Update PKI provider's test suite to ensure chained certificates work …

…as expected

backend/test.go

@@ -9,60 +9,81 @@ import (
 )
 
 var testingCert = []byte(`-----BEGIN CERTIFICATE-----
-MIIEJzCCAw+gAwIBAgIUG579BxCtbC0pf7fiKupsvH9Xz9swDQYJKoZIhvcNAQEL
-BQAwgaIxCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwH
-VGFsbGlubjEXMBUGA1UECgwOU2VuZHNtYWlseSBMTEMxDzANBgNVBAsMBkRldk9w
-czEiMCAGA1UEAwwZUEtJIHByb3ZpZGVyIHRlc3Rpbmcgcm9vdDEgMB4GCSqGSIb3
-DQEJARYRZGV2b3BzQHNtYWlseS5jb20wHhcNMTkwODI3MDYyMTM2WhcNMjkwODI0
-MDYyMTM2WjCBojELMAkGA1UEBhMCRUUxETAPBgNVBAgMCEhhcmp1bWFhMRAwDgYD
-VQQHDAdUYWxsaW5uMRcwFQYDVQQKDA5TZW5kc21haWx5IExMQzEPMA0GA1UECwwG
-RGV2T3BzMSIwIAYDVQQDDBlQS0kgcHJvdmlkZXIgdGVzdGluZyByb290MSAwHgYJ
-KoZIhvcNAQkBFhFkZXZvcHNAc21haWx5LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAOax1uVaNP6vYzERF/yy70ePs2qsyzwRZd2WWde3RXlKyA4H
-vQfMMW3qKf9wRBfLlM7nUuYZjYg7TwGeZ99PSPaLVNktPmngWAi7q4aSru+l6tvq
-LE46TD1s5otyhDeMhUx01w1Mwt17nJs267ROUQ2G/bsMKWbpxjTd22s0KpbuFXXT
-DwdUa4PdW1gw5M/d9yYSUeEeFUKI2p9BpozQBF5k5IXXhp2eZUnJRziI2lOqQtcn
-RIQJ8nYnGMflbeGlawhReHWyNSZGZZtgy+z8FFMVgGLD4FGN9Sls0iEE0G6uEVOx
-Q0FdlmBgTVRsxU7QS6U6iGlgE56HuaiL8BYCUhUCAwEAAaNTMFEwHQYDVR0OBBYE
-FCXrOddgfKQ8RZBriX4P7zd9Ez3iMB8GA1UdIwQYMBaAFCXrOddgfKQ8RZBriX4P
-7zd9Ez3iMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMvcZV2f
-AIx9g08B4NdyV4T4LxVICIGpvqlq0WLO4eprLZmMq+Vik1TJqIsuaeTOM5FXj4ZF
-eAS2+USGFOaWIJbWuwkiwvdmJiGIS8JhKicOutgQ+XUbPO/w3hORxMJlVr7TBVdf
-GLJRURfPww4J8oIP9d9ZswEzZg0wntFtV6L8JrcQKEENsDam7wS6TfrcOZ0msaMW
-xsNU9wnqEf8sHfHdJ5/DoZxjErQp69TDN+pD+mMf5e4/dnY67AOZXOA2j63GUNXC
-Ke/ouNT5TyiYIndJNNOEN46RAML21aTAdixK+l2VCPz0C04eFJ3qZ4YBREg1Gc8a
-qBKL27koGZ9HZ1w=
+MIIEBDCCAuygAwIBAgIUQLjy+87FJI8Rnk43XPmhzylOI/QwDQYJKoZIhvcNAQEL
+BQAwgYMxCzAJBgNVBAYTAkVFMREwDwYDVQQIEwhIYXJqdW1hYTEQMA4GA1UEBxMH
+VGFsbGlubjEYMBYGA1UEChMPU2VuZHNtYWlseSwgTExDMQ8wDQYDVQQLEwZEZXZP
+cHMxJDAiBgNVBAMTG1BLSSBQcm92aWRlciBUZXN0IEF1dGhvcml0eTAeFw0xOTEw
+MTExMDA1MDBaFw0yOTEwMDgxMDA1MDBaMIGLMQswCQYDVQQGEwJFRTERMA8GA1UE
+CBMISGFyanVtYWExEDAOBgNVBAcTB1RhbGxpbm4xGDAWBgNVBAoTD1NlbmRzbWFp
+bHksIExMQzEPMA0GA1UECxMGRGV2T3BzMSwwKgYDVQQDEyNQS0kgUHJvdmlkZXIg
+SW50ZXJtZWRpYXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBALD3IgX/vXHSJtyjywdV23ASpKaZDGtZ8/64VLhxteGFP7oIy7jGwpX8
