func (certSuite) TestVerify(c *C) {
now := time.Now()
caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
c.Assert(err, IsNil)
srvCert, _, err := cert.NewServer("foo", caCert, caKey, now.Add(3*time.Minute))
c.Assert(err, IsNil)
err = cert.Verify(srvCert, caCert, now)
c.Assert(err, IsNil)
err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
c.Assert(err, IsNil)
// TODO(rog) why does this succeed?
// err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute))
//c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")
err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")
caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
c.Assert(err, IsNil)
// Check original server certificate against wrong CA.
err = cert.Verify(srvCert, caCert2, now)
c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
srvCert2, _, err := cert.NewServer("bar", caCert2, caKey2, now.Add(1*time.Minute))
c.Assert(err, IsNil)
// Check new server certificate against original CA.
err = cert.Verify(srvCert2, caCert, now)
c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
}
func (*ConfigSuite) TestGenerateStateServerCertAndKey(c *gc.C) {
// In order to test missing certs, it checks the JUJU_HOME dir, so we need
// a fake home.
defer testing.MakeFakeHomeWithFiles(c, []testing.TestFile{
{".ssh/id_rsa.pub", "rsa\n"},
}).Restore()
for _, test := range []struct {
configValues map[string]interface{}
errMatch string
}{{
configValues: map[string]interface{}{
"name": "test-no-certs",
"type": "dummy",
},
errMatch: "environment configuration has no ca-cert",
}, {
configValues: map[string]interface{}{
"name": "test-no-certs",
"type": "dummy",
"ca-cert": testing.CACert,
},
errMatch: "environment configuration has no ca-private-key",
}, {
configValues: map[string]interface{}{
"name": "test-no-certs",
"type": "dummy",
"ca-cert": testing.CACert,
"ca-private-key": testing.CAKey,
},
}} {
cfg, err := config.New(test.configValues)
c.Assert(err, gc.IsNil)
certPEM, keyPEM, err := cfg.GenerateStateServerCertAndKey()
if test.errMatch == "" {
c.Assert(err, gc.IsNil)
_, _, err = cert.ParseCertAndKey(certPEM, keyPEM)
c.Check(err, gc.IsNil)
err = cert.Verify(certPEM, []byte(testing.CACert), time.Now())
c.Assert(err, gc.IsNil)
err = cert.Verify(certPEM, []byte(testing.CACert), time.Now().AddDate(9, 0, 0))
c.Assert(err, gc.IsNil)
err = cert.Verify(certPEM, []byte(testing.CACert), time.Now().AddDate(10, 0, 1))
c.Assert(err, gc.NotNil)
} else {
c.Assert(err, gc.ErrorMatches, test.errMatch)
c.Assert(certPEM, gc.IsNil)
c.Assert(keyPEM, gc.IsNil)
}
}
}
func (s *CloudInitSuite) TestFinishBootstrapConfig(c *C) {
cfg, err := config.New(map[string]interface{}{
"name": "barbara",
"type": "dummy",
"admin-secret": "lisboan-pork",
"authorized-keys": "we-are-the-keys",
"agent-version": "1.2.3",
"ca-cert": testing.CACert,
"ca-private-key": testing.CAKey,
"state-server": false,
"secret": "british-horse",
})
c.Assert(err, IsNil)
oldAttrs := cfg.AllAttrs()
mcfg := &cloudinit.MachineConfig{
StateServer: true,
}
cons := constraints.MustParse("mem=1T cpu-power=999999999")
err = environs.FinishMachineConfig(mcfg, cfg, cons)
c.Check(err, IsNil)
c.Check(mcfg.AuthorizedKeys, Equals, "we-are-the-keys")
password := utils.PasswordHash("lisboan-pork")
c.Check(mcfg.APIInfo, DeepEquals, &api.Info{
Password: password, CACert: []byte(testing.CACert),
})
c.Check(mcfg.StateInfo, DeepEquals, &state.Info{
Password: password, CACert: []byte(testing.CACert),
})
c.Check(mcfg.StatePort, Equals, cfg.StatePort())
c.Check(mcfg.APIPort, Equals, cfg.APIPort())
c.Check(mcfg.Constraints, DeepEquals, cons)
oldAttrs["ca-private-key"] = ""
oldAttrs["admin-secret"] = ""
delete(oldAttrs, "secret")
c.Check(mcfg.Config.AllAttrs(), DeepEquals, oldAttrs)
srvCertPEM := mcfg.StateServerCert
srvKeyPEM := mcfg.StateServerKey
_, _, err = cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
c.Check(err, IsNil)
err = cert.Verify(srvCertPEM, []byte(testing.CACert), time.Now())
c.Assert(err, IsNil)
err = cert.Verify(srvCertPEM, []byte(testing.CACert), time.Now().AddDate(9, 0, 0))
c.Assert(err, IsNil)
err = cert.Verify(srvCertPEM, []byte(testing.CACert), time.Now().AddDate(10, 0, 1))
c.Assert(err, NotNil)
}
func verifyCertificates() error {
_, err := tls.X509KeyPair([]byte(CACert), []byte(CAKey))
if err != nil {
return fmt.Errorf("bad CA cert key pair: %v", err)
}
_, err = tls.X509KeyPair([]byte(ServerCert), []byte(ServerKey))
if err != nil {
return fmt.Errorf("bad server cert key pair: %v", err)
}
return cert.Verify([]byte(ServerCert), []byte(CACert), time.Now())
}
func verifyCert(c *C, srvCertPEM, caCertPEM []byte) {
err := cert.Verify(srvCertPEM, caCertPEM, time.Now())
c.Assert(err, IsNil)
err = cert.Verify(srvCertPEM, caCertPEM, time.Now().AddDate(9, 0, 0))
c.Assert(err, IsNil)
}
