8acbf7f480
* Add PSS signature support to Vault PKI engine Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use issuer's RevocationSigAlg for CRL signing We introduce a new parameter on issuers, revocation_signature_algorithm to control the signature algorithm used during CRL signing. This is because the SignatureAlgorithm value from the certificate itself is incorrect for this purpose: a RSA root could sign an ECDSA intermediate with say, SHA256WithRSA, but when the intermediate goes to sign a CRL, it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When coupled with support for PSS-only keys, allowing the user to set the signature algorithm value as desired seems like the best approach. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add use_pss, revocation_signature_algorithm docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add PSS to signature role issuance test matrix Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Allow roots to self-identify revocation alg When using PSS support with a managed key, sometimes the underlying device will not support PKCS#1v1.5 signatures. This results in CRL building failing, unless we update the entry's signature algorithm prior to building the CRL for the new root. With a RSA-type key and use_pss=true, we use the signature bits value to decide which hash function to use for PSS support. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add clearer error message on failed import When CRL building fails during cert/key import, due to PSS failures, give a better indication to the user that import succeeded its just CRL building that failed. This tells them the parameter to adjust on the issuer and warns that CRL building will fail until this is fixed. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add case insensitive SigAlgo matching Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Convert UsePSS back to regular bool Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Refactor PSS->certTemplate into helper function Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Proper string output on rev_sig_alg display Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Copy root's SignatureAlgorithm for CRL building Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
4905 lines
158 KiB
Go
4905 lines
158 KiB
Go
package pki
|
||
|
||
import (
|
||
"bytes"
|
||
"context"
|
||
"crypto"
|
||
"crypto/ecdsa"
|
||
"crypto/ed25519"
|
||
"crypto/elliptic"
|
||
"crypto/rand"
|
||
"crypto/rsa"
|
||
"crypto/x509"
|
||
"crypto/x509/pkix"
|
||
"encoding/base64"
|
||
"encoding/hex"
|
||
"encoding/json"
|
||
"encoding/pem"
|
||
"fmt"
|
||
"math"
|
||
"math/big"
|
||
mathrand "math/rand"
|
||
"net"
|
||
"net/url"
|
||
"os"
|
||
"reflect"
|
||
"sort"
|
||
"strconv"
|
||
"strings"
|
||
"sync"
|
||
"testing"
|
||
"time"
|
||
|
||
"github.com/stretchr/testify/require"
|
||
|
||
"github.com/armon/go-metrics"
|
||
"github.com/fatih/structs"
|
||
"github.com/go-test/deep"
|
||
"github.com/hashicorp/go-secure-stdlib/strutil"
|
||
"github.com/hashicorp/vault/api"
|
||
auth "github.com/hashicorp/vault/api/auth/userpass"
|
||
"github.com/hashicorp/vault/builtin/credential/userpass"
|
||
logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
|
||
vaulthttp "github.com/hashicorp/vault/http"
|
||
"github.com/hashicorp/vault/sdk/helper/certutil"
|
||
"github.com/hashicorp/vault/sdk/logical"
|
||
"github.com/hashicorp/vault/vault"
|
||
"github.com/mitchellh/mapstructure"
|
||
"golang.org/x/net/idna"
|
||
)
|
||
|
||
var stepCount = 0
|
||
|
||
// From builtin/credential/cert/test-fixtures/root/rootcacert.pem
|
||
const (
|
||
rootCACertPEM = `-----BEGIN CERTIFICATE-----
|
||
MIIDPDCCAiSgAwIBAgIUb5id+GcaMeMnYBv3MvdTGWigyJ0wDQYJKoZIhvcNAQEL
|
||
BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzI5WhcNMjYw
|
||
MjI2MDIyNzU5WjAWMRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcN
|
||
AQEBBQADggEPADCCAQoCggEBAOxTMvhTuIRc2YhxZpmPwegP86cgnqfT1mXxi1A7
|
||
Q7qax24Nqbf00I3oDMQtAJlj2RB3hvRSCb0/lkF7i1Bub+TGxuM7NtZqp2F8FgG0
|
||
z2md+W6adwW26rlxbQKjmRvMn66G9YPTkoJmPmxt2Tccb9+apmwW7lslL5j8H48x
|
||
AHJTMb+PMP9kbOHV5Abr3PT4jXUPUr/mWBvBiKiHG0Xd/HEmlyOEPeAThxK+I5tb
|
||
6m+eB+7cL9BsvQpy135+2bRAxUphvFi5NhryJ2vlAvoJ8UqigsNK3E28ut60FAoH
|
||
SWRfFUFFYtfPgTDS1yOKU/z/XMU2giQv2HrleWt0mp4jqBUCAwEAAaOBgTB/MA4G
|
||
A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSdxLNP/ocx
|
||
7HK6JT3/sSAe76iTmzAfBgNVHSMEGDAWgBSdxLNP/ocx7HK6JT3/sSAe76iTmzAc
|
||
BgNVHREEFTATggtleGFtcGxlLmNvbYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA
|
||
wHThDRsXJunKbAapxmQ6bDxSvTvkLA6m97TXlsFgL+Q3Jrg9HoJCNowJ0pUTwhP2
|
||
U946dCnSCkZck0fqkwVi4vJ5EQnkvyEbfN4W5qVsQKOFaFVzep6Qid4rZT6owWPa
|
||
cNNzNcXAee3/j6hgr6OQ/i3J6fYR4YouYxYkjojYyg+CMdn6q8BoV0BTsHdnw1/N
|
||
ScbnBHQIvIZMBDAmQueQZolgJcdOuBLYHe/kRy167z8nGg+PUFKIYOL8NaOU1+CJ
|
||
t2YaEibVq5MRqCbRgnd9a2vG0jr5a3Mn4CUUYv+5qIjP3hUusYenW1/EWtn1s/gk
|
||
zehNe5dFTjFpylg1o6b8Ow==
|
||
-----END CERTIFICATE-----`
|
||
rootCAKeyPEM = `-----BEGIN RSA PRIVATE KEY-----
|
||
MIIEpQIBAAKCAQEA7FMy+FO4hFzZiHFmmY/B6A/zpyCep9PWZfGLUDtDuprHbg2p
|
||
t/TQjegMxC0AmWPZEHeG9FIJvT+WQXuLUG5v5MbG4zs21mqnYXwWAbTPaZ35bpp3
|
||
BbbquXFtAqOZG8yfrob1g9OSgmY+bG3ZNxxv35qmbBbuWyUvmPwfjzEAclMxv48w
|
||
/2Rs4dXkBuvc9PiNdQ9Sv+ZYG8GIqIcbRd38cSaXI4Q94BOHEr4jm1vqb54H7twv
|
||
0Gy9CnLXfn7ZtEDFSmG8WLk2GvIna+UC+gnxSqKCw0rcTby63rQUCgdJZF8VQUVi
|
||
18+BMNLXI4pT/P9cxTaCJC/YeuV5a3SaniOoFQIDAQABAoIBAQCoGZJC84JnnIgb
|
||
ttZNWuWKBXbCJcDVDikOQJ9hBZbqsFg1X0CfGmQS3MHf9Ubc1Ro8zVjQh15oIEfn
|
||
8lIpdzTeXcpxLdiW8ix3ekVJF20F6pnXY8ZP6UnTeOwamXY6QPZAtb0D9UXcvY+f
|
||
nw+IVRD6082XS0Rmzu+peYWVXDy+FDN+HJRANBcdJZz8gOmNBIe0qDWx1b85d/s8
|
||
2Kk1Wwdss1IwAGeSddTSwzBNaaHdItZaMZOqPW1gRyBfVSkcUQIE6zn2RKw2b70t
|
||
grkIvyRcTdfmiKbqkkJ+eR+ITOUt0cBZSH4cDjlQA+r7hulvoBpQBRj068Toxkcc
|
||
bTagHaPBAoGBAPWPGVkHqhTbJ/DjmqDIStxby2M1fhhHt4xUGHinhUYjQjGOtDQ9
|
||
0mfaB7HObudRiSLydRAVGAHGyNJdQcTeFxeQbovwGiYKfZSA1IGpea7dTxPpGEdN
|
||
ksA0pzSp9MfKzX/MdLuAkEtO58aAg5YzsgX9hDNxo4MhH/gremZhEGZlAoGBAPZf
|
||
lqdYvAL0fjHGJ1FUEalhzGCGE9PH2iOqsxqLCXK7bDbzYSjvuiHkhYJHAOgVdiW1
|
||
lB34UHHYAqZ1VVoFqJ05gax6DE2+r7K5VV3FUCaC0Zm3pavxchU9R/TKP82xRrBj
|
||
AFWwdgDTxUyvQEmgPR9sqorftO71Iz2tiwyTpIfxAoGBAIhEMLzHFAse0rtKkrRG
|
||
ccR27BbRyHeQ1Lp6sFnEHKEfT8xQdI/I/snCpCJ3e/PBu2g5Q9z416mktiyGs8ib
|
||
thTNgYsGYnxZtfaCx2pssanoBcn2wBJRae5fSapf5gY49HDG9MBYR7qCvvvYtSzU
|
||
4yWP2ZzyotpRt3vwJKxLkN5BAoGAORHpZvhiDNkvxj3da7Rqpu7VleJZA2y+9hYb
|
||
iOF+HcqWhaAY+I+XcTRrTMM/zYLzLEcEeXDEyao86uwxCjpXVZw1kotvAC9UqbTO
|
||
tnr3VwRkoxPsV4kFYTAh0+1pnC8dbcxxDmhi3Uww3tOVs7hfkEDuvF6XnebA9A+Y
|
||
LyCgMzECgYEA6cCU8QODOivIKWFRXucvWckgE6MYDBaAwe6qcLsd1Q/gpE2e3yQc
|
||
4RB3bcyiPROLzMLlXFxf1vSNJQdIaVfrRv+zJeGIiivLPU8+Eq4Lrb+tl1LepcOX
|
||
OzQeADTSCn5VidOfjDkIst9UXjMlrFfV9/oJEw5Eiqa6lkNPCGDhfA8=
|
||
-----END RSA PRIVATE KEY-----`
|
||
)
|
||
|
||
func TestPKI_RequireCN(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
// Create a role which does require CN (default)
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"max_ttl": "2h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with common name supplied.
|
||
// It should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with out supplying the
|
||
// common name. It should error out.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err == nil {
|
||
t.Fatalf("expected an error due to missing common_name")
|
||
}
|
||
|
||
// Modify the role to make the common name optional
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"max_ttl": "2h",
|
||
"require_cn": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to false and without supplying the
|
||
// common name. It should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data["certificate"] == "" {
|
||
t.Fatalf("expected a cert to be generated")
|
||
}
|
||
|
||
// Issue a cert with require_cn set to false and with a common name. It
|
||
// should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data["certificate"] == "" {
|
||
t.Fatalf("expected a cert to be generated")
|
||
}
|
||
}
|
||
|
||
func TestPKI_DeviceCert(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
"not_before_duration": "2h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
var certBundle certutil.CertBundle
|
||
err = mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
notAfter := cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatalf("not after from certificate: %v is not matching with input parameter: %v", cert.NotAfter, "9999-12-31T23:59:59Z")
|
||
}
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("root/generate/internal did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
// Create a role which does require CN (default)
|
||
_, err = CBWrite(b, s, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "foobar.com,zipzap.com,abc.com,xyz.com",
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue a cert with require_cn set to true and with common name supplied.
|
||
// It should succeed.
|
||
resp, err = CBWrite(b, s, "issue/example", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
err = mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
parsedCertBundle, err = certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
cert = parsedCertBundle.Certificate
|
||
notAfter = cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
|
||
}
|
||
}
|
||
|
||
func TestBackend_InvalidParameter(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
_, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
"ttl": "25h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"not_after": "9999-12-31T23:59:59",
|
||
})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
|
||
func TestBackend_CSRValues(t *testing.T) {
|
||
t.Parallel()
|
||
initTest.Do(setCerts)
|
||
b, _ := createBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{},
|
||
}
|
||
|
||
intdata := map[string]interface{}{}
|
||
reqdata := map[string]interface{}{}
|
||
testCase.Steps = append(testCase.Steps, generateCSRSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
|
||
|
||
logicaltest.Test(t, testCase)
|
||
}
|
||
|
||
func TestBackend_URLsCRUD(t *testing.T) {
|
||
t.Parallel()
|
||
initTest.Do(setCerts)
|
||
b, _ := createBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{},
|
||
}
|
||
|
||
intdata := map[string]interface{}{}
|
||
reqdata := map[string]interface{}{}
|
||
testCase.Steps = append(testCase.Steps, generateURLSteps(t, ecCACert, ecCAKey, intdata, reqdata)...)
|
||
|
||
logicaltest.Test(t, testCase)
|
||
}
|
||
|
||
// Generates and tests steps that walk through the various possibilities
|
||
// of role flags to ensure that they are properly restricted
|
||
func TestBackend_Roles(t *testing.T) {
|
||
t.Parallel()
|
||
cases := []struct {
|
||
name string
|
||
key, cert *string
|
||
useCSR bool
|
||
}{
|
||
{"RSA", &rsaCAKey, &rsaCACert, false},
|
||
{"RSACSR", &rsaCAKey, &rsaCACert, true},
|
||
{"EC", &ecCAKey, &ecCACert, false},
|
||
{"ECCSR", &ecCAKey, &ecCACert, true},
|
||
{"ED", &edCAKey, &edCACert, false},
|
||
{"EDCSR", &edCAKey, &edCACert, true},
|
||
}
|
||
|
||
for _, tc := range cases {
|
||
tc := tc
|
||
|
||
t.Run(tc.name, func(t *testing.T) {
|
||
initTest.Do(setCerts)
|
||
b, _ := createBackendWithStorage(t)
|
||
|
||
testCase := logicaltest.TestCase{
|
||
LogicalBackend: b,
|
||
Steps: []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/ca",
|
||
Data: map[string]interface{}{
|
||
"pem_bundle": *tc.key + "\n" + *tc.cert,
|
||
},
|
||
},
|
||
},
|
||
}
|
||
|
||
testCase.Steps = append(testCase.Steps, generateRoleSteps(t, tc.useCSR)...)
