package tls import ( "testing" "time" ) func getCa(validFrom time.Time, issuerCertLifetime time.Duration, endCertLifetime time.Duration) (*CA, error) { key, err := GenerateKey() if err != nil { return nil, err } ca, err := CreateRootCA("fake-name", key, Validity{ValidFrom: &validFrom, Lifetime: issuerCertLifetime}) if err != nil { return nil, err } return NewCA(ca.Cred, Validity{ValidFrom: &validFrom, Lifetime: endCertLifetime}), nil } func TestCaIssuesCertsWithCorrectExpiration(t *testing.T) { validFrom := time.Now().UTC().Round(time.Second) testCases := []struct { desc string validFrom time.Time issuerLifeTime time.Duration endCertLifetime time.Duration expectedCertExpiration time.Time }{ { desc: "issuer cert expires after end cert", validFrom: validFrom, issuerLifeTime: time.Hour * 48, endCertLifetime: time.Hour * 24, expectedCertExpiration: validFrom.Add(time.Hour * 24).Add(DefaultClockSkewAllowance), }, { desc: "issuer cert expires before end cert", validFrom: validFrom, issuerLifeTime: time.Hour * 10, endCertLifetime: time.Hour * 24, expectedCertExpiration: validFrom.Add(time.Hour * 10).Add(DefaultClockSkewAllowance), }, } for _, tc := range testCases { tc := tc t.Run(tc.desc, func(t *testing.T) { ca, err := getCa(tc.validFrom, tc.issuerLifeTime, tc.endCertLifetime) if err != nil { t.Fatalf("Unexpected error: %s", err) } crt, err := ca.GenerateEndEntityCred("fake-name") if err != nil { t.Fatalf("Unexpected error: %s", err) } if crt.Certificate.NotAfter != tc.expectedCertExpiration { t.Fatalf("Expected cert expiration %v but got %v", tc.expectedCertExpiration, crt.Certificate.NotAfter) } }) } }