consul/tlsutil/generate_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package tlsutil

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"io"
	"net"
	"testing"
	"time"

	"strings"

	"github.com/stretchr/testify/require"
)

func TestSerialNumber(t *testing.T) {
	n1, err := GenerateSerialNumber()
	require.Nil(t, err)

	n2, err := GenerateSerialNumber()
	require.Nil(t, err)
	require.NotEqual(t, n1, n2)

	n3, err := GenerateSerialNumber()
	require.Nil(t, err)
	require.NotEqual(t, n1, n3)
	require.NotEqual(t, n2, n3)

}

func TestGeneratePrivateKey(t *testing.T) {
	t.Parallel()
	_, p, err := GeneratePrivateKey()
	require.Nil(t, err)
	require.NotEmpty(t, p)
	require.Contains(t, p, "BEGIN EC PRIVATE KEY")
	require.Contains(t, p, "END EC PRIVATE KEY")

	block, _ := pem.Decode([]byte(p))
	pk, err := x509.ParseECPrivateKey(block.Bytes)

	require.Nil(t, err)
	require.NotNil(t, pk)
	require.Equal(t, 256, pk.Params().BitSize)
}

type TestSigner struct {
	public interface{}
}

func (s *TestSigner) Public() crypto.PublicKey {
	return s.public
}

func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	return []byte{}, nil
}

func TestGenerateCA(t *testing.T) {
	t.Run("no signer", func(t *testing.T) {
		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
		require.Error(t, err)
		require.Empty(t, ca)
		require.Empty(t, pk)
	})

	t.Run("wrong key", func(t *testing.T) {
		ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
		require.Error(t, err)
		require.Empty(t, ca)
		require.Empty(t, pk)
	})

	t.Run("valid key", func(t *testing.T) {
		ca, pk, err := GenerateCA(CAOpts{})
		require.Nil(t, err)
		require.NotEmpty(t, ca)
		require.NotEmpty(t, pk)

		cert, err := parseCert(ca)
		require.Nil(t, err)
		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
		require.Equal(t, true, cert.IsCA)
		require.Equal(t, true, cert.BasicConstraintsValid)

		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
	})

	t.Run("RSA key", func(t *testing.T) {
		ca, pk, err := GenerateCA(CAOpts{})
		require.NoError(t, err)
		require.NotEmpty(t, ca)
		require.NotEmpty(t, pk)

		cert, err := parseCert(ca)
		require.NoError(t, err)
		require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
		require.Equal(t, true, cert.IsCA)
		require.Equal(t, true, cert.BasicConstraintsValid)

		require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
		require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

		require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
	})
}

func TestGenerateCert(t *testing.T) {
	t.Parallel()
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	require.Nil(t, err)
	ca, _, err := GenerateCA(CAOpts{Signer: signer})
	require.Nil(t, err)

	DNSNames := []string{"server.dc1.consul"}
	IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}
	extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	name := "Cert Name"
	certificate, pk, err := GenerateCert(CertOpts{
		Signer: signer, CA: ca, Name: name, Days: 365,
		DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,
	})
	require.Nil(t, err)
	require.NotEmpty(t, certificate)
	require.NotEmpty(t, pk)

	cert, err := parseCert(certificate)
	require.Nil(t, err)
	require.Equal(t, name, cert.Subject.CommonName)
	require.Equal(t, true, cert.BasicConstraintsValid)
	signee, err := ParseSigner(pk)
	require.Nil(t, err)
	certID, err := keyID(signee.Public())
	require.Nil(t, err)
	require.Equal(t, certID, cert.SubjectKeyId)
	caID, err := keyID(signer.Public())
	require.Nil(t, err)
	require.Equal(t, caID, cert.AuthorityKeyId)
	require.Contains(t, cert.Issuer.CommonName, "Consul Agent CA")
	require.Equal(t, false, cert.IsCA)

	require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
	require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)

	require.Equal(t, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, cert.KeyUsage)
	require.Equal(t, extKeyUsage, cert.ExtKeyUsage)

	// https://github.com/golang/go/blob/10538a8f9e2e718a47633ac5a6e90415a2c3f5f1/src/crypto/x509/verify.go#L414
	require.Equal(t, DNSNames, cert.DNSNames)
	require.True(t, IPAddresses[0].Equal(cert.IPAddresses[0]))
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`package tlsutil`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`import (`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/x509"`
			`"encoding/pem"`
			`"io"`
			`"net"`
			`"testing"`
			`"time"`

Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`"strings"`
Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes. 2021-02-05 18:32:08 +00:00
			`"github.com/stretchr/testify/require"`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`)`

			`func TestSerialNumber(t *testing.T) {`
			`n1, err := GenerateSerialNumber()`
			`require.Nil(t, err)`

			`n2, err := GenerateSerialNumber()`
			`require.Nil(t, err)`
			`require.NotEqual(t, n1, n2)`

			`n3, err := GenerateSerialNumber()`
			`require.Nil(t, err)`
			`require.NotEqual(t, n1, n3)`
			`require.NotEqual(t, n2, n3)`

			`}`

			`func TestGeneratePrivateKey(t *testing.T) {`
			`t.Parallel()`
			`_, p, err := GeneratePrivateKey()`
			`require.Nil(t, err)`
			`require.NotEmpty(t, p)`
			`require.Contains(t, p, "BEGIN EC PRIVATE KEY")`
			`require.Contains(t, p, "END EC PRIVATE KEY")`

