package ejbca_test import ( "context" "crypto/rand" "crypto/rsa" "crypto/x509" "crypto/x509/pkix" "encoding/base64" "encoding/json" "encoding/pem" "fmt" "log/slog" "math/big" "net/http" "net/http/httptest" "os" "strings" "testing" "github.com/shankar0123/certctl/internal/connector/issuer" "github.com/shankar0123/certctl/internal/connector/issuer/ejbca" ) func TestEJBCAConnector(t *testing.T) { logger := slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{Level: slog.LevelDebug})) ctx := context.Background() t.Run("ValidateConfig_Success_mTLS", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "mtls", ClientCertPath: "/etc/ssl/certs/client.crt", ClientKeyPath: "/etc/ssl/private/client.key", CAName: "Management CA", } connector := ejbca.New(&config, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err != nil { t.Fatalf("ValidateConfig failed: %v", err) } }) t.Run("ValidateConfig_Success_OAuth2", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "oauth2", Token: "test-oauth2-token", CAName: "Management CA", } connector := ejbca.New(&config, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err != nil { t.Fatalf("ValidateConfig failed: %v", err) } }) t.Run("ValidateConfig_MissingAPIUrl", func(t *testing.T) { config := ejbca.Config{ AuthMode: "mtls", CAName: "Management CA", } connector := ejbca.New(nil, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err == nil { t.Fatal("Expected error for missing api_url") } if !strings.Contains(err.Error(), "api_url is required") { t.Errorf("Expected api_url required error, got: %v", err) } }) t.Run("ValidateConfig_MissingCAName", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "mtls", } connector := ejbca.New(nil, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err == nil { t.Fatal("Expected error for missing ca_name") } if !strings.Contains(err.Error(), "ca_name is required") { t.Errorf("Expected ca_name required error, got: %v", err) } }) t.Run("ValidateConfig_mTLS_MissingCertPath", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "mtls", ClientKeyPath: "/etc/ssl/private/client.key", CAName: "Management CA", } connector := ejbca.New(nil, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err == nil { t.Fatal("Expected error for missing client_cert_path with auth_mode=mtls") } if !strings.Contains(err.Error(), "client_cert_path is required") { t.Errorf("Expected client_cert_path required error, got: %v", err) } }) t.Run("ValidateConfig_OAuth2_MissingToken", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "oauth2", CAName: "Management CA", } connector := ejbca.New(nil, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err == nil { t.Fatal("Expected error for missing token with auth_mode=oauth2") } if !strings.Contains(err.Error(), "token is required") { t.Errorf("Expected token required error, got: %v", err) } }) t.Run("ValidateConfig_InvalidAuthMode", func(t *testing.T) { config := ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "invalid", CAName: "Management CA", } connector := ejbca.New(nil, logger) rawConfig, _ := json.Marshal(config) err := connector.ValidateConfig(ctx, rawConfig) if err == nil { t.Fatal("Expected error for invalid auth_mode") } if !strings.Contains(err.Error(), "auth_mode must be") { t.Errorf("Expected auth_mode validation error, got: %v", err) } }) t.Run("IssueCertificate_Synchronous", func(t *testing.T) { testCertPEM, _ := generateTestCert(t) testChainPEM, _ := generateTestCert(t) // Extract DER from PEM for encoding certBlock, _ := pem.Decode([]byte(testCertPEM)) chainBlock, _ := pem.Decode([]byte(testChainPEM)) srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.HasSuffix(r.URL.Path, "/certificate/pkcs10enroll") && r.Method == http.MethodPost { // Parse the CSR from request var enrollReq map[string]interface{} json.NewDecoder(r.Body).Decode(&enrollReq) // Verify CSR is base64-encoded if csrB64, ok := enrollReq["certificate_request"].(string); ok { // Decode to verify it's valid base64 if _, err := base64.StdEncoding.DecodeString(csrB64); err != nil { w.WriteHeader(http.StatusBadRequest) return } } w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") respData := map[string]interface{}{ "certificate": base64.StdEncoding.EncodeToString(certBlock.Bytes), "certificate_chain": []string{base64.StdEncoding.EncodeToString(chainBlock.Bytes)}, "serial_number": "123456", } json.NewEncoder(w).Encode(respData) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) _, csrPEM := generateTestCSR(t, "test.example.com") req := issuer.IssuanceRequest{ CommonName: "test.example.com", SANs: []string{"test.example.com"}, CSRPEM: csrPEM, } result, err := connector.IssueCertificate(ctx, req) if err != nil { t.Fatalf("IssueCertificate failed: %v", err) } if result.CertPEM == "" { t.Error("CertPEM should not be empty") } if result.OrderID == "" { t.Error("OrderID should not be empty") } if !strings.Contains(result.OrderID, "::") { t.Errorf("OrderID should contain issuer_dn::serial separator, got: %s", result.OrderID) } t.Logf("EJBCA issued cert: serial=%s, orderID=%s", result.Serial, result.OrderID) }) t.Run("IssueCertificate_WithProfiles", func(t *testing.T) { testCertPEM, _ := generateTestCert(t) certBlock, _ := pem.Decode([]byte(testCertPEM)) srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.HasSuffix(r.URL.Path, "/certificate/pkcs10enroll") && r.Method == http.MethodPost { // Verify profiles are in request var enrollReq map[string]interface{} json.NewDecoder(r.Body).Decode(&enrollReq) if certProfile, ok := enrollReq["certificate_profile_name"].(string); !ok || certProfile != "ENDUSER" { w.WriteHeader(http.StatusBadRequest) w.Write([]byte(`{"error":"invalid certificate_profile_name"}`)) return } if eeProfile, ok := enrollReq["end_entity_profile_name"].(string); !ok || eeProfile != "ENDUSER" { w.WriteHeader(http.StatusBadRequest) w.Write([]byte(`{"error":"invalid end_entity_profile_name"}`)) return } w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") respData := map[string]interface{}{ "certificate": base64.StdEncoding.EncodeToString(certBlock.Bytes), "certificate_chain": []string{}, "serial_number": "789012", } json.NewEncoder(w).Encode(respData) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", CertProfile: "ENDUSER", EEProfile: "ENDUSER", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) _, csrPEM := generateTestCSR(t, "app.example.com") req := issuer.IssuanceRequest{ CommonName: "app.example.com", CSRPEM: csrPEM, } result, err := connector.IssueCertificate(ctx, req) if err != nil { t.Fatalf("IssueCertificate with profiles failed: %v", err) } if result.CertPEM == "" { t.Error("CertPEM should not be empty") } }) t.Run("IssueCertificate_Error", func(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusBadRequest) w.Write([]byte(`{"error":"invalid CSR"}`)) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) req := issuer.IssuanceRequest{ CommonName: "test.example.com", CSRPEM: "invalid-csr", } _, err := connector.IssueCertificate(ctx, req) if err == nil { t.Fatal("Expected error for invalid CSR") } }) t.Run("GetOrderStatus_Issued", func(t *testing.T) { testCertPEM, _ := generateTestCert(t) certBlock, _ := pem.Decode([]byte(testCertPEM)) srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.Contains(r.URL.Path, "/certificate/") && r.Method == http.MethodGet { w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") respData := map[string]interface{}{ "certificate": base64.StdEncoding.EncodeToString(certBlock.Bytes), "certificate_chain": []string{}, "serial_number": "123456", } json.NewEncoder(w).Encode(respData) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) orderID := "CN=Test CA::123456" status, err := connector.GetOrderStatus(ctx, orderID) if err != nil { t.Fatalf("GetOrderStatus failed: %v", err) } if status.Status != "completed" { t.Errorf("Expected status 'completed', got '%s'", status.Status) } if status.CertPEM == nil || *status.CertPEM == "" { t.Error("CertPEM should not be empty for issued order") } }) t.Run("RenewCertificate_Success", func(t *testing.T) { testCertPEM, _ := generateTestCert(t) certBlock, _ := pem.Decode([]byte(testCertPEM)) srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.HasSuffix(r.URL.Path, "/certificate/pkcs10enroll") && r.Method == http.MethodPost { w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") respData := map[string]interface{}{ "certificate": base64.StdEncoding.EncodeToString(certBlock.Bytes), "certificate_chain": []string{}, "serial_number": "654321", } json.NewEncoder(w).Encode(respData) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) _, csrPEM := generateTestCSR(t, "renew.example.com") renewReq := issuer.RenewalRequest{ CommonName: "renew.example.com", CSRPEM: csrPEM, } result, err := connector.RenewCertificate(ctx, renewReq) if err != nil { t.Fatalf("RenewCertificate failed: %v", err) } if result.CertPEM == "" { t.Error("CertPEM should not be empty") } if result.OrderID == "" { t.Error("OrderID should not be empty") } }) t.Run("RevokeCertificate_Success", func(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.Contains(r.URL.Path, "/revoke") && r.Method == http.MethodPut { // Verify reason is in request var revokeReq map[string]interface{} json.NewDecoder(r.Body).Decode(&revokeReq) if _, ok := revokeReq["reason"]; !ok { w.WriteHeader(http.StatusBadRequest) return } w.WriteHeader(http.StatusNoContent) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) reason := "keyCompromise" revokeReq := issuer.RevocationRequest{ Serial: "123456", Reason: &reason, } err := connector.RevokeCertificate(ctx, revokeReq) if err != nil { t.Fatalf("RevokeCertificate failed: %v", err) } }) t.Run("RevokeCertificate_ReasonMapping", func(t *testing.T) { reasons := []struct { name string code int mappedTo string }{ {"keyCompromise", 1, "keyCompromise"}, {"caCompromise", 2, "caCompromise"}, {"superseded", 4, "superseded"}, {"cessationOfOperation", 5, "cessationOfOperation"}, } for _, tc := range reasons { t.Run(tc.name, func(t *testing.T) { srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if strings.Contains(r.URL.Path, "/revoke") && r.Method == http.MethodPut { var revokeReq map[string]interface{} json.NewDecoder(r.Body).Decode(&revokeReq) // Verify the reason code matches if reason, ok := revokeReq["reason"].(float64); ok { if int(reason) != tc.code { w.WriteHeader(http.StatusBadRequest) w.Write([]byte(fmt.Sprintf(`{"error":"expected reason %d, got %d"}`, tc.code, int(reason)))) return } } w.WriteHeader(http.StatusNoContent) return } http.NotFound(w, r) })) defer srv.Close() config := &ejbca.Config{ APIUrl: srv.URL, AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.NewWithHTTPClient(config, logger, srv.Client()) revokeReq := issuer.RevocationRequest{ Serial: "test-serial", Reason: &tc.name, } err := connector.RevokeCertificate(ctx, revokeReq) if err != nil { t.Fatalf("RevokeCertificate with reason %s failed: %v", tc.name, err) } }) } }) t.Run("GetRenewalInfo_ReturnsNil", func(t *testing.T) { config := &ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.New(config, logger) result, err := connector.GetRenewalInfo(ctx, "-----BEGIN CERTIFICATE-----\ntest\n-----END CERTIFICATE-----") if err != nil { t.Fatalf("GetRenewalInfo should not return error, got: %v", err) } if result != nil { t.Fatal("GetRenewalInfo should return nil for EJBCA") } }) t.Run("GenerateCRL_Unsupported", func(t *testing.T) { config := &ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.New(config, logger) _, err := connector.GenerateCRL(ctx, []issuer.RevokedCertEntry{}) if err == nil { t.Fatal("Expected error for unsupported GenerateCRL") } if !strings.Contains(err.Error(), "CRL distribution") { t.Errorf("Expected CRL distribution error, got: %v", err) } }) t.Run("SignOCSPResponse_Unsupported", func(t *testing.T) { config := &ejbca.Config{ APIUrl: "https://ejbca.example.com:8443/ejbca/ejbca-rest-api/v1", AuthMode: "oauth2", Token: "test-token", CAName: "Management CA", } connector := ejbca.New(config, logger) _, err := connector.SignOCSPResponse(ctx, issuer.OCSPSignRequest{}) if err == nil { t.Fatal("Expected error for unsupported SignOCSPResponse") } if !strings.Contains(err.Error(), "OCSP") { t.Errorf("Expected OCSP error, got: %v", err) } }) } // generateTestCert creates a self-signed test certificate and returns the PEM string. func generateTestCert(t *testing.T) (certPEM string, keyPEM string) { t.Helper() key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { t.Fatalf("Failed to generate key: %v", err) } serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) template := &x509.Certificate{ SerialNumber: serial, Subject: pkix.Name{ CommonName: fmt.Sprintf("Test Certificate %s", serial.String()[:8]), }, DNSNames: []string{"test.example.com"}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, } certBytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key) if err != nil { t.Fatalf("Failed to create certificate: %v", err) } certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})) keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})) return certPEM, keyPEM } // generateTestCSR creates a test CSR for the given common name. func generateTestCSR(t *testing.T, commonName string) (*x509.CertificateRequest, string) { t.Helper() key, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { t.Fatalf("Failed to generate key: %v", err) } csrTemplate := x509.CertificateRequest{ Subject: pkix.Name{ CommonName: commonName, }, DNSNames: []string{commonName}, SignatureAlgorithm: x509.SHA256WithRSA, } csrBytes, err := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, key) if err != nil { t.Fatalf("Failed to create CSR: %v", err) } csrPEM := string(pem.EncodeToMemory(&pem.Block{ Type: "CERTIFICATE REQUEST", Bytes: csrBytes, })) csr, err := x509.ParseCertificateRequest(csrBytes) if err != nil { t.Fatalf("Failed to parse CSR: %v", err) } return csr, csrPEM }