package pki import ( "bytes" "context" "crypto/x509" "crypto/x509/pkix" "encoding/hex" "encoding/pem" "fmt" "strconv" "strings" "testing" "time" "github.com/hashicorp/vault/sdk/logical" ) // For speed, all keys are ECDSA. type CBGenerateKey struct { Name string } func (c CBGenerateKey) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { resp, err := CBWrite(b, s, "keys/generate/exported", map[string]interface{}{ "name": c.Name, "algo": "ec", "bits": 256, }) if err != nil { t.Fatalf("failed to provision key (%v): %v", c.Name, err) } knownKeys[c.Name] = resp.Data["private"].(string) } // Generate a root. type CBGenerateRoot struct { Key string Existing bool Name string CommonName string ErrorMessage string } func (c CBGenerateRoot) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { url := "issuers/generate/root/" data := make(map[string]interface{}) if c.Existing { url += "existing" data["key_ref"] = c.Key } else { url += "exported" data["key_type"] = "ec" data["key_bits"] = 256 data["key_name"] = c.Key } data["issuer_name"] = c.Name data["common_name"] = c.Name if len(c.CommonName) > 0 { data["common_name"] = c.CommonName } resp, err := CBWrite(b, s, url, data) if err != nil { if len(c.ErrorMessage) > 0 { if !strings.Contains(err.Error(), c.ErrorMessage) { t.Fatalf("failed to generate root cert for issuer (%v): expected (%v) in error message but got %v", c.Name, c.ErrorMessage, err) } return } t.Fatalf("failed to provision issuer (%v): %v / body: %v", c.Name, err, data) } else if len(c.ErrorMessage) > 0 { t.Fatalf("expected to fail generation of issuer (%v) with error message containing (%v)", c.Name, c.ErrorMessage) } if !c.Existing { knownKeys[c.Key] = resp.Data["private_key"].(string) } knownCerts[c.Name] = resp.Data["certificate"].(string) // Validate key_id matches. url = "key/" + c.Key resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch key for name %v: %v", c.Key, err) } if resp == nil { t.Fatalf("failed to fetch key for name %v: nil response", c.Key) } expectedKeyId := resp.Data["key_id"] url = "issuer/" + c.Name resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch issuer for name %v: %v", c.Name, err) } if resp == nil { t.Fatalf("failed to fetch issuer for name %v: nil response", c.Name) } actualKeyId := resp.Data["key_id"] if expectedKeyId != actualKeyId { t.Fatalf("expected issuer %v to have key matching %v but got mismatch: %v vs %v", c.Name, c.Key, actualKeyId, expectedKeyId) } } // Generate an intermediate. Might not really be an intermediate; might be // a cross-signed cert. type CBGenerateIntermediate struct { Key string Existing bool Name string CommonName string SKID string Parent string ImportErrorMessage string } func (c CBGenerateIntermediate) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { // Build CSR url := "issuers/generate/intermediate/" data := make(map[string]interface{}) if c.Existing { url += "existing" data["key_ref"] = c.Key } else { url += "exported" data["key_type"] = "ec" data["key_bits"] = 256 data["key_name"] = c.Key } resp, err := CBWrite(b, s, url, data) if err != nil { t.Fatalf("failed to generate CSR for issuer (%v): %v / body: %v", c.Name, err, data) } if !c.Existing { knownKeys[c.Key] = resp.Data["private_key"].(string) } csr := resp.Data["csr"].(string) // Sign CSR url = fmt.Sprintf("issuer/%s/sign-intermediate", c.Parent) data = make(map[string]interface{}) data["csr"] = csr data["common_name"] = c.Name if len(c.CommonName) > 0 { data["common_name"] = c.CommonName } if len(c.SKID) > 0 { // Copy the SKID from an existing, already-issued cert. otherPEM := knownCerts[c.SKID] otherCert := ToCertificate(t, otherPEM) data["skid"] = hex.EncodeToString(otherCert.SubjectKeyId) } resp, err = CBWrite(b, s, url, data) if err != nil { t.Fatalf("failed to sign CSR for issuer (%v): %v / body: %v", c.Name, err, data) } knownCerts[c.Name] = strings.TrimSpace(resp.Data["certificate"].(string)) // Verify SKID if one was requested. if len(c.SKID) > 0 { otherPEM := knownCerts[c.SKID] otherCert := ToCertificate(t, otherPEM) ourCert := ToCertificate(t, knownCerts[c.Name]) if !bytes.Equal(otherCert.SubjectKeyId, ourCert.SubjectKeyId) { t.Fatalf("Expected two certs to have equal SKIDs but differed: them: %v vs us: %v", otherCert.SubjectKeyId, ourCert.SubjectKeyId) } } // Set the signed intermediate url = "intermediate/set-signed" data = make(map[string]interface{}) data["certificate"] = knownCerts[c.Name] data["issuer_name"] = c.Name resp, err = CBWrite(b, s, url, data) if err != nil { if len(c.ImportErrorMessage) > 0 { if !strings.Contains(err.Error(), c.ImportErrorMessage) { t.Fatalf("failed to import signed cert for issuer (%v): expected (%v) in error message but got %v", c.Name, c.ImportErrorMessage, err) } return } t.Fatalf("failed to import signed cert for issuer (%v): %v / body: %v", c.Name, err, data) } else if len(c.ImportErrorMessage) > 0 { t.Fatalf("expected to fail import (with error %v) of cert for issuer (%v) but was success: response: %v", c.ImportErrorMessage, c.Name, resp) } // Update the name since set-signed doesn't actually take an issuer name // parameter. rawNewCerts := resp.Data["imported_issuers"].