package cmd
import (
"crypto/x509"
"flag"
"io/ioutil"
"os"
"testing"
"time"
"github.com/square/certstrap/depot"
"github.com/square/certstrap/pkix"
"github.com/urfave/cli"
)
// caName is the depot name under which the test CA key, certificate and CRL are stored.
const caName = "ca"

// cnName is the depot name of the host certificate the test revokes.
const cnName = "cn"
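// TestRevokeCmd revokes the host certificate cnName through revokeCommand
// and verifies that the CA's CRL is signed by the CA and lists exactly that
// certificate's serial number.
func TestRevokeCmd(t *testing.T) {
	tmp, err := ioutil.TempDir("", "certstrap-revoke")
	if err != nil {
		t.Fatalf("could not create tmp dir: %v", err)
	}
	defer os.RemoveAll(tmp)

	// d is declared outside this function (assigned with =, not :=), so the
	// command under test can read the same depot; do not shadow it.
	d, err = depot.NewFileDepot(tmp)
	if err != nil {
		t.Fatalf("could not create file depot: %v", err)
	}

	setupCA(t, d)
	setupCN(t, d)

	fs := flag.NewFlagSet("test", flag.ContinueOnError)
	fs.String("CA", "", "")
	fs.String("CN", "", "")
	if err := fs.Parse([]string{"-CA", caName, "-CN", cnName}); err != nil {
		t.Fatal("could not parse flags")
	}
	new(revokeCommand).run(cli.NewContext(nil, fs, nil))

	list, err := depot.GetCertificateRevocationList(d, caName)
	if err != nil {
		t.Fatalf("could not get crl: %v", err)
	}
	certList, err := x509.ParseDERCRL(list.DERBytes())
	if err != nil {
		t.Fatalf("could not parse crl: %v", err)
	}

	// A CRL is only meaningful if it carries a valid signature from the CA,
	// so verify that before inspecting its contents.
	caCert, err := depot.GetCertificate(d, caName)
	if err != nil {
		t.Fatalf("could not get ca cert: %v", err)
	}
	caX509, err := caCert.GetRawCertificate()
	if err != nil {
		t.Fatalf("could not get raw ca cert: %v", err)
	}
	if err := caX509.CheckCRLSignature(certList); err != nil {
		t.Fatalf("crl is not signed by the ca: %v", err)
	}

	revoked := certList.TBSCertList.RevokedCertificates
	if len(revoked) != 1 {
		t.Fatalf("unexpected number of revoked certs: want = 1, got = %d", len(revoked))
	}

	// Previously both errors below were discarded, which would turn a
	// missing certificate into a nil-pointer panic instead of a test failure.
	cnCert, err := depot.GetCertificate(d, cnName)
	if err != nil {
		t.Fatalf("could not get cn cert: %v", err)
	}
	cnX509, err := cnCert.GetRawCertificate()
	if err != nil {
		t.Fatalf("could not get raw cn cert: %v", err)
	}
	if cnX509.SerialNumber.Cmp(revoked[0].SerialNumber) != 0 {
		t.Fatalf("certificates serial numbers are not equal")
	}
}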
// setupCA stores a fresh CA under caName in dt: a 2048-bit RSA key, a
// self-signed CA certificate valid for one minute, and an empty CRL with
// the same lifetime. Any failure aborts the test.
func setupCA(t *testing.T, dt depot.Depot) {
	expiry := time.Now().Add(1 * time.Minute)

	caKey, err := pkix.CreateRSAKey(2048)
	if err != nil {
		t.Fatalf("could not create RSA key: %v", err)
	}
	if err := depot.PutPrivateKey(dt, caName, caKey); err != nil {
		t.Fatalf("could not put private key: %v", err)
	}

	authority, err := pkix.CreateCertificateAuthority(caKey, caName, expiry, "", "", "", "", caName, nil)
	if err != nil {
		t.Fatalf("could not create authority cert: %v", err)
	}
	if err := depot.PutCertificate(dt, caName, authority); err != nil {
		t.Fatalf("could not put certificate: %v", err)
	}

	// The revoke command needs an existing CRL to append to.
	emptyCRL, err := pkix.CreateCertificateRevocationList(caKey, authority, expiry)
	if err != nil {
		t.Fatalf("could not create crl: %v", err)
	}
	if err := depot.PutCertificateRevocationList(dt, caName, emptyCRL); err != nil {
		t.Fatalf("could not put crl: %v", err)
	}
}
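// setupCN stores a host certificate under cnName in dt: it creates a
// 2048-bit RSA key and a CSR for cnName (SAN example.com), signs the CSR
// with the CA previously stored under caName by setupCA, and saves the
// resulting certificate with a one-hour lifetime. Any failure aborts the test.
func setupCN(t *testing.T, dt depot.Depot) {
	key, err := pkix.CreateRSAKey(2048)
	if err != nil {
		t.Fatalf("could not create RSA key: %v", err)
	}
	if err = depot.PutPrivateKey(dt, cnName, key); err != nil {
		t.Fatalf("could not put private key: %v", err)
	}

	csr, err := pkix.CreateCertificateSigningRequest(key, cnName, nil, []string{"example.com"}, nil, "", "", "", "", cnName)
	if err != nil {
		t.Fatalf("could not create csr: %v", err)
	}

	// The issuing CA must already be in the depot (see setupCA).
	caCert, err := depot.GetCertificate(dt, caName)
	if err != nil {
		t.Fatalf("could not get cert: %v", err)
	}
	cnCert, err := pkix.CreateCertificateHost(caCert, key, csr, time.Now().Add(1*time.Hour), nil)
	if err != nil {
		t.Fatalf("could not create cert host: %v", err)
	}
	// Store under cnName (not a bare "cn" literal) so the key, CSR subject
	// and certificate all agree with what TestRevokeCmd looks up.
	if err = depot.PutCertificate(dt, cnName, cnCert); err != nil {
		t.Fatalf("could not put cert: %v", err)
	}
}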