Fixed some issues and added tests.
michelvocks committed Jul 23, 2018
1 parent e16a2e8 commit e78f37e
Showing 2 changed files with 131 additions and 9 deletions.
19 changes: 10 additions & 9 deletions security/tls.go
Expand Up @@ -37,12 +37,6 @@ func GenerateCA() error {
caKeyPath := filepath.Join(gaia.Cfg.DataPath, keyName)
cleanupCerts(caCertPath, caKeyPath)

// Generate the key
key, err := rsa.GenerateKey(rand.Reader, rsaBits)
if err != nil {
return err
}

// Set time range for cert validation
notBefore := time.Now()
notAfter := notBefore.Add(time.Hour * maxValidCA)
Expand All @@ -55,7 +49,7 @@ func GenerateCA() error {
}

// Generate CA template
template := x509.Certificate{
template := &x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{orgName},
Expand All @@ -65,13 +59,19 @@ func GenerateCA() error {

IsCA: true,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
DNSNames: []string{orgDNS},
}

// Generate the key
key, err := rsa.GenerateKey(rand.Reader, rsaBits)
if err != nil {
return err
}

// Create certificate authority
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.PublicKey, key)
derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return err
}
Expand Down Expand Up @@ -134,6 +134,7 @@ func createSignedCert() (string, string, error) {
SubjectKeyId: []byte{1, 2, 3, 4, 6},
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
KeyUsage: x509.KeyUsageDigitalSignature,
DNSNames: []string{orgDNS},
}
priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)
pub := &priv.PublicKey
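Review bot: The CA template in the second hunk now combines `IsCA: true` with `ExtKeyUsageClientAuth`/`ExtKeyUsageServerAuth` and `DNSNames: []string{orgDNS}`, so the CA certificate and its private key are also a valid TLS end-entity credential for orgDNS, which widens what a leaked CA key can be used for. Go's chain verifier requires a CA's EKUs to cover the leaf's, which presumably is why the EKUs were added (the new test verifies a ClientAuth/ServerAuth leaf), but the DNS SAN on the CA is not needed for that and could be dropped unless the CA pair is deliberately used to terminate TLS directly. If it is deliberate, say so above the template: `// NOTE: the CA also carries orgDNS as a SAN and the leaf EKUs so the same pair can serve TLS directly; keep the key file permissions tight.` GenerateCA starts and ends outside the visible hunks, and in the last hunk the context line `priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)` still discards the key-generation error while the moved CA code in the third hunk now checks it — the two should be consistent.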
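--- a/security/tls_test.go
+++ b/security/tls_test.go
@@ -0,0 +1,121 @@
+package security
+
+import (
+"crypto/tls"
+"crypto/x509"
+"io/ioutil"
+"os"
+"path/filepath"
+"testing"
+
+"github.com/gaia-pipeline/gaia"
+)
+
+func TestGenerateCA(t *testing.T) {
+gaia.Cfg = &gaia.Config{}
+gaia.Cfg.DataPath = os.TempDir()
+
+err := GenerateCA()
+if err != nil {
+t.Fatal(err)
+}
+
+caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+// Load CA plain
+caPlain, err := tls.LoadX509KeyPair(caCertPath, caKeyPath)
+if err != nil {
+t.Fatal(err)
+}
+
+// Parse certificate
+ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+if err != nil {
+t.Fatal(err)
+}
+
+// Create cert pool and load ca root
+certPool := x509.NewCertPool()
+rootCA, err := ioutil.ReadFile(caCertPath)
+if err != nil {
+t.Fatal(err)
+}
+
+ok := certPool.AppendCertsFromPEM(rootCA)
+if !ok {
+t.Fatalf("Cannot append root cert to cert pool!\n")
+}
+
+_, err = ca.Verify(x509.VerifyOptions{
+Roots: certPool,
+DNSName: orgDNS,
+})
+if err != nil {
+t.Fatal(err)
+}
+
+err = cleanupCerts(caCertPath, caKeyPath)
+if err != nil {
+t.Fatal(err)
+}
+}
+
+func TestCreateSignedCert(t *testing.T) {
+gaia.Cfg = &gaia.Config{}
+gaia.Cfg.DataPath = os.TempDir()
+
+err := GenerateCA()
+if err != nil {
+t.Fatal(err)
+}
+
+caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+certPath, keyPath, err := createSignedCert()
+if err != nil {
+t.Fatal(err)
+}
+
+// Load CA plain
+caPlain, err := tls.LoadX509KeyPair(certPath, keyPath)
+if err != nil {
+t.Fatal(err)
+}
+
+// Parse certificate
+ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+if err != nil {
+t.Fatal(err)
+}
+
+// Create cert pool and load ca root
+certPool := x509.NewCertPool()
+rootCA, err := ioutil.ReadFile(caCertPath)
+if err != nil {
+t.Fatal(err)
+}
+
+ok := certPool.AppendCertsFromPEM(rootCA)
+if !ok {
+t.Fatalf("Cannot append root cert to cert pool!\n")
+}
+
+_, err = ca.Verify(x509.VerifyOptions{
+Roots: certPool,
+DNSName: orgDNS,
+})
+if err != nil {
+t.Fatal(err)
+}
+
+err = cleanupCerts(caCertPath, caKeyPath)
+if err != nil {
+t.Fatal(err)
+}
+err = cleanupCerts(certPath, keyPath)
+if err != nil {
+t.Fatal(err)
+}
+}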
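Review bot: Both tests point `gaia.Cfg.DataPath` at the shared `os.TempDir()` and write fixed-name `ca.crt`/`ca.key` there, so concurrent test processes or `-count` runs race on the same files, and any `t.Fatal` that fires before the closing `cleanupCerts` calls leaves CA and leaf private keys behind in a directory every local user can read. A per-test directory torn down by `defer` fixes both at once: `dir, err := ioutil.TempDir("", "gaia-tls")` (fail the test on error), `defer os.RemoveAll(dir)`, `gaia.Cfg.DataPath = dir`, after which the explicit cleanupCerts calls become optional. The `Verify` in TestGenerateCA checks the CA against a pool that contains only itself, so it mostly confirms the self-signature and the orgDNS SAN rather than any chain building; that is fine, but worth a one-line comment so it is not mistaken for a stronger check. In TestCreateSignedCert the leaf pair is held in `caPlain`/`ca`, which reads as if the CA were being verified a second time — `leafPair`/`leaf` would make the intent obvious.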