([]string) if len(rawNewCerts) != 1 { t.Fatalf("Expected a single new certificate during import of signed cert for %v: got %v\nresp: %v", c.Name, len(rawNewCerts), resp) } newCertId := rawNewCerts[0] _, err = CBWrite(b, s, "issuer/"+newCertId, map[string]interface{}{ "issuer_name": c.Name, }) if err != nil { t.Fatalf("failed to update name for issuer (%v/%v): %v", c.Name, newCertId, err) } // Validate key_id matches. url = "key/" + c.Key resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch key for name %v: %v", c.Key, err) } if resp == nil { t.Fatalf("failed to fetch key for name %v: nil response", c.Key) } expectedKeyId := resp.Data["key_id"] url = "issuer/" + c.Name resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch issuer for name %v: %v", c.Name, err) } if resp == nil { t.Fatalf("failed to fetch issuer for name %v: nil response", c.Name) } actualKeyId := resp.Data["key_id"] if expectedKeyId != actualKeyId { t.Fatalf("expected issuer %v to have key matching %v but got mismatch: %v vs %v", c.Name, c.Key, actualKeyId, expectedKeyId) } } // Delete an issuer; breaks chains. type CBDeleteIssuer struct { Issuer string } func (c CBDeleteIssuer) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { url := fmt.Sprintf("issuer/%v", c.Issuer) _, err := CBDelete(b, s, url) if err != nil { t.Fatalf("failed to delete issuer (%v): %v", c.Issuer, err) } delete(knownCerts, c.Issuer) } // Validate the specified chain exists, by name. type CBValidateChain struct { Chains map[string][]string Aliases map[string]string } func (c CBValidateChain) ChainToPEMs(t testing.TB, parent string, chain []string, knownCerts map[string]string) []string { var result []string for entryIndex, entry := range chain { var chainEntry string modifiedEntry := entry if entryIndex == 0 && entry == "self" { modifiedEntry = parent } for pattern, replacement := range c.Aliases { modifiedEntry = strings.ReplaceAll(modifiedEntry, pattern, replacement) } for _, issuer := range strings.Split(modifiedEntry, ",") { cert, ok := knownCerts[issuer] if !ok { t.Fatalf("Unknown issuer %v in chain for %v: %v", issuer, parent, chain) } chainEntry += cert } result = append(result, chainEntry) } return result } func (c CBValidateChain) FindNameForCert(t testing.TB, cert string, knownCerts map[string]string) string { for issuer, known := range knownCerts { if strings.TrimSpace(known) == strings.TrimSpace(cert) { return issuer } } t.Fatalf("Unable to find cert:\n[%v]\nin known map:\n%v\n", cert, knownCerts) return "" } func (c CBValidateChain) PrettyChain(t testing.TB, chain []string, knownCerts map[string]string) []string { var prettyChain []string for _, cert := range chain { prettyChain = append(prettyChain, c.FindNameForCert(t, cert, knownCerts)) } return prettyChain } func ToCertificate(t testing.TB, cert string) *x509.Certificate { block, _ := pem.Decode([]byte(cert)) if block == nil { t.Fatalf("Unable to parse certificate: nil PEM block\n[%v]\n", cert) } ret, err := x509.ParseCertificate(block.Bytes) if err != nil { t.Fatalf("Unable to parse certificate: %v\n[%v]\n", err, cert) } return ret } func ToCRL(t testing.TB, crl string, issuer *x509.Certificate) *pkix.CertificateList { block, _ := pem.Decode([]byte(crl)) if block == nil { t.Fatalf("Unable to parse CRL: nil PEM block\n[%v]\n", crl) } ret, err := x509.ParseCRL(block.Bytes) if err != nil { t.Fatalf("Unable to parse CRL: %v\n[%v]\n", err, crl) } if issuer != nil { if err := issuer.CheckCRLSignature(ret); err != nil { t.Fatalf("Unable to check CRL signature: %v\n[%v]\n[%v]\n", err, crl, issuer) } } return ret } func (c CBValidateChain) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { for issuer, chain := range c.Chains { resp, err := CBRead(b, s, "issuer/"+issuer) if err != nil { t.Fatalf("failed to get chain for issuer (%v): %v", issuer, err) } rawCurrentChain := resp.Data["ca_chain"].([]string) var currentChain []string for _, entry := range rawCurrentChain { currentChain = append(currentChain, strings.TrimSpace(entry)) } // Ensure the issuer cert is always first. if currentChain[0] != knownCerts[issuer] { pretty := c.FindNameForCert(t, currentChain[0], knownCerts) t.Fatalf("expected certificate at index 0 to be self:\n[%v]\n[pretty: %v]\nis not the issuer's cert:\n[%v]\n[pretty: %v]", currentChain[0], pretty, knownCerts[issuer], issuer) } // Validate it against the expected chain. expectedChain := c.ChainToPEMs(t, issuer, chain, knownCerts) if len(currentChain) != len(expectedChain) { prettyCurrentChain := c.PrettyChain(t, currentChain, knownCerts) t.Fatalf("Lengths of chains for issuer %v mismatched: got %v vs expected %v:\n[%v]\n[pretty: %v]\n[%v]\n[pretty: %v]", issuer, len(currentChain), len(expectedChain), currentChain, prettyCurrentChain, expectedChain, chain) } for currentIndex, currentCert := range currentChain { // Chains might be forked so we may not be able to strictly validate // the chain against a single value. Instead, use strings.Contains // to validate the current cert is in the list of allowed // possibilities. if !strings.Contains(expectedChain[currentIndex], currentCert) { pretty := c.FindNameForCert(t, currentCert, knownCerts) t.Fatalf("chain mismatch at index %v for issuer %v: got cert:\n[%v]\n[pretty: %v]\nbut expected one of\n[%v]\n[pretty: %v]\n", currentIndex, issuer, currentCert, pretty, expectedChain[currentIndex], chain[currentIndex]) } } // Due to alternate paths, the above doesn't ensure ensure each cert // in the chain is only used once. Validate that now. for thisIndex, thisCert := range currentChain { for otherIndex, otherCert := range currentChain[thisIndex+1:] { if thisCert == otherCert { thisPretty := c.FindNameForCert(t, thisCert, knownCerts) otherPretty := c.FindNameForCert(t, otherCert, knownCerts) otherIndex += thisIndex + 1 t.Fatalf("cert reused in chain for %v:\n[%v]\n[pretty: %v / index: %v]\n[%v]\n[pretty: %v / index: %v]\n", issuer, thisCert, thisPretty, thisIndex, otherCert, otherPretty, otherIndex) } } } // Finally, validate that all certs verify something that came before // it. In the linear chain sense, this should strictly mean that the // parent comes before the child. for thisIndex, thisCertPem := range currentChain[1:] { thisIndex += 1 // Absolute index. parentCert := ToCertificate(t, thisCertPem) // Iterate backwards; prefer the most recent cert to the older // certs. foundCert := false for otherIndex := thisIndex - 1; otherIndex >= 0; otherIndex-- { otherCertPem := currentChain[otherIndex] childCert := ToCertificate(t, otherCertPem) if err := childCert.CheckSignatureFrom(parentCert); err == nil { foundCert = true } } if !foundCert { pretty := c.FindNameForCert(t, thisCertPem, knownCerts) t.Fatalf("malformed test scenario: certificate