fix: Tests

Create bifrost root cert properly
RealImage · Apr 9, 2024 · 2e6029a · 2e6029a
1 parent 36e773d
commit 2e6029a
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 23 deletions.
diff --git a/cmd/bf/main.go b/cmd/bf/main.go
@@ -14,7 +14,7 @@ func main() {
 	rev, t := getBuildInfo()
 	version := rev + " (" + t.String() + ")"
 
-	app := &cli.Command{
+	cli := &cli.Command{
 		Name:    "bf",
 		Version: version,
 		Flags: []cli.Flag{
@@ -40,9 +40,9 @@ func main() {
 			proxyCmd,
 			newCmd,
 		},
-		DefaultCommand: "ca",
+		DefaultCommand: "certificate-authority",
 	}
-	if err := app.Run(context.Background(), os.Args); err != nil {
+	if err := cli.Run(context.Background(), os.Args); err != nil {
 		panic(err)
 	}
 }

diff --git a/cmd/bf/new.go b/cmd/bf/new.go
@@ -136,7 +136,10 @@ var newCmd = &cli.Command{
 					return err
 				}
 
-				template := tinyca.CACertTemplate(notBefore, notAfter, namespace, id)
+				template, err := tinyca.CACertTemplate(notBefore, notAfter, namespace, id)
+				if err != nil {
+					return err
+				}
 
 				certDer, err := x509.CreateCertificate(
 					rand.Reader,

diff --git a/tinyca/ca_test.go b/tinyca/ca_test.go
@@ -3,10 +3,8 @@ package tinyca
 import (
 	"bytes"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/pem"
 	"io"
-	"math/big"
 	"math/rand"
 	"mime"
 	"net/http"
@@ -219,25 +217,17 @@ func TestCA_ServeHTTP(t *testing.T) {
 
 	id := bifrost.UUID(testns, key.PublicKey())
 
-	// Create root certificate.
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(2),
-		Subject: pkix.Name{
-			CommonName:   id.String(),
-			Organization: []string{testns.String()},
-		},
-		NotBefore:      time.Now(),
-		NotAfter:       time.Now().Add(time.Hour * 24),
-		KeyUsage:       x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		IsCA:           true,
-		MaxPathLenZero: true,
+	notBefore := time.Now()
+	notAfter := notBefore.Add(time.Hour * 24)
+	template, err := CACertTemplate(notBefore, notAfter, testns, id)
+	if err != nil {
+		t.Fatal(err)
 	}
 
 	certDer, err := x509.CreateCertificate(
 		randReader,
-		&template,
-		&template,
+		template,
+		template,
 		key.PublicKey().PublicKey,
 		key,
 	)

diff --git a/tinyca/templates.go b/tinyca/templates.go
@@ -1,8 +1,12 @@
 package tinyca
 
 import (
+	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
+	"fmt"
+	"math"
+	"math/big"
 	"time"
 
 	"github.com/google/uuid"
@@ -18,8 +22,13 @@ func TLSClientCertTemplate(nb, na time.Time) *x509.Certificate {
 	}
 }
 
-func CACertTemplate(nb, na time.Time, ns, id uuid.UUID) *x509.Certificate {
+func CACertTemplate(nb, na time.Time, ns, id uuid.UUID) (*x509.Certificate, error) {
+	serialNumber, err := rand.Int(rand.Reader, big.NewInt(int64(math.MaxInt64)))
+	if err != nil {
+		return nil, fmt.Errorf("bifrost: unexpected error generating certificate serial: %w", err)
+	}
 	return &x509.Certificate{
+		SerialNumber: serialNumber,
 		Subject: pkix.Name{
 			Organization: []string{ns.String()},
 			CommonName:   id.String(),
@@ -28,5 +37,5 @@ func CACertTemplate(nb, na time.Time, ns, id uuid.UUID) *x509.Certificate {
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		MaxPathLenZero:        true,
-	}
+	}, nil
 }