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
for i, v := range testCase.Steps {
|
||
data := map[string]interface{}{}
|
||
var keys []string
|
||
for k := range v.Data {
|
||
keys = append(keys, k)
|
||
}
|
||
sort.Strings(keys)
|
||
for _, k := range keys {
|
||
interf := v.Data[k]
|
||
switch v := interf.(type) {
|
||
case bool:
|
||
if !v {
|
||
continue
|
||
}
|
||
case int:
|
||
if v == 0 {
|
||
continue
|
||
}
|
||
case []string:
|
||
if len(v) == 0 {
|
||
continue
|
||
}
|
||
case string:
|
||
if v == "" {
|
||
continue
|
||
}
|
||
lines := strings.Split(v, "\n")
|
||
if len(lines) > 1 {
|
||
data[k] = lines[0] + " ... (truncated)"
|
||
continue
|
||
}
|
||
}
|
||
data[k] = interf
|
||
|
||
}
|
||
t.Logf("Step %d:\n%s %s err=%v %+v\n\n", i+1, v.Operation, v.Path, v.ErrorOk, data)
|
||
}
|
||
}
|
||
|
||
logicaltest.Test(t, testCase)
|
||
})
|
||
}
|
||
}
|
||
|
||
// Performs some validity checking on the returned bundles
|
||
func checkCertsAndPrivateKey(keyType string, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration, certBundle *certutil.CertBundle) (*certutil.ParsedCertBundle, error) {
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
|
||
if key != nil {
|
||
switch keyType {
|
||
case "rsa":
|
||
parsedCertBundle.PrivateKeyType = certutil.RSAPrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
|
||
case "ec":
|
||
parsedCertBundle.PrivateKeyType = certutil.ECPrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes, err = x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing EC key: %s", err)
|
||
}
|
||
case "ed25519":
|
||
parsedCertBundle.PrivateKeyType = certutil.Ed25519PrivateKey
|
||
parsedCertBundle.PrivateKey = key
|
||
parsedCertBundle.PrivateKeyBytes, err = x509.MarshalPKCS8PrivateKey(key.(ed25519.PrivateKey))
|
||
if err != nil {
|
||
return nil, fmt.Errorf("error parsing Ed25519 key: %s", err)
|
||
}
|
||
}
|
||
}
|
||
|
||
switch {
|
||
case parsedCertBundle.Certificate == nil:
|
||
return nil, fmt.Errorf("did not find a certificate in the cert bundle")
|
||
case len(parsedCertBundle.CAChain) == 0 || parsedCertBundle.CAChain[0].Certificate == nil:
|
||
return nil, fmt.Errorf("did not find a CA in the cert bundle")
|
||
case parsedCertBundle.PrivateKey == nil:
|
||
return nil, fmt.Errorf("did not find a private key in the cert bundle")
|
||
case parsedCertBundle.PrivateKeyType == certutil.UnknownPrivateKey:
|
||
return nil, fmt.Errorf("could not figure out type of private key")
|
||
}
|
||
|
||
switch {
|
||
case parsedCertBundle.PrivateKeyType == certutil.Ed25519PrivateKey && keyType != "ed25519":
|
||
fallthrough
|
||
case parsedCertBundle.PrivateKeyType == certutil.RSAPrivateKey && keyType != "rsa":
|
||
fallthrough
|
||
case parsedCertBundle.PrivateKeyType == certutil.ECPrivateKey && keyType != "ec":
|
||
return nil, fmt.Errorf("given key type does not match type found in bundle")
|
||
}
|
||
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
if usage != cert.KeyUsage {
|
||
return nil, fmt.Errorf("expected usage of %#v, got %#v; ext usage is %#v", usage, cert.KeyUsage, cert.ExtKeyUsage)
|
||
}
|
||
|
||
// There should only be one ext usage type, because only one is requested
|
||
// in the tests
|
||
if len(cert.ExtKeyUsage) != 1 {
|
||
return nil, fmt.Errorf("got wrong size key usage in generated cert; expected 1, values are %#v", cert.ExtKeyUsage)
|
||
}
|
||
switch extUsage {
|
||
case x509.ExtKeyUsageEmailProtection:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageEmailProtection {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageServerAuth:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageClientAuth:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageClientAuth {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
case x509.ExtKeyUsageCodeSigning:
|
||
if cert.ExtKeyUsage[0] != x509.ExtKeyUsageCodeSigning {
|
||
return nil, fmt.Errorf("bad extended key usage")
|
||
}
|
||
}
|
||
|
||
if math.Abs(float64(time.Now().Add(validity).Unix()-cert.NotAfter.Unix())) > 20 {
|
||
return nil, fmt.Errorf("certificate validity end: %s; expected within 20 seconds of %s", cert.NotAfter.Format(time.RFC3339), time.Now().Add(validity).Format(time.RFC3339))
|
||
}
|
||
|
||
return parsedCertBundle, nil
|
||
}
|
||
|
||
func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
|
||
expected := certutil.URLEntries{
|
||
IssuingCertificates: []string{
|
||
"http://example.com/ca1",
|
||
"http://example.com/ca2",
|
||
},
|
||
CRLDistributionPoints: []string{
|
||
"http://example.com/crl1",
|
||
"http://example.com/crl2",
|
||
},
|
||
OCSPServers: []string{
|
||
"http://example.com/ocsp1",
|
||
"http://example.com/ocsp2",
|
||
},
|
||
}
|
||
csrTemplate := x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "my@example.com",
|
||
},
|
||
}
|
||
|
||
priv1024, _ := rsa.GenerateKey(rand.Reader, 1024)
|
||
csr1024, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv1024)
|
||
csrPem1024 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr1024,
|
||
})))
|
||
|
||
priv2048, _ := rsa.GenerateKey(rand.Reader, 2048)
|
||
csr2048, _ := x509.CreateCertificateRequest(rand.Reader, &csrTemplate, priv2048)
|
||
csrPem2048 := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr2048,
|
||
})))
|
||
|
||
ret := []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("root returned with a lease")
|
||
}
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/urls",
|
||
Data: map[string]interface{}{
|
||
"issuing_certificates": strings.Join(expected.IssuingCertificates, ","),
|
||
"crl_distribution_points": strings.Join(expected.CRLDistributionPoints, ","),
|
||
"ocsp_servers": strings.Join(expected.OCSPServers, ","),
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.ReadOperation,
|
||
Path: "config/urls",
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Data == nil {
|
||
return fmt.Errorf("no data returned")
|
||
}
|
||
var entries certutil.URLEntries
|
||
err := mapstructure.Decode(resp.Data, &entries)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
|
||
if !reflect.DeepEqual(entries, expected) {
|
||
return fmt.Errorf("expected urls\n%#v\ndoes not match provided\n%#v\n", expected, entries)
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem1024,
|
||
"format": "der",
|
||
},
|
||
ErrorOk: true,
|
||
Check: func(resp *logical.Response) error {
|
||
if !resp.IsError() {
|
||
return fmt.Errorf("expected an error response but did not get one")
|
||
}
|
||
if !strings.Contains(resp.Data["error"].(string), "2048") {
|
||
return fmt.Errorf("received an error but not about a 1024-bit key, error was: %s", resp.Data["error"].(string))
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem2048,
|
||
"signature_bits": 512,
|
||
"format": "der",
|
||
"not_before_duration": "2h",
|
||
// Let's Encrypt -- R3 SKID
|
||
"skid": "14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("signed intermediate returned with a lease")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %v", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
skid, _ := hex.DecodeString("142EB317B75856CBAE500940E61FAF9D8B14C2C6")
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
|
||
return fmt.Errorf("IssuingCertificateURL:\nexpected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
|
||
case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
|
||
return fmt.Errorf("CRLDistributionPoints:\nexpected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
|
||
case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
|
||
return fmt.Errorf("OCSPServer:\nexpected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
|
||
case !reflect.DeepEqual([]string{"intermediate.cert.com"}, cert.DNSNames):
|
||
return fmt.Errorf("DNSNames\nexpected\n%#v\ngot\n%#v\n", []string{"intermediate.cert.com"}, cert.DNSNames)
|
||
case !reflect.DeepEqual(x509.SHA512WithRSA, cert.SignatureAlgorithm):
|
||
return fmt.Errorf("Signature Algorithm:\nexpected\n%#v\ngot\n%#v\n", x509.SHA512WithRSA, cert.SignatureAlgorithm)
|
||
case !reflect.DeepEqual(skid, cert.SubjectKeyId):
|
||
return fmt.Errorf("SKID:\nexpected\n%#v\ngot\n%#v\n", skid, cert.SubjectKeyId)
|
||
}
|
||
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("root/sign-intermediate did not properly set validity period (notBefore): was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
|
||
// Same as above but exclude adding to sans
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"common_name": "intermediate.cert.com",
|
||
"csr": csrPem2048,
|
||
"format": "der",
|
||
"exclude_cn_from_sans": true,
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
if resp.Secret != nil && resp.Secret.LeaseID != "" {
|
||
return fmt.Errorf("signed intermediate returned with a lease")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %v", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
|
||
case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
|
||
case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
|
||
case !reflect.DeepEqual([]string(nil), cert.DNSNames):
|
||
return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string(nil), cert.DNSNames)
|
||
}
|
||
|
||
return nil
|
||
},
|
||
},
|
||
}
|
||
return ret
|
||
}
|
||
|
||
func generateCSR(t *testing.T, csrTemplate *x509.CertificateRequest, keyType string, keyBits int) (interface{}, []byte, string) {
|
||
var priv interface{}
|
||
var err error
|
||
switch keyType {
|
||
case "rsa":
|
||
priv, err = rsa.GenerateKey(rand.Reader, keyBits)
|
||
case "ec":
|
||
switch keyBits {
|
||
case 224:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
|
||
case 256:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||
case 384:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
||
case 521:
|
||
priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
||
default:
|
||
t.Fatalf("Got unknown ec< key bits: %v", keyBits)
|
||
}
|
||
case "ed25519":
|
||
_, priv, err = ed25519.GenerateKey(rand.Reader)
|
||
}
|
||
|
||
if err != nil {
|
||
t.Fatalf("Got error generating private key for CSR: %v", err)
|
||
}
|
||
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, priv)
|
||
if err != nil {
|
||
t.Fatalf("Got error generating CSR: %v", err)
|
||
}
|
||
|
||
csrPem := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
})))
|
||
|
||
return priv, csr, csrPem
|
||
}
|
||
|
||
func generateCSRSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[string]interface{}) []logicaltest.TestStep {
|
||
csrTemplate, csrPem := generateTestCsr(t, certutil.RSAPrivateKey, 2048)
|
||
|
||
ret := []logicaltest.TestStep{
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
"max_path_length": 0,
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"use_csr_values": true,
|
||
"csr": csrPem,
|
||
"format": "der",
|
||
},
|
||
ErrorOk: true,
|
||
},
|
||
|
||
{
|
||
Operation: logical.DeleteOperation,
|
||
Path: "root",
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/exported",
|
||
Data: map[string]interface{}{
|
||
"common_name": "Root Cert",
|
||
"ttl": "180h",
|
||
"max_path_length": 1,
|
||
},
|
||
},
|
||
|
||
{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-intermediate",
|
||
Data: map[string]interface{}{
|
||
"use_csr_values": true,
|
||
"csr": csrPem,
|
||
"format": "der",
|
||
},
|
||
Check: func(resp *logical.Response) error {
|
||
certString := resp.Data["certificate"].(string)
|
||
if certString == "" {
|
||
return fmt.Errorf("no certificate returned")
|
||
}
|
||
certBytes, _ := base64.StdEncoding.DecodeString(certString)
|
||
certs, err := x509.ParseCertificates(certBytes)
|
||
if err != nil {
|
||
return fmt.Errorf("returned cert cannot be parsed: %v", err)
|
||
}
|
||
if len(certs) != 1 {
|
||
return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
|
||
if cert.MaxPathLen != 0 {
|
||
return fmt.Errorf("max path length of %d does not match the requested of 3", cert.MaxPathLen)
|
||
}
|
||
if !cert.MaxPathLenZero {
|
||
return fmt.Errorf("max path length zero is not set")
|
||
}
|
||
|
||
// We need to set these as they are filled in with unparsed values in the final cert
|
||
csrTemplate.Subject.Names = cert.Subject.Names
|
||
csrTemplate.Subject.ExtraNames = cert.Subject.ExtraNames
|
||
|
||
switch {
|
||
case !reflect.DeepEqual(cert.Subject, csrTemplate.Subject):
|
||
return fmt.Errorf("cert subject\n%#v\ndoes not match csr subject\n%#v\n", cert.Subject, csrTemplate.Subject)
|
||
case !reflect.DeepEqual(cert.DNSNames, csrTemplate.DNSNames):
|
||
return fmt.Errorf("cert dns names\n%#v\ndoes not match csr dns names\n%#v\n", cert.DNSNames, csrTemplate.DNSNames)
|
||
case !reflect.DeepEqual(cert.EmailAddresses, csrTemplate.EmailAddresses):
|
||
return fmt.Errorf("cert email addresses\n%#v\ndoes not match csr email addresses\n%#v\n", cert.EmailAddresses, csrTemplate.EmailAddresses)
|
||
case !reflect.DeepEqual(cert.IPAddresses, csrTemplate.IPAddresses):
|
||
return fmt.Errorf("cert ip addresses\n%#v\ndoes not match csr ip addresses\n%#v\n", cert.IPAddresses, csrTemplate.IPAddresses)
|
||
}
|
||
return nil
|
||
},
|
||
},
|
||
}
|
||
return ret
|
||
}
|
||
|
||
func generateTestCsr(t *testing.T, keyType certutil.PrivateKeyType, keyBits int) (x509.CertificateRequest, string) {
|
||
csrTemplate := x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
Country: []string{"MyCountry"},
|
||
PostalCode: []string{"MyPostalCode"},
|
||
SerialNumber: "MySerialNumber",
|
||
CommonName: "my@example.com",
|
||
},
|
||
DNSNames: []string{
|
||
"name1.example.com",
|
||
"name2.example.com",
|
||
"name3.example.com",
|
||
},
|
||
EmailAddresses: []string{
|
||
"name1@example.com",
|
||
"name2@example.com",
|
||
"name3@example.com",
|
||
},
|
||
IPAddresses: []net.IP{
|
||
net.ParseIP("::ff:1:2:3:4"),
|
||
net.ParseIP("::ff:5:6:7:8"),
|
||
},
|
||
}
|
||
|
||
_, _, csrPem := generateCSR(t, &csrTemplate, string(keyType), keyBits)
|
||
return csrTemplate, csrPem
|
||
}
|
||
|
||
// Generates steps to test out various role permutations
|
||
func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
|
||
roleVals := roleEntry{
|
||
MaxTTL: 12 * time.Hour,
|
||
KeyType: "rsa",
|
||
KeyBits: 2048,
|
||
RequireCN: true,
|
||
AllowWildcardCertificates: new(bool),
|
||
}
|
||
*roleVals.AllowWildcardCertificates = true
|
||
|
||
issueVals := certutil.IssueData{}
|
||
ret := []logicaltest.TestStep{}
|
||
|
||
roleTestStep := logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
}
|
||
var issueTestStep logicaltest.TestStep
|
||
if useCSRs {
|
||
issueTestStep = logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign/test",
|
||
}
|
||
} else {
|
||
issueTestStep = logicaltest.TestStep{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/test",
|
||
}
|
||
}
|
||
|
||
generatedRSAKeys := map[int]crypto.Signer{}
|
||
generatedECKeys := map[int]crypto.Signer{}
|
||
generatedEdKeys := map[int]crypto.Signer{}
|
||
/*
|
||
// For the number of tests being run, a seed of 1 has been tested
|
||
// to hit all of the various values below. However, for normal
|
||
// testing we use a randomized time for maximum fuzziness.
|
||
*/
|
||
var seed int64 = 1
|
||
fixedSeed := os.Getenv("VAULT_PKITESTS_FIXED_SEED")
|
||
if len(fixedSeed) == 0 {
|
||
seed = time.Now().UnixNano()
|
||
} else {
|
||
var err error
|
||
seed, err = strconv.ParseInt(fixedSeed, 10, 64)
|
||
if err != nil {
|
||
t.Fatalf("error parsing fixed seed of %s: %v", fixedSeed, err)
|
||
}
|
||
}
|
||
mathRand := mathrand.New(mathrand.NewSource(seed))
|
||
// t.Logf("seed under test: %v", seed)
|
||
|
||
// Used by tests not toggling common names to turn off the behavior of random key bit fuzziness
|
||
keybitSizeRandOff := false
|
||
|
||
genericErrorOkCheck := func(resp *logical.Response) error {
|
||
if resp.IsError() {
|
||
return nil
|
||
}
|
||
return fmt.Errorf("expected an error, but did not seem to get one")
|
||
}
|
||
|
||
// Adds tests with the currently configured issue/role information
|
||
addTests := func(testCheck logicaltest.TestCheckFunc) {
|
||
stepCount++
|
||
// t.Logf("test step %d\nrole vals: %#v\n", stepCount, roleVals)
|
||
stepCount++
|
||
// t.Logf("test step %d\nissue vals: %#v\n", stepCount, issueTestStep)
|
||
roleTestStep.Data = roleVals.ToResponseData()
|
||
roleTestStep.Data["generate_lease"] = false
|
||
ret = append(ret, roleTestStep)
|
||
issueTestStep.Data = structs.New(issueVals).Map()
|
||
switch {
|
||
case issueTestStep.ErrorOk:
|
||
issueTestStep.Check = genericErrorOkCheck
|
||
case testCheck != nil:
|
||
issueTestStep.Check = testCheck
|
||
default:
|
||
issueTestStep.Check = nil
|
||
}
|
||
ret = append(ret, issueTestStep)
|
||
}
|
||
|
||
getCountryCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Country, true)
|
||
if !reflect.DeepEqual(cert.Subject.Country, expected) {
|
||
return fmt.Errorf("error: returned certificate has Country of %s but %s was specified in the role", cert.Subject.Country, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getOuCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicatesStable(role.OU, true)
|
||
if !reflect.DeepEqual(cert.Subject.OrganizationalUnit, expected) {
|
||
return fmt.Errorf("error: returned certificate has OU of %s but %s was specified in the role", cert.Subject.OrganizationalUnit, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getOrganizationCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Organization, true)
|
||
if !reflect.DeepEqual(cert.Subject.Organization, expected) {
|
||
