certmanager updated

internal/logic/issuer.go

@@ -5,8 +5,8 @@ import (
 	"fmt"
 
 	"crypto/x509"
-	"encoding/base64"
-	"encoding/pem"
+	//"encoding/base64"
+	//"encoding/pem"
 
 	cmapi "certmanager/api/certmanagercontrol"
 	"certmanager/internal/descriptor"
@@ -82,16 +82,11 @@ func (lg *Logic) ImportIssuerPair(ctx context.Context, params *cmapi.ImportIssue
 	var err error
 	res := &cmapi.ImportIssuerPairResult{}
 
-	certPEM, err := base64.StdEncoding.DecodeString(params.Certificate)
-	if err != nil {
+	if params.Certificate == "" {
+		err := fmt.Errorf("Empty issuer cerificata data")
 		return res, err
 	}
-	certBlock, _ := pem.Decode([]byte(certPEM))
-	if certBlock == nil {
-		err := fmt.Errorf("Failed to parse certificate PEM")
-		return res, err
-	}
-	cert, err := x509.ParseCertificate(certBlock.Bytes)
+	cert, err := ParseDoubleEncodedCerificate(params.Certificate)
 	if err != nil {
 		return res, err
 	}
@@ -100,15 +95,26 @@ func (lg *Logic) ImportIssuerPair(ctx context.Context, params *cmapi.ImportIssue
 		return res, err
 	}
 
-	if params.Key != "" {
-		keyPEM, err := base64.StdEncoding.DecodeString(params.Key)
-		if err != nil {
-			return res, err
-		}
-		keyBlock, _ := pem.Decode([]byte(keyPEM))
-		if keyBlock == nil {
-			err := fmt.Errorf("Failed to parse certificate PEM")
-			return res, err
+	if params.Key == "" {
+		err := fmt.Errorf("Empty issuer key data")
+		return res, err
+	}
+	_, err = ParseDoubleEncodedKey(params.Key)
+	if err != nil {
+		return res, err
+	}
+
+	topSubjectCN := cert.Subject.String()
+	topIssuerCN := cert.Issuer.String()
+
+	if topSubjectCN != topIssuerCN {
+		chainCerts := make([]*x509.Certificate, 0)
+		for _, chainCertString := range params.ChainCertificate {
+			chainCert, err := ParseDoubleEncodedCerificate(chainCertString)
+			if err != nil {
+				return res, err
+			}
+			chainCerts = append(chainCerts, chainCert)
 		}
 	}
 

