Ensure that 'check' and 'sign' do the same thing

Specifically they should both add the subject CN to the set of subjectAltNames. Also add a small test script to verify that signing works using the command-line tool.

Ensure that 'check' and 'sign' do the same thing
b41466ff · ale · a163626d · b41466ff · b41466ff · b41466ff
Commit b41466ff authored Jun 02, 2018 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 47 additions and 0 deletions

check.go check.go +3 -0

csr.go csr.go +2 -0

test.sh test.sh +42 -0

No files found.
--- a/check.go
+++ b/check.go
@@ -68,6 +68,9 @@ func (c *checkCmd) Execute(ctx context.Context, _ *flag.FlagSet, _ ...interface{
 		}
 	}

+	// Ensure that the CN is part of the subjectAltNames.
+	c.sanList.Set(c.subject.Name.CommonName)
+
 	switch {
 	case aboutToExpire(cert, c.renewDays):
 		fmt.Printf("certificate must be renewed (about to expire)\n")

--- a/csr.go
+++ b/csr.go
@@ -54,7 +54,9 @@ func (c *csrCmd) Execute(ctx context.Context, _ *flag.FlagSet, _ ...interface{})
 		return subcommands.ExitFailure
 	}

+	// Ensure that the CN is part of the subjectAltNames.
 	c.sanList.Set(c.subject.Name.CommonName)
+
 	csr, err := c.makeCertificateRequest(priv)
 	if err != nil {
 		log.Printf("ERROR: could not create certificate signing request: %v", err)

--- a/test.sh
+++ b/test.sh
+#!/bin/sh
+
+die() {
+    echo "ERROR: $*" >&2
+    exit 1
+}
+
+x509ca() {
+    echo "+ x509ca $*" >&2
+    $tmpdir/x509ca "$@"
+}
+
+tmpdir=$(mktemp -d)
+trap "trap - EXIT ; rm -fr $tmpdir ; exit" EXIT
+go build -o $tmpdir/x509ca . || die "build failed"
+
+cd $tmpdir
+echo "using temporary directory $tmpdir"
+
+x509ca init --subject=O=Test --ca-cert=ca_cert.pem --ca-key=ca_key.pem \
+    || die "x509ca init failed"
+x509ca gen-key --key=private_key.pem \
+    || die "x509ca gen-key failed"
+
+cert_subject="--subject=CN=test.service --alt=test2.service"
+x509ca check --cert=cert.pem $cert_subject --server --renew-days=7 --ca-cert=ca_cert.pem \
+    && die "x509ca check succeeded without a certificate file"
+x509ca csr --key=private_key.pem $cert_subject \
+    > csr.pem \
+    || die "x509ca csr failed"
+x509ca sign --ca-cert=ca_cert.pem --ca-key=ca_key.pem --server \
+     < csr.pem > cert.pem \
+    || die "x509ca sign failed"
+
+x509ca check --cert=cert.pem $cert_subject --server --renew-days=7 --ca-cert=ca_cert.pem \
+    || die "x509ca check failed with the newly generated certificate"
+
+x509ca check --cert=cert.pem --subject=O=Different --renew-days=7 --ca-cert=ca_cert.pem \
+    && die "x509ca check did not detect a subject change"
+
+echo "OK" >&2
+exit 0