Fix PKI tests by generating on-demand
This commit is contained in:
Jeff Mitchell
parent
aa9fc736c7
commit
0f26cb9b8d
2
Makefile
2
Makefile
|
|
@ -11,7 +11,7 @@ EXTERNAL_TOOLS=\
|
|||
BUILD_TAGS?=vault
|
||||
GOFMT_FILES?=$$(find . -name '*.go' | grep -v vendor)
|
||||
|
||||
GO_VERSION_MIN=1.9.1
|
||||
GO_VERSION_MIN=1.10
|
||||
|
||||
default: dev
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ Developing Vault
|
|||
--------------------
|
||||
|
||||
If you wish to work on Vault itself or any of its built-in systems, you'll
|
||||
first need [Go](https://www.golang.org) installed on your machine (version 1.9+
|
||||
first need [Go](https://www.golang.org) installed on your machine (version 1.10+
|
||||
is *required*).
|
||||
|
||||
For local dev first make sure Go is properly installed, including setting up a
|
||||
|
|
|
|||
|
|
@ -21,6 +21,7 @@ import (
|
|||
"reflect"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
|
|
@ -136,6 +137,7 @@ func TestPKI_RequireCN(t *testing.T) {
|
|||
// Performs basic tests on CA functionality
|
||||
// Uses the RSA CA key
|
||||
func TestBackend_RSAKey(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -164,6 +166,7 @@ func TestBackend_RSAKey(t *testing.T) {
|
|||
// Performs basic tests on CA functionality
|
||||
// Uses the EC CA key
|
||||
func TestBackend_ECKey(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -190,6 +193,7 @@ func TestBackend_ECKey(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestBackend_CSRValues(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -216,6 +220,7 @@ func TestBackend_CSRValues(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestBackend_URLsCRUD(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -245,6 +250,7 @@ func TestBackend_URLsCRUD(t *testing.T) {
|
|||
// of role flags to ensure that they are properly restricted
|
||||
// Uses the RSA CA key
|
||||
func TestBackend_RSARoles(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -285,6 +291,7 @@ func TestBackend_RSARoles(t *testing.T) {
|
|||
// of role flags to ensure that they are properly restricted
|
||||
// Uses the RSA CA key
|
||||
func TestBackend_RSARoles_CSR(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -305,7 +312,7 @@ func TestBackend_RSARoles_CSR(t *testing.T) {
|
|||
Operation: logical.UpdateOperation,
|
||||
Path: "config/ca",
|
||||
Data: map[string]interface{}{
|
||||
"pem_bundle": rsaCAKey + rsaCACert + rsaCAChain,
|
||||
"pem_bundle": rsaCAKey + rsaCACert,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
@ -325,6 +332,7 @@ func TestBackend_RSARoles_CSR(t *testing.T) {
|
|||
// of role flags to ensure that they are properly restricted
|
||||
// Uses the EC CA key
|
||||
func TestBackend_ECRoles(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -365,6 +373,7 @@ func TestBackend_ECRoles(t *testing.T) {
