From e78f37e6638c4daab2e9d0c11e4816294ebe9aad Mon Sep 17 00:00:00 2001
From: Michel Vocks
Date: Mon, 23 Jul 2018 16:04:24 +0200
Subject: [PATCH] Fixed some issues and added tests.
---
 security/tls.go | 19 +++----
 security/tls_test.go | 121 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 131 insertions(+), 9 deletions(-)
 create mode 100644 security/tls_test.go
diff --git a/security/tls.go b/security/tls.go
index 158f7f56..e6ba2a4d 100644
--- a/security/tls.go
+++ b/security/tls.go
@@ -37,12 +37,6 @@ func GenerateCA() error {
 caKeyPath := filepath.Join(gaia.Cfg.DataPath, keyName)
 cleanupCerts(caCertPath, caKeyPath)
- // Generate the key
- key, err := rsa.GenerateKey(rand.Reader, rsaBits)
- if err != nil {
- return err
- }
-
 // Set time range for cert validation
 notBefore := time.Now()
 notAfter := notBefore.Add(time.Hour * maxValidCA)
@@ -55,7 +49,7 @@ func GenerateCA() error {
 }
 // Generate CA template
- template := x509.Certificate{
+ template := &x509.Certificate{
 SerialNumber: serialNumber,
 Subject: pkix.Name{
 Organization: []string{orgName},
@@ -65,13 +59,19 @@ func GenerateCA() error {
 IsCA: true,
 KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 BasicConstraintsValid: true,
 DNSNames: []string{orgDNS},
 }
+ // Generate the key
+ key, err := rsa.GenerateKey(rand.Reader, rsaBits)
+ if err != nil {
+ return err
+ }
+
 // Create certificate authority
- derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.PublicKey, key)
+ derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
 if err != nil {
 return err
 }
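Review bot: The CA template now carries `ExtKeyUsageClientAuth` next to `ExtKeyUsageServerAuth`, keeps `KeyUsageKeyEncipherment`, and has a `DNSNames` SAN, so the root certificate itself validates as a TLS client and server leaf for `orgDNS`; a signing-only CA needs `x509.KeyUsageCertSign` (plus `KeyUsageCRLSign` if CRLs are issued) and no EKU or SAN at all. The wider usage appears to exist so the CA can self-verify with `DNSName: orgDNS` in the new tls_test.go — hedged, since only the test shows that need — and the cleaner fix is to verify a leaf from createSignedCert against the pool and keep the CA at `KeyUsage: x509.KeyUsageCertSign,` with `ExtKeyUsage` and `DNSNames` removed. Leaving the CA key usable to terminate TLS directly means a compromise of that one key forges both the hierarchy and individual endpoints, and its use on the wire is indistinguishable from an issued leaf in logs and detections. The `&key.PublicKey` fix in the CreateCertificate call is correct; the earlier `key.PublicKey` passed the struct by value, which the x509 package does not accept. GenerateCA begins before the first hunk and continues after this one.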
@@ -134,6 +134,7 @@ func createSignedCert() (string, string, error) {
 SubjectKeyId: []byte{1, 2, 3, 4, 6},
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 KeyUsage: x509.KeyUsageDigitalSignature,
+ DNSNames: []string{orgDNS},
 }
 priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)
 pub := &priv.PublicKey
diff --git a/security/tls_test.go b/security/tls_test.go
new file mode 100644
index 00000000..f924a0ee
--- /dev/null
+++ b/security/tls_test.go
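Review bot: Two lines below the new `DNSNames` entry, `priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)` discards the key-generation error, so a failure there continues with a nil key into `pub := &priv.PublicKey` and whatever signs the template afterwards; since this literal is being edited, `priv, err := rsa.GenerateKey(rand.Reader, rsaBits)` followed by `if err != nil { return "", "", err }` would bring it in line with the handling GenerateCA uses. The SAN added here is the fixed `orgDNS` constant rather than a host the server is actually reached at, which presumably means clients must set `ServerName` to that value for verification to pass — worth a comment on the field, e.g. `// SAN must match the ServerName clients verify against.` createSignedCert starts and ends outside this hunk.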
@@ -0,0 +1,121 @@
+package security
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "io/ioutil"
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/gaia-pipeline/gaia"
+)
+
+func TestGenerateCA(t *testing.T) {
+ gaia.Cfg = &gaia.Config{}
+ gaia.Cfg.DataPath = os.TempDir()
+
+ err := GenerateCA()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+ caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+ // Load CA plain
+ caPlain, err := tls.LoadX509KeyPair(caCertPath, caKeyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Parse certificate
+ ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Create cert pool and load ca root
+ certPool := x509.NewCertPool()
+ rootCA, err := ioutil.ReadFile(caCertPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ ok := certPool.AppendCertsFromPEM(rootCA)
+ if !ok {
+ t.Fatalf("Cannot append root cert to cert pool!\n")
+ }
+
+ _, err = ca.Verify(x509.VerifyOptions{
+ Roots: certPool,
+ DNSName: orgDNS,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ err = cleanupCerts(caCertPath, caKeyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestCreateSignedCert(t *testing.T) {
+ gaia.Cfg = &gaia.Config{}
+ gaia.Cfg.DataPath = os.TempDir()
+
+ err := GenerateCA()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+ caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+ certPath, keyPath, err := createSignedCert()
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Load CA plain
+ caPlain, err := tls.LoadX509KeyPair(certPath, keyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Parse certificate
+ ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // Create cert pool and load ca root
+ certPool := x509.NewCertPool()
+ rootCA, err := ioutil.ReadFile(caCertPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ ok := certPool.AppendCertsFromPEM(rootCA)
+ if !ok {
+ t.Fatalf("Cannot append root cert to cert pool!\n")
+ }
+
+ _, err = ca.Verify(x509.VerifyOptions{
+ Roots: certPool,
+ DNSName: orgDNS,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ err = cleanupCerts(caCertPath, caKeyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ err = cleanupCerts(certPath, keyPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+}
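Review bot: Both tests call cleanupCerts only on the success path at the bottom, so any `t.Fatal` in between leaves `ca.key` (and in TestCreateSignedCert the signed key pair as well) at a fixed, predictable path under `os.TempDir()`; the CA files are only removed when the next GenerateCA run reaches its own cleanupCerts, and whether the leaf files are ever removed is not visible here. Creating a per-test directory right after the config is set and deferring its removal closes that gap and stops the two tests from sharing `ca.crt`/`ca.key` if they are ever run in parallel: `dir, err := ioutil.TempDir("", "gaia-tls")` … `defer os.RemoveAll(dir)` … `gaia.Cfg.DataPath = dir` (`t.TempDir()` does the same in one line if the toolchain is recent enough). In TestCreateSignedCert the loaded pair is the leaf, not the CA, so `caPlain`, `ca` and the comment `// Load CA plain` are misleading; `pair, err := tls.LoadX509KeyPair(certPath, keyPath)` and `leaf, err := x509.ParseCertificate(pair.Certificate[0])` read as intended. The `t.Fatalf` calls with a constant message and no format arguments should be `t.Fatal("Cannot append root cert to cert pool!")`, which go vet flags otherwise.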