From bbb9a73d9bb8668c034539d4bb5823b0235447a5 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Tue, 13 Apr 2021 13:31:20 -0400
Subject: [PATCH] tlsutil: fix a test for go1.16
Using a TestSigner was causing problems because go1.16 has this change:
> CreateCertificate now verifies the generated certificate's signature
> using the signer's public key. If the signature is invalid, an error is
> returned, instead of a malformed certificate.
See https://golang.org/doc/go1.16#crypto/x509
---
tlsutil/generate_test.go | 77 +++++++++++++++++++++-------------------
1 file changed, 40 insertions(+), 37 deletions(-)
diff --git a/tlsutil/generate_test.go b/tlsutil/generate_test.go
index 974d3548e5..5be9f7e2b5 100644
--- a/tlsutil/generate_test.go
+++ b/tlsutil/generate_test.go
@@ -62,52 +62,55 @@ func (s *TestSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts)
 }
 func TestGenerateCA(t *testing.T) {
- t.Parallel()
- ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
- require.Error(t, err)
- require.Empty(t, ca)
- require.Empty(t, pk)
+ t.Run("no signer", func(t *testing.T) {
+ ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{}})
+ require.Error(t, err)
+ require.Empty(t, ca)
+ require.Empty(t, pk)
+ })
- // test what happens with wrong key
- ca, pk, err = GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
- require.Error(t, err)
- require.Empty(t, ca)
- require.Empty(t, pk)
+ t.Run("wrong key", func(t *testing.T) {
+ ca, pk, err := GenerateCA(CAOpts{Signer: &TestSigner{public: &rsa.PublicKey{}}})
+ require.Error(t, err)
+ require.Empty(t, ca)
+ require.Empty(t, pk)
+ })
- // test what happens with correct key
- ca, pk, err = GenerateCA(CAOpts{})
- require.Nil(t, err)
- require.NotEmpty(t, ca)
- require.NotEmpty(t, pk)
+ t.Run("valid key", func(t *testing.T) {
+ ca, pk, err := GenerateCA(CAOpts{})
+ require.Nil(t, err)
+ require.NotEmpty(t, ca)
+ require.NotEmpty(t, pk)
- cert, err := parseCert(ca)
- require.Nil(t, err)
- require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
- require.Equal(t, true, cert.IsCA)
- require.Equal(t, true, cert.BasicConstraintsValid)
+ cert, err := parseCert(ca)
+ require.Nil(t, err)
+ require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+ require.Equal(t, true, cert.IsCA)
+ require.Equal(t, true, cert.BasicConstraintsValid)
- require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
- require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+ require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+ require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
- require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+ require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+ })
- // Test what happens with a correct RSA Key
- s, err := rsa.GenerateKey(rand.Reader, 2048)
- require.Nil(t, err)
- ca, _, err = GenerateCA(CAOpts{Signer: &TestSigner{public: s.Public()}})
- require.NoError(t, err)
- require.NotEmpty(t, ca)
+ t.Run("RSA key", func(t *testing.T) {
+ ca, pk, err := GenerateCA(CAOpts{})
+ require.NoError(t, err)
+ require.NotEmpty(t, ca)
+ require.NotEmpty(t, pk)
- cert, err = parseCert(ca)
- require.NoError(t, err)
- require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
- require.Equal(t, true, cert.IsCA)
- require.Equal(t, true, cert.BasicConstraintsValid)
+ cert, err := parseCert(ca)
+ require.NoError(t, err)
+ require.True(t, strings.HasPrefix(cert.Subject.CommonName, "Consul Agent CA"))
+ require.Equal(t, true, cert.IsCA)
+ require.Equal(t, true, cert.BasicConstraintsValid)
- require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
- require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
+ require.WithinDuration(t, cert.NotBefore, time.Now(), time.Minute)
+ require.WithinDuration(t, cert.NotAfter, time.Now().AddDate(0, 0, 365), time.Minute)
- require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+ require.Equal(t, x509.KeyUsageCertSign|x509.KeyUsageCRLSign|x509.KeyUsageDigitalSignature, cert.KeyUsage)
+ })
 }
 func TestGenerateCert(t *testing.T) {
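Review bot: The "RSA key" subtest no longer involves an RSA key: it calls `GenerateCA(CAOpts{})` exactly as "valid key" does, so the two subtests are duplicates and the success path for a caller-supplied signer has lost its coverage. A real `*rsa.PrivateKey` satisfies `crypto.Signer` and produces a signature that passes the go1.16 verification, so the subtest could keep `s, err := rsa.GenerateKey(rand.Reader, 2048)` and call `ca, _, err := GenerateCA(CAOpts{Signer: s})`. Whether `pk` is non-empty when a signer is supplied is not visible in this hunk, so `require.NotEmpty(t, pk)` may have to be dropped in that case. The name "no signer" is also misleading, since that subtest passes `&TestSigner{}`, a signer with no public key. Both failure subtests assert only `require.Error`, so they cannot tell a key-validation rejection from the new signature-verification error.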