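package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"io"
	"os"
	"testing"
	"time"

	"github.com/slackhq/nebula/cert"
	"github.com/stretchr/testify/assert"
)

// Test_verifySummary pins the one-line description of the verify subcommand.
func Test_verifySummary(t *testing.T) {
	assert.Equal(t, "verify <flags>: verifies a certificate isn't expired and was signed by a trusted authority.", verifySummary())
}

// Test_verifyHelp pins the full usage text written by verifyHelp. The flag
// lines follow the flag package's PrintDefaults layout (two-space indent for
// the flag, four spaces plus a tab for its description).
func Test_verifyHelp(t *testing.T) {
	ob := &bytes.Buffer{}
	verifyHelp(ob)
	assert.Equal(
		t,
		"Usage of "+os.Args[0]+" verify <flags>: verifies a certificate isn't expired and was signed by a trusted authority.\n"+
			"  -ca string\n"+
			"    \tRequired: path to a file containing one or more ca certificates\n"+
			"  -crt string\n"+
			"    \tRequired: path to a file containing a single certificate\n",
		ob.String(),
	)
}

// newTempFile creates a temporary file that is closed and removed when the
// test finishes. It fails the test immediately if creation fails so callers
// never dereference a nil *os.File.
func newTempFile(t *testing.T, pattern string) *os.File {
	t.Helper()
	f, err := os.CreateTemp("", pattern)
	if err != nil {
		t.Fatalf("creating temp file %q: %v", pattern, err)
	}
	t.Cleanup(func() {
		// Close before Remove so the removal also succeeds on platforms that
		// refuse to delete an open file. A Close error on a scratch file at
		// teardown is not actionable, so it is deliberately ignored.
		_ = f.Close()
		_ = os.Remove(f.Name())
	})
	return f
}

// overwrite replaces the entire contents of f with data, failing the test on
// any I/O error so that a later assertion does not mislead about the cause.
func overwrite(t *testing.T, f *os.File, data []byte) {
	t.Helper()
	if err := f.Truncate(0); err != nil {
		t.Fatalf("truncating %s: %v", f.Name(), err)
	}
	if _, err := f.Seek(0, io.SeekStart); err != nil {
		t.Fatalf("seeking %s: %v", f.Name(), err)
	}
	if _, err := f.Write(data); err != nil {
		t.Fatalf("writing %s: %v", f.Name(), err)
	}
}

// Test_verify drives the verify subcommand end to end: missing flags,
// unreadable and malformed inputs, a certificate signed by a key the CA pool
// does not trust, and finally a certificate that validates against the CA.
// Every fixture-building step is error-checked so a failure surfaces where it
// happens rather than as a confusing mismatch in a later assertion.
func Test_verify(t *testing.T) {
	time.Local = time.UTC
	ob := &bytes.Buffer{}
	eb := &bytes.Buffer{}

	// required args
	assertHelpError(t, verify([]string{"-ca", "derp"}, ob, eb), "-crt is required")
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())

	assertHelpError(t, verify([]string{"-crt", "derp"}, ob, eb), "-ca is required")
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())

	// no ca at path
	ob.Reset()
	eb.Reset()
	err := verify([]string{"-ca", "does_not_exist", "-crt", "does_not_exist"}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.EqualError(t, err, "error while reading ca: open does_not_exist: "+NoSuchFileError)

	// invalid ca at path
	ob.Reset()
	eb.Reset()
	caFile := newTempFile(t, "verify-ca")
	overwrite(t, caFile, []byte("-----BEGIN NOPE-----"))
	err = verify([]string{"-ca", caFile.Name(), "-crt", "does_not_exist"}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.EqualError(t, err, "error while adding ca cert to pool: input did not contain a valid PEM encoded block")

	// make a ca for later
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	assert.Nil(t, err)
	ca := cert.NebulaCertificate{
		Details: cert.NebulaCertificateDetails{
			Name:      "test-ca",
			NotBefore: time.Now().Add(time.Hour * -1),
			NotAfter:  time.Now().Add(time.Hour * 2),
			PublicKey: caPub,
			IsCA:      true,
		},
	}
	assert.Nil(t, ca.Sign(cert.Curve_CURVE25519, caPriv))
	b, err := ca.MarshalToPEM()
	assert.Nil(t, err)
	overwrite(t, caFile, b)

	// no crt at path
	err = verify([]string{"-ca", caFile.Name(), "-crt", "does_not_exist"}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.EqualError(t, err, "unable to read crt; open does_not_exist: "+NoSuchFileError)

	// invalid crt at path
	ob.Reset()
	eb.Reset()
	certFile := newTempFile(t, "verify-cert")
	overwrite(t, certFile, []byte("-----BEGIN NOPE-----"))
	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.EqualError(t, err, "error while parsing crt: input did not contain a valid PEM encoded block")

	// unverifiable cert at path: the certificate names the real CA as its
	// issuer but is signed with an unrelated key, so only the signature check
	// can reject it (the validity window is otherwise fine).
	_, badPriv, err := ed25519.GenerateKey(rand.Reader)
	assert.Nil(t, err)
	certPub, _ := x25519Keypair()
	signer, err := ca.Sha256Sum()
	assert.Nil(t, err)
	crt := cert.NebulaCertificate{
		Details: cert.NebulaCertificateDetails{
			Name:      "test-cert",
			NotBefore: time.Now().Add(time.Hour * -1),
			NotAfter:  time.Now().Add(time.Hour),
			PublicKey: certPub,
			IsCA:      false,
			Issuer:    signer,
		},
	}
	assert.Nil(t, crt.Sign(cert.Curve_CURVE25519, badPriv))
	b, err = crt.MarshalToPEM()
	assert.Nil(t, err)
	overwrite(t, certFile, b)

	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.EqualError(t, err, "certificate signature did not match")

	// verified cert at path: re-signing the same certificate with the CA key
	// is the only change, so a pass here isolates the signature check.
	assert.Nil(t, crt.Sign(cert.Curve_CURVE25519, caPriv))
	b, err = crt.MarshalToPEM()
	assert.Nil(t, err)
	overwrite(t, certFile, b)

	err = verify([]string{"-ca", caFile.Name(), "-crt", certFile.Name()}, ob, eb)
	assert.Equal(t, "", ob.String())
	assert.Equal(t, "", eb.String())
	assert.Nil(t, err)

	// NOTE(review): the expiry branch named in verifySummary ("isn't expired")
	// is not exercised by this test; no fixture sets NotAfter in the past.
}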