Added "Subject Key Identifier" and "Authority Key Identifier" tests t…

…o `tls_locally_signed_cert` and `tls_self_signed_cert` resources

internal/provider/fixtures_test.go

@@ -174,6 +174,10 @@ DsM3TQL4LuEE9V2lU2L2f3kXKrkYzLJj7R4sGck5Fo/E8eeIFm1Z5FCPcia82N+C
 xDsNFvV3r8TsRH60IxFekKddI+ivepa97SvC4r+69MPyxULHNwDtSL+8T4q01LEP
 VKT7dWjBK3K0xxH0SPCtlqRbGalWz4adNNHazN/x7ebK+WB9ReSM
 -----END CERTIFICATE-----
-
 `
 )
+
+var (
+	testPrivateKeyPEMSubjectKeyID = []byte{207, 81, 38, 63, 172, 18, 241, 109, 195, 169, 6, 109, 237, 6, 18, 214, 52, 231, 17, 222}
+	testCAPrivateKeySubjectKeyID  = []byte{242, 39, 231, 129, 23, 93, 231, 171, 243, 171, 29, 48, 45, 93, 12, 82, 97, 100, 255, 81}
+)

internal/provider/resource_locally_signed_cert_test.go

@@ -59,6 +59,7 @@ func TestAccResourceLocallySignedCert(t *testing.T) {
 					}),
 					testCheckPEMCertificateAgainstPEMRootCA("tls_locally_signed_cert.test", "cert_pem", []byte(testCACert)),
 					testCheckPEMCertificateDuration("tls_locally_signed_cert.test", "cert_pem", time.Hour),
+					testCheckPEMCertificateAuthorityKeyID("tls_locally_signed_cert.test", "cert_pem", testCAPrivateKeySubjectKeyID),
 				),
 			},
 		},
@@ -214,6 +215,7 @@ func TestAccResourceLocallySignedCert_HandleKeyAlgorithmDeprecation(t *testing.T
 					}),
 					testCheckPEMCertificateAgainstPEMRootCA("tls_locally_signed_cert.test", "cert_pem", []byte(testCACert)),
 					testCheckPEMCertificateDuration("tls_locally_signed_cert.test", "cert_pem", time.Hour),
+					testCheckPEMCertificateAuthorityKeyID("tls_locally_signed_cert.test", "cert_pem", testCAPrivateKeySubjectKeyID),
 				),
 			},
 		},
@@ -267,6 +269,92 @@ EOT
         }`, testCertRequest, validity, earlyRenewal, testCACert, testCAPrivateKey)
 }
 
+func TestAccResourceLocallySignedCert_KeyIDs(t *testing.T) {
+	r.UnitTest(t, r.TestCase{
+		ProviderFactories: testProviders,
+		Steps: []r.TestStep{
+			{
+				Config: fmt.Sprintf(`
+					resource "tls_locally_signed_cert" "test" {
+						cert_request_pem = <<EOT
+%s
+EOT
+						validity_period_hours = 1
+						early_renewal_hours = 0
+						allowed_uses = ["server_auth"]
+						set_subject_key_id = false
+						ca_cert_pem = <<EOT
+%s
+EOT
+						ca_private_key_pem = <<EOT
+%s
+EOT
+                    }`, testCertRequest, testCACert, testCAPrivateKey,
+				),
+				// Even if `set_subject_key_id` is set to `false`, the certificate will still get
+				// an Authority Key Identifier as it's provided by the CA
+				Check: r.ComposeAggregateTestCheckFunc(
+					testCheckPEMCertificateSubjectKeyID("tls_locally_signed_cert.test", "cert_pem", nil),
+					testCheckPEMCertificateAuthorityKeyID("tls_locally_signed_cert.test", "cert_pem", testCAPrivateKeySubjectKeyID),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "tls_locally_signed_cert" "test" {
+						cert_request_pem = <<EOT
+%s
+EOT
+						validity_period_hours = 1
+						early_renewal_hours = 0
+						allowed_uses = ["server_auth"]
+						set_subject_key_id = true
+						ca_cert_pem = <<EOT
+%s
+EOT
+						ca_private_key_pem = <<EOT
+%s
+EOT
+                    }`, testCertRequest, testCACert, testCAPrivateKey,
+				),
+				Check: r.ComposeAggregateTestCheckFunc(
+					testCheckPEMCertificateSubjectKeyID("tls_locally_signed_cert.test", "cert_pem", testPrivateKeyPEMSubjectKeyID),
+					testCheckPEMCertificateAuthorityKeyID("tls_locally_signed_cert.test", "cert_pem", testCAPrivateKeySubjectKeyID),
+				),
+			},
+			{
+				Config: `
+					resource "tls_private_key" "ca_prv_test" {
+						algorithm = "ED25519"
+					}
+					resource "tls_self_signed_cert" "ca_cert_test" {
+						private_key_pem = tls_private_key.ca_prv_test.private_key_pem
+						validity_period_hours = 8760
+						allowed_uses = ["cert_signing"]
+					}
+					resource "tls_private_key" "test" {
+						algorithm = "ED25519"
+					}
+					resource "tls_cert_request" "test" {
+						private_key_pem = tls_private_key.test.private_key_pem
+					}
+					resource "tls_locally_signed_cert" "test" {
+						validity_period_hours = 1
+						early_renewal_hours = 0
+						allowed_uses = ["server_auth", "client_auth"]
+						cert_request_pem = tls_cert_request.test.cert_request_pem
+						ca_cert_pem = tls_self_signed_cert.ca_cert_test.cert_pem
+						ca_private_key_pem = tls_private_key.ca_prv_test.private_key_pem
+					}
+				`,
+				// NOTE: As the CA used for this certificate is a non-CA self-signed certificate that doesn't
+				// carry a Subject Key Identifier, this is reflected in the child certificate that has no
+				// Authority Key Identifier
+				Check: testCheckPEMCertificateAuthorityKeyID("tls_locally_signed_cert.test", "cert_pem", nil),
+			},
+		},
+	})
+}
+
 func TestAccResourceLocallySignedCert_FromED25519PrivateKeyResource(t *testing.T) {
 	r.UnitTest(t, r.TestCase{
 		ProviderFactories: testProviders,
@@ -433,9 +521,7 @@ func TestAccResourceLocallySignedCert_InvalidConfigs(t *testing.T) {
 						}
 						is_ca_certificate     = true
 						validity_period_hours = 8760
-						allowed_uses = [
-							"cert_signing",
-						]
+						allowed_uses = ["cert_signing"]
 					}
 					resource "tls_private_key" "test" {
 						algorithm = "ED25519"
@@ -447,10 +533,7 @@ func TestAccResourceLocallySignedCert_InvalidConfigs(t *testing.T) {
 						is_ca_certificate = true
 						validity_period_hours = 1
 						early_renewal_hours = 0
-						allowed_uses = [
-							"server_auth",
-							"client_auth",
-						]
+						allowed_uses = ["server_auth", "client_auth"]
 						cert_request_pem = tls_cert_request.test.cert_request_pem
 						ca_cert_pem = tls_self_signed_cert.ca_cert_test.cert_pem
 						ca_private_key_pem = tls_private_key.ca_prv_test.private_key_pem

internal/provider/resource_self_signed_cert_test.go

@@ -1,7 +1,6 @@
 package provider
 
 import (
-	"bytes"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"fmt"
@@ -250,7 +249,7 @@ func TestAccResourceSelfSignedCert_NotRecreatedForEarlyRenewalUpdateInFuture(t *
 	overridableTimeFunc = oldNow
 }
 
-func TestAccResourceSelfSignedCert_SetSubjectKeyID(t *testing.T) {
+func TestAccResourceSelfSignedCert_KeyIDs(t *testing.T) {
 	r.UnitTest(t, r.TestCase{
 		ProviderFactories: testProviders,
 		PreCheck:          setTimeForTest("2019-06-14T12:00:00Z"),
@@ -269,14 +268,30 @@ func TestAccResourceSelfSignedCert_SetSubjectKeyID(t *testing.T) {
 EOT
 					}
 				`, testPrivateKeyPEM),
-				Check: testCheckPEMCertificateWith("tls_self_signed_cert.test", "cert_pem", func(cert *x509.Certificate) error {
-					got := cert.SubjectKeyId
-					want := []byte{207, 81, 38, 63, 172, 18, 241, 109, 195, 169, 6, 109, 237, 6, 18, 214, 52, 231, 17, 222}
-					if !bytes.Equal(got, want) {
-						return fmt.Errorf("incorrect subject key id\ngot:  %v\nwant: %v", got, want)
+				Check: r.ComposeAggregateTestCheckFunc(
+					testCheckPEMCertificateSubjectKeyID("tls_self_signed_cert.test", "cert_pem", testPrivateKeyPEMSubjectKeyID),
+					testCheckPEMCertificateAuthorityKeyID("tls_self_signed_cert.test", "cert_pem", nil),
+				),
+			},
+			{
+				Config: fmt.Sprintf(`
+					resource "tls_self_signed_cert" "test" {
+						subject {
+							serial_number = "42"
+						}
+						validity_period_hours = 1
+						allowed_uses = []
+						set_subject_key_id = true
+						set_authority_key_id = true
+						private_key_pem = <<EOT
+%s
+EOT
 					}
-					return nil
-				}),
+				`, testPrivateKeyPEM),
+				Check: r.ComposeAggregateTestCheckFunc(
+					testCheckPEMCertificateSubjectKeyID("tls_self_signed_cert.test", "cert_pem", testPrivateKeyPEMSubjectKeyID),
+					testCheckPEMCertificateAuthorityKeyID("tls_self_signed_cert.test", "cert_pem", testPrivateKeyPEMSubjectKeyID),
+				),
 			},
 		},
 	})
@@ -358,6 +373,22 @@ func TestAccResourceSelfSignedCert_InvalidConfigs(t *testing.T) {
 				`,
 				ExpectError: regexp.MustCompile(`Certificate Subject must contain at least one Distinguished Name when creating Certificate Authority \(CA\)`),
 			},
+			{
+				Config: fmt.Sprintf(`
+					resource "tls_self_signed_cert" "test" {
+						subject {
+							serial_number = "42"
+						}
+						validity_period_hours = 1
+						allowed_uses = []
+						set_authority_key_id = true
+						private_key_pem = <<EOT
+%s
+EOT
+					}
+				`, testPrivateKeyPEM),
+				ExpectError: regexp.MustCompile("could not determine the Authority Key Identifier from the Certificate Authority"),
+			},
 		},
 	})
 }

internal/provider/test_check_func_test.go

@@ -1,6 +1,7 @@
 package provider
 
 import (
+	"bytes"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -152,6 +153,26 @@ func testCheckPEMCertificateDuration(name, key string, expected time.Duration) r
 	})
 }
 
+//nolint:unparam // `key` parameter always receives `cert_pem` because generated PEMs attributes are called that way.
+func testCheckPEMCertificateSubjectKeyID(name, key string, expected []byte) r.TestCheckFunc {
+	return testCheckPEMCertificateWith(name, key, func(crt *x509.Certificate) error {
+		if !bytes.Equal(crt.SubjectKeyId, expected) {
+			return fmt.Errorf("incorrect Subject Key ID\n  expected: %v\n  got: %v", expected, crt.SubjectKeyId)
+		}
+		return nil
+	})
+}
+
+//nolint:unparam // `key` parameter always receives `cert_pem` because generated PEMs attributes are called that way.
+func testCheckPEMCertificateAuthorityKeyID(name, key string, expected []byte) r.TestCheckFunc {
+	return testCheckPEMCertificateWith(name, key, func(crt *x509.Certificate) error {
+		if !bytes.Equal(crt.AuthorityKeyId, expected) {
+			return fmt.Errorf("incorrect Authority Key ID\n\t\texpected: %v\n\t\tgot: %v", expected, crt.AuthorityKeyId)
+		}
+		return nil
+	})
+}
+
 func testCheckPEMCertificateAgainstPEMRootCA(name, key string, rootCA []byte) r.TestCheckFunc {
 	return testCheckPEMCertificateWith(name, key, func(crt *x509.Certificate) error {
 		// Certificate verification must fail if no CA Cert Pool is provided