Added the optional subject_key_id parameter. #31

Merged
merged 2 commits into from
Aug 16, 2019
2 changes: 1 addition & 1 deletion tls/data_source_public_key_test.go
Expand Up @@ -21,7 +21,7 @@ D9Hk2MajZuFnJiqj1QIDAQAB
)

func TestAccPublicKey_dataSource(t *testing.T) {
resource.Test(t, resource.TestCase{
resource.UnitTest(t, resource.TestCase{
Providers: testProviders,
Steps: []resource.TestStep{
{
2 changes: 1 addition & 1 deletion tls/resource_cert_request_test.go
Expand Up @@ -12,7 +12,7 @@ import (
)

func TestCertRequest(t *testing.T) {
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
14 changes: 14 additions & 0 deletions tls/resource_certificate.go
Expand Up @@ -130,6 +130,13 @@ func resourceCertificateCommonSchema() map[string]*schema.Schema {
Type: schema.TypeString,
Computed: true,
},

"set_subject_key_id": &schema.Schema{
Type: schema.TypeBool,
Optional: true,
Description: "If true, the generated certificate will include a subject key identifier.",
ForceNew: true,
},
}
}

Expand Down Expand Up @@ -165,6 +172,13 @@ func createCertificate(d *schema.ResourceData, template, parent *x509.Certificat
}
}

if d.Get("set_subject_key_id").(bool) {
template.SubjectKeyId, err = generateSubjectKeyID(pub)
if err != nil {
return fmt.Errorf("failed to set subject key identifier: %s", err)
}
}

certBytes, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
if err != nil {
return fmt.Errorf("error creating certificate: %s", err)
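Review bot: The new `if d.Get("set_subject_key_id").(bool) {` guard leaves the Subject Key Identifier off by default even when the template describes a CA, yet RFC 5280 §4.2.1.2 says the SKI MUST appear in conforming CA certificates, and crypto/x509's CreateCertificate only fills a child's AuthorityKeyId from the parent's SubjectKeyId, so a CA built without this flag produces children that cannot be chained by AKI/SKI matching. Consider enabling the identifier whenever the CA flag is set, e.g. `if d.Get("set_subject_key_id").(bool) || template.IsCA {`, assuming `template.IsCA` is already populated from the CA argument at this point (not visible in the hunk), or at minimum extend the schema Description with `Should be set to true for CA certificates (RFC 5280 §4.2.1.2).`. `generateSubjectKeyID` is not shown here; its doc comment should state the derivation it uses (RFC 5280 method 1 is the SHA-1 of the subjectPublicKey BIT STRING) so that consumers matching AKI against SKI know what to expect. `createCertificate` starts and ends outside this hunk.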
6 changes: 3 additions & 3 deletions tls/resource_locally_signed_cert_test.go
Expand Up @@ -14,7 +14,7 @@ import (
)

func TestLocallySignedCert(t *testing.T) {
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
Expand Down Expand Up @@ -146,7 +146,7 @@ func TestLocallySignedCert(t *testing.T) {
func TestAccLocallySignedCertRecreatesAfterExpired(t *testing.T) {
oldNow := now
var previousCert string
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
Steps: []r.TestStep{
Expand Down Expand Up @@ -223,7 +223,7 @@ func TestAccLocallySignedCertRecreatesAfterExpired(t *testing.T) {
func TestAccLocallySignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T) {
oldNow := now
var previousCert string
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
Steps: []r.TestStep{
4 changes: 2 additions & 2 deletions tls/resource_private_key_test.go
Expand Up @@ -10,7 +10,7 @@ import (
)

func TestPrivateKeyRSA(t *testing.T) {
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
Expand Down Expand Up @@ -105,7 +105,7 @@ func TestPrivateKeyRSA(t *testing.T) {
}

func TestPrivateKeyECDSA(t *testing.T) {
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
53 changes: 50 additions & 3 deletions tls/resource_self_signed_cert_test.go
@@ -1,6 +1,7 @@
package tls

import (
"bytes"
"crypto/x509"
"encoding/pem"
"fmt"
Expand All @@ -13,7 +14,7 @@ import (
)

func TestSelfSignedCert(t *testing.T) {
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
Steps: []r.TestStep{
{
Expand Down Expand Up @@ -192,6 +193,9 @@ EOT
if expected, got := 0, len(cert.ExtKeyUsage); got != expected {
return fmt.Errorf("incorrect number of ExtKeyUsage: expected %v, got %v", expected, got)
}
if expected, got := []byte(``), cert.SubjectKeyId; !bytes.Equal(got, expected) {
return fmt.Errorf("incorrect subject key id: expected %v, got %v", expected, got)
}

if expected, got := x509.KeyUsage(0), cert.KeyUsage; got != expected {
return fmt.Errorf("incorrect KeyUsage: expected %v, got %v", expected, got)
Expand All @@ -207,7 +211,7 @@ EOT
func TestAccSelfSignedCertRecreatesAfterExpired(t *testing.T) {
oldNow := now
var previousCert string
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
Steps: []r.TestStep{
Expand Down Expand Up @@ -284,7 +288,7 @@ func TestAccSelfSignedCertRecreatesAfterExpired(t *testing.T) {
func TestAccSelfSignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T) {
oldNow := now
var previousCert string
r.Test(t, r.TestCase{
r.UnitTest(t, r.TestCase{
Providers: testProviders,
PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
Steps: []r.TestStep{
Expand Down Expand Up @@ -358,6 +362,49 @@ func TestAccSelfSignedCertNotRecreatedForEarlyRenewalUpdateInFuture(t *testing.T
now = oldNow
}

func TestAccSelfSignedCertSetSubjectKeyID(t *testing.T) {
r.UnitTest(t, r.TestCase{
Providers: testProviders,
PreCheck: setTimeForTest("2019-06-14T12:00:00Z"),
Steps: []r.TestStep{
{
Config: fmt.Sprintf(`
resource "tls_self_signed_cert" "test" {
subject {
serial_number = "42"
}
key_algorithm = "RSA"
validity_period_hours = 1
allowed_uses = []
set_subject_key_id = true
private_key_pem = <<EOT
%s
EOT
}
output "cert_pem" {
value = "${tls_self_signed_cert.test.cert_pem}"
}
`, testPrivateKey),
Check: func(s *terraform.State) error {
certPEM := s.RootModule().Outputs["cert_pem"].Value
block, _ := pem.Decode([]byte(certPEM.(string)))
cert, err := x509.ParseCertificate(block.Bytes)
if err != nil {
return fmt.Errorf("error parsing cert: %s", err)
}
got := cert.SubjectKeyId
want := []byte{207, 81, 38, 63, 172, 18, 241, 109, 195, 169, 6, 109, 237, 6, 18, 214, 52, 231, 17, 222}
if !bytes.Equal(got, want) {
return fmt.Errorf("incorrect subject key id\ngot: %v\nwant: %v", got, want)
}
return nil
},
},
},
})

}

func selfSignedCertConfig(validity uint32, earlyRenewal uint32) string {
return fmt.Sprintf(`
resource "tls_self_signed_cert" "test1" {
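Review bot: The expected value at `want := []byte{207, 81, 38, ...}` in TestAccSelfSignedCertSetSubjectKeyID is an opaque constant with no indication of how it was derived, so the test pins whatever `generateSubjectKeyID` happened to emit rather than a specified derivation; its 20-byte length is consistent with a SHA-1 digest, which is what RFC 5280 §4.2.1.2 method 1 prescribes, but that is inferred. A comment such as `// Expected SKI for testPrivateKey; presumably SHA-1 of the subjectPublicKey BIT STRING (RFC 5280 §4.2.1.2 method 1) — confirm against generateSubjectKeyID` would make a regression in the hashing method diagnosable, or better, compute the expectation in the test from the parsed public key. The Check function also dereferences `block.Bytes` without checking the `pem.Decode` result, so a missing PEM block panics instead of reporting; add `if block == nil { return fmt.Errorf("no PEM block in cert_pem") }` before the parse. The earlier added assertion comparing against `[]byte(``)` with bytes.Equal reads more directly as `if len(cert.SubjectKeyId) != 0 {`.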
4 changes: 4 additions & 0 deletions website/docs/r/locally_signed_cert.html.md
Expand Up @@ -67,6 +67,10 @@ The following arguments are supported:
generated certificate. Defaults to `false`, meaning that the certificate does not represent
a certificate authority.

* `set_subject_key_id` - (Optional) If `true`, the certificate will include
the subject key identifier. Defaults to `false`, in which case the subject
key identifier is not set at all.

The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
[Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in
4 changes: 4 additions & 0 deletions website/docs/r/self_signed_cert.html.md
Expand Up @@ -90,6 +90,10 @@ The following arguments are supported:
generated certificate. Defaults to `false`, meaning that the certificate does not represent
a certificate authority.

* `set_subject_key_id` - (Optional) If `true`, the certificate will include
the subject key identifier. Defaults to `false`, in which case the subject
key identifier is not set at all.

The `allowed_uses` list accepts the following keywords, combining the set of flags defined by
both [Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.3) and
[Extended Key Usage](https://tools.ietf.org/html/rfc5280#section-4.2.1.12) in