c25b90831e
* Export CreateBackendWithStorage for pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Move zlint_test.go to pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Fix mount all test to ignore pkiext Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
5978 lines
200 KiB
Go
5978 lines
200 KiB
Go
package pki
|
||
|
||
import (
|
||
"bytes"
|
||
"context"
|
||
"crypto"
|
||
"crypto/ecdsa"
|
||
"crypto/ed25519"
|
||
"crypto/elliptic"
|
||
"crypto/rand"
|
||
"crypto/rsa"
|
||
"crypto/x509"
|
||
"crypto/x509/pkix"
|
||
"encoding/base64"
|
||
"encoding/hex"
|
||
"encoding/json"
|
||
"encoding/pem"
|
||
"fmt"
|
||
"math"
|
||
"math/big"
|
||
mathrand "math/rand"
|
||
"net"
|
||
"net/url"
|
||
"os"
|
||
"reflect"
|
||
"sort"
|
||
"strconv"
|
||
"strings"
|
||
"sync"
|
||
"sync/atomic"
|
||
"testing"
|
||
"time"
|
||
|
||
"github.com/stretchr/testify/require"
|
||
|
||
"github.com/armon/go-metrics"
|
||
"github.com/fatih/structs"
|
||
"github.com/go-test/deep"
|
||
"github.com/hashicorp/go-secure-stdlib/strutil"
|
||
"github.com/hashicorp/vault/api"
|
||
auth "github.com/hashicorp/vault/api/auth/userpass"
|
||
"github.com/hashicorp/vault/builtin/credential/userpass"
|
||
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
|
||
vaulthttp "github.com/hashicorp/vault/http"
|
||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||
"github.com/hashicorp/vault/sdk/logical"
|
||
"github.com/hashicorp/vault/vault"
|
||
"github.com/mitchellh/mapstructure"
|
||
"golang.org/x/net/idna"
|
||
)
|
||
|
||
var stepCount = 0
|
||
|
||
// From builtin/credential/cert/test-fixtures/root/rootcacert.pem
|
||
const (
|
||
rootCACertPEM = `-----BEGIN CERTIFICATE-----
|
||
MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
|
||
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
|
||
MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
|
||
AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
|
||
Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
|
||
z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
|
||
AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
|
||
6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
|
||
SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
|
||
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
|
||
7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
|
||
BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
|
||
wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
|
||
U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
|
||
cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
|
||
ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
|
||
t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
|
||
zehNe5dFTjFpylg1o6b8Ow==
|
||
-----END CERTIFICATE-----`
|
||
rootCAKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
|
||
MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
|
||
t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
|
||
BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
|
||
/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
|
||
0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
|
||
18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
|
||
ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
|
||
8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
|
||
nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
|
||
2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
|
||
grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
|
||
bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
|
||
0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
|
||
ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
|
||
lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
|
||
lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
|
||
AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
|
||
ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
|
||
thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
|
||
4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
|
||
iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
|
||
tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
|
||
LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
|
||
4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
|
||
OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
|
||
-----END RSA PRIVATE KEY-----`
|
||
)
|
||
|
||
func TestPKI_RequireCN(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
// Create a role which does require CN (default)
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"max_ttl": "2h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with common name supplied.
|
||
// It should succeed.
|
||
_, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with out supplying the
|
||
// common name. It should error out.
|
||
_, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err == nil {
|
||
t.Fatalf("expected an error due to missing common_name")
|
||
}
|
||
|
||
// Modify the role to make the common name optional
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"max_ttl": "2h",
|
||
"require_cn": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to false and without supplying the
|
||
// common name. It should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data["certificate"] == "" {
|
||
t.Fatalf("expected a cert to be generated")
|
||
}
|
||
|
||
// Issue a cert with require_cn set to false and with a common name. It
|
||
// should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data["certificate"] == "" {
|
||
t.Fatalf("expected a cert to be generated")
|
||
}
|
||
}
|
||
|
||
func TestPKI_DeviceCert(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
"not_before_duration": "2h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
var certBundle certutil.CertBundle
|
||
err = mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
notAfter := cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatalf("not after from certificate: %v is not matching with input parameter: %v", cert.NotAfter, "9999-12-31T23:59:59Z")
|
||
}
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("root/generate/internal did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
// Create a role which does require CN (default)
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with common name supplied.
|
||
// It should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
err = mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
parsedCertBundle, err = certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
cert = parsedCertBundle.Certificate
|
||
notAfter = cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
|
||
}
|
||
}
|
||
|
||
func TestBackend_InvalidParameter(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
"ttl": "25h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59",
|
||
})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
|
||
func TestBackend_CSRValues(t *testing.T) {
|
||
t.Parallel()
|
||
initTest.Do(setCerts)
|
||
b, _ := CreateBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{},
|
||
}
|
||
|
||
intdata := map[string]interface{}{}
|
||
reqdata := map[string]interface{}{}
|
||
testCase.Steps = append(testCase.Steps, generateCSRSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
|
||
|
||
logicaltest.Test(t, testCase)
|
||
}
|
||
|
||
func TestBackend_URLsCRUD(t *testing.T) {
|
||
t.Parallel()
|
||
initTest.Do(setCerts)
|
||
b, _ := CreateBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{},
|
||
}
|
||
|
||
intdata := map[string]interface{}{}
|
||
reqdata := map[string]interface{}{}
|
||
testCase.Steps = append(testCase.Steps, generateURLSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
|
||
|
||
logicaltest.Test(t, testCase)
|
||
}
|
||
|
||
// Generates and tests steps that walk through the various possibilities
|
||
// of role flags to ensure that they are properly restricted
|
||
func TestBackend_Roles(t *testing.T) {
|
||
t.Parallel()
|
||
cases := []struct {
|
||
name string
|
||
key, cert *string
|
||
useCSR bool
|
||
}{
|
||
{"RSA", &rsaCAKey, &rsaCACert, false},
|
||
{"RSACSR", &rsaCAKey, &rsaCACert, true},
|
||
{"EC", &ecCAKey, &ecCACert, false},
|
||
{"ECCSR", &ecCAKey, &ecCACert, true},
|
||
{"ED", &edCAKey, &edCACert, false},
|
||
{"EDCSR", &edCAKey, &edCACert, true},
|
||
}
|
||
|
||
for _, tc := range cases {
|
||
tc := tc
|
||
|
||
t.Run(tc.name, func(t *testing.T) {
|
||
initTest.Do(setCerts)
|
||
b, _ := CreateBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/ca",
|
||
Data: map[string]interface{}{
|
||
"pem_bundle": *tc.key + "\n" + *tc.cert,
|
||
},
|
||
},
|
||
},
|
||
}
|
||
|
||
testCase.Steps = append(testCase.Steps, generateRoleSteps(t, tc.useCSR)...)
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
for i, v := range testCase.Steps {
|
||
data := map[string]interface{}{}
|
||
var keys []string
|
||
for k := range v.Data {
|
||
keys = append(keys, k)
|
||
}
|
||
sort.Strings(keys)
|
||
for _, k := range keys {
|
||
interf := v.Data[k]
|
||
switch v := interf.(type) {
|
||
case bool:
|
||
if !v {
|
||
continue
|
||
}
|
||
case int:
|
||
if v == 0 {
|
||
continue
|
||
}
|
||
case []string:
|
||
if len(v) == 0 {
|
||
continue
|
||
}
|
||
case string:
|
||
if v == "" {
|
||
continue
|
||
}
|
||
lines := strings.Split(v, "\n")
|
||
if len(lines) > 1 {
|
||
data[k] = lines[0] + " ... (truncated)"
|
||
continue
|
||
}
|
||
}
|
||
data[k] = interf
|
||
|
||
}
|
||
t.Logf("Step %d:\n%s %s err=%v %+v\n\n", i+1, v.Operation, v.Path, v.ErrorOk, data)
|
||
}
|
||
}
|
||
|
||
logicaltest.Test(t, testCase)
|
||
})
|
||
}
|
||
}
|
||
|
||
// Performs some validity checking on the returned bundles
|
||
func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration, certBundle *certutil.CertBundle) (*certutil.ParsedCertBundle, error) {
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
|
||
if key != nil {
|
||
switch keyType {
|
||
case "rsa":
|
||
parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
|
||
case "ec":
|
||
parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes, err = x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing EC key: %s", err)
|
||
}
|
||
case "ed25519":
|
||
parsedCertBundle.PrivateKeyType = certutil.Ed25519PrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey))
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing Ed25519 key: %s", err)
|
||
}
|
||
}
|
||
}
|
||
|
||
switch {
|
||
case parsedCertBundle.Certificate == nil:
|
||
return nil, fmt.Errorf("did not find a certificate in the cert bundle")
|
||
case len(parsedCertBundle.CAChain) == 0 || parsedCertBundle.CAChain[0].Certificate == nil:
|
||
return nil, fmt.Errorf("did not find a CA in the cert bundle")
|
||
case parsedCertBundle.PrivateKey == nil:
|
||
return nil, fmt.Errorf("did not find a private key in the cert bundle")
|
||
case parsedCertBundle.PrivateKeyType == certutil.UnknownPrivateKey:
|
||
return nil, fmt.Errorf("could not figure out type of private key")
|
||
}
|
||
|
||
switch {
|
||
case parsedCertBundle.PrivateKeyType == certutil.Ed25519PrivateKey && keyType != "ed25519":
|
||
fallthrough
|
||
case parsedCertBundle.PrivateKeyType == certutil.RSAPrivateKey && keyType != "rsa":
|
||
fallthrough
|
||
case parsedCertBundle.PrivateKeyType == certutil.ECPrivateKey && keyType != "ec":
|
||
return nil, fmt.Errorf("given key type does not match type found in bundle")
|
||
}
|
||
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
if usage != cert.KeyUsage {
|
||
return nil, fmt.Errorf("expected usage of %#v, got %#v; ext usage is %#v", usage, cert.KeyUsage, cert.ExtKeyUsage)
|
||
}
|
||
|
||
// There should only be one ext usage type, because only one is requested
|
||
// in the tests
|
||
if len(cert.ExtKeyUsage) != 1 {
|
||
return nil, fmt.Errorf("got wrong size key usage in generated cert; expected 1, values are %#v", cert.ExtKeyUsage)
|
||
}
|
||
switch extUsage {
|
||
case x509.ExtKeyUsageEmailProtection:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageEmailProtection {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageServerAuth:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageClientAuth:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageCodeSigning:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageCodeSigning {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
}
|
||
|
||
// TODO: We incremented 20->25 due to CircleCI execution
|
||
// being slow and pausing this test. We might consider recording the
|
||
// actual issuance time of the cert and calculating the expected
|
||
// validity period +/- fuzz, but that'd require recording and passing
|
||
// through more information.
|
||
if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 25 {
|
||
return nil, fmt.Errorf("certificate validity end: %s; expected within 25 seconds of %s", cert.NotAfter.Format(time.RFC3339), time.Now().Add(validity).Format(time.RFC3339))
|
||
}
|
||
|
||
return parsedCertBundle, nil
|
||
}
|
||
|
||
func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
|
||
expected := certutil.URLEntries{
|
||
IssuingCertificates: []string{
|
||
"http://example.com/ca1",
|
||
"http://example.com/ca2",
|
||
},
|
||
CRLDistributionPoints: []string{
|
||
"http://example.com/crl1",
|
||
"http://example.com/crl2",
|
||
},
|
||
OCSPServers: []string{
|
||
"http://example.com/ocsp1",
|
||
"http://example.com/ocsp2",
|
||
},
|
||
}
|
||
csrTemplate := x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "my@example.com",
|
||
},
|
||
}
|
||
|
||
priv1024, _ := rsa.GenerateKey(rand.Reader, 1024)
|
||
csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024)
|
||
csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr1024,
|
||
})))
|
||
|
||
priv2048, _ := rsa.GenerateKey(rand.Reader, 2048)
|
||
csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048)
|
||
csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr2048,
|
||
})))
|
||
|
||
ret := []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("root returned with a lease")
|
||
}
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/urls",
|
||
Data: map[string]interface{}{
|
||
"issuing_certificates": strings.Join(expected.IssuingCertificates, ","),
|
||
"crl_distribution_points": strings.Join(expected.CRLDistributionPoints, ","),
|
||
"ocsp_servers": strings.Join(expected.OCSPServers, ","),
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.ReadOperation,
|
||
Path: "config/urls",
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Data == nil {
|
||
return fmt.Errorf("no data returned")
|
||
}
|
||
var entries certutil.URLEntries
|
||
err := mapstructure.Decode(resp.Data, &entries)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
|
||
if !reflect.DeepEqual(entries, expected) {
|
||
return fmt.Errorf("expected urls\n%#v\ndoes not match provided\n%#v\n", expected, entries)
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem1024,
|
||
"format": "der",
|
||
},
|
||
ErrorOk: true,
|
||
Check: func(resp *logical.Response) error {
|
||
if !resp.IsError() {
|
||
return fmt.Errorf("expected an error response but did not get one")
|
||
}
|
||
if !strings.Contains(resp.Data["error"].(string), "2048") {
|
||
return fmt.Errorf("received an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem2048,
|
||
"signature_bits": 512,
|
||
"format": "der",
|
||
"not_before_duration": "2h",
|
||
// Let's Encrypt -- R3 SKID
|
||
"skid": "14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("signed intermediate returned with a lease")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %w", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
skid, _ := hex.DecodeString("142EB317B75856CBAE500940E61FAF9D8B14C2C6")
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
|
||
return fmt.Errorf("IssuingCertificateURL:\nexpected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
|
||
case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
|
||
return fmt.Errorf("CRLDistributionPoints:\nexpected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
|
||
case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
|
||
return fmt.Errorf("OCSPServer:\nexpected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
|
||
case !reflect.DeepEqual([]string{"intermediate.cert.com"}, cert.DNSNames):
|
||
return fmt.Errorf("DNSNames\nexpected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
|
||
case !reflect.DeepEqual(x509.SHA512WithRSA, cert.SignatureAlgorithm):
|
||
return fmt.Errorf("Signature Algorithm:\nexpected\n%#v\ngot\n%#v\n", x509.SHA512WithRSA, cert.SignatureAlgorithm)
|
||
case !reflect.DeepEqual(skid, cert.SubjectKeyId):
|
||
return fmt.Errorf("SKID:\nexpected\n%#v\ngot\n%#v\n", skid, cert.SubjectKeyId)
|
||
}
|
||
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("root/sign-intermediate did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
// Same as above but exclude adding to sans
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem2048,
|
||
"format": "der",
|
||
"exclude_cn_from_sans": true,
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("signed intermediate returned with a lease")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %w", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
|
||
case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
|
||
case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
|
||
case !reflect.DeepEqual([]string(nil), cert.DNSNames):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string(nil), cert.DNSNames)
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
}
|
||
return ret
|
||
}
|
||
|
||
func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType string, keyBits int) (interface{}, []byte, string) {
|
||
var priv interface{}
|
||
var err error
|
||
switch keyType {
|
||
case "rsa":
|
||
priv, err = rsa.GenerateKey(rand.Reader, keyBits)
|
||
case "ec":
|
||
switch keyBits {
|
||
case 224:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
||
case 256:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||
case 384:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
||
case 521:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
||
default:
|
||
t.Fatalf("Got unknown ec< key bits: %v", keyBits)
|
||
}
|
||
case "ed25519":
|
||
_, priv, err = ed25519.GenerateKey(rand.Reader)
|
||
}
|
||
|
||
if err != nil {
|
||
t.Fatalf("Got error generating private key for CSR: %v", err)
|
||
}
|
||
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, priv)
|
||
if err != nil {
|
||
t.Fatalf("Got error generating CSR: %v", err)
|
||
}
|
||
|
||
csrPem := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
})))
|
||
|
||
return priv, csr, csrPem
|
||
}
|
||
|
||
func generateCSRSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
|
||
csrTemplate, csrPem := generateTestCsr(t, certutil.RSAPrivateKey, 2048)
|
||
|
||
ret := []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
"max_path_length": 0,
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"use_csr_values": true,
|
||
"csr": csrPem,
|
||
"format": "der",
|
||
},
|
||
ErrorOk: true,
|
||
},
|
||
|
||
{
|
||
Operation: logical.DeleteOperation,
|
||
Path: "root",
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
"max_path_length": 1,
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"use_csr_values": true,
|
||
"csr": csrPem,
|
||
"format": "der",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %w", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
if cert.MaxPathLen != 0 {
|
||
return fmt.Errorf("max path length of %d does not match the requested of 3", cert.MaxPathLen)
|
||
}
|
||
if !cert.MaxPathLenZero {
|
||
return fmt.Errorf("max path length zero is not set")
|
||
}
|
||
|
||
// We need to set these as they are filled in with unparsed values in the final cert
|
||
csrTemplate.Subject.Names = cert.Subject.Names
|
||
csrTemplate.Subject.ExtraNames = cert.Subject.ExtraNames
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(cert.Subject, csrTemplate.Subject):
|
||
return fmt.Errorf("cert subject\n%#v\ndoes not match csr subject\n%#v\n", cert.Subject, csrTemplate.Subject)
|
||
case !reflect.DeepEqual(cert.DNSNames, csrTemplate.DNSNames):
|
||
return fmt.Errorf("cert dns names\n%#v\ndoes not match csr dns names\n%#v\n", cert.DNSNames, csrTemplate.DNSNames)
|
||
case !reflect.DeepEqual(cert.EmailAddresses, csrTemplate.EmailAddresses):
|
||
return fmt.Errorf("cert email addresses\n%#v\ndoes not match csr email addresses\n%#v\n", cert.EmailAddresses, csrTemplate.EmailAddresses)
|
||
case !reflect.DeepEqual(cert.IPAddresses, csrTemplate.IPAddresses):
|
||
return fmt.Errorf("cert ip addresses\n%#v\ndoes not match csr ip addresses\n%#v\n", cert.IPAddresses, csrTemplate.IPAddresses)
|
||
}
|
||
return nil
|
||
},
|
||
},
|
||
}
|
||
return ret
|
||
}
|
||
|
||
func generateTestCsr(t *testing.T, keyType certutil.PrivateKeyType, keyBits int) (x509.CertificateRequest, string) {
|
||
csrTemplate := x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
Country: []string{"MyCountry"},
|
||
PostalCode: []string{"MyPostalCode"},
|
||
SerialNumber: "MySerialNumber",
|
||
CommonName: "my@example.com",
|
||
},
|
||
DNSNames: []string{
|
||
"name1.example.com",
|
||
"name2.example.com",
|
||
"name3.example.com",
|
||
},
|
||
EmailAddresses: []string{
|
||
"name1@example.com",
|
||
"name2@example.com",
|
||
"name3@example.com",
|
||
},
|
||
IPAddresses: []net.IP{
|
||
net.ParseIP("::ff:1:2:3:4"),
|
||
net.ParseIP("::ff:5:6:7:8"),
|
||
},
|
||
}
|
||
|
||
_, _, csrPem := generateCSR(t, &csrTemplate, string(keyType), keyBits)
|
||
return csrTemplate, csrPem
|
||
}
|
||
|
||
// Generates steps to test out various role permutations
|
||
func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
|
||
roleVals := roleEntry{
|
||
MaxTTL: 12 * time.Hour,
|
||
KeyType: "rsa",
|
||
KeyBits: 2048,
|
||
RequireCN: true,
|
||
AllowWildcardCertificates: new(bool),
|
||
}
|
||
*roleVals.AllowWildcardCertificates = true
|
||
|
||
issueVals := certutil.IssueData{}
|
||
ret := []logicaltest.TestStep{}
|
||
|
||
roleTestStep := logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
}
|
||
var issueTestStep logicaltest.TestStep
|
||
if useCSRs {
|
||
issueTestStep = logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign/test",
|
||
}
|
||
} else {
|
||
issueTestStep = logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/test",
|
||
}
|
||
}
|
||
|
||
generatedRSAKeys := map[int]crypto.Signer{}
|
||
generatedECKeys := map[int]crypto.Signer{}
|
||
generatedEdKeys := map[int]crypto.Signer{}
|
||
/*
|
||
// For the number of tests being run, a seed of 1 has been tested
|
||
// to hit all of the various values below. However, for normal
|
||
// testing we use a randomized time for maximum fuzziness.
