derive CA from pre-shared key (#3815)

This commit is contained in:
Denis Mishin 2022-12-16 12:56:26 -05:00 committed by GitHub
parent 27c94396a8
commit 44a5c1b2fb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 267 additions and 0 deletions

51
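--- a/pkg/derivecert/ca_test.go
+++ b/pkg/derivecert/ca_test.go
@@ -0,0 +1,51 @@
+package derivecert_test
+import (
+"crypto/rand"
+"crypto/x509"
+"testing"
+"github.com/stretchr/testify/assert"
+"github.com/stretchr/testify/require"
+"github.com/pomerium/pomerium/pkg/derivecert"
+)
+// TestCA creates two CA instances from same PSK
+// and asserts that they yield same private key,
+// and a certificate created by one CA is trusted by another
+func TestCA(t *testing.T) {
+psk := make([]byte, 32)
+_, err := rand.Read(psk)
+require.NoError(t, err)
+ca1, err := derivecert.NewCA(psk)
+require.NoError(t, err)
+ca2, err := derivecert.NewCA(psk)
+require.NoError(t, err)
+ca1PEM, err := ca2.PEM()
+require.NoError(t, err)
+ca2PEM, err := ca2.PEM()
+require.NoError(t, err)
+assert.Equal(t, ca1PEM.Key, ca2PEM.Key)
+serverPEM, err := ca1.NewServerCert([]string{"myserver.com"})
+require.NoError(t, err)
+_, serverCert, err := serverPEM.KeyCert()
+require.NoError(t, err)
+pool := x509.NewCertPool()
+require.True(t, pool.AppendCertsFromPEM(ca2PEM.Cert))
+opts := x509.VerifyOptions{
+Roots: pool,
+DNSName: "myserver.com",
+Intermediates: x509.NewCertPool(),
+}
+_, err = serverCert.Verify(opts)
+require.NoError(t, err)
+}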
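Review bot: The key-equality assertion never compares the two CAs: `ca1PEM, err := ca2.PEM()` reads the PEM from ca2, so `assert.Equal(t, ca1PEM.Key, ca2PEM.Key)` compares ca2's key with itself and would pass even if NewCA returned a fresh random key on every call. The fix is `ca1PEM, err := ca1.PEM()`. The cross-verification that follows does catch non-determinism indirectly, but only in the positive direction; nothing checks that a CA derived from a different PSK does not vouch for ca1's server certificate, which is the property that makes the PSK worth keeping secret. A negative case along the lines below would pin that down.
```go
ca1PEM, err := ca1.PEM()
require.NoError(t, err)
// … unchanged: ca2PEM, key equality, server cert issuance and positive Verify …
// a CA derived from a different PSK must not vouch for ca1's certificates
otherPSK := make([]byte, 32)
_, err = rand.Read(otherPSK)
require.NoError(t, err)
otherCA, err := derivecert.NewCA(otherPSK)
require.NoError(t, err)
otherPEM, err := otherCA.PEM()
require.NoError(t, err)
otherPool := x509.NewCertPool()
require.True(t, otherPool.AppendCertsFromPEM(otherPEM.Cert))
_, err = serverCert.Verify(x509.VerifyOptions{Roots: otherPool, DNSName: "myserver.com"})
require.Error(t, err)
```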