return fmt.Errorf("error: returned certificate has Organization of %s but %s was specified in the role", cert.Subject.Organization, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getLocalityCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Locality, true)
|
||
if !reflect.DeepEqual(cert.Subject.Locality, expected) {
|
||
return fmt.Errorf("error: returned certificate has Locality of %s but %s was specified in the role", cert.Subject.Locality, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getProvinceCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.Province, true)
|
||
if !reflect.DeepEqual(cert.Subject.Province, expected) {
|
||
return fmt.Errorf("error: returned certificate has Province of %s but %s was specified in the role", cert.Subject.Province, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getStreetAddressCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.StreetAddress, true)
|
||
if !reflect.DeepEqual(cert.Subject.StreetAddress, expected) {
|
||
return fmt.Errorf("error: returned certificate has StreetAddress of %s but %s was specified in the role", cert.Subject.StreetAddress, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getPostalCodeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
expected := strutil.RemoveDuplicates(role.PostalCode, true)
|
||
if !reflect.DeepEqual(cert.Subject.PostalCode, expected) {
|
||
return fmt.Errorf("error: returned certificate has PostalCode of %s but %s was specified in the role", cert.Subject.PostalCode, expected)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
getNotBeforeCheck := func(role roleEntry) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
|
||
actualDiff := time.Now().Sub(cert.NotBefore)
|
||
certRoleDiff := (role.NotBeforeDuration - actualDiff).Truncate(time.Second)
|
||
// These times get truncated, so give a 1 second buffer on each side
|
||
if certRoleDiff >= -1*time.Second && certRoleDiff <= 1*time.Second {
|
||
return nil
|
||
}
|
||
return fmt.Errorf("validity period out of range diff: %v", certRoleDiff)
|
||
}
|
||
}
|
||
|
||
// Returns a TestCheckFunc that performs various validity checks on the
|
||
// returned certificate information, mostly within checkCertsAndPrivateKey
|
||
getCnCheck := func(name string, role roleEntry, key crypto.Signer, usage x509.KeyUsage, extUsage x509.ExtKeyUsage, validity time.Duration) logicaltest.TestCheckFunc {
|
||
var certBundle certutil.CertBundle
|
||
return func(resp *logical.Response) error {
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := checkCertsAndPrivateKey(role.KeyType, key, usage, extUsage, validity, &certBundle)
|
||
if err != nil {
|
||
return fmt.Errorf("error checking generated certificate: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
if cert.Subject.CommonName != name {
|
||
return fmt.Errorf("error: returned certificate has CN of %s but %s was requested", cert.Subject.CommonName, name)
|
||
}
|
||
if strings.Contains(cert.Subject.CommonName, "@") {
|
||
if len(cert.DNSNames) != 0 || len(cert.EmailAddresses) != 1 {
|
||
return fmt.Errorf("error: found more than one DNS SAN or not one Email SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
|
||
}
|
||
} else {
|
||
if len(cert.DNSNames) != 1 || len(cert.EmailAddresses) != 0 {
|
||
return fmt.Errorf("error: found more than one Email SAN or not one DNS SAN but only one was requested, cert.DNSNames = %#v, cert.EmailAddresses = %#v", cert.DNSNames, cert.EmailAddresses)
|
||
}
|
||
}
|
||
var retName string
|
||
if len(cert.DNSNames) > 0 {
|
||
retName = cert.DNSNames[0]
|
||
}
|
||
if len(cert.EmailAddresses) > 0 {
|
||
retName = cert.EmailAddresses[0]
|
||
}
|
||
if retName != name {
|
||
// Check IDNA
|
||
p := idna.New(
|
||
idna.StrictDomainName(true),
|
||
idna.VerifyDNSLength(true),
|
||
)
|
||
converted, err := p.ToUnicode(retName)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if converted != name {
|
||
return fmt.Errorf("error: returned certificate has a DNS SAN of %s (from idna: %s) but %s was requested", retName, converted, name)
|
||
}
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
type csrPlan struct {
|
||
errorOk bool
|
||
roleKeyBits int
|
||
cert string
|
||
privKey crypto.Signer
|
||
}
|
||
|
||
getCsr := func(keyType string, keyBits int, csrTemplate *x509.CertificateRequest) (*pem.Block, crypto.Signer) {
|
||
var privKey crypto.Signer
|
||
var ok bool
|
||
switch keyType {
|
||
case "rsa":
|
||
privKey, ok = generatedRSAKeys[keyBits]
|
||
if !ok {
|
||
privKey, _ = rsa.GenerateKey(rand.Reader, keyBits)
|
||
generatedRSAKeys[keyBits] = privKey
|
||
}
|
||
|
||
case "ec":
|
||
var curve elliptic.Curve
|
||
|
||
switch keyBits {
|
||
case 224:
|
||
curve = elliptic.P224()
|
||
case 256:
|
||
curve = elliptic.P256()
|
||
case 384:
|
||
curve = elliptic.P384()
|
||
case 521:
|
||
curve = elliptic.P521()
|
||
}
|
||
|
||
privKey, ok = generatedECKeys[keyBits]
|
||
if !ok {
|
||
privKey, _ = ecdsa.GenerateKey(curve, rand.Reader)
|
||
generatedECKeys[keyBits] = privKey
|
||
}
|
||
|
||
case "ed25519":
|
||
privKey, ok = generatedEdKeys[keyBits]
|
||
if !ok {
|
||
_, privKey, _ = ed25519.GenerateKey(rand.Reader)
|
||
generatedEdKeys[keyBits] = privKey
|
||
}
|
||
|
||
default:
|
||
panic("invalid key type: " + keyType)
|
||
}
|
||
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privKey)
|
||
if err != nil {
|
||
t.Fatalf("Error creating certificate request: %s", err)
|
||
}
|
||
block := pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
}
|
||
return &block, privKey
|
||
}
|
||
|
||
getRandCsr := func(keyType string, errorOk bool, csrTemplate *x509.CertificateRequest) csrPlan {
|
||
rsaKeyBits := []int{2048, 3072, 4096}
|
||
ecKeyBits := []int{224, 256, 384, 521}
|
||
plan := csrPlan{errorOk: errorOk}
|
||
|
||
var testBitSize int
|
||
switch keyType {
|
||
case "rsa":
|
||
plan.roleKeyBits = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
|
||
testBitSize = plan.roleKeyBits
|
||
|
||
// If we don't expect an error already, randomly choose a
|
||
// key size and expect an error if it's less than the role
|
||
// setting
|
||
if !keybitSizeRandOff && !errorOk {
|
||
testBitSize = rsaKeyBits[mathRand.Int()%len(rsaKeyBits)]
|
||
}
|
||
|
||
if testBitSize < plan.roleKeyBits {
|
||
plan.errorOk = true
|
||
}
|
||
|
||
case "ec":
|
||
plan.roleKeyBits = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
|
||
testBitSize = plan.roleKeyBits
|
||
|
||
// If we don't expect an error already, randomly choose a
|
||
// key size and expect an error if it's less than the role
|
||
// setting
|
||
if !keybitSizeRandOff && !errorOk {
|
||
testBitSize = ecKeyBits[mathRand.Int()%len(ecKeyBits)]
|
||
}
|
||
|
||
if testBitSize < plan.roleKeyBits {
|
||
plan.errorOk = true
|
||
}
|
||
|
||
default:
|
||
panic("invalid key type: " + keyType)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("roleKeyBits=%d testBitSize=%d errorOk=%v", plan.roleKeyBits, testBitSize, plan.errorOk)
|
||
}
|
||
|
||
block, privKey := getCsr(keyType, testBitSize, csrTemplate)
|
||
plan.cert = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
plan.privKey = privKey
|
||
return plan
|
||
}
|
||
|
||
// Common names to test with the various role flags toggled
|
||
var commonNames struct {
|
||
Localhost bool `structs:"localhost"`
|
||
BareDomain bool `structs:"example.com"`
|
||
SecondDomain bool `structs:"foobar.com"`
|
||
SubDomain bool `structs:"foo.example.com"`
|
||
Wildcard bool `structs:"*.example.com"`
|
||
SubSubdomain bool `structs:"foo.bar.example.com"`
|
||
SubSubdomainWildcard bool `structs:"*.bar.example.com"`
|
||
GlobDomain bool `structs:"fooexample.com"`
|
||
IDN bool `structs:"daɪˈɛrɨsɨs"`
|
||
AnyHost bool `structs:"porkslap.beer"`
|
||
}
|
||
|
||
// Adds a series of tests based on the current selection of
|
||
// allowed common names; contains some (seeded) randomness
|
||
//
|
||
// This allows for a variety of common names to be tested in various
|
||
// combinations with allowed toggles of the role
|
||
addCnTests := func() {
|
||
cnMap := structs.New(commonNames).Map()
|
||
for name, allowedInt := range cnMap {
|
||
roleVals.KeyType = "rsa"
|
||
roleVals.KeyBits = 2048
|
||
if mathRand.Int()%3 == 1 {
|
||
roleVals.KeyType = "ec"
|
||
roleVals.KeyBits = 224
|
||
}
|
||
|
||
roleVals.ServerFlag = false
|
||
roleVals.ClientFlag = false
|
||
roleVals.CodeSigningFlag = false
|
||
roleVals.EmailProtectionFlag = false
|
||
|
||
var usage []string
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DigitalSignature")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "ContentCoMmitment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "KeyEncipherment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DataEncipherment")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "KeyAgreemEnt")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "CertSign")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "CRLSign")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "EncipherOnly")
|
||
}
|
||
if mathRand.Int()%2 == 1 {
|
||
usage = append(usage, "DecipherOnly")
|
||
}
|
||
|
||
roleVals.KeyUsage = usage
|
||
parsedKeyUsage := parseKeyUsages(roleVals.KeyUsage)
|
||
if parsedKeyUsage == 0 && len(usage) != 0 {
|
||
panic("parsed key usages was zero")
|
||
}
|
||
|
||
var extUsage x509.ExtKeyUsage
|
||
i := mathRand.Int() % 4
|
||
switch {
|
||
case i == 0:
|
||
// Punt on this for now since I'm not clear the actual proper
|
||
// way to format these
|
||
if name != "daɪˈɛrɨsɨs" {
|
||
extUsage = x509.ExtKeyUsageEmailProtection
|
||
roleVals.EmailProtectionFlag = true
|
||
break
|
||
}
|
||
fallthrough
|
||
case i == 1:
|
||
extUsage = x509.ExtKeyUsageServerAuth
|
||
roleVals.ServerFlag = true
|
||
case i == 2:
|
||
extUsage = x509.ExtKeyUsageClientAuth
|
||
roleVals.ClientFlag = true
|
||
default:
|
||
extUsage = x509.ExtKeyUsageCodeSigning
|
||
roleVals.CodeSigningFlag = true
|
||
}
|
||
|
||
allowed := allowedInt.(bool)
|
||
issueVals.CommonName = name
|
||
if roleVals.EmailProtectionFlag {
|
||
if !strings.HasPrefix(name, "*") {
|
||
issueVals.CommonName = "user@" + issueVals.CommonName
|
||
}
|
||
}
|
||
|
||
issueTestStep.ErrorOk = !allowed
|
||
|
||
validity := roleVals.MaxTTL
|
||
|
||
if useCSRs {
|
||
templ := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
}
|
||
plan := getRandCsr(roleVals.KeyType, issueTestStep.ErrorOk, templ)
|
||
issueVals.CSR = plan.cert
|
||
roleVals.KeyBits = plan.roleKeyBits
|
||
issueTestStep.ErrorOk = plan.errorOk
|
||
|
||
addTests(getCnCheck(issueVals.CommonName, roleVals, plan.privKey, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
|
||
} else {
|
||
addTests(getCnCheck(issueVals.CommonName, roleVals, nil, x509.KeyUsage(parsedKeyUsage), extUsage, validity))
|
||
}
|
||
}
|
||
}
|
||
|
||
funcs := []interface{}{
|
||
addCnTests, getCnCheck, getCountryCheck, getLocalityCheck, getNotBeforeCheck,
|
||
getOrganizationCheck, getOuCheck, getPostalCodeCheck, getRandCsr, getStreetAddressCheck,
|
||
getProvinceCheck,
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("funcs=%d", len(funcs))
|
||
}
|
||
|
||
// Common Name tests
|
||
{
|
||
// common_name not provided
|
||
issueVals.CommonName = ""
|
||
issueTestStep.ErrorOk = true
|
||
addTests(nil)
|
||
|
||
// Nothing is allowed
|
||
addCnTests()
|
||
|
||
roleVals.AllowLocalhost = true
|
||
commonNames.Localhost = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com"}
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"example.com"}
|
||
roleVals.AllowSubdomains = true
|
||
commonNames.SubDomain = true
|
||
commonNames.Wildcard = true
|
||
commonNames.SubSubdomain = true
|
||
commonNames.SubSubdomainWildcard = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com", "example.com"}
|
||
commonNames.SecondDomain = true
|
||
roleVals.AllowBareDomains = true
|
||
commonNames.BareDomain = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowedDomains = []string{"foobar.com", "*example.com"}
|
||
roleVals.AllowGlobDomains = true
|
||
commonNames.GlobDomain = true
|
||
addCnTests()
|
||
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
commonNames.AnyHost = true
|
||
commonNames.IDN = true
|
||
addCnTests()
|
||
|
||
roleVals.EnforceHostnames = false
|
||
addCnTests()
|
||
|
||
// Ensure that we end up with acceptable key sizes since they won't be
|
||
// toggled any longer
|
||
keybitSizeRandOff = true
|
||
addCnTests()
|
||
}
|
||
// Country tests
|
||
{
|
||
roleVals.Country = []string{"foo"}
|
||
addTests(getCountryCheck(roleVals))
|
||
|
||
roleVals.Country = []string{"foo", "bar"}
|
||
addTests(getCountryCheck(roleVals))
|
||
}
|
||
// OU tests
|
||
{
|
||
roleVals.OU = []string{"foo"}
|
||
addTests(getOuCheck(roleVals))
|
||
|
||
roleVals.OU = []string{"bar", "foo"}
|
||
addTests(getOuCheck(roleVals))
|
||
}
|
||
// Organization tests
|
||
{
|
||
roleVals.Organization = []string{"system:masters"}
|
||
addTests(getOrganizationCheck(roleVals))
|
||
|
||
roleVals.Organization = []string{"foo", "bar"}
|
||
addTests(getOrganizationCheck(roleVals))
|
||
}
|
||
// Locality tests
|
||
{
|
||
roleVals.Locality = []string{"foo"}
|
||
addTests(getLocalityCheck(roleVals))
|
||
|
||
roleVals.Locality = []string{"foo", "bar"}
|
||
addTests(getLocalityCheck(roleVals))
|
||
}
|
||
// Province tests
|
||
{
|
||
roleVals.Province = []string{"foo"}
|
||
addTests(getProvinceCheck(roleVals))
|
||
|
||
roleVals.Province = []string{"foo", "bar"}
|
||
addTests(getProvinceCheck(roleVals))
|
||
}
|
||
// StreetAddress tests
|
||
{
|
||
roleVals.StreetAddress = []string{"123 foo street"}
|
||
addTests(getStreetAddressCheck(roleVals))
|
||
|
||
roleVals.StreetAddress = []string{"123 foo street", "456 bar avenue"}
|
||
addTests(getStreetAddressCheck(roleVals))
|
||
}
|
||
// PostalCode tests
|
||
{
|
||
roleVals.PostalCode = []string{"f00"}
|
||
addTests(getPostalCodeCheck(roleVals))
|
||
|
||
roleVals.PostalCode = []string{"f00", "b4r"}
|
||
addTests(getPostalCodeCheck(roleVals))
|
||
}
|
||
// NotBefore tests
|
||
{
|
||
roleVals.NotBeforeDuration = 10 * time.Second
|
||
addTests(getNotBeforeCheck(roleVals))
|
||
|
||
roleVals.NotBeforeDuration = 30 * time.Second
|
||
addTests(getNotBeforeCheck(roleVals))
|
||
|
||
roleVals.NotBeforeDuration = 0
|
||
}
|
||
|
||
// IP SAN tests
|
||
{
|
||
getIpCheck := func(expectedIp ...net.IP) logicaltest.TestCheckFunc {
|
||
return func(resp *logical.Response) error {
|
||
var certBundle certutil.CertBundle
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
var emptyIPs []net.IP
|
||
var expected []net.IP = append(emptyIPs, expectedIp...)
|
||
if diff := deep.Equal(cert.IPAddresses, expected); len(diff) > 0 {
|
||
return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
addIPSANTests := func(useCSRs, useCSRSANs, allowIPSANs, errorOk bool, ipSANs string, csrIPSANs []net.IP, check logicaltest.TestCheckFunc) {
|
||
if useCSRs {
|
||
csrTemplate := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
IPAddresses: csrIPSANs,
|
||
}
|
||
block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
|
||
issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
}
|
||
oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
|
||
roleVals.UseCSRSANs = useCSRSANs
|
||
roleVals.AllowIPSANs = allowIPSANs
|
||
issueVals.CommonName = "someone@example.com"
|
||
issueVals.IPSANs = ipSANs
|
||
issueTestStep.ErrorOk = errorOk
|
||
addTests(check)
|
||
roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
|
||
}
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
roleVals.AllowLocalhost = true
|
||
roleVals.UseCSRCommonName = true
|
||
commonNames.Localhost = true
|
||
|
||
netip1, netip2 := net.IP{127, 0, 0, 1}, net.IP{170, 171, 172, 173}
|
||
textip1, textip3 := "127.0.0.1", "::1"
|
||
|
||
// IPSANs not allowed and not provided, should not be an error.
|
||
addIPSANTests(useCSRs, false, false, false, "", nil, getIpCheck())
|
||
|
||
// IPSANs not allowed, valid IPSANs provided, should be an error.
|
||
addIPSANTests(useCSRs, false, false, true, textip1+","+textip3, nil, nil)
|
||
|
||
// IPSANs allowed, bogus IPSANs provided, should be an error.
|
||
addIPSANTests(useCSRs, false, true, true, "foobar", nil, nil)
|
||
|
||
// Given IPSANs as API argument and useCSRSANs false, CSR arg ignored.
|
||
addIPSANTests(useCSRs, false, true, false, textip1,
|
||
[]net.IP{netip2}, getIpCheck(netip1))
|
||
|
||
if useCSRs {
|
||
// IPSANs not allowed, valid IPSANs provided via CSR, should be an error.
|
||
addIPSANTests(useCSRs, true, false, true, "", []net.IP{netip1}, nil)
|
||
|
||
// Given IPSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
|
||
addIPSANTests(useCSRs, true, true, false, textip3,
|
||
[]net.IP{netip1, netip2}, getIpCheck(netip1, netip2))
|
||
}
|
||
}
|
||
|
||
{
|
||
getOtherCheck := func(expectedOthers ...otherNameUtf8) logicaltest.TestCheckFunc {
|
||
return func(resp *logical.Response) error {
|
||
var certBundle certutil.CertBundle
|
||
err := mapstructure.Decode(resp.Data, &certBundle)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
parsedCertBundle, err := certBundle.ToParsedCertBundle()
|
||
if err != nil {
|
||
return fmt.Errorf("error parsing cert bundle: %s", err)
|
||
}
|
||
cert := parsedCertBundle.Certificate
|
||
foundOthers, err := getOtherSANsFromX509Extensions(cert.Extensions)
|
||
if err != nil {
|
||
return err
|
||
}
|
||
var emptyOthers []otherNameUtf8
|
||
var expected []otherNameUtf8 = append(emptyOthers, expectedOthers...)