|
||
*/
|
||
var seed int64 = 1
|
||
fixedSeed := os.Getenv("VAULT_PKITESTS_FIXED_SEED")
|
||
if len(fixedSeed) == 0 {
|
||
seed = time.Now().UnixNano()
|
||
} else {
|
||
var err error
|
||
seed, err = strconv.ParseInt(fixedSeed, 10, 64)
|
||
if err != nil {
|
||
t.Fatalf("error parsing fixed seed of %s: %v", fixedSeed, err)
|
||
}
|
||
}
|
||
mathRand := mathrand.New(mathrand.NewSource(seed))
|
||
// t.Logf("seed under test: %v", seed)
|
||
|
||
// Used by tests not toggling common names to turn off the behavior of random key bit fuzziness
|
||
keybitSizeRandOff := false
|
||
|
||
genericErrorOkCheck := func(resp *logical.Response) error {
|
||
if resp.IsError() {
|
||
return nil
|
||
}
|
||
return fmt.Errorf("expected an error, but did not seem to get one")
|
||
}
|
||
|
||
// Adds tests with the currently configured issue/role information
|
||
addTests := func(testCheck logicaltest.TestCheckFunc) {
|
||
stepCount++
|
||
// t.Logf("test step %d\nrole vals: %#v\n", stepCount, roleVals)
|
||
stepCount++
|
||
// t.Logf("test step %d\nissue vals: %#v\n", stepCount, issueTestStep)
|
||
roleTestStep.Data = roleVals.ToResponseData()
|
||
roleTestStep.Data["generate_lease"] = false
|
||
ret = append(ret, roleTestStep)
|
||
issueTestStep.Data = structs.New(issueVals).Map()
|
||
switch {
|
||
case issueTestStep.ErrorOk:
|
||
issueTestStep.Check = genericErrorOkCheck
|
||
case testCheck != nil:
|
||
issueTestStep.Check = testCheck
|
||
default:
|
||
issueTestStep.Check = nil
|
||
}
|
||
ret = append(ret, issueTestStep)
|
||
}
|
||
|
||
getCountryCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Country, true)
|
||
if !reflect.DeepEqual(cert.Subject.Country, expected) {
|
||
return fmt.Errorf("error: returned certificate has Country of %s but %s was specified in the role", cert.Subject.Country, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getOuCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicatesStable(role.OU, true)
|
||
if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, expected) {
|
||
return fmt.Errorf("error: returned certificate has OU of %s but %s was specified in the role", cert.Subject.OrganizationalUnit, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getOrganizationCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Organization, true)
|
||
if !reflect.DeepEqual(cert.Subject.Organization, expected) {
|
||
return fmt.Errorf("error: returned certificate has Organization of %s but %s was specified in the role", cert.Subject.Organization, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getLocalityCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Locality, true)
|
||
if !reflect.DeepEqual(cert.Subject.Locality, expected) {
|
||
return fmt.Errorf("error: returned certificate has Locality of %s but %s was specified in the role", cert.Subject.Locality, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getProvinceCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Province, true)
|
||
if !reflect.DeepEqual(cert.Subject.Province, expected) {
|
||
return fmt.Errorf("error: returned certificate has Province of %s but %s was specified in the role", cert.Subject.Province, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getStreetAddressCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.StreetAddress, true)
|
||
if !reflect.DeepEqual(cert.Subject.StreetAddress, expected) {
|
||
return fmt.Errorf("error: returned certificate has StreetAddress of %s but %s was specified in the role", cert.Subject.StreetAddress, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getPostalCodeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.PostalCode, true)
|
||
if !reflect.DeepEqual(cert.Subject.PostalCode, expected) {
|
||
return fmt.Errorf("error: returned certificate has PostalCode of %s but %s was specified in the role", cert.Subject.PostalCode, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getNotBeforeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
actualDiff := time.Since(cert.NotBefore)
|
||
certRoleDiff := (role.NotBeforeDuration - actualDiff).Truncate(time.Second)
|
||
// These times get truncated, so give a 1 second buffer on each side
|
||
if certRoleDiff >= -1*time.Second && certRoleDiff <= 1*time.Second {
|
||
return nil
|
||
}
|
||
return fmt.Errorf("validity period out of range diff: %v", certRoleDiff)
|
||
}
|
||
}
|
||
|
||
// Returns a TestCheckFunc that performs various validity checks on the
|
||
// returned certificate information, mostly within checkCertsAndPrivateKey
|
||
getCnCheck := func(name string, role roleEntry, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := checkCertsAndPrivateKey(role.KeyType, key, usage, extUsage, validity, &certBundle)
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
if cert.Subject.CommonName != name {
|
||
return fmt.Errorf("error: returned certificate has CN of %s but %s was requested", cert.Subject.CommonName, name)
|
||
}
|
||
if strings.Contains(cert.Subject.CommonName, "@") {
|
||
if len(cert.DNSNames) != 0 || len(cert.EmailAddresses) != 1 {
|
||
return fmt.Errorf("error: found more than one DNS SAN or not one Email SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
|
||
}
|
||
} else {
|
||
if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) != 0 {
|
||
return fmt.Errorf("error: found more than one Email SAN or not one DNS SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
|
||
}
|
||
}
|
||
var retName string
|
||
if len(cert.DNSNames) > 0 {
|
||
retName = cert.DNSNames[0]
|
||
}
|
||
if len(cert.EmailAddresses) > 0 {
|
||
retName = cert.EmailAddresses[0]
|
||
}
|
||
if retName != name {
|
||
// Check IDNA
|
||
p := idna.New(
|
||
idna.StrictDomainName(true),
|
||
idna.VerifyDNSLength(true),
|
||
)
|
||
converted, err := p.ToUnicode(retName)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if converted != name {
|
||
return fmt.Errorf("error: returned certificate has a DNS SAN of %s (from idna: %s) but %s was requested", retName, converted, name)
|
||
}
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
type csrPlan struct {
|
||
errorOk bool
|
||
roleKeyBits int
|
||
cert string
|
||
privKey crypto.Signer
|
||
}
|
||
|
||
getCsr := func(keyType string, keyBits int, csrTemplate *x509.CertificateRequest) (*pem.Block, crypto.Signer) {
|
||
var privKey crypto.Signer
|
||
var ok bool
|
||
switch keyType {
|
||
case "rsa":
|
||
privKey, ok = generatedRSAKeys[keyBits]
|
||
if !ok {
|
||
privKey, _ = rsa.GenerateKey(rand.Reader, keyBits)
|
||
generatedRSAKeys[keyBits] = privKey
|
||
}
|
||
|
||
case "ec":
|
||
var curve elliptic.Curve
|
||
|
||
switch keyBits {
|
||
case 224:
|
||
curve = elliptic.P224()
|
||
case 256:
|
||
curve = elliptic.P256()
|
||
case 384:
|
||
curve = elliptic.P384()
|
||
case 521:
|
||
curve = elliptic.P521()
|
||
}
|
||
|
||
privKey, ok = generatedECKeys[keyBits]
|
||
if !ok {
|
||
privKey, _ = ecdsa.GenerateKey(curve, rand.Reader)
|
||
generatedECKeys[keyBits] = privKey
|
||
}
|
||
|
||
case "ed25519":
|
||
privKey, ok = generatedEdKeys[keyBits]
|
||
if !ok {
|
||
_, privKey, _ = ed25519.GenerateKey(rand.Reader)
|
||
generatedEdKeys[keyBits] = privKey
|
||
}
|
||
|
||
default:
|
||
panic("invalid key type: " + keyType)
|
||
}
|
||
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
|
||
if err != nil {
|
||
t.Fatalf("Error creating certificate request: %s", err)
|
||
}
|
||
block := pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
}
|
||
return &block, privKey
|
||
}
|
||
|
||
getRandCsr := func(keyType string, errorOk bool, csrTemplate *x509.CertificateRequest) csrPlan {
|
||
rsaKeyBits := []int{2048, 3072, 4096}
|
||
ecKeyBits := []int{224, 256, 384, 521}
|
||
plan := csrPlan{errorOk: errorOk}
|
||
|
||
var testBitSize int
|
||
switch keyType {
|
||
case "rsa":
|
||
plan.roleKeyBits = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
|
||
testBitSize = plan.roleKeyBits
|
||
|
||
// If we don't expect an error already, randomly choose a
|
||
// key size and expect an error if it's less than the role
|
||
// setting
|
||
if !keybitSizeRandOff && !errorOk {
|
||
testBitSize = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
|
||
}
|
||
|
||
if testBitSize < plan.roleKeyBits {
|
||
plan.errorOk = true
|
||
}
|
||
|
||
case "ec":
|
||
plan.roleKeyBits = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
|
||
testBitSize = plan.roleKeyBits
|
||
|
||
// If we don't expect an error already, randomly choose a
|
||
// key size and expect an error if it's less than the role
|
||
// setting
|
||
if !keybitSizeRandOff && !errorOk {
|
||
testBitSize = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
|
||
}
|
||
|
||
if testBitSize < plan.roleKeyBits {
|
||
plan.errorOk = true
|
||
}
|
||
|
||
default:
|
||
panic("invalid key type: " + keyType)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("roleKeyBits=%d testBitSize=%d errorOk=%v", plan.roleKeyBits, testBitSize, plan.errorOk)
|
||
}
|
||
|
||
block, privKey := getCsr(keyType, testBitSize, csrTemplate)
|
||
plan.cert = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
plan.privKey = privKey
|
||
return plan
|
||
}
|
||
|
||
// Common names to test with the various role flags toggled
|
||
var commonNames struct {
|
||
Localhost bool `structs:"localhost"`
|
||
BareDomain bool `structs:"example.com"`
|
||
SecondDomain bool `structs:"foobar.com"`
|
||
SubDomain bool `structs:"foo.example.com"`
|
||
Wildcard bool `structs:"*.example.com"`
|
||
SubSubdomain bool `structs:"foo.bar.example.com"`
|
||
SubSubdomainWildcard bool `structs:"*.bar.example.com"`
|
||
GlobDomain bool `structs:"fooexample.com"`
|
||
IDN bool `structs:"daɪˈɛrɨsɨs"`
|
||
AnyHost bool `structs:"porkslap.beer"`
|
||
}
|
||
|
||
// Adds a series of tests based on the current selection of
|
||
// allowed common names; contains some (seeded) randomness
|
||
//
|
||
// This allows for a variety of common names to be tested in various
|
||
// combinations with allowed toggles of the role
|
||
addCnTests := func() {
|
||
cnMap := structs.New(commonNames).Map()
|
||
for name, allowedInt := range cnMap {
|
||
roleVals.KeyType = "rsa"
|
||
roleVals.KeyBits = 2048
|
||
if mathRand.Int()%3 == 1 {
|
||
roleVals.KeyType = "ec"
|
||
roleVals.KeyBits = 224
|
||
}
|
||
|
||
roleVals.ServerFlag = false
|
||
roleVals.ClientFlag = false
|
||
roleVals.CodeSigningFlag = false
|
||
roleVals.EmailProtectionFlag = false
|
||
|
||
var usage []string
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DigitalSignature")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "ContentCoMmitment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "KeyEncipherment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DataEncipherment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "KeyAgreemEnt")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "CertSign")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "CRLSign")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "EncipherOnly")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DecipherOnly")
|
||
}
|
||
|
||
roleVals.KeyUsage = usage
|
||
parsedKeyUsage := parseKeyUsages(roleVals.KeyUsage)
|
||
if parsedKeyUsage == 0 && len(usage) != 0 {
|
||
panic("parsed key usages was zero")
|
||
}
|
||
|
||
var extUsage x509.ExtKeyUsage
|
||
i := mathRand.Int() % 4
|
||
switch {
|
||
case i == 0:
|
||
// Punt on this for now since I'm not clear the actual proper
|
||
// way to format these
|
||
if name != "daɪˈɛrɨsɨs" {
|
||
extUsage = x509.ExtKeyUsageEmailProtection
|
||
roleVals.EmailProtectionFlag = true
|
||
break
|
||
}
|
||
fallthrough
|
||
case i == 1:
|
||
extUsage = x509.ExtKeyUsageServerAuth
|
||
roleVals.ServerFlag = true
|
||
case i == 2:
|
||
extUsage = x509.ExtKeyUsageClientAuth
|
||
roleVals.ClientFlag = true
|
||
default:
|
||
extUsage = x509.ExtKeyUsageCodeSigning
|
||
roleVals.CodeSigningFlag = true
|
||
}
|
||
|
||
allowed := allowedInt.(bool)
|
||
issueVals.CommonName = name
|
||
if roleVals.EmailProtectionFlag {
|
||
if !strings.HasPrefix(name, "*") {
|
||
issueVals.CommonName = "user@" + issueVals.CommonName
|
||
}
|
||
}
|
||
|
||
issueTestStep.ErrorOk = !allowed
|
||
|
||
validity := roleVals.MaxTTL
|
||
|
||
if useCSRs {
|
||
templ := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
}
|
||
plan := getRandCsr(roleVals.KeyType, issueTestStep.ErrorOk, templ)
|
||
issueVals.CSR = plan.cert
|
||
roleVals.KeyBits = plan.roleKeyBits
|
||
issueTestStep.ErrorOk = plan.errorOk
|
||
|
||
addTests(getCnCheck(issueVals.CommonName, roleVals, plan.privKey, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
|
||
} else {
|
||
addTests(getCnCheck(issueVals.CommonName, roleVals, nil, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
|
||
}
|
||
}
|
||
}
|
||
|
||
funcs := []interface{}{
|
||
addCnTests, getCnCheck, getCountryCheck, getLocalityCheck, getNotBeforeCheck,
|
||
getOrganizationCheck, getOuCheck, getPostalCodeCheck, getRandCsr, getStreetAddressCheck,
|
||
getProvinceCheck,
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("funcs=%d", len(funcs))
|
||
}
|
||
|
||
// Common Name tests
|
||
{
|
||
// common_name not provided
|
||
issueVals.CommonName = ""
|
||
issueTestStep.ErrorOk = true
|
||
addTests(nil)
|
||
|
||
// Nothing is allowed
|
||
addCnTests()
|
||
|
||
roleVals.AllowLocalhost = true
|
||
commonNames.Localhost = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com"}
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"example.com"}
|
||
roleVals.AllowSubdomains = true
|
||
commonNames.SubDomain = true
|
||
commonNames.Wildcard = true
|
||
commonNames.SubSubdomain = true
|
||
commonNames.SubSubdomainWildcard = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com", "example.com"}
|
||
commonNames.SecondDomain = true
|
||
roleVals.AllowBareDomains = true
|
||
commonNames.BareDomain = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com", "*example.com"}
|
||
roleVals.AllowGlobDomains = true
|
||
commonNames.GlobDomain = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
commonNames.AnyHost = true
|
||
commonNames.IDN = true
|
||
addCnTests()
|
||
|
||
roleVals.EnforceHostnames = false
|
||
addCnTests()
|
||
|
||
// Ensure that we end up with acceptable key sizes since they won't be
|
||
// toggled any longer
|
||
keybitSizeRandOff = true
|
||
addCnTests()
|
||
}
|
||
// Country tests
|
||
{
|
||
roleVals.Country = []string{"foo"}
|
||
addTests(getCountryCheck(roleVals))
|
||
|
||
roleVals.Country = []string{"foo", "bar"}
|
||
addTests(getCountryCheck(roleVals))
|
||
}
|
||
// OU tests
|
||
{
|
||
roleVals.OU = []string{"foo"}
|
||
addTests(getOuCheck(roleVals))
|
||
|
||
roleVals.OU = []string{"bar", "foo"}
|
||
addTests(getOuCheck(roleVals))
|
||
}
|
||
// Organization tests
|
||
{
|
||
roleVals.Organization = []string{"system:masters"}
|
||
addTests(getOrganizationCheck(roleVals))
|
||
|
||
roleVals.Organization = []string{"foo", "bar"}
|
||
addTests(getOrganizationCheck(roleVals))
|
||
}
|
||
// Locality tests
|
||
{
|
||
roleVals.Locality = []string{"foo"}
|
||
addTests(getLocalityCheck(roleVals))
|
||
|
||
roleVals.Locality = []string{"foo", "bar"}
|
||
addTests(getLocalityCheck(roleVals))
|
||
}
|
||
// Province tests
|
||
{
|
||
roleVals.Province = []string{"foo"}
|
||
addTests(getProvinceCheck(roleVals))
|
||
|
||
roleVals.Province = []string{"foo", "bar"}
|
||
addTests(getProvinceCheck(roleVals))
|
||
}
|
||
// StreetAddress tests
|
||
{
|
||
roleVals.StreetAddress = []string{"123 foo street"}
|
||
addTests(getStreetAddressCheck(roleVals))
|
||
|
||
roleVals.StreetAddress = []string{"123 foo street", "456 bar avenue"}
|
||
addTests(getStreetAddressCheck(roleVals))
|
||
}
|
||
// PostalCode tests
|
||
{
|
||
roleVals.PostalCode = []string{"f00"}
|
||
addTests(getPostalCodeCheck(roleVals))
|
||
|
||
roleVals.PostalCode = []string{"f00", "b4r"}
|
||
addTests(getPostalCodeCheck(roleVals))
|
||
}
|
||
// NotBefore tests
|
||
{
|
||
roleVals.NotBeforeDuration = 10 * time.Second
|
||
addTests(getNotBeforeCheck(roleVals))
|
||
|
||
roleVals.NotBeforeDuration = 30 * time.Second
|
||
addTests(getNotBeforeCheck(roleVals))
|
||
|
||
roleVals.NotBeforeDuration = 0
|
||
}
|
||
|
||
// IP SAN tests
|
||
{
|
||
getIpCheck := func(expectedIp ...net.IP) logicaltest.TestCheckFunc {
|
||
return func(resp *logical.Response) error {
|
||
var certBundle certutil.CertBundle
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
var expected []net.IP
|
||
expected = append(expected, expectedIp...)
|
||
if diff := deep.Equal(cert.IPAddresses, expected); len(diff) > 0 {
|
||
return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
addIPSANTests := func(useCSRs, useCSRSANs, allowIPSANs, errorOk bool, ipSANs string, csrIPSANs []net.IP, check logicaltest.TestCheckFunc) {
|
||
if useCSRs {
|
||
csrTemplate := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
IPAddresses: csrIPSANs,
|
||
}
|
||
block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
|
||
issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
}
|
||
oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
|
||
roleVals.UseCSRSANs = useCSRSANs
|
||
roleVals.AllowIPSANs = allowIPSANs
|
||
issueVals.CommonName = "someone@example.com"
|
||
issueVals.IPSANs = ipSANs
|
||
issueTestStep.ErrorOk = errorOk
|
||
addTests(check)
|
||
roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
|
||
}
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
roleVals.AllowLocalhost = true
|
||
roleVals.UseCSRCommonName = true
|
||
commonNames.Localhost = true
|
||
|
||
netip1, netip2 := net.IP{127, 0, 0, 1}, net.IP{170, 171, 172, 173}
|
||
textip1, textip3 := "127.0.0.1", "::1"
|
||
|
||
// IPSANs not allowed and not provided, should not be an error.
