Added tests for X509MemStore and fixtures

fixtures/trustmanager/ca.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGGjCCBAKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBXMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xDzANBgNVBAoTBkRv
+Y2tlcjESMBAGA1UEAxMJRG9ja2VyIENBMB4XDTE1MDYxMzA1MjgyOFoXDTI1MDYx
+MDA1MjgyOFowVzESMBAGA1UEAxMJRG9ja2VyIENBMQswCQYDVQQGEwJVUzEWMBQG
+A1UEBxMNU2FuIEZyYW5jaXNjbzEPMA0GA1UEChMGRG9ja2VyMQswCQYDVQQIEwJD
+QTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANi0E2c7S7JHsFLIe0l9
+A/tzYTbDu+lWJvGYkPXjK41/mSUpt8fIOdWII/FYkAk/VRgTnkqHxlwUhDqYoXd9
+CxBG6JHQWjcMsgt/TRR3CC0FXdm2Ld3OxAWGuhfDaclFIE1GcN51mf8ZeiH6apbG
+xSccb39AC0e3u+Q4BVVgWmv0R90ZWBcupDhazaPcSNhmd4l89GAyUQnfUfwkBsbz
+qnSLyPRo/qDxl1OuvicLEoagnERp0MxjBO6A4zqiXJqZ75nj9kQTKlllPJlEN9AB
+L6e+zvmbWfZ0s00saUrqBJga5Kj+7ZhdARdcnPSp2dyCXitA5mm4kg54TwVVRigj
+Ctpa3M7vu0p2mEVGqP2tywrPaM3CtMMwsy8VvPz+b2F6cDdqxtNV1FezBYXCTOQq
+qBMIwyz1w4w/jK5DxMmY038dRirzr5ayjft0OA+BOJKxdSTryv6WDoPH7jZWT4nv
+RcjGqILVxIwJelwwnMgkEtEwzxHhrNUZIuhHwob7IsVAUtlXBSn4Ha0Ra3fLfmFW
+J2SgOOwBUd0X6487w7LXRJSiNDpVqnMOp7t3J1X+ur4qeDPUiGDJiEscklDpZw0H
+VdJqWP/d/mb+ZFsMJFNzBgEMabc7EsHnL/cmg9XxjabdUIEhtcx7dQhbtHy30cZ8
+FEzxIMHdd2uMry0m6WjOYid3AgMBAAGjgfAwge0wgYgGA1UdIwSBgDB+gBRf3XNy
+rgaPGObvb5bs3qOLBP5PXqFbpFkwVzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNB
+MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQKEwZEb2NrZXIxEjAQBgNV
+BAMTCURvY2tlciBDQYIJAJkfZd7RGdOfMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYD
+VR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIBRjAdBgNV
+HQ4EFgQUlmRlkfVtkdIgwi8Vq1kFaKRUdFcwDQYJKoZIhvcNAQELBQADggIBAEur
+7cGJ/nzPMUldtB7rYtXiTOk9+JMBshve54i48c4a9yc9GI6pjOuJ94rk5xZL7aRk
+0zMsxARcOK6EWOMnYfOZALvvADPzAxNCeHvVDMuQuucSrDbyRY/0gQm2UKApAgcq
+JWN3v1Qzz2WmdTKHPekW9KL67Hr5Z7+f+0PQMYc1Te8qCD727FKTBZKY3HTxSYFP
+zlPuT9VjjhkbPvUBT7HdqcI8JdLRRjqjYXH+pVtrp1mFYa5SLPY3XhmFhGxHTVnT
+JlIcFQebPRo5fkcL3Kgs5508cw42ESQ4xqyMeuWpLJ60g+elL37fElN6xsDhpyCE
+1g5/FA3enOsnQisPLhubjgRnEllYtlxwxFqCuxs5YWQp+/lvA4f3Ygzp5GrQMs0E
+8gnE+TgpGADGJkSNn5+7XWOrliDHhd0RSJ3se6d5b31MTRWaTDofJU2/hN68u+f6
+kS/UxHefKmGWTup3g6gz6kXWreEY0UClyOSbepIy3VwBfPgx9uVxp3/mnh2/nDjI
+lIFJw5D9pmHueZY2AEmUkvK7haEfX0e7CkiRKlJbdK3UiaKPf+NHiStyxa/E/M7y
+vr1/3jLVvbt9y3srmM53f5JUHXF8CpEFF2KfzZVo9f5FXROJgpsU4J8/Gi2QO58R
+gDRIC/0tu8I2id87t4tqpWfEXupFCM3GRhcvSNja
+-----END CERTIFICATE-----

fixtures/trustmanager/root-ca.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdjCCA16gAwIBAgIJAJkfZd7RGdOfMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEPMA0G