|
|||
// of role flags to ensure that they are properly restricted
|
||||
// Uses the EC CA key
|
||||
func TestBackend_ECRoles_CSR(t *testing.T) {
|
||||
initTest.Do(setCerts)
|
||||
defaultLeaseTTLVal := time.Hour * 24
|
||||
maxLeaseTTLVal := time.Hour * 24 * 32
|
||||
b, err := Factory(context.Background(), &logical.BackendConfig{
|
||||
|
|
@ -840,8 +849,8 @@ func generateCATestingSteps(t *testing.T, caCert, caKey, otherCaCert string, int
|
|||
Unauthenticated: true,
|
||||
Check: func(resp *logical.Response) error {
|
||||
rawBytes := resp.Data["http_raw_body"].([]byte)
|
||||
if string(rawBytes) != caCert {
|
||||
return fmt.Errorf("CA certificate:\n%s\ndoes not match original:\n%s\n", string(rawBytes), caCert)
|
||||
if !reflect.DeepEqual(rawBytes, []byte(caCert)) {
|
||||
return fmt.Errorf("CA certificate:\n%#v\ndoes not match original:\n%#v\n", rawBytes, []byte(caCert))
|
||||
}
|
||||
if resp.Data["http_content_type"].(string) != "application/pkix-cert" {
|
||||
return fmt.Errorf("Expected application/pkix-cert as content-type, but got %s", resp.Data["http_content_type"].(string))
|
||||
|
|
@ -1827,8 +1836,14 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
|
|||
i := mathRand.Int() % 4
|
||||
switch {
|
||||
case i == 0:
|
||||
extUsage = x509.ExtKeyUsageEmailProtection
|
||||
roleVals.EmailProtectionFlag = true
|
||||
// Punt on this for now since I'm not clear the actual proper
|
||||
// way to format these
|
||||
if name != "daɪˈɛrɨsɨs" {
|
||||
extUsage = x509.ExtKeyUsageEmailProtection
|
||||
roleVals.EmailProtectionFlag = true
|
||||
break
|
||||
}
|
||||
fallthrough
|
||||
case i == 1:
|
||||
extUsage = x509.ExtKeyUsageServerAuth
|
||||
roleVals.ServerFlag = true
|
||||
|
|
@ -1929,7 +1944,7 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
|
|||
Type: "CERTIFICATE REQUEST",
|
||||
Bytes: csr,
|
||||
}
|
||||
issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(&block)))
|
||||
issueVals.CSR = string(pem.EncodeToMemory(&block))
|
||||
|
||||
addTests(getCnCheck(issueVals.CommonName, roleVals, privKey, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
|
||||
} else {
|
||||
|
|
@ -3193,129 +3208,82 @@ func TestBackend_OID_SANs(t *testing.T) {
|
|||
t.Logf("certificate 3 to check:\n%s", certStr)
|
||||
}
|
||||
|
||||
const (
|
||||
rsaCAKey string = `-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEAmPQlK7xD5p+E8iLQ8XlVmll5uU2NKMxKY3UF5tbh+0vkc+Fy
|
||||
XmutLxxXAyYRPoztZ1g7ocr8XBFYsQPK26TFc3TzrLL7bBEYHQArd8M+VUHjziB7
|
||||
zwwpbV7tG8WPqIScDKMNncavDcT8sDg3DUqb8/zWkBD8WEYmsVr1VfKY5pFdxIZU
|
||||
kHP3/MkDpGmfrED9K5qPu17dIHTL2VYi4KxKhtIryapZTk6vDwRNfIYJD23QbQnt
|
||||
Si1j0X9MTRUf3BIcd0Ch60aGvv0VSL+1NTafsZQD+z1RY/zNp9IUHz5bNIiePZ6l
|
||||