internal/logic/testchain_a00.crt

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIHZDCCBkygAwIBAgISA0TPqlhFqMMjfL8lwr1WdKCiMA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTEwHhcNMjQwNzE1MDcwNTQyWhcNMjQxMDEzMDcwNTQxWjAYMRYwFAYDVQQD
+Ew1oYW0udW5peDcub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+xDw3k4983QmRIqV0PsXFfG3x1wkamrMrY9sMz+M+CR9h1iozv4OQdm5wFJp/8ert
+7x+JS07v4vabYoLyVsdteRXHrqXlSDJMuZaReHIQVqKk1BYZ9miIH64ExUA6vd3r
+8AmilipIPW+UJihaZnP7wPy80PUdCiq0tnSewKN+wfzka5yehWXeaTbDeDoUl1Cf
+5Q3CO9KhbIYNwG8GBm+4YKiuewjjIU4sPEaCPvpvCTcwA4Lcqf1awU/nRdTLXO1e
+L4LezTEPb7KSS7hEZSHs2aQbjVpoV0IcuSYI1beb7XSdsv/jDIzOpu/Sx+AqMUy+
+WE4sO0Yj3ap8mbsY9HTC7QIDAQABo4IEizCCBIcwDgYDVR0PAQH/BAQDAgWgMB0G
+A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1Ud
+DgQWBBR3smydoErE3KVUBr0/ohKZ0ghK0jAfBgNVHSMEGDAWgBTFz0ak6vTDwHps
+lcQtsF6SLybjuTBXBggrBgEFBQcBAQRLMEkwIgYIKwYBBQUHMAGGFmh0dHA6Ly9y
+MTEuby5sZW5jci5vcmcwIwYIKwYBBQUHMAKGF2h0dHA6Ly9yMTEuaS5sZW5jci5v
+cmcvMIICkAYDVR0RBIIChzCCAoOCEmFpcmZvcmNlLnVuaXg3Lm9yZ4IOYXJ0cy51
+bml4Ny5vcmeCDWRlNC51bml4Ny5vcmeCDWRlNS51bml4Ny5vcmeCDWRlNi51bml4
+Ny5vcmeCDWRlNy51bml4Ny5vcmeCDWRlYi51bml4Ny5vcmeCDWRldi51bml4Ny5v
+cmeCDmRuczUudW5peDcub3Jngg1lZHUudW5peDcub3JnghBlZHVtYXgudW5peDcu
+b3Jngg1naXQudW5peDcub3Jngg9nbWFpbC51bml4Ny5vcmeCDWhhbS51bml4Ny5v
+cmeCDmhhc2gudW5peDcub3JnggxoZC51bml4Ny5vcmeCDmhlYXAudW5peDcub3Jn
+ghJob21lZGVzay51bml4Ny5vcmeCDWh1Yi51bml4Ny5vcmeCEGl0ZGVzay51bml4
+Ny5vcmeCD2xhcGlzLnVuaXg3Lm9yZ4IPbG9yZW0udW5peDcub3Jngg5tYWlsLnVu
+aXg3Lm9yZ4IMbXcudW5peDcub3JnggxteC51bml4Ny5vcmeCDnBkbnMudW5peDcu
+b3Jngg5waWtpLnVuaXg3Lm9yZ4IPcHJveHkudW5peDcub3JnghFyZWRtaW5lLnVu
+aXg3Lm9yZ4IMcm0udW5peDcub3Jngg9zbGFjay51bml4Ny5vcmeCEHNwcmluZy51
+bml4Ny5vcmeCDnNydjcudW5peDcub3JnghBzdG9yZXgudW5peDcub3JnghB0YW5h
+a2gudW5peDcub3Jnggx2NS51bml4Ny5vcmeCDXcxMi51bml4Ny5vcmeCDXdjbS51
+bml4Ny5vcmeCDndpa2kudW5peDcub3Jngg13d3cudW5peDcub3JnMBMGA1UdIAQM
+MAowCAYGZ4EMAQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcASLDja9qmRzQP
+5WoC+p0w6xxSActW3SyB2bu/qznYhHMAAAGQtW0RVQAABAMASDBGAiEAjQvvzpOR
+urMOiqV5g0EuAK1A9CuAKOdWJp6/s3/SKBMCIQCbTBj13lhMnTr6bSHwoBtSwoiY
+aeDJzGBmDTpbgGpFdQB1AN/hVuuqBa+1nA+GcY2owDJOrlbZbqf1pWoB0cE7vlJc
+AAABkLVtEicAAAQDAEYwRAIgWe0pdXXB6UmMmeSgYLDncdkS2aKHAHDdOqKOoL9x
+Kx8CIBqobR/Ve1IZMTLrRN54vh8kNmF0OkVjXtrh+ste6cKUMA0GCSqGSIb3DQEB
+CwUAA4IBAQA3c88cXIejS9vy4XUow6dOuud6qqkNX1osSq2vRtYkKMZb2JVuhPAr
+hQsozwptJPm5lOEDQPD8676yZNVgGdjmMvA0ewdWEp9HZ7x+RFlI7RC9CqMSOWPO
+p60RMiBQlK7Els38WurmW2GzZkfykzpZZ/0lIrCNjT7aB9VjGVDOjxo/xHapHSwJ
+GOxq4TTU1KaFfbFl5A2F9bRVrAAWfih+DzUzhlhZBHODzadgs2CimVYIp8gEVf1j
+dGetiU2j+cvOpvQnfX7Xr8Cf2YK7E0j6lfC3RPvK9oA1bP5KBMWELXsGBrwIxgUB
+f2/jRcxrQoGoEYwYW4D/JViKwelABzfc
+-----END CERTIFICATE-----