|
||
if diff := deep.Equal(foundOthers, expected); len(diff) > 0 {
|
||
return fmt.Errorf("wrong SAN IPs, diff: %v", diff)
|
||
}
|
||
return nil
|
||
}
|
||
}
|
||
|
||
addOtherSANTests := func(useCSRs, useCSRSANs bool, allowedOtherSANs []string, errorOk bool, otherSANs []string, csrOtherSANs []otherNameUtf8, check logicaltest.TestCheckFunc) {
|
||
otherSansMap := func(os []otherNameUtf8) map[string][]string {
|
||
ret := make(map[string][]string)
|
||
for _, o := range os {
|
||
ret[o.oid] = append(ret[o.oid], o.value)
|
||
}
|
||
return ret
|
||
}
|
||
if useCSRs {
|
||
csrTemplate := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: issueVals.CommonName,
|
||
},
|
||
}
|
||
if err := handleOtherCSRSANs(csrTemplate, otherSansMap(csrOtherSANs)); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
block, _ := getCsr(roleVals.KeyType, roleVals.KeyBits, csrTemplate)
|
||
issueVals.CSR = strings.TrimSpace(string(pem.EncodeToMemory(block)))
|
||
}
|
||
oldRoleVals, oldIssueVals, oldIssueTestStep := roleVals, issueVals, issueTestStep
|
||
roleVals.UseCSRSANs = useCSRSANs
|
||
roleVals.AllowedOtherSANs = allowedOtherSANs
|
||
issueVals.CommonName = "someone@example.com"
|
||
issueVals.OtherSANs = strings.Join(otherSANs, ",")
|
||
issueTestStep.ErrorOk = errorOk
|
||
addTests(check)
|
||
roleVals, issueVals, issueTestStep = oldRoleVals, oldIssueVals, oldIssueTestStep
|
||
}
|
||
roleVals.AllowAnyName = true
|
||
roleVals.EnforceHostnames = true
|
||
roleVals.AllowLocalhost = true
|
||
roleVals.UseCSRCommonName = true
|
||
commonNames.Localhost = true
|
||
|
||
newOtherNameUtf8 := func(s string) (ret otherNameUtf8) {
|
||
pieces := strings.Split(s, ";")
|
||
if len(pieces) == 2 {
|
||
piecesRest := strings.Split(pieces[1], ":")
|
||
if len(piecesRest) == 2 {
|
||
switch strings.ToUpper(piecesRest[0]) {
|
||
case "UTF-8", "UTF8":
|
||
return otherNameUtf8{oid: pieces[0], value: piecesRest[1]}
|
||
}
|
||
}
|
||
}
|
||
t.Fatalf("error parsing otherName: %q", s)
|
||
return
|
||
}
|
||
oid1 := "1.3.6.1.4.1.311.20.2.3"
|
||
oth1str := oid1 + ";utf8:devops@nope.com"
|
||
oth1 := newOtherNameUtf8(oth1str)
|
||
oth2 := otherNameUtf8{oid1, "me@example.com"}
|
||
// allowNone, allowAll := []string{}, []string{oid1 + ";UTF-8:*"}
|
||
allowNone, allowAll := []string{}, []string{"*"}
|
||
|
||
// OtherSANs not allowed and not provided, should not be an error.
|
||
addOtherSANTests(useCSRs, false, allowNone, false, nil, nil, getOtherCheck())
|
||
|
||
// OtherSANs not allowed, valid OtherSANs provided, should be an error.
|
||
addOtherSANTests(useCSRs, false, allowNone, true, []string{oth1str}, nil, nil)
|
||
|
||
// OtherSANs allowed, bogus OtherSANs provided, should be an error.
|
||
addOtherSANTests(useCSRs, false, allowAll, true, []string{"foobar"}, nil, nil)
|
||
|
||
// Given OtherSANs as API argument and useCSRSANs false, CSR arg ignored.
|
||
addOtherSANTests(useCSRs, false, allowAll, false, []string{oth1str},
|
||
[]otherNameUtf8{oth2}, getOtherCheck(oth1))
|
||
|
||
if useCSRs {
|
||
// OtherSANs not allowed, valid OtherSANs provided via CSR, should be an error.
|
||
addOtherSANTests(useCSRs, true, allowNone, true, nil, []otherNameUtf8{oth1}, nil)
|
||
|
||
// Given OtherSANs as both API and CSR arguments and useCSRSANs=true, API arg ignored.
|
||
addOtherSANTests(useCSRs, false, allowAll, false, []string{oth2.String()},
|
||
[]otherNameUtf8{oth1}, getOtherCheck(oth2))
|
||
}
|
||
}
|
||
|
||
// Lease tests
|
||
{
|
||
roleTestStep.ErrorOk = true
|
||
roleVals.Lease = ""
|
||
roleVals.MaxTTL = 0
|
||
addTests(nil)
|
||
|
||
roleVals.Lease = "12h"
|
||
roleVals.MaxTTL = 6 * time.Hour
|
||
addTests(nil)
|
||
|
||
roleTestStep.ErrorOk = false
|
||
roleVals.TTL = 0
|
||
roleVals.MaxTTL = 12 * time.Hour
|
||
}
|
||
|
||
// Listing test
|
||
ret = append(ret, logicaltest.TestStep{
|
||
Operation: logical.ListOperation,
|
||
Path: "roles/",
|
||
Check: func(resp *logical.Response) error {
|
||
if resp.Data == nil {
|
||
return fmt.Errorf("nil data")
|
||
}
|
||
|
||
keysRaw, ok := resp.Data["keys"]
|
||
if !ok {
|
||
return fmt.Errorf("no keys found")
|
||
}
|
||
|
||
keys, ok := keysRaw.([]string)
|
||
if !ok {
|
||
return fmt.Errorf("could not convert keys to a string list")
|
||
}
|
||
|
||
if len(keys) != 1 {
|
||
return fmt.Errorf("unexpected keys length of %d", len(keys))
|
||
}
|
||
|
||
if keys[0] != "test" {
|
||
return fmt.Errorf("unexpected key value of %s", keys[0])
|
||
}
|
||
|
||
return nil
|
||
},
|
||
})
|
||
|
||
return ret
|
||
}
|
||
|
||
func TestRolesAltIssuer(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
// Create two issuers.
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root a - example.com",
|
||
"issuer_name": "root-a",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootAPem := resp.Data["certificate"].(string)
|
||
rootACert := parseCert(t, rootAPem)
|
||
|
||
resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root b - example.com",
|
||
"issuer_name": "root-b",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootBPem := resp.Data["certificate"].(string)
|
||
rootBCert := parseCert(t, rootBPem)
|
||
|
||
// Create three roles: one with no assignment, one with explicit root-a,
|
||
// one with explicit root-b.
|
||
_, err = CBWrite(b, s, "roles/use-default", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "roles/use-root-a", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
"issuer_ref": "root-a",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "roles/use-root-b", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"issuer_ref": "root-b",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
// Now issue certs against these roles.
|
||
resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem := resp.Data["certificate"].(string)
|
||
leafCert := parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootACert)
|
||
require.NoError(t, err, "should be signed by root-a but wasn't")
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-root-a", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootACert)
|
||
require.NoError(t, err, "should be signed by root-a but wasn't")
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-root-b", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootBCert)
|
||
require.NoError(t, err, "should be signed by root-b but wasn't")
|
||
|
||
// Update the default issuer to be root B and make sure that the
|
||
// use-default role updates.
|
||
_, err = CBWrite(b, s, "config/issuers", map[string]interface{}{
|
||
"default": "root-b",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
resp, err = CBWrite(b, s, "issue/use-default", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "5s",
|
||
})
|
||
require.NoError(t, err)
|
||
leafPem = resp.Data["certificate"].(string)
|
||
leafCert = parseCert(t, leafPem)
|
||
err = leafCert.CheckSignatureFrom(rootBCert)
|
||
require.NoError(t, err, "should be signed by root-b but wasn't")
|
||
}
|
||
|
||
func TestBackend_PathFetchValidRaw(t *testing.T) {
|
||
t.Parallel()
|
||
b, storage := createBackendWithStorage(t)
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "6h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", resp)
|
||
}
|
||
rootCaAsPem := resp.Data["certificate"].(string)
|
||
|
||
// Chain should contain the root.
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: "ca_chain",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed read ca_chain, %#v", resp)
|
||
}
|
||
if strings.Count(string(resp.Data[logical.HTTPRawBody].([]byte)), rootCaAsPem) != 1 {
|
||
t.Fatalf("expected raw chain to contain the root cert")
|
||
}
|
||
|
||
// The ca/pem should return us the actual CA...
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: "ca/pem",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err)
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed read ca/pem, %#v", resp)
|
||
}
|
||
// check the raw cert matches the response body
|
||
if bytes.Compare(resp.Data[logical.HTTPRawBody].([]byte), []byte(rootCaAsPem)) != 0 {
|
||
t.Fatalf("failed to get raw cert")
|
||
}
|
||
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/example",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
"no_store": "false",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err, "error setting up pki role: %v", err)
|
||
|
||
// Now issue a short-lived certificate from our pki-external.
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/example",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate: %v", err)
|
||
require.NotNil(t, resp, "got nil response from issuing request")
|
||
|
||
issueCrtAsPem := resp.Data["certificate"].(string)
|
||
issuedCrt := parseCert(t, issueCrtAsPem)
|
||
expectedSerial := certutil.GetHexFormatted(issuedCrt.SerialNumber.Bytes(), ":")
|
||
expectedCert := []byte(issueCrtAsPem)
|
||
|
||
// get der cert
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: fmt.Sprintf("cert/%s/raw", expectedSerial),
|
||
Storage: storage,
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to get raw cert, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// check the raw cert matches the response body
|
||
rawBody := resp.Data[logical.HTTPRawBody].([]byte)
|
||
bodyAsPem := []byte(strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rawBody}))))
|
||
if bytes.Compare(bodyAsPem, expectedCert) != 0 {
|
||
t.Fatalf("failed to get raw cert for serial number: %s", expectedSerial)
|
||
}
|
||
if resp.Data[logical.HTTPContentType] != "application/pkix-cert" {
|
||
t.Fatalf("failed to get raw cert content-type")
|
||
}
|
||
|
||
// get pem
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ReadOperation,
|
||
Path: fmt.Sprintf("cert/%s/raw/pem", expectedSerial),
|
||
Storage: storage,
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to get raw, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// check the pem cert matches the response body
|
||
if bytes.Compare(resp.Data[logical.HTTPRawBody].([]byte), expectedCert) != 0 {
|
||
t.Fatalf("failed to get pem cert")
|
||
}
|
||
if resp.Data[logical.HTTPContentType] != "application/pem-certificate-chain" {
|
||
t.Fatalf("failed to get raw cert content-type")
|
||
}
|
||
}
|
||
|
||
func TestBackend_PathFetchCertList(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := createBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "6h",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// config urls
|
||
urlsData := map[string]interface{}{
|
||
"issuing_certificates": "http://127.0.0.1:8200/v1/pki/ca",
|
||
"crl_distribution_points": "http://127.0.0.1:8200/v1/pki/crl",
|
||
}
|
||
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "config/urls",
|
||
Storage: storage,
|
||
Data: urlsData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to config urls, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// create a role entry
|
||
roleData := map[string]interface{}{
|
||
"allowed_domains": "test.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "4h",
|
||
}
|
||
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test-example",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// issue some certs
|
||
i := 1
|
||
for i < 10 {
|
||
certData := map[string]interface{}{
|
||
"common_name": "example.test.com",
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "issue/test-example",
|
||
Storage: storage,
|
||
Data: certData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to issue a cert, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
i = i + 1
|
||
}
|
||
|
||
// list certs
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ListOperation,
|
||
Path: "certs",
|
||
Storage: storage,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to list certs, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
// check that the root and 9 additional certs are all listed
|
||
if len(resp.Data["keys"].([]string)) != 10 {
|
||
t.Fatalf("failed to list all 10 certs")
|
||
}
|
||
|
||
// list certs/
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.ListOperation,
|
||
Path: "certs/",
|
||
Storage: storage,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to list certs, %#v", resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
// check that the root and 9 additional certs are all listed
|
||
if len(resp.Data["keys"].([]string)) != 10 {
|
||
t.Fatalf("failed to list all 10 certs")
|
||
}
|
||
}
|
||
|
||
func TestBackend_SignVerbatim(t *testing.T) {
|
||
t.Parallel()
|
||
testCases := []struct {
|
||
testName string
|
||
keyType string
|
||
}{
|
||
{testName: "RSA", keyType: "rsa"},
|
||
{testName: "ED25519", keyType: "ed25519"},
|
||
{testName: "EC", keyType: "ec"},
|
||
{testName: "Any", keyType: "any"},
|
||
}
|
||
for _, tc := range testCases {
|
||
tc := tc
|
||
t.Run(tc.testName, func(t *testing.T) {
|
||
runTestSignVerbatim(t, tc.keyType)
|
||
})
|
||
}
|
||
}
|
||
|
||
func runTestSignVerbatim(t *testing.T, keyType string) {
|
||
// create the backend
|
||
b, storage := createBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// create a CSR and key
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
csrReq := &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
}
|
||
csr, err := x509.CreateCertificateRequest(rand.Reader, csrReq, key)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(csr) == 0 {
|
||
t.Fatal("generated csr is empty")
|
||
}
|
||
pemCSR := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{
|
||
Type: "CERTIFICATE REQUEST",
|
||
Bytes: csr,
|
||
})))
|
||
if len(pemCSR) == 0 {
|
||
t.Fatal("pem csr is empty")
|
||
}
|
||
|
||
signVerbatimData := map[string]interface{}{
|
||
"csr": pemCSR,
|
||
}
|
||
if keyType == "rsa" {
|
||
signVerbatimData["signature_bits"] = 512
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim",
|
||
Storage: storage,
|
||
Data: signVerbatimData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim basic CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret != nil {
|
||
t.Fatal("secret is not nil")
|
||
}
|
||
|
||
// create a role entry; we use this to check that sign-verbatim when used with a role is still honoring TTLs
|
||
roleData := map[string]interface{}{
|
||
"ttl": "4h",
|
||
"max_ttl": "8h",
|
||
"key_type": keyType,
|
||
"not_before_duration": "2h",
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "5h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim ttl'd CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret != nil {
|
||
t.Fatal("got a lease when we should not have")
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "12h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf(resp.Error().Error())
|
||
}
|
||
if resp.Data == nil || resp.Data["certificate"] == nil {
|
||
t.Fatal("did not get expected data")
|
||
}
|
||
certString := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(certString))
|
||
if block == nil {
|
||
t.Fatal("nil pem block")
|
||
}
|
||
certs, err := x509.ParseCertificates(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(certs) != 1 {
|
||
t.Fatalf("expected a single cert, got %d", len(certs))
|
||
}
|
||
cert := certs[0]
|
||
if math.Abs(float64(time.Now().Add(12*time.Hour).Unix()-cert.NotAfter.Unix())) < 10 {
|
||
t.Fatalf("sign-verbatim did not properly cap validity period (notAfter) on signed CSR: was %v vs requested %v but should've been %v", cert.NotAfter, time.Now().Add(12*time.Hour), time.Now().Add(8*time.Hour))
|
||
}
|
||
if math.Abs(float64(time.Now().Add(-2*time.Hour).Unix()-cert.NotBefore.Unix())) > 10 {
|
||
t.Fatalf("sign-verbatim did not properly cap validity period (notBefore) on signed CSR: was %v vs expected %v", cert.NotBefore, time.Now().Add(-2*time.Hour))
|
||
}
|
||
|
||
// Now check signing a certificate using the not_after input using the Y10K value
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"not_after": "9999-12-31T23:59:59Z",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf(resp.Error().Error())
|
||
}
|
||
if resp.Data == nil || resp.Data["certificate"] == nil {
|
||
t.Fatal("did not get expected data")
|
||
}
|
||
certString = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certString))
|
||
if block == nil {
|
||
t.Fatal("nil pem block")
|
||
}
|
||
certs, err = x509.ParseCertificates(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if len(certs) != 1 {
|
||
t.Fatalf("expected a single cert, got %d", len(certs))
|
||
}
|
||
cert = certs[0]
|
||
notAfter := cert.NotAfter.Format(time.RFC3339)
|
||
if notAfter != "9999-12-31T23:59:59Z" {
|
||
t.Fatal(fmt.Errorf("not after from certificate is not matching with input parameter"))
|
||
}
|
||
|
||
// now check that if we set generate-lease it takes it from the role and the TTLs match
|
||
roleData = map[string]interface{}{
|
||
"ttl": "4h",
|
||
"max_ttl": "8h",
|
||
"generate_lease": true,
|
||
"key_type": keyType,
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "roles/test",
|
||
Storage: storage,
|
||
Data: roleData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to create a role, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "sign-verbatim/test",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"csr": pemCSR,
|
||
"ttl": "5h",
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to sign-verbatim role-leased CSR: %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp.Secret == nil {
|
||
t.Fatalf("secret is nil, response is %#v", *resp)
|
||
}
|
||
if math.Abs(float64(resp.Secret.TTL-(5*time.Hour))) > float64(5*time.Hour) {
|
||
t.Fatalf("ttl not default; wanted %v, got %v", b.System().DefaultLeaseTTL(), resp.Secret.TTL)
|
||
}
|
||
}
|
||
|
||
func TestBackend_Root_Idempotency(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
// This is a change within 1.11, we are no longer idempotent across generate/internal calls.
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
keyId1 := resp.Data["key_id"]
|
||
issuerId1 := resp.Data["issuer_id"]
|
||
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err, "error reading ca_chain: %v", err)
|
||
|
||
r1Data := resp.Data
|
||
|
||
// Calling generate/internal should generate a new CA as well.
|
||
resp, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
keyId2 := resp.Data["key_id"]
|
||
issuerId2 := resp.Data["issuer_id"]
|
||
|
||
// Make sure that we actually generated different issuer and key values
|
||
require.NotEqual(t, keyId1, keyId2)
|
||
require.NotEqual(t, issuerId1, issuerId2)
|
||
|
||
// Now because the issued CA's have no links, the call to ca_chain should return the same data (ca chain from default)
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err, "error reading ca_chain: %v", err)
|
||
|
||
r2Data := resp.Data
|
||
if !reflect.DeepEqual(r1Data, r2Data) {
|
||
t.Fatal("got different ca certs")
|
||
}
|
||
|
||
// Now let's validate that the import bundle is idempotent.
|
||
pemBundleRootCA := rootCACertPEM + "\n" + rootCAKeyPEM
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
firstImportedKeys := resp.Data["imported_keys"].([]string)
|
||
firstImportedIssuers := resp.Data["imported_issuers"].([]string)
|
||
|
||
require.NotContains(t, firstImportedKeys, keyId1)
|
||
require.NotContains(t, firstImportedKeys, keyId2)
|
||
require.NotContains(t, firstImportedIssuers, issuerId1)
|
||
require.NotContains(t, firstImportedIssuers, issuerId2)
|
||
|
||
// Performing this again should result in no key/issuer ids being imported/generated.
