1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
package cert_test
import (
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/asn1"
"math/big"
"net"
"net/url"
"testing"
"time"
"github.com/lestrrat-go/jwx/v2/cert"
"github.com/lestrrat-go/jwx/v2/internal/jwxtest"
"github.com/stretchr/testify/assert"
)
func parseCIDR(s string) *net.IPNet {
_, net, err := net.ParseCIDR(s)
if err != nil {
panic(err)
}
return net
}
func parseURI(s string) *url.URL {
uri, err := url.Parse(s)
if err != nil {
panic(err)
}
return uri
}
func TestCert(t *testing.T) {
privkey, err := jwxtest.GenerateRsaKey()
if !assert.NoError(t, err, `jwxtest.GenerateRsaKey`) {
return
}
testExtKeyUsage := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
testUnknownExtKeyUsage := []asn1.ObjectIdentifier{[]int{1, 2, 3}, []int{2, 59, 1}}
extraExtensionData := []byte("extra extension")
oidExtensionSubjectKeyID := []int{2, 5, 29, 14}
commonName := "test.example.com"
template := x509.Certificate{
SerialNumber: big.NewInt(1), // SerialNumbers must be non-negative since go1.19
Subject: pkix.Name{
CommonName: commonName,
Organization: []string{"Σ Acme Co"},
Country: []string{"US"},
ExtraNames: []pkix.AttributeTypeAndValue{
{
Type: []int{2, 5, 4, 42},
Value: "Gopher",
},
// This should override the Country, above.
{
Type: []int{2, 5, 4, 6},
Value: "NL",
},
},
},
NotBefore: time.Unix(1000, 0),
NotAfter: time.Unix(100000, 0),
SignatureAlgorithm: x509.SHA384WithRSA,
SubjectKeyId: []byte{1, 2, 3, 4},
KeyUsage: x509.KeyUsageCertSign,
ExtKeyUsage: testExtKeyUsage,
UnknownExtKeyUsage: testUnknownExtKeyUsage,
BasicConstraintsValid: true,
IsCA: true,
OCSPServer: []string{"http://ocsp.example.com"},
IssuingCertificateURL: []string{"http://crt.example.com/ca1.crt"},
DNSNames: []string{"test.example.com"},
EmailAddresses: []string{"gopher@golang.org"},
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1).To4(), net.ParseIP("2001:4860:0:2001::68")},
URIs: []*url.URL{parseURI("https://foo.com/wibble#foo")},
PolicyIdentifiers: []asn1.ObjectIdentifier{[]int{1, 2, 3}},
PermittedDNSDomains: []string{".example.com", "example.com"},
ExcludedDNSDomains: []string{"bar.example.com"},
PermittedIPRanges: []*net.IPNet{parseCIDR("192.168.1.1/16"), parseCIDR("1.2.3.4/8")},
ExcludedIPRanges: []*net.IPNet{parseCIDR("2001:db8::/48")},
PermittedEmailAddresses: []string{"foo@example.com"},
ExcludedEmailAddresses: []string{".example.com", "example.com"},
PermittedURIDomains: []string{".bar.com", "bar.com"},
ExcludedURIDomains: []string{".bar2.com", "bar2.com"},
CRLDistributionPoints: []string{"http://crl1.example.com/ca1.crl", "http://crl2.example.com/ca1.crl"},
ExtraExtensions: []pkix.Extension{
{
Id: []int{1, 2, 3, 4},
Value: extraExtensionData,
},
// This extension should override the SubjectKeyId, above.
{
Id: oidExtensionSubjectKeyID,
Critical: false,
Value: []byte{0x04, 0x04, 4, 3, 2, 1},
},
},
}
b64, err := cert.Create(rand.Reader, &template, &template, &privkey.PublicKey, privkey)
if !assert.NoError(t, err, `cert.Certificate should succeed`) {
return
}
_, err = cert.Parse(b64)
if !assert.NoError(t, err, `cert.Parse should succeed`) {
return
}
}
|