at chain index %v when validating %v does not validate any previous certificates:\n[%v]\n[pretty: %v]\n", thisIndex, issuer, thisCertPem, pretty) } } } } // Update an issuer type CBUpdateIssuer struct { Name string CAChain []string Usage string } func (c CBUpdateIssuer) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { url := "issuer/" + c.Name data := make(map[string]interface{}) data["issuer_name"] = c.Name resp, err := CBRead(b, s, url) if err != nil { t.Fatalf("failed to read issuer (%v): %v", c.Name, err) } if len(c.CAChain) == 1 && c.CAChain[0] == "existing" { data["manual_chain"] = resp.Data["manual_chain"] } else { data["manual_chain"] = c.CAChain } if c.Usage == "existing" { data["usage"] = resp.Data["usage"] } else if len(c.Usage) == 0 { data["usage"] = "read-only,issuing-certificates,crl-signing" } else { data["usage"] = c.Usage } _, err = CBWrite(b, s, url, data) if err != nil { t.Fatalf("failed to update issuer (%v): %v / body: %v", c.Name, err, data) } } // Issue a leaf, revoke it, and then validate it appears on the CRL. type CBIssueLeaf struct { Issuer string Role string } func (c CBIssueLeaf) IssueLeaf(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string, errorMessage string) *logical.Response { // Write a role url := "roles/" + c.Role data := make(map[string]interface{}) data["allow_localhost"] = true data["ttl"] = "200s" data["key_type"] = "ec" _, err := CBWrite(b, s, url, data) if err != nil { t.Fatalf("failed to update role (%v): %v / body: %v", c.Role, err, data) } // Issue the certificate. url = "issuer/" + c.Issuer + "/issue/" + c.Role data = make(map[string]interface{}) data["common_name"] = "localhost" resp, err := CBWrite(b, s, url, data) if err != nil { if len(errorMessage) >= 0 { if !strings.Contains(err.Error(), errorMessage) { t.Fatalf("failed to issue cert (%v via %v): %v / body: %v\nExpected error message: %v", c.Issuer, c.Role, err, data, errorMessage) } return nil } t.Fatalf("failed to issue cert (%v via %v): %v / body: %v", c.Issuer, c.Role, err, data) } if resp == nil { t.Fatalf("failed to issue cert (%v via %v): nil response / body: %v", c.Issuer, c.Role, data) } raw_cert := resp.Data["certificate"].(string) cert := ToCertificate(t, raw_cert) raw_issuer := resp.Data["issuing_ca"].(string) issuer := ToCertificate(t, raw_issuer) // Validate issuer and signatures are good. if strings.TrimSpace(raw_issuer) != strings.TrimSpace(knownCerts[c.Issuer]) { t.Fatalf("signing certificate ended with wrong certificate for issuer %v:\n[%v]\n\nvs\n\n[%v]\n", c.Issuer, raw_issuer, knownCerts[c.Issuer]) } if err := cert.CheckSignatureFrom(issuer); err != nil { t.Fatalf("failed to verify signature on issued certificate from %v: %v\n[%v]\n[%v]\n", c.Issuer, err, raw_cert, raw_issuer) } return resp } func (c CBIssueLeaf) RevokeLeaf(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string, issueResponse *logical.Response, hasCRL bool, isDefault bool) { api_serial := issueResponse.Data["serial_number"].(string) raw_cert := issueResponse.Data["certificate"].(string) cert := ToCertificate(t, raw_cert) raw_issuer := issueResponse.Data["issuing_ca"].(string) issuer := ToCertificate(t, raw_issuer) // Revoke the certificate. url := "revoke" data := make(map[string]interface{}) data["serial_number"] = api_serial resp, err := CBWrite(b, s, url, data) if err != nil { t.Fatalf("failed to revoke issued certificate (%v) under role %v / issuer %v: %v", api_serial, c.Role, c.Issuer, err) } if resp == nil { t.Fatalf("failed to revoke issued certificate (%v) under role %v / issuer %v: nil response", api_serial, c.Role, c.Issuer) } if _, ok := resp.Data["revocation_time"]; !ok { t.Fatalf("failed to revoke issued certificate (%v) under role %v / issuer %v: expected response parameter revocation_time was missing from response:\n%v", api_serial, c.Role, c.Issuer, resp.Data) } if !hasCRL && isDefault { // Nothing further we can test here. We could re-enable CRL building // and check that it works, but that seems like a stretch. Other // issuers might be functionally the same as this issuer (and thus // this CRL will still be issued), but that requires more work to // check and verify. return } // Verify it is on this issuer's CRL. url = "issuer/" + c.Issuer + "/crl" resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch CRL for issuer %v: %v", c.Issuer, err) } if resp == nil { t.Fatalf("failed to fetch CRL for issuer %v: nil response", c.Issuer) } raw_crl := resp.Data["crl"].(string) crl := ToCRL(t, raw_crl, issuer) foundCert := requireSerialNumberInCRL(nil, crl.TBSCertList, api_serial) if !foundCert { if !hasCRL && !isDefault { // Update the issuer we expect to find this on. resp, err := CBRead(b, s, "config/issuers") if err != nil { t.Fatalf("failed to read default issuer config: %v", err) } if resp == nil { t.Fatalf("failed to read default issuer config: nil response") } defaultID := resp.Data["default"].(issuerID).String() c.Issuer = defaultID issuer = nil } // Verify it is on the default issuer's CRL. url = "issuer/" + c.Issuer + "/crl" resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch CRL for issuer %v: %v", c.Issuer, err) } if resp == nil { t.Fatalf("failed to fetch CRL for issuer %v: nil response", c.Issuer) } raw_crl = resp.Data["crl"].(string) crl = ToCRL(t, raw_crl, issuer) foundCert = requireSerialNumberInCRL(nil, crl.TBSCertList, api_serial) } if !foundCert { // If CRL building is broken, this is useful for finding which issuer's // CRL the revoked cert actually appears on. for issuerName := range knownCerts { url = "issuer/" + issuerName + "/crl" resp, err = CBRead(b, s, url) if err != nil { t.Fatalf("failed to fetch CRL for issuer %v: %v", issuerName, err) } if resp == nil { t.Fatalf("failed to fetch CRL for issuer %v: nil response", issuerName) } raw_crl := resp.Data["crl"].