ci: add more tests for GetCertsFromBundle and certMatchPrivateKey

Author: xenOs76

internal/certinfo/common_handlers_test.go

@@ -102,39 +102,59 @@ func TestCertinfo_GetRootCertsFromString(t *testing.T) {
 }
 
 func TestCertinfo_GetCertsFromBundle(t *testing.T) {
-	t.Run("FileReadErrors", func(t *testing.T) {
-		t.Parallel()
-
-		_, errEmptyString := GetCertsFromBundle(
-			emptyString,
-			inputReader,
-		)
-		require.Error(t, errEmptyString)
-		assert.Equal(t,
-			"empty string provided as certBundlePath",
-			errEmptyString.Error(),
-		)
+	readErrorTests := []struct {
+		desc        string
+		certPath    string
+		reader      Reader
+		expectedMsg string
+	}{
+		{
+			desc:        "emptyString",
+			certPath:    emptyString,
+			reader:      inputReader,
+			expectedMsg: "empty string provided as certBundlePath",
+		},
+		{
+			desc:        "unreadableFile",
+			certPath:    unreadableFile,
+			reader:      mockErrReader,
+			expectedMsg: "error reading certificate file: unable to read file testdata/unreadable-file.txt",
+		},
+		{
+			desc:        "wrong file",
+			certPath:    RSACaCertKeyFile,
+			reader:      inputReader,
+			expectedMsg: "no valid certificates found in file " + RSACaCertKeyFile,
+		},
+		{
+			desc:        "nil Reader",
+			certPath:    RSACaCertFile,
+			reader:      nil,
+			expectedMsg: "nil Reader provided",
+		},
+		{
+			desc:        "broken cert file",
+			certPath:    RSASamplePKCS8BrokenCertificate,
+			reader:      inputReader,
+			expectedMsg: "error parsing certificate: x509: inner and outer signature algorithm identifiers don't match",
+		},
+	}
 
-		_, errNoRead := GetCertsFromBundle(
-			unreadableFile,
-			mockErrReader,
-		)
-		require.Error(t, errNoRead)
-		assert.Equal(t,
-			"error reading certificate file: unable to read file testdata/unreadable-file.txt",
-			errNoRead.Error(),
-		)
+	for _, tt := range readErrorTests {
+		t.Run("Read error "+tt.desc, func(t *testing.T) {
+			t.Parallel()
 
-		_, errWrongFile := GetCertsFromBundle(
-			RSACaCertKeyFile,
-			inputReader,
-		)
-		require.Error(t, errWrongFile)
-		assert.Equal(t,
-			"no valid certificates found in file "+RSACaCertKeyFile,
-			errWrongFile.Error(),
-		)
-	})
+			_, err := GetCertsFromBundle(
+				tt.certPath,
+				tt.reader,
+			)
+			require.Error(t, err)
+			assert.Equal(t,
+				tt.expectedMsg,
+				err.Error(),
+			)
+		})
+	}
 
 	t.Run("CertImportValidation", func(t *testing.T) {
 		gotCerts, errCaString := GetCertsFromBundle(
@@ -152,15 +172,6 @@ func TestCertinfo_GetCertsFromBundle(t *testing.T) {
 			)
 		}
 	})
-
-	t.Run("nil Reader error", func(t *testing.T) {
-		_, err := GetCertsFromBundle(
-			RSACaCertFile,
-			nil,
-		)
-		require.Error(t, err)
-		require.EqualError(t, err, "nil Reader provided")
-	})
 }
 
 func TestCertinfo_GetKeyFromFile_inputReaderErrors(t *testing.T) {
@@ -447,11 +458,25 @@ func TestCertinfo_getPassphraseIfNeeded(t *testing.T) {
 }
 
 func TestCertinfo_certMatchPrivateKey_matchFalse(t *testing.T) {
+	uncompleteCert := x509.Certificate{
+		IsCA: false,
+	}
+
 	matchFalseTests := []struct {
-		desc string
-		cert *x509.Certificate
-		key  crypto.PrivateKey
+		desc      string
+		cert      *x509.Certificate
+		key       crypto.PrivateKey
+		expectErr bool
+		expectMsg string
 	}{
+		{
+			desc:      "uncomplete cert",
+			cert:      &uncompleteCert,
+			key:       RSASampleCertKey,
+			expectErr: true,
+			expectMsg: "unsupported public key type in certificate",
+		},
+
 		{
 			desc: "key cert mismatch",
 			cert: RSACaCertParent,
@@ -475,8 +500,15 @@ func TestCertinfo_certMatchPrivateKey_matchFalse(t *testing.T) {
 				tt.cert,
 				tt.key,
 			)
-			require.NoError(t, err)
-			assert.False(t, match)
+			if !tt.expectErr {
+				require.NoError(t, err)
+				assert.False(t, match)
+			}
+
+			if tt.expectErr {
+				require.Error(t, err)
+				require.EqualError(t, err, tt.expectMsg)
+			}
 		})
 	}
 }

internal/certinfo/main_test.go

@@ -51,6 +51,7 @@ var (
 	RSASamplePKCS8EncryptedPrivateKey = testdataDir + "/rsa-pkcs8-encrypted-private-key.pem"
 	RSASamplePKCS8EncBrokenPrivateKey = testdataDir + "/rsa-pkcs8-encrypted-broken-private-key.pem"
 	RSASamplePKCS8Certificate         = testdataDir + "/rsa-pkcs8-crt.pem"
+	RSASamplePKCS8BrokenCertificate   = testdataDir + "/rsa-pkcs8-broken-crt.pem"
 
