: signOpts,
|
signOpts: signOpts,
|
||||||
err: errors.New("authority.Sign; error creating new leaf certificate"),
|
err: errors.New("authority.Sign; error creating certificate"),
|
||||||
code: http.StatusInternalServerError,
|
code: http.StatusInternalServerError,
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
@ -357,10 +373,9 @@ ZYtQ9Ot36qc=
|
||||||
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
||||||
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com"})
|
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com"})
|
||||||
|
|
||||||
pubBytes, err := x509.MarshalPKIXPublicKey(pub)
|
subjectKeyID, err := generateSubjectKeyID(pub)
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
hash := sha1.Sum(pubBytes)
|
assert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
|
||||||
assert.Equals(t, leaf.SubjectKeyId, hash[:])
|
|
||||||
|
|
||||||
assert.Equals(t, leaf.AuthorityKeyId, a.x509Issuer.SubjectKeyId)
|
assert.Equals(t, leaf.AuthorityKeyId, a.x509Issuer.SubjectKeyId)
|
||||||
|
|
||||||
|
|
@ -411,6 +426,13 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
CommonName: "renew",
|
CommonName: "renew",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
certModToWithOptions := func(m provisioner.CertificateModifierFunc) x509util.WithOption {
|
||||||
|
return func(p x509util.Profile) error {
|
||||||
|
crt := p.Subject()
|
||||||
|
return m.Modify(crt, provisioner.Options{})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
now := time.Now().UTC()
|
now := time.Now().UTC()
|
||||||
nb1 := now.Add(-time.Minute * 7)
|
nb1 := now.Add(-time.Minute * 7)
|
||||||
na1 := now
|
na1 := now
|
||||||
|
|
@ -421,7 +443,7 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
|
|
||||||
leaf, err := x509util.NewLeafProfile("renew", a.x509Issuer, a.x509Signer,
|
leaf, err := x509util.NewLeafProfile("renew", a.x509Issuer, a.x509Signer,
|
||||||
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
||||||
withDefaultASN1DN(a.config.AuthorityConfig.Template),
|
certModToWithOptions(withDefaultASN1DN(a.config.AuthorityConfig.Template)),
|
||||||
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
||||||
withProvisionerOID("Max", a.config.AuthorityConfig.Provisioners[0].(*provisioner.JWK).Key.KeyID))
|
withProvisionerOID("Max", a.config.AuthorityConfig.Provisioners[0].(*provisioner.JWK).Key.KeyID))
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
|
|
@ -432,7 +454,7 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
|
|
||||||
leafNoRenew, err := x509util.NewLeafProfile("norenew", a.x509Issuer, a.x509Signer,
|
leafNoRenew, err := x509util.NewLeafProfile("norenew", a.x509Issuer, a.x509Signer,
|
||||||
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
x509util.WithNotBeforeAfterDuration(so.NotBefore.Time(), so.NotAfter.Time(), 0),
|
||||||
withDefaultASN1DN(a.config.AuthorityConfig.Template),
|
certModToWithOptions(withDefaultASN1DN(a.config.AuthorityConfig.Template)),
|
||||||
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
x509util.WithPublicKey(pub), x509util.WithHosts("test.smallstep.com,test"),
|
||||||
withProvisionerOID("dev", a.config.AuthorityConfig.Provisioners[2].(*provisioner.JWK).Key.KeyID),
|
withProvisionerOID("dev", a.config.AuthorityConfig.Provisioners[2].(*provisioner.JWK).Key.KeyID),
|
||||||
)
|
)
|
||||||
|
|
@ -552,13 +574,9 @@ func TestAuthority_Renew(t *testing.T) {
|
||||||
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
|
||||||
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com", "test"})
|
assert.Equals(t, leaf.DNSNames, []string{"test.smallstep.com", "test"})
|
||||||
|
|
||||||
// Test Public Key and SubjectKeyId
|
subjectKeyID, err := generateSubjectKeyID(pub)
|
||||||
assert.Equals(t, leaf.PublicKey, cert.PublicKey)
|
|
||||||
pubBytes, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
|
|
||||||
assert.FatalError(t, err)
|
assert.FatalError(t, err)
|
||||||
hash := sha1.Sum(pubBytes)
|
assert.Equals(t, leaf.SubjectKeyId, subjectKeyID)
|
||||||
assert.Equals(t, leaf.SubjectKeyId, hash[:])
|
|
||||||
assert.Equals(t, leaf.SubjectKeyId, cert.SubjectKeyId)
|
|
||||||
|
|
||||||
// We did not change the intermediate before renewing.
|
// We did not change the intermediate before renewing.
|
||||||
if a.x509Issuer.SerialNumber == tc.auth.x509Issuer.SerialNumber {
|
if a.x509Issuer.SerialNumber == tc.auth.x509Issuer.SerialNumber {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue