From 503186c2d20e17e161bfbc321fee7239fc1c2de0 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Wed, 8 Aug 2018 10:51:28 +0100
Subject: [PATCH] Add unit test for PublicKeyMatchesCertificate
---
 pkg/util/pki/generate_test.go | 66 +++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
diff --git a/pkg/util/pki/generate_test.go b/pkg/util/pki/generate_test.go
index 1fd859827..758239d37 100644
--- a/pkg/util/pki/generate_test.go
+++ b/pkg/util/pki/generate_test.go
@@ -1,12 +1,17 @@
 package pki
 
 import (
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/jetstack/cert-manager/pkg/apis/certmanager/v1alpha1"
 )
@@ -200,3 +205,64 @@ func TestGeneratePrivateKeyForCertificate(t *testing.T) {
 		t.Run(test.name, testFn(test))
 	}
 }
+
+func signTestCert(key crypto.Signer) *x509.Certificate {
+	commonName := "testingcert"
+
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		panic(fmt.Errorf("failed to generate serial number: %s", err.Error()))
+	}
+
+	template := &x509.Certificate{
+		Version:               3,
+		BasicConstraintsValid: true,
+		SerialNumber:          serialNumber,
+		SignatureAlgorithm:    x509.SHA256WithRSA,
+		Subject: pkix.Name{
+			Organization: []string{defaultOrganization},
+			CommonName:   commonName,
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(defaultNotAfter),
+		// see http://golang.org/pkg/crypto/x509/#KeyUsage
+		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+	}
+
+	_, crt, err := SignCertificate(template, template, key.Public(), key)
+	if err != nil {
+		panic(fmt.Errorf("error signing test cert: %v", err))
+	}
+
+	return crt
+}
+
+func TestPublicKeyMatchesCertificate(t *testing.T) {
+	privKey1, err := GenerateRSAPrivateKey(2048)
+	if err != nil {
+		t.Errorf("error generating private key: %v", err)
+	}
+	privKey2, err := GenerateRSAPrivateKey(2048)
+	if err != nil {
+		t.Errorf("error generating private key: %v", err)
+	}
+
+	testCert1 := signTestCert(privKey1)
+	testCert2 := signTestCert(privKey2)
+
+	matches, err := PublicKeyMatchesCertificate(privKey1.Public(), testCert1)
+	if err != nil {
+		t.Errorf("expected no error, but got: %v", err)
+	}
+	if !matches {
+		t.Errorf("expected private key to match certificate, but it did not")
+	}
+
+	matches, err = PublicKeyMatchesCertificate(privKey1.Public(), testCert2)
+	if err != nil {
+		t.Errorf("expected no error, but got: %v", err)
+	}
+	if matches {
+		t.Errorf("expected private key to not match certificate, but it did")
+	}
+}
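Review bot: In TestPublicKeyMatchesCertificate both GenerateRSAPrivateKey failures are reported with `t.Errorf`, which lets the test run on into `signTestCert(privKey1)` with a nil key and would most likely end in a nil-pointer panic instead of a clean failure; use `t.Fatalf("error generating private key: %v", err)` at both sites. Relatedly, signTestCert panics on the rand.Int and SignCertificate errors; taking `t *testing.T`, calling `t.Helper()` and reporting with `t.Fatalf` would attribute the failure to this test rather than aborting the whole package run. The helper also pins `SignatureAlgorithm: x509.SHA256WithRSA`, so only RSA keys are exercised and the key-type-mismatch case (an ECDSA key checked against an RSA certificate, which this file's ecdsa import suggests is easy to generate) stays untested, which is worth a third assertion if PublicKeyMatchesCertificate is expected to return false rather than an error there.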