JrlddodAAXZ4sN1CMetf4bA2RXssxBEIb5FyiQIDAQABAoIBAGMScSk9DvZJCUIV
|
||||
zyU6JHqPzkp6sx5kBSMa37HAKiwt4lI1C3GhaVIEl0/Qzoannfa8rhOEeaXhDoPK
|
||||
IxHWTpcUf+mzHSvIfsf6Hi2655stzLLtU4SvKf5P6GF+vCi5jKKa0u0JjsXqfIpg
|
||||
Pzh6xT1q3kf+2JUNC28Brbv4IZXmPmqWwu21VN+t3GsMGYgOnEOzBjXMhvNnm9kN
|
||||
kznV9Y2y0UIcT4dhbe2VRs4Dp8dGEyrFM7/Ovb3hIJrTkPcxjBbL5eMqpXnIkiW2
|
||||
7NyPMWFvX2lGnGdZ1Erh65SVtMjnHFwnSJ8jD+x9RAH9c1LQrYASws3MvMV8Bdzg
|
||||
2iljNqECgYEAw3Ow0clLx2alj9qFXcS2ap1lUCJxXZ9UiIU5lOcPxpCpHPloua14
|
||||
46rj2EJ9SD1L2kyB5gCq4nGK5uUIx37AJryy1SGzUmtmIVxQLnm6XK6zKnTBk0gx
|
||||
gevS6D7fHLDiVGGl3oGw4evibUFCk7dFOb/I/uBRb1zyaJrqOIlDS7UCgYEAyFYi
|
||||
RYQbYJJ0k18fUWDKy/P/Rl7uy9D67Qa9+wxoYN2Kh/aQwnNxYHAbwG7Pupd0oGcW
|
||||
Yl4bgUliAX3IFGs/cCkPJAIHzwWBPjUDhsJ020TGxKfL4SWP9OaxOpN5TOAixvBY
|
||||
ar9aSaKEl7QShmzc/Dknxu58LcoZUwI82pKIGAUCgYAxaHJ/ZcpxOsKJjez+2jZe
|
||||
1zEAQ+SyjQ96f2sh+BMl1/XYLDhMD80qiE2WoqA2/b/KDGMd+Hc6TQeW/LjubV03
|
||||
raXreNxy7lFgB40BYqY4vbTu+5rfl3VkaW/kY9hU0WY1fIXIrLJBOjb/9WpWGxM1
|
||||
2QR/YcdURoPE67xf1FsdrQKBgE8KdNEakzah8e6nLBMOblTTutcH4410sVvNOi2P
|
||||
sqrtHZgRNwIRTB0xfjGJRtomoXQb2CANYyq6SjmuZ79upQPan0ekqXILiPeDMRX9
|
||||
KN/OHeI/FdiJ2mdUkX476zLih7YX47qSLsw4m7nC6UAyOWomHsSFGWdzglRW4K2X
|
||||
/KwFAoGAYQUEWhXp5vpKzAly1ivSH9+sGC59Cujdy50oJSjaw9J+W1fM5WO9z+MH
|
||||
CoEpRt8epIgvCBBP2IM7uJUu8i2jQgJ/rrn3NTJgZn2UEPzyxUxbuWnSyueyUsD6
|
||||
uhTwBDf8LWOpvdZHMI4CPZ5WJwxAGkvde9xtlzuZUSAlyI2X8m0=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
`
|
||||
rsaCACert string = `-----BEGIN CERTIFICATE-----
|
||||
MIIDljCCAn6gAwIBAgIUQVapfgyAeDH9rAmpw3PQrhMcjRMwDQYJKoZIhvcNAQEL
|
||||
BQAwMzExMC8GA1UEAxMoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1
|
||||
dGhvcml0eTAeFw0xNjA4MDcyMjUzNTRaFw0yNjA3MjQxMDU0MjRaMDcxNTAzBgNV
|
||||
BAMTLFZhdWx0IFRlc3RpbmcgSW50ZXJtZWRpYXRlIFN1YiBTdWIgQXV0aG9yaXR5
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmPQlK7xD5p+E8iLQ8XlV
|
||||
mll5uU2NKMxKY3UF5tbh+0vkc+FyXmutLxxXAyYRPoztZ1g7ocr8XBFYsQPK26TF
|
||||
c3TzrLL7bBEYHQArd8M+VUHjziB7zwwpbV7tG8WPqIScDKMNncavDcT8sDg3DUqb
|
||||
8/zWkBD8WEYmsVr1VfKY5pFdxIZUkHP3/MkDpGmfrED9K5qPu17dIHTL2VYi4KxK
|
||||
htIryapZTk6vDwRNfIYJD23QbQntSi1j0X9MTRUf3BIcd0Ch60aGvv0VSL+1NTaf
|
||||
sZQD+z1RY/zNp9IUHz5bNIiePZ6lJrlddodAAXZ4sN1CMetf4bA2RXssxBEIb5Fy
|
||||
iQIDAQABo4GdMIGaMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G
|
||||
A1UdDgQWBBRMeQTX9VkLqb1wzrvN/vFG09yhUTAfBgNVHSMEGDAWgBR0Oq2VTUBE
|
||||
dOm6a1sKJTvdZMV5LjA3BgNVHREEMDAugixWYXVsdCBUZXN0aW5nIEludGVybWVk
|
||||
aWF0ZSBTdWIgU3ViIEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAagYM7uFa
|
||||
tUziraBkuU7cIyX83y7lYFsDhUse2hkpqmgO14oEOwFsDox1Jg2QGt4FEfJoCOXf
|
||||
oCZZN8XmaWdSrfgs1nDmtE0xwXiX1z7JuJZ+Ygt3dcRHO1zs5tmuHLxrvMnKfIfG
|
||||
bsGmES4mknt0qQ7tGhpyC+KgEmcVL1QQJXNjzCrw5iQ9sgvQt+oCqV28pxOUSYkq
|
||||