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
secondImportedKeys := resp.Data["imported_keys"]
|
||
secondImportedIssuers := resp.Data["imported_issuers"]
|
||
|
||
require.Nil(t, secondImportedKeys)
|
||
require.Nil(t, secondImportedIssuers)
|
||
|
||
resp, err = CBDelete(b, s, "root")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.Equal(t, 1, len(resp.Warnings))
|
||
|
||
// Make sure we can delete twice...
|
||
resp, err = CBDelete(b, s, "root")
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
require.Equal(t, 1, len(resp.Warnings))
|
||
|
||
_, err = CBRead(b, s, "cert/ca_chain")
|
||
require.Error(t, err, "expected an error fetching deleted ca_chain")
|
||
|
||
// We should be able to import the same ca bundle as before and get a different key/issuer ids
|
||
resp, err = CBWrite(b, s, "config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp, "expected ca info")
|
||
postDeleteImportedKeys := resp.Data["imported_keys"]
|
||
postDeleteImportedIssuers := resp.Data["imported_issuers"]
|
||
|
||
// Make sure that we actually generated different issuer and key values, then the previous import
|
||
require.NotNil(t, postDeleteImportedKeys)
|
||
require.NotNil(t, postDeleteImportedIssuers)
|
||
require.NotEqual(t, postDeleteImportedKeys, firstImportedKeys)
|
||
require.NotEqual(t, postDeleteImportedIssuers, firstImportedIssuers)
|
||
|
||
resp, err = CBRead(b, s, "cert/ca_chain")
|
||
require.NoError(t, err)
|
||
|
||
caChainPostDelete := resp.Data
|
||
if reflect.DeepEqual(r1Data, caChainPostDelete) {
|
||
t.Fatal("ca certs from ca_chain were the same post delete, should have changed.")
|
||
}
|
||
}
|
||
|
||
func TestBackend_SignIntermediate_AllowedPastCA(t *testing.T) {
|
||
t.Parallel()
|
||
b_root, s_root := createBackendWithStorage(t)
|
||
b_int, s_int := createBackendWithStorage(t)
|
||
var err error
|
||
|
||
// Direct issuing from root
|
||
_, err = CBWrite(b_root, s_root, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b_root, s_root, "roles/test", map[string]interface{}{
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err := CBWrite(b_int, s_int, "intermediate/generate/internal", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
csr := resp.Data["csr"]
|
||
|
||
_, err = CBWrite(b_root, s_root, "sign/test", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
_, err = CBWrite(b_root, s_root, "sign-verbatim/test", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
||
"common_name": "myint.com",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:caadmin@example.com",
|
||
"csr": csr,
|
||
"ttl": "60h",
|
||
})
|
||
if err != nil {
|
||
t.Fatalf("got error: %v", err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if len(resp.Warnings) == 0 {
|
||
t.Fatalf("expected warnings, got %#v", *resp)
|
||
}
|
||
}
|
||
|
||
func TestBackend_ConsulSignLeafWithLegacyRole(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
// generate root
|
||
data, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
require.NoError(t, err, "failed generating internal root cert")
|
||
rootCaPem := data.Data["certificate"].(string)
|
||
|
||
// Create a signing role like Consul did with the default args prior to Vault 1.10
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"allowed_serial_numbers": []string{"MySerialNumber"},
|
||
"key_type": "any",
|
||
"key_bits": "2048",
|
||
"signature_bits": "256",
|
||
})
|
||
require.NoError(t, err, "failed creating legacy role")
|
||
|
||
_, csrPem := generateTestCsr(t, certutil.ECPrivateKey, 256)
|
||
data, err = CBWrite(b, s, "sign/test", map[string]interface{}{
|
||
"csr": csrPem,
|
||
})
|
||
require.NoError(t, err, "failed signing csr")
|
||
certAsPem := data.Data["certificate"].(string)
|
||
|
||
signedCert := parseCert(t, certAsPem)
|
||
rootCert := parseCert(t, rootCaPem)
|
||
requireSignedBy(t, signedCert, rootCert.PublicKey)
|
||
}
|
||
|
||
func TestBackend_SignSelfIssued(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := createBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "172800",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
template := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
SerialNumber: big.NewInt(1234),
|
||
IsCA: false,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
|
||
ss, _ := getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if !resp.IsError() {
|
||
t.Fatalf("expected error due to non-CA; got: %#v", *resp)
|
||
}
|
||
|
||
// Set CA to true, but leave issuer alone
|
||
template.IsCA = true
|
||
|
||
issuer := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "bar.foo.com",
|
||
},
|
||
SerialNumber: big.NewInt(2345),
|
||
IsCA: true,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
ss, ssCert := getSelfSigned(t, template, issuer, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if !resp.IsError() {
|
||
t.Fatalf("expected error due to different issuer; cert info is\nIssuer\n%#v\nSubject\n%#v\n", ssCert.Issuer, ssCert.Subject)
|
||
}
|
||
|
||
ss, ssCert = getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
if resp.IsError() {
|
||
t.Fatalf("error in response: %s", resp.Error().Error())
|
||
}
|
||
|
||
newCertString := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(newCertString))
|
||
newCert, err := x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
sc := b.makeStorageContext(context.Background(), storage)
|
||
signingBundle, err := sc.fetchCAInfo(defaultRef, ReadOnlyUsage)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if reflect.DeepEqual(newCert.Subject, newCert.Issuer) {
|
||
t.Fatal("expected different subject/issuer")
|
||
}
|
||
if !reflect.DeepEqual(newCert.Issuer, signingBundle.Certificate.Subject) {
|
||
t.Fatalf("expected matching issuer/CA subject\n\nIssuer:\n%#v\nSubject:\n%#v\n", newCert.Issuer, signingBundle.Certificate.Subject)
|
||
}
|
||
if bytes.Equal(newCert.AuthorityKeyId, newCert.SubjectKeyId) {
|
||
t.Fatal("expected different authority/subject")
|
||
}
|
||
if !bytes.Equal(newCert.AuthorityKeyId, signingBundle.Certificate.SubjectKeyId) {
|
||
t.Fatal("expected authority on new cert to be same as signing subject")
|
||
}
|
||
if newCert.Subject.CommonName != "foo.bar.com" {
|
||
t.Fatalf("unexpected common name on new cert: %s", newCert.Subject.CommonName)
|
||
}
|
||
}
|
||
|
||
// TestBackend_SignSelfIssued_DifferentTypes tests the functionality of the
|
||
// require_matching_certificate_algorithms flag.
|
||
func TestBackend_SignSelfIssued_DifferentTypes(t *testing.T) {
|
||
t.Parallel()
|
||
// create the backend
|
||
b, storage := createBackendWithStorage(t)
|
||
|
||
// generate root
|
||
rootData := map[string]interface{}{
|
||
"common_name": "test.com",
|
||
"ttl": "172800",
|
||
"key_type": "ec",
|
||
"key_bits": "521",
|
||
}
|
||
|
||
resp, err := b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/generate/internal",
|
||
Storage: storage,
|
||
Data: rootData,
|
||
MountPoint: "pki/",
|
||
})
|
||
if resp != nil && resp.IsError() {
|
||
t.Fatalf("failed to generate root, %#v", *resp)
|
||
}
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
key, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
template := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "foo.bar.com",
|
||
},
|
||
SerialNumber: big.NewInt(1234),
|
||
IsCA: true,
|
||
BasicConstraintsValid: true,
|
||
}
|
||
|
||
// Tests absent the flag
|
||
ss, _ := getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
|
||
// Set CA to true, but leave issuer alone
|
||
template.IsCA = true
|
||
|
||
// Tests with flag present but false
|
||
ss, _ = getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
"require_matching_certificate_algorithms": false,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("got nil response")
|
||
}
|
||
|
||
// Test with flag present and true
|
||
ss, _ = getSelfSigned(t, template, template, key)
|
||
resp, err = b.HandleRequest(context.Background(), &logical.Request{
|
||
Operation: logical.UpdateOperation,
|
||
Path: "root/sign-self-issued",
|
||
Storage: storage,
|
||
Data: map[string]interface{}{
|
||
"certificate": ss,
|
||
"require_matching_certificate_algorithms": true,
|
||
},
|
||
MountPoint: "pki/",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error due to mismatched algorithms")
|
||
}
|
||
}
|
||
|
||
// This is a really tricky test because the Go stdlib asn1 package is incapable
|
||
// of doing the right thing with custom OID SANs (see comments in the package,
|
||
// it's readily admitted that it's too magic) but that means that any
|
||
// validation logic written for this test isn't being independently verified,
|
||
// as in, if cryptobytes is used to decode it to make the test work, that
|
||
// doesn't mean we're encoding and decoding correctly, only that we made the
|
||
// test pass. Instead, when run verbosely it will first perform a bunch of
|
||
// checks to verify that the OID SAN logic doesn't screw up other SANs, then
|
||
// will spit out the PEM. This can be validated independently.
|
||
//
|
||
// You want the hex dump of the octet string corresponding to the X509v3
|
||
// Subject Alternative Name. There's a nice online utility at
|
||
// https://lapo.it/asn1js that can be used to view the structure of an
|
||
// openssl-generated other SAN at
|
||
// https://lapo.it/asn1js/#3022A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374
|
||
// (openssl asn1parse can also be used with -strparse using an offset of the
|
||
// hex blob for the subject alternative names extension).
|
||
//
|
||
// The structure output from here should match that precisely (even if the OID
|
||
// itself doesn't) in the second test.
|
||
//
|
||
// The test that encodes two should have them be in separate elements in the
|
||
// top-level sequence; see
|
||
// https://lapo.it/asn1js/#3046A020060A2B060104018237140203A0120C106465766F7073406C6F63616C686F7374A022060A2B060104018237140204A0140C12322D6465766F7073406C6F63616C686F7374 for an openssl-generated example.
|
||
//
|
||
// The good news is that it's valid to simply copy and paste the PEM output from
|
||
// here into the form at that site as it will do the right thing so it's pretty
|
||
// easy to validate.
|
||
func TestBackend_OID_SANs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
var err error
|
||
var resp *logical.Response
|
||
var certStr string
|
||
var block *pem.Block
|
||
var cert *x509.Certificate
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{"foobar.com", "zipzap.com"},
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"allow_ip_sans": true,
|
||
"allowed_other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devops@*,1.3.6.1.4.1.311.20.2.4;utf8:d*e@foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Get a baseline before adding OID SANs. In the next sections we'll verify
|
||
// that the SANs are all added even as the OID SAN inclusion forces other
|
||
// adding logic (custom rather than built-in Golang logic)
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foobar.com,foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
|
||
// First test some bad stuff that shouldn't work
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid value for the first possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;UTF8:devop@nope.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid OID for the first possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:devops@nope.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid name for the second possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d34g@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid OID for the second possibility
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF8:d34e@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
// Not a valid type
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.5;UTF2:d34e@foobar.com",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Valid for first possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.3;utf8:devops@nope.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 1 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for second possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": "1.3.6.1.4.1.311.20.2.4;UTF8:d234e@foobar.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 2 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for both
|
||
oid1, type1, val1 := "1.3.6.1.4.1.311.20.2.3", "utf8", "devops@nope.com"
|
||
oid2, type2, val2 := "1.3.6.1.4.1.311.20.2.4", "utf-8", "d234e@foobar.com"
|
||
otherNames := []string{
|
||
fmt.Sprintf("%s;%s:%s", oid1, type1, val1),
|
||
fmt.Sprintf("%s;%s:%s", oid2, type2, val2),
|
||
}
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"other_sans": strings.Join(otherNames, ","),
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.IPAddresses[0].String() != "1.2.3.4" {
|
||
t.Fatalf("unexpected IP SAN %q", cert.IPAddresses[0].String())
|
||
}
|
||
if len(cert.DNSNames) != 3 ||
|
||
cert.DNSNames[0] != "bar.foobar.com" ||
|
||
cert.DNSNames[1] != "foo.foobar.com" ||
|
||
cert.DNSNames[2] != "foobar.com" {
|
||
t.Fatalf("unexpected DNS SANs %v", cert.DNSNames)
|
||
}
|
||
expectedOtherNames := []otherNameUtf8{{oid1, val1}, {oid2, val2}}
|
||
foundOtherNames, err := getOtherSANsFromX509Extensions(cert.Extensions)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if diff := deep.Equal(expectedOtherNames, foundOtherNames); len(diff) != 0 {
|
||
t.Errorf("unexpected otherNames: %v", diff)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 3 to check:\n%s", certStr)
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedSerialNumbers(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
var err error
|
||
var resp *logical.Response
|
||
var certStr string
|
||
var block *pem.Block
|
||
var cert *x509.Certificate
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// First test that Serial Numbers are not allowed
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
"serial_number": "foobar",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Update the role to allow serial numbers
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"allowed_serial_numbers": "f00*,b4r*",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"ttl": "1h",
|
||
// Not a valid serial number
|
||
"serial_number": "foobar",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Valid for first possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"serial_number": "f00bar",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.Subject.SerialNumber != "f00bar" {
|
||
t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 1 to check:\n%s", certStr)
|
||
}
|
||
|
||
// Valid for second possibility
|
||
resp, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar",
|
||
"serial_number": "b4rf00",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
certStr = resp.Data["certificate"].(string)
|
||
block, _ = pem.Decode([]byte(certStr))
|
||
cert, err = x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if cert.Subject.SerialNumber != "b4rf00" {
|
||
t.Fatalf("unexpected Subject SerialNumber %s", cert.Subject.SerialNumber)
|
||
}
|
||
if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
|
||
t.Logf("certificate 2 to check:\n%s", certStr)
|
||
}
|
||
}
|
||
|
||
func TestBackend_URI_SANs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
_, err = CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
_, err = CBWrite(b, s, "roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{"foobar.com", "zipzap.com"},
|
||
"allow_bare_domains": true,
|
||
"allow_subdomains": true,
|
||
"allow_ip_sans": true,
|
||
"allowed_uri_sans": []string{"http://someuri/abc", "spiffe://host.com/*"},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// First test some bad stuff that shouldn't work
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "http://www.mydomain.com/zxf",
|
||
})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Test valid single entry
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "http://someuri/abc",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Test globed entry
|
||
_, err = CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "spiffe://host.com/something",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Test multiple entries
|
||
resp, err := CBWrite(b, s, "issue/test", map[string]interface{}{
|
||
"common_name": "foobar.com",
|
||
"ip_sans": "1.2.3.4",
|
||
"alt_names": "foo.foobar.com,bar.foobar.com",
|
||
"ttl": "1h",
|
||
"uri_sans": "spiffe://host.com/something,http://someuri/abc",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
certStr := resp.Data["certificate"].(string)
|
||
block, _ := pem.Decode([]byte(certStr))
|
||
cert, err := x509.ParseCertificate(block.Bytes)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
URI0, _ := url.Parse("spiffe://host.com/something")
|
||
URI1, _ := url.Parse("http://someuri/abc")
|
||
|
||
if len(cert.URIs) != 2 {
|
||
t.Fatalf("expected 2 valid URIs SANs %v", cert.URIs)
|
||
}
|
||
|
||
if cert.URIs[0].String() != URI0.String() || cert.URIs[1].String() != URI1.String() {
|
||
t.Fatalf(
|
||
"expected URIs SANs %v to equal provided values spiffe://host.com/something, http://someuri/abc",
|
||
cert.URIs)
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedURISANsTemplate(t *testing.T) {
|
||
t.Parallel()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Write test policy for userpass auth method.
|
||
err := client.Sys().PutPolicy("test", `
|
||
path "pki/*" {
|
||
capabilities = ["update"]
|
||
}`)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Enable userpass auth method.
|
||
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Configure test role for userpass.
|
||
if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
"policies": "test",
|
||
}); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Login userpass for test role and keep client token.
|
||
secret, err := client.Logical().Write("auth/userpass/login/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
})
|
||
if err != nil || secret == nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassToken := secret.Auth.ClientToken
|
||
|
||
// Get auth accessor for identity template.
|
||
auths, err := client.Sys().ListAuth()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassAccessor := auths["userpass/"].Accessor
|
||
|
||
// Mount PKI.
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Generate internal CA.
|
||
_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_uri_sans": []string{
|
||
"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}",
|
||
"spiffe://domain/{{identity.entity.aliases." + userpassAccessor + ".name}}/*", "spiffe://domain/foo",
|
||
},
|
||
"allowed_uri_sans_template": true,
|
||
"require_cn": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with identity templating
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname, spiffe://domain/foo"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with identity templating and glob
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/userpassname/bar"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with non-matching identity template parameter
|
||
client.SetToken(userpassToken)
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/unknownuser"})
|
||
if err == nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Set allowed_uri_sans_template to false.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_uri_sans_template": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"uri_sans": "spiffe://domain/users/userpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
}
|
||
|
||
func TestBackend_AllowedDomainsTemplate(t *testing.T) {
|
||
t.Parallel()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Write test policy for userpass auth method.
|
||
err := client.Sys().PutPolicy("test", `
|
||
path "pki/*" {
|
||
capabilities = ["update"]
|
||
}`)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Enable userpass auth method.
|
||
if err := client.Sys().EnableAuth("userpass", "userpass", ""); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Configure test role for userpass.
|
||
if _, err := client.Logical().Write("auth/userpass/users/userpassname", map[string]interface{}{
|
||
"password": "test",
|
||
"policies": "test",
|
||
}); err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Login userpass for test role and set client token
|
||
userpassAuth, err := auth.NewUserpassAuth("userpassname", &auth.Password{FromString: "test"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Get auth accessor for identity template.
|
||
auths, err := client.Sys().ListAuth()
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
userpassAccessor := auths["userpass/"].Accessor
|
||
|
||
// Mount PKI.