+A1UEChMGRG9ja2VyMRIwEAYDVQQDEwlEb2NrZXIgQ0EwHhcNMTUwNjEzMDUyODE2
+WhcNMjUwNjEwMDUyODE2WjBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAU
+BgNVBAcTDVNhbiBGcmFuY2lzY28xDzANBgNVBAoTBkRvY2tlcjESMBAGA1UEAxMJ
+RG9ja2VyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA199B21aO
+5qkPxCW+kSVlTI1mJfN3/eF9hxOn9XH1ChIw/Bqy0jjsuv8a9ODvCsiaz3I5D0hR
+4n+2Et8R03Hz2oOQiinaPXzWrtitfVLUsm3hxwGRSo1QT0J/5ab+6u9qE2Igj/fr
+CKyVvcAIFi3u/Ow3C7eXhQWWpuuiTYXuDCINxcHX7QOqywT6qB1Dq6CxVxP4pU5M
+z01o7T8uOu1uvFlK33j4dyg0+IIm6Bb+z4fm0khLNnGW8DtfEcVbmIWoXbatvm+W
+auzo6VOtNlzuyE3KMEiJQndnVO1TPgCQI4ymL2BLIPZz15NWOqORFkoNah1LV39W
+TKYwL22f7m5mZhzTL256Fnrgt5ZZPrqEbu61Eq4MvEolCFX/Hh5YQyun6irnWO59
+1/vdI49q3fDUX1wLI+TMWWkL6ySYL8U+H+S6n0un1TH34thzSXCEVyQTUwgkvdOu
+aAvRVxwpovD5mv/LyxoeIHXKs0RZqFP/MGX3FwcU/2Y//50tS+luUM2ZVh2TOdOR
+KQzWZ6YcDjWb1Q6GQBJhDOnLhflM3Zmkdmov5CtfRs991DcBTAm+E++VLNtaQGzw
+EeN3yf3U+zTzu8OE87ysNazhCshLtCLL7BKeWzJZaKrukGNmt2dsTaDtLICunpMK
+ToSiwwTDIexR1hweeFJNYacSHbTArajDEP0CAwEAAaNFMEMwEgYDVR0TAQH/BAgw
+BgEB/wIBATAOBgNVHQ8BAf8EBAMCAUYwHQYDVR0OBBYEFF/dc3KuBo8Y5u9vluze
+o4sE/k9eMA0GCSqGSIb3DQEBCwUAA4ICAQDLzCkXowDweWWxwVC1tEzQLuWuGbeZ
+UC04ar7EwnpY0SFS8YjoKVseO8+ecsPEQZ7tw1gscMZH9UW9bZUHJr1XjJ67aq2d
+pfN7eo6Szl/Iitkwkfl0TWVyM5Q8fiH+yicOaXrw/0zEx/z+rMm07tqB0p0okxd7
+crlCGCw+8OKsTCmg21x1tCy/jw5sr0rUa+pXRyjHXRF0lwPuaRi3PdGDa7gflC5x
+Fn0k+JKa9z4QF5DGnz3oMl0sR2F1X9KapT2+hc9SxiaGyrSEmazZuV5tH3J05qZU
++amr6YX5xipqecybG6muvegtCn8ww/vBvTb46swqPuiVmyIO0m08K9/m50+lQf54
+54xLvGXvN4ARsGyL3o6rMnXwfPlmQ1imf4rplGWc96a553KQT6u9GPrsgSGqZLil
+JoZZZonyj3Iuon1QYhkkzfzzWyz8pLKYR8/Gm1KKrg5ku57NtRXa8WW01aayUI5u
+2NGHVi2Bk2Yepw2tBqjcE44ESnnRyAhjJZEUAYijjQ5dwqKYaO75sQQzTYvWGycT
+2I2b2U2uifWJvvroxf1ARnkn4n1lFB3VCXnh1kETfdnh8IScBhlhJaf+BPwF/ppU
+LTVoeder8RYlbzxzKdubR6nj79h/ww1TcyiJqkp+EWduouS1GPQyY54BlPdnLvec
+Ns20srByc59Ipw==
+-----END CERTIFICATE-----

fixtures/trustmanager/secure.docker.com.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMDCCAxigAwIBAgIBATANBgkqhkiG9w0BAQsFADBXMRIwEAYDVQQDEwlEb2Nr
+ZXIgQ0ExCzAJBgNVBAYTAlVTMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxCzAJBgNVBAgTAkNBMB4XDTE1MDYxMzA1MzA0NloXDTE2MDYx
+MjA1MzA0NlowXzEaMBgGA1UEAxMRc2VjdXJlLmRvY2tlci5jb20xCzAJBgNVBAYT
+AlVTMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQKEwZEb2NrZXIxCzAJ
+BgNVBAgTAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6eU6sCT2
+i8u57I5VLmpa3Hq1Vbkd5Xhn1eeLOhTuYZ2mPdmvDk9Ro1Kiu5bqrckSNJccgqo8
+Ai436JS3/i1Gt+LkcYMYNv2ahezT3ID0fVzx4Ow9uDkxSl28FBIRUO66itjWtEF5
