forked from TrueCloudLab/certificates
5df1694250
In a linked RA mode, send an endpoint id to group the server certificates.
291 lines
8.2 KiB
Go
291 lines
8.2 KiB
Go
package stepcas
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"io"
|
|
"net/url"
|
|
"reflect"
|
|
"testing"
|
|
"time"
|
|
|
|
"go.step.sm/crypto/jose"
|
|
)
|
|
|
|
type noneSigner []byte
|
|
|
|
func (b noneSigner) Public() crypto.PublicKey {
|
|
return []byte(b)
|
|
}
|
|
|
|
func (b noneSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) {
|
|
return digest, nil
|
|
}
|
|
|
|
func fakeTime(t *testing.T) {
|
|
t.Helper()
|
|
tmp := timeNow
|
|
t.Cleanup(func() {
|
|
timeNow = tmp
|
|
})
|
|
timeNow = func() time.Time {
|
|
return testX5CCrt.NotBefore
|
|
}
|
|
}
|
|
|
|
func Test_x5cIssuer_SignToken(t *testing.T) {
|
|
caURL, err := url.Parse("https://ca.smallstep.com")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
type fields struct {
|
|
caURL *url.URL
|
|
certFile string
|
|
keyFile string
|
|
issuer string
|
|
}
|
|
type args struct {
|
|
subject string
|
|
sans []string
|
|
info *raInfo
|
|
}
|
|
type stepClaims struct {
|
|
RA *raInfo `json:"ra"`
|
|
}
|
|
type claims struct {
|
|
Aud []string `json:"aud"`
|
|
Sub string `json:"sub"`
|
|
Sans []string `json:"sans"`
|
|
Step stepClaims `json:"step"`
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{"ok", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}, nil}, false},
|
|
{"ok ra", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}, &raInfo{
|
|
AuthorityID: "authority-id", ProvisionerID: "provisioner-id", ProvisionerType: "provisioner-type",
|
|
}}, false},
|
|
{"ok ra endpoint id", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}, &raInfo{
|
|
AuthorityID: "authority-id", EndpointID: "endpoint-id",
|
|
}}, false},
|
|
{"fail crt", fields{caURL, "", testX5CKeyPath, "X5C"}, args{"doe", []string{"doe.org"}, nil}, true},
|
|
{"fail key", fields{caURL, testX5CPath, "", "X5C"}, args{"doe", []string{"doe.org"}, nil}, true},
|
|
{"fail no signer", fields{caURL, testIssKeyPath, testIssPath, "X5C"}, args{"doe", []string{"doe.org"}, nil}, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
i := &x5cIssuer{
|
|
caURL: tt.fields.caURL,
|
|
certFile: tt.fields.certFile,
|
|
keyFile: tt.fields.keyFile,
|
|
issuer: tt.fields.issuer,
|
|
}
|
|
got, err := i.SignToken(tt.args.subject, tt.args.sans, tt.args.info)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("x5cIssuer.SignToken() error = %v, wantErr %v", err, tt.wantErr)
|
|
}
|
|
if !tt.wantErr {
|
|
jwt, err := jose.ParseSigned(got)
|
|
if err != nil {
|
|
t.Errorf("jose.ParseSigned() error = %v", err)
|
|
}
|
|
var c claims
|
|
want := claims{
|
|
Aud: []string{tt.fields.caURL.String() + "/1.0/sign#x5c/X5C"},
|
|
Sub: tt.args.subject,
|
|
Sans: tt.args.sans,
|
|
}
|
|
if tt.args.info != nil {
|
|
want.Step.RA = tt.args.info
|
|
}
|
|
if err := jwt.Claims(testX5CKey.Public(), &c); err != nil {
|
|
t.Errorf("jwt.Claims() error = %v", err)
|
|
}
|
|
if !reflect.DeepEqual(c, want) {
|
|
t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_x5cIssuer_RevokeToken(t *testing.T) {
|
|
caURL, err := url.Parse("https://ca.smallstep.com")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
type fields struct {
|
|
caURL *url.URL
|
|
certFile string
|
|
keyFile string
|
|
issuer string
|
|
}
|
|
type args struct {
|
|
subject string
|
|
}
|
|
type claims struct {
|
|
Aud []string `json:"aud"`
|
|
Sub string `json:"sub"`
|
|
Sans []string `json:"sans"`
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
wantErr bool
|
|
}{
|
|
{"ok", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{"doe"}, false},
|
|
{"fail crt", fields{caURL, "", testX5CKeyPath, "X5C"}, args{"doe"}, true},
|
|
{"fail key", fields{caURL, testX5CPath, "", "X5C"}, args{"doe"}, true},
|
|
{"fail no signer", fields{caURL, testIssKeyPath, testIssPath, "X5C"}, args{"doe"}, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
i := &x5cIssuer{
|
|
caURL: tt.fields.caURL,
|
|
certFile: tt.fields.certFile,
|
|
keyFile: tt.fields.keyFile,
|
|
issuer: tt.fields.issuer,
|
|
}
|
|
got, err := i.RevokeToken(tt.args.subject)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("x5cIssuer.RevokeToken() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !tt.wantErr {
|
|
jwt, err := jose.ParseSigned(got)
|
|
if err != nil {
|
|
t.Errorf("jose.ParseSigned() error = %v", err)
|
|
}
|
|
var c claims
|
|
want := claims{
|
|
Aud: []string{tt.fields.caURL.String() + "/1.0/revoke#x5c/X5C"},
|
|
Sub: tt.args.subject,
|
|
}
|
|
if err := jwt.Claims(testX5CKey.Public(), &c); err != nil {
|
|
t.Errorf("jwt.Claims() error = %v", err)
|
|
}
|
|
if !reflect.DeepEqual(c, want) {
|
|
t.Errorf("jwt.Claims() claims = %#v, want %#v", c, want)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_x5cIssuer_Lifetime(t *testing.T) {
|
|
fakeTime(t)
|
|
caURL, err := url.Parse("https://ca.smallstep.com")
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
// With a leeway of 1m the max duration will be 59m.
