示例#1
0
func (certSuite) TestVerify(c *C) {
	now := time.Now()
	caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	srvCert, _, err := cert.NewServer("foo", caCert, caKey, now.Add(3*time.Minute))
	c.Assert(err, IsNil)

	err = cert.Verify(srvCert, caCert, now)
	c.Assert(err, IsNil)

	err = cert.Verify(srvCert, caCert, now.Add(55*time.Second))
	c.Assert(err, IsNil)

	// TODO(rog) why does this succeed?
	// err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute))
	//c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")

	err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute))
	c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid")

	caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	// Check original server certificate against wrong CA.
	err = cert.Verify(srvCert, caCert2, now)
	c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")

	srvCert2, _, err := cert.NewServer("bar", caCert2, caKey2, now.Add(1*time.Minute))
	c.Assert(err, IsNil)

	// Check new server certificate against original CA.
	err = cert.Verify(srvCert2, caCert, now)
	c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority")
}
示例#2
0
func mustNewCA() (string, string) {
	cert.KeyBits = 512
	caCert, caKey, err := cert.NewCA("juju testing", time.Now().AddDate(10, 0, 0))
	if err != nil {
		panic(err)
	}
	return string(caCert), string(caKey)
}
示例#3
0
func (certSuite) TestWithNonUTCExpiry(c *C) {
	expiry, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2012-11-28 15:53:57 +0100 CET")
	c.Assert(err, IsNil)
	certPEM, keyPEM, err := cert.NewCA("foo", expiry)
	xcert, err := cert.ParseCert(certPEM)
	c.Assert(err, IsNil)
	c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)

	certPEM, _, err = cert.NewServer("foo", certPEM, keyPEM, expiry)
	xcert, err = cert.ParseCert(certPEM)
	c.Assert(err, IsNil)
	c.Assert(xcert.NotAfter.Equal(expiry), Equals, true)
}
示例#4
0
func (certSuite) TestNewCA(c *C) {
	expiry := roundTime(time.Now().AddDate(0, 0, 1))
	caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
	c.Assert(err, IsNil)

	caCert, caKey, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
	c.Assert(err, IsNil)

	c.Assert(caKey, FitsTypeOf, (*rsa.PrivateKey)(nil))
	c.Assert(caCert.Subject.CommonName, Equals, `juju-generated CA for environment "foo"`)
	c.Assert(caCert.NotAfter.Equal(expiry), Equals, true)
	c.Assert(caCert.BasicConstraintsValid, Equals, true)
	c.Assert(caCert.IsCA, Equals, true)
	//c.Assert(caCert.MaxPathLen, Equals, 0)	TODO it ends up as -1 - check that this is ok.
}
示例#5
0
func generateCertificate(environ Environ, writeCertAndKey func(environName string, cert, key []byte) error) error {
	cfg := environ.Config()
	caCert, caKey, err := cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0))
	if err != nil {
		return err
	}
	m := cfg.AllAttrs()
	m["ca-cert"] = string(caCert)
	m["ca-private-key"] = string(caKey)
	cfg, err = config.New(m)
	if err != nil {
		return fmt.Errorf("cannot create environment configuration with new CA: %v", err)
	}
	if err := environ.SetConfig(cfg); err != nil {
		return fmt.Errorf("cannot set environment configuration with CA: %v", err)
	}
	if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil {
		return fmt.Errorf("cannot write CA certificate and key: %v", err)
	}
	return nil
}
示例#6
0
func (certSuite) TestNewServer(c *C) {
	expiry := roundTime(time.Now().AddDate(1, 0, 0))
	caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry)
	c.Assert(err, IsNil)

	caCert, _, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM)
	c.Assert(err, IsNil)

	srvCertPEM, srvKeyPEM, err := cert.NewServer("juju test", caCertPEM, caKeyPEM, expiry)
	c.Assert(err, IsNil)

	srvCert, srvKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM)
	c.Assert(err, IsNil)
	c.Assert(err, IsNil)
	c.Assert(srvCert.Subject.CommonName, Equals, "*")
	c.Assert(srvCert.NotAfter.Equal(expiry), Equals, true)
	c.Assert(srvCert.BasicConstraintsValid, Equals, false)
	c.Assert(srvCert.IsCA, Equals, false)

	checkTLSConnection(c, caCert, srvCert, srvKey)
}
示例#7
0
// Bootstrap bootstraps the given environment.  If the environment does
// not contain a CA certificate, a new certificate and key pair are
// generated, added to the environment configuration, and writeCertAndKey
// will be called to save them.  If writeCertFile is nil, the generated
// certificate and key will be saved to ~/.juju/<environ-name>-cert.pem
// and ~/.juju/<environ-name>-private-key.pem.
//
// If uploadTools is true, the current version of the juju tools will be
// uploaded, as documented in Environ.Bootstrap.
func Bootstrap(environ Environ, uploadTools bool, writeCertAndKey func(environName string, cert, key []byte) error) error {
	if writeCertAndKey == nil {
		writeCertAndKey = writeCertAndKeyToHome
	}
	cfg := environ.Config()
	caCert, hasCACert := cfg.CACert()
	caKey, hasCAKey := cfg.CAPrivateKey()
	if !hasCACert {
		if hasCAKey {
			return fmt.Errorf("environment configuration with CA private key but no certificate")
		}
		var err error
		caCert, caKey, err = cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0))
		if err != nil {
			return err
		}
		m := cfg.AllAttrs()
		m["ca-cert"] = string(caCert)
		m["ca-private-key"] = string(caKey)
		cfg, err = config.New(m)
		if err != nil {
			return fmt.Errorf("cannot create environment configuration with new CA: %v", err)
		}
		if err := environ.SetConfig(cfg); err != nil {
			return fmt.Errorf("cannot set environment configuration with CA: %v", err)
		}
		if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil {
			return fmt.Errorf("cannot write CA certificate and key: %v", err)
		}
	}
	// Generate a new key pair and certificate for
	// the newly bootstrapped instance.
	cert, key, err := cert.NewServer(environ.Name(), caCert, caKey, time.Now().UTC().AddDate(10, 0, 0))
	if err != nil {
		return fmt.Errorf("cannot generate bootstrap certificate: %v", err)
	}
	return environ.Bootstrap(uploadTools, cert, key)
}