From 4690fa64ed9154106140552673d6d2b7ef211f3f Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Fri, 11 Mar 2022 14:59:42 -0800 Subject: [PATCH] Add public methods to retrieve the provisioner extensions. --- authority/provisioner/acme_test.go | 2 +- authority/provisioner/aws_test.go | 2 +- authority/provisioner/azure_test.go | 2 +- authority/provisioner/collection.go | 4 +- authority/provisioner/collection_test.go | 30 ++-- authority/provisioner/extension.go | 73 ++++++++ authority/provisioner/extension_test.go | 158 ++++++++++++++++++ authority/provisioner/gcp_test.go | 2 +- authority/provisioner/jwk_test.go | 2 +- authority/provisioner/k8sSA_test.go | 2 +- authority/provisioner/oidc_test.go | 2 +- authority/provisioner/sign_options.go | 53 ++---- authority/provisioner/sign_options_test.go | 6 +- .../testdata/certs/bad-extension.crt | 21 +++ .../testdata/certs/good-extension.crt | 22 +++ authority/provisioner/x5c_test.go | 2 +- 16 files changed, 317 insertions(+), 66 deletions(-) create mode 100644 authority/provisioner/extension.go create mode 100644 authority/provisioner/extension_test.go create mode 100644 authority/provisioner/testdata/certs/bad-extension.crt create mode 100644 authority/provisioner/testdata/certs/good-extension.crt diff --git a/authority/provisioner/acme_test.go b/authority/provisioner/acme_test.go index a74ef76e..bc4e97e0 100644 --- a/authority/provisioner/acme_test.go +++ b/authority/provisioner/acme_test.go @@ -179,7 +179,7 @@ func TestACME_AuthorizeSign(t *testing.T) { for _, o := range opts { switch v := o.(type) { case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeACME)) + assert.Equals(t, v.Type, TypeACME) assert.Equals(t, v.Name, tc.p.GetName()) assert.Equals(t, v.CredentialID, "") assert.Len(t, 0, v.KeyValuePairs) diff --git a/authority/provisioner/aws_test.go b/authority/provisioner/aws_test.go index 3c6f8741..559a48f1 100644 --- a/authority/provisioner/aws_test.go +++ b/authority/provisioner/aws_test.go 
@@ -677,7 +677,7 @@ func TestAWS_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeAWS)) + assert.Equals(t, v.Type, TypeAWS) assert.Equals(t, v.Name, tt.aws.GetName()) assert.Equals(t, v.CredentialID, tt.aws.Accounts[0]) assert.Len(t, 2, v.KeyValuePairs) diff --git a/authority/provisioner/azure_test.go b/authority/provisioner/azure_test.go index da342ea4..c05685b7 100644 --- a/authority/provisioner/azure_test.go +++ b/authority/provisioner/azure_test.go @@ -506,7 +506,7 @@ func TestAzure_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeAzure)) + assert.Equals(t, v.Type, TypeAzure) assert.Equals(t, v.Name, tt.azure.GetName()) assert.Equals(t, v.CredentialID, tt.azure.TenantID) assert.Len(t, 0, v.KeyValuePairs) diff --git a/authority/provisioner/collection.go b/authority/provisioner/collection.go index 1bec8689..8bbace5f 100644 --- a/authority/provisioner/collection.go +++ b/authority/provisioner/collection.go @@ -152,8 +152,8 @@ func (c *Collection) LoadByToken(token *jose.JSONWebToken, claims *jose.Claims) // proper id to load the provisioner. func (c *Collection) LoadByCertificate(cert *x509.Certificate) (Interface, bool) { for _, e := range cert.Extensions { - if e.Id.Equal(stepOIDProvisioner) { - var provisioner stepProvisionerASN1 + if e.Id.Equal(StepOIDProvisioner) { + var provisioner extensionASN1 if _, err := asn1.Unmarshal(e.Value, &provisioner); err != nil { return nil, false } diff --git a/authority/provisioner/collection_test.go b/authority/provisioner/collection_test.go index 348b797c..24db4593 100644 --- a/authority/provisioner/collection_test.go +++ b/authority/provisioner/collection_test.go 
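Review bot: LoadByCertificate still hand-rolls the OID match and asn1.Unmarshal that the new GetProvisionerExtension in extension.go now performs, so the package ends up with two decoders for the same extension. The loop could be replaced with `ext, ok := GetProvisionerExtension(cert)` followed by `if !ok { return nil, false }` and the lookup done on `ext`, so that any later tightening of the parser applies to both callers. The body of LoadByCertificate continues outside the hunk, so the lookup that follows the unmarshal is not visible here.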
@@ -147,6 +147,17 @@ func TestCollection_LoadByToken(t *testing.T) { } func TestCollection_LoadByCertificate(t *testing.T) { + mustExtension := func(typ Type, name, credentialID string) pkix.Extension { + e := Extension{ + Type: typ, Name: name, CredentialID: credentialID, + } + ext, err := e.ToExtension() + if err != nil { + t.Fatal(err) + } + return ext + } + p1, err := generateJWK() assert.FatalError(t, err) p2, err := generateOIDC() @@ -159,30 +170,21 @@ func TestCollection_LoadByCertificate(t *testing.T) { byName.Store(p2.GetName(), p2) byName.Store(p3.GetName(), p3) - ok1Ext, err := createProvisionerExtension(1, p1.Name, p1.Key.KeyID) - assert.FatalError(t, err) - ok2Ext, err := createProvisionerExtension(2, p2.Name, p2.ClientID) - assert.FatalError(t, err) - ok3Ext, err := createProvisionerExtension(int(TypeACME), p3.Name, "") - assert.FatalError(t, err) - notFoundExt, err := createProvisionerExtension(1, "foo", "bar") - assert.FatalError(t, err) - ok1Cert := &x509.Certificate{ - Extensions: []pkix.Extension{ok1Ext}, + Extensions: []pkix.Extension{mustExtension(1, p1.Name, p1.Key.KeyID)}, } ok2Cert := &x509.Certificate{ - Extensions: []pkix.Extension{ok2Ext}, + Extensions: []pkix.Extension{mustExtension(2, p2.Name, p2.ClientID)}, } ok3Cert := &x509.Certificate{ - Extensions: []pkix.Extension{ok3Ext}, + Extensions: []pkix.Extension{mustExtension(TypeACME, p3.Name, "")}, } notFoundCert := &x509.Certificate{ - Extensions: []pkix.Extension{notFoundExt}, + Extensions: []pkix.Extension{mustExtension(1, "foo", "bar")}, } badCert := &x509.Certificate{ Extensions: []pkix.Extension{ - {Id: stepOIDProvisioner, Critical: false, Value: []byte("foobar")}, + {Id: StepOIDProvisioner, Critical: false, Value: []byte("foobar")}, }, } diff --git a/authority/provisioner/extension.go b/authority/provisioner/extension.go new file mode 100644 index 00000000..c316329d --- /dev/null +++ b/authority/provisioner/extension.go 
@@ -0,0 +1,73 @@
+package provisioner
+
+import (
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/asn1"
+)
+
+var (
+ // StepOIDRoot is the root OID for smallstep.
+ StepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
+
+ // StepOIDProvisioner is the OID for the provisioner extension.
+ StepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(StepOIDRoot, 1)...)
+)
+
+// Extension is the Go representation of the provisioner extension.
+type Extension struct {
+ Type Type
+ Name string
+ CredentialID string
+ KeyValuePairs []string
+}
+
+type extensionASN1 struct {
+ Type int
+ Name []byte
+ CredentialID []byte
+ KeyValuePairs []string `asn1:"optional,omitempty"`
+}
+
+// Marshal marshals the extension using encoding/asn1.
+func (e *Extension) Marshal() ([]byte, error) {
+ return asn1.Marshal(extensionASN1{
+ Type: int(e.Type),
+ Name: []byte(e.Name),
+ CredentialID: []byte(e.CredentialID),
+ KeyValuePairs: e.KeyValuePairs,
+ })
+}
+
+// ToExtension returns the pkix.Extension representation of the provisioner
+// extension.
+func (e *Extension) ToExtension() (pkix.Extension, error) {
+ b, err := e.Marshal()
+ if err != nil {
+ return pkix.Extension{}, err
+ }
+ return pkix.Extension{
+ Id: StepOIDProvisioner,
+ Value: b,
+ }, nil
+}
+
+// GetProvisionerExtension goes through all the certificate extensions and
+// returns the provisioner extension (1.3.6.1.4.1.37476.9000.64.1).
+func GetProvisionerExtension(cert *x509.Certificate) (*Extension, bool) {
+ for _, e := range cert.Extensions {
+ if e.Id.Equal(StepOIDProvisioner) {
+ var provisioner extensionASN1
+ if _, err := asn1.Unmarshal(e.Value, &provisioner); err != nil {
+ return nil, false
+ }
+ return &Extension{
+ Type: Type(provisioner.Type),
+ Name: string(provisioner.Name),
+ CredentialID: string(provisioner.CredentialID),
+ KeyValuePairs: provisioner.KeyValuePairs,
+ }, true
+ }
+ }
+ return nil, false
+}
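Review bot: GetProvisionerExtension discards the `rest` result of asn1.Unmarshal, so an extension value with trailing bytes after the SEQUENCE is accepted as well-formed; since the decoded Name and CredentialID are what LoadByCertificate uses to select a provisioner, the decoder should be strict: `rest, err := asn1.Unmarshal(e.Value, &provisioner)` and `if err != nil || len(rest) != 0 { return nil, false }`. Marshal also loses the context that the removed createProvisionerExtension attached with errors.Wrap; `fmt.Errorf("marshaling provisioner extension: %w", err)` would restore it, though fmt is not imported in this file yet. extensionASN1 has no doc comment; suggest `// extensionASN1 is the DER form of Extension; Name and CredentialID are encoded as OCTET STRINGs.`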
diff --git a/authority/provisioner/extension_test.go b/authority/provisioner/extension_test.go new file mode 100644 index 00000000..69be9e18 --- /dev/null +++ b/authority/provisioner/extension_test.go 
@@ -0,0 +1,158 @@ +package provisioner + +import ( + "crypto/x509" + "crypto/x509/pkix" + "reflect" + "testing" + + "go.step.sm/crypto/pemutil" +) + +func TestExtension_Marshal(t *testing.T) { + type fields struct { + Type Type + Name string + CredentialID string + KeyValuePairs []string + } + tests := []struct { + name string + fields fields + want []byte + wantErr bool + }{ + {"ok", fields{TypeJWK, "name", "credentialID", nil}, []byte{ + 0x30, 0x17, 0x02, 0x01, 0x01, 0x04, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x04, 0x0c, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, + 0x44, + }, false}, + {"ok with pairs", fields{TypeJWK, "name", "credentialID", []string{"foo", "bar"}}, []byte{ + 0x30, 0x23, 0x02, 0x01, 0x01, 0x04, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x04, 0x0c, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, + 0x44, 0x30, 0x0a, 0x13, 0x03, 0x66, 0x6f, 0x6f, + 0x13, 0x03, 0x62, 0x61, 0x72, + }, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + e := &Extension{ + Type: tt.fields.Type, + Name: tt.fields.Name, + CredentialID: tt.fields.CredentialID, + KeyValuePairs: tt.fields.KeyValuePairs, + } + got, err := e.Marshal() + if (err != nil) != tt.wantErr { + t.Errorf("Extension.Marshal() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("Extension.Marshal() = %x, want %v", got, tt.want) + } + }) + } +} + +func TestExtension_ToExtension(t *testing.T) { + type fields struct { + Type Type + Name string + CredentialID string + KeyValuePairs []string + } + tests := []struct { + name string + fields fields + want pkix.Extension + wantErr bool + }{ + {"ok", fields{TypeJWK, "name", "credentialID", nil}, pkix.Extension{ + Id: StepOIDProvisioner, + Value: []byte{ + 0x30, 0x17, 0x02, 0x01, 0x01, 0x04, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x04, 0x0c, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, + 0x44, + }, + }, false}, + {"ok empty pairs", 
fields{TypeJWK, "name", "credentialID", []string{}}, pkix.Extension{ + Id: StepOIDProvisioner, + Value: []byte{ + 0x30, 0x17, 0x02, 0x01, 0x01, 0x04, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x04, 0x0c, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, + 0x44, + }, + }, false}, + {"ok with pairs", fields{TypeJWK, "name", "credentialID", []string{"foo", "bar"}}, pkix.Extension{ + Id: StepOIDProvisioner, + Value: []byte{ + 0x30, 0x23, 0x02, 0x01, 0x01, 0x04, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x04, 0x0c, 0x63, 0x72, 0x65, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x49, + 0x44, 0x30, 0x0a, 0x13, 0x03, 0x66, 0x6f, 0x6f, + 0x13, 0x03, 0x62, 0x61, 0x72, + }, + }, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + e := &Extension{ + Type: tt.fields.Type, + Name: tt.fields.Name, + CredentialID: tt.fields.CredentialID, + KeyValuePairs: tt.fields.KeyValuePairs, + } + got, err := e.ToExtension() + if (err != nil) != tt.wantErr { + t.Errorf("Extension.ToExtension() error = %v, wantErr %v", err, tt.wantErr) + return + } + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("Extension.ToExtension() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestGetProvisionerExtension(t *testing.T) { + mustCertificate := func(fn string) *x509.Certificate { + cert, err := pemutil.ReadCertificate(fn) + if err != nil { + t.Fatal(err) + } + return cert + } + + type args struct { + cert *x509.Certificate + } + tests := []struct { + name string + args args + want *Extension + want1 bool + }{ + {"ok", args{mustCertificate("testdata/certs/good-extension.crt")}, &Extension{ + Type: TypeJWK, + Name: "mariano@smallstep.com", + CredentialID: "nvgnR8wSzpUlrt_tC3mvrhwhBx9Y7T1WL_JjcFVWYBQ", + }, true}, + {"fail unmarshal", args{mustCertificate("testdata/certs/bad-extension.crt")}, nil, false}, + {"missing extension", args{mustCertificate("testdata/certs/aws.crt")}, nil, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, got1 := 
GetProvisionerExtension(tt.args.cert) + if !reflect.DeepEqual(got, tt.want) { + t.Errorf("GetProvisionerExtension() got = %v, want %v", got, tt.want) + } + if got1 != tt.want1 { + t.Errorf("GetProvisionerExtension() got1 = %v, want %v", got1, tt.want1) + } + }) + } +} diff --git a/authority/provisioner/gcp_test.go b/authority/provisioner/gcp_test.go index 94fbd576..b8c437c3 100644 --- a/authority/provisioner/gcp_test.go +++ b/authority/provisioner/gcp_test.go @@ -549,7 +549,7 @@ func TestGCP_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeGCP)) + assert.Equals(t, v.Type, TypeGCP) assert.Equals(t, v.Name, tt.gcp.GetName()) assert.Equals(t, v.CredentialID, tt.gcp.ServiceAccounts[0]) assert.Len(t, 4, v.KeyValuePairs) diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go index bf5c3d2c..dde2f836 100644 --- a/authority/provisioner/jwk_test.go +++ b/authority/provisioner/jwk_test.go @@ -300,7 +300,7 @@ func TestJWK_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeJWK)) + assert.Equals(t, v.Type, TypeJWK) assert.Equals(t, v.Name, tt.prov.GetName()) assert.Equals(t, v.CredentialID, tt.prov.Key.KeyID) assert.Len(t, 0, v.KeyValuePairs) diff --git a/authority/provisioner/k8sSA_test.go b/authority/provisioner/k8sSA_test.go index 0a82e8ef..378d4471 100644 --- a/authority/provisioner/k8sSA_test.go +++ b/authority/provisioner/k8sSA_test.go @@ -283,7 +283,7 @@ func TestK8sSA_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeK8sSA)) + assert.Equals(t, v.Type, TypeK8sSA) assert.Equals(t, v.Name, tc.p.GetName()) assert.Equals(t, v.CredentialID, "") assert.Len(t, 0, v.KeyValuePairs) 
diff --git a/authority/provisioner/oidc_test.go b/authority/provisioner/oidc_test.go index 62082fb2..c1a94b1d 100644 --- a/authority/provisioner/oidc_test.go +++ b/authority/provisioner/oidc_test.go @@ -327,7 +327,7 @@ func TestOIDC_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeOIDC)) + assert.Equals(t, v.Type, TypeOIDC) assert.Equals(t, v.Name, tt.prov.GetName()) assert.Equals(t, v.CredentialID, tt.prov.ClientID) assert.Len(t, 0, v.KeyValuePairs) diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go index 34b2e99b..80dfc66e 100644 --- a/authority/provisioner/sign_options.go +++ b/authority/provisioner/sign_options.go @@ -6,7 +6,6 @@ import ( "crypto/rsa" "crypto/x509" "crypto/x509/pkix" - "encoding/asn1" "encoding/json" "net" "net/http" @@ -14,7 +13,6 @@ import ( "reflect" "time" - "github.com/pkg/errors" "github.com/smallstep/certificates/errs" "go.step.sm/crypto/keyutil" "go.step.sm/crypto/x509util" @@ -404,17 +402,12 @@ func (v *validityValidator) Valid(cert *x509.Certificate, o SignOptions) error { return nil } -var ( - stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64} - stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...) -) - -type stepProvisionerASN1 struct { - Type int - Name []byte - CredentialID []byte - KeyValuePairs []string `asn1:"optional,omitempty"` -} +// type stepProvisionerASN1 struct { +// Type int +// Name []byte +// CredentialID []byte +// KeyValuePairs []string `asn1:"optional,omitempty"` +// } type forceCNOption struct { ForceCN bool 
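Review bot: The third sign_options.go hunk replaces the removed stepProvisionerASN1 type with a commented-out copy of it, which is dead code now that the definition lives as extensionASN1 in extension.go; the six comment lines should be deleted rather than kept. Version control already preserves the old definition, and the commented block will go stale the first time extensionASN1 changes. If a pointer for readers is wanted, a single line `// The provisioner extension types live in extension.go.` is enough.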
@@ -441,23 +434,22 @@ func (o *forceCNOption) Modify(cert *x509.Certificate, _ SignOptions) error { } type provisionerExtensionOption struct { - Type int - Name string - CredentialID string - KeyValuePairs []string + Extension } func newProvisionerExtensionOption(typ Type, name, credentialID string, keyValuePairs ...string) *provisionerExtensionOption { return &provisionerExtensionOption{ - Type: int(typ), - Name: name, - CredentialID: credentialID, - KeyValuePairs: keyValuePairs, + Extension: Extension{ + Type: typ, + Name: name, + CredentialID: credentialID, + KeyValuePairs: keyValuePairs, + }, } } func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOptions) error { - ext, err := createProvisionerExtension(o.Type, o.Name, o.CredentialID, o.KeyValuePairs...) + ext, err := o.ToExtension() if err != nil { return errs.NewError(http.StatusInternalServerError, err, "error creating certificate") } @@ -471,20 +463,3 @@ func (o *provisionerExtensionOption) Modify(cert *x509.Certificate, _ SignOption cert.ExtraExtensions = append([]pkix.Extension{ext}, cert.ExtraExtensions...) return nil } - -func createProvisionerExtension(typ int, name, credentialID string, keyValuePairs ...string) (pkix.Extension, error) { - b, err := asn1.Marshal(stepProvisionerASN1{ - Type: typ, - Name: []byte(name), - CredentialID: []byte(credentialID), - KeyValuePairs: keyValuePairs, - }) - if err != nil { - return pkix.Extension{}, errors.Wrap(err, "error marshaling provisioner extension") - } - return pkix.Extension{ - Id: stepOIDProvisioner, - Critical: false, - Value: b, - }, nil -} diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go index 32b8e3c6..fc4d675a 100644 --- a/authority/provisioner/sign_options_test.go +++ b/authority/provisioner/sign_options_test.go 
@@ -636,18 +636,18 @@ func Test_newProvisionerExtension_Option(t *testing.T) { valid: func(cert *x509.Certificate) { if assert.Len(t, 1, cert.ExtraExtensions) { ext := cert.ExtraExtensions[0] - assert.Equals(t, ext.Id, stepOIDProvisioner) + assert.Equals(t, ext.Id, StepOIDProvisioner) } }, } }, "ok/prepend": func() test { return test{ - cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: stepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}}, + cert: &x509.Certificate{ExtraExtensions: []pkix.Extension{{Id: StepOIDProvisioner, Critical: true}, {Id: []int{1, 2, 3}}}}, valid: func(cert *x509.Certificate) { if assert.Len(t, 3, cert.ExtraExtensions) { ext := cert.ExtraExtensions[0] - assert.Equals(t, ext.Id, stepOIDProvisioner) + assert.Equals(t, ext.Id, StepOIDProvisioner) assert.False(t, ext.Critical) } }, diff --git a/authority/provisioner/testdata/certs/bad-extension.crt b/authority/provisioner/testdata/certs/bad-extension.crt new file mode 100644 index 00000000..ecce0f28 --- /dev/null +++ b/authority/provisioner/testdata/certs/bad-extension.crt 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDeTCCAx+gAwIBAgIRAOTItW2pYuSU+PkmLW090iUwCgYIKoZIzj0EAwIwJDEi +MCAGA1UEAxMZU21hbGxzdGVwIEludGVybWVkaWF0ZSBDQTAeFw0yMjAzMTEyMjUy +MjBaFw0yMjAzMTIyMjUzMjBaMIGcMQswCQYDVQQGEwJDSDETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEYMBYGA1UECRMPMSBUaGUg +U3RyZWV0IFN0MRMwEQYDVQQKDAo8bm8gdmFsdWU+MRYwFAYDVQQLEw1TbWFsbHN0 +ZXAgRW5nMRkwFwYDVQQDDBB0ZXN0QGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAE/9vvOZ1Zzysnf3VeGyotMJEMZdAborB36Ah5QL/3yQNMRWIc +pv9Dwx19pHw7SquVE8jIaPPJSjaeWnfMPDYDxaOCAbcwggGzMA4GA1UdDwEB/wQE +AwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw +ADAdBgNVHQ4EFgQUkJUg6AsqWlqTZt6BHidRMwh1vKYwHwYDVR0jBBgwFoAUDpTg +d3VFCn6e71wXcwbDCURBomUwgZoGCCsGAQUFBwEBBIGNMIGKMBcGCCsGAQUFBzAB +hgtodHRwczovL2ZvbzBvBggrBgEFBQcwAoZjaHR0cHM6Ly9jYS5zbWFsbHN0ZXAu +Y29tOjkwMDAvcm9vdC9hNzhhODUwMDI1YzBjMjM0Mzg1ZWRhMjNkNzE5Mjk2NGNh +NTZhYTlkNzI3ZjUzNTY1M2IwYWZiODFjMWUwNTU5MBsGA1UdEQQUMBKBEHRlc3RA +ZXhhbXBsZS5jb20wIAYDVR0gBBkwFzALBglghkgBhv1sAQEwCAYGZ4EMAQICMD8G +A1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2 +LXNlcnZlci1nMy5jcmwwFwYMKwYBBAGCpGTGKEABBAdmb29vYmFyMAoGCCqGSM49 +BAMCA0gAMEUCIQCWYqOuk4bLkVVeHvo3P8TlJJ3fw6ijDDLstvdrQqAl5wIgEjSY +wVcR649Oc8PJGh/43Kpx0+4OTYPQrD/JqphVF7g= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/authority/provisioner/testdata/certs/good-extension.crt b/authority/provisioner/testdata/certs/good-extension.crt new file mode 100644 index 00000000..103353a7 --- /dev/null +++ b/authority/provisioner/testdata/certs/good-extension.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDujCCA2GgAwIBAgIRAM5celDKTTqAGycljO7FZdEwCgYIKoZIzj0EAwIwJDEi +MCAGA1UEAxMZU21hbGxzdGVwIEludGVybWVkaWF0ZSBDQTAeFw0yMjAzMTEyMjQx +MDRaFw0yMjAzMTIyMjQyMDRaMIGcMQswCQYDVQQGEwJDSDETMBEGA1UECBMKQ2Fs +aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEYMBYGA1UECRMPMSBUaGUg +U3RyZWV0IFN0MRMwEQYDVQQKDAo8bm8gdmFsdWU+MRYwFAYDVQQLEw1TbWFsbHN0 +ZXAgRW5nMRkwFwYDVQQDDBB0ZXN0QGV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYI +KoZIzj0DAQcDQgAEkXffZYlSJRMxJrZHmUpEMC4jQYCkF86mLJY0iLZ8k00N/xF0 +4rAGwzTU/l9tfRpNl+z/XfMMWPXS0Q8NU/o4S6OCAfkwggH1MA4GA1UdDwEB/wQE +AwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIw +ADAdBgNVHQ4EFgQUL3sSlYW8Tf2l2P+gFTdn5wsUjfgwHwYDVR0jBBgwFoAUDpTg +d3VFCn6e71wXcwbDCURBomUwgZoGCCsGAQUFBwEBBIGNMIGKMBcGCCsGAQUFBzAB +hgtodHRwczovL2ZvbzBvBggrBgEFBQcwAoZjaHR0cHM6Ly9jYS5zbWFsbHN0ZXAu +Y29tOjkwMDAvcm9vdC9hNzhhODUwMDI1YzBjMjM0Mzg1ZWRhMjNkNzE5Mjk2NGNh +NTZhYTlkNzI3ZjUzNTY1M2IwYWZiODFjMWUwNTU5MBsGA1UdEQQUMBKBEHRlc3RA +ZXhhbXBsZS5jb20wIAYDVR0gBBkwFzALBglghkgBhv1sAQEwCAYGZ4EMAQICMD8G +A1UdHwQ4MDYwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2 +LXNlcnZlci1nMy5jcmwwWQYMKwYBBAGCpGTGKEABBEkwRwIBAQQVbWFyaWFub0Bz +bWFsbHN0ZXAuY29tBCtudmduUjh3U3pwVWxydF90QzNtdnJod2hCeDlZN1QxV0xf +SmpjRlZXWUJRMAoGCCqGSM49BAMCA0cAMEQCIE6umrhSbeQWWVK5cWBvXj5c0cGB +bUF0rNw/dsaCaWcwAiAKSkmjhsC63DVPXPCNUki90YgVovO69foO1ZaB43lx5w== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/authority/provisioner/x5c_test.go b/authority/provisioner/x5c_test.go index 18a31b04..84e29b48 100644 --- a/authority/provisioner/x5c_test.go +++ b/authority/provisioner/x5c_test.go @@ -469,7 +469,7 @@ func TestX5C_AuthorizeSign(t *testing.T) { switch v := o.(type) { case certificateOptionsFunc: case *provisionerExtensionOption: - assert.Equals(t, v.Type, int(TypeX5C)) + assert.Equals(t, v.Type, TypeX5C) assert.Equals(t, v.Name, tc.p.GetName()) assert.Equals(t, v.CredentialID, "") assert.Len(t, 0, v.KeyValuePairs)