func (certSuite) TestVerify(c *C) { now := time.Now() caCert, caKey, err := cert.NewCA("foo", now.Add(1*time.Minute)) c.Assert(err, IsNil) srvCert, _, err := cert.NewServer("foo", caCert, caKey, now.Add(3*time.Minute)) c.Assert(err, IsNil) err = cert.Verify(srvCert, caCert, now) c.Assert(err, IsNil) err = cert.Verify(srvCert, caCert, now.Add(55*time.Second)) c.Assert(err, IsNil) // TODO(rog) why does this succeed? // err = cert.Verify(srvCert, caCert, now.Add(-1 * time.Minute)) //c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid") err = cert.Verify(srvCert, caCert, now.Add(2*time.Minute)) c.Check(err, ErrorMatches, "x509: certificate has expired or is not yet valid") caCert2, caKey2, err := cert.NewCA("bar", now.Add(1*time.Minute)) c.Assert(err, IsNil) // Check original server certificate against wrong CA. err = cert.Verify(srvCert, caCert2, now) c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority") srvCert2, _, err := cert.NewServer("bar", caCert2, caKey2, now.Add(1*time.Minute)) c.Assert(err, IsNil) // Check new server certificate against original CA. err = cert.Verify(srvCert2, caCert, now) c.Check(err, ErrorMatches, "x509: certificate signed by unknown authority") }
func mustNewCA() (string, string) { cert.KeyBits = 512 caCert, caKey, err := cert.NewCA("juju testing", time.Now().AddDate(10, 0, 0)) if err != nil { panic(err) } return string(caCert), string(caKey) }
func (certSuite) TestWithNonUTCExpiry(c *C) { expiry, err := time.Parse("2006-01-02 15:04:05.999999999 -0700 MST", "2012-11-28 15:53:57 +0100 CET") c.Assert(err, IsNil) certPEM, keyPEM, err := cert.NewCA("foo", expiry) xcert, err := cert.ParseCert(certPEM) c.Assert(err, IsNil) c.Assert(xcert.NotAfter.Equal(expiry), Equals, true) certPEM, _, err = cert.NewServer("foo", certPEM, keyPEM, expiry) xcert, err = cert.ParseCert(certPEM) c.Assert(err, IsNil) c.Assert(xcert.NotAfter.Equal(expiry), Equals, true) }
func (certSuite) TestNewCA(c *C) { expiry := roundTime(time.Now().AddDate(0, 0, 1)) caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry) c.Assert(err, IsNil) caCert, caKey, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM) c.Assert(err, IsNil) c.Assert(caKey, FitsTypeOf, (*rsa.PrivateKey)(nil)) c.Assert(caCert.Subject.CommonName, Equals, `juju-generated CA for environment "foo"`) c.Assert(caCert.NotAfter.Equal(expiry), Equals, true) c.Assert(caCert.BasicConstraintsValid, Equals, true) c.Assert(caCert.IsCA, Equals, true) //c.Assert(caCert.MaxPathLen, Equals, 0) TODO it ends up as -1 - check that this is ok. }
func generateCertificate(environ Environ, writeCertAndKey func(environName string, cert, key []byte) error) error { cfg := environ.Config() caCert, caKey, err := cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0)) if err != nil { return err } m := cfg.AllAttrs() m["ca-cert"] = string(caCert) m["ca-private-key"] = string(caKey) cfg, err = config.New(m) if err != nil { return fmt.Errorf("cannot create environment configuration with new CA: %v", err) } if err := environ.SetConfig(cfg); err != nil { return fmt.Errorf("cannot set environment configuration with CA: %v", err) } if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil { return fmt.Errorf("cannot write CA certificate and key: %v", err) } return nil }
func (certSuite) TestNewServer(c *C) { expiry := roundTime(time.Now().AddDate(1, 0, 0)) caCertPEM, caKeyPEM, err := cert.NewCA("foo", expiry) c.Assert(err, IsNil) caCert, _, err := cert.ParseCertAndKey(caCertPEM, caKeyPEM) c.Assert(err, IsNil) srvCertPEM, srvKeyPEM, err := cert.NewServer("juju test", caCertPEM, caKeyPEM, expiry) c.Assert(err, IsNil) srvCert, srvKey, err := cert.ParseCertAndKey(srvCertPEM, srvKeyPEM) c.Assert(err, IsNil) c.Assert(err, IsNil) c.Assert(srvCert.Subject.CommonName, Equals, "*") c.Assert(srvCert.NotAfter.Equal(expiry), Equals, true) c.Assert(srvCert.BasicConstraintsValid, Equals, false) c.Assert(srvCert.IsCA, Equals, false) checkTLSConnection(c, caCert, srvCert, srvKey) }
// Bootstrap bootstraps the given environment. If the environment does // not contain a CA certificate, a new certificate and key pair are // generated, added to the environment configuration, and writeCertAndKey // will be called to save them. If writeCertFile is nil, the generated // certificate and key will be saved to ~/.juju/<environ-name>-cert.pem // and ~/.juju/<environ-name>-private-key.pem. // // If uploadTools is true, the current version of the juju tools will be // uploaded, as documented in Environ.Bootstrap. func Bootstrap(environ Environ, uploadTools bool, writeCertAndKey func(environName string, cert, key []byte) error) error { if writeCertAndKey == nil { writeCertAndKey = writeCertAndKeyToHome } cfg := environ.Config() caCert, hasCACert := cfg.CACert() caKey, hasCAKey := cfg.CAPrivateKey() if !hasCACert { if hasCAKey { return fmt.Errorf("environment configuration with CA private key but no certificate") } var err error caCert, caKey, err = cert.NewCA(environ.Name(), time.Now().UTC().AddDate(10, 0, 0)) if err != nil { return err } m := cfg.AllAttrs() m["ca-cert"] = string(caCert) m["ca-private-key"] = string(caKey) cfg, err = config.New(m) if err != nil { return fmt.Errorf("cannot create environment configuration with new CA: %v", err) } if err := environ.SetConfig(cfg); err != nil { return fmt.Errorf("cannot set environment configuration with CA: %v", err) } if err := writeCertAndKey(environ.Name(), caCert, caKey); err != nil { return fmt.Errorf("cannot write CA certificate and key: %v", err) } } // Generate a new key pair and certificate for // the newly bootstrapped instance. cert, key, err := cert.NewServer(environ.Name(), caCert, caKey, time.Now().UTC().AddDate(10, 0, 0)) if err != nil { return fmt.Errorf("cannot generate bootstrap certificate: %v", err) } return environ.Bootstrap(uploadTools, cert, key) }