cacert-gosigner/internal/hsm/hsm_test.go

/*
Copyright 2022 CAcert Inc.
SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package hsm_test

import (
	"crypto/x509"
	"strings"
	"testing"

	"github.com/sirupsen/logrus"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"git.cacert.org/cacert-gosigner/internal/config"
	"git.cacert.org/cacert-gosigner/internal/hsm"
)

func TestEnsureCAKeysAndCertificates_not_in_setup_mode(t *testing.T) {
	testConfig := setupSignerConfig(t)
	setupSoftHsm(t)

	t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")

	acc, err := hsm.NewAccess(logrus.StandardLogger(),
		hsm.CaConfigOption(testConfig),
		hsm.CADirectoryOption(t.TempDir()))
	assert.NoError(t, err)

	err = acc.EnsureCAKeysAndCertificates()

	t.Cleanup(func() {
		err := acc.CloseP11Contexts()
		assert.NoError(t, err)
	})

	assert.ErrorContains(t, err, "not in setup mode")
}

func prepareSoftHSM(t *testing.T) *hsm.Access {
	t.Helper()

	testConfig := setupSignerConfig(t)
	setupSoftHsm(t)

	t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")

	acc, err := hsm.NewAccess(logrus.StandardLogger(),
		hsm.CaConfigOption(testConfig),
		hsm.SetupModeOption(),
		hsm.CADirectoryOption(t.TempDir()))
	assert.NoError(t, err)

	err = acc.EnsureCAKeysAndCertificates()

	t.Cleanup(func() {
		err := acc.CloseP11Contexts()
		assert.NoError(t, err)
	})

	require.NoError(t, err)

	return acc
}

func TestGetRootCACertificate(t *testing.T) {
	acc := prepareSoftHSM(t)

	testData := map[string]struct {
		label, errMsg string
	}{
		"known root": {
			label: "root",
		},
		"unknown root": {
			label:  "unknown",
			errMsg: "could not get CA definition for label unknown",
		},
		"known subordinate": {
			label:  "sub1",
			errMsg: "CA definition sub1 is not a root CA definition",
		},
	}

	for name, item := range testData {
		t.Run(name, func(t *testing.T) {
			root, err := acc.GetRootCACertificate(item.label)

			if item.errMsg != "" {
				assert.ErrorContains(t, err, item.errMsg)
				assert.Nil(t, root)
			} else {
				assert.NoError(t, err)
				assert.NotNil(t, root)
			}
		})
	}
}

func TestGetSubordinateCACertificate(t *testing.T) {
	acc := prepareSoftHSM(t)

	testData := map[string]struct {
		label, errMsg string
	}{
		"known subordinate": {
			label: "sub1",
		},
		"unknown subordinate": {
			label:  "unknown",
			errMsg: "could not get CA definition for label unknown",
		},
		"known root": {
			label:  "root",
			errMsg: "CA definition root is a root CA definition, subordinate expected",
		},
	}

	for name, item := range testData {
		t.Run(name, func(t *testing.T) {
			root, err := acc.GetSubordinateCACertificate(item.label)

			if item.errMsg != "" {
				assert.ErrorContains(t, err, item.errMsg)
				assert.Nil(t, root)
			} else {
				assert.NoError(t, err)
				assert.NotNil(t, root)
			}
		})
	}
}

func TestRSAKeyGeneration(t *testing.T) {
	const testRSASignerConfig = `---
Settings:
  organization:
    organization: ["Acme CAs Ltd."]
  validity-years:
    root: 30
    subordinate: 10
  url-patterns:
    ocsp: http://ocsp.example.org/
    crl: http://crl.example.org/%s.crl
    issuer: http://%s.cas.example.org/
  serial:
    device: /dev/ttyUSB0
CAs:
  root:
    common-name: "Acme CAs root"
    key-info:
      algorithm: RSA
      rsa-bits: 2048
KeyStorage:
  default:
    type: softhsm
    label: acme-test-hsm
`