+ENMDmHkRp6+BhZ+Eu20OQlqtGvdO5azBYQAo19JyctA0pyU7o1rAVLllDGdCMAc1
+HP6ZsdYYIi8jUGLYloGlUq9AIGmkAQoM9APxvLANPm95iQwPB1Orm9x6vBAFsKBe
+/Q6zW6UKziBJwpAujKPkFMe1VKXTZQZgeNSFQh7QMJUJgR9Eu0pSKKZf8W5xpCXq
+dpL47pvdNNSIAwIDAQABo4H+MIH7MH8GA1UdIwR4MHaAFJZkZZH1bZHSIMIvFatZ
+BWikVHRXoVukWTBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xDzANBgNVBAoTBkRvY2tlcjESMBAGA1UEAxMJRG9ja2Vy
+IENBggEBMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF
+BwMBMA4GA1UdDwEB/wQEAwIFoDAcBgNVHREEFTATghFzZWN1cmUuZG9ja2VyLmNv
+bTAdBgNVHQ4EFgQUt+4JSPFbGr5suuQ+iCn1WW4KcVQwDQYJKoZIhvcNAQELBQAD
+ggIBABGUsCFrA7fuXDrMplTD/QXCJ9znsbkoQm9vHI8MJ+A6xx1NhLO7ErsnN4kf
+L2vwjGs2bv5lZB2OFCDsAhLe49OQg4gOcvxt2urlpb3+veaEbcIicoXgwBYi6ayI
+KqVEOggK06hxaqXZuxw9zeFNtzHfD8HMpe+E1uHDt47EzAbFi+pvAw26sBL1lUgn
+5MElV5BrigO6AgiLuueF5omXBU8xVbmSXnvlTlAO5tbBexeIm8L3iFJaxzyuZna/
+1LTUvBbGFK5IZWha6lisP9I8Id5Yc42eolTA2SThdP/H4oI0nWbHxPlj0Qkbhuaj
+3zVuybJNQP881T7AQ9DdZx1fb0RWzPYNs2lVA8Q23RXeUBOzPfdD4Xo3dpZc/DR7
+2ibtx2qo+ONqsQbMPIfBXYTNPwXcKwXAOaPuOIfECyIAik6s8COU0RprImMASS9R
+kpJKn+1S96j/J50FKNbQyzJ/5xWtl4FofFULx0SoHN9sZvOLmCMVyioR+qmoQg2X
+OGcqJFqExZtlsDaM+q9PbK7J5jQJuALqCI14JNHt+3Ic1vII7uKRUq5x0rz0J+GJ
+I4ZPo0Hxzba/X4dSVNNwaMcpcs/G7qXKVYHEyDOkh5MGXVSkhmGnsJL9jGgRp3w9
+Whe7YpsTs/IEzO95FHevp9tV7zUNaWdlUnLHpP4vPa6TIqAG
+-----END CERTIFICATE-----

fixtures/trustmanager/secure.docker.com.fake.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFMDCCAxigAwIBAgIBATANBgkqhkiG9w0BAQsFADBXMRIwEAYDVQQDEwlEb2Nr
+ZXIgQ0ExCzAJBgNVBAYTAlVTMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYD
+VQQKEwZEb2NrZXIxCzAJBgNVBAgTAkNBMB4XDTE1MDYxMzA2MDY1NFoXDTE2MDYx
+MjA2MDY1NFowXzEaMBgGA1UEAxMRc2VjdXJlLmRvY2tlci5jb20xCzAJBgNVBAYT
+AlVTMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQKEwZEb2NrZXIxCzAJ
+BgNVBAgTAkNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAybT1thiA
+QkOMWryr75Jo0IQfaB8G3NWjtxu0B8z03wAEJ7R8+YL+CAxJCID75JbfQOUdKunR
+Rl0sL1KPxGBrdQJcy2TRzRCjNWlVc1xd0vK1wOLcXKJGEkHS7xPb1JWOcvNSsYBm
+JZyrspXaZ/OnWgnwJWjzxyAwnH8ITpoXH2uFKTzZyEIvdCEnbmTaQSP19pRCN8zh
+BXb6VSaq+yRCx/3G9ewArShN2bQKGJ4SOuBqIKZX0lO30Y7+vj3smqYyA3ZjB7Zg
+rKWCnmVhaMXKZ6CSvUuRkzMNdFgHkCWHWP3jaPQqK5u4iqT9G91hX+8Taw7oEVa/
+WjRt1MGS4OGPHQIDAQABo4H+MIH7MH8GA1UdIwR4MHaAFHroqCxydhCriGa0M39K
+YhQyxnqRoVukWTBXMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT
+DVNhbiBGcmFuY2lzY28xDzANBgNVBAoTBkRvY2tlcjESMBAGA1UEAxMJRG9ja2Vy
+IENBggEBMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF
+BwMBMA4GA1UdDwEB/wQEAwIFoDAcBgNVHREEFTATghFzZWN1cmUuZG9ja2VyLmNv
+bTAdBgNVHQ4EFgQUNWMif7MEZO2/9tMpN2Viz5qBhoMwDQYJKoZIhvcNAQELBQAD
