From 4f870fabb61c9b37b734df70d1a60cebed449103 Mon Sep 17 00:00:00 2001
From: Brian Smith
Date: Thu, 27 Jul 2017 14:11:46 -1000
Subject: [PATCH] CA: Refactor certificate issuance profile selection tests. (#2913)

Split the profile issuance tests such that there is one call to IssueCertificate per test, like the other certificate issuance tests. This will make it easier to later move the calls to IssueCertificate() into TestIssueCertificate(), which will make it much easier to test the precertificate-based flow in addition to the current issuance flow.
---
 ca/ca_test.go | 48 +++++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/ca/ca_test.go b/ca/ca_test.go
index 2ae3d9653..104e9e2be 100644
--- a/ca/ca_test.go
+++ b/ca/ca_test.go
@@ -257,7 +257,8 @@ func TestIssueCertificate(t *testing.T) {
  }{
  {"IssueCertificate", issueCertificateSubTestDefaultSetup, issueCertificateSubTestIssueCertificate},
  {"AllowNoCN", issueCertificateSubTestDefaultSetup, issueCertificateSubTestAllowNoCN},
- {"ProfileSelection", issueCertificateSubTestDefaultSetup, issueCertificateSubTestProfileSelection},
+ {"ProfileSelectionRSA", issueCertificateSubTestDefaultSetup, issueCertificateSubTestProfileSelectionRSA},
+ {"ProfileSelectionECDSA", issueCertificateSubTestDefaultSetup, issueCertificateSubTestProfileSelectionECDSA},
  }
 
  for _, testCase := range testCases {
@@ -568,27 +569,36 @@ func issueCertificateSubTestAllowNoCN(t *testing.T, ca *CertificateAuthorityImpl
  test.AssertDeepEquals(t, actual, expected)
 }
 
-func issueCertificateSubTestProfileSelection(t *testing.T, ca *CertificateAuthorityImpl, _ *mockSA) {
- testCases := []struct {
- CSR []byte
- ExpectedKeyUsage x509.KeyUsage
- }{
- {CNandSANCSR, x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment},
- {ECDSACSR, x509.KeyUsageDigitalSignature},
- }
+func issueCertificateSubTestProfileSelectionRSA(t *testing.T, ca *CertificateAuthorityImpl, _ *mockSA) {
+ // Certificates for RSA keys should be marked as usable for signatures and encryption.
+ expectedKeyUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
 
- for _, testCase := range testCases {
- // Sign CSR
- issuedCert, err := ca.IssueCertificate(ctx, &caPB.IssueCertificateRequest{Csr: testCase.CSR, RegistrationID: &arbitraryRegID})
- test.AssertNotError(t, err, "Failed to sign certificate")
+ // Sign CSR
+ issuedCert, err := ca.IssueCertificate(ctx, &caPB.IssueCertificateRequest{Csr: CNandSANCSR, RegistrationID: &arbitraryRegID})
+ test.AssertNotError(t, err, "Failed to sign certificate")
 
- // Verify cert contents
- cert, err := x509.ParseCertificate(issuedCert.DER)
- test.AssertNotError(t, err, "Certificate failed to parse")
+ // Verify cert contents
+ cert, err := x509.ParseCertificate(issuedCert.DER)
+ test.AssertNotError(t, err, "Certificate failed to parse")
 
- t.Logf("expected key usage %v, got %v", testCase.ExpectedKeyUsage, cert.KeyUsage)
- test.AssertEquals(t, cert.KeyUsage, testCase.ExpectedKeyUsage)
- }
+ t.Logf("expected key usage %v, got %v", expectedKeyUsage, cert.KeyUsage)
+ test.AssertEquals(t, cert.KeyUsage, expectedKeyUsage)
+}
+
+func issueCertificateSubTestProfileSelectionECDSA(t *testing.T, ca *CertificateAuthorityImpl, _ *mockSA) {
+ // Certificates for ECDSA keys should be marked as usable for only signatures.
+ expectedKeyUsage := x509.KeyUsageDigitalSignature
+
+ // Sign CSR
+ issuedCert, err := ca.IssueCertificate(ctx, &caPB.IssueCertificateRequest{Csr: ECDSACSR, RegistrationID: &arbitraryRegID})
+ test.AssertNotError(t, err, "Failed to sign certificate")
+
+ // Verify cert contents
+ cert, err := x509.ParseCertificate(issuedCert.DER)
+ test.AssertNotError(t, err, "Certificate failed to parse")
+
+ t.Logf("expected key usage %v, got %v", expectedKeyUsage, cert.KeyUsage)
+ test.AssertEquals(t, cert.KeyUsage, expectedKeyUsage)
 }
 
 func countMustStaple(t *testing.T, cert *x509.Certificate) (count int) {
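Review bot: Both new subtests pin only `cert.KeyUsage`, so neither confirms that the issued certificate actually carries the key type its profile is named for; after the `x509.ParseCertificate` call in each, adding `test.AssertEquals(t, cert.PublicKeyAlgorithm, x509.RSA)` in the RSA case and `test.AssertEquals(t, cert.PublicKeyAlgorithm, x509.ECDSA)` in the ECDSA case would tie the key-usage check to the key type and separate a wrong profile choice from a changed CSR fixture. The two bodies are otherwise identical (issue, parse, log, assert); the per-test IssueCertificate call is the stated goal of the commit, but the parse-and-assert tail could live in one small helper so the next profile case does not copy it a third time. The `t.Logf` line before `test.AssertEquals` looks redundant if the assertion helper already reports both values on failure. `ctx`, `arbitraryRegID`, `CNandSANCSR` and `ECDSACSR` are defined outside the hunk.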