Example #1
0
func (certSuite) TestVerify(c *C) {
	now := time.Now()
	caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	srvCert, _, err := cert.NewServer("foo", caCert, caKey, now.Add(3*time.Minute))
	c.Assert(err, IsNil)

	err = cert.Verify(srvCert, caCert, now)
	c.Assert(err, IsNil)

	err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
	c.Assert(err, IsNil)

	// TODO(rog) why does this succeed?
	// err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute))
	//c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")

	err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
	c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")

	caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	// Check original server certificate against wrong CA.
	err = cert.Verify(srvCert, caCert2, now)
	c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")

	srvCert2, _, err := cert.NewServer("bar", caCert2, caKey2, now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	// Check new server certificate against original CA.
	err = cert.Verify(srvCert2, caCert, now)
	c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
}
Example #2
0
func mustNewServer() (string, string) {
	cert.KeyBits = 512
	srvCert, srvKey, err := cert.NewServer("testing-env", []byte(CACert), []byte(CAKey), time.Now().AddDate(10, 0, 0))
	if err != nil {
		panic(err)
	}
	return string(srvCert), string(srvKey)
}
Example #3
0
// GenerateStateServerCertAndKey makes sure that the config has a CACert and
// CAPrivateKey, generates and retruns new certificate and key.
func (cfg *Config) GenerateStateServerCertAndKey() ([]byte, []byte, error) {
	caCert, hasCACert := cfg.CACert()
	if !hasCACert {
		return nil, nil, fmt.Errorf("environment configuration has no ca-cert")
	}
	caKey, hasCAKey := cfg.CAPrivateKey()
	if !hasCAKey {
		return nil, nil, fmt.Errorf("environment configuration has no ca-private-key")
	}
	return cert.NewServer(cfg.Name(), caCert, caKey, time.Now().UTC().AddDate(10, 0, 0))
}
Example #4
0
func (certSuite) TestWithNonUTCExpiry(c *C) {
	expiry, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2012-11-28 15:53:57 +0100 CET")
	c.Assert(err, IsNil)
	certPEM, keyPEM, err := cert.NewCA("foo", expiry)
	xcert, err := cert.ParseCert(certPEM)
	c.Assert(err, IsNil)
	c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)

	certPEM, _, err = cert.NewServer("foo", certPEM, keyPEM, expiry)
	xcert, err = cert.ParseCert(certPEM)
	c.Assert(err, IsNil)
	c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)
}
Example #5
0
func (certSuite) TestNewServer(c *C) {
	expiry := roundTime(time.Now().AddDate(1, 0, 0))
	caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
	c.Assert(err, IsNil)

	caCert, _, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
	c.Assert(err, IsNil)

	srvCertPEM, srvKeyPEM, err := cert.NewServer("juju test", caCertPEM, caKeyPEM, expiry)
	c.Assert(err, IsNil)

	srvCert, srvKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Assert(err, IsNil)
	c.Assert(err, IsNil)
	c.Assert(srvCert.Subject.CommonName, Equals, "*")
	c.Assert(srvCert.NotAfter.Equal(expiry), Equals, true)
	c.Assert(srvCert.BasicConstraintsValid, Equals, false)
	c.Assert(srvCert.IsCA, Equals, false)

	checkTLSConnection(c, caCert, srvCert, srvKey)
}
Example #6
0
// Bootstrap bootstraps the given environment.  If the environment does
// not contain a CA certificate, a new certificate and key pair are
// generated, added to the environment configuration, and writeCertAndKey
// will be called to save them.  If writeCertFile is nil, the generated
// certificate and key will be saved to ~/.juju/<environ-name>-cert.pem
// and ~/.juju/<environ-name>-private-key.pem.
//
// If uploadTools is true, the current version of the juju tools will be
// uploaded, as documented in Environ.Bootstrap.
func Bootstrap(environ Environ, uploadTools bool, writeCertAndKey func(environName string, cert, key []byte) error) error {
	if writeCertAndKey == nil {
		writeCertAndKey = writeCertAndKeyToHome
	}
	cfg := environ.Config()
	caCert, hasCACert := cfg.CACert()
	caKey, hasCAKey := cfg.CAPrivateKey()
	if !hasCACert {
		if hasCAKey {
			return fmt.Errorf("environment configuration with CA private key but no certificate")
		}
		var err error
		caCert, caKey, err = cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0))
		if err != nil {
			return err
		}
		m := cfg.AllAttrs()
		m["ca-cert"] = string(caCert)
		m["ca-private-key"] = string(caKey)
		cfg, err = config.New(m)
		if err != nil {
			return fmt.Errorf("cannot create environment configuration with new CA: %v", err)
		}
		if err := environ.SetConfig(cfg); err != nil {
			return fmt.Errorf("cannot set environment configuration with CA: %v", err)
		}
		if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil {
			return fmt.Errorf("cannot write CA certificate and key: %v", err)
		}
	}
	// Generate a new key pair and certificate for
	// the newly bootstrapped instance.
	cert, key, err := cert.NewServer(environ.Name(), caCert, caKey, time.Now().UTC().AddDate(10, 0, 0))
	if err != nil {
		return fmt.Errorf("cannot generate bootstrap certificate: %v", err)
	}
	return environ.Bootstrap(uploadTools, cert, key)
}
Example #7
0
func (certSuite) TestNewServerWithInvalidCert(c *C) {
	srvCert, srvKey, err := cert.NewServer("foo", nonCACert, nonCAKey, time.Now())
	c.Check(srvCert, IsNil)
	c.Check(srvKey, IsNil)
	c.Assert(err, ErrorMatches, "CA certificate is not a valid CA")
}