	testConfig, err := config.LoadConfiguration(strings.NewReader(testRSASignerConfig))

	require.NoError(t, err)

	setupSoftHsm(t)

	t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")

	acc, err := hsm.NewAccess(
		logrus.StandardLogger(),
		hsm.CaConfigOption(testConfig),
		hsm.SetupModeOption(),
		hsm.CADirectoryOption(t.TempDir()))
	assert.NoError(t, err)

	err = acc.EnsureCAKeysAndCertificates()
	require.NoError(t, err)

	t.Cleanup(func() {
		err := acc.CloseP11Contexts()
		assert.NoError(t, err)
	})

	root, err := acc.GetRootCACertificate("root")

	assert.NoError(t, err)
	assert.NotNil(t, root)
	assert.Equal(t, x509.RSA, root.PublicKeyAlgorithm)
}
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`/*`
			`Copyright 2022 CAcert Inc.`
			`SPDX-License-Identifier: Apache-2.0`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package hsm_test`

			`import (`
			`"crypto/x509"`
			`"strings"`
			`"testing"`

Switch to logrus for structured logging 2022-11-20 09:07:02 +00:00			`"github.com/sirupsen/logrus"`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`

Move internal code to internal packages 2022-11-28 16:39:48 +00:00			`"git.cacert.org/cacert-gosigner/internal/config"`
			`"git.cacert.org/cacert-gosigner/internal/hsm"`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`)`

			`func TestEnsureCAKeysAndCertificates_not_in_setup_mode(t *testing.T) {`
			`testConfig := setupSignerConfig(t)`
			`setupSoftHsm(t)`

			`t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")`

Switch to logrus for structured logging 2022-11-20 09:07:02 +00:00			`acc, err := hsm.NewAccess(logrus.StandardLogger(),`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`hsm.CaConfigOption(testConfig),`
			`hsm.CADirectoryOption(t.TempDir()))`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`assert.NoError(t, err)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err = acc.EnsureCAKeysAndCertificates()`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`t.Cleanup(func() {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err := acc.CloseP11Contexts()`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`assert.NoError(t, err)`
			`})`

			`assert.ErrorContains(t, err, "not in setup mode")`
			`}`

Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`func prepareSoftHSM(t testing.T) hsm.Access {`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`t.Helper()`

			`testConfig := setupSignerConfig(t)`
			`setupSoftHsm(t)`

			`t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")`

Switch to logrus for structured logging 2022-11-20 09:07:02 +00:00			`acc, err := hsm.NewAccess(logrus.StandardLogger(),`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`hsm.CaConfigOption(testConfig),`
			`hsm.SetupModeOption(),`
			`hsm.CADirectoryOption(t.TempDir()))`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`assert.NoError(t, err)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err = acc.EnsureCAKeysAndCertificates()`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`t.Cleanup(func() {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err := acc.CloseP11Contexts()`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`assert.NoError(t, err)`
			`})`

			`require.NoError(t, err)`

Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`return acc`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`}`

			`func TestGetRootCACertificate(t *testing.T) {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`acc := prepareSoftHSM(t)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`testData := map[string]struct {`
			`label, errMsg string`
			`}{`
			`"known root": {`
			`label: "root",`
			`},`
			`"unknown root": {`
			`label: "unknown",`
			`errMsg: "could not get CA definition for label unknown",`
			`},`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`"known subordinate": {`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`label: "sub1",`
			`errMsg: "CA definition sub1 is not a root CA definition",`
			`},`
			`}`

			`for name, item := range testData {`
			`t.Run(name, func(t *testing.T) {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`root, err := acc.GetRootCACertificate(item.label)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`if item.errMsg != "" {`
			`assert.ErrorContains(t, err, item.errMsg)`
			`assert.Nil(t, root)`
			`} else {`
			`assert.NoError(t, err)`
			`assert.NotNil(t, root)`
			`}`
			`})`
			`}`
			`}`

Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`func TestGetSubordinateCACertificate(t *testing.T) {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`acc := prepareSoftHSM(t)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`testData := map[string]struct {`
			`label, errMsg string`
			`}{`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`"known subordinate": {`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`label: "sub1",`
			`},`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`"unknown subordinate": {`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`label: "unknown",`
			`errMsg: "could not get CA definition for label unknown",`
			`},`
			`"known root": {`
			`label: "root",`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`errMsg: "CA definition root is a root CA definition, subordinate expected",`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`},`
			`}`

			`for name, item := range testData {`
			`t.Run(name, func(t *testing.T) {`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`root, err := acc.GetSubordinateCACertificate(item.label)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`if item.errMsg != "" {`
			`assert.ErrorContains(t, err, item.errMsg)`
			`assert.Nil(t, root)`
			`} else {`
			`assert.NoError(t, err)`
			`assert.NotNil(t, root)`
			`}`
			`})`
			`}`
			`}`

			`func TestRSAKeyGeneration(t *testing.T) {`
			const testRSASignerConfig = `---
			`Settings:`
			`organization:`
			`organization: ["Acme CAs Ltd."]`
			`validity-years:`
			`root: 30`
Rename intermediary CA to subordinate CA This refactoring commit renames all occurrences of the term "intermediary CA" to "subordinate CA" for better alignment with the terms used in RFC-5280 and other standard documents. 2022-08-03 14:01:06 +00:00			`subordinate: 10`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`url-patterns:`
			`ocsp: http://ocsp.example.org/`
			`crl: http://crl.example.org/%s.crl`
			`issuer: http://%s.cas.example.org/`
Implement serial link and protocol handling infrastructure This commit adds basic serial link and protocol support. None of the commands from the docs/design.md document is implemented yet. The following new packages have been added: - seriallink containing the serial link handler including COBS decoding and encoding - protocol containing the protocol handler including msgpack unmarshalling and marshaling - health containing a rudimentary health check implementation - messages containing command and response types and generated msgpack marshaling code A client simulation command has been added in cmd/clientsim. README.md got instructions how to run the client simulator. The docs/config.sample.yaml contains a new section for the serial connection parameters. 2022-08-03 12:38:36 +00:00			`serial:`
			`device: /dev/ttyUSB0`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`CAs:`
			`root:`
			`common-name: "Acme CAs root"`
			`key-info:`
			`algorithm: RSA`
			`rsa-bits: 2048`
			`KeyStorage:`
			`default:`
			`type: softhsm`
			`label: acme-test-hsm`
			`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`testConfig, err := config.LoadConfiguration(strings.NewReader(testRSASignerConfig))`

			`require.NoError(t, err)`

			`setupSoftHsm(t)`

			`t.Setenv("TOKEN_PIN_ACME_TEST_HSM", "123456")`

Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`acc, err := hsm.NewAccess(`
Switch to logrus for structured logging 2022-11-20 09:07:02 +00:00			`logrus.StandardLogger(),`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`hsm.CaConfigOption(testConfig),`
			`hsm.SetupModeOption(),`
			`hsm.CADirectoryOption(t.TempDir()))`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`assert.NoError(t, err)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err = acc.EnsureCAKeysAndCertificates()`
			`require.NoError(t, err)`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`t.Cleanup(func() {`
Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`err := acc.CloseP11Contexts()`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00			`assert.NoError(t, err)`
			`})`

Refactor HSM setup - create new type hsm.Access to encapsulate HSM operations - make setup options operate on hsm.Access instances - adapt tests and cmd/signer to work with hsm.Access 2022-08-03 07:59:26 +00:00			`root, err := acc.GetRootCACertificate("root")`
Improve test coverage of package hsm 2022-05-01 10:36:17 +00:00
			`assert.NoError(t, err)`
			`assert.NotNil(t, root)`
			`assert.Equal(t, x509.RSA, root.PublicKeyAlgorithm)`
			`}`