+ggIBABgCalHFDScXNBbfQZmsvRIkRtASLCZdlRz0vY4J3WB4/AguCRInPsapTfcE
+PaI9Z5yjU1esnbQ3ttkg76s4aYTP7ykSDIud/otbgMrtZKMQPDac2wNPIWngZQuy
+yo6UFqVQV8PMg3oRmXneNgLOV+bYzlNXSbbtd5DmFKAZAXYX+b7wVghoZpL9Q6Jb
+rnf5DN5ggCUKCn/7bdzklA5gHw2JkQeULUrINsH9RacC8g0awQ7TtRRgaeDQ7Pco
+nUyuSF/w4KCayJcT4jcLZ5yWXJBj3Txj5881/8G92Fu6KMa4t2Hj+fa9vqH76xwM
+mDSoKgNHquV3h+nMpg5Cz+Zzb81wnlk2bVLWsnsatGLUl22/+GjLbumc3ixPvY5V
+BQ76Wztdb9oaqDJwMrQh0KnKwJSWmPl9WKCdPdRz5OD586oDXKfELpH0MqE8TUVO
+QZPj6YDTBAAQdDCwNoeH0EGS+JteUW+Buk8PyILJSEUKtxRfRQf48atGW3dnOX1Y
+NLSSOmjZrToD9MCEpieDndyjw3+xE/fgsHSP9KlyGuRY+j6463GSV+3qbowy8aNh
+41mW+u9EVxkCSEaetXZ6o3PATc3p6DNgHsTreoMo0UPWybdIDogEWYD3u6nuRFDn
+hPoy8jJLnRCpY+mkFXE02zhBKzkz0N4yYx3bdAzXYtNsCgit
+-----END CERTIFICATE-----

trustmanager/X509MemStore_test.go

@@ -0,0 +1,269 @@
+package trustmanager
+
+import (
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
+	"io/ioutil"
+	"testing"
+
+	"github.com/docker/vetinari/trustmanager"
+)
+
+func TestAddCert(t *testing.T) {
+	// Read certificate from file
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+	// Decode PEM block
+	var block *pem.Block
+	block, _ = pem.Decode(b)
+
+	// Load X509 Certificate
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("couldn't parse certificate: %v", err)
+	}
+	// Create a Store and add the certificate to it
+	store := trustmanager.NewX509MemStore()
+	err = store.AddCert(cert)
+	if err != nil {
+		t.Fatalf("failed to load certificate: %v", err)
+	}
+	// Retrieve all the certificates
+	certs := store.GetCertificates()
+	// Check to see if certificate is present and total number of certs is correct
+	numCerts := len(certs)
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+	if certs[0] != cert {
+		t.Fatalf("expected certificates to be the same")
+	}
+}
+
+func TestAddCertFromFile(t *testing.T) {
+	store := trustmanager.NewX509MemStore()
+	err := store.AddCertFromFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+	numCerts := len(store.GetCertificates())
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+}
+
+func TestAddCertFromPEM(t *testing.T) {
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+
+	store := trustmanager.NewX509MemStore()
+	err = store.AddCertFromPEM(b)
+	if err != nil {
+		t.Fatalf("failed to load certificate from PEM: %v", err)
+	}
+	numCerts := len(store.GetCertificates())
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+}
+
+// (diogo): Mock GET request and create test for AddCertFromURL
+func TestAddCertFromURL(t *testing.T) {
