2015-06-19 20:06:56 +00:00
package certutil
import (
"bytes"
2018-02-20 03:46:17 +00:00
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
2015-06-19 20:06:56 +00:00
"encoding/json"
2018-02-20 03:46:17 +00:00
"encoding/pem"
2015-06-19 20:06:56 +00:00
"fmt"
2018-02-20 03:46:17 +00:00
"math/big"
mathrand "math/rand"
2016-09-28 00:50:17 +00:00
"reflect"
2018-03-18 20:00:51 +00:00
"strings"
2018-02-20 03:46:17 +00:00
"sync"
2015-06-19 20:06:56 +00:00
"testing"
2018-02-20 03:46:17 +00:00
"time"
2015-06-19 20:06:56 +00:00
"github.com/fatih/structs"
"github.com/hashicorp/vault/api"
)
// Tests converting back and forth between a CertBundle and a ParsedCertBundle.
//
2016-09-16 15:05:43 +00:00
// Also tests the GetSubjKeyID, GetHexFormatted, and
2015-06-19 20:06:56 +00:00
// ParsedCertBundle.getSigner functions.
func TestCertBundleConversion ( t * testing . T ) {
cbuts := [ ] * CertBundle {
refreshRSACertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshRSACertBundleWithChain ( ) ,
2015-12-09 20:41:32 +00:00
refreshRSA8CertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshRSA8CertBundleWithChain ( ) ,
2015-06-19 20:06:56 +00:00
refreshECCertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshECCertBundleWithChain ( ) ,
2015-12-09 20:41:32 +00:00
refreshEC8CertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshEC8CertBundleWithChain ( ) ,
2015-06-19 20:06:56 +00:00
}
2015-12-09 20:41:32 +00:00
for i , cbut := range cbuts {
2015-06-19 20:06:56 +00:00
pcbut , err := cbut . ToParsedCertBundle ( )
if err != nil {
2015-12-09 20:41:32 +00:00
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Errorf ( "Error converting to parsed cert bundle: %s" , err )
continue
2015-06-19 20:06:56 +00:00
}
err = compareCertBundleToParsedCertBundle ( cbut , pcbut )
if err != nil {
2015-12-09 20:41:32 +00:00
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Errorf ( err . Error ( ) )
2015-06-19 20:06:56 +00:00
}
2015-11-16 17:45:31 +00:00
cbut , err := pcbut . ToCertBundle ( )
2015-06-19 20:06:56 +00:00
if err != nil {
2015-11-16 17:45:31 +00:00
t . Fatalf ( "Error converting to cert bundle: %s" , err )
2015-06-19 20:06:56 +00:00
}
2015-11-16 17:45:31 +00:00
err = compareCertBundleToParsedCertBundle ( cbut , pcbut )
if err != nil {
t . Fatalf ( err . Error ( ) )
2015-06-19 20:06:56 +00:00
}
}
}
2015-12-11 16:58:49 +00:00
func BenchmarkCertBundleParsing ( b * testing . B ) {
for i := 0 ; i < b . N ; i ++ {
cbuts := [ ] * CertBundle {
refreshRSACertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshRSACertBundleWithChain ( ) ,
2015-12-11 16:58:49 +00:00
refreshRSA8CertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshRSA8CertBundleWithChain ( ) ,
2015-12-11 16:58:49 +00:00
refreshECCertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshECCertBundleWithChain ( ) ,
2015-12-11 16:58:49 +00:00
refreshEC8CertBundle ( ) ,
2016-09-28 00:50:17 +00:00
refreshEC8CertBundleWithChain ( ) ,
2015-12-11 16:58:49 +00:00
}
for i , cbut := range cbuts {
pcbut , err := cbut . ToParsedCertBundle ( )
if err != nil {
b . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
b . Errorf ( "Error converting to parsed cert bundle: %s" , err )
continue
}
cbut , err = pcbut . ToCertBundle ( )
if err != nil {
b . Fatalf ( "Error converting to cert bundle: %s" , err )
}
}
}
}
2015-06-19 20:06:56 +00:00
func TestCertBundleParsing ( t * testing . T ) {
2016-09-28 00:50:17 +00:00
cbuts := [ ] * CertBundle {
refreshRSACertBundle ( ) ,
refreshRSACertBundleWithChain ( ) ,
refreshRSA8CertBundle ( ) ,
refreshRSA8CertBundleWithChain ( ) ,
refreshECCertBundle ( ) ,
refreshECCertBundleWithChain ( ) ,
refreshEC8CertBundle ( ) ,