+vfDs5pHkcFg9AaEzZDSrRyevc9/vjNcC2LFzHSWiVjbkX9sjFUodgKUYtYDDILy3
+pFM5oVsr9oSqrk5I8bJoXswh9RRzg1l1MoDZ1vVBD1QKyR9ie+eGndllEJKBWdyQ
+5z2hNC64eMyve0RSNtKUe0JdeQYWOq9QLPrdaxMYLyuKg78r+FD/QoA9e5Gh4z4r
+9kvaNK1rCCCbtttb1L3qWGZjM8fd5bN2ZLFMnAndFtHOqeDUJzkOmHwv/DDC/K5x
+bUfLME94cRopSeU49T51eO5bc4rXmCcCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgGG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFCpyKAfkIQ9QJhSH9AhtSmUC
+d9/3MB8GA1UdIwQYMBaAFN1cGYQCHrd4XsoxF9sYB5lcDoFEMA0GCSqGSIb3DQEB
+CwUAA4IBAQBPnf+AwHgXMqDLbZYs8068mgyHuoxm15FzQVjc4opNBkb9dnrsSdKV
+MWk83wActR4E6TmDytqe9PFitqG5D8xgpczH9ouYjIvCOhqfOAnJJnzrMpmgfzO0
+eITn+qpbXdCpqs8zwgwFhP0WpsNiC/TH0NfvX0YR9httPi1UttVsrdF8T3MewLNY
+2U25gQZJbXV+UzttEy/kGnV7/wFzG76uA6aSjr6FkOYTptJhE49/SNXADyCNs7bl
++q5e0uyVTt35EyOjnucR1vCkKqjo5oVNVsH7OXmJT+KkgHqGtEQOBdXIhvgpUph3
+S+08Hkn4jKpFv4niU2zEVMe+xazUm8jC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIID2DCCAsCgAwIBAgIUBA9Y/OGy5NOWfcA9XnNac7eekvMwDQYJKoZIhvcNAQEL
+BQAwgYMxCzAJBgNVBAYTAkVFMREwDwYDVQQIEwhIYXJqdW1hYTEQMA4GA1UEBxMH
+VGFsbGlubjEYMBYGA1UEChMPU2VuZHNtYWlseSwgTExDMQ8wDQYDVQQLEwZEZXZP
+cHMxJDAiBgNVBAMTG1BLSSBQcm92aWRlciBUZXN0IEF1dGhvcml0eTAeFw0xOTEw
+MTExMDA0MDBaFw0zNDEwMDcxMDA0MDBaMIGDMQswCQYDVQQGEwJFRTERMA8GA1UE
+CBMISGFyanVtYWExEDAOBgNVBAcTB1RhbGxpbm4xGDAWBgNVBAoTD1NlbmRzbWFp
+bHksIExMQzEPMA0GA1UECxMGRGV2T3BzMSQwIgYDVQQDExtQS0kgUHJvdmlkZXIg
+VGVzdCBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/
+VJi1/+k+B0+6cS8GqC4UVUzB+qjmpmLgWT4SGNmevAlAUA++lFQhvS9GdTzxE9lt
+BB3zEdlpzOyvXUdwU2tgTw8QDCcdtmlYVdS9FjYCaF8gn25c0rbd5uqqPHqJJycP
+QbChmR+W8zZT8afrdGGyLZC1lxs8JgSOnfhdnFU1LZUZf3PRuAsWW3Z4ysBagm1u
+j4bD13HT1KJBanh27b7bmJI5LcjHR0uI7WNk1d5a6lOMHOTm+e5Fps7vU/sHJUwf
+6bpmEWuT1hWA248QUDgMhx9IkgtkD85YxpFWyK3v+9UAfhGLUrYAXwDjfXIooIeP
+2gtPKm0fI9eCkWmgdi6jAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+Af8EBTADAQH/MB0GA1UdDgQWBBTdXBmEAh63eF7KMRfbGAeZXA6BRDANBgkqhkiG
+9w0BAQsFAAOCAQEAIO9f9SxI44/96brJgU4taWWZTyN4SrBHtCGP+flRolHf74IR
+Gq9tW8oTWGqkV61Zfc5VXlUkh75eqsgUfe9XWkqZvbuM4idg55+8YTgQgYgZg2+T
+iIXYCg/NT6F+hq7+cm5UwNFZcHHAwa2chqCVEXcYB3ioWQ8TZMc4VKApf7/c0al8
+TgZzX1nhb2jFhZP/UfsfFQSAzydaplvEvLye+6DNu0b89W6fok4lgjTsnxNDoi9i
+vPNKSBR/D5I1XAoVzlPZFe5gAnJb09zhfQoK6NNPsSgkVlTeBzkQX2wZh5hPq78l
+MkIozXyZfT0YlCIwRnXJRkt/wNGuQYN6dmFQ6g==
 -----END CERTIFICATE-----
 `)
 
