// TestVerifyCSR drives VerifyCSR through its rejection paths, one property at a
// time: a CSR with no key, an unsigned CSR, a CSR whose signature bytes do not
// match, and then -- starting from a single well-formed self-signed RSA CSR --
// a missing SAN, an over-long CN, too many SANs, and a name the policy
// authority refuses.
//
// Every mutated CSR is a shallow copy of signedReq, so it still carries the
// original Raw / RawTBSCertificateRequest bytes. Only the parsed DNSNames,
// Subject or Signature field is changed on the copy; the CSR signature
// therefore still verifies against the untouched TBS bytes (presumably how
// VerifyCSR checks it), which is what lets e.g. signedReqWithHosts get past
// the signature check and reach the SAN-count check.
//
// Expected errors are compared with test.AssertDeepEquals against errors.New,
// so both the message and the concrete error type returned by VerifyCSR must
// match. forceCNFromSAN is always false and regID is always 0 here; the key
// policy's own rejections are not exercised by this table.
func TestVerifyCSR(t *testing.T) {
	private, err := rsa.GenerateKey(rand.Reader, 2048)
	test.AssertNotError(t, err, "error generating test key")

	// The encoded CSR's public key comes from `private`; the template's
	// PublicKey field is only set so the struct mirrors what is being signed.
	template := &x509.CertificateRequest{
		PublicKey:          private.PublicKey,
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	signedReqBytes, err := x509.CreateCertificateRequest(rand.Reader, template, private)
	test.AssertNotError(t, err, "error generating test CSR")

	signedReq, err := x509.ParseCertificateRequest(signedReqBytes)
	test.AssertNotError(t, err, "error parsing test CSR")

	// cloneReq hands back a fresh shallow copy of the good CSR so each case
	// below can corrupt exactly one field without disturbing the others.
	cloneReq := func() *x509.CertificateRequest {
		dup := *signedReq
		return &dup
	}

	// Signature bytes that cannot match the (unchanged) TBS bytes.
	brokenSignedReq := cloneReq()
	brokenSignedReq.Signature = []byte{1, 1, 1, 1}

	// Two SANs, to be checked against maxNames == 1.
	signedReqWithHosts := cloneReq()
	signedReqWithHosts.DNSNames = []string{"a.com", "b.com"}

	// CN one byte past the limit (maxCNLength, expected to be 64 given the
	// error message below).
	signedReqWithLongCN := cloneReq()
	signedReqWithLongCN.Subject.CommonName = strings.Repeat("a", maxCNLength+1)

	// A single SAN that mockPA (defined elsewhere in this file) is expected
	// to refuse.
	signedReqWithBadName := cloneReq()
	signedReqWithBadName.DNSNames = []string{"bad-name.com"}

	cases := []struct {
		csr           *x509.CertificateRequest
		maxNames      int
		keyPolicy     *goodkey.KeyPolicy
		pa            core.PolicyAuthority
		regID         int64
		expectedError error
	}{
		{
			// Empty CSR: no public key at all.
			csr:           &x509.CertificateRequest{},
			maxNames:      0,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("invalid public key in CSR"),
		},
		{
			// Key present but SignatureAlgorithm left at its zero value.
			// Relies on the key policy accepting an rsa.PublicKey value
			// (not just a pointer).
			csr:           &x509.CertificateRequest{PublicKey: private.PublicKey},
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("signature algorithm not supported"),
		},
		{
			csr:           brokenSignedReq,
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("invalid signature on CSR"),
		},
		{
			// The good CSR carries no SAN and no CN.
			csr:           signedReq,
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("at least one DNS name is required"),
		},
		{
			csr:           signedReqWithLongCN,
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("CN was longer than 64 bytes"),
		},
		{
			csr:           signedReqWithHosts,
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("CSR contains more than 1 DNS names"),
		},
		{
			csr:           signedReqWithBadName,
			maxNames:      1,
			keyPolicy:     testingPolicy,
			pa:            &mockPA{},
			regID:         0,
			expectedError: errors.New("policy forbids issuing for: bad-name.com"),
		},
	}

	for _, tc := range cases {
		got := VerifyCSR(tc.csr, tc.maxNames, tc.keyPolicy, tc.pa, false, tc.regID)
		test.AssertDeepEquals(t, tc.expectedError, got)
	}
}