open-consul/tlsutil/generate_test.go

package tlsutil

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"io"
	"net"
	"testing"
	"time"

	"strings"

	"github.com/stretchr/testify/require"
)

func TestSerialNumber(t *testing.T) {
	n1, err := GenerateSerialNumber()
	require.Nil(t, err)

	n2, err := GenerateSerialNumber()
	require.Nil(t, err)
	require.NotEqual(t, n1, n2)

	n3, err := GenerateSerialNumber()
	require.Nil(t, err)
	require.NotEqual(t, n1, n3)
	require.NotEqual(t, n2, n3)

}

func TestGeneratePrivateKey(t *testing.T) {
	t.Parallel()
	_, p, err := GeneratePrivateKey()
	require.Nil(t, err)
	require.NotEmpty(t, p)
	require.Contains(t, p, "BEGIN EC PRIVATE KEY")
	require.Contains(t, p, "END EC PRIVATE KEY")

	block, _ := pem.Decode([]byte(p))
	pk, err := x509.ParseECPrivateKey(block.Bytes)

	require.Nil(t, err)
	require.NotNil(t, pk)
	require.Equal(t, 256, pk.Params().BitSize)
}

type TestSigner struct {
	public interface{}
}

func (s *TestSigner) Public() crypto.PublicKey {
	return s.public
}

func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return []byte{}, nil
}

func TestGenerateCA(t *testing.T) {
	t.Parallel()
	ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
	require.Error(t, err)
	require.Empty(t, ca)
	require.Empty(t, pk)

	// test what happens with wrong key
	ca, pk, err = GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
	require.Error(t, err)
	require.Empty(t, ca)
	require.Empty(t, pk)

	// test what happens with correct key
	ca, pk, err = GenerateCA(CAOpts{})
	require.Nil(t, err)
	require.NotEmpty(t, ca)
	require.NotEmpty(t, pk)

	cert, err := parseCert(ca)
	require.Nil(t, err)
	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
	require.Equal(t, true, cert.IsCA)
	require.Equal(t, true, cert.BasicConstraintsValid)

	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)

	// Test what happens with a correct RSA Key
	s, err := rsa.GenerateKey(rand.Reader, 2048)
	require.Nil(t, err)
	ca, _, err = GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})
	require.NoError(t, err)
	require.NotEmpty(t, ca)

	cert, err = parseCert(ca)
	require.NoError(t, err)
	require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
	require.Equal(t, true, cert.IsCA)
	require.Equal(t, true, cert.BasicConstraintsValid)

	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

	require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
}

func TestGenerateCert(t *testing.T) {
	t.Parallel()
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.Nil(t, err)
	ca, _, err := GenerateCA(CAOpts{Signer: signer})
	require.Nil(t, err)

	DNSNames := []string{"server.dc1.consul"}
	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	name := "Cert Name"
	certificate, pk, err := GenerateCert(CertOpts{
		Signer: signer, CA: ca, Name: name, Days: 365,
		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
	})
	require.Nil(t, err)
	require.NotEmpty(t, certificate)
	require.NotEmpty(t, pk)

	cert, err := parseCert(certificate)
	require.Nil(t, err)
	require.Equal(t, name, cert.Subject.CommonName)
	require.Equal(t, true, cert.BasicConstraintsValid)
	signee, err := ParseSigner(pk)
	require.Nil(t, err)
	certID, err := keyID(signee.Public())
	require.Nil(t, err)
	require.Equal(t, certID, cert.SubjectKeyId)
	caID, err := keyID(signer.Public())
	require.Nil(t, err)
	require.Equal(t, caID, cert.AuthorityKeyId)
	require.Contains(t, cert.Issuer.CommonName, "Consul Agent CA")
	require.Equal(t, false, cert.IsCA)

	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

	require.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
	require.Equal(t, extKeyUsage, cert.ExtKeyUsage)

	// https://github.com/golang/go/blob/10538a8f9e2e718a47633ac5a6e90415a2c3f5f1/src/crypto/x509/verify.go#L414
	require.Equal(t, DNSNames, cert.DNSNames)
	require.True(t, IPAddresses[0].Equal(cert.IPAddresses[0]))
}
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`package tlsutil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"io"`
			`"net"`
			`"testing"`
			`"time"`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`"strings"`
Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes. 2021-02-05 18:32:08 +00:00
			`"github.com/stretchr/testify/require"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`)`

			`func TestSerialNumber(t *testing.T) {`
			`n1, err := GenerateSerialNumber()`
			`require.Nil(t, err)`

			`n2, err := GenerateSerialNumber()`
			`require.Nil(t, err)`
			`require.NotEqual(t, n1, n2)`

			`n3, err := GenerateSerialNumber()`
			`require.Nil(t, err)`
			`require.NotEqual(t, n1, n3)`
			`require.NotEqual(t, n2, n3)`

