package goproxy
import (
"crypto/tls"
"crypto/x509"
"io"
"net/http"
"net/http/httptest"
"os"
"os/exec"
"strings"
"testing"
"time"
)
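// orFatal aborts the running test with msg and err when err is non-nil and is
// a no-op otherwise, so it can be chained directly after any call that returns
// an error.
//
// t.Helper() marks this function as a helper so the failure is reported at the
// caller's line rather than inside orFatal, which otherwise makes every
// failure in this file point at the same place.
func orFatal(msg string, err error, t *testing.T) {
	t.Helper()
	if err == nil {
		return
	}
	t.Fatal(msg, err)
}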
// ConstantHanlder is an http.Handler whose response body is always its own
// string value, regardless of method, path or request body. It is the backend
// the TLS round-trip test in this file talks to. (The misspelled name is kept
// as-is; renaming it would break callers.)
type ConstantHanlder string

// ServeHTTP writes the constant payload. The write result is not inspected;
// in this file the caller compares the received body against the expected
// string, so a short or failed write shows up there.
func (h ConstantHanlder) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
	payload := []byte(h)
	_, _ = w.Write(payload)
}
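// getBrowser extracts a browser command from the test binary's own argument
// list. Both "-browser <cmd>" and "-browser=<cmd>" are accepted; the first
// match wins and "" is returned when neither form is present.
//
// The returned value is later passed to exec.Command by testSignerTls, so it
// must only ever come from os.Args of the test process itself, never from
// anything a test fixture or remote peer controls.
//
// Fix: the two-token form previously compared i+1 against len(arg) — the
// length of the flag string — instead of len(args). A bare trailing
// "-browser" therefore indexed past the slice and panicked, and a "-browser"
// appearing at position 7 or later was silently ignored.
func getBrowser(args []string) string {
	for i, arg := range args {
		if arg == "-browser" {
			if i+1 < len(args) {
				return args[i+1]
			}
			// Flag is the last argument: there is no command to return.
			return ""
		}
		if strings.HasPrefix(arg, "-browser=") {
			return strings.TrimPrefix(arg, "-browser=")
		}
	}
	return ""
}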
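// testSignerX509 checks, without any network I/O, that the leaf signHost
// mints for ca:
//
//  1. is signed by ca (CheckSignatureFrom),
//  2. is accepted by the standard verifier, with ca as the only root, for
//     EVERY requested host — the DNS names and the IP literal alike, not just
//     "example.com" as before (assumes signHost puts IP literals into
//     IPAddresses rather than DNSNames; the verifier only matches IPs there),
//  3. is NOT accepted for a host that was never requested, and
//  4. is not itself a CA.
//
// Checks 3 and 4 are what matter for an interception proxy: a leaf that
// validated for unrelated names, or that could sign further certificates,
// would let a single minted certificate be reused far beyond the connection
// it was issued for.
func testSignerX509(t *testing.T, ca tls.Certificate) {
	hosts := []string{"example.com", "1.1.1.1", "localhost"}
	cert, err := signHost(ca, hosts)
	orFatal("signHost", err, t)
	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
	orFatal("ParseCertificate", err, t)

	// AddCert panics on a nil certificate; fail with a readable message instead.
	if ca.Leaf == nil {
		t.Fatal("CA certificate has no parsed Leaf")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)

	orFatal("CheckSignatureFrom", cert.Leaf.CheckSignatureFrom(ca.Leaf), t)

	for _, h := range hosts {
		orFatal("VerifyHostname "+h, cert.Leaf.VerifyHostname(h), t)
		_, err = cert.Leaf.Verify(x509.VerifyOptions{
			DNSName: h,
			Roots:   roots,
		})
		orFatal("Verify "+h, err, t)
	}

	// Negative check: a name that was not handed to signHost must not match.
	if err := cert.Leaf.VerifyHostname("evil.example.com"); err == nil {
		t.Error("leaf unexpectedly valid for evil.example.com")
	}
	if cert.Leaf.IsCA {
		t.Error("signHost produced a leaf with the CA flag set")
	}
}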
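// testSignerTls performs a real TLS handshake against a leaf minted by
// signHost. An httptest server presents the leaf (with ca as a second
// Certificates entry) and a client whose trust store contains ONLY ca must
// complete the handshake and read the constant body. The client does not set
// InsecureSkipVerify, so this exercises genuine chain and hostname validation.
// The request targets "localhost" instead of 127.0.0.1 because "localhost" is
// one of the names signHost was asked for and 127.0.0.1 is not.
//
// Passing "-browser <cmd>" (or "-browser=<cmd>") to the test binary also opens
// the URL in that browser for manual inspection and keeps the server up for
// ten seconds; the command comes from this process's own os.Args only.
//
// Fixes relative to the previous version: the response body is now closed
// (it was leaked, pinning the TLS connection), the HTTP status is checked, the
// deprecated BuildNameToCertificate call is dropped (the TLS package matches
// SNI against Certificates on its own since Go 1.14), and a failed browser
// launch is logged instead of discarded.
func testSignerTls(t *testing.T, ca tls.Certificate) {
	cert, err := signHost(ca, []string{"example.com", "1.1.1.1", "localhost"})
	orFatal("signHost", err, t)
	cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
	orFatal("ParseCertificate", err, t)
	if ca.Leaf == nil {
		t.Fatal("CA certificate has no parsed Leaf")
	}

	expected := "key verifies with Go"
	server := httptest.NewUnstartedServer(ConstantHanlder(expected))
	defer server.Close()
	server.TLS = &tls.Config{Certificates: []tls.Certificate{*cert, ca}}
	server.StartTLS()

	// Trust nothing but the test CA: a success here means the chain and the
	// hostname both validated under the default verifier.
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}
	defer tr.CloseIdleConnections()

	asLocalhost := strings.Replace(server.URL, "127.0.0.1", "localhost", -1)
	req, err := http.NewRequest(http.MethodGet, asLocalhost, nil)
	orFatal("NewRequest", err, t)
	resp, err := tr.RoundTrip(req)
	orFatal("RoundTrip", err, t)
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		t.Errorf("unexpected status %d, want %d", resp.StatusCode, http.StatusOK)
	}
	txt, err := io.ReadAll(resp.Body)
	orFatal("io.ReadAll", err, t)
	if string(txt) != expected {
		t.Errorf("Expected '%s' got '%s'", expected, string(txt))
	}

	if browser := getBrowser(os.Args); browser != "" {
		if err := exec.Command(browser, asLocalhost).Run(); err != nil {
			t.Logf("browser %q: %v", browser, err)
		}
		time.Sleep(10 * time.Second)
	}
}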
// TestSignerRsaTls runs the end-to-end TLS handshake check with the package's
// default RSA CA (GoproxyCa, defined outside this file).
func TestSignerRsaTls(t *testing.T) {
	ca := GoproxyCa
	testSignerTls(t, ca)
}
// TestSignerRsaX509 runs the offline certificate-chain check with the
// package's default RSA CA (GoproxyCa, defined outside this file).
func TestSignerRsaX509(t *testing.T) {
	ca := GoproxyCa
	testSignerX509(t, ca)
}
// TestSignerEcdsaTls runs the end-to-end TLS handshake check with the
// embedded ECDSA test CA (EcdsaCa, parsed in this file's init).
func TestSignerEcdsaTls(t *testing.T) {
	ca := EcdsaCa
	testSignerTls(t, ca)
}
// TestSignerEcdsaX509 runs the offline certificate-chain check with the
// embedded ECDSA test CA (EcdsaCa, parsed in this file's init).
func TestSignerEcdsaX509(t *testing.T) {
	ca := EcdsaCa
	testSignerX509(t, ca)
}
// Package-level sinks for the benchmarks below. Storing the last certificate
// and error here keeps the signHost call inside the timed loop observable so
// it cannot be optimised away.
var (
	c *tls.Certificate
	e error
)
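// BenchmarkSignRsa times signHost with the RSA CA for the usual three hosts.
//
// Each iteration's error is now checked: previously only the final error was
// stored in the sink and never examined, so a signer that failed on every
// call would have been reported as extremely fast.
func BenchmarkSignRsa(b *testing.B) {
	var cert *tls.Certificate
	var err error
	for n := 0; n < b.N; n++ {
		cert, err = signHost(GoproxyCa, []string{"example.com", "1.1.1.1", "localhost"})
		if err != nil {
			b.Fatal("signHost", err)
		}
	}
	c = cert
	e = err
}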
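// BenchmarkSignEcdsa times signHost with the embedded ECDSA CA for the usual
// three hosts.
//
// Each iteration's error is now checked: previously only the final error was
// stored in the sink and never examined, so a signer that failed on every
// call would have been reported as extremely fast.
func BenchmarkSignEcdsa(b *testing.B) {
	var cert *tls.Certificate
	var err error
	for n := 0; n < b.N; n++ {
		cert, err = signHost(EcdsaCa, []string{"example.com", "1.1.1.1", "localhost"})
		if err != nil {
			b.Fatal("signHost", err)
		}
	}
	c = cert
	e = err
}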
//
// Elliptic Curve (P-256) CA certificate and private key used only by these
// tests. The key is committed on purpose and is therefore public: never trust
// this CA, or anything it signs, outside the test suite.
//
var ECDSA_CA_CERT = []byte(`-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----`)
// ECDSA_CA_KEY is the PKCS#8 private key matching ECDSA_CA_CERT. Being checked
// into the repository it is public knowledge; it exists solely so the tests
// can exercise an ECDSA-signed chain and must never be used for a real CA.
var ECDSA_CA_KEY = []byte(`-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgEsc8m+2aZfagnesg
qMgXe8ph4LtVu2VOUYhHttuEDsChRANCAAQ5R+GK3bpDxQI2zvMfoEfRfCA+3glP
Dq4W2vzCG5Uka0VXnaY9PJSvtrL8qAHK3A7MpwpTvWkLbAvYr2fj5q9z
-----END PRIVATE KEY-----`)
// EcdsaCa is the parsed ECDSA test CA. The parse error is kept in ecdsaCaErr
// and checked in init below, so a corrupt fixture fails at package load with
// a clear message instead of surfacing as an unrelated TLS failure.
var EcdsaCa, ecdsaCaErr = tls.X509KeyPair(ECDSA_CA_CERT, ECDSA_CA_KEY)
// init validates the embedded ECDSA CA at package load and fills in
// EcdsaCa.Leaf, which the tests in this file need (x509.CertPool.AddCert and
// CheckSignatureFrom take the parsed *x509.Certificate). A bad fixture panics
// so the whole test binary stops rather than failing one test at a time.
func init() {
	if ecdsaCaErr != nil {
		panic("Error parsing ecdsa CA " + ecdsaCaErr.Error())
	}
	leaf, err := x509.ParseCertificate(EcdsaCa.Certificate[0])
	if err != nil {
		panic("Error parsing ecdsa CA " + err.Error())
	}
	EcdsaCa.Leaf = leaf
}