func TestCa(t *testing.T) {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
keylength := 4098
organization := "org"
country := "PT-PT"
expiresDays := 10
expires := time.Now().AddDate(0, 0, expiresDays).UTC()
// generate certificate
_, rootCert, _, err := NewRootCertificate(keylength, expires, organization, country)
if err != nil {
t.Error(err)
}
// verify fingerprint
fingerprint, err := GetCertificateFingerprint()
if err != nil {
t.Error(err)
}
if err := rootCert.VerifyFingerprint(&fingerprint); err != nil {
t.Fatalf("Fingerprint! %s", err)
}
// CSR signature is tested in container_test.go
}
func main() {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
if len(os.Args) == 1 {
argError("")
return
}
switch os.Args[1] {
case "ca":
caCmd()
case "container":
containerCmd()
default:
clientCmd()
}
}
func TestClient(t *testing.T) {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
keyLength := 2048
hostname := "symbios"
privateKeyPath := "id_test"
expires := time.Now().AddDate(1, 0, 0).UTC()
// generate private key
userKeyBase64, _, _, err := NewUserKey(&hostname, keyLength, &expires, &privateKeyPath)
if err != nil {
t.Error(err)
}
pubKeyPath := privateKeyPath + ".crt"
defer os.Remove(privateKeyPath)
defer os.Remove(pubKeyPath)
// compare generated public key and base64encoded key
userKey, err := b64.StdEncoding.DecodeString(*userKeyBase64)
if err != nil {
t.Error(err)
}
rawCsr, err := ioutil.ReadFile(pubKeyPath)
if !bytes.Equal(userKey, rawCsr) {
t.Fail()
}
userCert, err := pkix.NewCertificateFromPEM(rawCsr)
if err != nil {
t.Error(err)
}
tokenExpires := time.Duration(time.Second * 10)
// generate token using private key
userToken, err := NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
if err != nil {
t.Error(err)
}
if err := ca.ValidateToken(*userToken, userCert, &hostname); err != nil {
t.Fatalf("Token validation failed: %s", err)
}
// replay attack
if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
t.Fatalf("Replay attack detection fail: %s", err)
}
// expired token
tokenExpires = time.Duration(time.Second * 1)
userToken, err = NewTokenUsingPrivateKeyFile(privateKeyPath, hostname, tokenExpires)
if err != nil {
t.Error(err)
}
time.Sleep(time.Duration(time.Second * 5))
if err := ca.ValidateToken(*userToken, userCert, &hostname); err == nil {
t.Fatalf("Expired token detection fail: %s", err)
}
}
func TestContainer(t *testing.T) {
logger.InitLogs(os.Stdout, os.Stdout, os.Stderr)
// create root keys
keysize := 2048
key, err := pkix.CreateRSAKey(keysize)
if err != nil {
t.Fatal("Unable to generate keys.", err)
}
// start CA
keylength := 4098
organization := "org"
country := "PT-PT"
expiresDays := 10
expires := time.Now().AddDate(0, 0, expiresDays).UTC()
_, caCert, _, err := ca.NewRootCertificate(keylength, expires, organization, country)
caFingerprint, err := caCert.Fingerprint()
if err != nil {
t.Fatal("Unable to generate keys.", err)
}
// add user to CA
keyLength := 2048
username := "******"
userExpires := time.Now().AddDate(1, 0, 0).UTC()
// generate private key
_, userCert, userPrivateKey, err := client.NewUserKey(&username, keyLength, &userExpires, nil)
if err != nil {
t.Error(err)
}
ca.SetUserCertificate(userCert)
userPrivateKeyBytes, err := userPrivateKey.ExportPrivate()
if err != nil {
t.Error(err)
}
tokenExpires := time.Duration(time.Second * 20)
token, err := client.NewToken(userPrivateKeyBytes, username, tokenExpires)
if err != nil {
t.Error(err)
}
//setup mockHTTPServer
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// /cert
if r.URL.String() == "/v1/cert" {
ca.HandleCertRequest(w, r)
}
if r.URL.String() == "/v1/csr" {
ca.HandleCSR(w, r)
}
}))
defer ts.Close()
fmt.Println(ts.URL)
certProp := CertificateProperties{
name: "Tommy",
ip_list: "192.168.1.1",
domain_list: "symbios",
organization: "symbios",
country: "US",
}
_, err = Authenticate(&ts.URL, token, key, &certProp, &caFingerprint)
if err != nil {
t.Fatalf("Unable to authenticate.", err)
}
}