FdrozmNdJwMgVADywiY/FqYJWgkixlFHQkPR7eiXwpahON+zRMk1JSgr/8N8fRDj
|
||||
aqVBRppPzVU9joUME0vOc8cK3VozNe4iRkKNZFelHU2NPPJSDjRLVH9tJ7jPVOEA
|
||||
/k6w2PwdoRom7Q==
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
func setCerts() {
|
||||
cak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
marshaledKey, err := x509.MarshalECPrivateKey(cak)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
keyPEMBlock := &pem.Block{
|
||||
Type: "EC PRIVATE KEY",
|
||||
Bytes: marshaledKey,
|
||||
}
|
||||
ecCAKey = string(pem.EncodeToMemory(keyPEMBlock))
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
subjKeyID, err := certutil.GetSubjKeyID(cak)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
caCertTemplate := &x509.Certificate{
|
||||
Subject: pkix.Name{
|
||||
CommonName: "root.localhost",
|
||||
},
|
||||
SubjectKeyId: subjKeyID,
|
||||
DNSNames: []string{"root.localhost"},
|
||||
KeyUsage: x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
|
||||
SerialNumber: big.NewInt(mathrand.Int63()),
|
||||
NotBefore: time.Now().Add(-30 * time.Second),
|
||||
NotAfter: time.Now().Add(262980 * time.Hour),
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
}
|
||||
caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, cak.Public(), cak)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
caCertPEMBlock := &pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: caBytes,
|
||||
}
|
||||
ecCACert = string(pem.EncodeToMemory(caCertPEMBlock))
|
||||
|
||||
rsaCAChain string = `-----BEGIN CERTIFICATE-----
|
||||
MIIDijCCAnKgAwIBAgIUOiGo/1EOhRhuupTRGDYnqdALk/swDQYJKoZIhvcNAQEL
|
||||
BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y
|
||||
aXR5MB4XDTE2MDgwNzIyNTA1MloXDTI2MDcyODE0NTEyMlowMzExMC8GA1UEAxMo
|
||||
VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ
|
||||
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTPRQREwW3BEifNcm0XElMRB0GNTXHr
|
||||
XCuNoFVsVBlIEsNVQkka+SHZcmNBdEcZLBXP/W3tBT82B48GVN8jyxAGfYZ5hoOQ
|
||||
ed3GVft1A7lAnxcGvf5e9kfecKDcBB4G4rBhqdDNcAtklS2hV4uZUcVcEJKggpsQ
|
||||
a1wZkCn8eg6sqEYG/SxPouwL52PblxIN+Dd57sBeqx4qdL297XR8LuLkxqftwUCZ
|
||||
l2iFBnSDID/06ZmHDXA38I0n3jT2ZGjgPGFnIFKxRGq1vpVc3F5ga8qk+u66ybBu
|
||||
xWHzINQrrryjELbl2YBTr6i0R9HnZle6OPcXMWp0JuGjtDC1xb5NmnkCAwEAAaOB
|
||||
mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
|
||||
dDqtlU1ARHTpumtbCiU73WTFeS4wHwYDVR0jBBgwFoAU+UO/nrlKr4COZCxLZSY/
|
||||
ul+YMvMwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi
|
||||
IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAjgCuTXsLFkf0DVkfSsKReNwI
|
||||
U/yBcP8Ttbx/ltanJGIVfD5TZoCnNTWm6RkML29ohfxI27sHTUhj+/6Ba0MRiLeI
|
||||
FXdclXmHOU2dTHlrmUa0m/4cb5uYoiiEnpmyWL5k94fqPOZAvJcFHnP3db4vsaUW
|
||||
47YcOvJbPSJqFXZHadqnsf3Fur5NCeTkIk6yZSvwTaZJT0JIWcqfE5LK3mYAMMC3
|
||||
