|  | @@ -16,8 +16,6 @@ import (
 | 
											
												
													
														|  |  	"golang.org/x/crypto/ed25519"
 |  |  	"golang.org/x/crypto/ed25519"
 | 
											
												
													
														|  |  )
 |  |  )
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  | -//TODO: test file permissions
 |  | 
 | 
											
												
													
														|  | -
 |  | 
 | 
											
												
													
														|  |  func Test_signSummary(t *testing.T) {
 |  |  func Test_signSummary(t *testing.T) {
 | 
											
												
													
														|  |  	assert.Equal(t, "sign <flags>: create and sign a certificate", signSummary())
 |  |  	assert.Equal(t, "sign <flags>: create and sign a certificate", signSummary())
 | 
											
												
													
														|  |  }
 |  |  }
 | 
											
										
											
												
													
														|  | @@ -39,9 +37,11 @@ func Test_signHelp(t *testing.T) {
 | 
											
												
													
														|  |  			"  -in-pub string\n"+
 |  |  			"  -in-pub string\n"+
 | 
											
												
													
														|  |  			"    \tOptional (if out-key not set): path to read a previously generated public key\n"+
 |  |  			"    \tOptional (if out-key not set): path to read a previously generated public key\n"+
 | 
											
												
													
														|  |  			"  -ip string\n"+
 |  |  			"  -ip string\n"+
 | 
											
												
													
														|  | -			"    \tRequired: ipv4 address and network in CIDR notation to assign the cert\n"+
 |  | 
 | 
											
												
													
														|  | 
 |  | +			"    \tDeprecated, see -networks\n"+
 | 
											
												
													
														|  |  			"  -name string\n"+
 |  |  			"  -name string\n"+
 | 
											
												
													
														|  |  			"    \tRequired: name of the cert, usually a hostname\n"+
 |  |  			"    \tRequired: name of the cert, usually a hostname\n"+
 | 
											
												
													
														|  | 
 |  | +			"  -networks string\n"+
 | 
											
												
													
														|  | 
 |  | +			"    \tRequired: comma separated list of ip address and network in CIDR notation to assign to this cert\n"+
 | 
											
												
													
														|  |  			"  -out-crt string\n"+
 |  |  			"  -out-crt string\n"+
 | 
											
												
													
														|  |  			"    \tOptional: path to write the certificate to\n"+
 |  |  			"    \tOptional: path to write the certificate to\n"+
 | 
											
												
													
														|  |  			"  -out-key string\n"+
 |  |  			"  -out-key string\n"+
 | 
											
										
											
												
													
														|  | @@ -50,7 +50,11 @@ func Test_signHelp(t *testing.T) {
 | 
											
												
													
														|  |  			"    \tOptional: output a qr code image (png) of the certificate\n"+
 |  |  			"    \tOptional: output a qr code image (png) of the certificate\n"+
 | 
											
												
													
														|  |  			optionalPkcs11String("  -pkcs11 string\n    \tOptional: PKCS#11 URI to an existing private key\n")+
 |  |  			optionalPkcs11String("  -pkcs11 string\n    \tOptional: PKCS#11 URI to an existing private key\n")+
 | 
											
												
													
														|  |  			"  -subnets string\n"+
 |  |  			"  -subnets string\n"+
 | 
											
												
													
														|  | -			"    \tOptional: comma separated list of ipv4 address and network in CIDR notation. Subnets this cert can serve for\n",
 |  | 
 | 
											
												
													
														|  | 
 |  | +			"    \tDeprecated, see -unsafe-networks\n"+
 | 
											
												
													
														|  | 
 |  | +			"  -unsafe-networks string\n"+
 | 
											
												
													
														|  | 
 |  | +			"    \tOptional: comma separated list of ip address and network in CIDR notation. Unsafe networks this cert can route for\n"+
 | 
											
												
													
														|  | 
 |  | +			"  -version uint\n"+
 | 
											
												
													
														|  | 
 |  | +			"    \tOptional: version of the certificate format to use, the default is to create both v1 and v2 certificates.\n",
 | 
											
												
													
														|  |  		ob.String(),
 |  |  		ob.String(),
 | 
											
												
													
														|  |  	)
 |  |  	)
 | 
											
												
													
														|  |  }
 |  |  }
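Review bot: The help text added for `-version` states that the default creates both v1 and v2 certificates, but every `signCert` case in this diff passes `-version 1`, so neither the default (dual) path nor a v2-only path is exercised anywhere visible. A case that omits `-version` and one that passes `-version 2` would pin what the help promises; the v2 case with an IPv6 `-networks` value is the one most likely to diverge from the v1 assertions later in this file. `signCert` itself is not visible here, so the expected outputs for those cases have to be taken from the implementation. Test_signHelp ends at this hunk.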
 | 
											
										
											
												
													
														|  | @@ -77,20 +81,20 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// required args
 |  |  	// required args
 | 
											
												
													
														|  |  	assertHelpError(t, signCert(
 |  |  	assertHelpError(t, signCert(
 | 
											
												
													
														|  | -		[]string{"-ca-crt", "./nope", "-ca-key", "./nope", "-ip", "1.1.1.1/24", "-out-key", "nope", "-out-crt", "nope"}, ob, eb, nopw,
 |  | 
 | 
											
												
													
														|  | 
 |  | +		[]string{"-version", "1", "-ca-crt", "./nope", "-ca-key", "./nope", "-ip", "1.1.1.1/24", "-out-key", "nope", "-out-crt", "nope"}, ob, eb, nopw,
 | 
											
												
													
														|  |  	), "-name is required")
 |  |  	), "-name is required")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	assertHelpError(t, signCert(
 |  |  	assertHelpError(t, signCert(
 | 
											
												
													
														|  | -		[]string{"-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-out-key", "nope", "-out-crt", "nope"}, ob, eb, nopw,
 |  | 
 | 
											
												
													
														|  | -	), "-ip is required")
 |  | 
 | 
											
												
													
														|  | 
 |  | +		[]string{"-version", "1", "-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-out-key", "nope", "-out-crt", "nope"}, ob, eb, nopw,
 | 
											
												
													
														|  | 
 |  | +	), "-networks is required")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// cannot set -in-pub and -out-key
 |  |  	// cannot set -in-pub and -out-key
 | 
											
												
													
														|  |  	assertHelpError(t, signCert(
 |  |  	assertHelpError(t, signCert(
 | 
											
												
													
														|  | -		[]string{"-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-in-pub", "nope", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope"}, ob, eb, nopw,
 |  | 
 | 
											
												
													
														|  | 
 |  | +		[]string{"-version", "1", "-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-in-pub", "nope", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope"}, ob, eb, nopw,
 | 
											
												
													
														|  |  	), "cannot set both -in-pub and -out-key")
 |  |  	), "cannot set both -in-pub and -out-key")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
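Review bot: The new assertion `"-networks is required"` is only reached by omitting both flags; no argument list in this diff passes `-networks` at all — each one keeps the deprecated `-ip` alias — so the renamed flag and the precedence when `-ip` and `-networks` are both given are untested. Add one case that passes `-networks` alone, and one that passes both with different values, asserting whichever value `signCert` actually uses (not visible here). Until then the `"invalid -networks definition"` messages pinned further down this diff are exercised only through the `-ip` path. Test_signCert continues beyond this hunk.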
 | 
											
										
											
												
													
														|  | @@ -98,7 +102,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	// failed to read key
 |  |  	// failed to read key
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args := []string{"-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args := []string{"-version", "1", "-ca-crt", "./nope", "-ca-key", "./nope", "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading ca-key: open ./nope: "+NoSuchFileError)
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading ca-key: open ./nope: "+NoSuchFileError)
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// failed to unmarshal key
 |  |  	// failed to unmarshal key
 | 
											
										
											
												
													
														|  | @@ -108,7 +112,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	assert.Nil(t, err)
 |  |  	assert.Nil(t, err)
 | 
											
												
													
														|  |  	defer os.Remove(caKeyF.Name())
 |  |  	defer os.Remove(caKeyF.Name())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", "./nope", "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", "./nope", "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing ca-key: input did not contain a valid PEM encoded block")
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing ca-key: input did not contain a valid PEM encoded block")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -120,7 +124,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	caKeyF.Write(cert.MarshalSigningPrivateKeyToPEM(cert.Curve_CURVE25519, caPriv))
 |  |  	caKeyF.Write(cert.MarshalSigningPrivateKeyToPEM(cert.Curve_CURVE25519, caPriv))
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// failed to read cert
 |  |  	// failed to read cert
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", "./nope", "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", "./nope", "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading ca-crt: open ./nope: "+NoSuchFileError)
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading ca-crt: open ./nope: "+NoSuchFileError)
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -132,7 +136,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	assert.Nil(t, err)
 |  |  	assert.Nil(t, err)
 | 
											
												
													
														|  |  	defer os.Remove(caCrtF.Name())
 |  |  	defer os.Remove(caCrtF.Name())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing ca-crt: input did not contain a valid PEM encoded block")
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing ca-crt: input did not contain a valid PEM encoded block")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -143,7 +147,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	caCrtF.Write(b)
 |  |  	caCrtF.Write(b)
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// failed to read pub
 |  |  	// failed to read pub
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-in-pub", "./nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-in-pub", "./nope", "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading in-pub: open ./nope: "+NoSuchFileError)
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while reading in-pub: open ./nope: "+NoSuchFileError)
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -155,7 +159,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	assert.Nil(t, err)
 |  |  	assert.Nil(t, err)
 | 
											
												
													
														|  |  	defer os.Remove(inPubF.Name())
 |  |  	defer os.Remove(inPubF.Name())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-in-pub", inPubF.Name(), "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-in-pub", inPubF.Name(), "-duration", "100m"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing in-pub: input did not contain a valid PEM encoded block")
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while parsing in-pub: input did not contain a valid PEM encoded block")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -169,30 +173,37 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	// bad ip cidr
 |  |  	// bad ip cidr
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "a1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | -	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid ip definition: a1.1.1.1/24")
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "a1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  | 
 |  | +	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid -networks definition: a1.1.1.1/24")
 | 
											
												
													
														|  | 
 |  | +	assert.Empty(t, ob.String())
 | 
											
												
													
														|  | 
 |  | +	assert.Empty(t, eb.String())
 | 
											
												
													
														|  | 
 |  | +
 | 
											
												
													
														|  | 
 |  | +	ob.Reset()
 | 
											
												
													
														|  | 
 |  | +	eb.Reset()
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "100::100/100", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  | 
 |  | +	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid -networks definition: v1 certificates can only have a single ipv4 address")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "100::100/100", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 |  | 
 | 
											
												
													
														|  | -	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid ip definition: can only be ipv4, have 100::100/100")
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24,1.1.1.2/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m"}
 | 
											
												
													
														|  | 
 |  | +	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid -networks definition: v1 certificates can only have a single ipv4 address")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	// bad subnet cidr
 |  |  	// bad subnet cidr
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "a"}
 |  | 
 | 
											
												
													
														|  | -	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid subnet definition: a")
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "a"}
 | 
											
												
													
														|  | 
 |  | +	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid -unsafe-networks definition: a")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "100::100/100"}
 |  | 
 | 
											
												
													
														|  | -	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid subnet definition: can only be ipv4, have 100::100/100")
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "100::100/100"}
 | 
											
												
													
														|  | 
 |  | +	assertHelpError(t, signCert(args, ob, eb, nopw), "invalid -unsafe-networks definition: v1 certificates can only be ipv4")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
												
													
														|  |  
 |  |  
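Review bot: The message pinned for the `100::100/100` case, `v1 certificates can only have a single ipv4 address`, is misleading for that input — it is a single address of the wrong family — and it differs from the wording the `-unsafe-networks` case pins a few lines later, `v1 certificates can only be ipv4`. If `signCert` collapses the family and count checks into one error, the test should at least pin one wording for both paths; otherwise the implementation should report the family failure separately so a user supplying a v6 address is not told to supply fewer addresses. The surviving `// bad ip cidr` and `// bad subnet cidr` comments also still carry the old flag names; `// bad -networks cidr` and `// bad -unsafe-networks cidr` would match the assertions they introduce. Test_signCert continues outside the hunk.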
 | 
											
										
											
												
													
														|  | @@ -205,7 +216,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  
 |  |  
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF2.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "a"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF2.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "nope", "-out-key", "nope", "-duration", "100m", "-subnets", "a"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to sign, root certificate does not match private key")
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to sign, root certificate does not match private key")
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -213,7 +224,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	// failed key write
 |  |  	// failed key write
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "/do/not/write/pleasecrt", "-out-key", "/do/not/write/pleasekey", "-duration", "100m", "-subnets", "10.1.1.1/32"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "/do/not/write/pleasecrt", "-out-key", "/do/not/write/pleasekey", "-duration", "100m", "-subnets", "10.1.1.1/32"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while writing out-key: open /do/not/write/pleasekey: "+NoSuchDirError)
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while writing out-key: open /do/not/write/pleasekey: "+NoSuchDirError)
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -226,7 +237,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	// failed cert write
 |  |  	// failed cert write
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "/do/not/write/pleasecrt", "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", "/do/not/write/pleasecrt", "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32"}
 | 
											
												
													
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while writing out-crt: open /do/not/write/pleasecrt: "+NoSuchDirError)
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while writing out-crt: open /do/not/write/pleasecrt: "+NoSuchDirError)
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
 | 
											
										
											
												
													
														|  | @@ -240,7 +251,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	// test proper cert with removed empty groups and subnets
 |  |  	// test proper cert with removed empty groups and subnets
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 | 
											
												
													
														|  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 |  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
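Review bot: This is the first case where `signCert` succeeds and writes the private key to `keyF`, yet only the error return and the two output buffers are asserted, and the first hunk of this diff drops the `//TODO: test file permissions` comment without adding that check. After `assert.Nil(t, signCert(args, ob, eb, nopw))` add `fi, err := os.Stat(keyF.Name()); assert.NoError(t, err); assert.Equal(t, os.FileMode(0600), fi.Mode().Perm())`, with the mode set to whatever `signCert` is intended to use (the implementation is not visible here). `keyF` appears to be created by the test before the call (outside this hunk, presumably via a temp-file helper), so the assertion should target the mode `signCert` leaves on disk rather than the one the helper created it with. Test_signCert continues outside the hunk.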
 | 
											
										
											
												
													
														|  | @@ -283,7 +294,7 @@ func Test_signCert(t *testing.T) {
 | 
											
												
													
														|  |  	os.Remove(crtF.Name())
 |  |  	os.Remove(crtF.Name())
 | 
											
												
													
														|  |  	ob.Reset()
 |  |  	ob.Reset()
 | 
											
												
													
														|  |  	eb.Reset()
 |  |  	eb.Reset()
 | 
											
												
													
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-in-pub", inPubF.Name(), "-duration", "100m", "-groups", "1"}
 |  | 
 | 
											
												
													
														|  | 
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-in-pub", inPubF.Name(), "-duration", "100m", "-groups", "1"}
 | 
											
												
													
														|  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 |  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 | 
											
												
													
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
 | 
											
												
													
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -300,7 +311,7 @@ func Test_signCert(t *testing.T) {
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  |  	os.Remove(keyF.Name())
 |  |  	os.Remove(keyF.Name())
														|  |  	os.Remove(crtF.Name())
 |  |  	os.Remove(crtF.Name())
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "1000m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "1000m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while signing: certificate expires after signing certificate")
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "error while signing: certificate expires after signing certificate")
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -308,14 +319,14 @@ func Test_signCert(t *testing.T) {
														|  |  	// create valid cert/key for overwrite tests
 |  |  	// create valid cert/key for overwrite tests
														|  |  	os.Remove(keyF.Name())
 |  |  	os.Remove(keyF.Name())
														|  |  	os.Remove(crtF.Name())
 |  |  	os.Remove(crtF.Name())
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 |  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
														|  |  
 |  |  
														|  |  	// test that we won't overwrite existing key file
 |  |  	// test that we won't overwrite existing key file
														|  |  	os.Remove(crtF.Name())
 |  |  	os.Remove(crtF.Name())
														|  |  	ob.Reset()
 |  |  	ob.Reset()
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to overwrite existing key: "+keyF.Name())
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to overwrite existing key: "+keyF.Name())
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -323,14 +334,14 @@ func Test_signCert(t *testing.T) {
														|  |  	// create valid cert/key for overwrite tests
 |  |  	// create valid cert/key for overwrite tests
														|  |  	os.Remove(keyF.Name())
 |  |  	os.Remove(keyF.Name())
														|  |  	os.Remove(crtF.Name())
 |  |  	os.Remove(crtF.Name())
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
 |  |  	assert.Nil(t, signCert(args, ob, eb, nopw))
														|  |  
 |  |  
														|  |  	// test that we won't overwrite existing certificate file
 |  |  	// test that we won't overwrite existing certificate file
														|  |  	os.Remove(keyF.Name())
 |  |  	os.Remove(keyF.Name())
														|  |  	ob.Reset()
 |  |  	ob.Reset()
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to overwrite existing cert: "+crtF.Name())
 |  |  	assert.EqualError(t, signCert(args, ob, eb, nopw), "refusing to overwrite existing cert: "+crtF.Name())
														|  |  	assert.Empty(t, ob.String())
 |  |  	assert.Empty(t, ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -362,7 +373,7 @@ func Test_signCert(t *testing.T) {
														|  |  	caCrtF.Write(b)
 |  |  	caCrtF.Write(b)
														|  |  
 |  |  
														|  |  	// test with the proper password
 |  |  	// test with the proper password
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Nil(t, signCert(args, ob, eb, testpw))
 |  |  	assert.Nil(t, signCert(args, ob, eb, testpw))
														|  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
 |  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -372,7 +383,7 @@ func Test_signCert(t *testing.T) {
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  |  
 |  |  
														|  |  	testpw.password = []byte("invalid password")
 |  |  	testpw.password = []byte("invalid password")
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Error(t, signCert(args, ob, eb, testpw))
 |  |  	assert.Error(t, signCert(args, ob, eb, testpw))
														|  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
 |  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())
														|  | @@ -381,7 +392,7 @@ func Test_signCert(t *testing.T) {
														|  |  	ob.Reset()
 |  |  	ob.Reset()
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  |  
 |  |  
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Error(t, signCert(args, ob, eb, nopw))
 |  |  	assert.Error(t, signCert(args, ob, eb, nopw))
														|  |  	// normally the user hitting enter on the prompt would add newlines between these
 |  |  	// normally the user hitting enter on the prompt would add newlines between these
														|  |  	assert.Equal(t, "Enter passphrase: Enter passphrase: Enter passphrase: Enter passphrase: Enter passphrase: ", ob.String())
 |  |  	assert.Equal(t, "Enter passphrase: Enter passphrase: Enter passphrase: Enter passphrase: Enter passphrase: ", ob.String())
														|  | @@ -391,7 +402,7 @@ func Test_signCert(t *testing.T) {
														|  |  	ob.Reset()
 |  |  	ob.Reset()
														|  |  	eb.Reset()
 |  |  	eb.Reset()
														|  |  
 |  |  
														|  | -	args = []string{"-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
 |  | +	args = []string{"-version", "1", "-ca-crt", caCrtF.Name(), "-ca-key", caKeyF.Name(), "-name", "test", "-ip", "1.1.1.1/24", "-out-crt", crtF.Name(), "-out-key", keyF.Name(), "-duration", "100m", "-subnets", "10.1.1.1/32, ,   10.2.2.2/32   ,   ,  ,, 10.5.5.5/32", "-groups", "1,,   2    ,        ,,,3,4,5"}
														|  |  	assert.Error(t, signCert(args, ob, eb, errpw))
 |  |  	assert.Error(t, signCert(args, ob, eb, errpw))
														|  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
 |  |  	assert.Equal(t, "Enter passphrase: ", ob.String())
														|  |  	assert.Empty(t, eb.String())
 |  |  	assert.Empty(t, eb.String())