func (certSuite) TestNewServerHostnames(c *gc.C) {
type test struct {
hostnames []string
expectedDNSNames []string
expectedIPAddresses []net.IP
}
tests := []test{{
[]string{},
nil,
nil,
}, {
[]string{"example.com"},
[]string{"example.com"},
nil,
}, {
[]string{"example.com", "127.0.0.1"},
[]string{"example.com"},
[]net.IP{net.IPv4(127, 0, 0, 1).To4()},
}, {
[]string{"::1"},
nil,
[]net.IP{net.IPv6loopback},
}}
for i, t := range tests {
c.Logf("test %d: %v", i, t.hostnames)
expiry := roundTime(time.Now().AddDate(1, 0, 0))
srvCertPEM, srvKeyPEM, err := cert.NewServer(caCertPEM, caKeyPEM, expiry, t.hostnames)
c.Assert(err, gc.IsNil)
srvCert, _, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
c.Assert(err, gc.IsNil)
c.Assert(srvCert.DNSNames, gc.DeepEquals, t.expectedDNSNames)
c.Assert(srvCert.IPAddresses, gc.DeepEquals, t.expectedIPAddresses)
}
}
func (certSuite) TestNewServerWithInvalidCert(c *gc.C) {
var noHostnames []string
srvCert, srvKey, err := cert.NewServer(nonCACert, nonCAKey, time.Now(), noHostnames)
c.Check(srvCert, gc.Equals, "")
c.Check(srvKey, gc.Equals, "")
c.Assert(err, gc.ErrorMatches, "CA certificate is not a valid CA")
}
func mustNewServer() (string, string) {
cert.KeyBits = 512
var hostnames []string
srvCert, srvKey, err := cert.NewServer(CACert, CAKey, time.Now().AddDate(10, 0, 0), hostnames)
if err != nil {
panic(err)
}
return string(srvCert), string(srvKey)
}
// GenerateStateServerCertAndKey makes sure that the config has a CACert and
// CAPrivateKey, generates and retruns new certificate and key.
func (cfg *Config) GenerateStateServerCertAndKey() (string, string, error) {
caCert, hasCACert := cfg.CACert()
if !hasCACert {
return "", "", fmt.Errorf("environment configuration has no ca-cert")
}
caKey, hasCAKey := cfg.CAPrivateKey()
if !hasCAKey {
return "", "", fmt.Errorf("environment configuration has no ca-private-key")
}
var noHostnames []string
return cert.NewServer(caCert, caKey, time.Now().UTC().AddDate(10, 0, 0), noHostnames)
}
func (certSuite) TestWithNonUTCExpiry(c *gc.C) {
expiry, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2012-11-28 15:53:57 +0100 CET")
c.Assert(err, gc.IsNil)
certPEM, keyPEM, err := cert.NewCA("foo", expiry)
xcert, err := cert.ParseCert(certPEM)
c.Assert(err, gc.IsNil)
c.Assert(xcert.NotAfter.Equal(expiry), gc.Equals, true)
var noHostnames []string
certPEM, _, err = cert.NewServer(certPEM, keyPEM, expiry, noHostnames)
xcert, err = cert.ParseCert(certPEM)
c.Assert(err, gc.IsNil)
c.Assert(xcert.NotAfter.Equal(expiry), gc.Equals, true)
}
// ensureCertificates ensures that a CA certificate,
// server certificate, and private key exist in the log
// directory, and writes them if not. The CA certificate
// is entered into the environment configuration to be
// picked up by other agents.
func (h *RsyslogConfigHandler) ensureCertificates() error {
// We write ca-cert.pem last, after propagating into state.
// If it's there, then there's nothing to do. Otherwise,
// start over.
caCertPEM := h.syslogConfig.CACertPath()
if _, err := os.Stat(caCertPEM); err == nil {
return nil
}
// Files must be chowned to syslog:adm.
syslogUid, syslogGid, err := lookupUser("syslog")
if err != nil {
return err
}
// Generate a new CA and server cert/key pairs.
