github.com/lestrrat-go/jwx/v2@v2.0.21/cert/cert_test.go (about) 1 package cert_test 2 3 import ( 4 "crypto/rand" 5 "crypto/x509" 6 "crypto/x509/pkix" 7 "encoding/asn1" 8 "math/big" 9 "net" 10 "net/url" 11 "testing" 12 "time" 13 14 "github.com/lestrrat-go/jwx/v2/cert" 15 "github.com/lestrrat-go/jwx/v2/internal/jwxtest" 16 "github.com/stretchr/testify/assert" 17 ) 18 19 func parseCIDR(s string) *net.IPNet { 20 _, net, err := net.ParseCIDR(s) 21 if err != nil { 22 panic(err) 23 } 24 return net 25 } 26 27 func parseURI(s string) *url.URL { 28 uri, err := url.Parse(s) 29 if err != nil { 30 panic(err) 31 } 32 return uri 33 } 34 35 func TestCert(t *testing.T) { 36 privkey, err := jwxtest.GenerateRsaKey() 37 if !assert.NoError(t, err, `jwxtest.GenerateRsaKey`) { 38 return 39 } 40 41 testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} 42 testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}} 43 extraExtensionData := []byte("extra extension") 44 oidExtensionSubjectKeyID := []int{2, 5, 29, 14} 45 46 commonName := "test.example.com" 47 template := x509.Certificate{ 48 SerialNumber: big.NewInt(1), // SerialNumbers must be non-negative since go1.19 49 Subject: pkix.Name{ 50 CommonName: commonName, 51 Organization: []string{"Σ Acme Co"}, 52 Country: []string{"US"}, 53 ExtraNames: []pkix.AttributeTypeAndValue{ 54 { 55 Type: []int{2, 5, 4, 42}, 56 Value: "Gopher", 57 }, 58 // This should override the Country, above. 59 { 60 Type: []int{2, 5, 4, 6}, 61 Value: "NL", 62 }, 63 }, 64 }, 65 NotBefore: time.Unix(1000, 0), 66 NotAfter: time.Unix(100000, 0), 67 68 SignatureAlgorithm: x509.SHA384WithRSA, 69 70 SubjectKeyId: []byte{1, 2, 3, 4}, 71 KeyUsage: x509.KeyUsageCertSign, 72 73 ExtKeyUsage: testExtKeyUsage, 74 UnknownExtKeyUsage: testUnknownExtKeyUsage, 75 76 BasicConstraintsValid: true, 77 IsCA: true, 78 79 OCSPServer: []string{"http://ocsp.example.com"}, 80 IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"}, 81 82 DNSNames: []string{"test.example.com"}, 83 EmailAddresses: []string{"gopher@golang.org"}, 84 IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")}, 85 URIs: []*url.URL{parseURI("https://foo.com/wibble#foo")}, 86 87 PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}}, 88 PermittedDNSDomains: []string{".example.com", "example.com"}, 89 ExcludedDNSDomains: []string{"bar.example.com"}, 90 PermittedIPRanges: []*net.IPNet{parseCIDR("192.168.1.1/16"), parseCIDR("1.2.3.4/8")}, 91 ExcludedIPRanges: []*net.IPNet{parseCIDR("2001:db8::/48")}, 92 PermittedEmailAddresses: []string{"foo@example.com"}, 93 ExcludedEmailAddresses: []string{".example.com", "example.com"}, 94 PermittedURIDomains: []string{".bar.com", "bar.com"}, 95 ExcludedURIDomains: []string{".bar2.com", "bar2.com"}, 96 97 CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"}, 98 99 ExtraExtensions: []pkix.Extension{ 100 { 101 Id: []int{1, 2, 3, 4}, 102 Value: extraExtensionData, 103 }, 104 // This extension should override the SubjectKeyId, above. 105 { 106 Id: oidExtensionSubjectKeyID, 107 Critical: false, 108 Value: []byte{0x04, 0x04, 4, 3, 2, 1}, 109 }, 110 }, 111 } 112 113 b64, err := cert.Create(rand.Reader, &template, &template, &privkey.PublicKey, privkey) 114 if !assert.NoError(t, err, `cert.Certificate should succeed`) { 115 return 116 } 117 118 _, err = cert.Parse(b64) 119 if !assert.NoError(t, err, `cert.Parse should succeed`) { 120 return 121 } 122 }