From b200fb182810e185239e6ddaaf3a6ab3b2806af9 Mon Sep 17 00:00:00 2001
From: Tiago Queiroz
Date: Thu, 21 Dec 2023 08:23:42 +0100
Subject: [PATCH 1/2] Update TLS certificates in tests (#169)

Some TLS certificates used in tests expired, this commit fixes it by generating the certificates and, if needed, calculating the fingerprint on each test. This will prevent future CI failures and reduce the maintenance burden.
---
 transport/tlscommon/ca_pinning_test.go | 23 +-
 transport/tlscommon/testdata/cacert.crt | 24 --
 transport/tlscommon/testdata/cacert.key | 27 ---
 transport/tlscommon/testdata/client1.crt | 48 ----
 transport/tlscommon/testdata/client1.key | 27 ---
 transport/tlscommon/testdata/es-leaf.crt | 32 ---
 .../tlscommon/testdata/es-root-ca-cert.crt | 31 ---
 transport/tlscommon/testdata/server.crt | 22 --
 transport/tlscommon/testdata/server.key | 15 --
 transport/tlscommon/testdata/tls.crt | 22 --
 transport/tlscommon/testdata/unsigned_tls.crt | 22 --
 transport/tlscommon/tls_config_test.go | 216 +++++++++++++----
 12 files changed, 172 insertions(+), 337 deletions(-)
 delete mode 100644 transport/tlscommon/testdata/cacert.crt
 delete mode 100644 transport/tlscommon/testdata/cacert.key
 delete mode 100644 transport/tlscommon/testdata/client1.crt
 delete mode 100644 transport/tlscommon/testdata/client1.key
 delete mode 100644 transport/tlscommon/testdata/es-leaf.crt
 delete mode 100644 transport/tlscommon/testdata/es-root-ca-cert.crt
 delete mode 100644 transport/tlscommon/testdata/server.crt
 delete mode 100644 transport/tlscommon/testdata/server.key
 delete mode 100644 transport/tlscommon/testdata/tls.crt
 delete mode 100644 transport/tlscommon/testdata/unsigned_tls.crt
diff --git a/transport/tlscommon/ca_pinning_test.go b/transport/tlscommon/ca_pinning_test.go
index 9a464cf7..13d935ab 100644
--- a/transport/tlscommon/ca_pinning_test.go
+++ b/transport/tlscommon/ca_pinning_test.go
@@ -94,7 +94,7 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -172,10 +172,10 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil)
+ intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -246,10 +246,10 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil)
+ intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -360,10 +360,19 @@ func genSignedCert(
 commonName string,
 dnsNames []string,
 ips []net.IP,
+ expired bool,
 ) (tls.Certificate, error) {
 if commonName == "" {
 commonName = "You know, for search"
 }
+
+ notBefore := time.Now()
+ notAfter := notBefore.Add(5 * time.Hour)
+
+ if expired {
+ notBefore = notBefore.Add(-42 * time.Hour)
+ notAfter = notAfter.Add(-42 * time.Hour)
+ }
 // Create another Cert/key
 cert := &x509.Certificate{
 SerialNumber: big.NewInt(2000),
@@ -382,8 +391,8 @@ func genSignedCert(
 PostalCode: []string{"HOH OHO"},
 },
 
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(1 * time.Hour),
+ NotBefore: notBefore,
+ NotAfter: notAfter,
 IsCA: isCA,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 KeyUsage: keyUsage,
diff --git a/transport/tlscommon/testdata/cacert.crt b/transport/tlscommon/testdata/cacert.crt
deleted file mode 100644
index debdf7e2..00000000
--- a/transport/tlscommon/testdata/cacert.crt
+++ /dev/null
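Review bot: The new `expired` parameter is undocumented and arrives as an eighth positional argument, so every call site in ca_pinning_test.go now ends in `nil, false)` with nothing telling the reader what the trailing bool controls; genSignedCert's signature starts before this hunk, so the explanation belongs in a doc comment above it, e.g. `// expired backdates the validity window by 42h so the returned certificate has already expired when it is verified.` The 5-hour lifetime and the 42-hour shift are both fixed inside the body, so a future "not yet valid" case would need a third branch of the same shape; a `validity time.Duration`-style pair of parameters, or a small options struct, would cover all three cases without another bool at each call site. The generated certificates are verified in-process, so `notBefore := time.Now()` is fine here, but if the helper is ever reused for a cross-host test the usual practice is to backdate `notBefore` by a minute to tolerate clock skew.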
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL
-BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u
-dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5
-MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG
-UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV
-BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW
-ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo
-yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu
-5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP
-7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI
-p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a
-tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB
-nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP
-BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU
-XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
-CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P
-dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg
-blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn
-in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug
-B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq
-A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/cacert.key b/transport/tlscommon/testdata/cacert.key
deleted file mode 100644
index e864b93e..00000000
--- a/transport/tlscommon/testdata/cacert.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB
-mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ
-l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn
-1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh
-nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs
-x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n
-/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO
-YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8
-K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm
-zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L
-d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa
-szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X
-3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI
-4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY
-QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT
-iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl
-EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV
-+Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t
-f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv
-l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt
-kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo
-VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1
-zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv
-UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7
-Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp
------END RSA PRIVATE KEY-----
diff --git a/transport/tlscommon/testdata/client1.crt b/transport/tlscommon/testdata/client1.crt
deleted file mode 100644
index c3139a72..00000000
--- a/transport/tlscommon/testdata/client1.crt
+++ /dev/null
@@ -1,48 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL
-BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u
-dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5
-MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG
-UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV
-BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6
-hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n
-26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5
-5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z
-zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU
-mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud
-EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME
-gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP
-MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh
-dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB
-/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N
-Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7
-myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w
-En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN
-2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J
-u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg==
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL
-BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u
-dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5
-MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG
-UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV
-BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW
-ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo
-yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu
-5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP
-7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI
-p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a
-tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
-fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB
-nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP
-BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU
-XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
-CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P
-dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg
-blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn
-in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug
-B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq
-A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/client1.key b/transport/tlscommon/testdata/client1.key
deleted file mode 100644
index ce5274b7..00000000
--- a/transport/tlscommon/testdata/client1.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz
-NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD
-MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP
-RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W
-3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N
-/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck
-04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85
-1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR
-iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j
-wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa
-NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ
-27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw
-nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22
-HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx
-71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz
-1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w
-xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu
-2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9
-8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde
-RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM
-T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds
-4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE
-UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy
-q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L
-ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc
------END RSA PRIVATE KEY-----
diff --git a/transport/tlscommon/testdata/es-leaf.crt b/transport/tlscommon/testdata/es-leaf.crt
deleted file mode 100644
index 89d5087e..00000000
--- a/transport/tlscommon/testdata/es-leaf.crt
+++ /dev/null
@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFeDCCA2CgAwIBAgIUV7+XlHjcV++/ezqTkJrXSFc1dpAwDQYJKoZIhvcNAQEL
-BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp
-Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yMzExMzAxMDMzNTda
-MBExDzANBgNVBAMTBngtd2luZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
-ggIBALL045X6ywAHg9tWuViNyXu30rHhJa/AI45ZwLWzQMEwnCWnMvV0Cy3FgUd6
-VKw4Rg55/SfBKShhTRjC4PmDIHDIBgpm4NWpREIW2+cZfeEU8B34ucK/ZHycTFQ1
-Guh8HfvFy5J3OYT+8Wfz94ZxvVLMOGROTSiWdL2foVk98tbHgL1K3qyv1v0rgIjt
-smZ7G4tbl3sBCuYceUL7X/+0kavJGls2T/rtxxEIfj5dNz4h65KmABrrAJfrEx35
-y2jCdY2XQsBxxMvbHEXXJKhrjQ8pajMcWAlDBKweiNIDdgBDYWpodpr4f3A6ZJkM
-Nplw7KyLna4s3BO/g7fd5/FyQGFuLPraFtFnTXGqH+LjX0td74bdSP22/uhU3cKY
-3y64I3/HEaEY5JITgUArExcMVpXuKJKqXEb+LtjGmUbAiO8Z7QKL+PqmU+3tJJ0p
-kXnS07m3F/MgrDir/VCnYGQcXeteBwEgmcOwPmxz98eOSBhtb0PrimycF2tQuT8b
-mCU+evTPC+KQ+8XY5vBwdPGpf6YAaHuVhNtKqBQnYOpsadS7zw5DJ0Y1Kp9z0ZPL
-ch4DxE40xqAFmxWnAfpy2scD8LGJ1zDII90tAtYdu+3Wlzj6uMqUdqPuJED7XD41
-mlF2OjB5ipTs/1Jjl3pEnGG94sw5bQmnS1xFQp/DO3mjlgFBAgMBAAGjgZwwgZkw
-HQYDVR0OBBYEFJKNxskBHE5xQ9S24puXSKm6/bLKMB8GA1UdIwQYMBaAFHEdsBBS
-VCiK0fDIVe2vNN8JvHmcMEwGA1UdEQRFMEOHEP6AAAAAAAAAtw+3JU5DX8mCCWxv
-Y2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAAAYcEfwAAAYcEwKgqtoIGeC13aW5nMAkG
-A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAF5JAIQ9cu2xroh2F85fBr/F0s8D
-aRV6AJpkjSVKInMm7omn+GLB80TwQZ6NsGuXrbaq0rcM85khsBs4rWn5MqescYG/
-8A7gZ4EtYE3LIyeqiqBByrtIqszZeXm7ITDSF/lwn7X2swe7orkhVD4tVEvKH6L6
-Ql0oNe5UBN1Rm9NskDltMDzE2A25slkm99CAdPERDEjBpvd3eDcfbQdHeuAOPfUV
-T8P2DAdW4SC955bxnc0GPTla5TKXWWLde3egow5a4LeJv6KVWPTC9chEXZyQKp4p
-jvWZW1fTO/kC3oj97tfqoH/r35/+qyXmg38HNAFbEoVM3bsO0vqrI5CbkWTkB1Xb
-7CY6jJxemyEprl2gmkgfA/MXBHFc3RoIL7JcX7Sk8ZWpnEVK3KyoyK1RJ5kY1Cz4
-SRw4KLJA4Cu6DE7vXy9pTlIeeQARgQOUxnrlRGYHpKRIwgjrhwEjVqc0CPwj7rWr
-0VY4MW80FPFIePpqy3DjoJmORQU632iu/5zeUS4dZ11Ms7NTakqqnFHi7XczqeZn
-4HqPW8ebQTXrqRXMF/X30x6gkK1R1tXHSbve7cTQWJEwJd+MS2aA5Npt7hGznjPn
-Y1p4k9jEz5BnbLtZ2RbAj2FuL4Ee6iJoyZpFbi/SW+h+1ZaPCeUTnxUkDLEiXpdk
-tN8H6/6dudhy6btm
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/es-root-ca-cert.crt b/transport/tlscommon/testdata/es-root-ca-cert.crt
deleted file mode 100644
index 6234774a..00000000
--- a/transport/tlscommon/testdata/es-root-ca-cert.crt
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFWTCCA0GgAwIBAgIUAoPlJ3hVr921EyJfiT+9lVft3fcwDQYJKoZIhvcNAQEL
-BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp
-Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yNDExMjkxMDMzNTda
-MDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25maWd1
-cmF0aW9uIEhUVFAgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2
-soq+heCJNHsMuyyyLndREhYmxYFav06XOLB5oC1bAt+0WMo3n7rxVB8dAhfvigof
-DsTIytnCcK+Th8ll2k4Bs2weF16ZhvvC2FKbSkdUxNXnXfx7gdKDXZLbfref5FiL
-ucwxa7CtVL28Lfws9J5dZTTAuxR2XxaX+TJbH6MbQgKUYR+DnK8T3jSfiDTQtiHs
-+pd+C8hSdMgzKCynYP36VZbtz1ynWjvQ/0wxARO6q2OLZGBNh2ncoFEmosXgc0ir
-Vh9NrVmozSI0H2f6W07imqL3oe1pe3bwW/OdfeahCBY3IvDLDn8q8wDl91gRta3n
-EsMsiuBRSRRpT0grgoCFNy+wiIrETVLaI2HJ0UpVIpcoS7K5l2zN/wA+w+hAOdh0
-PoBt8AoC1aCCGM4osCTKqbgbOg957io2twuvWJ6ae3J2k5FFDMvIfMfL+5HhPSRp
-nYiRDPOhapDhaXhHa4pEFONpdiJJgmqymLqjW4liZOGft28dSkISK3iiBL74p/gu
-X/sBI7PZANycpyVjnLHK+FwPlRZPkrqCw2Gke4Oqm9uydwM08uRVZcNylVS7H0ip
-9BEcxKlXJSaULnTqQXkiPGKGkCrrIIsNQTFjoaBIBP2o69NSZ0SozDf4aCnYy10v
-U1dwI9yisOmMfDkakNcAPXfRfmuuJlstl1W1RraQswIDAQABo1MwUTAdBgNVHQ4E
-FgQUcR2wEFJUKIrR8MhV7a803wm8eZwwHwYDVR0jBBgwFoAUcR2wEFJUKIrR8MhV
-7a803wm8eZwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAiHrC
-NxCNsyUYLFVivL9AsJ5Y3IrhAHUzYwofLBJiMYNFsaEi3P1VU3TNlo98kzi2QkdY
-NPFtRYoOg6sEI0KPEBw54kLP/Q/FJK7jeJSyhJ9V/Z+NS081YHqrMP4YPK6mM4qa
-XuM7hpx37vkLDdfrDPionbcLk7Zz+2t6bIThrwta0idMY6LKeFfW1EWeggK6inNc
-Ub3n1qcTyOp1RfcLlHCdb17JhgY5hROmqVfhgLlbT0bx1NZS4pRWhw5CDKsflMUe
-SyHbLE1BTH6yE0nNXbR6FgDKjQNUSSZBOBck0hdSaRArALavujjBojHmJYWt1jWO
-bcBErzwKKwH/peUh7Wgnq1L/lqym9K9AniWUyhvKn8AbxGLnILDMYOSrvlPF2uU+
-uvp2EzhPUyOgYycC28H4fFUdDeoN5FVP+4sFFK+FIgfqLfVMTgDPmGAbkqA6WKlH
-fgQ2fP4oB2ZkN0EPxivXkvZkhDVlIXeoisUkNCgAfVuwCjvOLnqz8u0tTnp/wXxq
-XAXUPLcG71YFzABlkwuPdA5GhFAL1Rv8GQJEznhZ8mYz/yTtcg/z3pYEhDcM92Cb
-161BormFYVRI1B80rSpzeQwJVfvgCwnWOTat+1joFHCzpl99nHu8tMxi6lkO1G9E
-8vdk/J0zMMnhO52V2EMNdH2fTJUMZYixBm4BeEM=
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/server.crt b/transport/tlscommon/testdata/server.crt
deleted file mode 100644
index 50ca5ce8..00000000
--- a/transport/tlscommon/testdata/server.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDlTCCAX0CAQEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMM
-DmNhQGV4YW1wbGUuY29tMB4XDTIxMDEyNTE2MzQ0OVoXDTMxMDEyMzE2MzQ0OVow
-UjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh
-biBGcmFuY2lzY28xFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcN
-AQEBBQADgY0AMIGJAoGBALFuNygrGLLSnD//JRfU6xMDqgizeVdQqDlLaP/HxQ84
-9RPWnjfbyx2M25JYcLvewPqKQ80lOYnMRhpvujmuKP7gQHNDWOsyXH5JljTX78Wb
-I+nuVMeYjbUOh+6EgYNY59G5rH7xqgeu3y1YERfNdchEG8xjSxYeIZ7Ev6VMFF8r
-AgMBAAEwDQYJKoZIhvcNAQELBQADggIBALyHDjVcY6Po1eHWTUCLLOW1ZzzkX4qu
-gsfJM6qTIZIqh/O6tROGqH9kRw8SarIIZvtztfzuYtmQBE0qkBMzPzdN3x+3C4pz
-jf2vsEKRqva9mf9y+JM0Mv0WUuPfusHxPKOCl1on71kP1GL1bYylKqazgVa2tAVa
-78xs35YIuCM5apt0X+QO+Tnz/qfqJ7t3F7mP1aeCjYm8J20S8vKTYgkRkFX/8VJB
-1zRPl0CAMyoHOMcrmb7wX8V1CIER7VBQ7h580B7/7okrw+Hr3xyMOA0w1DiRUQJE
-biHBuDTRDmRg6W5nAwNLFLp/RfHttny0nEEcnzcjEStEKyDGbNg1W2ieWuIhgUza
-L3W3ld9LDD9pMnQ8yYTMcL+J2Ir6ErhpGL3Hks42W2c/qYhvo3we6B2ADfsS7P+m
-ku5W7/G2fDIlj6rtzaAeur+LSgsjU6kc1et2SJxjcJMPrS4xHxpAhJzD7h7f5N/B
-RBc5cT2sE2vuUBRGkz0wC9AC2/kxmv4RwjsrYTY8rEOqHRkxDF18lfFocAoq7Hvr
-lO6ft9/knzTQzKiizc6unXsLhUCvBzt50bA/gVLXmUmr1sncATKHWOLbvfRWat4I
-0m52jlowgqnJPsXtl+wwNYHaw9gF71RTx/Ov2vZ8xm5SeBNkO8cpdAftETAEqpgp
-fDlIVeywLvoN
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/server.key b/transport/tlscommon/testdata/server.key
deleted file mode 100644
index 8bb153a9..00000000
--- a/transport/tlscommon/testdata/server.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCxbjcoKxiy0pw//yUX1OsTA6oIs3lXUKg5S2j/x8UPOPUT1p43
-28sdjNuSWHC73sD6ikPNJTmJzEYab7o5rij+4EBzQ1jrMlx+SZY01+/FmyPp7lTH
-mI21DofuhIGDWOfRuax+8aoHrt8tWBEXzXXIRBvMY0sWHiGexL+lTBRfKwIDAQAB
-AoGAaBKW5cfJl/JzVhJphn4MWL3YeXwUW4Pi+KBj+UwLKW+mSTmk2mzgyfd6P3AC
-yB/Tn+GD/YutIUehgxYv7G9ceZC85EsPM6+1s887olgKNKbCiZZvrLBcBCzEhzkN
-QpC2/cuOOVYdYYQJZp9RX7herAJ5aqxZHUUtCrudgfCiAckCQQDo37NhBBfUlLc4
-LW3ryxydsh7MrTMU63+5IVtXosV3TFdWN9LC6CCarkILcOG5tmEmM6v1UQRAgCkm
-lb+/3SrXAkEAwwz9+mcAU1lTTiy+dCJkKepviT4Ex+BFl0yJPfSN5+/Wg15DjwsN
-vdE0H5nAT65aECiYy8V9DKNwHNcTIaZXzQJBAMvoPOBhPiCVC410MgC6e9cVRWTA
-766Muuy26Y1l6HQac4r6HGEv8oSeuxPbhrsfmBdkPVjz1L5Juj6f9yOgHEcCQHMH
-pHkaaay+D00ZQjDHX38AzUqJEtS1xRTXhFDPeyj/3uiWnQ0tHauGR1EjobDcSC0j
-ZAk4rOjZMnMvvA6qRTkCQQCT6B0edwnMc9q/4XcdF+LptWRiYNbSKkrisb304N+d
-lqbB76fGQY22onWcZEvcOmifmzmgj56QXSUot+fkNlVK
------END RSA PRIVATE KEY-----
diff --git a/transport/tlscommon/testdata/tls.crt b/transport/tlscommon/testdata/tls.crt
deleted file mode 100644
index d6528cce..00000000
--- a/transport/tlscommon/testdata/tls.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw
-FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3
-MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl
-bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p
-yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH
-hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c
-jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30
-t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n
-R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv
-MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou
-x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft
-cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz
-LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC
-AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6
-JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC
-l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg
-3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT
-itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC
-zODbmFEr7N0FzCN6hU8PjcLLhg==
------END CERTIFICATE-----
diff --git a/transport/tlscommon/testdata/unsigned_tls.crt b/transport/tlscommon/testdata/unsigned_tls.crt
deleted file mode 100644
index 710dda0a..00000000
--- a/transport/tlscommon/testdata/unsigned_tls.crt
+++ /dev/null
@@ -1,22 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN
-BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA
-MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG
-A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz
-NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE
-AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3
-DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL
-4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao
-2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u
-mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc
-bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp
-IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G
-A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6
-YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC
-AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik
-TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb
-jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb
-Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB
-pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi
-GQ6OHiviqMYraJMVFsc=
------END CERTIFICATE-----
diff --git a/transport/tlscommon/tls_config_test.go b/transport/tlscommon/tls_config_test.go
index 5804d5f3..07bb6327 100644
--- a/transport/tlscommon/tls_config_test.go
+++ b/transport/tlscommon/tls_config_test.go
@@ -18,15 +18,21 @@ package tlscommon
 import (
+ "bytes"
+ "crypto/sha256"
 "crypto/tls"
 "crypto/x509"
+ "encoding/hex"
 "encoding/pem"
 "errors"
- "io/ioutil"
+ "math/rand"
 "net"
 "net/http"
 "net/url"
+ "os"
 "path/filepath"
+ "regexp"
+ "strconv"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -34,15 +40,10 @@ import (
 )
 
 func TestMakeVerifyServerConnection(t *testing.T) {
- testCerts := openTestCerts(t)
+ testCerts := genTestCerts(t)
 
- testCA, errs := LoadCertificateAuthorities([]string{
- filepath.Join("testdata", "ca.crt"),
- filepath.Join("testdata", "cacert.crt"),
- })
- if len(errs) > 0 {
- t.Fatalf("failed to load test certificate authorities: %+v", errs)
- }
+ certPool := x509.NewCertPool()
+ certPool.AddCert(testCerts["ca"])
 
 testcases := map[string]struct {
 verificationMode TLSVerificationMode
@@ -64,7 +65,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with expired cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["expired"]},
 serverName: "",
 expectedCallback: true,
@@ -73,7 +74,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with incorrect server name in cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "bad.example.com",
 expectedCallback: true,
@@ -82,7 +83,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with correct cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -91,7 +92,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with correct wildcard cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["wildcard"]},
 serverName: "hello.example.com",
 expectedCallback: true,
@@ -100,7 +101,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with correct cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -109,7 +110,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with expired cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["expired"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -118,7 +119,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with incorrect server name in cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "bad.example.com",
 expectedCallback: true,
@@ -127,7 +128,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "strict verification with certificates when required with correct cert": {
 verificationMode: VerifyStrict,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: false,
@@ -136,11 +137,11 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with cert signed by unknown authority": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
- peerCerts: []*x509.Certificate{testCerts["unknown authority"]},
+ certAuthorities: certPool,
+ peerCerts: []*x509.Certificate{testCerts["unknown_authority"]},
 serverName: "",
 expectedCallback: true,
- expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]},
+ expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown_authority"]},
 },
 "default verification without certificates not required": {
 verificationMode: VerifyFull,
@@ -191,11 +192,13 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 }
 
 func TestTrustRootCA(t *testing.T) {
- certs := openTestCerts(t)
+ certs := genTestCerts(t)
 
 nonEmptyCertPool := x509.NewCertPool()
 nonEmptyCertPool.AddCert(certs["wildcard"])
- nonEmptyCertPool.AddCert(certs["unknown authority"])
+ nonEmptyCertPool.AddCert(certs["unknown_authority"])
+
+ fingerprint := getFingerprint(certs["ca"])
 
 testCases := []struct {
 name string
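Review bot: `fingerprint := getFingerprint(certs["ca"])` in the TestTrustRootCA hunk adds a second fingerprint helper to a package that already exports `Fingerprint` (used for `CASHA256` further down in this file), and nothing at the call site says how the two differ; the helper's definition is outside this hunk, but the 64-hex-character literal it replaces and the new `crypto/sha256`/`encoding/hex` imports suggest it yields the hex-encoded SHA-256 of the whole certificate, the form `ca_trusted_fingerprint` takes, while `Fingerprint` feeds the `CASHA256` pinning list. A name that states the encoding, such as `certSHA256Hex`, or a one-line doc comment on the helper, e.g. `// getFingerprint returns the hex-encoded SHA-256 of cert.Raw, the format ca_trusted_fingerprint expects.`, keeps the two from being mixed up; Go style also drops the `get` prefix. The same helper is used the same way in the TestMakeVerifyConnectionUsesCATrustedFingerprint hunk on the next line.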
@@ -207,21 +210,21 @@ func TestTrustRootCA(t *testing.T) {
 }{
 {
 name: "RootCA cert matches the fingerprint and is added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 1,
 },
 {
 name: "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 0,
 },
 {
 name: "non empty CertPool has the RootCA added",
 rootCAs: nonEmptyCertPool,
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 3,
 },
 {
@@ -263,7 +266,8 @@ func TestTrustRootCA(t *testing.T) {
 }
 
 func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
- testCerts := openTestCerts(t)
+ testCerts := genTestCerts(t)
+ fingerprint := getFingerprint(testCerts["ca"])
 
 testcases := map[string]struct {
 verificationMode TLSVerificationMode
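Review bot: The case "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs" now has exactly the same inputs as the matching case above it — `caTrustedFingerprint: fingerprint` and `peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]}` — yet expects `expectedRootCAsLen: 0`, so either the case cannot pass or the loop body (outside this hunk) skips its assertion when 0 is expected; on either reading the mismatch path of trustRootCA is not exercised. Giving it the digest of a certificate that is not among the peers, e.g. `caTrustedFingerprint: getFingerprint(certs["wildcard"]),`, turns it into a real negative test. The inputs were already duplicated before this commit, but the switch to generated certificates is the natural moment to fix it, and the typos in the case name (`doesn not matche`) can go at the same time.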
@@ -276,35 +280,35 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }{ "CATrustedFingerprint and verification mode:VerifyFull": { verificationMode: VerifyFull, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", + CATrustedFingerprint: fingerprint, }, "CATrustedFingerprint and verification mode:VerifyCertificate": { verificationMode: VerifyCertificate, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", + CATrustedFingerprint: fingerprint, }, "CATrustedFingerprint and verification mode:VerifyStrict": { verificationMode: VerifyStrict, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", - CASHA256: []string{Fingerprint(testCerts["es-leaf"])}, + CATrustedFingerprint: fingerprint, + CASHA256: []string{Fingerprint(testCerts["correct"])}, }, "CATrustedFingerprint and verification mode:VerifyNone": { verificationMode: VerifyNone, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: false, }, "invalid CATrustedFingerprint and verification mode:VerifyFull returns error": { verificationMode: VerifyFull, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: 
[]*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", @@ -312,7 +316,7 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }, "invalid CATrustedFingerprint and verification mode:VerifyCertificate returns error": { verificationMode: VerifyCertificate, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", @@ -320,12 +324,12 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }, "invalid CATrustedFingerprint and verification mode:VerifyStrict returns error": { verificationMode: VerifyStrict, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", expectingError: true, - CASHA256: []string{Fingerprint(testCerts["es-leaf"])}, + CASHA256: []string{Fingerprint(testCerts["correct"])}, }, } @@ -410,7 +414,8 @@ func TestMakeVerifyServerConnectionForIPs(t *testing.T) { false, test.commonName, test.dnsNames, - test.ips) + test.ips, + false) if err != nil { t.Fatalf("cannot generate peer certificate: %s", err) } @@ -585,7 +590,7 @@ func TestVerificationMode(t *testing.T) { for name, test := range testcases { t.Run(name, func(t *testing.T) { - certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips) + certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false) if err != nil { t.Fatalf("could not generate certificates: %s", err) } 
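Review bot: In the `genSignedCert` calls updated in the TestMakeVerifyServerConnectionForIPs and TestVerificationMode hunks, the new trailing argument is a bare `false` a few positions after the existing bare `false` for the CA flag, so `genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false)` gives a reader no hint that the last one means "not expired". A file-scope `const notExpired = false` used at every call site documents the flag without touching the helper's signature; a small options struct is the longer-term fix if more flags follow. The definition of `genSignedCert` is not in this diff, so I am inferring the parameter's meaning from the `expired` field of `certData` in the genTestCerts hunk; both enclosing test functions continue outside these hunks.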
@@ -678,30 +683,121 @@ func startTestServer(t *testing.T, serverAddr string, serverCerts []tls.Certific return *serverURL } -func openTestCerts(t testing.TB) map[string]*x509.Certificate { - t.Helper() - certs := make(map[string]*x509.Certificate, 0) +func getFingerprint(cert *x509.Certificate) string { + caSHA256 := sha256.Sum256(cert.Raw) + return hex.EncodeToString(caSHA256[:]) +} + +func genTestCerts(t *testing.T) map[string]*x509.Certificate { + ca, err := genCA() + if err != nil { + t.Fatalf("cannot generate root CA: %s", err) + } + + unknownCA, err := genCA() + if err != nil { + t.Fatalf("cannot generate second root CA: %s", err) + } - for testcase, certname := range map[string]string{ - "expired": "tls.crt", - "unknown authority": "unsigned_tls.crt", - "correct": "client1.crt", - "wildcard": "server.crt", - "es-leaf": "es-leaf.crt", - "es-root-ca": "es-root-ca-cert.crt", - } { + certs := map[string]*x509.Certificate{ + "ca": ca.Leaf, + } - certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname)) + certData := map[string]struct { + ca tls.Certificate + keyUsage x509.KeyUsage + isCA bool + dnsNames []string + ips []net.IP + expired bool + }{ + "wildcard": { + ca: ca, + keyUsage: x509.KeyUsageDigitalSignature, + isCA: false, + dnsNames: []string{"*.example.com"}, + }, + "correct": { + ca: ca, + keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, + isCA: false, + dnsNames: []string{"localhost"}, + // IPV4 and IPV6 + ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}, + }, + "unknown_authority": { + ca: unknownCA, + keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, + isCA: false, + dnsNames: []string{"localhost"}, + // IPV4 and IPV6 + ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}, + }, + "expired": { + ca: ca, + keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, + isCA: false, + dnsNames: []string{"localhost"}, + // IPV4 and 
IPV6 + ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}, + expired: true, + }, + } + + tmpDir := t.TempDir() + for certName, data := range certData { + cert, err := genSignedCert( + data.ca, + data.keyUsage, + data.isCA, + certName, + data.dnsNames, + data.ips, + data.expired, + ) if err != nil { - t.Fatalf("reading file %q: %+v", certname, err) + t.Fatalf("could not generate certificate '%s': %s", certName, err) } - block, _ := pem.Decode(certBytes) - testCert, err := x509.ParseCertificate(block.Bytes) + certs[certName] = cert.Leaf + + // We write the certificate to disk, so if the test fails the certs can + // be inspected/reused + certPEM := new(bytes.Buffer) + pem.Encode(certPEM, &pem.Block{ + Type: "CERTIFICATE", + Bytes: cert.Leaf.Raw, + }) + + serverCertFile, err := os.Create(filepath.Join(tmpDir, certName+".crt")) if err != nil { - t.Fatalf("parsing certificate %q: %+v", certname, err) + t.Fatalf("creating file to write server certificate: %v", err) + } + if _, err := serverCertFile.Write(certPEM.Bytes()); err != nil { + t.Fatalf("writing server certificate: %v", err) + } + + if err := serverCertFile.Close(); err != nil { + t.Fatalf("could not close certificate file: %s", err) } - certs[testcase] = testCert } + t.Cleanup(func() { + if t.Failed() { + finalDir := filepath.Join(os.TempDir(), cleanStr(t.Name())+strconv.Itoa(rand.Int())) + if err := os.Rename(tmpDir, finalDir); err != nil { + t.Fatalf("could not rename directory with certificates: %s", err) + } + + t.Logf("certificates persisted on: '%s'", finalDir) + } + }) + return certs } + +var cleanRegExp = regexp.MustCompile(`[^a-zA-Z0-9]`) + +// cleanStr replaces all characters that do not match 'a-zA-Z0-9' by '_' +func cleanStr(path string) string { + return cleanRegExp.ReplaceAllString(path, "_") +} From 5c526acf4c4f974af902402b3d5564de6b6f9708 Mon Sep 17 00:00:00 2001 
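Review bot: The failure-persistence path in genTestCerts's `t.Cleanup` renames the `t.TempDir()` directory to `os.TempDir()` joined with `cleanStr(t.Name())` and `rand.Int()`, a predictable name under a typically world-writable directory that another local user can pre-create, and `math/rand`'s global source is only auto-seeded from Go 1.20 onward. Creating the directory with `os.MkdirTemp` up front (unique name, mode 0700) and removing it in Cleanup only when the test passed drops the rename, the `t.Fatalf` inside the cleanup function and the `math/rand`/`strconv` imports; the rewritten lines are below. In the same loop the return value of `pem.Encode` is discarded, and `pem.EncodeToMemory` with `os.WriteFile(path, certPEM, 0o600)` replaces the Create/Write/Close sequence with one checked call. `getFingerprint` appears to compute the same value as the package's exported `Fingerprint`, used earlier in this file for `CASHA256`; if the duplication is deliberate — an oracle independent of the code under test — say so, e.g. `// getFingerprint is intentionally independent of Fingerprint so these tests do not validate the code under test against itself.`, otherwise the next maintainer will fold it back.
```go
func genTestCerts(t *testing.T) map[string]*x509.Certificate {
	// … unchanged: CA generation and the certData table …

	// Unique, mode-0700 directory; kept only when the test fails so the
	// generated certificates can be inspected.
	certDir, err := os.MkdirTemp("", cleanStr(t.Name()))
	if err != nil {
		t.Fatalf("cannot create directory for test certificates: %s", err)
	}
	t.Cleanup(func() {
		if t.Failed() {
			t.Logf("certificates persisted on: '%s'", certDir)
			return
		}
		if err := os.RemoveAll(certDir); err != nil {
			t.Logf("could not remove certificate directory '%s': %s", certDir, err)
		}
	})

	for certName, data := range certData {
		// … unchanged: genSignedCert call and its error check …
		certs[certName] = cert.Leaf

		certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Leaf.Raw})
		if err := os.WriteFile(filepath.Join(certDir, certName+".crt"), certPEM, 0o600); err != nil {
			t.Fatalf("writing certificate '%s': %s", certName, err)
		}
	}

	return certs
}
```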
From: Svetlana Maltseva <58.svetlana.maltseva@gmail.com> Date: Thu, 21 Dec 2023 13:03:46 +0100 Subject: [PATCH 2/2] update-bk-bot-settings (#170) --- .buildkite/pull-requests.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.buildkite/pull-requests.json b/.buildkite/pull-requests.json index 3e1a4d0c..082e5574 100644 --- a/.buildkite/pull-requests.json +++ b/.buildkite/pull-requests.json @@ -5,7 +5,7 @@ "pipelineSlug": "elastic-agent-libs", "allow_org_users": true, "allowed_repo_permissions": ["admin", "write"], - "allowed_list": [ ], + "allowed_list": ["github-actions[bot]"], "set_commit_status": true, "build_on_commit": true, "build_on_comment": true,
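Review bot: Adding `"github-actions[bot]"` to `allowed_list` lets pull requests authored by that identity trigger the Buildkite pipeline even though the bot holds none of the `"allowed_repo_permissions": ["admin", "write"]` checked two lines above, so this is a trust decision rather than a cosmetic setting and deserves a written rationale. JSON has no comment syntax, so record in the PR description or a README beside this file which workflow opens PRs as github-actions[bot] and why those PRs need CI; the commit title "update-bk-bot-settings" does not say. If any such workflow can be driven by fork content (for example one triggered by `pull_request_target` or issue comments), this change lets untrusted changes reach the pipeline with one less human in the loop — worth confirming before merging.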