 	ECDSASamplePlaintextPrivateKey = testdataDir + "/ecdsa-plaintext-private-key.pem"
 	ECDSASampleEncryptedPrivateKey = testdataDir + "/ecdsa-encrypted-private-key.pem"

internal/certinfo/testdata/rsa-pkcs8-broken-crt.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFbTCCA1WgAwIBAgIUBzx2EsVl+ybPvE466xTKQunu37cwDQYJKoZIhvcAAAAA
+BQAwXzELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxDzANBgNBBBBB
+BkJlcmxpbjEUMBIGA1UECgwLZXhhbXBsZSBMdGQxFDASBgNVBAMMC2V4YW1CCCCC
+Y29tMB4XDTI1MTIxMjIyMDcwOFoXDTM1MTIxMDIyMDcwOFowXzELMAkGA1UEBhMC
+REUxEzARBgNVBAgMClNvbWUtU3RhdGUxDzANBgNVBAcMBkJlcmxpbjEUMBIGA1UE
+CgwLZXhhbXBsZSBMdGQxFDASBgNVBAMMC2V4YW1wbGUuY29tMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAtjvz7pjc6iXFHeCNEgQ9Fj/wLArQ2Rmuqhe2
+Lqozt4V8fI8euikVECxXHIF0cDoJmdyY9oU71VKW3qDPS0NcB51rUi0iyfoTPXCy
+Sig6tkAewbWc03doUifTLSxSmBz5cjdrZIKK8zkQBtdd3A/B7u/ewRXuRA567vN2
+2Gjc5EkrypJUrCWYeFlfcW1UzcbEMag4X3Z3YEmQXppz3EDsm72XZ+KHA3PytKv4
+rPM4IMtQkLMCIpvQ/NdbQXcwYorVo6dszCohqI2uc6hfQ0sbNEsvGX7/PakArNr8
+JkFif5DWS54tXzfzPz3HMbDFyjAURIguHBa6mBCq/tyTQvBNxNu+N+WERMqJjrKk
+MQVVbzZLeEov0cINJipI4IC09CqaHa3LUBsvJQmTRoEZJDvtKDmS6qw+eprJIHgU
+R5AJ4Is6CddLHUJnPKLoU3pZdsb7a3ks2d4PiHKuRaVJVs5495d/syfZYejB+C+r
+9Uyj48p4VuHknJG5JmGtEc9w5pnWdWiGfPJJCSt5C5cZhjDqIkU/g+LrhYULLQRC
+yFQ9oDLWo8zGf8xXYDKNutw/qfjBrCLGApNyqW1MibSQf1JNX3sVljDZaR5k20OW
+Yd00wqtubq8rw2KgoKV3KOQa/Dkq6SIFg4krbys+DqnZ2XKtL+Bq1OpAu558A76S
+zKjpKT8CAwEAAaMhMB8wHQYDVR0OBBYEFAjuAcgUUDpC4pmbUICqf9TYnsXEMA0G
+CSqGSIb3DQEBCwUAA4ICAQAAyrqWKwonL6ZCeuzEjCizXRv0bFSZZBKvggX1z+KS
+EDJppjA7vvzC0k9HuWat+qV69xkQ3u+BpnnPa0OSasqI6sQJIMt8Az7EVeqrS074
+qedulOIQzZnbH7NOht/EKso9Gz3iP7G3NKf1JsStc9FuSiWaiqsg83iLCAe1py/t
+8KM2G/vCvNPYIZAR8RwaNGgBicaOQsPW9PuNphQ9i1tcF2L0pstImoCuCzY0guRt
+Ku0syZweF8RYecnKxqSoWHL++vBWHHJ85O6RKjvSYWcCcaU6SkMlgTY7n7xvztrd
+U1GKlBnijObU+lIfNv9cxufy7KE9X5qQmwBbDkNPYQSif1dkCzs/3sWQq0aSvpHX
+XI/inejkNtInddchh2prdBLHn1yEilQ4Bow4H05ipsnFhB9W+154JpcYI8VN67xr
+xMw4DAG2S1byUIfiBW8hU5AKQE9c56SSUdci6kaFVC4FRvd1Nsd3HU/e3mLdw6J9
+iIXRnj5TBQkX7WipZKc1NBUXSWa1NNPl8oUe1BwaYG9cqOWWNbeprLBiToqPMpts
+0ENmMrxPXrl71akGpj5L7A8I+9W9VtQl5BGTy1fmscqVwlHxDh1iWwV1mLFrlSS0
+wlrSh0IajUFG0/M5lvVDH+LGg1z6tDA5KaD3YE4du7JBXFJNMI+kT0cCgNSWmows
+IA==
+-----END CERTIFICATE-----