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Generate internal CA.
|
||
_, err = client.Logical().Write("pki/root/generate/internal", map[string]interface{}{
|
||
"ttl": "40h",
|
||
"common_name": "myvault.com",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_domains": []string{
|
||
"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
|
||
"foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com",
|
||
},
|
||
"allowed_domains_template": true,
|
||
"allow_bare_domains": true,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
secret, err := client.Auth().Login(context.TODO(), userpassAuth)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if err != nil || secret == nil {
|
||
t.Fatal(err)
|
||
}
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate for foobar.com to verify allowed_domain_templae doesnt break plain domains.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foobar.com"})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate for unknown userpassname.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "unknownuserpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Issue certificate for foo.userpassname.domain.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
|
||
if err != nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
|
||
// Set allowed_domains_template to false.
|
||
_, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
|
||
"allowed_domains_template": false,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Issue certificate with userpassToken.
|
||
_, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "userpassname"})
|
||
if err == nil {
|
||
t.Fatal("expected error")
|
||
}
|
||
}
|
||
|
||
func TestReadWriteDeleteRoles(t *testing.T) {
|
||
t.Parallel()
|
||
ctx := context.Background()
|
||
coreConfig := &vault.CoreConfig{
|
||
CredentialBackends: map[string]logical.Factory{
|
||
"userpass": userpass.Factory,
|
||
},
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
client := cluster.Cores[0].Client
|
||
|
||
// Mount PKI.
|
||
err := client.Sys().MountWithContext(ctx, "pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "60h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err := client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp != nil {
|
||
t.Fatalf("response should have been emtpy but was:\n%#v", resp)
|
||
}
|
||
|
||
// Write role PKI.
|
||
_, err = client.Logical().WriteWithContext(ctx, "pki/roles/test", map[string]interface{}{})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Read the role.
|
||
resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp.Data == nil {
|
||
t.Fatal("default data within response was nil when it should have contained data")
|
||
}
|
||
|
||
// Validate that we have not changed any defaults unknowingly
|
||
expectedData := map[string]interface{}{
|
||
"key_type": "rsa",
|
||
"use_csr_sans": true,
|
||
"client_flag": true,
|
||
"allowed_serial_numbers": []interface{}{},
|
||
"generate_lease": false,
|
||
"signature_bits": json.Number("256"),
|
||
"use_pss": false,
|
||
"allowed_domains": []interface{}{},
|
||
"allowed_uri_sans_template": false,
|
||
"enforce_hostnames": true,
|
||
"policy_identifiers": []interface{}{},
|
||
"require_cn": true,
|
||
"allowed_domains_template": false,
|
||
"allow_token_displayname": false,
|
||
"country": []interface{}{},
|
||
"not_after": "",
|
||
"postal_code": []interface{}{},
|
||
"use_csr_common_name": true,
|
||
"allow_localhost": true,
|
||
"allow_subdomains": false,
|
||
"allow_wildcard_certificates": true,
|
||
"allowed_other_sans": []interface{}{},
|
||
"allowed_uri_sans": []interface{}{},
|
||
"basic_constraints_valid_for_non_ca": false,
|
||
"key_usage": []interface{}{"DigitalSignature", "KeyAgreement", "KeyEncipherment"},
|
||
"not_before_duration": json.Number("30"),
|
||
"allow_glob_domains": false,
|
||
"ttl": json.Number("0"),
|
||
"ou": []interface{}{},
|
||
"email_protection_flag": false,
|
||
"locality": []interface{}{},
|
||
"server_flag": true,
|
||
"allow_bare_domains": false,
|
||
"allow_ip_sans": true,
|
||
"ext_key_usage_oids": []interface{}{},
|
||
"allow_any_name": false,
|
||
"ext_key_usage": []interface{}{},
|
||
"key_bits": json.Number("2048"),
|
||
"max_ttl": json.Number("0"),
|
||
"no_store": false,
|
||
"organization": []interface{}{},
|
||
"province": []interface{}{},
|
||
"street_address": []interface{}{},
|
||
"code_signing_flag": false,
|
||
"issuer_ref": "default",
|
||
"cn_validations": []interface{}{"email", "hostname"},
|
||
}
|
||
|
||
if diff := deep.Equal(expectedData, resp.Data); len(diff) > 0 {
|
||
t.Fatalf("pki role default values have changed, diff: %v", diff)
|
||
}
|
||
|
||
_, err = client.Logical().DeleteWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = client.Logical().ReadWithContext(ctx, "pki/roles/test")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
if resp != nil {
|
||
t.Fatalf("response should have been empty but was:\n%#v", resp)
|
||
}
|
||
}
|
||
|
||
func setCerts() {
|
||
cak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey, err := x509.MarshalECPrivateKey(cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
keyPEMBlock := &pem.Block{
|
||
Type: "EC PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
ecCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
subjKeyID, err := certutil.GetSubjKeyID(cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertTemplate := &x509.Certificate{
|
||
Subject: pkix.Name{
|
||
CommonName: "root.localhost",
|
||
},
|
||
SubjectKeyId: subjKeyID,
|
||
DNSNames: []string{"root.localhost"},
|
||
KeyUsage: x509.KeyUsage(x509.KeyUsageCertSign | x509.KeyUsageCRLSign),
|
||
SerialNumber: big.NewInt(mathrand.Int63()),
|
||
NotAfter: time.Now().Add(262980 * time.Hour),
|
||
BasicConstraintsValid: true,
|
||
IsCA: true,
|
||
}
|
||
caBytes, err := x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, cak.Public(), cak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock := &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
ecCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
|
||
rak, err := rsa.GenerateKey(rand.Reader, 2048)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey = x509.MarshalPKCS1PrivateKey(rak)
|
||
keyPEMBlock = &pem.Block{
|
||
Type: "RSA PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
rsaCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
subjKeyID, err = certutil.GetSubjKeyID(rak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, rak.Public(), rak)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock = &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
rsaCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
|
||
_, edk, err := ed25519.GenerateKey(rand.Reader)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
marshaledKey, err = x509.MarshalPKCS8PrivateKey(edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
keyPEMBlock = &pem.Block{
|
||
Type: "PRIVATE KEY",
|
||
Bytes: marshaledKey,
|
||
}
|
||
edCAKey = strings.TrimSpace(string(pem.EncodeToMemory(keyPEMBlock)))
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
subjKeyID, err = certutil.GetSubjKeyID(edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caBytes, err = x509.CreateCertificate(rand.Reader, caCertTemplate, caCertTemplate, edk.Public(), edk)
|
||
if err != nil {
|
||
panic(err)
|
||
}
|
||
caCertPEMBlock = &pem.Block{
|
||
Type: "CERTIFICATE",
|
||
Bytes: caBytes,
|
||
}
|
||
edCACert = strings.TrimSpace(string(pem.EncodeToMemory(caCertPEMBlock)))
|
||
}
|
||
|
||
func TestBackend_RevokePlusTidy_Intermediate(t *testing.T) {
|
||
// Use a ridiculously long time to minimize the chance
|
||
// that we have to deal with more than one interval.
|
||
// InMemSink rounds down to an interval boundary rather than
|
||
// starting one at the time of initialization.
|
||
//
|
||
// This test is not parallelizable.
|
||
inmemSink := metrics.NewInmemSink(
|
||
1000000*time.Hour,
|
||
2000000*time.Hour)
|
||
|
||
metricsConf := metrics.DefaultConfig("")
|
||
metricsConf.EnableHostname = false
|
||
metricsConf.EnableHostnameLabel = false
|
||
metricsConf.EnableServiceLabel = false
|
||
metricsConf.EnableTypePrefix = false
|
||
|
||
metrics.NewGlobal(metricsConf, inmemSink)
|
||
|
||
// Enable PKI secret engine
|
||
coreConfig := &vault.CoreConfig{
|
||
LogicalBackends: map[string]logical.Factory{
|
||
"pki": Factory,
|
||
},
|
||
}
|
||
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
||
HandlerFunc: vaulthttp.Handler,
|
||
})
|
||
cluster.Start()
|
||
defer cluster.Cleanup()
|
||
cores := cluster.Cores
|
||
vault.TestWaitActive(t, cores[0].Core)
|
||
client := cores[0].Client
|
||
|
||
var err error
|
||
|
||
// Mount /pki as a root CA
|
||
err = client.Sys().Mount("pki", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "32h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Set the cluster's certificate as the root CA in /pki
|
||
pemBundleRootCA := string(cluster.CACertPEM) + string(cluster.CAKeyPEM)
|
||
_, err = client.Logical().Write("pki/config/ca", map[string]interface{}{
|
||
"pem_bundle": pemBundleRootCA,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Mount /pki2 to operate as an intermediate CA
|
||
err = client.Sys().Mount("pki2", &api.MountInput{
|
||
Type: "pki",
|
||
Config: api.MountConfigInput{
|
||
DefaultLeaseTTL: "16h",
|
||
MaxLeaseTTL: "32h",
|
||
},
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Create a CSR for the intermediate CA
|
||
secret, err := client.Logical().Write("pki2/intermediate/generate/internal", nil)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
intermediateCSR := secret.Data["csr"].(string)
|
||
|
||
// Sign the intermediate CSR using /pki
|
||
secret, err = client.Logical().Write("pki/root/sign-intermediate", map[string]interface{}{
|
||
"permitted_dns_domains": ".myvault.com",
|
||
"csr": intermediateCSR,
|
||
"ttl": "10s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
intermediateCertSerial := secret.Data["serial_number"].(string)
|
||
intermediateCASerialColon := strings.ReplaceAll(strings.ToLower(intermediateCertSerial), ":", "-")
|
||
|
||
// Get the intermediate cert after signing
|
||
secret, err = client.Logical().Read("pki/cert/" + intermediateCASerialColon)
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if secret == nil || len(secret.Data) == 0 || len(secret.Data["certificate"].(string)) == 0 {
|
||
t.Fatal("expected certificate information from read operation")
|
||
}
|
||
|
||
// Issue a revoke on on /pki
|
||
_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
|
||
"serial_number": intermediateCertSerial,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Revoke adds a fixed 2s buffer, so we sleep for a bit longer to ensure
|
||
// the revocation time is past the current time.
|
||
time.Sleep(3 * time.Second)
|
||
|
||
// Issue a tidy on /pki
|
||
_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"safety_buffer": "1s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Sleep a bit to make sure we're past the safety buffer
|
||
time.Sleep(2 * time.Second)
|
||
|
||
// Get CRL and ensure the tidied cert is still in the list after the tidy
|
||
// operation since it's not past the NotAfter (ttl) value yet.
|
||
crl := getParsedCrl(t, client, "pki")
|
||
|
||
revokedCerts := crl.TBSCertList.RevokedCertificates
|
||
if len(revokedCerts) == 0 {
|
||
t.Fatal("expected CRL to be non-empty")
|
||
}
|
||
|
||
sn := certutil.GetHexFormatted(revokedCerts[0].SerialNumber.Bytes(), ":")
|
||
if sn != intermediateCertSerial {
|
||
t.Fatalf("expected: %v, got: %v", intermediateCertSerial, sn)
|
||
}
|
||
|
||
// Wait for cert to expire
|
||
time.Sleep(10 * time.Second)
|
||
|
||
// Issue a tidy on /pki
|
||
_, err = client.Logical().Write("pki/tidy", map[string]interface{}{
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"safety_buffer": "1s",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Sleep a bit to make sure we're past the safety buffer
|
||
time.Sleep(2 * time.Second)
|
||
|
||
// Issue a tidy-status on /pki
|
||
{
|
||
tidyStatus, err := client.Logical().Read("pki/tidy-status")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
expectedData := map[string]interface{}{
|
||
"safety_buffer": json.Number("1"),
|
||
"tidy_cert_store": true,
|
||
"tidy_revoked_certs": true,
|
||
"state": "Finished",
|
||
"error": nil,
|
||
"time_started": nil,
|
||
"time_finished": nil,
|
||
"message": nil,
|
||
"cert_store_deleted_count": json.Number("1"),
|
||
"revoked_cert_deleted_count": json.Number("1"),
|
||
}
|
||
// Let's copy the times from the response so that we can use deep.Equal()
|
||
timeStarted, ok := tidyStatus.Data["time_started"]
|
||
if !ok || timeStarted == "" {
|
||
t.Fatal("Expected tidy status response to include a value for time_started")
|
||
}
|
||
expectedData["time_started"] = timeStarted
|
||
timeFinished, ok := tidyStatus.Data["time_finished"]
|
||
if !ok || timeFinished == "" {
|
||
t.Fatal("Expected tidy status response to include a value for time_finished")
|
||
}
|
||
expectedData["time_finished"] = timeFinished
|
||
|
||
if diff := deep.Equal(expectedData, tidyStatus.Data); diff != nil {
|
||
t.Fatal(diff)
|
||
}
|
||
}
|
||
// Check the tidy metrics
|
||
{
|
||
// Map of gagues to expected value
|
||
expectedGauges := map[string]float32{
|
||
"secrets.pki.tidy.cert_store_current_entry": 0,
|
||
"secrets.pki.tidy.cert_store_total_entries": 1,
|
||
"secrets.pki.tidy.revoked_cert_current_entry": 0,
|
||
"secrets.pki.tidy.revoked_cert_total_entries": 1,
|
||
"secrets.pki.tidy.start_time_epoch": 0,
|
||
}
|
||
// Map of counters to the sum of the metrics for that counter
|
||
expectedCounters := map[string]float64{
|
||
"secrets.pki.tidy.cert_store_deleted_count": 1,
|
||
"secrets.pki.tidy.revoked_cert_deleted_count": 1,
|
||
"secrets.pki.tidy.success": 2,
|
||
// Note that "secrets.pki.tidy.failure" won't be in the captured metrics
|
||
}
|
||
|
||
// If the metrics span mnore than one interval, skip the checks
|
||
intervals := inmemSink.Data()
|
||
if len(intervals) == 1 {
|
||
interval := inmemSink.Data()[0]
|
||
|
||
for gauge, value := range expectedGauges {
|
||
if _, ok := interval.Gauges[gauge]; !ok {
|
||
t.Fatalf("Expected metrics to include a value for gauge %s", gauge)
|
||
}
|
||
if value != interval.Gauges[gauge].Value {
|
||
t.Fatalf("Expected value metric %s to be %f but got %f", gauge, value, interval.Gauges[gauge].Value)
|
||
}
|
||
|
||
}
|
||
for counter, value := range expectedCounters {
|
||
if _, ok := interval.Counters[counter]; !ok {
|
||
t.Fatalf("Expected metrics to include a value for couter %s", counter)
|
||
}
|
||
if value != interval.Counters[counter].Sum {
|
||
t.Fatalf("Expected the sum of metric %s to be %f but got %f", counter, value, interval.Counters[counter].Sum)
|
||
}
|
||
}
|
||
|
||
tidyDuration, ok := interval.Samples["secrets.pki.tidy.duration"]
|
||
if !ok {
|
||
t.Fatal("Expected metrics to include a value for sample secrets.pki.tidy.duration")
|
||
}
|
||
if tidyDuration.Count <= 0 {
|
||
t.Fatalf("Expected metrics to have count > 0 for sample secrets.pki.tidy.duration, but got %d", tidyDuration.Count)
|
||
}
|
||
}
|
||
}
|
||
|
||
crl = getParsedCrl(t, client, "pki")
|
||
|
||
revokedCerts = crl.TBSCertList.RevokedCertificates
|
||
if len(revokedCerts) != 0 {
|
||
t.Fatal("expected CRL to be empty")
|
||
}
|
||
}
|
||
|
||
func TestBackend_Root_FullCAChain(t *testing.T) {
|
||
t.Parallel()
|
||
testCases := []struct {
|
||
testName string
|
||
keyType string
|
||
}{
|
||
{testName: "RSA", keyType: "rsa"},
|
||
{testName: "ED25519", keyType: "ed25519"},
|
||
{testName: "EC", keyType: "ec"},
|
||
}
|
||
for _, tc := range testCases {
|
||
tc := tc
|
||
t.Run(tc.testName, func(t *testing.T) {
|
||
runFullCAChainTest(t, tc.keyType)
|
||
})
|
||
}
|
||
}
|
||
|
||
func runFullCAChainTest(t *testing.T, keyType string) {
|
||
// Generate a root CA at /pki-root
|
||
b_root, s_root := createBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
resp, err := CBWrite(b_root, s_root, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": keyType,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
rootData := resp.Data
|
||
rootCert := rootData["certificate"].(string)
|
||
|
||
// Validate that root's /cert/ca-chain now contains the certificate.
|
||
resp, err = CBRead(b_root, s_root, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
fullChain := resp.Data["ca_chain"].(string)
|
||
requireCertInCaChainString(t, fullChain, rootCert, "expected root cert within root cert/ca_chain")
|
||
|
||
// Make sure when we issue a leaf certificate we get the full chain back.