internal/logic/testchain_a01.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEMMAoGA1UEAxMDUjExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuoe8XBsAOcvKCs3UZxD5ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJ
+DAjs4DqwO3cOvfPlOVRBDE6uQdaZdN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxG
+AGQUmfOx2SLZzaiSqhwmej/+71gFewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy
+6cRms+EGZkNIGIBloDcYmpuEMpexsr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnw
+SVzgJFDhxLyhBax7QG0AtMJBP6dYuC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLP
+Xzze41xNG/cLJyuqC0J3U095ah2H2QIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
+hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHQ4EFgQUxc9GpOr0w8B6bJXELbBeki8m47kwHwYDVR0jBBgwFoAU
+ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
+hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
+A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
+AQELBQADggIBAE7iiV0KAxyQOND1H/lxXPjDj7I3iHpvsCUf7b632IYGjukJhM1y
+v4Hz/MrPU0jtvfZpQtSlET41yBOykh0FX+ou1Nj4ScOt9ZmWnO8m2OG0JAtIIE38
+01S0qcYhyOE2G/93ZCkXufBL713qzXnQv5C/viOykNpKqUgxdKlEC+Hi9i2DcaR1
+e9KUwQUZRhy5j/PEdEglKg3l9dtD4tuTm7kZtB8v32oOjzHTYw+7KdzdZiw/sBtn
+UfhBPORNuay4pJxmY/WrhSMdzFO2q3Gu3MUBcdo27goYKjL9CTF8j/Zz55yctUoV
+aneCWs/ajUX+HypkBTA+c8LGDLnWO2NKq0YD/pnARkAnYGPfUDoHR9gVSp/qRx+Z
+WghiDLZsMwhN1zjtSC0uBWiugF3vTNzYIEFfaPG7Ws3jDrAMMYebQ95JQ+HIBD/R
+PBuHRTBpqKlyDnkSHDHYPiNX3adPoPAcgdF3H2/W0rmoswMWgTlLn1Wu0mrks7/q
+pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo
+6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
+uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
+-----END CERTIFICATE-----

internal/logic/testchain_a02.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----