-var testingKey = []byte(`-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDmsdblWjT+r2Mx
-ERf8su9Hj7NqrMs8EWXdllnXt0V5SsgOB70HzDFt6in/cEQXy5TO51LmGY2IO08B
-nmffT0j2i1TZLT5p4FgIu6uGkq7vperb6ixOOkw9bOaLcoQ3jIVMdNcNTMLde5yb
-Nuu0TlENhv27DClm6cY03dtrNCqW7hV10w8HVGuD3VtYMOTP3fcmElHhHhVCiNqf
-QaaM0AReZOSF14adnmVJyUc4iNpTqkLXJ0SECfJ2JxjH5W3hpWsIUXh1sjUmRmWb
-YMvs/BRTFYBiw+BRjfUpbNIhBNBurhFTsUNBXZZgYE1UbMVO0EulOohpYBOeh7mo
-i/AWAlIVAgMBAAECggEAIZXAaFFyp6VW9ny7lkFijnOANkaDq/IId3L9D2eSCK93
-YnuD7I+wnoTZqmNotmIf/uM0cWVE8pFX1i9+hccgIyxzpM5uaLGNf2/677OJHkB0
-aaG044qfMM4a3jBEyWV+vnvAFyKWt/HYAczEEdLY//QoGkQR/vaHsYie+gN1M9Wc
-qUve5SOmRc9Q8KYyob6Q8YWsvhDzK3ZM2RGNOkXTXQEqTofA7MpXNjukto9GyrXl
-9QVlco29OIEPxp7bor9UQ7mRsb4dtufhPnZzyqhU9H3PDghLiLN/P6BZq0EvDEjs
-nwOBICaXPpaKK/zusZqOFZbop72hTvgefpxNyVufgQKBgQD4h+u9rWrOOXBJ3vib
-Cj4Ls8yqMERcutGQgmn1qu7KsY8e4Ijh4ja2y4LKRe/WsTARWduKXNmhgaYY0TRI
-fWc5g6v6Y7ofu9aw5vgIZmXMwOZS3D+1VOCQ71N5aYig5oyUyDsCYip9GkVoMtvk
-v+2ILcqCejxH7s722bamrP3MtQKBgQDtoLHkF8IUmTAPWtDmCmOA3nebuxu/OhtB
-b6kvE2+vEVvXTx9hgR6lYci63pTmSAJz9BHWwcKpYqqwSEvuNaoOVyvha0vkqYc7
-r2ZecsFT6xVnpZrMbsOpvoYIhxyafySZ+w0R5igWUUyzbMWi9x6o8/1rQnG2lKn9
-vMELi7Mr4QKBgQDcCUK++RVxpcrzrBRA9+184OAX4Yn063X00nHLjl3CWTfUZ4jp
-LCWy6zVNrmOsmc1r3zmPI6uO4UFUAYyfjV9hvWD622aDCAQJNURt83K3uCVzQQqq
-mY4E487s1HGhutzGMQyFjLH/ds3ydezXdtFvWtNLd7t9GEJmrNSYdtpxbQKBgCt9
-D1FpL7HJX0xQGI8hM5iwHj+3/JoArmBJaTMeYYAusxoydtHHaa5muO/KMIH8h8Zk
-0qb1CwUo84gTkyHjXF4HghZdJqSQihlYPmnmoo8TJPW1DyF+2/xCzBDfeVKlFjPA
-CGJQNuHuuxTTQVBT3Z6aGLT6kgkSKBIx6zqLtJzBAoGAOb99J2wnnleJRSitUpaJ
-NnVAaPlTRVkAVgYDbY4bLbz4uz6wSnS5iYfH8wp3kHhBSTps6F40FP2WuRU2EesD
-zDXiVO/FX+R5c6+iHW+Doi5LiAsavFtXQDxXgrozXBgkCbuarvqH3xk3It3PNgcf
-M/e/i4JlQtMxFlVUin8PgUE=
------END PRIVATE KEY-----
