Add stricter tests for full chain construction
We wish to ensure that each desired certificate in the chain is only
present once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
cipherboy authored and stevendpclark committed Apr 20, 2022
1 parent a7baafe commit c3e9ddd
Showing 1 changed file with 10 additions and 10 deletions.
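--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -4066,8 +4066,8 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 }
 
 fullChain := resp.Data["ca_chain"].(string)
-if !strings.Contains(fullChain, rootCert) {
-t.Fatal("expected full chain to contain root certificate")
+if strings.Count(fullChain, rootCert) != 1 {
+t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }
 
 // Now generate an intermediate at /pki-intermediate, signed by the root.
@@ -4134,11 +4134,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
 
 fullChain = resp.Data["ca_chain"].(string)
-if !strings.Contains(fullChain, intermediateCert) {
-t.Fatal("expected full chain to contain intermediate certificate")
+if strings.Count(fullChain, intermediateCert) != 1 {
+t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 }
-if !strings.Contains(fullChain, rootCert) {
-t.Fatal("expected full chain to contain root certificate")
+if strings.Count(fullChain, rootCert) != 1 {
+t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }
 
 // Finally, import this signing cert chain into a new mount to ensure
@@ -4171,11 +4171,11 @@ func runFullCAChainTest(t *testing.T, keyType string) {
 }
 
 fullChain = resp.Data["ca_chain"].(string)
-if !strings.Contains(fullChain, intermediateCert) {
-t.Fatal("expected full chain to contain intermediate certificate")
+if strings.Count(fullChain, intermediateCert) != 1 {
+t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
 }
-if !strings.Contains(fullChain, rootCert) {
-t.Fatal("expected full chain to contain root certificate")
+if strings.Count(fullChain, rootCert) != 1 {
+t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
 }
 
 // Now issue a short-lived certificate from our pki-external.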
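Review bot: The five rewritten checks in all three hunks still match certificates as PEM text, so `strings.Count(fullChain, rootCert) != 1` only holds if `rootCert` is byte-identical to its encoding inside `ca_chain` (trailing newline, line wrapping). Nothing visible here asserts that the chain contains no certificates beyond the expected ones, or that they appear in issuer order. A stricter form would decode `fullChain` block by block with `pem.Decode`, compare DER bytes, and assert the total block count. The failure text is also misleading when a duplicate is found, and the count is computed twice; `if n := strings.Count(fullChain, rootCert); n != 1 {` followed by `t.Fatalf("expected root certificate exactly once in full chain; got %d occurrences", n)` covers both. The body of runFullCAChainTest starts and ends outside these hunks, so an existing chain-length assertion elsewhere in the function cannot be ruled out.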