|
||
addIPSANTests(useCSRs, false, false, false, "", nil, getIpCheck())
|
||
|
||
// IPSANs not allowed, valid IPSANs provided, should be an error.
|
||
addIPSANTests(useCSRs, false, false, true, textip1+","+textip3, nil, nil)
|
||
|
||
// IPSANs allowed, bogus IPSANs provided, should be an error.
|
||
addIPSANTests(useCSRs, false, true, true, "foobar", nil, nil)
|
||
|
||
// Given IPSANs as API argument and useCSRSANs false, CSR arg ignored.
|
||
addIPSANTests(useCSRs, false, true, false, textip1,
|
||
[]net.IP{netip2}, getIpCheck(netip1))
|
||
|
||
if useCSRs {
|
||
// IPSANs not allowed, valid IPSANs provided via CSR, should be an error.
|
||
addIPSANTests(useCSRs, true, false, true, "", []net.IP{netip1}, nil)
|
||
|
||
// Given IPSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
|
||
addIPSANTests(useCSRs, true, true, false, textip3,
|
||
[]net.IP{netip1, netip2}, getIpCheck(netip1, netip2))
|
||
}
|
||
}
|
||
|
||
{
|
||
getOtherCheck := func(expectedOthers ...otherNameUtf8) logicaltest.TestCheckFunc {
|
||
return func(resp *logical.Response) error {
|
||
var certBundle certutil.CertBundle
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
foundOthers, err := getOtherSANsFromX509Extensions(cert.Extensions)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
var expected []otherNameUtf8
|
||
expected = append(expected, expectedOthers...)
|
||
if diff := deep.Equal(foundOthers, expected); len(diff) > 0 {
|
||
return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
addOtherSANTests := func(useCSRs, useCSRSANs bool, allowedOtherSANs []string, errorOk bool, otherSANs []string, csrOtherSANs []otherNameUtf8, check logicaltest.TestCheckFunc) {
|
||
otherSansMap := func(os []otherNameUtf8) map[string][]string {
|
||
ret := make(map[string][]string)
|
||
for _, o := range os {
|
||
ret[o.oid] = append(ret[o.oid], o.value)
|
||
}
|
||
return ret
|
||
}
|
||
if useCSRs {
|
||
csrTemplate := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
}
|
||
if err := handleOtherCSRSANs(csrTemplate, otherSansMap(csrOtherSANs)); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
|
||
issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
}
|
||
oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
|
||
roleVals.UseCSRSANs = useCSRSANs
|
||
roleVals.AllowedOtherSANs = allowedOtherSANs
|
||
issueVals.CommonName = "someone@example.com"
|
||
issueVals.OtherSANs = strings.Join(otherSANs, ",")
|
||
issueTestStep.ErrorOk = errorOk
|
||
addTests(check)
|
||
roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
|
||
}
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
roleVals.AllowLocalhost = true
|
||
roleVals.UseCSRCommonName = true
|
||
commonNames.Localhost = true
|
||
|
||
newOtherNameUtf8 := func(s string) (ret otherNameUtf8) {
|
||
pieces := strings.Split(s, ";")
|
||
if len(pieces) == 2 {
|
||
piecesRest := strings.Split(pieces[1], ":")
|
||
if len(piecesRest) == 2 {
|
||
switch strings.ToUpper(piecesRest[0]) {
|
||
case "UTF-8", "UTF8":
|
||
return otherNameUtf8{oid: pieces[0], value: piecesRest[1]}
|
||
}
|
||
}
|
||
}
|
||
t.Fatalf("error parsing otherName: %q", s)
|
||
return
|
||
}
|
||
oid1 := "1.3.6.1.4.1.311.20.2.3"
|
||
oth1str := oid1 + ";utf8:devops@nope.com"
|
||
oth1 := newOtherNameUtf8(oth1str)
|
||
oth2 := otherNameUtf8{oid1, "me@example.com"}
|
||
// allowNone, allowAll := []string{}, []string{oid1 + ";UTF-8:*"}
|
||
allowNone, allowAll := []string{}, []string{"*"}
|
||
|
||
// OtherSANs not allowed and not provided, should not be an error.
|
||
addOtherSANTests(useCSRs, false, allowNone, false, nil, nil, getOtherCheck())
|
||
|
||
// OtherSANs not allowed, valid OtherSANs provided, should be an error.
|
||
addOtherSANTests(useCSRs, false, allowNone, true, []string{oth1str}, nil, nil)
|
||
|
||
// OtherSANs allowed, bogus OtherSANs provided, should be an error.
|
||
addOtherSANTests(useCSRs, false, allowAll, true, []string{"foobar"}, nil, nil)
|
||
|
||
// Given OtherSANs as API argument and useCSRSANs false, CSR arg ignored.
|
||
addOtherSANTests(useCSRs, false, allowAll, false, []string{oth1str},
|
||
[]otherNameUtf8{oth2}, getOtherCheck(oth1))
|
||
|
||
if useCSRs {
|
||
// OtherSANs not allowed, valid OtherSANs provided via CSR, should be an error.
|
||
addOtherSANTests(useCSRs, true, allowNone, true, nil, []otherNameUtf8{oth1}, nil)
|
||
|
||
// Given OtherSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
|
||
addOtherSANTests(useCSRs, false, allowAll, false, []string{oth2.String()},
|
||
[]otherNameUtf8{oth1}, getOtherCheck(oth2))
|
||
}
|
||
}
|
||
|
||
// Lease tests
|
||
{
|
||
roleTestStep.ErrorOk = true
|
||
roleVals.Lease = ""
|
||
roleVals.MaxTTL = 0
|
||
addTests(nil)
|
||
|
||
roleVals.Lease = "12h"
|
||
roleVals.MaxTTL = 6 * time.Hour
|
||
addTests(nil)
|
||
|
||
roleTestStep.ErrorOk = false
|
||
roleVals.TTL = 0
|
||
roleVals.MaxTTL = 12 * time.Hour
|
||
}
|
||
|
||
// Listing test
|
||
ret = append(ret, logicaltest.TestStep{
|
||
Operation: logical.ListOperation,
|
||
Path: "roles/",
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Data == nil {
|
||
return fmt.Errorf("nil data")
|
||
}
|
||
|
||
keysRaw, ok := resp.Data["keys"]
|
||
if !ok {
|
||
return fmt.Errorf("no keys found")
|
||
}
|
||
|
||
keys, ok := keysRaw.([]string)
|
||
if !ok {
|
||
return fmt.Errorf("could not convert keys to a string list")
|
||
}
|
||
|
||
if len(keys) != 1 {
|
||
return fmt.Errorf("unexpected keys length of %d", len(keys))
|
||
}
|
||
|
||
if keys[0] != "test" {
|
||
return fmt.Errorf("unexpected key value of %s", keys[0])
|
||
}
|
||
|
||
return nil
|
||
},
|
||
})
|
||
|
||
return ret
|
||
}
|
||
|
||
func TestRolesAltIssuer(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Create two issuers.
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root a - example.com",
|
||
"issuer_name": "root-a",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootAPem := resp.Data["certificate"].(string)
|
||
rootACert := parseCert(t, rootAPem)
|
||
|
||
resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root b - example.com",
|
||
"issuer_name": "root-b",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootBPem := resp.Data["certificate"].(string)
|
||
rootBCert := parseCert(t, rootBPem)
|
||
|
||
// Create three roles: one with no assignment, one with explicit root-a,
|
||
// one with explicit root-b.
|
||
_, err = CBWrite(b, s, "roles/use-default", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "roles/use-root-a", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
"issuer_ref": "root-a",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "roles/use-root-b", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"issuer_ref": "root-b",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Now issue certs against these roles.
|
||
resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem := resp.Data["certificate"].(string)
|
||
leafCert := parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootACert)
|
||
require.NoError(t, err, "should be signed by root-a but wasn't")
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-root-a", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootACert)
|
||
require.NoError(t, err, "should be signed by root-a but wasn't")
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-root-b", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootBCert)
|
||
require.NoError(t, err, "should be signed by root-b but wasn't")
|
||
|
||
// Update the default issuer to be root B and make sure that the
|
||
// use-default role updates.
|
||
_, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
|
||
"default": "root-b",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootBCert)
|
||
require.NoError(t, err, "should be signed by root-b but wasn't")
|
||
}
|
||
|
||
func TestBackend_PathFetchValidRaw(t *testing.T) {
|
||
t.Parallel()
|
||
b, storage := CreateBackendWithStorage(t)
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "6h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", resp)
|
||
}
|
||
rootCaAsPem := resp.Data["certificate"].(string)
|
||
|
||
// Chain should contain the root.
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: "ca_chain",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed read ca_chain, %#v", resp)
|
||
}
|
||
if strings.Count(string(resp.Data[logical.HTTPRawBody].([]byte)), rootCaAsPem) != 1 {
|
||
t.Fatalf("expected raw chain to contain the root cert")
|
||
}
|
||
|
||
// The ca/pem should return us the actual CA...
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: "ca/pem",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed read ca/pem, %#v", resp)
|
||
}
|
||
// check the raw cert matches the response body
|
||
if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), []byte(rootCaAsPem)) {
|
||
t.Fatalf("failed to get raw cert")
|
||
}
|
||
|
||
_, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/example",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
"no_store": "false",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err, "error setting up pki role: %v", err)
|
||
|
||
// Now issue a short-lived certificate from our pki-external.
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/example",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate: %v", err)
|
||
require.NotNil(t, resp, "got nil response from issuing request")
|
||
|
||
issueCrtAsPem := resp.Data["certificate"].(string)
|
||
issuedCrt := parseCert(t, issueCrtAsPem)
|
||
expectedSerial := serialFromCert(issuedCrt)
|
||
expectedCert := []byte(issueCrtAsPem)
|
||
|
||
// get der cert
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: fmt.Sprintf("cert/%s/raw", expectedSerial),
|
||
Storage: storage,
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to get raw cert, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// check the raw cert matches the response body
|
||
rawBody := resp.Data[logical.HTTPRawBody].([]byte)
|
||
bodyAsPem := []byte(strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rawBody}))))
|
||
if !bytes.Equal(bodyAsPem, expectedCert) {
|
||
t.Fatalf("failed to get raw cert for serial number: %s", expectedSerial)
|
||
}
|
||
if resp.Data[logical.HTTPContentType] != "application/pkix-cert" {
|
||
t.Fatalf("failed to get raw cert content-type")
|
||
}
|
||
|
||
// get pem
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: fmt.Sprintf("cert/%s/raw/pem", expectedSerial),
|
||
Storage: storage,
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to get raw, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// check the pem cert matches the response body
|
||
if !bytes.Equal(resp.Data[logical.HTTPRawBody].([]byte), expectedCert) {
|
||
t.Fatalf("failed to get pem cert")
|
||
}
|
||
if resp.Data[logical.HTTPContentType] != "application/pem-certificate-chain" {
|
||
t.Fatalf("failed to get raw cert content-type")
|
||
}
|
||
}
|
||
|
||
func TestBackend_PathFetchCertList(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := CreateBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "6h",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// config urls
|
||
urlsData := map[string]interface{}{
|
||
"issuing_certificates": "http://127.0.0.1:8200/v1/pki/ca",
|
||
"crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl",
|
||
}
|
||
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/urls",
|
||
Storage: storage,
|
||
Data: urlsData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to config urls, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// create a role entry
|
||
roleData := map[string]interface{}{
|
||
"allowed_domains": "test.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "4h",
|
||
}
|
||
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test-example",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// issue some certs
|
||
i := 1
|
||
for i < 10 {
|
||
certData := map[string]interface{}{
|
||
"common_name": "example.test.com",
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/test-example",
|
||
Storage: storage,
|
||
Data: certData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to issue a cert, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
i = i + 1
|
||
}
|
||
|
||
// list certs
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ListOperation,
|
||
Path: "certs",
|
||
Storage: storage,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to list certs, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
// check that the root and 9 additional certs are all listed
|
||
if len(resp.Data["keys"].([]string)) != 10 {
|
||
t.Fatalf("failed to list all 10 certs")
|
||
}
|
||
|
||
// list certs/
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ListOperation,
|
||
Path: "certs/",
|
||
Storage: storage,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to list certs, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
// check that the root and 9 additional certs are all listed
|
||
if len(resp.Data["keys"].([]string)) != 10 {
|
||
t.Fatalf("failed to list all 10 certs")
|
||
}
|
||
}
|
||
|
||
func TestBackend_SignVerbatim(t *testing.T) {
|
||
t.Parallel()
|
||
testCases := []struct {
|
||
testName string
|
||
keyType string
|
||
}{
|
||
{testName: "RSA", keyType: "rsa"},
|
||
{testName: "ED25519", keyType: "ed25519"},
|
||
{testName: "EC", keyType: "ec"},
|
||
{testName: "Any", keyType: "any"},
|
||
}
|
||
for _, tc := range testCases {
|
||
tc := tc
|
||
t.Run(tc.testName, func(t *testing.T) {
|
||
runTestSignVerbatim(t, tc.keyType)
|
||
})
|
||
}
|
||
}
|
||
|
||
func runTestSignVerbatim(t *testing.T, keyType string) {
|
||
// create the backend
|
||
b, storage := CreateBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// create a CSR and key
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
oidExtensionSubjectAltName = []int{2, 5, 29, 17}
|
||
csrReq := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
// Check that otherName extensions are not duplicated (see hashicorp/vault#16700).
|
||
// If these extensions are duplicated, sign-verbatim will fail when parsing the signed certificate on Go 1.19+ (see golang/go#50988).
|
||
// On older versions of Go this test will fail due to an explicit check for duplicate otherNames later in this test.
|
||
ExtraExtensions: []pkix.Extension{
|
||
{
|
||
Id: oidExtensionSubjectAltName,
|
||
Critical: false,
|
||
Value: []byte{0x30, 0x26, 0xA0, 0x24, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03, 0xA0, 0x16, 0x0C, 0x14, 0x75, 0x73, 0x65, 0x72, 0x6E, 0x61, 0x6D, 0x65, 0x40, 0x65, 0x78, 0x61, 0x6D, 0x70, 0x6C, 0x65, 0x2E, 0x63, 0x6F, 0x6D},
|
||
},
|
||
},
|
||
}
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrReq, key)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(csr) == 0 {
|
||
t.Fatal("generated csr is empty")
|
||
}
|
||
pemCSR := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
})))
|
||
if len(pemCSR) == 0 {
|
||
t.Fatal("pem csr is empty")
|
||
}
|
||
|
||
signVerbatimData := map[string]interface{}{
|
||
"csr": pemCSR,
|
||
}
|
||
if keyType == "rsa" {
|
||
signVerbatimData["signature_bits"] = 512
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim",
|
||
Storage: storage,
|
||
Data: signVerbatimData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim basic CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret != nil {
|
||
t.Fatal("secret is not nil")
|
||
}
|
||
|
||
// create a role entry; we use this to check that sign-verbatim when used with a role is still honoring TTLs
|
||
roleData := map[string]interface{}{
|
||
"ttl": "4h",
|
||
"max_ttl": "8h",
|
||
"key_type": keyType,
|
||
"not_before_duration": "2h",
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "5h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim ttl'd CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret != nil {
|
||
t.Fatal("got a lease when we should not have")
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "12h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf(resp.Error().Error())
|
||
}
|
||
if resp.Data == nil || resp.Data["certificate"] == nil {
|
||
t.Fatal("did not get expected data")
|
||
}
|
||
certString := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(certString))
|
||
if block == nil {
|
||
t.Fatal("nil pem block")
|
||
}
|
||
certs, err := x509.ParseCertificates(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(certs) != 1 {
|
||
t.Fatalf("expected a single cert, got %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
|
||
t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
|
||
}
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
// Now check signing a certificate using the not_after input using the Y10K value
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf(resp.Error().Error())
|
||
}
|
||
if resp.Data == nil || resp.Data["certificate"] == nil {
|
||
t.Fatal("did not get expected data")
|
||
}
|
||
certString = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certString))
|
||
if block == nil {
|
||
t.Fatal("nil pem block")
|
||
}
|
||
certs, err = x509.ParseCertificates(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(certs) != 1 {
|
||
t.Fatalf("expected a single cert, got %d", len(certs))
|
||
}
|
||
cert = certs[0]
|
||
|
||
// Fallback check for duplicate otherName, necessary on Go versions before 1.19.
|
||
// We assume that there is only one SAN in the original CSR and that it is an otherName.
|
||
san_count := 0
|
||
for _, ext := range cert.Extensions {
|
||
if ext.Id.Equal(oidExtensionSubjectAltName) {
|
||
san_count += 1
|
||
}
|
||
}
|
||
if san_count != 1 {
|
||
t.Fatalf("expected one SAN extension, got %d", san_count)
|
||
}
|
||
|
||
notAfter := cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
|
||
}
|
||
|
||
// now check that if we set generate-lease it takes it from the role and the TTLs match
|
||
roleData = map[string]interface{}{
|
||
"ttl": "4h",
|
||
"max_ttl": "8h",
|
||
"generate_lease": true,
|
||
"key_type": keyType,
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "5h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim role-leased CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret == nil {
|
||
t.Fatalf("secret is nil, response is %#v", *resp)
|
||
}
|
||
if math.Abs(float64(resp.Secret.TTL-(5*time.Hour))) > float64(5*time.Hour) {
|
||
t.Fatalf("ttl not default; wanted %v, got %v", b.System().DefaultLeaseTTL(), resp.Secret.TTL)
|
||
}
|
||
}
|
||
|
||
func TestBackend_Root_Idempotency(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// This is a change within 1.11, we are no longer idempotent across generate/internal calls.
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
keyId1 := resp.Data["key_id"]
|
||
issuerId1 := resp.Data["issuer_id"]
|
||
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err, "error reading ca_chain: %v", err)
|
||
|
||
r1Data := resp.Data
|
||
|
||
// Calling generate/internal should generate a new CA as well.
|
||
resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
keyId2 := resp.Data["key_id"]
|
||
issuerId2 := resp.Data["issuer_id"]
|
||
|
||
// Make sure that we actually generated different issuer and key values
|
||
require.NotEqual(t, keyId1, keyId2)
|
||
require.NotEqual(t, issuerId1, issuerId2)
|
||
|
||
// Now because the issued CA's have no links, the call to ca_chain should return the same data (ca chain from default)
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err, "error reading ca_chain: %v", err)
|
||
|
||
r2Data := resp.Data
|
||
if !reflect.DeepEqual(r1Data, r2Data) {
|
||
t.Fatal("got different ca certs")
|
||
}
|
||
|
||
// Now let's validate that the import bundle is idempotent.
|
||
pemBundleRootCA := rootCACertPEM + "\n" + rootCAKeyPEM
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
firstImportedKeys := resp.Data["imported_keys"].([]string)
|
||
firstImportedIssuers := resp.Data["imported_issuers"].([]string)
|
||
|
||
require.NotContains(t, firstImportedKeys, keyId1)
|
||
require.NotContains(t, firstImportedKeys, keyId2)
|
||
require.NotContains(t, firstImportedIssuers, issuerId1)
|
||
require.NotContains(t, firstImportedIssuers, issuerId2)
|
||
|
||
// Performing this again should result in no key/issuer ids being imported/generated.