+	t.Skip("")
+}
+
+func TestRemoveCert(t *testing.T) {
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+	var block *pem.Block
+	block, _ = pem.Decode(b)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("couldn't parse certificate: %v", err)
+	}
+
+	store := trustmanager.NewX509MemStore()
+	err = store.AddCert(cert)
+	if err != nil {
+		t.Fatalf("failed to load certificate: %v", err)
+	}
+
+	// Number of certificates should be 1 since we added the cert
+	numCerts := len(store.GetCertificates())
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+
+	// Remove the cert from the store
+	err = store.RemoveCert(cert)
+	if err != nil {
+		t.Fatalf("failed to remove certificate: %v", err)
+	}
+	// Number of certificates should be 0 since we added and removed the cert
+	numCerts = len(store.GetCertificates())
+	if numCerts != 0 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+}
+
+func TestInexistentGetCertificateBySKID(t *testing.T) {
+	store := trustmanager.NewX509MemStore()
+	err := store.AddCertFromFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+
+	_, err = store.GetCertificateBySKID("4d06afd30b8bed131d2a84c97d00b37f422021598bfae34285ce98e77b708b5a")
+	if err == nil {
+		t.Fatalf("no error returned for inexistent certificate")
+	}
+}
+
+func TestGetCertificateBySKID(t *testing.T) {
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+	var block *pem.Block
+	block, _ = pem.Decode(b)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("couldn't parse certificate: %v", err)
+	}
+
+	store := trustmanager.NewX509MemStore()
+	err = store.AddCert(cert)
+	if err != nil {
+		t.Fatalf("failed to load certificate from PEM: %v", err)
+	}
+
+	// Calculate SHA256 fingerprint for cert
+	fingerprintBytes := sha256.Sum256(cert.Raw)
+	certFingerprint := hex.EncodeToString(fingerprintBytes[:])
+
+	// Tries to retreive cert by Subject Key IDs
+	_, err = store.GetCertificateBySKID(certFingerprint)
+	if err != nil {
+		t.Fatalf("expected certificate in store: %s", certFingerprint)
+	}
+}
+
+func TestGetVerifyOpsErrorsWithoutCerts(t *testing.T) {
+	// Create empty Store
+	store := trustmanager.NewX509MemStore()
+
+	// Try to get VerifyOptions without certs added
+	_, err := store.GetVerifyOptions("docker.com")
+	if err == nil {
+		t.Fatalf("expecting an error when getting empty VerifyOptions")
+	}
+}
+
+func TestVerifyLeafCertFromIntermediate(t *testing.T) {
+	// Create a store and add a root
+	store := trustmanager.NewX509MemStore()
