fix: update error message

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>

x509/cert_validations.go

@@ -174,33 +174,33 @@ func validateLeafKeyUsage(cert *x509.Certificate) error {
 		return err
 	}
 	if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
-		return fmt.Errorf("The certificate with subject %q is invalid. The key usage must have the bit positions for \"Digital Signature\"", cert.Subject)
+		return fmt.Errorf("The certificate with subject %q is invalid. The key usage must have the bit positions for \"Digital Signature\" set", cert.Subject)
 	}
 
 	var invalidKeyUsages []string
 	if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "ContentCommitment")
+		invalidKeyUsages = append(invalidKeyUsages, "\"ContentCommitment\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "KeyEncipherment")
+		invalidKeyUsages = append(invalidKeyUsages, "\"KeyEncipherment\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "DataEncipherment")
+		invalidKeyUsages = append(invalidKeyUsages, "\"DataEncipherment\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageKeyAgreement != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "KeyAgreement")
+		invalidKeyUsages = append(invalidKeyUsages, "\"KeyAgreement\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageCertSign != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "CertSign")
+		invalidKeyUsages = append(invalidKeyUsages, "\"CertSign\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageCRLSign != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "CRLSign")
+		invalidKeyUsages = append(invalidKeyUsages, "\"CRLSign\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageEncipherOnly != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "EncipherOnly")
+		invalidKeyUsages = append(invalidKeyUsages, "\"EncipherOnly\"")
 	}
 	if cert.KeyUsage&x509.KeyUsageDecipherOnly != 0 {
-		invalidKeyUsages = append(invalidKeyUsages, "DecipherOnly")
+		invalidKeyUsages = append(invalidKeyUsages, "\"DecipherOnly\"")
 	}
 	if len(invalidKeyUsages) > 0 {
 		return fmt.Errorf("The certificate with subject %q is invalid. The key usage must be \"Digital Signature\" only, but found %s", cert.Subject, strings.Join(invalidKeyUsages, ", "))

x509/cert_validations_test.go

@@ -512,7 +512,7 @@ var kuNoDigitalSignatureLeaf = parseCertificateFromString(kuNoDigitalSignatureLe
 
 func TestFailKuNoDigitalSignatureLeaf(t *testing.T) {
 	err := validateLeafCertificate(kuNoDigitalSignatureLeaf, x509.ExtKeyUsageCodeSigning)
-	assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must have the bit positions for \"Digital Signature\"", err, t)
+	assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must have the bit positions for \"Digital Signature\" set", err, t)
 }
 
 var kuWrongValuesLeafPem = "-----BEGIN CERTIFICATE-----\n" +
@@ -536,7 +536,7 @@ var kuWrongValuesLeaf = parseCertificateFromString(kuWrongValuesLeafPem)
 
 func TestFailKuWrongValuesLeaf(t *testing.T) {
 	err := validateLeafCertificate(kuWrongValuesLeaf, x509.ExtKeyUsageCodeSigning)
-	assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must be \"Digital Signature\" only, but found CertSign, CRLSign", err, t)
+	assertErrorEqual("The certificate with subject \"CN=Hello\" is invalid. The key usage must be \"Digital Signature\" only, but found \"CertSign\", \"CRLSign\"", err, t)
 }
 
 var rsaKeyTooSmallLeafPem = "-----BEGIN CERTIFICATE-----\n" +
@@ -729,7 +729,7 @@ func TestValidateLeafKeyUsage(t *testing.T) {
 				KeyUsage:   x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
 				Extensions: extensions,
 			},
-			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found ContentCommitment",
+			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"ContentCommitment\"",
 		},
 		{
 			name: "Missing DigitalSignature usage",
@@ -738,7 +738,7 @@ func TestValidateLeafKeyUsage(t *testing.T) {
 				KeyUsage:   x509.KeyUsageCertSign,
 				Extensions: extensions,
 			},
-			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must have the bit positions for \"Digital Signature\"",
+			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must have the bit positions for \"Digital Signature\" set",
 		},
 		{
 			name: "Invalid KeyEncipherment usage",
@@ -747,7 +747,7 @@ func TestValidateLeafKeyUsage(t *testing.T) {
 				KeyUsage:   x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 				Extensions: extensions,
 			},
-			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment",
+			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"KeyEncipherment\"",
 		},
 		{
 			name: "Multiple Invalid usages",
@@ -756,7 +756,7 @@ func TestValidateLeafKeyUsage(t *testing.T) {
 				KeyUsage:   x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly | x509.KeyUsageEncipherOnly | x509.KeyUsageDecipherOnly,
 				Extensions: extensions,
 			},
-			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found KeyEncipherment, DataEncipherment, KeyAgreement, CertSign, CRLSign, EncipherOnly, DecipherOnly",
+			expectedErrMsg: "The certificate with subject \"CN=Test CN\" is invalid. The key usage must be \"Digital Signature\" only, but found \"KeyEncipherment\", \"DataEncipherment\", \"KeyAgreement\", \"CertSign\", \"CRLSign\", \"EncipherOnly\", \"DecipherOnly\"",
 		},
 	}