internal/logic/testchain_a03.crt

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFVDCCBDygAwIBAgIRAKLBiJX85huxZJB/Ylc2Y5gwDQYJKoZIhvcNAQEFBQAw
+gakxCzAJBgNVBAYTAnVzMQ0wCwYDVQQIEwRVdGFoMRcwFQYDVQQHEw5TYWx0IExh
+a2UgQ2l0eTEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMREw
+DwYDVQQLEwhEU1RDQSBYMTEWMBQGA1UEAxMNRFNUIFJvb3RDQSBYMTEhMB8GCSqG
+SIb3DQEJARYSY2FAZGlnc2lndHJ1c3QuY29tMB4XDTA0MDkwODE0NDM0NVoXDTA4
+MTEyODEzMDI1OVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3Qg
+Q28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+Do
+M3ZJKuM/IUmTrE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwG
+MoOifooUMM0RoOEqOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOe
+DNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqc
+kh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr
+2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaOCAd4wggHaMA8GA1Ud
+EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIG7BgNVHR8EgbMwgbAwga2ggaqg
+gaeGgaRsZGFwOi8vbGRhcC5kaWdzaWd0cnVzdC5jb20vY249RFNUJTIwUm9vdENB
+JTIwWDEsb3U9RFNUQ0ElMjBYMSxvPURpZ2l0YWwlMjBTaWduYXR1cmUlMjBUcnVz
+dCUyMENvLixsPVNhbHQlMjBMYWtlJTIwQ2l0eSxTPVV0YWgsYz11cz9jZXJ0aWZp
+Y2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTCBuAYIKwYBBQUHAQEEgaswgagwgaUG
+CCsGAQUFBzAChoGYbGRhcDovL2xkYXAuZGlnc2lndHJ1c3QuY29tL2NuPURTVCUy
+MFJvb3RDQSUyMFgxLG91PURTVENBJTIwWDEsbz1EaWdpdGFsJTIwU2lnbmF0dXJl
+JTIwVHJ1c3QlMjBDby4sbD1TYWx0JTIwTGFrZSUyMENpdHksUz1VdGFoLGM9dXM/
+Y0FDZXJ0aWZpY2F0ZTtiaW5hcnkwHwYDVR0jBBgwFoAUaU2asPSCd8A2GzVVCRQa
+/goSAAowHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqGSIb3DQEB
+BQUAA4IBAQCpFXMtsChLFvN/Z+mwiodooamIW0qjMoVGHeN9CcDdUIGQI7cgbT10
+tsJuEZx3opp2s4LoM7Gn/o0T/rysLlT34vPwI4Ei/df3aG0ite5ehqWgMuc65n1P
+tadwl5JFFx3l8B0YWrOv5xJ0kY+br4FGI2OGqxagBtH2y7Uak4Iq2xipTHhlvx6a
+DWAzGQHovRdLf1c4cFti11gU29QYPgDXsJSuriq3xcItGzjYZT9V45WiIlmdvez0
+vCr6wcnjifctVfQ7z2o2+yl7A1+ijNhDhyfcrdPqctwx0Nk8IDitss+vNMsqoEHx
+uBoIoQw0DQhKAEYri9bw+9wqZhotOjMw
+-----END CERTIFICATE-----

internal/logic/x509.go

@@ -97,7 +97,7 @@ type CreateServicePairResult struct {
 func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResult, error) {
 	var err error
 
-	var res *CreateServicePairResult
+	res := &CreateServicePairResult{}
 
 	certPem := make([]byte, 0)
 	keyPem := make([]byte, 0)
@@ -161,6 +161,7 @@ func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResul
 		Type:  "CERTIFICATE",
 		Bytes: certBytes,
 	}
+
 	certPem = pem.EncodeToMemory(&certPemBlock)
 	if err != nil {
 		return res, err
@@ -169,3 +170,107 @@ func CreateServicePair(params *CreateServicePairParams) (*CreateServicePairResul
 	res.Key = base64.StdEncoding.EncodeToString(keyPem)
 	return res, err
 }
+
+func ParseDoubleEncodedCerificate(certString string) (*x509.Certificate, error) {
+	var err error
+	res := &x509.Certificate{}
+
+	certPEM, err := base64.StdEncoding.DecodeString(certString)
+	if err != nil {
+		return res, err
+	}
+	certBlock, _ := pem.Decode([]byte(certPEM))
+	if certBlock == nil {
+		err := fmt.Errorf("Failed to parse certificate PEM")
+		return res, err
+	}
+	res, err = x509.ParseCertificate(certBlock.Bytes)
+	if err != nil {
+		return res, err
+	}
+	return res, err
+}
+
+func ParseEncodedCerificate(certPEM string) (*x509.Certificate, error) {
+	var err error
+	res := &x509.Certificate{}
+
+	certBlock, _ := pem.Decode([]byte(certPEM))
+	if certBlock == nil {
+		err := fmt.Errorf("Failed to parse certificate PEM")
+		return res, err
+	}
+	res, err = x509.ParseCertificate(certBlock.Bytes)
+	if err != nil {
+		return res, err
+	}
+	return res, err
+}
+
+func ParseDoubleEncodedKey(keyString string) (*rsa.PrivateKey, error) {
+	var err error
+	res := &rsa.PrivateKey{}
+
+	keyPEM, err := base64.StdEncoding.DecodeString(keyString)
+	if err != nil {
+		return res, err
+	}
+	keyBlock, _ := pem.Decode([]byte(keyPEM))
+	if keyBlock == nil {
+		err := fmt.Errorf("Failed to parse key PEM")
+		return res, err
+	}
+	res, err = x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+	if err != nil {
+		return res, err
+	}
+	return res, err
+}
+
+type CertificateCortege struct {
+	CertString string
+	CertObj    *x509.Certificate
+}
+
+func CheckCertificateChain(topIssuerCN string, certCorteges []*CertificateCortege) ([]*CertificateCortege, error) {
+	var err error
+	res := make([]*CertificateCortege, 0)
+
+	issuerFound := false
+	issuerIndex := -1
+	for i, cortege := range certCorteges {
+		if topIssuerCN == cortege.CertObj.Subject.String() {
+			issuerIndex = i
+			issuerFound = true
+		}
+	}
+	if !issuerFound {
+		err := fmt.Errorf("Issuer for %s cannot found", topIssuerCN)
+		return res, err
+	}
+	interInssuerCortege := certCorteges[issuerIndex]
+	if !interInssuerCortege.CertObj.IsCA {
+		err := fmt.Errorf("Issuer %s is not CA", interInssuerCortege.CertObj.Subject.String())
+		return res, err
+	}
+	expired := interInssuerCortege.CertObj.NotAfter.Before(time.Now())
+	if !expired {
+		err := fmt.Errorf("Issuer %s expired %v", interInssuerCortege.CertObj.Subject.String(),
+			interInssuerCortege.CertObj.NotAfter)
+		return res, err
+	}
+
+	res = append(res, interInssuerCortege)
+	if interInssuerCortege.CertObj.Subject.String() == interInssuerCortege.CertObj.Issuer.String() {
+		return res, err
+	}
+	updatedCorteges := append(certCorteges[:issuerIndex], certCorteges[issuerIndex+1:]...)
+	topIssuerCN = interInssuerCortege.CertObj.Issuer.String()
+
+	cortegeTail, err := CheckCertificateChain(topIssuerCN, updatedCorteges)
+	if err != nil {
+		return res, err
+	}
+	res = append(res, cortegeTail...)
+	return res, err
+}