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
secondImportedKeys := resp.Data["imported_keys"]
|
||
secondImportedIssuers := resp.Data["imported_issuers"]
|
||
|
||
require.Nil(t, secondImportedKeys)
|
||
require.Nil(t, secondImportedIssuers)
|
||
|
||
resp, err = CBDelete(b, s, "root")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.Equal(t, 1, len(resp.Warnings))
|
||
|
||
// Make sure we can delete twice...
|
||
resp, err = CBDelete(b, s, "root")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.Equal(t, 1, len(resp.Warnings))
|
||
|
||
_, err = CBRead(b, s, "cert/ca_chain")
|
||
require.Error(t, err, "expected an error fetching deleted ca_chain")
|
||
|
||
// We should be able to import the same ca bundle as before and get a different key/issuer ids
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
postDeleteImportedKeys := resp.Data["imported_keys"]
|
||
postDeleteImportedIssuers := resp.Data["imported_issuers"]
|
||
|
||
// Make sure that we actually generated different issuer and key values, then the previous import
|
||
require.NotNil(t, postDeleteImportedKeys)
|
||
require.NotNil(t, postDeleteImportedIssuers)
|
||
require.NotEqual(t, postDeleteImportedKeys, firstImportedKeys)
|
||
require.NotEqual(t, postDeleteImportedIssuers, firstImportedIssuers)
|
||
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err)
|
||
|
||
caChainPostDelete := resp.Data
|
||
if reflect.DeepEqual(r1Data, caChainPostDelete) {
|
||
t.Fatal("ca certs from ca_chain were the same post delete, should have changed.")
|
||
}
|
||
}
|
||
|
||
func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
||
t.Parallel()
|
||
b_root, s_root := CreateBackendWithStorage(t)
|
||
b_int, s_int := CreateBackendWithStorage(t)
|
||
var err error
|
||
|
||
// Direct issuing from root
|
||
_, err = CBWrite(b_root, s_root, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err := CBWrite(b_int, s_int, "intermediate/generate/internal", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
csr := resp.Data["csr"]
|
||
|
||
_, err = CBWrite(b_root, s_root, "sign/test", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err != nil {
|
||
t.Fatalf("got error: %v", err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if len(resp.Warnings) == 0 {
|
||
t.Fatalf("expected warnings, got %#v", *resp)
|
||
}
|
||
}
|
||
|
||
func TestBackend_ConsulSignLeafWithLegacyRole(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// generate root
|
||
data, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err, "failed generating internal root cert")
|
||
rootCaPem := data.Data["certificate"].(string)
|
||
|
||
// Create a signing role like Consul did with the default args prior to Vault 1.10
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"allowed_serial_numbers": []string{"MySerialNumber"},
|
||
"key_type": "any",
|
||
"key_bits": "2048",
|
||
"signature_bits": "256",
|
||
})
|
||
require.NoError(t, err, "failed creating legacy role")
|
||
|
||
_, csrPem := generateTestCsr(t, certutil.ECPrivateKey, 256)
|
||
data, err = CBWrite(b, s, "sign/test", map[string]interface{}{
|
||
"csr": csrPem,
|
||
})
|
||
require.NoError(t, err, "failed signing csr")
|
||
certAsPem := data.Data["certificate"].(string)
|
||
|
||
signedCert := parseCert(t, certAsPem)
|
||
rootCert := parseCert(t, rootCaPem)
|
||
requireSignedBy(t, signedCert, rootCert)
|
||
}
|
||
|
||
func TestBackend_SignSelfIssued(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := CreateBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "172800",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
template := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
SerialNumber: big.NewInt(1234),
|
||
IsCA: false,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
|
||
ss, _ := getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if !resp.IsError() {
|
||
t.Fatalf("expected error due to non-CA; got: %#v", *resp)
|
||
}
|
||
|
||
// Set CA to true, but leave issuer alone
|
||
template.IsCA = true
|
||
|
||
issuer := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "bar.foo.com",
|
||
},
|
||
SerialNumber: big.NewInt(2345),
|
||
IsCA: true,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
ss, ssCert := getSelfSigned(t, template, issuer, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if !resp.IsError() {
|
||
t.Fatalf("expected error due to different issuer; cert info is\nIssuer\n%#v\nSubject\n%#v\n", ssCert.Issuer, ssCert.Subject)
|
||
}
|
||
|
||
ss, _ = getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if resp.IsError() {
|
||
t.Fatalf("error in response: %s", resp.Error().Error())
|
||
}
|
||
|
||
newCertString := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(newCertString))
|
||
newCert, err := x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
sc := b.makeStorageContext(context.Background(), storage)
|
||
signingBundle, err := sc.fetchCAInfo(defaultRef, ReadOnlyUsage)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if reflect.DeepEqual(newCert.Subject, newCert.Issuer) {
|
||
t.Fatal("expected different subject/issuer")
|
||
}
|
||
if !reflect.DeepEqual(newCert.Issuer, signingBundle.Certificate.Subject) {
|
||
t.Fatalf("expected matching issuer/CA subject\n\nIssuer:\n%#v\nSubject:\n%#v\n", newCert.Issuer, signingBundle.Certificate.Subject)
|
||
}
|
||
if bytes.Equal(newCert.AuthorityKeyId, newCert.SubjectKeyId) {
|
||
t.Fatal("expected different authority/subject")
|
||
}
|
||
if !bytes.Equal(newCert.AuthorityKeyId, signingBundle.Certificate.SubjectKeyId) {
|
||
t.Fatal("expected authority on new cert to be same as signing subject")
|
||
}
|
||
if newCert.Subject.CommonName != "foo.bar.com" {
|
||
t.Fatalf("unexpected common name on new cert: %s", newCert.Subject.CommonName)
|
||
}
|
||
}
|
||
|
||
// TestBackend_SignSelfIssued_DifferentTypes tests the functionality of the
|
||
// require_matching_certificate_algorithms flag.
|
||
func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := CreateBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "172800",
|
||
"key_type": "ec",
|
||
"key_bits": "521",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
template := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
SerialNumber: big.NewInt(1234),
|
||
IsCA: true,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
|
||
// Tests absent the flag
|
||
ss, _ := getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
|
||
// Set CA to true, but leave issuer alone
|
||
template.IsCA = true
|
||
|
||
// Tests with flag present but false
|
||
ss, _ = getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
"require_matching_certificate_algorithms": false,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
|
||
// Test with flag present and true
|
||
ss, _ = getSelfSigned(t, template, template, key)
|
||
_, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
"require_matching_certificate_algorithms": true,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error due to mismatched algorithms")
|
||
}
|
||
}
|
||
|
||
// This is a really tricky test because the Go stdlib asn1 package is incapable
|
||
// of doing the right thing with custom OID SANs (see comments in the package,
|
||
// it's readily admitted that it's too magic) but that means that any
|
||
// validation logic written for this test isn't being independently verified,
|
||
// as in, if cryptobytes is used to decode it to make the test work, that
|
||
// doesn't mean we're encoding and decoding correctly, only that we made the
|
||
// test pass. Instead, when run verbosely it will first perform a bunch of
|
||
// checks to verify that the OID SAN logic doesn't screw up other SANs, then
|
||
// will spit out the PEM. This can be validated independently.
|
||
//
|
||
// You want the hex dump of the octet string corresponding to the X509v3
|
||
// Subject Alternative Name. There's a nice online utility at
|
||
// https://lapo.it/asn1js that can be used to view the structure of an
|
||
// openssl-generated other SAN at
|
||
// https://lapo.it/asn1js/#3022A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374
|
||
// (openssl asn1parse can also be used with -strparse using an offset of the
|
||
// hex blob for the subject alternative names extension).
|
||
//
|
||
// The structure output from here should match that precisely (even if the OID
|
||
// itself doesn't) in the second test.
|
||
//
|
||
// The test that encodes two should have them be in separate elements in the
|
||
// top-level sequence; see
|
||
// https://lapo.it/asn1js/#3046A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374A022060A2B060104018237140204A0140C12322D6465766F7073406C6F63616C686F7374 for an openssl-generated example.
|
||
//
|
||
// The good news is that it's valid to simply copy and paste the PEM output from
|
||
// here into the form at that site as it will do the right thing so it's pretty
|
||
// easy to validate.
|
||
func TestBackend_OID_SANs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
var err error
|
||
var resp *logical.Response
|
||
var certStr string
|
||
var block *pem.Block
|
||
var cert *x509.Certificate
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{"foobar.com", "zipzap.com"},
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"allow_ip_sans": true,
|
||
"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devops@*,1.3.6.1.4.1.311.20.2.4;utf8:d*e@foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Get a baseline before adding OID SANs. In the next sections we'll verify
|
||
// that the SANs are all added even as the OID SAN inclusion forces other
|
||
// adding logic (custom rather than built-in Golang logic)
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foobar.com,foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
|
||
// First test some bad stuff that shouldn't work
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid value for the first possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devop@nope.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid OID for the first possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:devops@nope.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid name for the second possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d34g@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid OID for the second possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:d34e@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid type
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF2:d34e@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Valid for first possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:devops@nope.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 1 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for second possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d234e@foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 2 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for both
|
||
oid1, type1, val1 := "1.3.6.1.4.1.311.20.2.3", "utf8", "devops@nope.com"
|
||
oid2, type2, val2 := "1.3.6.1.4.1.311.20.2.4", "utf-8", "d234e@foobar.com"
|
||
otherNames := []string{
|
||
fmt.Sprintf("%s;%s:%s", oid1, type1, val1),
|
||
fmt.Sprintf("%s;%s:%s", oid2, type2, val2),
|
||
}
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": strings.Join(otherNames, ","),
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
expectedOtherNames := []otherNameUtf8{{oid1, val1}, {oid2, val2}}
|
||
foundOtherNames, err := getOtherSANsFromX509Extensions(cert.Extensions)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if diff := deep.Equal(expectedOtherNames, foundOtherNames); len(diff) != 0 {
|
||
t.Errorf("unexpected otherNames: %v", diff)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 3 to check:\n%s", certStr)
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedSerialNumbers(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
var err error
|
||
var resp *logical.Response
|
||
var certStr string
|
||
var block *pem.Block
|
||
var cert *x509.Certificate
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// First test that Serial Numbers are not allowed
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
"serial_number": "foobar",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Update the role to allow serial numbers
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"allowed_serial_numbers": "f00*,b4r*",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
// Not a valid serial number
|
||
"serial_number": "foobar",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Valid for first possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"serial_number": "f00bar",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.Subject.SerialNumber != "f00bar" {
|
||
t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 1 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for second possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"serial_number": "b4rf00",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.Subject.SerialNumber != "b4rf00" {
|
||
t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 2 to check:\n%s", certStr)
|
||
}
|
||
}
|
||
|
||
func TestBackend_URI_SANs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{"foobar.com", "zipzap.com"},
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"allow_ip_sans": true,
|
||
"allowed_uri_sans": []string{"http://someuri/abc", "spiffe://host.com/*"},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// First test some bad stuff that shouldn't work
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "http://www.mydomain.com/zxf",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Test valid single entry
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "http://someuri/abc",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Test globed entry
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "spiffe://host.com/something",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Test multiple entries
|
||
resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "spiffe://host.com/something,http://someuri/abc",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
certStr := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(certStr))
|
||
cert, err := x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
URI0, _ := url.Parse("spiffe://host.com/something")
|
||
URI1, _ := url.Parse("http://someuri/abc")
|
||
|
||
if len(cert.URIs) != 2 {
|
||
t.Fatalf("expected 2 valid URIs SANs %v", cert.URIs)
|
||
}
|
||
|
||
if cert.URIs[0].String() != URI0.String() || cert.URIs[1].String() != URI1.String() {
|
||
t.Fatalf(
|
||
"expected URIs SANs %v to equal provided values spiffe://host.com/something, http://someuri/abc",
|
||
cert.URIs)
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedURISANsTemplate(t *testing.T) {
|
||
t.Parallel()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Write test policy for userpass auth method.
|
||
err := client.Sys().PutPolicy("test", `
|
||
path "pki/*" {
|
||
capabilities = ["update"]
|
||
}`)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Enable userpass auth method.
|
||
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Configure test role for userpass.
|
||
if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
"policies": "test",
|
||
}); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Login userpass for test role and keep client token.
|
||
secret, err := client.Logical().Write("auth/userpass/login/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
})
|
||
if err != nil || secret == nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassToken := secret.Auth.ClientToken
|
||
|
||
// Get auth accessor for identity template.
|
||
auths, err := client.Sys().ListAuth()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassAccessor := auths["userpass/"].Accessor
|
||
|
||
// Mount PKI.
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Generate internal CA.
|
||
_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_uri_sans": []string{
|
||
"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}",
|
||
"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}/*", "spiffe://domain/foo",
|
||
},
|
||
"allowed_uri_sans_template": true,
|
||
"require_cn": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with identity templating
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname, spiffe://domain/foo"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with identity templating and glob
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname/bar"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with non-matching identity template parameter
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/unknownuser"})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Set allowed_uri_sans_template to false.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_uri_sans_template": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/users/userpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedDomainsTemplate(t *testing.T) {
|
||
t.Parallel()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Write test policy for userpass auth method.
|
||
err := client.Sys().PutPolicy("test", `
|
||
path "pki/*" {
|
||
capabilities = ["update"]
|
||
}`)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Enable userpass auth method.
|
||
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Configure test role for userpass.
|
||
if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
"policies": "test",
|
||
}); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Login userpass for test role and set client token
|
||
userpassAuth, err := auth.NewUserpassAuth("userpassname", &auth.Password{FromString: "test"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Get auth accessor for identity template.
|
||
auths, err := client.Sys().ListAuth()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassAccessor := auths["userpass/"].Accessor
|
||
|
||
// Mount PKI.
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Generate internal CA.
|
||
_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{
|
||
"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
|
||
"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com",
|
||
},
|
||
"allowed_domains_template": true,
|
||
"allow_bare_domains": true,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
secret, err := client.Auth().Login(context.TODO(), userpassAuth)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if err != nil || secret == nil {
|
||
t.Fatal(err)
|
||
}
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate for foobar.com to verify allowed_domain_template doesn't break plain domains.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foobar.com"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate for unknown userpassname.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "unknownuserpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Issue certificate for foo.userpassname.domain.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
|
||
if err != nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Set allowed_domains_template to false.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_domains_template": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
}
|
||
|
||
func TestReadWriteDeleteRoles(t *testing.T) {
|
||
t.Parallel()
|
||
ctx := context.Background()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Mount PKI.
|
||
err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err := client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp != nil {
|
||
t.Fatalf("response should have been emtpy but was:\n%#v", resp)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Read the role.
|
||
resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data == nil {
|
||
t.Fatal("default data within response was nil when it should have contained data")
|
||
}
|
||
|
||
// Validate that we have not changed any defaults unknowingly
|
||
expectedData := map[string]interface{}{
|
||
"key_type": "rsa",
|
||
"use_csr_sans": true,
|
||
"client_flag": true,
|
||
"allowed_serial_numbers": []interface{}{},
|
||
"generate_lease": false,
|
||
"signature_bits": json.Number("256"),
|
||
"use_pss": false,
|
||
"allowed_domains": []interface{}{},
|
||
"allowed_uri_sans_template": false,
|
||
"enforce_hostnames": true,
|
||
"policy_identifiers": []interface{}{},
|
||
"require_cn": true,
|
||
"allowed_domains_template": false,
|
||
"allow_token_displayname": false,
|
||
"country": []interface{}{},
|
||
"not_after": "",
|
||
"postal_code": []interface{}{},
|
||
"use_csr_common_name": true,
|
||
"allow_localhost": true,
|
||
"allow_subdomains": false,
|
||
"allow_wildcard_certificates": true,
|
||
"allowed_other_sans": []interface{}{},
|
||
"allowed_uri_sans": []interface{}{},
|
||
"basic_constraints_valid_for_non_ca": false,
|
||
"key_usage": []interface{}{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
|
||
"not_before_duration": json.Number("30"),
|
||
"allow_glob_domains": false,
|
||
"ttl": json.Number("0"),
|
||
"ou": []interface{}{},
|
||
"email_protection_flag": false,
|
||
"locality": []interface{}{},
|
||
"server_flag": true,
|
||
"allow_bare_domains": false,
|
||
"allow_ip_sans": true,
|
||
"ext_key_usage_oids": []interface{}{},
|
||
"allow_any_name": false,
|
||
"ext_key_usage": []interface{}{},
|
||
"key_bits": json.Number("2048"),
|
||
"max_ttl": json.Number("0"),
|
||
"no_store": false,
|
||
"organization": []interface{}{},
|
||
"province": []interface{}{},
|
||
"street_address": []interface{}{},
|
||
"code_signing_flag": false,
|
||
"issuer_ref": "default",
|
||
"cn_validations": []interface{}{"email", "hostname"},
|
||
}
|
||
|
||
if diff := deep.Equal(expectedData, resp.Data); len(diff) > 0 {
|
||
t.Fatalf("pki role default values have changed, diff: %v", diff)
|
||
}
|
||
|
||
_, err = client.Logical().DeleteWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp != nil {
|
||
t.Fatalf("response should have been empty but was:\n%#v", resp)
|
||
}
|
||
}
|
||
|
||
func setCerts() {
|
||
cak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey, err := x509.MarshalECPrivateKey(cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
keyPEMBlock := &pem.Block{
|
||
Type: "EC PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
ecCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
subjKeyID, err := certutil.GetSubjKeyID(cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertTemplate := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "root.localhost",
|
||
},
|
||
SubjectKeyId: subjKeyID,
|
||
DNSNames: []string{"root.localhost"},
|
||
KeyUsage: x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
|
||
SerialNumber: big.NewInt(mathrand.Int63()),
|
||
NotAfter: time.Now().Add(262980 * time.Hour),
|
||
BasicConstraintsValid: true,
|
||
IsCA: true,
|
||
}
|
||
caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, cak.Public(), cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock := &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
|
||
rak, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey = x509.MarshalPKCS1PrivateKey(rak)
|
||
keyPEMBlock = &pem.Block{
|
||
Type: "RSA PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
rsaCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
_, err = certutil.GetSubjKeyID(rak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, rak.Public(), rak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock = &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
rsaCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
|
||
_, edk, err := ed25519.GenerateKey(rand.Reader)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey, err = x509.MarshalPKCS8PrivateKey(edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
keyPEMBlock = &pem.Block{
|
||
Type: "PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
edCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
_, err = certutil.GetSubjKeyID(edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, edk.Public(), edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock = &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
edCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
}
|
||
|
||
func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
|
||
// Use a ridiculously long time to minimize the chance
|
||
// that we have to deal with more than one interval.
|
||
// InMemSink rounds down to an interval boundary rather than
|
||
// starting one at the time of initialization.
|
||
//
|
||
// This test is not parallelizable.