|
||
resp, err = CBWrite(b_root, s_root, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki root role: %v", err)
|
||
|
||
resp, err = CBWrite(b_root, s_root, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate from pki root: %v", err)
|
||
fullChainArray := resp.Data["ca_chain"].([]string)
|
||
requireCertInCaChainArray(t, fullChainArray, rootCert, "expected root cert within root issuance pki-root/issue/example")
|
||
|
||
// Now generate an intermediate at /pki-intermediate, signed by the root.
|
||
b_int, s_int := createBackendWithStorage(t)
|
||
|
||
resp, err = CBWrite(b_int, s_int, "intermediate/generate/exported", map[string]interface{}{
|
||
"common_name": "intermediate myvault.com",
|
||
"key_type": keyType,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate CSR info")
|
||
}
|
||
intermediateData := resp.Data
|
||
intermediateKey := intermediateData["private_key"].(string)
|
||
|
||
resp, err = CBWrite(b_root, s_root, "root/sign-intermediate", map[string]interface{}{
|
||
"csr": intermediateData["csr"],
|
||
"format": "pem_bundle",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected signed intermediate info")
|
||
}
|
||
intermediateSignedData := resp.Data
|
||
intermediateCert := intermediateSignedData["certificate"].(string)
|
||
|
||
rootCaCert := parseCert(t, rootCert)
|
||
intermediaryCaCert := parseCert(t, intermediateCert)
|
||
requireSignedBy(t, intermediaryCaCert, rootCaCert.PublicKey)
|
||
intermediateCaChain := intermediateSignedData["ca_chain"].([]string)
|
||
|
||
require.Equal(t, parseCert(t, intermediateCaChain[0]), intermediaryCaCert, "intermediate signed cert should have been part of ca_chain")
|
||
require.Equal(t, parseCert(t, intermediateCaChain[1]), rootCaCert, "root cert should have been part of ca_chain")
|
||
|
||
resp, err = CBWrite(b_int, s_int, "intermediate/set-signed", map[string]interface{}{
|
||
"certificate": intermediateCert + "\n" + rootCert + "\n",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Validate that intermediate's ca_chain field now includes the full
|
||
// chain.
|
||
resp, err = CBRead(b_int, s_int, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
// Verify we have a proper CRL now
|
||
crl := getParsedCrlFromBackend(t, b_int, s_int, "crl")
|
||
require.Equal(t, 0, len(crl.TBSCertList.RevokedCertificates))
|
||
|
||
fullChain = resp.Data["ca_chain"].(string)
|
||
requireCertInCaChainString(t, fullChain, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/cert/ca_chain")
|
||
requireCertInCaChainString(t, fullChain, rootCert, "expected full chain to contain root certificate from pki-intermediate/cert/ca_chain")
|
||
|
||
// Make sure when we issue a leaf certificate we get the full chain back.
|
||
resp, err = CBWrite(b_int, s_int, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki intermediate role: %v", err)
|
||
|
||
resp, err = CBWrite(b_int, s_int, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate from pki intermediate: %v", err)
|
||
fullChainArray = resp.Data["ca_chain"].([]string)
|
||
requireCertInCaChainArray(t, fullChainArray, intermediateCert, "expected full chain to contain intermediate certificate from pki-intermediate/issue/example")
|
||
requireCertInCaChainArray(t, fullChainArray, rootCert, "expected full chain to contain root certificate from pki-intermediate/issue/example")
|
||
|
||
// Finally, import this signing cert chain into a new mount to ensure
|
||
// "external" CAs behave as expected.
|
||
b_ext, s_ext := createBackendWithStorage(t)
|
||
|
||
resp, err = CBWrite(b_ext, s_ext, "config/ca", map[string]interface{}{
|
||
"pem_bundle": intermediateKey + "\n" + intermediateCert + "\n" + rootCert + "\n",
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
// Validate the external chain information was loaded correctly.
|
||
resp, err = CBRead(b_ext, s_ext, "cert/ca_chain")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected intermediate chain information")
|
||
}
|
||
|
||
fullChain = resp.Data["ca_chain"].(string)
|
||
if strings.Count(fullChain, intermediateCert) != 1 {
|
||
t.Fatalf("expected full chain to contain intermediate certificate; got %v occurrences", strings.Count(fullChain, intermediateCert))
|
||
}
|
||
if strings.Count(fullChain, rootCert) != 1 {
|
||
t.Fatalf("expected full chain to contain root certificate; got %v occurrences", strings.Count(fullChain, rootCert))
|
||
}
|
||
|
||
// Now issue a short-lived certificate from our pki-external.
|
||
resp, err = CBWrite(b_ext, s_ext, "roles/example", map[string]interface{}{
|
||
"allowed_domains": "example.com",
|
||
"allow_subdomains": "true",
|
||
"max_ttl": "1h",
|
||
})
|
||
require.NoError(t, err, "error setting up pki role: %v", err)
|
||
|
||
resp, err = CBWrite(b_ext, s_ext, "issue/example", map[string]interface{}{
|
||
"common_name": "test.example.com",
|
||
"ttl": "5m",
|
||
})
|
||
require.NoError(t, err, "error issuing certificate: %v", err)
|
||
require.NotNil(t, resp, "got nil response from issuing request")
|
||
issueCrtAsPem := resp.Data["certificate"].(string)
|
||
issuedCrt := parseCert(t, issueCrtAsPem)
|
||
|
||
// Verify that the certificates are signed by the intermediary CA key...
|
||
requireSignedBy(t, issuedCrt, intermediaryCaCert.PublicKey)
|
||
}
|
||
|
||
func requireCertInCaChainArray(t *testing.T, chain []string, cert string, msgAndArgs ...interface{}) {
|
||
var fullChain string
|
||
for _, caCert := range chain {
|
||
fullChain = fullChain + "\n" + caCert
|
||
}
|
||
|
||
requireCertInCaChainString(t, fullChain, cert, msgAndArgs)
|
||
}
|
||
|
||
func requireCertInCaChainString(t *testing.T, chain string, cert string, msgAndArgs ...interface{}) {
|
||
count := strings.Count(chain, cert)
|
||
if count != 1 {
|
||
failMsg := fmt.Sprintf("Found %d occurrances of the cert in the provided chain", count)
|
||
require.FailNow(t, failMsg, msgAndArgs...)
|
||
}
|
||
}
|
||
|
||
type MultiBool int
|
||
|
||
const (
|
||
MFalse MultiBool = iota
|
||
MTrue MultiBool = iota
|
||
MAny MultiBool = iota
|
||
)
|
||
|
||
func (o MultiBool) ToValues() []bool {
|
||
if o == MTrue {
|
||
return []bool{true}
|
||
}
|
||
|
||
if o == MFalse {
|
||
return []bool{false}
|
||
}
|
||
|
||
if o == MAny {
|
||
return []bool{true, false}
|
||
}
|
||
|
||
return []bool{}
|
||
}
|
||
|
||
type IssuanceRegression struct {
|
||
AllowedDomains []string
|
||
AllowBareDomains MultiBool
|
||
AllowGlobDomains MultiBool
|
||
AllowSubdomains MultiBool
|
||
AllowLocalhost MultiBool
|
||
AllowWildcardCertificates MultiBool
|
||
CNValidations []string
|
||
CommonName string
|
||
Issued bool
|
||
}
|
||
|
||
func RoleIssuanceRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test IssuanceRegression) int {
|
||
tested := 0
|
||
for _, AllowBareDomains := range test.AllowBareDomains.ToValues() {
|
||
for _, AllowGlobDomains := range test.AllowGlobDomains.ToValues() {
|
||
for _, AllowSubdomains := range test.AllowSubdomains.ToValues() {
|
||
for _, AllowLocalhost := range test.AllowLocalhost.ToValues() {
|
||
for _, AllowWildcardCertificates := range test.AllowWildcardCertificates.ToValues() {
|
||
role := fmt.Sprintf("issuance-regression-%d-bare-%v-glob-%v-subdomains-%v-localhost-%v-wildcard-%v", index, AllowBareDomains, AllowGlobDomains, AllowSubdomains, AllowLocalhost, AllowWildcardCertificates)
|
||
resp, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
|
||
"allowed_domains": test.AllowedDomains,
|
||
"allow_bare_domains": AllowBareDomains,
|
||
"allow_glob_domains": AllowGlobDomains,
|
||
"allow_subdomains": AllowSubdomains,
|
||
"allow_localhost": AllowLocalhost,
|
||
"allow_wildcard_certificates": AllowWildcardCertificates,
|
||
"cn_validations": test.CNValidations,
|
||
// TODO: test across this vector as well. Currently certain wildcard
|
||
// matching is broken with it enabled (such as x*x.foo).
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
"key_bits": 256,
|
||
"no_store": true,
|
||
// With the CN Validations field, ensure we prevent CN from appearing
|
||
// in SANs.
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
resp, err = CBWrite(b, s, "issue/"+role, map[string]interface{}{
|
||
"common_name": test.CommonName,
|
||
"exclude_cn_from_sans": true,
|
||
})
|
||
|
||
haveErr := err != nil || resp == nil
|
||
expectErr := !test.Issued
|
||
|
||
if haveErr != expectErr {
|
||
t.Fatalf("issuance regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, role: %v", index, haveErr, expectErr, err, resp, test, role)
|
||
}
|
||
|
||
tested += 1
|
||
}
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
return tested
|
||
}
|
||
|
||
func TestBackend_Roles_IssuanceRegression(t *testing.T) {
|
||
t.Parallel()
|
||
// Regression testing of role's issuance policy.
|
||
testCases := []IssuanceRegression{
|
||
// allowed, bare, glob, subdomains, localhost, wildcards, cn, issued
|
||
|
||
// === Globs not allowed but used === //
|
||
// Allowed contains globs, but globbing not allowed, resulting in all
|
||
// issuances failing. Note that tests against issuing a wildcard with
|
||
// a bare domain will be covered later.
|
||
/* 0 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 1 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 2 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 3 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 4 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
|
||
/* 5 */ {[]string{"*.*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.foo", false},
|
||
/* 6 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
|
||
/* 7 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 8 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 9 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 10 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 11 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "bar.foo", false},
|
||
/* 12 */ {[]string{"*.foo"}, MAny, MFalse, MAny, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Localhost sanity === //
|
||
// Localhost forbidden, not matching allowed domains -> not issued
|
||
/* 13 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MFalse, MAny, nil, "localhost", false},
|
||
// Localhost allowed, not matching allowed domains -> issued
|
||
/* 14 */ {[]string{"*.*.foo"}, MAny, MAny, MAny, MTrue, MAny, nil, "localhost", true},
|
||
// Localhost allowed via allowed domains (and bare allowed), not by AllowLocalhost -> issued
|
||
/* 15 */ {[]string{"localhost"}, MTrue, MAny, MAny, MFalse, MAny, nil, "localhost", true},
|
||
// Localhost allowed via allowed domains (and bare not allowed), not by AllowLocalhost -> not issued
|
||
/* 16 */ {[]string{"localhost"}, MFalse, MAny, MAny, MFalse, MAny, nil, "localhost", false},
|
||
// Localhost allowed via allowed domains (but bare not allowed), and by AllowLocalhost -> issued
|
||
/* 17 */ {[]string{"localhost"}, MFalse, MAny, MAny, MTrue, MAny, nil, "localhost", true},
|
||
|
||
// === Bare wildcard issuance == //
|
||
// allowed_domains contains one or more wildcards and bare domains allowed,
|
||
// resulting in the cert being issued.
|
||
/* 18 */ {[]string{"*.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "*.foo", true},
|
||
/* 19 */ {[]string{"*.*.foo"}, MTrue, MAny, MAny, MAny, MAny, nil, "*.*.foo", false}, // Does not conform to RFC 6125
|
||
|
||
// === Double Leading Glob Testing === //
|
||
// Allowed contains globs, but glob allowed so certain matches work.
|
||
// The value of bare and localhost does not impact these results.
|
||
/* 20 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 21 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
|
||
/* 22 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 23 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
|
||
/* 24 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", false},
|
||
/* 25 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "*.foo", false},
|
||
/* 26 */ {[]string{"*.*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
|
||
|
||
// Allowed contains globs, but glob and subdomain both work, so we expect
|
||
// wildcard issuance to work as well. The value of bare and localhost does
|
||
// not impact these results.
|
||
/* 27 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 28 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 29 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 30 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true}, // Regression fix: Vault#13530
|
||
/* 31 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", false},
|
||
/* 32 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "*.foo", false},
|
||
/* 33 */ {[]string{"*.*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Single Leading Glob Testing === //
|
||
// Allowed contains globs, but glob allowed so certain matches work.
|
||
// The value of bare and localhost does not impact these results.
|
||
/* 34 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 35 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.fud.bar.foo", true}, // glob domain allows wildcard of subdomains
|
||
/* 36 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "fud.bar.foo", true}, // glob domains allow infinite subdomains
|
||
/* 37 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MTrue, nil, "*.bar.foo", true}, // glob domain allows wildcards of subdomains
|
||
/* 38 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "bar.foo", true},
|
||
/* 39 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MAny, nil, "foo", false},
|
||
|
||
// Allowed contains globs, but glob and subdomain both work, so we expect
|
||
// wildcard issuance to work as well. The value of bare and localhost does
|
||
// not impact these results.
|
||
/* 40 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 41 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 42 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 43 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
|
||
/* 44 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "bar.foo", true},
|
||
/* 45 */ {[]string{"*.foo"}, MAny, MTrue, MTrue, MAny, MAny, nil, "foo", false},
|
||
|
||
// === Only base domain name === //
|
||
// Allowed contains only domain components, but subdomains not allowed. This
|
||
// results in most issuances failing unless we allow bare domains, in which
|
||
// case only the final issuance for "foo" will succeed.
|
||
/* 46 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "baz.fud.bar.foo", false},
|
||
/* 47 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.fud.bar.foo", false},
|
||
/* 48 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "fud.bar.foo", false},
|
||
/* 49 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.bar.foo", false},
|
||
/* 50 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "bar.foo", false},
|
||
/* 51 */ {[]string{"foo"}, MAny, MAny, MFalse, MAny, MAny, nil, "*.foo", false},
|
||
/* 52 */ {[]string{"foo"}, MFalse, MAny, MFalse, MAny, MAny, nil, "foo", false},
|
||
/* 53 */ {[]string{"foo"}, MTrue, MAny, MFalse, MAny, MAny, nil, "foo", true},
|
||
|
||
// Allowed contains only domain components, and subdomains are now allowed.
|
||
// This results in most issuances succeeding, with the exception of the
|
||
// base foo, which is still governed by base's value.
|
||
/* 54 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "baz.fud.bar.foo", true},
|
||
/* 55 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.fud.bar.foo", true},
|
||
/* 56 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "fud.bar.foo", true},
|
||
/* 57 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.bar.foo", true},
|
||
/* 58 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MAny, nil, "bar.foo", true},
|
||
/* 59 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*.foo", true},
|
||
/* 60 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*x.foo", true}, // internal wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 61 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "*x.foo", true}, // prefix wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 62 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MTrue, nil, "x*.foo", true}, // suffix wildcards should be allowed per RFC 6125/6.4.3
|
||
/* 63 */ {[]string{"foo"}, MFalse, MAny, MTrue, MAny, MAny, nil, "foo", false},
|
||
/* 64 */ {[]string{"foo"}, MTrue, MAny, MTrue, MAny, MAny, nil, "foo", true},
|
||
|
||
// === Internal Glob Matching === //
|
||
// Basic glob matching requirements
|
||
/* 65 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", true},
|
||
/* 66 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", true}, // globs can match across subdomains
|
||
/* 67 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
|
||
/* 68 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x*x isn't matched.
|
||
/* 69 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
|
||
/* 70 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x*x.foo", false}, // Does not conform to RFC 6125
|
||
/* 71 */ {[]string{"x*x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.xyx.foo", false}, // Globs and Subdomains do not layer per docs.
|
||
|
||
// Various requirements around x*x.foo wildcard matching.
|
||
/* 72 */ {[]string{"x*x.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "x*x.foo", false}, // base disabled, shouldn't match wildcard
|
||
/* 73 */ {[]string{"x*x.foo"}, MFalse, MTrue, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base disallowed, but globbing allowed and should match
|
||
/* 74 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MTrue, nil, "x*x.foo", true}, // base allowed, should match wildcard
|
||
|
||
// Basic glob matching requirements with internal dots.
|
||
/* 75 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xerox.foo", false}, // missing dots
|
||
/* 76 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ero.x.foo", true},
|
||
/* 77 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xylophone.files.pyrex.foo", false}, // missing dots
|
||
/* 78 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "x.ylophone.files.pyre.x.foo", true}, // globs can match across subdomains
|
||
/* 79 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "xercex.bar.foo", false}, // x.foo isn't matched
|
||
/* 80 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "bar.foo", false}, // x.*.x isn't matched.
|
||
/* 81 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.foo", false}, // unrelated wildcard
|
||
/* 82 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.*.x.foo", false}, // Does not conform to RFC 6125
|
||
/* 83 */ {[]string{"x.*.x.foo"}, MAny, MTrue, MAny, MAny, MAny, nil, "*.x.y.x.foo", false}, // Globs and Subdomains do not layer per docs.
