diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
index 32e92d65a..63851101c 100644
--- a/pkg/ca/fileca/fileca.go
+++ b/pkg/ca/fileca/fileca.go
@@ -16,6 +16,7 @@ package fileca
 import (
+ "bytes"
 "context"
 "crypto"
 "crypto/rand"
@@ -32,8 +33,8 @@ import (
 type fileCA struct {
 sync.RWMutex
- cert *x509.Certificate
- key crypto.Signer
+ certs []*x509.Certificate
+ key crypto.Signer
 }
 // NewFileCA returns a file backed certificate authority. Expects paths to a
@@ -43,7 +44,7 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 var fca fileCA
 var err error
- fca.cert, fca.key, err = loadKeyPair(certPath, keyPath, keyPass)
+ fca.certs, fca.key, err = loadKeyPair(certPath, keyPath, keyPass)
 if err != nil {
 return nil, err
 }
@@ -68,21 +69,21 @@ func NewFileCA(certPath, keyPath, keyPass string, watch bool) (ca.CertificateAut
 return &fca, err
 }
-func (fca *fileCA) updateX509KeyPair(cert *x509.Certificate, key crypto.Signer) {
+func (fca *fileCA) updateX509KeyPair(certs []*x509.Certificate, key crypto.Signer) {
 fca.Lock()
 defer fca.Unlock()
 // NB: We use the RWLock to unsure a reading thread can't get a mismatching
 // cert / key pair by reading the attributes halfway through the update
 // below.
- fca.cert = cert
+ fca.certs = certs
 fca.key = key
 }
 func (fca *fileCA) getX509KeyPair() (*x509.Certificate, crypto.Signer) {
 fca.RLock()
 defer fca.RUnlock()
- return fca.cert, fca.key
+ return fca.certs[0], fca.key
 }
 // CreateCertificate issues code signing certificates
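Review bot: `getX509KeyPair` returns `fca.certs[0]` under the read lock with no length check, and `updateX509KeyPair` stores whatever slice it is handed, so the non-empty, leaf-first ordering of `certs` is an invariant this file now relies on but never states. Document it on the struct field in the `@@ -32` hunk, e.g. `certs []*x509.Certificate // never empty; certs[0] is the issuing CA, certs[len(certs)-1] the root`, so a later loader or watcher change cannot silently break the indexing. If the caller of `updateX509KeyPair` (outside this hunk) keeps a reference to the slice it passes in, the RWMutex does not protect readers from later in-place mutation; copying on store, `fca.certs = append([]*x509.Certificate(nil), certs...)`, closes that gap cheaply. The unchanged comment's `unsure` reads as a typo for `ensure`.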
@@ -103,8 +104,19 @@ func (fca *fileCA) CreateCertificate(_ context.Context, subject *challenges.Chal
 }
 func (fca *fileCA) Root(ctx context.Context) ([]byte, error) {
- return pem.EncodeToMemory(&pem.Block{
- Type: "CERTIFICATE",
- Bytes: fca.cert.Raw,
- }), nil
+ fca.RLock()
+ defer fca.RUnlock()
+
+ buf := new(bytes.Buffer)
+ for _, cert := range fca.certs {
+ err := pem.Encode(buf, &pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: cert.Raw,
+ })
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ return buf.Bytes(), nil
 }
diff --git a/pkg/ca/fileca/load.go b/pkg/ca/fileca/load.go
index 61b84c136..a2bd961b4 100644
--- a/pkg/ca/fileca/load.go
+++ b/pkg/ca/fileca/load.go
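Review bot: `Root` now returns the whole PEM bundle, issuing CA first and root last, rather than a single root certificate, which neither the method name nor any documentation on the `ca.CertificateAuthority` interface (outside this diff) conveys. Add a doc comment on the method: `// Root returns the PEM-encoded certificate chain loaded from the certificate file, from the issuing CA certificate at index 0 to the root last.` Callers that parse the result as exactly one certificate, for example anything that pins a trust anchor from this value, should be checked, since they will now receive several blocks.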
@@ -27,21 +27,64 @@ import (
 "go.step.sm/crypto/pemutil"
 )
-func loadKeyPair(certPath, keyPath, keyPass string) (*x509.Certificate, crypto.Signer, error) {
+func loadKeyPair(certPath, keyPath, keyPass string) ([]*x509.Certificate, crypto.Signer, error) {
 var (
- cert *x509.Certificate
- err error
- key crypto.Signer
+ certs []*x509.Certificate
+ err error
+ key crypto.Signer
 )
- // TODO: Load chain of certs (intermediates and root) instead of just one
- // certificate.
- cert, err = pemutil.ReadCertificate(certPath)
+ // NB: certs are ordered from leaf at certs[0] to root at
+ // certs[len(certs)-1]
+ certs, err = pemutil.ReadCertificateBundle(certPath)
 if err != nil {
 return nil, nil, err
 }
+ // Verify certificate chain
+ {
+ roots := x509.NewCertPool()
+ roots.AddCert(certs[len(certs)-1])
+
+ intermediates := x509.NewCertPool()
+ if len(certs) > 2 {
+ for _, intermediate := range certs[1 : len(certs)-1] {
+ intermediates.AddCert(intermediate)
+ }
+ }
+
+ opts := x509.VerifyOptions{
+ Roots: roots,
+ Intermediates: intermediates,
+ KeyUsages: []x509.ExtKeyUsage{
+ x509.ExtKeyUsageCodeSigning,
+ },
+ }
+ if _, err := certs[0].Verify(opts); err != nil {
+ return nil, nil, err
+ }
+
+ if !certs[0].IsCA {
+ return nil, nil, errors.New(`fileca: certificate is not a CA`)
+ }
+
+ // If using an intermediate, verify that code signing extended key
+ // usage is set to satify extended key usage chainging
+ if len(certs) > 1 {
+ var hasExtKeyUsageCodeSigning bool
+ for _, extKeyUsage := range certs[0].ExtKeyUsage {
+ if extKeyUsage == x509.ExtKeyUsageCodeSigning {
+ hasExtKeyUsageCodeSigning = true
+ break
+ }
+ }
+ if !hasExtKeyUsageCodeSigning {
+ return nil, nil, errors.New(`fileca: certificate must have extended key usage code signing set to sign code signing certificates`)
+ }
+ }
+ }
+
 {
 opaqueKey, err := pemutil.Read(keyPath, pemutil.WithPassword([]byte(keyPass)))
 if err != nil {
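Review bot: `certs[len(certs)-1]` and `certs[0]` are indexed right after `ReadCertificateBundle` without confirming the bundle is non-empty; unless that helper is guaranteed to error on a file with no CERTIFICATE blocks (not visible here), a misconfigured path panics instead of failing with a clear message, so add `if len(certs) == 0 { return nil, nil, errors.New("fileca: no certificates found") }` after the error check. Since the trust anchor is the bundle's own last certificate, the Verify call is a self-consistency check (signatures, validity windows, path length, EKU chaining), not a trust decision; the block comment should say so, e.g. `// Verify the chain against its own last certificate: this checks internal consistency, not trust in an external anchor.` The explicit ExtKeyUsage loop is what actually rejects the eku-chaining-violation fixture, because x509.Verify treats a certificate with no EKU extension as unrestricted, and a comment saying that would stop someone from removing the loop as redundant. The `len(certs) > 2` guard is itself redundant, since `certs[1:len(certs)-1]` is already empty for two elements, and the comment has two typos, `satify` and `chainging`.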
@@ -55,15 +98,11 @@ func loadKeyPair(certPath, keyPath, keyPass string) (*x509.Certificate, crypto.S
 }
 }
- if !valid(cert, key) {
+ if !valid(certs[0], key) {
 return nil, nil, errors.New(`fileca: certificate public key and private key don't match`)
 }
- if !cert.IsCA {
- return nil, nil, errors.New(`fileca: certificate is not a CA`)
- }
-
- return cert, key, nil
+ return certs, key, nil
 }
 func valid(cert *x509.Certificate, key crypto.Signer) bool {
diff --git a/pkg/ca/fileca/load_test.go b/pkg/ca/fileca/load_test.go
index 7da90e1e6..e378096e8 100644
--- a/pkg/ca/fileca/load_test.go
+++ b/pkg/ca/fileca/load_test.go
@@ -25,6 +25,8 @@ func TestValidLoadKeyPair(t *testing.T) {
 "ecdsa",
 "ed25519",
 "rsa4096",
+ "openssl",
+ "intermediate",
 }
 for _, keypair := range keypairs {
@@ -42,6 +44,7 @@ func TestInvalidLoadKeyPair(t *testing.T) {
 keypairs := []string{
 "notca",
 "mismatch",
+ "eku-chaining-violation",
 }
 for _, keypair := range keypairs {
diff --git a/pkg/ca/fileca/testdata/ecdsa-cert.pem b/pkg/ca/fileca/testdata/ecdsa-cert.pem
index 476ac642f..d698a80ba 100644
--- a/pkg/ca/fileca/testdata/ecdsa-cert.pem
+++ b/pkg/ca/fileca/testdata/ecdsa-cert.pem
@@ -1,12 +1,11 @@ -----BEGIN CERTIFICATE----- -MIIBxzCCAU6gAwIBAgIUbQqE8rDPWDqJexmvpaeamgZe/HIwCgYIKoZIzj0EAwIw -EDEOMAwGA1UEAwwFZWNkc2EwIBcNMjExMjIxMTkxMzI2WhgPMjEyMTExMjcxOTEz -MjZaMBAxDjAMBgNVBAMMBWVjZHNhMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMV9i -0e3Ld1eQy9UXII5MOymw2IFBo288zuOMeH+7w0ejJlY0PFowY4rItKIhqRIWOqFA -luSaVC59sKsqjsiLdQQW2CV19eYFhVvYQS1S2QaROpFA5Zt8ALOACyp5s+6+o2cw -ZTAdBgNVHQ4EFgQU3QF9mKDrefmeiE3lqC46PSmhEOkwHwYDVR0jBBgwFoAU3QF9 -mKDrefmeiE3lqC46PSmhEOkwDwYDVR0TAQH/BAUwAwEB/zASBgNVHRMBAf8ECDAG -AQH/AgEBMAoGCCqGSM49BAMCA2cAMGQCMAQ/g18eRvqITDZEKdzf4bI4qKF/ZbVL -GTZ+2HHZYwDvsuHeznTl1Uq1stzmySi4owIwV1jCF8f4gikxT0XCF+u1CJlVYiZP -tyRnLdZaKl/seNUmBO0RRR72tsRd/X1QR3NK +MIIBojCCASigAwIBAgIQdN97RoNpSe/j6zMPBRiEjTAKBggqhkjOPQQDAzAQMQ4w +DAYDVQQDEwVlY2RzYTAgFw0yMjAxMTUyMTM5NDZaGA8yMTIxMTIyMjIxMzk0Nlow +EDEOMAwGA1UEAxMFZWNkc2EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkL81PCeoj +XHCTnkv5DtkFiTR14i9ud+xMTCURLDlxBXk1fBywg1o3P6vHzYZpyEVRligoxELH +cPyY1xx4B0es6PJKlN95WoLYZXW10Y5R1aahTxVYSv+kEztt8Syp3zGjRTBDMA4G +A1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1UdDgQWBBS+Jr+X +Ci1VSjK6/sMMTsQcX6K1MDAKBggqhkjOPQQDAwNoADBlAjEA8swYU8cQcmTLa7Y7 +/yyzpQ6Z+Xwts5d2U9jxvsUchietQfMAjTTZfqF/WZRMLRvwAjBciWw9cL9PUzG3 +1RD+fH+Z8RKcxs2A1NboUcfVEiYbQ3XSZlDX0GhjguI4xgdL6DY= -----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/ecdsa-key.pem b/pkg/ca/fileca/testdata/ecdsa-key.pem index 785f2a20f..030e37c17 100644 --- a/pkg/ca/fileca/testdata/ecdsa-key.pem +++ b/pkg/ca/fileca/testdata/ecdsa-key.pem 
@@ -1,8 +1,9 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIBEzBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIGCeFiJ2rs3wCAggA -MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGZQSOBsvcjqBIHAGdU9wj136ikM -QUqJqDt5oSDKJAU2Yrv+pCRLz6VENGUvxFrPsn9fbjSt69fSZMm09mITfEg1eLO4 -9LDl7PW1Bza803IXKQnZ0xnRUkkY1GQfDtQEGCYFaojRpYNLmmSiHpeFrqAPz83K -+oXsRTwuRkDrABNpwTCEXYVmcHUmk9NqC6E2qjmYOyDx0ktA4HG62H3/cpGZleBs -l58oyOg658erxF1rnASN15lw9/1g0lWACsXsMgbkjDnY51LU71pR ------END ENCRYPTED PRIVATE KEY----- +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,4a2a1826bd853f1c2c0117902551c0a9 + +Flk9LwvoP6yjUQQlr57AMLN2NN6VKV1hnPQ8art2O2aXidLqwgi2ZcpfIuCGuAJn +zcOXJAiXmkvOzWnXkDRW5xmzsuwVp1RzwkF/DbmleO+Bw4SdylOB4OJj2Pu0huv2 +hH+xcym5XdsclLn8gOZZBH01i23oH+O/poHE9JjxnxWX0wALovghbvGMoPiz9unn +JVH9OewvTL8JINsr6vmDMyOX0D+GIAvYmTF518U+ykA= +-----END EC PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/ed25519-cert.pem b/pkg/ca/fileca/testdata/ed25519-cert.pem index 03c292c9c..10c0bcbbc 100644 --- a/pkg/ca/fileca/testdata/ed25519-cert.pem +++ b/pkg/ca/fileca/testdata/ed25519-cert.pem 
@@ -1,10 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBTzCCAQGgAwIBAgIUeObF4LopbObr0zVOX7BAZbvy4MswBQYDK2VwMBIxEDAO -BgNVBAMMB2VkMjU1MTkwIBcNMjExMjIxMTkxMzI2WhgPMjEyMTExMjcxOTEzMjZa -MBIxEDAOBgNVBAMMB2VkMjU1MTkwKjAFBgMrZXADIQBNNJP9Ys+Sx0Cx/c5pQNAF -cuECdESA0vB2IqXVAG5OiaNnMGUwHQYDVR0OBBYEFJEGm0OzRNsdBVLdDBCcx21i -nEySMB8GA1UdIwQYMBaAFJEGm0OzRNsdBVLdDBCcx21inEySMA8GA1UdEwEB/wQF -MAMBAf8wEgYDVR0TAQH/BAgwBgEB/wIBATAFBgMrZXADQQD6quk/tnnZpFgabR2Q -4WCweJfZ4NfrhMOVvAPdECW/P57NH0P2BUSOK+/DktOBFIjLUWG6ptRExHDcRsFm -WTsA +MIIBKTCB3KADAgECAhEAlbs/LTFVoOGgJ4IoVq5VbDAFBgMrZXAwEjEQMA4GA1UE +AxMHZWQyNTUxOTAgFw0yMjAxMTUyMTM5NDRaGA8yMTIxMTIyMjIxMzk0NFowEjEQ +MA4GA1UEAxMHZWQyNTUxOTAqMAUGAytlcAMhACrmjkFJH7p3ZV3xJhXAVZtUK4Wb +8SQI3xxkYf+zjdEzo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB +/wIBATAdBgNVHQ4EFgQUgjQqhKp/TfTOGOMJUUqd5j/SWRgwBQYDK2VwA0EAFJtY +O7Xb2hUvJOtimrx1Ag3l+aDcgSA8DHT+ibqInGAVhUghkyEmbWv055FQSiIX46Zt +lo9wHPvcSE7LMoa8AA== -----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/ed25519-key.pem b/pkg/ca/fileca/testdata/ed25519-key.pem index 5386d0801..1661d719d 100644 --- a/pkg/ca/fileca/testdata/ed25519-key.pem +++ b/pkg/ca/fileca/testdata/ed25519-key.pem @@ -1,5 +1,6 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIGKME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAggWEDSFylYswICCAAw -DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIaecFy/8IbAYEOHb3xUdAVad3ZcXk -dkwJjtPNP2t2PA/6ngVgfsx2dgqKBhjg9JXG98Yw2eeYqJsbZ4jrHAJK0l8E +MIGkMGAGCSqGSIb3DQEFDTBTMDIGCSqGSIb3DQEFDDAlBBC5ebV8jVzdeumTeg0K +1YR4AgMBhqAwDAYIKoZIhvcNAgkAADAdBglghkgBZQMEASoEEIN6WmojJPzZuNxj +mmET4yYEQGSmy/JMfleTGL9FHT/f6dvV2xcHAJ2aFaNy8/JPLbcV9QgHAc2ze2+e +CPumY7wCCcdvRsMXgxFSsivigqhiPIE= -----END ENCRYPTED PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/eku-chaining-violation-cert.pem b/pkg/ca/fileca/testdata/eku-chaining-violation-cert.pem new file mode 100644 index 000000000..0af419195 --- /dev/null +++ b/pkg/ca/fileca/testdata/eku-chaining-violation-cert.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIBhDCCATagAwIBAgIRAJb66/TzcjqBXH201cLeUH8wBQYDK2VwMBgxFjAUBgNV +BAMTDWludGVybWVkaWF0ZTEwHhcNMjIwMTE1MjEzOTU1WhcNMjIwMTE2MjEzOTU1 +WjAYMRYwFAYDVQQDEw1pbnRlcm1lZGlhdGUyMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEAJm0AEXqLVYA/iodsse5xVZTRs/gKtCbIFDAxN9bT2fGRod9HvgD+Gb/ +H62ifOtbV7sQV/c3ZB669V5TRsryrqNmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud +EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFPfWO2KNhaRmhTGDYSGHqo9uNs1gMB8G +A1UdIwQYMBaAFAWos1G3TegCEAXva/JEqmnR9ziLMAUGAytlcANBAO3EIzuXOk6Q +77GtvF8B4t/LU6ezC7DJjxwDDQAXpAAYnWbftf15pOYBfulcjEd70yFc1QA1VdtV +V1YXsggiLAI= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBcjCCARegAwIBAgIQJFdlkkJeEz/Nx4qDHVBpOTAKBggqhkjOPQQDAjAPMQ0w +CwYDVQQDEwRyb290MB4XDTIyMDExNTIxMzk1NVoXDTIyMDExNjIxMzk1NVowGDEW +MBQGA1UEAxMNaW50ZXJtZWRpYXRlMTAqMAUGAytlcAMhAPKV6IWCMdQ/n1VcdgSh +lC5MH/m7uilfelOMN9tDpYUZo3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAww +CgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUBaizUbdN +6AIQBe9r8kSqadH3OIswHwYDVR0jBBgwFoAUpzPc0nDf/4hdxMCkLvk6Y9KsJJQw +CgYIKoZIzj0EAwIDSQAwRgIhAJM0z+Z8fTtHz0M4nDaCDJsKRLCpfoSZ/i8TtD/I +J65qAiEA6UudGaQGnEPQjW4QSiFJkD/E2vHxAu0SkSxV1UjGv30= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBYTCCAQagAwIBAgIPSynyoAutDD5fyCjqMj5xMAoGCCqGSM49BAMCMA8xDTAL +BgNVBAMTBHJvb3QwHhcNMjIwMTE1MjEzOTU1WhcNMjIwMTE2MjEzOTU1WjAPMQ0w +CwYDVQQDEwRyb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOAKo0hjeKCzW +q3rW/g30/42ltirz39aKQElOe83sgJ8N63t3j7yvhSQ+5puIE83Q9Vb98fteVe+y +Izy9RoKyI6NFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQIw +HQYDVR0OBBYEFKcz3NJw3/+IXcTApC75OmPSrCSUMAoGCCqGSM49BAMCA0kAMEYC +IQCifL/yAa+bBBc04p5/nrp0riyVQTWT4l9YzWYZCTHrjAIhALemgiIT1bV3hRgN +iHHAj9HfVuFpQwTfwtlOyo5wvL5o +-----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/eku-chaining-violation-key.pem b/pkg/ca/fileca/testdata/eku-chaining-violation-key.pem new file mode 100644 index 000000000..bec5b5aba --- /dev/null +++ b/pkg/ca/fileca/testdata/eku-chaining-violation-key.pem 
@@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,226887dd5435da96ca6b5563dc3a3a04 + +9Rb2H57DxtFouMfwLSJw1upKHnD44xorC1fj2CttqT3kYv7MX+O+8WqzDZHeY4Vh +DiWEhXt89FnH+JOkGY8t0WnrbIHxwzVlkA8Y8vaaC+hf2V8gYJJP4uVdeZAqQH6W +/ywHRU6k0Ok2W+nQcT+X/nupMN6gBf/4+dptYlwNPsk= +-----END EC PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/generate.sh b/pkg/ca/fileca/testdata/generate.sh index 063182c8a..fa02d24da 100755 --- a/pkg/ca/fileca/testdata/generate.sh +++ b/pkg/ca/fileca/testdata/generate.sh 
@@ -14,105 +14,325 @@
 # limitations under the License.
 password=password123
-duration=36500 # 100 years
-
-# ed25519
-openssl req -x509 \
- -newkey ed25519 \
- -sha256 \
- -keyout ed25519-key.pem \
- -out ed25519-cert.pem \
- -subj "/CN=ed25519" \
- -days $duration \
- -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
- -passout pass:"$password"
-
-# ecdsa
-openssl req -x509 \
- -newkey ec \
- -pkeyopt ec_paramgen_curve:secp384r1 \
- -sha256 \
- -keyout ecdsa-key.pem \
- -out ecdsa-cert.pem \
- -subj "/CN=ecdsa" \
- -days $duration \
- -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
- -passout pass:"$password"
-
-# RSA 4096
-openssl req -x509 \
- -newkey rsa:4096 \
- -sha256 \
- -keyout rsa4096-key.pem \
- -out rsa4096-cert.pem \
- -subj "/CN=rsa4096" \
- -days $duration \
- -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
- -passout pass:"$password"
-
-# mismatch cert (key doesn't match cert)
-openssl req -x509 \
- -newkey ed25519 \
- -sha256 \
- -keyout mismatch-key.pem \
- -out mismatch-cert.pem \
- -subj "/CN=mismatch" \
- -days $duration \
- -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
- -passout pass:"$password"
-
-# Mess up the keys
-cp ed25519-key.pem mismatch-key.pem
-
-# Not a CA
-openssl req -x509 \
- -newkey ed25519 \
- -sha256 \
- -keyout notca-key.pem \
- -out notca-cert.pem \
- -subj "/CN=notca" \
- -days $duration \
- -addext basicConstraints=critical,CA:FALSE,pathlen:1 \
- -passout pass:"$password"
-
-#### Intermediate CA
-
-# Root CA
-openssl req -x509 \
- -newkey ed25519 \
- -sha256 \
- -keyout root-key.pem \
- -out root-cert.pem \
- -subj "/CN=rootca" \
- -days $duration \
- -addext basicConstraints=critical,CA:TRUE,pathlen:2 \
- -nodes
-
-# Certificate Signing Request
-openssl req \
- -newkey ed25519 \
- -sha256 \
- -passout pass:"$password" \
- -subj "/CN=intermediate" \
- -out intermediate-csr.pem \
- -keyout intermediate-key.pem \
- -outform PEM
-
-# Sign certificate
-openssl x509 \
- -req \
- -in intermediate-csr.pem \
- -days $duration \
- -CA root-cert.pem \
- -CAkey root-key.pem \
- -set_serial 22 \
- -out intermediate-cert.pem \
- -extfile openssl-ca.conf \
- -extensions signing_req
-
-# Full chain
-mv intermediate-cert.pem tmp.pem
-cat tmp.pem root-cert.pem > intermediate-cert.pem
-
-# Clean up
-rm intermediate-csr.pem tmp.pem root-cert.pem root-key.pem
+duration=876000h # 100 years
+tpl=temp.tpl
+
+function generate_ed25519 {
+ echo $password > password.file
+
+ step certificate create \
+ --profile root-ca \
+ --not-after $duration \
+ --kty OKP \
+ --crv Ed25519 \
+ --password-file password.file \
+ ed25519 \
+ ed25519-cert.pem \
+ ed25519-key.pem
+
+ rm password.file
+}
+
+function generate_ecdsa {
+ echo $password > password.file
+
+ step certificate create \
+ --profile root-ca \
+ --not-after $duration \
+ --kty EC \
+ --crv P-384 \
+ --password-file password.file \
+ ecdsa \
+ ecdsa-cert.pem \
+ ecdsa-key.pem
+
+ rm password.file
+}
+
+function generate_rsa4096 {
+ echo $password > password.file
+
+ step certificate create \
+ --profile root-ca \
+ --not-after $duration \
+ --kty RSA \
+ --size 4096 \
+ --password-file password.file \
+ rsa4096 \
+ rsa4096-cert.pem \
+ rsa4096-key.pem
+
+ rm password.file
+}
+
+function generate_openssl {
+ # OpenSSL uses a different encryption format
+ # than step so lets makes sure that works
+ openssl req -x509 \
+ -newkey ed25519 \
+ -sha256 \
+ -keyout openssl-key.pem \
+ -out openssl-cert.pem \
+ -subj "/CN=openssl" \
+ -days 36500 \
+ -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
+ -passout pass:"$password"
+}
+
+function generate_key_mismatch {
+ echo $password > password.file
+ step certificate create \
+ --profile root-ca \
+ --not-after $duration \
+ --kty OKP \
+ --crv Ed25519 \
+ --password-file password.file \
+ mismatch \
+ temp-cert.pem \
+ temp-key.pem
+
+ step certificate create \
+ --profile root-ca \
+ --not-after $duration \
+ --kty OKP \
+ --crv Ed25519 \
+ --password-file password.file \
+ mismatch \
+ mismatch-cert.pem \
+ mismatch-key.pem
+
+ mv temp-key.pem mismatch-key.pem
+ rm temp-cert.pem
+ rm password.file
+}
+
+function generate_not_a_ca {
+ echo $password > password.file
+
+ step certificate create \
+ --ca ed25519-cert.pem \
+ --ca-key ed25519-key.pem \
+ --ca-password-file password.file \
+ --profile leaf \
+ --not-after $duration \
+ --kty OKP \
+ --crv Ed25519 \
+ --password-file password.file \
+ notca \
+ notca-cert.pem \
+ notca-key.pem
+
+ rm password.file
+}
+
+function generate_intermediate_ca {
+ echo $password > password.file
+
+ # Root CA
+ cat <<-EOF > root.tpl
+ {
+ "subject": {
+ "commonName": "root"
+ },
+ "issuer": {
+ "commonName": "root"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 2
+ }
+ }
+EOF
+
+ step certificate create \
+ --template root.tpl \
+ --password-file password.file \
+ root \
+ root-cert.pem \
+ root-key.pem \
+
+ rm root.tpl
+
+ # Intermediate 1
+ cat <<-EOF > intermediate1.tpl
+ {
+ "subject": {
+ "commonName": "intermediate1"
+ },
+ "issuer": {
+ "commonName": "intermediate1"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "extKeyUsage": ["codeSigning"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 1
+ }
+ }
+EOF
+
+ step certificate create \
+ --template intermediate1.tpl \
+ --password-file password.file \
+ --kty OKP \
+ --curve Ed25519 \
+ --ca root-cert.pem \
+ --ca-key root-key.pem \
+ --ca-password-file password.file \
+ intermediate1 \
+ intermediate1-cert.pem \
+ intermediate1-key.pem \
+
+ rm root-key.pem
+ rm intermediate1.tpl
+
+ # Intermediate 2
+ cat <<-EOF > intermediate2.tpl
+ {
+ "subject": {
+ "commonName": "intermediate2"
+ },
+ "issuer": {
+ "commonName": "intermediate2"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "extKeyUsage": ["codeSigning"],
+ "basicConstraints": {
+ "isCA": true
+ }
+ }
+EOF
+
+ step certificate create \
+ --template intermediate2.tpl \
+ --password-file password.file \
+ --ca intermediate1-cert.pem \
+ --ca-key intermediate1-key.pem \
+ --ca-password-file password.file \
+ intermediate2 \
+ intermediate2-cert.pem \
+ intermediate2-key.pem \
+
+ rm intermediate1-key.pem
+ rm intermediate2.tpl
+
+ # Chain certificates together and delete unneeded ones
+ cat intermediate2-cert.pem intermediate1-cert.pem root-cert.pem > intermediate-cert.pem
+ mv intermediate2-key.pem intermediate-key.pem
+ rm intermediate2-cert.pem intermediate1-cert.pem root-cert.pem
+
+ rm password.file
+}
+
+function generate_eku_chaining_violation {
+ echo $password > password.file
+
+ # Root CA
+ cat <<-EOF > root.tpl
+ {
+ "subject": {
+ "commonName": "root"
+ },
+ "issuer": {
+ "commonName": "root"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 2
+ }
+ }
+EOF
+
+ step certificate create \
+ --template root.tpl \
+ --password-file password.file \
+ root \
+ root-cert.pem \
+ root-key.pem \
+
+ rm root.tpl
+
+ # Intermediate 1
+ # NB: This intermediate lacks code signing extended key usage so its in
+ # violation of extended key usage chaining a should _not_ load.
+ cat <<-EOF > intermediate1.tpl
+ {
+ "subject": {
+ "commonName": "intermediate1"
+ },
+ "issuer": {
+ "commonName": "intermediate1"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "extKeyUsage": ["codeSigning"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 1
+ }
+ }
+EOF
+
+ step certificate create \
+ --template intermediate1.tpl \
+ --password-file password.file \
+ --kty OKP \
+ --curve Ed25519 \
+ --ca root-cert.pem \
+ --ca-key root-key.pem \
+ --ca-password-file password.file \
+ intermediate1 \
+ intermediate1-cert.pem \
+ intermediate1-key.pem \
+
+ rm root-key.pem
+ rm intermediate1.tpl
+
+ # Intermediate 2
+ # NB: This intermediate lacks code signing extended key usage so its in
+ # violation of extended key usage chaining a should _not_ load.
+ cat <<-EOF > intermediate2.tpl
+ {
+ "subject": {
+ "commonName": "intermediate2"
+ },
+ "issuer": {
+ "commonName": "intermediate2"
+ },
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true
+ }
+ }
+EOF
+
+ step certificate create \
+ --template intermediate2.tpl \
+ --password-file password.file \
+ --ca intermediate1-cert.pem \
+ --ca-key intermediate1-key.pem \
+ --ca-password-file password.file \
+ intermediate2 \
+ intermediate2-cert.pem \
+ intermediate2-key.pem \
+
+ rm intermediate1-key.pem
+ rm intermediate2.tpl
+
+ # Chain certificates together and delete unneeded ones
+ cat intermediate2-cert.pem intermediate1-cert.pem root-cert.pem > eku-chaining-violation-cert.pem
+ mv intermediate2-key.pem eku-chaining-violation-key.pem
+ rm intermediate2-cert.pem intermediate1-cert.pem root-cert.pem
+
+ rm password.file
+}
+
+generate_ed25519
+generate_ecdsa
+generate_rsa4096
+generate_openssl
+generate_key_mismatch
+generate_not_a_ca
+generate_intermediate_ca
+generate_eku_chaining_violation
diff --git a/pkg/ca/fileca/testdata/intermediate-cert.pem b/pkg/ca/fileca/testdata/intermediate-cert.pem
index 9e5fab614..e6d892d4a 100644
--- a/pkg/ca/fileca/testdata/intermediate-cert.pem
+++ b/pkg/ca/fileca/testdata/intermediate-cert.pem
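Review bot: In `generate_eku_chaining_violation` the NB comment above `intermediate1.tpl` says that intermediate lacks the code signing EKU, yet the template still carries `"extKeyUsage": ["codeSigning"]`; only `intermediate2.tpl` omits it, so the first comment is a misplaced copy and should be replaced with `# NB: intermediate1 keeps codeSigning; the chaining violation is introduced by intermediate2 below.` (and `a should` reads as `and should`). Every function writes the plaintext password to `password.file` and removes it only on the success path, so one failing `step` call leaves it, plus the `.tpl` and `root-key.pem` scratch files, behind in testdata; a `trap 'rm -f password.file *.tpl' EXIT` near the top, or `set -e` if the header outside this hunk does not already set it, would make cleanup reliable. The `step certificate create` invocations that end with `root-key.pem \` (and the `*-key.pem \` lines in the intermediate steps) followed by a blank line rely on the continuation swallowing an empty line, which works today but will silently glue in whatever is added there next; dropping the trailing backslash removes the trap. `tpl=temp.tpl` is assigned but never used.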
@@ -1,18 +1,31 @@ -----BEGIN CERTIFICATE----- -MIIBNTCB6KADAgECAgEWMAUGAytlcDARMQ8wDQYDVQQDDAZyb290Y2EwIBcNMjIw -MTA4MDQyOTM3WhgPMjEyMTEyMTUwNDI5MzdaMBcxFTATBgNVBAMMDGludGVybWVk -aWF0ZTAqMAUGAytlcAMhABxIp+uxTqva39hqLoV6GMzS4/0RGpvZ6UuiBiIqe7Nu -o10wWzAdBgNVHQ4EFgQUYMZkOOfGmfPTEs83wGDZRuNhHQIwHwYDVR0jBBgwFoAU -hQF6u+wPlhpfVNyVGI90oQpUSYMwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCBaAw -BQYDK2VwA0EA35RoOqPglrqCvjTebrx1KSck8TPk8Nrr2ga75ND1xpUwcVBC0xul -FK6msSlGwU4JWwyDwK/NAhshaWBxV3cFBQ== +MIIBmTCCAUugAwIBAgIRAPHhFOt8IECqA+s+uQZAOgIwBQYDK2VwMBgxFjAUBgNV +BAMTDWludGVybWVkaWF0ZTEwHhcNMjIwMTE1MjEzOTU1WhcNMjIwMTE2MjEzOTU1 +WjAYMRYwFAYDVQQDEw1pbnRlcm1lZGlhdGUyMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEG2q6EMhGXLAUeZxrSN/noHxIIt9FkaqNVyJAVUuAKUV2AtRlessVZk8H +Ri9WxWUUCeFkr5SRqFZJIdzrdNeipKN7MHkwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud +JQQMMAoGCCsGAQUFBwMDMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFIJX +vwvHk68S/M3MOtltU+erem4FMB8GA1UdIwQYMBaAFHblUn7C9Mrw8nI9K74MYfo6 +0SyuMAUGAytlcANBAMVPonaSGbXnH62j/W1/5mXjQO7fD138lws4rrU52kSqmDX9 +gAgDiMW2nsYEF7NpuMiHXB0gssiJHjxetTxZ/QE= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBTDCB/6ADAgECAhQly4C9Kx50JaOxPSmy7o3tf21rkDAFBgMrZXAwETEPMA0G -A1UEAwwGcm9vdGNhMCAXDTIyMDEwODA0MjkzN1oYDzIxMjExMjE1MDQyOTM3WjAR -MQ8wDQYDVQQDDAZyb290Y2EwKjAFBgMrZXADIQAm65BwsxLNuBYkBIiHE2SGec8v -FYju2qKuhO6kVgx+hKNnMGUwHQYDVR0OBBYEFIUBervsD5YaX1TclRiPdKEKVEmD -MB8GA1UdIwQYMBaAFIUBervsD5YaX1TclRiPdKEKVEmDMA8GA1UdEwEB/wQFMAMB -Af8wEgYDVR0TAQH/BAgwBgEB/wIBAjAFBgMrZXADQQC5Uk+groK6+m0DoPXdFp+j -6gInepNfYONRKzSxVe+rgi3OSQ4GX1UaML0Rzy6uGALNk1gQiOnplSZz7Y+pLKoE +MIIBcjCCARigAwIBAgIRALUdNGX1hguBs1sVqnV9+VIwCgYIKoZIzj0EAwIwDzEN +MAsGA1UEAxMEcm9vdDAeFw0yMjAxMTUyMTM5NTVaFw0yMjAxMTYyMTM5NTVaMBgx +FjAUBgNVBAMTDWludGVybWVkaWF0ZTEwKjAFBgMrZXADIQCG4Eqjj8FgzCdPWQR9 +IRIFTnkkqgxYKkxPdMFFdz/6WaN7MHkwDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQM +MAoGCCsGAQUFBwMDMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFHblUn7C +9Mrw8nI9K74MYfo60SyuMB8GA1UdIwQYMBaAFHrcCU2EYdOPCahHzBdjaA36MyeN 
+MAoGCCqGSM49BAMCA0gAMEUCIQCHvsiI9W3uutyrMTCn4mFNNrkqsD8wzLr+t6JU +1H+TiAIgZHYBawPzy1HgBje5Ig29dnOcITya6DzWs0qtgJOjS0k= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBYjCCAQegAwIBAgIQC0VkV7T8pfBO5RdhNLjY2jAKBggqhkjOPQQDAjAPMQ0w +CwYDVQQDEwRyb290MB4XDTIyMDExNTIxMzk1NVoXDTIyMDExNjIxMzk1NVowDzEN +MAsGA1UEAxMEcm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABA1AzQl4Vj4T ++m/D32hLZwgp19+Zg0JE9Fg2Q7YeRub+6MMdeU4s38nKdmPeaF7rvCBtaAqb1bJL +236kcYRNz7ijRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEC +MB0GA1UdDgQWBBR63AlNhGHTjwmoR8wXY2gN+jMnjTAKBggqhkjOPQQDAgNJADBG +AiEAkNA+Fm6eMr7qVGK/GiCQ6JaJ/T2xZHEJSFc9P5yOqNsCIQCH8UfVKPzvBgPE +JFAXlKHz9OG1AUSSCNvwRHFVf9DF+A== -----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/intermediate-key.pem b/pkg/ca/fileca/testdata/intermediate-key.pem index 00d929a33..f4fb00292 100644 --- a/pkg/ca/fileca/testdata/intermediate-key.pem +++ b/pkg/ca/fileca/testdata/intermediate-key.pem @@ -1,5 +1,8 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIGKME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAgOOujHxCUlcgICCAAw -DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQILfK4b9k62+IEOE6l+NWyFeGlKcb9 -cMojzzwLT0qUbBQfVcHu3XVwKnwgON6jBIRRA12AHrH9sOjHdQO4NFco10A0 ------END ENCRYPTED PRIVATE KEY----- +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,e710e4e60cfa1e80d3ef89d978836a61 + +499UW4ND73wv9xD+XstJew6WKXF1Qqc1BTbFARRz5VZO052IQ1eDwIuKJoSbrCqr +W9k3QWmBWL7FNhUaZYl5+T5rhD/hJR21gwm9yQngDNO8l1gn0TsuvRCYxQYZmvi+ +h/KluNakCh4wkkT7K5fMF+zYMx/kRvK6zwQ2m/LUBSQ= +-----END EC PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/mismatch-cert.pem b/pkg/ca/fileca/testdata/mismatch-cert.pem index c49513a15..10aa372b0 100644 --- a/pkg/ca/fileca/testdata/mismatch-cert.pem +++ b/pkg/ca/fileca/testdata/mismatch-cert.pem 
@@ -1,10 +1,9 @@ -----BEGIN CERTIFICATE----- -MIIBUTCCAQOgAwIBAgIUfHFDsb53zUPiJ5/nlknv5eU3DpkwBQYDK2VwMBMxETAP -BgNVBAMMCG1pc21hdGNoMCAXDTIxMTIyMTE5MTMyN1oYDzIxMjExMTI3MTkxMzI3 -WjATMREwDwYDVQQDDAhtaXNtYXRjaDAqMAUGAytlcAMhAKTb9T96TtiHEC4cLs2y -gobJmI51zTGIKzjR+T+yMddLo2cwZTAdBgNVHQ4EFgQUM/1OrVpNmA8JvPwp47o4 -cS/NLdUwHwYDVR0jBBgwFoAUM/1OrVpNmA8JvPwp47o4cS/NLdUwDwYDVR0TAQH/ -BAUwAwEB/zASBgNVHRMBAf8ECDAGAQH/AgEBMAUGAytlcANBAHZ7HB9H/qh1xqC+ -ih5XmVYPBbec8qOez3i5JSYy+05C6cjsMdBookbAY5qpUtaYeBwcJ9SW7JeP18R8 -JPQ/rg4= +MIIBKzCB3qADAgECAhEAu5AZVpj7oqP/vpJJYrh0GzAFBgMrZXAwEzERMA8GA1UE +AxMIbWlzbWF0Y2gwIBcNMjIwMTE1MjEzOTUwWhgPMjEyMTEyMjIyMTM5NTBaMBMx +ETAPBgNVBAMTCG1pc21hdGNoMCowBQYDK2VwAyEAmScQY8hnKp2DEOa7D9Gkz5Sj +fXukbQx+PnXDsAPXRPujRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG +AQH/AgEBMB0GA1UdDgQWBBQ4NNOItbtV1PG9CMwFH/sDQ1Iv3DAFBgMrZXADQQAG +iO2a9E7OkInA9acmMXDgkMFhsPpIFF/7ZHZiRW7KOD2Ee+bXLo0YCqsPFVyrSJBP +J1ZFabLwDfOta0ij8K4A -----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/mismatch-key.pem b/pkg/ca/fileca/testdata/mismatch-key.pem index 5386d0801..da42fdf8e 100644 --- a/pkg/ca/fileca/testdata/mismatch-key.pem +++ b/pkg/ca/fileca/testdata/mismatch-key.pem @@ -1,5 +1,6 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIGKME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAggWEDSFylYswICCAAw -DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIaecFy/8IbAYEOHb3xUdAVad3ZcXk -dkwJjtPNP2t2PA/6ngVgfsx2dgqKBhjg9JXG98Yw2eeYqJsbZ4jrHAJK0l8E +MIGkMGAGCSqGSIb3DQEFDTBTMDIGCSqGSIb3DQEFDDAlBBC5btFLHho69j312Rsc +VVjWAgMBhqAwDAYIKoZIhvcNAgkAADAdBglghkgBZQMEASoEEN2yT9YbTNKbBGsn +yfSm6LoEQGllEGLnggaLp5wbCYpzI5K5RwusyQ/I/CfLrnpid0yhn3pnlwOEaKQt +04gW1rnWApeVYkqSOKLXTZZmEk/4mdM= -----END ENCRYPTED PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/notca-cert.pem b/pkg/ca/fileca/testdata/notca-cert.pem index ee83bafe5..edac36861 100644 --- a/pkg/ca/fileca/testdata/notca-cert.pem +++ b/pkg/ca/fileca/testdata/notca-cert.pem 
@@ -1,9 +1,10 @@ -----BEGIN CERTIFICATE----- -MIIBRzCB+qADAgECAhQDX4GfTfK6ck56Yn7yT8hrJn1SyDAFBgMrZXAwEDEOMAwG -A1UEAwwFbm90Y2EwIBcNMjExMjIxMTkxMzI3WhgPMjEyMTExMjcxOTEzMjdaMBAx -DjAMBgNVBAMMBW5vdGNhMCowBQYDK2VwAyEAH/poanRWlO3G2v7TojRWEpmJLVLX -0zxmyTA1EbOQuTGjZDBiMB0GA1UdDgQWBBS6S5FO2LmyK9GjNdWt4lBUeAq0LjAf -BgNVHSMEGDAWgBS6S5FO2LmyK9GjNdWt4lBUeAq0LjAPBgNVHRMBAf8EBTADAQH/ -MA8GA1UdEwEB/wQFMAMCAQEwBQYDK2VwA0EABvr4fVmVtWGtYVxPEhANWPmf3oFS -ukFOmBetWsTYmrH8HWx7P73MCPo9aXkkla9s5p/oITqD7h2RvF9nNimqAg== +MIIBZzCCARmgAwIBAgIQWiLQu0n5jujjEmMP6NYDkjAFBgMrZXAwEjEQMA4GA1UE +AxMHZWQyNTUxOTAgFw0yMjAxMTUyMTM5NTFaGA8yMTIxMTIyMjIxMzk1MVowEDEO +MAwGA1UEAxMFbm90Y2EwKjAFBgMrZXADIQCXYmu5mkK+kCbKk+1AueGcwpQf8CYZ +/3rTPrueUx9Dh6OBhDCBgTAOBgNVHQ8BAf8EBAMCB4AwHQYDVR0lBBYwFAYIKwYB +BQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQiI01PMd8s2C9yCTLY6VVuklbDvzAf +BgNVHSMEGDAWgBSCNCqEqn9N9M4Y4wlRSp3mP9JZGDAQBgNVHREECTAHggVub3Rj +YTAFBgMrZXADQQCa/4e8+39kij5HFDDr3HU1YspoJQV/Ky5/b/6KgMhNZ5fYr0XO +No5F9KuQRpOExD9EUHgHL51+hiZeM7Cx0+kI -----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/notca-key.pem b/pkg/ca/fileca/testdata/notca-key.pem index b298c768a..0cf5b014e 100644 --- a/pkg/ca/fileca/testdata/notca-key.pem +++ b/pkg/ca/fileca/testdata/notca-key.pem @@ -1,5 +1,6 @@ -----BEGIN ENCRYPTED PRIVATE KEY----- -MIGKME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAjwTlExAYUMxwICCAAw -DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIHg80StF7iN8EOLK5NCgrUFxs7p9Z -oxcp1G7Bh2qswvz6eGef4yL6boxGEuCg4zcUzec+0lFJ8nyOw3bb1Jwwi5JO +MIGkMGAGCSqGSIb3DQEFDTBTMDIGCSqGSIb3DQEFDDAlBBDPR7bWDdIIUSyg+ssG +grs2AgMBhqAwDAYIKoZIhvcNAgkAADAdBglghkgBZQMEASoEEEQe5WtDuRD7V9M5 +K/3xVJsEQOaCma8Mpoaava3czE3PtJh7vaOZz8pBIIkGfBiB2il6Yf1wgtjLaaFg +lx4kFAMIHteYSVTVGtvKdU0K5IsMFEY= -----END ENCRYPTED PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/openssl-ca.conf b/pkg/ca/fileca/testdata/openssl-ca.conf deleted file mode 100644 index ed1c2d1a3..000000000 --- a/pkg/ca/fileca/testdata/openssl-ca.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -[ signing_policy ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional - -[ signing_req ] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer -basicConstraints = CA:TRUE -keyUsage = digitalSignature, keyEncipherment diff --git a/pkg/ca/fileca/testdata/openssl-cert.pem b/pkg/ca/fileca/testdata/openssl-cert.pem new file mode 100644 index 000000000..90b9b4a67 --- /dev/null +++ b/pkg/ca/fileca/testdata/openssl-cert.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBTzCCAQGgAwIBAgIUBzfhYwehOpVXiwAu4NUQSJ7WircwBQYDK2VwMBIxEDAO +BgNVBAMMB29wZW5zc2wwIBcNMjIwMTE1MjEzOTUwWhgPMjEyMTEyMjIyMTM5NTBa +MBIxEDAOBgNVBAMMB29wZW5zc2wwKjAFBgMrZXADIQA+6T0sVCvNjPXfawGTOEHk +LLJdHtO/TaDH53bdcaymfKNnMGUwHQYDVR0OBBYEFFpmjtXlt0tMIBcmg4mV3X6f +sxz6MB8GA1UdIwQYMBaAFFpmjtXlt0tMIBcmg4mV3X6fsxz6MA8GA1UdEwEB/wQF +MAMBAf8wEgYDVR0TAQH/BAgwBgEB/wIBATAFBgMrZXADQQApebcCsIoHj54QgLT7 +zBs+SahFDhvRlpxQQsh59lpWInPgyPZSH1lJEI4Lp7nn5nkTkNIvpk5Hyr6Fyi3m +j2IL +-----END CERTIFICATE----- diff --git a/pkg/ca/fileca/testdata/openssl-key.pem b/pkg/ca/fileca/testdata/openssl-key.pem new file mode 100644 index 000000000..7e7a6475e --- /dev/null +++ b/pkg/ca/fileca/testdata/openssl-key.pem @@ -0,0 +1,5 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIGKME4GCSqGSIb3DQEFDTBBMCkGCSqGSIb3DQEFDDAcBAjjyxWSbwjG6QICCAAw +DAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIIpN3ZCf2g4cEOOsEmJuG7AEi3Wvk +9GuNyXHp8D+UBDUQLWKGOIZsSKDQro/UaTMp1SM5Nl7bRL5L3LYgJ8+uMEov +-----END ENCRYPTED PRIVATE KEY----- diff --git a/pkg/ca/fileca/testdata/rsa4096-cert.pem b/pkg/ca/fileca/testdata/rsa4096-cert.pem index 6427e2e67..c7809620f 100644 --- a/pkg/ca/fileca/testdata/rsa4096-cert.pem +++ b/pkg/ca/fileca/testdata/rsa4096-cert.pem 
@@ -1,30 +1,29 @@
 -----BEGIN CERTIFICATE-----
-MIIFGzCCAwOgAwIBAgIUNNrNtETw6r3oJIDH+quQ01QYxlQwDQYJKoZIhvcNAQEL
-BQAwEjEQMA4GA1UEAwwHcnNhNDA5NjAgFw0yMTEyMjExOTEzMjdaGA8yMTIxMTEy
-NzE5MTMyN1owEjEQMA4GA1UEAwwHcnNhNDA5NjCCAiIwDQYJKoZIhvcNAQEBBQAD
-ggIPADCCAgoCggIBAM9mSsC1QpNg9i4ZRd9tNZ3bD50CNpDdmy5+Axbhvd9PKgX9
-Krn0YubMbipyWeqlzV8PKTAplnaXSOpDlVfCiTBACw68YxIa7Hp1Qan/UGd5l5qQ
-NID35Lyfy5UqiRgxtEJp15W59RepxJlc4ks2WShQVmpRjs4uUtg84fOhzZJt/HST
-nbpoSkC8sJJIPRVnlaGMGjTKuLurVaSFXNdVbnSLOwsajgaWS/Sc3hmg2NGEgLPa
-u9qhaJ2ckCg7J8yiA81Www5KWiz6PeREaeSdJquN+RT1FY7JRYZ1BAaGnsndP8OA
-rgpGgL+r8Dcy/cy28HcCEyQnDirBcONxoP7Wh6PudgJAJwaVxYvFm8adm8puvbWK
-NFtBqd9Sl6t8clBf63Y/WQMzWvIBBxS1bd2152VQsCrDEkACCGtVyoOlLcUrUFOQ
-GXChRFWfbvkldb4vxW7zKKoNXS+B6lhKH5AbxoY//16WAAkT+capnUQZ0X0323rA
-zF/HcKAVdDDr/oh+WxU42fEhmzbbvZYL1MECfwfju8TvPNIk2gbO8s7nXzvTqO4x
-TBpElSWDdOlI16h1FIHA0rkLYhX+BiAuOHVJhOO49GBF7xmWsdo4qDXG6OtW+mGJ
-5YQyIlgjzzEKqX9/MC+24dNZCAVoLqAhuRV3UBf7LfBTxHcc2Hi9QxuUEmGdAgMB
-AAGjZzBlMB0GA1UdDgQWBBSrJb6lgTBKm36AWKx12MRM2Nd6HTAfBgNVHSMEGDAW
-gBSrJb6lgTBKm36AWKx12MRM2Nd6HTAPBgNVHRMBAf8EBTADAQH/MBIGA1UdEwEB
-/wQIMAYBAf8CAQEwDQYJKoZIhvcNAQELBQADggIBAADYzYrv05CHLjKWZRj6+ufW
-V5gKZr4KSjAgES2EpBBon1sY1HHulgDDE6yNgPJgkOl8S5g+BYBW1bIldhOLhe0A
-MN26e4gW1/CSiqEUYqZHs8qdmqNaNCvODgJtZS+UIaqEUOFkHhBd73RK5RHq+H9J
-hbHqSn1P8/UPvRv/lWRPFUEP7o6IrDHC8NcdV6Hy4kIv0VwiJQdI19h1IslAcGwq
-Z/R6Cuuyqm5YUIfGTZSMRmx4V4FsFyoL6+U6Ujoa7vGSUDChqZYZQdbNSLSBPrv8
-7ejCkh+BAHz05nKABAIWJnSdKs15JcM3wAIAKW+W0QIxh4qn/n4ochQh077nkRdv
-pWEEh3bvCIJRgnpPufdGF5GIZQrCUwiYPGRUDP1IzVM/NRRtFMhfzkl3brXoMtrv
-qb3A+AWP9xw4aC+AHb+fK7fZB8Ag54lhn/2PH/vxrmMhhTovLF7ccE5f2sZuiV9i
-Ak/bfqfmYIckxIW/4NwUKn9mlWLB4NNuNnjfcdADzxHS6vqMAY56KOdFYLq3GW4y
-xK1NdzEk19Np6rtBGImydBBUqx4auN9b0hm/+zooRkuTmJbg8cUmnatSKkHC24ZR
-zqi0j2yJfkstNCn+K8Y+6cvU6WeoFses+n408JVqNVmw6jnd5u76yxXNdBqF+2sw
-HQHYjVyVGoWRiL5+3VwI
+MIIE9TCCAt2gAwIBAgIQG25+WqZRit8WLmhPZF0nzTANBgkqhkiG9w0BAQsFADAS
+MRAwDgYDVQQDEwdyc2E0MDk2MCAXDTIyMDExNTIxMzk0OFoYDzIxMjExMjIyMjEz
+OTQ3WjASMRAwDgYDVQQDEwdyc2E0MDk2MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
+MIICCgKCAgEA0ByHxXyIqQNkOc3s+2q3n29rrgxBnR0Wsjfi3Y2EGDviVabYvzx9
+ZJK7iBV03nqsEF02ulQaKzmgH1UFkwc5uoMYGtI0HWbtqo+wvL5Xe5Ao+94FJvnX
+q3dpe0jObaacynZ4zg4ZFw0Jeel/tzVYAGbjRmH6DmRDrSOwj6VB3dDXuAS6yY5s
+n+pYDk7RBVMpJW4EECGCTKMYQmZ7ICdWqMv7/HewqWUwv2wFlNxif4v5GEAXJj/V
+OPWRfVyPIsyWB36l8fopJAtQe8HtttWGycV1flgSqMxFKnAaxtR0NXvUcalm19CK
+Xd5ftDdWNGvzaJDHDyHZGxlfA/v2LyENrWUZZz7jS9G2cOpe+5ekuSFLT/N2y0cm
+pBwmmUlfHcI8P7tmy47V9LGPMy+exwF+CvDXiqh8nYCiH4WLQyrC7IFlI/fQ2qEl
+N9/6FYRi39A0QiiUCg50/bNGfndVEngp3wViOI30ktzUJqgqcfk3AnkD6yAqJRPx
+BrNuBXmdFjoY3lB81XC87JhJuDv3N09/cxWIGH7qGLkRPKIidFSOg/L5NmG3GR2H
+FiL9ssfoAfEl78vlVSDx9RUtoZVwhZSHKeVOeKUPKOGvCE9FZ9Y00Nw2+HcqT9/9
+6paIzZi6Ewlndj7lcw+bTdmCTkOmQrDihyf+ijvrNoyT/tsYM+4TMwECAwEAAaNF
+MEMwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FPT4JyjphNyRwoGZhQ7vG5mPSJJLMA0GCSqGSIb3DQEBCwUAA4ICAQACW9Fecl3J
+b31fbreQJJ5n7aWn5TZHCA2GGSKSP9sdD+9lKGdPoNzTJXObHQYeKvzSTkRlvY/7
+wGtqHy1UY4GHWmslvrxBsIF9pW7F/E5o9JLfRimZXtFEIBr/W8CZUyv4LlFXYvKh
+1Sg4lLT2kvOJGB0HR1wnxEme+UzURoNTrJ/v8JMCuO7uV28op3MqQvGsQxcDGFGL
+JYbDF7aMGlMGt5ZX9/fe1THvM7qOKYA2VMqHAy10aUnXkjl9KTm2A7Hc204qb0pf
+ehThsolnrTnWzS6kEOO9hpW6op32T3WRPZ7t1WuNHFy7tHDerKkp9Tbeo4vfYF4N
+OS7fssREmP2zKyXCoP1XHxoLMLK9a7xu4F3eHUbFXfDwGgBYc8tz41DQv5avQDsX
+KzXdCiSDdehuOMJ2VmMXfbT6Up+g7AG8eHmZJhunrVB+42iNpHsRpwM6cWnC0yUy
+rxHuelELl4LsdF9E0gI46nsYK1AnbzcbhWeMTH3mddgmo/QgFX4UxNH75b19/O6l
+9Y2YnNjcvEju6THspkKC+TmZjtl354NeFwOLU50XKRafnX6CFMMhv4ejjRtgF0tC
+54j4sxXc5jmIliEa40piOudiMxQ7Zbtgn6Urf80maTQ83oTd9sfkYd4DS0jxg2Qm
+/Mg4X2FC1SjVPnehYSsOJkuXOXoIB866qQ==
 -----END CERTIFICATE-----
diff --git a/pkg/ca/fileca/testdata/rsa4096-key.pem b/pkg/ca/fileca/testdata/rsa4096-key.pem
index 2c8187459..c36d1132c 100644
--- a/pkg/ca/fileca/testdata/rsa4096-key.pem
+++ b/pkg/ca/fileca/testdata/rsa4096-key.pem
@@ -1,54 +1,54 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJnDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQIDnoOjtThhSQCAggA
-MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECGpK9biEitHyBIIJSHBRbJc1Ncfz
-asUSDjBGSUw7Aqyk76GPLconnjO6Z6R0eiFq5aJqwX5qJvVZkDImXGn8A+7KIZRC
-ZnawoVUUze9z42a1OxPkmhu3GQGQENdjTA6uxqW1S2gQOdYxBaA32nswCRL01NO3
-XQHGan6fgrd+cMWCRPdBVz9wXyyn26vBa/DIgyGgWfijFuJ5/zZEudApIyFNBLOv
-0WCr3Nd1wUgQe1Z+0+LwnVDuMAPeVHdhC/OcOGNOVXJFpLv2hc6fwIqeOH63WIgU
-kJ/Bzw3gg2R86u1ED+P2iglClrmDgu/VpdHkz8NR+aRgMUjpWVj9NzjR8KAu5SRj
-JoqY95CLjt00movm1Z2eaHIjAuDi1C4HEIMklJERXGNTE9qSp4TyOO+QgsKESV70
-WCcn0guusMoMR6kVTPJeEGjK8OXyEth9kpA+Nay5ZD+dtidlGIO5ojQsrhxmy2OT
-SxjHrH1HtGLyPCTQYpSc/NfAjKDNsZbij2qozggi/hWbudep5FoeSib5gJF3zwiC
-GhIJ8fBK6aMPvwVZsRWwtWkUUuRDCKd3Llrn0Sp5zSH3bAYhWRehtFY+KilEvM3x
-6oxYJiFSGbDx8SuM/nzJnJMTqkgRWefcCpI2x20Eanj9P0mY62QXWcGuKdKmqfsn
-HxtdyhsKWwJyuTBCvG4ewjeX2LocC/zPGq7wiNV1d7+lvD/nE2GJd4ia8nXWBONl
-VryFDgCaKm6hpAiqMQY2i/+9aDlWSjRjzste5WTZ/S7OETNqoO1dzEVjN2aN6bpI
-yFDaJt+TEwi/irlJ2qBC+eWrjXomq5MhlbMnC42L3qFJfWVnlUgubb8dEi5yfb5d
-O/1XCpjwwONORqbCNmp6l65v764lE7JgGcvUVMpbwL+Jy/WiWVgDxXEAo+w64vOZ
-jIOb6j/Lmtf1BlKlUAp0yYAWLYYChNX8KYpNmgCUKwXqlSFOv46OvorsoMGmadGy
-rim/jvn46cHUjT4UG+kMuq+k610DKjntIs0bvEhl1cVuV6OxZJYp7CNedsSoBP2a
-pA9mR42EEu4JvCedKRsorgGHE5oAwKkQBTK4TfTDiVRRSLurxM4sQcyHqvenUYz9
-UdQAwbYrkVZki44d+3YAXx6jZonph6vqMS3olZEkbDa/RYgnbCh9xdWh4/0NRRoF
-UpmuHVwAJnRTB6a8leJDZg98j+yf3lTvml6bBMgYy345DLC0BvnV++63h0EIb16l
-iMSSUcd236lwqPLRSZwhXChwRxfhXcK55a1ECBYu0MeiS295EeA7D77HUn+lyPhd
-o98W4Ivq1M1CtS1JE1+D8pvis0VG6+dC1r30e8coNqkdtq6udAtash0JvJjctLJw
-HmWCxwdDmJMPv2fKXbfc9PFkfEZjoeu5Mueq1Fdj8Nr698m6q234eXOPm47+/G0H
-P51axZBpZUAr7dXj70A0qjtCqWdEamLVQEl8VyA1du4oNPB5sj1v6CNwjtzkImEU
-F+SWYkbdmO7mg9GtEdjc9ubXgB8iOQQQyOEPhuagfa5E8Gz2MEZYnRG+1l4JJUaA
-uq2nxs/ufI1daoqVDNUnlvnIXUy9KSNI0gPX77Z/RBWraEJMDUaVvJIDUsceZq2d
-/sp1HHZGIvqcNzGR/fV3zrymtrLQFzG1vSucR7nxF+btoAcoDUBhOKM6sapeytdM
-5qM9jF4rh3V4M5s2yMeba5Gki9J5Wnf6Pdb4eb3oLotQGl7/z3wjRINV2A5HRb92
-j+Up8lg5b3b8qSWor8mcFG8lNFZppqZ1a4z3yqy94bV9m6suhKNnfg+st63ZBRyH
-jHx3LD3Wz/4Un/5UrO2sEoAL7mmEKCArAwUeCTPakeIBZka49Ufbg8/mGZ6RRYY8
-YFHoGtoYdUFwdy0EVLpSGwWyS6WJz98wcF2RFXDUk21ZoVMh7HTmyB9jSAaZWjRt
-OzCR3BchfS726U6jTHRpMED97r/8h5Y8ZsBPoUnqnMgUi0rYPu7uyTD1ATCru7aC
-XTsBdmRqLoIJxhskjbK3S3PHmUwLm69WCKgwOLLGSgyNYhiAbXN9V15boyY4f94D
-JvNONv2jWhYPGVTm66GqzagpbxedC8ags1nT+CswISi7uZplKzwXq1ferXMn8oP1
-N7JRSHVZN+1lXR5Z3YZTdyP++NlfZ3jQPdiUVzHKQic9gFEk3oiV2P24NOJ5Ibtv
-6GMjpWvv4HNqpP6N4SplpsqJtx4SK1Hmy/IW23en9ITMPIv1/EpRG19TuhfiDUZ6
-EXIIjUssodXp2BO8PwzxUsS/12lYfQ8T3bbjKUzy7hnp3zlLvYVgdksY+xXvIPbd
-slN98zZwnndqF+x/ZwAwe9O6Cax9XrgaHADvLGzCe7fBmW8JLKBjP2Qw0TQrdWIw
-NbKp9CH/fhxE1Zzlps3nCBn0pODovHSSv61v9ieNV8zHWVSSASv693Fr4J/mHoap
-aN4OnGextUQTsY0/H6HdxP/vuAcQHl7CurVEvm7LrbaAPrswdEyQJbDrjiAYPs/J
-r6GOcOTI67U+Z6cc/rOmiy1tf5dJ+HXFXHnDjPCJls2X+YPCOJjES+O32O0kgYdz
-HgCc6Cb89TloIogUgjvlILMNEjLQ4Q/c2tLb1fLgANl1yfGlC5ljI1ncLt0qB+i6
-TW8YuQOC5BEPhn3VyLbyD8ih+LJ9lc+7Yp7ji3N8XFOT99TvuFt7ucfNkE1HKq+U
-G6hfkcAxQ66mR2Da0n7x8y7xP8LYie4qfHDBYAkge2KlF24fTr32HPuoqD0lMr4a
-AwHbRBbaJ2Na7WievSEOq3RHamGjc70Sn+mZ9XeWCN7+yxI60yTjZ7uU5SKR1H7A
-qlEKO794fZt564J8ElMOl/RTBqHPFfJeTrabC90MR4xmUiB1UERym2Optw+NuB2U
-QRUdcjNCPZ3bZbRn/z9DOL6WX2/hVX7ninfYrSb8/5ilutKtU95Tkg2uoDm2PZuo
-8m/Qhb9c/tTi5oYkYytPH8f8cCi/GODqLWXp3IxG+Zi3o5BaiBan0C+trONolBFq
-JhBEokpY2yqfPiPPDWrAyVv2xEex5GCAJQyA77LI2ABA1KZHsIL9biwAPHXZ0+fL
-DtoZZ0Qf1Byrht3/yQHoIbWnPIj+7uRbLWdz+oP4EYTxQC14IwjkBMGp47ghc+li
-SltOTT/4oMIVEu3INXhiAw==
------END ENCRYPTED PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,e073ca7344e72aea6f47cfcb3ee2c80f
+
+X0MLwQOI+0GD4iDeSCCYbxuynw1eZllTX3vzAwHWNhBAVkzgjvxGbuoD8Bq8m8JF
+6AVFIT1TsUVQClAMKB4Dlyxl+FcZz2wPGkgsKcTg0KDFa6ut88zBR2kad0apbp00
+FQHMcOpaqSZ9IjWwDXvMjMYA1bc6sDv/1GAkInLk1p7BgxVio0d5NxEmziFJoU+g
+ly2ygskuCNrb1xZFW47ssncRphyqWoQ1vlsh3UPvQzzxaYVl3YAE1C8APgLVQgBT
+CRb9rkpHCj7xwJf1CAiAt0YLk1GCgJWrvYpPnDgOcqw60LaxRVzFYEazT5H+odDv
+wm8sOuQGAPyJ2rWuSgKC5X3ZY6j1zIN3P9H5KmgVu0J7aatyc7RbZb6H83cYLo/y
+ERxYmnWTdHuGBSDKxO4BWjYw0pCDrRnH2uN1er/FA57iIGVNhiB/bNW0P3CfJ3OA
+YPWAT7U3240WBmrsG1LjaTTSQb7pj0EmhZUEzth7tgxzj9DwBkJCiTSbUdUiDtFb
+9bIbv1L6mKlZ1R+GKV9OoNNes5jlsx3oSIZOWugsnsQuN3QhZ0xG0lcuX2LrfA7Q
+UG6tS9V74sGr7V0WD7GqBsYHCWZyju3GJEF694mqdh+dgdmMaPXAUQolZB2NuaMJ
+c+aZio9ST01gtr+E//ERp0y29NMUtv+9FVcA8OkDGJA78dpnH9RTOkqvIQk/sfLP
+7RKv2udZpYxVNyKaSdONeW1AJr1bFzkg1sUG708IfgRfd0Ry9cJ2H0d37YWJ3yF1
+uvHV6OSOR43tssHukOsJYH1CSiVP/W0FTPQzzeBTCVoKZXZNNuj0zWZFATIvRUSx
+ez2GSBJvmMPni+3QeqzTfORL3KEpKrHlcZz2eUIh+HaEpGk5ZWg9z9OB4Fx8AqNH
++oaDT0TemLR65ISnpQ+IVt2XB/v6daHJibZA/YPk+0OSj6d7mtrFzNRlYED5CqZY
+70N/kVXrGztftiXpEGL+TDUjHm/JCZOX6aNAUoW8v5CBVdiFaUJoOA+K3AksYb/j
+ZKQ6G02dWxMTQUHGzaxoH1bI6Qf6HqVOjfW2ghHwPSLmHVe3b24m0FM4IdSuZU6t
+JJeBEmN8kk5kks1AAQH7wNNtJ3/U4gYgQrqUznQg6zMeCQOBGb+BrcDj21dajsg0
+l9w6XOy9jIG8LmsExIAzsWt7hHvcmTky+bZzvlEqGlutLeZROcyZ2elCxv/ToCMQ
+ck/2VPfNBXBLHIhKgZ2guT9kfAxE4p+Z1Cueq7yXXM70icRaPqk4631rcGzGCUH6
+Q5+sMu9TSmGk9h2RZMuXCTDaVIIHA/OZbb03hdzqAaPuUdgh316Z9sUJZ/t0F/R/
+NHPLuVJiPXrA2mxR18rSr6AFglcOQzI6B5EbsDUKreEEjYsclmQxiWS9kDIJyZla
+xGyTtHF4CnydZUBNAr7YXOCG5uT2VgRfMXLdHLMOnmWmyGzT5n3wG1dzgiAnsdR/
+rZKzGIzD/dRDf+X0SuUcshIQrWJVQMKMnvkZPuxaGUfmlnZUP89GFYEVmY/uF0jb
+X2fc/cjEMoE6aaxufukW19o7u/Q7tcAa6j9n7qCRoRewDs/u/bjXHGN1vk8XW/3B
+4u0LkUoIrJ/0AWv5mwzPTHShD2CLia1I1KH1m5MWvv0tk1LALkXU8GgEtRMQF0uP
+79rfLP//hRdKduljuPN6jG2Gd14UvKE3C48L2goLQUjabb4wDtFxrDVhSPlfsrj/
+sYXmjDW0QM4aIOFxemJjkdu4MlA5URmbn0oDYFlWA3UxQzOydKc43+LMv9eu9VsX
+OezRdjAfWJryLFwDJhkr6LBFeM1JM9XSjITXMSlM99LLUX14Nx7rL/6WvhKxWXiE
+gNMLGBnHMMM08Tx+T4kZCR4AY0GDrvv4dUFDvoTiMwyH4kyGThtG5ZEQjPUH/GaN
+1c9E9qxCkhpg3+SFVSyGr3/luHhReh81eioo4yoQRlHb7xBCQ2ooRzM6q3bco7Vq
+tCpO599IamFF7BHFACCGxZvMuk/9f5V/lTFrSKSzpmCbbUHuRns8Vk65tBEjk0l8
+K8rG5znJPeZVVJoTrHZDIWlBjhFODahDNdOiNKCE2H65twHZbeE89TAD4zjLJmjf
+vPtOaVLD4zUwnw9LzmhrIxA/7sTPu+kNVvgxhcCaArpAtqSv5Iq1+MOAo0imzbsb
+0VRMFD25R03E396GmS2wY06hZ03moyU2pTtcmQp8JnL3GlCnbGKgs+zw7T61251K
+DO424PSn1zpE7cSkJcG4bqgkeLQ6eECKq9iYnIMzpn7nqjq/GNJ9zGdp1lDexfOp
+vWkrL8vFmcxQtj+ErwZJJoNNs47uzt7omAbXuz01OwHdEgjx4hyTFyhBS9sL5kdN
+nDfy17IIB3+Ej7J7UMp4el8FKj9CmcWsIi0WaF/cePW7j5yUh8O2YiEm6UdCNc0H
+TP0TAtJKk6nWyipwizbZxzV08Q7vme+5zedrcoR2SZDHdwtTfgKv6Rgg0vGsqm90
+MGloaT/0vQJ2H+YE2iCQ0YSqSlPuFQESf2t1h+zJUkm/07rRCsGJOl7a9ldrWtL/
++wJjy2tSFpY2PAY/avxeaJbDh5DD3GVjBVkjs6VdUPANwt1bvIPQes38XDmNkESw
+yGcQbCibcMZNZ2kX2EaN+YLJbtf0pRSHb82QbQ/P7oPQx4HU//tBMziLvDBCNa9+
+02F+KU+TOJFEnvuDTvHknP777sQt5nVdFZwyeGzLDl24i3FlAbY5M3L0gdVs74MC
+GpPN1UtDO9J3xXn5So+mSrxARHENgfPdh51KOvWeYiecB7xhBj+zLApeZxVmE07A
+A0A0H0Hd8UpGbfoQO8kqjpVKCKYZl/CObALmsgJKlTYd3Giu8mAGWFhdi1zxaku2
+9HjBVpkUalMlKr9yL2orwGBgTVhkPOWBR9qLO8KLnLPKr9fDpbIZ6nSyxN/RK6Nx
+ei1hFfHG+DIahnHYpaDZZhcK0dhjYaK/LXg8Tqb3WbEfg9UTH6iLB0prICjV6OsS
+VNHkPR1tQOhDYpvHXNb+tO9ZoEFWNYFugdl36Dd5OF/+DC2B4NOwdtkpCZPeKUyI
+CXDaHsdT8AhJCDR0IVBPb9Q/UZdj36DgLf788XW1kfaDVq3KNsIqNet5zltjbST9
+-----END RSA PRIVATE KEY-----
diff --git a/pkg/ca/fileca/watch.go b/pkg/ca/fileca/watch.go
index b509bf990..2a8e68404 100644
--- a/pkg/ca/fileca/watch.go
+++ b/pkg/ca/fileca/watch.go
@@ -22,10 +22,10 @@ import ( "github.com/fsnotify/fsnotify" ) -func ioWatch(certPath, keyPath, keyPass string, watcher *fsnotify.Watcher, callback func(*x509.Certificate, crypto.Signer)) { +func ioWatch(certPath, keyPath, keyPass string, watcher *fsnotify.Watcher, callback func([]*x509.Certificate, crypto.Signer)) { for event := range watcher.Events { if event.Op&fsnotify.Write == fsnotify.Write { - cert, key, err := loadKeyPair(certPath, keyPath, keyPass) + certs, key, err := loadKeyPair(certPath, keyPath, keyPass) if err != nil { // Don't sweat it if this errors out. One file might // have updated and the other isn't causing a key-pair
@@ -33,7 +33,7 @@ func ioWatch(certPath, keyPath, keyPass string, watcher *fsnotify.Watcher, callb continue } - callback(cert, key) + callback(certs, key) } } }
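Review bot: The replacement rsa4096-key.pem moves from a PKCS#8 `ENCRYPTED PRIVATE KEY` envelope to legacy OpenSSL PEM encryption (`Proc-Type: 4,ENCRYPTED` / `DEK-Info: AES-256-CBC,...`), a format that uses an MD5-based key derivation and carries no integrity protection, which is why Go's `x509.DecryptPEMBlock` is deprecated. The other key fixtures in this change (notca-key.pem, openssl-key.pem) keep the PKCS#8 envelope, so the loader now has to accept two encrypted formats, and the load.go hunk that would show how it does so is not in view. If accepting the legacy format is intentional, a test named for it would make that contract explicit; otherwise regenerating this fixture as PKCS#8 keeps the fixtures consistent and avoids relying on the deprecated path.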
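Review bot: `certs` is handed to the callback unchecked in the second hunk, so a reload that yields an empty slice with a nil error would be published as the new chain and any consumer that indexes it would panic inside the watcher goroutine. Whether loadKeyPair can return an empty slice is not visible here, but the guard is cheap: `if err != nil || len(certs) == 0 {` in place of `if err != nil {` in the first hunk, keeping the existing `continue`. ioWatch begins in the first hunk and its closing braces are in the second.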
diff --git a/pkg/ca/fileca/watch_test.go b/pkg/ca/fileca/watch_test.go
index 76d11442b..6ebd65927 100644
--- a/pkg/ca/fileca/watch_test.go
+++ b/pkg/ca/fileca/watch_test.go
@@ -57,14 +57,14 @@ func TestIOWatch(t *testing.T) { // Set up callback trap var received []struct { - cert *x509.Certificate - key crypto.Signer + certs []*x509.Certificate + key crypto.Signer } - callback := func(cert *x509.Certificate, key crypto.Signer) { + callback := func(certs []*x509.Certificate, key crypto.Signer) { received = append(received, struct { - cert *x509.Certificate - key crypto.Signer - }{cert, key}) + certs []*x509.Certificate + key crypto.Signer + }{certs, key}) } // Set up watcher