|
||
inmemSink := metrics.NewInmemSink(
|
||
1000000*time.Hour,
|
||
2000000*time.Hour)
|
||
|
||
metricsConf := metrics.DefaultConfig("")
|
||
metricsConf.EnableHostname = false
|
||
metricsConf.EnableHostnameLabel = false
|
||
metricsConf.EnableServiceLabel = false
|
||
metricsConf.EnableTypePrefix = false
|
||
|
||
_, err := metrics.NewGlobal(metricsConf, inmemSink)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Enable PKI secret engine
|
||
coreConfig := &vault.CoreConfig{
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
cores := cluster.Cores
|
||
vault.TestWaitActive(t, cores[0].Core)
|
||
client := cores[0].Client
|
||
|
||
// Mount /pki as a root CA
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "32h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Check the metrics initialized in order to calculate backendUUID for /pki
|
||
// BackendUUID not consistent during tests with UUID from /sys/mounts/pki
|
||
metricsSuffix := "total_certificates_stored"
|
||
backendUUID := ""
|
||
mostRecentInterval := inmemSink.Data()[len(inmemSink.Data())-1]
|
||
for _, existingGauge := range mostRecentInterval.Gauges {
|
||
if strings.HasSuffix(existingGauge.Name, metricsSuffix) {
|
||
expandedGaugeName := existingGauge.Name
|
||
backendUUID = strings.Split(expandedGaugeName, ".")[2]
|
||
break
|
||
}
|
||
}
|
||
if backendUUID == "" {
|
||
t.Fatalf("No Gauge Found ending with %s", metricsSuffix)
|
||
}
|
||
|
||
// Set the cluster's certificate as the root CA in /pki
|
||
pemBundleRootCA := string(cluster.CACertPEM) + string(cluster.CAKeyPEM)
|
||
_, err = client.Logical().Write("pki/config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Mount /pki2 to operate as an intermediate CA
|
||
err = client.Sys().Mount("pki2", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "32h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Create a CSR for the intermediate CA
|
||
secret, err := client.Logical().Write("pki2/intermediate/generate/internal", nil)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
intermediateCSR := secret.Data["csr"].(string)
|
||
|
||
// Sign the intermediate CSR using /pki
|
||
secret, err = client.Logical().Write("pki/root/sign-intermediate", map[string]interface{}{
|
||
"permitted_dns_domains": ".myvault.com",
|
||
"csr": intermediateCSR,
|
||
"ttl": "10s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
intermediateCertSerial := secret.Data["serial_number"].(string)
|
||
intermediateCASerialColon := strings.ReplaceAll(strings.ToLower(intermediateCertSerial), ":", "-")
|
||
|
||
// Get the intermediate cert after signing
|
||
secret, err = client.Logical().Read("pki/cert/" + intermediateCASerialColon)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if secret == nil || len(secret.Data) == 0 || len(secret.Data["certificate"].(string)) == 0 {
|
||
t.Fatal("expected certificate information from read operation")
|
||
}
|
||
|
||
// Issue a revoke on on /pki
|
||
_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
|
||
"serial_number": intermediateCertSerial,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Check the cert-count metrics
|
||
expectedCertCountGaugeMetrics := map[string]float32{
|
||
"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 1,
|
||
"secrets.pki." + backendUUID + ".total_certificates_stored": 1,
|
||
}
|
||
mostRecentInterval = inmemSink.Data()[len(inmemSink.Data())-1]
|
||
for gauge, value := range expectedCertCountGaugeMetrics {
|
||
if _, ok := mostRecentInterval.Gauges[gauge]; !ok {
|
||
t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
|
||
}
|
||
if value != mostRecentInterval.Gauges[gauge].Value {
|
||
t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, mostRecentInterval.Gauges[gauge].Value)
|
||
}
|
||
}
|
||
|
||
// Revoke adds a fixed 2s buffer, so we sleep for a bit longer to ensure
|
||
// the revocation time is past the current time.
|
||
time.Sleep(3 * time.Second)
|
||
|
||
// Issue a tidy on /pki
|
||
_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"safety_buffer": "1s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Sleep a bit to make sure we're past the safety buffer
|
||
time.Sleep(2 * time.Second)
|
||
|
||
// Get CRL and ensure the tidied cert is still in the list after the tidy
|
||
// operation since it's not past the NotAfter (ttl) value yet.
|
||
crl := getParsedCrl(t, client, "pki")
|
||
|
||
revokedCerts := crl.TBSCertList.RevokedCertificates
|
||
if len(revokedCerts) == 0 {
|
||
t.Fatal("expected CRL to be non-empty")
|
||
}
|
||
|
||
sn := certutil.GetHexFormatted(revokedCerts[0].SerialNumber.Bytes(), ":")
|
||
if sn != intermediateCertSerial {
|
||
t.Fatalf("expected: %v, got: %v", intermediateCertSerial, sn)
|
||
}
|
||
|
||
// Wait for cert to expire
|
||
time.Sleep(10 * time.Second)
|
||
|
||
// Issue a tidy on /pki
|
||
_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"safety_buffer": "1s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Sleep a bit to make sure we're past the safety buffer
|
||
time.Sleep(2 * time.Second)
|
||
|
||
// Issue a tidy-status on /pki
|
||
{
|
||
tidyStatus, err := client.Logical().Read("pki/tidy-status")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
expectedData := map[string]interface{}{
|
||
"safety_buffer": json.Number("1"),
|
||
"issuer_safety_buffer": json.Number("31536000"),
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"tidy_revoked_cert_issuer_associations": false,
|
||
"tidy_expired_issuers": false,
|
||
"pause_duration": "0s",
|
||
"state": "Finished",
|
||
"error": nil,
|
||
"time_started": nil,
|
||
"time_finished": nil,
|
||
"message": nil,
|
||
"cert_store_deleted_count": json.Number("1"),
|
||
"revoked_cert_deleted_count": json.Number("1"),
|
||
"missing_issuer_cert_count": json.Number("0"),
|
||
"current_cert_store_count": json.Number("0"),
|
||
"current_revoked_cert_count": json.Number("0"),
|
||
}
|
||
// Let's copy the times from the response so that we can use deep.Equal()
|
||
timeStarted, ok := tidyStatus.Data["time_started"]
|
||
if !ok || timeStarted == "" {
|
||
t.Fatal("Expected tidy status response to include a value for time_started")
|
||
}
|
||
expectedData["time_started"] = timeStarted
|
||
timeFinished, ok := tidyStatus.Data["time_finished"]
|
||
if !ok || timeFinished == "" {
|
||
t.Fatal("Expected tidy status response to include a value for time_finished")
|
||
}
|
||
expectedData["time_finished"] = timeFinished
|
||
|
||
if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil {
|
||
t.Fatal(diff)
|
||
}
|
||
}
|
||
// Check the tidy metrics
|
||
{
|
||
// Map of gauges to expected value
|
||
expectedGauges := map[string]float32{
|
||
"secrets.pki.tidy.cert_store_current_entry": 0,
|
||
"secrets.pki.tidy.cert_store_total_entries": 1,
|
||
"secrets.pki.tidy.revoked_cert_current_entry": 0,
|
||
"secrets.pki.tidy.revoked_cert_total_entries": 1,
|
||
"secrets.pki.tidy.start_time_epoch": 0,
|
||
"secrets.pki." + backendUUID + ".total_certificates_stored": 0,
|
||
"secrets.pki." + backendUUID + ".total_revoked_certificates_stored": 0,
|
||
"secrets.pki.tidy.cert_store_total_entries_remaining": 0,
|
||
"secrets.pki.tidy.revoked_cert_total_entries_remaining": 0,
|
||
}
|
||
// Map of counters to the sum of the metrics for that counter
|
||
expectedCounters := map[string]float64{
|
||
"secrets.pki.tidy.cert_store_deleted_count": 1,
|
||
"secrets.pki.tidy.revoked_cert_deleted_count": 1,
|
||
"secrets.pki.tidy.success": 2,
|
||
// Note that "secrets.pki.tidy.failure" won't be in the captured metrics
|
||
}
|
||
|
||
// If the metrics span more than one interval, skip the checks
|
||
intervals := inmemSink.Data()
|
||
if len(intervals) == 1 {
|
||
interval := inmemSink.Data()[0]
|
||
|
||
for gauge, value := range expectedGauges {
|
||
if _, ok := interval.Gauges[gauge]; !ok {
|
||
t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
|
||
}
|
||
if value != interval.Gauges[gauge].Value {
|
||
t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, interval.Gauges[gauge].Value)
|
||
}
|
||
|
||
}
|
||
for counter, value := range expectedCounters {
|
||
if _, ok := interval.Counters[counter]; !ok {
|
||
t.Fatalf("Expected metrics to include a value for couter %s", counter)
|
||
}
|
||
if value != interval.Counters[counter].Sum {
|
||
t.Fatalf("Expected the sum of metric %s to be %f but got %f", counter, value, interval.Counters[counter].Sum)
|
||
}
|
||
}
|
||
|
||
tidyDuration, ok := interval.Samples["secrets.pki.tidy.duration"]
|
||
if !ok {
|
||
t.Fatal("Expected metrics to include a value for sample secrets.pki.tidy.duration")
|
||
}
|
||
if tidyDuration.Count <= 0 {
|
||
t.Fatalf("Expected metrics to have count > 0 for sample secrets.pki.tidy.duration, but got %d", tidyDuration.Count)
|
||
}
|
||
}
|
||
}
|
||
|
||
crl = getParsedCrl(t, client, "pki")
|
||
|
||
revokedCerts = crl.TBSCertList.RevokedCertificates
|
||
if len(revokedCerts) != 0 {
|
||
t.Fatal("expected CRL to be empty")
|
||
}
|
||
}
|
||
|
||
func TestBackend_Root_FullCAChain(t *testing.T) {
|
||
t.Parallel()
|
||
testCases := []struct {
|
||
testName string
|
||
keyType string
|
||
}{
|
||
{testName: "RSA", keyType: "rsa"},
|
||
{testName: "ED25519", keyType: "ed25519"},
|
||
{testName: "EC", keyType: "ec"},
|
||
}
|
||
for _, tc := range testCases {
|
||
tc := tc
|
||
t.Run(tc.testName, func(t *testing.T) {
|
||
runFullCAChainTest(t, tc.keyType)
|
||
})
|
||
}
|
||
}
|
||
|
||
func runFullCAChainTest(t *testing.T, keyType string) {
|
||
// Generate a root CA at /pki-root
|
||
b_root, s_root := CreateBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": keyType,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
rootData := resp.Data
|
||
rootCert := rootData["certificate"].(string)
|
||
|
||
// Validate that root's /cert/ca-chain now contains the certificate.
|
||
resp, err = CBRead(b_root, s_root, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
fullChain := resp.Data["ca_chain"].(string)
|
||
requireCertInCaChainString(t, fullChain, rootCert, "expected root cert within root cert/ca_chain")
|
||
|
||
// Make sure when we issue a leaf certificate we get the full chain back.
|
||
_, err = CBWrite(b_root, s_root, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki root role: %v", err)
|
||
|
||
resp, err = CBWrite(b_root, s_root, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate from pki root: %v", err)
|
||
fullChainArray := resp.Data["ca_chain"].([]string)
|
||
requireCertInCaChainArray(t, fullChainArray, rootCert, "expected root cert within root issuance pki-root/issue/example")
|
||
|
||
// Now generate an intermediate at /pki-intermediate, signed by the root.
|
||
b_int, s_int := CreateBackendWithStorage(t)
|
||
|
||
resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
|
||
"common_name": "intermediate myvault.com",
|
||
"key_type": keyType,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate CSR info")
|
||
}
|
||
intermediateData := resp.Data
|
||
intermediateKey := intermediateData["private_key"].(string)
|
||
|
||
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
||
"csr": intermediateData["csr"],
|
||
"format": "pem",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected signed intermediate info")
|
||
}
|
||
intermediateSignedData := resp.Data
|
||
intermediateCert := intermediateSignedData["certificate"].(string)
|
||
|
||
rootCaCert := parseCert(t, rootCert)
|
||
intermediaryCaCert := parseCert(t, intermediateCert)
|
||
requireSignedBy(t, intermediaryCaCert, rootCaCert)
|
||
intermediateCaChain := intermediateSignedData["ca_chain"].([]string)
|
||
|
||
require.Equal(t, parseCert(t, intermediateCaChain[0]), intermediaryCaCert, "intermediate signed cert should have been part of ca_chain")
|
||
require.Equal(t, parseCert(t, intermediateCaChain[1]), rootCaCert, "root cert should have been part of ca_chain")
|
||
|
||
_, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
|
||
"certificate": intermediateCert + "\n" + rootCert + "\n",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Validate that intermediate's ca_chain field now includes the full
|
||
// chain.
|
||
resp, err = CBRead(b_int, s_int, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
// Verify we have a proper CRL now
|
||
crl := getParsedCrlFromBackend(t, b_int, s_int, "crl")
|
||
require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
|
||
|
||
fullChain = resp.Data["ca_chain"].(string)
|
||
requireCertInCaChainString(t, fullChain, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/cert/ca_chain")
|
||
requireCertInCaChainString(t, fullChain, rootCert, "expected full chain to contain root certificate from pki-intermediate/cert/ca_chain")
|
||
|
||
// Make sure when we issue a leaf certificate we get the full chain back.
|
||
_, err = CBWrite(b_int, s_int, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki intermediate role: %v", err)
|
||
|
||
resp, err = CBWrite(b_int, s_int, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate from pki intermediate: %v", err)
|
||
fullChainArray = resp.Data["ca_chain"].([]string)
|
||
requireCertInCaChainArray(t, fullChainArray, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/issue/example")
|
||
requireCertInCaChainArray(t, fullChainArray, rootCert, "expected full chain to contain root certificate from pki-intermediate/issue/example")
|
||
|
||
// Finally, import this signing cert chain into a new mount to ensure
|
||
// "external" CAs behave as expected.
|
||
b_ext, s_ext := CreateBackendWithStorage(t)
|
||
|
||
_, err = CBWrite(b_ext, s_ext, "config/ca", map[string]interface{}{
|
||
"pem_bundle": intermediateKey + "\n" + intermediateCert + "\n" + rootCert + "\n",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Validate the external chain information was loaded correctly.
|
||
resp, err = CBRead(b_ext, s_ext, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
fullChain = resp.Data["ca_chain"].(string)
|
||
if strings.Count(fullChain, intermediateCert) != 1 {
|
||
t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
|
||
}
|
||
if strings.Count(fullChain, rootCert) != 1 {
|
||
t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
|
||
}
|
||
|
||
// Now issue a short-lived certificate from our pki-external.
|
||
_, err = CBWrite(b_ext, s_ext, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki role: %v", err)
|
||
|
||
resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate: %v", err)
|
||
require.NotNil(t, resp, "got nil response from issuing request")
|
||
issueCrtAsPem := resp.Data["certificate"].(string)
|
||
issuedCrt := parseCert(t, issueCrtAsPem)
|
||
|
||
// Verify that the certificates are signed by the intermediary CA key...
|
||
requireSignedBy(t, issuedCrt, intermediaryCaCert)
|
||
|
||
// Test that we can request that the root ca certificate not appear in the ca_chain field
|
||
resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
"remove_roots_from_chain": "true",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "error issuing certificate when removing self signed")
|
||
fullChain = strings.Join(resp.Data["ca_chain"].([]string), "\n")
|
||
if strings.Count(fullChain, intermediateCert) != 1 {
|
||
t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
|
||
}
|
||
if strings.Count(fullChain, rootCert) != 0 {
|
||
t.Fatalf("expected full chain to NOT contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
|
||
}
|
||
}
|
||
|
||
func requireCertInCaChainArray(t *testing.T, chain []string, cert string, msgAndArgs ...interface{}) {
|
||
var fullChain string
|
||
for _, caCert := range chain {
|
||
fullChain = fullChain + "\n" + caCert
|
||
}
|
||
|
||
requireCertInCaChainString(t, fullChain, cert, msgAndArgs)
|
||
}
|
||
|
||
func requireCertInCaChainString(t *testing.T, chain string, cert string, msgAndArgs ...interface{}) {
|
||
count := strings.Count(chain, cert)
|
||
if count != 1 {
|
||
failMsg := fmt.Sprintf("Found %d occurrances of the cert in the provided chain", count)
|
||
require.FailNow(t, failMsg, msgAndArgs...)
|
||
}
|
||
}
|
||
|
||
type MultiBool int
|
||
|
||
const (
|
||
MFalse MultiBool = iota
|
||
MTrue MultiBool = iota
|
||
MAny MultiBool = iota
|
||
)
|
||
|
||
func (o MultiBool) ToValues() []bool {
|
||
if o == MTrue {
|
||
return []bool{true}
|
||
}
|
||
|
||
if o == MFalse {
|
||
return []bool{false}
|
||
}
|
||
|
||
if o == MAny {
|
||
return []bool{true, false}
|
||
}
|
||
|
||
return []bool{}
|
||
}
|
||
|
||
type IssuanceRegression struct {
|
||
AllowedDomains []string
|
||
AllowBareDomains MultiBool
|
||
AllowGlobDomains MultiBool
|
||
AllowSubdomains MultiBool
|
||
AllowLocalhost MultiBool
|
||
AllowWildcardCertificates MultiBool
|
||
CNValidations []string
|
||
CommonName string
|
||
Issued bool
|
||
}
|
||
|
||
func RoleIssuanceRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test IssuanceRegression) int {
|
||
tested := 0
|
||
for _, AllowBareDomains := range test.AllowBareDomains.ToValues() {
|
||
for _, AllowGlobDomains := range test.AllowGlobDomains.ToValues() {
|
||
for _, AllowSubdomains := range test.AllowSubdomains.ToValues() {
|
||
for _, AllowLocalhost := range test.AllowLocalhost.ToValues() {
|
||
for _, AllowWildcardCertificates := range test.AllowWildcardCertificates.ToValues() {
|
||
role := fmt.Sprintf("issuance-regression-%d-bare-%v-glob-%v-subdomains-%v-localhost-%v-wildcard-%v", index, AllowBareDomains, AllowGlobDomains, AllowSubdomains, AllowLocalhost, AllowWildcardCertificates)
|
||
_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
|
||
"allowed_domains": test.AllowedDomains,
|
||
"allow_bare_domains": AllowBareDomains,
|
||
"allow_glob_domains": AllowGlobDomains,
|
||
"allow_subdomains": AllowSubdomains,
|
||
"allow_localhost": AllowLocalhost,
|
||
"allow_wildcard_certificates": AllowWildcardCertificates,
|
||
"cn_validations": test.CNValidations,
|
||
// TODO: test across this vector as well. Currently certain wildcard
|
||
// matching is broken with it enabled (such as x*x.foo).
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
"key_bits": 256,
|
||
"no_store": true,
|
||
// With the CN Validations field, ensure we prevent CN from appearing
|
||
// in SANs.
