Fixed some issues and added tests.

michelvocks · michelvocks · commit e78f37e6638c · 2018-07-23T16:04:24.000+02:00
diff --git a/security/tls.go b/security/tls.go
@@ -37,12 +37,6 @@ func GenerateCA() error {
 	caKeyPath := filepath.Join(gaia.Cfg.DataPath, keyName)
 	cleanupCerts(caCertPath, caKeyPath)
 
-	// Generate the key
-	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
-	if err != nil {
-		return err
-	}
-
 	// Set time range for cert validation
 	notBefore := time.Now()
 	notAfter := notBefore.Add(time.Hour * maxValidCA)
@@ -55,7 +49,7 @@ func GenerateCA() error {
 	}
 
 	// Generate CA template
-	template := x509.Certificate{
+	template := &x509.Certificate{
 		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{orgName},
@@ -65,13 +59,19 @@ func GenerateCA() error {
 
 		IsCA:                  true,
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		BasicConstraintsValid: true,
 		DNSNames:              []string{orgDNS},
 	}
 
+	// Generate the key
+	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
+	if err != nil {
+		return err
+	}
+
 	// Create certificate authority
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.PublicKey, key)
+	derBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
 	if err != nil {
 		return err
 	}
@@ -134,6 +134,7 @@ func createSignedCert() (string, string, error) {
 		SubjectKeyId: []byte{1, 2, 3, 4, 6},
 		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 		KeyUsage:     x509.KeyUsageDigitalSignature,
+		DNSNames:     []string{orgDNS},
 	}
 	priv, _ := rsa.GenerateKey(rand.Reader, rsaBits)
 	pub := &priv.PublicKey
diff --git a/security/tls_test.go b/security/tls_test.go
@@ -0,0 +1,121 @@
+package security
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/gaia-pipeline/gaia"
+)
+
+func TestGenerateCA(t *testing.T) {
+	gaia.Cfg = &gaia.Config{}
+	gaia.Cfg.DataPath = os.TempDir()
+
+	err := GenerateCA()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+	caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+	// Load CA plain
+	caPlain, err := tls.LoadX509KeyPair(caCertPath, caKeyPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Parse certificate
+	ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create cert pool and load ca root
+	certPool := x509.NewCertPool()
+	rootCA, err := ioutil.ReadFile(caCertPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ok := certPool.AppendCertsFromPEM(rootCA)
+	if !ok {
+		t.Fatalf("Cannot append root cert to cert pool!\n")
+	}
+
+	_, err = ca.Verify(x509.VerifyOptions{
+		Roots:   certPool,
+		DNSName: orgDNS,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = cleanupCerts(caCertPath, caKeyPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func TestCreateSignedCert(t *testing.T) {
+	gaia.Cfg = &gaia.Config{}
+	gaia.Cfg.DataPath = os.TempDir()
+
+	err := GenerateCA()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	caCertPath := filepath.Join(gaia.Cfg.DataPath, "ca.crt")
+	caKeyPath := filepath.Join(gaia.Cfg.DataPath, "ca.key")
+
+	certPath, keyPath, err := createSignedCert()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Load CA plain
+	caPlain, err := tls.LoadX509KeyPair(certPath, keyPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Parse certificate
+	ca, err := x509.ParseCertificate(caPlain.Certificate[0])
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Create cert pool and load ca root
+	certPool := x509.NewCertPool()
+	rootCA, err := ioutil.ReadFile(caCertPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ok := certPool.AppendCertsFromPEM(rootCA)
+	if !ok {
+		t.Fatalf("Cannot append root cert to cert pool!\n")
+	}
+
+	_, err = ca.Verify(x509.VerifyOptions{
+		Roots:   certPool,
+		DNSName: orgDNS,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = cleanupCerts(caCertPath, caKeyPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = cleanupCerts(certPath, keyPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
