Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test: make SSL certificates a bit more realistic. #1228

Merged
merged 2 commits into from
Jul 10, 2017
Merged

test: make SSL certificates a bit more realistic. #1228

merged 2 commits into from
Jul 10, 2017

Conversation

PiotrSikora
Copy link
Contributor

This commit includes few of small changes:

  • all certificates are generated with X509v3 extensions, and have
    "Subject Key Identifier" and "Authority Key Identifier" set,
  • CA certificates have "Basic Constraints: CA:TRUE",
  • leaf certificates have "Extended Key Usage" set,
  • "California" is used consistently for the state name,
  • "Lyft Engineering" is used for the Organizational Unit.

No functional changes.

@PiotrSikora
test: make SSL certificates a bit more realistic.
762a8f7 
This commit includes few of small changes:
- all certificates are generated with X509v3 extensions, and have
  "Subject Key Identifier" and "Authority Key Identifier" set,
- CA certificates have "Basic Constraints: CA:TRUE",
- leaf certificates have "Extended Key Usage" set,
- "California" is used consistently for the state name,
- "Lyft Engineering" is used for the Organizational Unit.

No functional changes.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Contributor Author

@mattklein123 @myidpt PTAL, I've made most of those changes while chasing #1220, so I figured that I might as well send them out. However, none of them are really necessary, so feel free to reject this PR (or parts of it).

Also, please note that selfsigned_cert.cfg from #1203 doesn't include those changes, so one of those 2 PRs needs to be updated with the necessary changes before it's merged.

myidpt
myidpt approved these changes Jul 9, 2017
View reviewed changes
Copy link
Contributor

@myidpt myidpt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

test/common/ssl/test_data/san_uri_cert.cfg Outdated
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[alt_names]
URI.1 = istio:account1.foo.cluster.local
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you are changing the cert fields, could you change this (and corresponding tests) to:
spiffe://lyft.com/foo
Istio auth has recently changed the SAN format. We have updated other certs but not this one, so it would be great to keep them consistent :)

htuch
htuch previously approved these changes Jul 9, 2017
View reviewed changes
Copy link
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I wonder if it's work taking some of the common parts (e.g. [req_distinguished_name]) and defining them in one place, then merging them together during build, but it's probably not worth the effort.

@mattklein123
Copy link
Member

This is fine with me as long as @myidpt is good with it. @PiotrSikora will approve/merge once you fix his small comment.

@PiotrSikora
review: migrate san_uri_cert to spiffe://lyft.com/test-team.
acd14fe 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@PiotrSikora
Copy link
Contributor Author

@htuch OpenSSL config files don't support includes, and automagically merging them during bazel test would make it harder to use them directly from the command line, so I'd say it's definitely not worth it.

@myidpt @mattklein123 Done.

@mattklein123 mattklein123 merged commit 5c2a170 into envoyproxy:master Jul 10, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@myidpt myidpt myidpt approved these changes

@mattklein123 mattklein123 mattklein123 approved these changes

@htuch htuch htuch left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@PiotrSikora @mattklein123 @myidpt @htuch