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err := CBWrite(b, s, "issue/"+role, map[string]interface{}{
|
||
"common_name": test.CommonName,
|
||
"exclude_cn_from_sans": true,
|
||
})
|
||
|
||
haveErr := err != nil || resp == nil
|
||
expectErr := !test.Issued
|
||
|
||
if haveErr != expectErr {
|
||
t.Fatalf("issuance regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, role: %v", index, haveErr, expectErr, err, resp, test, role)
|
||
}
|
||
|
||
tested += 1
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
return tested
|
||
}
|
||
|
||
func TestBackend_Roles_IssuanceRegression(t *testing.T) {
|
||
t.Parallel()
|
||
// Regression testing of role's issuance policy.
|
||
testCases := []IssuanceRegression{
|
||
// allowed, bare, glob, subdomains, localhost, wildcards, cn, issued
|
||
|
||
// === Globs not allowed but used === //
|
||
// Allowed contains globs, but globbing not allowed, resulting in all
|
||
// issuances failing. Note that tests against issuing a wildcard with
|
||
// a bare domain will be covered later.
|
||
/* 0 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 1 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 2 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 3 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 4 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
|
||
/* 5 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.foo", false},
|
||
/* 6 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
|
||
/* 7 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 8 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 9 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 10 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 11 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
|
||
/* 12 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Localhost sanity === //
|
||
// Localhost forbidden, not matching allowed domains -> not issued
|
||
/* 13 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MFalse, MAny, nil, "localhost", false},
|
||
// Localhost allowed, not matching allowed domains -> issued
|
||
/* 14 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MTrue, MAny, nil, "localhost", true},
|
||
// Localhost allowed via allowed domains (and bare allowed), not by AllowLocalhost -> issued
|
||
/* 15 */ {[]string{"localhost"}, MTrue, MAny, MAny, MFalse, MAny, nil, "localhost", true},
|
||
// Localhost allowed via allowed domains (and bare not allowed), not by AllowLocalhost -> not issued
|
||
/* 16 */ {[]string{"localhost"}, MFalse, MAny, MAny, MFalse, MAny, nil, "localhost", false},
|
||
// Localhost allowed via allowed domains (but bare not allowed), and by AllowLocalhost -> issued
|
||
/* 17 */ {[]string{"localhost"}, MFalse, MAny, MAny, MTrue, MAny, nil, "localhost", true},
|
||
|
||
// === Bare wildcard issuance == //
|
||
// allowed_domains contains one or more wildcards and bare domains allowed,
|
||
// resulting in the cert being issued.
|
||
/* 18 */ {[]string{"*.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "*.foo", true},
|
||
/* 19 */ {[]string{"*.*.foo"}, MTrue, MAny, MAny, MAny, MAny, nil, "*.*.foo", false}, // Does not conform to RFC 6125
|
||
|
||
// === Double Leading Glob Testing === //
|
||
// Allowed contains globs, but glob allowed so certain matches work.
|
||
// The value of bare and localhost does not impact these results.
|
||
/* 20 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 21 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
|
||
/* 22 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 23 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
|
||
/* 24 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", false},
|
||
/* 25 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "*.foo", false},
|
||
/* 26 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
|
||
|
||
// Allowed contains globs, but glob and subdomain both work, so we expect
|
||
// wildcard issuance to work as well. The value of bare and localhost does
|
||
// not impact these results.
|
||
/* 27 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 28 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 29 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 30 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
|
||
/* 31 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", false},
|
||
/* 32 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "*.foo", false},
|
||
/* 33 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Single Leading Glob Testing === //
|
||
// Allowed contains globs, but glob allowed so certain matches work.
|
||
// The value of bare and localhost does not impact these results.
|
||
/* 34 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 35 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
|
||
/* 36 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 37 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // glob domain allows wildcards of subdomains
|
||
/* 38 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", true},
|
||
/* 39 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
|
||
|
||
// Allowed contains globs, but glob and subdomain both work, so we expect
|
||
// wildcard issuance to work as well. The value of bare and localhost does
|
||
// not impact these results.
|
||
/* 40 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 41 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 42 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 43 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
|
||
/* 44 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", true},
|
||
/* 45 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Only base domain name === //
|
||
// Allowed contains only domain components, but subdomains not allowed. This
|
||
// results in most issuances failing unless we allow bare domains, in which
|
||
// case only the final issuance for "foo" will succeed.
|
||
/* 46 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 47 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 48 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 49 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 50 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "bar.foo", false},
|
||
/* 51 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.foo", false},
|
||
/* 52 */ {[]string{"foo"}, MFalse, MAny, MFalse, MAny, MAny, nil, "foo", false},
|
||
/* 53 */ {[]string{"foo"}, MTrue, MAny, MFalse, MAny, MAny, nil, "foo", true},
|
||
|
||
// Allowed contains only domain components, and subdomains are now allowed.
|
||
// This results in most issuances succeeding, with the exception of the
|
||
// base foo, which is still governed by base's value.
|
||
/* 54 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 55 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 56 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 57 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
|
||
/* 58 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "bar.foo", true},
|
||
/* 59 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.foo", true},
|
||
/* 60 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*x.foo", true}, // internal wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 61 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*x.foo", true}, // prefix wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 62 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*.foo", true}, // suffix wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 63 */ {[]string{"foo"}, MFalse, MAny, MTrue, MAny, MAny, nil, "foo", false},
|
||
/* 64 */ {[]string{"foo"}, MTrue, MAny, MTrue, MAny, MAny, nil, "foo", true},
|
||
|
||
// === Internal Glob Matching === //
|
||
// Basic glob matching requirements
|
||
/* 65 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", true},
|
||
/* 66 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", true}, // globs can match across subdomains
|
||
/* 67 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
|
||
/* 68 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x*x isn't matched.
|
||
/* 69 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
|
||
/* 70 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x*x.foo", false}, // Does not conform to RFC 6125
|
||
/* 71 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.xyx.foo", false}, // Globs and Subdomains do not layer per docs.
|
||
|
||
// Various requirements around x*x.foo wildcard matching.
|
||
/* 72 */ {[]string{"x*x.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "x*x.foo", false}, // base disabled, shouldn't match wildcard
|
||
/* 73 */ {[]string{"x*x.foo"}, MFalse, MTrue, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base disallowed, but globbing allowed and should match
|
||
/* 74 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base allowed, should match wildcard
|
||
|
||
// Basic glob matching requirements with internal dots.
|
||
/* 75 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", false}, // missing dots
|
||
/* 76 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ero.x.foo", true},
|
||
/* 77 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", false}, // missing dots
|
||
/* 78 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ylophone.files.pyre.x.foo", true}, // globs can match across subdomains
|
||
/* 79 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
|
||
/* 80 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x.*.x isn't matched.
|
||
/* 81 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
|
||
/* 82 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.*.x.foo", false}, // Does not conform to RFC 6125
|
||
/* 83 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.y.x.foo", false}, // Globs and Subdomains do not layer per docs.
|
||
|
||
// === Wildcard restriction testing === //
|
||
/* 84 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.fud.bar.foo", false}, // glob domain allows wildcard of subdomains
|
||
/* 85 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.bar.foo", false}, // glob domain allows wildcards of subdomains
|
||
/* 86 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.fud.bar.foo", false},
|
||
/* 87 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.bar.foo", false},
|
||
/* 88 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.foo", false},
|
||
/* 89 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*x.foo", false},
|
||
/* 90 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*x.foo", false},
|
||
/* 91 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*.foo", false},
|
||
/* 92 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MFalse, nil, "x*x.foo", false},
|
||
/* 93 */ {[]string{"*.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "*.foo", false}, // Bare and globs forbidden despite (potentially) allowing wildcards.
|
||
/* 94 */ {[]string{"x.*.x.foo"}, MAny, MAny, MAny, MAny, MAny, nil, "x.*.x.foo", false}, // Does not conform to RFC 6125
|
||
|
||
// === CN validation allowances === //
|
||
/* 95 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.bar.foo", true},
|
||
/* 96 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.*.foo", true},
|
||
/* 97 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.bar.*.bar", true},
|
||
/* 98 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo", true},
|
||
/* 99 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo@foo", true},
|
||
/* 100 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "bar@bar@bar", true},
|
||
/* 101 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar@bar", false},
|
||
/* 102 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar", false},
|
||
/* 103 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@foo", true},
|
||
/* 104 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@foo", false},
|
||
/* 105 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@bar", false},
|
||
/* 106 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.foo", true},
|
||
/* 107 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.bar", false},
|
||
/* 108 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.foo", false},
|
||
/* 109 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.bar", false},
|
||
}
|
||
|
||
if len(testCases) != 110 {
|
||
t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
|
||
}
|
||
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// We need a RSA key so all signature sizes are valid with it.
|
||
resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"ttl": "128h",
|
||
"key_type": "rsa",
|
||
"key_bits": 2048,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
tested := 0
|
||
for index, test := range testCases {
|
||
tested += RoleIssuanceRegressionHelper(t, b, s, index, test)
|
||
}
|
||
|
||
t.Logf("Issuance regression expanded matrix test scenarios: %d", tested)
|
||
}
|
||
|
||
type KeySizeRegression struct {
|
||
// Values reused for both Role and CA configuration.
|
||
RoleKeyType string
|
||
RoleKeyBits []int
|
||
|
||
// Signature Bits presently is only specified on the role.
|
||
RoleSignatureBits []int
|
||
RoleUsePSS bool
|
||
|
||
// These are tuples; must be of the same length.
|
||
TestKeyTypes []string
|
||
TestKeyBits []int
|
||
|
||
// All of the above key types/sizes must pass or fail together.
|
||
ExpectError bool
|
||
}
|
||
|
||
func (k KeySizeRegression) KeyTypeValues() []string {
|
||
if k.RoleKeyType == "any" {
|
||
return []string{"rsa", "ec", "ed25519"}
|
||
}
|
||
|
||
return []string{k.RoleKeyType}
|
||
}
|
||
|
||
func RoleKeySizeRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test KeySizeRegression) int {
|
||
tested := 0
|
||
|
||
for _, caKeyType := range test.KeyTypeValues() {
|
||
for _, caKeyBits := range test.RoleKeyBits {
|
||
// Generate a new CA key.
|
||
resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"ttl": "128h",
|
||
"key_type": caKeyType,
|
||
"key_bits": caKeyBits,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
for _, roleKeyBits := range test.RoleKeyBits {
|
||
for _, roleSignatureBits := range test.RoleSignatureBits {
|
||
role := fmt.Sprintf("key-size-regression-%d-keytype-%v-keybits-%d-signature-bits-%d", index, test.RoleKeyType, roleKeyBits, roleSignatureBits)
|
||
_, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
|
||
"key_type": test.RoleKeyType,
|
||
"key_bits": roleKeyBits,
|
||
"signature_bits": roleSignatureBits,
|
||
"use_pss": test.RoleUsePSS,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
for index, keyType := range test.TestKeyTypes {
|
||
keyBits := test.TestKeyBits[index]
|
||
|
||
_, _, csrPem := generateCSR(t, &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "localhost",
|
||
},
|
||
}, keyType, keyBits)
|
||
|
||
resp, err = CBWrite(b, s, "sign/"+role, map[string]interface{}{
|
||
"common_name": "localhost",
|
||
"csr": csrPem,
|
||
})
|
||
|
||
haveErr := err != nil || resp == nil
|
||
|
||
if haveErr != test.ExpectError {
|
||
t.Fatalf("key size regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, caKeyType: %v, caKeyBits: %v, role: %v, keyType: %v, keyBits: %v", index, haveErr, test.ExpectError, err, resp, test, caKeyType, caKeyBits, role, keyType, keyBits)
|
||
}
|
||
|
||
if resp != nil && test.RoleUsePSS && caKeyType == "rsa" {
|
||
leafCert := parseCert(t, resp.Data["certificate"].(string))
|
||
switch leafCert.SignatureAlgorithm {
|
||
case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
|
||
default:
|
||
t.Fatalf("key size regression test [%d] failed on role %v: unexpected signature algorithm; expected RSA-type CA to sign a leaf cert with PSS algorithm; got %v", index, role, leafCert.SignatureAlgorithm.String())
|
||
}
|
||
}
|
||
|
||
tested += 1
|
||
}
|
||
}
|
||
}
|
||
|
||
_, err = CBDelete(b, s, "root")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
}
|
||
|
||
return tested
|
||
}
|
||
|
||
func TestBackend_Roles_KeySizeRegression(t *testing.T) {
|
||
t.Parallel()
|
||
// Regression testing of role's issuance policy.
|
||
testCases := []KeySizeRegression{
|
||
// RSA with default parameters should fail to issue smaller RSA keys
|
||
// and any size ECDSA/Ed25519 keys.
|
||
/* 0 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{1024, 224, 256, 384, 521, 0}, true},
|
||
// But it should work to issue larger RSA keys.
|
||
/* 1 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{2048, 3072}, false},
|
||
|
||
// EC with default parameters should fail to issue smaller EC keys
|
||
// and any size RSA/Ed25519 keys.
|
||
/* 2 */ {"ec", []int{0}, []int{0}, false, []string{"rsa", "ec", "ed25519"}, []int{2048, 224, 0}, true},
|
||
// But it should work to issue larger EC keys. Note that we should be
|
||
// independent of signature bits as that's computed from the issuer
|
||
// type (for EC based issuers).
|
||
/* 3 */ {"ec", []int{224}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec", "ec"}, []int{224, 256, 384, 521}, false},
|
||
/* 4 */ {"ec", []int{0, 256}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec"}, []int{256, 384, 521}, false},
|
||
/* 5 */ {"ec", []int{384}, []int{0, 256, 384, 521}, false, []string{"ec", "ec"}, []int{384, 521}, false},
|
||
/* 6 */ {"ec", []int{521}, []int{0, 256, 384, 512}, false, []string{"ec"}, []int{521}, false},
|
||
|
||
// Ed25519 should reject RSA and EC keys.
|
||
/* 7 */ {"ed25519", []int{0}, []int{0}, false, []string{"rsa", "ec", "ec"}, []int{2048, 256, 521}, true},
|
||
// But it should work to issue Ed25519 keys.
|
||
/* 8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
|
||
|
||
// Any key type should reject insecure RSA key sizes.
|
||
/* 9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
|
||
// But work for everything else.
|
||
/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
|
||
|
||
// RSA with larger than default key size should reject smaller ones.
|
||
/* 11 */ {"rsa", []int{3072}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{2048}, true},
|
||
|
||
// We should be able to sign with PSS with any CA key type.
|
||
/* 12 */ {"rsa", []int{0}, []int{0, 256, 384, 512}, true, []string{"rsa"}, []int{2048}, false},
|
||
/* 13 */ {"ec", []int{0}, []int{0}, true, []string{"ec"}, []int{256}, false},
|
||
/* 14 */ {"ed25519", []int{0}, []int{0}, true, []string{"ed25519"}, []int{0}, false},
|
||
}
|
||
|
||
if len(testCases) != 15 {
|
||
t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
|
||
}
|
||
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
tested := 0
|
||
for index, test := range testCases {
|
||
tested += RoleKeySizeRegressionHelper(t, b, s, index, test)
|
||
}
|
||
|
||
t.Logf("Key size regression expanded matrix test scenarios: %d", tested)
|
||
}
|
||
|
||
func TestRootWithExistingKey(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
var err error
|
||
|
||
// Fail requests if type is existing, and we specify the key_type param
|
||
_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail requests if type is existing, and we specify the key_bits param
|
||
_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_bits": "2048",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail if the specified key does not exist.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
"key_ref": "my-key1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
|
||
|
||
// Fail if the specified key name is default.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
"key_name": "Default",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as key name")
|
||
|
||
// Fail if the specified issuer name is default.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "DEFAULT",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as issuer name")
|
||
|
||
// Create the first CA
|
||
resp, err := CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"issuer_name": "my-issuer1",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId1 := resp.Data["issuer_id"]
|
||
myKeyId1 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId1)
|
||
require.NotEmpty(t, myKeyId1)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoked anything
|
||
parsedCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
|
||
// Fail if the specified issuer name is re-used.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "issuer name already in use")
|
||
|
||
// Create the second CA
|
||
resp, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"issuer_name": "my-issuer2",
|
||
"key_name": "root-key2",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId2 := resp.Data["issuer_id"]
|
||
myKeyId2 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId2)
|
||
require.NotEmpty(t, myKeyId2)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoked anything
|
||
parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer2/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
|
||
// Fail if the specified key name is re-used.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer3",
|
||
"key_name": "root-key2",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key name already in use")
|
||
|
||
// Create a third CA re-using key from CA 1
|
||
resp, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer3",
|
||
"key_ref": myKeyId1,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId3 := resp.Data["issuer_id"]
|
||
myKeyId3 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId3)
|
||
require.NotEmpty(t, myKeyId3)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoking anything.
|
||
parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer3/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
// Signatures should be the same since this is just a reissued cert. We
|
||
// use signature as a proxy for "these two CRLs are equal".
|
||
firstCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
|
||
require.Equal(t, parsedCrl.SignatureValue, firstCrl.SignatureValue)
|
||
|
||
require.NotEqual(t, myIssuerId1, myIssuerId2)
|
||
require.NotEqual(t, myIssuerId1, myIssuerId3)
|
||
require.NotEqual(t, myKeyId1, myKeyId2)
|
||
require.Equal(t, myKeyId1, myKeyId3)
|
||
|
||
resp, err = CBList(b, s, "issuers")
|
||
require.NoError(t, err)
|
||
require.Equal(t, 3, len(resp.Data["keys"].([]string)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId1.(issuerID)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId2.(issuerID)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId3.(issuerID)))
|
||
}
|
||
|
||
func TestIntermediateWithExistingKey(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
// Fail requests if type is existing, and we specify the key_type param
|
||
_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail requests if type is existing, and we specify the key_bits param
|
||
_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_bits": "2048",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail if the specified key does not exist.
|
||
_, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_ref": "my-key1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
|
||
|
||
// Create the first intermediate CA
|
||
resp, err := CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.NoError(t, err)
|
||
// csr1 := resp.Data["csr"]
|
||
myKeyId1 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId1)
|
||
|
||
// Create the second intermediate CA
|
||
resp, err = CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"key_name": "interkey1",
|
||
})
|
||
require.NoError(t, err)
|
||
// csr2 := resp.Data["csr"]
|
||
myKeyId2 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId2)
|
||
|
||
// Create a third intermediate CA re-using key from intermediate CA 1
|
||
resp, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_ref": myKeyId1,
|
||
})
|
||
require.NoError(t, err)
|
||
// csr3 := resp.Data["csr"]
|
||
myKeyId3 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId3)
|
||
|
||
require.NotEqual(t, myKeyId1, myKeyId2)
|
||
require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
|
||
}
|
||
|
||
func TestIssuanceTTLs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root example.com",
|
||
"issuer_name": "root",
|
||
"ttl": "10s",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootCert := parseCert(t, resp.Data["certificate"].(string))
|
||
|
||
_, err = CBWrite(b, s, "roles/local-testing", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "1s",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "permit",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "truncate",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
|
||
|
||
// Sleep until the parent cert expires and the clock rolls over
|
||
// to the next second.
|
||
time.Sleep(time.Until(rootCert.NotAfter) + (1500 * time.Millisecond))
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "err",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
// Even 1s ttl should now fail.
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "1s",
|
||
})
|
||
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
|
||
}
|
||
|
||
func TestSealWrappedStorageConfigured(t *testing.T) {
|
||
t.Parallel()
|
||
b, _ := CreateBackendWithStorage(t)
|
||
wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage
|
||
|
||
// Make sure our legacy bundle is within the list
|
||
// NOTE: do not convert these test values to constants, we should always have these paths within seal wrap config
|
||
require.Contains(t, wrappedEntries, "config/ca_bundle", "Legacy bundle missing from seal wrap")
|
||
// The trailing / is important as it treats the entire folder requiring seal wrapping, not just config/key
|
||
require.Contains(t, wrappedEntries, "config/key/", "key prefix with trailing / missing from seal wrap.")
|
||
}
|
||
|
||
func TestBackend_ConfigCA_WithECParams(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Generated key with OpenSSL:
|
||
// $ openssl ecparam -out p256.key -name prime256v1 -genkey
|
||
//
|
||
// Regression test for https://github.com/hashicorp/vault/issues/16667
|
||
resp, err := CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": `
|
||
-----BEGIN EC PARAMETERS-----
|
||
BggqhkjOPQMBBw==
|
||
-----END EC PARAMETERS-----
|
||
-----BEGIN EC PRIVATE KEY-----
|
||
MHcCAQEEINzXthCZdhyV7+wIEBl/ty+ctNsUS99ykTeax6EbYZtvoAoGCCqGSM49
|
||
AwEHoUQDQgAE57NX8bR/nDoW8yRgLswoXBQcjHrdyfuHS0gPwki6BNnfunUzryVb
|
||
8f22/JWj6fsEF6AOADZlrswKIbR2Es9e/w==
|
||
-----END EC PRIVATE KEY-----
|
||
`,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
importedKeys := resp.Data["imported_keys"].([]string)
|
||
importedIssuers := resp.Data["imported_issuers"].([]string)
|
||
|
||
require.Equal(t, len(importedKeys), 1)
|
||
require.Equal(t, len(importedIssuers), 0)
|
||
}
|
||
|
||
func TestPerIssuerAIA(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Generating a root without anything should not have AIAs.
