@ -15,7 +15,6 @@ import (
"fmt"
"net/http"
"reflect"
"strings"
"testing"
"time"
@ -25,11 +24,11 @@ import (
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/x509util"
sassert "github.com/smallstep/assert"
"github.com/smallstep/certificates/api/render"
"github.com/smallstep/certificates/authority/config"
"github.com/smallstep/certificates/authority/policy"
"github.com/smallstep/certificates/authority/provisioner"
"github.com/smallstep/certificates/cas/apiv1"
"github.com/smallstep/certificates/cas/softcas"
"github.com/smallstep/certificates/db"
"github.com/smallstep/certificates/errs"
@ -224,15 +223,6 @@ func generateSubjectKeyID(pub crypto.PublicKey) ([]byte, error) {
return hash [ : ] , nil
}
func assertHasPrefix ( t * testing . T , s , p string ) bool {
if strings . HasPrefix ( s , p ) {
return true
}
t . Helper ( )
t . Errorf ( "%q is not a prefix of %q" , p , s )
return false
}
type basicConstraints struct {
IsCA bool ` asn1:"optional" `
MaxPathLen int ` asn1:"optional,default:-1" `
@ -428,7 +418,7 @@ ZYtQ9Ot36qc=
require . NoError ( t , err )
testAuthority . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
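Review bot: The `sassert.Equals` check on `crt.Subject.CommonName` sits inside the `MStoreCertificate` mock, so it only runs if the code under test actually stores the certificate. Nothing visible in this hunk fails the test when the callback is never invoked. If the rest of the test does not already cover that, record the call, for example `stored = true` in the callback and `assert.True(t, stored)` after the signing call. The same pattern recurs in the other `MStoreCertificate` hunks of this file (-457 through -795). The enclosing test-case function starts and ends outside the hunk.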
@ -457,7 +447,7 @@ ZYtQ9Ot36qc=
require . NoError ( t , err )
testAuthority . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -486,7 +476,7 @@ ZYtQ9Ot36qc=
require . NoError ( t , err )
testAuthority . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -504,7 +494,7 @@ ZYtQ9Ot36qc=
aa := testAuthority ( t )
aa . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -529,7 +519,7 @@ ZYtQ9Ot36qc=
} ) )
aa . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -549,7 +539,7 @@ ZYtQ9Ot36qc=
aa . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
fmt . Println ( crt . Subject )
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
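Review bot: `fmt.Println(crt.Subject)` in this callback is leftover debug output that the rewrite keeps, and it writes to stdout on every run. Drop it, or use `t.Log(crt.Subject)` so the output is tied to the test and shown only on failure or in verbose mode. The enclosing test-case function starts outside the hunk.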
@ -610,7 +600,7 @@ ZYtQ9Ot36qc=
_a := testAuthority ( t )
_a . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -644,7 +634,7 @@ ZYtQ9Ot36qc=
_a := testAuthority ( t )
_a . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -678,7 +668,7 @@ ZYtQ9Ot36qc=
require . NoError ( t , err )
testAuthority . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -712,7 +702,7 @@ ZYtQ9Ot36qc=
require . NoError ( t , err )
testAuthority . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -749,7 +739,7 @@ ZYtQ9Ot36qc=
_a . config . AuthorityConfig . Template = & ASN1DN { }
_a . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , pkix. Name { } , crt . Subject )
s assert. Equal s ( t , crt. Subject , pkix. Name { } )
return nil
} ,
}
@ -774,8 +764,8 @@ ZYtQ9Ot36qc=
aa . config . AuthorityConfig . Template = a . config . AuthorityConfig . Template
aa . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , "smallstep test" , crt . Subject . CommonName )
assert. Equal ( t , [ ] string { "http://ca.example.org/leaf.crl" } , crt . CRLDistributionPoints )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
s assert. Equal s ( t , crt . CRLDistributionPoints , [ ] string { "http://ca.example.org/leaf.crl" } )
return nil
} ,
}
@ -795,7 +785,7 @@ ZYtQ9Ot36qc=
aa . config . AuthorityConfig . Template = a . config . AuthorityConfig . Template
aa . db = & db . MockAuthDB {
MStoreCertificate : func ( crt * x509 . Certificate ) error {
assert. Equal ( t , crt . Subject . CommonName , "smallstep test" )
s assert. Equal s ( t , crt . Subject . CommonName , "smallstep test" )
return nil
} ,
}
@ -828,13 +818,13 @@ ZYtQ9Ot36qc=
MStoreCertificateChain : func ( prov provisioner . Interface , certs ... * x509 . Certificate ) error {
p , ok := prov . ( attProvisioner )
if assert . True ( t , ok ) {
assert. Equal ( t , & provisioner . AttestationData {
s assert. Equal s ( t , & provisioner . AttestationData {
PermanentIdentifier : "1234567890" ,
} , p . AttestationData ( ) )
}
if assert . Len ( t , certs , 2 ) {
assert. Equal ( t , "smallstep test" , certs [ 0 ] . Subject . CommonName )
assert. Equal ( t , "smallstep Intermediate CA" , certs [ 1 ] . Subject . CommonName )
s assert. Equal s ( t , certs [ 0 ] . Subject . CommonName , "smallstep test" )
s assert. Equal s ( t , certs [ 1 ] . Subject . CommonName , "smallstep Intermediate CA" )
}
return nil
} ,
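Review bot: The rewritten `AttestationData` check passes the expected literal first and `p.AttestationData()` second, while the two `certs[...]` checks just below pass the observed value first, as do the other rewritten calls in this file. Use one order so failure output reads the same everywhere: `sassert.Equals(t, p.AttestationData(), &provisioner.AttestationData{PermanentIdentifier: "1234567890"})`. The callback also now mixes testify (`assert.True`, `assert.Len`) with `sassert` in the same block, which is worth a short comment at the `sassert` import if both libraries are meant to stay. The enclosing test case starts outside the hunk.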
@ -863,45 +853,46 @@ ZYtQ9Ot36qc=
if assert . NotNil ( t , tc . err , fmt . Sprintf ( "unexpected error: %s" , err ) ) {
assert . Nil ( t , certChain )
var sc render . StatusCodedError
require. True ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
assert. Equal ( t , tc. code , sc. StatusCode ( ) )
assert HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
sassert. Fatal ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
s assert. Equal s ( t , sc. StatusCode ( ) , tc . code )
sassert . HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
var ctxErr * errs . Error
require. True ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
assert. Equal ( t , tc . csr , ctxErr . Details [ "csr" ] )
assert. Equal ( t , tc . signOpts , ctxErr . Details [ "signOptions" ] )
sassert. Fatal ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
s assert. Equal s ( t , ctxErr . Details [ "csr" ] , tc . csr )
s assert. Equal s ( t , ctxErr . Details [ "signOptions" ] , tc . signOpts )
}
} else {
leaf := certChain [ 0 ]
intermediate := certChain [ 1 ]
if assert . Nil ( t , tc . err ) {
assert. Equal ( t , tc . notBefore , leaf . N otBefore)
assert. Equal ( t , tc . notAfter , leaf . N otAfter)
sassert. Equals ( t , leaf . NotBefore , tc . n otBefore)
sassert. Equals ( t , leaf . NotAfter , tc . n otAfter)
tmplt := a . config . AuthorityConfig . Template
if tc . csr . Subject . CommonName == "" {
assert. Equal ( t , pkix. Name { } , leaf . Subject )
s assert. Equal s ( t , leaf. Subject , pkix. Name { } )
} else {
assert . Equal ( t , pkix . Name {
Country : [ ] string { tmplt . Country } ,
Organization : [ ] string { tmplt . Organization } ,
Locality : [ ] string { tmplt . Locality } ,
StreetAddress : [ ] string { tmplt . StreetAddress } ,
Province : [ ] string { tmplt . Province } ,
CommonName : "smallstep test" ,
} . String ( ) , leaf . Subject . String ( ) )
assert . Equal ( t , [ ] string { "test.smallstep.com" } , leaf . DNSNames )
sassert . Equals ( t , leaf . Subject . String ( ) ,
pkix . Name {
Country : [ ] string { tmplt . Country } ,
Organization : [ ] string { tmplt . Organization } ,
Locality : [ ] string { tmplt . Locality } ,
StreetAddress : [ ] string { tmplt . StreetAddress } ,
Province : [ ] string { tmplt . Province } ,
CommonName : "smallstep test" ,
} . String ( ) )
sassert . Equals ( t , leaf . DNSNames , [ ] string { "test.smallstep.com" } )
}
assert. Equal ( t , intermediate . Subject , leaf . Issuer )
assert. Equal ( t , x509. ECDSAWithSHA256 , leaf. SignatureAlgorithm )
assert. Equal ( t , x509. ECDSA , leaf. PublicKeyAlgorithm )
assert. Equal ( t , [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } , leaf . ExtKeyUsage )
sassert. Equals ( t , leaf . Issuer , intermediate . Subject )
s assert. Equal s ( t , leaf. SignatureAlgorithm , x509 . ECDSAWithSHA256 )
s assert. Equal s ( t , leaf. PublicKeyAlgorithm , x509 . ECDSA )
s assert. Equal s ( t , leaf . ExtKeyUsage , [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } )
issuer := getDefaultIssuer ( a )
subjectKeyID , err := generateSubjectKeyID ( pub )
require . NoError ( t , err )
assert. Equal ( t , subjectKeyID , leaf . SubjectKeyId )
assert. Equal ( t , issuer . SubjectKeyId , leaf . Authority KeyId)
sassert. Equals ( t , leaf . SubjectKeyId , subjectKeyID )
sassert. Equals ( t , leaf . AuthorityKeyId , issuer . Subject KeyId)
// Verify Provisioner OID
found := 0
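Review bot: `leaf := certChain[0]` and `intermediate := certChain[1]` index the chain before anything checks its length. A signing call that returns no error with fewer than two certificates would therefore panic the test binary instead of failing this case. Add `require.Len(t, certChain, 2)` at the top of the `else` branch. The same indexing appears in the `TestAuthority_Renew` and `TestAuthority_Rekey` hunks (-1079 and -1283). The test function starts and ends outside this hunk.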
@ -912,9 +903,9 @@ ZYtQ9Ot36qc=
val := stepProvisionerASN1 { }
_ , err := asn1 . Unmarshal ( ext . Value , & val )
require . NoError ( t , err )
assert. Equal ( t , provisionerTypeJWK, val . Type )
assert. Equal ( t , [ ] byte ( p . Name ) , val . Name )
assert. Equal ( t , [ ] byte ( p . Key . KeyID ) , val . CredentialID )
s assert. Equal s ( t , val. Type , provisionerTypeJWK)
s assert. Equal s ( t , val . Name , [ ] byte ( p . Name ) )
s assert. Equal s ( t , val . CredentialID , [ ] byte ( p . Key . KeyID ) )
// Basic Constraints
case ext . Id . Equal ( asn1 . ObjectIdentifier ( [ ] int { 2 , 5 , 29 , 19 } ) ) :
@ -922,7 +913,7 @@ ZYtQ9Ot36qc=
_ , err := asn1 . Unmarshal ( ext . Value , & val )
require . NoError ( t , err )
assert . False ( t , val . IsCA , false )
assert. Equal ( t , val . MaxPathLen , 0 )
s assert. Equal s ( t , val . MaxPathLen , 0 )
// SAN extension
case ext . Id . Equal ( asn1 . ObjectIdentifier ( [ ] int { 2 , 5 , 29 , 17 } ) ) :
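Review bot: `assert.False(t, val.IsCA, false)` passes a stray `false` as testify's message argument. It has no effect on the check and reads as if it were an expected value. Write `assert.False(t, val.IsCA)`. The `switch` this case belongs to starts and ends outside the hunk.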
@ -933,10 +924,10 @@ ZYtQ9Ot36qc=
}
}
}
assert. Equal ( t , found , 1 )
s assert. Equal s ( t , found , 1 )
realIntermediate , err := x509 . ParseCertificate ( issuer . Raw )
require . NoError ( t , err )
assert. Equal ( t , realIntermediate , i ntermediate)
sassert. Equals ( t , intermediate , realI ntermediate)
assert . Len ( t , leaf . Extensions , tc . extensionsCount )
}
}
@ -1079,19 +1070,19 @@ func TestAuthority_Renew(t *testing.T) {
if assert . NotNil ( t , tc . err , fmt . Sprintf ( "unexpected error: %s" , err ) ) {
assert . Nil ( t , certChain )
var sc render . StatusCodedError
require. True ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
assert. Equal ( t , tc. code , sc. StatusCode ( ) )
assert HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
sassert. Fatal ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
s assert. Equal s ( t , sc. StatusCode ( ) , tc . code )
sassert . HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
var ctxErr * errs . Error
require. True ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
assert. Equal ( t , tc . cert . SerialNumber . String ( ) , ctxErr . Details [ "serialNumber" ] )
sassert. Fatal ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
sassert. Equals ( t , ctxErr . Details [ "serialNumber" ] , tc . cert . SerialNumber . String ( ) )
}
} else {
leaf := certChain [ 0 ]
intermediate := certChain [ 1 ]
if assert . Nil ( t , tc . err ) {
assert. Equal ( t , tc . cert . NotAfter . Sub ( cert . NotBefore ) , leaf . NotAfter . Sub ( leaf . NotBefore ) )
sassert. Equals ( t , leaf . NotAfter . Sub ( leaf . NotBefore ) , tc . cert . NotAfter . Sub ( cert . NotBefore ) )
assert . True ( t , leaf . NotBefore . After ( now . Add ( - 2 * time . Minute ) ) )
assert . True ( t , leaf . NotBefore . Before ( now . Add ( time . Minute ) ) )
@ -1101,29 +1092,30 @@ func TestAuthority_Renew(t *testing.T) {
assert . True ( t , leaf . NotAfter . Before ( expiry . Add ( time . Hour ) ) )
tmplt := a . config . AuthorityConfig . Template
assert . Equal ( t , tc . cert . RawSubject , leaf . RawSubject )
assert . Equal ( t , [ ] string { tmplt . Country } , leaf . Subject . Country )
assert . Equal ( t , [ ] string { tmplt . Organization } , leaf . Subject . Organization )
assert . Equal ( t , [ ] string { tmplt . Locality } , leaf . Subject . Locality )
assert . Equal ( t , [ ] string { tmplt . StreetAddress } , leaf . Subject . StreetAddress )
assert . Equal ( t , [ ] string { tmplt . Province } , leaf . Subject . Province )
assert . Equal ( t , tmplt . CommonName , leaf . Subject . CommonName )
assert . Equal ( t , intermediate . Subject , leaf . Issuer )
assert . Equal ( t , x509 . ECDSAWithSHA256 , leaf . SignatureAlgorithm )
assert . Equal ( t , x509 . ECDSA , leaf . PublicKeyAlgorithm )
assert . Equal ( t , [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } , leaf . ExtKeyUsage )
assert . Equal ( t , [ ] string { "test.smallstep.com" , "test" } , leaf . DNSNames )
sassert . Equals ( t , leaf . RawSubject , tc . cert . RawSubject )
sassert . Equals ( t , leaf . Subject . Country , [ ] string { tmplt . Country } )
sassert . Equals ( t , leaf . Subject . Organization , [ ] string { tmplt . Organization } )
sassert . Equals ( t , leaf . Subject . Locality , [ ] string { tmplt . Locality } )
sassert . Equals ( t , leaf . Subject . StreetAddress , [ ] string { tmplt . StreetAddress } )
sassert . Equals ( t , leaf . Subject . Province , [ ] string { tmplt . Province } )
sassert . Equals ( t , leaf . Subject . CommonName , tmplt . CommonName )
sassert . Equals ( t , leaf . Issuer , intermediate . Subject )
sassert . Equals ( t , leaf . SignatureAlgorithm , x509 . ECDSAWithSHA256 )
sassert . Equals ( t , leaf . PublicKeyAlgorithm , x509 . ECDSA )
sassert . Equals ( t , leaf . ExtKeyUsage ,
[ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } )
sassert . Equals ( t , leaf . DNSNames , [ ] string { "test.smallstep.com" , "test" } )
subjectKeyID , err := generateSubjectKeyID ( leaf . PublicKey )
require . NoError ( t , err )
assert. Equal ( t , subjectKeyID , leaf . SubjectKeyId )
sassert. Equals ( t , leaf . SubjectKeyId , subjectKeyID )
// We did not change the intermediate before renewing.
authIssuer := getDefaultIssuer ( tc . auth )
if issuer . SerialNumber == authIssuer . SerialNumber {
assert. Equal ( t , issuer . SubjectKeyId , leaf . Authority KeyId)
sassert. Equals ( t , leaf . AuthorityKeyId , issuer . Subject KeyId)
// Compare extensions: they can be in a different order
for _ , ext1 := range tc . cert . Extensions {
//skip SubjectKeyIdentifier
@ -1143,7 +1135,7 @@ func TestAuthority_Renew(t *testing.T) {
}
} else {
// We did change the intermediate before renewing.
assert. Equal ( t , authIssuer . SubjectKeyId , leaf . Authority KeyId)
sassert. Equals ( t , leaf . AuthorityKeyId , authIssuer . Subject KeyId)
// Compare extensions: they can be in a different order
for _ , ext1 := range tc . cert . Extensions {
//skip SubjectKeyIdentifier
@ -1172,7 +1164,7 @@ func TestAuthority_Renew(t *testing.T) {
realIntermediate , err := x509 . ParseCertificate ( authIssuer . Raw )
require . NoError ( t , err )
assert. Equal ( t , realIntermediate , i ntermediate)
sassert. Equals ( t , intermediate , realI ntermediate)
}
}
} )
@ -1283,19 +1275,19 @@ func TestAuthority_Rekey(t *testing.T) {
if assert . NotNil ( t , tc . err , fmt . Sprintf ( "unexpected error: %s" , err ) ) {
assert . Nil ( t , certChain )
var sc render . StatusCodedError
require. True ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
assert. Equal ( t , tc. code , sc. StatusCode ( ) )
assert HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
sassert. Fatal ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
s assert. Equal s ( t , sc. StatusCode ( ) , tc . code )
sassert . HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
var ctxErr * errs . Error
require. True ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
assert. Equal ( t , tc . cert . SerialNumber . String ( ) , ctxErr . Details [ "serialNumber" ] )
sassert. Fatal ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
sassert. Equals ( t , ctxErr . Details [ "serialNumber" ] , tc . cert . SerialNumber . String ( ) )
}
} else {
leaf := certChain [ 0 ]
intermediate := certChain [ 1 ]
if assert . Nil ( t , tc . err ) {
assert. Equal ( t , tc . cert . NotAfter . Sub ( cert . NotBefore ) , leaf . NotAfter . Sub ( leaf . NotBefore ) )
sassert. Equals ( t , leaf . NotAfter . Sub ( leaf . NotBefore ) , tc . cert . NotAfter . Sub ( cert . NotBefore ) )
assert . True ( t , leaf . NotBefore . After ( now . Add ( - 2 * time . Minute ) ) )
assert . True ( t , leaf . NotBefore . Before ( now . Add ( time . Minute ) ) )
@ -1305,39 +1297,41 @@ func TestAuthority_Rekey(t *testing.T) {
assert . True ( t , leaf . NotAfter . Before ( expiry . Add ( time . Hour ) ) )
tmplt := a . config . AuthorityConfig . Template
assert . Equal ( t , pkix . Name {
Country : [ ] string { tmplt . Country } ,
Organization : [ ] string { tmplt . Organization } ,
Locality : [ ] string { tmplt . Locality } ,
StreetAddress : [ ] string { tmplt . StreetAddress } ,
Province : [ ] string { tmplt . Province } ,
CommonName : tmplt . CommonName ,
} . String ( ) , leaf . Subject . String ( ) )
assert . Equal ( t , intermediate . Subject , leaf . Issuer )
assert . Equal ( t , x509 . ECDSAWithSHA256 , leaf . SignatureAlgorithm )
assert . Equal ( t , x509 . ECDSA , leaf . PublicKeyAlgorithm )
assert . Equal ( t , [ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } , leaf . ExtKeyUsage )
assert . Equal ( t , [ ] string { "test.smallstep.com" , "test" } , leaf . DNSNames )
sassert . Equals ( t , leaf . Subject . String ( ) ,
pkix . Name {
Country : [ ] string { tmplt . Country } ,
Organization : [ ] string { tmplt . Organization } ,
Locality : [ ] string { tmplt . Locality } ,
StreetAddress : [ ] string { tmplt . StreetAddress } ,
Province : [ ] string { tmplt . Province } ,
CommonName : tmplt . CommonName ,
} . String ( ) )
sassert . Equals ( t , leaf . Issuer , intermediate . Subject )
sassert . Equals ( t , leaf . SignatureAlgorithm , x509 . ECDSAWithSHA256 )
sassert . Equals ( t , leaf . PublicKeyAlgorithm , x509 . ECDSA )
sassert . Equals ( t , leaf . ExtKeyUsage ,
[ ] x509 . ExtKeyUsage { x509 . ExtKeyUsageServerAuth , x509 . ExtKeyUsageClientAuth } )
sassert . Equals ( t , leaf . DNSNames , [ ] string { "test.smallstep.com" , "test" } )
// Test Public Key and SubjectKeyId
expectedPK := tc . pk
if tc . pk == nil {
expectedPK = cert . PublicKey
}
assert. Equal ( t , expectedPK, leaf. PublicKey )
s assert. Equal s ( t , leaf. PublicKey , expectedPK )
subjectKeyID , err := generateSubjectKeyID ( expectedPK )
require . NoError ( t , err )
assert. Equal ( t , subjectKeyID , leaf . SubjectKeyId )
sassert. Equals ( t , leaf . SubjectKeyId , subjectKeyID )
if tc . pk == nil {
assert. Equal ( t , cert . SubjectKeyId , leaf . SubjectKeyId )
sassert. Equals ( t , leaf . SubjectKeyId , cert . SubjectKeyId )
}
// We did not change the intermediate before renewing.
authIssuer := getDefaultIssuer ( tc . auth )
if issuer . SerialNumber == authIssuer . SerialNumber {
assert. Equal ( t , issuer . SubjectKeyId , leaf . Authority KeyId)
sassert. Equals ( t , leaf . AuthorityKeyId , issuer . Subject KeyId)
// Compare extensions: they can be in a different order
for _ , ext1 := range tc . cert . Extensions {
//skip SubjectKeyIdentifier
@ -1357,7 +1351,7 @@ func TestAuthority_Rekey(t *testing.T) {
}
} else {
// We did change the intermediate before renewing.
assert. Equal ( t , authIssuer . SubjectKeyId , leaf . Authority KeyId)
sassert. Equals ( t , leaf . AuthorityKeyId , authIssuer . Subject KeyId)
// Compare extensions: they can be in a different order
for _ , ext1 := range tc . cert . Extensions {
//skip SubjectKeyIdentifier
@ -1386,7 +1380,7 @@ func TestAuthority_Rekey(t *testing.T) {
realIntermediate , err := x509 . ParseCertificate ( authIssuer . Raw )
require . NoError ( t , err )
assert. Equal ( t , realIntermediate , i ntermediate)
sassert. Equals ( t , intermediate , realI ntermediate)
}
}
} )
@ -1424,7 +1418,7 @@ func TestAuthority_GetTLSOptions(t *testing.T) {
require . NoError ( t , err )
opts := tc . auth . GetTLSOptions ( )
assert. Equal ( t , tc. opts, opts )
s assert. Equal s ( t , opts, tc . opts )
} )
}
}
@ -1494,9 +1488,9 @@ func TestAuthority_Revoke(t *testing.T) {
err : errors . New ( "authority.Revoke; no persistence layer configured" ) ,
code : http . StatusNotImplemented ,
checkErrDetails : func ( err * errs . Error ) {
assert. Equal ( t , raw , err . Details [ "token" ] )
assert. Equal ( t , "44" , err . Details [ "tokenID" ] )
assert. Equal ( t , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" , err . Details [ "provisionerID" ] )
s assert. Equal s ( t , err . Details [ "token" ] , raw )
s assert. Equal s ( t , err . Details [ "tokenID" ] , "44" )
s assert. Equal s ( t , err . Details [ "provisionerID" ] , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" )
} ,
}
} ,
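Review bot: This `checkErrDetails` closure is repeated verbatim in the hunks at -1534 and -1574, including the long provisioner ID literal, so any change to the expected details has to be made three times. Hoisting the ID into one test constant and the three assertions into a small helper that takes the expected token would remove the duplication. If `raw` is the complete token, these checks also pin that it is copied into the error's `Details`. A one-line comment saying where those details may be rendered (server-side log only, or also the response) would help a later reader. The test-case literal starts outside the hunk.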
@ -1534,9 +1528,9 @@ func TestAuthority_Revoke(t *testing.T) {
err : errors . New ( "authority.Revoke: force" ) ,
code : http . StatusInternalServerError ,
checkErrDetails : func ( err * errs . Error ) {
assert. Equal ( t , raw , err . Details [ "token" ] )
assert. Equal ( t , "44" , err . Details [ "tokenID" ] )
assert. Equal ( t , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" , err . Details [ "provisionerID" ] )
s assert. Equal s ( t , err . Details [ "token" ] , raw )
s assert. Equal s ( t , err . Details [ "tokenID" ] , "44" )
s assert. Equal s ( t , err . Details [ "provisionerID" ] , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" )
} ,
}
} ,
@ -1574,9 +1568,9 @@ func TestAuthority_Revoke(t *testing.T) {
err : errors . New ( "certificate with serial number 'sn' is already revoked" ) ,
code : http . StatusBadRequest ,
checkErrDetails : func ( err * errs . Error ) {
assert. Equal ( t , raw , err . Details [ "token" ] )
assert. Equal ( t , "44" , err . Details [ "tokenID" ] )
assert. Equal ( t , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" , err . Details [ "provisionerID" ] )
s assert. Equal s ( t , err . Details [ "token" ] , raw )
s assert. Equal s ( t , err . Details [ "tokenID" ] , "44" )
s assert. Equal s ( t , err . Details [ "provisionerID" ] , "step-cli:4UELJx8e0aS9m0CH3fZ0EB7D5aUPICb759zALHFejvc" )
} ,
}
} ,
@ -1710,17 +1704,17 @@ func TestAuthority_Revoke(t *testing.T) {
if err := tc . auth . Revoke ( tc . ctx , tc . opts ) ; err != nil {
if assert . NotNil ( t , tc . err , fmt . Sprintf ( "unexpected error: %s" , err ) ) {
var sc render . StatusCodedError
require. True ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
assert. Equal ( t , tc. code , sc. StatusCode ( ) )
assert HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
sassert. Fatal ( t , errors . As ( err , & sc ) , "error does not implement StatusCodedError interface" )
s assert. Equal s ( t , sc. StatusCode ( ) , tc . code )
sassert . HasPrefix( t , err . Error ( ) , tc . err . Error ( ) )
var ctxErr * errs . Error
require. True ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
assert. Equal ( t , tc. opts . Serial , ctxErr. Details [ "serialNumber" ] )
assert. Equal ( t , tc . opts . ReasonCode , ctxErr . Details [ "reasonCode" ] )
assert. Equal ( t , tc . opts . Reason , ctxErr . Details [ "reason" ] )
assert. Equal ( t , tc . opts . MTLS , ctxErr . Details [ "MTLS" ] )
assert. Equal ( t , provisioner. RevokeMethod . String ( ) , ctxErr . Details [ "context" ] )
sassert. Fatal ( t , errors . As ( err , & ctxErr ) , "error is not of type *errs.Error" )
s assert. Equal s ( t , ctxErr. Details [ "serialNumber" ] , tc . opts . Serial )
sassert. Equals ( t , ctxErr . Details [ "reasonCode" ] , tc . opts . ReasonCode )
sassert. Equals ( t , ctxErr . Details [ "reason" ] , tc . opts . Reason )
sassert. Equals ( t , ctxErr . Details [ "MTLS" ] , tc . opts . MTLS )
s assert. Equal s ( t , ctxErr. Details [ "context" ] , provisioner. RevokeMethod . String ( ) )
if tc . checkErrDetails != nil {
tc . checkErrDetails ( ctxErr )
@ -1958,39 +1952,3 @@ func TestAuthority_CRL(t *testing.T) {
} )
}
}
type notImplementedCAS struct { }
func ( notImplementedCAS ) CreateCertificate ( req * apiv1 . CreateCertificateRequest ) ( * apiv1 . CreateCertificateResponse , error ) {
return nil , apiv1 . NotImplementedError { }
}
func ( notImplementedCAS ) RenewCertificate ( req * apiv1 . RenewCertificateRequest ) ( * apiv1 . RenewCertificateResponse , error ) {
return nil , apiv1 . NotImplementedError { }
}
func ( notImplementedCAS ) RevokeCertificate ( req * apiv1 . RevokeCertificateRequest ) ( * apiv1 . RevokeCertificateResponse , error ) {
return nil , apiv1 . NotImplementedError { }
}
func TestAuthority_GetX509Signer ( t * testing . T ) {
auth := testAuthority ( t )
require . IsType ( t , & softcas . SoftCAS { } , auth . x509CAService )
signer := auth . x509CAService . ( * softcas . SoftCAS ) . Signer
require . NotNil ( t , signer )
tests := [ ] struct {
name string
authority * Authority
want crypto . Signer
assertion assert . ErrorAssertionFunc
} {
{ "ok" , auth , signer , assert . NoError } ,
{ "fail" , testAuthority ( t , WithX509CAService ( notImplementedCAS { } ) ) , nil , assert . Error } ,
}
for _ , tt := range tests {
t . Run ( tt . name , func ( t * testing . T ) {
got , err := tt . authority . GetX509Signer ( )
tt . assertion ( t , err )
assert . Equal ( t , tt . want , got )
} )
}
}