refreshEC8CertBundleWithChain ( ) ,
2015-06-19 20:06:56 +00:00
}
2016-09-28 00:50:17 +00:00
for i , cbut := range cbuts {
jsonString , err := json . Marshal ( cbut )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( "Error marshaling testing certbundle to JSON: %s" , err )
}
pcbut , err := ParsePKIJSON ( jsonString )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( "Error during JSON bundle handling: %s" , err )
}
err = compareCertBundleToParsedCertBundle ( cbut , pcbut )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( err . Error ( ) )
}
2015-06-19 20:06:56 +00:00
2016-09-28 00:50:17 +00:00
secret := & api . Secret {
Data : structs . New ( cbut ) . Map ( ) ,
}
pcbut , err = ParsePKIMap ( secret . Data )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( "Error during JSON bundle handling: %s" , err )
}
err = compareCertBundleToParsedCertBundle ( cbut , pcbut )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( err . Error ( ) )
}
pcbut , err = ParsePEMBundle ( cbut . ToPEMBundle ( ) )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( "Error during JSON bundle handling: %s" , err )
}
err = compareCertBundleToParsedCertBundle ( cbut , pcbut )
if err != nil {
t . Logf ( "Error occurred with bundle %d in test array (index %d).\n" , i + 1 , i )
t . Fatalf ( err . Error ( ) )
}
2015-06-19 20:06:56 +00:00
}
}
func compareCertBundleToParsedCertBundle ( cbut * CertBundle , pcbut * ParsedCertBundle ) error {
if cbut == nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "got nil bundle" )
2015-06-19 20:06:56 +00:00
}
if pcbut == nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "got nil parsed bundle" )
2015-06-19 20:06:56 +00:00
}
switch {
case pcbut . Certificate == nil :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has nil certificate" )
2015-06-19 20:06:56 +00:00
case pcbut . PrivateKey == nil :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has nil private key" )
2015-06-19 20:06:56 +00:00
}
switch cbut . PrivateKey {
case privRSAKeyPem :
if pcbut . PrivateKeyType != RSAPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong private key type: %v, should be 'rsa' (%v)" , pcbut . PrivateKeyType , RSAPrivateKey )
2015-06-19 20:06:56 +00:00
}
2015-12-09 20:41:32 +00:00
case privRSA8KeyPem :
if pcbut . PrivateKeyType != RSAPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong pkcs8 private key type: %v, should be 'rsa' (%v)" , pcbut . PrivateKeyType , RSAPrivateKey )
2015-12-09 20:41:32 +00:00
}
2015-06-19 20:06:56 +00:00
case privECKeyPem :
if pcbut . PrivateKeyType != ECPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong private key type: %v, should be 'ec' (%v)" , pcbut . PrivateKeyType , ECPrivateKey )
2015-06-19 20:06:56 +00:00
}
2015-12-09 20:41:32 +00:00
case privEC8KeyPem :
if pcbut . PrivateKeyType != ECPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong pkcs8 private key type: %v, should be 'ec' (%v)" , pcbut . PrivateKeyType , ECPrivateKey )
2015-12-09 20:41:32 +00:00
}
2015-06-19 20:06:56 +00:00
default :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has unknown private key type" )
2015-06-19 20:06:56 +00:00
}
subjKeyID , err := GetSubjKeyID ( pcbut . PrivateKey )
if err != nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "error when getting subject key id: %s" , err )
2015-06-19 20:06:56 +00:00
}
if bytes . Compare ( subjKeyID , pcbut . Certificate . SubjectKeyId ) != 0 {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle private key does not match subject key id\nGot\n%#v\nExpected\n%#v\nCert\n%#v" , subjKeyID , pcbut . Certificate . SubjectKeyId , * pcbut . Certificate )
2015-06-19 20:06:56 +00:00
}
2016-09-28 00:50:17 +00:00
