@ -75,6 +75,15 @@ var (
testSignedIntermediateTemplate = mustSign(testIntermediateTemplate, testSignedRootTemplate, testNow, testNow.Add(24*time.Hour))
testSignedIntermediateTemplate = mustSign(testIntermediateTemplate, testSignedRootTemplate, testNow, testNow.Add(24*time.Hour))
)
)
type signatureAlgorithmSigner struct {
crypto.Signer
algorithm x509.SignatureAlgorithm
}
func (s *signatureAlgorithmSigner) SignatureAlgorithm() x509.SignatureAlgorithm {
return s.algorithm
}
type mockKeyManager struct {
type mockKeyManager struct {
signer crypto.Signer
signer crypto.Signer
errGetPublicKey error
errGetPublicKey error
@ -247,6 +256,13 @@ func TestSoftCAS_CreateCertificate(t *testing.T) {
tmplNoSerial := *testTemplate
tmplNoSerial := *testTemplate
tmplNoSerial.SerialNumber = nil
tmplNoSerial.SerialNumber = nil
saTemplate := *testSignedTemplate
saTemplate.SignatureAlgorithm = 0
saSigner := &signatureAlgorithmSigner{
Signer: testSigner,
algorithm: x509.PureEd25519,
}
type fields struct {
type fields struct {
Issuer *x509.Certificate
Issuer *x509.Certificate
Signer crypto.Signer
Signer crypto.Signer
@ -267,6 +283,12 @@ func TestSoftCAS_CreateCertificate(t *testing.T) {
Certificate: testSignedTemplate,
Certificate: testSignedTemplate,
CertificateChain: []*x509.Certificate{testIssuer},
CertificateChain: []*x509.Certificate{testIssuer},
}, false},
}, false},
{"ok signature algorithm", fields{testIssuer, saSigner}, args{&apiv1.CreateCertificateRequest{
Template: &saTemplate, Lifetime: 24 * time.Hour,
}}, &apiv1.CreateCertificateResponse{
Certificate: testSignedTemplate,
CertificateChain: []*x509.Certificate{testIssuer},
}, false},
{"ok with notBefore", fields{testIssuer, testSigner}, args{&apiv1.CreateCertificateRequest{
{"ok with notBefore", fields{testIssuer, testSigner}, args{&apiv1.CreateCertificateRequest{
Template: &tmplNotBefore, Lifetime: 24 * time.Hour,
Template: &tmplNotBefore, Lifetime: 24 * time.Hour,
}}, &apiv1.CreateCertificateResponse{
}}, &apiv1.CreateCertificateResponse{
@ -316,6 +338,11 @@ func TestSoftCAS_RenewCertificate(t *testing.T) {
tmplNoSerial := *testTemplate
tmplNoSerial := *testTemplate
tmplNoSerial.SerialNumber = nil
tmplNoSerial.SerialNumber = nil
saSigner := &signatureAlgorithmSigner{
Signer: testSigner,
algorithm: x509.PureEd25519,
}
type fields struct {
type fields struct {
Issuer *x509.Certificate
Issuer *x509.Certificate
Signer crypto.Signer
Signer crypto.Signer
@ -336,6 +363,12 @@ func TestSoftCAS_RenewCertificate(t *testing.T) {
Certificate: testSignedTemplate,
Certificate: testSignedTemplate,
CertificateChain: []*x509.Certificate{testIssuer},
CertificateChain: []*x509.Certificate{testIssuer},
}, false},
}, false},
{"ok signature algorithm", fields{testIssuer, saSigner}, args{&apiv1.RenewCertificateRequest{
Template: testTemplate, Lifetime: 24 * time.Hour,
}}, &apiv1.RenewCertificateResponse{
Certificate: testSignedTemplate,
CertificateChain: []*x509.Certificate{testIssuer},
}, false},
{"fail template", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{Lifetime: 24 * time.Hour}}, nil, true},
{"fail template", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{Lifetime: 24 * time.Hour}}, nil, true},
{"fail lifetime", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{Template: testTemplate}}, nil, true},
{"fail lifetime", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{Template: testTemplate}}, nil, true},
{"fail CreateCertificate", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{
{"fail CreateCertificate", fields{testIssuer, testSigner}, args{&apiv1.RenewCertificateRequest{
@ -425,6 +458,11 @@ func Test_now(t *testing.T) {
func TestSoftCAS_CreateCertificateAuthority(t *testing.T) {
func TestSoftCAS_CreateCertificateAuthority(t *testing.T) {
mockNow(t)
mockNow(t)
saSigner := &signatureAlgorithmSigner{
Signer: testSigner,
algorithm: x509.PureEd25519,
}
type fields struct {
type fields struct {
Issuer *x509.Certificate
Issuer *x509.Certificate
Signer crypto.Signer
Signer crypto.Signer
@ -467,6 +505,17 @@ func TestSoftCAS_CreateCertificateAuthority(t *testing.T) {
PrivateKey: testSigner,
PrivateKey: testSigner,
Signer: testSigner,
Signer: testSigner,
}, false},
}, false},
{"ok signature algorithm", fields{nil, nil, &mockKeyManager{signer: saSigner}}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Template: testRootTemplate,
Lifetime: 24 * time.Hour,
}}, &apiv1.CreateCertificateAuthorityResponse{
Name: "Test Root CA",
Certificate: testSignedRootTemplate,
PublicKey: testSignedRootTemplate.PublicKey,
PrivateKey: saSigner,
Signer: saSigner,
}, false},
{"fail template", fields{nil, nil, &mockKeyManager{}}, args{&apiv1.CreateCertificateAuthorityRequest{
{"fail template", fields{nil, nil, &mockKeyManager{}}, args{&apiv1.CreateCertificateAuthorityRequest{
Type: apiv1.RootCA,
Type: apiv1.RootCA,
Lifetime: 24 * time.Hour,
Lifetime: 24 * time.Hour,