|
|
@ -6,10 +6,12 @@ import (
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"encoding/json"
|
|
|
|
"encoding/json"
|
|
|
|
"net"
|
|
|
|
"net"
|
|
|
|
|
|
|
|
"net/url"
|
|
|
|
"reflect"
|
|
|
|
"reflect"
|
|
|
|
"testing"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/google/go-cmp/cmp"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/smallstep/assert"
|
|
|
|
"github.com/smallstep/assert"
|
|
|
|
"github.com/smallstep/certificates/authority"
|
|
|
|
"github.com/smallstep/certificates/authority"
|
|
|
@ -825,71 +827,92 @@ func Test_uniqueSortedIPs(t *testing.T) {
|
|
|
|
ips []net.IP
|
|
|
|
ips []net.IP
|
|
|
|
}
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
args args
|
|
|
|
wantUnique []net.IP
|
|
|
|
want []net.IP
|
|
|
|
}{
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/empty",
|
|
|
|
name: "ok/empty",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{},
|
|
|
|
ips: []net.IP{},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{},
|
|
|
|
want: []net.IP{},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/single-ipv4",
|
|
|
|
name: "ok/single-ipv4",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
want: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/multiple-ipv4",
|
|
|
|
name: "ok/multiple-ipv4",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.1")},
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.1"), net.ParseIP("127.0.0.1")},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.168.42.1"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.42")},
|
|
|
|
|
|
|
|
}, {
|
|
|
|
|
|
|
|
name: "ok/multiple-ipv4-with-varying-byte-representations",
|
|
|
|
|
|
|
|
args: args{
|
|
|
|
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.1"), []byte{0x7f, 0x0, 0x0, 0x1}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("192.168.42.1"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.42")},
|
|
|
|
want: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.168.42.1"), net.ParseIP("192.168.42.10"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/unique-ipv4",
|
|
|
|
name: "ok/unique-ipv4",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
ips: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
want: []net.IP{net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/single-ipv6",
|
|
|
|
name: "ok/single-ipv6",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::30")},
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::30")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("2001:db8::30")},
|
|
|
|
want: []net.IP{net.ParseIP("2001:db8::30")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/multiple-ipv6",
|
|
|
|
name: "ok/multiple-ipv6",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::30"), net.ParseIP("2001:db8::20"), net.ParseIP("2001:db8::10")},
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::30"), net.ParseIP("2001:db8::20"), net.ParseIP("2001:db8::10")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("2001:db8::10"), net.ParseIP("2001:db8::20"), net.ParseIP("2001:db8::30")},
|
|
|
|
want: []net.IP{net.ParseIP("2001:db8::10"), net.ParseIP("2001:db8::20"), net.ParseIP("2001:db8::30")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/unique-ipv6",
|
|
|
|
name: "ok/unique-ipv6",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1")},
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("2001:db8::1")},
|
|
|
|
want: []net.IP{net.ParseIP("2001:db8::1")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/mixed-ipv4-and-ipv6",
|
|
|
|
name: "ok/mixed-ipv4-and-ipv6",
|
|
|
|
args: args{
|
|
|
|
args: args{
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1"), net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1"), net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantUnique: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("2001:db8::1")},
|
|
|
|
want: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("2001:db8::1")},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
name: "ok/mixed-ipv4-and-ipv6-and-varying-byte-representations",
|
|
|
|
|
|
|
|
args: args{
|
|
|
|
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1"), net.ParseIP("192.168.42.42"), net.ParseIP("192.168.42.42"), []byte{0x7f, 0x0, 0x0, 0x1}},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.168.42.42"), net.ParseIP("2001:db8::1")},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
name: "ok/mixed-ipv4-and-ipv6-and-more-varying-byte-representations",
|
|
|
|
|
|
|
|
args: args{
|
|
|
|
|
|
|
|
ips: []net.IP{net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::1"), net.ParseIP("192.168.42.42"), net.ParseIP("2001:db8::2"), net.ParseIP("192.168.42.42"), []byte{0x7f, 0x0, 0x0, 0x1}, []byte{0x7f, 0x0, 0x0, 0x1}, []byte{0x7f, 0x0, 0x0, 0x2}},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.2"), net.ParseIP("192.168.42.42"), net.ParseIP("2001:db8::1"), net.ParseIP("2001:db8::2")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
if gotUnique := uniqueSortedIPs(tt.args.ips); !reflect.DeepEqual(gotUnique, tt.wantUnique) {
|
|
|
|
got := uniqueSortedIPs(tt.args.ips)
|
|
|
|
t.Errorf("uniqueSortedIPs() = %v, want %v", gotUnique, tt.wantUnique)
|
|
|
|
if !cmp.Equal(tt.want, got) {
|
|
|
|
|
|
|
|
t.Errorf("uniqueSortedIPs() diff =\n%s", cmp.Diff(tt.want, got))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -1122,9 +1145,9 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
