Add More TLS Tests and Verification of TLS Root Certificate (#11300)

* tls tests and root verification

* make the certificate verification check correct for non root CA case

* add expiry test

* addressed comments but still struggling with the bug in parsing CAs and intermediates from a single file

* final checks on tls and listener

* cleanup
Hridoy Roy 2021-04-12 08:39:40 -07:00 committed by GitHub
parent 9bf4fe2f64
commit fde9f2f71d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 638 additions and 204 deletions


@ -19,4 +19,4 @@ aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
-----END CERTIFICATE-----
-----END CERTIFICATE-----


@ -1387,6 +1387,7 @@ func (c *Core) migrateSeal(ctx context.Context) error {
if err != nil {
return fmt.Errorf("error checking if seal is migrated or not: %w", err)
}
if ok {
c.logger.Info("migration is already performed")
return nil


@ -0,0 +1,14 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,6 @@
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDB8mhOjdT0FUMchJl+EFtVs+Hwbh0vN8ArITefyBQZoIZ8KLd8qZmhK
wjuF0eZx+lqgBwYFK4EEACKhZANiAARAev3CjvwtV3bL+lT8RmRD4kNUM9XauZEh
gxoNKsGkrKkmyI7un69zuaIJk7+Ved4BmIXHBfkUMaUEhRJCcaaQeWkpjRyE/qiA
0qSegKMEWAUbRGrfBgCAeD/p0npI2UY=
-----END EC PRIVATE KEY-----


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -0,0 +1,43 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,42 @@
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw
MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS
TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn
SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi
YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5
donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG
B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1
MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e
HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o
k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x
OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A
AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br
aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs
X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4
aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


@ -1,57 +0,0 @@
package diagnose
import (
"crypto/tls"
"crypto/x509"
"fmt"
"github.com/hashicorp/vault/internalshared/listenerutil"
"github.com/hashicorp/vault/vault"
)
func ListenerChecks(listeners []listenerutil.Listener) error {
for _, listener := range listeners {
l := listener.Config
err := TLSFileChecks(l.TLSCertFile, l.TLSKeyFile)
if err != nil {
return err
}
}
return nil
}
// TLSChecks contains manual error checks against the TLS configuration
func TLSFileChecks(certFilePath, keyFilePath string) error {
// LoadX509KeyPair will check if the key/cert information can be loaded from files,
// if they exist with keys and certs of the same algorithm type, if there
// is an unknown algorithm type being used, and if the files have trailing
// data.
cert, err := tls.LoadX509KeyPair(certFilePath, keyFilePath)
if err != nil {
return err
}
// LoadX509KeyPair has a nil leaf certificate because it does not retain the
// parsed form, so we have to manually create it ourselves.
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return err
}
cert.Leaf = x509Cert
// TODO: Check root as well via l.TLSClientCAFile
// Check that certificate isn't expired and is of correct usage type
cert.Leaf.Verify(x509.VerifyOptions{
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
})
return nil
}
// ServerListenerActiveProbe attempts to use TLS information to set up a TLS server with each listener
// and generate a successful request through to the server.
// TODO
func ServerListenerActiveProbe(core *vault.Core) error {
return fmt.Errorf("Method not implemented")
}


@ -1,146 +0,0 @@
package diagnose
import (
"testing"
"github.com/hashicorp/vault/command/server"
"github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/internalshared/listenerutil"
"github.com/hashicorp/vault/vault"
)
func setup(t *testing.T) *vault.Core {
serverConf := &server.Config{
SharedConfig: &configutil.SharedConfig{
Listeners: []*configutil.Listener{
{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./certs/server.crt",
TLSKeyFile: "./certs/server.key",
TLSClientCAFile: "./certs/rootca.crt",
TLSMinVersion: "tls11",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: true,
},
{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./certs/server2.crt",
TLSKeyFile: "./certs/server2.key",
TLSClientCAFile: "./certs/rootca2.crt",
TLSMinVersion: "tls12",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./certs/server3.crt",
TLSKeyFile: "./certs/server3.key",
TLSClientCAFile: "./certs/rootca3.crt",
TLSMinVersion: "tls13",
TLSRequireAndVerifyClientCert: false,
TLSDisableClientCerts: true,
},
},
},
}
conf := &vault.CoreConfig{
RawConfig: serverConf,
}
core := vault.TestCoreWithConfig(t, conf)
return core
}
func TestTLSValidCert(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "0",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err != nil {
t.Errorf(err.Error())
}
}
func TestTLSFakeCert(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/fakecert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "0",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Errorf("TLS Config check on fake certificate should fail")
}
if err.Error() != "tls: failed to find any PEM data in certificate input" {
t.Errorf("Bad error message: %s", err.Error())
}
}
// TestTLSTrailingData uses a certificate from:
// https://github.com/golang/go/issues/40545 that contains
// an extra DER sequence, and makes sure a trailing data error
// is returned.
func TestTLSTrailingData(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/trailingdatacert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "0",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Errorf("TLS Config check on fake certificate should fail")
}
if err.Error() != "asn1: syntax error: trailing data" {
t.Errorf("Bad error message: %s", err.Error())
}
}
func TestTLSExpiredCert(t *testing.T) {
}
func TestTLSMismatchedCryptographicInfo(t *testing.T) {}
func TestTLSContradictoryFlags(t *testing.T) {}
func TestTLSBadCipherSuite(t *testing.T) {}
func TestTLSUnknownAlgorithm(t *testing.T) {}
func TestTLSIncorrectUsageType(t *testing.T) {}


@ -0,0 +1,138 @@
package diagnose
import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"github.com/hashicorp/vault/internalshared/listenerutil"
"github.com/hashicorp/vault/sdk/helper/tlsutil"
"github.com/hashicorp/vault/vault"
)
const minVersionError = "'tls_min_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]"
const maxVersionError = "'tls_max_version' value %q not supported, please specify one of [tls10,tls11,tls12,tls13]"
func ListenerChecks(listeners []listenerutil.Listener) error {
for _, listener := range listeners {
l := listener.Config
// Perform the TLS version check for listeners.
if l.TLSMinVersion == "" {
l.TLSMinVersion = "tls12"
}
if l.TLSMaxVersion == "" {
l.TLSMaxVersion = "tls13"
}
_, ok := tlsutil.TLSLookup[l.TLSMinVersion]
if !ok {
return fmt.Errorf(minVersionError, l.TLSMinVersion)
}
_, ok = tlsutil.TLSLookup[l.TLSMaxVersion]
if !ok {
return fmt.Errorf(maxVersionError, l.TLSMaxVersion)
}
var err error
// Perform checks on the TLS Cryptographic Information.
if err = TLSFileChecks(l.TLSCertFile, l.TLSKeyFile); err != nil {
return err
}
}
return nil
}
// TLSFileChecks contains manual error checks against the TLS configuration
func TLSFileChecks(certFilePath, keyFilePath string) error {
data, err := ioutil.ReadFile(certFilePath)
if err != nil {
return fmt.Errorf("failed to read tls_client_ca_file: %w", err)
}
certBlocks := []*pem.Block{}
leafCerts := []*x509.Certificate{}
rootPool := x509.NewCertPool()
interPool := x509.NewCertPool()
rst := []byte(data)
for len(rst) != 0 {
block, rest := pem.Decode(rst)
if block == nil {
return fmt.Errorf("could not decode cert")
}
certBlocks = append(certBlocks, block)
rst = rest
}
if len(certBlocks) == 0 {
return fmt.Errorf("no certificates found in cert file")
}
for _, certBlock := range certBlocks {
cert, err := x509.ParseCertificate(certBlock.Bytes)
if err != nil {
return fmt.Errorf("A pem block does not parse to a certificate: %w", err)
}
// Detect if the certificate is a root, leaf, or intermediate
if cert.IsCA && bytes.Equal(cert.RawIssuer, cert.RawSubject) {
// It's a root
rootPool.AddCert(cert)
} else if cert.IsCA {
// It's not a root but it's a CA, so it's an inter
interPool.AddCert(cert)
} else {
// It's gotta be a leaf
leafCerts = append(leafCerts, cert)
}
}
// Make sure there's only one leaf. If there are multiple, it's a bad pem file.
if len(leafCerts) != 1 {
return fmt.Errorf("Number of leaf certificates detected is not one. Instead, it is: %d", len(leafCerts))
}
rootSubjs := rootPool.Subjects()
if len(rootSubjs) == 0 {
// this is a self signed server certificate, or the root is just not provided. In any
// case, we need to bypass the root verification step by adding the leaf itself to the
// root pool.
rootPool.AddCert(leafCerts[0])
}
// Verify checks that certificate isn't expired, is of correct usage type, and has an appropriate
// chain.
_, err = leafCerts[0].Verify(x509.VerifyOptions{
Roots: rootPool,
Intermediates: interPool,
KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
})
if err != nil {
return fmt.Errorf("failed to verify certificate: %w", err)
}
// After verify passes, we need to check the values on the certificate itself.
// This is a separate check beyond the certificate expiry and chain checks.
cert, err := tls.LoadX509KeyPair(certFilePath, keyFilePath)
if err != nil {
return err
}
x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
return err
}
cert.Leaf = x509Cert
return nil
}
// ServerListenerActiveProbe attempts to use TLS information to set up a TLS server with each listener
// and generate a successful request through to the server.
// TODO
func ServerListenerActiveProbe(core *vault.Core) error {
return fmt.Errorf("Method not implemented")
}
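Review bot: The read-error message in TLSFileChecks names the wrong option — the call is `ioutil.ReadFile(certFilePath)`, so `return fmt.Errorf("failed to read tls_client_ca_file: %w", err)` should read `return fmt.Errorf("failed to read tls_cert_file: %w", err)`, otherwise an operator is sent to fix a file that was never opened. The block after Verify is partly dead: `tls.LoadX509KeyPair` is worth keeping for its key/cert match check, but the `x509.ParseCertificate` and `cert.Leaf = x509Cert` that follow are discarded on return, and the comment above them promises a check of "the values on the certificate itself" that is never made; `if _, err := tls.LoadX509KeyPair(certFilePath, keyFilePath); err != nil { return err }` is all that remains. The `for len(rst) != 0` loop returns "could not decode cert" for any bytes left after the last PEM block, which as far as I can tell includes a trailing blank line or any text after the final END line, so checking `len(bytes.TrimSpace(rst)) == 0` before returning that error would avoid rejecting otherwise valid files. When no root is found the leaf itself is added to rootPool; from what I recall of Go's Verify that makes it skip chain building entirely, so any intermediates collected in interPool are never validated in that path, and the comment at that point should say so rather than only that the root step is bypassed. ListenerChecks also writes `l.TLSMinVersion = "tls12"` and `l.TLSMaxVersion = "tls13"` into the caller's listener config as a side effect of a diagnostic and never checks that the minimum does not exceed the maximum; using locals for the defaults avoids the first.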


@ -0,0 +1,317 @@
package diagnose
import (
"fmt"
"strings"
"testing"
"github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/internalshared/listenerutil"
)
// TestTLSValidCert is the positive test case to show that specifying a valid cert and key
// passes all checks.
func TestTLSValidCert(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/goodcertwithroot.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err != nil {
t.Error(err.Error())
}
}
// TestTLSFakeCert simply ensures that the certificate file must contain PEM data.
func TestTLSFakeCert(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/fakecert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if !strings.Contains(err.Error(), "could not decode cert") {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSTrailingData uses a certificate from:
// https://github.com/golang/go/issues/40545 that contains
// an extra DER sequence, and makes sure a trailing data error
// is returned.
func TestTLSTrailingData(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/trailingdatacert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if !strings.Contains(err.Error(), "asn1: syntax error: trailing data") {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSExpiredCert checks that an expired certificate fails TLS checks
// with an appropriate error.
func TestTLSExpiredCert(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/expiredcert.pem",
TLSKeyFile: "./test-fixtures/expiredprivatekey.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if !strings.Contains(err.Error(), "certificate has expired or is not yet valid") {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSMismatchedCryptographicInfo verifies that a cert and key of differing cryptographic
// types, when specified together, is met with a unique error message.
func TestTLSMismatchedCryptographicInfo(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./test-fixtures/ecdsa.key",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if err.Error() != "tls: private key type does not match public key type" {
t.Errorf("Bad error message: %w", err)
}
listeners = []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/ecdsa.crt",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err = ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if err.Error() != "tls: private key type does not match public key type" {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSMultiKeys verifies that a unique error message is thrown when a key is specified twice.
func TestTLSMultiKeys(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/key.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if !strings.Contains(err.Error(), "pem block does not parse to a certificate") {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSMultiCerts verifies that a unique error message is thrown when a cert is specified twice.
func TestTLSMultiCerts(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/cert.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if !strings.Contains(err.Error(), "found a certificate rather than a key in the PEM for the private key") {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSInvalidRoot makes sure that the Verify call in tls.go checks the authority of
// the root. The root certificate used in this test is the Baltimore Cyber Trust root
// certificate, downloaded from: https://www.digicert.com/kb/digicert-root-certificates.htm
func TestTLSInvalidRoot(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./test-fixtures/goodcertbadroot.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if err.Error() != "failed to verify certificate: x509: certificate signed by unknown authority" {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSNoRoot ensures that a server certificate that is passed in without a root
// is still accepted by diagnose as valid. This is an acceptable, though less secure,
// server configuration.
func TestTLSNoRoot(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./test-fixtures/goodkey.pem",
TLSMinVersion: "tls10",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err != nil {
t.Error("Server certificate without root certificate is insecure, but still valid.")
}
}
// TestTLSInvalidMinVersion checks that a listener with an invalid minimum configured
// version errors appropriately.
func TestTLSInvalidMinVersion(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMinVersion: "0",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if err.Error() != fmt.Errorf(minVersionError, "0").Error() {
t.Errorf("Bad error message: %w", err)
}
}
// TestTLSInvalidMaxVersion checks that a listener with an invalid maximum configured
// version errors appropriately.
func TestTLSInvalidMaxVersion(t *testing.T) {
listeners := []listenerutil.Listener{
{
Config: &configutil.Listener{
Type: "tcp",
Address: "127.0.0.1:443",
ClusterAddress: "127.0.0.1:8201",
TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
TLSMaxVersion: "0",
TLSRequireAndVerifyClientCert: true,
TLSDisableClientCerts: false,
},
},
}
err := ListenerChecks(listeners)
if err == nil {
t.Error("TLS Config check on fake certificate should fail")
}
if err.Error() != fmt.Errorf(maxVersionError, "0").Error() {
t.Errorf("Bad error message: %w", err)
}
}
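Review bot: Every `t.Errorf("Bad error message: %w", err)` in this file uses `%w`, which only `fmt.Errorf` understands; in `t.Errorf` it renders as `%!w(...)` and `go vet` rejects it, so the verb should be `%v` (TestTLSFakeCert, TestTLSTrailingData, TestTLSExpiredCert, TestTLSMismatchedCryptographicInfo, TestTLSMultiKeys, TestTLSMultiCerts, TestTLSInvalidRoot, TestTLSInvalidMinVersion, TestTLSInvalidMaxVersion). In those same tests `if err == nil { t.Error(...) }` does not stop the test, so the `err.Error()` on the following line dereferences a nil error and the test panics instead of reporting a clean failure; `t.Fatal` is the right call there. The message "TLS Config check on fake certificate should fail" is copied verbatim into tests that are not about a fake certificate (expired cert, mismatched key type, duplicate key, invalid min/max version), which makes a failing run hard to read. The fixtures these tests load carry fixed validity periods, so TestTLSValidCert, TestTLSNoRoot, TestTLSInvalidRoot and the first case of TestTLSMismatchedCryptographicInfo will presumably start failing, or fail for a different reason than the one asserted, once those certificates expire — a comment naming the earliest expiry date among the fixtures would save the next person a debugging session.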