gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 16:51:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
certctl/internal/connector/target/certutil/certutil_test.go
T
shankar0123 7d6ef44e21 feat(M46): Windows Certificate Store + Java Keystore target connectors, shared certutil package 
Extract shared certutil helpers (CreatePFX, ParsePrivateKey, ComputeThumbprint,
GenerateRandomPassword, ParseCertificatePEM) from IIS connector for reuse.
Add WinCertStore connector (PowerShell Import-PfxCertificate, dual local/WinRM
mode, configurable store/location, expired cert cleanup) and JavaKeystore
connector (PEM→PKCS#12→keytool pipeline, JKS/PKCS12 support, shell injection
prevention, path traversal protection). 53 new tests, all passing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-05 19:14:32 -04:00

190 lines
4.7 KiB
Go
Raw Permalink Blame History

package certutil
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"math/big"
"testing"
"time"
)
// generateTestCertAndKey creates a self-signed certificate and key for testing.
func generateTestCertAndKey() (string, string, error) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return "", "", err
}
template := &x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "test.example.com"},
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(24 * time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature,
}
certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
if err != nil {
return "", "", err
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
keyDER, err := x509.MarshalPKCS8PrivateKey(key)
if err != nil {
return "", "", err
}
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
return string(certPEM), string(keyPEM), nil
}
func TestCreatePFX_Success(t *testing.T) {
certPEM, keyPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("generate test cert: %v", err)
}
pfx, err := CreatePFX(certPEM, keyPEM, "", "test-password")
if err != nil {
t.Fatalf("CreatePFX failed: %v", err)
}
if len(pfx) == 0 {
t.Error("expected non-empty PFX data")
}
}
func TestCreatePFX_WithChain(t *testing.T) {
certPEM, keyPEM, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("generate test cert: %v", err)
}
// Use the same cert as chain for testing purposes
pfx, err := CreatePFX(certPEM, keyPEM, certPEM, "test-password")
if err != nil {
t.Fatalf("CreatePFX with chain failed: %v", err)
}
if len(pfx) == 0 {
t.Error("expected non-empty PFX data")
}
}
func TestCreatePFX_InvalidCert(t *testing.T) {
_, err := CreatePFX("not-a-cert", "not-a-key", "", "pw")
if err == nil {
t.Fatal("expected error for invalid cert PEM")
}
}
func TestCreatePFX_InvalidKey(t *testing.T) {
certPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("generate test cert: %v", err)
}
_, err = CreatePFX(certPEM, "not-a-key", "", "pw")
if err == nil {
t.Fatal("expected error for invalid key PEM")
}
}
func TestParsePrivateKey_PKCS8(t *testing.T) {
key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
der, _ := x509.MarshalPKCS8PrivateKey(key)
parsed, err := ParsePrivateKey(der)
if err != nil {
t.Fatalf("ParsePrivateKey failed: %v", err)
}
if parsed == nil {
t.Fatal("expected non-nil key")
}
}
func TestParsePrivateKey_EC(t *testing.T) {
key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
der, _ := x509.MarshalECPrivateKey(key)
parsed, err := ParsePrivateKey(der)
if err != nil {
t.Fatalf("ParsePrivateKey failed: %v", err)
}
if parsed == nil {
t.Fatal("expected non-nil key")
}
}
func TestParsePrivateKey_Invalid(t *testing.T) {
_, err := ParsePrivateKey([]byte("garbage"))
if err == nil {
t.Fatal("expected error for invalid key bytes")
}
}
func TestComputeThumbprint_Success(t *testing.T) {
certPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("generate test cert: %v", err)
}
thumb, err := ComputeThumbprint(certPEM)
if err != nil {
t.Fatalf("ComputeThumbprint failed: %v", err)
}
if len(thumb) != 40 {
t.Errorf("expected 40-char hex thumbprint, got %d chars", len(thumb))
}
// Verify uppercase hex
for _, c := range thumb {
if !((c >= '0' && c <= '9') || (c >= 'A' && c <= 'F')) {
t.Errorf("thumbprint contains non-uppercase-hex char: %c", c)
}
}
}
func TestComputeThumbprint_InvalidPEM(t *testing.T) {
_, err := ComputeThumbprint("not a cert")
if err == nil {
t.Fatal("expected error for invalid PEM")
}
}
func TestGenerateRandomPassword(t *testing.T) {
pw, err := GenerateRandomPassword(32)
if err != nil {
t.Fatalf("GenerateRandomPassword failed: %v", err)
}
if len(pw) != 32 {
t.Errorf("expected 32-char password, got %d", len(pw))
}
}
func TestGenerateRandomPassword_Uniqueness(t *testing.T) {
pw1, _ := GenerateRandomPassword(32)
pw2, _ := GenerateRandomPassword(32)
if pw1 == pw2 {
t.Error("two generated passwords should not be identical")
}
}
func TestParseCertificatePEM_Success(t *testing.T) {
certPEM, _, err := generateTestCertAndKey()
if err != nil {
t.Fatalf("generate test cert: %v", err)
}
cert, err := ParseCertificatePEM(certPEM)
if err != nil {
t.Fatalf("ParseCertificatePEM failed: %v", err)
}
if cert.Subject.CommonName != "test.example.com" {
t.Errorf("expected CN test.example.com, got %s", cert.Subject.CommonName)
}
}
func TestParseCertificatePEM_Invalid(t *testing.T) {
_, err := ParseCertificatePEM("not a cert")
if err == nil {
t.Fatal("expected error for invalid PEM")
}
}
Reference in New Issue View Git Blame Copy Permalink