Merge branch 'master' into herman/acme-macos-properties
commit
9b12867e9d
@ -1,18 +0,0 @@
|
|||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:85
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:107
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:108
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:129
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:131
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:136
|
|
||||||
deac15327f5605a1a963e50818760a95cee9d882:docs/kms.md:generic-api-key:138
|
|
||||||
7c9ab9814fb676cb3c125c3dac4893271f1b7ae5:README.md:generic-api-key:282
|
|
||||||
fb7140444ac8f1fa1245a80e49d17e206f7435f3:docs/provisioners.md:generic-api-key:110
|
|
||||||
e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:73
|
|
||||||
e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:113
|
|
||||||
e4de7f07e82118b3f926716666b620db058fa9f7:docs/revocation.md:generic-api-key:151
|
|
||||||
8b2de42e9cf6ce99f53a5049881e1d6077d5d66e:docs/docker.md:generic-api-key:152
|
|
||||||
3939e855264117e81531df777a642ea953d325a7:autocert/init/ca/intermediate_ca_key:private-key:1
|
|
||||||
e72f08703753facfa05f2d8c68f9f6a3745824b8:README.md:generic-api-key:244
|
|
||||||
e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:365
|
|
||||||
e70a5dae7de0b6ca40a0393c09c28872d4cfa071:autocert/README.md:generic-api-key:366
|
|
||||||
c284a2c0ab1c571a46443104be38c873ef0c7c6d:config.json:generic-api-key:10
|
|
@ -0,0 +1,118 @@
|
|||||||
|
package models
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"crypto/x509"
|
||||||
|
"errors"
|
||||||
|
|
||||||
|
"github.com/smallstep/certificates/authority/provisioner"
|
||||||
|
"golang.org/x/crypto/ssh"
|
||||||
|
)
|
||||||
|
|
||||||
|
var errDummyImplementation = errors.New("dummy implementation")
|
||||||
|
|
||||||
|
// SCEP is the SCEP provisioner model used solely in CA API
|
||||||
|
// responses. All methods for the [provisioner.Interface] interface
|
||||||
|
// are implemented, but return a dummy error.
|
||||||
|
// TODO(hs): remove reliance on the interface for the API responses
|
||||||
|
type SCEP struct {
|
||||||
|
ID string `json:"-"`
|
||||||
|
Type string `json:"type"`
|
||||||
|
Name string `json:"name"`
|
||||||
|
ForceCN bool `json:"forceCN"`
|
||||||
|
ChallengePassword string `json:"challenge"`
|
||||||
|
Capabilities []string `json:"capabilities,omitempty"`
|
||||||
|
IncludeRoot bool `json:"includeRoot"`
|
||||||
|
ExcludeIntermediate bool `json:"excludeIntermediate"`
|
||||||
|
MinimumPublicKeyLength int `json:"minimumPublicKeyLength"`
|
||||||
|
DecrypterCertificate []byte `json:"decrypterCertificate"`
|
||||||
|
DecrypterKeyPEM []byte `json:"decrypterKeyPEM"`
|
||||||
|
DecrypterKeyURI string `json:"decrypterKey"`
|
||||||
|
DecrypterKeyPassword string `json:"decrypterKeyPassword"`
|
||||||
|
EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier"`
|
||||||
|
Options *provisioner.Options `json:"options,omitempty"`
|
||||||
|
Claims *provisioner.Claims `json:"claims,omitempty"`
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetID returns the provisioner unique identifier.
|
||||||
|
func (s *SCEP) GetID() string {
|
||||||
|
if s.ID != "" {
|
||||||
|
return s.ID
|
||||||
|
}
|
||||||
|
return s.GetIDForToken()
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetIDForToken returns an identifier that will be used to load the provisioner
|
||||||
|
// from a token.
|
||||||
|
func (s *SCEP) GetIDForToken() string {
|
||||||
|
return "scep/" + s.Name
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetName returns the name of the provisioner.
|
||||||
|
func (s *SCEP) GetName() string {
|
||||||
|
return s.Name
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetType returns the type of provisioner.
|
||||||
|
func (s *SCEP) GetType() provisioner.Type {
|
||||||
|
return provisioner.TypeSCEP
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetEncryptedKey returns the base provisioner encrypted key if it's defined.
|
||||||
|
func (s *SCEP) GetEncryptedKey() (string, string, bool) {
|
||||||
|
return "", "", false
|
||||||
|
}
|
||||||
|
|
||||||
|
// GetTokenID returns the identifier of the token.
|
||||||
|
func (s *SCEP) GetTokenID(string) (string, error) {
|
||||||
|
return "", errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// Init initializes and validates the fields of a SCEP type.
|
||||||
|
func (s *SCEP) Init(_ provisioner.Config) (err error) {
|
||||||
|
return errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeSign returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for signing x509 Certificates.
|
||||||
|
func (s *SCEP) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) {
|
||||||
|
return nil, errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for revoking x509 Certificates.
|
||||||
|
func (s *SCEP) AuthorizeRevoke(context.Context, string) error {
|
||||||
|
return errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeRenew returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for renewing x509 Certificates.
|
||||||
|
func (s *SCEP) AuthorizeRenew(context.Context, *x509.Certificate) error {
|
||||||
|
return errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for signing SSH Certificates.
|
||||||
|
func (s *SCEP) AuthorizeSSHSign(context.Context, string) ([]provisioner.SignOption, error) {
|
||||||
|
return nil, errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for revoking SSH Certificates.
|
||||||
|
func (s *SCEP) AuthorizeSSHRevoke(context.Context, string) error {
|
||||||
|
return errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for renewing SSH Certificates.
|
||||||
|
func (s *SCEP) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) {
|
||||||
|
return nil, errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
// AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite
|
||||||
|
// this method if they will support authorizing tokens for rekeying SSH Certificates.
|
||||||
|
func (s *SCEP) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []provisioner.SignOption, error) {
|
||||||
|
return nil, nil, errDummyImplementation
|
||||||
|
}
|
||||||
|
|
||||||
|
var _ provisioner.Interface = (*SCEP)(nil)
|
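Review bot: The struct comment says this SCEP model is used solely in CA API responses, yet `ChallengePassword` (`json:"challenge"`), `DecrypterKeyPEM` (`json:"decrypterKeyPEM"`) and `DecrypterKeyPassword` (`json:"decrypterKeyPassword"`) carry no `json:"-"` tag, so if the struct is marshaled as-is those secrets would be returned to API clients; either tag them `json:"-"` like `ID`, or state in the struct comment that callers must clear them before encoding — the call sites are not visible here, so which applies needs confirming. Separately, the comment above `AuthorizeSSHRevoke` reads `// AuthorizeRevoke returns an unimplemented error...` and should start with the method's own name, `// AuthorizeSSHRevoke returns an unimplemented error.`. The named result in `func (s *SCEP) Init(_ provisioner.Config) (err error)` is never assigned and could be a plain `error`.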
@ -0,0 +1,247 @@
|
|||||||
|
# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-signature.html
|
||||||
|
|
||||||
|
# default certificate for "other regions"
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDIjCCAougAwIBAgIJAKnL4UEDMN/FMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
|
||||||
|
BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgw
|
||||||
|
FgYDVQQKEw9BbWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3Mu
|
||||||
|
Y29tMB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlowajELMAkGA1UEBhMC
|
||||||
|
VVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1NlYXR0bGUxGDAWBgNV
|
||||||
|
BAoTD0FtYXpvbi5jb20gSW5jLjEaMBgGA1UEAxMRZWMyLmFtYXpvbmF3cy5jb20w
|
||||||
|
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIe9GN//SRK2knbjySG0ho3yqQM3
|
||||||
|
e2TDhWO8D2e8+XZqck754gFSo99AbT2RmXClambI7xsYHZFapbELC4H91ycihvrD
|
||||||
|
jbST1ZjkLQgga0NE1q43eS68ZeTDccScXQSNivSlzJZS8HJZjgqzBlXjZftjtdJL
|
||||||
|
XeE4hwvo0sD4f3j9AgMBAAGjgc8wgcwwHQYDVR0OBBYEFCXWzAgVyrbwnFncFFIs
|
||||||
|
77VBdlE4MIGcBgNVHSMEgZQwgZGAFCXWzAgVyrbwnFncFFIs77VBdlE4oW6kbDBq
|
||||||
|
MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2Vh
|
||||||
|
dHRsZTEYMBYGA1UEChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1h
|
||||||
|
em9uYXdzLmNvbYIJAKnL4UEDMN/FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
|
||||||
|
BQADgYEAFYcz1OgEhQBXIwIdsgCOS8vEtiJYF+j9uO6jz7VOmJqO+pRlAbRlvY8T
|
||||||
|
C1haGgSI/A1uZUKs/Zfnph0oEI0/hu1IIJ/SKBDtN5lvmZ/IzbOPIJWirlsllQIQ
|
||||||
|
7zvWbGd9c9+Rm3p04oTvhup99la7kZqevJK0QRdD/6NpCKsqP/0=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for eu-south-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICNjCCAZ+gAwIBAgIJAOZ3GEIaDcugMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
|
||||||
|
BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
|
||||||
|
dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0xOTEwMjQx
|
||||||
|
NTE5MDlaGA8yMTk5MDMyOTE1MTkwOVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgT
|
||||||
|
EFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0Ft
|
||||||
|
YXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
|
||||||
|
gQCjiPgW3vsXRj4JoA16WQDyoPc/eh3QBARaApJEc4nPIGoUolpAXcjFhWplo2O+
|
||||||
|
ivgfCsc4AU9OpYdAPha3spLey/bhHPRi1JZHRNqScKP0hzsCNmKhfnZTIEQCFvsp
|
||||||
|
DRp4zr91/WS06/flJFBYJ6JHhp0KwM81XQG59lV6kkoW7QIDAQABMA0GCSqGSIb3
|
||||||
|
DQEBCwUAA4GBAGLLrY3P+HH6C57dYgtJkuGZGT2+rMkk2n81/abzTJvsqRqGRrWv
|
||||||
|
XRKRXlKdM/dfiuYGokDGxiC0Mg6TYy6wvsR2qRhtXW1OtZkiHWcQCnOttz+8vpew
|
||||||
|
wx8JGMvowtuKB1iMsbwyRqZkFYLcvH+Opfb/Aayi20/ChQLdI6M2R5VU
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for ap-east-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICSzCCAbQCCQDtQvkVxRvK9TANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJV
|
||||||
|
UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEYMBYGA1UE
|
||||||
|
ChMPQW1hem9uLmNvbSBJbmMuMRowGAYDVQQDExFlYzIuYW1hem9uYXdzLmNvbTAe
|
||||||
|
Fw0xOTAyMDMwMzAwMDZaFw0yOTAyMDIwMzAwMDZaMGoxCzAJBgNVBAYTAlVTMRMw
|
||||||
|
EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMRgwFgYDVQQKEw9B
|
||||||
|
bWF6b24uY29tIEluYy4xGjAYBgNVBAMTEWVjMi5hbWF6b25hd3MuY29tMIGfMA0G
|
||||||
|
CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1kkHXYTfc7gY5Q55JJhjTieHAgacaQkiR
|
||||||
|
Pity9QPDE3b+NXDh4UdP1xdIw73JcIIG3sG9RhWiXVCHh6KkuCTqJfPUknIKk8vs
|
||||||
|
M3RXflUpBe8Pf+P92pxqPMCz1Fr2NehS3JhhpkCZVGxxwLC5gaG0Lr4rFORubjYY
|
||||||
|
Rh84dK98VwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBAA6xV9f0HMqXjPHuGILDyaNN
|
||||||
|
dKcvplNFwDTydVg32MNubAGnecoEBtUPtxBsLoVYXCOb+b5/ZMDubPF9tU/vSXuo
|
||||||
|
TpYM5Bq57gJzDRaBOntQbX9bgHiUxw6XZWaTS/6xjRJDT5p3S1E0mPI3lP/eJv4o
|
||||||
|
Ezk5zb3eIf10/sqt4756
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for af-south-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICNjCCAZ+gAwIBAgIJAKumfZiRrNvHMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
|
||||||
|
BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
|
||||||
|
dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0xOTExMjcw
|
||||||
|
NzE0MDVaGA8yMTk5MDUwMjA3MTQwNVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgT
|
||||||
|
EFdhc2hpbmd0b24gU3RhdGUxEDAOBgNVBAcTB1NlYXR0bGUxIDAeBgNVBAoTF0Ft
|
||||||
|
YXpvbiBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
|
||||||
|
gQDFd571nUzVtke3rPyRkYfvs3jh0C0EMzzG72boyUNjnfw1+m0TeFraTLKb9T6F
|
||||||
|
7TuB/ZEN+vmlYqr2+5Va8U8qLbPF0bRH+FdaKjhgWZdYXxGzQzU3ioy5W5ZM1VyB
|
||||||
|
7iUsxEAlxsybC3ziPYaHI42UiTkQNahmoroNeqVyHNnBpQIDAQABMA0GCSqGSIb3
|
||||||
|
DQEBCwUAA4GBAAJLylWyElEgOpW4B1XPyRVD4pAds8Guw2+krgqkY0HxLCdjosuH
|
||||||
|
RytGDGN+q75aAoXzW5a7SGpxLxk6Hfv0xp3RjDHsoeP0i1d8MD3hAC5ezxS4oukK
|
||||||
|
s5gbPOnokhKTMPXbTdRn5ZifCbWlx+bYN/mTYKvxho7b5SVg2o1La9aK
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for me-south-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDPDCCAqWgAwIBAgIJAMl6uIV/zqJFMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
|
||||||
|
BAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMSAw
|
||||||
|
HgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzEaMBgGA1UEAwwRZWMyLmFt
|
||||||
|
YXpvbmF3cy5jb20wIBcNMTkwNDI2MTQzMjQ3WhgPMjE5ODA5MjkxNDMyNDdaMHIx
|
||||||
|
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
|
||||||
|
dGxlMSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzEaMBgGA1UEAwwR
|
||||||
|
ZWMyLmFtYXpvbmF3cy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALVN
|
||||||
|
CDTZEnIeoX1SEYqq6k1BV0ZlpY5y3KnoOreCAE589TwS4MX5+8Fzd6AmACmugeBP
|
||||||
|
Qk7Hm6b2+g/d4tWycyxLaQlcq81DB1GmXehRkZRgGeRge1ePWd1TUA0I8P/QBT7S
|
||||||
|
gUePm/kANSFU+P7s7u1NNl+vynyi0wUUrw7/wIZTAgMBAAGjgdcwgdQwHQYDVR0O
|
||||||
|
BBYEFILtMd+T4YgH1cgc+hVsVOV+480FMIGkBgNVHSMEgZwwgZmAFILtMd+T4YgH
|
||||||
|
1cgc+hVsVOV+480FoXakdDByMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGlu
|
||||||
|
Z3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEgMB4GA1UECgwXQW1hem9uIFdlYiBTZXJ2
|
||||||
|
aWNlcyBMTEMxGjAYBgNVBAMMEWVjMi5hbWF6b25hd3MuY29tggkAyXq4hX/OokUw
|
||||||
|
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBhkNTBIFgWFd+ZhC/LhRUY
|
||||||
|
4OjEiykmbEp6hlzQ79T0Tfbn5A4NYDI2icBP0+hmf6qSnIhwJF6typyd1yPK5Fqt
|
||||||
|
NTpxxcXmUKquX+pHmIkK1LKDO8rNE84jqxrxRsfDi6by82fjVYf2pgjJW8R1FAw+
|
||||||
|
mL5WQRFexbfB5aXhcMo0AA==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for cn-north-1, cn-northwest-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDCzCCAnSgAwIBAgIJALSOMbOoU2svMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
|
||||||
|
BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
|
||||||
|
dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMzA3MDQw
|
||||||
|
ODM1MzlaFw0yODA3MDIwODM1MzlaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
|
||||||
|
YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
|
||||||
|
b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
|
||||||
|
uhhUNlqAZdcWWB/OSDVDGk3OA99EFzOn/mJlmciQ/Xwu2dFJWmSCqEAE6gjufCjQ
|
||||||
|
q3voxAhC2CF+elKtJW/C0Sz/LYo60PUqd6iXF4h+upB9HkOOGuWHXsHBTsvgkgGA
|
||||||
|
1CGgel4U0Cdq+23eANr8N8m28UzljjSnTlrYCHtzN4sCAwEAAaOB1DCB0TALBgNV
|
||||||
|
HQ8EBAMCB4AwHQYDVR0OBBYEFBkZu3wT27NnYgrfH+xJz4HJaNJoMIGOBgNVHSME
|
||||||
|
gYYwgYOAFBkZu3wT27NnYgrfH+xJz4HJaNJooWCkXjBcMQswCQYDVQQGEwJVUzEZ
|
||||||
|
MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
|
||||||
|
A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQC0jjGzqFNrLzASBgNVHRMB
|
||||||
|
Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBAECji43p+oPkYqmzll7e8Hgb
|
||||||
|
oADS0ph+YUz5P/bUCm61wFjlxaTfwKcuTR3ytj7bFLoW5Bm7Sa+TCl3lOGb2taon
|
||||||
|
2h+9NirRK6JYk87LMNvbS40HGPFumJL2NzEsGUeK+MRiWu+Oh5/lJGii3qw4YByx
|
||||||
|
SUDlRyNy1jJFstEZjOhs
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for eu-central-2
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXjSGFGiMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MTQyMDM1
|
||||||
|
MTJaGA8yMjAwMDQxNDIwMzUxMlowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
|
||||||
|
mdGdps5Rz2jzYcGNsgETTGUthJRrVqSnUWJXTlVaIbkGPLKO6Or7AfWKFp2sgRJ8
|
||||||
|
vLsjoBVR5cESVK7cuK1wItjvJyi/opKZAUusJx2hpgU3pUHhlp9ATh/VeVD582jT
|
||||||
|
d9IY+8t5MDa6Z3fGliByEiXz0LEHdi8MBacLREu1TwIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBAILlpoE3k9o7KdALAxsFJNitVS+g3RMzdbiFM+7MA63Nv5fsf+0xgcjS
|
||||||
|
NBElvPCDKFvTJl4QQhToy056llO5GvdS9RK+H8xrP2mrqngApoKTApv93vHBixgF
|
||||||
|
Sn5KrczRO0YSm3OjkqbydU7DFlmkXXR7GYE+5jbHvQHYiT1J5sMu
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for ap-south-2
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXjwLj9CMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MjAxNjQ3
|
||||||
|
NDVaGA8yMjAwMDQyMDE2NDc0NVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDT
|
||||||
|
wHu0ND+sFcobrjvcAYm0PNRD8f4R1jAzvoLt2+qGeOTAyO1Httj6cmsYN3AP1hN5
|
||||||
|
iYuppFiYsl2eNPa/CD0Vg0BAfDFlV5rzjpA0j7TJabVh4kj7JvtD+xYMi6wEQA4x
|
||||||
|
6SPONY4OeZ2+8o/HS8nucpWDVdPRO6ciWUlMhjmDmwIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBAAy6sgTdRkTqELHBeWj69q60xHyUmsWqHAQNXKVc9ApWGG4onzuqlMbG
|
||||||
|
ETwUZ9mTq2vxlV0KvuetCDNS5u4cJsxe/TGGbYP0yP2qfMl0cCImzRI5W0gn8gog
|
||||||
|
dervfeT7nH5ih0TWEy/QDWfkQ601L4erm4yh4YQq8vcqAPSkf04N
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for ap-southeast-3
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXbVDG2yMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTAxMDYwMDE1
|
||||||
|
MzBaGA8yMjAwMDEwNjAwMTUzMFowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCn
|
||||||
|
CS/Vbt0gQ1ebWcur2hSO7PnJifE4OPxQ7RgSAlc4/spJp1sDP+ZrS0LO1ZJfKhXf
|
||||||
|
1R9S3AUwLnsc7b+IuVXdY5LK9RKqu64nyXP5dx170zoL8loEyCSuRR2fs+04i2Qs
|
||||||
|
WBVP+KFNAn7P5L1EHRjkgTO8kjNKviwRV+OkP9ab5wIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBAI4WUy6+DKh0JDSzQEZNyBgNlSoSuC2owtMxCwGB6nBfzzfcekWvs6eo
|
||||||
|
fLTSGovrReX7MtVgrcJBZjmPIentw5dWUs+87w/g9lNwUnUt0ZHYyh2tuBG6hVJu
|
||||||
|
UEwDJ/z3wDd6wQviLOTF3MITawt9P8siR1hXqLJNxpjRQFZrgHqi
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for ap-southeast-4
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXjSh40SMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MTQyMjM2
|
||||||
|
NDJaGA8yMjAwMDQxNDIyMzY0MlowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH
|
||||||
|
ezwQr2VQpQSTW5TXNefiQrP+qWTGAbGsPeMX4hBMjAJUKys2NIRcRZaLM/BCew2F
|
||||||
|
IPVjNtlaj6Gwn9ipU4Mlz3zIwAMWi1AvGMSreppt+wV6MRtfOjh0Dvj/veJe88aE
|
||||||
|
ZJMozNgkJFRS+WFWsckQeL56tf6kY6QTlNo8V/0CsQIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBAF7vpPghH0FRo5gu49EArRNPrIvW1egMdZHrzJNqbztLCtV/wcgkqIww
|
||||||
|
uXYj+1rhlL+/iMpQWjdVGEqIZSeXn5fLmdx50eegFCwND837r9e8XYTiQS143Sxt
|
||||||
|
9+Yi6BZ7U7YD8kK9NBWoJxFqUeHdpRCs0O7COjT3gwm7ZxvAmssh
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for eu-south-2
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXjwLkiaMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MjAxNjQ3
|
||||||
|
NDhaGA8yMjAwMDQyMDE2NDc0OFowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDB
|
||||||
|
/VvR1+45Aey5zn3vPk6xBm5o9grSDL6D2iAuprQnfVXn8CIbSDbWFhA3fi5ippjK
|
||||||
|
kh3sl8VyCvCOUXKdOaNrYBrPRkrdHdBuL2Tc84RO+3m/rxIUZ2IK1fDlC6sWAjdd
|
||||||
|
f6sBrV2w2a78H0H8EwuwiSgttURBjwJ7KPPJCqaqrQIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBAKR+FzqQDzun/iMMzcFucmLMl5BxEblrFXOz7IIuOeiGkndmrqUeDCyk
|
||||||
|
ztLku45s7hxdNy4ltTuVAaE5aNBdw5J8U1mRvsKvHLy2ThH6hAWKwTqtPAJp7M21
|
||||||
|
GDwgDDOkPSz6XVOehg+hBgiphYp84DUbWVYeP8YqLEJSqscKscWC
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for il-central-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAX0QQGVLMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTExMTExODI2
|
||||||
|
MzVaGA8yMjAwMTExMTE4MjYzNVowXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDr
|
||||||
|
c24u3AgFxnoPgzxR6yFXOamcPuxYXhYKWmapb+S8vOy5hpLoRe4RkOrY0cM3bN07
|
||||||
|
GdEMlin5mU0y1t8y3ct4YewvmkgT42kTyMM+t1K4S0xsqjXxxS716uGYh7eWtkxr
|
||||||
|
Cihj8AbXN/6pa095h+7TZyl2n83keiNUzM2KoqQVMwIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBADwA6VVEIIZD2YL00F12po40xDLzIc9XvqFPS9iFaWi2ho8wLio7wA49
|
||||||
|
VYEFZSI9CR3SGB9tL8DUib97mlxmd1AcGShMmMlhSB29vhuhrUNB/FmU7H8s62/j
|
||||||
|
D6cOR1A1cClIyZUe1yT1ZbPySCs43J+Thr8i8FSRxzDBSZZi5foW
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for me-central-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIICMzCCAZygAwIBAgIGAXjRrnDjMA0GCSqGSIb3DQEBBQUAMFwxCzAJBgNVBAYT
|
||||||
|
AlVTMRkwFwYDVQQIDBBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHDAdTZWF0dGxl
|
||||||
|
MSAwHgYDVQQKDBdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAgFw0yMTA0MTQxODM5
|
||||||
|
MzNaGA8yMjAwMDQxNDE4MzkzM1owXDELMAkGA1UEBhMCVVMxGTAXBgNVBAgMEFdh
|
||||||
|
c2hpbmd0b24gU3RhdGUxEDAOBgNVBAcMB1NlYXR0bGUxIDAeBgNVBAoMF0FtYXpv
|
||||||
|
biBXZWIgU2VydmljZXMgTExDMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDc
|
||||||
|
aTgW/KyA6zyruJQrYy00a6wqLA7eeUzk3bMiTkLsTeDQfrkaZMfBAjGaaOymRo1C
|
||||||
|
3qzE4rIenmahvUplu9ZmLwL1idWXMRX2RlSvIt+d2SeoKOKQWoc2UOFZMHYxDue7
|
||||||
|
zkyk1CIRaBukTeY13/RIrlc6X61zJ5BBtZXlHwayjQIDAQABMA0GCSqGSIb3DQEB
|
||||||
|
BQUAA4GBABTqTy3R6RXKPW45FA+cgo7YZEj/Cnz5YaoUivRRdX2A83BHuBTvJE2+
|
||||||
|
WX00FTEj4hRVjameE1nENoO8Z7fUVloAFDlDo69fhkJeSvn51D1WRrPnoWGgEfr1
|
||||||
|
+OfK1bAcKTtfkkkP9r4RdwSjKzO5Zu/B+Wqm3kVEz/QNcz6npmA6
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# certificate for us-gov-east-1 and us-gov-west-1
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDCzCCAnSgAwIBAgIJAIe9Hnq82O7UMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV
|
||||||
|
BAYTAlVTMRkwFwYDVQQIExBXYXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0
|
||||||
|
dGxlMSAwHgYDVQQKExdBbWF6b24gV2ViIFNlcnZpY2VzIExMQzAeFw0yMTA3MTQx
|
||||||
|
NDI3NTdaFw0yNDA3MTMxNDI3NTdaMFwxCzAJBgNVBAYTAlVTMRkwFwYDVQQIExBX
|
||||||
|
YXNoaW5ndG9uIFN0YXRlMRAwDgYDVQQHEwdTZWF0dGxlMSAwHgYDVQQKExdBbWF6
|
||||||
|
b24gV2ViIFNlcnZpY2VzIExMQzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
|
||||||
|
qaIcGFFTx/SO1W5G91jHvyQdGP25n1Y91aXCuOOWAUTvSvNGpXrI4AXNrQF+CmIO
|
||||||
|
C4beBASnHCx082jYudWBBl9Wiza0psYc9flrczSzVLMmN8w/c78F/95NfiQdnUQP
|
||||||
|
pvgqcMeJo82cgHkLR7XoFWgMrZJqrcUK0gnsQcb6kakCAwEAAaOB1DCB0TALBgNV
|
||||||
|
HQ8EBAMCB4AwHQYDVR0OBBYEFNWV53gWJz72F5B1ZVY4O/dfFYBPMIGOBgNVHSME
|
||||||
|
gYYwgYOAFNWV53gWJz72F5B1ZVY4O/dfFYBPoWCkXjBcMQswCQYDVQQGEwJVUzEZ
|
||||||
|
MBcGA1UECBMQV2FzaGluZ3RvbiBTdGF0ZTEQMA4GA1UEBxMHU2VhdHRsZTEgMB4G
|
||||||
|
A1UEChMXQW1hem9uIFdlYiBTZXJ2aWNlcyBMTEOCCQCHvR56vNju1DASBgNVHRMB
|
||||||
|
Af8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4GBACrKjWj460GUPZCGm3/z0dIz
|
||||||
|
M2BPuH769wcOsqfFZcMKEysSFK91tVtUb1soFwH4/Lb/T0PqNrvtEwD1Nva5k0h2
|
||||||
|
xZhNNRmDuhOhW1K9wCcnHGRBwY5t4lYL6hNV6hcrqYwGMjTjcAjBG2yMgznSNFle
|
||||||
|
Rwi/S3BFXISixNx9cILu
|
||||||
|
-----END CERTIFICATE-----
|
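Review bot: None of the pinned AWS EC2 identity certificates record their validity period, and decoding the validity field of the "other regions" certificate (the `MB4XDTE0MDYwNTE0MjgwMloXDTI0MDYwNTE0MjgwMlow` portion) suggests it expires on 2024-06-05, with the us-gov certificate's field similarly ending on 2024-07-13; please verify with `openssl x509 -noout -dates` and record the result. Because these anchors gate instance identity verification, a comment such as `# notAfter: <date>` above each block makes the rotation need visible to whoever maintains the bundle, and a test that fails ahead of the earliest expiry would catch it before production does. The code that loads and uses this bundle is not part of this section, so whether expiry is checked at load time cannot be seen here.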
@ -0,0 +1,313 @@
|
|||||||
|
package pki
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"path/filepath"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/smallstep/certificates/authority/admin"
|
||||||
|
admindb "github.com/smallstep/certificates/authority/admin/db/nosql"
|
||||||
|
authconfig "github.com/smallstep/certificates/authority/config"
|
||||||
|
"github.com/smallstep/certificates/authority/provisioner"
|
||||||
|
"github.com/smallstep/certificates/cas/apiv1"
|
||||||
|
"github.com/smallstep/certificates/db"
|
||||||
|
"github.com/smallstep/nosql"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"go.step.sm/cli-utils/step"
|
||||||
|
)
|
||||||
|
|
||||||
|
func withDBDataSource(t *testing.T, dataSource string) func(c *authconfig.Config) error {
|
||||||
|
return func(c *authconfig.Config) error {
|
||||||
|
if c == nil || c.DB == nil {
|
||||||
|
require.Fail(t, "withDBDataSource prerequisites not met")
|
||||||
|
}
|
||||||
|
c.DB.DataSource = dataSource
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestPKI_GenerateConfig(t *testing.T) {
|
||||||
|
var preparePKI = func(t *testing.T, opts ...Option) *PKI {
|
||||||
|
o := apiv1.Options{
|
||||||
|
Type: "softcas",
|
||||||
|
IsCreator: true,
|
||||||
|
}
|
||||||
|
|
||||||
|
// TODO(hs): invoking `New` doesn't perform all operations that are executed
|
||||||
|
// when `ca init` is executed. Ideally this logic should be handled in one
|
||||||
|
// place and probably inside of the PKI initialization. For testing purposes
|
||||||
|
// the missing operations are faked by `setKeyPair`.
|
||||||
|
p, err := New(o, opts...)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
// setKeyPair sets a predefined JWK and a default JWK provisioner. This is one
|
||||||
|
// of the things performed in the `ca init` code that's not part of `New`, but
|
||||||
|
// performed after that in p.GenerateKeyPairs`. We're currently using the same
|
||||||
|
// JWK for every test to keep test variance small: we're not testing JWK generation
|
||||||
|
// here after all. It's a bit dangerous to redefine the function here, but it's
|
||||||
|
// the simplest way to make this fully testable without refactoring the init now.
|
||||||
|
// The password for the predefined encrypted key is \x01\x03\x03\x07.
|
||||||
|
setKeyPair(t, p)
|
||||||
|
|
||||||
|
return p
|
||||||
|
}
|
||||||
|
type args struct {
|
||||||
|
opt []ConfigOption
|
||||||
|
}
|
||||||
|
type test struct {
|
||||||
|
pki *PKI
|
||||||
|
args args
|
||||||
|
want *authconfig.Config
|
||||||
|
wantErr bool
|
||||||
|
}
|
||||||
|
var tests = map[string]func(t *testing.T) test{
|
||||||
|
"ok/simple": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "default-prov"
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: false,
|
||||||
|
Provisioners: provisioner.List{
|
||||||
|
&provisioner.JWK{
|
||||||
|
Type: "JWK",
|
||||||
|
Name: "default-prov",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(step.Path(), "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/with-acme": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "default-prov"
|
||||||
|
pki.options.enableACME = true
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: false,
|
||||||
|
Provisioners: provisioner.List{
|
||||||
|
&provisioner.JWK{
|
||||||
|
Type: "JWK",
|
||||||
|
Name: "default-prov",
|
||||||
|
},
|
||||||
|
&provisioner.ACME{
|
||||||
|
Type: "ACME",
|
||||||
|
Name: "acme",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(step.Path(), "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/with-acme-and-double-provisioner-name": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "acme"
|
||||||
|
pki.options.enableACME = true
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: false,
|
||||||
|
Provisioners: provisioner.List{
|
||||||
|
&provisioner.JWK{
|
||||||
|
Type: "JWK",
|
||||||
|
Name: "acme",
|
||||||
|
},
|
||||||
|
&provisioner.ACME{
|
||||||
|
Type: "ACME",
|
||||||
|
Name: "acme-1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(step.Path(), "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/with-ssh": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "default-prov"
|
||||||
|
pki.options.enableSSH = true
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: false,
|
||||||
|
Provisioners: provisioner.List{
|
||||||
|
&provisioner.JWK{
|
||||||
|
Type: "JWK",
|
||||||
|
Name: "default-prov",
|
||||||
|
},
|
||||||
|
&provisioner.SSHPOP{
|
||||||
|
Type: "SSHPOP",
|
||||||
|
Name: "sshpop",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(step.Path(), "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/with-ssh-and-double-provisioner-name": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "sshpop"
|
||||||
|
pki.options.enableSSH = true
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: false,
|
||||||
|
Provisioners: provisioner.List{
|
||||||
|
&provisioner.JWK{
|
||||||
|
Type: "JWK",
|
||||||
|
Name: "sshpop",
|
||||||
|
},
|
||||||
|
&provisioner.SSHPOP{
|
||||||
|
Type: "SSHPOP",
|
||||||
|
Name: "sshpop-1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(step.Path(), "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"ok/with-admin": func(t *testing.T) test {
|
||||||
|
pki := preparePKI(t)
|
||||||
|
pki.options.deploymentType = StandaloneDeployment
|
||||||
|
pki.options.provisioner = "default-prov"
|
||||||
|
pki.options.enableAdmin = true
|
||||||
|
tempDir := t.TempDir()
|
||||||
|
return test{
|
||||||
|
pki: pki,
|
||||||
|
args: args{
|
||||||
|
[]ConfigOption{withDBDataSource(t, filepath.Join(tempDir, "db"))},
|
||||||
|
},
|
||||||
|
want: &authconfig.Config{
|
||||||
|
Address: "127.0.0.1:9000",
|
||||||
|
InsecureAddress: "",
|
||||||
|
DNSNames: []string{"127.0.0.1"},
|
||||||
|
AuthorityConfig: &authconfig.AuthConfig{
|
||||||
|
DeploymentType: "", // TODO(hs): (why is) this is not set to standalone?
|
||||||
|
EnableAdmin: true,
|
||||||
|
Provisioners: provisioner.List{}, // when admin is enabled, provisioner list is expected to be empty
|
||||||
|
},
|
||||||
|
DB: &db.Config{
|
||||||
|
Type: "badgerv2",
|
||||||
|
DataSource: filepath.Join(tempDir, "db"),
|
||||||
|
},
|
||||||
|
},
|
||||||
|
wantErr: false,
|
||||||
|
}
|
||||||
|
},
|
||||||
|
}
|
||||||
|
for name, run := range tests {
|
||||||
|
tc := run(t)
|
||||||
|
t.Run(name, func(t *testing.T) {
|
||||||
|
got, err := tc.pki.GenerateConfig(tc.args.opt...)
|
||||||
|
if tc.wantErr {
|
||||||
|
assert.NotNil(t, err)
|
||||||
|
assert.Nil(t, got)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
assert.Nil(t, err)
|
||||||
|
if assert.NotNil(t, got) {
|
||||||
|
assert.Equal(t, tc.want.Address, got.Address)
|
||||||
|
assert.Equal(t, tc.want.InsecureAddress, got.InsecureAddress)
|
||||||
|
assert.Equal(t, tc.want.DNSNames, got.DNSNames)
|
||||||
|
assert.Equal(t, tc.want.DB, got.DB)
|
||||||
|
if assert.NotNil(t, tc.want.AuthorityConfig) {
|
||||||
|
assert.Equal(t, tc.want.AuthorityConfig.DeploymentType, got.AuthorityConfig.DeploymentType)
|
||||||
|
assert.Equal(t, tc.want.AuthorityConfig.EnableAdmin, got.AuthorityConfig.EnableAdmin)
|
||||||
|
if numberOfProvisioners := len(tc.want.AuthorityConfig.Provisioners); numberOfProvisioners > 0 {
|
||||||
|
if assert.Len(t, got.AuthorityConfig.Provisioners, numberOfProvisioners) {
|
||||||
|
for i, p := range tc.want.AuthorityConfig.Provisioners {
|
||||||
|
assert.Equal(t, p.GetType(), got.AuthorityConfig.Provisioners[i].GetType())
|
||||||
|
assert.Equal(t, p.GetName(), got.AuthorityConfig.Provisioners[i].GetName())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if tc.want.AuthorityConfig.EnableAdmin {
|
||||||
|
_db, err := db.New(tc.want.DB)
|
||||||
|
require.NoError(t, err)
|
||||||
|
defer _db.Shutdown()
|
||||||
|
|
||||||
|
adminDB, err := admindb.New(_db.(nosql.DB), admin.DefaultAuthorityID)
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
provs, err := adminDB.GetProvisioners(context.Background())
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
assert.NotEmpty(t, provs) // currently about the best we can do in terms of checks
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
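Review bot: The provisioner list is only compared when the expected list is non-empty (`if numberOfProvisioners := len(tc.want.AuthorityConfig.Provisioners); numberOfProvisioners > 0`), so the `ok/with-admin` case, whose comment says the list is expected to be empty, never checks `got.AuthorityConfig.Provisioners` at all; dropping the guard and asserting `assert.Len(t, got.AuthorityConfig.Provisioners, len(tc.want.AuthorityConfig.Provisioners))` unconditionally before the loop makes that expectation real. No table entry sets `wantErr: true`, so the error branch at the top of the subtest is dead in this table; either add a failing case or trim the branch. The `DeploymentType: ""` TODO repeated in every case pins behavior the author already doubts; a short comment on why `StandaloneDeployment` is not expected to propagate, or a fix, would stop the test from locking it in.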
@ -0,0 +1,82 @@
|
|||||||
|
# Helm template
|
||||||
|
inject:
|
||||||
|
enabled: true
|
||||||
|
# Config contains the configuration files ca.json and defaults.json
|
||||||
|
config:
|
||||||
|
files:
|
||||||
|
ca.json:
|
||||||
|
root: /home/step/certs/root_ca.crt
|
||||||
|
federateRoots: []
|
||||||
|
crt: /home/step/certs/intermediate_ca.crt
|
||||||
|
key: /home/step/secrets/intermediate_ca_key
|
||||||
|
address: 127.0.0.1:9000
|
||||||
|
dnsNames:
|
||||||
|
- 127.0.0.1
|
||||||
|
logger:
|
||||||
|
format: json
|
||||||
|
db:
|
||||||
|
type: badgerv2
|
||||||
|
dataSource: /home/step/db
|
||||||
|
authority:
|
||||||
|
enableAdmin: false
|
||||||
|
provisioners:
|
||||||
|
- {"type":"JWK","name":"acme","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","options":{"x509":{},"ssh":{}}}
|
||||||
|
- {"type":"ACME","name":"acme-1"}
|
||||||
|
tls:
|
||||||
|
cipherSuites:
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
minVersion: 1.2
|
||||||
|
maxVersion: 1.3
|
||||||
|
renegotiation: false
|
||||||
|
|
||||||
|
defaults.json:
|
||||||
|
ca-url: https://127.0.0.1
|
||||||
|
ca-config: /home/step/config/ca.json
|
||||||
|
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||||
|
root: /home/step/certs/root_ca.crt
|
||||||
|
|
||||||
|
# Certificates contains the root and intermediate certificate and
|
||||||
|
# optionally the SSH host and user public keys
|
||||||
|
certificates:
|
||||||
|
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||||
|
intermediate_ca: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||||
|
dGVz
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
|
||||||
|
# root_ca contains the text of the root CA Certificate
|
||||||
|
root_ca: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
|
||||||
|
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||||
|
# private keys
|
||||||
|
secrets:
|
||||||
|
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||||
|
# This value must be base64 encoded.
|
||||||
|
ca_password:
|
||||||
|
provisioner_password:
|
||||||
|
|
||||||
|
x509:
|
||||||
|
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||||
|
intermediate_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||||
|
ZXM=
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
||||||
|
|
||||||
|
# root_ca_key contains the contents of your encrypted root CA key
|
||||||
|
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||||
|
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||||
|
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||||
|
root_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
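Review bot: `defaults.json` sets `ca-url: https://127.0.0.1` while `ca.json` binds `address: 127.0.0.1:9000`, so a client honouring this defaults file would contact port 443 rather than the CA listener; if this fixture is the expected output of the config generator, confirm the generator really drops the port rather than this being a transcription slip. The fixture also carries `-----BEGIN EC PRIVATE KEY-----` PEM blocks and a JWE in the JWK provisioner's `encryptedKey`; the PEM bodies decode to placeholder text, but the headers are exactly what secret scanners key on, so a leading comment such as `# Test fixture: every certificate, key and encryptedKey below is a non-functional placeholder.` would save future triage. It is not evident from the file whether the `encryptedKey` JWE is likewise synthetic; if it wraps a real provisioner key, the password protecting it must be treated as test-only and never reused elsewhere.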
@ -0,0 +1,104 @@
|
|||||||
|
# Helm template
|
||||||
|
inject:
|
||||||
|
enabled: true
|
||||||
|
# Config contains the configuration files ca.json and defaults.json
|
||||||
|
config:
|
||||||
|
files:
|
||||||
|
ca.json:
|
||||||
|
root: /home/step/certs/root_ca.crt
|
||||||
|
federateRoots: []
|
||||||
|
crt: /home/step/certs/intermediate_ca.crt
|
||||||
|
key: /home/step/secrets/intermediate_ca_key
|
||||||
|
ssh:
|
||||||
|
hostKey: /home/step/secrets/ssh_host_ca_key
|
||||||
|
userKey: /home/step/secrets/ssh_user_ca_key
|
||||||
|
address: 127.0.0.1:9000
|
||||||
|
dnsNames:
|
||||||
|
- 127.0.0.1
|
||||||
|
logger:
|
||||||
|
format: json
|
||||||
|
db:
|
||||||
|
type: badgerv2
|
||||||
|
dataSource: /home/step/db
|
||||||
|
authority:
|
||||||
|
enableAdmin: false
|
||||||
|
provisioners:
|
||||||
|
- {"type":"JWK","name":"sshpop","key":{"use":"sig","kty":"EC","kid":"zsUmysmDVoGJ71YoPHyZ-68tNihDaDaO5Mu7xX3M-_I","crv":"P-256","alg":"ES256","x":"Pqnua4CzqKz6ua41J3yeWZ1sRkGt0UlCkbHv8H2DGuY","y":"UhoZ_2ItDen9KQTcjay-ph-SBXH0mwqhHyvrrqIFDOI"},"encryptedKey":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiZjVvdGVRS2hvOXl4MmQtSGlMZi05QSJ9.eYA6tt3fNuUpoxKWDT7P0Lbn2juxhEbTxEnwEMbjlYLLQ3sxL-dYTA.ven-FhmdjlC9itH0.a2jRTarN9vPd6F_mWnNBlOn6KbfMjCApmci2t65XbAsLzYFzhI_79Ykm5ueMYTupWLTjBJctl-g51ZHmsSB55pStbpoyyLNAsUX2E1fTmHe-Ni8bRrspwLv15FoN1Xo1g0mpR-ufWIFxOsW-QIfnMmMIIkygVuHFXmg2tFpzTNNG5aS29K3dN2nyk0WJrdIq79hZSTqVkkBU25Yu3A46sgjcM86XcIJJ2XUEih_KWEa6T1YrkixGu96pebjVqbO0R6dbDckfPF7FqNnwPHVtb1ACFpEYoOJVIbUCMaARBpWsxYhjJZlEM__XA46l8snFQDkNY3CdN0p1_gF3ckA.JLmq9nmu1h9oUi1S8ZxYjA","claims":{"enableSSHCA":true,"disableRenewal":false,"allowRenewalAfterExpiry":false,"disableSmallstepExtensions":false},"options":{"x509":{},"ssh":{}}}
|
||||||
|
- {"type":"SSHPOP","name":"sshpop-1","claims":{"enableSSHCA":true}}
|
||||||
|
tls:
|
||||||
|
cipherSuites:
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||||
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
||||||
|
minVersion: 1.2
|
||||||
|
maxVersion: 1.3
|
||||||
|
renegotiation: false
|
||||||
|
|
||||||
|
defaults.json:
|
||||||
|
ca-url: https://127.0.0.1
|
||||||
|
ca-config: /home/step/config/ca.json
|
||||||
|
fingerprint: e543cad8e9f6417076bb5aed3471c588152118aac1e0ca7984a43ee7f76da5e3
|
||||||
|
root: /home/step/certs/root_ca.crt
|
||||||
|
|
||||||
|
# Certificates contains the root and intermediate certificate and
|
||||||
|
# optionally the SSH host and user public keys
|
||||||
|
certificates:
|
||||||
|
# intermediate_ca contains the text of the intermediate CA Certificate
|
||||||
|
intermediate_ca: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBjZXJ0IGJ5
|
||||||
|
dGVz
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
|
||||||
|
# root_ca contains the text of the root CA Certificate
|
||||||
|
root_ca: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0EgY2VydCBieXRlcw==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
|
# ssh_host_ca contains the text of the public ssh key for the SSH root CA
|
||||||
|
ssh_host_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ0IdS5sZm6KITBMZLEJD6b5ROVraYHcAOr3feFel8r1Wp4DRPR1oU0W00J/zjNBRBbANlJoYN4x/8WNNVZ49Ms=
|
||||||
|
|
||||||
|
# ssh_user_ca contains the text of the public ssh key for the SSH root CA
|
||||||
|
ssh_user_ca: ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEWA1qUxaGwVNErsvEOGe2d6TvLMF+aiVpuOiIEvpMJ3JeJmecLQctjWqeIbpSvy6/gRa7c82Ge5rLlapYmOChs=
|
||||||
|
|
||||||
|
# Secrets contains the root and intermediate keys and optionally the SSH
|
||||||
|
# private keys
|
||||||
|
secrets:
|
||||||
|
# ca_password contains the password used to encrypt x509.intermediate_ca_key, ssh.host_ca_key and ssh.user_ca_key
|
||||||
|
# This value must be base64 encoded.
|
||||||
|
ca_password:
|
||||||
|
provisioner_password:
|
||||||
|
|
||||||
|
x509:
|
||||||
|
# intermediate_ca_key contains the contents of your encrypted intermediate CA key
|
||||||
|
intermediate_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIGludGVybWVkaWF0ZSBDQSBrZXkgYnl0
|
||||||
|
ZXM=
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
||||||
|
|
||||||
|
# root_ca_key contains the contents of your encrypted root CA key
|
||||||
|
# Note that this value can be omitted without impacting the functionality of step-certificates
|
||||||
|
# If supplied, this should be encrypted using a unique password that is not used for encrypting
|
||||||
|
# the intermediate_ca_key, ssh.host_ca_key or ssh.user_ca_key.
|
||||||
|
root_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
dGhlc2UgYXJlIGp1c3Qgc29tZSBmYWtlIHJvb3QgQ0Ega2V5IGJ5dGVz
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
||||||
|
ssh:
|
||||||
|
# ssh_host_ca_key contains the contents of your encrypted SSH Host CA key
|
||||||
|
host_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
ZmFrZSBzc2ggaG9zdCBrZXkgYnl0ZXM=
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
||||||
|
|
||||||
|
# ssh_user_ca_key contains the contents of your encrypted SSH User CA key
|
||||||
|
user_ca_key: |
|
||||||
|
-----BEGIN EC PRIVATE KEY-----
|
||||||
|
ZmFrZSBzc2ggdXNlciBrZXkgYnl0ZXM=
|
||||||
|
-----END EC PRIVATE KEY-----
|
||||||
|
|
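Review bot: The comment on `ssh_user_ca` reads `# ssh_user_ca contains the text of the public ssh key for the SSH root CA`, a copy of the `ssh_host_ca` comment, and neither key is a root; suggest `# ssh_host_ca contains the public key of the SSH Host CA` and `# ssh_user_ca contains the public key of the SSH User CA`. Under `secrets.ssh` the comments name `ssh_host_ca_key` and `ssh_user_ca_key` while the actual fields are `host_ca_key` and `user_ca_key`; aligning the comments with the field names avoids misleading anyone hand-editing chart values. `provisioner_password` has no comment, unlike `ca_password`; a line such as `# provisioner_password decrypts the JWK provisioner's encryptedKey (base64 encoded, if the same rule as ca_password applies)` would document it, since the file itself does not state its encoding.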
@ -0,0 +1,73 @@
|
|||||||
|
package scep
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/smallstep/pkcs7"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"go.step.sm/crypto/keyutil"
|
||||||
|
"go.step.sm/crypto/minica"
|
||||||
|
"go.step.sm/crypto/randutil"
|
||||||
|
)
|
||||||
|
|
||||||
|
func generateContent(t *testing.T, size int) []byte {
|
||||||
|
t.Helper()
|
||||||
|
b, err := randutil.Bytes(size)
|
||||||
|
require.NoError(t, err)
|
||||||
|
return b
|
||||||
|
}
|
||||||
|
|
||||||
|
func generateRecipients(t *testing.T) []*x509.Certificate {
|
||||||
|
ca, err := minica.New()
|
||||||
|
require.NoError(t, err)
|
||||||
|
s, err := keyutil.GenerateSigner("RSA", "", 2048)
|
||||||
|
require.NoError(t, err)
|
||||||
|
tmpl := &x509.Certificate{
|
||||||
|
PublicKey: s.Public(),
|
||||||
|
Subject: pkix.Name{CommonName: "Test PKCS#7 Encryption"},
|
||||||
|
}
|
||||||
|
cert, err := ca.Sign(tmpl)
|
||||||
|
require.NoError(t, err)
|
||||||
|
return []*x509.Certificate{cert}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestAuthority_encrypt(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
a := &Authority{}
|
||||||
|
recipients := generateRecipients(t)
|
||||||
|
type args struct {
|
||||||
|
content []byte
|
||||||
|
recipients []*x509.Certificate
|
||||||
|
algorithm int
|
||||||
|
}
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
args args
|
||||||
|
wantErr bool
|
||||||
|
}{
|
||||||
|
{"alg-0", args{generateContent(t, 32), recipients, pkcs7.EncryptionAlgorithmDESCBC}, false},
|
||||||
|
{"alg-1", args{generateContent(t, 32), recipients, pkcs7.EncryptionAlgorithmAES128CBC}, false},
|
||||||
|
{"alg-2", args{generateContent(t, 32), recipients, pkcs7.EncryptionAlgorithmAES256CBC}, false},
|
||||||
|
{"alg-3", args{generateContent(t, 32), recipients, pkcs7.EncryptionAlgorithmAES128GCM}, false},
|
||||||
|
{"alg-4", args{generateContent(t, 32), recipients, pkcs7.EncryptionAlgorithmAES256GCM}, false},
|
||||||
|
{"alg-unknown", args{generateContent(t, 32), recipients, 42}, true},
|
||||||
|
}
|
||||||
|
for _, tt := range tests {
|
||||||
|
tc := tt
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
t.Parallel()
|
||||||
|
got, err := a.encrypt(tc.args.content, tc.args.recipients, tc.args.algorithm)
|
||||||
|
if tc.wantErr {
|
||||||
|
assert.Error(t, err)
|
||||||
|
assert.Nil(t, got)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
assert.NoError(t, err)
|
||||||
|
assert.NotEmpty(t, got)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
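Review bot: The success cases `alg-0` through `alg-4` only assert `assert.NotEmpty(t, got)`, so a regression that emits a well-formed but undecryptable envelope, or silently ignores the requested `algorithm`, would still pass; returning the RSA signer from `generateRecipients` and decrypting `got` with it would pin the actual contract, assuming the library's `Decrypt` handles every listed algorithm. `alg-0` also pins `pkcs7.EncryptionAlgorithmDESCBC` as an accepted choice with no explanation; DES-CBC is obsolete, and if it is retained for legacy SCEP client interoperability the case deserves a comment such as `// DES-CBC is weak but still required by legacy SCEP clients; keep until per-client negotiation exists` so a later hardening pass does not flip it to `wantErr: true` by accident — and if it is not intentional it should be rejected now. `Authority.encrypt` itself is outside this hunk.

```go
func generateRecipients(t *testing.T) ([]*x509.Certificate, crypto.Signer) {
	// … unchanged: minica and RSA signer setup …
	return []*x509.Certificate{cert}, s
}

	recipients, key := generateRecipients(t)
	// … unchanged: table setup …
			p7, err := pkcs7.Parse(got)
			require.NoError(t, err)
			plain, err := p7.Decrypt(recipients[0], key)
			require.NoError(t, err)
			assert.Equal(t, tc.args.content, plain)
```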
@ -1,29 +0,0 @@
|
|||||||
package scep
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"errors"
|
|
||||||
)
|
|
||||||
|
|
||||||
// ContextKey is the key type for storing and searching for SCEP request
|
|
||||||
// essentials in the context of a request.
|
|
||||||
type ContextKey string
|
|
||||||
|
|
||||||
const (
|
|
||||||
// ProvisionerContextKey provisioner key
|
|
||||||
ProvisionerContextKey = ContextKey("provisioner")
|
|
||||||
)
|
|
||||||
|
|
||||||
// provisionerFromContext searches the context for a SCEP provisioner.
|
|
||||||
// Returns the provisioner or an error.
|
|
||||||
func provisionerFromContext(ctx context.Context) (Provisioner, error) {
|
|
||||||
val := ctx.Value(ProvisionerContextKey)
|
|
||||||
if val == nil {
|
|
||||||
return nil, errors.New("provisioner expected in request context")
|
|
||||||
}
|
|
||||||
p, ok := val.(Provisioner)
|
|
||||||
if !ok || p == nil {
|
|
||||||
return nil, errors.New("provisioner in context is not a SCEP provisioner")
|
|
||||||
}
|
|
||||||
return p, nil
|
|
||||||
}
|
|
@ -1,7 +0,0 @@
|
|||||||
package scep
|
|
||||||
|
|
||||||
import "crypto/x509"
|
|
||||||
|
|
||||||
type DB interface {
|
|
||||||
StoreCertificate(crt *x509.Certificate) error
|
|
||||||
}
|
|
@ -1,28 +0,0 @@
|
|||||||
package scep
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"crypto"
|
|
||||||
"crypto/x509"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Service is a wrapper for crypto.Signer and crypto.Decrypter
|
|
||||||
type Service struct {
|
|
||||||
certificateChain []*x509.Certificate
|
|
||||||
signer crypto.Signer
|
|
||||||
decrypter crypto.Decrypter
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewService returns a new Service type.
|
|
||||||
func NewService(_ context.Context, opts Options) (*Service, error) {
|
|
||||||
if err := opts.Validate(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// TODO: should this become similar to the New CertificateAuthorityService as in x509CAService?
|
|
||||||
return &Service{
|
|
||||||
certificateChain: opts.CertificateChain,
|
|
||||||
signer: opts.Signer,
|
|
||||||
decrypter: opts.Decrypter,
|
|
||||||
}, nil
|
|
||||||
}
|
|