csr *x509.CertificateRequest
|
|
|
|
csr *x509.CertificateRequest
|
|
|
|
}
|
|
|
|
}
|
|
|
|
tests := []struct {
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
name string
|
|
|
|
args args
|
|
|
|
args args
|
|
|
|
wantCanonicalized *x509.CertificateRequest
|
|
|
|
want *x509.CertificateRequest
|
|
|
|
}{
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "ok/dns",
|
|
|
|
name: "ok/dns",
|
|
|
@ -1133,7 +1156,7 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
DNSNames: []string{"www.example.com", "example.com"},
|
|
|
|
DNSNames: []string{"www.example.com", "example.com"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantCanonicalized: &x509.CertificateRequest{
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
DNSNames: []string{"example.com", "www.example.com"},
|
|
|
|
DNSNames: []string{"example.com", "www.example.com"},
|
|
|
|
IPAddresses: []net.IP{},
|
|
|
|
IPAddresses: []net.IP{},
|
|
|
|
},
|
|
|
|
},
|
|
|
@ -1148,7 +1171,7 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
DNSNames: []string{"www.example.com"},
|
|
|
|
DNSNames: []string{"www.example.com"},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantCanonicalized: &x509.CertificateRequest{
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
Subject: pkix.Name{
|
|
|
|
Subject: pkix.Name{
|
|
|
|
CommonName: "example.com",
|
|
|
|
CommonName: "example.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
@ -1163,7 +1186,7 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantCanonicalized: &x509.CertificateRequest{
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
DNSNames: []string{},
|
|
|
|
DNSNames: []string{},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
@ -1176,7 +1199,7 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantCanonicalized: &x509.CertificateRequest{
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
DNSNames: []string{"example.com", "www.example.com"},
|
|
|
|
DNSNames: []string{"example.com", "www.example.com"},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
@ -1192,7 +1215,7 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
wantCanonicalized: &x509.CertificateRequest{
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
Subject: pkix.Name{
|
|
|
|
Subject: pkix.Name{
|
|
|
|
CommonName: "example.com",
|
|
|
|
CommonName: "example.com",
|
|
|
|
},
|
|
|
|
},
|
|
|
@ -1200,11 +1223,31 @@ func Test_canonicalize(t *testing.T) {
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
name: "ok/ip-common-name",
|
|
|
|
|
|
|
|
args: args{
|
|
|
|
|
|
|
|
csr: &x509.CertificateRequest{
|
|
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
|
|
CommonName: "127.0.0.1",
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
DNSNames: []string{"example.com"},
|
|
|
|
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("192.168.43.42"), net.ParseIP("192.168.42.42")},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: &x509.CertificateRequest{
|
|
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
|
|
CommonName: "127.0.0.1",
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
DNSNames: []string{"example.com"},
|
|
|
|
|
|
|
|
IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.168.42.42"), net.ParseIP("192.168.43.42")},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
|
|
for _, tt := range tests {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
|
|
if gotCanonicalized := canonicalize(tt.args.csr); !reflect.DeepEqual(gotCanonicalized, tt.wantCanonicalized) {
|
|
|
|
got := canonicalize(tt.args.csr)
|
|
|
|
t.Errorf("canonicalize() = %v, want %v", gotCanonicalized, tt.wantCanonicalized)
|
|
|
|
if !cmp.Equal(tt.want, got) {
|
|
|
|
|
|
|
|
t.Errorf("canonicalize() diff =\n%s", cmp.Diff(tt.want, got))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -1238,6 +1281,39 @@ func TestOrder_sans(t *testing.T) {
|
|
|
|
},
|
|
|
|
},
|
|
|
|
err: nil,
|
|
|
|
err: nil,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
name: "fail/invalid-alternative-name-email",
|
|
|
|
|
|
|
|
fields: fields{
|
|
|
|
|
|
|
|
Identifiers: []Identifier{},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
csr: &x509.CertificateRequest{
|
|
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
|
|
CommonName: "foo.internal",
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
EmailAddresses: []string{"test@example.com"},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: []x509util.SubjectAlternativeName{},
|
|
|
|
|
|
|
|
err: NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
name: "fail/invalid-alternative-name-uri",
|
|
|
|
|
|
|
|
fields: fields{
|
|
|
|
|
|
|
|
Identifiers: []Identifier{},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
csr: &x509.CertificateRequest{
|
|
|
|
|
|
|
|
Subject: pkix.Name{
|
|
|
|
|
|
|
|
CommonName: "foo.internal",
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
URIs: []*url.URL{
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
Scheme: "https://",
|
|
|
|
|
|
|
|
Host: "smallstep.com",
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
},
|
|
|
|
|
|
|
|
want: []x509util.SubjectAlternativeName{},
|
|
|
|
|
|
|
|
err: NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
|
|
|
|
|
|
|
|
},
|
|
|
|
{
|
|
|
|
{
|
|
|
|
name: "fail/error-names-length-mismatch",
|
|
|
|
name: "fail/error-names-length-mismatch",
|
|
|
|
fields: fields{
|
|
|
|
fields: fields{
|
|
|
|