iPaIa1cYqOZhWx9ilQfW6u6WxWeOphGuDIusP7Q4qc2Dr9sekyD59dfIYsroK5TP
|
||||
QVJb69nIYINpYdg3l3VNmmkY4G30N9QNs6acaH49rYzLcRX6tLBgPklO6d+TPA==
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDejCCAmKgAwIBAgIUULdIdrdK4Y8d+XM9fuOpDlNcJIYwDQYJKoZIhvcNAQEL
|
||||
BQAwJzElMCMGA1UEAxMcVmF1bHQgVGVzdGluZyBSb290IEF1dGhvcml0eTAeFw0x
|
||||
NjA4MDcyMjUwNTFaFw0yNjA4MDExODUxMjFaMC8xLTArBgNVBAMTJFZhdWx0IFRl
|
||||
c3RpbmcgSW50ZXJtZWRpYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD
|
||||
ggEPADCCAQoCggEBANXa6U+MDiUrryeZeGxgkmAZdrm9wCKz/6SmxYSebKr8aZwD
|
||||
nfbsPLRFxU6BXp9Nc6pP7e8HLBv6PtFTQG389zxOBwAHxZQvUsFESumUd64oTLRG
|
||||
J+AErTh7rtSWbLZsgDtQVvpx+6mKkvm53f/aKcq+DbqAFOg6slYOaQix0ZvP/qL0
|
||||
iWGIPr1JZk9uBJOUuIUBJdbsgTk+KQqJL9M6up8bCnM0noCafwrNKwZWtsbkfOZE
|
||||
OLSycdzCEBeHejpHTIU0vgAkdj63oEy2AbK3hMPxKzNthL3DX6W0tssoVgL//92i
|
||||
oSfpDTxiXqqdr+J3accpsAvA+F+D2TqaxdAfjLcCAwEAAaOBlTCBkjAOBgNVHQ8B
|
||||
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+UO/nrlKr4COZCxL
|
||||
ZSY/ul+YMvMwHwYDVR0jBBgwFoAUA3jY4OUWi1Y7zQgM7S9QeXjNgIQwLwYDVR0R
|
||||
BCgwJoIkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9yaXR5MA0GCSqG
|
||||
SIb3DQEBCwUAA4IBAQA9VJt92LsOOegtAx35rr41LSSfPWB2SCKg0fphL2gMPO5y
|
||||
fE2u8O5TF5dJWJ1fF3cg9/XK30Ohdl1/ujfHbVcX+O6Sb3cgwKTQQOhTdsAZKFRT
|
||||
RPHaf/Ja8uqAXMITApxOp7YiYQwukwZr+OsKi66s+zhlfI790PoQbC3UJvgmNDmv
|
||||
V5oP63mw4yhqRNPn4NOjzoC/hJSIM0AIdRB1nx2rsSUw0P354R1j9gO43L/Lj33S
|
||||
NEaPmw+SC3Tbcx4yxeKnTvGdu3sw/ndmZkCjaq5jxgTy9FONqT45TPJOyk29o5gl
|
||||
+AVQz5fD2M3C1L/sZIPH2OQbXxePHcsvUZVgaKyk
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
rak, err := rsa.GenerateKey(rand.Reader, 2048)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
marshaledKey = x509.MarshalPKCS1PrivateKey(rak)
|
||||
keyPEMBlock = &pem.Block{
|
||||
Type: "RSA PRIVATE KEY",
|
||||
Bytes: marshaledKey,
|
||||
}
|
||||
rsaCAKey = string(pem.EncodeToMemory(keyPEMBlock))
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
subjKeyID, err = certutil.GetSubjKeyID(rak)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, rak.Public(), rak)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
caCertPEMBlock = &pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: caBytes,
|
||||
}
|
||||
rsaCACert = string(pem.EncodeToMemory(caCertPEMBlock))
|
||||
}
|
||||
|
||||
ecCAKey string = `-----BEGIN EC PRIVATE KEY-----
|
||||
MIGkAgEBBDBP/t89wrC0RFVs0N+jiRuGPptoxI1Iyu42/PzzZWMKYnO7yCWFG/Qv
|
||||
zC8cRa8PDqegBwYFK4EEACKhZANiAAQI9e8n9RD6gOd5YpWpDi5AoPbskxQSogxx
|
||||
dYFzzHwS0RYIucmlcJ2CuJQNc+9E4dUCMsYr2cAnCgA4iUHzGaje3Fa4O667LVH1
|
||||
imAyAj5nbfSd89iNzg4XNPkFjuVNBlE=
|
||||
-----END EC PRIVATE KEY-----
|
||||
`
|
||||
|
||||
ecCACert string = `-----BEGIN CERTIFICATE-----
|
||||
MIIDHzCCAqSgAwIBAgIUEQ4L+8Xl9+/uxU3MMCrd3Bw0HMcwCgYIKoZIzj0EAwIw
|
||||
