Cleanup testing and print statements (mozilla-services#4)

* Refactor verification to handle passing multiple cert pools (#2) * pass VerifyOptions instead of one cert pool Signed-off-by: Meredith Lancaster <[email protected]> * add eku usage to test Signed-off-by: Meredith Lancaster <[email protected]> * add new method for non breaking changes Signed-off-by: Meredith Lancaster <[email protected]> * add default EKU settings Signed-off-by: Meredith Lancaster <[email protected]> * verifySignatureAtTime should be used Signed-off-by: Meredith Lancaster <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]> * remove print statements made during testing Signed-off-by: Meredith Lancaster <[email protected]> * fix tests that were accidentally updated Signed-off-by: Meredith Lancaster <[email protected]> * comment out use of more insecure algorithms Signed-off-by: Meredith Lancaster <[email protected]> * use GODEBUG so tests can run with sha1 algorithm Signed-off-by: Meredith Lancaster <[email protected]> * add sha1 algorithms back Signed-off-by: Meredith Lancaster <[email protected]> * update comment Signed-off-by: Meredith Lancaster <[email protected]> * Cleanup tests (#3) * remove print statements made during testing Signed-off-by: Meredith Lancaster <[email protected]> * comment out use of more insecure algorithms Signed-off-by: Meredith Lancaster <[email protected]> * use GODEBUG so tests can run with sha1 algorithm Signed-off-by: Meredith Lancaster <[email protected]> * add sha1 algorithms back Signed-off-by: Meredith Lancaster <[email protected]> * update comment Signed-off-by: Meredith Lancaster <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]> --------- Signed-off-by: Meredith Lancaster <[email protected]>
gravitational · Jul 13, 2023 · c24e9dc · c24e9dc
1 parent 51331cc
commit c24e9dc
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 13 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,4 +20,9 @@ jobs:
         go-version: ${{ matrix.go }}
         stable: false
     - name: Test
+      env:
+        # set this environment variable to true so tests can be run with the
+        # sha1 algorithm. Without this set, tests fail because Go notes the
+        # SHA1 algorithm as insecure
+        GODEBUG: x509sha1=1
       run: go vet . && go build . && go test -count=1 -covermode=count -coverprofile=coverage.out .
diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 all: vet staticcheck test
 
 test:
-	go test -covermode=count -coverprofile=coverage.out .
+	GODEBUG=x509sha1=1 go test -covermode=count -coverprofile=coverage.out .
 
 showcoverage: test
 	go tool cover -html=coverage.out

diff --git a/pkcs7_test.go b/pkcs7_test.go
@@ -12,9 +12,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
-	"log"
 	"math/big"
-	"os"
 	"time"
 )
 
@@ -283,7 +281,6 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509
 		issuerKey = priv
 	}
 
-	log.Println("creating cert", name, "issued by", issuerCert.Subject.CommonName, "with sigalg", sigAlg)
 	switch priv.(type) {
 	case *rsa.PrivateKey:
 		switch issuerKey := issuerKey.(type) {
@@ -341,7 +338,6 @@ func createTestCertificateByIssuer(name string, issuer *certKeyPair, sigAlg x509
 	if err != nil {
 		return nil, err
 	}
-	pem.Encode(os.Stdout, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
 	return &certKeyPair{
 		Certificate: cert,
 		PrivateKey:  &priv,

diff --git a/sign_test.go b/sign_test.go
@@ -9,7 +9,6 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
-	"log"
 	"math/big"
 	"os"
 	"os/exec"
@@ -48,7 +47,6 @@ func TestSign(t *testing.T) {
 					t.Fatalf("test %s/%s/%s: cannot generate signer cert: %s", sigalgroot, sigalginter, sigalgsigner, err)
 				}
 				for _, testDetach := range []bool{false, true} {
-					log.Printf("test %s/%s/%s detached %t\n", sigalgroot, sigalginter, sigalgsigner, testDetach)
 					toBeSigned, err := NewSignedData(content)
 					if err != nil {
 						t.Fatalf("test %s/%s/%s: cannot initialize signed data: %s", sigalgroot, sigalginter, sigalgsigner, err)
@@ -68,7 +66,6 @@ func TestSign(t *testing.T) {
 					if err != nil {
 						t.Fatalf("test %s/%s/%s: cannot finish signing data: %s", sigalgroot, sigalginter, sigalgsigner, err)
 					}
-					pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed})
 					p7, err := Parse(signed)
 					if err != nil {
 						t.Fatalf("test %s/%s/%s: cannot parse signed data: %s", sigalgroot, sigalginter, sigalgsigner, err)
@@ -183,7 +180,6 @@ func TestSignWithoutAttributes(t *testing.T) {
 				t.Fatalf("test %s/%s: cannot generate signer cert: %s", sigalgroot, sigalgsigner, err)
 			}
 			for _, testDetach := range []bool{false, true} {
-				log.Printf("test %s/%s/%s detached %t\n", sigalgroot, sigalgroot, sigalgsigner, testDetach)
 				toBeSigned, err := NewSignedData(content)
 				if err != nil {
 					t.Fatalf("test %s/%s: cannot initialize signed data: %s", sigalgroot, sigalgsigner, err)
@@ -203,7 +199,6 @@ func TestSignWithoutAttributes(t *testing.T) {
 				if err != nil {
 					t.Fatalf("test %s/%s: cannot finish signing data: %s", sigalgroot, sigalgsigner, err)
 				}
-				pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: signed})
 				p7, err := Parse(signed)
 				if err != nil {
 					t.Fatalf("test %s/%s: cannot parse signed data: %s", sigalgroot, sigalgsigner, err)
@@ -249,11 +244,10 @@ func ExampleSignedData() {
 	signedData.Detach()
 
 	// Finish() to obtain the signature bytes
-	detachedSignature, err := signedData.Finish()
+	_, err = signedData.Finish()
 	if err != nil {
 		fmt.Printf("Cannot finish signing data: %s", err)
 	}
-	pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: detachedSignature})
 }
 
 func TestSetContentType(t *testing.T) {
@@ -330,7 +324,6 @@ func TestDegenerateCertificate(t *testing.T) {
 		t.Fatal(err)
 	}
 	testOpenSSLParse(t, deg)
-	pem.Encode(os.Stdout, &pem.Block{Type: "PKCS7", Bytes: deg})
 }
 
 func TestSkipCertificates(t *testing.T) {