security/pkg/pki/util/generate_csr_test.go

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package util

import (
	"crypto/ecdsa"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"reflect"
	"strings"
	"testing"
)

func TestGenCSR(t *testing.T) {
	// Options to generate a CSR.
	cases := map[string]struct {
		csrOptions CertOptions
		err        error
	}{
		"GenCSR with RSA": {
			csrOptions: CertOptions{
				Host:       "test_ca.com",
				Org:        "MyOrg",
				RSAKeySize: 2048,
			},
		},
		"GenCSR with EC": {
			csrOptions: CertOptions{
				Host:     "test_ca.com",
				Org:      "MyOrg",
				ECSigAlg: EcdsaSigAlg,
			},
		},
		"GenCSR with EC errors due to invalid signature algorithm": {
			csrOptions: CertOptions{
				Host:     "test_ca.com",
				Org:      "MyOrg",
				ECSigAlg: "ED25519",
			},
			err: errors.New("csr cert generation fails due to unsupported EC signature algorithm"),
		},
	}

	for id, tc := range cases {
		csrPem, _, err := GenCSR(tc.csrOptions)
		if err != nil {
			if tc.err != nil {
				if err.Error() == tc.err.Error() {
					continue
				}
				t.Fatalf("%s: expected error to match expected error: %v", id, err)
			} else {
				t.Errorf("%s: failed to gen CSR", id)
			}
		}

		pemBlock, _ := pem.Decode(csrPem)
		if pemBlock == nil {
			t.Fatalf("%s: failed to decode csr", id)
		}
		csr, err := x509.ParseCertificateRequest(pemBlock.Bytes)
		if err != nil {
			t.Fatalf("%s: failed to parse csr", id)
		}
		if err = csr.CheckSignature(); err != nil {
			t.Errorf("%s: csr signature is invalid", id)
		}
		if csr.Subject.Organization[0] != "MyOrg" {
			t.Errorf("%s: csr subject does not match", id)
		}
		if !strings.HasSuffix(string(csr.Extensions[0].Value), "test_ca.com") {
			t.Errorf("%s: csr host does not match", id)
		}
		if tc.csrOptions.ECSigAlg != "" {
			if tc.csrOptions.ECSigAlg != EcdsaSigAlg {
				t.Errorf("%s: Only ECDSA signature algorithms are currently supported", id)
			}
			if reflect.TypeOf(csr.PublicKey) != reflect.TypeOf(&ecdsa.PublicKey{}) {
				t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", id, csr.PublicKey)
			}
		} else if reflect.TypeOf(csr.PublicKey) != reflect.TypeOf(&rsa.PublicKey{}) {
			t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", id, csr.PublicKey)
		}
	}
}

func TestGenCSRPKCS8Key(t *testing.T) {
	// Options to generate a CSR.
	cases := map[string]struct {
		csrOptions CertOptions
	}{
		"PKCS8Key with RSA": {
			csrOptions: CertOptions{
				Host:       "test_ca.com",
				Org:        "MyOrg",
				RSAKeySize: 2048,
				PKCS8Key:   true,
			},
		},
		"PKCS8Key with EC": {
			csrOptions: CertOptions{
				Host:     "test_ca.com",
				Org:      "MyOrg",
				ECSigAlg: EcdsaSigAlg,
				PKCS8Key: true,
			},
		},
	}

	for id, tc := range cases {
		csrPem, keyPem, err := GenCSR(tc.csrOptions)
		if err != nil {
			t.Errorf("%s: failed to gen CSR", id)
		}

		pemBlock, _ := pem.Decode(csrPem)
		if pemBlock == nil {
			t.Fatalf("%s: failed to decode csr", id)
		}
		csr, err := x509.ParseCertificateRequest(pemBlock.Bytes)
		if err != nil {
			t.Fatalf("%s: failed to parse csr", id)
		}
		if err = csr.CheckSignature(); err != nil {
			t.Errorf("%s: csr signature is invalid", id)
		}
		if csr.Subject.Organization[0] != "MyOrg" {
			t.Errorf("%s: csr subject does not match", id)
		}
		if !strings.HasSuffix(string(csr.Extensions[0].Value), "test_ca.com") {
			t.Errorf("%s: csr host does not match", id)
		}

		keyPemBlock, _ := pem.Decode(keyPem)
		if keyPemBlock == nil {
			t.Fatalf("%s: failed to decode private key PEM", id)
		}
		key, err := x509.ParsePKCS8PrivateKey(keyPemBlock.Bytes)
		if err != nil {
			t.Errorf("%s: failed to parse PKCS#8 private key", id)
		}
		if tc.csrOptions.ECSigAlg != "" {
			if tc.csrOptions.ECSigAlg != EcdsaSigAlg {
				t.Errorf("%s: Only ECDSA signature algorithms are currently supported", id)
			}
			if reflect.TypeOf(key) != reflect.TypeOf(&ecdsa.PrivateKey{}) {
				t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", id, key)
			}
		} else if reflect.TypeOf(key) != reflect.TypeOf(&rsa.PrivateKey{}) {
			t.Errorf("%s: decoded PKCS#8 returned unexpected key type: %T", id, key)
		}
	}
}

func TestGenCSRWithInvalidOption(t *testing.T) {
	// Options with invalid Key size.
	csrOptions := CertOptions{
		Host:       "test_ca.com",
		Org:        "MyOrg",
		RSAKeySize: -1,
	}

	csr, priv, err := GenCSR(csrOptions)

	if err == nil || csr != nil || priv != nil {
		t.Errorf("Should have failed")
	}
}

func TestGenCSRTemplateForDualUse(t *testing.T) {
	tt := map[string]struct {
		host       string
		expectedCN string
	}{
		"Single host": {
			host:       "bla.com",
			expectedCN: "bla.com",
		},
		"Multiple hosts": {
			host:       "a.org,b.net,c.groups",
			expectedCN: "a.org",
		},
	}

	for _, tc := range tt {
		opts := CertOptions{
			Host:       tc.host,
			Org:        "MyOrg",
			RSAKeySize: 512,
			IsDualUse:  true,
		}

		csr, err := GenCSRTemplate(opts)
		if err != nil {
			t.Error(err)
		}

		if csr.Subject.CommonName != tc.expectedCN {
			t.Errorf("unexpected value for 'CommonName' field: want %v but got %v", tc.expectedCN, csr.Subject.CommonName)
		}
	}
}