Add the steps to generate the CRL test's test-fixture files

builtin/credential/cert/backend_test.go

@@ -101,6 +101,15 @@ func connectionState(t *testing.T, serverCAPath, serverCertPath, serverKeyPath,
 	return connState
 }
 
+func failOnError(t *testing.T, resp *logical.Response, err error) {
+	if resp != nil && resp.IsError() {
+		t.Fatalf("error returned in response: %s", resp.Data["error"])
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestBackend_CRLs(t *testing.T) {
 	config := logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
@@ -130,10 +139,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Data:      certData,
 	}
 
-	_, err = b.HandleRequest(certReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err := b.HandleRequest(certReq)
+	failOnError(t, resp, err)
 
 	// Connection state is presenting the client CA cert and its key.
 	// This is exactly what is registered at the backend.
@@ -146,13 +153,8 @@ func TestBackend_CRLs(t *testing.T) {
 			ConnState: &connState,
 		},
 	}
-	resp, err := b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	resp, err = b.HandleRequest(loginReq)
+	failOnError(t, resp, err)
 
 	// Now, without changing the registered client CA cert, present from
 	// the client side, a cert issued using the registered CA.
@@ -161,12 +163,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	failOnError(t, resp, err)
 
 	// Register a CRL containing the issued client certificate used above.
 	issuedCRL, err := ioutil.ReadFile(testIssuedCertCRL)
@@ -183,10 +180,8 @@ func TestBackend_CRLs(t *testing.T) {
 		Path:      "crls/issuedcrl",
 		Data:      crlData,
 	}
-	_, err = b.HandleRequest(crlReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(crlReq)
+	failOnError(t, resp, err)
 
 	// Attempt login with the revoked certificate.
 	resp, err = b.HandleRequest(loginReq)
@@ -203,10 +198,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	certData["certificate"] = clientCA2
-	_, err = b.HandleRequest(certReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(certReq)
+	failOnError(t, resp, err)
 
 	// Test login using a different client CA cert pair.
 	connState = connectionState(t, serverCAPath, serverCertPath, serverKeyPath, testRootCACertPath2, testRootCAKeyPath2)
@@ -214,12 +207,7 @@ func TestBackend_CRLs(t *testing.T) {
 
 	// Attempt login with the updated connection
 	resp, err = b.HandleRequest(loginReq)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if resp == nil || resp.IsError() {
-		t.Fatalf("failed to login")
-	}
+	failOnError(t, resp, err)
 
 	// Register a CRL containing the root CA certificate used above.
 	rootCRL, err := ioutil.ReadFile(testRootCertCRL)
@@ -227,10 +215,8 @@ func TestBackend_CRLs(t *testing.T) {
 		t.Fatal(err)
 	}
 	crlData["crl"] = rootCRL
-	_, err = b.HandleRequest(crlReq)
-	if err != nil {
-		t.Fatal(err)
-	}
+	resp, err = b.HandleRequest(crlReq)
+	failOnError(t, resp, err)
 
 	// Attempt login with the same connection state but with the CRL registered
 	resp, err = b.HandleRequest(loginReq)

builtin/credential/cert/test-fixtures/generate.txt

@@ -0,0 +1,67 @@
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi cacert.pem
+vi cakey.pem
+
+vaultcert.hcl
+backend "inmem" {
+}
+disable_mlock = true
+default_lease_ttl = "700h"
+max_lease_ttl = "720h"
+listener "tcp" {
+  address = "127.0.0.1:8200"
+  tls_cert_file = "./cacert.pem"
+  tls_key_file = "./cakey.pem"
+}
+========================================
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h max_ttl=438000h ip_sans=127.0.0.1
+vi testcacert1.pem
+vi testcakey1.pem
+vi testcaserial1
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault write pki/roles/myvault-dot-com allowed_domains=myvault.com allow_subdomains=true ttl=437999h max_ttl=438000h allow_ip_sans=true
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial1
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert2.pem
+vi testissuedkey2.pem
+vi testissuedserial2
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial3
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedcert4.pem
+vi testissuedkey4.pem
+vi testissuedserial4
+
+vault write pki/issue/myvault-dot-com common_name=cert.myvault.com format=pem ip_sans=127.0.0.1
+vi testissuedserial5
+
+vault write pki/revoke serial_number=$(cat testissuedserial2)
+vault write pki/revoke serial_number=$(cat testissuedserial4)
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > issuedcertcrl
+openssl crl -in issuedcertcrl -noout -text
+
+========================================
+export VAULT_ADDR='http://127.0.0.1:8200'
+vault mount pki
+vault mount-tune -max-lease-ttl=438000h pki
+vault write pki/root/generate/exported common_name=myvault.com ttl=438000h ip_sans=127.0.0.1
+vi testcacert2.pem
+vi testcakey2.pem
+vi testcaserial2
+vi testcacert2leaseid
+
+vault write pki/config/urls issuing_certificates="http://127.0.0.1:8200/v1/pki/ca" crl_distribution_points="http://127.0.0.1:8200/v1/pki/crl"
+vault revoke $(cat testcacert2leaseid)
+
+curl -XGET "http://127.0.0.1:8200/v1/pki/crl/pem" -H "x-vault-token:123" > cacert2crl
+openssl crl -in cacert2crl -noout -text