// TestParseCertAndKey checks that the caCertPEM/caKeyPEM fixtures parse into a
// certificate and a private key, and that the public key embedded in the
// certificate is the one belonging to that private key.
func (certSuite) TestParseCertAndKey(c *gc.C) {
	parsed, priv, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(parsed.Subject.CommonName, gc.Equals, `juju-generated CA for model "juju testing"`)
	c.Assert(priv, gc.NotNil)

	// The type assertion panics on a non-RSA key, which is also a failure of
	// this test: the fixture is expected to be RSA.
	pub := parsed.PublicKey.(*rsa.PublicKey)
	c.Assert(pub, gc.DeepEquals, &priv.PublicKey)
}
// checkCertificate parses a server certificate/key pair and verifies the
// properties the generator is expected to give a leaf server certificate:
// wildcard common name, the requested validity window, no CA flags, the
// serverAuth extended key usage and a non-zero serial number. Finally it
// confirms a TLS handshake against caCert succeeds.
func checkCertificate(c *gc.C, caCert *x509.Certificate, srvCertPEM, srvKeyPEM string, now, expiry time.Time) {
	leaf, leafKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Assert(err, jc.ErrorIsNil)
	c.Assert(leaf.Subject.CommonName, gc.Equals, "*")
	checkNotBefore(c, leaf, now)
	checkNotAfter(c, leaf, expiry)

	// A leaf must not carry CA constraints or be marked as a CA.
	c.Assert(leaf.BasicConstraintsValid, jc.IsFalse)
	c.Assert(leaf.IsCA, jc.IsFalse)
	c.Assert(leaf.ExtKeyUsage, gc.DeepEquals, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})

	// The serial number must be present and must not be zero.
	c.Assert(leaf.SerialNumber, gc.NotNil)
	var zero big.Int
	if leaf.SerialNumber.Cmp(&zero) == 0 {
		c.Fatalf("zero serial number")
	}

	checkTLSConnection(c, caCert, leaf, leafKey)
}
// TestNewCA generates a CA certificate with cert.NewCA and checks the parsed
// result: the key is RSA, the subject common name is the one requested, the
// validity window matches now/expiry, and the CA basic constraints are set.
func (certSuite) TestNewCA(c *gc.C) {
	now := time.Now()
	expiry := roundTime(now.AddDate(0, 0, 1))
	commonName := fmt.Sprintf("juju-generated CA for model %s", "foo")

	// NOTE(review): the trailing 0 is presumably the key size, with 0 meaning
	// "use the package default" — confirm against cert.NewCA.
	caCertPEM, caKeyPEM, err := cert.NewCA(commonName, "1", expiry, 0)
	c.Assert(err, jc.ErrorIsNil)

	caCert, caKey, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
	c.Assert(err, jc.ErrorIsNil)

	c.Check(caKey, gc.FitsTypeOf, (*rsa.PrivateKey)(nil))
	c.Check(caCert.Subject.CommonName, gc.Equals, `juju-generated CA for model foo`)
	checkNotBefore(c, caCert, now)
	checkNotAfter(c, caCert, expiry)
	c.Check(caCert.BasicConstraintsValid, jc.IsTrue)
	c.Check(caCert.IsCA, jc.IsTrue)
	// MaxPathLen is deliberately not asserted: it currently ends up as -1 and
	// whether that is acceptable is still an open question.
	//c.Assert(caCert.MaxPathLen, Equals, 0) TODO it ends up as -1 - check that this is ok.
}
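// TestNewClientCertRSASize generates a client certificate for each entry in
// rsaByteSizes and checks the parsed result: subject fields, RSA key type,
// X.509 v3, the UPN subject-alternative-name extension, the RSA public key
// algorithm, the clientAuth extended key usage and the validity window.
//
// The subject-alternative-name extension is located by its OID rather than
// by a fixed position in caCert.Extensions, so the test fails with a clear
// message instead of panicking if the extension order or count changes.
func (certSuite) TestNewClientCertRSASize(c *gc.C) {
	for _, size := range rsaByteSizes {
		now := time.Now()
		expiry := roundTime(now.AddDate(0, 0, 1))
		certPem, privPem, err := cert.NewClientCert(
			fmt.Sprintf("juju-generated CA for model %s", "foo"), "1", expiry, size)
		c.Assert(err, jc.ErrorIsNil)
		c.Assert(certPem, gc.NotNil)
		c.Assert(privPem, gc.NotNil)

		clientCert, clientKey, err := cert.ParseCertAndKey(certPem, privPem)
		c.Assert(err, jc.ErrorIsNil)
		c.Check(clientCert.Subject.CommonName, gc.Equals, "juju-generated CA for model foo")
		c.Check(clientCert.Subject.Organization, gc.DeepEquals, []string{"juju"})
		c.Check(clientCert.Subject.SerialNumber, gc.DeepEquals, "1")
		c.Check(clientKey, gc.FitsTypeOf, (*rsa.PrivateKey)(nil))
		c.Check(clientCert.Version, gc.Equals, 3)
		// NOTE(review): the generated key length is not compared with size;
		// the unit of rsaByteSizes is not visible here, so that check is left out.

		// The UPN value is derived from the subject; the certificate must
		// carry it in a non-critical subjectAltName extension.
		value, err := cert.CertGetUPNExtenstionValue(clientCert.Subject)
		c.Assert(err, jc.ErrorIsNil)
		c.Assert(value, gc.Not(gc.IsNil))
		expected := pkix.Extension{
			Id:       cert.CertSubjAltName,
			Value:    value,
			Critical: false,
		}
		sanIndex := -1
		for i, ext := range clientCert.Extensions {
			if ext.Id.Equal(cert.CertSubjAltName) {
				sanIndex = i
				break
			}
		}
		if sanIndex < 0 {
			c.Fatalf("subject alternative name extension %v not found in %d extensions", cert.CertSubjAltName, len(clientCert.Extensions))
		}
		c.Assert(clientCert.Extensions[sanIndex], jc.DeepEquals, expected)

		c.Assert(clientCert.PublicKeyAlgorithm, gc.Equals, x509.RSA)
		// Guard the index so a missing EKU is reported rather than panicking.
		c.Assert(clientCert.ExtKeyUsage, gc.Not(gc.HasLen), 0)
		c.Assert(clientCert.ExtKeyUsage[0], gc.Equals, x509.ExtKeyUsageClientAuth)
		checkNotBefore(c, clientCert, now)
		checkNotAfter(c, clientCert, expiry)
	}
}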