internal/logic/x509_test.go

@@ -0,0 +1,64 @@
+package logic
+
+import (
+	//"crypto/x509"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+	//"time"
+
+	"github.com/stretchr/testify/require"
+	"sigs.k8s.io/yaml"
+)
+
+func TestCertChainChecker(t *testing.T) {
+	var err error
+
+	serviceCertBytes, err := os.ReadFile("testchain_a01.crt")
+	require.NoError(t, err)
+	require.NotZero(t, len(serviceCertBytes))
+	serviceCert, err := ParseEncodedCerificate(string(serviceCertBytes))
+	require.NoError(t, err)
+	require.NotNil(t, serviceCert)
+
+	certChain := make([]*CertificateCortege, 0)
+	for i := 1; i < 4; i++ {
+		certBytes, err := os.ReadFile(fmt.Sprintf("testchain_a%02d.crt", i))
+		require.NoError(t, err)
+		require.NotZero(t, len(certBytes))
+
+		cert, err := ParseEncodedCerificate(string(certBytes))
+		require.NoError(t, err)
+		require.NotNil(t, cert)
+
+		certCortege := &CertificateCortege{
+			CertString: string(certBytes),
+			CertObj:    cert,
+		}
+
+		fmt.Printf("Subject: %s\n", cert.Subject.String())
+		fmt.Printf("Issuer:  %s\n\n\n", cert.Issuer.String())
+
+		//expired := cert.NotAfter.Before(time.Now())
+		//require.False(t, expired)
+
+		certChain = append(certChain, certCortege)
+	}
+
+	topIssuerCN := serviceCert.Issuer.String()
+
+	resChain, err := CheckCertificateChain(topIssuerCN, certChain)
+	require.NoError(t, err)
+	require.NotNil(t, resChain)
+}
+
+func printObj(label string, obj any) {
+	objBytes, _ := yaml.Marshal(obj)
+	objString := string(objBytes)
+	if strings.Count(objString, "\n") < 2 {
+		fmt.Printf("==== %s: %s\n", label, objString)
+	} else {
+		fmt.Printf("==== %s ::\n%s\n", label, objString)
+	}
+}

internal/test/logic_test.go

@@ -2,11 +2,9 @@ package test
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"testing"
 	"time"
-	//"encoding/base64"
 	"strings"
 
 	cmapi "certmanager/api/certmanagercontrol"
@@ -15,6 +13,7 @@ import (
 	"certmanager/internal/logic"
 
