-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
Copy pathcertificate_test.go
192 lines (153 loc) · 4.96 KB
/
certificate_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
// SPDX-FileCopyrightText: 2023 The Pion community <https://pion.ly>
// SPDX-License-Identifier: MIT
//go:build !js
// +build !js
package webrtc
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"testing"
"time"
"github.com/stretchr/testify/assert"
)
func TestGenerateCertificateRSA(t *testing.T) {
sk, err := rsa.GenerateKey(rand.Reader, 2048)
assert.Nil(t, err)
skPEM := pem.EncodeToMemory(&pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(sk),
})
cert, err := GenerateCertificate(sk)
assert.Nil(t, err)
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: cert.x509Cert.Raw,
})
_, err = tls.X509KeyPair(certPEM, skPEM)
assert.Nil(t, err)
}
func TestGenerateCertificateECDSA(t *testing.T) {
sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
skDER, err := x509.MarshalECPrivateKey(sk)
assert.Nil(t, err)
skPEM := pem.EncodeToMemory(&pem.Block{
Type: "EC PRIVATE KEY",
Bytes: skDER,
})
cert, err := GenerateCertificate(sk)
assert.Nil(t, err)
certPEM := pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: cert.x509Cert.Raw,
})
_, err = tls.X509KeyPair(certPEM, skPEM)
assert.Nil(t, err)
}
func TestGenerateCertificateEqual(t *testing.T) {
sk1, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
sk3, err := rsa.GenerateKey(rand.Reader, 2048)
assert.NoError(t, err)
cert1, err := GenerateCertificate(sk1)
assert.Nil(t, err)
sk2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
cert2, err := GenerateCertificate(sk2)
assert.Nil(t, err)
cert3, err := GenerateCertificate(sk3)
assert.NoError(t, err)
assert.True(t, cert1.Equals(*cert1))
assert.False(t, cert1.Equals(*cert2))
assert.True(t, cert3.Equals(*cert3))
}
func TestGenerateCertificateExpires(t *testing.T) {
sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
cert, err := GenerateCertificate(sk)
assert.Nil(t, err)
now := time.Now()
assert.False(t, cert.Expires().IsZero() || now.After(cert.Expires()))
x509Cert := CertificateFromX509(sk, &x509.Certificate{})
assert.NotNil(t, x509Cert)
assert.Contains(t, x509Cert.statsID, "certificate")
}
func TestBadCertificate(t *testing.T) {
var nokey interface{}
badcert, err := NewCertificate(nokey, x509.Certificate{})
assert.Nil(t, badcert)
assert.Error(t, err)
sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
badcert, err = NewCertificate(sk, x509.Certificate{})
assert.Nil(t, badcert)
assert.Error(t, err)
c0 := Certificate{}
c1 := Certificate{}
assert.False(t, c0.Equals(c1))
}
func TestPEM(t *testing.T) {
sk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
assert.Nil(t, err)
cert, err := GenerateCertificate(sk)
assert.Nil(t, err)
pem, err := cert.PEM()
assert.Nil(t, err)
cert2, err := CertificateFromPEM(pem)
assert.Nil(t, err)
pem2, err := cert2.PEM()
assert.Nil(t, err)
assert.Equal(t, pem, pem2)
}
const (
certHeader = `!! This is a test certificate: Don't use it in production !!
You can create your own using openssl
` + "```sh" + `
openssl req -new -sha256 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 ` +
`-x509 -nodes -days 365 -out cert.pem -keyout cert.pem -subj "/CN=WebRTC"
openssl x509 -in cert.pem -noout -fingerprint -sha256
` + "```\n"
certPriv = `-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2XFaTNqFpTUqNtG9
A21MEe04JtsWVpUTDD8nI0KvchKhRANCAAS1nqME3jS5GFicwYfGDYaz7oSINwWm
X4BkfsSCxMrhr7mPtfxOi4Lxy/P3w6EvSSEU8t5E9ouKIWh5xPS9dYwu
-----END PRIVATE KEY-----
`
certCert = `-----BEGIN CERTIFICATE-----
MIIBljCCATugAwIBAgIUQa1sD+5HG43K+hCEVZLYxB68/hQwCgYIKoZIzj0EAwIw
IDEeMBwGA1UEAwwVc3dpdGNoLmV2YW4tYnJhc3MubmV0MB4XDTI0MDQyNDIwMjEy
MFoXDTI1MDQyNDIwMjEyMFowIDEeMBwGA1UEAwwVc3dpdGNoLmV2YW4tYnJhc3Mu
bmV0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtZ6jBN40uRhYnMGHxg2Gs+6E
iDcFpl+AZH7EgsTK4a+5j7X8TouC8cvz98OhL0khFPLeRPaLiiFoecT0vXWMLqNT
MFEwHQYDVR0OBBYEFGecfGnYqZFVgUApHGgX2kSIhUusMB8GA1UdIwQYMBaAFGec
fGnYqZFVgUApHGgX2kSIhUusMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwID
SQAwRgIhAJ3VWO8JZ7FEOJhxpUCeyOgl+G4vXSHtj9J9NRD3uGGZAiEAsTKGLOGE
9c6CtLDU9Ohf1c+Xj2Yi9H+srLZj1mrsnd4=
-----END CERTIFICATE-----
`
)
func TestOpensslCert(t *testing.T) {
// Check that CertificateFromPEM can parse certificates with the PRIVATE KEY before the CERTIFICATE block
_, err := CertificateFromPEM(certHeader + certPriv + certCert)
assert.Nil(t, err)
}
func TestEmpty(t *testing.T) {
cert, err := CertificateFromPEM("")
assert.Nil(t, cert)
assert.Equal(t, errCertificatePEMMissing, err)
}
func TestMultiCert(t *testing.T) {
cert, err := CertificateFromPEM(certHeader + certCert + certPriv + certCert)
assert.Nil(t, cert)
assert.Equal(t, errCertificatePEMMultipleCert, err)
}
func TestMultiPriv(t *testing.T) {
cert, err := CertificateFromPEM(certPriv + certHeader + certCert + certPriv)
assert.Nil(t, cert)
assert.Equal(t, errCertificatePEMMultiplePriv, err)
}