func (certSuite) TestVerify(c *C) {
now := time.Now()
caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
c.Assert(err, IsNil)
srvCert, _, err := cert.NewServer("foo", caCert, caKey, now.Add(3*time.Minute))
c.Assert(err, IsNil)
err = cert.Verify(srvCert, caCert, now)
c.Assert(err, IsNil)
err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
c.Assert(err, IsNil)
// TODO(rog) why does this succeed?
// err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute))
//c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")
err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")
caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
c.Assert(err, IsNil)
// Check original server certificate against wrong CA.
err = cert.Verify(srvCert, caCert2, now)
c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
srvCert2, _, err := cert.NewServer("bar", caCert2, caKey2, now.Add(1*time.Minute))
c.Assert(err, IsNil)
// Check new server certificate against original CA.
err = cert.Verify(srvCert2, caCert, now)
c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
}
func mustNewCA() (string, string) {
cert.KeyBits = 512
caCert, caKey, err := cert.NewCA("juju testing", time.Now().AddDate(10, 0, 0))
if err != nil {
panic(err)
}
return string(caCert), string(caKey)
}
func (certSuite) TestWithNonUTCExpiry(c *C) {
expiry, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2012-11-28 15:53:57 +0100 CET")
c.Assert(err, IsNil)
certPEM, keyPEM, err := cert.NewCA("foo", expiry)
xcert, err := cert.ParseCert(certPEM)
c.Assert(err, IsNil)
c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)
certPEM, _, err = cert.NewServer("foo", certPEM, keyPEM, expiry)
xcert, err = cert.ParseCert(certPEM)
c.Assert(err, IsNil)
c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)
}
func (certSuite) TestNewCA(c *C) {
expiry := roundTime(time.Now().AddDate(0, 0, 1))
caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
c.Assert(err, IsNil)
caCert, caKey, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
c.Assert(err, IsNil)
c.Assert(caKey, FitsTypeOf, (*rsa.PrivateKey)(nil))
c.Assert(caCert.Subject.CommonName, Equals, `juju-generated CA for environment "foo"`)
c.Assert(caCert.NotAfter.Equal(expiry), Equals, true)
c.Assert(caCert.BasicConstraintsValid, Equals, true)
c.Assert(caCert.IsCA, Equals, true)
//c.Assert(caCert.MaxPathLen, Equals, 0) TODO it ends up as -1 - check that this is ok.
}
func generateCertificate(environ Environ, writeCertAndKey func(environName string, cert, key []byte) error) error {
cfg := environ.Config()
caCert, caKey, err := cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0))
if err != nil {
return err
}
m := cfg.AllAttrs()
m["ca-cert"] = string(caCert)
m["ca-private-key"] = string(caKey)
cfg, err = config.New(m)
if err != nil {
return fmt.Errorf("cannot create environment configuration with new CA: %v", err)
}
if err := environ.SetConfig(cfg); err != nil {
return fmt.Errorf("cannot set environment configuration with CA: %v", err)
}
if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil {
return fmt.Errorf("cannot write CA certificate and key: %v", err)
}
return nil
}
func (certSuite) TestNewServer(c *C) {
expiry := roundTime(time.Now().AddDate(1, 0, 0))
caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
c.Assert(err, IsNil)
caCert, _, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
c.Assert(err, IsNil)
srvCertPEM, srvKeyPEM, err := cert.NewServer("juju test", caCertPEM, caKeyPEM, expiry)
c.Assert(err, IsNil)
srvCert, srvKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
c.Assert(err, IsNil)
c.Assert(err, IsNil)
c.Assert(srvCert.Subject.CommonName, Equals, "*")
c.Assert(srvCert.NotAfter.Equal(expiry), Equals, true)
c.Assert(srvCert.BasicConstraintsValid, Equals, false)
c.Assert(srvCert.IsCA, Equals, false)
checkTLSConnection(c, caCert, srvCert, srvKey)
}
// Bootstrap bootstraps the given environment. If the environment does
// not contain a CA certificate, a new certificate and key pair are
// generated, added to the environment configuration, and writeCertAndKey
// will be called to save them. If writeCertFile is nil, the generated
// certificate and key will be saved to ~/.juju/<environ-name>-cert.pem
// and ~/.juju/<environ-name>-private-key.pem.
//
// If uploadTools is true, the current version of the juju tools will be
// uploaded, as documented in Environ.Bootstrap.
func Bootstrap(environ Environ, uploadTools bool, writeCertAndKey func(environName string, cert, key []byte) error) error {
if writeCertAndKey == nil {
writeCertAndKey = writeCertAndKeyToHome
}
cfg := environ.Config()
caCert, hasCACert := cfg.CACert()
caKey, hasCAKey := cfg.CAPrivateKey()
if !hasCACert {
if hasCAKey {
return fmt.Errorf("environment configuration with CA private key but no certificate")
}
var err error
caCert, caKey, err = cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0))
if err != nil {
return err
}
m := cfg.AllAttrs()
m["ca-cert"] = string(caCert)
m["ca-private-key"] = string(caKey)
cfg, err = config.New(m)
if err != nil {
return fmt.Errorf("cannot create environment configuration with new CA: %v", err)
}
if err := environ.SetConfig(cfg); err != nil {
return fmt.Errorf("cannot set environment configuration with CA: %v", err)
}
if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil {
return fmt.Errorf("cannot write CA certificate and key: %v", err)
}
}
// Generate a new key pair and certificate for
// the newly bootstrapped instance.
cert, key, err := cert.NewServer(environ.Name(), caCert, caKey, time.Now().UTC().AddDate(10, 0, 0))
if err != nil {
return fmt.Errorf("cannot generate bootstrap certificate: %v", err)
}
return environ.Bootstrap(uploadTools, cert, key)
}