(string) crl := ToCRL(t, raw_crl, nil) for index, revoked := range crl.TBSCertList.RevokedCertificates { // t.Logf("[%v] revoked serial number: %v -- vs -- %v", index, revoked.SerialNumber, cert.SerialNumber) if revoked.SerialNumber.Cmp(cert.SerialNumber) == 0 { t.Logf("found revoked cert at index: %v for unexpected issuer: %v", index, issuerName) break } } } t.Fatalf("expected to find certificate with serial [%v] on issuer %v's CRL but was missing: %v revoked certs\n\nCRL:\n[%v]\n\nLeaf:\n[%v]\n\nIssuer:\n[%v]\n", api_serial, c.Issuer, len(crl.TBSCertList.RevokedCertificates), raw_crl, raw_cert, raw_issuer) } } func (c CBIssueLeaf) Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { if len(c.Role) == 0 { c.Role = "testing" } resp, err := CBRead(b, s, "config/issuers") if err != nil { t.Fatalf("failed to read default issuer config: %v", err) } if resp == nil { t.Fatalf("failed to read default issuer config: nil response") } defaultID := resp.Data["default"].(issuerID).String() resp, err = CBRead(b, s, "issuer/"+c.Issuer) if err != nil { t.Fatalf("failed to read issuer %v: %v", c.Issuer, err) } if resp == nil { t.Fatalf("failed to read issuer %v: nil response", c.Issuer) } ourID := resp.Data["issuer_id"].(issuerID).String() areDefault := ourID == defaultID for _, usage := range []string{"read-only", "crl-signing", "issuing-certificates", "issuing-certificates,crl-signing"} { ui := CBUpdateIssuer{ Name: c.Issuer, CAChain: []string{"existing"}, Usage: usage, } ui.Run(t, b, s, knownKeys, knownCerts) ilError := "requested usage issuing-certificates for issuer" hasIssuing := strings.Contains(usage, "issuing-certificates") if hasIssuing { ilError = "" } hasCRL := strings.Contains(usage, "crl-signing") resp := c.IssueLeaf(t, b, s, knownKeys, knownCerts, ilError) if resp == nil && !hasIssuing { continue } c.RevokeLeaf(t, b, s, knownKeys, knownCerts, resp, hasCRL, areDefault) } } // Stable ordering func ensureStableOrderingOfChains(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) { // Start by fetching all chains certChains := make(map[string][]string) for issuer := range knownCerts { resp, err := CBRead(b, s, "issuer/"+issuer) if err != nil { t.Fatalf("failed to get chain for issuer (%v): %v", issuer, err) } rawCurrentChain := resp.Data["ca_chain"].([]string) var currentChain []string for _, entry := range rawCurrentChain { currentChain = append(currentChain, strings.TrimSpace(entry)) } certChains[issuer] = currentChain } // Now, generate a bunch of arbitrary roots and validate the chain is // consistent. var runs []time.Duration for i := 0; i < 10; i++ { name := "stable-order-root-" + strconv.Itoa(i) step := CBGenerateRoot{ Key: name, Name: name, } step.Run(t, b, s, make(map[string]string), make(map[string]string)) before := time.Now() _, err := CBDelete(b, s, "issuer/"+name) if err != nil { t.Fatalf("failed to delete temporary testing issuer %v: %v", name, err) } after := time.Now() elapsed := after.Sub(before) runs = append(runs, elapsed) for issuer := range knownCerts { resp, err := CBRead(b, s, "issuer/"+issuer) if err != nil { t.Fatalf("failed to get chain for issuer (%v): %v", issuer, err) } rawCurrentChain := resp.Data["ca_chain"].([]string) for index, entry := range rawCurrentChain { if strings.TrimSpace(entry) != certChains[issuer][index] { t.Fatalf("iteration %d - chain for issuer %v differed at index %d\n%v\nvs\n%v", i, issuer, index, entry, certChains[issuer][index]) } } } } min := runs[0] max := runs[0] var avg time.Duration for _, run := range runs { if run < min { min = run } if run > max { max = run } avg += run } avg = avg / time.Duration(len(runs)) t.Logf("Chain building run time (deletion) - min: %v / avg: %v / max: %v - entries: %v", min, avg, max, runs) } type CBTestStep interface { Run(t testing.TB, b *backend, s logical.Storage, knownKeys map[string]string, knownCerts map[string]string) } type CBTestScenario struct { Steps []CBTestStep } var chainBuildingTestCases = []CBTestScenario{ { // This test builds up two cliques lined by a cycle, dropping into // a single intermediate. Steps: []CBTestStep{ // Create a reissued certificate using the same key. These // should validate themselves. CBGenerateRoot{ Key: "key-root-old", Name: "root-old-a", CommonName: "root-old", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self"}, }, }, // After adding the second root using the same key and common // name, there should now be two certs in each chain. CBGenerateRoot{ Key: "key-root-old", Existing: true, Name: "root-old-b", CommonName: "root-old", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-b"}, "root-old-b": {"self", "root-old-a"}, }, }, // After adding a third root, there are now two possibilities for // each later chain entry. CBGenerateRoot{ Key: "key-root-old", Existing: true, Name: "root-old-c", CommonName: "root-old", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc"}, "root-old-b": {"self", "root-old-ac", "root-old-ac"}, "root-old-c": {"self", "root-old-ab", "root-old-ab"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", }, }, // If we generate an unrelated issuer, it shouldn't affect either // chain. CBGenerateRoot{ Key: "key-root-new", Name: "root-new-a", CommonName: "root-new", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc"}, "root-old-b": {"self", "root-old-ac", "root-old-ac"}, "root-old-c": {"self", "root-old-ab", "root-old-ab"}, "root-new-a": {"self"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", }, }, // Reissuing this new root should form another clique. CBGenerateRoot{ Key: "key-root-new", Existing: true, Name: "root-new-b", CommonName: "root-new", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc"}, "root-old-b": {"self", "root-old-ac", "root-old-ac"}, "root-old-c": {"self", "root-old-ab", "root-old-ab"}, "root-new-a": {"self", "root-new-b"}, "root-new-b": {"self", "root-new-a"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", }, }, // Generating a cross-signed cert from old->new should result // in all old clique certs showing up in the new root's paths. // This does not form a