Checking Validity of all Certs in the chain [VAULT-2114] (#11883)
* Checking Validity of all Certs in the chain * Addressing Comments for TLS cert validation * Fixing tls_verification tests * Fixing minor issue in tls_verification tests * Addressing Comments, Rebasing with main * Adding comment on top of a test
This commit is contained in:
parent
5483eba5fc
commit
658a4ea276
|
@ -0,0 +1,52 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQDtrZixHp89k9ga
|
||||
lQNBWxIUlJpftmo55xCK5NqAhtuI81VaDOczA+0dV2ZmONlCykwzj2jHrBeJPZao
|
||||
EYiCtoUH5VbTQjxczAzriB49yvs0rwg2DCmG+Uj1xusdBhx7rBZ7Es79LsQnRQVK
|
||||
ezosZGfwVy1chqW7UeCR5PeMumjcWevZSfBADGWNvy9b7mi2kEMJFFd+BKrl29ms
|
||||
+H6HGt8E0Vmx3SAkZIkTN3X3jzn57ly9IqzuTJp5AGXEQQE/9qLvOug+HMTIFObv
|
||||
/aqevyxaakVQciALTM7yp/dOcnocMIYbApcsSMcH6+tEEHiICAOZSxiVbobwD5Ta
|
||||
EACNOLeTYkedrlAEvsIR7NpTgbPJLYp/cxAsszKqe1EiWi1fMoFqghCXw9Jll13L
|
||||
Fad3eqvBrBgLiUMQWjUqcTmb6NSiNfHziKgrCqPa9nv4tPqQISutP8OLjuKLz1js
|
||||
qJsXbpkDchylS1g17Kkea3UDh4LEsh11/qsq0HBVvxwf929178IStJAqyYD0tW++
|
||||
blX3XL6gDJ/pzOmSdTvQXeFi4KMU3fjuKlhJRi8Oq+4gycWj+ACqSieoN1hztbuX
|
||||
UYx+/Gv1z2jKaoyaXlbQU0zvvCcvqRQ0mGWBp11UUdVaJSN65f4bi6/YR6Z3M+bA
|
||||
HwG0LVfp48QpSVZdVWD44t+EV2+ivQIDAQABAoICAQCUOjeH/rkBBjs4GMa2870K
|
||||
6MJ9/p2xDtHaTW+XyIMRnfAVAQcPYdt2+RL7nWihpthvL3kBTeo/xRE4L/cazgmZ
|
||||
KwZDKoPKu9cy7OkvUG/qI17TljIv4zgFT9FBgJYy6tf6WXiNnaTneLwb/04AcX4A
|
||||
/d1kXvTtJdsQIePg+EB9a/cSxHH4/8I17I30n3LeqImmF/GYvgB26e2PWkpOqAt+
|
||||
TbHKo0VwbOKwAV6ozcIyhN2BdyayV0PfQsg05PWKlp525B4C3p46yg5cja7i4gcf
|
||||
PDeOPB6P7Y8C9o3ddreA7SI1ph/xllHKNu+6uyrwa08TQypJx2yQOqdyd5hgeobB
|
||||
SDlEkrzJh08/f4BOHkubfQ1o40IwRuxnbcZ36OqYiJSMfkG8KR2E/Wu+t5A43rX5
|
||||
+b3r+9+EIuyJFiPbIVkQxmpN+NqtXlHZUaZs70mjUChGr+k/8CCQKC6HqO/7oKjq
|
||||
gAzbkcntYTJrpl2YZO/NbqjoA1wLmpnHEhJ2F2Q5NAgAosFs/89joyaFYvIka7As
|
||||
aS8y6v8RXPpVZ0iKcydThwEhHJvUnqEI8B9mF4oLFrHJgdYSAEc3tiGrV3lrvS2U
|
||||
Uza9rJGw1UnRpFkp3MoS5dI60GyQ0hvQ7X5XJQEUOnUyQd+3pzkW+jKIeczDdYSu
|
||||
4b8YyQDsNMD2Ewru5lY9AQKCAQEA/VN+EnjvJgtK6s0r8VpqkOvIkFcLDWjS8sQ5
|
||||
tWXu5yEyCRJMO+J2aRvoFFph8kMs2oGhJRZ1/4V6D2Zzm0mkhdjMWyBo5n4nDL/4
|
||||
Q5CJX3ri2NtORJjPp8BAVSwXj4HijLQKQqr4oatX5LKhTKUS/4X1vGzzi0w1u9cI
|
||||
o3U7kENc8+f5O1Xq9+0xlV+hjE/btWUZfqlUSSqF6SIdcA00f0IMFjXyAwlh0R1G
|
||||
iBKNmhLrKGbU0KFyzcAqxfWf+wehTsggpiX0vtodyi1EvG7HiZn9QCgRARQGgq5O
|
||||
7MKlOATHB9Iv2Kj4fFw5onE8jQYyZqaWMUUpBCPCHahj6z6XNQKCAQEA8C/SXiYt
|
||||
eOQINLYh6RQ1uEYWPH8vUe3UXOt59a/t2CWDRApn7JfOis01z/OjpRPLfOgBTeeN
|
||||
9l3WjCKFHqp+0Y0GSZYmgCZbQCvzer49tqT482jRDI1g52qs4WQMJM/ONmL4ixKP
|
||||
83RZlmKV7NjedBFfArsw3WJy0Q1rpcnrpv20IcCyn/qcylLxziRWh39NRsWWERtv
|
||||
wN02zcBQChqrhFDpzzSFslnKNejQsVasIlH17UsMe/PvPBqulHqKSDxihxKAjtcB
|
||||
LRMglWHr5rEkoOxoVVZvmwh+6A+DqHe55dXGNxarv07hjwtvgpgzdy4QCe5B0Zrq
|
||||
7JcwiC2LPoLmaQKCAQEA6E9c2gvVJApPFaw5lAfamjPfpZ5tIEr0yHRyh4uG3qZu
|
||||
gCsrhe9Tr2hMF/4avFQmGeuun5hNdZouKVlGwy1xlt0N6rN5/4XIwcR6I1u03r6O
|
||||
sVfMGtQX+jovxOu+X3g5Ddc9YY3wnDHJVI0LpoHrPjDW/Yjcfu3QiQXVgjDMAqwD
|
||||
3hjpUiSkaeA3DEi6mTXSwjKIgsM97Cr2yqjiXhN+BQXIl8W4vlgoP+CdAcQh3x1i
|
||||
UZabqwejhFOp5gguQcLphpm4dyVvoGXd075XvoXIrsNsnx0fGuIGZmj7L9wAL7MR
|
||||
4nY6MnIiDcl1gSZe5OS966zxJxXJW2Z/aTs3BlBL0QKCAQEAqHjStSlQQfio7NhI
|
||||
BuYfHCdFF6Aaf/wzNg4RmMyTJ0aAwWwPIzwEKwXv1fJOec7dr7pIl+1wfTuq7taT
|
||||
y0PJ+pBRtbH1RXQiE2wAt7rTLNagrJN79rMAIrKHmv0DK5r7SNi4/0vA3wJgiISU
|
||||
JvKjboR0wUSt7MtOP+aK+Foeyh4wiHBSmrY93gi6BV8ltpsLiDW1okA9bel8tGtN
|
||||
eRjl78SVi7qKgORMWu333DwwN06IEq7Oje83glAw3oLpleuNLLNEq2ySLZy6AS4T
|
||||
OthMGfhY4mrjk7os0fd34OZB5b3B8Agd5e2ddymNSOwbRWBw7ZZKYoyoddVCvHI9
|
||||
tlY46QKCAQEAtP4/Qkxuz8u4ZLKwHzGF9T1PgopsCBHpT/bP7CpXcA4dmo3CELgK
|
||||
B993iwtTpPTR6LABATnQ10wv6sJPp5aysggcWPkgjrVEOh7bdrhejcbauzGUotf/
|
||||
uwI8csEjJ1PUzmojlO1dlZ2BjEKIkreTBx1hKgNi8VjpR+/2lGXAp4iAm7gpJrsk
|
||||
mDnqmwBJ6gwRVrB9+8qmicpqNloopj43PeJTWrREUEcpdTpx2drIylAc/o71l3Cd
|
||||
WBbQKYf3YXzmsthICWmCXL6U5Hv9quKXUs3hSAmPMay+sopulxFnNck+ppf759H8
|
||||
xOLGonW/TvDl4gkmCzyFJcFxz77EF6N7hw==
|
||||
-----END PRIVATE KEY-----
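Review bot: The new fixture is a bare PEM private key with nothing marking it as test-only, so repository secret scanners and future readers cannot distinguish it from a leaked credential. A leading line ahead of `-----BEGIN PRIVATE KEY-----` such as `# test-only key, committed to source control; treat as public and do not reuse` would document that; Go's encoding/pem decoder skips data before the first BEGIN line, though confirm the loader used by the tests tolerates it. The file's path is not shown on this page, so the fixture is referred to here as [PATH-OF-TEST-KEY]. Since the key is in source control it should be regarded as compromised and must not be referenced from any non-test configuration.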
|
|
@ -59,7 +59,6 @@ func ListenerChecks(ctx context.Context, listeners []listenerutil.Listener) ([]s
|
|||
// Perform checks on the Client CA Cert
|
||||
warnings, err = TLSClientCAFileCheck(l)
|
||||
listenerWarnings, listenerErrors = outputError(ctx, warnings, listenerWarnings, err, listenerErrors, listenerID)
|
||||
|
||||
// TODO: Use listenerutil.TLSConfig to warn on incorrect protocol specified
|
||||
// Alternatively, use tlsutil.SetupTLSConfig.
|
||||
}
|
||||
|
@ -221,10 +220,9 @@ func TLSErrorChecks(leafCerts, interCerts, rootCerts []*x509.Certificate) error
|
|||
// and root certificates provided.
|
||||
func TLSFileWarningChecks(leafCerts, interCerts, rootCerts []*x509.Certificate) ([]string, error) {
|
||||
var warnings []string
|
||||
|
||||
// add a warning for when there are more than one leaf certs
|
||||
if len(leafCerts) > 1 {
|
||||
warnings = append(warnings, "leafCerts contains more than one cert.")
|
||||
warnings = append(warnings, fmt.Sprintf("More than one leaf certificate detected. Please ensure that there is one unique leaf certificate being supplied to vault in the vault server config file."))
|
||||
}
|
||||
|
||||
for _, c := range leafCerts {
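Review bot: The new warning inside `if len(leafCerts) > 1` wraps a constant string in `fmt.Sprintf` with no formatting directives and no arguments, which adds nothing and is flagged by staticcheck (S1039); append the literal directly: `warnings = append(warnings, "More than one leaf certificate detected. Please ensure that there is one unique leaf certificate being supplied to vault in the vault server config file.")`. TLSFileWarningChecks continues past the hunk, so whether the per-leaf loop that follows also validates each certificate's NotBefore/NotAfter, as the commit title suggests, cannot be confirmed from here.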
|
||||
|
|
|
@ -193,7 +193,7 @@ func TestTLSMultiKeys(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
// TestTLSMultiCerts verifies that a unique error message is thrown when a cert is specified twice.
|
||||
// TestTLSCertAsKey verifies that a unique error message is thrown when a cert is specified twice.
|
||||
func TestTLSCertAsKey(t *testing.T) {
|
||||
listeners := []listenerutil.Listener{
|
||||
{
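Review bot: The renamed doc comment on `TestTLSCertAsKey` still says the error is for a cert "specified twice", which matches the old TestTLSMultiCerts name rather than a certificate supplied where the key is expected. If the body, which lies outside the hunk, passes the certificate file in the key position, the comment should say so, e.g. `// TestTLSCertAsKey verifies that a unique error message is thrown when a certificate is supplied in place of the private key.`; if the test really does list the same cert twice, the function name is the misleading part.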
|
||||
|
@ -261,6 +261,7 @@ func TestTLSNoRoot(t *testing.T) {
|
|||
},
|
||||
}
|
||||
_, errs := ListenerChecks(context.Background(), listeners)
|
||||
|
||||
if errs != nil {
|
||||
t.Fatalf("server certificate without root certificate is insecure, but still valid")
|
||||
}
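Review bot: The failure message on `t.Fatalf("server certificate without root certificate is insecure, but still valid")` drops the errors that triggered it, so a regression reports nothing about what ListenerChecks rejected; `t.Fatalf("server certificate without root certificate should produce no errors, got: %v", errs)` keeps the diagnosis. The same constant-string `t.Fatalf` without `%v` of `errs` appears in the TestTLSInvalidMinVersion and TestTLSInvalidMaxVersion hunks, where the `len(errs) != 1` branch can fail without showing which errors came back. This test also discards the warnings from ListenerChecks; if the new chain validation is meant to warn on a missing root, asserting that the returned warnings mention it would cover that behaviour. TestTLSNoRoot's listener setup starts outside the hunk.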
|
||||
|
@ -285,7 +286,7 @@ func TestTLSInvalidMinVersion(t *testing.T) {
|
|||
}
|
||||
_, errs := ListenerChecks(context.Background(), listeners)
|
||||
if errs == nil || len(errs) != 1 {
|
||||
t.Fatalf("TLS Config check on fake certificate should fail")
|
||||
t.Fatalf("TLS Config check on invalid 'tls_min_version' should fail")
|
||||
}
|
||||
if !strings.Contains(errs[0].Error(), fmt.Errorf(minVersionError, "0").Error()) {
|
||||
t.Fatalf("Bad error message: %s", errs[0])
|
||||
|
@ -311,7 +312,7 @@ func TestTLSInvalidMaxVersion(t *testing.T) {
|
|||
}
|
||||
_, errs := ListenerChecks(context.Background(), listeners)
|
||||
if errs == nil || len(errs) != 1 {
|
||||
t.Fatalf("TLS Config check on fake certificate should fail")
|
||||
t.Fatalf("TLS Config check on invalid 'tls_max_version' should fail")
|
||||
}
|
||||
if !strings.Contains(errs[0].Error(), fmt.Errorf(maxVersionError, "0").Error()) {
|
||||
t.Fatalf("Bad error message: %s", errs[0])
|
||||
|
@ -550,7 +551,8 @@ func TestTLSMultipleRootInClietCACert(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestTLSSelfSignedCert(t *testing.T) {
|
||||
// TestTLSSelfSignedCerts tests invalid self-signed cert as TLSClientCAFile
|
||||
func TestTLSSelfSignedCerts(t *testing.T) {
|
||||
listeners := []listenerutil.Listener{
|
||||
{
|
||||
Config: &configutil.Listener{
|
||||
|
|