			`}`

			`func TestGeneratePrivateKey(t *testing.T) {`
			`t.Parallel()`
			`_, p, err := GeneratePrivateKey()`
			`require.Nil(t, err)`
			`require.NotEmpty(t, p)`
			`require.Contains(t, p, "BEGIN EC PRIVATE KEY")`
			`require.Contains(t, p, "END EC PRIVATE KEY")`

			`block, _ := pem.Decode([]byte(p))`
			`pk, err := x509.ParseECPrivateKey(block.Bytes)`

			`require.Nil(t, err)`
			`require.NotNil(t, pk)`
			`require.Equal(t, 256, pk.Params().BitSize)`
			`}`

			`type TestSigner struct {`
			`public interface{}`
			`}`

			`func (s *TestSigner) Public() crypto.PublicKey {`
			`return s.public`
			`}`

			`func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {`
			`return []byte{}, nil`
			`}`

			`func TestGenerateCA(t *testing.T) {`
			`t.Parallel()`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Error(t, err)`
			`require.Empty(t, ca)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`require.Empty(t, pk)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`// test what happens with wrong key`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`ca, pk, err = GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Error(t, err)`
			`require.Empty(t, ca)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`require.Empty(t, pk)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`// test what happens with correct key`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`ca, pk, err = GenerateCA(CAOpts{})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Nil(t, err)`
			`require.NotEmpty(t, ca)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`require.NotEmpty(t, pk)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`cert, err := parseCert(ca)`
			`require.Nil(t, err)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Equal(t, true, cert.IsCA)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`

tests: switch to WithinDuration to improve test (#6860) * Switch to WithinDuration to improve test This test was flaky before because of the time logic. Now it uses WithinDuration and should be correct. Fixes https://github.com/hashicorp/consul/issues/6857. 2019-12-13 16:42:42 +00:00			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`require.Equal(t, x509.KeyUsageCertSign\|x509.KeyUsageCRLSign\|x509.KeyUsageDigitalSignature, cert.KeyUsage)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00
			`// Test what happens with a correct RSA Key`
Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes. 2021-02-05 18:32:08 +00:00			`s, err := rsa.GenerateKey(rand.Reader, 2048)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00			`require.Nil(t, err)`
Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes. 2021-02-05 18:32:08 +00:00			`ca, _, err = GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})`
			`require.NoError(t, err)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00			`require.NotEmpty(t, ca)`

			`cert, err = parseCert(ca)`
Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes. 2021-02-05 18:32:08 +00:00			`require.NoError(t, err)`
			`require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00			`require.Equal(t, true, cert.IsCA)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`

			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`

			`require.Equal(t, x509.KeyUsageCertSign\|x509.KeyUsageCRLSign\|x509.KeyUsageDigitalSignature, cert.KeyUsage)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`func TestGenerateCert(t *testing.T) {`
			`t.Parallel()`
			`signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.Nil(t, err)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`ca, _, err := GenerateCA(CAOpts{Signer: signer})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Nil(t, err)`

			`DNSNames := []string{"server.dc1.consul"}`
			`IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}`
			`extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}`
			`name := "Cert Name"`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`certificate, pk, err := GenerateCert(CertOpts{`
			`Signer: signer, CA: ca, Name: name, Days: 365,`
			`DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,`
			`})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Nil(t, err)`
			`require.NotEmpty(t, certificate)`
			`require.NotEmpty(t, pk)`

			`cert, err := parseCert(certificate)`
			`require.Nil(t, err)`
			`require.Equal(t, name, cert.Subject.CommonName)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`
			`signee, err := ParseSigner(pk)`
			`require.Nil(t, err)`
			`certID, err := keyID(signee.Public())`
			`require.Nil(t, err)`
			`require.Equal(t, certID, cert.SubjectKeyId)`
			`caID, err := keyID(signer.Public())`
			`require.Nil(t, err)`
			`require.Equal(t, caID, cert.AuthorityKeyId)`
			`require.Contains(t, cert.Issuer.CommonName, "Consul Agent CA")`
			`require.Equal(t, false, cert.IsCA)`

tests: switch to WithinDuration to improve test (#6860) * Switch to WithinDuration to improve test This test was flaky before because of the time logic. Now it uses WithinDuration and should be correct. Fixes https://github.com/hashicorp/consul/issues/6857. 2019-12-13 16:42:42 +00:00			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`require.Equal(t, x509.KeyUsageDigitalSignature\|x509.KeyUsageKeyEncipherment, cert.KeyUsage)`
			`require.Equal(t, extKeyUsage, cert.ExtKeyUsage)`

			`// https://github.com/golang/go/blob/10538a8f9e2e718a47633ac5a6e90415a2c3f5f1/src/crypto/x509/verify.go#L414`
			`require.Equal(t, DNSNames, cert.DNSNames)`
			`require.True(t, IPAddresses[0].Equal(cert.IPAddresses[0]))`
			`}`