|
|
maxDuration := testX5CCrt.NotAfter.Sub(timeNow()) - time.Minute
|
|
|
|
type fields struct {
|
|
caURL *url.URL
|
|
certFile string
|
|
keyFile string
|
|
issuer string
|
|
}
|
|
type args struct {
|
|
d time.Duration
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
fields fields
|
|
args args
|
|
want time.Duration
|
|
}{
|
|
{"ok 0s", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{0}, 0},
|
|
{"ok 1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{time.Minute}, time.Minute},
|
|
{"ok max-1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration - time.Minute}, maxDuration - time.Minute},
|
|
{"ok max", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration}, maxDuration},
|
|
{"ok max+1m", fields{caURL, testX5CPath, testX5CKeyPath, "X5C"}, args{maxDuration + time.Minute}, maxDuration},
|
|
{"ok fail", fields{caURL, testX5CPath + ".missing", testX5CKeyPath, "X5C"}, args{maxDuration + time.Minute}, maxDuration + time.Minute},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
i := &x5cIssuer{
|
|
caURL: tt.fields.caURL,
|
|
certFile: tt.fields.certFile,
|
|
keyFile: tt.fields.keyFile,
|
|
issuer: tt.fields.issuer,
|
|
}
|
|
if got := i.Lifetime(tt.args.d); got != tt.want {
|
|
t.Errorf("x5cIssuer.Lifetime() = %v, want %v", got, tt.want)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func Test_newJoseSigner(t *testing.T) {
|
|
mustSigner := func(args ...interface{}) crypto.Signer {
|
|
if err := args[len(args)-1]; err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
for _, a := range args {
|
|
if s, ok := a.(crypto.Signer); ok {
|
|
return s
|
|
}
|
|
}
|
|
t.Fatal("signer not found")
|
|
return nil
|
|
}
|
|
|
|
p224 := mustSigner(ecdsa.GenerateKey(elliptic.P224(), rand.Reader))
|
|
p256 := mustSigner(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
|
|
p384 := mustSigner(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
|
|
p521 := mustSigner(ecdsa.GenerateKey(elliptic.P521(), rand.Reader))
|
|
edKey := mustSigner(ed25519.GenerateKey(rand.Reader))
|
|
rsaKey := mustSigner(rsa.GenerateKey(rand.Reader, 2048))
|
|
|
|
type args struct {
|
|
key crypto.Signer
|
|
so *jose.SignerOptions
|
|
}
|
|
tests := []struct {
|
|
name string
|
|
args args
|
|
want []jose.Header
|
|
wantErr bool
|
|
}{
|
|
{"p256", args{p256, nil}, []jose.Header{{Algorithm: "ES256"}}, false},
|
|
{"p384", args{p384, new(jose.SignerOptions).WithType("JWT")}, []jose.Header{{Algorithm: "ES384", ExtraHeaders: map[jose.HeaderKey]interface{}{"typ": "JWT"}}}, false},
|
|
{"p521", args{p521, new(jose.SignerOptions).WithHeader("kid", "the-kid")}, []jose.Header{{Algorithm: "ES512", KeyID: "the-kid"}}, false},
|
|
{"ed25519", args{edKey, nil}, []jose.Header{{Algorithm: "EdDSA"}}, false},
|
|
{"rsa", args{rsaKey, nil}, []jose.Header{{Algorithm: "RS256"}}, false},
|
|
{"fail p224", args{p224, nil}, nil, true},
|
|
{"fail signer", args{noneSigner{1, 2, 3}, nil}, nil, true},
|
|
}
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
got, err := newJoseSigner(tt.args.key, tt.args.so)
|
|
if (err != nil) != tt.wantErr {
|
|
t.Errorf("newJoseSigner() error = %v, wantErr %v", err, tt.wantErr)
|
|
return
|
|
}
|
|
if !tt.wantErr {
|
|
jws, err := got.Sign([]byte("{}"))
|
|
if err != nil {
|
|
t.Errorf("jose.Signer.Sign() err = %v", err)
|
|
}
|
|
jwt, err := jose.ParseSigned(jws.FullSerialize())
|
|
if err != nil {
|
|
t.Errorf("jose.ParseSigned() err = %v", err)
|
|
}
|
|
if !reflect.DeepEqual(jwt.Headers, tt.want) {
|
|
t.Errorf("jose.Header got = %v, want = %v", jwt.Headers, tt.want)
|
|
}
|
|
}
|
|
})
|
|
}
|
|
}
|