From 8a1b9c84aef231f0305362bf1d785d7e8bd5b763 Mon Sep 17 00:00:00 2001
From: Oleg Ivanov
Date: Thu, 25 Oct 2018 17:35:00 +0300
Subject: [PATCH 1/2] certificate: Allow including subject key id in certificates

---
 tls/resource_certificate.go | 14 +++++++
 tls/resource_self_signed_cert_test.go | 49 +++++++++++++++++++++-
 website/docs/r/locally_signed_cert.html.md | 4 ++
 website/docs/r/self_signed_cert.html.md | 4 ++
 4 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/tls/resource_certificate.go b/tls/resource_certificate.go
index 1217c7a6..5002c7fa 100644
--- a/tls/resource_certificate.go
+++ b/tls/resource_certificate.go
@@ -130,6 +130,13 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
 Type: schema.TypeString,
 Computed: true,
 },
+
+ "set_subject_key_id": &schema.Schema{
+ Type: schema.TypeBool,
+ Optional: true,
+ Description: "If true, the generated certificate will include a subject key identifier.",
+ ForceNew: true,
+ },
 }
 }
 
@@ -165,6 +172,13 @@ func createCertificate(d *schema.ResourceData, template, parent *x509.Certificat
 }
 }
 
+ if d.Get("set_subject_key_id").(bool) {
+ template.SubjectKeyId, err = generateSubjectKeyID(pub)
+ if err != nil {
+ return fmt.Errorf("failed to set subject key identifier: %s", err)
+ }
+ }
+
 certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
 if err != nil {
 return fmt.Errorf("error creating certificate: %s", err)
diff --git a/tls/resource_self_signed_cert_test.go b/tls/resource_self_signed_cert_test.go
index e88fdf19..314e060b 100644
--- a/tls/resource_self_signed_cert_test.go
+++ b/tls/resource_self_signed_cert_test.go
@@ -1,6 +1,7 @@
 package tls
 
 import (
+ "bytes"
 "crypto/x509"
 "encoding/pem"
 "fmt"
@@ -13,7 +14,7 @@ import (
 )
 
 func TestSelfSignedCert(t *testing.T) {
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 Steps: []r.TestStep{
 {
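Review bot: The new `set_subject_key_id` attribute is opt-in with no `Default`, so an unset value reads as false and existing configurations keep producing certificates without a Subject Key Identifier; the Description says neither that nor that `ForceNew` means flipping the flag later replaces the certificate. RFC 5280 §4.2.1.2 expects the extension in conforming CA certificates, which is the case most users will reach for it in, so the schema text should point that out. I would extend it to `Description: "If true, the generated certificate will include a subject key identifier (RFC 5280 §4.2.1.2). Defaults to false; CA certificates are expected to carry one. Changing this value forces a new certificate.",` and mirror the same wording in the two website docs pages listed in the diffstat.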
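Review bot: Because the identifier is only attached when the flag is set, a CA certificate created through this path by default leaves `template.SubjectKeyId` empty, and since `x509.CreateCertificate` derives the child's AuthorityKeyId from `parent.SubjectKeyId`, certificates later signed with such a CA will carry no AKI either (this is the stdlib behaviour of the Go releases contemporary with this patch; newer releases fill in a SKI for CA templates automatically, which is worth confirming against the project's toolchain). Consider applying it to every CA regardless of the flag, `if d.Get("set_subject_key_id").(bool) || template.IsCA {`, or at least stating the dependency in the attribute documentation. `generateSubjectKeyID` is not part of this patch, so I cannot verify here that it uses the RFC 5280 method 1 derivation (SHA-1 over the subjectPublicKey bit string); a one-line doc comment on it naming the method would help the next reviewer. The assignment `template.SubjectKeyId, err = ...` reuses an `err` declared earlier in createCertificate, whose body starts outside the hunk.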
@@ -192,6 +193,9 @@ EOT
 if expected, got := 0, len(cert.ExtKeyUsage); got != expected {
 return fmt.Errorf("incorrect number of ExtKeyUsage: expected %v, got %v", expected, got)
 }
+ if expected, got := []byte(``), cert.SubjectKeyId; !bytes.Equal(got, expected) {
+ return fmt.Errorf("incorrect subject key id: expected %v, got %v", expected, got)
+ }
 
 if expected, got := x509.KeyUsage(0), cert.KeyUsage; got != expected {
 return fmt.Errorf("incorrect KeyUsage: expected %v, got %v", expected, got)
@@ -358,6 +362,49 @@ func TestAccSelfSignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T
 now = oldNow
 }
 
+func TestAccSelfSignedCertSetSubjectKeyID(t *testing.T) {
+ r.UnitTest(t, r.TestCase{
+ Providers: testProviders,
+ PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
+ Steps: []r.TestStep{
+ {
+ Config: fmt.Sprintf(`
+ resource "tls_self_signed_cert" "test" {
+ subject {
+ serial_number = "42"
+ }
+ key_algorithm = "RSA"
+ validity_period_hours = 1
+ allowed_uses = []
+ set_subject_key_id = true
+ private_key_pem = <
Date: Fri, 16 Aug 2019 15:44:05 -0700
Subject: [PATCH 2/2] tests: all tests as unit tests rather than acceptance tests

This provider doesn't reach out to any other systems, so we can safely run all of the tests as normal unit tests. This allows them to be run in our CI system.
---
 tls/data_source_public_key_test.go | 2 +-
 tls/resource_cert_request_test.go | 2 +-
 tls/resource_locally_signed_cert_test.go | 6 +++---
 tls/resource_private_key_test.go | 4 ++--
 tls/resource_self_signed_cert_test.go | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/tls/data_source_public_key_test.go b/tls/data_source_public_key_test.go
index 65d5f412..7a93ccfd 100644
--- a/tls/data_source_public_key_test.go
+++ b/tls/data_source_public_key_test.go
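Review bot: The new assertion checks for an absent SubjectKeyId by comparing against `[]byte(``)` with bytes.Equal, which reads as if a specific expected value were being matched; a length check states the intent directly, `if len(cert.SubjectKeyId) != 0 { return fmt.Errorf("unexpected subject key id: %x", cert.SubjectKeyId) }`, and the `bytes` import added at the top of this file then becomes unnecessary unless it is used elsewhere. The positive case in the following hunk (TestAccSelfSignedCertSetSubjectKeyID) is cut off in this view, so I cannot tell whether it compares the emitted identifier against a value derived from the public key rather than only checking that one is present; asserting the derived value would catch a silent change in generateSubjectKeyID.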
@@ -21,7 +21,7 @@ D9Hk2MajZuFnJiqj1QIDAQAB
 )
 
 func TestAccPublicKey_dataSource(t *testing.T) {
- resource.Test(t, resource.TestCase{
+ resource.UnitTest(t, resource.TestCase{
 Providers: testProviders,
 Steps: []resource.TestStep{
 {
diff --git a/tls/resource_cert_request_test.go b/tls/resource_cert_request_test.go
index f1013b3d..71928a2b 100644
--- a/tls/resource_cert_request_test.go
+++ b/tls/resource_cert_request_test.go
@@ -12,7 +12,7 @@ import (
 )
 
 func TestCertRequest(t *testing.T) {
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 Steps: []r.TestStep{
 {
diff --git a/tls/resource_locally_signed_cert_test.go b/tls/resource_locally_signed_cert_test.go
index 96f22d63..017a84f2 100644
--- a/tls/resource_locally_signed_cert_test.go
+++ b/tls/resource_locally_signed_cert_test.go
@@ -14,7 +14,7 @@ import (
 )
 
 func TestLocallySignedCert(t *testing.T) {
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 Steps: []r.TestStep{
 {
@@ -146,7 +146,7 @@ func TestLocallySignedCert(t *testing.T) {
 func TestAccLocallySignedCertRecreatesAfterExpired(t *testing.T) {
 oldNow := now
 var previousCert string
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
 Steps: []r.TestStep{
@@ -223,7 +223,7 @@ func TestAccLocallySignedCertRecreatesAfterExpired(t *testing.T) {
 func TestAccLocallySignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T) {
 oldNow := now
 var previousCert string
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
 Steps: []r.TestStep{
diff --git a/tls/resource_private_key_test.go b/tls/resource_private_key_test.go
index 2cc69011..aba3d874 100644
--- a/tls/resource_private_key_test.go
+++ b/tls/resource_private_key_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 func TestPrivateKeyRSA(t *testing.T) {
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 Steps: []r.TestStep{
 {
@@ -105,7 +105,7 @@ func TestPrivateKeyRSA(t *testing.T) {
 }
 
 func TestPrivateKeyECDSA(t *testing.T) {
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 Steps: []r.TestStep{
 {
diff --git a/tls/resource_self_signed_cert_test.go b/tls/resource_self_signed_cert_test.go
index 314e060b..2521cc57 100644
--- a/tls/resource_self_signed_cert_test.go
+++ b/tls/resource_self_signed_cert_test.go
@@ -211,7 +211,7 @@ EOT
 func TestAccSelfSignedCertRecreatesAfterExpired(t *testing.T) {
 oldNow := now
 var previousCert string
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
 Steps: []r.TestStep{
@@ -288,7 +288,7 @@ func TestAccSelfSignedCertRecreatesAfterExpired(t *testing.T) {
 func TestAccSelfSignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T) {
 oldNow := now
 var previousCert string
- r.Test(t, r.TestCase{
+ r.UnitTest(t, r.TestCase{
 Providers: testProviders,
 PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
 Steps: []r.TestStep{