switch {
case len ( pcbut . CAChain ) > 0 && len ( cbut . CAChain ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle ca chain has certs when cert bundle does not" )
2016-09-28 00:50:17 +00:00
case len ( pcbut . CAChain ) == 0 && len ( cbut . CAChain ) > 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "cert bundle ca chain has certs when parsed cert bundle does not" )
2016-09-28 00:50:17 +00:00
}
2015-06-19 20:06:56 +00:00
cb , err := pcbut . ToCertBundle ( )
if err != nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "thrown error during parsed bundle conversion: %s\n\nInput was: %#v" , err , * pcbut )
2015-06-19 20:06:56 +00:00
}
switch {
case len ( cb . Certificate ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has nil certificate" )
2015-06-19 20:06:56 +00:00
case len ( cb . PrivateKey ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has nil private key" )
2016-09-28 00:50:17 +00:00
case len ( cb . CAChain [ 0 ] ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has nil issuing CA" )
2015-06-19 20:06:56 +00:00
}
2015-12-11 20:43:14 +00:00
switch pcbut . PrivateKeyType {
case RSAPrivateKey :
2015-12-09 20:41:32 +00:00
if cb . PrivateKey != privRSAKeyPem && cb . PrivateKey != privRSA8KeyPem {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle private key does not match" )
2015-06-19 20:06:56 +00:00
}
2015-12-11 20:43:14 +00:00
case ECPrivateKey :
2015-12-09 20:41:32 +00:00
if cb . PrivateKey != privECKeyPem && cb . PrivateKey != privEC8KeyPem {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle private key does not match" )
2015-06-19 20:06:56 +00:00
}
default :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "certBundle has unknown private key type" )
2015-06-19 20:06:56 +00:00
}
2016-09-16 15:05:43 +00:00
if cb . SerialNumber != GetHexFormatted ( pcbut . Certificate . SerialNumber . Bytes ( ) , ":" ) {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle serial number does not match" )
2015-06-19 20:06:56 +00:00
}
2016-09-28 00:50:17 +00:00
switch {
case len ( pcbut . CAChain ) > 0 && len ( cb . CAChain ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle ca chain has certs when cert bundle does not" )
2016-09-28 00:50:17 +00:00
case len ( pcbut . CAChain ) == 0 && len ( cb . CAChain ) > 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "cert bundle ca chain has certs when parsed cert bundle does not" )
2016-09-28 00:50:17 +00:00
case ! reflect . DeepEqual ( cbut . CAChain , cb . CAChain ) :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "cert bundle ca chain does not match: %#v\n\n%#v" , cbut . CAChain , cb . CAChain )
2016-09-28 00:50:17 +00:00
}
2015-06-19 20:06:56 +00:00
return nil
}
2015-11-16 17:45:31 +00:00
func TestCSRBundleConversion ( t * testing . T ) {
csrbuts := [ ] * CSRBundle {
refreshRSACSRBundle ( ) ,
refreshECCSRBundle ( ) ,
}
for _ , csrbut := range csrbuts {
pcsrbut , err := csrbut . ToParsedCSRBundle ( )
if err != nil {
t . Fatalf ( "Error converting to parsed CSR bundle: %v" , err )
}
err = compareCSRBundleToParsedCSRBundle ( csrbut , pcsrbut )
if err != nil {
t . Fatalf ( err . Error ( ) )
}
csrbut , err = pcsrbut . ToCSRBundle ( )
if err != nil {
t . Fatalf ( "Error converting to CSR bundle: %v" , err )
}
err = compareCSRBundleToParsedCSRBundle ( csrbut , pcsrbut )
if err != nil {
t . Fatalf ( err . Error ( ) )
}
}
}
func compareCSRBundleToParsedCSRBundle ( csrbut * CSRBundle , pcsrbut * ParsedCSRBundle ) error {
if csrbut == nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "got nil bundle" )
2015-11-16 17:45:31 +00:00
}
if pcsrbut == nil {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "got nil parsed bundle" )
