/* Copyright IBM Corp. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ package comm import ( "crypto/tls" "fmt" "io/ioutil" "path/filepath" "testing" "github.com/stretchr/testify/require" ) const ( numOrgs = 2 numChildOrgs = 2 ) // string for cert filenames var ( orgCACert = filepath.Join("testdata", "certs", "Org%d-cert.pem") childCACert = filepath.Join("testdata", "certs", "Org%d-child%d-cert.pem") ) var badPEM = `-----BEGIN CERTIFICATE----- MIICRDCCAemgAwIBAgIJALwW//dz2ZBvMAoGCCqGSM49BAMCMH4xCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv MRgwFgYDVQQKDA9MaW51eEZvdW5kYXRpb24xFDASBgNVBAsMC0h5cGVybGVkZ2Vy MRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTYxMjA0MjIzMDE4WhcNMjYxMjAyMjIz MDE4WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE BwwNU2FuIEZyYW5jaXNjbzEYMBYGA1UECgwPTGludXhGb3VuZGF0aW9uMRQwEgYD VQQLDAtIeXBlcmxlZGdlcjESMBAGA1UEAwwJbG9jYWxob3N0MFkwEwYHKoZIzj0C -----END CERTIFICATE----- ` // utility function to load up our test root certificates from testdata/certs func loadRootCAs() [][]byte { rootCAs := [][]byte{} for i := 1; i <= numOrgs; i++ { root, err := ioutil.ReadFile(fmt.Sprintf(orgCACert, i)) if err != nil { return [][]byte{} } rootCAs = append(rootCAs, root) for j := 1; j <= numChildOrgs; j++ { root, err := ioutil.ReadFile(fmt.Sprintf(childCACert, i, j)) if err != nil { return [][]byte{} } rootCAs = append(rootCAs, root) } } return rootCAs } func TestNewCredentialSupport(t *testing.T) { expected := &CredentialSupport{ appRootCAsByChain: make(map[string][][]byte), } require.Equal(t, expected, NewCredentialSupport()) rootCAs := [][]byte{ []byte("certificate-one"), []byte("certificate-two"), } expected.serverRootCAs = rootCAs[:] require.Equal(t, expected, NewCredentialSupport(rootCAs...)) } func TestCredentialSupport(t *testing.T) { t.Parallel() rootCAs := loadRootCAs() t.Logf("loaded %d root certificates", len(rootCAs)) if len(rootCAs) != 6 { t.Fatalf("failed to load root certificates") } cs := &CredentialSupport{ appRootCAsByChain: make(map[string][][]byte), } cert := tls.Certificate{Certificate: [][]byte{}} cs.SetClientCertificate(cert) require.Equal(t, cert, cs.clientCert) require.Equal(t, cert, cs.GetClientCertificate()) cs.appRootCAsByChain["channel1"] = [][]byte{rootCAs[0]} cs.appRootCAsByChain["channel2"] = [][]byte{rootCAs[1]} cs.appRootCAsByChain["channel3"] = [][]byte{rootCAs[2]} cs.serverRootCAs = [][]byte{rootCAs[5]} creds := cs.GetPeerCredentials() require.Equal(t, "1.2", creds.Info().SecurityVersion, "Expected Security version to be 1.2") // append some bad certs and make sure things still work cs.serverRootCAs = append(cs.serverRootCAs, []byte("badcert")) cs.serverRootCAs = append(cs.serverRootCAs, []byte(badPEM)) creds = cs.GetPeerCredentials() require.Equal(t, "1.2", creds.Info().SecurityVersion, "Expected Security version to be 1.2") }