Add check_certificate and check_jwk_without_password

hslatman · hslatman · commit 193284278388 · 2025-06-17T16:23:24.000+02:00
diff --git a/integration/certificate_test.go b/integration/certificate_test.go
@@ -51,6 +51,9 @@ func TestCertificateSignCommand(t *testing.T) {
 
 			return nil
 		},
+		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
+			"check_certificate": checkCertificate,
+		},
 	})
 
 	testscript.Run(t, testscript.Params{
@@ -117,3 +120,13 @@ func TestCertificateFingerprintCommand(t *testing.T) {
 		},
 	})
 }
+
+func checkCertificate(ts *testscript.TestScript, neg bool, args []string) {
+	contents := ts.ReadFile("stdout") // directly reads from stdout of the previously executed command
+	bundle, err := pemutil.ParseCertificateBundle([]byte(contents))
+	ts.Check(err)
+
+	if len(bundle) != 1 {
+		ts.Fatalf("expected 1 certificate; got %d", len(bundle))
+	}
+}
diff --git a/integration/crypto_test.go b/integration/crypto_test.go
@@ -46,7 +46,8 @@ func TestCryptoJWKCreateRSACommand(t *testing.T) {
 			return os.WriteFile(filepath.Join(e.Cd, "password.txt"), []byte("password"), 0600)
 		},
 		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
-			"check_jwk": checkKeyPair,
+			"check_jwk":                  checkKeyPair,
+			"check_jwk_without_password": checkKeyPairWithoutPassword,
 		},
 	})
 }
@@ -58,7 +59,8 @@ func TestCryptoJWKCreateECCommand(t *testing.T) {
 			return os.WriteFile(filepath.Join(e.Cd, "password.txt"), []byte("password"), 0600)
 		},
 		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
-			"check_jwk": checkKeyPair,
+			"check_jwk":                  checkKeyPair,
+			"check_jwk_without_password": checkKeyPairWithoutPassword,
 		},
 	})
 }
@@ -70,7 +72,8 @@ func TestCryptoJWKCreateOKPCommand(t *testing.T) {
 			return os.WriteFile(filepath.Join(e.Cd, "password.txt"), []byte("password"), 0600)
 		},
 		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
-			"check_jwk": checkKeyPair,
+			"check_jwk":                  checkKeyPair,
+			"check_jwk_without_password": checkKeyPairWithoutPassword,
 		},
 	})
 }
@@ -82,7 +85,8 @@ func TestCryptoJWKCreateOctCommand(t *testing.T) {
 			return os.WriteFile(filepath.Join(e.Cd, "password.txt"), []byte("password"), 0600)
 		},
 		Cmds: map[string]func(ts *testscript.TestScript, neg bool, args []string){
-			"check_jwk": checkKeyPair,
+			"check_jwk":                  checkKeyPair,
+			"check_jwk_without_password": checkKeyPairWithoutPassword,
 		},
 	})
 }
@@ -311,16 +315,10 @@ func TestCryptoHelp(t *testing.T) {
 	})
 }
 
-// checkKeyPair checks that the public/private key pair is valid. It performs
-// the following checks:
-//
-//   - Read and parse the JWK public key, validating it's a valid public key
-//   - Read and parse the JWK private key, validating it's a valid private key
-//   - Compare the public and private key SHA-1 thumbprints to verify they match
-//   - The type of the key that was created
-//   - For RSA keys, the key size is the expected size
-//   - For EC keys, the key curve is the expected curve
-func checkKeyPair(ts *testscript.TestScript, neg bool, args []string) {
+// checkKeyPair checks that the public/private key pair provided as filenames in
+// the first and second argument is valid. It always uses the password "password".
+// Other validations are delegated to the checkKeyDetails function.
+func checkKeyPair(ts *testscript.TestScript, _ bool, args []string) {
 	if len(args) < 4 {
 		ts.Fatalf("expected at least 4 arguments, got %d", len(args))
 	}
@@ -330,6 +328,35 @@ func checkKeyPair(ts *testscript.TestScript, neg bool, args []string) {
 	priv, err := jose.ParseKey([]byte(ts.ReadFile(args[1])), jose.WithPassword([]byte("password")))
 	ts.Check(err)
 