2015-11-16 17:45:31 +00:00
}
switch {
case pcsrbut . CSR == nil :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has nil csr" )
2015-11-16 17:45:31 +00:00
case pcsrbut . PrivateKey == nil :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has nil private key" )
2015-11-16 17:45:31 +00:00
}
switch csrbut . PrivateKey {
case privRSAKeyPem :
if pcsrbut . PrivateKeyType != RSAPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong private key type" )
2015-11-16 17:45:31 +00:00
}
case privECKeyPem :
if pcsrbut . PrivateKeyType != ECPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has wrong private key type" )
2015-11-16 17:45:31 +00:00
}
default :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "parsed bundle has unknown private key type" )
2015-11-16 17:45:31 +00:00
}
csrb , err := pcsrbut . ToCSRBundle ( )
if err != nil {
return fmt . Errorf ( "Thrown error during parsed bundle conversion: %s\n\nInput was: %#v" , err , * pcsrbut )
}
switch {
case len ( csrb . CSR ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has nil certificate" )
2015-11-16 17:45:31 +00:00
case len ( csrb . PrivateKey ) == 0 :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has nil private key" )
2015-11-16 17:45:31 +00:00
}
switch csrb . PrivateKeyType {
case "rsa" :
if pcsrbut . PrivateKeyType != RSAPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has wrong private key type" )
2015-11-16 17:45:31 +00:00
}
if csrb . PrivateKey != privRSAKeyPem {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle rsa private key does not match\nGot\n%#v\nExpected\n%#v" , csrb . PrivateKey , privRSAKeyPem )
2015-11-16 17:45:31 +00:00
}
case "ec" :
if pcsrbut . PrivateKeyType != ECPrivateKey {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has wrong private key type" )
2015-11-16 17:45:31 +00:00
}
if csrb . PrivateKey != privECKeyPem {
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle ec private key does not match" )
2015-11-16 17:45:31 +00:00
}
default :
2018-04-09 18:35:21 +00:00
return fmt . Errorf ( "bundle has unknown private key type" )
2015-11-16 17:45:31 +00:00
}
return nil
}
func TestTLSConfig ( t * testing . T ) {
cbut := refreshRSACertBundle ( )
pcbut , err := cbut . ToParsedCertBundle ( )
if err != nil {
t . Fatalf ( "Error getting parsed cert bundle: %s" , err )
}
usages := [ ] TLSUsage {
TLSUnknown ,
TLSClient ,
TLSServer ,
TLSClient | TLSServer ,
}
for _ , usage := range usages {
tlsConfig , err := pcbut . GetTLSConfig ( usage )
if err != nil {
t . Fatalf ( "Error getting tls config: %s" , err )
}
if tlsConfig == nil {
t . Fatalf ( "Got nil tls.Config" )
}
if len ( tlsConfig . Certificates ) != 1 {
t . Fatalf ( "Unexpected length in config.Certificates" )
}
// Length should be 2, since we passed in a CA
if len ( tlsConfig . Certificates [ 0 ] . Certificate ) != 2 {
t . Fatalf ( "Did not find both certificates in config.Certificates.Certificate" )
}
if tlsConfig . Certificates [ 0 ] . Leaf != pcbut . Certificate {
t . Fatalf ( "Leaf certificate does not match parsed bundle's certificate" )
}
if tlsConfig . Certificates [ 0 ] . PrivateKey != pcbut . PrivateKey {
t . Fatalf ( "Config's private key does not match parsed bundle's private key" )
}
switch usage {
case TLSServer | TLSClient :
2016-09-28 00:50:17 +00:00
if len ( tlsConfig . ClientCAs . Subjects ( ) ) != 1 || bytes . Compare ( tlsConfig . ClientCAs . Subjects ( ) [ 0 ] , pcbut . CAChain [ 0 ] . Certificate . RawSubject ) != 0 {
2015-11-16 17:45:31 +00:00
t . Fatalf ( "CA certificate not in client cert pool as expected" )
}
2016-09-28 00:50:17 +00:00