cycle. CBGenerateIntermediate{ // In order to validate the existing root-new clique, we // have to reuse the key and common name here for // cross-signing. Key: "key-root-new", Existing: true, Name: "cross-old-new", CommonName: "root-new", SKID: "root-new-a", // Which old issuer is used here doesn't matter as they have // the same CN and key. Parent: "root-old-a", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc"}, "root-old-b": {"self", "root-old-ac", "root-old-ac"}, "root-old-c": {"self", "root-old-ab", "root-old-ab"}, "cross-old-new": {"self", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-a": {"self", "root-new-b", "cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-b": {"self", "root-new-a", "cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", "root-old-abc": "root-old-a,root-old-b,root-old-c", }, }, // If we create a new intermediate off of the root-new, we should // simply add to the existing chain. CBGenerateIntermediate{ Key: "key-inter-a-root-new", Name: "inter-a-root-new", Parent: "root-new-a", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc"}, "root-old-b": {"self", "root-old-ac", "root-old-ac"}, "root-old-c": {"self", "root-old-ab", "root-old-ab"}, "cross-old-new": {"self", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-a": {"self", "root-new-b", "cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-b": {"self", "root-new-a", "cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, // If we find cross-old-new first, the old clique will be ahead // of the new clique; otherwise the new clique will appear first. "inter-a-root-new": {"self", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", "root-old-abc": "root-old-a,root-old-b,root-old-c", "full-cycle": "root-old-a,root-old-b,root-old-c,cross-old-new,root-new-a,root-new-b", }, }, // Now, if we cross-sign back from new to old, we should // form cycle with multiple reissued cliques. This means // all nodes will have the same chain. CBGenerateIntermediate{ // In order to validate the existing root-old clique, we // have to reuse the key and common name here for // cross-signing. Key: "key-root-old", Existing: true, Name: "cross-new-old", CommonName: "root-old", SKID: "root-old-a", // Which new issuer is used here doesn't matter as they have // the same CN and key. Parent: "root-new-a", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "root-old-b": {"self", "root-old-ac", "root-old-ac", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "root-old-c": {"self", "root-old-ab", "root-old-ab", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "cross-old-new": {"self", "cross-new-old", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "cross-new-old": {"self", "cross-old-new", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "root-new-a": {"self", "root-new-b", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-b": {"self", "root-new-a", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "inter-a-root-new": {"self", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", "root-old-abc": "root-old-a,root-old-b,root-old-c", "root-new-ab": "root-new-a,root-new-b", "both-cross-old-new": "cross-old-new,cross-new-old", "both-cliques": "root-old-a,root-old-b,root-old-c,root-new-a,root-new-b", "full-cycle": "root-old-a,root-old-b,root-old-c,cross-old-new,cross-new-old,root-new-a,root-new-b", }, }, // Update each old root to only include itself. CBUpdateIssuer{ Name: "root-old-a", CAChain: []string{"root-old-a"}, }, CBUpdateIssuer{ Name: "root-old-b", CAChain: []string{"root-old-b"}, }, CBUpdateIssuer{ Name: "root-old-c", CAChain: []string{"root-old-c"}, }, // Step 19 CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self"}, "root-old-b": {"self"}, "root-old-c": {"self"}, "cross-old-new": {"self", "cross-new-old", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "cross-new-old": {"self", "cross-old-new", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "root-new-a": {"self", "root-new-b", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-b": {"self", "root-new-a", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "inter-a-root-new": {"self", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", "root-old-abc": "root-old-a,root-old-b,root-old-c", "root-new-ab": "root-new-a,root-new-b", "both-cross-old-new": "cross-old-new,cross-new-old", "both-cliques": "root-old-a,root-old-b,root-old-c,root-new-a,root-new-b", "full-cycle": "root-old-a,root-old-b,root-old-c,cross-old-new,cross-new-old,root-new-a,root-new-b", }, }, // Reset the old roots; should get the original chains back. CBUpdateIssuer{ Name: "root-old-a", }, CBUpdateIssuer{ Name: "root-old-b", }, CBUpdateIssuer{ Name: "root-old-c", }, CBValidateChain{ Chains: map[string][]string{ "root-old-a": {"self", "root-old-bc", "root-old-bc", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "root-old-b": {"self", "root-old-ac", "root-old-ac", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "root-old-c": {"self", "root-old-ab", "root-old-ab", "both-cross-old-new", "both-cross-old-new", "root-new-ab", "root-new-ab"}, "cross-old-new": {"self", "cross-new-old", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "cross-new-old": {"self", "cross-old-new", "both-cliques", "both-cliques", "both-cliques", "both-cliques", "both-cliques"}, "root-new-a": {"self", "root-new-b", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "root-new-b": {"self", "root-new-a", "both-cross-old-new", "both-cross-old-new", "root-old-abc", "root-old-abc", "root-old-abc"}, "inter-a-root-new": {"self", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle", "full-cycle"}, }, Aliases: map[string]string{ "root-old-ac": "root-old-a,root-old-c", "root-old-ab": "root-old-a,root-old-b", "root-old-bc": "root-old-b,root-old-c", "root-old-abc": "root-old-a,root-old-b,root-old-c", "root-new-ab": "root-new-a,root-new-b", "both-cross-old-new": "cross-old-new,cross-new-old", "both-cliques": "root-old-a,root-old-b,root-old-c,root-new-a,root-new-b", "full-cycle": "root-old-a,root-old-b,root-old-c,cross-old-new,cross-new-old,root-new-a,root-new-b", }, }, CBIssueLeaf{Issuer: "root-old-a"}, CBIssueLeaf{Issuer: "root-old-b"}, CBIssueLeaf{Issuer: "root-old-c"}, CBIssueLeaf{Issuer: "cross-old-new"}, CBIssueLeaf{Issuer: "cross-new-old"}, CBIssueLeaf{Issuer: "root-new-a"}, CBIssueLeaf{Issuer: "root-new-b"}, CBIssueLeaf{Issuer: "inter-a-root-new"}, }, }, { // Here we're testing our chain capacity. First we'll create a // bunch of unique roots to form a cycle of length 10. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root-a", Name: "root-a", CommonName: "root-a", }, CBGenerateRoot{ Key: "key-root-b", Name: "root-b", CommonName: "root-b", }, CBGenerateRoot{ Key: "key-root-c", Name: "root-c", CommonName: "root-c", }, CBGenerateRoot{ Key: "key-root-d", Name: "root-d", CommonName: "root-d", }, CBGenerateRoot{ Key: "key-root-e", Name: "root-e", CommonName: "root-e", }, // They should all be disjoint to start. CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "root-b": {"self"}, "root-c": {"self"}, "root-d": {"self"}, "root-e": {"self"}, }, }, // Start the cross-signing chains. These are all linear, so there's // no error expected; they're just long. CBGenerateIntermediate{ Key: "key-root-b", Existing: true, Name: "cross-a-b", CommonName: "root-b", Parent: "root-a", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "cross-a-b": {"self", "root-a"}, "root-b": {"self", "cross-a-b", "root-a"}, "root-c": {"self"}, "root-d": {"self"}, "root-e": {"self"}, }, }, CBGenerateIntermediate{ Key: "key-root-c", Existing: true, Name: "cross-b-c", CommonName: "root-c", Parent: "root-b", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "cross-a-b": {"self", "root-a"}, "root-b": {"self", "cross-a-b", "root-a"}, "cross-b-c": {"self", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "root-c": {"self", "cross-b-c", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "root-d": {"self"}, "root-e": {"self"}, }, Aliases: map[string]string{ "b-or-cross": "root-b,cross-a-b", "b-chained-cross": "root-b,cross-a-b,root-a", }, }, CBGenerateIntermediate{ Key: "key-root-d", Existing: true, Name: "cross-c-d", CommonName: "root-d", Parent: "root-c", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "cross-a-b": {"self", "root-a"}, "root-b": {"self", "cross-a-b", "root-a"}, "cross-b-c": {"self", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "root-c": {"self", "cross-b-c", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "cross-c-d": {"self", "c-or-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross"}, "root-d": {"self", "cross-c-d", "c-or-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross"}, "root-e": {"self"}, }, Aliases: map[string]string{ "b-or-cross": "root-b,cross-a-b", "b-chained-cross": "root-b,cross-a-b,root-a", "c-or-cross": "root-c,cross-b-c", "c-chained-cross": "root-c,cross-b-c,root-b,cross-a-b,root-a", }, }, CBGenerateIntermediate{ Key: "key-root-e", Existing: true, Name: "cross-d-e", CommonName: "root-e", Parent: "root-d", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "cross-a-b": {"self", "root-a"}, "root-b": {"self", "cross-a-b", "root-a"}, "cross-b-c": {"self", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "root-c": {"self", "cross-b-c", "b-or-cross", "b-chained-cross", "b-chained-cross"}, "cross-c-d": {"self", "c-or-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross"}, "root-d": {"self", "cross-c-d", "c-or-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross", "c-chained-cross"}, "cross-d-e": {"self", "d-or-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross"}, "root-e": {"self", "cross-d-e", "d-or-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross", "d-chained-cross"}, }, Aliases: map[string]string{ "b-or-cross": "root-b,cross-a-b", "b-chained-cross": "root-b,cross-a-b,root-a", "c-or-cross": "root-c,cross-b-c", "c-chained-cross": "root-c,cross-b-c,root-b,cross-a-b,root-a", "d-or-cross": "root-d,cross-c-d", "d-chained-cross": "root-d,cross-c-d,root-c,cross-b-c,root-b,cross-a-b,root-a", }, }, CBIssueLeaf{Issuer: "root-a"}, CBIssueLeaf{Issuer: "cross-a-b"}, CBIssueLeaf{Issuer: "root-b"}, CBIssueLeaf{Issuer: "cross-b-c"}, CBIssueLeaf{Issuer: "root-c"}, CBIssueLeaf{Issuer: "cross-c-d"}, CBIssueLeaf{Issuer: "root-d"}, CBIssueLeaf{Issuer: "cross-d-e"}, CBIssueLeaf{Issuer: "root-e"}, // Importing the new e->a cross fails because the cycle // it builds is too long. CBGenerateIntermediate{ Key: "key-root-a", Existing: true, Name: "cross-e-a", CommonName: "root-a", Parent: "root-e", ImportErrorMessage: "exceeds max size", }, // Deleting any root and one of its crosses (either a->b or b->c) // should fix this. CBDeleteIssuer{"root-b"}, CBDeleteIssuer{"cross-b-c"}, // Importing the new e->a cross fails because the cycle // it builds is too long. CBGenerateIntermediate{ Key: "key-root-a", Existing: true, Name: "cross-e-a", CommonName: "root-a", Parent: "root-e", }, CBIssueLeaf{Issuer: "root-a"}, CBIssueLeaf{Issuer: "cross-a-b"}, CBIssueLeaf{Issuer: "root-c"}, CBIssueLeaf{Issuer: "cross-c-d"}, CBIssueLeaf{Issuer: "root-d"}, CBIssueLeaf{Issuer: "cross-d-e"}, CBIssueLeaf{Issuer: "root-e"}, CBIssueLeaf{Issuer: "cross-e-a"}, }, }, { // Here we're testing our clique capacity. First we'll create a // bunch of unique roots to form a cycle of length 10. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root", Name: "root-a", CommonName: "root", }, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-b", CommonName: "root", }, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-c", CommonName: "root", }, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-d", CommonName: "root", }, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-e", CommonName: "root", }, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-f", CommonName: "root", }, CBIssueLeaf{Issuer: "root-a"}, CBIssueLeaf{Issuer: "root-b"}, CBIssueLeaf{Issuer: "root-c"}, CBIssueLeaf{Issuer: "root-d"}, CBIssueLeaf{Issuer: "root-e"}, CBIssueLeaf{Issuer: "root-f"}, // Seventh reissuance fails. CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-g", CommonName: "root", ErrorMessage: "excessively reissued certificate", }, // Deleting one and trying again should succeed. CBDeleteIssuer{"root-a"}, CBGenerateRoot{ Key: "key-root", Existing: true, Name: "root-g", CommonName: "root", }, CBIssueLeaf{Issuer: "root-b"}, CBIssueLeaf{Issuer: "root-c"}, CBIssueLeaf{Issuer: "root-d"}, CBIssueLeaf{Issuer: "root-e"}, CBIssueLeaf{Issuer: "root-f"}, CBIssueLeaf{Issuer: "root-g"}, }, }, { // There's one more pathological case here: we have a cycle // which validates a clique/cycle via cross-signing. We call // the parent cycle new roots and the child cycle/clique the // old roots. Steps: []CBTestStep{ // New Cycle CBGenerateRoot{ Key: "key-root-new-a", Name: "root-new-a", }, CBGenerateRoot{ Key: "key-root-new-b", Name: "root-new-b", }, CBGenerateIntermediate{ Key: "key-root-new-b", Existing: true, Name: "cross-root-new-b-sig-a", CommonName: "root-new-b", Parent: "root-new-a", }, CBGenerateIntermediate{ Key: "key-root-new-a", Existing: true, Name: "cross-root-new-a-sig-b", CommonName: "root-new-a", Parent: "root-new-b", }, // Old Cycle + Clique CBGenerateRoot{ Key: "key-root-old-a", Name: "root-old-a", }, CBGenerateRoot{ Key: "key-root-old-a", Existing: true, Name: "root-old-a-reissued", CommonName: "root-old-a", }, CBGenerateRoot{ Key: "key-root-old-b", Name: "root-old-b", }, CBGenerateRoot{ Key: "key-root-old-b", Existing: true, Name: "root-old-b-reissued", CommonName: "root-old-b", }, CBGenerateIntermediate{ Key: "key-root-old-b", Existing: true, Name: "cross-root-old-b-sig-a", CommonName: "root-old-b", Parent: "root-old-a", }, CBGenerateIntermediate{ Key: "key-root-old-a", Existing: true, Name: "cross-root-old-a-sig-b", CommonName: "root-old-a", Parent: "root-old-b", }, // Validate the chains are separate before linking them. CBValidateChain{ Chains: map[string][]string{ // New stuff "root-new-a": {"self", "cross-root-new-a-sig-b", "root-new-b-or-cross", "root-new-b-or-cross"}, "root-new-b": {"self", "cross-root-new-b-sig-a", "root-new-a-or-cross", "root-new-a-or-cross"}, "cross-root-new-b-sig-a": {"self", "any-root-new", "any-root-new", "any-root-new"}, "cross-root-new-a-sig-b": {"self", "any-root-new", "any-root-new", "any-root-new"}, // Old stuff "root-old-a": {"self", "root-old-a-reissued", "cross-root-old-a-sig-b", "cross-root-old-b-sig-a", "both-root-old-b", "both-root-old-b"}, "root-old-a-reissued": {"self", "root-old-a", "cross-root-old-a-sig-b", "cross-root-old-b-sig-a", "both-root-old-b", "both-root-old-b"}, "root-old-b": {"self", "root-old-b-reissued", "cross-root-old-b-sig-a", "cross-root-old-a-sig-b", "both-root-old-a", "both-root-old-a"}, "root-old-b-reissued": {"self", "root-old-b", "cross-root-old-b-sig-a", "cross-root-old-a-sig-b", "both-root-old-a", "both-root-old-a"}, "cross-root-old-b-sig-a": {"self", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "all-root-old"}, "cross-root-old-a-sig-b": {"self", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "all-root-old"}, }, Aliases: map[string]string{ "root-new-a-or-cross": "root-new-a,cross-root-new-a-sig-b", "root-new-b-or-cross": "root-new-b,cross-root-new-b-sig-a", "both-root-new": "root-new-a,root-new-b", "any-root-new": "root-new-a,cross-root-new-a-sig-b,root-new-b,cross-root-new-b-sig-a", "both-root-old-a": "root-old-a,root-old-a-reissued", "both-root-old-b": "root-old-b,root-old-b-reissued", "all-root-old": "root-old-a,root-old-a-reissued,root-old-b,root-old-b-reissued,cross-root-old-b-sig-a,cross-root-old-a-sig-b", }, }, // Finally, generate an intermediate to link new->old. We // link root-new-a into root-old-a. CBGenerateIntermediate{ Key: "key-root-old-a", Existing: true, Name: "cross-root-old-a-sig-root-new-a", CommonName: "root-old-a", Parent: "root-new-a", }, CBValidateChain{ Chains: map[string][]string{ // New stuff should be unchanged. "root-new-a": {"self", "cross-root-new-a-sig-b", "root-new-b-or-cross", "root-new-b-or-cross"}, "root-new-b": {"self", "cross-root-new-b-sig-a", "root-new-a-or-cross", "root-new-a-or-cross"}, "cross-root-new-b-sig-a": {"self", "any-root-new", "any-root-new", "any-root-new"}, "cross-root-new-a-sig-b": {"self", "any-root-new", "any-root-new", "any-root-new"}, // Old stuff "root-old-a": {"self", "root-old-a-reissued", "cross-root-old-a-sig-b", "cross-root-old-b-sig-a", "both-root-old-b", "both-root-old-b", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, "root-old-a-reissued": {"self", "root-old-a", "cross-root-old-a-sig-b", "cross-root-old-b-sig-a", "both-root-old-b", "both-root-old-b", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, "root-old-b": {"self", "root-old-b-reissued", "cross-root-old-b-sig-a", "cross-root-old-a-sig-b", "both-root-old-a", "both-root-old-a", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, "root-old-b-reissued": {"self", "root-old-b", "cross-root-old-b-sig-a", "cross-root-old-a-sig-b", "both-root-old-a", "both-root-old-a", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, "cross-root-old-b-sig-a": {"self", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, "cross-root-old-a-sig-b": {"self", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "all-root-old", "cross-root-old-a-sig-root-new-a", "any-root-new", "any-root-new", "any-root-new", "any-root-new"}, // Link "cross-root-old-a-sig-root-new-a": {"self", "root-new-a-or-cross", "any-root-new", "any-root-new", "any-root-new"}, }, Aliases: map[string]string{ "root-new-a-or-cross": "root-new-a,cross-root-new-a-sig-b", "root-new-b-or-cross": "root-new-b,cross-root-new-b-sig-a", "both-root-new": "root-new-a,root-new-b", "any-root-new": "root-new-a,cross-root-new-a-sig-b,root-new-b,cross-root-new-b-sig-a", "both-root-old-a": "root-old-a,root-old-a-reissued", "both-root-old-b": "root-old-b,root-old-b-reissued", "all-root-old": "root-old-a,root-old-a-reissued,root-old-b,root-old-b-reissued,cross-root-old-b-sig-a,cross-root-old-a-sig-b", }, }, CBIssueLeaf{Issuer: "root-new-a"}, CBIssueLeaf{Issuer: "root-new-b"}, CBIssueLeaf{Issuer: "cross-root-new-b-sig-a"}, CBIssueLeaf{Issuer: "cross-root-new-a-sig-b"}, CBIssueLeaf{Issuer: "root-old-a"}, CBIssueLeaf{Issuer: "root-old-a-reissued"}, CBIssueLeaf{Issuer: "root-old-b"}, CBIssueLeaf{Issuer: "root-old-b-reissued"}, CBIssueLeaf{Issuer: "cross-root-old-b-sig-a"}, CBIssueLeaf{Issuer: "cross-root-old-a-sig-b"}, CBIssueLeaf{Issuer: "cross-root-old-a-sig-root-new-a"}, }, }, { // Test a dual-root of trust chaining example with different // lengths of chains. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root-new", Name: "root-new", }, CBGenerateIntermediate{ Key: "key-inter-new", Name: "inter-new", Parent: "root-new", }, CBGenerateRoot{ Key: "key-root-old", Name: "root-old", }, CBGenerateIntermediate{ Key: "key-inter-old-a", Name: "inter-old-a", Parent: "root-old", }, CBGenerateIntermediate{ Key: "key-inter-old-b", Name: "inter-old-b", Parent: "inter-old-a", }, // Now generate a cross-signed intermediate to merge these // two chains. CBGenerateIntermediate{ Key: "key-cross-old-new", Name: "cross-old-new-signed-new", CommonName: "cross-old-new", Parent: "inter-new", }, CBGenerateIntermediate{ Key: "key-cross-old-new", Existing: true, Name: "cross-old-new-signed-old", CommonName: "cross-old-new", Parent: "inter-old-b", }, CBGenerateIntermediate{ Key: "key-leaf-inter", Name: "leaf-inter", Parent: "cross-old-new-signed-new", }, CBValidateChain{ Chains: map[string][]string{ "root-new": {"self"}, "inter-new": {"self", "root-new"}, "cross-old-new-signed-new": {"self", "inter-new", "root-new"}, "root-old": {"self"}, "inter-old-a": {"self", "root-old"}, "inter-old-b": {"self", "inter-old-a", "root-old"}, "cross-old-new-signed-old": {"self", "inter-old-b", "inter-old-a", "root-old"}, "leaf-inter": {"self", "either-cross", "one-intermediate", "other-inter-or-root", "everything-else", "everything-else", "everything-else", "everything-else"}, }, Aliases: map[string]string{ "either-cross": "cross-old-new-signed-new,cross-old-new-signed-old", "one-intermediate": "inter-new,inter-old-b", "other-inter-or-root": "root-new,inter-old-a", "everything-else": "cross-old-new-signed-new,cross-old-new-signed-old,inter-new,inter-old-b,root-new,inter-old-a,root-old", }, }, CBIssueLeaf{Issuer: "root-new"}, CBIssueLeaf{Issuer: "inter-new"}, CBIssueLeaf{Issuer: "root-old"}, CBIssueLeaf{Issuer: "inter-old-a"}, CBIssueLeaf{Issuer: "inter-old-b"}, CBIssueLeaf{Issuer: "cross-old-new-signed-new"}, CBIssueLeaf{Issuer: "cross-old-new-signed-old"}, CBIssueLeaf{Issuer: "leaf-inter"}, }, }, { // Test just a single root. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root", Name: "root", }, CBValidateChain{ Chains: map[string][]string{ "root": {"self"}, }, }, CBIssueLeaf{Issuer: "root"}, }, }, { // Test root + intermediate. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root", Name: "root", }, CBGenerateIntermediate{ Key: "key-inter", Name: "inter", Parent: "root", }, CBValidateChain{ Chains: map[string][]string{ "root": {"self"}, "inter": {"self", "root"}, }, }, CBIssueLeaf{Issuer: "root"}, CBIssueLeaf{Issuer: "inter"}, }, }, { // Test root + intermediate, twice (simulating rotation without // chaining). Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root-a", Name: "root-a", }, CBGenerateIntermediate{ Key: "key-inter-a", Name: "inter-a", Parent: "root-a", }, CBGenerateRoot{ Key: "key-root-b", Name: "root-b", }, CBGenerateIntermediate{ Key: "key-inter-b", Name: "inter-b", Parent: "root-b", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "inter-a": {"self", "root-a"}, "root-b": {"self"}, "inter-b": {"self", "root-b"}, }, }, CBIssueLeaf{Issuer: "root-a"}, CBIssueLeaf{Issuer: "inter-a"}, CBIssueLeaf{Issuer: "root-b"}, CBIssueLeaf{Issuer: "inter-b"}, }, }, { // Test root + intermediate, twice, chained a->b. Steps: []CBTestStep{ CBGenerateRoot{ Key: "key-root-a", Name: "root-a", }, CBGenerateIntermediate{ Key: "key-inter-a", Name: "inter-a", Parent: "root-a", }, CBGenerateRoot{ Key: "key-root-b", Name: "root-b", }, CBGenerateIntermediate{ Key: "key-inter-b", Name: "inter-b", Parent: "root-b", }, CBGenerateIntermediate{ Key: "key-root-b", Existing: true, Name: "cross-a-b", CommonName: "root-b", Parent: "root-a", }, CBValidateChain{ Chains: map[string][]string{ "root-a": {"self"}, "inter-a": {"self", "root-a"}, "root-b": {"self", "cross-a-b", "root-a"}, "inter-b": {"self", "root-b", "cross-a-b", "root-a"}, "cross-a-b": {"self", "root-a"}, }, }, CBIssueLeaf{Issuer: "root-a"}, CBIssueLeaf{Issuer: "inter-a"}, CBIssueLeaf{Issuer: "root-b"}, CBIssueLeaf{Issuer: "inter-b"}, CBIssueLeaf{Issuer: "cross-a-b"}, }, }, } func Test_CAChainBuilding(t *testing.T) { t.Parallel() for testIndex, testCase := range chainBuildingTestCases { b, s := createBackendWithStorage(t) knownKeys := make(map[string]string) knownCerts := make(map[string]string) for stepIndex, testStep := range testCase.Steps { t.Logf("Running %v / %v", testIndex, stepIndex) testStep.Run(t, b, s, knownKeys, knownCerts) } t.Logf("Checking stable ordering of chains...") ensureStableOrderingOfChains(t, b, s, knownKeys, knownCerts) } } func BenchmarkChainBuilding(benchies *testing.B) { for testIndex, testCase := range chainBuildingTestCases { name := "test-case-" + strconv.Itoa(testIndex) benchies.Run(name, func(bench *testing.B) { // Stop the timer as we setup the infra and certs. bench.StopTimer() bench.ResetTimer() b, s := createBackendWithStorage(bench) knownKeys := make(map[string]string) knownCerts := make(map[string]string) for _, testStep := range testCase.Steps { testStep.Run(bench, b, s, knownKeys, knownCerts) } // Run the benchmark. ctx := context.Background() sc := b.makeStorageContext(ctx, s) bench.StartTimer() for n := 0; n < bench.N; n++ { sc.rebuildIssuersChains(nil) } }) } }