(t *testing.T)
| 482 | } |
| 483 | |
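// TestBuildVerifyFuncFailures checks that the VerifyPeerCertificate callback
// installed by ClientSideTLSConfig fails closed for peer chains that cannot be
// verified against the SPIFFE trust map: a leaf that is not parseable x509,
// and a leaf without a SPIFFE ID (so no root can be looked up in the bundle
// map). Each case must return an error whose text contains wantErr.
func (s) TestBuildVerifyFuncFailures(t *testing.T) {
	tests := []struct {
		desc          string
		peerCertChain [][]byte
		wantErr       string
	}{
		{
			desc:          "invalid x509",
			peerCertChain: [][]byte{[]byte("NOT_A_CERT")},
			wantErr:       "x509: malformed certificate",
		},
		{
			desc: "invalid SPIFFE ID in peer cert",
			// server1.pem does not carry a valid SPIFFE ID, so the attempt to
			// look up a root in the SPIFFE bundle map must fail.
			peerCertChain: loadCert(t, testdata.Path("server1.pem"), testdata.Path("server1.key")),
			wantErr:       "spiffe: could not get spiffe ID from peer leaf cert but verification with spiffe trust map was configure",
		},
	}
	testProvider := testCertProviderWithKeyMaterial{}
	hi := NewHandshakeInfo(&testProvider, &testProvider, nil, true, "", false, false)
	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
	defer cancel()
	cfg, err := hi.ClientSideTLSConfig(ctx, "")
	if err != nil {
		t.Fatalf("hi.ClientSideTLSConfig() failed with err %v", err)
	}
	for _, tc := range tests {
		t.Run(tc.desc, func(t *testing.T) {
			// Keep err local to the subtest rather than reusing the outer
			// variable, and treat a nil result as a failure: an accepted chain
			// must be reported, not turned into a panic on err.Error().
			err := cfg.VerifyPeerCertificate(tc.peerCertChain, nil)
			if err == nil {
				t.Fatalf("VerifyPeerCertificate succeeded, want error containing %q", tc.wantErr)
			}
			if !strings.Contains(err.Error(), tc.wantErr) {
				t.Errorf("VerifyPeerCertificate got err %v, want: %v", err, tc.wantErr)
			}
		})
	}
}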
| 520 | |
| 521 | func loadCert(t *testing.T, certPath, keyPath string) [][]byte { |
| 522 | cert, err := tls.LoadX509KeyPair(certPath, keyPath) |