1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
package signer
import (
"bytes"
"reflect"
"testing"
"time"
"github.com/nsheridan/cashier/lib"
"github.com/nsheridan/cashier/testdata"
"golang.org/x/crypto/ssh"
)
var (
key, _ = ssh.ParsePrivateKey(testdata.Priv)
signer = &KeySigner{
ca: key,
validity: 12 * time.Hour,
principals: []string{"ec2-user"},
}
)
func TestCert(t *testing.T) {
r := &lib.SignRequest{
Key: string(testdata.Pub),
Principal: "gopher1",
ValidUntil: time.Now().Add(1 * time.Hour),
}
ret, err := signer.SignUserKey(r)
if err != nil {
t.Fatal(err)
}
c, _, _, _, err := ssh.ParseAuthorizedKey([]byte(ret))
cert, ok := c.(*ssh.Certificate)
if !ok {
t.Fatalf("Expected type *ssh.Certificate, got %v (%T)", cert, cert)
}
if !bytes.Equal(cert.SignatureKey.Marshal(), signer.ca.PublicKey().Marshal()) {
t.Fatal("Cert signer and server signer don't match")
}
var principals []string
principals = append(principals, r.Principal)
principals = append(principals, signer.principals...)
if !reflect.DeepEqual(cert.ValidPrincipals, principals) {
t.Fatalf("Expected %s, got %s", cert.ValidPrincipals, principals)
}
k1, _, _, _, err := ssh.ParseAuthorizedKey([]byte(r.Key))
k2 := cert.Key
if !bytes.Equal(k1.Marshal(), k2.Marshal()) {
t.Fatal("Cert key doesn't match public key")
}
if cert.ValidBefore != uint64(r.ValidUntil.Unix()) {
t.Fatalf("Invalid validity, expected %d, got %d", r.ValidUntil, cert.ValidBefore)
}
}
|
