github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/pkg/secrets/compactpki/compactpki_test.go (about)

     1  // +build !windows
     2  
     3  package compactpki
     4  
     5  import (
     6  	"crypto/ecdsa"
     7  	"crypto/x509"
     8  	"testing"
     9  
    10  	. "github.com/smartystreets/goconvey/convey"
    11  	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/claimsheader"
    12  	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/pkiverifier"
    13  	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/secrets"
    14  	"go.aporeto.io/enforcerd/trireme-lib/utils/crypto"
    15  )
    16  
// Test fixtures: a throwaway PKI used only by the tests in this file.
//
// Both private keys below are published together with the source, so they
// provide no secrecy. Nothing signed by caKeyPEM or chained to caPEM should be
// trusted outside of tests: keep caPEM out of any real trust bundle and never
// reuse these keys or certificates in a deployment.
//
// NOTE(review): the certificates carry a fixed validity window that looks like
// it ends in March 2028 — confirm, and regenerate the fixtures before then if
// the code under test checks validity dates.
var (
	// caPEM is the CA certificate. The tests pass it as the authority and as
	// the controller public key.
	caPEM = `-----BEGIN CERTIFICATE-----
MIIBmzCCAUCgAwIBAgIRAIbf7tsXeg6vUJ2pe3WXzgwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODM3MjNaFw0yODAzMDkxODM3MjNaMDwxEDAO
BgNVBAoTB0Fwb3JldG8xDzANBgNVBAsTBmFwb211eDEXMBUGA1UEAxMOQXBvbXV4
IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQcpOm4VAWyNcI4/WZP
qj9EBu5XWQppyG2LoXVYNv1YCfJBFYuVERxVaZEcUJ0ceE/doFyphS1Ohw3QjqDQ
xakeoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjO
PQQDAgNJADBGAiEA+OL+qkSyXwLu6P/75kXBPo8fFGvXyX2vYis0hUAyHJcCIQCn
86EFqkJDkeAguDEKvVtORcnxl+rAP924/PJAHLMh6Q==
-----END CERTIFICATE-----`
	// caKeyPEM is the EC private key createTxtToken loads to build the token
	// issuer. NOTE(review): presumably the key matching caPEM — confirm.
	caKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEILpUWKqL6Sr+HrKDKLHt/vN6EYi22rJKV2q9xgKmiCqioAoGCCqGSM49
AwEHoUQDQgAEHKTpuFQFsjXCOP1mT6o/RAbuV1kKachti6F1WDb9WAnyQRWLlREc
VWmRHFCdHHhP3aBcqYUtTocN0I6g0MWpHg==
-----END EC PRIVATE KEY-----`
	// privateKeyPEM is the EC private key the tests pass alongside publicPEM.
	privateKeyPEM = `-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGx017ukBSUSddLXefL/5nxxaRXuM1H/tUxQAYxWBrQtoAoGCCqGSM49
AwEHoUQDQgAEZKBbcTmg0hGyVcgsUH7xijvaNOJ3EPM3Oq08VdCBsPNAojAR9wfX
KLO/w0SRKj1DL03a9dl1Gwk0r7F0VnPQyw==
-----END EC PRIVATE KEY-----`
	// publicPEM is the client certificate createTxtToken turns into a token.
	// NOTE(review): presumably issued by caPEM, since the tests expect the
	// key/cert/CA triple to load without error — confirm.
	publicPEM = `-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIRAOmitRugFU+nAhiGsp6fYOwwCgYIKoZIzj0EAwIwPDEQ
MA4GA1UEChMHQXBvcmV0bzEPMA0GA1UECxMGYXBvbXV4MRcwFQYDVQQDEw5BcG9t
dXggUm9vdCBDQTAeFw0xODA1MDExODQwMzFaFw0yODAzMDkxODQwMzFaMDYxETAP
BgNVBAoTCHNvbWUgb3JnMRIwEAYDVQQLEwlzb21lLXVuaXQxDTALBgNVBAMTBHRl
c3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARkoFtxOaDSEbJVyCxQfvGKO9o0
4ncQ8zc6rTxV0IGw80CiMBH3B9cos7/DRJEqPUMvTdr12XUbCTSvsXRWc9DLoz8w
PTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDSAAwRQIgBNYmLdmHI2gKy2NqfSXn
MEDF56xWq7son2mcSePvLU8CIQCUxgYfDZDf067Y7vqLw1mWMlSnqECELnq7zel1
fXtpyA==
-----END CERTIFICATE-----`
)
    53  
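// createTxtToken builds the transmitter token used by the tests in this file.
//
// It loads the fixture CA private key (caKeyPEM) and the fixture client
// certificate (publicPEM), creates a pkiverifier issuer from the CA key, and
// asks it for a token derived from the certificate, passing an empty string
// slice as the second argument.
//
// Any failure panics: without a valid token none of the tests can run. The
// panic message includes the underlying error so the failing step can be
// diagnosed from the test output.
func createTxtToken() []byte {
	caKey, err := crypto.LoadEllipticCurveKey([]byte(caKeyPEM))
	if err != nil {
		panic("bad ca key: " + err.Error())
	}

	clientCert, err := crypto.LoadCertificate([]byte(publicPEM))
	if err != nil {
		panic("bad client cert: " + err.Error())
	}

	issuer := pkiverifier.NewPKIIssuer(caKey)
	token, err := issuer.CreateTokenFromCertificate(clientCert, []string{})
	if err != nil {
		panic("can't create token: " + err.Error())
	}
	return token
}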
    73  
// TestNewCompactPKIWithTokenCA checks that NewCompactPKIWithTokenCA succeeds
// with the fixture key, certificate and CA, and fails when the key and
// certificate, or the CA, are truncated PEM.
//
// NOTE(review): both negative cases feed malformed (truncated) PEM. A
// well-formed certificate chained to a different CA is not exercised in this
// function; consider adding such a case so chain verification is covered.
func TestNewCompactPKIWithTokenCA(t *testing.T) {
	// The token holds the client public key signed by the CA.
	token := createTxtToken()

	// newControllers returns a fresh single-entry controller list whose
	// public key is the fixture CA certificate.
	newControllers := func() []*secrets.ControllerInfo {
		return []*secrets.ControllerInfo{{PublicKey: []byte(caPEM)}}
	}

	Convey("When I create a new compact PKI, it should succeed ", t, func() {
		controllers := newControllers()
		pki, err := NewCompactPKIWithTokenCA(
			[]byte(privateKeyPEM),
			[]byte(publicPEM),
			[]byte(caPEM),
			controllers,
			token,
			claimsheader.CompressionTypeV1,
		)
		So(err, ShouldBeNil)
		So(pki, ShouldNotBeNil)
		So(pki.authorityPEM, ShouldResemble, []byte(caPEM))
		So(pki.privateKeyPEM, ShouldResemble, []byte(privateKeyPEM))
		So(pki.publicKeyPEM, ShouldResemble, []byte(publicPEM))
	})

	Convey("When I create a new compact PKI with invalid certs, it should fail", t, func() {
		controllers := newControllers()
		// Truncation leaves both inputs as unparsable PEM fragments.
		shortKey := []byte(privateKeyPEM)[:20]
		shortCert := []byte(publicPEM)[:30]
		pki, err := NewCompactPKIWithTokenCA(shortKey, shortCert, []byte(caPEM), controllers, token, claimsheader.CompressionTypeV1)
		So(err, ShouldNotBeNil)
		So(pki, ShouldBeNil)
	})

	Convey("When I create a new compact PKI with invalid CA, it should fail", t, func() {
		controllers := newControllers()
		// Only the CA is damaged here; key and certificate stay intact.
		shortCA := []byte(caPEM)[:10]
		pki, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), shortCA, controllers, token, claimsheader.CompressionTypeV1)
		So(err, ShouldNotBeNil)
		So(pki, ShouldBeNil)
	})
}
   111  
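// TestBasicInterfaceFunctions checks the accessor methods of a CompactPKI
// built from the fixture key, certificate, CA and transmitter token:
// EncodingKey, TransmittedKey, AckSize and PublicKey.
func TestBasicInterfaceFunctions(t *testing.T) {
	txKey := createTxtToken()
	Convey("Given a valid CompactPKI ", t, func() {
		tokenKey := &secrets.ControllerInfo{
			PublicKey: []byte(caPEM),
		}
		controllerInfo := []*secrets.ControllerInfo{tokenKey}
		p, err := NewCompactPKIWithTokenCA([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM), controllerInfo, txKey, claimsheader.CompressionTypeV1)
		So(err, ShouldBeNil)
		So(p, ShouldNotBeNil)

		// Load the same secrets independently to obtain the expected values.
		// The load error is checked explicitly: if it were ignored and the
		// load failed, key would be nil and the dereference below would panic
		// instead of reporting a clean assertion failure.
		key, cert, _, err := crypto.LoadAndVerifyECSecrets([]byte(privateKeyPEM), []byte(publicPEM), []byte(caPEM))
		So(err, ShouldBeNil)
		So(key, ShouldNotBeNil)
		So(cert, ShouldNotBeNil)

		Convey("I should get the right encoding key", func() {
			So(*(p.EncodingKey().(*ecdsa.PrivateKey)), ShouldResemble, *key)
		})

		Convey("I should get the right transmitter key", func() {
			So(p.TransmittedKey(), ShouldResemble, txKey)
		})

		Convey("I should ge the right ack size", func() {
			So(p.AckSize(), ShouldEqual, compactPKIAckSize)
		})

		Convey("I should get the right public key, ", func() {
			So(p.PublicKey().(*x509.Certificate), ShouldResemble, cert)
		})
	})
}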