Commit b41466ff authored by ale

Ensure that 'check' and 'sign' do the same thing

Specifically they should both add the subject CN to the set of subjectAltNames. Also add a small test script to verify that signing works using the command-line tool.
parent a163626d
......@@ -68,6 +68,9 @@ func (c *checkCmd) Execute(ctx context.Context, _ *flag.FlagSet, _ ...interface{
}
}
// Ensure that the CN is part of the subjectAltNames.
c.sanList.Set(c.subject.Name.CommonName)
switch {
case aboutToExpire(cert, c.renewDays):
fmt.Printf("certificate must be renewed (about to expire)\n")
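Review bot: The added `c.sanList.Set(c.subject.Name.CommonName)` discards the error a flag-style `Set` returns and feeds the CN in unconditionally, so when the subject carries no CN (the script in this same commit uses `--subject=O=Test` for the CA) an empty name is presumably pushed into the SAN list, depending on what sanList's Set does with an empty string. Guarding it, `if cn := c.subject.Name.CommonName; cn != "" { if err := c.sanList.Set(cn); err != nil { return subcommands.ExitFailure } }`, keeps the set of names the check enforces identical to what the CSR path emits. The identical line is added to csrCmd.Execute in the next hunk (the commit title says "sign", but the code touched is the csr command); a small shared helper on the subject/SAN types would stop the two call sites from drifting apart again, which is the problem this commit fixes. checkCmd.Execute starts and ends outside the hunk.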
......
......@@ -54,7 +54,9 @@ func (c *csrCmd) Execute(ctx context.Context, _ *flag.FlagSet, _ ...interface{})
return subcommands.ExitFailure
}
// Ensure that the CN is part of the subjectAltNames.
c.sanList.Set(c.subject.Name.CommonName)
csr, err := c.makeCertificateRequest(priv)
if err != nil {
log.Printf("ERROR: could not create certificate signing request: %v", err)
......
#!/bin/sh
die() {
echo "ERROR: $*" >&2
exit 1
}
x509ca() {
echo "+ x509ca $*" >&2
$tmpdir/x509ca "$@"
}
tmpdir=$(mktemp -d)
trap "trap - EXIT ; rm -fr $tmpdir ; exit" EXIT
go build -o $tmpdir/x509ca . || die "build failed"
cd $tmpdir
echo "using temporary directory $tmpdir"
x509ca init --subject=O=Test --ca-cert=ca_cert.pem --ca-key=ca_key.pem \
|| die "x509ca init failed"
x509ca gen-key --key=private_key.pem \
|| die "x509ca gen-key failed"
cert_subject="--subject=CN=test.service --alt=test2.service"
x509ca check --cert=cert.pem $cert_subject --server --renew-days=7 --ca-cert=ca_cert.pem \
&& die "x509ca check succeeded without a certificate file"
x509ca csr --key=private_key.pem $cert_subject \
> csr.pem \
|| die "x509ca csr failed"
x509ca sign --ca-cert=ca_cert.pem --ca-key=ca_key.pem --server \
< csr.pem > cert.pem \
|| die "x509ca sign failed"
x509ca check --cert=cert.pem $cert_subject --server --renew-days=7 --ca-cert=ca_cert.pem \
|| die "x509ca check failed with the newly generated certificate"
x509ca check --cert=cert.pem --subject=O=Different --renew-days=7 --ca-cert=ca_cert.pem \
&& die "x509ca check did not detect a subject change"
echo "OK" >&2
exit 0
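Review bot: `tmpdir=$(mktemp -d)` and `cd $tmpdir` are the only two commands in the script whose failure is not checked, and they are the ones that matter: if either fails, every later step runs in the caller's working directory, the `x509ca` wrapper calls `$tmpdir/x509ca` with an empty prefix, and the EXIT trap runs `rm -fr` on whatever is in `$tmpdir`. `tmpdir=$(mktemp -d) || die "mktemp failed"` and `cd "$tmpdir" || die "cd failed"` close that, and the trap body should quote the path too, `rm -fr "$tmpdir"`. The `$cert_subject` word-splitting is deliberate here and fine, but the variable name does not say it holds two flags; a one-line comment above it would help the next reader.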