
package ca_test

import (
	"crypto/x509"
	"os"
	"path/filepath"
	"runtime"
	"testing"

	"github.com/xanderle/nono/ca"
)

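// TestLoadOrCreateCA_GeneratesNewCA checks that a fresh directory yields a new
// CA certificate/key pair, that the certificate is marked as a CA, and that
// both artifacts are persisted to disk. The private key must additionally be
// unreadable to other users: anyone who can read ca.key can mint certificates
// that every client trusting this CA will accept, so a world-readable key file
// is a defect, not a cosmetic problem.
func TestLoadOrCreateCA_GeneratesNewCA(t *testing.T) {
	dir := t.TempDir()
	caCert, caKey, err := ca.LoadOrCreate(dir)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if caCert == nil {
		t.Fatal("expected CA cert, got nil")
	}
	if caKey == nil {
		t.Fatal("expected CA key, got nil")
	}
	if !caCert.IsCA {
		t.Error("expected cert to be a CA")
	}
	if caCert.Subject.CommonName != "Nono Proxy CA" {
		t.Errorf("expected CN 'Nono Proxy CA', got %q", caCert.Subject.CommonName)
	}
	if _, err := os.Stat(filepath.Join(dir, "ca.pem")); err != nil {
		t.Errorf("ca.pem not written: %v", err)
	}
	keyInfo, err := os.Stat(filepath.Join(dir, "ca.key"))
	if err != nil {
		t.Fatalf("ca.key not written: %v", err)
	}
	// Unix permission bits carry no meaning on Windows, so the owner-only
	// requirement is only enforced on other platforms.
	if runtime.GOOS != "windows" {
		if perm := keyInfo.Mode().Perm(); perm&0o077 != 0 {
			t.Errorf("ca.key is readable by group/other: mode %04o, want owner-only", perm)
		}
	}
}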

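// TestLoadOrCreateCA_LoadsExistingCA verifies that a second call in the same
// directory reloads the persisted CA instead of generating a new one, and that
// the reloaded private key still belongs to the persisted certificate: a leaf
// issued with the reloaded key must chain to the originally generated cert.
// Comparing certificates alone would miss a key that failed to round-trip
// through ca.key.
func TestLoadOrCreateCA_LoadsExistingCA(t *testing.T) {
	dir := t.TempDir()
	cert1, _, err := ca.LoadOrCreate(dir)
	if err != nil {
		t.Fatalf("generate: %v", err)
	}
	cert2, key2, err := ca.LoadOrCreate(dir)
	if err != nil {
		t.Fatalf("load: %v", err)
	}
	if !cert1.Equal(cert2) {
		t.Error("expected same cert on reload")
	}
	// Issue with the reloaded key and verify against the cert from the first
	// call; this ties the key read back from disk to the persisted CA.
	tlsCert, err := ca.GenerateLeaf("reload.example", cert2, key2)
	if err != nil {
		t.Fatalf("issue leaf with reloaded key: %v", err)
	}
	if len(tlsCert.Certificate) == 0 {
		t.Fatal("expected at least one certificate in the leaf chain")
	}
	leaf, err := x509.ParseCertificate(tlsCert.Certificate[0])
	if err != nil {
		t.Fatalf("parse leaf: %v", err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert1)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool}); err != nil {
		t.Errorf("leaf issued with reloaded key does not chain to original CA: %v", err)
	}
}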

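// TestGenerateLeafCert checks that a leaf issued for a host name is accepted
// the way a TLS client would accept it: the chain must build from the CA pool
// and the host name must match the certificate. Modern clients match hosts
// against Subject Alternative Names only, so passing DNSName to Verify is what
// actually exercises the SAN; the CommonName check alone would pass for a cert
// no real client trusts. The leaf must also not be a CA itself, otherwise any
// holder of it could mint further certificates under this root.
func TestGenerateLeafCert(t *testing.T) {
	const host = "example.com"
	dir := t.TempDir()
	caCert, caKey, err := ca.LoadOrCreate(dir)
	if err != nil {
		t.Fatalf("CA setup: %v", err)
	}
	tlsCert, err := ca.GenerateLeaf(host, caCert, caKey)
	if err != nil {
		t.Fatalf("unexpected error: %v", err)
	}
	if len(tlsCert.Certificate) == 0 {
		t.Fatal("expected at least one certificate in the leaf chain")
	}
	leaf, err := x509.ParseCertificate(tlsCert.Certificate[0])
	if err != nil {
		t.Fatalf("parse leaf: %v", err)
	}
	if leaf.Subject.CommonName != host {
		t.Errorf("expected CN 'example.com', got %q", leaf.Subject.CommonName)
	}
	if leaf.IsCA {
		t.Error("leaf cert must not be a CA")
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// DNSName makes Verify check the SAN list; KeyUsages pins the server-auth
	// purpose a proxy leaf is presented for.
	opts := x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		t.Errorf("leaf cert not valid for %s under CA: %v", host, err)
	}
}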