|
||
|
||
// === Wildcard restriction testing === //
|
||
/* 84 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.fud.bar.foo", false}, // glob domain allows wildcard of subdomains
|
||
/* 85 */ {[]string{"*.foo"}, MAny, MTrue, MFalse, MAny, MFalse, nil, "*.bar.foo", false}, // glob domain allows wildcards of subdomains
|
||
/* 86 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.fud.bar.foo", false},
|
||
/* 87 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.bar.foo", false},
|
||
/* 88 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*.foo", false},
|
||
/* 89 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*x.foo", false},
|
||
/* 90 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "*x.foo", false},
|
||
/* 91 */ {[]string{"foo"}, MAny, MAny, MTrue, MAny, MFalse, nil, "x*.foo", false},
|
||
/* 92 */ {[]string{"x*x.foo"}, MTrue, MAny, MAny, MAny, MFalse, nil, "x*x.foo", false},
|
||
/* 93 */ {[]string{"*.foo"}, MFalse, MFalse, MAny, MAny, MAny, nil, "*.foo", false}, // Bare and globs forbidden despite (potentially) allowing wildcards.
|
||
/* 94 */ {[]string{"x.*.x.foo"}, MAny, MAny, MAny, MAny, MAny, nil, "x.*.x.foo", false}, // Does not conform to RFC 6125
|
||
|
||
// === CN validation allowances === //
|
||
/* 95 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.bar.foo", true},
|
||
/* 96 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.fud.*.foo", true},
|
||
/* 97 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "*.bar.*.bar", true},
|
||
/* 98 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo", true},
|
||
/* 99 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "foo@foo@foo", true},
|
||
/* 100 */ {[]string{"foo"}, MAny, MAny, MAny, MAny, MAny, []string{"disabled"}, "bar@bar@bar", true},
|
||
/* 101 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar@bar", false},
|
||
/* 102 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@bar", false},
|
||
/* 103 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar@foo", true},
|
||
/* 104 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@foo", false},
|
||
/* 105 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar@bar", false},
|
||
/* 106 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.foo", true},
|
||
/* 107 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"hostname"}, "bar.bar", false},
|
||
/* 108 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.foo", false},
|
||
/* 109 */ {[]string{"foo"}, MTrue, MTrue, MTrue, MTrue, MTrue, []string{"email"}, "bar.bar", false},
|
||
}
|
||
|
||
if len(testCases) != 110 {
|
||
t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
|
||
}
|
||
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
// We need a RSA key so all signature sizes are valid with it.
|
||
resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"ttl": "128h",
|
||
"key_type": "rsa",
|
||
"key_bits": 2048,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
tested := 0
|
||
for index, test := range testCases {
|
||
tested += RoleIssuanceRegressionHelper(t, b, s, index, test)
|
||
}
|
||
|
||
t.Log(fmt.Sprintf("Issuance regression expanded matrix test scenarios: %d", tested))
|
||
}
|
||
|
||
type KeySizeRegression struct {
|
||
// Values reused for both Role and CA configuration.
|
||
RoleKeyType string
|
||
RoleKeyBits []int
|
||
|
||
// Signature Bits presently is only specified on the role.
|
||
RoleSignatureBits []int
|
||
RoleUsePSS bool
|
||
|
||
// These are tuples; must be of the same length.
|
||
TestKeyTypes []string
|
||
TestKeyBits []int
|
||
|
||
// All of the above key types/sizes must pass or fail together.
|
||
ExpectError bool
|
||
}
|
||
|
||
func (k KeySizeRegression) KeyTypeValues() []string {
|
||
if k.RoleKeyType == "any" {
|
||
return []string{"rsa", "ec", "ed25519"}
|
||
}
|
||
|
||
return []string{k.RoleKeyType}
|
||
}
|
||
|
||
func RoleKeySizeRegressionHelper(t *testing.T, b *backend, s logical.Storage, index int, test KeySizeRegression) int {
|
||
tested := 0
|
||
|
||
for _, caKeyType := range test.KeyTypeValues() {
|
||
for _, caKeyBits := range test.RoleKeyBits {
|
||
// Generate a new CA key.
|
||
resp, err := CBWrite(b, s, "root/generate/exported", map[string]interface{}{
|
||
"common_name": "myvault.com",
|
||
"ttl": "128h",
|
||
"key_type": caKeyType,
|
||
"key_bits": caKeyBits,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
if resp == nil {
|
||
t.Fatal("expected ca info")
|
||
}
|
||
|
||
for _, roleKeyBits := range test.RoleKeyBits {
|
||
for _, roleSignatureBits := range test.RoleSignatureBits {
|
||
role := fmt.Sprintf("key-size-regression-%d-keytype-%v-keybits-%d-signature-bits-%d", index, test.RoleKeyType, roleKeyBits, roleSignatureBits)
|
||
resp, err := CBWrite(b, s, "roles/"+role, map[string]interface{}{
|
||
"key_type": test.RoleKeyType,
|
||
"key_bits": roleKeyBits,
|
||
"signature_bits": roleSignatureBits,
|
||
"use_pss": test.RoleUsePSS,
|
||
})
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
|
||
for index, keyType := range test.TestKeyTypes {
|
||
keyBits := test.TestKeyBits[index]
|
||
|
||
_, _, csrPem := generateCSR(t, &x509.CertificateRequest{
|
||
Subject: pkix.Name{
|
||
CommonName: "localhost",
|
||
},
|
||
}, keyType, keyBits)
|
||
|
||
resp, err = CBWrite(b, s, "sign/"+role, map[string]interface{}{
|
||
"common_name": "localhost",
|
||
"csr": csrPem,
|
||
})
|
||
|
||
haveErr := err != nil || resp == nil
|
||
|
||
if haveErr != test.ExpectError {
|
||
t.Fatalf("key size regression test [%d] failed: haveErr: %v, expectErr: %v, err: %v, resp: %v, test case: %v, caKeyType: %v, caKeyBits: %v, role: %v, keyType: %v, keyBits: %v", index, haveErr, test.ExpectError, err, resp, test, caKeyType, caKeyBits, role, keyType, keyBits)
|
||
}
|
||
|
||
if resp != nil && test.RoleUsePSS && caKeyType == "rsa" {
|
||
leafCert := parseCert(t, resp.Data["certificate"].(string))
|
||
switch leafCert.SignatureAlgorithm {
|
||
case x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
|
||
default:
|
||
t.Fatalf("key size regression test [%d] failed on role %v: unexpected signature algorithm; expected RSA-type CA to sign a leaf cert with PSS algorithm; got %v", index, role, leafCert.SignatureAlgorithm.String())
|
||
}
|
||
}
|
||
|
||
tested += 1
|
||
}
|
||
}
|
||
}
|
||
|
||
_, err = CBDelete(b, s, "root")
|
||
if err != nil {
|
||
t.Fatal(err)
|
||
}
|
||
}
|
||
}
|
||
|
||
return tested
|
||
}
|
||
|
||
func TestBackend_Roles_KeySizeRegression(t *testing.T) {
|
||
t.Parallel()
|
||
// Regression testing of role's issuance policy.
|
||
testCases := []KeySizeRegression{
|
||
// RSA with default parameters should fail to issue smaller RSA keys
|
||
// and any size ECDSA/Ed25519 keys.
|
||
/* 0 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{1024, 224, 256, 384, 521, 0}, true},
|
||
// But it should work to issue larger RSA keys.
|
||
/* 1 */ {"rsa", []int{0, 2048}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{2048, 3072}, false},
|
||
|
||
// EC with default parameters should fail to issue smaller EC keys
|
||
// and any size RSA/Ed25519 keys.
|
||
/* 2 */ {"ec", []int{0}, []int{0}, false, []string{"rsa", "ec", "ed25519"}, []int{2048, 224, 0}, true},
|
||
// But it should work to issue larger EC keys. Note that we should be
|
||
// independent of signature bits as that's computed from the issuer
|
||
// type (for EC based issuers).
|
||
/* 3 */ {"ec", []int{224}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec", "ec"}, []int{224, 256, 384, 521}, false},
|
||
/* 4 */ {"ec", []int{0, 256}, []int{0, 256, 384, 521}, false, []string{"ec", "ec", "ec"}, []int{256, 384, 521}, false},
|
||
/* 5 */ {"ec", []int{384}, []int{0, 256, 384, 521}, false, []string{"ec", "ec"}, []int{384, 521}, false},
|
||
/* 6 */ {"ec", []int{521}, []int{0, 256, 384, 512}, false, []string{"ec"}, []int{521}, false},
|
||
|
||
// Ed25519 should reject RSA and EC keys.
|
||
/* 7 */ {"ed25519", []int{0}, []int{0}, false, []string{"rsa", "ec", "ec"}, []int{2048, 256, 521}, true},
|
||
// But it should work to issue Ed25519 keys.
|
||
/* 8 */ {"ed25519", []int{0}, []int{0}, false, []string{"ed25519"}, []int{0}, false},
|
||
|
||
// Any key type should reject insecure RSA key sizes.
|
||
/* 9 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa"}, []int{512, 1024}, true},
|
||
// But work for everything else.
|
||
/* 10 */ {"any", []int{0}, []int{0, 256, 384, 512}, false, []string{"rsa", "rsa", "ec", "ec", "ec", "ec", "ed25519"}, []int{2048, 3072, 224, 256, 384, 521, 0}, false},
|
||
|
||
// RSA with larger than default key size should reject smaller ones.
|
||
/* 11 */ {"rsa", []int{3072}, []int{0, 256, 384, 512}, false, []string{"rsa"}, []int{2048}, true},
|
||
|
||
// We should be able to sign with PSS with any CA key type.
|
||
/* 12 */ {"rsa", []int{0}, []int{0, 256, 384, 512}, true, []string{"rsa"}, []int{2048}, false},
|
||
/* 13 */ {"ec", []int{0}, []int{0}, true, []string{"ec"}, []int{256}, false},
|
||
/* 14 */ {"ed25519", []int{0}, []int{0}, true, []string{"ed25519"}, []int{0}, false},
|
||
}
|
||
|
||
if len(testCases) != 15 {
|
||
t.Fatalf("misnumbered test case entries will make it hard to find bugs: %v", len(testCases))
|
||
}
|
||
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
tested := 0
|
||
for index, test := range testCases {
|
||
tested += RoleKeySizeRegressionHelper(t, b, s, index, test)
|
||
}
|
||
|
||
t.Log(fmt.Sprintf("Key size regression expanded matrix test scenarios: %d", tested))
|
||
}
|
||
|
||
func TestRootWithExistingKey(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
var err error
|
||
|
||
// Fail requests if type is existing, and we specify the key_type param
|
||
_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail requests if type is existing, and we specify the key_bits param
|
||
_, err = CBWrite(b, s, "root/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_bits": "2048",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail if the specified key does not exist.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
"key_ref": "my-key1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
|
||
|
||
// Fail if the specified key name is default.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
"key_name": "Default",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as key name")
|
||
|
||
// Fail if the specified issuer name is default.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "DEFAULT",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "reserved keyword 'default' can not be used as issuer name")
|
||
|
||
// Create the first CA
|
||
resp, err := CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"issuer_name": "my-issuer1",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId1 := resp.Data["issuer_id"]
|
||
myKeyId1 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId1)
|
||
require.NotEmpty(t, myKeyId1)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoked anything
|
||
parsedCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
|
||
// Fail if the specified issuer name is re-used.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "issuer name already in use")
|
||
|
||
// Create the second CA
|
||
resp, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"issuer_name": "my-issuer2",
|
||
"key_name": "root-key2",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId2 := resp.Data["issuer_id"]
|
||
myKeyId2 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId2)
|
||
require.NotEmpty(t, myKeyId2)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoked anything
|
||
parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer2/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
|
||
// Fail if the specified key name is re-used.
|
||
_, err = CBWrite(b, s, "issuers/generate/root/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer3",
|
||
"key_name": "root-key2",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key name already in use")
|
||
|
||
// Create a third CA re-using key from CA 1
|
||
resp, err = CBWrite(b, s, "issuers/generate/root/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"issuer_name": "my-issuer3",
|
||
"key_ref": myKeyId1,
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp.Data["certificate"])
|
||
myIssuerId3 := resp.Data["issuer_id"]
|
||
myKeyId3 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myIssuerId3)
|
||
require.NotEmpty(t, myKeyId3)
|
||
|
||
// Fetch the parsed CRL; it should be empty as we've not revoking anything.
|
||
parsedCrl = getParsedCrlFromBackend(t, b, s, "issuer/my-issuer3/crl/der")
|
||
require.Equal(t, len(parsedCrl.TBSCertList.RevokedCertificates), 0, "should have no revoked certificates")
|
||
// Signatures should be the same since this is just a reissued cert. We
|
||
// use signature as a proxy for "these two CRLs are equal".
|
||
firstCrl := getParsedCrlFromBackend(t, b, s, "issuer/my-issuer1/crl/der")
|
||
require.Equal(t, parsedCrl.SignatureValue, firstCrl.SignatureValue)
|
||
|
||
require.NotEqual(t, myIssuerId1, myIssuerId2)
|
||
require.NotEqual(t, myIssuerId1, myIssuerId3)
|
||
require.NotEqual(t, myKeyId1, myKeyId2)
|
||
require.Equal(t, myKeyId1, myKeyId3)
|
||
|
||
resp, err = CBList(b, s, "issuers")
|
||
require.NoError(t, err)
|
||
require.Equal(t, 3, len(resp.Data["keys"].([]string)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId1.(issuerID)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId2.(issuerID)))
|
||
require.Contains(t, resp.Data["keys"], string(myIssuerId3.(issuerID)))
|
||
}
|
||
|
||
func TestIntermediateWithExistingKey(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
var err error
|
||
|
||
// Fail requests if type is existing, and we specify the key_type param
|
||
_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail requests if type is existing, and we specify the key_bits param
|
||
_, err = CBWrite(b, s, "intermediate/generate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_bits": "2048",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "key_type nor key_bits arguments can be set in this mode")
|
||
|
||
// Fail if the specified key does not exist.
|
||
_, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_ref": "my-key1",
|
||
})
|
||
require.Error(t, err)
|
||
require.Contains(t, err.Error(), "unable to find PKI key for reference: my-key1")
|
||
|
||
// Create the first intermediate CA
|
||
resp, err := CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
})
|
||
require.NoError(t, err)
|
||
// csr1 := resp.Data["csr"]
|
||
myKeyId1 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId1)
|
||
|
||
// Create the second intermediate CA
|
||
resp, err = CBWrite(b, s, "issuers/generate/intermediate/internal", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_type": "rsa",
|
||
"key_name": "interkey1",
|
||
})
|
||
require.NoError(t, err)
|
||
// csr2 := resp.Data["csr"]
|
||
myKeyId2 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId2)
|
||
|
||
// Create a third intermediate CA re-using key from intermediate CA 1
|
||
resp, err = CBWrite(b, s, "issuers/generate/intermediate/existing", map[string]interface{}{
|
||
"common_name": "root myvault.com",
|
||
"key_ref": myKeyId1,
|
||
})
|
||
require.NoError(t, err)
|
||
// csr3 := resp.Data["csr"]
|
||
myKeyId3 := resp.Data["key_id"]
|
||
require.NotEmpty(t, myKeyId3)
|
||
|
||
require.NotEqual(t, myKeyId1, myKeyId2)
|
||
require.Equal(t, myKeyId1, myKeyId3, "our new ca did not seem to reuse the key as we expected.")
|
||
}
|
||
|
||
func TestIssuanceTTLs(t *testing.T) {
|
||
t.Parallel()
|
||
b, s := createBackendWithStorage(t)
|
||
|
||
resp, err := CBWrite(b, s, "root/generate/internal", map[string]interface{}{
|
||
"common_name": "root example.com",
|
||
"issuer_name": "root",
|
||
"ttl": "10s",
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
rootCert := parseCert(t, resp.Data["certificate"].(string))
|
||
|
||
_, err = CBWrite(b, s, "roles/local-testing", map[string]interface{}{
|
||
"allow_any_name": true,
|
||
"enforce_hostnames": false,
|
||
"key_type": "ec",
|
||
})
|
||
require.NoError(t, err)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "1s",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to shorter ttl than cert ttl")
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "permit",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to permitted longer TTL")
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "truncate",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
})
|
||
require.NoError(t, err, "expected issuance to succeed due to truncated ttl")
|
||
|
||
// Sleep until the parent cert expires and the clock rolls over
|
||
// to the next second.
|
||
time.Sleep(rootCert.NotAfter.Sub(time.Now()) + (1500 * time.Millisecond))
|
||
|
||
resp, err = CBWrite(b, s, "issuer/root", map[string]interface{}{
|
||
"issuer_name": "root",
|
||
"leaf_not_after_behavior": "err",
|
||
})
|
||
require.NoError(t, err)
|
||
require.NotNil(t, resp)
|
||
|
||
// Even 1s ttl should now fail.
|
||
_, err = CBWrite(b, s, "issue/local-testing", map[string]interface{}{
|
||
"common_name": "testing",
|
||
"ttl": "1s",
|
||
})
|
||
require.Error(t, err, "expected issuance to fail due to longer default ttl than cert ttl")
|
||
}
|
||
|
||
func TestSealWrappedStorageConfigured(t *testing.T) {
|
||
t.Parallel()
|
||
b, _ := createBackendWithStorage(t)
|
||
wrappedEntries := b.Backend.PathsSpecial.SealWrapStorage
|
||
|
||
// Make sure our legacy bundle is within the list
|
||
// NOTE: do not convert these test values to constants, we should always have these paths within seal wrap config
|
||
require.Contains(t, wrappedEntries, "config/ca_bundle", "Legacy bundle missing from seal wrap")
|
||
// The trailing / is important as it treats the entire folder requiring seal wrapping, not just config/key
|
||
require.Contains(t, wrappedEntries, "config/key/", "key prefix with trailing / missing from seal wrap.")
|
||
}
|
||
|
||
var (
|
||
initTest sync.Once
|
||
rsaCAKey string
|
||
rsaCACert string
|
||
ecCAKey string
|
||
ecCACert string
|
||
edCAKey string
|
||
edCACert string
|
||
)
|