+var testingKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsPciBf+9cdIm3KPLB1XbcBKkppkMa1nz/rhUuHG14YU/ugjL
+uMbClfy98OzmkeRwWD0BoTNkNKtHJ69z3++M1wLYsXMdJaJWNuRf2yMVSh2ApRi1
+gMMgvLekUzmhWyv2hKquTkjxsmhezCH1FHODWXUygNnW9UEPVArJH2J754ad2WUQ
+koFZ3JDnPaE0Lrh4zK97RFI20pR7Ql15BhY6r1As+t1rExgvK4qDvyv4UP9CgD17
+kaHjPiv2S9o0rWsIIJu221vUvepYZmMzx93ls3ZksUycCd0W0c6p4NQnOQ6YfC/8
+MML8rnFtR8swT3hxGilJ5Tj1PnV47ltziteYJwIDAQABAoIBAFqumRm33i0oQk/I
+Ay8EGQmKFCNmxA1yr+x0Kr3FTy18aZZ8EWDjQS04sWB3FQPnqoYc5Ovk+NFgf3rf
+lqJHD8XSKJZt5Z62XDWOu2wAw1USXyy6x69uziTGegdHvd6JXa7IA8AL8wa4IvO5
+5uuO8dzyiGmst1FAAInRaRSTE+kkoTJSsE+81/S1nxS+P4xf81TG0AhWE/ArRCoq
+HpemQLgFEaXSN+ArFA+bMFXxM3Z1tOdQLCE5NTcURZgPMZkRAn/7h49PMYmPGsG/
+H6cQWZCz9ojOenLv1CFLfKuSqJvbhePRyClMATHklR/hPtKmCFofc9X2DJ0NlTJD
+czcRxskCgYEA1u0ZKEvrJGWgB6CjlYoktSi3bUvrelHaP61XiPl5EZKPQWQx1TUG
+LROr+fZsHZ1OcYbwQ9PCAlFN+GXITc0QXWMcoL45u9RrQyn2tqss1pybAM131YnI
+zBiBwIcOMq1/nTbrM2icEMczgEWhchduL2Ra0oO4TKyI9BfMa4udoDMCgYEA0sjd
+uoj5M8SjA8YFtJOsZWSbNYRNuyq9UzmfVdMN9iawF2flqqjol1gwgAiSaTzRXQOZ
+fyxEUI2J/WiHqcEDA7UK2xdD86ktVR/uJrpXRYYnrax/E6YIFkzYPFFitCKix7ba
+O0MT5grELiZ314sCRJNA3RMrpLovxCmqk6b55D0CgYAZKqY5e7pLBsNYYU0GY6is
+tdnUqIEoT5FYx3lqhpvQnPK9W3giWRUiDh2jJWG/jf3zeTOFHbSoBNE2duSfh5WU
++dgOUnf8MIFm2fETrrOPZcMYsvaHQJ0MmQoIe0gEUyCQTi/4UxWDOXAkYwLmkyvJ
+zNx9rgLUp5dZzbeYGD8a1QKBgGib8Zba1bqAc1qzEy/MPjnP1UuZDq6+Blngdhg0
+92/bQXdMQ+oPi+dYiDFyj58U5N7ho3M+9+R2ai5Oi02PEbzsQ6f6AupRYsMlZp7n
+ydoiO1zxB9wrgUX3+zTsOy0lJ14wfFv+7Ug0vaodw0pAne6EmiNdmUJWeNBE0XgX
+3VsNAoGAfMw29/Wa1pgzXZL6lvUTpHIjcZr0OujOCYWAt69wPa26ZcAusDNr8QCv
+wxWxMbCyOnHfL5HYqi4AFCmXkN4KcF+aOh/rJLHfYyRStrR4GOrBSjL4oTbb0mgs
+NC/3eW/RhqeK872hSJW1kWQpXrvzJkErLAe0VHi8MZhdSxk47Ng=
+-----END RSA PRIVATE KEY-----
 `)
 
