/* Copyright 2020 The cert-manager Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package pki_test import ( "crypto" "crypto/rand" "crypto/x509" "encoding/asn1" "reflect" "testing" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "github.com/cert-manager/cert-manager/pkg/util/pki" "github.com/cert-manager/cert-manager/test/unit/gen" ) func mustGenerateRSA(t *testing.T, keySize int) crypto.PrivateKey { pk, err := pki.GenerateRSAPrivateKey(keySize) if err != nil { t.Fatal(err) } return pk } func mustGenerateECDSA(t *testing.T, keySize int) crypto.PrivateKey { pk, err := pki.GenerateECPrivateKey(keySize) if err != nil { t.Fatal(err) } return pk } func mustGenerateEd25519(t *testing.T) crypto.PrivateKey { pk, err := pki.GenerateEd25519PrivateKey() if err != nil { t.Fatal(err) } return pk } func TestPrivateKeyMatchesSpec(t *testing.T) { tests := map[string]struct { key crypto.PrivateKey expectedAlgo cmapi.PrivateKeyAlgorithm expectedSize int violations []string }{ "should match if keySize and algorithm are correct (RSA)": { key: mustGenerateRSA(t, 2048), expectedAlgo: cmapi.RSAKeyAlgorithm, expectedSize: 2048, }, "should not match if RSA keySize is incorrect": { key: mustGenerateRSA(t, 2048), expectedAlgo: cmapi.RSAKeyAlgorithm, expectedSize: 4096, violations: []string{"spec.privateKey.size"}, }, "should match if keySize and algorithm are correct (ECDSA)": { key: mustGenerateECDSA(t, pki.ECCurve256), expectedAlgo: cmapi.ECDSAKeyAlgorithm, expectedSize: 256, }, "should not match if ECDSA keySize is incorrect": { key: mustGenerateECDSA(t, pki.ECCurve256), expectedAlgo: cmapi.ECDSAKeyAlgorithm, expectedSize: pki.ECCurve521, violations: []string{"spec.privateKey.size"}, }, "should not match if keyAlgorithm is incorrect": { key: mustGenerateECDSA(t, pki.ECCurve256), expectedAlgo: cmapi.RSAKeyAlgorithm, expectedSize: 2048, violations: []string{"spec.privateKey.algorithm"}, }, "should match if keySize and algorithm are correct (Ed25519)": { key: mustGenerateEd25519(t), expectedAlgo: cmapi.Ed25519KeyAlgorithm, }, } for name, test := range tests { t.Run(name, func(t *testing.T) { violations := pki.PrivateKeyMatchesSpec( test.key, cmapi.CertificateSpec{ PrivateKey: &cmapi.CertificatePrivateKey{ Algorithm: test.expectedAlgo, Size: test.expectedSize, }, }, ) if !reflect.DeepEqual(violations, test.violations) { t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations) } }) } } func TestCertificateRequestOtherNamesMatchSpec(t *testing.T) { tests := map[string]struct { crSpec *cmapi.CertificateRequest certSpec cmapi.CertificateSpec err string violations []string }{ "should not report any violation if Certificate otherName(s) match the CertificateRequest's": { crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn@testdomain.local", }, }, }}), certSpec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn@testdomain.local", }, }, }, err: "", }, "should report violation if Certificate otherName(s) mismatch the CertificateRequest's": { crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn@testdomain.local", }, }, }}), certSpec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn2@testdomain.local", }, }, }, err: "", violations: []string{ "spec.otherNames", }, }, "should not report violation if Certificate otherName(s) match the CertificateRequest's (with different order)": { crSpec: mustBuildCertificateRequest(t, &cmapi.Certificate{Spec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "anotherupn@testdomain.local", }, { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn@testdomain.local", }, }, }}), certSpec: cmapi.CertificateSpec{ CommonName: "cn", OtherNames: []cmapi.OtherName{ { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "upn@testdomain.local", }, { OID: "1.3.6.1.4.1.311.20.2.3", UTF8Value: "anotherupn@testdomain.local", }, }, }, err: "", }, } for name, test := range tests { t.Run(name, func(t *testing.T) { violations, err := pki.RequestMatchesSpec(test.crSpec, test.certSpec) if err != nil { if test.err == "" { t.Errorf("Unexpected error: %s", err.Error()) } else if test.err != err.Error() { t.Errorf("Expected error: %s but got: %s instead", err.Error(), test.err) } } if !reflect.DeepEqual(violations, test.violations) { t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations) } }) } } func TestRequestMatchesSpecSubject(t *testing.T) { createCSRBlob := func(literalSubject string) []byte { seq, err := pki.UnmarshalSubjectStringToRDNSequence(literalSubject) if err != nil { t.Fatal(err) } asn1Seq, err := asn1.Marshal(seq) if err != nil { t.Fatal(err) } pemBytes, _, err := gen.CSR(x509.Ed25519, func(cr *x509.CertificateRequest) error { cr.RawSubject = asn1Seq return nil }) if err != nil { t.Fatal(err) } return pemBytes } tests := []struct { name string subject *cmapi.X509Subject literalSubject string x509CSR []byte err string violations []string }{ { name: "Matching LiteralSubjects", literalSubject: "CN=example.com,OU=example,O=example,L=example,ST=example,C=US", x509CSR: createCSRBlob("CN=example.com,OU=example,O=example,L=example,ST=example,C=US"), }, { name: "Matching LiteralSubjects", literalSubject: "ST=example,C=US", x509CSR: createCSRBlob("ST=example"), violations: []string{"spec.literalSubject"}, }, { name: "Matching LiteralSubjects", literalSubject: "ST=example,C=US,O=#04024869", x509CSR: createCSRBlob("ST=example,C=US,O=#04024869"), }, } for _, test := range tests { test := test t.Run(test.name, func(t *testing.T) { violations, err := pki.RequestMatchesSpec( &cmapi.CertificateRequest{ Spec: cmapi.CertificateRequestSpec{ Request: test.x509CSR, }, }, cmapi.CertificateSpec{ Subject: test.subject, LiteralSubject: test.literalSubject, }, ) if err != nil { if test.err == "" { t.Errorf("Unexpected error: %s", err.Error()) } else if test.err != err.Error() { t.Errorf("Expected error: %s but got: %s instead", err.Error(), test.err) } } if !reflect.DeepEqual(violations, test.violations) { t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations) } }) } } func TestFuzzyX509AltNamesMatchSpec(t *testing.T) { tests := map[string]struct { x509 *x509.Certificate spec cmapi.CertificateSpec violations []string }{ "should match if common name and dns names exactly equal": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }), }, "should match if commonName is missing but is present in dnsNames": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ DNSNames: []string{"cn", "at", "least", "one"}, }), }, "should match if commonName is missing but is present in dnsNames (not first)": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one", "cn"}, }), }, "should match if commonName is one of the requested dnsNames": { spec: cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "at", DNSNames: []string{"least", "one"}, }), }, "should not match if commonName is not present on certificate": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one"}, }), violations: []string{"spec.commonName"}, }, "should report violation for both commonName and dnsNames if both are missing": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one", "other"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one"}, }), violations: []string{"spec.commonName", "spec.dnsNames"}, }, "should report violation for both commonName and dnsNames if not requested": { spec: cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one", "other"}, }), violations: []string{"spec.commonName", "spec.dnsNames"}, }, "should not match if certificate has more dnsNames than spec": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one", "other"}, }), violations: []string{"spec.dnsNames"}, }, "should match if commonName is a duplicated dnsName (but not requested)": { spec: cmapi.CertificateSpec{ DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "at", DNSNames: []string{"at", "least", "one"}, }), }, "should match if commonName is a duplicated dnsName": { spec: cmapi.CertificateSpec{ CommonName: "cn", DNSNames: []string{"at", "least", "one"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "at", DNSNames: []string{"at", "least", "one", "cn"}, }), }, "should match if ipAddresses are equal": { spec: cmapi.CertificateSpec{ IPAddresses: []string{"127.0.0.1"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ IPAddresses: []string{"127.0.0.1"}, }), }, "should not match if ipAddresses are not equal": { spec: cmapi.CertificateSpec{ IPAddresses: []string{"127.0.0.1"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ IPAddresses: []string{"127.0.2.1"}, }), violations: []string{"spec.ipAddresses"}, }, "should not match if ipAddresses has been made the commonName": { spec: cmapi.CertificateSpec{ IPAddresses: []string{"127.0.0.1"}, }, x509: selfSignCertificate(t, cmapi.CertificateSpec{ CommonName: "127.0.0.1", IPAddresses: []string{"127.0.0.1"}, }), violations: []string{"spec.commonName"}, }, } for name, test := range tests { t.Run(name, func(t *testing.T) { violations := pki.FuzzyX509AltNamesMatchSpec(test.x509, test.spec) if !reflect.DeepEqual(violations, test.violations) { t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations) } }) } } func selfSignCertificate(t *testing.T, spec cmapi.CertificateSpec) *x509.Certificate { template, err := pki.CertificateTemplateFromCertificate(&cmapi.Certificate{Spec: spec}) if err != nil { t.Fatal(err) } pk, err := pki.GenerateRSAPrivateKey(2048) if err != nil { t.Fatal(err) } // Marshal and unmarshal to ensure all fields are set correctly certDER, err := x509.CreateCertificate(rand.Reader, template, template, pk.Public(), pk) if err != nil { t.Fatal(err) } cert, err := x509.ParseCertificate(certDER) if err != nil { t.Fatal(err) } return cert } func mustBuildCertificateRequest(t *testing.T, crt *cmapi.Certificate) *cmapi.CertificateRequest { pemData, _, err := gen.CSRForCertificate(crt) if err != nil { t.Fatal(err) } cr := &cmapi.CertificateRequest{ ObjectMeta: metav1.ObjectMeta{ Name: t.Name(), Annotations: crt.Annotations, Labels: crt.Labels, }, Spec: cmapi.CertificateRequestSpec{ Request: pemData, Duration: crt.Spec.Duration, IssuerRef: crt.Spec.IssuerRef, IsCA: crt.Spec.IsCA, Usages: crt.Spec.Usages, }, } return cr }