if len ( tlsConfig . RootCAs . Subjects ( ) ) != 1 || bytes . Compare ( tlsConfig . RootCAs . Subjects ( ) [ 0 ] , pcbut . CAChain [ 0 ] . Certificate . RawSubject ) != 0 {
2015-11-16 17:45:31 +00:00
t . Fatalf ( "CA certificate not in root cert pool as expected" )
}
case TLSServer :
2016-09-28 00:50:17 +00:00
if len ( tlsConfig . ClientCAs . Subjects ( ) ) != 1 || bytes . Compare ( tlsConfig . ClientCAs . Subjects ( ) [ 0 ] , pcbut . CAChain [ 0 ] . Certificate . RawSubject ) != 0 {
2015-11-16 17:45:31 +00:00
t . Fatalf ( "CA certificate not in client cert pool as expected" )
}
if tlsConfig . RootCAs != nil {
t . Fatalf ( "Found root pools in config object when not expected" )
}
case TLSClient :
2016-09-28 00:50:17 +00:00
if len ( tlsConfig . RootCAs . Subjects ( ) ) != 1 || bytes . Compare ( tlsConfig . RootCAs . Subjects ( ) [ 0 ] , pcbut . CAChain [ 0 ] . Certificate . RawSubject ) != 0 {
2015-11-16 17:45:31 +00:00
t . Fatalf ( "CA certificate not in root cert pool as expected" )
}
if tlsConfig . ClientCAs != nil {
t . Fatalf ( "Found root pools in config object when not expected" )
}
default :
if tlsConfig . RootCAs != nil || tlsConfig . ClientCAs != nil {
t . Fatalf ( "Found root pools in config object when not expected" )
}
}
}
}
2015-12-09 20:41:32 +00:00
func refreshRSA8CertBundle ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2015-12-09 20:41:32 +00:00
return & CertBundle {
Certificate : certRSAPem ,
PrivateKey : privRSA8KeyPem ,
2016-09-28 00:50:17 +00:00
CAChain : [ ] string { issuingCaChainPem [ 0 ] } ,
2015-12-09 20:41:32 +00:00
}
}
2016-09-28 00:50:17 +00:00
func refreshRSA8CertBundleWithChain ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
ret := refreshRSA8CertBundle ( )
ret . CAChain = issuingCaChainPem
return ret
}
2015-06-19 20:06:56 +00:00
func refreshRSACertBundle ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
return & CertBundle {
2015-06-19 20:06:56 +00:00
Certificate : certRSAPem ,
2016-09-28 00:50:17 +00:00
CAChain : [ ] string { issuingCaChainPem [ 0 ] } ,
PrivateKey : privRSAKeyPem ,
2015-06-19 20:06:56 +00:00
}
2016-09-28 00:50:17 +00:00
}
func refreshRSACertBundleWithChain ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
ret := refreshRSACertBundle ( )
ret . CAChain = issuingCaChainPem
2015-11-19 15:13:28 +00:00
return ret
2015-06-19 20:06:56 +00:00
}
func refreshECCertBundle ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
return & CertBundle {
2015-06-19 20:06:56 +00:00
Certificate : certECPem ,
2016-09-28 00:50:17 +00:00
CAChain : [ ] string { issuingCaChainPem [ 0 ] } ,
PrivateKey : privECKeyPem ,
2015-06-19 20:06:56 +00:00
}
2016-09-28 00:50:17 +00:00
}
func refreshECCertBundleWithChain ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
ret := refreshECCertBundle ( )
ret . CAChain = issuingCaChainPem
2015-11-19 15:13:28 +00:00
return ret
2015-06-19 20:06:56 +00:00
}
2015-11-16 17:45:31 +00:00
func refreshRSACSRBundle ( ) * CSRBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
return & CSRBundle {
CSR : csrRSAPem ,
PrivateKey : privRSAKeyPem ,
2015-11-16 17:45:31 +00:00
}
}
func refreshECCSRBundle ( ) * CSRBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
return & CSRBundle {
CSR : csrECPem ,
PrivateKey : privECKeyPem ,
2015-11-16 17:45:31 +00:00
}
}
2015-12-09 20:41:32 +00:00
func refreshEC8CertBundle ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2015-12-09 20:41:32 +00:00
return & CertBundle {
Certificate : certECPem ,
PrivateKey : privEC8KeyPem ,
2016-09-28 00:50:17 +00:00
CAChain : [ ] string { issuingCaChainPem [ 0 ] } ,
2015-12-09 20:41:32 +00:00
}
}
2016-09-28 00:50:17 +00:00
func refreshEC8CertBundleWithChain ( ) * CertBundle {
2018-02-20 03:46:17 +00:00
initTest . Do ( setCerts )
2016-09-28 00:50:17 +00:00