 // NewTestBackend creates a new test CA backend.
@@ -77,14 +98,18 @@ type TestBackend struct{}
 func (b TestBackend) Load(ca string) (cert *tls.Certificate, err error) {
 	cert = &tls.Certificate{}
 
-	block, _ := pem.Decode(testingCert)
-	if block == nil {
-		return nil, errors.New("got empty decode result for certificate")
+	raw := testingCert
+	for {
+		block, rest := pem.Decode(raw)
+		if block == nil {
+			break
+		} else if block.Type == "CERTIFICATE" {
+			cert.Certificate = append(cert.Certificate, block.Bytes)
+		}
+		raw = rest
 	}
 
-	cert.Certificate = append(cert.Certificate, block.Bytes)
-
-	block, _ = pem.Decode(testingKey)
+	block, _ := pem.Decode(testingKey)
 	if block == nil {
 		return nil, errors.New("got empty decode result for private key")
 	}

driver/driver_test.go

@@ -43,7 +43,7 @@ var _ = Describe("PKI Docker secret provider driver", func() {
 				cert, err := parsePKIBundle(bundle)
 				Expect(err).To(BeNil())
 
-				Expect(len(cert.Certificate)).To(Equal(2))
+				Expect(len(cert.Certificate)).To(Equal(3))
 				Expect(cert.PrivateKey).ToNot(BeNil())
 			})
 
@@ -54,17 +54,15 @@ var _ = Describe("PKI Docker secret provider driver", func() {
 				signedCert, err := x509.ParseCertificate(cert.Certificate[0])
 				Expect(err).To(BeNil())
 
-				rootCert, err := x509.ParseCertificate(cert.Certificate[1])
-				Expect(err).To(BeNil())
+				intermediateCert, err := x509.ParseCertificate(cert.Certificate[1])
 
-				// Sanity check to validate the root cert is in the `rootCert` variable,
-				// and not the other way around. This works on the assumption that root
-				// certificate is self signed (which it is with the testing backend).
-				Expect(rootCert.AuthorityKeyId).To(Equal(rootCert.SubjectKeyId))
+				rootCert, err := x509.ParseCertificate(cert.Certificate[2])
+				Expect(err).To(BeNil())
 
 				// As per RFC 3280, section 4.2.1.1 and 4.2.1.2:
 				// https://tools.ietf.org/html/rfc3280#section-4.2.1.1
-				Expect(signedCert.AuthorityKeyId).To(Equal(rootCert.SubjectKeyId))
+				Expect(signedCert.AuthorityKeyId).To(Equal(intermediateCert.SubjectKeyId))
+				Expect(intermediateCert.AuthorityKeyId).To(Equal(rootCert.SubjectKeyId))
 			})
 		})
 	})