+	checkKeyDetails(ts, pub, priv, args)
+}
+
+// checkKeyPair checks that the public/private key pair provided as filenames in
+// the first and second argument is valid. It assumes no password is set on the file.
+// Other validations are delegated to the checkKeyDetails function.
+func checkKeyPairWithoutPassword(ts *testscript.TestScript, _ bool, args []string) {
+	if len(args) < 4 {
+		ts.Fatalf("expected at least 4 arguments, got %d", len(args))
+	}
+
+	pub, err := jose.ParseKey([]byte(ts.ReadFile(args[0])))
+	ts.Check(err)
+	priv, err := jose.ParseKey([]byte(ts.ReadFile(args[1])))
+	ts.Check(err)
+
+	checkKeyDetails(ts, pub, priv, args)
+}
+
+// checkKeyDetails checks that the public/private key pair is valid. It performs
+// the following checks:
+//
+//   - Compare the public and private key SHA-1 thumbprints to verify they match
+//   - The type of the key that was created
+//   - For RSA keys, the key size is the expected size, and using the expected algorithm
+//   - For EC keys, the key curve is the expected curve, and using the expected algorithm
+//   - For OKP keys, the key curve is the expected curve, and using the expected algorithm
+//   - For oct keys, the key parts are of the expected type, and using the expected algorithm
+func checkKeyDetails(ts *testscript.TestScript, pub, priv *jose.JSONWebKey, args []string) {
 	keyType := strings.ToUpper(args[2])
 	if keyType == "OCT" {
 		if _, ok := pub.Key.([]byte); !ok {
diff --git a/integration/testdata/certificate/sign.txtar b/integration/testdata/certificate/sign.txtar
@@ -1,2 +1,2 @@
 exec step certificate sign test.csr cacert.pem cakey.pem
-stdout '-----BEGIN CERTIFICATE-----'
+check_certificate
diff --git a/integration/testdata/crypto/jwk-create-ec.txtar b/integration/testdata/crypto/jwk-create-ec.txtar
@@ -56,3 +56,13 @@ stderr 'alg ''ES384'' is not compatible with kty ''EC'' and crv ''P-256'''
 # EC P256 size fails
 ! exec step crypto jwk create --password-file password.txt --kty EC --crv P-256 --alg ES256 --size 2048 fail.pub fail.priv
 stderr 'flag ''--size'' is incompatible with ''--kty EC'''
+
+
+# EC P256 without password
+exec step crypto jwk create --no-password --insecure --kty EC ec-no-pass.pub ec-no-pass.priv 
+check_jwk_without_password ec-no-pass.pub ec-no-pass.priv ECDSA P-256
+
+
+# EC P256 without password without insecure fails
+! exec step crypto jwk create --no-password --kty EC fail.pub fail.priv 
+stderr 'flag ''--no-password'' requires the ''--insecure'' flag'
diff --git a/integration/testdata/crypto/jwk-create-oct.txtar b/integration/testdata/crypto/jwk-create-oct.txtar
@@ -86,3 +86,13 @@ stderr 'alg ''RS256'' is not compatible with kty ''oct'''
 # oct with curve fails 
 ! exec step crypto jwk create --password-file password.txt --kty oct --alg HS256 --size 32 --curve P-256 fail.pub fail.priv
 stderr 'flag ''--crv'' is incompatible with ''--kty oct'''
+
+
+# oct without password
+exec step crypto jwk create --no-password --insecure --kty oct oct-no-pass.pub oct-no-pass.priv 
+check_jwk_without_password oct-no-pass.pub oct-no-pass.priv oct HS256
+
+
+# oct without password without insecure fails
+! exec step crypto jwk create --no-password --kty oct fail.pub fail.priv 
+stderr 'flag ''--no-password'' requires the ''--insecure'' flag'
diff --git a/integration/testdata/crypto/jwk-create-okp.txtar b/integration/testdata/crypto/jwk-create-okp.txtar
@@ -31,3 +31,13 @@ stderr 'flag ''--size'' is incompatible with ''--kty OKP'''
 # bad key type
 ! exec step crypto jwk create --password-file password.txt --kty okp fail.pub fail.priv 
 stderr 'invalid value ''okp'' for flag ''--kty''; options are EC, RSA, OKP, or oct'
+
+
+# OKP without password
+exec step crypto jwk create --no-password --insecure --kty OKP okp-no-pass.pub okp-no-pass.priv 
+check_jwk_without_password okp-no-pass.pub okp-no-pass.priv OKP Ed25519
+
+
+# OKP without password without insecure fails
+! exec step crypto jwk create --no-password --kty OKP fail.pub fail.priv 
+stderr 'flag ''--no-password'' requires the ''--insecure'' flag'
diff --git a/integration/testdata/crypto/jwk-create-rsa.txtar b/integration/testdata/crypto/jwk-create-rsa.txtar
@@ -116,3 +116,13 @@ check_jwk kid.pub kid.priv RSA 2048 PS512
 # RSA 2048, with curve
 ! exec step crypto jwk create --password-file password.txt --kty RSA --size 2048 --alg RS256 --crv P-256 fail.pub fail.priv 
 stderr 'flag ''--crv'' is incompatible with ''--kty RSA'''
+
+
+# OKP without password
+exec step crypto jwk create --no-password --insecure --kty RSA rsa-no-pass.pub rsa-no-pass.priv 
+check_jwk_without_password rsa-no-pass.pub rsa-no-pass.priv RSA 2048 RS256
+
+
+# OKP without password without insecure fails
+! exec step crypto jwk create --no-password --kty RSA fail.pub fail.priv 
+stderr 'flag ''--no-password'' requires the ''--insecure'' flag'
diff --git a/integration/testdata/crypto/jwt-sign.txtar b/integration/testdata/crypto/jwt-sign.txtar
@@ -8,7 +8,6 @@ exec step crypto jwt sign -key p256.pem -iss TestIssuer -aud TestAudience -sub T
 stdout 'eyJhbGciOiJFUzI1NiIsImtpZCI6Ii1pZ1pNalRCdkhFRG02bjkxQkgwT0k4ZUhqQko2b0I3UlpIZFA0RE81U0EiLCJ0eXAiOiJKV1QifQ'
 
 
-
 # P-256 sign fails with JSON public key 
 ! exec step crypto jwt sign -key p256.pub.json -iss TestIssuer -aud TestAudience -sub TestSubject -nbf $NBF -iat $IAT -exp $EXP
 stderr 'cannot use a public key for signing'
diff --git a/internal/cmd/root.go b/internal/cmd/root.go
diff --git a/internal/cmd/root_test.go b/internal/cmd/root_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`exec step certificate sign test.csr cacert.pem cakey.pem`
`2`		`-stdout '-----BEGIN CERTIFICATE-----'`
	`2`	`+check_certificate`