ret := refreshEC8CertBundle ( )
ret . CAChain = issuingCaChainPem
return ret
}
2018-02-20 03:46:17 +00:00
func setCerts ( ) {
caKey , err := ecdsa . GenerateKey ( elliptic . P256 ( ) , rand . Reader )
if err != nil {
panic ( err )
}
subjKeyID , err := GetSubjKeyID ( caKey )
if err != nil {
panic ( err )
}
caCertTemplate := & x509 . Certificate {
Subject : pkix . Name {
CommonName : "root.localhost" ,
} ,
SubjectKeyId : subjKeyID ,
DNSNames : [ ] string { "root.localhost" } ,
KeyUsage : x509 . KeyUsage ( x509 . KeyUsageCertSign | x509 . KeyUsageCRLSign ) ,
SerialNumber : big . NewInt ( mathrand . Int63 ( ) ) ,
NotBefore : time . Now ( ) . Add ( - 30 * time . Second ) ,
NotAfter : time . Now ( ) . Add ( 262980 * time . Hour ) ,
BasicConstraintsValid : true ,
2018-09-04 16:29:18 +00:00
IsCA : true ,
2018-02-20 03:46:17 +00:00
}
caBytes , err := x509 . CreateCertificate ( rand . Reader , caCertTemplate , caCertTemplate , caKey . Public ( ) , caKey )
if err != nil {
panic ( err )
}
caCert , err := x509 . ParseCertificate ( caBytes )
if err != nil {
panic ( err )
}
caCertPEMBlock := & pem . Block {
Type : "CERTIFICATE" ,
Bytes : caBytes ,
}
2018-03-18 20:00:51 +00:00
caCertPEM := strings . TrimSpace ( string ( pem . EncodeToMemory ( caCertPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
intKey , err := ecdsa . GenerateKey ( elliptic . P256 ( ) , rand . Reader )
if err != nil {
panic ( err )
}
subjKeyID , err = GetSubjKeyID ( intKey )
if err != nil {
panic ( err )
}
intCertTemplate := & x509 . Certificate {
Subject : pkix . Name {
CommonName : "int.localhost" ,
} ,
SubjectKeyId : subjKeyID ,
DNSNames : [ ] string { "int.localhost" } ,
KeyUsage : x509 . KeyUsage ( x509 . KeyUsageCertSign | x509 . KeyUsageCRLSign ) ,
SerialNumber : big . NewInt ( mathrand . Int63 ( ) ) ,
NotBefore : time . Now ( ) . Add ( - 30 * time . Second ) ,
NotAfter : time . Now ( ) . Add ( 262980 * time . Hour ) ,
BasicConstraintsValid : true ,
2018-09-04 16:29:18 +00:00
IsCA : true ,
2018-02-20 03:46:17 +00:00
}
intBytes , err := x509 . CreateCertificate ( rand . Reader , intCertTemplate , caCert , intKey . Public ( ) , caKey )
if err != nil {
panic ( err )
}
intCert , err := x509 . ParseCertificate ( intBytes )
if err != nil {
panic ( err )
}
intCertPEMBlock := & pem . Block {
Type : "CERTIFICATE" ,
Bytes : intBytes ,
}
2018-03-18 20:00:51 +00:00
intCertPEM := strings . TrimSpace ( string ( pem . EncodeToMemory ( intCertPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
// EC generation
{
key , err := ecdsa . GenerateKey ( elliptic . P256 ( ) , rand . Reader )
if err != nil {
panic ( err )
}
subjKeyID , err := GetSubjKeyID ( key )
if err != nil {
panic ( err )
}
certTemplate := & x509 . Certificate {
Subject : pkix . Name {
CommonName : "localhost" ,
} ,
SubjectKeyId : subjKeyID ,
DNSNames : [ ] string { "localhost" } ,
ExtKeyUsage : [ ] x509 . ExtKeyUsage {
x509 . ExtKeyUsageServerAuth ,
x509 . ExtKeyUsageClientAuth ,
} ,
KeyUsage : x509 . KeyUsageDigitalSignature | x509 . KeyUsageKeyEncipherment | x509 . KeyUsageKeyAgreement ,
SerialNumber : big . NewInt ( mathrand . Int63 ( ) ) ,
NotBefore : time . Now ( ) . Add ( - 30 * time . Second ) ,
NotAfter : time . Now ( ) . Add ( 262980 * time . Hour ) ,
}
csrTemplate := & x509 . CertificateRequest {
Subject : pkix . Name {
CommonName : "localhost" ,
} ,
DNSNames : [ ] string { "localhost" } ,
}
csrBytes , err := x509 . CreateCertificateRequest ( rand . Reader , csrTemplate , key )
if err != nil {
panic ( err )
}
csrPEMBlock := & pem . Block {
Type : "CERTIFICATE REQUEST" ,
Bytes : csrBytes ,
}
2018-03-18 20:00:51 +00:00
csrECPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( csrPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
certBytes , err := x509 . CreateCertificate ( rand . Reader , certTemplate , intCert , key . Public ( ) , intKey )
if err != nil {
panic ( err )
}
certPEMBlock := & pem . Block {
Type : "CERTIFICATE" ,
Bytes : certBytes ,
}
2018-03-18 20:00:51 +00:00
certECPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( certPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
marshaledKey , err := x509 . MarshalECPrivateKey ( key )
if err != nil {
panic ( err )
}
keyPEMBlock := & pem . Block {
Type : "EC PRIVATE KEY" ,
Bytes : marshaledKey ,
}
2018-03-18 20:00:51 +00:00
privECKeyPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( keyPEMBlock ) ) )
2018-03-29 21:40:42 +00:00
marshaledKey , err = x509 . MarshalPKCS8PrivateKey ( key )
2018-02-20 03:46:17 +00:00
if err != nil {
panic ( err )
}
keyPEMBlock = & pem . Block {
Type : "PRIVATE KEY" ,
Bytes : marshaledKey ,
}
2018-03-18 20:00:51 +00:00
privEC8KeyPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( keyPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
}
// RSA generation
{
key , err := rsa . GenerateKey ( rand . Reader , 2048 )
if err != nil {
panic ( err )
}
subjKeyID , err := GetSubjKeyID ( key )
if err != nil {
panic ( err )
}
certTemplate := & x509 . Certificate {
Subject : pkix . Name {
CommonName : "localhost" ,
} ,
SubjectKeyId : subjKeyID ,
DNSNames : [ ] string { "localhost" } ,
ExtKeyUsage : [ ] x509 . ExtKeyUsage {
x509 . ExtKeyUsageServerAuth ,
x509 . ExtKeyUsageClientAuth ,
} ,
KeyUsage : x509 . KeyUsageDigitalSignature | x509 . KeyUsageKeyEncipherment | x509 . KeyUsageKeyAgreement ,
SerialNumber : big . NewInt ( mathrand . Int63 ( ) ) ,
NotBefore : time . Now ( ) . Add ( - 30 * time . Second ) ,
NotAfter : time . Now ( ) . Add ( 262980 * time . Hour ) ,
}
csrTemplate := & x509 . CertificateRequest {
Subject : pkix . Name {
CommonName : "localhost" ,
} ,
DNSNames : [ ] string { "localhost" } ,
}
csrBytes , err := x509 . CreateCertificateRequest ( rand . Reader , csrTemplate , key )
if err != nil {
panic ( err )
}
csrPEMBlock := & pem . Block {
Type : "CERTIFICATE REQUEST" ,
Bytes : csrBytes ,
}
2018-03-18 20:00:51 +00:00
csrRSAPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( csrPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
certBytes , err := x509 . CreateCertificate ( rand . Reader , certTemplate , intCert , key . Public ( ) , intKey )
if err != nil {
panic ( err )
}
certPEMBlock := & pem . Block {
Type : "CERTIFICATE" ,
Bytes : certBytes ,
}
2018-03-18 20:00:51 +00:00
certRSAPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( certPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
marshaledKey := x509 . MarshalPKCS1PrivateKey ( key )
keyPEMBlock := & pem . Block {
Type : "RSA PRIVATE KEY" ,
Bytes : marshaledKey ,
}
2018-03-18 20:00:51 +00:00
privRSAKeyPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( keyPEMBlock ) ) )
2018-03-29 21:40:42 +00:00
marshaledKey , err = x509 . MarshalPKCS8PrivateKey ( key )
2018-02-20 03:46:17 +00:00
if err != nil {
panic ( err )
}
keyPEMBlock = & pem . Block {
Type : "PRIVATE KEY" ,
Bytes : marshaledKey ,
}
2018-03-18 20:00:51 +00:00
privRSA8KeyPem = strings . TrimSpace ( string ( pem . EncodeToMemory ( keyPEMBlock ) ) )
2018-02-20 03:46:17 +00:00
}
issuingCaChainPem = [ ] string { intCertPEM , caCertPEM }
}
2016-09-28 00:50:17 +00:00
var (
2018-02-20 03:46:17 +00:00
initTest sync . Once
privRSA8KeyPem string
privRSAKeyPem string
csrRSAPem string
certRSAPem string
privECKeyPem string
csrECPem string
privEC8KeyPem string
certECPem string
issuingCaChainPem [ ] string
2015-06-19 20:06:56 +00:00
)