From 71c51110949592cbc50f25ede769bd0e8f535993 Mon Sep 17 00:00:00 2001
From: cyli
Date: Tue, 28 Mar 2017 17:44:31 -0700
Subject: [PATCH] Adding an additional test case for intermediate validation (top intermediate must have the same subject and public key as the signing cert), and cleaning up an extra useless variable.
Signed-off-by: cyli
---
 ca/certificates_test.go | 15 +++++++++++++++
 ca/server.go | 3 +--
 2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/ca/certificates_test.go b/ca/certificates_test.go
index 8ab9383f0c..ab488ad505 100644
--- a/ca/certificates_test.go
+++ b/ca/certificates_test.go
@@ -619,6 +619,14 @@ func TestNewRootCAInvalidCertAndKeys(t *testing.T) {
 notYetValidIntermediate := testutils.ReDateCert(t, testutils.ECDSACertChain[1], testutils.ECDSACertChain[2], testutils.ECDSACertChainKeys[2], now.Add(time.Hour), now.Add(2*time.Hour))
+ certChainRootCA, err := ca.NewRootCA(testutils.ECDSACertChain[2], testutils.ECDSACertChain[2], testutils.ECDSACertChainKeys[2],
+ ca.DefaultNodeCertExpiration, nil)
+ require.NoError(t, err)
+
+ cert, _, _ := testutils.CreateRootCertAndKey("alternateIntermediate")
+ alternateIntermediate, err := certChainRootCA.CrossSignCACertificate(cert)
+ require.NoError(t, err)
+
 invalids := []invalidNewRootCATestCase{
 // invalid root or signer cert
 {
@@ -772,6 +780,13 @@ func TestNewRootCAInvalidCertAndKeys(t *testing.T) {
 intermediates: testutils.ECDSA256SHA256Cert,
 errorStr: "unknown authority", // intermediates don't chain up to root
 },
+ {
+ roots: testutils.ECDSACertChain[2],
+ cert: testutils.ECDSACertChain[1],
+ key: testutils.ECDSACertChainKeys[1],
+ intermediates: alternateIntermediate,
+ errorStr: "the first intermediate must have the same subject and public key as the signing cert",
+ },
 }
 for i, invalid := range invalids {
diff --git a/ca/server.go b/ca/server.go
index b78c00f396..767f66d42e 100644
--- a/ca/server.go
+++ b/ca/server.go
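Review bot: The new invalid case in the second hunk (`intermediates: alternateIntermediate`) carries no comment saying why it must be rejected, and the fixture that makes it invalid is built several lines earlier in this hunk, so a reader has to trace the test helpers to see that it is not a duplicate of the preceding "unknown authority" case. A comment beside `cert, _, _ := testutils.CreateRootCertAndKey("alternateIntermediate")` such as `// alternateIntermediate is cross-signed by certChainRootCA, so it presumably chains to roots, but it is not the issuer of ECDSACertChain[1]: its subject and public key differ from the signing cert` would make the intent readable in place. That distinction is the point of the check the expected error string names: an intermediate that merely chains to the root but is not the signing cert's actual issuer must not be accepted as part of the node's chain. TestNewRootCAInvalidCertAndKeys starts before the first hunk and continues after the second.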
@@ -542,7 +542,6 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {
 s.secConfigMu.Lock()
 defer s.secConfigMu.Unlock()
- var err error
 rCA := cluster.RootCA
 rootCAChanged := len(rCA.CACert) != 0 && !equality.RootCAEqualStable(s.lastSeenClusterRootCA, &cluster.RootCA)
 externalCAChanged := !equality.ExternalCAsEqualStable(s.lastSeenExternalCAs, cluster.Spec.CAConfig.ExternalCAs)
@@ -565,7 +564,7 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {
 }
 } else {
 // NodeCertExpiry seems to be nil
- logger.WithError(err).Warn("failed to parse certificate expiration, using default")
+ logger.Warn("no certificate expiration specified, using default")
 }
 // Attempt to update our local RootCA with the new parameters
 var intermediates []byte
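Review bot: The context comment `// NodeCertExpiry seems to be nil` above the changed line is hedged, while the new message `logger.Warn("no certificate expiration specified, using default")` states the condition as a fact; if the else branch is entered exactly when the expiry is unset (its condition is outside this hunk), the comment should say so plainly, e.g. `// NodeCertExpiry is unset; fall back to the default expiration`. Dropping `var err error` in the first hunk also means any later `err` in UpdateRootCA must now be introduced with `:=`; nothing in these two hunks uses it, but the function body continues outside both, so that is worth confirming against the rest of the function. UpdateRootCA begins before the first hunk and continues after the second.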