github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/integration-tests/tls/ca_test.go (about)

     1  package tls
     2  
     3  import (
     4  	"reflect"
     5  	"testing"
     6  	"time"
     7  
     8  	"github.com/cloudflare/cfssl/helpers"
     9  )
    10  
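// TestNewCACert checks that NewCACert, called with test/ca-csr.json, a common
// name and a Subject, returns a PEM certificate that parses, is flagged as a
// CA, carries the requested subject fields, is self-issued and self-signed,
// and expires 8760h after it was created.
func TestNewCACert(t *testing.T) {
	// Validity period the generated CA certificate is expected to have.
	const validity = 8760 * time.Hour

	subject := Subject{
		Organization:       "someOrg",
		OrganizationalUnit: "someOrgUnit",
	}

	// Sample the clock on both sides of the call so the expiration check below
	// cannot fail spuriously when the certificate is issued just before
	// midnight UTC and the assertion runs just after it.
	before := time.Now().UTC()
	// The first return value is not examined by this test.
	_, cert, err := NewCACert("test/ca-csr.json", "someCommonName", subject)
	after := time.Now().UTC()
	if err != nil {
		t.Fatalf("error creating CA cert: %v", err)
	}

	parsedCert, err := helpers.ParseCertificatePEM(cert)
	if err != nil {
		t.Fatalf("error parsing certificate: %v", err)
	}

	if !parsedCert.IsCA {
		t.Errorf("Genereated CA cert is not CA")
	}

	expectedCN := "someCommonName"
	if parsedCert.Subject.CommonName != expectedCN {
		t.Errorf("CN mismatch: expected %q, found %q", expectedCN, parsedCert.Subject.CommonName)
	}

	// Check the length before indexing: a certificate with no O or OU attribute
	// should fail the test with a message, not panic with index out of range.
	if orgs := parsedCert.Subject.Organization; len(orgs) == 0 {
		t.Errorf("Organization mismatch: expected %q, found none", subject.Organization)
	} else if orgs[0] != subject.Organization {
		t.Errorf("Organization mismatch: expected %q, found %q", subject.Organization, orgs[0])
	}

	if units := parsedCert.Subject.OrganizationalUnit; len(units) == 0 {
		t.Errorf("OrganizationalUnit mismatch: expected %q, found none", subject.OrganizationalUnit)
	} else if units[0] != subject.OrganizationalUnit {
		t.Errorf("OrganizationalUnit mismatch: expected %q, found %q", subject.OrganizationalUnit, units[0])
	}

	if !reflect.DeepEqual(parsedCert.Issuer, parsedCert.Subject) {
		t.Errorf("cert issuer is not equal to the CA's subject")
	}

	// Equal issuer and subject names only show the certificate is self-issued.
	// Verify the signature against the certificate's own public key as well, so
	// a certificate signed by some other key under the same name is rejected.
	if err := parsedCert.CheckSignatureFrom(parsedCert); err != nil {
		t.Errorf("CA cert is not signed by its own key: %v", err)
	}

	// You might be tempted to test for this, but it seems like the AuthKeyID doesn't have to be set
	// for self-signed certificates. https://go.googlesource.com/go/+/b623b71509b2d24df915d5bc68602e1c6edf38ca
	// if !bytes.Equal(parsedCert.AuthorityKeyId, parsedCert.SubjectKeyId) {
	// 	t.Errorf("certificate auth key ID %q is not the subject key ID of the CA %q", string(parsedCert.AuthorityKeyId), string(parsedCert.SubjectKeyId))
	// }

	// Verify expiration at calendar-day granularity (UTC). The expected day is
	// derived from both clock samples; either one may match.
	sameDay := func(a, b time.Time) bool {
		return a.Year() == b.Year() && a.YearDay() == b.YearDay()
	}
	notAfter := parsedCert.NotAfter.UTC()
	if !sameDay(notAfter, before.Add(validity)) && !sameDay(notAfter, after.Add(validity)) {
		t.Errorf("expected expiration date %q, got %q", after.Add(validity), notAfter)
	}
}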