@@ -17,6 +17,7 @@ package tlscfg
1717import (
1818 "crypto/tls"
1919 "crypto/x509"
20+ "fmt"
2021 "io/ioutil"
2122 "os"
2223 "path/filepath"
@@ -92,9 +93,24 @@ func TestReload(t *testing.T) {
9293 require .NoError (t , err )
9394
9495 waitUntil (func () bool {
95- return logObserver .FilterField (zap .String ("certificate" , certFile .Name ())).Len () > 0
96+ // Logged when both matching public and private keys are modified in the cert.
97+ // If mismatched keys are present in the cert, the "Failed to load certificate" error will be logged instead.
98+ return logObserver .FilterMessage ("Loaded modified certificate" ).Len () > 0
9699 }, 100 , time .Millisecond * 200 )
97- assert .True (t , logObserver .FilterField (zap .String ("certificate" , certFile .Name ())).Len () > 0 )
100+
101+ // Logged when the cert is modified with the client's public key due to
102+ // a mismatch with the existing server private key.
103+ assert .True (t , logObserver .
104+ FilterMessage ("Failed to load certificate" ).
105+ FilterField (zap .String ("certificate" , certFile .Name ())).Len () > 0 ,
106+ "Failed to find wanted logs. All logs: " + fmt .Sprint (logObserver .All ()))
107+
108+ // Logged when the cert is modified with the client's private key,
109+ // resulting in both public and private keys matching (from the client).
110+ assert .True (t , logObserver .
111+ FilterMessage ("Loaded modified certificate" ).
112+ FilterField (zap .String ("certificate" , keyFile .Name ())).Len () > 0 ,
113+ "Failed to find wanted logs. All logs: " + fmt .Sprint (logObserver .All ()))
98114
99115 cert , err = tls .LoadX509KeyPair (filepath .Clean (clientCert ), clientKey )
100116 require .NoError (t , err )
0 commit comments