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root example.com",
|
||
"issuer_name": "root",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootCert := parseCert(t, resp.Data["certificate"].(string))
|
||
require.Empty(t, rootCert.OCSPServer)
|
||
require.Empty(t, rootCert.IssuingCertificateURL)
|
||
require.Empty(t, rootCert.CRLDistributionPoints)
|
||
|
||
// Set some local URLs on the issuer.
|
||
_, err = CBWrite(b, s, "issuer/default", map[string]interface{}{
|
||
"issuing_certificates": []string{"https://google.com"},
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"ttl": "85s",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Issue something with this re-configured issuer.
|
||
resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
|
||
"common_name": "localhost.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
leafCert := parseCert(t, resp.Data["certificate"].(string))
|
||
require.Empty(t, leafCert.OCSPServer)
|
||
require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
|
||
require.Empty(t, leafCert.CRLDistributionPoints)
|
||
|
||
// Set global URLs and ensure they don't appear on this issuer's leaf.
|
||
_, err = CBWrite(b, s, "config/urls", map[string]interface{}{
|
||
"issuing_certificates": []string{"https://example.com/ca", "https://backup.example.com/ca"},
|
||
"crl_distribution_points": []string{"https://example.com/crl", "https://backup.example.com/crl"},
|
||
"ocsp_servers": []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"},
|
||
})
|
||
require.NoError(t, err)
|
||
resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
|
||
"common_name": "localhost.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
leafCert = parseCert(t, resp.Data["certificate"].(string))
|
||
require.Empty(t, leafCert.OCSPServer)
|
||
require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://google.com"})
|
||
require.Empty(t, leafCert.CRLDistributionPoints)
|
||
|
||
// Now come back and remove the local modifications and ensure we get
|
||
// the defaults again.
|
||
_, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
|
||
"issuing_certificates": []string{},
|
||
})
|
||
require.NoError(t, err)
|
||
resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
|
||
"common_name": "localhost.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
leafCert = parseCert(t, resp.Data["certificate"].(string))
|
||
require.Equal(t, leafCert.IssuingCertificateURL, []string{"https://example.com/ca", "https://backup.example.com/ca"})
|
||
require.Equal(t, leafCert.OCSPServer, []string{"https://example.com/ocsp", "https://backup.example.com/ocsp"})
|
||
require.Equal(t, leafCert.CRLDistributionPoints, []string{"https://example.com/crl", "https://backup.example.com/crl"})
|
||
}
|
||
|
||
func TestIssuersWithoutCRLBits(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Importing a root without CRL signing bits should work fine.
|
||
customBundleWithoutCRLBits := `
|
||
-----BEGIN CERTIFICATE-----
|
||
MIIDGTCCAgGgAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhyb290
|
||
LW5ldzAeFw0yMjA4MjQxMjEzNTVaFw0yMzA5MDMxMjEzNTVaMBMxETAPBgNVBAMM
|
||
CHJvb3QtbmV3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAojTA/Mx7
|
||
LVW/Zgn/N4BqZbaF82MrTIBFug3ob7mqycNRlWp4/PH8v37+jYn8e691HUsKjden
|
||
rDTrO06kiQKiJinAzmlLJvgcazE3aXoh7wSzVG9lFHYvljEmVj+yDbkeaqaCktup
|
||
skuNjxCoN9BLmKzZIwVCHn92ZHlhN6LI7CNaU3SDJdu7VftWF9Ugzt9FIvI+6Gcn
|
||
/WNE9FWvZ9o7035rZ+1vvTn7/tgxrj2k3XvD51Kq4tsSbqjnSf3QieXT6E6uvtUE
|
||
TbPp3xjBElgBCKmeogR1l28rs1aujqqwzZ0B/zOeF8ptaH0aZOIBsVDJR8yTwHzq
|
||
s34hNdNfKLHzOwIDAQABo3gwdjAdBgNVHQ4EFgQUF4djNmx+1+uJINhZ82pN+7jz
|
||
H8EwHwYDVR0jBBgwFoAUF4djNmx+1+uJINhZ82pN+7jzH8EwDwYDVR0TAQH/BAUw
|
||
AwEB/zAOBgNVHQ8BAf8EBAMCAoQwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZI
|
||
hvcNAQELBQADggEBAICQovBz4KLWlLmXeZ2Vf6WfQYyGNgGyJa10XNXtWQ5dM2NU
|
||
OLAit4x1c2dz+aFocc8ZsX/ikYi/bruT2rsGWqMAGC4at3U4GuaYGO5a6XzMKIDC
|
||
nxIlbiO+Pn6Xum7fAqUri7+ZNf/Cygmc5sByi3MAAIkszeObUDZFTJL7gEOuXIMT
|
||
rKIXCINq/U+qc7m9AQ8vKhF1Ddj+dLGLzNQ5j3cKfilPs/wRaYqbMQvnmarX+5Cs
|
||
k1UL6kWSQsiP3+UWaBlcWkmD6oZ3fIG7c0aMxf7RISq1eTAM9XjH3vMxWQJlS5q3
|
||
2weJ2LYoPe/DwX5CijR0IezapBCrin1BscJMLFQ=
|
||
-----END CERTIFICATE-----
|
||
-----BEGIN PRIVATE KEY-----
|
||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCiNMD8zHstVb9m
|
||
Cf83gGpltoXzYytMgEW6DehvuarJw1GVanj88fy/fv6Nifx7r3UdSwqN16esNOs7
|
||
TqSJAqImKcDOaUsm+BxrMTdpeiHvBLNUb2UUdi+WMSZWP7INuR5qpoKS26myS42P
|
||
EKg30EuYrNkjBUIef3ZkeWE3osjsI1pTdIMl27tV+1YX1SDO30Ui8j7oZyf9Y0T0
|
||
Va9n2jvTfmtn7W+9Ofv+2DGuPaTde8PnUqri2xJuqOdJ/dCJ5dPoTq6+1QRNs+nf
|
||
GMESWAEIqZ6iBHWXbyuzVq6OqrDNnQH/M54Xym1ofRpk4gGxUMlHzJPAfOqzfiE1
|
||
018osfM7AgMBAAECggEAAVd6kZZaN69IZITIc1vHRYa2rlZpKS2JP7c8Vd3Z/4Fz
|
||
ZZvnJ7LgVAmUYg5WPZ2sOqBNLfKVN/oke5Q0dALgdxYl7dWQIhPjHeRFbZFtjqEV
|
||
OXZGBniamMO/HSKGWGrqFf7BM/H7AhClUwQgjnzVSz+B+LJJidM+SVys3n1xuDmC
|
||
EP+iOda+bAHqHv/7oCELQKhLmCvPc9v2fDy+180ttdo8EHuxwVnKiyR/ryKFhSyx
|
||
K1wgAPQ9jO+V+GESL90rqpX/r501REsIOOpm4orueelHTD4+dnHxvUPqJ++9aYGX
|
||
79qBNPPUhxrQI1yoHxwW0cTxW5EqkZ9bT2lSd5rjcQKBgQDNyPBpidkHPrYemQDT
|
||
RldtS6FiW/jc1It/CRbjU4A6Gi7s3Cda43pEUObKNLeXMyLQaMf4GbDPDX+eh7B8
|
||
RkUq0Q/N0H4bn1hbxYSUdgv0j/6czpMo6rLcJHGwOTSpHGsNsxSLL7xlpgzuzqrG
|
||
FzEgjMA1aD3w8B9+/77AoSLoMQKBgQDJyYMw82+euLYRbR5Wc/SbrWfh2n1Mr2BG
|
||
pp1ZNYorXE5CL4ScdLcgH1q/b8r5XGwmhMcpeA+geAAaKmk1CGG+gPLoq20c9Q1Y
|
||
Ykq9tUVJasIkelvbb/SPxyjkJdBwylzcPP14IJBsqQM0be+yVqLJJVHSaoKhXZcl
|
||
IW2xgCpjKwKBgFpeX5U5P+F6nKebMU2WmlYY3GpBUWxIummzKCX0SV86mFjT5UR4
|
||
mPzfOjqaI/V2M1eqbAZ74bVLjDumAs7QXReMb5BGetrOgxLqDmrT3DQt9/YMkXtq
|
||
ddlO984XkRSisjB18BOfhvBsl0lX4I7VKHHO3amWeX0RNgOjc7VMDfRBAoGAWAQH
|
||
r1BfvZHACLXZ58fISCdJCqCsysgsbGS8eW77B5LJp+DmLQBT6DUE9j+i/0Wq/ton
|
||
rRTrbAkrsj4RicpQKDJCwe4UN+9DlOu6wijRQgbJC/Q7IOoieJxcX7eGxcve2UnZ
|
||
HY7GsD7AYRwa02UquCYJHIjM1enmxZFhMW1AD+UCgYEAm4jdNz5e4QjA4AkNF+cB
|
||
ZenrAZ0q3NbTyiSsJEAtRe/c5fNFpmXo3mqgCannarREQYYDF0+jpSoTUY8XAc4q
|
||
wL7EZNzwxITLqBnnHQbdLdAvYxB43kvWTy+JRK8qY9LAMCCFeDoYwXkWV4Wkx/b0
|
||
TgM7RZnmEjNdeaa4M52o7VY=
|
||
-----END PRIVATE KEY-----
|
||
`
|
||
resp, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": customBundleWithoutCRLBits,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotEmpty(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["imported_issuers"])
|
||
require.NotEmpty(t, resp.Data["imported_keys"])
|
||
require.NotEmpty(t, resp.Data["mapping"])
|
||
|
||
// Shouldn't have crl-signing on the newly imported issuer's usage.
|
||
resp, err = CBRead(b, s, "issuer/default")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotEmpty(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["usage"])
|
||
require.NotContains(t, resp.Data["usage"], "crl-signing")
|
||
|
||
// Modifying to set CRL should fail.
|
||
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
|
||
"usage": "issuing-certificates,crl-signing",
|
||
})
|
||
require.Error(t, err)
|
||
require.True(t, resp.IsError())
|
||
|
||
// Modifying to set issuing-certificates and ocsp-signing should succeed.
|
||
resp, err = CBPatch(b, s, "issuer/default", map[string]interface{}{
|
||
"usage": "issuing-certificates,ocsp-signing",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotEmpty(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["usage"])
|
||
require.NotContains(t, resp.Data["usage"], "crl-signing")
|
||
}
|
||
|
||
func TestBackend_IfModifiedSinceHeaders(t *testing.T) {
|
||
t.Parallel()
|
||
coreConfig := &vault.CoreConfig{
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Mount PKI.
|
||
err := client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
// Required to allow the header to be passed through.
|
||
PassthroughRequestHeaders: []string{"if-modified-since"},
|
||
AllowedResponseHeaders: []string{"Last-Modified"},
|
||
},
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Get a time before CA generation. Subtract two seconds to ensure
|
||
// the value in the seconds field is different than the time the CA
|
||
// is actually generated at.
|
||
beforeOldCAGeneration := time.Now().Add(-2 * time.Second)
|
||
|
||
// Generate an internal CA. This one is the default.
|
||
resp, err := client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "Root X1",
|
||
"key_type": "ec",
|
||
"issuer_name": "old-root",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["certificate"])
|
||
|
||
// CA is generated, but give a grace window.
|
||
afterOldCAGeneration := time.Now().Add(2 * time.Second)
|
||
|
||
// When you _save_ headers, client returns a copy. But when you go to
|
||
// reset them, it doesn't create a new copy (and instead directly
|
||
// assigns). This means we have to continually refresh our view of the
|
||
// last headers, otherwise the headers added after the last set operation
|
||
// leak into this copy... Yuck!
|
||
lastHeaders := client.Headers()
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/old-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
// Reading the CA should work, without a header.
|
||
resp, err := client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
|
||
// Ensure that the CA is returned correctly if we give it the old time.
|
||
client.AddHeader("If-Modified-Since", beforeOldCAGeneration.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
|
||
// Ensure that the CA is elided if we give it the present time (plus a
|
||
// grace window).
|
||
client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
|
||
t.Logf("headers: %v", client.Headers())
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// Wait three seconds. This ensures we have adequate grace period
|
||
// to distinguish the two cases, even with grace periods.
|
||
time.Sleep(3 * time.Second)
|
||
|
||
// Generating a second root. This one isn't the default.
|
||
beforeNewCAGeneration := time.Now().Add(-2 * time.Second)
|
||
|
||
// Generate an internal CA. This one is the default.
|
||
_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "Root X1",
|
||
"key_type": "ec",
|
||
"issuer_name": "new-root",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// As above.
|
||
afterNewCAGeneration := time.Now().Add(2 * time.Second)
|
||
|
||
// New root isn't the default, so it has fewer paths.
|
||
for _, path := range []string{"pki/issuer/new-root/json", "pki/issuer/new-root/crl", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
// Reading the CA should work, without a header.
|
||
resp, err := client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
|
||
// Ensure that the CA is returned correctly if we give it the old time.
|
||
client.AddHeader("If-Modified-Since", beforeNewCAGeneration.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
|
||
// Ensure that the CA is elided if we give it the present time (plus a
|
||
// grace window).
|
||
client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
|
||
t.Logf("headers: %v", client.Headers())
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// Wait three seconds. This ensures we have adequate grace period
|
||
// to distinguish the two cases, even with grace periods.
|
||
time.Sleep(3 * time.Second)
|
||
|
||
// Now swap the default issuers around.
|
||
_, err = client.Logical().Write("pki/config/issuers", map[string]interface{}{
|
||
"default": "new-root",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Reading both with the last modified date should return new values.
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
// Ensure that the CA is returned correctly if we give it the old time.
|
||
client.AddHeader("If-Modified-Since", afterOldCAGeneration.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
|
||
// Ensure that the CA is returned correctly if we give it the old time.
|
||
client.AddHeader("If-Modified-Since", afterNewCAGeneration.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// Wait for things to settle, record the present time, and wait for the
|
||
// clock to definitely tick over again.
|
||
time.Sleep(2 * time.Second)
|
||
preRevocationTimestamp := time.Now()
|
||
time.Sleep(2 * time.Second)
|
||
|
||
// The above tests should say everything is cached.
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
|
||
// Ensure that the CA is returned correctly if we give it the new time.
|
||
client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// We could generate some leaves and verify the revocation updates the
|
||
// CRL. But, revoking the issuer behaves the same, so let's do that
|
||
// instead.
|
||
_, err = client.Logical().Write("pki/issuer/old-root/revoke", map[string]interface{}{})
|
||
require.NoError(t, err)
|
||
|
||
// CA should still be valid.
|
||
for _, path := range []string{"pki/cert/ca", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json"} {
|
||
t.Logf("path: %v", path)
|
||
|
||
// Ensure that the CA is returned correctly if we give it the old time.
|
||
client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// CRL should be invalidated
|
||
for _, path := range []string{"pki/cert/crl", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
client.AddHeader("If-Modified-Since", preRevocationTimestamp.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
// If we send some time in the future, everything should be cached again!
|
||
futureTime := time.Now().Add(30 * time.Second)
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
|
||
// Ensure that the CA is returned correctly if we give it the new time.
|
||
client.AddHeader("If-Modified-Since", futureTime.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
beforeThreeWaySwap := time.Now().Add(-2 * time.Second)
|
||
|
||
// Now, do a three-way swap of names (old->tmp; new->old; tmp->new). This
|
||
// should result in all names/CRLs being invalidated.
|
||
_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/old-root", map[string]interface{}{
|
||
"issuer_name": "tmp-root",
|
||
})
|
||
require.NoError(t, err)
|
||
_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/new-root", map[string]interface{}{
|
||
"issuer_name": "old-root",
|
||
})
|
||
require.NoError(t, err)
|
||
_, err = client.Logical().JSONMergePatch(ctx, "pki/issuer/tmp-root", map[string]interface{}{
|
||
"issuer_name": "new-root",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
afterThreeWaySwap := time.Now().Add(2 * time.Second)
|
||
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl", "pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
// Ensure that the CA is returned if we give it the pre-update time.
|
||
client.AddHeader("If-Modified-Since", beforeThreeWaySwap.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
|
||
// Ensure that the CA is elided correctly if we give it the after time.
|
||
client.AddHeader("If-Modified-Since", afterThreeWaySwap.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
|
||
time.Sleep(4 * time.Second)
|
||
|
||
beforeDeltaRotation := time.Now().Add(-2 * time.Second)
|
||
|
||
// Finally, rebuild the delta CRL and ensure that only that is
|
||
// invalidated. We first need to enable it though.
|
||
_, err = client.Logical().Write("pki/config/crl", map[string]interface{}{
|
||
"auto_rebuild": true,
|
||
"enable_delta": true,
|
||
})
|
||
require.NoError(t, err)
|
||
resp, err = client.Logical().Read("pki/crl/rotate-delta")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.Equal(t, resp.Data["success"], true)
|
||
|
||
afterDeltaRotation := time.Now().Add(2 * time.Second)
|
||
|
||
for _, path := range []string{"pki/cert/ca", "pki/cert/crl", "pki/issuer/default/json", "pki/issuer/old-root/json", "pki/issuer/new-root/json", "pki/issuer/old-root/crl", "pki/issuer/new-root/crl"} {
|
||
t.Logf("path: %v", path)
|
||
|
||
for _, when := range []time.Time{beforeDeltaRotation, afterDeltaRotation} {
|
||
client.AddHeader("If-Modified-Since", when.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
}
|
||
|
||
for _, path := range []string{"pki/cert/delta-crl", "pki/issuer/old-root/crl/delta", "pki/issuer/new-root/crl/delta"} {
|
||
t.Logf("path: %v", path)
|
||
field := "certificate"
|
||
if strings.HasPrefix(path, "pki/issuer") && strings.Contains(path, "/crl") {
|
||
field = "crl"
|
||
}
|
||
|
||
// Ensure that the CRL is present if we give it the pre-update time.
|
||
client.AddHeader("If-Modified-Since", beforeDeltaRotation.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data[field])
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
|
||
client.AddHeader("If-Modified-Since", afterDeltaRotation.Format(time.RFC1123))
|
||
resp, err = client.Logical().Read(path)
|
||
require.NoError(t, err)
|
||
require.Nil(t, resp)
|
||
client.SetHeaders(lastHeaders)
|
||
lastHeaders = client.Headers()
|
||
}
|
||
}
|
||
|
||
func TestBackend_InitializeCertificateCounts(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
ctx := context.Background()
|
||
|
||
// Set up an Issuer and Role
|
||
// We need a root certificate to write/revoke certificates with
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
// Create a role
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "myvault.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"max_ttl": "2h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Put certificates A, B, C, D, E in backend
|
||
var certificates []string = []string{"a", "b", "c", "d", "e"}
|
||
serials := make([]string, 5)
|
||
for i, cn := range certificates {
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": cn + ".myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
serials[i] = resp.Data["serial_number"].(string)
|
||
}
|
||
|
||
// Revoke certificates A + B
|
||
revocations := serials[0:2]
|
||
for _, key := range revocations {
|
||
resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
|
||
"serial_number": key,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
|
||
// Assert initialize from clean is correct:
|
||
b.initializeStoredCertificateCounts(ctx)
|
||
if atomic.LoadUint32(b.certCount) != 6 {
|
||
t.Fatalf("Failed to count six certificates root,A,B,C,D,E, instead counted %d certs", atomic.LoadUint32(b.certCount))
|
||
}
|
||
if atomic.LoadUint32(b.revokedCertCount) != 2 {
|
||
t.Fatalf("Failed to count two revoked certificates A+B, instead counted %d certs", atomic.LoadUint32(b.revokedCertCount))
|
||
}
|
||
|
||
// Simulates listing while initialize in progress, by "restarting it"
|
||
atomic.StoreUint32(b.certCount, 0)
|
||
atomic.StoreUint32(b.revokedCertCount, 0)
|
||
b.certsCounted.Store(false)
|
||
|
||
// Revoke certificates C, D
|
||
dirtyRevocations := serials[2:4]
|
||
for _, key := range dirtyRevocations {
|
||
resp, err = CBWrite(b, s, "revoke", map[string]interface{}{
|
||
"serial_number": key,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
|
||
// Put certificates F, G in the backend
|
||
dirtyCertificates := []string{"f", "g"}
|
||
for _, cn := range dirtyCertificates {
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": cn + ".myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
|
||
// Run initialize
|
||
b.initializeStoredCertificateCounts(ctx)
|
||
|
||
// Test certificate count
|
||
if *(b.certCount) != 8 {
|
||
t.Fatalf("Failed to initialize count of certificates root, A,B,C,D,E,F,G counted %d certs", *(b.certCount))
|
||
}
|
||
|
||
if *(b.revokedCertCount) != 4 {
|
||
t.Fatalf("Failed to count revoked certificates A,B,C,D counted %d certs", *(b.revokedCertCount))
|
||
}
|
||
|
||
return
|
||
}
|
||
|
||
// Verify that our default values are consistent when creating an issuer and when we do an
|
||
// empty POST update to it. This will hopefully identify if we have different default values
|
||
// for fields across the two APIs.