 	"github.com/stretchr/testify/require"
+        "sigs.k8s.io/yaml"
 )
 
 func TestLogicIssuer(t *testing.T) {
@@ -41,11 +40,10 @@ func TestLogicIssuer(t *testing.T) {
 		require.NotNil(t, lg)
 	}
 
-	ctx, _ := context.WithTimeout(context.Background(), 1*time.Second)
+	ctx, _ := context.WithTimeout(context.Background(), 10*time.Second)
 
 	issuerCommonName := "foo.bar"
 	var issuerID int64
-
 	{
 		createIssuerPairParams := &cmapi.CreateIssuerPairParams{
 			IssuerCommonName: issuerCommonName,
@@ -139,6 +137,18 @@ func TestLogicIssuer(t *testing.T) {
 
 		printObj("importIssuerPairRes", importIssuerPairRes)
 	}
+	{
+                for i := 0; i < 3; i++ {
+                        createIssuerPairParams := &cmapi.CreateIssuerPairParams{
+                                IssuerCommonName: fmt.Sprintf("sub%0d.%s", i, issuerCommonName),
+                        }
+                        createIssuerPairRes, err := lg.CreateIssuerPair(ctx, createIssuerPairParams)
+                        require.NoError(t, err)
+                        require.NotNil(t, createIssuerPairRes)
+                        issuerID = createIssuerPairRes.IssuerID
+                        printObj("issuerID", issuerID)
+                }
+	}
 	{
 		listIssuerPairsParams := &cmapi.ListIssuerPairsParams{}
 		listIssuerPairsRes, err := lg.ListIssuerPairs(ctx, listIssuerPairsParams)
@@ -148,14 +158,41 @@ func TestLogicIssuer(t *testing.T) {
 
 		printObj("listIssuerPairRes", listIssuerPairsRes)
 	}
+	serviceCommonName := "make.love"
+	var serviceID int64
+	{
+		createServicePairParams := &cmapi.CreateServicePairParams{
+			ServiceCommonName: serviceCommonName,
+                        IssuerID: issuerID,
+		}
+		createServicePairRes, err := lg.CreateServicePair(ctx, createServicePairParams)
+		printObj("createServicePairRes", createServicePairRes)
+
+		require.NoError(t, err)
+		require.NotNil(t, createServicePairRes)
+		serviceID = createServicePairRes.ServiceID
+		printObj("serviceID", serviceID)
+	}
+	{
+		getServicePairParams := &cmapi.GetServicePairParams{
+			ServiceID: serviceID,
+		}
+		getServicePairRes, err := lg.GetServicePair(ctx, getServicePairParams)
+		require.NoError(t, err)
+		require.NotNil(t, getServicePairRes)
+		require.NotZero(t, len(getServicePairRes.Certificate))
+		require.False(t, getServicePairRes.Revoked)
+
+		printObj("getServicePairRes", getServicePairRes)
+	}
 }
 
 func printObj(label string, obj any) {
-	objBytes, _ := json.MarshalIndent(obj, " ", "    ")
+	objBytes, _ := yaml.Marshal(obj)
 	objString := string(objBytes)
 	if strings.Count(objString, "\n") < 2 {
 		fmt.Printf("==== %s: %s\n", label, objString)
 	} else {
-		fmt.Printf("==== %s ::\n %s\n", label, objString)
+		fmt.Printf("==== %s ::\n%s\n", label, objString)
 	}
 }