diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index ee1d0f970..be083a57e 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -1351,7 +1351,7 @@ func convertRespToPKCS8(resp *logical.Response) error { return errwrap.Wrapf("error converting response to pkcs8: error parsing previous key: {{err}}", err) } - keyData, err = certutil.MarshalPKCS8PrivateKey(signer) + keyData, err = x509.MarshalPKCS8PrivateKey(signer) if err != nil { return errwrap.Wrapf("error converting response to pkcs8: error marshaling pkcs8 key: {{err}}", err) } diff --git a/helper/certutil/certutil_test.go b/helper/certutil/certutil_test.go index 06769ffec..14bcc27c0 100644 --- a/helper/certutil/certutil_test.go +++ b/helper/certutil/certutil_test.go @@ -2,10 +2,22 @@ package certutil import ( "bytes" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" "encoding/json" + "encoding/pem" "fmt" + "math/big" + mathrand "math/rand" "reflect" + "strings" + "sync" "testing" + "time" "github.com/fatih/structs" "github.com/hashicorp/vault/api" @@ -179,7 +191,7 @@ func compareCertBundleToParsedCertBundle(cbut *CertBundle, pcbut *ParsedCertBund return fmt.Errorf("Error when getting subject key id: %s", err) } if bytes.Compare(subjKeyID, pcbut.Certificate.SubjectKeyId) != 0 { - return fmt.Errorf("Parsed bundle private key does not match subject key id") + return fmt.Errorf("Parsed bundle private key does not match subject key id\nGot\n%#v\nExpected\n%#v\nCert\n%#v", subjKeyID, pcbut.Certificate.SubjectKeyId, *pcbut.Certificate) } switch { @@ -307,14 +319,14 @@ func compareCSRBundleToParsedCSRBundle(csrbut *CSRBundle, pcsrbut *ParsedCSRBund return fmt.Errorf("Bundle has wrong private key type") } if csrb.PrivateKey != privRSAKeyPem { - return fmt.Errorf("Bundle private key does not match") + return fmt.Errorf("Bundle rsa private key does not match\nGot\n%#v\nExpected\n%#v", csrb.PrivateKey, privRSAKeyPem) } case "ec": if pcsrbut.PrivateKeyType != ECPrivateKey { return fmt.Errorf("Bundle has wrong private key type") } if csrb.PrivateKey != privECKeyPem { - return fmt.Errorf("Bundle private key does not match") + return fmt.Errorf("Bundle ec private key does not match") } default: return fmt.Errorf("Bundle has unknown private key type") @@ -395,6 +407,7 @@ func TestTLSConfig(t *testing.T) { } func refreshRSA8CertBundle() *CertBundle { + initTest.Do(setCerts) return &CertBundle{ Certificate: certRSAPem, PrivateKey: privRSA8KeyPem, @@ -403,12 +416,14 @@ func refreshRSA8CertBundle() *CertBundle { } func refreshRSA8CertBundleWithChain() *CertBundle { + initTest.Do(setCerts) ret := refreshRSA8CertBundle() ret.CAChain = issuingCaChainPem return ret } func refreshRSACertBundle() *CertBundle { + initTest.Do(setCerts) return &CertBundle{ Certificate: certRSAPem, CAChain: []string{issuingCaChainPem[0]}, @@ -417,12 +432,14 @@ func refreshRSACertBundle() *CertBundle { } func refreshRSACertBundleWithChain() *CertBundle { + initTest.Do(setCerts) ret := refreshRSACertBundle() ret.CAChain = issuingCaChainPem return ret } func refreshECCertBundle() *CertBundle { + initTest.Do(setCerts) return &CertBundle{ Certificate: certECPem, CAChain: []string{issuingCaChainPem[0]}, @@ -431,12 +448,14 @@ func refreshECCertBundle() *CertBundle { } func refreshECCertBundleWithChain() *CertBundle { + initTest.Do(setCerts) ret := refreshECCertBundle() ret.CAChain = issuingCaChainPem return ret } func refreshRSACSRBundle() *CSRBundle { + initTest.Do(setCerts) return &CSRBundle{ CSR: csrRSAPem, PrivateKey: privRSAKeyPem, @@ -444,6 +463,7 @@ func refreshRSACSRBundle() *CSRBundle { } func refreshECCSRBundle() *CSRBundle { + initTest.Do(setCerts) return &CSRBundle{ CSR: csrECPem, PrivateKey: privECKeyPem, @@ -451,6 +471,7 @@ func refreshECCSRBundle() *CSRBundle { } func refreshEC8CertBundle() *CertBundle { + initTest.Do(setCerts) return &CertBundle{ Certificate: certECPem, PrivateKey: privEC8KeyPem, @@ -459,208 +480,230 @@ func refreshEC8CertBundle() *CertBundle { } func refreshEC8CertBundleWithChain() *CertBundle { + initTest.Do(setCerts) ret := refreshEC8CertBundle() ret.CAChain = issuingCaChainPem return ret } +func setCerts() { + caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + panic(err) + } + subjKeyID, err := GetSubjKeyID(caKey) + if err != nil { + panic(err) + } + caCertTemplate := &x509.Certificate{ + Subject: pkix.Name{ + CommonName: "root.localhost", + }, + SubjectKeyId: subjKeyID, + DNSNames: []string{"root.localhost"}, + KeyUsage: x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign), + SerialNumber: big.NewInt(mathrand.Int63()), + NotBefore: time.Now().Add(-30 * time.Second), + NotAfter: time.Now().Add(262980 * time.Hour), + BasicConstraintsValid: true, + IsCA: true, + } + caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, caKey.Public(), caKey) + if err != nil { + panic(err) + } + caCert, err := x509.ParseCertificate(caBytes) + if err != nil { + panic(err) + } + caCertPEMBlock := &pem.Block{ + Type: "CERTIFICATE", + Bytes: caBytes, + } + caCertPEM := strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock))) + + intKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + panic(err) + } + subjKeyID, err = GetSubjKeyID(intKey) + if err != nil { + panic(err) + } + intCertTemplate := &x509.Certificate{ + Subject: pkix.Name{ + CommonName: "int.localhost", + }, + SubjectKeyId: subjKeyID, + DNSNames: []string{"int.localhost"}, + KeyUsage: x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign), + SerialNumber: big.NewInt(mathrand.Int63()), + NotBefore: time.Now().Add(-30 * time.Second), + NotAfter: time.Now().Add(262980 * time.Hour), + BasicConstraintsValid: true, + IsCA: true, + } + intBytes, err := x509.CreateCertificate(rand.Reader, intCertTemplate, caCert, intKey.Public(), caKey) + if err != nil { + panic(err) + } + intCert, err := x509.ParseCertificate(intBytes) + if err != nil { + panic(err) + } + intCertPEMBlock := &pem.Block{ + Type: "CERTIFICATE", + Bytes: intBytes, + } + intCertPEM := strings.TrimSpace(string(pem.EncodeToMemory(intCertPEMBlock))) + + // EC generation + { + key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + panic(err) + } + subjKeyID, err := GetSubjKeyID(key) + if err != nil { + panic(err) + } + certTemplate := &x509.Certificate{ + Subject: pkix.Name{ + CommonName: "localhost", + }, + SubjectKeyId: subjKeyID, + DNSNames: []string{"localhost"}, + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageServerAuth, + x509.ExtKeyUsageClientAuth, + }, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, + SerialNumber: big.NewInt(mathrand.Int63()), + NotBefore: time.Now().Add(-30 * time.Second), + NotAfter: time.Now().Add(262980 * time.Hour), + } + csrTemplate := &x509.CertificateRequest{ + Subject: pkix.Name{ + CommonName: "localhost", + }, + DNSNames: []string{"localhost"}, + } + csrBytes, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, key) + if err != nil { + panic(err) + } + csrPEMBlock := &pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: csrBytes, + } + csrECPem = strings.TrimSpace(string(pem.EncodeToMemory(csrPEMBlock))) + certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, intCert, key.Public(), intKey) + if err != nil { + panic(err) + } + certPEMBlock := &pem.Block{ + Type: "CERTIFICATE", + Bytes: certBytes, + } + certECPem = strings.TrimSpace(string(pem.EncodeToMemory(certPEMBlock))) + marshaledKey, err := x509.MarshalECPrivateKey(key) + if err != nil { + panic(err) + } + keyPEMBlock := &pem.Block{ + Type: "EC PRIVATE KEY", + Bytes: marshaledKey, + } + privECKeyPem = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock))) + marshaledKey, err = x509.MarshalPKCS8PrivateKey(key) + if err != nil { + panic(err) + } + keyPEMBlock = &pem.Block{ + Type: "PRIVATE KEY", + Bytes: marshaledKey, + } + privEC8KeyPem = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock))) + } + + // RSA generation + { + key, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + panic(err) + } + subjKeyID, err := GetSubjKeyID(key) + if err != nil { + panic(err) + } + certTemplate := &x509.Certificate{ + Subject: pkix.Name{ + CommonName: "localhost", + }, + SubjectKeyId: subjKeyID, + DNSNames: []string{"localhost"}, + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageServerAuth, + x509.ExtKeyUsageClientAuth, + }, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement, + SerialNumber: big.NewInt(mathrand.Int63()), + NotBefore: time.Now().Add(-30 * time.Second), + NotAfter: time.Now().Add(262980 * time.Hour), + } + csrTemplate := &x509.CertificateRequest{ + Subject: pkix.Name{ + CommonName: "localhost", + }, + DNSNames: []string{"localhost"}, + } + csrBytes, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, key) + if err != nil { + panic(err) + } + csrPEMBlock := &pem.Block{ + Type: "CERTIFICATE REQUEST", + Bytes: csrBytes, + } + csrRSAPem = strings.TrimSpace(string(pem.EncodeToMemory(csrPEMBlock))) + certBytes, err := x509.CreateCertificate(rand.Reader, certTemplate, intCert, key.Public(), intKey) + if err != nil { + panic(err) + } + certPEMBlock := &pem.Block{ + Type: "CERTIFICATE", + Bytes: certBytes, + } + certRSAPem = strings.TrimSpace(string(pem.EncodeToMemory(certPEMBlock))) + marshaledKey := x509.MarshalPKCS1PrivateKey(key) + keyPEMBlock := &pem.Block{ + Type: "RSA PRIVATE KEY", + Bytes: marshaledKey, + } + privRSAKeyPem = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock))) + marshaledKey, err = x509.MarshalPKCS8PrivateKey(key) + if err != nil { + panic(err) + } + keyPEMBlock = &pem.Block{ + Type: "PRIVATE KEY", + Bytes: marshaledKey, + } + privRSA8KeyPem = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock))) + } + + issuingCaChainPem = []string{intCertPEM, caCertPEM} +} + var ( - privRSA8KeyPem = `-----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC92mr7+D/tGkW5 -nvDH/fYkOLywbxsU9wU7lKVPCdj+zNzQYHiixTZtmZPYVTBj27lZgaUDUXuiw9Ru -BWHTuAb/Cpn1I+71qJbh8FgWot+MRDFKuV0PLkgHz5eRVC4JmKy9hbcgo1q0FfGf -qxL+VQmI0GcQ4IYK/ppVMrKbn4ndIg70uR46vPiU11GqRIz5wkiPeLklrhoWa5qE -IHINnR83eHUbijaCuqPEcz0QTz0iLM8dfubVaJ+Gn/DseUtku+qBdcYcUK2hQyCc -NRKtu953gr5hhEX0N9x5JBb10WaI1UL5HGa2wa6ndZ7yVb42B2WTHzNQRR5Cr4N4 -ve31//gRAgMBAAECggEAfEvyvTLDz5zix2tK4vTfYMmQp8amKWysjVx9eijNW8yO -SRLQCGkrgEgLJphnjQk+6V3axjhjxKWHf9ygNrgGRJYRRBCZk1YkKpprYa6Sw0em -KfD//z9iw1JjPi+p0HiXp6FSytiIOt0fC1U6oy7ThjJDOCZ3O92C94KwsviZjx9r -DZbTLDm7Ya2LF4jGCq0dQ+AVqZ65QJ3yjdxm87PSE6q2eiV9wdMUx9RDOmFy+Meq -Mm3L9TW1QzyFtFMXeIF5QYGpmxWP/iii5V0CP573apXMIqQ+wTNpwK3WU5iURypZ -kJ1Iaxbzjfok6wpwLj7SJytF+fOVcygUxud7GPH8UQKBgQDPhQhB3+o+y+bwkUTx -Qdj/YNKcA/bjo/b9KMq+3rufwN9u/DK5z7vVfVklidbh5DVqhlLREsdSuZvb/IHc -OdCYwNeDxk1rLr+1W/iPYSBJod4eWDteIH1U9lts+/mH+u+iSsWVuikbeA8/MUJ3 -nnAYu4FR1nz8I/CrvGbQL/KCdQKBgQDqNNI562Ch+4dJ407F3MC4gNPwPgksfLXn -ZRcPVVwGagil9oIIte0BIT0rAG/jVACfghGxfrj719uwjcFFxnUaSHGQcATseSf6 -SgoruIVF15lI4e8lEcWrOypsW8Id2/amwUiIWYCgwlYG2Q7dggpXfgjmKfjSlvJ8 -+yKR/Y6zrQKBgQCkx2aqICm5mWEUbtWGmJm9Ft3FQqSdV4n8tZJgAy6KiLUiRKHm -x1vIBtNtqkj1b6c2odhK6ZVaS8XF5XgcLdBEKwQ2P5Uj4agaUyBIgYAI174u7DKf -6D58423vWRln70qu3J6N6JdRl4DL1cqIf0dVbDYgjKcL82HcjCo7b4cqLQKBgFGU -TJX4MxS5NIq8LrglCMw7s5c/RJrGZeZQBBRHO2LQlGqazviRxhhap5/O6ypYHE9z -Uw5sgarXqaJ5/hR76FZbXZNeMZjdKtu35osMHwAQ9Ue5yz8yTZQza7eKzrbv4556 -PPWhl3hnuOdxvAfUQB3xvM/PVuijw5tdLtGDbK2RAoGBAKB7OsTgF7wVEkzccJTE -hrbVKD+KBZz8WKnEgNoyyTIT0Kaugk15MCXkGrXIY8bW0IzYAw69qhTOgaWkcu4E -JbTK5UerP8V+X7XPBiw72StPVM4bxaXx2/B+78IuMOI/GR0tHQCF8S6DwTHeBXnl -ke8GFExnXHTPqG6Bku0r/G47 ------END PRIVATE KEY-----` - - privRSAKeyPem = `-----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAvdpq+/g/7RpFuZ7wx/32JDi8sG8bFPcFO5SlTwnY/szc0GB4 -osU2bZmT2FUwY9u5WYGlA1F7osPUbgVh07gG/wqZ9SPu9aiW4fBYFqLfjEQxSrld -Dy5IB8+XkVQuCZisvYW3IKNatBXxn6sS/lUJiNBnEOCGCv6aVTKym5+J3SIO9Lke -Orz4lNdRqkSM+cJIj3i5Ja4aFmuahCByDZ0fN3h1G4o2grqjxHM9EE89IizPHX7m -1Wifhp/w7HlLZLvqgXXGHFCtoUMgnDUSrbved4K+YYRF9DfceSQW9dFmiNVC+Rxm -tsGup3We8lW+Ngdlkx8zUEUeQq+DeL3t9f/4EQIDAQABAoIBAHxL8r0yw8+c4sdr -SuL032DJkKfGpilsrI1cfXoozVvMjkkS0AhpK4BICyaYZ40JPuld2sY4Y8Slh3/c -oDa4BkSWEUQQmZNWJCqaa2GuksNHpinw//8/YsNSYz4vqdB4l6ehUsrYiDrdHwtV -OqMu04YyQzgmdzvdgveCsLL4mY8faw2W0yw5u2GtixeIxgqtHUPgFameuUCd8o3c -ZvOz0hOqtnolfcHTFMfUQzphcvjHqjJty/U1tUM8hbRTF3iBeUGBqZsVj/4oouVd -Aj+e92qVzCKkPsEzacCt1lOYlEcqWZCdSGsW8436JOsKcC4+0icrRfnzlXMoFMbn -exjx/FECgYEAz4UIQd/qPsvm8JFE8UHY/2DSnAP246P2/SjKvt67n8Dfbvwyuc+7 -1X1ZJYnW4eQ1aoZS0RLHUrmb2/yB3DnQmMDXg8ZNay6/tVv4j2EgSaHeHlg7XiB9 -VPZbbPv5h/rvokrFlbopG3gPPzFCd55wGLuBUdZ8/CPwq7xm0C/ygnUCgYEA6jTS -OetgofuHSeNOxdzAuIDT8D4JLHy152UXD1VcBmoIpfaCCLXtASE9KwBv41QAn4IR -sX64+9fbsI3BRcZ1GkhxkHAE7Hkn+koKK7iFRdeZSOHvJRHFqzsqbFvCHdv2psFI -iFmAoMJWBtkO3YIKV34I5in40pbyfPsikf2Os60CgYEApMdmqiApuZlhFG7VhpiZ -vRbdxUKknVeJ/LWSYAMuioi1IkSh5sdbyAbTbapI9W+nNqHYSumVWkvFxeV4HC3Q -RCsENj+VI+GoGlMgSIGACNe+Luwyn+g+fONt71kZZ+9KrtyejeiXUZeAy9XKiH9H -VWw2IIynC/Nh3IwqO2+HKi0CgYBRlEyV+DMUuTSKvC64JQjMO7OXP0SaxmXmUAQU -Rzti0JRqms74kcYYWqefzusqWBxPc1MObIGq16mief4Ue+hWW12TXjGY3Srbt+aL -DB8AEPVHucs/Mk2UM2u3is627+Oeejz1oZd4Z7jncbwH1EAd8bzPz1boo8ObXS7R -g2ytkQKBgQCgezrE4Be8FRJM3HCUxIa21Sg/igWc/FipxIDaMskyE9CmroJNeTAl -5Bq1yGPG1tCM2AMOvaoUzoGlpHLuBCW0yuVHqz/Ffl+1zwYsO9krT1TOG8Wl8dvw -fu/CLjDiPxkdLR0AhfEug8Ex3gV55ZHvBhRMZ1x0z6hugZLtK/xuOw== ------END RSA PRIVATE KEY-----` - - csrRSAPem = `-----BEGIN CERTIFICATE REQUEST----- -MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx -ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBALd2SVGs7QkYlYPOz9MvE+0DDRUIutQQkiCnqcV1 -1nO84uSSUjH0ALLVyRKgWIkobEqWJurKIk+oV9O+Le8EABxkt/ru6jaIFqZkwFE1 -JzSDPkAsR9jXP5M2MWlmo7qVc4Bry3oqlN3eLSFJP2ZH7b1ia8q9oWXPMxDdwuKR -kv9hfkUPszr/gaQCNQXW0BoRe5vdr5+ikv4lrKpsBxvaAoYL1ngR41lCPKhmrgXP -oreEuUcXzfCSSAV1CGbW2qhWc4I7/JFA8qqEBr5GP+AntStGxSbDO8JjD7/uULHC -AReCloDdJE0jDz1355/0CAH4WmEJE/TI8Bq+vgd0jgzRgk0CAwEAAaAAMA0GCSqG -SIb3DQEBCwUAA4IBAQAR8U1vZMJf7YFvGU69QvoWPTDe/o8SwYy1j+++AAO9Y7H2 -C7nb+9tnEMtXm+3pkY0aJIecAnq8H4QWimOrJa/ZsoZLzz9LKW2nzARdWo63j4nB -jKld/EDBzQ/nQSTyoX7s9JiDiSC9yqTXBrPHSXruPbh7sE0yXROar+6atjNdCpDp -uLw86gwewDJrMaB1aFAmDvwaRQQDONwRy0zG1UdMxLQxsxpKOHaGM/ZvV3FPir2B -7mKupki/dvap5UW0lTMJBlKf3qhoeHKMHFo9i5vGCIkWUIv+XgTF0NjbYv9i7bfq -WdW905v4wiuWRlddNwqFtLx9Pf1/fRJVT5mBbjIx ------END CERTIFICATE REQUEST-----` - - certRSAPem = `-----BEGIN CERTIFICATE----- -MIIDfDCCAmSgAwIBAgIUad4Q9EhVvqc06H7fCfKaLGcyDw0wDQYJKoZIhvcNAQEL -BQAwNzE1MDMGA1UEAxMsVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIFN1 -YiBBdXRob3JpdHkwHhcNMTYwODA0MTkyMjAyWhcNMTYwODA0MjAyMjMyWjAhMR8w -HQYDVQQDExZWYXVsdCBUZXN0IENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEAvdpq+/g/7RpFuZ7wx/32JDi8sG8bFPcFO5SlTwnY/szc -0GB4osU2bZmT2FUwY9u5WYGlA1F7osPUbgVh07gG/wqZ9SPu9aiW4fBYFqLfjEQx -SrldDy5IB8+XkVQuCZisvYW3IKNatBXxn6sS/lUJiNBnEOCGCv6aVTKym5+J3SIO -9LkeOrz4lNdRqkSM+cJIj3i5Ja4aFmuahCByDZ0fN3h1G4o2grqjxHM9EE89IizP -HX7m1Wifhp/w7HlLZLvqgXXGHFCtoUMgnDUSrbved4K+YYRF9DfceSQW9dFmiNVC -+RxmtsGup3We8lW+Ngdlkx8zUEUeQq+DeL3t9f/4EQIDAQABo4GVMIGSMA4GA1Ud -DwEB/wQEAwIDqDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O -BBYEFMKLVTrdDyyF0kTxkxcAMcGNcGWlMB8GA1UdIwQYMBaAFNmGqFL215GlYyD0 -mWVIoMB71s+NMCEGA1UdEQQaMBiCFlZhdWx0IFRlc3QgQ2VydGlmaWNhdGUwDQYJ -KoZIhvcNAQELBQADggEBAJJP9OWG3W5uUluKdeFYCzKMIY+rsCUb86QrKRqQ5xYR -w4pKC3yuryEfreBs3iQA4NNw2mMWxuI8t/i+km2H7NzQytTRn6L0sxTa8ThNZ3e7 -xCdWaZZzd1O6Xwq/pDbE1MZ/4z5nvsKaKJVVIvVFL5algi4A8njiFMVSww035c1e -waLww4AOHydlLky/RJBJPOkQNoDBToC9ojDqPtNJVWWaQL2TsUCu+Q+L5QL5djgj -LxPwqGOiM4SLSUrXSXMpHNLX1rhBH1/sNb3Kn1FDBaZ+M9kZglCDwuQyQuH8xKwB -qukeKfgFUp7rH0yoQTZa0eaXAYTFoRLjnTQ+fS7e19s= ------END CERTIFICATE-----` - - privECKeyPem = `-----BEGIN EC PRIVATE KEY----- -MHcCAQEEICC2XihYLxEYEseFesZEXjV1va6rMAdtkpkaxT4hGu5boAoGCCqGSM49 -AwEHoUQDQgAEti0uWkq7MAkQevNNrBpYY0FLni8OAZroHXkij2x6Vo0xIvClftbC -L33BU/520t23TcewtQYsNqv86Bvhx9PeAw== ------END EC PRIVATE KEY-----` - - csrECPem = `-----BEGIN CERTIFICATE REQUEST----- -MIHsMIGcAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw -HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwTjAQBgcqhkjOPQIBBgUr -gQQAIQM6AATBZ3VXwBE9oeSREpM5b25PW6WiuLb4EXWpKZyjj552QYKYe7QBuGe9 -wvvgOeCBovN3tSuGKzTiUKAAMAoGCCqGSM49BAMCAz8AMDwCHFap/5XDuqtXCG1g -ljbYH5OWGBqGYCfL2k2+/6cCHAuk1bmOkGx7JAq/fSPd09i0DQIqUu7WHQHms48= ------END CERTIFICATE REQUEST-----` - - privEC8KeyPem = `-----BEGIN PRIVATE KEY----- -MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgILZeKFgvERgSx4V6 -xkReNXW9rqswB22SmRrFPiEa7luhRANCAAS2LS5aSrswCRB6802sGlhjQUueLw4B -mugdeSKPbHpWjTEi8KV+1sIvfcFT/nbS3bdNx7C1Biw2q/zoG+HH094D ------END PRIVATE KEY-----` - - certECPem = `-----BEGIN CERTIFICATE----- -MIICtzCCAZ+gAwIBAgIUNDYMWd9SOGVMs4I1hezvRnGDMyUwDQYJKoZIhvcNAQEL -BQAwNzE1MDMGA1UEAxMsVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIFN1 -YiBBdXRob3JpdHkwHhcNMTYwODA0MTkyOTM0WhcNMTYwODA0MjAzMDA0WjAkMSIw -IAYDVQQDExlWYXVsdCBUZXN0IEVDIENlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYI -KoZIzj0DAQcDQgAEti0uWkq7MAkQevNNrBpYY0FLni8OAZroHXkij2x6Vo0xIvCl -ftbCL33BU/520t23TcewtQYsNqv86Bvhx9PeA6OBmDCBlTAOBgNVHQ8BAf8EBAMC -A6gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBStnbW/ -ga2/dz4FyRNafwhTzM1UbzAfBgNVHSMEGDAWgBTZhqhS9teRpWMg9JllSKDAe9bP -jTAkBgNVHREEHTAbghlWYXVsdCBUZXN0IEVDIENlcnRpZmljYXRlMA0GCSqGSIb3 -DQEBCwUAA4IBAQBsPhwRB51de3sGBMnjDiOMViYpRH7kKhUWAY1W2W/1hqk5HgZw -4c3r0LmdIQ94gShaXng8ojYRDW/5D7LeXJdbtLy9U29xfeCb+vqKDc2oN7Ps3/HB -4YLnseqDiZFKPEAdOE4rtwyFWJI7JR9sOSG1B5El6duN0i9FWOLSklQ4EbV5R45r -cy/fJq0DOYje7MXsFuNl5iQ92gfDjPD2P98DK9lCIquSzB3WkpjE41UtKJ0IKPeD -wYoyl0J33Alxq2eC2subR7xISR3MzZFcdkzNNrBddeaSviYlR4SgTUiqOldAcdR4 -QZxtxazcUqQDZ+wZFOpBOnp94bzVeXT9BF+L ------END CERTIFICATE-----` - - issuingCaChainPem = []string{`-----BEGIN CERTIFICATE----- -MIIDljCCAn6gAwIBAgIUHjciEzUzeNVqI9mwFJeduNtXWzMwDQYJKoZIhvcNAQEL -BQAwMzExMC8GA1UEAxMoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1 -dGhvcml0eTAeFw0xNjA4MDQxOTEyNTdaFw0xNjA4MDUyMDEzMjdaMDcxNTAzBgNV -BAMTLFZhdWx0IFRlc3RpbmcgSW50ZXJtZWRpYXRlIFN1YiBTdWIgQXV0aG9yaXR5 -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy2pAH1U8KzhjO+MLRPTb -ic7Iyk57d0TFnj6CAJWqZaKNGXoTkwD8wRCirY8mQv8YrfBy3hwGqSLYj6oxwA0R -8FxsiWdf4gFTX2cJpxThFnIllGbzqIXnEZLvCIMydp44Ls9eYxoXfZQ9X24u/Wmf -kWEQFGUzrpyklkIOx2Yo5g7OHbFLl3OfPz89/TDM8VeymlGzCTJZ+Y+iNGDBPT0L -X9aE65lL76dUx/bcKnfQEgAcH4nkE4K/Kgjnj5umZKQUH4+6wKFwDCQT2RwaBkve -WyAiz0LY9a1WFXt7RYCPs+QWLJAhv7wJL8l4gnxYA1k+ovLXDjUqYweU+WHV6/lR -7wIDAQABo4GdMIGaMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0G -A1UdDgQWBBTZhqhS9teRpWMg9JllSKDAe9bPjTAfBgNVHSMEGDAWgBRTY6430DXg -cIDAnEnA+fostjcbqDA3BgNVHREEMDAugixWYXVsdCBUZXN0aW5nIEludGVybWVk -aWF0ZSBTdWIgU3ViIEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEAZp3VwrUw -jw6TzjZJEnXkfRxLWZNmqMPAXYOtBl/+5FjAfehifTTzIdIxR4mfdgH5YZnSQpzY -m/w17BXElao8uOX6CUaX+sLTVzwsl2csswpcGlNwHooVREoMq9X187qxSr1HS7zF -O550XgDVIf5e7sXrVuV1rd1XUo3xZLaSLUhU70y/343mcN2TRUslXO4QrIE5lo2v -awyQl0NW0hSO0F9VZYzOvPPVwu7mf1ijTzbkPtUbAXDnmlvOCrlx2JZd/BqXb75e -UgYDq7hIyQ109FBOjv0weAM5tZCdesyvro4/43Krd8pa74zHdZMjfQAsTr66WOi4 -yedj8LnWl66JOA== ------END CERTIFICATE-----`, - `-----BEGIN CERTIFICATE----- -MIIDijCCAnKgAwIBAgIUBNDYCUsOT2Wth8Fz3layfjEVbcIwDQYJKoZIhvcNAQEL -BQAwLzEtMCsGA1UEAxMkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9y -aXR5MB4XDTE2MDgwNDE5MTI1NloXDTE2MDgwNjIxMTMyNlowMzExMC8GA1UEAxMo -VmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3ViIEF1dGhvcml0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBALHoD7g5YYu2akO8hkFlUCF45Bxjckq4 -WTyDIcDwv/wr7vhZnngCClnP+7Rc30XTmkq2RnH6N7iuqowGM5RNcBV/C9R1weVx -9esXtWr/AUMyuNb3HSjwDwQGuiAVEgk67fXYy08Ii78+ap3uY3CKC1AFDkHdgDZt -e946rJ3Nps00TcH0KwyP5voitLgt6dMBR9ttuUdSoQ4uLQDdDf0HRw/IAQswO4Av -lgUgQObBecnLGhh7e3PM5VVz5f0IqG2ZYnDs3ncl2UYOrj0/JqOMDIMvSQMc2pzS -Hjty0d1wKWWPC9waguL/24oQR4VG5b7TL62elc2kcEg7r8u5L/sCi/8CAwEAAaOB -mTCBljAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -U2OuN9A14HCAwJxJwPn6LLY3G6gwHwYDVR0jBBgwFoAUgAz80p6Pkzk6Cb7lYmTI -T1jc7iYwMwYDVR0RBCwwKoIoVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgU3Vi -IEF1dGhvcml0eTANBgkqhkiG9w0BAQsFAAOCAQEACXjzGVqRZi6suHwBqvXwVxlS -nf5YwudfBDJ4LfNd5nTCypsvHkfXnaki6LZMCS1rwPvxzssZ5Wp/7zO5fu6lpSTx -yjuiH5fBUGHy+f1Ygu6tlAZtUnxAi6pU4eoCDNZpqunJMM4IdaahHeICdjPhx/bH -AlmwaN0FsNvOlgUuPTjQ3z6jMZn3p2lXI3HiRlcz+nR7gQizPb2L7u8mQ+5EZFmC -AmXMj40g3bTJVmKoGeAR7cb0pYG/GUELmERjEjCfP7W15eYfuu1j7EYTUAVuPAlJ -34HDxCuM8cPJwCGMDKfb3Q39AYRmLT6sE3/sq2CZ5xlj8wfwDpVfpXikRDpI0A== ------END CERTIFICATE-----`, - `-----BEGIN CERTIFICATE----- -MIIDejCCAmKgAwIBAgIUEtjlbdzIth3U71TELA0PVW7HvaEwDQYJKoZIhvcNAQEL -BQAwJzElMCMGA1UEAxMcVmF1bHQgVGVzdGluZyBSb290IEF1dGhvcml0eTAeFw0x -NjA4MDQxOTEyNTVaFw0xNjA4MDgyMzEzMjVaMC8xLTArBgNVBAMTJFZhdWx0IFRl -c3RpbmcgSW50ZXJtZWRpYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAMYAQAHCm9V9062NF/UuAa6z6aYqsS5g2YGkd9DvgYxfU5JI -yIdSz7rkp9QprlQYl2abptZocq+1C9yRVmRJWKjZYDckSwXdmQam/sOfNuiw6Gbd -3OJGdQ82jhx3v3mIQp+3u9E43wXX0StaJ44+9DgkgwG8iybiv4fh0LzuHPSeKsXe -/IvJZ0YAInWuzFNegYxU32UT2CEvLtZdru8+sLr4NFWRu/nYIMPJDeZ2JEQVi9IF -lcB3dP63c6vMBrn4Wn2xBo12JPsQp+ezf5Z5zmtAe68PwRmIXZVAUa2q+CfEuJ36 -66756Ypa0Z3brhPWfX2ahhxSg8DjqFGmZZ5Gfl8CAwEAAaOBlTCBkjAOBgNVHQ8B -Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgAz80p6Pkzk6Cb7l -YmTIT1jc7iYwHwYDVR0jBBgwFoAU6dC1U32HZp7iq97KSu2i+g8+rf4wLwYDVR0R -BCgwJoIkVmF1bHQgVGVzdGluZyBJbnRlcm1lZGlhdGUgQXV0aG9yaXR5MA0GCSqG -SIb3DQEBCwUAA4IBAQA6xVMyuZgpJhIQnG2LwwD5Zcbmm4+rHkGVNSpwkUH8ga8X -b4Owog+MvBw8R7ADVwAh/aOh1/qsRfHv8KkMWW+SAQ84ICVXJiPBzEUJaMWujpyr -SDkbaD05avRtfvSrPCagaUGVRt+wK24g8hpJqQ+trkufzjq9ySU018+NNX9yGRyA -VjwZAqALlNEAkdcvd4adEBpZqum2x1Fl9EXnjp6NEWQ7nuGkp3X2DP4gDtQPxgmn -omOo4GHhO0U57exEIl0d4kiy9WU0qcIISOr6I+gzesMooX6aI43CaqJoZKsHXYY6 -1uxFLss+/wDtvIcyXdTdjPrgD38YIgk1/iKNIgKO ------END CERTIFICATE-----`} + initTest sync.Once + privRSA8KeyPem string + privRSAKeyPem string + csrRSAPem string + certRSAPem string + privECKeyPem string + csrECPem string + privEC8KeyPem string + certECPem string + issuingCaChainPem []string ) diff --git a/helper/certutil/pkcs8.go b/helper/certutil/pkcs8.go deleted file mode 100644 index 22585de0c..000000000 --- a/helper/certutil/pkcs8.go +++ /dev/null @@ -1,119 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package certutil - -import ( - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rsa" - "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "errors" - "fmt" -) - -var ( - oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33} - oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7} - oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34} - oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35} - - oidPublicKeyRSA = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1} - oidPublicKeyDSA = asn1.ObjectIdentifier{1, 2, 840, 10040, 4, 1} - oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} -) - -// pkcs8 reflects an ASN.1, PKCS#8 PrivateKey. See -// ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-8/pkcs-8v1_2.asn -// and RFC 5208. -type pkcs8 struct { - Version int - Algo pkix.AlgorithmIdentifier - PrivateKey []byte - // optional attributes omitted. -} - -type ecPrivateKey struct { - Version int - PrivateKey []byte - NamedCurveOID asn1.ObjectIdentifier `asn1:"optional,explicit,tag:0"` - PublicKey asn1.BitString `asn1:"optional,explicit,tag:1"` -} - -// MarshalPKCS8PrivateKey converts a private key to PKCS#8 encoded form. -// The following key types are supported: *rsa.PrivateKey, *ecdsa.PublicKey. -// Unsupported key types result in an error. -// -// See RFC 5208. -func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error) { - var privKey pkcs8 - - switch k := key.(type) { - case *rsa.PrivateKey: - privKey.Algo = pkix.AlgorithmIdentifier{ - Algorithm: oidPublicKeyRSA, - Parameters: asn1.NullRawValue, - } - privKey.PrivateKey = x509.MarshalPKCS1PrivateKey(k) - - case *ecdsa.PrivateKey: - oid, ok := oidFromNamedCurve(k.Curve) - if !ok { - return nil, errors.New("x509: unknown curve while marshalling to PKCS#8") - } - - oidBytes, err := asn1.Marshal(oid) - if err != nil { - return nil, errors.New("x509: failed to marshal curve OID: " + err.Error()) - } - - privKey.Algo = pkix.AlgorithmIdentifier{ - Algorithm: oidPublicKeyECDSA, - Parameters: asn1.RawValue{ - FullBytes: oidBytes, - }, - } - - if privKey.PrivateKey, err = marshalECPrivateKeyWithOID(k, nil); err != nil { - return nil, errors.New("x509: failed to marshal EC private key while building PKCS#8: " + err.Error()) - } - - default: - return nil, fmt.Errorf("x509: unknown key type while marshalling PKCS#8: %T", key) - } - - return asn1.Marshal(privKey) -} - -func oidFromNamedCurve(curve elliptic.Curve) (asn1.ObjectIdentifier, bool) { - switch curve { - case elliptic.P224(): - return oidNamedCurveP224, true - case elliptic.P256(): - return oidNamedCurveP256, true - case elliptic.P384(): - return oidNamedCurveP384, true - case elliptic.P521(): - return oidNamedCurveP521, true - } - - return nil, false -} - -// marshalECPrivateKey marshals an EC private key into ASN.1, DER format and -// sets the curve ID to the given OID, or omits it if OID is nil. -func marshalECPrivateKeyWithOID(key *ecdsa.PrivateKey, oid asn1.ObjectIdentifier) ([]byte, error) { - privateKeyBytes := key.D.Bytes() - paddedPrivateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8) - copy(paddedPrivateKey[len(paddedPrivateKey)-len(privateKeyBytes):], privateKeyBytes) - - return asn1.Marshal(ecPrivateKey{ - Version: 1, - PrivateKey: paddedPrivateKey, - NamedCurveOID: oid, - PublicKey: asn1.BitString{Bytes: elliptic.Marshal(key.Curve, key.X, key.Y)}, - }) -} diff --git a/helper/certutil/pkcs8_test.go b/helper/certutil/pkcs8_test.go deleted file mode 100644 index df350ead4..000000000 --- a/helper/certutil/pkcs8_test.go +++ /dev/null @@ -1,110 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package certutil - -import ( - "bytes" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rsa" - "crypto/x509" - "encoding/hex" - "reflect" - "testing" -) - -// Generated using: -// openssl genrsa 1024 | openssl pkcs8 -topk8 -nocrypt -var pkcs8RSAPrivateKeyHex = `30820278020100300d06092a864886f70d0101010500048202623082025e02010002818100cfb1b5bf9685ffa97b4f99df4ff122b70e59ac9b992f3bc2b3dde17d53c1a34928719b02e8fd17839499bfbd515bd6ef99c7a1c47a239718fe36bfd824c0d96060084b5f67f0273443007a24dfaf5634f7772c9346e10eb294c2306671a5a5e719ae24b4de467291bc571014b0e02dec04534d66a9bb171d644b66b091780e8d020301000102818100b595778383c4afdbab95d2bfed12b3f93bb0a73a7ad952f44d7185fd9ec6c34de8f03a48770f2009c8580bcd275e9632714e9a5e3f32f29dc55474b2329ff0ebc08b3ffcb35bc96e6516b483df80a4a59cceb71918cbabf91564e64a39d7e35dce21cb3031824fdbc845dba6458852ec16af5dddf51a8397a8797ae0337b1439024100ea0eb1b914158c70db39031dd8904d6f18f408c85fbbc592d7d20dee7986969efbda081fdf8bc40e1b1336d6b638110c836bfdc3f314560d2e49cd4fbde1e20b024100e32a4e793b574c9c4a94c8803db5152141e72d03de64e54ef2c8ed104988ca780cd11397bc359630d01b97ebd87067c5451ba777cf045ca23f5912f1031308c702406dfcdbbd5a57c9f85abc4edf9e9e29153507b07ce0a7ef6f52e60dcfebe1b8341babd8b789a837485da6c8d55b29bbb142ace3c24a1f5b54b454d01b51e2ad03024100bd6a2b60dee01e1b3bfcef6a2f09ed027c273cdbbaf6ba55a80f6dcc64e4509ee560f84b4f3e076bd03b11e42fe71a3fdd2dffe7e0902c8584f8cad877cdc945024100aa512fa4ada69881f1d8bb8ad6614f192b83200aef5edf4811313d5ef30a86cbd0a90f7b025c71ea06ec6b34db6306c86b1040670fd8654ad7291d066d06d031` - -// Generated using: -// openssl ecparam -genkey -name secp224r1 | openssl pkcs8 -topk8 -nocrypt -var pkcs8P224PrivateKeyHex = `3078020100301006072a8648ce3d020106052b810400210461305f020101041cca3d72b3e88fed2684576dad9b80a9180363a5424986900e3abcab3fa13c033a0004f8f2a6372872a4e61263ed893afb919576a4cacfecd6c081a2cbc76873cf4ba8530703c6042b3a00e2205087e87d2435d2e339e25702fae1` - -// Generated using: -// openssl ecparam -genkey -name secp256r1 | openssl pkcs8 -topk8 -nocrypt -var pkcs8P256PrivateKeyHex = `308187020100301306072a8648ce3d020106082a8648ce3d030107046d306b0201010420dad6b2f49ca774c36d8ae9517e935226f667c929498f0343d2424d0b9b591b43a14403420004b9c9b90095476afe7b860d8bd43568cab7bcb2eed7b8bf2fa0ce1762dd20b04193f859d2d782b1e4cbfd48492f1f533113a6804903f292258513837f07fda735` - -// Generated using: -// openssl ecparam -genkey -name secp384r1 | openssl pkcs8 -topk8 -nocrypt -var pkcs8P384PrivateKeyHex = `3081b6020100301006072a8648ce3d020106052b8104002204819e30819b02010104309bf832f6aaaeacb78ce47ffb15e6fd0fd48683ae79df6eca39bfb8e33829ac94aa29d08911568684c2264a08a4ceb679a164036200049070ad4ed993c7770d700e9f6dc2baa83f63dd165b5507f98e8ff29b5d2e78ccbe05c8ddc955dbf0f7497e8222cfa49314fe4e269459f8e880147f70d785e530f2939e4bf9f838325bb1a80ad4cf59272ae0e5efe9a9dc33d874492596304bd3` - -// Generated using: -// openssl ecparam -genkey -name secp521r1 | openssl pkcs8 -topk8 -nocrypt -// -// Note that OpenSSL will truncate the private key if it can (i.e. it emits it -// like an integer, even though it's an OCTET STRING field). Thus if you -// regenerate this you may, randomly, find that it's a byte shorter than -// expected and the Go test will fail to recreate it exactly. -var pkcs8P521PrivateKeyHex = `3081ee020100301006072a8648ce3d020106052b810400230481d63081d3020101044200cfe0b87113a205cf291bb9a8cd1a74ac6c7b2ebb8199aaa9a5010d8b8012276fa3c22ac913369fa61beec2a3b8b4516bc049bde4fb3b745ac11b56ab23ac52e361a1818903818600040138f75acdd03fbafa4f047a8e4b272ba9d555c667962b76f6f232911a5786a0964e5edea6bd21a6f8725720958de049c6e3e6661c1c91b227cebee916c0319ed6ca003db0a3206d372229baf9dd25d868bf81140a518114803ce40c1855074d68c4e9dab9e65efba7064c703b400f1767f217dac82715ac1f6d88c74baf47a7971de4ea` - -func TestPKCS8(t *testing.T) { - tests := []struct { - name string - keyHex string - keyType reflect.Type - curve elliptic.Curve - }{ - { - name: "RSA private key", - keyHex: pkcs8RSAPrivateKeyHex, - keyType: reflect.TypeOf(&rsa.PrivateKey{}), - }, - { - name: "P-224 private key", - keyHex: pkcs8P224PrivateKeyHex, - keyType: reflect.TypeOf(&ecdsa.PrivateKey{}), - curve: elliptic.P224(), - }, - { - name: "P-256 private key", - keyHex: pkcs8P256PrivateKeyHex, - keyType: reflect.TypeOf(&ecdsa.PrivateKey{}), - curve: elliptic.P256(), - }, - { - name: "P-384 private key", - keyHex: pkcs8P384PrivateKeyHex, - keyType: reflect.TypeOf(&ecdsa.PrivateKey{}), - curve: elliptic.P384(), - }, - { - name: "P-521 private key", - keyHex: pkcs8P521PrivateKeyHex, - keyType: reflect.TypeOf(&ecdsa.PrivateKey{}), - curve: elliptic.P521(), - }, - } - - for _, test := range tests { - derBytes, err := hex.DecodeString(test.keyHex) - if err != nil { - t.Errorf("%s: failed to decode hex: %s", test.name, err) - continue - } - privKey, err := x509.ParsePKCS8PrivateKey(derBytes) - if err != nil { - t.Errorf("%s: failed to decode PKCS#8: %s", test.name, err) - continue - } - if reflect.TypeOf(privKey) != test.keyType { - t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", test.name, privKey) - continue - } - if ecKey, isEC := privKey.(*ecdsa.PrivateKey); isEC && ecKey.Curve != test.curve { - t.Errorf("%s: decoded PKCS#8 returned unexpected curve %#v", test.name, ecKey.Curve) - continue - } - reserialised, err := MarshalPKCS8PrivateKey(privKey) - if err != nil { - t.Errorf("%s: failed to marshal into PKCS#8: %s", test.name, err) - continue - } - if !bytes.Equal(derBytes, reserialised) { - t.Errorf("%s: marshalled PKCS#8 didn't match original: got %x, want %x", test.name, reserialised, derBytes) - continue - } - } -} diff --git a/helper/certutil/types.go b/helper/certutil/types.go index dbf607f5c..372af6888 100644 --- a/helper/certutil/types.go +++ b/helper/certutil/types.go @@ -188,7 +188,7 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) { result.CertificateBytes = pemBlock.Bytes result.Certificate, err = x509.ParseCertificate(result.CertificateBytes) if err != nil { - return nil, errutil.UserError{Err: "Error encountered parsing certificate bytes from raw bundle"} + return nil, errutil.UserError{Err: fmt.Sprintf("Error encountered parsing certificate bytes from raw bundle: %v", err)} } } switch { @@ -201,7 +201,7 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) { parsedCert, err := x509.ParseCertificate(pemBlock.Bytes) if err != nil { - return nil, errutil.UserError{Err: "Error encountered parsing certificate bytes from raw bundle"} + return nil, errutil.UserError{Err: fmt.Sprintf("Error encountered parsing certificate bytes from raw bundle via CA chain: %v", err)} } certBlock := &CertBlock{ @@ -220,7 +220,7 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) { parsedCert, err := x509.ParseCertificate(pemBlock.Bytes) if err != nil { - return nil, errutil.UserError{Err: "Error encountered parsing certificate bytes from raw bundle3"} + return nil, errutil.UserError{Err: fmt.Sprintf("Error encountered parsing certificate bytes from raw bundle via issuing CA: %v", err)} } result.SerialNumber = result.Certificate.SerialNumber @@ -444,7 +444,7 @@ func (c *CSRBundle) ToParsedCSRBundle() (*ParsedCSRBundle, error) { result.CSRBytes = pemBlock.Bytes result.CSR, err = x509.ParseCertificateRequest(result.CSRBytes) if err != nil { - return nil, errutil.UserError{Err: fmt.Sprintf("Error encountered parsing certificate bytes from raw bundle: %v", err)} + return nil, errutil.UserError{Err: fmt.Sprintf("Error encountered parsing certificate bytes from raw bundle via CSR: %v", err)} } } diff --git a/helper/pgpkeys/keybase.go b/helper/pgpkeys/keybase.go index 5c14cbced..c116194b0 100644 --- a/helper/pgpkeys/keybase.go +++ b/helper/pgpkeys/keybase.go @@ -49,25 +49,25 @@ func FetchKeybasePubkeys(input []string) (map[string]string, error) { } defer resp.Body.Close() - type publicKeys struct { + type PublicKeys struct { Primary struct { Bundle string } } - type them struct { - publicKeys `json:"public_keys"` + type LThem struct { + PublicKeys `json:"public_keys"` } - type kbResp struct { + type KbResp struct { Status struct { Name string } - Them []them + Them []LThem } - out := &kbResp{ - Them: []them{}, + out := &KbResp{ + Them: []LThem{}, } if err := jsonutil.DecodeJSONFromReader(resp.Body, out); err != nil {