func TestSignerTLS(t *testing.T) {
// Issue a certificate using OpenSSL
newCert, newKey, err := issueCert([]string{"mancave.local", "1.1.1.1", "localhost"})
orFatal("issueCert", err, t)
_, err = openssl.LoadCertificateFromPEM(serverCert)
orFatal("ParseTemplateCertificateTLS", err, t)
_, err = openssl.LoadCertificateFromPEM(rootCertCA)
orFatal("ParseCACertificateTLS", err, t)
expected := "key verifies with Go"
certpool := x509.NewCertPool()
certpool.AddCert(GopenSSLProxyCA.Leaf)
// Go's built-in tranport works just fine.
// tr := &http.Transport{
// TLSClientConfig: &tls.Config{RootCAs: certpool},
// }
// OpenSSL based transport which crashes on FreeBSD
tlsConfig, err := openssl.NewCtx()
tr := &transport.Transport{
TLSClientConfig: tlsConfig,
}
srv := &http.Server{
// Addr: ":8443",
Handler: ConstantHanlder(expected),
}
sslCtx, err := openssl.NewCtx()
orFatal("NewContext", err, t)
sslCtx.UseCertificate(newCert)
sslCtx.UsePrivateKey(*newKey)
l, err := openssl.Listen("tcp", ":8443", sslCtx)
orFatal("NewListener", err, t)
go srv.Serve(l)
// Making sure to wait long enough
// until the server start listening
time.Sleep(2 * time.Second)
req, err := http.NewRequest("GET", "https://localhost:8443", nil)
orFatal("NewRequest", err, t)
resp, err := tr.RoundTrip(req)
orFatal("RoundTrip", err, t)
txt, err := ioutil.ReadAll(resp.Body)
orFatal("ioutil.ReadAll", err, t)
if string(txt) != expected {
t.Errorf("Expected '%s' got '%s'", expected, string(txt))
}
}
func TestSignerX509(t *testing.T) {
newIssuedCert, _, err := issueCert([]string{"example.com", "1.1.1.1", "localhost"})
orFatal("issueCert", err, t)
newIssuedCertPEM, err := newIssuedCert.MarshalPEM()
orFatal("MarshalPEM", err, t)
_, err = openssl.LoadCertificateFromPEM(newIssuedCertPEM)
orFatal("ParseTemplateCertificateX509", err, t)
}
func issueCert(hosts []string) (*openssl.Certificate, *openssl.PrivateKey, error) {
privKey, _ := openssl.GenerateRSAKey(1024)
der, _ := privKey.MarshalPKIXPublicKeyDER()
pubKey, _ := openssl.LoadPublicKeyFromDER(der)
// Use a clone of serverCert certificate as a template.
cert, err := openssl.LoadCertificateFromPEM(serverCert)
if err != nil {
return nil, nil, err
}
// New certificate validity is always 11 days which means
// it has issued yesterday (-24) and expire in 10 days (240).
cert.SetIssueDate(time.Duration(-24) * time.Hour)
cert.SetExpireDate(time.Duration(240) * time.Hour)
// Replace existing public key with new key
cert.SetPubKey(pubKey)
// Generate new name
name, _ := openssl.NewName()
for _, h := range hosts {
if ip := net.ParseIP(h); ip != nil {
name.AddTextEntry("CN", ip.String())
} else {
name.AddTextEntry("CN", h)
}
}
name.AddTextEntry("O", "Man Cave, LLC")
name.AddTextEntry("OU", "Fun")
// Replace existing name with new name
cert.SetSubjectName(name)
// Update existing serial with unique one
rand.Seed(time.Now().UnixNano())
serial := rand.Int()
cert.SetSerial(serial)
// Load Root CA private key and sign new certificate
caPrivKey, _ := openssl.LoadPrivateKeyFromPEM(rootKeyCA)
cert.Sign(caPrivKey, openssl.EVP_SHA256)
return cert, &privKey, err
}
