package signer import ( "bytes" "reflect" "testing" "time" "github.com/nsheridan/cashier/lib" "github.com/nsheridan/cashier/testdata" "golang.org/x/crypto/ssh" ) var ( key, _ = ssh.ParsePrivateKey(testdata.Priv) signer = &KeySigner{ ca: key, validity: 12 * time.Hour, principals: []string{"ec2-user"}, } ) func TestCert(t *testing.T) { r := &lib.SignRequest{ Key: string(testdata.Pub), Principal: "gopher1", ValidUntil: time.Now().Add(1 * time.Hour), } ret, err := signer.SignUserKey(r) if err != nil { t.Fatal(err) } c, _, _, _, err := ssh.ParseAuthorizedKey([]byte(ret)) cert, ok := c.(*ssh.Certificate) if !ok { t.Fatalf("Expected type *ssh.Certificate, got %v (%T)", cert, cert) } if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) { t.Fatal("Cert signer and server signer don't match") } var principals []string principals = append(principals, r.Principal) principals = append(principals, signer.principals...) if !reflect.DeepEqual(cert.ValidPrincipals, principals) { t.Fatalf("Expected %s, got %s", cert.ValidPrincipals, principals) } k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key)) k2 := cert.Key if !bytes.Equal(k1.Marshal(), k2.Marshal()) { t.Fatal("Cert key doesn't match public key") } if cert.ValidBefore != uint64(r.ValidUntil.Unix()) { t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore) } }