// The CA key will be discarded after the server
// cert has been generated.
expiry := time.Now().UTC().AddDate(10, 0, 0)
caCertPEM, caKeyPEM, err := cert.NewCA("rsyslog", expiry)
if err != nil {
return err
}
rsyslogCertPEM, rsyslogKeyPEM, err := cert.NewServer(caCertPEM, caKeyPEM, expiry, nil)
if err != nil {
return err
}
// Update the environment config with the CA cert,
// so clients can configure rsyslog.
if err := h.st.SetRsyslogCert(caCertPEM); err != nil {
return err
}
// Write the certificates and key. The CA certificate must be written last for idempotency.
for _, pair := range []struct {
path string
data string
}{
{h.syslogConfig.ServerCertPath(), rsyslogCertPEM},
{h.syslogConfig.ServerKeyPath(), rsyslogKeyPEM},
{h.syslogConfig.CACertPath(), caCertPEM},
} {
if err := writeFileAtomic(pair.path, []byte(pair.data), 0600, syslogUid, syslogGid); err != nil {
return err
}
}
return nil
}
func (certSuite) TestVerify(c *gc.C) {
now := time.Now()
caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
c.Assert(err, gc.IsNil)
var noHostnames []string
srvCert, _, err := cert.NewServer(caCert, caKey, now.Add(3*time.Minute), noHostnames)
c.Assert(err, gc.IsNil)
err = cert.Verify(srvCert, caCert, now)
c.Assert(err, gc.IsNil)
err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
c.Assert(err, gc.IsNil)
// TODO(rog) why does this succeed?
// err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute))
//c.Check(err, gc.ErrorMatches, "x509: certificate has expired or is not yet valid")
err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
c.Check(err, gc.ErrorMatches, "x509: certificate has expired or is not yet valid")
caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
c.Assert(err, gc.IsNil)
// Check original server certificate against wrong CA.
err = cert.Verify(srvCert, caCert2, now)
c.Check(err, gc.ErrorMatches, "x509: certificate signed by unknown authority")
srvCert2, _, err := cert.NewServer(caCert2, caKey2, now.Add(1*time.Minute), noHostnames)
c.Assert(err, gc.IsNil)
// Check new server certificate against original CA.
err = cert.Verify(srvCert2, caCert, now)
c.Check(err, gc.ErrorMatches, "x509: certificate signed by unknown authority")
}
// ServeTLS runs a storage server on the given network address, relaying
// requests to the given storage implementation. The server runs a TLS
// listener, and verifies client certificates (if given) against the
// specified CA certificate. A client certificate is only required for
// PUT and DELETE methods.
//
// This method returns the network listener, which can then be attached
// to with ClientTLS.
func ServeTLS(addr string, stor storage.Storage, caCertPEM, caKeyPEM string, hostnames []string, authkey string) (net.Listener, error) {
expiry := time.Now().UTC().AddDate(10, 0, 0)
certPEM, keyPEM, err := cert.NewServer(caCertPEM, caKeyPEM, expiry, hostnames)
if err != nil {
return nil, err
}
serverCert, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
if err != nil {
return nil, err
}
caCerts := x509.NewCertPool()
if !caCerts.AppendCertsFromPEM([]byte(caCertPEM)) {
return nil, errors.New("error adding CA certificate to pool")
}
config := &tls.Config{
NextProtos: []string{"http/1.1"},
Certificates: []tls.Certificate{serverCert},
ClientAuth: tls.VerifyClientCertIfGiven,
ClientCAs: caCerts,
}
return serve(addr, stor, config, authkey)
}
func (certSuite) TestNewServer(c *gc.C) {
expiry := roundTime(time.Now().AddDate(1, 0, 0))
caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
c.Assert(err, gc.IsNil)
caCert, _, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
c.Assert(err, gc.IsNil)
var noHostnames []string
srvCertPEM, srvKeyPEM, err := cert.NewServer(caCertPEM, caKeyPEM, expiry, noHostnames)
c.Assert(err, gc.IsNil)
srvCert, srvKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
c.Assert(err, gc.IsNil)
c.Assert(srvCert.Subject.CommonName, gc.Equals, "*")
c.Assert(srvCert.NotAfter.Equal(expiry), gc.Equals, true)
c.Assert(srvCert.BasicConstraintsValid, gc.Equals, false)
c.Assert(srvCert.IsCA, gc.Equals, false)
c.Assert(srvCert.ExtKeyUsage, gc.DeepEquals, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
checkTLSConnection(c, caCert, srvCert, srvKey)
}
