diff --git a/trifid-pki/src/ca.rs b/trifid-pki/src/ca.rs
index 236a237..a589600 100644
--- a/trifid-pki/src/ca.rs
+++ b/trifid-pki/src/ca.rs
@@ -62,6 +62,8 @@ impl NebulaCAPool {
 let fingerprint = cert.sha256sum()?;
 let expired = cert.expired(SystemTime::now());
+ if expired { self.expired = true }
+
 self.cas.insert(fingerprint, cert);
 Ok(expired)
diff --git a/trifid-pki/src/test.rs b/trifid-pki/src/test.rs
index a614583..55a0461 100644
--- a/trifid-pki/src/test.rs
+++ b/trifid-pki/src/test.rs
@@ -11,7 +11,7 @@ use std::str::FromStr;
 use ed25519_dalek::{SigningKey, VerifyingKey};
 use quick_protobuf::{MessageWrite, Writer};
 use rand::rngs::OsRng;
-use crate::ca::NebulaCAPool;
+use crate::ca::{NebulaCAPool};
 use crate::cert_codec::{RawNebulaCertificate, RawNebulaCertificateDetails};
 /// This is a cert that we (e3team) actually use in production, and it's a known-good certificate.
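Review bot: The new `self.expired = true` is a one-way, pool-wide flag: nothing in this hunk ever clears it, it does not record which CA expired, and the expired certificate is still inserted into `self.cas` on the next line, so a caller that only consults `pool.expired` (or discards the returned bool with `.unwrap()`) can still end up with an expired CA in its trust set. The check is also evaluated once against `SystemTime::now()` at insertion time, so a CA that expires later in the life of a long-running process never flips the flag; if the pool is consulted at verification time, re-checking `cert.expired(now)` on the looked-up CA is more robust than relying on this flag alone. The enclosing method's signature is outside the hunk, so please document the contract there, e.g. `/// Adds `cert` to the pool even if it has already expired; in that case the sticky, pool-wide `expired` flag is set and `Ok(true)` is returned.` For rustfmt and clippy, write the guard as `if expired {` / `    self.expired = true;` / `}`.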
@@ -464,6 +464,64 @@ fn cert_private_key() {
 cert2.verify_private_key(&priv_key.to_bytes()).unwrap_err();
 }
+#[test]
+fn capool_from_pem() {
+ let no_newlines = b"# Current provisional, Remove once everything moves over to the real root.
+-----BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+-----END NEBULA CERTIFICATE-----
+# root-ca01
+-----BEGIN NEBULA CERTIFICATE-----
+CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
+BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
+8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
+-----END NEBULA CERTIFICATE-----";
+ let with_newlines = b"# Current provisional, Remove once everything moves over to the real root.
+-----BEGIN NEBULA CERTIFICATE-----
+CkAKDm5lYnVsYSByb290IGNhKJfap9AFMJfg1+YGOiCUQGByMuNRhIlQBOyzXWbL
+vcKBwDhov900phEfJ5DN3kABEkDCq5R8qBiu8sl54yVfgRcQXEDt3cHr8UTSLszv
+bzBEr00kERQxxTzTsH8cpYEgRoipvmExvg8WP8NdAJEYJosB
+-----END NEBULA CERTIFICATE-----
+# root-ca01
+-----BEGIN NEBULA CERTIFICATE-----
+CkMKEW5lYnVsYSByb290IGNhIDAxKJL2u9EFMJL86+cGOiDPXMH4oU6HZTk/CqTG
+BVG+oJpAoqokUBbI4U0N8CSfpUABEkB/Pm5A2xyH/nc8mg/wvGUWG3pZ7nHzaDMf
+8/phAUt+FLzqTECzQKisYswKvE3pl9mbEYKbOdIHrxdIp95mo4sF
+-----END NEBULA CERTIFICATE-----
+
+";
+ let expired = b"# expired certificate
+-----BEGIN NEBULA CERTIFICATE-----
+CjkKB2V4cGlyZWQouPmWjQYwufmWjQY6ILCRaoCkJlqHgv5jfDN4lzLHBvDzaQm4
+vZxfu144hmgjQAESQG4qlnZi8DncvD/LDZnLgJHOaX1DWCHHEh59epVsC+BNgTie
+WH1M9n4O7cFtGlM6sJJOS+rCVVEJ3ABS7+MPdQs=
+-----END NEBULA CERTIFICATE-----";
+
+ let pool_a = NebulaCAPool::new_from_pem(no_newlines).unwrap();
+ assert_eq!(pool_a.cas["c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522"].details.name, "nebula root ca".to_string());
+ assert_eq!(pool_a.cas["5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd"].details.name, "nebula root ca 
01".to_string());
+ assert!(!pool_a.expired);
+
+ let pool_b = NebulaCAPool::new_from_pem(with_newlines).unwrap();
+ assert_eq!(pool_b.cas["c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522"].details.name, "nebula root ca".to_string());
+ assert_eq!(pool_b.cas["5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd"].details.name, "nebula root ca 01".to_string());
+ assert!(!pool_b.expired);
+
+ let pool_c = NebulaCAPool::new_from_pem(expired).unwrap();
+ assert!(pool_c.expired);
+ assert_eq!(pool_c.cas["152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0"].details.name, "expired");
+
+ let mut pool_d = NebulaCAPool::new_from_pem(with_newlines).unwrap();
+ pool_d.add_ca_certificate(expired).unwrap();
+ assert_eq!(pool_d.cas["c9bfaf7ce8e84b2eeda2e27b469f4b9617bde192efd214b68891ecda6ed49522"].details.name, "nebula root ca".to_string());
+ assert_eq!(pool_d.cas["5c9c3f23e7ee7fe97637cbd3a0a5b854154d1d9aaaf7b566a51f4a88f76b64cd"].details.name, "nebula root ca 01".to_string());
+ assert_eq!(pool_d.cas["152070be6bb19bc9e3bde4c2f0e7d8f4ff5448b4c9856b8eccb314fade0229b0"].details.name, "expired");
+ assert!(pool_d.expired);
+ assert_eq!(pool_d.get_fingerprints().len(), 3);
+}
+
 #[macro_export]
 macro_rules! netmask {
 ($ip:expr,$mask:expr) => {
diff --git a/trifid-pki/tarpaulin-report.html b/trifid-pki/tarpaulin-report.html
index 72179ec..1357d5a 100644
--- a/trifid-pki/tarpaulin-report.html
+++ b/trifid-pki/tarpaulin-report.html
@@ -107,8 +107,8 @@
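Review bot: `assert!(!pool_a.expired)` and `assert!(!pool_b.expired)` depend on the wall clock, because the pool evaluates `cert.expired(SystemTime::now())` when each certificate is added, so this test will start failing on the day the two root CAs in the fixture pass their not-after time. Record that date next to the literals, e.g. `// NOTE: the two root CAs are valid until <NOT_AFTER date>; the `!expired` asserts become time-dependent after that`, so the eventual failure is diagnosable rather than mistaken for a regression. `pool_d.add_ca_certificate(expired).unwrap();` discards the returned bool; `assert!(pool_d.add_ca_certificate(expired).unwrap());` would also pin the `Ok(expired)` return contract that the ca.rs hunk relies on. A one-line comment saying the map keys are the `sha256sum()` fingerprints of the fixture certificates would help readers who see the hex strings without context.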