Share key type func

Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
2019-07-05 09:35:30 +01:00 · 2019-07-05 09:35:30 +01:00 · a60a6d755f
commit a60a6d755f
parent f9417da5c5
2 changed files with 12 additions and 52 deletions
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@ -172,11 +172,6 @@ func GenerateTemplate(crt *v1alpha1.Certificate) (*x509.Certificate, error) {
 		return nil, err
 	}

-	keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
-	if crt.Spec.IsCA {
-		keyUsages |= x509.KeyUsageCertSign
-	}
-
 	return &x509.Certificate{
 		Version:               3,
 		BasicConstraintsValid: true,
@ -190,12 +185,21 @@ func GenerateTemplate(crt *v1alpha1.Certificate) (*x509.Certificate, error) {
 		NotBefore: time.Now(),
 		NotAfter:  time.Now().Add(certDuration),
 		// see http://golang.org/pkg/crypto/x509/#KeyUsage
-		KeyUsage:    keyUsages,
+		KeyUsage:    keyUsage(crt.Spec.IsCA),
 		DNSNames:    dnsNames,
 		IPAddresses: ipAddresses,
 	}, nil
 }

+func keyUsage(isCA bool) x509.KeyUsage {
+	keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+	if isCA {
+		keyUsages |= x509.KeyUsageCertSign
+	}
+
+	return keyUsages
+}
+
 // GenerateTemplate will create a x509.Certificate for the given
 // CertificateRequest resource
 func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x509.Certificate, error) {
@ -224,8 +228,6 @@ func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x
 		certDuration = cr.Spec.Duration.Duration
 	}

-	keyUsages := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
-
 	return &x509.Certificate{
 		Version:               csr.Version,
 		BasicConstraintsValid: true,
@ -237,7 +239,7 @@ func GenerateTemplateFromCertificateRequest(cr *v1alpha1.CertificateRequest) (*x
 		NotBefore:             time.Now(),
 		NotAfter:              time.Now().Add(certDuration),
 		// see http://golang.org/pkg/crypto/x509/#KeyUsage
-		KeyUsage:    keyUsages,
+		KeyUsage:    keyUsage(cr.Spec.IsCA),
 		DNSNames:    csr.DNSNames,
 		IPAddresses: csr.IPAddresses,
 		URIs:        csr.URIs,
--- a/test/e2e/suite/issuers/ca/certificaterequest.go
+++ b/test/e2e/suite/issuers/ca/certificaterequest.go
@ -30,7 +30,7 @@ import (
 	"github.com/jetstack/cert-manager/test/e2e/util"
 )

-var _ = framework.CertManagerDescribe("CA Certificate", func() {
+var _ = framework.CertManagerDescribe("CA CertificateRequest", func() {
 	f := framework.NewDefaultFramework("create-ca-certificate")
 	h := f.Helper()

@ -141,46 +141,4 @@ var _ = framework.CertManagerDescribe("CA Certificate", func() {
 			})
 		}
 	})
-
-	Context("when the CA is an issuer", func() {
-		BeforeEach(func() {
-			By("Creating a signing keypair fixture")
-			_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer1KeypairSecret(issuerSecretName))
-			Expect(err).NotTo(HaveOccurred())
-		})
-
-		It("should generate a signed keypair", func() {
-			crClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
-
-			By("Creating a CertificateRequest")
-			cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind, nil, nil, nil, nil, x509.RSA)
-			Expect(err).NotTo(HaveOccurred())
-			_, err = crClient.Create(cr)
-			Expect(err).NotTo(HaveOccurred())
-			By("Verifying the Certificate is valid")
-			err = h.WaitCertificateRequestIssuedValidTLS(f.Namespace.Name, certificateRequestName, time.Second*30, key, []byte(rootCert))
-			Expect(err).NotTo(HaveOccurred())
-		})
-	})
-
-	Context("when the CA is a second level issuer", func() {
-		BeforeEach(func() {
-			By("Creating a signing keypair fixture")
-			_, err := f.KubeClientSet.CoreV1().Secrets(f.Namespace.Name).Create(newSigningIssuer2KeypairSecret(issuerSecretName))
-			Expect(err).NotTo(HaveOccurred())
-		})
-
-		It("should generate a signed keypair", func() {
-			crClient := f.CertManagerClientSet.CertmanagerV1alpha1().CertificateRequests(f.Namespace.Name)
-
-			By("Creating a CertificateRequest")
-			cr, key, err := util.NewCertManagerBasicCertificateRequest(certificateRequestName, issuerName, v1alpha1.IssuerKind, nil, nil, nil, nil, x509.RSA)
-			Expect(err).NotTo(HaveOccurred())
-			_, err = crClient.Create(cr)
-			Expect(err).NotTo(HaveOccurred())
-			By("Verifying the Certificate is valid")
-			err = h.WaitCertificateRequestIssuedValidTLS(f.Namespace.Name, certificateRequestName, time.Second*30, key, []byte(rootCert))
-			Expect(err).NotTo(HaveOccurred())
-		})
-	})
 })