cacert-gosigner/cmd/signer/main_test.go

package main

import (
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"testing"
	"time"

	"github.com/ThalesIgnite/crypto11"
)

const defaultPkcs11Module = "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"

func TestStart(t *testing.T) {
	pkcs11Module, found := os.LookupEnv("PKCS11_LIB")
	if !found {
		pkcs11Module = defaultPkcs11Module
	}
	p11Context, err := crypto11.Configure(&crypto11.Config{
		Path:       pkcs11Module,
		TokenLabel: "localhsm",
		Pin:        "123456",
	})
	if err != nil {
		t.Fatalf("could not configure PKCS#11 library: %v", err)
	}

	defer func(p11Context *crypto11.Context) {
		err := p11Context.Close()
		if err != nil {
			t.Errorf("could not close PKCS#11 library context: %v", err)
		}
	}(p11Context)

	pair, err := p11Context.FindKeyPair(nil, []byte("rootkey2022"))
	if err != nil {
		t.Fatalf("could not find requested key pair: %v", err)
	}

	serial, err := randomSerialNumber()
	if err != nil {
		t.Fatal(err)
	}

	notBefore := time.Now()
	notAfter := notBefore.AddDate(20, 0, 0)

	certTemplate := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			Country:       []string{"CH"},
			Organization:  []string{"CAcert Inc."},
			Locality:      []string{"Genève"},
			StreetAddress: []string{"Clos Belmont 2"},
			PostalCode:    []string{"1208"},
			CommonName:    "CAcert ECC Root 2022",
		},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCRLSign | x509.KeyUsageCertSign,
		IsCA:                  true,
		SignatureAlgorithm:    x509.ECDSAWithSHA256,
	}

	certificate, err := x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, pair.Public(), pair)
	if err != nil {
		t.Fatalf("could not create root certificate: %v", err)
	}

	certBlock := &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: certificate,
	}

	err = os.WriteFile("/tmp/test.pem", pem.EncodeToMemory(certBlock), 0o600)
	if err != nil {
		t.Errorf("could not write certificate: %v", err)
	}
}

func randomSerialNumber() (*big.Int, error) {
	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
	if err != nil {
		return nil, fmt.Errorf("could not generate serial number: %w", err)
	}
	return serialNumber, nil
}
Add PKCS#11 test to generate root certificate - add documentation how to initialize SoftHSM for testing - add cmd/signer package to hold future signer command - add test to use a private key from softhsm to create a root certificate 2022-04-13 06:30:20 +00:00			`package main`

			`import (`
			`"crypto/rand"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"fmt"`
			`"math/big"`
			`"os"`
			`"testing"`
			`"time"`

			`"github.com/ThalesIgnite/crypto11"`
			`)`

			`const defaultPkcs11Module = "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"`

			`func TestStart(t *testing.T) {`
			`pkcs11Module, found := os.LookupEnv("PKCS11_LIB")`
			`if !found {`
			`pkcs11Module = defaultPkcs11Module`
			`}`
			`p11Context, err := crypto11.Configure(&crypto11.Config{`
			`Path: pkcs11Module,`
			`TokenLabel: "localhsm",`
			`Pin: "123456",`
			`})`
			`if err != nil {`
			`t.Fatalf("could not configure PKCS#11 library: %v", err)`
			`}`

			`defer func(p11Context *crypto11.Context) {`
			`err := p11Context.Close()`
			`if err != nil {`
			`t.Errorf("could not close PKCS#11 library context: %v", err)`
			`}`
			`}(p11Context)`

			`pair, err := p11Context.FindKeyPair(nil, []byte("rootkey2022"))`
			`if err != nil {`
			`t.Fatalf("could not find requested key pair: %v", err)`
			`}`

			`serial, err := randomSerialNumber()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`notBefore := time.Now()`
			`notAfter := notBefore.AddDate(20, 0, 0)`

			`certTemplate := &x509.Certificate{`
			`SerialNumber: serial,`
			`Subject: pkix.Name{`
			`Country: []string{"CH"},`
			`Organization: []string{"CAcert Inc."},`
			`Locality: []string{"Genève"},`
			`StreetAddress: []string{"Clos Belmont 2"},`
			`PostalCode: []string{"1208"},`
			`CommonName: "CAcert ECC Root 2022",`
			`},`
			`NotBefore: notBefore,`
			`NotAfter: notAfter,`
			`MaxPathLen: 0,`
			`MaxPathLenZero: true,`
			`BasicConstraintsValid: true,`
			`KeyUsage: x509.KeyUsageCRLSign \| x509.KeyUsageCertSign,`
			`IsCA: true,`
			`SignatureAlgorithm: x509.ECDSAWithSHA256,`
			`}`

			`certificate, err := x509.CreateCertificate(rand.Reader, certTemplate, certTemplate, pair.Public(), pair)`
			`if err != nil {`
			`t.Fatalf("could not create root certificate: %v", err)`
			`}`

			`certBlock := &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: certificate,`
			`}`

			`err = os.WriteFile("/tmp/test.pem", pem.EncodeToMemory(certBlock), 0o600)`
			`if err != nil {`
			`t.Errorf("could not write certificate: %v", err)`
			`}`
			`}`

			`func randomSerialNumber() (*big.Int, error) {`
			`serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)`
			`serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)`
			`if err != nil {`
			`return nil, fmt.Errorf("could not generate serial number: %w", err)`
			`}`
			`return serialNumber, nil`
			`}`