			`block, _ := pem.Decode([]byte(p))`
			`pk, err := x509.ParseECPrivateKey(block.Bytes)`

			`require.Nil(t, err)`
			`require.NotNil(t, pk)`
			`require.Equal(t, 256, pk.Params().BitSize)`
			`}`

			`type TestSigner struct {`
			`public interface{}`
			`}`

			`func (s *TestSigner) Public() crypto.PublicKey {`
			`return s.public`
			`}`

			`func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {`
			`return []byte{}, nil`
			`}`

			`func TestGenerateCA(t *testing.T) {`
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`t.Run("no signer", func(t *testing.T) {`
			`ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})`
			`require.Error(t, err)`
			`require.Empty(t, ca)`
			`require.Empty(t, pk)`
			`})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`t.Run("wrong key", func(t *testing.T) {`
			`ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})`
			`require.Error(t, err)`
			`require.Empty(t, ca)`
			`require.Empty(t, pk)`
			`})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`t.Run("valid key", func(t *testing.T) {`
			`ca, pk, err := GenerateCA(CAOpts{})`
			`require.Nil(t, err)`
			`require.NotEmpty(t, ca)`
			`require.NotEmpty(t, pk)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`cert, err := parseCert(ca)`
			`require.Nil(t, err)`
			`require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))`
			`require.Equal(t, true, cert.IsCA)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`

			`require.Equal(t, x509.KeyUsageCertSign\|x509.KeyUsageCRLSign\|x509.KeyUsageDigitalSignature, cert.KeyUsage)`
			`})`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`t.Run("RSA key", func(t *testing.T) {`
			`ca, pk, err := GenerateCA(CAOpts{})`
			`require.NoError(t, err)`
			`require.NotEmpty(t, ca)`
			`require.NotEmpty(t, pk)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`cert, err := parseCert(ca)`
			`require.NoError(t, err)`
			`require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))`
			`require.Equal(t, true, cert.IsCA)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`
Add RSA Test case for generating CA Cert 2021-01-20 23:25:48 +00:00
tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509 2021-04-13 17:31:20 +00:00			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`

			`require.Equal(t, x509.KeyUsageCertSign\|x509.KeyUsageCRLSign\|x509.KeyUsageDigitalSignature, cert.KeyUsage)`
			`})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`}`

			`func TestGenerateCert(t *testing.T) {`
			`t.Parallel()`
			`signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`require.Nil(t, err)`
Add flags to support CA generation for Connect (#9585) 2021-01-27 07:52:15 +00:00			`ca, _, err := GenerateCA(CAOpts{Signer: signer})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Nil(t, err)`

			`DNSNames := []string{"server.dc1.consul"}`
			`IPAddresses := []net.IP{net.ParseIP("123.234.243.213")}`
			`extKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}`
			`name := "Cert Name"`
introduce certopts (#9606) * introduce cert opts * it should be using the same signer * lint and omit serial 2021-03-22 09:16:41 +00:00			`certificate, pk, err := GenerateCert(CertOpts{`
			`Signer: signer, CA: ca, Name: name, Days: 365,`
			`DNSNames: DNSNames, IPAddresses: IPAddresses, ExtKeyUsage: extKeyUsage,`
			`})`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00			`require.Nil(t, err)`
			`require.NotEmpty(t, certificate)`
			`require.NotEmpty(t, pk)`

			`cert, err := parseCert(certificate)`
			`require.Nil(t, err)`
			`require.Equal(t, name, cert.Subject.CommonName)`
			`require.Equal(t, true, cert.BasicConstraintsValid)`
			`signee, err := ParseSigner(pk)`
			`require.Nil(t, err)`
			`certID, err := keyID(signee.Public())`
			`require.Nil(t, err)`
			`require.Equal(t, certID, cert.SubjectKeyId)`
			`caID, err := keyID(signer.Public())`
			`require.Nil(t, err)`
			`require.Equal(t, caID, cert.AuthorityKeyId)`
			`require.Contains(t, cert.Issuer.CommonName, "Consul Agent CA")`
			`require.Equal(t, false, cert.IsCA)`

tests: switch to WithinDuration to improve test (#6860) * Switch to WithinDuration to improve test This test was flaky before because of the time logic. Now it uses WithinDuration and should be correct. Fixes https://github.com/hashicorp/consul/issues/6857. 2019-12-13 16:42:42 +00:00			`require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)`
			`require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)`
Builtin tls helper (#5078) * command: add tls subcommand * website: update docs and guide 2018-12-19 08:22:49 +00:00
			`require.Equal(t, x509.KeyUsageDigitalSignature\|x509.KeyUsageKeyEncipherment, cert.KeyUsage)`
			`require.Equal(t, extKeyUsage, cert.ExtKeyUsage)`

			`// https://github.com/golang/go/blob/10538a8f9e2e718a47633ac5a6e90415a2c3f5f1/src/crypto/x509/verify.go#L414`
			`require.Equal(t, DNSNames, cert.DNSNames)`
			`require.True(t, IPAddresses[0].Equal(cert.IPAddresses[0]))`
			`}`