292 lines
8.4 KiB
Go
292 lines
8.4 KiB
Go
/*
|
|
Copyright 2020 The cert-manager Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package pki
|
|
|
|
import (
|
|
"crypto"
|
|
"reflect"
|
|
"testing"
|
|
|
|
corev1 "k8s.io/api/core/v1"
|
|
|
|
cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
|
|
)
|
|
|
|
func mustGenerateRSA(t *testing.T, keySize int) crypto.PrivateKey {
|
|
pk, err := GenerateRSAPrivateKey(keySize)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return pk
|
|
}
|
|
|
|
func mustGenerateECDSA(t *testing.T, keySize int) crypto.PrivateKey {
|
|
pk, err := GenerateECPrivateKey(keySize)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return pk
|
|
}
|
|
|
|
func mustGenerateEd25519(t *testing.T) crypto.PrivateKey {
|
|
pk, err := GenerateEd25519PrivateKey()
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return pk
|
|
}
|
|
|
|
func TestPrivateKeyMatchesSpec(t *testing.T) {
|
|
tests := map[string]struct {
|
|
key crypto.PrivateKey
|
|
expectedAlgo cmapi.PrivateKeyAlgorithm
|
|
expectedSize int
|
|
violations []string
|
|
err string
|
|
}{
|
|
"should match if keySize and algorithm are correct (RSA)": {
|
|
key: mustGenerateRSA(t, 2048),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 2048,
|
|
},
|
|
"should not match if RSA keySize is incorrect": {
|
|
key: mustGenerateRSA(t, 2048),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 4096,
|
|
violations: []string{"spec.privateKey.size"},
|
|
},
|
|
"should match if keySize and algorithm are correct (ECDSA)": {
|
|
key: mustGenerateECDSA(t, ECCurve256),
|
|
expectedAlgo: cmapi.ECDSAKeyAlgorithm,
|
|
expectedSize: 256,
|
|
},
|
|
"should not match if ECDSA keySize is incorrect": {
|
|
key: mustGenerateECDSA(t, ECCurve256),
|
|
expectedAlgo: cmapi.ECDSAKeyAlgorithm,
|
|
expectedSize: ECCurve521,
|
|
violations: []string{"spec.privateKey.size"},
|
|
},
|
|
"should not match if keyAlgorithm is incorrect": {
|
|
key: mustGenerateECDSA(t, ECCurve256),
|
|
expectedAlgo: cmapi.RSAKeyAlgorithm,
|
|
expectedSize: 2048,
|
|
violations: []string{"spec.privateKey.algorithm"},
|
|
},
|
|
"should match if keySize and algorithm are correct (Ed25519)": {
|
|
key: mustGenerateEd25519(t),
|
|
expectedAlgo: cmapi.Ed25519KeyAlgorithm,
|
|
},
|
|
}
|
|
for name, test := range tests {
|
|
t.Run(name, func(t *testing.T) {
|
|
violations, err := PrivateKeyMatchesSpec(
|
|
test.key,
|
|
cmapi.CertificateSpec{
|
|
PrivateKey: &cmapi.CertificatePrivateKey{
|
|
Algorithm: test.expectedAlgo,
|
|
Size: test.expectedSize,
|
|
},
|
|
},
|
|
)
|
|
switch {
|
|
case err != nil:
|
|
if test.err != err.Error() {
|
|
t.Errorf("error text did not match, got=%s, exp=%s", err.Error(), test.err)
|
|
}
|
|
default:
|
|
if test.err != "" {
|
|
t.Errorf("got no error but expected: %s", test.err)
|
|
}
|
|
}
|
|
if !reflect.DeepEqual(violations, test.violations) {
|
|
t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestSecretDataAltNamesMatchSpec(t *testing.T) {
|
|
tests := map[string]struct {
|
|
data []byte
|
|
spec cmapi.CertificateSpec
|
|
err string
|
|
violations []string
|
|
}{
|
|
"should match if common name and dns names exactly equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is missing but is present in dnsNames": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"cn", "at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is missing but is present in dnsNames (not first)": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one", "cn"},
|
|
}),
|
|
},
|
|
"should match if commonName is one of the requested requested dnsNames": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"least", "one"},
|
|
}),
|
|
},
|
|
"should not match if commonName is not present on certificate": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
violations: []string{"spec.commonName"},
|
|
},
|
|
"should report violation for both commonName and dnsNames if both are missing": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
violations: []string{"spec.commonName", "spec.dnsNames"},
|
|
},
|
|
"should report violation for both commonName and dnsNames if not requested": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
}),
|
|
violations: []string{"spec.commonName", "spec.dnsNames"},
|
|
},
|
|
"should not match if certificate has more dnsNames than spec": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one", "other"},
|
|
}),
|
|
violations: []string{"spec.dnsNames"},
|
|
},
|
|
"should match if commonName is a duplicated dnsName (but not requested)": {
|
|
spec: cmapi.CertificateSpec{
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
}),
|
|
},
|
|
"should match if commonName is a duplicated dnsName": {
|
|
spec: cmapi.CertificateSpec{
|
|
CommonName: "cn",
|
|
DNSNames: []string{"at", "least", "one"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "at",
|
|
DNSNames: []string{"at", "least", "one", "cn"},
|
|
}),
|
|
},
|
|
"should match if ipAddresses are equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
}),
|
|
},
|
|
"should not match if ipAddresses are not equal": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.2.1"},
|
|
}),
|
|
violations: []string{"spec.ipAddresses"},
|
|
},
|
|
"should not match if ipAddresses has been made the commonName": {
|
|
spec: cmapi.CertificateSpec{
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
},
|
|
data: selfSignCertificate(t, cmapi.CertificateSpec{
|
|
CommonName: "127.0.0.1",
|
|
IPAddresses: []string{"127.0.0.1"},
|
|
}),
|
|
violations: []string{"spec.commonName"},
|
|
},
|
|
}
|
|
for name, test := range tests {
|
|
t.Run(name, func(t *testing.T) {
|
|
violations, err := SecretDataAltNamesMatchSpec(&corev1.Secret{Data: map[string][]byte{corev1.TLSCertKey: test.data}}, test.spec)
|
|
switch {
|
|
case err != nil:
|
|
if test.err != err.Error() {
|
|
t.Errorf("error text did not match, got=%s, exp=%s", err.Error(), test.err)
|
|
}
|
|
default:
|
|
if test.err != "" {
|
|
t.Errorf("got no error but expected: %s", test.err)
|
|
}
|
|
}
|
|
if !reflect.DeepEqual(violations, test.violations) {
|
|
t.Errorf("violations did not match, got=%s, exp=%s", violations, test.violations)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func selfSignCertificate(t *testing.T, spec cmapi.CertificateSpec) []byte {
|
|
pk, err := GenerateRSAPrivateKey(2048)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
template, err := CertificateTemplateFromCertificate(&cmapi.Certificate{Spec: spec})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
pemData, _, err := SignCertificate(template, template, pk.Public(), pk)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
return pemData
|
|
}
|