|
||
func TestBackend_VerifyIssuerUpdateDefaultsMatchCreation(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "failed generating root issuer")
|
||
|
||
resp, err = CBRead(b, s, "issuer/default")
|
||
requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
|
||
preUpdateValues := resp.Data
|
||
|
||
// This field gets reset during issuer update to the empty string
|
||
// (meaning Go will auto-detect the rev-sig-algo).
|
||
preUpdateValues["revocation_signature_algorithm"] = ""
|
||
|
||
resp, err = CBWrite(b, s, "issuer/default", map[string]interface{}{})
|
||
requireSuccessNonNilResponse(t, resp, err, "failed updating default issuer with no values")
|
||
|
||
resp, err = CBRead(b, s, "issuer/default")
|
||
requireSuccessNonNilResponse(t, resp, err, "failed reading default issuer")
|
||
postUpdateValues := resp.Data
|
||
|
||
require.Equal(t, preUpdateValues, postUpdateValues,
|
||
"A value was updated based on the empty update of an issuer, "+
|
||
"most likely we have a different set of field parameters across create and update of issuers.")
|
||
}
|
||
|
||
func TestBackend_VerifyPSSKeysIssuersFailImport(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// PKCS8 parsing fails on this key due to rsaPSS OID
|
||
rsaOIDKey := `
|
||
-----BEGIN PRIVATE KEY-----
|
||
MIIEugIBADALBgkqhkiG9w0BAQoEggSmMIIEogIBAAKCAQEAtN0/NPuJHLuyEdBr
|
||
tUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16Fl6MRdtUZ/qNS
|
||
Vs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKkFW69v8fsXwKE
|
||
Bsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmipp0izCsVuQIE
|
||
kBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+GvfnFy9AcTdqRe2
|
||
VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITjwFZ28m7kS7kc
|
||
OtvHpwIDAQABAoIBAFQxmjbj0RQbG+3HBBzD0CBgUYnu9ZC3vKFVoMriGci6YrVB
|
||
FSKU8u5mpkDhpKMWnE6GRdItCvgyg4NSLAZUaIRT4O5ARqwtTDYsobTb2/U+gNnx
|
||
5WXKbFpQcK6jIK+ClfNEDjYb8yDPxG0GEsfHrBvqoFy25L1t37N4sWwH7HjJyZIe
|
||
Hbqx4NVDur9qgqaUwkfSeufn4ycHqFtkzKNzCUarDkST9cxE6/1AKfhl09PPuMEa
|
||
lAY2JLiEplQL5sh9cxG5FObJbutJo5EIhR2OdM0VcPf0MTD9LXKRoGR3SNlG7IlS
|
||
llJzBjlh4J1ByMX32btKMHzEvlhyrMI90E1SEGECgYEAx1yDQWe4/b1MBqCxA3d0
|
||
20dDmUHSRQFhkd/Mzkl5dPzRkG42W3ryNbMKdeuL0ZgK9AhfaLCjcj1i+44O7dHb
|
||
qBTVwfRrer2uoQVCqqJ6z8PGxPJJxTaqh9QuJxkoQ0i43ZNPcjc2M2sWLn+lkkdE
|
||
MaGMiyrmjIQEC6tmgCtZ1VUCgYEA6D9xoT9VuAnQjDvW2tO5N2U2H/8ZyRd1pC3z
|
||
H1CzjwShhxsP4YOUaVdw59K95JL4SMxSmpRrhthlW3cRaiT/exBcXLEvz0Qu0OhW
|
||
a6155ZFjK3UaLDKlwvmtuoAsuAFqX084LO0B1oxvUJESgyPncQ36fv2lZGV7A66z
|
||
Uo+BKQsCgYB2yGBMMAjA5nDN4iCV+C7gF+3m+pjWFKSVzcqxfoWndptGeuRYTUDT
|
||
TgIFkHqWPwkHrZVrQxOflYPMbi/m8wr1crSKA5+mWi4aMpAuKvERqYxc/B+IKbIh
|
||
jAKTuSGMNWAwZP0JCGx65mso+VUleuDe0Wpz4PPM9TuT2GQSKcI0oQKBgHAHcouC
|
||
npmo+lU65DgoWzaydrpWdpy+2Tt6AsW/Su4ZIMWoMy/oJaXuzQK2cG0ay/NpxArW
|
||
v0uLhNDrDZZzBF3blYIM4nALhr205UMJqjwntnuXACoDwFvdzoShIXEdFa+l6gYZ
|
||
yYIxudxWLmTd491wDb5GIgrcvMsY8V1I5dfjAoGAM9g2LtdqgPgK33dCDtZpBm8m
|
||
y4ri9PqHxnpps9WJ1dO6MW/YbW+a7vbsmNczdJ6XNLEfy2NWho1dw3xe7ztFVDjF
|
||
cWNUzs1+/6aFsi41UX7EFn3zAFhQUPxT59hXspuWuKbRAWc5fMnxbCfI/Cr8wTLJ
|
||
E/0kiZ4swUMyI4tYSbM=
|
||
-----END PRIVATE KEY-----
|
||
`
|
||
_, err := CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": rsaOIDKey,
|
||
})
|
||
require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
|
||
|
||
_, err = CBWrite(b, s, "keys/import", map[string]interface{}{
|
||
"key": rsaOIDKey,
|
||
})
|
||
require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key")
|
||
|
||
// Importing a cert with rsaPSS OID should also fail
|
||
rsaOIDCert := `
|
||
-----BEGIN CERTIFICATE-----
|
||
MIIDfjCCAjGgAwIBAgIBATBCBgkqhkiG9w0BAQowNaAPMA0GCWCGSAFlAwQCAQUA
|
||
oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogQCAgDeMBMxETAPBgNVBAMM
|
||
CHJvb3Qtb2xkMB4XDTIyMDkxNjE0MDEwM1oXDTIzMDkyNjE0MDEwM1owEzERMA8G
|
||
A1UEAwwIcm9vdC1vbGQwggEgMAsGCSqGSIb3DQEBCgOCAQ8AMIIBCgKCAQEAtN0/
|
||
NPuJHLuyEdBrtUikXoXOV741XZcNvLAIVBIqDA0ege2gXt9A15FGUI4X3u6kT16F
|
||
l6MRdtUZ/qNSVs15nK9A1PI/AVekMgTVFTnoCzs550CKN8iRk9Om+lwHimpyXxKk
|
||
FW69v8fsXwKEBsz69jjT7HV9VZQ7fQhmE79brAMuwKP1fUQKdHq5OBKtQ7Cl3Gmi
|
||
pp0izCsVuQIEkBHvT3UUgyaSp2n+FONpOiyuBoYUH5tVEv9sZzBqSsrYBJYF+Gvf
|
||
nFy9AcTdqRe2VX2SjjWjDF84T30OBA798gIFIPwu9R4OjWOlPeh2bo2kGeo3AITj
|
||
wFZ28m7kS7kcOtvHpwIDAQABo3UwczAdBgNVHQ4EFgQUVGkTAUJ8inxIVGBlfxf4
|
||
cDhRSnowHwYDVR0jBBgwFoAUVGkTAUJ8inxIVGBlfxf4cDhRSnowDAYDVR0TBAUw
|
||
AwEB/zAOBgNVHQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQgYJKoZI
|
||
hvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgB
|
||
ZQMEAgEFAKIEAgIA3gOCAQEAQZ3iQ3NjvS4FYJ5WG41huZI0dkvNFNan+ZYWlYHJ
|
||
MIQhbFogb/UQB0rlsuldG0+HF1RDXoYNuThfzt5hiBWYEtMBNurezvnOn4DF0hrl
|
||
Uk3sBVnvTalVXg+UVjqh9hBGB75JYJl6a5Oa2Zrq++4qGNwjd0FqgnoXzqS5UGuB
|
||
TJL8nlnXPuOIK3VHoXEy7l9GtvEzKcys0xa7g1PYpaJ5D2kpbBJmuQGmU6CDcbP+
|
||
m0hI4QDfVfHtnBp2VMCvhj0yzowtwF4BFIhv4EXZBU10mzxVj0zyKKft9++X8auH
|
||
nebuK22ZwzbPe4NhOvAdfNDElkrrtGvTnzkDB7ezPYjelA==
|
||
-----END CERTIFICATE-----
|
||
`
|
||
_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": rsaOIDCert,
|
||
})
|
||
require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert")
|
||
|
||
_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": rsaOIDKey + "\n" + rsaOIDCert,
|
||
})
|
||
require.Error(t, err, "expected error importing PKCS8 rsaPSS OID key+cert")
|
||
|
||
_, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": rsaOIDCert + "\n" + rsaOIDKey,
|
||
})
|
||
require.Error(t, err, "expected error importing PKCS8 rsaPSS OID cert+key")
|
||
|
||
// After all these errors, we should have zero issuers and keys.
|
||
resp, err := CBList(b, s, "issuers")
|
||
require.NoError(t, err)
|
||
require.Equal(t, nil, resp.Data["keys"])
|
||
|
||
resp, err = CBList(b, s, "keys")
|
||
require.NoError(t, err)
|
||
require.Equal(t, nil, resp.Data["keys"])
|
||
|
||
// If we create a new PSS root, we should be able to issue an intermediate
|
||
// under it.
|
||
resp, err = CBWrite(b, s, "root/generate/exported", map[string]interface{}{
|
||
"use_pss": "true",
|
||
"common_name": "root x1 - pss",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["certificate"])
|
||
require.NotEmpty(t, resp.Data["private_key"])
|
||
|
||
resp, err = CBWrite(b, s, "intermediate/generate/exported", map[string]interface{}{
|
||
"use_pss": "true",
|
||
"common_name": "int x1 - pss",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["csr"])
|
||
require.NotEmpty(t, resp.Data["private_key"])
|
||
|
||
resp, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
|
||
"use_pss": "true",
|
||
"common_name": "int x1 - pss",
|
||
"csr": resp.Data["csr"].(string),
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.NotEmpty(t, resp.Data["certificate"])
|
||
|
||
resp, err = CBWrite(b, s, "issuers/import/bundle", map[string]interface{}{
|
||
"pem_bundle": resp.Data["certificate"].(string),
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Finally, if we were to take an rsaPSS OID'd CSR and use it against this
|
||
// mount, it will fail.
|
||
_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"ttl": "85s",
|
||
"key_type": "any",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Issuing a leaf from a CSR with rsaPSS OID should fail...
|
||
rsaOIDCSR := `-----BEGIN CERTIFICATE REQUEST-----
|
||
MIICkTCCAUQCAQAwGTEXMBUGA1UEAwwOcmFuY2hlci5teS5vcmcwggEgMAsGCSqG
|
||
SIb3DQEBCgOCAQ8AMIIBCgKCAQEAtzHuGEUK55lXI08yp9DXoye9yCZbkJZO+Hej
|
||
1TWGEkbX4hzauRJeNp2+wn8xU5y8ITjWSIXEVDHeezosLCSy0Y2QT7/V45zWPUYY
|
||
ld0oUnPiwsb9CPFlBRFnX3dO9SS5MONIrNCJGKXmLdF3lgSl8zPT6J/hWM+JBjHO
|
||
hBzK6L8IYwmcEujrQfnOnOztzgMEBJtWG8rnI8roz1adpczTddDKGymh2QevjhlL
|
||
X9CLeYSSQZInOMsgaDYl98Hn00K5x0CBp8ADzzXtaPSQ9nsnihN8VvZ/wHw6YbBS
|
||
BSHa6OD+MrYnw3Sao6/YgBRNT2glIX85uro4ARW9zGB9/748dwIDAQABoAAwQgYJ
|
||
KoZIhvcNAQEKMDWgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglg
|
||
hkgBZQMEAgEFAKIEAgIA3gOCAQEARGAa0HiwzWCpvAdLOVc4/srEyOYFZPLbtv+Y
|
||
ezZIaUBNaWhOvkunqpa48avmcbGlji7r6fxJ5sT28lHt7ODWcJfn1XPAnqesXErm
|
||
EBuOIhCv6WiwVyGeTVynuHYkHyw3rIL/zU7N8+zIFV2G2M1UAv5D/eyh/74cr9Of
|
||
+nvm9jAbkHix8UwOBCFY2LLNl6bXvbIeJEdDOEtA9UmDXs8QGBg4lngyqcE2Z7rz
|
||
+5N/x4guMk2FqblbFGiCc5fLB0Gp6lFFOqhX9Q8nLJ6HteV42xGJUUtsFpppNCRm
|
||
82dGIH2PTbXZ0k7iAAwLaPjzOv1v58Wq90o35d4iEsOfJ8v98Q==
|
||
-----END CERTIFICATE REQUEST-----`
|
||
|
||
_, err = CBWrite(b, s, "issuer/default/sign/testing", map[string]interface{}{
|
||
"common_name": "example.com",
|
||
"csr": rsaOIDCSR,
|
||
})
|
||
require.Error(t, err)
|
||
|
||
_, err = CBWrite(b, s, "issuer/default/sign-verbatim", map[string]interface{}{
|
||
"common_name": "example.com",
|
||
"use_pss": true,
|
||
"csr": rsaOIDCSR,
|
||
})
|
||
require.Error(t, err)
|
||
|
||
_, err = CBWrite(b, s, "issuer/default/sign-intermediate", map[string]interface{}{
|
||
"common_name": "faulty x1 - pss",
|
||
"use_pss": true,
|
||
"csr": rsaOIDCSR,
|
||
})
|
||
require.Error(t, err)
|
||
|
||
// Vault has a weird API for signing self-signed certificates. Ensure
|
||
// that doesn't accept rsaPSS OID'd certificates either.
|
||
_, err = CBWrite(b, s, "issuer/default/sign-self-issued", map[string]interface{}{
|
||
"use_pss": true,
|
||
"certificate": rsaOIDCert,
|
||
})
|
||
require.Error(t, err)
|
||
|
||
// Issuing a regular leaf should succeed.
|
||
_, err = CBWrite(b, s, "roles/testing", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"ttl": "85s",
|
||
"key_type": "rsa",
|
||
"use_pss": "true",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
resp, err = CBWrite(b, s, "issuer/default/issue/testing", map[string]interface{}{
|
||
"common_name": "example.com",
|
||
"use_pss": "true",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "failed to issue PSS leaf")
|
||
}
|
||
|
||
func TestPKI_EmptyCRLConfigUpgraded(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Write an empty CRLConfig into storage.
|
||
crlConfigEntry, err := logical.StorageEntryJSON("config/crl", &crlConfig{})
|
||
require.NoError(t, err)
|
||
err = s.Put(ctx, crlConfigEntry)
|
||
require.NoError(t, err)
|
||
|
||
resp, err := CBRead(b, s, "config/crl")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.NotNil(t, resp.Data)
|
||
require.Equal(t, resp.Data["expiry"], defaultCrlConfig.Expiry)
|
||
require.Equal(t, resp.Data["disable"], defaultCrlConfig.Disable)
|
||
require.Equal(t, resp.Data["ocsp_disable"], defaultCrlConfig.OcspDisable)
|
||
require.Equal(t, resp.Data["auto_rebuild"], defaultCrlConfig.AutoRebuild)
|
||
require.Equal(t, resp.Data["auto_rebuild_grace_period"], defaultCrlConfig.AutoRebuildGracePeriod)
|
||
require.Equal(t, resp.Data["enable_delta"], defaultCrlConfig.EnableDelta)
|
||
require.Equal(t, resp.Data["delta_rebuild_interval"], defaultCrlConfig.DeltaRebuildInterval)
|
||
}
|
||
|
||
func TestPKI_ListRevokedCerts(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := CreateBackendWithStorage(t)
|
||
|
||
// Test empty cluster
|
||
resp, err := CBList(b, s, "certs/revoked")
|
||
requireSuccessNonNilResponse(t, resp, err, "failed listing empty cluster")
|
||
require.Empty(t, resp.Data, "response map contained data that we did not expect")
|
||
|
||
// Set up a mount that we can revoke under (We will create 3 leaf certs, 2 of which will be revoked)
|
||
resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"key_type": "ec",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "error generating root CA")
|
||
requireFieldsSetInResp(t, resp, "serial_number")
|
||
issuerSerial := resp.Data["serial_number"]
|
||
|
||
resp, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allowed_domains": "test.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
requireSuccessNilResponse(t, resp, err, "error setting up pki role")
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "test1.test.com",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "error issuing cert 1")
|
||
requireFieldsSetInResp(t, resp, "serial_number")
|
||
serial1 := resp.Data["serial_number"]
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "test2.test.com",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
|
||
requireFieldsSetInResp(t, resp, "serial_number")
|
||
serial2 := resp.Data["serial_number"]
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "test3.test.com",
|
||
})
|
||
requireSuccessNonNilResponse(t, resp, err, "error issuing cert 2")
|
||
requireFieldsSetInResp(t, resp, "serial_number")
|
||
serial3 := resp.Data["serial_number"]
|
||
|
||
resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial1})
|
||
requireSuccessNonNilResponse(t, resp, err, "error revoking cert 1")
|
||
|
||
resp, err = CBWrite(b, s, "revoke", map[string]interface{}{"serial_number": serial2})
|
||
requireSuccessNonNilResponse(t, resp, err, "error revoking cert 2")
|
||
|
||
// Test that we get back the expected revoked serial numbers.
|
||
resp, err = CBList(b, s, "certs/revoked")
|
||
requireSuccessNonNilResponse(t, resp, err, "failed listing revoked certs")
|
||
requireFieldsSetInResp(t, resp, "keys")
|
||
revokedKeys := resp.Data["keys"].([]string)
|
||
|
||
require.Contains(t, revokedKeys, serial1)
|
||
require.Contains(t, revokedKeys, serial2)
|
||
require.Equal(t, 2, len(revokedKeys), "Expected 2 revoked entries got %d: %v", len(revokedKeys), revokedKeys)
|
||
|
||
// Test that listing our certs returns a different response
|
||
resp, err = CBList(b, s, "certs")
|
||
requireSuccessNonNilResponse(t, resp, err, "failed listing written certs")
|
||
requireFieldsSetInResp(t, resp, "keys")
|
||
certKeys := resp.Data["keys"].([]string)
|
||
|
||
require.Contains(t, certKeys, serial1)
|
||
require.Contains(t, certKeys, serial2)
|
||
require.Contains(t, certKeys, serial3)
|
||
require.Contains(t, certKeys, issuerSerial)
|
||
require.Equal(t, 4, len(certKeys), "Expected 4 cert entries got %d: %v", len(certKeys), certKeys)
|
||
}
|
||
|
||
var (
|
||
initTest sync.Once
|
||
rsaCAKey string
|
||
rsaCACert string
|
||
ecCAKey string
|
||
ecCACert string
|
||
edCAKey string
|
||
edCACert string
|
||
)
|