XzEjMCEGA1UEAxMaVmF1bHQgRUMgdGVzdGluZyByb290IGNlcnQxODA2BgNVBAUT
|
||||
Lzk3MzY2MDk3NDQ1ODU2MDI3MDY5MDQ0MTkxNjIxODI4NjI0NjM0NTI5MTkzMTU5
|
||||
MB4XDTE1MTAwNTE2MzAwMFoXDTM1MDkzMDE2MzAwMFowXzEjMCEGA1UEAxMaVmF1
|
||||
bHQgRUMgdGVzdGluZyByb290IGNlcnQxODA2BgNVBAUTLzk3MzY2MDk3NDQ1ODU2
|
||||
MDI3MDY5MDQ0MTkxNjIxODI4NjI0NjM0NTI5MTkzMTU5MHYwEAYHKoZIzj0CAQYF
|
||||
K4EEACIDYgAECPXvJ/UQ+oDneWKVqQ4uQKD27JMUEqIMcXWBc8x8EtEWCLnJpXCd
|
||||
griUDXPvROHVAjLGK9nAJwoAOIlB8xmo3txWuDuuuy1R9YpgMgI+Z230nfPYjc4O
|
||||
FzT5BY7lTQZRo4IBHzCCARswDgYDVR0PAQH/BAQDAgGuMBMGA1UdJQQMMAoGCCsG
|
||||
AQUFBwMJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCIBqs15CiKuj7vqmIW5
|
||||
L07WSeLhMB8GA1UdIwQYMBaAFCIBqs15CiKuj7vqmIW5L07WSeLhMEIGCCsGAQUF
|
||||
BwEBBDYwNDAyBggrBgEFBQcwAoYmaHR0cDovL3ZhdWx0LmV4YW1wbGUuY29tL3Yx
|
||||
L3Jvb3Rwa2kvY2EwJQYDVR0RBB4wHIIaVmF1bHQgRUMgdGVzdGluZyByb290IGNl
|
||||
cnQwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDovL3ZhdWx0LmV4YW1wbGUuY29tL3Yx
|
||||
L3Jvb3Rwa2kvY3JsMAoGCCqGSM49BAMCA2kAMGYCMQDRrxXskBtXjuZ1tUTk+qae
|
||||
3bNVE1oeTDJhe0m3KN7qTykSGslxfEjlv83GYXziiv0CMQDsqu1U9uXPn3ezSbgG
|
||||
O30prQ/sanDzNAeJhftoGtNPJDspwx0fzclHvKIhgl3JVUc=
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
var (
|
||||
initTest sync.Once
|
||||
rsaCAKey string
|
||||
rsaCACert string
|
||||
ecCAKey string
|
||||
ecCACert string
|
||||
)
|
||||
|
|
|
|||
|
|
@ -33,6 +33,10 @@ secret key and certificate.`,
|
|||
func (b *backend) pathCAWrite(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
pemBundle := data.Get("pem_bundle").(string)
|
||||
|
||||
if pemBundle == "" {
|
||||
return logical.ErrorResponse("'pem_bundle' was empty"), nil
|
||||
}
|
||||
|
||||
parsedBundle, err := certutil.ParsePEMBundle(pemBundle)
|
||||
if err != nil {
|
||||
switch err.(type) {
|
||||
|
|
|
|||
|
|
@ -168,13 +168,15 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
|
|||
}
|
||||
|
||||
caChain := caInfo.GetCAChain()
|
||||
var certStr string
|
||||
for _, ca := range caChain {
|
||||
block := pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: ca.Bytes,
|
||||
}
|
||||
certificate = append(certificate, pem.EncodeToMemory(&block)...)
|
||||
certStr = certStr + string(pem.EncodeToMemory(&block))
|
||||
}
|
||||
certificate = []byte(certStr)
|
||||
goto reply
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -119,7 +119,7 @@ func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
|
|||
for len(pemBytes) > 0 {
|
||||
pemBlock, pemBytes = pem.Decode(pemBytes)
|
||||
if pemBlock == nil {
|
||||
return nil, errutil.UserError{Err: "no data found"}
|
||||
return nil, errutil.UserError{Err: "no data found in PEM block"}
|
||||
}
|
||||
|
||||
if signer, err := x509.ParseECPrivateKey(pemBlock.Bytes); err == nil {
|
||||
|
|
|
|||
Loading…
Reference in New Issue