+	err := store.AddCertFromFile("../fixtures/trustmanager/ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+
+	// Get the VerifyOptions from our Store
+	opts, err := store.GetVerifyOptions("secure.docker.com")
+
+	// Get leaf certificate
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/secure.docker.com.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+	var block *pem.Block
+	block, _ = pem.Decode(b)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("couldn't parse certificate: %v", err)
+	}
+
+	// Try to find a valid chain for cert
+	_, err = cert.Verify(opts)
+	if err != nil {
+		t.Fatalf("couldn't find a valid chain for this certificate: %v", err)
+	}
+}
+
+func TestVerifyIntermediateFromRoot(t *testing.T) {
+	// Create a store and add a root
+	store := trustmanager.NewX509MemStore()
+	err := store.AddCertFromFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+
+	// Get the VerifyOptions from our Store
+	opts, err := store.GetVerifyOptions("Docker CA")
+
+	// Get leaf certificate
+	b, err := ioutil.ReadFile("../fixtures/trustmanager/ca.crt")
+	if err != nil {
+		t.Fatalf("couldn't load fixture: %v", err)
+	}
+	var block *pem.Block
+	block, _ = pem.Decode(b)
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatalf("couldn't parse certificate: %v", err)
+	}
+
+	// Try to find a valid chain for cert
+	_, err = cert.Verify(opts)
+	if err != nil {
+		t.Fatalf("couldn't find a valid chain for this certificate: %v", err)
+	}
+}
+
+func TestNewX509FilteredMemStore(t *testing.T) {
+	store := trustmanager.NewX509FilteredMemStore(func(cert *x509.Certificate) bool {
+		return cert.IsCA
+	})
+
+	// AddCert should succeed because this is a CA being added
+	err := store.AddCertFromFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+	numCerts := len(store.GetCertificates())
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in store: %d", numCerts)
+	}
+
+	// AddCert should fail because this is a leaf cert being added
+	err = store.AddCertFromFile("../fixtures/trustmanager/secure.docker.com.crt")
+	if err == nil {
+		t.Fatalf("was expecting non-CA certificate to be rejected")
+	}
+}
+
+func TestGetCertificatePool(t *testing.T) {
+	// Create a store and add a root
+	store := trustmanager.NewX509MemStore()
+	err := store.AddCertFromFile("../fixtures/trustmanager/root-ca.crt")
+	if err != nil {
+		t.Fatalf("failed to load certificate from file: %v", err)
+	}
+
+	pool := store.GetCertificatePool()
+	numCerts := len(pool.Subjects())
+	if numCerts != 1 {
+		t.Fatalf("unexpected number of certificates in pool: %d", numCerts)
+	}
+}