From ceae72444766afcee01c5363c9b4a52dbdab4c98 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Sun, 31 Jan 2021 22:17:03 +0900 Subject: [PATCH 01/38] Add SPIFFE validator 
Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/v3/common.proto | 7 +- .../tls/v3/tls_spiffe_validator_config.proto | 23 ++++ .../tls/v4alpha/common.proto | 7 +- .../v4alpha/tls_spiffe_validator_config.proto | 26 +++++ generated_api_shadow/BUILD | 1 + .../transport_sockets/tls/v3/common.proto | 7 +- .../tls/v3/tls_spiffe_validator_config.proto | 23 ++++ .../tls/v4alpha/common.proto | 7 +- .../v4alpha/tls_spiffe_validator_config.proto | 26 +++++ include/envoy/ssl/BUILD | 1 + .../certificate_validation_context_config.h | 13 +++ source/common/ssl/BUILD | 1 + ...tificate_validation_context_config_impl.cc | 7 +- ...rtificate_validation_context_config_impl.h | 11 ++ .../tls/cert_validator/BUILD | 10 +- .../tls/cert_validator/cert_validator.h | 1 - .../tls/cert_validator/default_validator.cc | 14 +++ .../tls/cert_validator/factory.cc | 19 ++++ .../tls/cert_validator/factory.h | 35 ++++++ .../tls/cert_validator/spiffe_validator.cc | 105 ++++++++++++++++++ .../tls/cert_validator/spiffe_validator.h | 57 ++++++++++ .../transport_sockets/tls/context_impl.cc | 16 ++- .../tls/cert_validator/BUILD | 12 ++ .../tls/cert_validator/factory_test.cc | 86 ++++++++++++++ 24 files changed, 505 insertions(+), 10 deletions(-) create mode 100644 api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto create mode 100644 api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto create mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto create mode 100644 generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto create mode 100644 source/extensions/transport_sockets/tls/cert_validator/factory.cc create mode 100644 source/extensions/transport_sockets/tls/cert_validator/factory.h create mode 100644 source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc create mode 100644 
source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h create mode 100644 test/extensions/transport_sockets/tls/cert_validator/factory_test.cc diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index 2b545b35ee12..87bbfb94c1a9 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; import "envoy/type/matcher/v3/string.proto"; import "google/protobuf/any.proto"; @@ -212,7 +213,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 12] +// [#next-free-field: 14] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; @@ -372,4 +373,8 @@ message CertificateValidationContext { // Certificate trust chain verification mode. TrustChainVerification trust_chain_verification = 10 [(validate.rules).enum = {defined_only: true}]; + + // The configuration of an extension specific certificate validator. + // If specified, then the usage of all the values above depends on the chosen extension. + config.core.v3.TypedExtensionConfig custom_validator_config = 13; } diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto new file mode 100644 index 000000000000..61126de70546 --- /dev/null +++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto 
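Review bot: The comment on `custom_validator_config` ("the usage of all the values above depends on the chosen extension") does not tell an operator whether `trusted_ca`, the SAN matchers, the certificate hash/SPKI pins or the CRL are still enforced once an extension is named, and since a custom validator is free to ignore any of them that is the security-relevant part of this field. Suggest saying it directly, e.g. `// When set, the built-in validation is replaced by the named extension, which decides which of the fields above (if any) it honours; consult that extension's documentation before relying on them.` The marker moves from `[#next-free-field: 12]` to `14` while the new field is numbered 13, so 12 is skipped with no `reserved` entry; either use 12 or reserve it explicitly. The v4alpha mirror in this patch carries the same wording.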
@@ -0,0 +1,23 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "TlsSpiffeValidatorConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: SPIFFE Certificate Validator Configuration] + +// [#not-implemented-hide:] +// Configuration specific to the SPIFFE certificate validator +message SPIFFECertValidatorConfig { + map trust_bundles = 1; +} diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 30859bc2a3eb..513a435d5fb0 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v4alpha; import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/extension.proto"; import "envoy/type/matcher/v4alpha/string.proto"; import "google/protobuf/any.proto"; @@ -214,7 +215,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 12] +// [#next-free-field: 14] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; 
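Review bot: `trust_bundles` has no field comment and no validation rule, and the key/value types are not legible in this rendering, so a reader cannot tell what the map key is; the validator's TODO about a `spiffe://` prefix suggests the key is the trust domain, presumably to be matched against the trust domain of the peer's SPIFFE ID, and the field should say so, e.g. `// Keyed by trust domain name (without the spiffe:// scheme); the value is the PEM CA bundle used to verify certificates issued in that domain.` Consider `[(validate.rules).map = {min_pairs: 1}]` so an empty map is rejected at config load instead of producing a validator with no trust anchors, whose behaviour would then depend on how the not-yet-written verify path treats an empty store. In the v3 file, `udpa/annotations/sensitive.proto`, `udpa/annotations/versioning.proto` and `validate/validate.proto` are imported but unused (the last becomes used if the rule is added).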
@@ -374,4 +375,8 @@ message CertificateValidationContext { // Certificate trust chain verification mode. TrustChainVerification trust_chain_verification = 10 [(validate.rules).enum = {defined_only: true}]; + + // The configuration of an extension specific certificate validator. + // If specified, then the usage of all the values above depends on the chosen extension. + config.core.v4alpha.TypedExtensionConfig custom_validator_config = 13; } diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto new file mode 100644 index 000000000000..9f13b5897068 --- /dev/null +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; +option java_outer_classname = "TlsSpiffeValidatorConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: SPIFFE Certificate Validator Configuration] + +// [#not-implemented-hide:] +// Configuration specific to the SPIFFE certificate validator +message SPIFFECertValidatorConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; + + map trust_bundles = 1; +} diff --git a/generated_api_shadow/BUILD b/generated_api_shadow/BUILD index 5b4131922cd0..effde23bad70 100644 --- a/generated_api_shadow/BUILD +++ b/generated_api_shadow/BUILD 
@@ -166,6 +166,7 @@ proto_library( "//envoy/extensions/common/tap/v3:pkg", "//envoy/extensions/compression/gzip/compressor/v3:pkg", "//envoy/extensions/compression/gzip/decompressor/v3:pkg", + "//envoy/extensions/filters/common/dependency/v3:pkg", "//envoy/extensions/filters/common/fault/v3:pkg", "//envoy/extensions/filters/common/matcher/action/v3:pkg", "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg", diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 2ddca5720fc8..2c1cd53c19b6 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; import "envoy/type/matcher/v3/string.proto"; import "google/protobuf/any.proto"; @@ -211,7 +212,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 12] +// [#next-free-field: 14] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; @@ -370,5 +371,9 @@ message CertificateValidationContext { TrustChainVerification trust_chain_verification = 10 [(validate.rules).enum = {defined_only: true}]; + // The configuration of an extension specific certificate validator. + // If specified, then the usage of all the values above depends on the chosen extension. + config.core.v3.TypedExtensionConfig custom_validator_config = 13; + repeated string hidden_envoy_deprecated_verify_subject_alt_name = 4 [deprecated = true]; } 
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto new file mode 100644 index 000000000000..61126de70546 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "TlsSpiffeValidatorConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: SPIFFE Certificate Validator Configuration] + +// [#not-implemented-hide:] +// Configuration specific to the SPIFFE certificate validator +message SPIFFECertValidatorConfig { + map trust_bundles = 1; +} diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 30859bc2a3eb..513a435d5fb0 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v4alpha; import "envoy/config/core/v4alpha/base.proto"; +import "envoy/config/core/v4alpha/extension.proto"; import "envoy/type/matcher/v4alpha/string.proto"; import "google/protobuf/any.proto"; 
@@ -214,7 +215,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 12] +// [#next-free-field: 14] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; @@ -374,4 +375,8 @@ message CertificateValidationContext { // Certificate trust chain verification mode. TrustChainVerification trust_chain_verification = 10 [(validate.rules).enum = {defined_only: true}]; + + // The configuration of an extension specific certificate validator. + // If specified, then the usage of all the values above depends on the chosen extension. + config.core.v4alpha.TypedExtensionConfig custom_validator_config = 13; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto new file mode 100644 index 000000000000..9f13b5897068 --- /dev/null +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto 
@@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v4alpha; + +import "envoy/config/core/v4alpha/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha"; +option java_outer_classname = "TlsSpiffeValidatorConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; + +// [#protodoc-title: SPIFFE Certificate Validator Configuration] + +// [#not-implemented-hide:] +// Configuration specific to the SPIFFE certificate validator +message SPIFFECertValidatorConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; + + map trust_bundles = 1; +} diff --git a/include/envoy/ssl/BUILD b/include/envoy/ssl/BUILD index 08266cf1376f..4630ec0bac3d 100644 --- a/include/envoy/ssl/BUILD +++ b/include/envoy/ssl/BUILD @@ -57,6 +57,7 @@ envoy_cc_library( envoy_cc_library( name = "certificate_validation_context_config_interface", hdrs = ["certificate_validation_context_config.h"], + external_deps = ["abseil_optional"], deps = [ "//source/common/common:matchers_lib", "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", diff --git a/include/envoy/ssl/certificate_validation_context_config.h b/include/envoy/ssl/certificate_validation_context_config.h index 5011cb1226f0..0d5afb323187 100644 --- a/include/envoy/ssl/certificate_validation_context_config.h +++ b/include/envoy/ssl/certificate_validation_context_config.h @@ -8,6 +8,8 @@ #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "envoy/type/matcher/v3/string.pb.h" +#include "absl/types/optional.h" + namespace Envoy { namespace Ssl { 
@@ -69,6 +71,17 @@ class CertificateValidationContextConfig { virtual envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: TrustChainVerification trustChainVerification() const PURE; + + /** + * @return the configuration for the custom certificate validator if configured. + */ + virtual const absl::optional& + customValidatorConfig() const PURE; + + /** + * @return Api::Api& a reference to the api object. + */ + virtual Api::Api& api() PURE; }; using CertificateValidationContextConfigPtr = std::unique_ptr; diff --git a/source/common/ssl/BUILD b/source/common/ssl/BUILD index 0be754cc4809..c02d221dd528 100644 --- a/source/common/ssl/BUILD +++ b/source/common/ssl/BUILD @@ -26,6 +26,7 @@ envoy_cc_library( name = "certificate_validation_context_config_impl_lib", srcs = ["certificate_validation_context_config_impl.cc"], hdrs = ["certificate_validation_context_config_impl.h"], + external_deps = ["abseil_optional"], deps = [ "//include/envoy/api:api_interface", "//include/envoy/ssl:certificate_validation_context_config_interface", diff --git a/source/common/ssl/certificate_validation_context_config_impl.cc b/source/common/ssl/certificate_validation_context_config_impl.cc index 2f4a1ac8bc84..151339bdacf3 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.cc +++ b/source/common/ssl/certificate_validation_context_config_impl.cc 
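Review bot: `api()` is declared non-const on an interface that the new factory path only hands out as `const CertificateValidationContextConfig*` (see `createCertValidator` in factory.h), so a validator that needs `Api` to read a trust bundle from disk cannot call it through that pointer; declare it `virtual Api::Api& api() const PURE;` and adjust the impl override to match. `Api::Api` is referenced without a visible `#include "envoy/api/api.h"`; it may already be included above line 8, which is outside this hunk, otherwise it should be added. The accessor's doc comment should also say why a validation-context config exposes an `Api` at all, which from spiffe_validator.cc is filesystem access for `DataSource`-backed bundles: `// Used by custom validators to load DataSource-backed trust material.`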
@@ -32,7 +32,12 @@ CertificateValidationContextConfigImpl::CertificateValidationContextConfigImpl( verify_certificate_spki_list_(config.verify_certificate_spki().begin(), config.verify_certificate_spki().end()), allow_expired_certificate_(config.allow_expired_certificate()), - trust_chain_verification_(config.trust_chain_verification()) { + trust_chain_verification_(config.trust_chain_verification()), + custom_validator_config_( + config.has_custom_validator_config() + ? absl::make_optional( + config.custom_validator_config()) + : absl::nullopt), api_(api) { if (ca_cert_.empty()) { if (!certificate_revocation_list_.empty()) { throw EnvoyException(fmt::format("Failed to load CRL from {} without trusted CA", diff --git a/source/common/ssl/certificate_validation_context_config_impl.h b/source/common/ssl/certificate_validation_context_config_impl.h index 1636c2ed0713..211385f235dd 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.h +++ b/source/common/ssl/certificate_validation_context_config_impl.h @@ -44,6 +44,15 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte return trust_chain_verification_; } + const absl::optional& + customValidatorConfig() const override { + return custom_validator_config_; + } + + Api::Api& api() override{ + return api_; + } + private: const std::string ca_cert_; const std::string ca_cert_path_; @@ -56,6 +65,8 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte const bool allow_expired_certificate_; const envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: TrustChainVerification trust_chain_verification_; + const absl::optional custom_validator_config_; + Api::Api& api_; }; } // namespace Ssl diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD index 9b7e0aaca992..97651ec9f0b1 100644 
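Review bot: `api_` is stored as an `Api::Api&` captured from a constructor argument, so the config object now carries a dangling reference if it outlives the `Api` it was built with; nothing in the hunk documents that requirement and every other member here is an owned value. Add `// Not owned; must outlive this config object.` beside `Api::Api& api_;`. `Api::Api& api() override{` also breaks the file's brace spacing and should read `Api::Api& api() override { return api_; }`, and it should be `const` once the interface method is, so the accessor is usable through the `const` pointers the validator factory receives.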
--- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD @@ -12,23 +12,31 @@ envoy_cc_library( name = "cert_validator_lib", srcs = [ "default_validator.cc", + "factory.cc", + "spiffe_validator.cc", ], hdrs = [ "cert_validator.h", "default_validator.h", + "factory.h", + "spiffe_validator.h", ], external_deps = [ "ssl", + "abseil_base", + "abseil_hash", ], - # TLS is core functionality. visibility = ["//visibility:public"], deps = [ "//include/envoy/ssl:context_config_interface", "//include/envoy/ssl:ssl_socket_extended_info_interface", "//source/common/common:assert_lib", "//source/common/common:base64_lib", + "//source/common/common:c_smart_ptr_lib", "//source/common/common:hex_lib", "//source/common/common:utility_lib", + "//source/common/config:datasource_lib", + "//source/common/config:utility_lib", "//source/common/stats:symbol_table_lib", "//source/common/stats:utility_lib", "//source/extensions/transport_sockets/tls:stats_lib", diff --git a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h b/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h index e5ae5b2c1678..9b55c1cf6fa1 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h @@ -18,7 +18,6 @@ #include "extensions/transport_sockets/tls/stats.h" -#include "absl/synchronization/mutex.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index 7d4c63e88cd4..d935be9ca89e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc 
@@ -6,6 +6,7 @@ #include #include +#include "envoy/registry/registry.h" #include "envoy/network/transport_socket.h" #include "envoy/ssl/context.h" #include "envoy/ssl/context_config.h" @@ -25,6 +26,7 @@ #include "common/stats/utility.h" #include "extensions/transport_sockets/tls/cert_validator/cert_validator.h" +#include "extensions/transport_sockets/tls/cert_validator/factory.h" #include "extensions/transport_sockets/tls/stats.h" #include "extensions/transport_sockets/tls/utility.h" @@ -470,6 +472,18 @@ size_t DefaultCertValidator::daysUntilFirstCertExpires() const { return Utility::getDaysUntilExpiration(ca_cert_.get(), time_source_); } +class DefaultCertValidatorFactory : public CertValidatorFactory { +public: + CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, + SslStats& stats, TimeSource& time_source) override { + return std::make_unique(config, stats, time_source); + } + + absl::string_view name() override { return "envoy.tls.cert_validator.default"; } +}; + +REGISTER_FACTORY(DefaultCertValidatorFactory, CertValidatorFactory); + } // namespace Tls } // namespace TransportSockets } // namespace Extensions diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.cc b/source/extensions/transport_sockets/tls/cert_validator/factory.cc new file mode 100644 index 000000000000..3ab5267ad435 --- /dev/null +++ b/source/extensions/transport_sockets/tls/cert_validator/factory.cc 
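Review bot: The registered name `"envoy.tls.cert_validator.default"` is also spelled out as a literal in `getCertValidatorName` (factory.cc); the two must stay byte-identical or every context without a `custom_validator_config` throws "Failed to get certificate validator factory" at startup, so hoist it into one constant in factory.h, e.g. `constexpr absl::string_view DefaultCertValidatorName = "envoy.tls.cert_validator.default";`, and use it in both places. The new `#include "envoy/registry/registry.h"` is inserted ahead of `envoy/network/transport_socket.h`, breaking the sorted order the surrounding includes keep. A class comment would help readers of the registry: `// Factory for the built-in validator; selected whenever no custom_validator_config names another one.`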
@@ -0,0 +1,19 @@
+#include "extensions/transport_sockets/tls/cert_validator/factory.h"
+
+#include "envoy/ssl/context_config.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+std::string getCertValidatorName(const Envoy::Ssl::CertificateValidationContextConfig* config) {
+ return config != nullptr && config->customValidatorConfig().has_value()
+ ? config->customValidatorConfig().value().name()
+ : "envoy.tls.cert_validator.default";
+};
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/extensions/transport_sockets/tls/cert_validator/factory.h
new file mode 100644
index 000000000000..d2a090e018af
--- /dev/null
+++ b/source/extensions/transport_sockets/tls/cert_validator/factory.h
@@ -0,0 +1,35 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+#include "envoy/ssl/context_config.h"
+#include "common/common/utility.h"
+
+#include "extensions/transport_sockets/tls/cert_validator/cert_validator.h"
+#include "extensions/transport_sockets/tls/stats.h"
+
+#include "absl/strings/string_view.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+std::string getCertValidatorName(const Envoy::Ssl::CertificateValidationContextConfig* config);
+
+class CertValidatorFactory {
+public:
+ virtual ~CertValidatorFactory() = default;
+
+ virtual CertValidatorPtr
+ createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats,
+ TimeSource& time_source) PURE;
+
+ virtual absl::string_view name() PURE;
+
+ std::string category() { return "envoy.tls.cert_validator"; }
+};
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
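Review bot: `CertValidatorFactory` declares `name()` non-const and `category()` non-virtual and non-const, which differs from the shape of Envoy's other extension factories (`Config::UntypedFactory` with const `name()`/`category()`); if this class is meant to go through the same `Registry::FactoryRegistry` machinery as the rest, which context_impl.cc suggests, prefer `virtual absl::string_view name() const PURE;` and `std::string category() const`, or derive from `Config::UntypedFactory` outright. `getCertValidatorName` ends in `};`, a stray semicolon after a function body. The interface has no documentation; at minimum it should state the null contract that `getCertValidatorName` already relies on, since the name is taken straight from operator config: `// @param config may be nullptr when no validation context is configured; implementations must handle that rather than dereference unconditionally.`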
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc new file mode 100644 index 000000000000..c97186d75997 --- /dev/null +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
@@ -0,0 +1,105 @@
+#include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h"
+
+#include
+#include
+#include
+#include
+#include
+
+#include "envoy/registry/registry.h"
+#include "envoy/common/pure.h"
+#include "envoy/network/transport_socket.h"
+#include "envoy/ssl/context.h"
+#include "envoy/ssl/context_config.h"
+#include "envoy/ssl/private_key/private_key.h"
+#include "envoy/ssl/ssl_socket_extended_info.h"
+#include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h"
+
+#include "common/common/matchers.h"
+#include "common/config/utility.h"
+#include "common/stats/symbol_table_impl.h"
+#include "common/protobuf/message_validator_impl.h"
+#include "common/config/datasource.h"
+
+#include "extensions/transport_sockets/tls/stats.h"
+#include "extensions/transport_sockets/tls/cert_validator/factory.h"
+
+#include "openssl/ssl.h"
+#include "openssl/x509v3.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertValidatorConfig;
+
+SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config) {
+ if (config == nullptr) {
+ throw EnvoyException("SPIFFE validator connot be initialized from null configuration");
+ }
+
+ SPIFFEConfig message;
+ Config::Utility::translateOpaqueConfig(config->customValidatorConfig().value().typed_config(),
+ ProtobufWkt::Struct(),
+ ProtobufMessage::getStrictValidationVisitor(), message);
+
+ trust_bundle_stores_.reserve(message.trust_bundles().size());
+ for (auto& it : message.trust_bundles()) {
+ // TODO(@mathetake): check "spiffe://" prefix?
+ auto cert = Config::DataSource::read(it.second, true, config->api());
+ bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size()));
+ RELEASE_ASSERT(bio != nullptr, "");
+ bssl::UniquePtr list(
+ PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
+ if (list == nullptr) {
+ throw EnvoyException(absl::StrCat("Failed to load trusted CA certificate for ", it.first));
+ }
+
+ auto store = X509StorePtr(X509_STORE_new());
+ for (const X509_INFO* item : list.get()) {
+ if (item->x509) {
+ X509_STORE_add_cert(store.get(), item->x509);
+ }
+ if (item->crl) {
+ X509_STORE_add_crl(store.get(), item->crl);
+ }
+ }
+ store.get();
+ trust_bundle_stores_[it.first] = std::move(store);
+ }
+}
+
+void SPIFFEValidator::addClientValidationContext(SSL_CTX*, bool require_client_cert) {}
+
+void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md,
+ uint8_t hash_buffer[EVP_MAX_MD_SIZE],
+ unsigned hash_length) {}
+
+int SPIFFEValidator::initializeSslContexts(std::vector contexts,
+ bool provides_certificates) {
+ return 0;
+}
+
+int SPIFFEValidator::doVerifyCertChain(
+ X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info, X509& leaf_cert,
+ const Network::TransportSocketOptions* transport_socket_options) {
+ return 0;
+}
+
+class SPIFFEValidatorFactory : public CertValidatorFactory {
+public:
+ CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config,
+ SslStats& stats, TimeSource& time_source) override {
+ return std::make_unique(config);
+ }
+
+ absl::string_view name() override { return "envoy.tls.cert_validator.spiffe"; }
+};
+
+REGISTER_FACTORY(SPIFFEValidatorFactory, CertValidatorFactory);
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
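Review bot: `REGISTER_FACTORY(SPIFFEValidatorFactory, CertValidatorFactory)` makes `envoy.tls.cert_validator.spiffe` selectable while `doVerifyCertChain`, `initializeSslContexts` and `addClientValidationContext` are still empty stubs, so a context that names this validator gets one that never consults `trust_bundle_stores_`; if the `int` from `initializeSslContexts` is the SSL verify mode, as the default validator's contract appears to be, returning 0 would leave peer verification off entirely (that caller is outside this hunk, so worth confirming). Until the verify path lands, either drop the registration or make the constructor fail closed with `throw EnvoyException("SPIFFE validator is not implemented yet");`. In the bundle loop, `X509_STORE_add_crl` is called but nothing sets `X509_V_FLAG_CRL_CHECK` on the store, so a CRL in a bundle is loaded and never consulted; `X509_STORE_add_cert`'s return value is ignored and a PEM with zero certificates is accepted, leaving that trust domain with an empty store — check both and reject at config time with the domain name in the message. The bare `store.get();` is a no-op statement to delete, and the null-config message misspells "connot".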
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h new file mode 100644 index 000000000000..de5135f3bf13 --- /dev/null +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -0,0 +1,57 @@ +#pragma once + +#include +#include +#include +#include +#include + +#include "envoy/common/pure.h" +#include "envoy/network/transport_socket.h" +#include "envoy/ssl/context.h" +#include "envoy/ssl/context_config.h" +#include "envoy/ssl/private_key/private_key.h" +#include "envoy/ssl/ssl_socket_extended_info.h" + +#include "common/common/c_smart_ptr.h" +#include "common/common/matchers.h" +#include "common/stats/symbol_table_impl.h" + +#include "extensions/transport_sockets/tls/cert_validator/cert_validator.h" +#include "extensions/transport_sockets/tls/stats.h" + +#include "openssl/ssl.h" +#include "openssl/x509v3.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Tls { + +using X509StorePtr = CSmartPtr; + +class SPIFFEValidator : public CertValidator { +public: + SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config); + ~SPIFFEValidator() override = default; + + // Tls::CertValidator + void addClientValidationContext(SSL_CTX* context, bool require_client_cert) override; + + int doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info, + X509& leaf_cert, + const Network::TransportSocketOptions* transport_socket_options) override; + + int initializeSslContexts(std::vector contexts, bool provides_certificates) override; + + void updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md, uint8_t hash_buffer[EVP_MAX_MD_SIZE], + unsigned hash_length) override; + +private: + absl::flat_hash_map trust_bundle_stores_; +}; + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy 
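Review bot: The constructor takes a non-const `CertificateValidationContextConfig*`, but `SPIFFEValidatorFactory::createCertValidator` in spiffe_validator.cc receives the config as `const` and forwards it unchanged, so this signature cannot be called from the factory as written; declare it `explicit SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextConfig* config);`, make the definition match, and make `api()`/`customValidatorConfig()` callable on a const config. `absl::flat_hash_map` is used for `trust_bundle_stores_` without a visible `absl/container/flat_hash_map.h` include; it may arrive transitively via `common/stats/symbol_table_impl.h`, but the header should include what it uses. A one-line member comment would help: `// Trust domain name -> X509 store holding that domain's CA bundle (and any CRLs); filled once at construction.`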
diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc
index 92df19adfde4..bf85f95f647a 100644
--- a/source/extensions/transport_sockets/tls/context_impl.cc
+++ b/source/extensions/transport_sockets/tls/context_impl.cc
@@ -22,7 +22,7 @@
 #include "common/runtime/runtime_features.h"
 #include "common/stats/utility.h"
-#include "extensions/transport_sockets/tls/cert_validator/default_validator.h"
+#include "extensions/transport_sockets/tls/cert_validator/factory.h"
 #include "extensions/transport_sockets/tls/stats.h"
 #include "extensions/transport_sockets/tls/utility.h"
@@ -78,8 +78,18 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const Envoy::Ssl::ContextConfig& c
 ssl_curves_(stat_name_set_->add("ssl.curves")),
 ssl_sigalgs_(stat_name_set_->add("ssl.sigalgs")),
 capabilities_(config.capabilities()) {
- cert_validator_ = std::make_unique(config.certificateValidationContext(),
- stats_, time_source_);
+ auto cert_validator_name = getCertValidatorName(config.certificateValidationContext());
+ auto cert_validator_factory =
+ Registry::FactoryRegistry::getFactory(cert_validator_name);
+
+ if (!cert_validator_factory) {
+ throw EnvoyException(
+ absl::StrCat("Failed to get certificate validator factory for ", cert_validator_name));
+ }
+
+ cert_validator_ = cert_validator_factory->createCertValidator(
+ config.certificateValidationContext(), stats_, time_source_);
+
 const auto tls_certificates = config.tlsCertificates();
 tls_contexts_.resize(std::max(static_cast(1), tls_certificates.size()));
diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD
index e8675ccec187..7cf97a176acf 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/BUILD
+++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD
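Review bot: The lookup takes the factory name straight from `custom_validator_config.name()` and throws when nothing is registered, which correctly fails closed, but nothing here checks that `typed_config` belongs to the factory it resolved to: naming `envoy.tls.cert_validator.default` together with an arbitrary `typed_config` is accepted and the payload is silently dropped, and every other validator has to run its own strict `translateOpaqueConfig`. Consider giving `CertValidatorFactory` a `createEmptyConfigProto()` so the type URL can be validated once at this call site, or at least add `// Validators own validation of their typed_config; an unknown name fails closed here.` above the lookup. Minor: `auto cert_validator_name` hides that this is a `std::string`; `const std::string` reads better, and `auto*` makes the pointer-ness of `cert_validator_factory` visible.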
@@ -23,3 +23,15 @@ envoy_cc_test( "//test/test_common:test_runtime_lib", ], ) + +envoy_cc_test( + name = "factory_test", + srcs = [ + "factory_test.cc", + ], + data = [], + deps = [ + "//include/envoy/ssl:context_config_interface", + "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + ], +) diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc new file mode 100644 index 000000000000..fca125c7bb4b --- /dev/null +++ b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc 
@@ -0,0 +1,86 @@ +#include "extensions/transport_sockets/tls/cert_validator/factory.h" + +#include + +#include "envoy/ssl/context_config.h" + +#include "gtest/gtest.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Tls { + +class TestCertificateValidationContextConfig + : public Envoy::Ssl::CertificateValidationContextConfig { +public: + TestCertificateValidationContextConfig(envoy::config::core::v3::TypedExtensionConfig config) + : custom_validator_config_(config){}; + TestCertificateValidationContextConfig() : custom_validator_config_(absl::nullopt){}; + + const std::string& caCert() const override { + static std::string ret = ""; + return ret; + } + const std::string& caCertPath() const override { + static std::string ret = ""; + return ret; + } + const std::string& certificateRevocationList() const override { + static std::string ret = ""; + return ret; + } + const std::string& certificateRevocationListPath() const final { + static std::string ret = ""; + return ret; + } + const std::vector& verifySubjectAltNameList() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& + subjectAltNameMatchers() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& verifyCertificateHashList() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& verifyCertificateSpkiList() const override { + static std::vector ret = {}; + return ret; + } + bool allowExpiredCertificate() const override { return false; } + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: + TrustChainVerification + trustChainVerification() const override { + return envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: + TrustChainVerification:: + CertificateValidationContext_TrustChainVerification_ACCEPT_UNTRUSTED; + } + + const absl::optional& + customValidatorConfig() const override { + return custom_validator_config_; + } 
+ +private: + const absl::optional custom_validator_config_; +}; + +TEST(FactoryTest, TestGetCertValidatorName) { + EXPECT_EQ("envoy.tls.cert_validator.default", getCertValidatorName(nullptr)); + auto config = std::make_unique(); + EXPECT_EQ("envoy.tls.cert_validator.default", getCertValidatorName(config.get())); + + envoy::config::core::v3::TypedExtensionConfig custom_config = {}; + custom_config.set_name("envoy.tls.cert_validator.spiffe"); + config = std::make_unique(custom_config); + EXPECT_EQ(custom_config.name(), getCertValidatorName(config.get())); +} + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy From 521c3a66b46370c741e96aa0f4543be65f3226e1 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 1 Feb 2021 15:39:26 +0900 Subject: [PATCH 02/38] Initial impl 
Signed-off-by: Takeshi Yoneda --- .../certificate_validation_context_config.h | 3 +- .../tls/cert_validator/default_validator.cc | 26 +++-- .../tls/cert_validator/default_validator.h | 4 +- .../tls/cert_validator/factory.h | 2 +- .../tls/cert_validator/spiffe_validator.cc | 96 ++++++++++++++++--- .../tls/cert_validator/spiffe_validator.h | 8 ++ .../tls/cert_validator/BUILD | 17 ++++ .../tls/cert_validator/factory_test.cc | 7 +- .../cert_validator/spiffe_validator_test.cc | 55 +++++++++++ .../tls/test_data/keyusage_cert_sign_cert.cfg | 35 +++++++ .../tls/test_data/keyusage_cert_sign_cert.pem | 25 +++++ .../tls/test_data/keyusage_cert_sign_key.pem | 27 ++++++ .../tls/test_data/keyusage_crl_sign_cert.cfg | 35 +++++++ .../tls/test_data/keyusage_crl_sign_cert.pem | 25 +++++ .../tls/test_data/keyusage_crl_sign_key.pem | 27 ++++++ 15 files changed, 359 insertions(+), 33 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem diff --git a/include/envoy/ssl/certificate_validation_context_config.h b/include/envoy/ssl/certificate_validation_context_config.h index 0d5afb323187..5d7b32bf7662 100644 --- a/include/envoy/ssl/certificate_validation_context_config.h +++ b/include/envoy/ssl/certificate_validation_context_config.h 
@@ -4,6 +4,7 @@ #include #include +#include "envoy/api/api.h" #include "envoy/common/pure.h" #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "envoy/type/matcher/v3/string.pb.h" @@ -79,7 +80,7 @@ class CertificateValidationContextConfig { customValidatorConfig() const PURE; /** - * @return Api::Api& a reference to the api object. + * @return a reference to the api object. */ virtual Api::Api& api() PURE; }; diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index d935be9ca89e..790f48379e72 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc @@ -39,9 +39,8 @@ namespace Extensions { namespace TransportSockets { namespace Tls { -DefaultCertValidator::DefaultCertValidator( - const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& time_source) +DefaultCertValidator::DefaultCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, + SslStats& stats, TimeSource& time_source) : config_(config), stats_(stats), time_source_(time_source) { if (config_ != nullptr) { allow_untrusted_certificate_ = config_->trustChainVerification() == 
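Review bot: Dropping `const` from the `CertificateValidationContextConfig*` that `DefaultCertValidator` stores widens what a validator may do to shared configuration, and the only visible reason is that the new `api()` accessor in the header above is declared non-const. An accessor that hands back a stored reference can be `virtual Api::Api& api() const PURE;`, which keeps the validator's `config_` pointer `const` and avoids pushing the non-const signature through the factory interface and both validator implementations. The constructor body continues outside the hunk.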
@@ -142,23 +141,22 @@ int DefaultCertValidator::initializeSslContexts(std::vector contexts, } } - const Envoy::Ssl::CertificateValidationContextConfig* cert_validation_config = config_; - if (cert_validation_config != nullptr) { - if (!cert_validation_config->verifySubjectAltNameList().empty()) { - verify_subject_alt_name_list_ = cert_validation_config->verifySubjectAltNameList(); + if (config_ != nullptr) { + if (!config_->verifySubjectAltNameList().empty()) { + verify_subject_alt_name_list_ = config_->verifySubjectAltNameList(); verify_mode = verify_mode_validation_context; } - if (!cert_validation_config->subjectAltNameMatchers().empty()) { + if (!config_->subjectAltNameMatchers().empty()) { for (const envoy::type::matcher::v3::StringMatcher& matcher : - cert_validation_config->subjectAltNameMatchers()) { + config_->subjectAltNameMatchers()) { subject_alt_name_matchers_.push_back(Matchers::StringMatcherImpl(matcher)); } verify_mode = verify_mode_validation_context; } - if (!cert_validation_config->verifyCertificateHashList().empty()) { - for (auto hash : cert_validation_config->verifyCertificateHashList()) { + if (!config_->verifyCertificateHashList().empty()) { + for (auto hash : config_->verifyCertificateHashList()) { // Remove colons from the 95 chars long colon-separated "fingerprint" // in order to get the hex-encoded string. if (hash.size() == 95) { @@ -173,8 +171,8 @@ int DefaultCertValidator::initializeSslContexts(std::vector contexts, verify_mode = verify_mode_validation_context; } - if (!cert_validation_config->verifyCertificateSpkiList().empty()) { - for (const auto& hash : cert_validation_config->verifyCertificateSpkiList()) { + if (!config_->verifyCertificateSpkiList().empty()) { + for (const auto& hash : config_->verifyCertificateSpkiList()) { const auto decoded = Base64::decode(hash); if (decoded.size() != SHA256_DIGEST_LENGTH) { throw EnvoyException(absl::StrCat("Invalid base64-encoded SHA-256 ", hash)); 
@@ -474,7 +472,7 @@ size_t DefaultCertValidator::daysUntilFirstCertExpires() const { class DefaultCertValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, + CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) override { return std::make_unique(config, stats, time_source); } diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h index 104f72155d4e..c8ec6f4074f2 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h @@ -30,8 +30,8 @@ namespace Tls { class DefaultCertValidator : public CertValidator { public: - DefaultCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source); + DefaultCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + TimeSource& time_source); ~DefaultCertValidator() override = default; diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/extensions/transport_sockets/tls/cert_validator/factory.h index d2a090e018af..9153e2455668 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.h +++ b/source/extensions/transport_sockets/tls/cert_validator/factory.h @@ -21,7 +21,7 @@ class CertValidatorFactory { virtual ~CertValidatorFactory() = default; virtual CertValidatorPtr - createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + createCertValidator( Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) PURE; virtual absl::string_view name() PURE; 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index c97186d75997..d66ee07f2b43 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -16,12 +16,14 @@ #include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h" #include "common/common/matchers.h" +#include "common/common/regex.h" #include "common/config/utility.h" #include "common/stats/symbol_table_impl.h" #include "common/protobuf/message_validator_impl.h" #include "common/config/datasource.h" #include "extensions/transport_sockets/tls/stats.h" +#include "extensions/transport_sockets/tls/utility.h" #include "extensions/transport_sockets/tls/cert_validator/factory.h" #include "openssl/ssl.h" @@ -46,7 +48,6 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* trust_bundle_stores_.reserve(message.trust_bundles().size()); for (auto& it : message.trust_bundles()) { - // TODO(@mathetake): check "spiffe://" prefix? auto cert = Config::DataSource::read(it.second, true, config->api()); bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size())); RELEASE_ASSERT(bio != nullptr, ""); 
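Review bot: The removed TODO asked whether trust-bundle keys should be checked for a `spiffe://` prefix, and the hunk drops the question without adding any validation of `it.first`. Those keys become the exact lookup key that `doVerifyCertChain` matches against the trust domain parsed from the peer's URI SAN, so a bundle configured as `spiffe://example.org` (or in a different case from what the SAN carries) would never match and every peer from that domain would be rejected at runtime instead of at config load. A load-time check such as `if (absl::StartsWith(it.first, "spiffe://")) throw EnvoyException(absl::StrCat("trust domain ", it.first, " must not include the spiffe:// scheme"));` surfaces the mistake early. The constructor continues outside the hunk.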
@@ -57,40 +58,107 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* } auto store = X509StorePtr(X509_STORE_new()); + bool has_crl = false; for (const X509_INFO* item : list.get()) { if (item->x509) { X509_STORE_add_cert(store.get(), item->x509); } if (item->crl) { + has_crl = true; X509_STORE_add_crl(store.get(), item->crl); } } - store.get(); + if (has_crl) { + X509_STORE_set_flags(store.get(), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + } trust_bundle_stores_[it.first] = std::move(store); } } -void SPIFFEValidator::addClientValidationContext(SSL_CTX*, bool require_client_cert) {} +void SPIFFEValidator::addClientValidationContext(SSL_CTX*, bool) { /* TODO */ +} -void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md, - uint8_t hash_buffer[EVP_MAX_MD_SIZE], - unsigned hash_length) {} +void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX&, uint8_t[EVP_MAX_MD_SIZE], + unsigned) { /* TODO */ +} -int SPIFFEValidator::initializeSslContexts(std::vector contexts, - bool provides_certificates) { - return 0; +int SPIFFEValidator::initializeSslContexts(std::vector, bool) { return SSL_VERIFY_PEER; } + +int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo*, + X509& leaf_cert, const Network::TransportSocketOptions*) { + if (!SPIFFEValidator::certificatePrecheck(&leaf_cert)) { + return 0; + } + + bssl::UniquePtr san_names(static_cast( + X509_get_ext_d2i(&leaf_cert, NID_subject_alt_name, nullptr, nullptr))); + + if (san_names == nullptr) { + return 0; + } + + std::string trust_domain; + for (const GENERAL_NAME* general_name : san_names.get()) { + const std::string san = Utility::generalNameAsString(general_name); + trust_domain = SPIFFEValidator::extractTrustDomain(san); + // we can assume that valid SVIDs have only one san + break; + } + + if (trust_domain.empty()) { + return 0; + } + + auto target_store = trust_bundle_stores_.find(trust_domain); + if 
(target_store == trust_bundle_stores_.end()) { + // unregisterd trust domain + return 0; + } + + store_ctx->ctx = target_store->second.get(); + return X509_verify_cert(store_ctx); } -int SPIFFEValidator::doVerifyCertChain( - X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info, X509& leaf_cert, - const Network::TransportSocketOptions* transport_socket_options) { +int SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { + // Check basic constrains and key usage + // https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#52-leaf-validation + auto ext = X509_get_extension_flags(leaf_cert); + if (ext & EXFLAG_CA) { + return 0; + } + + auto us = X509_get_key_usage(leaf_cert); + return !(us & KU_CRL_SIGN) && !(us & KU_KEY_CERT_SIGN); +} + +std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { + static const std::regex reg = Envoy::Regex::Utility::parseStdRegex("spiffe:\\/\\/([^\\/]+)\\/"); + std::smatch m; + if (!std::regex_search(san, m, reg) || m.size() < 2) { + return ""; + } + return m[1]; +} + +size_t SPIFFEValidator::daysUntilFirstCertExpires() const { + /* TODO */ return 0; } +std::string SPIFFEValidator::getCaFileName() const { + /* TODO */ + return ""; +} + +Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const { + /* TODO */ + return nullptr; +}; + class SPIFFEValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) override { + CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, + SslStats&, TimeSource&) override { return std::make_unique(config); } diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index de5135f3bf13..80bf1c4ee187 100644 
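Review bot: In `doVerifyCertChain`, assigning `store_ctx->ctx = target_store->second.get()` after the context was already initialised against the SSL_CTX's default store most likely means the CRL flags set on the per-domain store are never applied: as far as I can tell `X509_STORE_CTX_init` copies the store's verify parameters into the context at init time, so the `X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL` set in the constructor does not reach the `X509_verify_cert` call and a revoked SVID would still pass. Initialising a fresh context from the selected store, as below, lets that store's parameters apply and avoids writing to the context's internals. Separately, the SAN loop takes the first name of whatever type and `extractTrustDomain` uses an unanchored `std::regex_search`, so `spiffe://` appearing inside a DNS or email SAN would be accepted as the trust domain; skip entries with `general_name->type != GEN_URI` and anchor the pattern with `^`. The function also returns 0 without recording a reason on `store_ctx`, so failures reach the handshake log with no usable error.
```cpp
  auto target_store = trust_bundle_stores_.find(trust_domain);
  if (target_store == trust_bundle_stores_.end()) {
    // unregistered trust domain
    return 0;
  }

  // Verify in a context owned by the selected trust domain's store so that the
  // store's own verify parameters (including the CRL flags set in the
  // constructor) are inherited instead of the default store's.
  bssl::UniquePtr<X509_STORE_CTX> verify_ctx(X509_STORE_CTX_new());
  if (verify_ctx == nullptr ||
      !X509_STORE_CTX_init(verify_ctx.get(), target_store->second.get(), &leaf_cert,
                           X509_STORE_CTX_get0_untrusted(store_ctx))) {
    return 0;
  }
  const int ret = X509_verify_cert(verify_ctx.get());
  if (ret != 1) {
    // Surface the real failure reason on the caller's context for logging.
    X509_STORE_CTX_set_error(store_ctx, X509_STORE_CTX_get_error(verify_ctx.get()));
  }
  return ret;
```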
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -47,6 +47,14 @@ class SPIFFEValidator : public CertValidator { void updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md, uint8_t hash_buffer[EVP_MAX_MD_SIZE], unsigned hash_length) override; + size_t daysUntilFirstCertExpires() const override; + std::string getCaFileName() const override; + Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; + + // utility functions + static std::string extractTrustDomain(const std::string& san); + static int certificatePrecheck(X509* leaf_cert); + private: absl::flat_hash_map trust_bundle_stores_; }; diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD index 7cf97a176acf..fe94728e80a3 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD @@ -24,6 +24,22 @@ envoy_cc_test( ], ) +envoy_cc_test( + name = "spiffe_validator_test", + srcs = [ + "spiffe_validator_test.cc", + ], + data = [ + "//test/extensions/transport_sockets/tls/test_data:certs", + ], + deps = [ + "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//test/test_common:environment_lib", + "//test/test_common:test_runtime_lib", + ], +) + envoy_cc_test( name = "factory_test", srcs = [ @@ -33,5 +49,6 @@ envoy_cc_test( deps = [ "//include/envoy/ssl:context_config_interface", "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//test/mocks/api:api_mocks", ], ) diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc index fca125c7bb4b..7f637b2fdfdc 100644 
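Review bot: `certificatePrecheck` is declared as returning `int` although every use in this series treats it as a yes/no answer (the `.cc` returns `!(us & KU_CRL_SIGN) && !(us & KU_KEY_CERT_SIGN)` and the caller writes `if (!certificatePrecheck(...))`); `static bool certificatePrecheck(X509* leaf_cert);` says what it means and stops a reader from mistaking it for an OpenSSL-style status code. Both new helpers are also undocumented; I would add `// Returns the trust domain of a SPIFFE ID such as "spiffe://example.org/workload", or "" when san does not parse.` above `extractTrustDomain` and `// True when leaf_cert satisfies the X509-SVID leaf constraints (not a CA, no keyCertSign/cRLSign).` above `certificatePrecheck`. The class body continues outside the hunk.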
--- a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc @@ -4,6 +4,8 @@ #include "envoy/ssl/context_config.h" +#include "test/mocks/api/mocks.h" + #include "gtest/gtest.h" namespace Envoy { @@ -65,7 +67,10 @@ class TestCertificateValidationContextConfig return custom_validator_config_; } + Api::Api& api() override { return api_; } + private: + Api::MockApi api_; const absl::optional custom_validator_config_; }; @@ -76,7 +81,7 @@ TEST(FactoryTest, TestGetCertValidatorName) { envoy::config::core::v3::TypedExtensionConfig custom_config = {}; custom_config.set_name("envoy.tls.cert_validator.spiffe"); - config = std::make_unique(custom_config); + config.reset(new TestCertificateValidationContextConfig(custom_config)); EXPECT_EQ(custom_config.name(), getCertValidatorName(config.get())); } diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc new file mode 100644 index 000000000000..da0ee4608966 --- /dev/null +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc 
@@ -0,0 +1,55 @@ +#include +#include + +#include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" + +#include "test/extensions/transport_sockets/tls/ssl_test_utility.h" +#include "test/test_common/environment.h" +#include "test/test_common/test_runtime.h" +#include "test/test_common/utility.h" + +#include "gtest/gtest.h" +#include "openssl/x509v3.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Tls { + +TEST(SPIFFEValidator, TestExtractTrustDomain) { + EXPECT_EQ("abc.com", SPIFFEValidator::extractTrustDomain("spiffe://abc.com/")); + EXPECT_EQ("dev.envoy.com", + SPIFFEValidator::extractTrustDomain("spiffe://dev.envoy.com/workload1")); + EXPECT_EQ("k8s-west.example.com", SPIFFEValidator::extractTrustDomain( + "spiffe://k8s-west.example.com/ns/staging/sa/default")); +} + +TEST(SPIFFEValidator, TestCertificatePrecheck) { + bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( + // basicConstraints: CA:True, + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); + EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + + cert = readCertFromFile(TestEnvironment::substitute( + // basicConstraints CA:False, keyUsage has keyCertSign + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem")); + EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + + cert = readCertFromFile(TestEnvironment::substitute( + // basicConstraints CA:False, keyUsage has cRLSign + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem")); + EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + + cert = readCertFromFile(TestEnvironment::substitute( + // basicConstraints CA:False, keyUsage does not have keyCertSign and cRLSign + // should be considered valid (i.e. 
return 1) + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + EXPECT_EQ(1, SPIFFEValidator::certificatePrecheck(cert.get())); +} + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg new file mode 100644 index 000000000000..b5daa7d2ca7d --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.cfg @@ -0,0 +1,35 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +countryName_default = US +stateOrProvinceName = California +stateOrProvinceName_default = California +localityName = San Francisco +localityName_default = San Francisco +organizationName = Lyft +organizationName_default = Lyft +organizationalUnitName = Lyft Engineering +organizationalUnitName_default = Lyft Engineering +commonName = Test Cert +commonName_default = Test Cert +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign +extendedKeyUsage = clientAuth, serverAuth +subjectKeyIdentifier = hash +1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something +1.2.3.4.5.6.7.9 = DER:30:03:01:01:FF + +[v3_ca] +basicConstraints = critical, CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyCertSign +extendedKeyUsage = clientAuth, serverAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something +1.2.3.4.5.6.7.9 = DER:30:03:01:01:FF \ No newline at end of file diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem new file mode 100644 index 000000000000..e6a465f9c9a1 --- /dev/null 
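Review bot: `TestExtractTrustDomain` exercises only well-formed inputs, so it would not catch a regression in the rejection path the validator relies on to fail closed when no trust bundle matches. Add cases that must return `""`: a non-SPIFFE URI (`"https://abc.com/"`) and an ID with no path (`"spiffe://abc.com"`), plus a string where the scheme appears mid-way (`"foo spiffe://abc.com/"`), which the current unanchored `regex_search` turns into `"abc.com"` and which should be pinned to whichever behaviour is intended, since the result selects the trust bundle used for verification.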
+++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCAwygAwIBAgIUEsrhIGfn5HWMHmXqN//+MkKNzlowDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAxMDYzNjExWhcNMjMw +MjAxMDYzNjExWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvmYfQM1vForFFYeCg73EvFHXjGFtUjdY6cVN +kOYFXHkRS0cLvLmNmDK28xlvmFcf5Igxm1yco6PK2MrArfDuZ1l6jMcwmYbe5Ln0 +ZLzTt/FF5QlUwoqm0KIzubaZ37wKr0TSaQnOheBGeMLovM++BbZs+YE92yLzgp+p +g116pHPhoIR6nIDl644yaoQilEH+xnEOKpZ0P9KOLPdRIh47CVSeSDBspunEPO2/ +1Pc047cbvjHR426xBLplddpdwgZU9fVOgW2fFpIkHh7lZ3gu2ab+M8cHHW7Iy7rj +sfMn9poYSrRAiZOUYcP2MVIFDxEfg2NJo37bmU4QhJy6GiR24QIDAQABo4GnMIGk +MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgLkMB0GA1UdJQQWMBQGCCsGAQUFBwMC +BggrBgEFBQcDATAdBgNVHQ4EFgQUGAeDFYXu6DZt6cHqONVSYBVpPfAwHwYDVR0j +BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKmVaItLkrC3 +AyXsN6n37PjLJQNq0tHu8xVa9qy3BStvl4Wjs6WY8QQE+ms75b1OXmDvW/VI2xkd +gu0sWyyUjEMjtKXPNhh/IfCJ6LeMbV/n0XvJRgG0L3QZQs94G/BjH4EeE8WsLHtq +SknT3LJ2MR72cPATIHdkRS/VEicpCzqBFg+IvHn1kqOFjPD+ISsoLxmaHeNCs8Rl +l2WyEY0moykLQjHRI1ssnoDQGeMPwEmABo4NZyga4YE+MolDkdYIb+bNDGT6Nlaq +AOUDNTAaGsCC3G01lrn8YeUHQS6D+06agqSk6G8YMLyaWBUwH7/Dvv9rIIGpIbmo +TFTDqZE2ugA= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem new file mode 100644 index 000000000000..5cd64b00be59 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvmYfQM1vForFFYeCg73EvFHXjGFtUjdY6cVNkOYFXHkRS0cL +vLmNmDK28xlvmFcf5Igxm1yco6PK2MrArfDuZ1l6jMcwmYbe5Ln0ZLzTt/FF5QlU +woqm0KIzubaZ37wKr0TSaQnOheBGeMLovM++BbZs+YE92yLzgp+pg116pHPhoIR6 +nIDl644yaoQilEH+xnEOKpZ0P9KOLPdRIh47CVSeSDBspunEPO2/1Pc047cbvjHR +426xBLplddpdwgZU9fVOgW2fFpIkHh7lZ3gu2ab+M8cHHW7Iy7rjsfMn9poYSrRA +iZOUYcP2MVIFDxEfg2NJo37bmU4QhJy6GiR24QIDAQABAoIBAGaGYynn9Xuz+fBf +6d264CdwApurEs0E1LH89omh8x0abD+W4DEd0as1E+LPvZHQyHGtDNlWA1ryphYb +B6oiZJ3uRtlroTXqtDeCEqH0NCWGnFZ6sdOYCb+quCO2uiEKBs7eRlcdWsIoRIpe +miihzPcShpfMClzn8yxRgVwliBbpCTuynz6zj7uJy7Xjzopk2QR7di9JVsMvK+Wy +XDAcxySFKTayJZHIvC5gdXY+KlrwESoP7ocnuoG/DQmVGaLqS8twf7lbyuyG8DKg +bT6lAQYIbG+j1mWZQiJ4DAba8+ZVpcCbs45dOR5pCddZ/WCHXrur2XClnHZnMQ9C +0CjQsAkCgYEA68fATDo+rWNAZEgmV4r/wuuwlGxCFbismqrZ/z/+wVFMJiMFeUqu +qHBwnq7fKelNLqw9GSAyQkNSz/04Tlef99pP6SxSwVcE3HrFOr/qREJqHFttn2ar +gwhGL9GLecZyULD0WcdhplNAa2T8Ms6LxSkT8xJtXDzSsIWpKG21gCMCgYEAzroV +Cz/eNijbWq3TAMYPeSvzoI/6k5/t0zTTnkQxRKNMZj4vUNLZWfzxKyPVVEB8cB+K +1d9/Gds7kwd7Oh0V1lAQCdCTGE06HNdx+8q/9UaiJavV6mURly+3RyT24w/OFqAx +/nNDj7Jtmo0qxQuwyCT8ysKxnkOS1sIPj1Nu2ysCgYAF+N1KEP+dbLIo2BsAhKjN +yyKB3+wcmLzmfgVfjcNqKiD/pktxMw8RfSedHVjRuvMVh49Un5gmTYY/dm6CrX2D +zafQhCrkcsvQudtdDZdlezks1rQEIZmejAsbEvexcfFbUeAelgpHKDyte7VXpBuu +NsgmlATpHTFI/1m1iHHceQKBgDz0aVgT0PWvPl6SenDz9YQJDaD+UyhMM9fe77bu +7IgMjm5nT5RJV4VNK99IhZJ+ITL+WfWOHPAG0J4dypvsD5BNsyzxry2vN79hV16i +/c7YsN7iuASRIIqvqx7zK0jwVBgfzB325qjsN50mmsHXHJ0nKtKubaj4y8c/GU9t +jnZZAoGAN6Z2AyBWuonC/4jZPPfTXfdlbxpbwUIjtnO17nKwsldcTKBbOzDdhj2T +3ilN2g3sDldm0TJiFyUgmxbp1Nc/IrETSl4xHZLcizbofZraLBnK+VGIq6FHUoN2 +AbChbvVKRtz0iQ+j9930fbq8rCB0KidQcORg8+tnfsMqoCJ9fu4= +-----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg new file mode 100644 index 000000000000..3a3e3d04cbd8 --- /dev/null 
+++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.cfg @@ -0,0 +1,35 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +countryName_default = US +stateOrProvinceName = California +stateOrProvinceName_default = California +localityName = San Francisco +localityName_default = San Francisco +organizationName = Lyft +organizationName_default = Lyft +organizationalUnitName = Lyft Engineering +organizationalUnitName_default = Lyft Engineering +commonName = Test Cert +commonName_default = Test Cert +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, cRLSign +extendedKeyUsage = clientAuth, serverAuth +subjectKeyIdentifier = hash +1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something +1.2.3.4.5.6.7.9 = DER:30:03:01:01:FF + +[v3_ca] +basicConstraints = critical, CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, cRLSign +extendedKeyUsage = clientAuth, serverAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +1.2.3.4.5.6.7.8 = ASN1:UTF8String:Something +1.2.3.4.5.6.7.9 = DER:30:03:01:01:FF \ No newline at end of file diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem new file mode 100644 index 000000000000..8b57cc2c3aec --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJDCCAwygAwIBAgIUEsrhIGfn5HWMHmXqN//+MkKNzlswDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAxMDYzNjExWhcNMjMw +MjAxMDYzNjExWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFo8H/NuNdB6MvktAsTNvn9yIiPibm2/29c4 +9drq7wBKJAGNxcy4YnovQ8LHxXFv9pu9bUniPjShWF6Kw6yGwQsTaE3z4+BG63a+ +ryrBNLor0zmgbElo4nMpdrHUDKca1vDqPp1T+nF9gGmkvp4RbFG4cTjBRhl0SkgO +h5EUzjhWKzi9g+IZea5+GrzgqVadzazH91pjX2SmeDRZo+7KfsZzAhWE/RM6l8Jk +5dV7RtA5mjYIet8DZQHYNgcXZRjvcdJPACk55i09nQjJ2baaLVVek1K9AXKfM6EL +kwbJrOLY2uCTFES2bbm+dI6n4qKe+Ypz+BASrDhC6mpp3VJ71QIDAQABo4GnMIGk +MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgHiMB0GA1UdJQQWMBQGCCsGAQUFBwMC +BggrBgEFBQcDATAdBgNVHQ4EFgQU4y+0Gay4Da0IuXDx6CfunT/4rlYwHwYDVR0j +BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABRvbUIQkEI8 +2hpCw037eRNdHo/TUyg9hUEHR36MQBkk6tcsAeZAiiqkjR9M7mGRTW/Mr5nDuSA3 +Sq1l4ZVd11yG/LYLhB6fyyrg6kW2XXK77yLWsIT+tXNpe4pNX0Hb56I8vLs+oeg4 +B/o22RPzCYrXst9/FGxy8OheAt10qfU030XNaOUhNepXIAPKxhrFplDm03Vp2mtN +kX/vwW1vZ8G//U/7dSrnMoqecPM2pib45ohGDWr8OkElNLO6hSbeZ2cwTYPsQG19 +3YvkxVpvywzysylQgpYsEblh1ykMIJIqifyXwzhjB0XVrzY+9jWeqtUY0jrbHil2 +IH+aBJtqgzo= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem new file mode 100644 index 000000000000..e74cafb8b59b --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAtFo8H/NuNdB6MvktAsTNvn9yIiPibm2/29c49drq7wBKJAGN +xcy4YnovQ8LHxXFv9pu9bUniPjShWF6Kw6yGwQsTaE3z4+BG63a+ryrBNLor0zmg +bElo4nMpdrHUDKca1vDqPp1T+nF9gGmkvp4RbFG4cTjBRhl0SkgOh5EUzjhWKzi9 +g+IZea5+GrzgqVadzazH91pjX2SmeDRZo+7KfsZzAhWE/RM6l8Jk5dV7RtA5mjYI +et8DZQHYNgcXZRjvcdJPACk55i09nQjJ2baaLVVek1K9AXKfM6ELkwbJrOLY2uCT +FES2bbm+dI6n4qKe+Ypz+BASrDhC6mpp3VJ71QIDAQABAoIBAASkef28j261MiAT +x/PVSxKHR1HXqKF9E749+QpjGz8Ru9bXb2XTEj/+sy7EWc4cUGyBr8ubZkaBplGX +BW1qCIH5ngNGVmvcPxcalGf/6r9Ht48VYarH7Po/SqbyhunYd1lnFDCObjX5K+jd +T09U1E/8fonzkw4R46tx1WXp9yYjxArBFTyxu05v8UDHJlczZZ+An6kFMCIEfCVp +sDHBgHnvSUq7xyDYxOQyfT7m2UQ5bkx6ncSZuwTIBHUtUV4YWTLPZ6G50wKCUsz4 +P/JVoYitxc92jdd0QLE43Tpvnb8Nx9csSKBK2IwVIuDZX5ASD4FrEo3KZacLomlm +aiVh/WECgYEA3aY/qWLnWpK2zxosNE0JUF+KUDW4SQcUb7xezBYNZX7QT9nTvHIC +OCQhNuuKnFR522+ZCSaTwpmyJORkws/9TOM7DsFD6zw/AmMY0v1V6+VyHgvJMWv5 +qQW0TVV6XCvdTENmZPtDQpCdHUAY05eWQWn6xR7WU5o+rR8Dgko6bF0CgYEA0E2Q +1B/sBqdY2YjGOPp2wa9ZYEoUCvy3Exaa4sUC5VAe7F97nt6LNP01OBXleiynoDDZ +DWi0UiroUsb4SgyTxn9TDHrEav1+WHgli1WJhWnVN4pdfezdjH2CJa/9msZxToiW +SLfQnSZ0WKvZKYIwsp5/JYlpyJAvsKYZIFv9FdkCgYEAjTiLf0UA2vh3eWTXnUso +EAmPeqN/kyfroXWHgMjcKDqwRvAms/5/431BnFherFQ2f9WO0AHAS1DZ7B+JA4a5 +gO+WhUQmHg74pnC1NFktEWvTVcl0mwSMwWBdDJjVqTxZd2nKJ7Tfmd3B/Q0FxGrk +1TDNEiMfs4ynOm50MeNRbhECgYA/eDL1/5gKWvlepydG+0IuOACyrz+2LVSXM18U +U9VTC/uwKFPhj4u5JKIPqdRXSr30uI2aYVn4Y2yQtGG5JmXsqKUke0/YDc9uo4VF +FFYn2ZyHJNjh4seK5D9AvoQ2odqqhEHOfHvLNoli71HnLO0rr9GsHVenLg/p8mJb +ksvl2QKBgA5K3GNulEOOl04BSRyVFaDhBxR05cYsykCHgayreLLRejNVdhCf1UF6 +XmV00A/avxvkPtBe5VODsQGnfHyiov5IcuGfEBodp34KtjdDNav6sQkRUSazGRJk +DMHvUPr++L7aaAuR57SpvctLZ5qv+jPFNoZudEp+qX8LJpm/dMjV +-----END RSA PRIVATE KEY----- From d82ca2c3ac30fe195118ac932991dd3d6cb32ca3 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 1 Feb 2021 18:17:21 +0900 Subject: [PATCH 03/38] Test 
Signed-off-by: Takeshi Yoneda --- ...tificate_validation_context_config_impl.cc | 3 +- ...rtificate_validation_context_config_impl.h | 4 +- .../tls/cert_validator/BUILD | 1 + .../tls/cert_validator/default_validator.cc | 2 +- .../tls/cert_validator/factory.h | 3 +- .../tls/cert_validator/spiffe_validator.cc | 29 +++---- .../tls/cert_validator/spiffe_validator.h | 5 ++ .../tls/cert_validator/BUILD | 17 +++- .../tls/cert_validator/factory_test.cc | 67 +--------------- .../cert_validator/spiffe_validator_test.cc | 22 ++++++ .../tls/cert_validator/util.h | 77 +++++++++++++++++++ 11 files changed, 143 insertions(+), 87 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/cert_validator/util.h diff --git a/source/common/ssl/certificate_validation_context_config_impl.cc b/source/common/ssl/certificate_validation_context_config_impl.cc index 151339bdacf3..a8a50fa01482 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.cc +++ b/source/common/ssl/certificate_validation_context_config_impl.cc @@ -37,7 +37,8 @@ CertificateValidationContextConfigImpl::CertificateValidationContextConfigImpl( config.has_custom_validator_config() ? absl::make_optional( config.custom_validator_config()) - : absl::nullopt), api_(api) { + : absl::nullopt), + api_(api) { if (ca_cert_.empty()) { if (!certificate_revocation_list_.empty()) { throw EnvoyException(fmt::format("Failed to load CRL from {} without trusted CA", diff --git a/source/common/ssl/certificate_validation_context_config_impl.h b/source/common/ssl/certificate_validation_context_config_impl.h index 211385f235dd..da15a49c1078 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.h +++ b/source/common/ssl/certificate_validation_context_config_impl.h 
@@ -49,9 +49,7 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte return custom_validator_config_; } - Api::Api& api() override{ - return api_; - } + Api::Api& api() override { return api_; } private: const std::string ca_cert_; diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD index 97651ec9f0b1..7dc295405d2b 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD @@ -41,5 +41,6 @@ envoy_cc_library( "//source/common/stats:utility_lib", "//source/extensions/transport_sockets/tls:stats_lib", "//source/extensions/transport_sockets/tls:utility_lib", + "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index 790f48379e72..e0afb01d8e39 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc @@ -6,8 +6,8 @@ #include #include -#include "envoy/registry/registry.h" #include "envoy/network/transport_socket.h" +#include "envoy/registry/registry.h" #include "envoy/ssl/context.h" #include "envoy/ssl/context_config.h" #include "envoy/ssl/private_key/private_key.h" diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/extensions/transport_sockets/tls/cert_validator/factory.h index 9153e2455668..6a87fc5b0d7d 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/factory.h +++ b/source/extensions/transport_sockets/tls/cert_validator/factory.h 
@@ -2,6 +2,7 @@ #include "envoy/common/pure.h" #include "envoy/ssl/context_config.h" + #include "common/common/utility.h" #include "extensions/transport_sockets/tls/cert_validator/cert_validator.h" @@ -21,7 +22,7 @@ class CertValidatorFactory { virtual ~CertValidatorFactory() = default; virtual CertValidatorPtr - createCertValidator( Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) PURE; virtual absl::string_view name() PURE; diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index d66ee07f2b43..7c20ca2073eb 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
@@ -6,25 +6,25 @@ #include #include -#include "envoy/registry/registry.h" #include "envoy/common/pure.h" +#include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h" #include "envoy/network/transport_socket.h" +#include "envoy/registry/registry.h" #include "envoy/ssl/context.h" #include "envoy/ssl/context_config.h" #include "envoy/ssl/private_key/private_key.h" #include "envoy/ssl/ssl_socket_extended_info.h" -#include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h" #include "common/common/matchers.h" #include "common/common/regex.h" +#include "common/config/datasource.h" #include "common/config/utility.h" -#include "common/stats/symbol_table_impl.h" #include "common/protobuf/message_validator_impl.h" -#include "common/config/datasource.h" +#include "common/stats/symbol_table_impl.h" +#include "extensions/transport_sockets/tls/cert_validator/factory.h" #include "extensions/transport_sockets/tls/stats.h" #include "extensions/transport_sockets/tls/utility.h" -#include "extensions/transport_sockets/tls/cert_validator/factory.h" #include "openssl/ssl.h" #include "openssl/x509v3.h" @@ -90,11 +90,16 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtend return 0; } - bssl::UniquePtr san_names(static_cast( - X509_get_ext_d2i(&leaf_cert, NID_subject_alt_name, nullptr, nullptr))); + auto trust_bundle = getTrustBundleStore(&leaf_cert); + store_ctx->ctx = trust_bundle; + return X509_verify_cert(store_ctx); +} +X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { + bssl::UniquePtr san_names(static_cast( + X509_get_ext_d2i(leaf_cert, NID_subject_alt_name, nullptr, nullptr))); if (san_names == nullptr) { - return 0; + return nullptr; } std::string trust_domain; 
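Review bot: getTrustBundleStore() now returns nullptr for a leaf with no SAN, no trust domain, or an unregistered domain, yet doVerifyCertChain() writes the result straight into `store_ctx->ctx` and calls X509_verify_cert() without checking it, so those three rejection paths dereference a null store instead of failing the chain; a guard `if (trust_bundle == nullptr) { return 0; }` is needed before the assignment (a later patch in this series adds exactly that). Assigning the `ctx` member of X509_STORE_CTX directly also relies on the struct layout being public; initialising a fresh X509_STORE_CTX against `trust_bundle` with X509_STORE_CTX_init, as the tests on this page do, would keep the code on the stable API if the caller does not need `store_ctx` itself to carry the result. A blank line is also missing between the closing brace of doVerifyCertChain and the new `X509_STORE* SPIFFEValidator::getTrustBundleStore` definition. getTrustBundleStore's body continues in the next hunk.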
@@ -106,17 +111,15 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtend } if (trust_domain.empty()) { - return 0; + return nullptr; } auto target_store = trust_bundle_stores_.find(trust_domain); if (target_store == trust_bundle_stores_.end()) { - // unregisterd trust domain - return 0; + return nullptr; } - store_ctx->ctx = target_store->second.get(); - return X509_verify_cert(store_ctx); + return target_store->second.get(); } int SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index 80bf1c4ee187..a1d6153174b7 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -32,6 +32,7 @@ using X509StorePtr = CSmartPtr; class SPIFFEValidator : public CertValidator { public: + SPIFFEValidator() = default; SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config); ~SPIFFEValidator() override = default; @@ -52,8 +53,12 @@ class SPIFFEValidator : public CertValidator { Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; // utility functions + X509_STORE* getTrustBundleStore(X509* leaf_cert); static std::string extractTrustDomain(const std::string& san); static int certificatePrecheck(X509* leaf_cert); + absl::flat_hash_map& trustBundleStores() { + return trust_bundle_stores_; + }; private: absl::flat_hash_map trust_bundle_stores_; diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD index fe94728e80a3..0a26ca388fb6 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD 
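Review bot: `trustBundleStores()` exposes a mutable reference to `trust_bundle_stores_` from the production header purely so tests can edit the map, and the `};` after its body is a stray semicolon; a const accessor, or making the test fixture a friend, would preserve the property a validator should guarantee — that the set of trusted bundles cannot change after construction. The new default constructor and `getTrustBundleStore` also carry no comment while the neighbouring declarations are grouped under `// utility functions`; e.g. `// Returns the X509_STORE for the trust domain named in leaf_cert's SPIFFE SAN, or nullptr when there is no such SAN or the domain is not configured.` The class declaration continues outside the hunk.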
@@ -1,6 +1,7 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_test", + "envoy_cc_test_library", "envoy_package", ) @@ -33,6 +34,9 @@ envoy_cc_test( "//test/extensions/transport_sockets/tls/test_data:certs", ], deps = [ + ":util", + # "//source/common/protobuf:utility_lib", + "//test/test_common:utility_lib", "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", "//test/extensions/transport_sockets/tls:ssl_test_utils", "//test/test_common:environment_lib", @@ -45,10 +49,17 @@ envoy_cc_test( srcs = [ "factory_test.cc", ], - data = [], deps = [ - "//include/envoy/ssl:context_config_interface", + ":util", "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/mocks/api:api_mocks", + ], +) + +envoy_cc_test_library( + name = "util", + hdrs = ["util.h"], + deps = [ + "//include/envoy/ssl:context_config_interface", + "//test/test_common:utility_lib", ], ) diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc index 7f637b2fdfdc..cfb8ca70b2b6 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc @@ -1,10 +1,8 @@ -#include "extensions/transport_sockets/tls/cert_validator/factory.h" - #include -#include "envoy/ssl/context_config.h" +#include "extensions/transport_sockets/tls/cert_validator/factory.h" -#include "test/mocks/api/mocks.h" +#include "test/extensions/transport_sockets/tls/cert_validator/util.h" #include "gtest/gtest.h" 
@@ -13,67 +11,6 @@ namespace Extensions { namespace TransportSockets { namespace Tls { -class TestCertificateValidationContextConfig - : public Envoy::Ssl::CertificateValidationContextConfig { -public: - TestCertificateValidationContextConfig(envoy::config::core::v3::TypedExtensionConfig config) - : custom_validator_config_(config){}; - TestCertificateValidationContextConfig() : custom_validator_config_(absl::nullopt){}; - - const std::string& caCert() const override { - static std::string ret = ""; - return ret; - } - const std::string& caCertPath() const override { - static std::string ret = ""; - return ret; - } - const std::string& certificateRevocationList() const override { - static std::string ret = ""; - return ret; - } - const std::string& certificateRevocationListPath() const final { - static std::string ret = ""; - return ret; - } - const std::vector& verifySubjectAltNameList() const override { - static std::vector ret = {}; - return ret; - } - const std::vector& - subjectAltNameMatchers() const override { - static std::vector ret = {}; - return ret; - } - const std::vector& verifyCertificateHashList() const override { - static std::vector ret = {}; - return ret; - } - const std::vector& verifyCertificateSpkiList() const override { - static std::vector ret = {}; - return ret; - } - bool allowExpiredCertificate() const override { return false; } - envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: - TrustChainVerification - trustChainVerification() const override { - return envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: - TrustChainVerification:: - CertificateValidationContext_TrustChainVerification_ACCEPT_UNTRUSTED; - } - - const absl::optional& - customValidatorConfig() const override { - return custom_validator_config_; - } - - Api::Api& api() override { return api_; } - -private: - Api::MockApi api_; - const absl::optional custom_validator_config_; -}; - TEST(FactoryTest, 
TestGetCertValidatorName) { EXPECT_EQ("envoy.tls.cert_validator.default", getCertValidatorName(nullptr)); auto config = std::make_unique(); diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index da0ee4608966..73ccc44d59ae 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -3,6 +3,7 @@ #include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" +#include "test/extensions/transport_sockets/tls/cert_validator/util.h" #include "test/extensions/transport_sockets/tls/ssl_test_utility.h" #include "test/test_common/environment.h" #include "test/test_common/test_runtime.h" @@ -16,7 +17,28 @@ namespace Extensions { namespace TransportSockets { namespace Tls { +TEST(SPIFFEValidator, Constructor) { + envoy::config::core::v3::TypedExtensionConfig conf; + std::string yaml = TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + k8s-west.example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem" + )EOF"); + + TestUtility::loadFromYaml(yaml, conf); + TestCertificateValidationContextConfig config(conf); + + auto validator = SPIFFEValidator(&config); + EXPECT_EQ(2, validator.trustBundleStores().size()); +} + TEST(SPIFFEValidator, TestExtractTrustDomain) { + EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/")); EXPECT_EQ("abc.com", SPIFFEValidator::extractTrustDomain("spiffe://abc.com/")); EXPECT_EQ("dev.envoy.com", SPIFFEValidator::extractTrustDomain("spiffe://dev.envoy.com/workload1")); 
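Review bot: The added TestExtractTrustDomain case only covers a missing scheme; the implementation shown in a later hunk on this page uses std::regex_search with an unanchored `spiffe:\/\/([^\/]+)\/` pattern, so a URI SAN in which "spiffe://" appears after some other scheme and path would still yield a trust domain, and a test pinning such an input to `""` (together with anchoring the pattern at `^`) would tie extraction to the URI's actual scheme. The Constructor test also loads keyusage_crl_sign_cert.pem, a leaf certificate, as a trust bundle; that suffices for a size check but does not document that a bundle is expected to hold CA certificates.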
diff --git a/test/extensions/transport_sockets/tls/cert_validator/util.h b/test/extensions/transport_sockets/tls/cert_validator/util.h
new file mode 100644
index 000000000000..825bd02ccca8
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/cert_validator/util.h
@@ -0,0 +1,77 @@ +#include + +#include "envoy/ssl/context_config.h" + +#include "test/test_common/utility.h" + +namespace Envoy { +namespace Extensions { +namespace TransportSockets { +namespace Tls { + +class TestCertificateValidationContextConfig + : public Envoy::Ssl::CertificateValidationContextConfig { +public: + TestCertificateValidationContextConfig(envoy::config::core::v3::TypedExtensionConfig config) + : api_(Api::createApiForTest()), custom_validator_config_(config){}; + TestCertificateValidationContextConfig() + : api_(Api::createApiForTest()), custom_validator_config_(absl::nullopt){}; + + const std::string& caCert() const override { + static std::string ret = ""; + return ret; + } + const std::string& caCertPath() const override { + static std::string ret = ""; + return ret; + } + const std::string& certificateRevocationList() const override { + static std::string ret = ""; + return ret; + } + const std::string& certificateRevocationListPath() const final { + static std::string ret = ""; + return ret; + } + const std::vector& verifySubjectAltNameList() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& + subjectAltNameMatchers() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& verifyCertificateHashList() const override { + static std::vector ret = {}; + return ret; + } + const std::vector& verifyCertificateSpkiList() const override { + static std::vector ret = {}; + return ret; + } + bool allowExpiredCertificate() const override { return false; } + envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: + TrustChainVerification + trustChainVerification() const override { + return envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: + TrustChainVerification:: + CertificateValidationContext_TrustChainVerification_ACCEPT_UNTRUSTED; + } + + const absl::optional& + customValidatorConfig() const override { + return 
custom_validator_config_; + } + + Api::Api& api() override { return *api_; } + +private: + Api::ApiPtr api_; + const absl::optional custom_validator_config_; +}; + +} // namespace Tls +} // namespace TransportSockets +} // namespace Extensions +} // namespace Envoy \ No newline at end of file From 3e57b43a760a212bdbe88f59ea6f08799a67cbe7 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 1 Feb 2021 18:18:46 +0900 Subject: [PATCH 04/38] Trust bundle nullcheck Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/cert_validator/spiffe_validator.cc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 7c20ca2073eb..1e74bd6ab8e4 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -91,6 +91,9 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtend } auto trust_bundle = getTrustBundleStore(&leaf_cert); + if (!trust_bundle) { + return 0; + } store_ctx->ctx = trust_bundle; return X509_verify_cert(store_ctx); } From 8476b3a529094c917c69e0d43533dcba0635b4c6 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 13:57:12 +0900 Subject: [PATCH 05/38] add tests 
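Review bot: The new header has no include guard — Envoy headers open with `#pragma once` — so including util.h from two headers of the same test binary, or twice in one translation unit, redefines TestCertificateValidationContextConfig; add `#pragma once` as the first line. The file also ends without a trailing newline (the `\ No newline at end of file` marker), which the project's format check is likely to flag. The eight accessors that return a static empty value repeat the same three-line pattern; the project's `CONSTRUCT_ON_FIRST_USE` macro expresses each in one line.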
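Review bot: The added guard correctly fails closed when no trust bundle can be resolved, but all three causes (no SAN, no trust domain, unregistered domain) now end in a bare `return 0;` with no log line or counter, so an operator cannot tell a misconfigured trust_bundles map from a peer presenting the wrong identity. The factory signature on this page passes `SslStats& stats` to validators, so incrementing a failure counter here, or a debug-level log such as `"SPIFFE validator: no trust bundle for the leaf certificate's trust domain"` if the class is made loggable, would make the rejection observable. doVerifyCertChain's body starts and ends outside the hunk.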
Signed-off-by: Takeshi Yoneda --- include/envoy/ssl/context_config.h | 2 +- .../tls/cert_validator/spiffe_validator.cc | 24 ++- .../tls/context_config_impl.h | 3 +- .../tls/cert_validator/BUILD | 4 +- .../cert_validator/spiffe_validator_test.cc | 140 ++++++++++++++++-- .../tls/cert_validator/util.h | 32 ++-- .../transport_sockets/tls/test_data/certs.sh | 9 ++ .../tls/test_data/keyusage_cert_sign_cert.pem | 34 ++--- .../tls/test_data/keyusage_cert_sign_key.pem | 50 +++---- .../tls/test_data/keyusage_crl_sign_cert.pem | 34 ++--- .../tls/test_data/keyusage_crl_sign_key.pem | 50 +++---- .../tls/test_data/spiffe_san_cert.cfg | 36 +++++ .../tls/test_data/spiffe_san_cert.pem | 25 ++++ .../tls/test_data/spiffe_san_key.pem | 27 ++++ tools/code_format/check_format.py | 1 + 15 files changed, 348 insertions(+), 123 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index 675bddde27de..c2244cff2f99 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -50,7 +50,7 @@ class ContextConfig { /** * @return CertificateValidationContextConfig the certificate validation context config. */ - virtual const CertificateValidationContextConfig* certificateValidationContext() const PURE; + virtual CertificateValidationContextConfig* certificateValidationContext() const PURE; /** * @return The minimum TLS protocol version to negotiate. diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 1e74bd6ab8e4..fb03a28295eb 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
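Review bot: Dropping `const` from `certificateValidationContext()`'s return type turns a const accessor into one that hands out mutable access to the validation config, presumably so the SPIFFE validator can call the non-const `api()`; since returning `Api::Api&` does not require a mutable config object, declaring `virtual Api::Api& api() const PURE;` on CertificateValidationContextConfig would keep the interface const-correct instead of widening it for every caller of ContextConfig. If `api()` cannot be made const, a one-line comment on this declaration explaining why the pointer is non-const would stop the next reader from "fixing" it back.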
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -38,7 +38,7 @@ using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertVa SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config) { if (config == nullptr) { - throw EnvoyException("SPIFFE validator connot be initialized from null configuration"); + throw EnvoyException("SPIFFE cert validator connot be initialized from null configuration"); } SPIFFEConfig message; @@ -46,7 +46,12 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* ProtobufWkt::Struct(), ProtobufMessage::getStrictValidationVisitor(), message); - trust_bundle_stores_.reserve(message.trust_bundles().size()); + auto size = message.trust_bundles().size(); + if (size == 0) { + throw EnvoyException("SPIFFE cert validator requires at least one trusted CA"); + } + + trust_bundle_stores_.reserve(size); for (auto& it : message.trust_bundles()) { auto cert = Config::DataSource::read(it.second, true, config->api()); bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size())); @@ -84,7 +89,8 @@ void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX&, uint8_t[ int SPIFFEValidator::initializeSslContexts(std::vector, bool) { return SSL_VERIFY_PEER; } -int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo*, +int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, + Ssl::SslExtendedSocketInfo* ssl_extended_info, X509& leaf_cert, const Network::TransportSocketOptions*) { if (!SPIFFEValidator::certificatePrecheck(&leaf_cert)) { return 0; 
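Review bot: The error string in the first hunk still misspells "cannot" (`connot`); it is a runtime message that tests and operators will match on, so fix it before a test pins it: `throw EnvoyException("SPIFFE cert validator cannot be initialized from null configuration");`. The empty-trust-bundle rejection in the second hunk is the right fail-closed behaviour; a comment above it, e.g. `// An empty bundle set would reject every peer; treat it as a configuration error.`, would record the intent. The constructor's body continues outside the hunk.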
@@ -94,8 +100,17 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtend if (!trust_bundle) { return 0; } + + // set the trust bundle's certificate store on the context, and do the verification store_ctx->ctx = trust_bundle; - return X509_verify_cert(store_ctx); + auto ret = X509_verify_cert(store_ctx); + if (ssl_extended_info) { + ssl_extended_info->setCertificateValidationStatus( + ret == 1 ? Envoy::Ssl::ClientValidationStatus::Validated + : Envoy::Ssl::ClientValidationStatus::Failed); + } + + return ret; } X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { @@ -140,6 +155,7 @@ int SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { static const std::regex reg = Envoy::Regex::Utility::parseStdRegex("spiffe:\\/\\/([^\\/]+)\\/"); std::smatch m; + if (!std::regex_search(san, m, reg) || m.size() < 2) { return ""; } diff --git a/source/extensions/transport_sockets/tls/context_config_impl.h b/source/extensions/transport_sockets/tls/context_config_impl.h index 44c5a8cc619d..23d02adc69bf 100644 --- a/source/extensions/transport_sockets/tls/context_config_impl.h +++ b/source/extensions/transport_sockets/tls/context_config_impl.h @@ -37,8 +37,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { } return configs; } - const Envoy::Ssl::CertificateValidationContextConfig* - certificateValidationContext() const override { + Envoy::Ssl::CertificateValidationContextConfig* certificateValidationContext() const override { return validation_context_config_.get(); } unsigned minProtocolVersion() const override { return min_protocol_version_; }; diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD index 0a26ca388fb6..afeacb949428 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD 
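Review bot: The validation status on `ssl_extended_info` is recorded only after X509_verify_cert(); the earlier exits — the precheck failure and the `if (!trust_bundle) { return 0; }` just above — leave the socket's status at whatever it was before, so a caller reading it sees an un-validated peer rather than a failed one even though the handshake was rejected. Setting `Envoy::Ssl::ClientValidationStatus::Failed` on those paths as well, or routing every return through one place that records the outcome next to the return value, keeps the reported status consistent with what the function returns. doVerifyCertChain's signature is in the previous hunk.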
@@ -35,12 +35,11 @@ envoy_cc_test( ], deps = [ ":util", - # "//source/common/protobuf:utility_lib", - "//test/test_common:utility_lib", "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", "//test/extensions/transport_sockets/tls:ssl_test_utils", "//test/test_common:environment_lib", "//test/test_common:test_runtime_lib", + "//test/test_common:utility_lib", ], ) @@ -60,6 +59,7 @@ envoy_cc_test_library( hdrs = ["util.h"], deps = [ "//include/envoy/ssl:context_config_interface", + "//source/common/common:macros", "//test/test_common:utility_lib", ], ) diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index 73ccc44d59ae..cd31ea68461b 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -1,3 +1,4 @@ +#include #include #include @@ -10,6 +11,7 @@ #include "test/test_common/utility.h" #include "gtest/gtest.h" +#include "openssl/ssl.h" #include "openssl/x509v3.h" namespace Envoy { 
@@ -17,9 +19,36 @@ namespace Extensions { namespace TransportSockets { namespace Tls { -TEST(SPIFFEValidator, Constructor) { - envoy::config::core::v3::TypedExtensionConfig conf; - std::string yaml = TestEnvironment::substitute(R"EOF( +using SPIFFEValidatorPtr = std::unique_ptr; +using X509StoreContextPtr = CSmartPtr; +using SSLContextPtr = CSmartPtr; + +class TestSPIFFEValidator : public SPIFFEValidator, public testing::Test { +public: + void initialize(std::string yaml) { + envoy::config::core::v3::TypedExtensionConfig typed_conf; + TestUtility::loadFromYaml(yaml, typed_conf); + TestCertificateValidationContextConfig config(typed_conf); + validator_ = std::make_unique(&config); + }; + + SPIFFEValidator& validator() { return *validator_; }; + +private: + SPIFFEValidatorPtr validator_; +}; + +TEST_F(TestSPIFFEValidator, Constructor) { + EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: {} + )EOF")), + EnvoyException, + "SPIFFE cert validator requires at least one trusted CA"); + + initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig @@ -28,13 +57,9 @@ name: envoy.tls.cert_validator.spiffe filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" k8s-west.example.com: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem" - )EOF"); - - TestUtility::loadFromYaml(yaml, conf); - TestCertificateValidationContextConfig config(conf); + )EOF")); - auto validator = SPIFFEValidator(&config); - EXPECT_EQ(2, validator.trustBundleStores().size()); + EXPECT_EQ(2, validator().trustBundleStores().size()); } TEST(SPIFFEValidator, TestExtractTrustDomain) { 
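Review bot: TestSPIFFEValidator derives from both SPIFFEValidator and testing::Test yet never uses the inherited validator — every test goes through the separately owned `validator_` — so the first base class only adds an unused default-constructed instance to each fixture; `class TestSPIFFEValidator : public testing::Test` is enough. The `initialize()` helper builds `TestCertificateValidationContextConfig config` as a local that is destroyed on return while `validator_` outlives it; this is safe only if SPIFFEValidator reads the config solely in its constructor, which the hunks on this page suggest but do not prove, so a comment stating that assumption would help the next reader. The `;` after the bodies of `initialize()` and `validator()` are stray semicolons.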
@@ -71,6 +96,103 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { EXPECT_EQ(1, SPIFFEValidator::certificatePrecheck(cert.get())); } +TEST(SPIFFEValidator, TestInitializeSslContexts) { + auto validator = SPIFFEValidator{}; + EXPECT_EQ(SSL_VERIFY_PEER, validator.initializeSslContexts({}, false)); +} + +TEST(SPIFFEValidator, TestGetTrustBundleStore) { + auto validator = SPIFFEValidator{}; + // no san + auto cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + EXPECT_FALSE(validator.getTrustBundleStore(cert.get())); + + // spiffe san + cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + + // trust bundle not provided + EXPECT_FALSE(validator.getTrustBundleStore(cert.get())); + + // trust bundle provided + validator.trustBundleStores().emplace("lyft.com", X509StorePtr(X509_STORE_new())); + EXPECT_TRUE(validator.getTrustBundleStore(cert.get())); +} + +TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainSingleTrustDomain) { + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF")); + + X509StorePtr ssl_ctx = X509_STORE_new(); + + // trust domain match so should be accepted + auto cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); + EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + // different trust domain so should be rejected + cert = 
readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + + store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); + EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + // does not have san + cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + + store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); + EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); +} + +TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomain) { + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF")); + + X509StorePtr ssl_ctx = X509_STORE_new(); + + // trust domain match so should be accepted + auto cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); + EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); + + store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), 
cert.get(), nullptr)); + EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + // does not have san + cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); + + store_ctx = X509_STORE_CTX_new(); + EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); + EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); +} + } // namespace Tls } // namespace TransportSockets } // namespace Extensions diff --git a/test/extensions/transport_sockets/tls/cert_validator/util.h b/test/extensions/transport_sockets/tls/cert_validator/util.h index 825bd02ccca8..781be5c9e848 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/util.h +++ b/test/extensions/transport_sockets/tls/cert_validator/util.h @@ -2,6 +2,8 @@ #include "envoy/ssl/context_config.h" +#include "common/common/macros.h" + #include "test/test_common/utility.h" namespace Envoy { 
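Review bot: Every doVerifyCertChain() call passes `nullptr` for the SslExtendedSocketInfo argument, so the status-reporting branch added to spiffe_validator.cc in this patch is never exercised; one case with a stub extended info expecting `setCertificateValidationStatus(Validated)` and one expecting `Failed` would cover it. TestGetTrustBundleStore plants an empty X509_STORE under "lyft.com", which checks the lookup but not the contents, and the multi-trust-domain test loads ca_cert.pem for both lyft.com and example.com, so no test yet shows that a certificate is verified against the bundle of its own domain rather than any configured bundle; a third domain backed by a different CA would make that distinction observable.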
@@ -17,38 +19,26 @@ class TestCertificateValidationContextConfig TestCertificateValidationContextConfig() : api_(Api::createApiForTest()), custom_validator_config_(absl::nullopt){}; - const std::string& caCert() const override { - static std::string ret = ""; - return ret; - } - const std::string& caCertPath() const override { - static std::string ret = ""; - return ret; - } + const std::string& caCert() const override { CONSTRUCT_ON_FIRST_USE(std::string, ""); } + const std::string& caCertPath() const override { CONSTRUCT_ON_FIRST_USE(std::string, ""); } const std::string& certificateRevocationList() const override { - static std::string ret = ""; - return ret; + CONSTRUCT_ON_FIRST_USE(std::string, ""); } const std::string& certificateRevocationListPath() const final { - static std::string ret = ""; - return ret; + CONSTRUCT_ON_FIRST_USE(std::string, ""); } const std::vector& verifySubjectAltNameList() const override { - static std::vector ret = {}; - return ret; + CONSTRUCT_ON_FIRST_USE(std::vector, {}); } const std::vector& subjectAltNameMatchers() const override { - static std::vector ret = {}; - return ret; + CONSTRUCT_ON_FIRST_USE(std::vector, {}); } const std::vector& verifyCertificateHashList() const override { - static std::vector ret = {}; - return ret; + CONSTRUCT_ON_FIRST_USE(std::vector, {}); } const std::vector& verifyCertificateSpkiList() const override { - static std::vector ret = {}; - return ret; + CONSTRUCT_ON_FIRST_USE(std::vector, {}); } bool allowExpiredCertificate() const override { return false; } envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: @@ -74,4 +64,4 @@ class TestCertificateValidationContextConfig } // namespace Tls } // namespace TransportSockets } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy 
diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh
index b1155f18d9fe..b06d46eb8c8b 100755
--- a/test/extensions/transport_sockets/tls/test_data/certs.sh
+++ b/test/extensions/transport_sockets/tls/test_data/certs.sh
@@ -260,3 +260,12 @@ generate_x509_cert_nosubject no_subject ca
 # Generate unit test certificate
 generate_rsa_key unittest
 generate_selfsigned_x509_cert unittest
+
+generate_rsa_key keyusage_cert_sign
+generate_x509_cert keyusage_cert_sign ca
+
+generate_rsa_key keyusage_crl_sign
+generate_x509_cert keyusage_crl_sign ca
+
+generate_rsa_key spiffe_san
+generate_x509_cert spiffe_san ca
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
index e6a465f9c9a1..3bf712b40875 100644
--- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
+++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJDCCAwygAwIBAgIUEsrhIGfn5HWMHmXqN//+MkKNzlowDQYJKoZIhvcNAQEL +MIIEJDCCAwygAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjqwwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAxMDYzNjExWhcNMjMw -MjAxMDYzNjExWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw +MjAyMDQwOTI3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvmYfQM1vForFFYeCg73EvFHXjGFtUjdY6cVN -kOYFXHkRS0cLvLmNmDK28xlvmFcf5Igxm1yco6PK2MrArfDuZ1l6jMcwmYbe5Ln0 -ZLzTt/FF5QlUwoqm0KIzubaZ37wKr0TSaQnOheBGeMLovM++BbZs+YE92yLzgp+p -g116pHPhoIR6nIDl644yaoQilEH+xnEOKpZ0P9KOLPdRIh47CVSeSDBspunEPO2/ -1Pc047cbvjHR426xBLplddpdwgZU9fVOgW2fFpIkHh7lZ3gu2ab+M8cHHW7Iy7rj -sfMn9poYSrRAiZOUYcP2MVIFDxEfg2NJo37bmU4QhJy6GiR24QIDAQABo4GnMIGk +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwCu9C0MjZir120U6L1057DYAnfsjog8istS4 +YBy5uDkTJX5BZUOltIUgwdC54B2j3we3qNzWBD3EFeDTFWtHBRvbWcaxbDfN9/jo +5764fIthmR3iFUU2+YQZeSjwgLZWfv/ucBvmVt4jwfV0kkt50/hmEd81Pp7ZuJRM +bKNrj0yJThLSxTl5qiI29PR9u4EcMwLe0BSGJNKM7YSIPt+46lPlds+dS9Y2/Szb +ulrM0wj6h/UnkDNSZMYij6s/A9tB6piI7VfC9t9Q429GLV1mtihSp0nqOfjpfCFj +hCRLaPm9TWwcYQk8ftW9G4NfL9ou74mj0Or3bemz/9ctgdjdkwIDAQABo4GnMIGk MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgLkMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAdBgNVHQ4EFgQUGAeDFYXu6DZt6cHqONVSYBVpPfAwHwYDVR0j +BggrBgEFBQcDATAdBgNVHQ4EFgQUzWNy6ZlGKurbxD6U+n5wNKVkJYUwHwYDVR0j BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp -bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAKmVaItLkrC3 -AyXsN6n37PjLJQNq0tHu8xVa9qy3BStvl4Wjs6WY8QQE+ms75b1OXmDvW/VI2xkd -gu0sWyyUjEMjtKXPNhh/IfCJ6LeMbV/n0XvJRgG0L3QZQs94G/BjH4EeE8WsLHtq 
-SknT3LJ2MR72cPATIHdkRS/VEicpCzqBFg+IvHn1kqOFjPD+ISsoLxmaHeNCs8Rl -l2WyEY0moykLQjHRI1ssnoDQGeMPwEmABo4NZyga4YE+MolDkdYIb+bNDGT6Nlaq -AOUDNTAaGsCC3G01lrn8YeUHQS6D+06agqSk6G8YMLyaWBUwH7/Dvv9rIIGpIbmo -TFTDqZE2ugA= +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIyzMxqaLqsO +xJWmPaP0kwSxHhdFcvgygEYr2YSFiKJ6/MJZvy67W3IylRPVBkglbZ8m6lj96XsV +bC3k7aUIPj5dT59vSLwTOX2lSciuQ+rtxFLOLyXRbbr7z3uI8KOUn6a4KUs4cBB6 +1Ku7jAUeC1IwvXU0C+UOVDJMVBqD/pvte4a7FA9/0N+bMREh/1zOnE7I7pTxje3O +TVvFZA0i/zbt64wlnCDqq58Ilr5hAG6MmIq3RrfjAUQvP54nzAlbp41d+du9OuNn ++NS6Ayr6AtIvwMT+2u5bNmA8IjoyjTmPALe3pszy4OpU1F8Sk/A2MJb4FP790hJs +oOCbZto9Nyk= -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem index 5cd64b00be59..8ded0612d497 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAvmYfQM1vForFFYeCg73EvFHXjGFtUjdY6cVNkOYFXHkRS0cL -vLmNmDK28xlvmFcf5Igxm1yco6PK2MrArfDuZ1l6jMcwmYbe5Ln0ZLzTt/FF5QlU -woqm0KIzubaZ37wKr0TSaQnOheBGeMLovM++BbZs+YE92yLzgp+pg116pHPhoIR6 -nIDl644yaoQilEH+xnEOKpZ0P9KOLPdRIh47CVSeSDBspunEPO2/1Pc047cbvjHR -426xBLplddpdwgZU9fVOgW2fFpIkHh7lZ3gu2ab+M8cHHW7Iy7rjsfMn9poYSrRA -iZOUYcP2MVIFDxEfg2NJo37bmU4QhJy6GiR24QIDAQABAoIBAGaGYynn9Xuz+fBf -6d264CdwApurEs0E1LH89omh8x0abD+W4DEd0as1E+LPvZHQyHGtDNlWA1ryphYb -B6oiZJ3uRtlroTXqtDeCEqH0NCWGnFZ6sdOYCb+quCO2uiEKBs7eRlcdWsIoRIpe -miihzPcShpfMClzn8yxRgVwliBbpCTuynz6zj7uJy7Xjzopk2QR7di9JVsMvK+Wy -XDAcxySFKTayJZHIvC5gdXY+KlrwESoP7ocnuoG/DQmVGaLqS8twf7lbyuyG8DKg -bT6lAQYIbG+j1mWZQiJ4DAba8+ZVpcCbs45dOR5pCddZ/WCHXrur2XClnHZnMQ9C -0CjQsAkCgYEA68fATDo+rWNAZEgmV4r/wuuwlGxCFbismqrZ/z/+wVFMJiMFeUqu -qHBwnq7fKelNLqw9GSAyQkNSz/04Tlef99pP6SxSwVcE3HrFOr/qREJqHFttn2ar -gwhGL9GLecZyULD0WcdhplNAa2T8Ms6LxSkT8xJtXDzSsIWpKG21gCMCgYEAzroV -Cz/eNijbWq3TAMYPeSvzoI/6k5/t0zTTnkQxRKNMZj4vUNLZWfzxKyPVVEB8cB+K -1d9/Gds7kwd7Oh0V1lAQCdCTGE06HNdx+8q/9UaiJavV6mURly+3RyT24w/OFqAx -/nNDj7Jtmo0qxQuwyCT8ysKxnkOS1sIPj1Nu2ysCgYAF+N1KEP+dbLIo2BsAhKjN -yyKB3+wcmLzmfgVfjcNqKiD/pktxMw8RfSedHVjRuvMVh49Un5gmTYY/dm6CrX2D -zafQhCrkcsvQudtdDZdlezks1rQEIZmejAsbEvexcfFbUeAelgpHKDyte7VXpBuu -NsgmlATpHTFI/1m1iHHceQKBgDz0aVgT0PWvPl6SenDz9YQJDaD+UyhMM9fe77bu -7IgMjm5nT5RJV4VNK99IhZJ+ITL+WfWOHPAG0J4dypvsD5BNsyzxry2vN79hV16i -/c7YsN7iuASRIIqvqx7zK0jwVBgfzB325qjsN50mmsHXHJ0nKtKubaj4y8c/GU9t -jnZZAoGAN6Z2AyBWuonC/4jZPPfTXfdlbxpbwUIjtnO17nKwsldcTKBbOzDdhj2T -3ilN2g3sDldm0TJiFyUgmxbp1Nc/IrETSl4xHZLcizbofZraLBnK+VGIq6FHUoN2 -AbChbvVKRtz0iQ+j9930fbq8rCB0KidQcORg8+tnfsMqoCJ9fu4= +MIIEowIBAAKCAQEAwCu9C0MjZir120U6L1057DYAnfsjog8istS4YBy5uDkTJX5B +ZUOltIUgwdC54B2j3we3qNzWBD3EFeDTFWtHBRvbWcaxbDfN9/jo5764fIthmR3i +FUU2+YQZeSjwgLZWfv/ucBvmVt4jwfV0kkt50/hmEd81Pp7ZuJRMbKNrj0yJThLS +xTl5qiI29PR9u4EcMwLe0BSGJNKM7YSIPt+46lPlds+dS9Y2/SzbulrM0wj6h/Un 
+kDNSZMYij6s/A9tB6piI7VfC9t9Q429GLV1mtihSp0nqOfjpfCFjhCRLaPm9TWwc +YQk8ftW9G4NfL9ou74mj0Or3bemz/9ctgdjdkwIDAQABAoIBAHmwOLmU/imIMr9z +CvFLO46Uc7eWfG3236YWhdp21jQOEE3BsW+KcrfpRWD1534/xrFIlchcbzmoUy73 +ezMpB4P4q+Ihq+A3RjosaG+3meNj752iCrQlbDZ8rBTJE+KtlAA/2KEtSaLgcAw2 +fmbVXIQZ26idi33n4T68ydhRc579YJ5lnyjJ56Fe3i4cNvgCu/8STDWVqqh8chpe +qGxrHhGmg1wRop+RRaFhjcz3LiDWE1cu0flti2WEXa/I5qUU9xNCpNtR9AQtQlEk +/hRUnS5+inEcvnzUHGUv+ZiP12N6KLXKlfKIZsQQ0o/0He3gW1cybLj9opg327MH +2LqDCOECgYEA/wxH+gGE+QM09jFdKAvi/dNqPPirtD86xBOmzcdOPITntQD82MIX +7Dn50BgGYyIdIBex7ZwShM6TLWxAA6GaxYVFFNJ7Ak286ZHjDBKFW4vAiTeCeAX6 +TDhB9tuLbQ3Kgoi5NvhEjE+5pa8XaPiclaPMopZsqcDVS9kNkEhfIR0CgYEAwONf +huEDFsCySIF/XnGyxXWXhrmETle+XB3wXX+ddmU/DZQ3ZjMDLSlCTKk7i92Oe64P +NHlsf/2WZsoBqJtAu1CdAhIvJT8MzD93KNldhj+gm18BXC7+iGHf+Yw8ryhepzbG +N9DbO54sT61TB1o3GhNrdJYYknt+PLTLEkqZ6m8CgYBGLKrhLunXWfqIgqyPCDY8 +gJ8Kh6E2xu70ZDPRCrWMEUVvmAX53e2XIZyKlRGs1QYOfnaGWhr+T5hPNyml1iEv +l6uaPw95YspHucwu1im7NoiTOKK9Q2fK8O+1bFLAfrrpj5TmewjhUk5SOArI5x6u +TZNQaPMdAeGuLNp+iGskQQKBgQCJYqnMsQH5N8EEYbAtvb/+YrZNkF+LSXXduLlW +bynhhVW2v0YCNf1iMkv1vGgcQ+9TanOMBZxhQWbZybIKvKILiOx76CXKWrEr3Vxr +LP8vOqyTXcTjOtmynDviS5+Bhrh8U0g1wz4TpaKcEbDcwMYUfZaA0NOpqeoNJRyq +55XfYwKBgEX4SiuCPzECulUh+5WSDJr6XcW/lDYAGtjz+B+vA8VLoHTMHctqM3vJ +IKHLKwfWUcpaxJSOs3JS7OckLHkposlDMG6sKX2VMaI8+UcRTjLUu32zc1DDDuLa +40tPHXkZ3y8uBbQyXMt1UkM6UIR/1b9JGf7Jq/pb+RpJyTXpg8eH -----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem index 8b57cc2c3aec..ea6ac44cc84b 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJDCCAwygAwIBAgIUEsrhIGfn5HWMHmXqN//+MkKNzlswDQYJKoZIhvcNAQEL +MIIEJDCCAwygAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjq0wDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAxMDYzNjExWhcNMjMw -MjAxMDYzNjExWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw +MjAyMDQwOTI3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFo8H/NuNdB6MvktAsTNvn9yIiPibm2/29c4 -9drq7wBKJAGNxcy4YnovQ8LHxXFv9pu9bUniPjShWF6Kw6yGwQsTaE3z4+BG63a+ -ryrBNLor0zmgbElo4nMpdrHUDKca1vDqPp1T+nF9gGmkvp4RbFG4cTjBRhl0SkgO -h5EUzjhWKzi9g+IZea5+GrzgqVadzazH91pjX2SmeDRZo+7KfsZzAhWE/RM6l8Jk -5dV7RtA5mjYIet8DZQHYNgcXZRjvcdJPACk55i09nQjJ2baaLVVek1K9AXKfM6EL -kwbJrOLY2uCTFES2bbm+dI6n4qKe+Ypz+BASrDhC6mpp3VJ71QIDAQABo4GnMIGk +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Zy44YmX+9tUKYpJe+Q5cKtggFgC03mVxlVE +mHe0wQn+EiZsa6JKpVH0f4YAwVhEskxexHyPX2H1zeqrxHoRJAZzHeNjL/SMuK6L +Ko9yE5Y7Ih9PKb96s3jWzTmErU6l/03ZHBudJ1BhUo+7uEYp0JWlhtIPjOg5eNPN +FiI4eOMf1kB+xM/JASA89lX8AnpUyqUqG/27/jmOYn5WqPr9krluGdKfj+J0EmwB +Rda/oXDWpxzxND2Xjal1NjPfpwiC+tK4hZWfQxFoz8gwYuCEbPrRijQIsGy2kzNy +PGZE44QWSXMzzQN3QQad2pgqefAzJyatFHCrFmgrT71H8LuAPwIDAQABo4GnMIGk MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgHiMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAdBgNVHQ4EFgQU4y+0Gay4Da0IuXDx6CfunT/4rlYwHwYDVR0j +BggrBgEFBQcDATAdBgNVHQ4EFgQUIZWJJIF4dn435rFAoC/dps39SGowHwYDVR0j BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp -bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABRvbUIQkEI8 -2hpCw037eRNdHo/TUyg9hUEHR36MQBkk6tcsAeZAiiqkjR9M7mGRTW/Mr5nDuSA3 -Sq1l4ZVd11yG/LYLhB6fyyrg6kW2XXK77yLWsIT+tXNpe4pNX0Hb56I8vLs+oeg4 
-B/o22RPzCYrXst9/FGxy8OheAt10qfU030XNaOUhNepXIAPKxhrFplDm03Vp2mtN -kX/vwW1vZ8G//U/7dSrnMoqecPM2pib45ohGDWr8OkElNLO6hSbeZ2cwTYPsQG19 -3YvkxVpvywzysylQgpYsEblh1ykMIJIqifyXwzhjB0XVrzY+9jWeqtUY0jrbHil2 -IH+aBJtqgzo= +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEXVACXt+AvN +mNCSLxCSLcc+ZkuYUKMZPUNEf75RFh8OhKcosALjKGCITqKDSlv5r/KqW/fyNhy8 +o63h3B0Z9YmUkMTjzr1aEK+lr5iC5BJNREaO7Z0E+lqdZU2jjS/MUwoX3QrQnuWa +yRHONho7AHzbnfdDi3ff+8/pCdO+25IByLn5iJqSNjOULbqr/lUMWBMih9+jtqWu +RqmQ1rYyeDedf4kNin97zqCCBBd+DB9QVUrifoFuJI1XWKbQ9hqIBqJ8LpXYhUfy +XYaPimMiipTKRzT8Is9XNvDGJMJCBzQiRzek+tIQyT+nZpYFpEo6cjxJnBUqhav+ ++Z7Igbkp6h8= -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem index e74cafb8b59b..e92488feb507 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAtFo8H/NuNdB6MvktAsTNvn9yIiPibm2/29c49drq7wBKJAGN -xcy4YnovQ8LHxXFv9pu9bUniPjShWF6Kw6yGwQsTaE3z4+BG63a+ryrBNLor0zmg -bElo4nMpdrHUDKca1vDqPp1T+nF9gGmkvp4RbFG4cTjBRhl0SkgOh5EUzjhWKzi9 -g+IZea5+GrzgqVadzazH91pjX2SmeDRZo+7KfsZzAhWE/RM6l8Jk5dV7RtA5mjYI -et8DZQHYNgcXZRjvcdJPACk55i09nQjJ2baaLVVek1K9AXKfM6ELkwbJrOLY2uCT -FES2bbm+dI6n4qKe+Ypz+BASrDhC6mpp3VJ71QIDAQABAoIBAASkef28j261MiAT -x/PVSxKHR1HXqKF9E749+QpjGz8Ru9bXb2XTEj/+sy7EWc4cUGyBr8ubZkaBplGX -BW1qCIH5ngNGVmvcPxcalGf/6r9Ht48VYarH7Po/SqbyhunYd1lnFDCObjX5K+jd -T09U1E/8fonzkw4R46tx1WXp9yYjxArBFTyxu05v8UDHJlczZZ+An6kFMCIEfCVp -sDHBgHnvSUq7xyDYxOQyfT7m2UQ5bkx6ncSZuwTIBHUtUV4YWTLPZ6G50wKCUsz4 -P/JVoYitxc92jdd0QLE43Tpvnb8Nx9csSKBK2IwVIuDZX5ASD4FrEo3KZacLomlm -aiVh/WECgYEA3aY/qWLnWpK2zxosNE0JUF+KUDW4SQcUb7xezBYNZX7QT9nTvHIC -OCQhNuuKnFR522+ZCSaTwpmyJORkws/9TOM7DsFD6zw/AmMY0v1V6+VyHgvJMWv5 -qQW0TVV6XCvdTENmZPtDQpCdHUAY05eWQWn6xR7WU5o+rR8Dgko6bF0CgYEA0E2Q -1B/sBqdY2YjGOPp2wa9ZYEoUCvy3Exaa4sUC5VAe7F97nt6LNP01OBXleiynoDDZ -DWi0UiroUsb4SgyTxn9TDHrEav1+WHgli1WJhWnVN4pdfezdjH2CJa/9msZxToiW -SLfQnSZ0WKvZKYIwsp5/JYlpyJAvsKYZIFv9FdkCgYEAjTiLf0UA2vh3eWTXnUso -EAmPeqN/kyfroXWHgMjcKDqwRvAms/5/431BnFherFQ2f9WO0AHAS1DZ7B+JA4a5 -gO+WhUQmHg74pnC1NFktEWvTVcl0mwSMwWBdDJjVqTxZd2nKJ7Tfmd3B/Q0FxGrk -1TDNEiMfs4ynOm50MeNRbhECgYA/eDL1/5gKWvlepydG+0IuOACyrz+2LVSXM18U -U9VTC/uwKFPhj4u5JKIPqdRXSr30uI2aYVn4Y2yQtGG5JmXsqKUke0/YDc9uo4VF -FFYn2ZyHJNjh4seK5D9AvoQ2odqqhEHOfHvLNoli71HnLO0rr9GsHVenLg/p8mJb -ksvl2QKBgA5K3GNulEOOl04BSRyVFaDhBxR05cYsykCHgayreLLRejNVdhCf1UF6 -XmV00A/avxvkPtBe5VODsQGnfHyiov5IcuGfEBodp34KtjdDNav6sQkRUSazGRJk -DMHvUPr++L7aaAuR57SpvctLZ5qv+jPFNoZudEp+qX8LJpm/dMjV +MIIEpAIBAAKCAQEA7Zy44YmX+9tUKYpJe+Q5cKtggFgC03mVxlVEmHe0wQn+EiZs +a6JKpVH0f4YAwVhEskxexHyPX2H1zeqrxHoRJAZzHeNjL/SMuK6LKo9yE5Y7Ih9P +Kb96s3jWzTmErU6l/03ZHBudJ1BhUo+7uEYp0JWlhtIPjOg5eNPNFiI4eOMf1kB+ +xM/JASA89lX8AnpUyqUqG/27/jmOYn5WqPr9krluGdKfj+J0EmwBRda/oXDWpxzx 
+ND2Xjal1NjPfpwiC+tK4hZWfQxFoz8gwYuCEbPrRijQIsGy2kzNyPGZE44QWSXMz +zQN3QQad2pgqefAzJyatFHCrFmgrT71H8LuAPwIDAQABAoIBABwC89Cy1dX9H0je +YpdWamcb7P50YbDojn2ZI8MNqaNwOCGPogx2T3J53OcDtycT7tVOJ4XmYUiPVdj2 +p1U8RrUGhZ+qZNEMdWJ4QTO9QWeJuGLnaf+z8RUjU79R3pBHy03zsXqczsQJt89x +3mF09A0A90iTjv2/irbx0SWg1yN4+OepPn05VWpPxS1BP6o4ibQUqUdFVWNZa4F/ +wz4xEoB89Zovv53U7gzjZVOAt1SAmK3zDVpc2q297TmMiXadpPQV3x+txFdQuzLH +xr+uPC42frxeVMCxCMt1VMsVAcgEgBVxwECWNYFjEdHl48IwMc8iaVckQ/HW6kPX +pCZdCKECgYEA/AUgBt90Tn7nx0XObnbJmj6zWimM8R6AG3TuS+ul6+pI+Z4/qUmo +wrb5FVMAd0MaJhxHoKHoJeQItEnNCkf4OvBx82etrvOxt3GdfKBKlK/+YTwGQnDp +BD0GptES04mIiUO8UwRbsQWXMK/4tco5np62WFHO0Ev9GCc3f8t5GAcCgYEA8V1Z +Qav5PuCukcEEPfkpRp7Rwkw3P55bDXBFVNSmGAjQNjerSh6T9MJzT+t6zYfCeKip +3WoI7yhhw+xG7JgE1L16T17SIqOiJPVcr2d/m7F/wP5J1euOx9ujV8PNe6fXGWIq +h1/vE9jwetouWEELVtuqkQOn6lxQ1BxVAe6/GAkCgYEAkA8F7afRvgUAzIH0rGQu +fYMV1pYlwLakmA1RIgjDwYUczcNNtKEsXJFm9G+LtqCe0+Yac5HZN7+P0i7Vi+jz +1g0XtgEv4O/gSHIjide+ihvIFyDOmzAbopaXtMeSMWVOrNgRUIsPNrNxZx1P1+qO +4ULsDLRGuf6V4DaanOxcfgUCgYBXfnxVlw6yIWaGxY5RHNo+lGH7af95G2FsXK91 +UeSnv8IidUmtg6okxrxgUz9f8/+mF5YEAmUctOnDyQnoyC6wI8OLtBa+ocysUxl3 +KDCU8uIZxtRjLJHElzT+IqeBVNVfiTtbeYZEDpcWIbM9IM8IfHa3PLkI9tACJAcY +vUAeaQKBgQDsDmF+eRXBR3rc5cPGkexrjqr/NhkRYpPaVviZVsT/eUPOsSzZ1hY2 +3Ri/VVqgeyeWjNyCq7vA4ZrqrYmm18RQckuO7r0Nb6Nb++TPPAJQUi0voZHfvrYU +iyyFvupApmYn4iYQ4bTA3tCGGLRCxLyHvZdblvfWZVEvropIR7Cu9A== -----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg new file mode 100644 index 000000000000..f8b6a7794bf0 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg 
@@ -0,0 +1,36 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +countryName_default = US +stateOrProvinceName = California +stateOrProvinceName_default = California +localityName = San Francisco +localityName_default = San Francisco +organizationName = Lyft +organizationName_default = Lyft +organizationalUnitName = Lyft Engineering +organizationalUnitName_default = Lyft Engineering +commonName = Test Server +commonName_default = Test Server +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash + +[v3_ca] +basicConstraints = critical, CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[alt_names] +URI.1 = spiffe://example.com/workload diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem new file mode 100644 index 000000000000..e4582fe77178 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem 
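Review bot: The `[v3_ca]` section of the new config sets `basicConstraints = critical, CA:FALSE`, so its name reads as a CA profile while it actually describes the leaf workload certificate. If certs.sh selects the extension section by that name (not visible in this hunk) the name cannot change, but a comment such as `# v3_ca is the extension section selected when signing with the test CA; this is a leaf certificate (CA:FALSE)` would stop the next reader from assuming it issues CAs.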
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJjCCAw6gAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjq4wDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw +MjAyMDQwOTI3WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt+X3Nrq4xJyEjU19k28D9fFCBut+Fv73W +CffsBdDTsPetKlT8imPtZYzrCjVkcCjrqbkXs8LneRaPrHDi4FThI84O+axvOSHt +UnslRM5/qBNd1TNmUzK0jOc49IlIRjr9jI9MO0W6KcL1mA2dj9lGllvT9AJHHh5l +hE4mv20Dh/LQRaMfrDrRD8sDMWbwW8G+NDykbcxF3IkUAhEJkiZgWvIF3yjCtIE0 +d1D50gEURjoW9+vP5RlWFgg7TGEwBDKaYw+2lD8vVtmcCWNFQ+8vEmPo1dwlqNoR +5nToF0ScUDBn1mLl8sahzhtpr0Q5kJhplnZYGBrsYggTvOQVYEDrAgMBAAGjgacw +gaQwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMCgGA1UdEQQhMB+GHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv +cmtsb2FkMB0GA1UdDgQWBBTXgAUzCJMxtKCZ/RiptQaEPAzMFjAfBgNVHSMEGDAW +gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAKTjo2IIg +happyS6X6ewjKjxnQSPInrr66+S1TeWVBdaBRttSsQmZ3GbDE267B+Oz304gEFha +759+CJLJMh+k72i3xRfl1JReM56MmQVawBhcfw5BX5q+1gnn4USucQQPez40KJj2 +Yqi0BoGD5vWpYHHPfbsoY8e2nqLQHhG/9BTw1QK+4yfalW8fdt9BSwdpEDzWIe8R +OYu1Id/Z6ulv9p2t/AwcclCqbNCzDsfuMTSy5g45ZwB/5wridMXrwHVUxhn3+uJ/ +rN5kAhgONFHTP0ffEvsbLosFS8MXP7O8aAS6YqCMg4sE2tkLIggWohoNvUecTnUC +KJ3OsK+PJ81Hrw== +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem new file mode 100644 index 000000000000..ec079d382389 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA7fl9za6uMSchI1NfZNvA/XxQgbrfhb+91gn37AXQ07D3rSpU +/Ipj7WWM6wo1ZHAo66m5F7PC53kWj6xw4uBU4SPODvmsbzkh7VJ7JUTOf6gTXdUz +ZlMytIznOPSJSEY6/YyPTDtFuinC9ZgNnY/ZRpZb0/QCRx4eZYROJr9tA4fy0EWj +H6w60Q/LAzFm8FvBvjQ8pG3MRdyJFAIRCZImYFryBd8owrSBNHdQ+dIBFEY6Fvfr +z+UZVhYIO0xhMAQymmMPtpQ/L1bZnAljRUPvLxJj6NXcJajaEeZ06BdEnFAwZ9Zi +5fLGoc4baa9EOZCYaZZ2WBga7GIIE7zkFWBA6wIDAQABAoIBADf2mDMqhSRiA1T/ +YkuhsjzqYzRe8fnOIaKYLYl/xKBD2bsLXXkWQnGtk/oiKHQ6PCVPgIumZotw2nFn +KBTylINtnCPBa1+sm+Hnp7YX/EfhCsziOngx0JbNHAM03qP0gCLoTzqqJbel4odG +/syy63HCIk4x7+cxmgxdlNNf6Q8PEVinf+4ZgmyYD9e7qGmBYjJI58T3J+L5BO61 ++J4gt7a292rxgRB+3tbAje3LTptmsnx/6oGhWdOWn16vWN4LFRTmsKAUNj3l1pwo +xRQzf6T/mbyaLdTLZye6OPJ9eqp3feJrpGKROoWkQ5o3pFUzlKpvgs3bCUi2oURf +od3CaeECgYEA/GUgVsvU3QPq8NArVKF56l6c1ycLTJ1UfhY5OGLdWmL1k8dXr/hj +mmK6ZAziU35n+HFGpx+rE432CviRagtXgecsSZ6+i0PRGPMW/MVYvyp0ZcqbF1su +6cyXLTNVC/vR09bgxav4MKBG6BNoLeqxuBr37kdZuzOw2WYAesVvcVUCgYEA8V+j +IQwgcZDoDQfYSm6cjCq3/DcKcv/BHjKOuI7l3d9A2zB+ooyGuwHaFQRvo1/2V+sm +jfKrtqJP6T1vscFHUI8j0ANsWqdaF4hVk8v8If2WPW8GLEH8CEVJbAmyhZE+G0no +aX+EPDIM/ld8dsR5UnypEzz2mRCYkOVmMwGZ6T8CgYAZg5uGSqqlAP1iBJksv/oU +ECZotYC16P2elV6Jba0UswZCPxeFKWXgOHTBInBKom+eNM1AnbnsiyBBMal5f9YD +wru+YXa/m0Zq8D/1o3l6Ma98jsOo08XlSpJJtnO1d2pZsNIeCWlYeQtR8IxKf/wh +MVC43Kucefg5sc8Ami7O1QKBgQC6wDYk0Y8gju8bdeBg5mf1AvBLEgLhqwOt64wF +O3qaSauSa1jvRy7O7cXf0QjXLN4ac/Pmi8VTjw2o9kG/FD2rFLSuspdZJHZOEsuz +iHXRjrR5X7c08vCfLYx7LJ2VPiUBVBOf3Gthb5AiEWpZMfZ0XcMrAVYCY5bHNNX3 +zNtaXQKBgQD4YXg3z+Ygqx3zkaB2LrAu5drHjJtWny0iwbIT86wBfma/KlhJkiPY +Bs+4M3XvuR5hGgg5ncoULcLsH1JDYVm5TbwuNyBfar+CRqW43gxT1m0nvw6U3wKD ++2kYGZxv7od/MOlKchENfZS20xkOFN0h6nQDBEWPbAUT+hEq1pZBhg== +-----END RSA PRIVATE KEY----- diff --git a/tools/code_format/check_format.py b/tools/code_format/check_format.py index 71645f4cbfd0..6bd3fce1fb9f 100755 --- a/tools/code_format/check_format.py +++ b/tools/code_format/check_format.py 
@@ -98,6 +98,7 @@ "./source/common/stats/tag_extractor_impl.cc", "./source/common/formatter/substitution_formatter.cc", "./source/extensions/filters/http/squash/squash_filter.h", + "./source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc", "./source/extensions/filters/http/squash/squash_filter.cc", "./source/server/admin/utils.h", "./source/server/admin/utils.cc", "./source/server/admin/stats_handler.h", "./source/server/admin/stats_handler.cc", "./source/server/admin/prometheus_stats.h", From d8c90767e71ab9410ab9a4f7025bea57b7fc87b5 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 15:11:51 +0900 Subject: [PATCH 06/38] add additional tests Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 40 +++++++++++++------ .../tls/cert_validator/spiffe_validator.h | 9 +++-- .../tls/cert_validator/factory_test.cc | 2 +- .../cert_validator/spiffe_validator_test.cc | 25 +++++++++--- 4 files changed, 55 insertions(+), 21 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index fb03a28295eb..5f3565a9ba4e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -1,6 +1,8 @@ #include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" +#include #include +#include #include #include #include 
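Review bot: The new entry is inserted between `squash_filter.h` and `squash_filter.cc`, splitting a pair the rest of the list keeps together; placing it after `"./source/extensions/filters/http/squash/squash_filter.cc",` keeps sibling files adjacent. The list's name is outside the hunk; if it is the real-time allowlist, note that a later patch in this series injects `TimeSource` into `SPIFFEValidator`, which may make this exemption unnecessary and worth re-checking before merge.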
@@ -36,7 +38,9 @@ namespace Tls { using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertValidatorConfig; -SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config) { +SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, + TimeSource& time_source) + : time_source_(time_source) { if (config == nullptr) { throw EnvoyException("SPIFFE cert validator connot be initialized from null configuration"); } @@ -52,6 +56,7 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* } trust_bundle_stores_.reserve(size); + std::vector ca_file_names = {}; for (auto& it : message.trust_bundles()) { auto cert = Config::DataSource::read(it.second, true, config->api()); bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size())); @@ -68,6 +73,8 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* if (item->x509) { X509_STORE_add_cert(store.get(), item->x509); } + X509_up_ref(item->x509); + ca_certs_.push_back(bssl::UniquePtr(item->x509)); if (item->crl) { has_crl = true; X509_STORE_add_crl(store.get(), item->crl); @@ -77,7 +84,14 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* X509_STORE_set_flags(store.get(), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } trust_bundle_stores_[it.first] = std::move(store); + + auto name = it.second.filename(); + if (name.empty()) { + name = ""; + } + ca_file_names.push_back(absl::StrCat(it.first, ": ", name)); } + ca_file_names_ = absl::StrJoin(ca_file_names, ", "); } void SPIFFEValidator::addClientValidationContext(SSL_CTX*, bool) { /* TODO */ 
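Review bot: In the `@@ -68,6 +73,8 @@` hunk the added `X509_up_ref(item->x509);` and `ca_certs_.push_back(bssl::UniquePtr(item->x509));` sit after the `if (item->x509)` block rather than inside it, so an X509_INFO entry that carries only a CRL (the `item->crl` branch right below shows such entries are expected) calls `X509_up_ref` on a null pointer and stores a null `UniquePtr` in `ca_certs_`, which `getCaCertInformation` and `daysUntilFirstCertExpires` later dereference. Both lines belong inside the `if (item->x509) { ... }` braces, as patch 07/38 in this series later does. The constructor continues outside this hunk.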
@@ -163,25 +177,27 @@ std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { } size_t SPIFFEValidator::daysUntilFirstCertExpires() const { - /* TODO */ - return 0; -} - -std::string SPIFFEValidator::getCaFileName() const { - /* TODO */ - return ""; + size_t ret = SIZE_MAX; + for (auto& iter : ca_certs_) { + ret = std::min(ret, Utility::getDaysUntilExpiration(iter.get(), time_source_)); + } + return ret; } Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const { - /* TODO */ - return nullptr; + if (ca_certs_.empty()) { + return nullptr; + } + // TODO: with the current interface, we cannot pass the multiple cert information. + // So temporarily we return the first CA's info here. + return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_);; }; class SPIFFEValidatorFactory : public CertValidatorFactory { public: CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats&, TimeSource&) override { - return std::make_unique(config); + SslStats&, TimeSource& time_source) override { + return std::make_unique(config, time_source); } absl::string_view name() override { return "envoy.tls.cert_validator.spiffe"; } diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index a1d6153174b7..ad128b3edd5a 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h 
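Review bot: `daysUntilFirstCertExpires` returns `SIZE_MAX` when `ca_certs_` is empty, which is reachable through the `SPIFFEValidator(TimeSource&)` constructor this same patch adds to the header; `getCaCertInformation` right below handles the empty case with `nullptr`, so this should do the same with `if (ca_certs_.empty()) { return 0; }` before the loop, since a "never expires" sentinel in an expiry metric hides a validator that has no CA at all. The new `return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_);;` carries a doubled semicolon.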
@@ -32,8 +32,8 @@ using X509StorePtr = CSmartPtr; class SPIFFEValidator : public CertValidator { public: - SPIFFEValidator() = default; - SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config); + SPIFFEValidator(TimeSource& time_source): time_source_(time_source){}; + SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, TimeSource& time_source); ~SPIFFEValidator() override = default; // Tls::CertValidator @@ -49,7 +49,7 @@ class SPIFFEValidator : public CertValidator { unsigned hash_length) override; size_t daysUntilFirstCertExpires() const override; - std::string getCaFileName() const override; + std::string getCaFileName() const override { return ca_file_names_; } Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; // utility functions @@ -61,7 +61,10 @@ class SPIFFEValidator : public CertValidator { }; private: + std::vector> ca_certs_; + std::string ca_file_names_; absl::flat_hash_map trust_bundle_stores_; + TimeSource& time_source_; }; } // namespace Tls diff --git a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc index cfb8ca70b2b6..844ca55ee97a 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/factory_test.cc @@ -18,7 +18,7 @@ TEST(FactoryTest, TestGetCertValidatorName) { envoy::config::core::v3::TypedExtensionConfig custom_config = {}; custom_config.set_name("envoy.tls.cert_validator.spiffe"); - config.reset(new TestCertificateValidationContextConfig(custom_config)); + config = std::make_unique(custom_config); EXPECT_EQ(custom_config.name(), getCertValidatorName(config.get())); } diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index cd31ea68461b..2c18caf3158b 100644 
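Review bot: The new `SPIFFEValidator(TimeSource& time_source)` is a single-argument constructor that is not `explicit`, so a `TimeSource&` converts implicitly to a validator; `explicit SPIFFEValidator(TimeSource& time_source) : time_source_(time_source) {}` also drops the stray `;` after the body. Both constructors store `time_source_` as a reference member, so the caller must keep the `TimeSource` alive for the validator's lifetime; a comment on the member, `// Not owned; must outlive this validator.`, records that contract. The only uses of the one-argument form visible in this series are in tests, so it appears to be test-only — if so, a comment saying that would keep production code from picking it up and ending with a validator that has no trust bundles.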
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -1,4 +1,5 @@ #include +#include #include #include @@ -23,13 +24,14 @@ using SPIFFEValidatorPtr = std::unique_ptr; using X509StoreContextPtr = CSmartPtr; using SSLContextPtr = CSmartPtr; -class TestSPIFFEValidator : public SPIFFEValidator, public testing::Test { +class TestSPIFFEValidator : public testing::Test { public: void initialize(std::string yaml) { envoy::config::core::v3::TypedExtensionConfig typed_conf; TestUtility::loadFromYaml(yaml, typed_conf); TestCertificateValidationContextConfig config(typed_conf); - validator_ = std::make_unique(&config); + validator_ = std::make_unique( + &config, TestCertificateValidationContextConfig{}.api().timeSource()); }; SPIFFEValidator& validator() { return *validator_; }; @@ -53,13 +55,22 @@ name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig trust_bundles: - example.com: + hello.com: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" k8s-west.example.com: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem" )EOF")); EXPECT_EQ(2, validator().trustBundleStores().size()); + + EXPECT_NE(validator().getCaFileName().find("test_data/ca_cert.pem"), + std::string::npos); + EXPECT_NE(validator().getCaFileName().find("test_data/keyusage_crl_sign_cert.pem"), + std::string::npos); + EXPECT_NE(validator().getCaFileName().find("hello.com"), + std::string::npos); + EXPECT_NE(validator().getCaFileName().find("k8s-west.example.com"), + std::string::npos); } TEST(SPIFFEValidator, TestExtractTrustDomain) { 
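Review bot: `TestCertificateValidationContextConfig{}.api().timeSource()` takes a `TimeSource&` through a temporary config whose `api_` is a `unique_ptr` created by `Api::createApiForTest()`; whether the returned `TimeSource` outlives that temporary depends on what the test Api owns, which is not visible here, and `SPIFFEValidator` keeps the reference for its whole lifetime, so this may dangle as soon as `initialize` returns. The same pattern appears in `TestInitializeSslContexts` and `TestGetTrustBundleStore` in the next hunk. Keeping the config alive in the fixture — as patch 07/38 later does with `config_` — or using a time system owned by the test avoids the question.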
@@ -97,12 +108,12 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { } TEST(SPIFFEValidator, TestInitializeSslContexts) { - auto validator = SPIFFEValidator{}; + auto validator = SPIFFEValidator(TestCertificateValidationContextConfig{}.api().timeSource()); EXPECT_EQ(SSL_VERIFY_PEER, validator.initializeSslContexts({}, false)); } TEST(SPIFFEValidator, TestGetTrustBundleStore) { - auto validator = SPIFFEValidator{}; + auto validator = SPIFFEValidator(TestCertificateValidationContextConfig{}.api().timeSource()); // no san auto cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); @@ -156,6 +167,10 @@ name: envoy.tls.cert_validator.spiffe EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); } +TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) {} + +TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) {} + TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomain) { initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe From 8d88b16ba898aa140fd17010fb1a6a128c14adec Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 18:43:46 +0900 Subject: [PATCH 07/38] impl addClientValidationContext and add additional tests Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 60 +++++--- .../tls/cert_validator/spiffe_validator.h | 6 +- .../tls/cert_validator/BUILD | 1 + .../cert_validator/spiffe_validator_test.cc | 128 +++++++++++++++--- 4 files changed, 156 insertions(+), 39 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 5f3565a9ba4e..9b576a952f77 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
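Review bot: `TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) {}` and `TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) {}` have empty bodies, so they pass without exercising anything and will read as coverage of `getCaCertInformation` and `daysUntilFirstCertExpires` in test reports. Either fill them in this commit or prefix the names with `DISABLED_` so gtest reports them as skipped rather than passing.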
@@ -56,7 +56,6 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* } trust_bundle_stores_.reserve(size); - std::vector ca_file_names = {}; for (auto& it : message.trust_bundles()) { auto cert = Config::DataSource::read(it.second, true, config->api()); bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size())); @@ -69,12 +68,25 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* auto store = X509StorePtr(X509_STORE_new()); bool has_crl = false; + bool ca_loaded = false; for (const X509_INFO* item : list.get()) { if (item->x509) { X509_STORE_add_cert(store.get(), item->x509); + X509_up_ref(item->x509); + ca_certs_.push_back(bssl::UniquePtr(item->x509)); + if (!ca_loaded) { + // TODO: with the current interface, we cannot return the multiple + // cert information on getCaCertInformation method. + // So temporarily we return the first CA's info here. + ca_loaded = true; + auto name = it.second.filename(); + if (name.empty()) { + name = ""; + } + ca_file_name_ = absl::StrCat(it.first, ": ", name); + } } - X509_up_ref(item->x509); - ca_certs_.push_back(bssl::UniquePtr(item->x509)); + if (item->crl) { has_crl = true; X509_STORE_add_crl(store.get(), item->crl); 
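Review bot: `bool ca_loaded = false;` is declared inside the per-bundle loop (next to `has_crl`), so `ca_file_name_` is assigned again for every trust bundle and ends up naming the first CA of whichever bundle the proto map iterates last, while `getCaCertInformation` and `daysUntilFirstCertExpires` use `ca_certs_[0]`, the first CA of the first bundle; with two or more bundles the reported file name and the reported certificate can therefore disagree, and map iteration order makes which pair is reported unpredictable. Replacing the flag with a check on the vector right after the `push_back`, `if (ca_certs_.size() == 1) { ... }`, or hoisting `ca_loaded` above the outer `for (auto& it : message.trust_bundles())`, keeps the name and the certificate pointing at the same CA. The outer loop begins in the previous hunk and the constructor ends outside this one.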
@@ -84,24 +96,37 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* X509_STORE_set_flags(store.get(), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } trust_bundle_stores_[it.first] = std::move(store); - - auto name = it.second.filename(); - if (name.empty()) { - name = ""; - } - ca_file_names.push_back(absl::StrCat(it.first, ": ", name)); } - ca_file_names_ = absl::StrJoin(ca_file_names, ", "); } -void SPIFFEValidator::addClientValidationContext(SSL_CTX*, bool) { /* TODO */ +void SPIFFEValidator::addClientValidationContext(SSL_CTX* ctx, bool) { + bssl::UniquePtr list(sk_X509_NAME_new( + [](const X509_NAME** a, const X509_NAME** b) -> int { return X509_NAME_cmp(*a, *b); })); + + for (auto& ca : ca_certs_) { + X509_NAME* name = X509_get_subject_name(ca.get()); + if (name == nullptr) { + throw EnvoyException(absl::StrCat("Failed to load trusted client CA certificate")); + } + // Check for duplicates. + if (sk_X509_NAME_find(list.get(), nullptr, name)) { + continue; + } + bssl::UniquePtr name_dup(X509_NAME_dup(name)); + if (name_dup == nullptr || !sk_X509_NAME_push(list.get(), name_dup.release())) { + throw EnvoyException(absl::StrCat("Failed to load trusted client CA certificate")); + } + } + SSL_CTX_set_client_CA_list(ctx, list.release()); } void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX&, uint8_t[EVP_MAX_MD_SIZE], unsigned) { /* TODO */ } -int SPIFFEValidator::initializeSslContexts(std::vector, bool) { return SSL_VERIFY_PEER; } +int SPIFFEValidator::initializeSslContexts(std::vector, bool) { + return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; +} int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info, 
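Review bot: `addClientValidationContext(SSL_CTX* ctx, bool)` now builds the client CA list but still ignores its second parameter, so whatever the caller passes there (presumably whether a client certificate is required) has no effect in this validator; if that is deliberate because `initializeSslContexts` below always returns `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, a comment on the parameter such as `// The require-client-cert flag is ignored: SPIFFE always requires a peer certificate.` records the decision for the next reader. The two `absl::StrCat("Failed to load trusted client CA certificate")` calls wrap a single literal and can be plain string literals; the message would also be more useful if it said which trust bundle the failing certificate came from.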
@@ -177,11 +202,12 @@ std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { } size_t SPIFFEValidator::daysUntilFirstCertExpires() const { - size_t ret = SIZE_MAX; - for (auto& iter : ca_certs_) { - ret = std::min(ret, Utility::getDaysUntilExpiration(iter.get(), time_source_)); + if (ca_certs_.empty()) { + return 0; } - return ret; + // TODO: with the current interface, we cannot pass the multiple cert information. + // So temporarily we return the first CA's info here. + return Utility::getDaysUntilExpiration(ca_certs_[0].get(), time_source_); } Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const { @@ -190,7 +216,7 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const } // TODO: with the current interface, we cannot pass the multiple cert information. // So temporarily we return the first CA's info here. - return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_);; + return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_); }; class SPIFFEValidatorFactory : public CertValidatorFactory { diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index ad128b3edd5a..46272e12c565 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -32,7 +32,7 @@ using X509StorePtr = CSmartPtr; class SPIFFEValidator : public CertValidator { public: - SPIFFEValidator(TimeSource& time_source): time_source_(time_source){}; + SPIFFEValidator(TimeSource& time_source) : time_source_(time_source){}; SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, TimeSource& time_source); ~SPIFFEValidator() override = default; 
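Review bot: `daysUntilFirstCertExpires` now reports only `ca_certs_[0]`, replacing the minimum over all CAs from the previous patch; the TODO cites an interface limitation, but the return type is a single `size_t` and the minimum fits it, and with several trust bundles the earliest-expiring CA is exactly what this expiry value should surface. Keeping the loop and adding the empty check gives both properties, as below. `getCaCertInformation` in the second hunk still returns the first CA only, which the TODO there does describe accurately.
```cpp
size_t SPIFFEValidator::daysUntilFirstCertExpires() const {
  if (ca_certs_.empty()) {
    return 0;
  }
  size_t ret = SIZE_MAX;
  for (auto& cert : ca_certs_) {
    ret = std::min(ret, Utility::getDaysUntilExpiration(cert.get(), time_source_));
  }
  return ret;
}
```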
@@ -49,7 +49,7 @@ class SPIFFEValidator : public CertValidator { unsigned hash_length) override; size_t daysUntilFirstCertExpires() const override; - std::string getCaFileName() const override { return ca_file_names_; } + std::string getCaFileName() const override { return ca_file_name_; } Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; // utility functions @@ -62,7 +62,7 @@ class SPIFFEValidator : public CertValidator { private: std::vector> ca_certs_; - std::string ca_file_names_; + std::string ca_file_name_; absl::flat_hash_map trust_bundle_stores_; TimeSource& time_source_; }; diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD index afeacb949428..03acead518d6 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD @@ -38,6 +38,7 @@ envoy_cc_test( "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", "//test/extensions/transport_sockets/tls:ssl_test_utils", "//test/test_common:environment_lib", + "//test/test_common:simulated_time_system_lib", "//test/test_common:test_runtime_lib", "//test/test_common:utility_lib", ], diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index 2c18caf3158b..99c56506012d 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -8,6 +8,7 @@ #include "test/extensions/transport_sockets/tls/cert_validator/util.h" #include "test/extensions/transport_sockets/tls/ssl_test_utility.h" #include "test/test_common/environment.h" +#include "test/test_common/simulated_time_system.h" #include "test/test_common/test_runtime.h" #include "test/test_common/utility.h" 
@@ -20,23 +21,32 @@ namespace Extensions { namespace TransportSockets { namespace Tls { +using TestCertificateValidationContextConfigPtr = + std::unique_ptr; using SPIFFEValidatorPtr = std::unique_ptr; using X509StoreContextPtr = CSmartPtr; using SSLContextPtr = CSmartPtr; class TestSPIFFEValidator : public testing::Test { public: + void initialize(std::string yaml, TimeSource& time_source) { + envoy::config::core::v3::TypedExtensionConfig typed_conf; + TestUtility::loadFromYaml(yaml, typed_conf); + config_ = std::make_unique(typed_conf); + validator_ = std::make_unique(config_.get(), time_source); + } + void initialize(std::string yaml) { envoy::config::core::v3::TypedExtensionConfig typed_conf; TestUtility::loadFromYaml(yaml, typed_conf); - TestCertificateValidationContextConfig config(typed_conf); - validator_ = std::make_unique( - &config, TestCertificateValidationContextConfig{}.api().timeSource()); + config_ = std::make_unique(typed_conf); + validator_ = std::make_unique(config_.get(), config_->api().timeSource()); }; SPIFFEValidator& validator() { return *validator_; }; private: + TestCertificateValidationContextConfigPtr config_; SPIFFEValidatorPtr validator_; }; @@ -49,6 +59,18 @@ name: envoy.tls.cert_validator.spiffe )EOF")), EnvoyException, "SPIFFE cert validator requires at least one trusted CA"); + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + hello.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF")); + + EXPECT_EQ(1, validator().trustBundleStores().size()); + EXPECT_NE(validator().getCaFileName().find("test_data/ca_cert.pem"), std::string::npos); + EXPECT_NE(validator().getCaFileName().find("hello.com"), std::string::npos); initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe 
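Review bot: The two-argument `initialize` overload stores the caller's `TimeSource&` inside `validator_`, a fixture member that outlives the test body, while the tests added later in this commit (`TestDaysUntilFirstCertExpires`, `TestAddClientValidationContext`) pass a `time_system` declared as a local of the test; the reference dangles at fixture teardown, harmless only as long as `~SPIFFEValidator` never touches `time_source_`. A one-line comment on the overload, `// time_source must outlive this fixture's validator_`, or declaring the time system as a fixture member, would make that contract explicit. Both overloads also take `yaml` by value and repeat the same three statements; `const std::string&` and a shared private helper would remove the duplication.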
@@ -62,15 +84,6 @@ name: envoy.tls.cert_validator.spiffe )EOF")); EXPECT_EQ(2, validator().trustBundleStores().size()); - - EXPECT_NE(validator().getCaFileName().find("test_data/ca_cert.pem"), - std::string::npos); - EXPECT_NE(validator().getCaFileName().find("test_data/keyusage_crl_sign_cert.pem"), - std::string::npos); - EXPECT_NE(validator().getCaFileName().find("hello.com"), - std::string::npos); - EXPECT_NE(validator().getCaFileName().find("k8s-west.example.com"), - std::string::npos); } TEST(SPIFFEValidator, TestExtractTrustDomain) { @@ -108,12 +121,15 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { } TEST(SPIFFEValidator, TestInitializeSslContexts) { - auto validator = SPIFFEValidator(TestCertificateValidationContextConfig{}.api().timeSource()); - EXPECT_EQ(SSL_VERIFY_PEER, validator.initializeSslContexts({}, false)); + Event::TestRealTimeSystem time_system; + auto validator = SPIFFEValidator(time_system); + EXPECT_EQ(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + validator.initializeSslContexts({}, false)); } TEST(SPIFFEValidator, TestGetTrustBundleStore) { - auto validator = SPIFFEValidator(TestCertificateValidationContextConfig{}.api().timeSource()); + Event::TestRealTimeSystem time_system; + auto validator = SPIFFEValidator(time_system); // no san auto cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); @@ -167,10 +183,6 @@ name: envoy.tls.cert_validator.spiffe EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); } -TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) {} - -TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) {} - TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomain) { initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe 
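Review bot: The dropped assertions were the only coverage of `getCaFileName()` for a two-bundle configuration and nothing replaces them, so after the `ca_file_names_` → `ca_file_name_` rename the method's behaviour with more than one trust bundle is untested; the checks added earlier in this file only exercise a single `hello.com` entry. Either keep a reduced form after `EXPECT_EQ(2, validator().trustBundleStores().size());`, for example `EXPECT_NE(validator().getCaFileName().find("hello.com"), std::string::npos);`, or document in the header that `getCaFileName()` deliberately reports only one bundle.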
@@ -208,6 +220,84 @@ name: envoy.tls.cert_validator.spiffe EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); } +TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) { + Event::TestRealTimeSystem time_system; + EXPECT_FALSE(SPIFFEValidator(time_system).getCaCertInformation()); // should be nullptr + + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF"), + time_system); + + auto actual = validator().getCaCertInformation(); + EXPECT_TRUE(actual); +} + +TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) { + Event::SimulatedTimeSystem time_system; + time_system.setSystemTime(std::chrono::milliseconds(0)); + + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF"), + time_system); + EXPECT_EQ(19224, validator().daysUntilFirstCertExpires()); + time_system.setSystemTime(std::chrono::milliseconds(864000000)); + EXPECT_EQ(19214, validator().daysUntilFirstCertExpires()); +} + +TEST_F(TestSPIFFEValidator, TestAddClientValidationContext) { + Event::TestRealTimeSystem time_system; + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": 
type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF"), + time_system); + + bool foundTestServer = false; + bool foundTestCA = false; + SSLContextPtr ctx = SSL_CTX_new(TLS_method()); + validator().addClientValidationContext(ctx.get(), false); + for (const X509_NAME* name : SSL_CTX_get_client_CA_list(ctx.get())) { + const int cn_index = X509_NAME_get_index_by_NID(name, NID_commonName, -1); + EXPECT_TRUE(cn_index >= 0); + X509_NAME_ENTRY* cn_entry = X509_NAME_get_entry(name, cn_index); + EXPECT_TRUE(cn_entry); + ASN1_STRING* cn_asn1 = X509_NAME_ENTRY_get_data(cn_entry); + EXPECT_TRUE(cn_asn1); + + auto cn_str = std::string(reinterpret_cast(ASN1_STRING_data(cn_asn1))); + if (cn_str == "Test Server") { + foundTestServer = true; + } else if (cn_str == "Test CA") { + foundTestCA = true; + } + } + + EXPECT_TRUE(foundTestServer); + EXPECT_TRUE(foundTestCA); +} + } // namespace Tls } // namespace TransportSockets } // namespace Extensions From 0dd80aa7fa69f88415432f57113b615b001dba59 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 19:07:33 +0900 Subject: [PATCH 08/38] impl updateDigestForSessionId Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 14 +++++++++++-- .../cert_validator/spiffe_validator_test.cc | 20 +++++++++++++++++++ 2 files changed, 32 insertions(+), 2 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 9b576a952f77..3b25093d6b4c 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
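Review bot: In `TestAddClientValidationContext` the CN is built with `std::string(reinterpret_cast<...>(ASN1_STRING_data(cn_asn1)))`, which assumes the ASN.1 string is NUL-terminated (it is not guaranteed to be) and uses the deprecated accessor; use the length-aware form `auto cn_str = std::string(reinterpret_cast<const char*>(ASN1_STRING_get0_data(cn_asn1)), ASN1_STRING_length(cn_asn1));`. The preceding `EXPECT_TRUE(cn_index >= 0)` and `EXPECT_TRUE(cn_entry)` do not stop the loop body on failure, so a subject without a CN would dereference null in `X509_NAME_ENTRY_get_data`; `ASSERT_*` or a `continue` is safer. In `TestDaysUntilFirstCertExpires` the expected `19224` is tied to the notAfter of `ca_cert.pem`, so a comment naming that expiry date would explain the constant to the next person who regenerates the test certificates.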
@@ -120,8 +120,18 @@ void SPIFFEValidator::addClientValidationContext(SSL_CTX* ctx, bool) { SSL_CTX_set_client_CA_list(ctx, list.release()); } -void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX&, uint8_t[EVP_MAX_MD_SIZE], - unsigned) { /* TODO */ +void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md, + uint8_t hash_buffer[EVP_MAX_MD_SIZE], + unsigned hash_length) { + int rc; + for (auto& ca : ca_certs_) { + rc = X509_digest(ca.get(), EVP_sha256(), hash_buffer, &hash_length); + RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or("")); + RELEASE_ASSERT(hash_length == SHA256_DIGEST_LENGTH, + fmt::format("invalid SHA256 hash length {}", hash_length)); + rc = EVP_DigestUpdate(md.get(), hash_buffer, hash_length); + RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or("")); + } } int SPIFFEValidator::initializeSslContexts(std::vector, bool) { diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index 99c56506012d..bdc7514aefbd 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc 
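Review bot: The session-ID digest now folds in only the CA certificates, not the trust domain each bundle is keyed by, so two contexts that map the same CAs to different trust domains end up with the same session ID context; if sessions can be resumed across such contexts, a session established where the peer's trust domain was accepted could resume where `getTrustBundleStore` would have rejected it, skipping `doVerifyCertChain`. Consider also hashing the trust-domain keys, iterating them in sorted order because `absl::flat_hash_map` iteration order is unspecified and the digest must be stable across restarts (the `std::sort` needs `<algorithm>` if it is not already included). This only distinguishes differing domain sets, not a swapped domain/CA assignment; capturing `(domain, cert)` pairs at load time in the constructor, which is outside this hunk, would cover that as well.

```cpp
void SPIFFEValidator::updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md,
                                               uint8_t hash_buffer[EVP_MAX_MD_SIZE],
                                               unsigned hash_length) {
  // … unchanged: per-CA X509_digest / EVP_DigestUpdate loop …

  // Also bind the trust-domain keys, in a deterministic order, so that contexts
  // that map the same CAs to different domains get distinct session contexts.
  std::vector<std::string> domains;
  domains.reserve(trust_bundle_stores_.size());
  for (const auto& entry : trust_bundle_stores_) {
    domains.push_back(entry.first);
  }
  std::sort(domains.begin(), domains.end());
  for (const auto& domain : domains) {
    rc = EVP_DigestUpdate(md.get(), domain.data(), domain.size());
    RELEASE_ASSERT(rc == 1, Utility::getLastCryptoError().value_or(""));
  }
}
```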
@@ -298,6 +298,26 @@ name: envoy.tls.cert_validator.spiffe EXPECT_TRUE(foundTestCA); } +TEST_F(TestSPIFFEValidator, TestUpdateDigestForSessionId) { + Event::TestRealTimeSystem time_system; + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + )EOF"), + time_system); + uint8_t hash_buffer[EVP_MAX_MD_SIZE]; + bssl::ScopedEVP_MD_CTX md; + EVP_DigestInit(md.get(), EVP_sha256()); + validator().updateDigestForSessionId(md, hash_buffer, 0); + validator().updateDigestForSessionId(md, hash_buffer, SHA256_DIGEST_LENGTH); +} + } // namespace Tls } // namespace TransportSockets } // namespace Extensions From 6d2732f251010abceb73972a5e33c6a0dca6a6e2 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 20:24:43 +0900 Subject: [PATCH 09/38] fix format Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/cert_validator/spiffe_validator.cc | 2 +- tools/spelling/spelling_dictionary.txt | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 3b25093d6b4c..f3c3e397e41d 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
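Review bot: `TestUpdateDigestForSessionId` contains no assertion at all, so it only proves the call does not crash; it would not notice if the digest were never updated. Finalising and checking the result gives a real check, e.g. `uint8_t out[EVP_MAX_MD_SIZE]; unsigned out_len = 0; EXPECT_EQ(1, EVP_DigestFinal(md.get(), out, &out_len)); EXPECT_EQ(SHA256_DIGEST_LENGTH, out_len);`, and comparing the digests of two validators built from different bundle sets would pin down that the session context actually depends on the configuration.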
@@ -173,7 +173,7 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { for (const GENERAL_NAME* general_name : san_names.get()) { const std::string san = Utility::generalNameAsString(general_name); trust_domain = SPIFFEValidator::extractTrustDomain(san); - // we can assume that valid SVIDs have only one san + // we can assume that valid SVID has only one san break; } diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index ecf2e82a8c2a..a877055e5ee2 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -306,6 +306,7 @@ STL STRLEN STS SVG +SVID Symbolizer TBD TCLAP @@ -511,6 +512,7 @@ coverity cplusplus cpuset creds +cRLSign crypto cryptographic cryptographically From e34f79c4efb2f2e28887a1b730e1de6c05a46123 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Tue, 2 Feb 2021 21:42:19 +0900 Subject: [PATCH 10/38] fix test build Signed-off-by: Takeshi Yoneda --- test/mocks/ssl/mocks.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index 3cc0ac4e7d55..90586b7ad265 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -84,7 +84,7 @@ class MockClientContextConfig : public ClientContextConfig { MOCK_METHOD(const std::string&, ecdhCurves, (), (const)); MOCK_METHOD(std::vector>, tlsCertificates, (), (const)); - MOCK_METHOD(const CertificateValidationContextConfig*, certificateValidationContext, (), (const)); + MOCK_METHOD(CertificateValidationContextConfig*, certificateValidationContext, (), (const)); MOCK_METHOD(unsigned, minProtocolVersion, (), (const)); MOCK_METHOD(unsigned, maxProtocolVersion, (), (const)); MOCK_METHOD(bool, isReady, (), (const)); 
@@ -109,7 +109,7 @@ class MockServerContextConfig : public ServerContextConfig { MOCK_METHOD(const std::string&, ecdhCurves, (), (const)); MOCK_METHOD(std::vector>, tlsCertificates, (), (const)); - MOCK_METHOD(const CertificateValidationContextConfig*, certificateValidationContext, (), (const)); + MOCK_METHOD(CertificateValidationContextConfig*, certificateValidationContext, (), (const)); MOCK_METHOD(unsigned, minProtocolVersion, (), (const)); MOCK_METHOD(unsigned, maxProtocolVersion, (), (const)); MOCK_METHOD(bool, isReady, (), (const)); From 6619ad70c2904ac9de0576fa07ebaa289b833a34 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 09:43:33 +0900 Subject: [PATCH 11/38] fix build failure in quic Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/cert_validator/spiffe_validator.cc | 2 +- .../quic_listeners/quiche/envoy_quic_proof_source_test.cc | 2 ++ .../quic_listeners/quiche/envoy_quic_proof_verifier_test.cc | 2 ++ .../tls/cert_validator/spiffe_validator_test.cc | 1 - test/mocks/ssl/mocks.h | 4 ++++ 5 files changed, 9 insertions(+), 2 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index f3c3e397e41d..9f159767aa91 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -198,7 +198,7 @@ int SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { } auto us = X509_get_key_usage(leaf_cert); - return !(us & KU_CRL_SIGN) && !(us & KU_KEY_CERT_SIGN); + return !(us & (KU_CRL_SIGN | KU_KEY_CERT_SIGN)); } std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { diff --git a/test/extensions/quic_listeners/quiche/envoy_quic_proof_source_test.cc b/test/extensions/quic_listeners/quiche/envoy_quic_proof_source_test.cc index 84b8711a6ceb..f3e2b828219a 100644 
--- a/test/extensions/quic_listeners/quiche/envoy_quic_proof_source_test.cc +++ b/test/extensions/quic_listeners/quiche/envoy_quic_proof_source_test.cc @@ -70,6 +70,8 @@ class TestGetProofCallback : public quic::ProofSource::Callback { .WillByDefault(ReturnRef(empty_string_list)); ON_CALL(cert_validation_ctx_config_, verifyCertificateSpkiList()) .WillByDefault(ReturnRef(empty_string_list)); + const absl::optional nullopt = absl::nullopt; + ON_CALL(cert_validation_ctx_config_, customValidatorConfig()).WillByDefault(ReturnRef(nullopt)); verifier_ = std::make_unique(store_, client_context_config_, time_system_); } diff --git a/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc b/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc index 9cdc169cd6f5..09b3dcbd44d6 100644 --- a/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc +++ b/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc @@ -65,6 +65,8 @@ class EnvoyQuicProofVerifierTest : public testing::Test { .WillRepeatedly(ReturnRef(empty_string_list_)); EXPECT_CALL(cert_validation_ctx_config_, verifyCertificateSpkiList()) .WillRepeatedly(ReturnRef(empty_string_list_)); + EXPECT_CALL(cert_validation_ctx_config_, customValidatorConfig()) + .WillRepeatedly(ReturnRef(absl::nullopt)); verifier_ = std::make_unique(store_, client_context_config_, time_system_); } diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index bdc7514aefbd..67bb21b2f6df 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc 
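Review bot: `ON_CALL(cert_validation_ctx_config_, customValidatorConfig()).WillByDefault(ReturnRef(nullopt))` binds the mock's default return to `nullopt`, a local of the enclosing function (which ends right after `verifier_` is built), so any call to `customValidatorConfig()` after that function returns yields a dangling reference; the `ReturnRef(absl::nullopt)` form in envoy_quic_proof_verifier_test.cc has the same problem by a different route, because `absl::nullopt` is an `absl::nullopt_t` and reaches the `const absl::optional<...>&` return type through a temporary. If the mock is only ever hit during `verifier_` construction this stays latent, but it is exactly the use-after-scope that ASan flags on the next refactor. Give the optional the same lifetime as the mock, e.g. a fixture member `const absl::optional<envoy::config::core::v3::TypedExtensionConfig> custom_validator_config_{absl::nullopt};` next to `cert_validation_ctx_config_`, and `ReturnRef` that in both tests.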
@@ -314,7 +314,6 @@ name: envoy.tls.cert_validator.spiffe uint8_t hash_buffer[EVP_MAX_MD_SIZE]; bssl::ScopedEVP_MD_CTX md; EVP_DigestInit(md.get(), EVP_sha256()); - validator().updateDigestForSessionId(md, hash_buffer, 0); validator().updateDigestForSessionId(md, hash_buffer, SHA256_DIGEST_LENGTH); } diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index 90586b7ad265..ad00e4508f61 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -3,6 +3,7 @@ #include #include +#include "envoy/api/api.h" #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h" #include "envoy/ssl/certificate_validation_context_config.h" #include "envoy/ssl/connection.h" @@ -153,6 +154,9 @@ class MockCertificateValidationContextConfig : public CertificateValidationConte MOCK_METHOD(const std::vector&, verifyCertificateHashList, (), (const)); MOCK_METHOD(const std::vector&, verifyCertificateSpkiList, (), (const)); MOCK_METHOD(bool, allowExpiredCertificate, (), (const)); + MOCK_METHOD(const absl::optional&, + customValidatorConfig, (), (const)); + MOCK_METHOD(Api::Api&, api, (), ()); MOCK_METHOD(envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: TrustChainVerification, trustChainVerification, (), (const)); From ee204d0da924093d2e4ee389d784c41584c9a612 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 13:47:35 +0900 Subject: [PATCH 12/38] Add integration test Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 13 +++-- .../tls/cert_validator/spiffe_validator.h | 2 +- test/config/utility.cc | 12 ++-- test/config/utility.h | 7 +++ .../cert_validator/spiffe_validator_test.cc | 8 +-- .../tls/integration/ssl_integration_test.cc | 55 ++++++++++++++++++- .../tls/integration/ssl_integration_test.h | 1 + 7 files changed, 84 insertions(+), 14 deletions(-) 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 9f159767aa91..362ad66d3a18 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -142,11 +142,17 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, Ssl::SslExtendedSocketInfo* ssl_extended_info, X509& leaf_cert, const Network::TransportSocketOptions*) { if (!SPIFFEValidator::certificatePrecheck(&leaf_cert)) { + if (ssl_extended_info) { + ssl_extended_info->setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus::Failed); + } return 0; } auto trust_bundle = getTrustBundleStore(&leaf_cert); if (!trust_bundle) { + if (ssl_extended_info) { + ssl_extended_info->setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus::Failed); + } return 0; } @@ -158,7 +164,6 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, ret == 1 ? Envoy::Ssl::ClientValidationStatus::Validated : Envoy::Ssl::ClientValidationStatus::Failed); } - return ret; } @@ -189,16 +194,16 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { return target_store->second.get(); } -int SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { +bool SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { // Check basic constrains and key usage // https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#52-leaf-validation auto ext = X509_get_extension_flags(leaf_cert); if (ext & EXFLAG_CA) { - return 0; + return false; } auto us = X509_get_key_usage(leaf_cert); - return !(us & (KU_CRL_SIGN | KU_KEY_CERT_SIGN)); + return (us & (KU_CRL_SIGN | KU_KEY_CERT_SIGN)) == 0; } std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { 
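Review bot: Both early-return branches in `doVerifyCertChain` now repeat the same three-line status update, and neither records why the leaf was rejected, so an operator sees a failed handshake without being able to tell a CA-flagged or cert-signing leaf (`certificatePrecheck`) from a SAN whose trust domain has no bundle (`getTrustBundleStore`); a small static helper for the status update plus a debug log per branch, such as `ENVOY_LOG(debug, "SPIFFE validation: no trust bundle for the leaf's trust domain");` if the class carries a logger, would remove the duplication and make rejections diagnosable (the counters added later in this series only count). The `certificatePrecheck` rewrite is fine; its header comment could name the two conditions it enforces, e.g. `// Returns false when the leaf is a CA or may sign certificates/CRLs (X509-SVID §5.2).` The tail of `doVerifyCertChain` lies outside the hunk.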
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index 46272e12c565..43aae5709a8a 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -55,7 +55,7 @@ class SPIFFEValidator : public CertValidator { // utility functions X509_STORE* getTrustBundleStore(X509* leaf_cert); static std::string extractTrustDomain(const std::string& san); - static int certificatePrecheck(X509* leaf_cert); + static bool certificatePrecheck(X509* leaf_cert); absl::flat_hash_map& trustBundleStores() { return trust_bundle_stores_; }; diff --git a/test/config/utility.cc b/test/config/utility.cc index 928d9416738e..31a8db0c47e7 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc @@ -1079,10 +1079,14 @@ void ConfigHelper::initializeTls( common_tls_context.add_alpn_protocols(Http::Utility::AlpnNames::get().Http11); auto* validation_context = common_tls_context.mutable_validation_context(); - validation_context->mutable_trusted_ca()->set_filename( - TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); - validation_context->add_verify_certificate_hash( - options.expect_client_ecdsa_cert_ ? TEST_CLIENT_ECDSA_CERT_HASH : TEST_CLIENT_CERT_HASH); + if (options.custom_validator_config_) { + validation_context->set_allocated_custom_validator_config(options.custom_validator_config_); + } else { + validation_context->mutable_trusted_ca()->set_filename( + TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); + validation_context->add_verify_certificate_hash( + options.expect_client_ecdsa_cert_ ? TEST_CLIENT_ECDSA_CERT_HASH : TEST_CLIENT_CERT_HASH); + } // We'll negotiate up to TLSv1.3 for the tests that care, but it really // depends on what the client sets. 
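Review bot: `set_allocated_custom_validator_config(options.custom_validator_config_)` transfers ownership of the raw pointer to `validation_context`, yet `ServerSslOptions` keeps holding the same pointer afterwards; a second `initializeTls` call with the same options object, or any later `delete` by a test, double-frees. Either document it at the setter (`// Takes ownership: the pointer is released into the validation context by initializeTls().`) or hold a `std::unique_ptr` in the options and `.release()` it at the `set_allocated_` call. The surrounding `initializeTls` body extends beyond this hunk.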
diff --git a/test/config/utility.h b/test/config/utility.h index b6368fdf0e04..84162b458147 100644 --- a/test/config/utility.h +++ b/test/config/utility.h @@ -68,6 +68,13 @@ class ConfigHelper { return *this; } + ServerSslOptions& setCustomValidatorConfig( + envoy::config::core::v3::TypedExtensionConfig* custom_validator_config) { + custom_validator_config_ = custom_validator_config; + return *this; + } + + envoy::config::core::v3::TypedExtensionConfig* custom_validator_config_; bool rsa_cert_{true}; bool rsa_cert_ocsp_staple_{true}; bool ecdsa_cert_{false}; diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index 67bb21b2f6df..f22be3f65bd0 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc 
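Review bot: `custom_validator_config_` is declared without an initializer while every neighbouring field has one (`rsa_cert_{true}`, `ecdsa_cert_{false}`, …), so a default-constructed `ServerSslOptions` carries an indeterminate pointer and the `if (options.custom_validator_config_)` branch added in utility.cc reads it; every existing test that never calls `setCustomValidatorConfig` is exposed to that undefined behaviour. Fix: `envoy::config::core::v3::TypedExtensionConfig* custom_validator_config_{nullptr};`. The same member added to ssl_integration_test.h later in this commit is initialised correctly.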
@@ -99,25 +99,25 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints: CA:True, "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); - EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage has keyCertSign "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem")); - EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage has cRLSign "{{ test_rundir " "}}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem")); - EXPECT_EQ(0, SPIFFEValidator::certificatePrecheck(cert.get())); + EXPECT_FALSE(SPIFFEValidator::certificatePrecheck(cert.get())); cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage does not have keyCertSign and cRLSign // should be considered valid (i.e. return 1) "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); - EXPECT_EQ(1, SPIFFEValidator::certificatePrecheck(cert.get())); + EXPECT_TRUE(SPIFFEValidator::certificatePrecheck(cert.get())); } TEST(SPIFFEValidator, TestInitializeSslContexts) { diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc index 16896443a6a8..af4c1e7afd0a 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc 
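Review bot: The comment above the last check still reads `// should be considered valid (i.e. return 1)` although `certificatePrecheck` now returns `bool` and the assertion was changed to `EXPECT_TRUE`; update it to `// should be considered valid (i.e. return true)` so the comment matches the new contract.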
@@ -41,7 +41,8 @@ void SslIntegrationTestBase::initialize() { .setEcdsaCertOcspStaple(server_ecdsa_cert_ocsp_staple_) .setOcspStapleRequired(ocsp_staple_required_) .setTlsV13(server_tlsv1_3_) - .setExpectClientEcdsaCert(client_ecdsa_cert_)); + .setExpectClientEcdsaCert(client_ecdsa_cert_) + .setCustomValidatorConfig(custom_validator_config_)); HttpIntegrationTest::initialize(); context_manager_ = 
@@ -352,6 +353,58 @@ TEST_P(SslCertficateIntegrationTest, ServerRsa) { checkStats(); } +// Server configured on SPIFFE certificate validation for mTLS +// clientcert.pem's san is "spiffe://lyft.com/frontend-team" so it should be accepted. +TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorAccepted) { + auto typed_conf = new envoy::config::core::v3::TypedExtensionConfig(); + TestUtility::loadFromYaml(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + )EOF"), + *typed_conf); + + custom_validator_config_ = typed_conf; + server_rsa_cert_ = true; + ConnectionCreationFunction creator = [&]() -> Network::ClientConnectionPtr { + return makeSslClientConnection({}); + }; + testRouterRequestAndResponseWithBody(1024, 512, false, false, &creator); + checkStats(); +} + +// Server configured on SPIFFE certificate validation for mTLS +// clientcert.pem's san is "spiffe://lyft.com/frontend-team" so it should be rejected. 
+TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected) { + auto typed_conf = new envoy::config::core::v3::TypedExtensionConfig(); + TestUtility::loadFromYaml(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + example.com: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + )EOF"), + *typed_conf); + custom_validator_config_ = typed_conf; + server_rsa_cert_ = true; + initialize(); + auto conn = makeSslClientConnection({}); + if (tls_version_ == envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2) { + auto codec = makeRawHttpConnection(std::move(conn), absl::nullopt); + EXPECT_FALSE(codec->connected()); + } else { + makeHttpConnection(std::move(conn))->close(); + } + // handshake fails so the handshake counter must be 0 + Stats::CounterSharedPtr counter = test_server_->counter(listenerStatPrefix("ssl.handshake")); + EXPECT_EQ(0, counter->value()); + counter->reset(); +} + // Server with an ECDSA certificate and a client with RSA/ECDSA cipher suites works. TEST_P(SslCertficateIntegrationTest, ServerEcdsa) { server_rsa_cert_ = false; diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h index e7f615c54476..909f72dc08f3 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.h @@ -29,6 +29,7 @@ class SslIntegrationTestBase : public HttpIntegrationTest { void checkStats(); protected: + envoy::config::core::v3::TypedExtensionConfig* custom_validator_config_{nullptr}; bool server_tlsv1_3_{false}; bool server_rsa_cert_{true}; bool server_rsa_cert_ocsp_staple_{false}; From 2f53ac2993e7341848ce7745b050f3d62c97f5ba Mon Sep 17 00:00:00 2001 
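Review bot: The comment on `ServerRsaSPIFFEValidatorRejected` is a copy of the one on the Accepted test and gives no reason for the rejection: the client SAN's trust domain is `lyft.com`, but the only configured bundle is keyed `example.com`. Suggested wording: `// clientcert.pem's san is "spiffe://lyft.com/frontend-team" but only example.com has a trust bundle, so it should be rejected.` Both tests also `new` a `TypedExtensionConfig` whose ownership passes to `set_allocated_custom_validator_config` inside `ConfigHelper::initializeTls`, leaving the raw `custom_validator_config_` member pointing at memory the proto now owns; a comment on the member in ssl_integration_test.h saying that ownership moves to the server config would keep a future cleanup from adding a `delete`.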
From: Takeshi Yoneda Date: Wed, 3 Feb 2021 13:56:20 +0900 Subject: [PATCH 13/38] Add additonal integration test Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/integration/BUILD | 1 + .../tls/integration/ssl_integration_test.cc | 34 ++++++++++++++++++- 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/test/extensions/transport_sockets/tls/integration/BUILD b/test/extensions/transport_sockets/tls/integration/BUILD index 277e6346cb21..5d535e86e2cd 100644 --- a/test/extensions/transport_sockets/tls/integration/BUILD +++ b/test/extensions/transport_sockets/tls/integration/BUILD @@ -16,6 +16,7 @@ envoy_cc_test( ], data = [ "//test/config/integration/certs", + "//test/extensions/transport_sockets/tls/test_data:certs", ], deps = [ "//source/common/event:dispatcher_includes", diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc index af4c1e7afd0a..9aaffcac61fe 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc @@ -378,7 +378,7 @@ name: envoy.tls.cert_validator.spiffe // Server configured on SPIFFE certificate validation for mTLS // clientcert.pem's san is "spiffe://lyft.com/frontend-team" so it should be rejected. -TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected) { +TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected1) { auto typed_conf = new envoy::config::core::v3::TypedExtensionConfig(); TestUtility::loadFromYaml(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe 
@@ -405,6 +405,38 @@ name: envoy.tls.cert_validator.spiffe counter->reset(); } +// Server configured on SPIFFE certificate validation for mTLS +// clientcert.pem's san is "spiffe://lyft.com/frontend-team" but the corresponding trust bundle does +// not match with the client cert. So this should also be rejected. +TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected2) { + auto typed_conf = new envoy::config::core::v3::TypedExtensionConfig(); + TestUtility::loadFromYaml(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + lyft.com: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + example.com: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + )EOF"), + *typed_conf); + custom_validator_config_ = typed_conf; + server_rsa_cert_ = true; + initialize(); + auto conn = makeSslClientConnection({}); + if (tls_version_ == envoy::extensions::transport_sockets::tls::v3::TlsParameters::TLSv1_2) { + auto codec = makeRawHttpConnection(std::move(conn), absl::nullopt); + EXPECT_FALSE(codec->connected()); + } else { + makeHttpConnection(std::move(conn))->close(); + } + // handshake fails so the handshake counter must be 0 + Stats::CounterSharedPtr counter = test_server_->counter(listenerStatPrefix("ssl.handshake")); + EXPECT_EQ(0, counter->value()); + counter->reset(); +} + // Server with an ECDSA certificate and a client with RSA/ECDSA cipher suites works. TEST_P(SslCertficateIntegrationTest, ServerEcdsa) { server_rsa_cert_ = false; From 093cf70dc6df9e3d9bacd0499bee54e08c5b99e0 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 16:03:03 +0900 Subject: [PATCH 14/38] Add stats 
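Review bot: On the TLSv1.3 path of ServerRsaSPIFFEValidatorRejected2 nothing asserts the rejection client-side — `makeHttpConnection(std::move(conn))->close()` returns normally either way — so the only evidence of rejection is `ssl.handshake == 0`, which is equally true if the client never reached the listener at all, leaving the test unable to distinguish "rejected" from "not attempted". Given that the test branches on `tls_version_`, presumably a TLS 1.3 client can finish its side of the handshake before the server has processed the client certificate, so whatever server-side stat is used as the negative signal should be waited for (`test_server_->waitForCounterGe(...)`) rather than read immediately after `close()`. Separately, `typed_conf` is `new`-allocated and parked in the raw `custom_validator_config_` member; if `initialize()` hands it to the validation context via `set_allocated_custom_validator_config()` that is fine, otherwise it leaks — a `std::unique_ptr` or a by-value `TypedExtensionConfig` member would make the ownership explicit.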
Signed-off-by: Takeshi Yoneda --- generated_api_shadow/BUILD | 1 + .../tls/cert_validator/spiffe_validator.cc | 17 ++++--- .../tls/cert_validator/spiffe_validator.h | 8 ++- .../cert_validator/spiffe_validator_test.cc | 49 ++++++++++++------- .../tls/integration/ssl_integration_test.cc | 18 ++++--- 5 files changed, 60 insertions(+), 33 deletions(-) diff --git a/generated_api_shadow/BUILD b/generated_api_shadow/BUILD index effde23bad70..300420c00238 100644 --- a/generated_api_shadow/BUILD +++ b/generated_api_shadow/BUILD @@ -146,6 +146,7 @@ proto_library( "//envoy/config/retry/omit_canary_hosts/v2:pkg", "//envoy/config/retry/omit_canary_hosts/v3:pkg", "//envoy/config/retry/previous_hosts/v2:pkg", + "//envoy/config/retry/previous_hosts/v3:pkg", "//envoy/config/route/v3:pkg", "//envoy/config/tap/v3:pkg", "//envoy/config/trace/v3:pkg", diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 362ad66d3a18..e91aee4d16fd 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -39,8 +39,8 @@ namespace Tls { using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertValidatorConfig; SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, - TimeSource& time_source) - : time_source_(time_source) { + SslStats& stats, TimeSource& time_source) + : stats_(stats), time_source_(time_source) { if (config == nullptr) { throw EnvoyException("SPIFFE cert validator connot be initialized from null configuration"); } @@ -145,6 +145,7 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, if (ssl_extended_info) { ssl_extended_info->setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus::Failed); } + stats_.fail_verify_error_.inc(); return 0; } 
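Review bot: Every new `stats_.fail_verify_error_.inc()` in doVerifyCertChain feeds one counter, so an operator cannot tell a peer that presented a SPIFFE ID for a trust domain with no configured bundle (a policy/config mismatch) from a chain whose signature did not verify. If the early return in this hunk, and the one in the next, is the missing-SAN / missing-trust-bundle path — which the surrounding `setCertificateValidationStatus(Failed)` without a preceding verify call suggests — counting it as `stats_.fail_verify_san_.inc()` would mirror the SAN-versus-chain split the default validator exposes and give a much more useful signal during trust-domain rollouts. The branch conditions are above the hunk, so this is inferred from the structure rather than read from the code. For the constructor hunk, `stats_` is now held by reference, so the `SslStats` must outlive the validator exactly as `time_source_` already must; a one-line comment on the parameter would save the next reader a trip to the factory.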
@@ -153,6 +154,7 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, if (ssl_extended_info) { ssl_extended_info->setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus::Failed); } + stats_.fail_verify_error_.inc(); return 0; } @@ -164,6 +166,9 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, ret == 1 ? Envoy::Ssl::ClientValidationStatus::Validated : Envoy::Ssl::ClientValidationStatus::Failed); } + if (!ret) { + stats_.fail_verify_error_.inc(); + } return ret; } @@ -220,7 +225,7 @@ size_t SPIFFEValidator::daysUntilFirstCertExpires() const { if (ca_certs_.empty()) { return 0; } - // TODO: with the current interface, we cannot pass the multiple cert information. + // TODO(mathetake): with the current interface, we cannot pass the multiple cert information. // So temporarily we return the first CA's info here. return Utility::getDaysUntilExpiration(ca_certs_[0].get(), time_source_); } @@ -229,7 +234,7 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const if (ca_certs_.empty()) { return nullptr; } - // TODO: with the current interface, we cannot pass the multiple cert information. + // TODO(mathetake): with the current interface, we cannot pass the multiple cert information. // So temporarily we return the first CA's info here. return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_); }; @@ -237,8 +242,8 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const class SPIFFEValidatorFactory : public CertValidatorFactory { public: CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats&, TimeSource& time_source) override { - return std::make_unique(config, time_source); + SslStats& stats, TimeSource& time_source) override { + return std::make_unique(config, stats, time_source); } absl::string_view name() override { return "envoy.tls.cert_validator.spiffe"; } 
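Review bot: In the `@@ -164` hunk the success test and the failure accounting disagree: the validation status uses `ret == 1 ? Validated : Failed`, but the counter is bumped only on `!ret`, so a negative return from the verify call (which some X509_verify_cert implementations use for internal errors) would be reported as Failed yet neither counted nor normalized before `return ret;`. `if (ret <= 0) { stats_.fail_verify_error_.inc(); }` makes the counter agree with the status and, presumably, with how the default validator treats the same return value. If the callback contract here is strictly 0/1, a short comment above `return ret;` saying so would close the question instead. `doVerifyCertChain` ends inside this hunk; its earlier branches are above it.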
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h index 43aae5709a8a..3a2bb2051c56 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h @@ -32,8 +32,10 @@ using X509StorePtr = CSmartPtr; class SPIFFEValidator : public CertValidator { public: - SPIFFEValidator(TimeSource& time_source) : time_source_(time_source){}; - SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, TimeSource& time_source); + SPIFFEValidator(SslStats& stats, TimeSource& time_source) + : stats_(stats), time_source_(time_source){}; + SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + TimeSource& time_source); ~SPIFFEValidator() override = default; // Tls::CertValidator @@ -64,6 +66,8 @@ class SPIFFEValidator : public CertValidator { std::vector> ca_certs_; std::string ca_file_name_; absl::flat_hash_map trust_bundle_stores_; + + SslStats& stats_; TimeSource& time_source_; }; diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index f22be3f65bd0..e96adef85191 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -3,7 +3,10 @@ #include #include +#include "common/event/real_time_system.h" + #include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" +#include "extensions/transport_sockets/tls/stats.h" #include "test/extensions/transport_sockets/tls/cert_validator/util.h" #include "test/extensions/transport_sockets/tls/ssl_test_utility.h" 
@@ -29,25 +32,33 @@ using SSLContextPtr = CSmartPtr; class TestSPIFFEValidator : public testing::Test { public: + TestSPIFFEValidator() : stats_(generateSslStats(store_)) {} void initialize(std::string yaml, TimeSource& time_source) { envoy::config::core::v3::TypedExtensionConfig typed_conf; TestUtility::loadFromYaml(yaml, typed_conf); config_ = std::make_unique(typed_conf); - validator_ = std::make_unique(config_.get(), time_source); + validator_ = std::make_unique(config_.get(), stats_, time_source); } void initialize(std::string yaml) { envoy::config::core::v3::TypedExtensionConfig typed_conf; TestUtility::loadFromYaml(yaml, typed_conf); config_ = std::make_unique(typed_conf); - validator_ = std::make_unique(config_.get(), config_->api().timeSource()); + validator_ = + std::make_unique(config_.get(), stats_, config_->api().timeSource()); }; - SPIFFEValidator& validator() { return *validator_; }; + void initialize() { validator_ = std::make_unique(stats_, time_system_); } + + SPIFFEValidator& validator() { return *validator_; } + SslStats& stats() { return stats_; } private: TestCertificateValidationContextConfigPtr config_; SPIFFEValidatorPtr validator_; + Stats::TestUtil::TestStore store_; + SslStats stats_; + Event::TestRealTimeSystem time_system_; }; TEST_F(TestSPIFFEValidator, Constructor) { 
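Review bot: The fixture's constructor initializer `stats_(generateSslStats(store_))` only works because `store_` is declared before `stats_` in the private section; members are initialized in declaration order, so a future reorder would silently hand an unconstructed store to `generateSslStats`. Pin that with a comment on the declarations, e.g. `// store_ must be declared before stats_: generateSslStats(store_) runs in the ctor initializer.`. The two `initialize(std::string yaml)` overloads take the YAML by value and only read it; `const std::string&` is the usual style. The no-config `initialize()` uses `time_system_` while the YAML overloads use `config_->api().timeSource()`, which is fine, but a one-line comment would stop readers from assuming the validators share a clock.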
@@ -120,31 +131,30 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { EXPECT_TRUE(SPIFFEValidator::certificatePrecheck(cert.get())); } -TEST(SPIFFEValidator, TestInitializeSslContexts) { - Event::TestRealTimeSystem time_system; - auto validator = SPIFFEValidator(time_system); +TEST_F(TestSPIFFEValidator, TestInitializeSslContexts) { + initialize(); EXPECT_EQ(SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, - validator.initializeSslContexts({}, false)); + validator().initializeSslContexts({}, false)); } -TEST(SPIFFEValidator, TestGetTrustBundleStore) { - Event::TestRealTimeSystem time_system; - auto validator = SPIFFEValidator(time_system); +TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) { + initialize(); + // no san auto cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); - EXPECT_FALSE(validator.getTrustBundleStore(cert.get())); + EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); // spiffe san cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); // trust bundle not provided - EXPECT_FALSE(validator.getTrustBundleStore(cert.get())); + EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); // trust bundle provided - validator.trustBundleStores().emplace("lyft.com", X509StorePtr(X509_STORE_new())); - EXPECT_TRUE(validator.getTrustBundleStore(cert.get())); + validator().trustBundleStores().emplace("lyft.com", X509StorePtr(X509_STORE_new())); + EXPECT_TRUE(validator().getTrustBundleStore(cert.get())); } TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainSingleTrustDomain) { 
@@ -181,6 +191,8 @@ name: envoy.tls.cert_validator.spiffe store_ctx = X509_STORE_CTX_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + EXPECT_EQ(2, stats().fail_verify_error_.value()); } TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomain) { @@ -218,11 +230,13 @@ name: envoy.tls.cert_validator.spiffe store_ctx = X509_STORE_CTX_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); + + EXPECT_EQ(1, stats().fail_verify_error_.value()); } TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) { - Event::TestRealTimeSystem time_system; - EXPECT_FALSE(SPIFFEValidator(time_system).getCaCertInformation()); // should be nullptr + initialize(); + EXPECT_FALSE(validator().getCaCertInformation()); // should be nullptr initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe @@ -233,8 +247,7 @@ name: envoy.tls.cert_validator.spiffe filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" example.com: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" - )EOF"), - time_system); + )EOF")); auto actual = validator().getCaCertInformation(); EXPECT_TRUE(actual); diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc index 9aaffcac61fe..00179e9cc4f9 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc 
@@ -374,8 +374,11 @@ name: envoy.tls.cert_validator.spiffe }; testRouterRequestAndResponseWithBody(1024, 512, false, false, &creator); checkStats(); + Stats::CounterSharedPtr counter = + test_server_->counter(listenerStatPrefix("ssl.fail_verify_error")); + EXPECT_EQ(0, counter->value()); + counter->reset(); } - // Server configured on SPIFFE certificate validation for mTLS // clientcert.pem's san is "spiffe://lyft.com/frontend-team" so it should be rejected. TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected1) { @@ -399,9 +402,10 @@ name: envoy.tls.cert_validator.spiffe } else { makeHttpConnection(std::move(conn))->close(); } - // handshake fails so the handshake counter must be 0 - Stats::CounterSharedPtr counter = test_server_->counter(listenerStatPrefix("ssl.handshake")); - EXPECT_EQ(0, counter->value()); + + Stats::CounterSharedPtr counter = + test_server_->counter(listenerStatPrefix("ssl.fail_verify_error")); + EXPECT_EQ(1, counter->value()); counter->reset(); } @@ -431,9 +435,9 @@ name: envoy.tls.cert_validator.spiffe } else { makeHttpConnection(std::move(conn))->close(); } - // handshake fails so the handshake counter must be 0 - Stats::CounterSharedPtr counter = test_server_->counter(listenerStatPrefix("ssl.handshake")); - EXPECT_EQ(0, counter->value()); + Stats::CounterSharedPtr counter = + test_server_->counter(listenerStatPrefix("ssl.fail_verify_error")); + EXPECT_EQ(1, counter->value()); counter->reset(); } From 3eb65f9c6c777f5603b22ae2a7994dcce22c3fc2 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 18:19:36 +0900 Subject: [PATCH 15/38] Add doc 
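Review bot: The `EXPECT_EQ(1, counter->value())` added to both rejection tests reads the listener's `ssl.fail_verify_error` immediately after the client connection is closed, with no server-side wait, so it can race the listener's certificate verification — most plausibly on the TLSv1.3 branch, where the tests already assume the client may consider itself connected before the server has rejected the certificate. `test_server_->waitForCounterGe(listenerStatPrefix("ssl.fail_verify_error"), 1);` in place of the immediate read avoids a flaky negative test; the `0` check in the accepted case is fine as written, since a completed request already proves the handshake finished. The trailing `counter->reset()` calls also look unnecessary: if, as is usual for these integration tests, each parameterized instance spins up its own server, there is no cross-test carry-over to clear, and resetting a server counter from the test body only obscures that.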
Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/v3/common.proto | 9 ++++--- .../tls/v3/tls_spiffe_validator_config.proto | 27 +++++++++++++++++-- .../tls/v4alpha/common.proto | 9 ++++--- .../v4alpha/tls_spiffe_validator_config.proto | 27 +++++++++++++++++-- .../transport_sockets/tls/v3/common.proto | 9 ++++--- .../tls/v3/tls_spiffe_validator_config.proto | 27 +++++++++++++++++-- .../tls/v4alpha/common.proto | 9 ++++--- .../v4alpha/tls_spiffe_validator_config.proto | 27 +++++++++++++++++-- .../tls/integration/ssl_integration_test.cc | 2 +- tools/spelling/spelling_dictionary.txt | 3 ++- 10 files changed, 127 insertions(+), 22 deletions(-) diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index 87bbfb94c1a9..1d80b5c02a8a 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -213,7 +213,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 14] +// [#next-free-field: 13] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; @@ -375,6 +375,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, then the usage of all the values above depends on the chosen extension. - config.core.v3.TypedExtensionConfig custom_validator_config = 13; + // If specified, all the values above are *ignored*. + // Currently only + // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` + // is implemented in Envoy. + config.core.v3.TypedExtensionConfig custom_validator_config = 12; } 
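Review bot: The new wording "If specified, all the values above are *ignored*" makes a security-relevant promise that is easy to misread: an operator who sets `custom_validator_config` alongside `match_subject_alt_names`, `verify_certificate_spki`/`verify_certificate_hash` or `crl` gets those checks silently dropped with no error. Either reject a CertificateValidationContext that sets both at config load — the safer default for a validation context — or at minimum list the affected fields explicitly and state that the extension is solely responsible for every check, so the sentence cannot be read as "the extension may honour them". On renumbering `custom_validator_config = 13` to `12` with `next-free-field` lowered to 13: that is only safe because 13 was introduced earlier in this same unreleased series; if any build carrying 13 has been published, the old number should be `reserved 13;` rather than left free.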
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index 61126de70546..f68d761ed041 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto 
@@ -16,8 +16,31 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: SPIFFE Certificate Validator Configuration] -// [#not-implemented-hide:] -// Configuration specific to the SPIFFE certificate validator +// Configuration specific to the SPIFFE certificate validator provided at +// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. +// +// Example: +// +// .. code-block:: yaml +// +// custom_validator_config: +// name: envoy.tls.cert_validator.spiffe +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig +// trust_bundles: +// foo.com: +// filename: "foo.pem" +// envoy.com: +// filename: "envoy.pem" +// +// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against +// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint +// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` +// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate. message SPIFFECertValidatorConfig { + // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s). + // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example, + // and maps to a data source storing x.509 trust bundle. + // Note that the key must *not* have "spiffe://" prefix. map trust_bundles = 1; } diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 513a435d5fb0..92205edd916b 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto 
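Review bot: The example in the new message comment writes the SPIFFE ID as `spiffe//foo.com/**` three times, dropping the colon; it should read `spiffe://foo.com/**`, and the text should say which SAN is consulted — the tests in this series match on the URI SAN, so "whose URI SAN matches" is more precise than "whose SAN matches". The two rejection cases an operator most needs are left implicit: a peer certificate whose trust domain has no entry in `trust_bundles`, and a peer certificate with no SPIFFE URI SAN at all; as far as the tests on this page show both are rejected, so a sentence such as "A presented certificate is rejected if it carries no SPIFFE URI SAN or if its trust domain has no configured bundle" belongs here. It would also help to state whether the trust-domain lookup is an exact, case-sensitive comparison of the URI host, since SPIFFE trust domains are defined in lowercase and a mixed-case key would otherwise never match. Finally, "is validated against the "foo.pem" x.509 certificate" should read "against the CA certificate(s) in foo.pem", and "before validate the certificate" should be "before validating the certificate".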
@@ -215,7 +215,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 14] +// [#next-free-field: 13] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; @@ -377,6 +377,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, then the usage of all the values above depends on the chosen extension. - config.core.v4alpha.TypedExtensionConfig custom_validator_config = 13; + // If specified, all the values above are *ignored*. + // Currently only + // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` + // is implemented in Envoy. + config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12; } diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index 9f13b5897068..5c9e7d7579f3 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto 
@@ -16,11 +16,34 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // [#protodoc-title: SPIFFE Certificate Validator Configuration] -// [#not-implemented-hide:] -// Configuration specific to the SPIFFE certificate validator +// Configuration specific to the SPIFFE certificate validator provided at +// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. +// +// Example: +// +// .. code-block:: yaml +// +// custom_validator_config: +// name: envoy.tls.cert_validator.spiffe +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig +// trust_bundles: +// foo.com: +// filename: "foo.pem" +// envoy.com: +// filename: "envoy.pem" +// +// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against +// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint +// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` +// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate. message SPIFFECertValidatorConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; + // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s). + // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example, + // and maps to a data source storing x.509 trust bundle. + // Note that the key must *not* have "spiffe://" prefix. map trust_bundles = 1; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 2c1cd53c19b6..4d1a5f1874c6 100644 
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -212,7 +212,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 14] +// [#next-free-field: 13] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; @@ -372,8 +372,11 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, then the usage of all the values above depends on the chosen extension. - config.core.v3.TypedExtensionConfig custom_validator_config = 13; + // If specified, all the values above are *ignored*. + // Currently only + // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` + // is implemented in Envoy. + config.core.v3.TypedExtensionConfig custom_validator_config = 12; repeated string hidden_envoy_deprecated_verify_subject_alt_name = 4 [deprecated = true]; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index 61126de70546..f68d761ed041 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto 
@@ -16,8 +16,31 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: SPIFFE Certificate Validator Configuration] -// [#not-implemented-hide:] -// Configuration specific to the SPIFFE certificate validator +// Configuration specific to the SPIFFE certificate validator provided at +// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. +// +// Example: +// +// .. code-block:: yaml +// +// custom_validator_config: +// name: envoy.tls.cert_validator.spiffe +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig +// trust_bundles: +// foo.com: +// filename: "foo.pem" +// envoy.com: +// filename: "envoy.pem" +// +// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against +// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint +// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` +// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate. message SPIFFECertValidatorConfig { + // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s). + // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example, + // and maps to a data source storing x.509 trust bundle. + // Note that the key must *not* have "spiffe://" prefix. map trust_bundles = 1; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 513a435d5fb0..92205edd916b 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto 
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -215,7 +215,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 14] +// [#next-free-field: 13] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; @@ -377,6 +377,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, then the usage of all the values above depends on the chosen extension. - config.core.v4alpha.TypedExtensionConfig custom_validator_config = 13; + // If specified, all the values above are *ignored*. + // Currently only + // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` + // is implemented in Envoy. + config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index 9f13b5897068..5c9e7d7579f3 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto 
@@ -16,11 +16,34 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // [#protodoc-title: SPIFFE Certificate Validator Configuration] -// [#not-implemented-hide:] -// Configuration specific to the SPIFFE certificate validator +// Configuration specific to the SPIFFE certificate validator provided at +// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. +// +// Example: +// +// .. code-block:: yaml +// +// custom_validator_config: +// name: envoy.tls.cert_validator.spiffe +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig +// trust_bundles: +// foo.com: +// filename: "foo.pem" +// envoy.com: +// filename: "envoy.pem" +// +// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against +// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint +// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` +// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate. message SPIFFECertValidatorConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig"; + // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s). + // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example, + // and maps to a data source storing x.509 trust bundle. + // Note that the key must *not* have "spiffe://" prefix. map trust_bundles = 1; } diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc index 00179e9cc4f9..0254d906a38f 100644 
--- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc @@ -374,7 +374,7 @@ name: envoy.tls.cert_validator.spiffe }; testRouterRequestAndResponseWithBody(1024, 512, false, false, &creator); checkStats(); - Stats::CounterSharedPtr counter = + Stats::CounterSharedPtr counter = test_server_->counter(listenerStatPrefix("ssl.fail_verify_error")); EXPECT_EQ(0, counter->value()); counter->reset(); diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index c1ab6a75b0a2..a5593c61bfa8 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -45,6 +45,7 @@ CHMOD CHLOS CHLOs CIDR +CITT CLA CLI CMSG @@ -482,7 +483,7 @@ ci ciphersuite ciphersuites circllhist -CITT +clientcert cloneable cloneability cmd From 7d8514a510f88c1d7bc93e6192aaf827bc163c6b Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 18:28:08 +0900 Subject: [PATCH 16/38] fix doc Signed-off-by: Takeshi Yoneda --- .../tls/v3/tls_spiffe_validator_config.proto | 2 +- .../v4alpha/tls_spiffe_validator_config.proto | 2 +- .../tls/v3/tls_spiffe_validator_config.proto | 2 +- .../v4alpha/tls_spiffe_validator_config.proto | 2 +- .../tls/test_data/keyusage_cert_sign_cert.pem | 36 ++++++------- .../test_data/keyusage_cert_sign_cert_info.h | 8 +++ .../tls/test_data/keyusage_cert_sign_key.pem | 50 +++++++++---------- .../tls/test_data/spiffe_san_cert.pem | 34 ++++++------- .../tls/test_data/spiffe_san_cert_info.h | 8 +++ .../tls/test_data/spiffe_san_key.pem | 50 +++++++++---------- 10 files changed, 105 insertions(+), 89 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h create mode 100644 test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h 
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index f68d761ed041..3521a2d975f9 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto @@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` -// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate. +// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate. message SPIFFECertValidatorConfig { // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s). // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example, diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index 5c9e7d7579f3..fc69177c8b00 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto 
@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
-// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate.
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index f68d761ed041..3521a2d975f9 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
-// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate.
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
 // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s).
 // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example,
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index 5c9e7d7579f3..fc69177c8b00 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -36,7 +36,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
-// SAN would be rejected since Envoy selects the trust bundle accodrding to the presented SAN before validate the certificate.
+// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
index 3bf712b40875..25028b5d2351 100644
--- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
+++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJDCCAwygAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjqwwDQYJKoZIhvcNAQEL +MIIEJDCCAwygAwIBAgIUAYmAZ+6hbKuqZM2Il52MljE1a0wwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw -MjAyMDQwOTI3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMDkyMDUxWhcNMjMw +MjAzMDkyMDUxWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwCu9C0MjZir120U6L1057DYAnfsjog8istS4 -YBy5uDkTJX5BZUOltIUgwdC54B2j3we3qNzWBD3EFeDTFWtHBRvbWcaxbDfN9/jo -5764fIthmR3iFUU2+YQZeSjwgLZWfv/ucBvmVt4jwfV0kkt50/hmEd81Pp7ZuJRM -bKNrj0yJThLSxTl5qiI29PR9u4EcMwLe0BSGJNKM7YSIPt+46lPlds+dS9Y2/Szb -ulrM0wj6h/UnkDNSZMYij6s/A9tB6piI7VfC9t9Q429GLV1mtihSp0nqOfjpfCFj -hCRLaPm9TWwcYQk8ftW9G4NfL9ou74mj0Or3bemz/9ctgdjdkwIDAQABo4GnMIGk +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gCzm3gD6JZfomjzCozSPUWr25ui6ZJGoWag +NN3l177h0F0r5QO5WGS/fuPLXMlzpPrhqp+RL0tpydyZYOTmunFdEWeusRSOsjoC +KCyj2ZyBHk6GJR8cajXWWbygfU6EQstK+pbBvekpD7bRGtQp9vFizlHFujQMZINJ +58T4U9W80kxjSCzpLSMx2Wxr5Wl3bJlhkYZXG2veYWyX7fiJjyZN0Ocqx+o8lf78 +6usdAZqWd2SR70fi9w7rIxd3MaFnJIsYdU9ZLsY+2IbKXg9UUiOsMt1fiQooDaMj +ecKUQA9qfjzHICmmWY8cF9754TNV9ThL+piltaMVmIoktCJENQIDAQABo4GnMIGk MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgLkMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAdBgNVHQ4EFgQUzWNy6ZlGKurbxD6U+n5wNKVkJYUwHwYDVR0j -BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp -bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAIyzMxqaLqsO -xJWmPaP0kwSxHhdFcvgygEYr2YSFiKJ6/MJZvy67W3IylRPVBkglbZ8m6lj96XsV -bC3k7aUIPj5dT59vSLwTOX2lSciuQ+rtxFLOLyXRbbr7z3uI8KOUn6a4KUs4cBB6 -1Ku7jAUeC1IwvXU0C+UOVDJMVBqD/pvte4a7FA9/0N+bMREh/1zOnE7I7pTxje3O 
-TVvFZA0i/zbt64wlnCDqq58Ilr5hAG6MmIq3RrfjAUQvP54nzAlbp41d+du9OuNn -+NS6Ayr6AtIvwMT+2u5bNmA8IjoyjTmPALe3pszy4OpU1F8Sk/A2MJb4FP790hJs -oOCbZto9Nyk= +BggrBgEFBQcDATAdBgNVHQ4EFgQU8R6+50oNvEzhzt+iNudChI1FYkEwHwYDVR0j +BBgwFoAU9w1V3h+WSaNIeCDs7lPMZeUWOM8wFgYHKgMEBQYHCAQLDAlTb21ldGhp +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACvaFh0JnLzi +lnGeuaYiNk1ZERAQPaCefAn2uMq8U6MPVIwVQhnWXC6f+VIaNgeBbGPdYuhEXoJ+ +gfJi5ce4HzYy/+qjJ6EhYy2TAI1JmXjBEi8MwSDw+tO+h6iARSVk7bb6bgcR3xYm +Xgt3jJQj2NWRE6/wQwWUBWZGjEXa3Obx+jVODEDwVFzTwzAhWh/DQ3ivOAXw7MaG +DQRwETPOpcx1YLD5r29O9iKECV8MpKanwxjcVhsVTIHmL1jKDFY0sBqA9l+1pbCJ +es/hbIRNN59OsGrX9znXRRdkR69E71RInxwPud9fnrlwFk7IXiHjZLdAhc+AFjFf +XrE7uAWd1Iw= -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h new file mode 100644 index 000000000000..d73ebd61e1e1 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h @@ -0,0 +1,8 @@ +// NOLINT(namespace-envoy) +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_256_HASH[] = + "78a03bd801ac785546db1cda5da2ac3996f1b5c1eec8d81ec5e52f37884f0eb8"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_1_HASH[] = "f0cd30df5854569a48225b7499119f18341edcb1"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SPKI[] = "zWTXHWKCT1bO9yFW9d/5tTyKaRfrcqCE9SE4LTWfxys="; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SERIAL[] = "01898067eea16cabaa64cd88979d8c9631356b4c"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_BEFORE[] = "Feb 3 09:20:51 2021 GMT"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_AFTER[] = "Feb 3 09:20:51 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem index 8ded0612d497..9cc2ff1d2a07 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem 
+++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAwCu9C0MjZir120U6L1057DYAnfsjog8istS4YBy5uDkTJX5B -ZUOltIUgwdC54B2j3we3qNzWBD3EFeDTFWtHBRvbWcaxbDfN9/jo5764fIthmR3i -FUU2+YQZeSjwgLZWfv/ucBvmVt4jwfV0kkt50/hmEd81Pp7ZuJRMbKNrj0yJThLS -xTl5qiI29PR9u4EcMwLe0BSGJNKM7YSIPt+46lPlds+dS9Y2/SzbulrM0wj6h/Un -kDNSZMYij6s/A9tB6piI7VfC9t9Q429GLV1mtihSp0nqOfjpfCFjhCRLaPm9TWwc -YQk8ftW9G4NfL9ou74mj0Or3bemz/9ctgdjdkwIDAQABAoIBAHmwOLmU/imIMr9z -CvFLO46Uc7eWfG3236YWhdp21jQOEE3BsW+KcrfpRWD1534/xrFIlchcbzmoUy73 -ezMpB4P4q+Ihq+A3RjosaG+3meNj752iCrQlbDZ8rBTJE+KtlAA/2KEtSaLgcAw2 -fmbVXIQZ26idi33n4T68ydhRc579YJ5lnyjJ56Fe3i4cNvgCu/8STDWVqqh8chpe -qGxrHhGmg1wRop+RRaFhjcz3LiDWE1cu0flti2WEXa/I5qUU9xNCpNtR9AQtQlEk -/hRUnS5+inEcvnzUHGUv+ZiP12N6KLXKlfKIZsQQ0o/0He3gW1cybLj9opg327MH -2LqDCOECgYEA/wxH+gGE+QM09jFdKAvi/dNqPPirtD86xBOmzcdOPITntQD82MIX -7Dn50BgGYyIdIBex7ZwShM6TLWxAA6GaxYVFFNJ7Ak286ZHjDBKFW4vAiTeCeAX6 -TDhB9tuLbQ3Kgoi5NvhEjE+5pa8XaPiclaPMopZsqcDVS9kNkEhfIR0CgYEAwONf -huEDFsCySIF/XnGyxXWXhrmETle+XB3wXX+ddmU/DZQ3ZjMDLSlCTKk7i92Oe64P -NHlsf/2WZsoBqJtAu1CdAhIvJT8MzD93KNldhj+gm18BXC7+iGHf+Yw8ryhepzbG -N9DbO54sT61TB1o3GhNrdJYYknt+PLTLEkqZ6m8CgYBGLKrhLunXWfqIgqyPCDY8 -gJ8Kh6E2xu70ZDPRCrWMEUVvmAX53e2XIZyKlRGs1QYOfnaGWhr+T5hPNyml1iEv -l6uaPw95YspHucwu1im7NoiTOKK9Q2fK8O+1bFLAfrrpj5TmewjhUk5SOArI5x6u -TZNQaPMdAeGuLNp+iGskQQKBgQCJYqnMsQH5N8EEYbAtvb/+YrZNkF+LSXXduLlW -bynhhVW2v0YCNf1iMkv1vGgcQ+9TanOMBZxhQWbZybIKvKILiOx76CXKWrEr3Vxr -LP8vOqyTXcTjOtmynDviS5+Bhrh8U0g1wz4TpaKcEbDcwMYUfZaA0NOpqeoNJRyq -55XfYwKBgEX4SiuCPzECulUh+5WSDJr6XcW/lDYAGtjz+B+vA8VLoHTMHctqM3vJ -IKHLKwfWUcpaxJSOs3JS7OckLHkposlDMG6sKX2VMaI8+UcRTjLUu32zc1DDDuLa -40tPHXkZ3y8uBbQyXMt1UkM6UIR/1b9JGf7Jq/pb+RpJyTXpg8eH +MIIEowIBAAKCAQEA2gCzm3gD6JZfomjzCozSPUWr25ui6ZJGoWagNN3l177h0F0r +5QO5WGS/fuPLXMlzpPrhqp+RL0tpydyZYOTmunFdEWeusRSOsjoCKCyj2ZyBHk6G +JR8cajXWWbygfU6EQstK+pbBvekpD7bRGtQp9vFizlHFujQMZINJ58T4U9W80kxj +SCzpLSMx2Wxr5Wl3bJlhkYZXG2veYWyX7fiJjyZN0Ocqx+o8lf786usdAZqWd2SR 
+70fi9w7rIxd3MaFnJIsYdU9ZLsY+2IbKXg9UUiOsMt1fiQooDaMjecKUQA9qfjzH +ICmmWY8cF9754TNV9ThL+piltaMVmIoktCJENQIDAQABAoIBAE2WpFX38AQuyNjH +24BswELYciMWEHRrAEJfgTNvqmcP49TB5GZ83dGNAe7Kak2a0VLti7WrVwPrJjqX +DevDbC79O+9+5FjYBTV/mdbslGBV6Ep+DhZWLUnL4X9MuB4A/Oe87PGlCE1sF5Yl +LeULj+f4336o8eOktKhtZbdcjjlfl7R/Dg62P/OINQwgJ44r2UUUQ4aF3YKTnzKA +IAoeywSbzMcRzfV6tiEHlVjXiS9EGyMVjizEXHECBgj0U6dbOjqcx6ELw5XGfGxK +8roAJ8F7phLR06HYAA+dp5Mvfs+WWJKmYxBlXp7RVj5c+VfTMHgpOmrNP3UCg5Re +I6KWa30CgYEA9EbGbdpDteegXdnhnJVYFyVL6R+T1KirFPTMHF1yji/ny87rOqIt +InzEhMNg2P3f/EOTERdspMoEp2BKH3BKRCr8hUZxyso+2aw6ToiyyCcfNHo76Ugs +jTvlNNzgEFeLJNkkpIMKx2bz4BX38ovoP9FyMh0SOHsJSeEL7jqO9nsCgYEA5Hcf +a8HTOGkO90qRRx24MlCG63gW1m1AwwkLRFKrC03IzdDfwMkh3vSKfIo4gpC0PkKE +ipMlFS3QcjKora9JiCAaLcA1Kl5Q6VGT9Hmb4MJO5Xg03etOTPmx//HVT9y9COhJ +KkyDS47DnK58x47BH4US2GWlIgMTqNlxXyFuiQ8CgYB4JlO1drT1RR+o6eFBrmds +wwiKeuCwqeG0Zg/7J6+P5lpB8d3bsic3Hl1e2+bH9F92ahptPrNOfps5ZHAw9H9i +9i3Ms/CGiWHOmRr4w94D+tIrcrADN1/KfBpqHPYMs7KaBkAyts3XdHkh0ExrvYsX +0MI1if0LUOEpuIqwu5bT/wKBgDYcSKLa+03nBBZp4NK5JUE1dV8byDztD2OiJrr9 +4WkB+UdV60jb2lvWC17H1e6Gm0oLsxynESdc/Huvp+fLFl1ZTRn85hqsz/kSyzoh ++1tWah1LRSoyaw8sLI50FpOdsmADtCCCkq44l/fqE7+n/fGbMQVzvZK6q9NX/NQN +NQLdAoGBALHeeISRGSOYqByRjh7/lOjeU1OEobQ8TqL2CcYVx1IdnWCJ7M90vw9y +Z+KhMr5K0PaBjDaCf3+/pgPGsUAXz+w011DhwthFvMnoLz1D3jUSgLPYjzaGzpxn +o5x9sAenJc0VLzE5+qiL3PLfJaCslXASaQXCuEpQTQLfM2S/t/ox -----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem index e4582fe77178..08a9264001ab 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJjCCAw6gAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjq4wDQYJKoZIhvcNAQEL +MIIEJjCCAw6gAwIBAgIUAYmAZ+6hbKuqZM2Il52MljE1a04wDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw -MjAyMDQwOTI3WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMDkyMDUxWhcNMjMw +MjAzMDkyMDUxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt+X3Nrq4xJyEjU19k28D9fFCBut+Fv73W -CffsBdDTsPetKlT8imPtZYzrCjVkcCjrqbkXs8LneRaPrHDi4FThI84O+axvOSHt -UnslRM5/qBNd1TNmUzK0jOc49IlIRjr9jI9MO0W6KcL1mA2dj9lGllvT9AJHHh5l -hE4mv20Dh/LQRaMfrDrRD8sDMWbwW8G+NDykbcxF3IkUAhEJkiZgWvIF3yjCtIE0 -d1D50gEURjoW9+vP5RlWFgg7TGEwBDKaYw+2lD8vVtmcCWNFQ+8vEmPo1dwlqNoR -5nToF0ScUDBn1mLl8sahzhtpr0Q5kJhplnZYGBrsYggTvOQVYEDrAgMBAAGjgacw +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeu3FnLHgZMwwYzKHBy8uOTqZZMBh/K/x +9qJ0P6SFuItgdiVZvZPrHJnOm/Mhm01iKEmvKFlGdlBkdscRd69m9mEZ/A/7EaE0 +TBc0/eow+s8sBxMw1tA7L3JX70jocP8dvLdla746Gn3D95ZXY0Tp5y+KOssgKE1O +SNrhtDsDl1laUikoJatPlr+DQTx/gDd4tCKErIXr9PNQNDYbJwwj7KcZ0/yC7duB +oqouzTtw/B4HHJX18g034f/JWXiMSYfRdFcx6147il2WCNJC9AEjxR2H+ewhTwnX +hmtUAXqTLgVyG4UMnaUEqY9P1wnNDmUKpS+YMcUFNtuwVgY+XyTbAgMBAAGjgacw gaQwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMBMCgGA1UdEQQhMB+GHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv -cmtsb2FkMB0GA1UdDgQWBBTXgAUzCJMxtKCZ/RiptQaEPAzMFjAfBgNVHSMEGDAW -gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAKTjo2IIg -happyS6X6ewjKjxnQSPInrr66+S1TeWVBdaBRttSsQmZ3GbDE267B+Oz304gEFha -759+CJLJMh+k72i3xRfl1JReM56MmQVawBhcfw5BX5q+1gnn4USucQQPez40KJj2 -Yqi0BoGD5vWpYHHPfbsoY8e2nqLQHhG/9BTw1QK+4yfalW8fdt9BSwdpEDzWIe8R 
-OYu1Id/Z6ulv9p2t/AwcclCqbNCzDsfuMTSy5g45ZwB/5wridMXrwHVUxhn3+uJ/ -rN5kAhgONFHTP0ffEvsbLosFS8MXP7O8aAS6YqCMg4sE2tkLIggWohoNvUecTnUC -KJ3OsK+PJ81Hrw== +cmtsb2FkMB0GA1UdDgQWBBRzJVlTF/N4v6Trb1h0Kqmidy87OzAfBgNVHSMEGDAW +gBT3DVXeH5ZJo0h4IOzuU8xl5RY4zzANBgkqhkiG9w0BAQsFAAOCAQEAbiImeWv1 +//xbp3pDatDC7Mi/z3TDs5NbWlzxTX4nGnySnpa2KDDtBcBieSXxsRpy3EITKedL +IS6kH8EXsfg9oEciBcUOITUx5x5iUVn6/YoEHSBrkQpBiqljUkuhDKYsd8yfV1uF +Wfo2zN4Pq4ro4O9CXhs8BCGb24Co7tN2nkh9lmrnOAPh1LymKyciUhmKFmVyk5Tr +MRe3WCgqFS8R/4iWJpiZ5ItSvLgQnkebdeIn1G6zjoWqEsUuAYggJFlkpyRJ7XCW +TtWuiTYN5ig82J0dDbInqBF2wfMrRPmRs4Sq+Nqp4xxvLtLdmb084+F4J0oTBrm6 +yNgT1lxr0OCfkw== -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h new file mode 100644 index 000000000000..0028cf27c092 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h @@ -0,0 +1,8 @@ +// NOLINT(namespace-envoy) +constexpr char TEST_SPIFFE_SAN_CERT_256_HASH[] = + "88773cb9c974569309d6046f95445897b88354cc5c75a65309f79d2585b69da5"; +constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "8cd2497f8391b55350788dc38b457ca4e0bb88e5"; +constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "N33Itj55FatWYheYQmwh25oa2ebUlYBz2KaCw7pYRGA="; +constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "01898067eea16cabaa64cd88979d8c9631356b4e"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 09:20:51 2021 GMT"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 09:20:51 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem index ec079d382389..79fbbc95f7c8 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA7fl9za6uMSchI1NfZNvA/XxQgbrfhb+91gn37AXQ07D3rSpU -/Ipj7WWM6wo1ZHAo66m5F7PC53kWj6xw4uBU4SPODvmsbzkh7VJ7JUTOf6gTXdUz -ZlMytIznOPSJSEY6/YyPTDtFuinC9ZgNnY/ZRpZb0/QCRx4eZYROJr9tA4fy0EWj -H6w60Q/LAzFm8FvBvjQ8pG3MRdyJFAIRCZImYFryBd8owrSBNHdQ+dIBFEY6Fvfr -z+UZVhYIO0xhMAQymmMPtpQ/L1bZnAljRUPvLxJj6NXcJajaEeZ06BdEnFAwZ9Zi -5fLGoc4baa9EOZCYaZZ2WBga7GIIE7zkFWBA6wIDAQABAoIBADf2mDMqhSRiA1T/ -YkuhsjzqYzRe8fnOIaKYLYl/xKBD2bsLXXkWQnGtk/oiKHQ6PCVPgIumZotw2nFn -KBTylINtnCPBa1+sm+Hnp7YX/EfhCsziOngx0JbNHAM03qP0gCLoTzqqJbel4odG -/syy63HCIk4x7+cxmgxdlNNf6Q8PEVinf+4ZgmyYD9e7qGmBYjJI58T3J+L5BO61 -+J4gt7a292rxgRB+3tbAje3LTptmsnx/6oGhWdOWn16vWN4LFRTmsKAUNj3l1pwo -xRQzf6T/mbyaLdTLZye6OPJ9eqp3feJrpGKROoWkQ5o3pFUzlKpvgs3bCUi2oURf -od3CaeECgYEA/GUgVsvU3QPq8NArVKF56l6c1ycLTJ1UfhY5OGLdWmL1k8dXr/hj -mmK6ZAziU35n+HFGpx+rE432CviRagtXgecsSZ6+i0PRGPMW/MVYvyp0ZcqbF1su -6cyXLTNVC/vR09bgxav4MKBG6BNoLeqxuBr37kdZuzOw2WYAesVvcVUCgYEA8V+j -IQwgcZDoDQfYSm6cjCq3/DcKcv/BHjKOuI7l3d9A2zB+ooyGuwHaFQRvo1/2V+sm -jfKrtqJP6T1vscFHUI8j0ANsWqdaF4hVk8v8If2WPW8GLEH8CEVJbAmyhZE+G0no -aX+EPDIM/ld8dsR5UnypEzz2mRCYkOVmMwGZ6T8CgYAZg5uGSqqlAP1iBJksv/oU -ECZotYC16P2elV6Jba0UswZCPxeFKWXgOHTBInBKom+eNM1AnbnsiyBBMal5f9YD -wru+YXa/m0Zq8D/1o3l6Ma98jsOo08XlSpJJtnO1d2pZsNIeCWlYeQtR8IxKf/wh -MVC43Kucefg5sc8Ami7O1QKBgQC6wDYk0Y8gju8bdeBg5mf1AvBLEgLhqwOt64wF -O3qaSauSa1jvRy7O7cXf0QjXLN4ac/Pmi8VTjw2o9kG/FD2rFLSuspdZJHZOEsuz -iHXRjrR5X7c08vCfLYx7LJ2VPiUBVBOf3Gthb5AiEWpZMfZ0XcMrAVYCY5bHNNX3 -zNtaXQKBgQD4YXg3z+Ygqx3zkaB2LrAu5drHjJtWny0iwbIT86wBfma/KlhJkiPY -Bs+4M3XvuR5hGgg5ncoULcLsH1JDYVm5TbwuNyBfar+CRqW43gxT1m0nvw6U3wKD -+2kYGZxv7od/MOlKchENfZS20xkOFN0h6nQDBEWPbAUT+hEq1pZBhg== +MIIEowIBAAKCAQEAy3rtxZyx4GTMMGMyhwcvLjk6mWTAYfyv8faidD+khbiLYHYl +Wb2T6xyZzpvzIZtNYihJryhZRnZQZHbHEXevZvZhGfwP+xGhNEwXNP3qMPrPLAcT +MNbQOy9yV+9I6HD/Hby3ZWu+Ohp9w/eWV2NE6ecvijrLIChNTkja4bQ7A5dZWlIp +KCWrT5a/g0E8f4A3eLQihKyF6/TzUDQ2GycMI+ynGdP8gu3bgaKqLs07cPweBxyV 
+9fINN+H/yVl4jEmH0XRXMeteO4pdlgjSQvQBI8Udh/nsIU8J14ZrVAF6ky4FchuF +DJ2lBKmPT9cJzQ5lCqUvmDHFBTbbsFYGPl8k2wIDAQABAoIBAQC2pzF6+u6dPD4i +jVkU5nkOqCaW/V7IVrhlnfw0F9EKjB7oxwU+KjP2j+TtFwZHu43aN8n05mZFHv2J +QSnu3x3fcfi2B5Mcz7WCKW+HjQpFT07a+brbU2j2R9//WXd717raKcYCz5WhuJf+ +amhVJ3H7+R+umJov0p2aUUHR6yQyUncMxIG6JWq7TdBXEYn9ZKkKWu41mGjr2AZn +kXrL8qr/Tu5S2j4a/LJ/QmE5JdesJ6W1i2QnonfUgg6BQFetgkw4aRaQqxkXlORS +jZO6OSoRle+wRkSER7JwHrr3Qnyg3eaZ2JhX+qCz+0SiDtvjCS1LGcjPSqdkdkYB +ypXrPhipAoGBAOS5JOoVnozrHz+eMx6oz8GWGfFC2RHuwQL7X9hNIt7yoKvUZIOU +jiKb2aQdBVbeaTfCySnpUj6NaGPEl2EtwUvBYBhCAjZS3rBtnAc6ghZRZlCYSdd8 +XFpuALOsUIOJGfpDYj9JcmdNSqH9IhDdrI1FyJlfNaFPvRCWMF/bK6qNAoGBAOO/ +HztqCI2YJfg63ETOtcJDqRFsRM0asr9fkvtsCcKGv9gnoP+B8RSx1z4cgdmxjkh0 +mQFg6FeN3SFgUP9759GPDHBu6d3CUw1ep617b7WxuGPV7BXwT/Vh3f04PZd1mpoH +cgOp2xYJKdxriPTNMQIAAP0AqiBYN9oCquoaeicHAoGAWINVx8kKDJrJAwOj4M+P +ZulBrN4jxw7QXukM1FY1knXuu9B7/Xe18arCdQJOGKoFqfCVjMSgcVij90gTFSZx +0XFKUNjqpj83sqsYYKvBwAVMRRBKMzwLOWuslduvZNff17vP/5Ha1iNRKJMfZcuD +hUBmOwRfasfC8PJOUiotIdkCgYA6TEoqY1IdLL1LdYW890z/lWJJ23UhK5xl8Ikn +Yth8uxGQu1QzE4gqy/tVIub6WsEZOv+PosbW4rGgQY96VrVYp01/2mRzJ7Mq0PgL +KHXIBN42cCQm2YUeQxcYIrVhd/FDTHSbC3fRhDb6/Wvpfjz1ThryqKDj9rEVVWl6 +05xBMQKBgDm6S91itOi8w6xm9hXB5mfcPOGdPMsHvKqpjfCmQ19LpAgIazuZ/36H +t2t4Zyhz5HASrr0Gjk/t+Kj4eybjBlOZGc5Z1Vf1+E2TSkpTlFvdxiDUoFBMs8/h +ec0p5xEUrumGgaxxpK5quN0uJ9zBfGBdPsibY3VpqoX5diOmLnPW -----END RSA PRIVATE KEY----- From 1b3d25671ea228c6bf589248b16ab00ece27e125 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 20:56:49 +0900 Subject: [PATCH 17/38] fix -c opt test failure 
Signed-off-by: Takeshi Yoneda --- .../quiche/envoy_quic_proof_verifier_test.cc | 4 +- .../tls/test_data/keyusage_cert_sign_cert.pem | 36 ++++++------- .../test_data/keyusage_cert_sign_cert_info.h | 12 ++--- .../tls/test_data/keyusage_cert_sign_key.pem | 50 +++++++++---------- .../tls/test_data/keyusage_crl_sign_cert.pem | 34 ++++++------- .../test_data/keyusage_crl_sign_cert_info.h | 8 +++ .../tls/test_data/keyusage_crl_sign_key.pem | 50 +++++++++---------- .../tls/test_data/spiffe_san_cert.pem | 34 ++++++------- .../tls/test_data/spiffe_san_cert_info.h | 12 ++--- .../tls/test_data/spiffe_san_key.pem | 50 +++++++++---------- 10 files changed, 150 insertions(+), 140 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h diff --git a/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc b/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc index 09b3dcbd44d6..a0f13fd900e5 100644 --- a/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc +++ b/test/extensions/quic_listeners/quiche/envoy_quic_proof_verifier_test.cc @@ -66,7 +66,7 @@ class EnvoyQuicProofVerifierTest : public testing::Test { EXPECT_CALL(cert_validation_ctx_config_, verifyCertificateSpkiList()) .WillRepeatedly(ReturnRef(empty_string_list_)); EXPECT_CALL(cert_validation_ctx_config_, customValidatorConfig()) - .WillRepeatedly(ReturnRef(absl::nullopt)); + .WillRepeatedly(ReturnRef(custom_validator_config_)); verifier_ = std::make_unique(store_, client_context_config_, time_system_); } @@ -81,6 +81,8 @@ class EnvoyQuicProofVerifierTest : public testing::Test { const std::string cert_chain_{quic::test::kTestCertificateChainPem}; const std::string root_ca_cert_; const std::string leaf_cert_; + const absl::optional custom_validator_config_{ + absl::nullopt}; NiceMock store_; Event::GlobalTimeSystem time_system_; NiceMock client_context_config_; 
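Review bot: The new `custom_validator_config_` member added in the second hunk carries no comment saying why it has to exist, so a later tidy-up could put `ReturnRef(absl::nullopt)` back and reintroduce the failure this commit fixes. `ReturnRef` holds a reference to its argument, and `absl::nullopt` in the removed line was presumably converted to a temporary `absl::optional` that no longer existed when the mock was later invoked, which fits a failure that only surfaced under `-c opt`. Suggest recording that on the declaration: `// Kept as a member because ReturnRef() stores a reference; a temporary built from absl::nullopt dangles once the enclosing function returns.` The template arguments of `absl::optional` here and of `std::make_unique` in the first hunk appear to have been lost in the page rendering, so I have not quoted the full declaration. The class body continues outside both hunks.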
diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem index 25028b5d2351..8f6a5adf8f4d 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJDCCAwygAwIBAgIUAYmAZ+6hbKuqZM2Il52MljE1a0wwDQYJKoZIhvcNAQEL +MIIEJDCCAwygAwIBAgIUGf0AE7012IPTiBn6CB+c3SVvbcgwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMDkyMDUxWhcNMjMw -MjAzMDkyMDUxWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTExNjM4WhcNMjMw +MjAzMTExNjM4WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gCzm3gD6JZfomjzCozSPUWr25ui6ZJGoWag -NN3l177h0F0r5QO5WGS/fuPLXMlzpPrhqp+RL0tpydyZYOTmunFdEWeusRSOsjoC -KCyj2ZyBHk6GJR8cajXWWbygfU6EQstK+pbBvekpD7bRGtQp9vFizlHFujQMZINJ -58T4U9W80kxjSCzpLSMx2Wxr5Wl3bJlhkYZXG2veYWyX7fiJjyZN0Ocqx+o8lf78 -6usdAZqWd2SR70fi9w7rIxd3MaFnJIsYdU9ZLsY+2IbKXg9UUiOsMt1fiQooDaMj -ecKUQA9qfjzHICmmWY8cF9754TNV9ThL+piltaMVmIoktCJENQIDAQABo4GnMIGk +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlePKCulIVDnvv7pvlaDtAfR+PJ504y6Ncxgd +nTyNnRCKHBnwlq56WWYkilc60FKdE4DehXWY9akyIlrA8nna3ckZ1PSM9GdHJRCn +JWUh1RirWS8xdhT7zbFH54BnGjj+7KT6JzsMKrP3vYa1Y5Ff/N6q9KFY5hQUWJ8X +gaWqxySi+yxFGhevjp3Gq0FTX3thoeMYOHt5AfwlFnXaKlc+xupWaAFl5VQAM8VS +G8IG+YOsxZmI8wNdk9BIJCUIubvNykYMrwveVkgnCYB1K3wYwNNjJt9Q5bFKtRfl +MKQ4KzugNlWU/PowIbDlla/NwSO866iYkROIZeW9aty5L+1KhQIDAQABo4GnMIGk MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgLkMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAdBgNVHQ4EFgQU8R6+50oNvEzhzt+iNudChI1FYkEwHwYDVR0j -BBgwFoAU9w1V3h+WSaNIeCDs7lPMZeUWOM8wFgYHKgMEBQYHCAQLDAlTb21ldGhp -bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACvaFh0JnLzi -lnGeuaYiNk1ZERAQPaCefAn2uMq8U6MPVIwVQhnWXC6f+VIaNgeBbGPdYuhEXoJ+ -gfJi5ce4HzYy/+qjJ6EhYy2TAI1JmXjBEi8MwSDw+tO+h6iARSVk7bb6bgcR3xYm -Xgt3jJQj2NWRE6/wQwWUBWZGjEXa3Obx+jVODEDwVFzTwzAhWh/DQ3ivOAXw7MaG 
-DQRwETPOpcx1YLD5r29O9iKECV8MpKanwxjcVhsVTIHmL1jKDFY0sBqA9l+1pbCJ -es/hbIRNN59OsGrX9znXRRdkR69E71RInxwPud9fnrlwFk7IXiHjZLdAhc+AFjFf -XrE7uAWd1Iw= +BggrBgEFBQcDATAdBgNVHQ4EFgQUkGcFiogsv4LFO6e7juYw1Z/PsvUwHwYDVR0j +BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADvpQnMwqH09 +TetXraNmhvXUmhnTCaoStVQpWtEvOnnqHZ760Lc2XG1dKL6v40AovGK4PLlf7kds +Uz5oj65Wb7Z7pxz5Aa4P02VocMoASgYFMQrIJe4e0SIwfKX3UUhvmSG3e4mxu3nV +JHm4A2NZ9weuOIx6+6Hb6S8PfMLUbmmf3/ZCvNVMNlwllfsOwpMsDffT29GrbiZO +3UIQ5nq+aKuGzOCjg1tjB0fETdEE2/MqRUMdB8lOcT49ZhsJq/MLGw29NGyCB+ky +59xUk8U9c/C1NwxtaFFJzhMhDlOxjXXxpGt06QbOoH+B2yIW0r4uVymWhAUq/ewx +9RYva+yssd0= -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h index d73ebd61e1e1..2d1971cf2508 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_cert_info.h 
@@ -1,8 +1,8 @@ // NOLINT(namespace-envoy) constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_256_HASH[] = - "78a03bd801ac785546db1cda5da2ac3996f1b5c1eec8d81ec5e52f37884f0eb8"; -constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_1_HASH[] = "f0cd30df5854569a48225b7499119f18341edcb1"; -constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SPKI[] = "zWTXHWKCT1bO9yFW9d/5tTyKaRfrcqCE9SE4LTWfxys="; -constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SERIAL[] = "01898067eea16cabaa64cd88979d8c9631356b4c"; -constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_BEFORE[] = "Feb 3 09:20:51 2021 GMT"; -constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_AFTER[] = "Feb 3 09:20:51 2023 GMT"; + "182894ffefcf77ca5be0907d37cf20142bedfa9f65979ca1b33668e2884732a0"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_1_HASH[] = "448a4b76b671cc6ebd7db9740958d2e150fc7c5f"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SPKI[] = "U4oa9edhO4+vrb95H+HrAM4+laJ/eoQOAtToNDoiciE="; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_SERIAL[] = "19fd0013bd35d883d38819fa081f9cdd256f6dc8"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_BEFORE[] = "Feb 3 11:16:38 2021 GMT"; +constexpr char TEST_KEYUSAGE_CERT_SIGN_CERT_NOT_AFTER[] = "Feb 3 11:16:38 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem index 9cc2ff1d2a07..d6df1edef0f2 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_cert_sign_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA2gCzm3gD6JZfomjzCozSPUWr25ui6ZJGoWagNN3l177h0F0r -5QO5WGS/fuPLXMlzpPrhqp+RL0tpydyZYOTmunFdEWeusRSOsjoCKCyj2ZyBHk6G -JR8cajXWWbygfU6EQstK+pbBvekpD7bRGtQp9vFizlHFujQMZINJ58T4U9W80kxj -SCzpLSMx2Wxr5Wl3bJlhkYZXG2veYWyX7fiJjyZN0Ocqx+o8lf786usdAZqWd2SR -70fi9w7rIxd3MaFnJIsYdU9ZLsY+2IbKXg9UUiOsMt1fiQooDaMjecKUQA9qfjzH -ICmmWY8cF9754TNV9ThL+piltaMVmIoktCJENQIDAQABAoIBAE2WpFX38AQuyNjH -24BswELYciMWEHRrAEJfgTNvqmcP49TB5GZ83dGNAe7Kak2a0VLti7WrVwPrJjqX -DevDbC79O+9+5FjYBTV/mdbslGBV6Ep+DhZWLUnL4X9MuB4A/Oe87PGlCE1sF5Yl -LeULj+f4336o8eOktKhtZbdcjjlfl7R/Dg62P/OINQwgJ44r2UUUQ4aF3YKTnzKA -IAoeywSbzMcRzfV6tiEHlVjXiS9EGyMVjizEXHECBgj0U6dbOjqcx6ELw5XGfGxK -8roAJ8F7phLR06HYAA+dp5Mvfs+WWJKmYxBlXp7RVj5c+VfTMHgpOmrNP3UCg5Re -I6KWa30CgYEA9EbGbdpDteegXdnhnJVYFyVL6R+T1KirFPTMHF1yji/ny87rOqIt -InzEhMNg2P3f/EOTERdspMoEp2BKH3BKRCr8hUZxyso+2aw6ToiyyCcfNHo76Ugs -jTvlNNzgEFeLJNkkpIMKx2bz4BX38ovoP9FyMh0SOHsJSeEL7jqO9nsCgYEA5Hcf -a8HTOGkO90qRRx24MlCG63gW1m1AwwkLRFKrC03IzdDfwMkh3vSKfIo4gpC0PkKE -ipMlFS3QcjKora9JiCAaLcA1Kl5Q6VGT9Hmb4MJO5Xg03etOTPmx//HVT9y9COhJ -KkyDS47DnK58x47BH4US2GWlIgMTqNlxXyFuiQ8CgYB4JlO1drT1RR+o6eFBrmds -wwiKeuCwqeG0Zg/7J6+P5lpB8d3bsic3Hl1e2+bH9F92ahptPrNOfps5ZHAw9H9i -9i3Ms/CGiWHOmRr4w94D+tIrcrADN1/KfBpqHPYMs7KaBkAyts3XdHkh0ExrvYsX -0MI1if0LUOEpuIqwu5bT/wKBgDYcSKLa+03nBBZp4NK5JUE1dV8byDztD2OiJrr9 -4WkB+UdV60jb2lvWC17H1e6Gm0oLsxynESdc/Huvp+fLFl1ZTRn85hqsz/kSyzoh -+1tWah1LRSoyaw8sLI50FpOdsmADtCCCkq44l/fqE7+n/fGbMQVzvZK6q9NX/NQN -NQLdAoGBALHeeISRGSOYqByRjh7/lOjeU1OEobQ8TqL2CcYVx1IdnWCJ7M90vw9y -Z+KhMr5K0PaBjDaCf3+/pgPGsUAXz+w011DhwthFvMnoLz1D3jUSgLPYjzaGzpxn -o5x9sAenJc0VLzE5+qiL3PLfJaCslXASaQXCuEpQTQLfM2S/t/ox +MIIEogIBAAKCAQEAlePKCulIVDnvv7pvlaDtAfR+PJ504y6NcxgdnTyNnRCKHBnw +lq56WWYkilc60FKdE4DehXWY9akyIlrA8nna3ckZ1PSM9GdHJRCnJWUh1RirWS8x +dhT7zbFH54BnGjj+7KT6JzsMKrP3vYa1Y5Ff/N6q9KFY5hQUWJ8XgaWqxySi+yxF +Ghevjp3Gq0FTX3thoeMYOHt5AfwlFnXaKlc+xupWaAFl5VQAM8VSG8IG+YOsxZmI 
+8wNdk9BIJCUIubvNykYMrwveVkgnCYB1K3wYwNNjJt9Q5bFKtRflMKQ4KzugNlWU +/PowIbDlla/NwSO866iYkROIZeW9aty5L+1KhQIDAQABAoIBAFQ4YdYvrgxlYWkB +gKE6gvGOR0AYaOUdyyzYaAtpcsjF+lQ/3wdLkkOZOP7idJGJWekTh/TFVuTx5NGY +3MFh5rCnxnP51RmezkLtUH2ajaAG9IBwHAKVV8cDzbsuUsBRNiwRpt1UOEnmRVWg +01rW3HBhTP2XizP8JFKHUdXvGD48Y5PLoFxDuP4Nth8WlcoYXdT8v0RyN/XGBS7E +w1gX3f4EtWFvFZGBeUrcaRZkdj6GLNr046GAxeY+DIdRFIxevIep06X0xAOTiuwC +tKBFj9KJqAFhCbjen2pUvrOZN3tXKlnlCDpwT/OAk/zoYHwIgJRvnYCNY7TA3AnG +NBYNIgECgYEAxT4kJEwzO8LQERcsVI4j0AXJkjV9v+U3l3xy9mjZ46AiEh146iGy +R/VzVw5f7w9xSICwk76uN4N9p+p/u1RC0HmTP30oLr/JoNmCAh5V00P/GDPVIEUc +S6Kab9NDtUU/fInNOseuu8uo0utLjWBmcWB16zaQI4qA/zhSYsZ++FUCgYEAwop7 +gJNbJ944r21lcAwHl/fnVA9wURxWPwnlnvsV3kC8c9sMPpUkuzdwmPthcwxM7oW+ ++kbSdJmqpYbprtpo90Oj35rx6Ozsp3LqlxHclGfoS/wnT6XOuUSD9VWlntdsRu1U +VjUfx4LMdMoeMY2rk8Ek3vY3uguxJ1lKATv7+XECgYBjCQKInyISXYyvKB2ADyZ4 +Ko+9M9KB6YtyKnBmvNq6agrxYY72sBid/OX+zh7pH63Xo5YFePZstT8AcsPTwUkS ++BgxBpyIbI/Gja+zdJvPShLpigz2+PxuFaTJhSA4Ah8QXviHDP/1FxsbXD1BLSgC +wVYz1d+lmMOQYi0rn1LdSQKBgFp2YOWyIAJTAJL60N+giGtvWL+rCjR9c9GOfZtG +8K1P9xH8ux3i5pi0OAS7aF5CSwfjY6IoCrczubmNGd84KvVIG8zf1TvV6FoZQuMK +6EKOauPiljkgRhe6t43+zKwnSm9U7xHDVErHFOH+Fro+QZnMh6OyZMl7pF5C0/ns +9cfRAoGAWeCaaX/IbVtCrp6IEcyc3vVI+vLxWEh6wW/8dCrxO06S+gy0NlPa8+JZ +mTgz3U5il3f5X33oeQ2zVSDqzICrvpvBdf38pi66NEJnkgVeIijPkVKFnwHcW91t +AQNkEbeiDPqcZoKKm4n8SDfTbk+i9mC/CzUMufwhbPDB71DtvZA= -----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem index ea6ac44cc84b..fadd8b850595 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJDCCAwygAwIBAgIUCGcq/Wzl3SBFQkro7Owk9sUnjq0wDQYJKoZIhvcNAQEL +MIIEJDCCAwygAwIBAgIUGf0AE7012IPTiBn6CB+c3SVvbckwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAyMDQwOTI3WhcNMjMw -MjAyMDQwOTI3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTExNjM4WhcNMjMw +MjAzMTExNjM4WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzESMBAGA1UEAwwJVGVzdCBDZXJ0MIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7Zy44YmX+9tUKYpJe+Q5cKtggFgC03mVxlVE -mHe0wQn+EiZsa6JKpVH0f4YAwVhEskxexHyPX2H1zeqrxHoRJAZzHeNjL/SMuK6L -Ko9yE5Y7Ih9PKb96s3jWzTmErU6l/03ZHBudJ1BhUo+7uEYp0JWlhtIPjOg5eNPN -FiI4eOMf1kB+xM/JASA89lX8AnpUyqUqG/27/jmOYn5WqPr9krluGdKfj+J0EmwB -Rda/oXDWpxzxND2Xjal1NjPfpwiC+tK4hZWfQxFoz8gwYuCEbPrRijQIsGy2kzNy -PGZE44QWSXMzzQN3QQad2pgqefAzJyatFHCrFmgrT71H8LuAPwIDAQABo4GnMIGk +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6e0liMSEiPQFXUiM+Z6qzajpxGrFZP19v2Ds +1V2W5j/L5RIBfUWT4Cwsq44/r3GHjfCq++uJe828/F7Ukg9pMksRidEs0TUD/lpP +Heil6RGKRGZpzCiXYv0LZPKPDHJZyXLTXnlTAO3jE/jAujCwHNZroRs803g/5RaZ +5P3bhMdRgQDbB15v86aP5uaaXYUzcy1mGq3bSa0tAkhbYngsbSqhpLvtiAN11cgn +sh+TMs6TbcDGJXD5jXnNdHZfbrynrd/sLnvT0FoRdxEo4uO1+LG0khx4v4lAZ66n +GGMhYDBbBHA/9nSrwlZ6nmp3piQD6BKOn1xxqADdKl5Cs1OrrQIDAQABo4GnMIGk MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgHiMB0GA1UdJQQWMBQGCCsGAQUFBwMC -BggrBgEFBQcDATAdBgNVHQ4EFgQUIZWJJIF4dn435rFAoC/dps39SGowHwYDVR0j +BggrBgEFBQcDATAdBgNVHQ4EFgQUnDiVycGw/XZydkQvsH23x3J8h1gwHwYDVR0j BBgwFoAU08ELI+PDqPIyvl9UwT94OBNVA9kwFgYHKgMEBQYHCAQLDAlTb21ldGhp -bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAEXVACXt+AvN -mNCSLxCSLcc+ZkuYUKMZPUNEf75RFh8OhKcosALjKGCITqKDSlv5r/KqW/fyNhy8 -o63h3B0Z9YmUkMTjzr1aEK+lr5iC5BJNREaO7Z0E+lqdZU2jjS/MUwoX3QrQnuWa 
-yRHONho7AHzbnfdDi3ff+8/pCdO+25IByLn5iJqSNjOULbqr/lUMWBMih9+jtqWu -RqmQ1rYyeDedf4kNin97zqCCBBd+DB9QVUrifoFuJI1XWKbQ9hqIBqJ8LpXYhUfy -XYaPimMiipTKRzT8Is9XNvDGJMJCBzQiRzek+tIQyT+nZpYFpEo6cjxJnBUqhav+ -+Z7Igbkp6h8= +bmcwEAYHKgMEBQYHCQQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBABC0KwNn/rk0 +vY8YEbMkTErBHt1vM13Lg8bb0Qu/yA9Id4VqW7zzvaapUGNKvvx4t3H6ZBMMNNug +CPi2zW71HYKUEkhJZfpJtsrsRG9ezENjheW2uKDO977Cq78EBMrfWSQwfHP3iYyc +tBCHOb+v7oEZGohw3NgT4HoG3a66i9jpCenVUdWOgRvI6VbVc16C3FYrnDLdRx+h +9AyDOTe68s/tcBgn7DJyiUvXX+DFHcBfeddPfbVQ7luiT5ITPBfkzVkRePCyEySc +UONdq0bGTGEj/8YQLBvTMQ8JAxAHoRJJhKLHDJtsUR+RGTsp9IEqA7me/rvGKSla +jI9kdKxjF7I= -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h new file mode 100644 index 000000000000..67ba22d31c19 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert_info.h @@ -0,0 +1,8 @@ +// NOLINT(namespace-envoy) +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_256_HASH[] = + "11a37b30d2fa15b30decc49bae67dfcf2b30d2fafa63ee52ebaad4503631c733"; +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_1_HASH[] = "1e5a16317bc06aea66f0264ca4da234ba7db1758"; +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_SPKI[] = "w5R7NEmc1JYbaSAYDJYRZZKzuI/mNbN0hoODeP2iM98="; +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_SERIAL[] = "19fd0013bd35d883d38819fa081f9cdd256f6dc9"; +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_NOT_BEFORE[] = "Feb 3 11:16:38 2021 GMT"; +constexpr char TEST_KEYUSAGE_CRL_SIGN_CERT_NOT_AFTER[] = "Feb 3 11:16:38 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem index e92488feb507..43380d2e195b 100644 --- a/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA7Zy44YmX+9tUKYpJe+Q5cKtggFgC03mVxlVEmHe0wQn+EiZs -a6JKpVH0f4YAwVhEskxexHyPX2H1zeqrxHoRJAZzHeNjL/SMuK6LKo9yE5Y7Ih9P -Kb96s3jWzTmErU6l/03ZHBudJ1BhUo+7uEYp0JWlhtIPjOg5eNPNFiI4eOMf1kB+ -xM/JASA89lX8AnpUyqUqG/27/jmOYn5WqPr9krluGdKfj+J0EmwBRda/oXDWpxzx -ND2Xjal1NjPfpwiC+tK4hZWfQxFoz8gwYuCEbPrRijQIsGy2kzNyPGZE44QWSXMz -zQN3QQad2pgqefAzJyatFHCrFmgrT71H8LuAPwIDAQABAoIBABwC89Cy1dX9H0je -YpdWamcb7P50YbDojn2ZI8MNqaNwOCGPogx2T3J53OcDtycT7tVOJ4XmYUiPVdj2 -p1U8RrUGhZ+qZNEMdWJ4QTO9QWeJuGLnaf+z8RUjU79R3pBHy03zsXqczsQJt89x -3mF09A0A90iTjv2/irbx0SWg1yN4+OepPn05VWpPxS1BP6o4ibQUqUdFVWNZa4F/ -wz4xEoB89Zovv53U7gzjZVOAt1SAmK3zDVpc2q297TmMiXadpPQV3x+txFdQuzLH -xr+uPC42frxeVMCxCMt1VMsVAcgEgBVxwECWNYFjEdHl48IwMc8iaVckQ/HW6kPX -pCZdCKECgYEA/AUgBt90Tn7nx0XObnbJmj6zWimM8R6AG3TuS+ul6+pI+Z4/qUmo -wrb5FVMAd0MaJhxHoKHoJeQItEnNCkf4OvBx82etrvOxt3GdfKBKlK/+YTwGQnDp -BD0GptES04mIiUO8UwRbsQWXMK/4tco5np62WFHO0Ev9GCc3f8t5GAcCgYEA8V1Z -Qav5PuCukcEEPfkpRp7Rwkw3P55bDXBFVNSmGAjQNjerSh6T9MJzT+t6zYfCeKip -3WoI7yhhw+xG7JgE1L16T17SIqOiJPVcr2d/m7F/wP5J1euOx9ujV8PNe6fXGWIq -h1/vE9jwetouWEELVtuqkQOn6lxQ1BxVAe6/GAkCgYEAkA8F7afRvgUAzIH0rGQu -fYMV1pYlwLakmA1RIgjDwYUczcNNtKEsXJFm9G+LtqCe0+Yac5HZN7+P0i7Vi+jz -1g0XtgEv4O/gSHIjide+ihvIFyDOmzAbopaXtMeSMWVOrNgRUIsPNrNxZx1P1+qO -4ULsDLRGuf6V4DaanOxcfgUCgYBXfnxVlw6yIWaGxY5RHNo+lGH7af95G2FsXK91 -UeSnv8IidUmtg6okxrxgUz9f8/+mF5YEAmUctOnDyQnoyC6wI8OLtBa+ocysUxl3 -KDCU8uIZxtRjLJHElzT+IqeBVNVfiTtbeYZEDpcWIbM9IM8IfHa3PLkI9tACJAcY -vUAeaQKBgQDsDmF+eRXBR3rc5cPGkexrjqr/NhkRYpPaVviZVsT/eUPOsSzZ1hY2 -3Ri/VVqgeyeWjNyCq7vA4ZrqrYmm18RQckuO7r0Nb6Nb++TPPAJQUi0voZHfvrYU -iyyFvupApmYn4iYQ4bTA3tCGGLRCxLyHvZdblvfWZVEvropIR7Cu9A== +MIIEpAIBAAKCAQEA6e0liMSEiPQFXUiM+Z6qzajpxGrFZP19v2Ds1V2W5j/L5RIB +fUWT4Cwsq44/r3GHjfCq++uJe828/F7Ukg9pMksRidEs0TUD/lpPHeil6RGKRGZp +zCiXYv0LZPKPDHJZyXLTXnlTAO3jE/jAujCwHNZroRs803g/5RaZ5P3bhMdRgQDb +B15v86aP5uaaXYUzcy1mGq3bSa0tAkhbYngsbSqhpLvtiAN11cgnsh+TMs6TbcDG 
+JXD5jXnNdHZfbrynrd/sLnvT0FoRdxEo4uO1+LG0khx4v4lAZ66nGGMhYDBbBHA/ +9nSrwlZ6nmp3piQD6BKOn1xxqADdKl5Cs1OrrQIDAQABAoIBAF214MlvYGC00MlT +3RXKmEYXGr7Svwz797oJDBdVjLPkbrvvgKU8kEbHq4V2UNDpvBICjZyp+MOd4c1/ +98wjXFMHe5koMLoGcPkeGH+0yXIa0rcgB9X/lNXU5RGlkeS8knd/BmncVIIUylkf +16U/B+4lf6xkivN0QrR1X2U6xQvlQPtiX5W4ykaogABHSxWzJP32XPmE4ojjfLd5 +DEqeyoxha3it4e+zmFpRIELStN9EboxqFPdqM7MDYjEJz8egBE5utC8Kw3jqEMat +Z3fXzuoIa8+OaEn8ILQus+BKADU46hmNrG/lOKlw+zXadDrg12TPX/tTXW8kUlYX +chKc4wkCgYEA/DGnSTBt8VL1A6ZfdQvptkDC0p6fwqSBQ5BX2dIRaVP1fDWk16+O +BfzXA609nvuSWf0DFlNcIstaJK/fxtlbCRSR3rfdB5iGbL8LmZZATkTZrD/z5K95 +xpq/1G+S7nCkX7Q8fOYvQVVYETav0BCEw0p8Nd/HAIUv9YKumdcdt5MCgYEA7XTq +p09l+TOrxNay1gPLAhdBsPP0FJJQJmr1yxvKJr2+mKZJWt3OikDzOMT8Ps90GUsO +rwujqL3hl8Ici7zB5olcsULpbRJtQxXry+YV34rlh34JEKLnpXtD453GxlZ8XgvZ +wuRqOsvBqEVUy8RMhe2ndiZ2SkiS6e7Ftuugl78CgYEAq0iSBJx232Nnc34o8RcR +Oa5MY75GZW1TOe8sK42IM9BJN347oh3iyOBLrHyaEINuh93WnfAp8JvKcoZc5vIy +6TzmQa0A2qrWCb/LghnRPRd3+4xH+rbPb3sk9IR+96DbkwCX4IB58dakBLTuvdKq +SPUq3XBJ+Wl8BDQon+XBki8CgYATSzWpxITHm9AwHTXIt+Qt1k/rHddOOJk0lepE +x4xEW5R5+MDrFiyrBR3+FdtdCyQmzfdyd6KjmlITL518KSkkHzMd4A7xYtbn5YcU +OSy7ziBaQv5fkKz7wClC/FXjVbGjPplCAac0AcxJbOC38co585Zwvi1MWds+EL2V +4E1bJwKBgQDO7fqUhSjDYNrOWoLQdShv9Ru/7hkhnWM4/Itdy+a70QXg0/uUqh3M +iPu0CcKYR1qU78dUnNJow4Ph9cITBcO1X0VAbysnKl+F3g6Yp9ilxNVtDUteP7mI +AN2Pu8bbYVMeYxdIH8FpVZf7qiESGIkAMnDmZmfVA7UWmRjAABRbzA== -----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem index 08a9264001ab..a3a45d796ffc 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJjCCAw6gAwIBAgIUAYmAZ+6hbKuqZM2Il52MljE1a04wDQYJKoZIhvcNAQEL +MIIEJjCCAw6gAwIBAgIUGf0AE7012IPTiBn6CB+c3SVvbcowDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMDkyMDUxWhcNMjMw -MjAzMDkyMDUxWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTExNjM4WhcNMjMw +MjAzMTExNjM4WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeu3FnLHgZMwwYzKHBy8uOTqZZMBh/K/x -9qJ0P6SFuItgdiVZvZPrHJnOm/Mhm01iKEmvKFlGdlBkdscRd69m9mEZ/A/7EaE0 -TBc0/eow+s8sBxMw1tA7L3JX70jocP8dvLdla746Gn3D95ZXY0Tp5y+KOssgKE1O -SNrhtDsDl1laUikoJatPlr+DQTx/gDd4tCKErIXr9PNQNDYbJwwj7KcZ0/yC7duB -oqouzTtw/B4HHJX18g034f/JWXiMSYfRdFcx6147il2WCNJC9AEjxR2H+ewhTwnX -hmtUAXqTLgVyG4UMnaUEqY9P1wnNDmUKpS+YMcUFNtuwVgY+XyTbAgMBAAGjgacw +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQsNVpNSI479pPWEjYdbK6Ux7+Cs5F8p0A +Xsp66dnckitHpsODtLzx0IYoaglHJaSKO2Pp1hkBVNv3EjnHCfHMGPIxHf9ohlBK +rT+1CcJT3zz7osUkEmmywff9fo72QDeSlJK82Ho52+AcaN+8xKdHPmg/qrRG3uTO +t+YgHgwu3+yHYze2vVsqvVbJBpV2r6NmECKP4dLEDxQoSMMQjH64q7P5mmKNixPW +CaBNcepaxP0TeOJV8OxiYw4XyiRGKi1FaWFAyeb06imlsa/wdM7117PioVV0gIZI +XnCjD2YckmPAJvuU9eXjewgaaO/NPxf6CFmDs8VihYxDpghgZ/1ZAgMBAAGjgacw gaQwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMBMCgGA1UdEQQhMB+GHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv -cmtsb2FkMB0GA1UdDgQWBBRzJVlTF/N4v6Trb1h0Kqmidy87OzAfBgNVHSMEGDAW -gBT3DVXeH5ZJo0h4IOzuU8xl5RY4zzANBgkqhkiG9w0BAQsFAAOCAQEAbiImeWv1 -//xbp3pDatDC7Mi/z3TDs5NbWlzxTX4nGnySnpa2KDDtBcBieSXxsRpy3EITKedL -IS6kH8EXsfg9oEciBcUOITUx5x5iUVn6/YoEHSBrkQpBiqljUkuhDKYsd8yfV1uF -Wfo2zN4Pq4ro4O9CXhs8BCGb24Co7tN2nkh9lmrnOAPh1LymKyciUhmKFmVyk5Tr 
-MRe3WCgqFS8R/4iWJpiZ5ItSvLgQnkebdeIn1G6zjoWqEsUuAYggJFlkpyRJ7XCW -TtWuiTYN5ig82J0dDbInqBF2wfMrRPmRs4Sq+Nqp4xxvLtLdmb084+F4J0oTBrm6 -yNgT1lxr0OCfkw== +cmtsb2FkMB0GA1UdDgQWBBRAy5jyMoSnx92zBv4b/hjPFwuj+zAfBgNVHSMEGDAW +gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAaUaI2xAk +vZ4s6iVEkVbsbhAwc0810qABj7d1ARRko903IV9tQJtrSHJNXkAtkcXGtzASuy8q +NapoMyEV5ra94kRlzy+2R74BFpWkjEffHyxx5tlzxJ5ioh0iTYZwYJ2DARq3G2Dq +xFbJ9oobb4GduuKiQAEYNr1HNNJG0J5H5Fq9fEXbVsdtOUpLrrfjR2UciiU25zIp +BOiqGhVfZGuwjecfAixTWjKqx4WmVFawdNSoKlBNxC4OCxiWb3Xf+QhyK65TlfoK +Z3s2aFnyFMjcB24vnRVkghPfTqYGwslwOeer0efEX2wpTlKMslfVJiZILn6RkG45 +/xqHkWx0BJfxdA== -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h index 0028cf27c092..8867d8859810 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h 
@@ -1,8 +1,8 @@ // NOLINT(namespace-envoy) constexpr char TEST_SPIFFE_SAN_CERT_256_HASH[] = - "88773cb9c974569309d6046f95445897b88354cc5c75a65309f79d2585b69da5"; -constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "8cd2497f8391b55350788dc38b457ca4e0bb88e5"; -constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "N33Itj55FatWYheYQmwh25oa2ebUlYBz2KaCw7pYRGA="; -constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "01898067eea16cabaa64cd88979d8c9631356b4e"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 09:20:51 2021 GMT"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 09:20:51 2023 GMT"; + "6f9b044e82a9783325de306fb7dc33e45a5e225d3f91106e294f7c28c7fde89e"; +constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "c7891225170cb8270ecbe357be7d82b1637362ca"; +constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "3HHRKyemZkfmwJlJg58DmchURq3j7+w9zbd+h6SwK1c="; +constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "19fd0013bd35d883d38819fa081f9cdd256f6dca"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 11:16:38 2021 GMT"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 11:16:38 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem index 79fbbc95f7c8..db5fa2ffc9ce 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAy3rtxZyx4GTMMGMyhwcvLjk6mWTAYfyv8faidD+khbiLYHYl -Wb2T6xyZzpvzIZtNYihJryhZRnZQZHbHEXevZvZhGfwP+xGhNEwXNP3qMPrPLAcT -MNbQOy9yV+9I6HD/Hby3ZWu+Ohp9w/eWV2NE6ecvijrLIChNTkja4bQ7A5dZWlIp -KCWrT5a/g0E8f4A3eLQihKyF6/TzUDQ2GycMI+ynGdP8gu3bgaKqLs07cPweBxyV -9fINN+H/yVl4jEmH0XRXMeteO4pdlgjSQvQBI8Udh/nsIU8J14ZrVAF6ky4FchuF -DJ2lBKmPT9cJzQ5lCqUvmDHFBTbbsFYGPl8k2wIDAQABAoIBAQC2pzF6+u6dPD4i -jVkU5nkOqCaW/V7IVrhlnfw0F9EKjB7oxwU+KjP2j+TtFwZHu43aN8n05mZFHv2J -QSnu3x3fcfi2B5Mcz7WCKW+HjQpFT07a+brbU2j2R9//WXd717raKcYCz5WhuJf+ -amhVJ3H7+R+umJov0p2aUUHR6yQyUncMxIG6JWq7TdBXEYn9ZKkKWu41mGjr2AZn -kXrL8qr/Tu5S2j4a/LJ/QmE5JdesJ6W1i2QnonfUgg6BQFetgkw4aRaQqxkXlORS -jZO6OSoRle+wRkSER7JwHrr3Qnyg3eaZ2JhX+qCz+0SiDtvjCS1LGcjPSqdkdkYB -ypXrPhipAoGBAOS5JOoVnozrHz+eMx6oz8GWGfFC2RHuwQL7X9hNIt7yoKvUZIOU -jiKb2aQdBVbeaTfCySnpUj6NaGPEl2EtwUvBYBhCAjZS3rBtnAc6ghZRZlCYSdd8 -XFpuALOsUIOJGfpDYj9JcmdNSqH9IhDdrI1FyJlfNaFPvRCWMF/bK6qNAoGBAOO/ -HztqCI2YJfg63ETOtcJDqRFsRM0asr9fkvtsCcKGv9gnoP+B8RSx1z4cgdmxjkh0 -mQFg6FeN3SFgUP9759GPDHBu6d3CUw1ep617b7WxuGPV7BXwT/Vh3f04PZd1mpoH -cgOp2xYJKdxriPTNMQIAAP0AqiBYN9oCquoaeicHAoGAWINVx8kKDJrJAwOj4M+P -ZulBrN4jxw7QXukM1FY1knXuu9B7/Xe18arCdQJOGKoFqfCVjMSgcVij90gTFSZx -0XFKUNjqpj83sqsYYKvBwAVMRRBKMzwLOWuslduvZNff17vP/5Ha1iNRKJMfZcuD -hUBmOwRfasfC8PJOUiotIdkCgYA6TEoqY1IdLL1LdYW890z/lWJJ23UhK5xl8Ikn -Yth8uxGQu1QzE4gqy/tVIub6WsEZOv+PosbW4rGgQY96VrVYp01/2mRzJ7Mq0PgL -KHXIBN42cCQm2YUeQxcYIrVhd/FDTHSbC3fRhDb6/Wvpfjz1ThryqKDj9rEVVWl6 -05xBMQKBgDm6S91itOi8w6xm9hXB5mfcPOGdPMsHvKqpjfCmQ19LpAgIazuZ/36H -t2t4Zyhz5HASrr0Gjk/t+Kj4eybjBlOZGc5Z1Vf1+E2TSkpTlFvdxiDUoFBMs8/h -ec0p5xEUrumGgaxxpK5quN0uJ9zBfGBdPsibY3VpqoX5diOmLnPW +MIIEowIBAAKCAQEA0LDVaTUiOO/aT1hI2HWyulMe/grORfKdAF7KeunZ3JIrR6bD +g7S88dCGKGoJRyWkijtj6dYZAVTb9xI5xwnxzBjyMR3/aIZQSq0/tQnCU988+6LF +JBJpssH3/X6O9kA3kpSSvNh6OdvgHGjfvMSnRz5oP6q0Rt7kzrfmIB4MLt/sh2M3 +tr1bKr1WyQaVdq+jZhAij+HSxA8UKEjDEIx+uKuz+ZpijYsT1gmgTXHqWsT9E3ji 
+VfDsYmMOF8okRiotRWlhQMnm9OoppbGv8HTO9dez4qFVdICGSF5wow9mHJJjwCb7 +lPXl43sIGmjvzT8X+ghZg7PFYoWMQ6YIYGf9WQIDAQABAoIBAQCXHKS7lLTeI5eh +wpyk2Lz9PDkB3RM2BRJ4dSsKy5Bsrg7WyENkeBgkxUiPtRBYy0IUsiKL7PKYSzkn +87OQk3vZvOqKdF0/85nqKP8reRCUqN5Am8FCeG6++MM4dE7SsvdKlXiXc+01PihO +igYQaxlxdhgImfQGKVnm8bSZ5wgNW9rqXbRtkGcXPEW2C28xcPNOVEZf9CcR0lu9 +GrdGHGzqtFoYCrgihpIw+MnLsw4zXuaYlz/mxh6/c/Bnm2vo3T2zsTTbBmnBboG5 +ltykgnBeDs/dCqHesuqz/k4FatM2YfZ8NKRUmmR3283A/l6lrUsyGR3cusM02YEI +7XwPg/rNAoGBAOlOkL16W59ZiLPhTS2FjvjBYNwGKlmjOLVXgcBNR1UXIAseNUCR +eFPvBnto5DYgCSDLSwsSmPOGplk/Vs5Iu5t+G/HDJg+GE/nwHUDCcj1m6kXfimwe +me30l8RuQNL5T50anrZtemGUDWqx5gBF6bidoTtP1yXtO+5jPXJStxHnAoGBAOT9 +UQp67tHxPfmDda+/+KwoXQPe1cIbOYZz04TPmpMuRyvJbp2P/oxluczz+jo3wsgr +FN3fDYTE6hH8RuMa+Mq1OyqfTP7MTqWGyLZDHPsrubkbAEKU7qcBo1lPJ6hTmGpr +fcT2Hj58n18IIZN9y9JzyWFrgOpQxI30cPQFkQ6/AoGARaZjxX06zxaenfzb2oQt +y4uHjAf3Kq10p4aJQMyRSBDQSyFoim8jOgN4ru0AfDwSHY0zSQnzSXhgPvKOyqSi +BWiflQxKV4YSfqI1SXkDO9t2gweaPm7gS06i5Ex548H0B5XD3fhO+cSGQNz9KgW1 +IZ1FXfyW4Uayhpdv56pT5u8CgYBmhNbshz82tPfXJrjgt2TAxs1l9zTiU0f83wxa +0ItWy4hHnUYtupLvDngRv0VPHTnSXh9Yeg1WXMaiyLx/3sp2Do9vtKRHCvdG+kIP +/5oRBXF/4wvJw13ZXU1hpaOOo+Z/9qH3NW0y8p5zcHN/0fkXvojxWaz8uq5VE5Qi +W/+mhwKBgBs8BZP06ID+Gbvui1slZHTYF5tZtnSw0julGev7c1HL/IJ0m6xA/6Ee +TXnJBy76F8wDZNGg+5+E8RfnYasrudRr+n7fAdbGdxY93qWT7szHrAwkQmGx8lGH +2i3j5gwG3uTqLuY90DJ0bTFpleltpg5t2SWW6YngI5Hz87k7D2lo -----END RSA PRIVATE KEY----- From 4c83dc01c2bd62e8b24b8d57a32a2c480e6f0749 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Feb 2021 23:55:10 +0900 Subject: [PATCH 18/38] fix compiletime_option build & add tests for coverage 
Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 17 ++----- .../cert_validator/spiffe_validator_test.cc | 40 +++++++++++++-- .../transport_sockets/tls/test_data/certs.sh | 3 ++ .../tls/test_data/non_spiffe_san_cert.cfg | 36 +++++++++++++ .../tls/test_data/non_spiffe_san_cert.pem | 24 +++++++++ .../tls/test_data/non_spiffe_san_cert_info.h | 8 +++ .../tls/test_data/non_spiffe_san_key.pem | 27 ++++++++++ .../tls/test_data/spiffe_san_cert.pem | 34 ++++++------- .../tls/test_data/spiffe_san_cert_info.h | 12 ++--- .../tls/test_data/spiffe_san_key.pem | 50 +++++++++---------- 10 files changed, 186 insertions(+), 65 deletions(-) create mode 100644 test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h create mode 100644 test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index e91aee4d16fd..c3731f9cc536 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc @@ -62,7 +62,7 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* RELEASE_ASSERT(bio != nullptr, ""); bssl::UniquePtr list( PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr)); - if (list == nullptr) { + if (list == nullptr || sk_X509_INFO_num(list.get()) == 0) { throw EnvoyException(absl::StrCat("Failed to load trusted CA certificate for ", it.first)); } 
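Review bot: A non-empty `X509_INFO` stack does not guarantee a usable trust bundle: `PEM_X509_INFO_read_bio` also returns one entry per PEM private key or CRL block, each with a null `x509`, so a bundle that contains only a key (or only a CRL) passes the new `sk_X509_INFO_num(list.get()) == 0` check yet yields an empty `X509_STORE` for that trust domain. That presumably fails closed for peers from that domain, but the operator gets no config-time signal. Count the `X509` entries actually added to the store in the loop that follows (outside this hunk) and throw the same `Failed to load trusted CA certificate for` exception when that count is zero, e.g. `if (added == 0) { throw EnvoyException(absl::StrCat("Failed to load trusted CA certificate for ", it.first)); }`. The store creation and loop body are outside the hunk, so the variable names may differ.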
@@ -79,11 +79,8 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* // cert information on getCaCertInformation method. // So temporarily we return the first CA's info here. ca_loaded = true; - auto name = it.second.filename(); - if (name.empty()) { - name = ""; - } - ca_file_name_ = absl::StrCat(it.first, ": ", name); + ca_file_name_ = absl::StrCat( + it.first, ": ", it.second.filename().empty() ? "" : it.second.filename()); } } @@ -175,7 +172,7 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { bssl::UniquePtr san_names(static_cast( X509_get_ext_d2i(leaf_cert, NID_subject_alt_name, nullptr, nullptr))); - if (san_names == nullptr) { + if (!san_names) { return nullptr; } @@ -192,11 +189,7 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { } auto target_store = trust_bundle_stores_.find(trust_domain); - if (target_store == trust_bundle_stores_.end()) { - return nullptr; - } - - return target_store->second.get(); + return target_store != trust_bundle_stores_.end() ? target_store->second.get() : nullptr; } bool SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc index e96adef85191..4540a1376244 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc @@ -48,6 +48,10 @@ class TestSPIFFEValidator : public testing::Test { std::make_unique(config_.get(), stats_, config_->api().timeSource()); }; + void initializeWithNullptr() { + validator_ = std::make_unique(nullptr, stats_, time_system_); + } + void initialize() { validator_ = std::make_unique(stats_, time_system_); } SPIFFEValidator& validator() { return *validator_; } 
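Review bot: The rewritten `ca_file_name_` assignment is a no-op conditional as rendered here: `it.second.filename().empty() ? "" : it.second.filename()` yields the same string in both arms, so it reads like a placeholder that was never filled in (if an angle-bracketed literal was stripped by the page rendering, disregard this). If the aim is to let inline trust bundles be told apart from file-backed ones in admin/stats output, give the empty arm a visible literal such as `"<inline>"`; otherwise collapse it to `ca_file_name_ = absl::StrCat(it.first, ": ", it.second.filename());`. The comment above also states that only the first CA's info is exposed via getCaCertInformation; a `// TODO(...)` with a tracking reference would keep a multi-trust-domain deployment from reporting a single bundle indefinitely.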
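Review bot: `getTrustBundleStore` resolves the peer's trust domain with an exact `trust_bundle_stores_.find(trust_domain)`, so the match is byte- and case-sensitive: a bundle configured under `Example.com` never matches a SAN `spiffe://example.com/...` and vice versa, which fails closed but as a silent misconfiguration that surfaces only as handshake failures. The SPIFFE ID specification restricts trust domain names to lowercase characters, so validating the `trust_bundles` keys at construction (reject keys that are not lowercase or that contain `/`, `:` or whitespace) would report this at config load. How `trust_domain` is parsed out of the SAN is above this hunk, so the same question applies there; do not normalize the peer-supplied value to make it match, reject instead.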
@@ -61,6 +65,23 @@ class TestSPIFFEValidator : public testing::Test { Event::TestRealTimeSystem time_system_; }; +TEST_F(TestSPIFFEValidator, NullConfigException) { + EXPECT_THROW_WITH_MESSAGE(initializeWithNullptr(), EnvoyException, + "SPIFFE cert validator connot be initialized from null configuration"); +} + +TEST_F(TestSPIFFEValidator, InvalidCA) { + EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_bundles: + hello.com: + inline_string: "invalid" + )EOF")), + EnvoyException, "Failed to load trusted CA certificate for hello.com"); +} + TEST_F(TestSPIFFEValidator, Constructor) { EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe @@ -70,17 +91,18 @@ name: envoy.tls.cert_validator.spiffe )EOF")), EnvoyException, "SPIFFE cert validator requires at least one trusted CA"); + initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig trust_bundles: hello.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" )EOF")); EXPECT_EQ(1, validator().trustBundleStores().size()); - EXPECT_NE(validator().getCaFileName().find("test_data/ca_cert.pem"), std::string::npos); + EXPECT_NE(validator().getCaFileName().find("test_data/ca_cert_with_crl.pem"), std::string::npos); EXPECT_NE(validator().getCaFileName().find("hello.com"), std::string::npos); initialize(TestEnvironment::substitute(R"EOF( 
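Review bot: The asserted exception text `SPIFFE cert validator connot be initialized from null configuration` carries a typo (`connot` should be `cannot`), and because `EXPECT_THROW_WITH_MESSAGE` pins the exact string, the typo is now locked into both the validator (the `throw` lives in spiffe_validator.cc, outside this hunk) and the test; fix both in the same change. The new `InvalidCA` case only covers input that is not PEM at all; a PEM that parses but holds no certificate (a bare private key or CRL block) is the likelier operator mistake and deserves a second case asserting the same `Failed to load trusted CA certificate for hello.com` message.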
@@ -145,15 +167,20 @@ TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) { "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); + // non spiffe san + cert = readCertFromFile(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem")); + EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); + // spiffe san cert = readCertFromFile(TestEnvironment::substitute( - "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); // trust bundle not provided EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); // trust bundle provided - validator().trustBundleStores().emplace("lyft.com", X509StorePtr(X509_STORE_new())); + validator().trustBundleStores().emplace("example.com", X509StorePtr(X509_STORE_new())); EXPECT_TRUE(validator().getTrustBundleStore(cert.get())); } @@ -254,6 +281,9 @@ name: envoy.tls.cert_validator.spiffe } TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) { + initialize(); + EXPECT_EQ(0, validator().daysUntilFirstCertExpires()); + Event::SimulatedTimeSystem time_system; time_system.setSystemTime(std::chrono::milliseconds(0)); @@ -291,7 +321,7 @@ name: envoy.tls.cert_validator.spiffe bool foundTestCA = false; SSLContextPtr ctx = SSL_CTX_new(TLS_method()); validator().addClientValidationContext(ctx.get(), false); - for (const X509_NAME* name : SSL_CTX_get_client_CA_list(ctx.get())) { + for (X509_NAME* name : SSL_CTX_get_client_CA_list(ctx.get())) { const int cn_index = X509_NAME_get_index_by_NID(name, NID_commonName, -1); EXPECT_TRUE(cn_index >= 0); X509_NAME_ENTRY* cn_entry = X509_NAME_get_entry(name, cn_index); 
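Review bot: TestGetTrustBundleStore never checks that a bundle registered for a different trust domain is not returned for the `spiffe://example.com/workload` leaf; the only negative case runs with an empty map, so a future fallback (a default or wildcard bundle) would go unnoticed. Insert `validator().trustBundleStores().emplace("lyft.com", X509StorePtr(X509_STORE_new()));` followed by `EXPECT_FALSE(validator().getTrustBundleStore(cert.get()));` before the `example.com` emplace so the lookup is shown to be exact.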
diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index b06d46eb8c8b..da9ce8f7d9cc 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -269,3 +269,6 @@ generate_x509_cert keyusage_crl_sign ca generate_rsa_key spiffe_san generate_x509_cert spiffe_san ca + +generate_rsa_key non_spiffe_san +generate_x509_cert non_spiffe_san ca \ No newline at end of file diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg new file mode 100644 index 000000000000..d9284904cd41 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.cfg @@ -0,0 +1,36 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +countryName_default = US +stateOrProvinceName = California +stateOrProvinceName_default = California +localityName = San Francisco +localityName_default = San Francisco +organizationName = Lyft +organizationName_default = Lyft +organizationalUnitName = Lyft Engineering +organizationalUnitName_default = Lyft Engineering +commonName = Test Server +commonName_default = Test Server +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash + +[v3_ca] +basicConstraints = critical, CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = clientAuth, serverAuth +subjectAltName = @alt_names +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always + +[alt_names] +URI.1 = test.com 
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem new file mode 100644 index 000000000000..4e93ff690c44 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEETCCAvmgAwIBAgIUasNGF+BDin79dyPNS4BoEOLI5VEwDQYJKoZIhvcNAQEL +BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTQ1MTIzWhcNMjMw +MjAzMTQ1MTIzWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ +THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5efz3MfhC5kYFKCmVDKDAQolqKIxsuNEj +P59VdfUgr+u0pArp8lLix2gfMerYN1YkQudW7UYjz3qtSN5miQPCinNhBiqwLear +ZwNJ4MuRIFlYyx96cN+vIsxdhf8EU0l9HV44u3afV1D7OIJWPO6M8W1idyr7lF2r +8IpGeuVjB099PcVbahXRw+9jhXUyYJSpiuOAPA8ONigpMO26itkjU6ByKXf51+Ln +E8hMKLjUL6Wgn12Sab1y/C6nfnVnJ2EdB1H/mVYuuAp9SRYIosOmLCa7logWOcUY +iT4DJBC5XnV5R1U8eozHKkn6CzEr2ZJfqukMj0zJs7YboAC0xw8HAgMBAAGjgZIw +gY8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMBMGA1UdEQQMMAqGCHRlc3QuY29tMB0GA1UdDgQWBBS7M5f/ +9VlsFlRvdGM2KBw21tKOFjAfBgNVHSMEGDAWgBTTwQsj48Oo8jK+X1TBP3g4E1UD +2TANBgkqhkiG9w0BAQsFAAOCAQEAeGAL4on8MvnywhQa8lrjtZ+a6efWBnqHVSY6 +uHX9+WmCv7alwjksD9S5kwwOg1dGYG0lR6280gYnnjiCVRH+H8UukdJFWQ9Zb1Sg +cBITUVvOsWj9Ri7IV1Gi0I9QNcNUmpfy5ikTnbdIKbHrVJxWDa2l7f5whz0KXHgT +oNbdkxmlaJ3dFad4nZg+Fo/AbF7/BO97hfYLacH+gvEWhADMwuNuVfvQmt6+LP9I +YfyCBbdDoI7jOYniAr0eYoy0T+6GPeRGeCfPCT7jlRI+6nCBfQoF+MQtaK27l85C +VnLj4pVPdZFaiFfW8D7V3+QtX8ncAr/sbsvK2Ea6XE55pDbXuA== +-----END CERTIFICATE----- 
diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h new file mode 100644 index 000000000000..db4f8d2ac30e --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert_info.h @@ -0,0 +1,8 @@ +// NOLINT(namespace-envoy) +constexpr char TEST_NON_SPIFFE_SAN_CERT_256_HASH[] = + "f47a053ad90243ec948df601d156911b0aaf75c9474c989fddd4f6bca44cf692"; +constexpr char TEST_NON_SPIFFE_SAN_CERT_1_HASH[] = "846c80075e0bf5261709e34d9e429a55fb6fd2c3"; +constexpr char TEST_NON_SPIFFE_SAN_CERT_SPKI[] = "Xv64COw0ddwG6Ht4kW+hqYcW8m+xnd4GlPeN8TphvcU="; +constexpr char TEST_NON_SPIFFE_SAN_CERT_SERIAL[] = "6ac34617e0438a7efd7723cd4b806810e2c8e551"; +constexpr char TEST_NON_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 14:51:23 2021 GMT"; +constexpr char TEST_NON_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 14:51:23 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem new file mode 100644 index 000000000000..83e920bfc122 --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAuXn89zH4QuZGBSgplQygwEKJaiiMbLjRIz+fVXX1IK/rtKQK +6fJS4sdoHzHq2DdWJELnVu1GI896rUjeZokDwopzYQYqsC3mq2cDSeDLkSBZWMsf +enDfryLMXYX/BFNJfR1eOLt2n1dQ+ziCVjzujPFtYncq+5Rdq/CKRnrlYwdPfT3F +W2oV0cPvY4V1MmCUqYrjgDwPDjYoKTDtuorZI1Ogcil3+dfi5xPITCi41C+loJ9d +kmm9cvwup351ZydhHQdR/5lWLrgKfUkWCKLDpiwmu5aIFjnFGIk+AyQQuV51eUdV +PHqMxypJ+gsxK9mSX6rpDI9MybO2G6AAtMcPBwIDAQABAoIBAQCBL41ZY62mcxtM +Fjg4P45ruyxZC5sbUvMgGP1SmhE9TirfK+8KGaVPnVJRgAQxywEtyoe1TRiwcp/g +uENnqYE77BEHADOVeLMUqXBp8a/4Ck8RAJGRR7MVGii770u7aINkKKNq4m9x9nBK +OobVqCUDeFkW3yfKCQHhc23sP0csXEgIj3LCRTDPOhX7AF+a4ECfz8eDcjLP8TKM +wqfTXu9TwiZMibGmJgrM2CIeW9vR0xKrEuhFGoL7I1wX0F+Be7kkbqY0NLJxREwY +QjeABNb3vfF92EyJ7QrYrxLDYdIVnrRyMqcoT3KGR85Bc/aQwkDej107apHyhofm +PIFDcIkxAoGBAOfZtCIxzi4Zw7Xu3XiUKQEifYnm4GV8vlhFOuzF7CEweOOXJ9Ko +7yxVn+aNdv0UqYOmsMd0GTXyUhvJSPLxEUCJC3N7eOuzWNLhiNtOMfvCY2iLhI4a +mHI2UavmWgNx7ZA7Q/vK5MDkEHlCAw8AMZ47hOLNPqqL+IjkODjdvm+ZAoGBAMzL +uUQ3Y4ZhKcqqBEommATE4YIpjEMWepua3g8N9wzdbaD5FtJM/ZfNSwl/wjFPZhK7 +c+pFLOZLl245uj52RS1QQ+6EbKai4jC8NEEb8Zo9rerWFkJRIs705Jxmq0yYAqdV +UJhycJeaVmX1bJJU4iQzCvF8nrLYvZpFLr9a4RefAoGAf1UgSjtiSg1aYBv8xFFS +p83ido83JGW7QE1dTFZzFdNCQXRtqZOgL5AjDoMZG2tyodw1cIVBp1AbailFCC// +Upsxj837Hi/Uk5TMDe3HI8ahw/QD6+uNWASfHDKZsxSp7TGvZ6UJtypKJd5sQZvQ +pF953vnr9cyDxeLZQdn+0dkCgYEAvhyogaEBbO+pwg8OKF+nY1X5GcHECUtGykh7 +t3H5UyIC8RoKi3MZPuA+tjS5atkQIneNZX6N7cNicdp5AB7+nNAUH8kiq5Ytb5xm +zcJJCCwV1RikVS/IpmJEDsRoZJQAcqIKTVp/Ft0ZM1EfVsAhpgUUNZTAJbp6WEm8 +2bpdlnUCgYEApAqC2nnimtbbN4XSyeLqiU9V2BCJoIbbtpM8Vy0gJUGFDUHgJKFz +ag01gHoh9wTSbsEyGi4qpeDLA5m9oRVlpcX6qOt7XCaGyl4mJbTzls8BFc+yh4Ty +2dAoFYZxlVpslZ/khFeVlmYGjU1Nr1gMSluWVrjou02jte2CX/x8ez4= +-----END RSA PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem index a3a45d796ffc..c7cab7053bd0 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem 
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem 
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJjCCAw6gAwIBAgIUGf0AE7012IPTiBn6CB+c3SVvbcowDQYJKoZIhvcNAQEL +MIIEJjCCAw6gAwIBAgIUasNGF+BDin79dyPNS4BoEOLI5VAwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTExNjM4WhcNMjMw -MjAzMTExNjM4WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTQ1MTIzWhcNMjMw +MjAzMTQ1MTIzWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQsNVpNSI479pPWEjYdbK6Ux7+Cs5F8p0A -Xsp66dnckitHpsODtLzx0IYoaglHJaSKO2Pp1hkBVNv3EjnHCfHMGPIxHf9ohlBK -rT+1CcJT3zz7osUkEmmywff9fo72QDeSlJK82Ho52+AcaN+8xKdHPmg/qrRG3uTO -t+YgHgwu3+yHYze2vVsqvVbJBpV2r6NmECKP4dLEDxQoSMMQjH64q7P5mmKNixPW -CaBNcepaxP0TeOJV8OxiYw4XyiRGKi1FaWFAyeb06imlsa/wdM7117PioVV0gIZI -XnCjD2YckmPAJvuU9eXjewgaaO/NPxf6CFmDs8VihYxDpghgZ/1ZAgMBAAGjgacw +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6NPgoLJ6OMopMwPh61ptBofbr58Rl4sQI +0sMtZY97iLXsmIZuzTEabEzyINpbOMOFh+1Fl+O+PPnLJi2eiT7OSOBNfxu7rUb3 +i0/r93dVsGGP8exlnnAXxPKdBtkXuklz6hHJZEEFWaEFBfaLPElsqcgwUFW5B9S0 +/fvl4LXpALe3asA/6SJmxr5WVEcqDod6xOpKP6vkHq+ccz8WT4feJgykANz3mXZF +BmtueoOhkXO3llg9kNI2TyEW9GTawMqTJdxrFTFigRdCp40lZadHYUgcfAGfKu7u +G5Wh7+KqNhLlhl9fWc+JgTg4/YkF4AVTKpxEuP75Mbu2vN2NmP/rAgMBAAGjgacw gaQwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMBMCgGA1UdEQQhMB+GHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv -cmtsb2FkMB0GA1UdDgQWBBRAy5jyMoSnx92zBv4b/hjPFwuj+zAfBgNVHSMEGDAW -gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAaUaI2xAk -vZ4s6iVEkVbsbhAwc0810qABj7d1ARRko903IV9tQJtrSHJNXkAtkcXGtzASuy8q -NapoMyEV5ra94kRlzy+2R74BFpWkjEffHyxx5tlzxJ5ioh0iTYZwYJ2DARq3G2Dq -xFbJ9oobb4GduuKiQAEYNr1HNNJG0J5H5Fq9fEXbVsdtOUpLrrfjR2UciiU25zIp 
-BOiqGhVfZGuwjecfAixTWjKqx4WmVFawdNSoKlBNxC4OCxiWb3Xf+QhyK65TlfoK -Z3s2aFnyFMjcB24vnRVkghPfTqYGwslwOeer0efEX2wpTlKMslfVJiZILn6RkG45 -/xqHkWx0BJfxdA== +cmtsb2FkMB0GA1UdDgQWBBQp3EwAA0kQssBzjmeht4teGloHLzAfBgNVHSMEGDAW +gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAiisHG4ub +RIMbnfZi8wizikx93LDGyrPVXVdd/ws3KSpYvx4H2ODB1GhxOVV+XHO+khoQOC1S +6FzuNivQ/yeasrHqFj/9BBGZq885huqNtA3HmjOO5m8ykg42nhoosAbp3NjISHb3 +0xLwkZO80DIxfBXF5QQi92n5wlDxc8B7Yai7/Rp3R69PHENxR8uqqTh/r18ZnfAd +fAW4EMlsruJ+H2n1lOQjfipF/+9RNdYwYDdilfBhvRwCBhdjBFOSxW0Sc/bo/4O2 +vW56BZMrY555/EiEyBYreRWj1uhmGijU4WLgXtikvsoWg+yQQ48B71nvXLcJ6N9F +XAsVoksRXsa/MQ== -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h index 8867d8859810..b49101b8026d 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h 
@@ -1,8 +1,8 @@ // NOLINT(namespace-envoy) constexpr char TEST_SPIFFE_SAN_CERT_256_HASH[] = - "6f9b044e82a9783325de306fb7dc33e45a5e225d3f91106e294f7c28c7fde89e"; -constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "c7891225170cb8270ecbe357be7d82b1637362ca"; -constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "3HHRKyemZkfmwJlJg58DmchURq3j7+w9zbd+h6SwK1c="; -constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "19fd0013bd35d883d38819fa081f9cdd256f6dca"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 11:16:38 2021 GMT"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 11:16:38 2023 GMT"; + "7e107378ec276f4bdd58b6310ef0af6397b72b67a26583b46eadabe4d361f645"; +constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "adbbe8488082c50ca1c73448addb4dde94d88ce9"; +constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "4eIY7EzJdIddfSSYIEDODf2G8hDGbOP95lC74b9ybkM="; +constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "6ac34617e0438a7efd7723cd4b806810e2c8e550"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 14:51:23 2021 GMT"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 14:51:23 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem index db5fa2ffc9ce..4f7d1d6cc643 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem 
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0LDVaTUiOO/aT1hI2HWyulMe/grORfKdAF7KeunZ3JIrR6bD
-g7S88dCGKGoJRyWkijtj6dYZAVTb9xI5xwnxzBjyMR3/aIZQSq0/tQnCU988+6LF
-JBJpssH3/X6O9kA3kpSSvNh6OdvgHGjfvMSnRz5oP6q0Rt7kzrfmIB4MLt/sh2M3
-tr1bKr1WyQaVdq+jZhAij+HSxA8UKEjDEIx+uKuz+ZpijYsT1gmgTXHqWsT9E3ji
-VfDsYmMOF8okRiotRWlhQMnm9OoppbGv8HTO9dez4qFVdICGSF5wow9mHJJjwCb7
-lPXl43sIGmjvzT8X+ghZg7PFYoWMQ6YIYGf9WQIDAQABAoIBAQCXHKS7lLTeI5eh
-wpyk2Lz9PDkB3RM2BRJ4dSsKy5Bsrg7WyENkeBgkxUiPtRBYy0IUsiKL7PKYSzkn
-87OQk3vZvOqKdF0/85nqKP8reRCUqN5Am8FCeG6++MM4dE7SsvdKlXiXc+01PihO
-igYQaxlxdhgImfQGKVnm8bSZ5wgNW9rqXbRtkGcXPEW2C28xcPNOVEZf9CcR0lu9
-GrdGHGzqtFoYCrgihpIw+MnLsw4zXuaYlz/mxh6/c/Bnm2vo3T2zsTTbBmnBboG5
-ltykgnBeDs/dCqHesuqz/k4FatM2YfZ8NKRUmmR3283A/l6lrUsyGR3cusM02YEI
-7XwPg/rNAoGBAOlOkL16W59ZiLPhTS2FjvjBYNwGKlmjOLVXgcBNR1UXIAseNUCR
-eFPvBnto5DYgCSDLSwsSmPOGplk/Vs5Iu5t+G/HDJg+GE/nwHUDCcj1m6kXfimwe
-me30l8RuQNL5T50anrZtemGUDWqx5gBF6bidoTtP1yXtO+5jPXJStxHnAoGBAOT9
-UQp67tHxPfmDda+/+KwoXQPe1cIbOYZz04TPmpMuRyvJbp2P/oxluczz+jo3wsgr
-FN3fDYTE6hH8RuMa+Mq1OyqfTP7MTqWGyLZDHPsrubkbAEKU7qcBo1lPJ6hTmGpr
-fcT2Hj58n18IIZN9y9JzyWFrgOpQxI30cPQFkQ6/AoGARaZjxX06zxaenfzb2oQt
-y4uHjAf3Kq10p4aJQMyRSBDQSyFoim8jOgN4ru0AfDwSHY0zSQnzSXhgPvKOyqSi
-BWiflQxKV4YSfqI1SXkDO9t2gweaPm7gS06i5Ex548H0B5XD3fhO+cSGQNz9KgW1
-IZ1FXfyW4Uayhpdv56pT5u8CgYBmhNbshz82tPfXJrjgt2TAxs1l9zTiU0f83wxa
-0ItWy4hHnUYtupLvDngRv0VPHTnSXh9Yeg1WXMaiyLx/3sp2Do9vtKRHCvdG+kIP
-/5oRBXF/4wvJw13ZXU1hpaOOo+Z/9qH3NW0y8p5zcHN/0fkXvojxWaz8uq5VE5Qi
-W/+mhwKBgBs8BZP06ID+Gbvui1slZHTYF5tZtnSw0julGev7c1HL/IJ0m6xA/6Ee
-TXnJBy76F8wDZNGg+5+E8RfnYasrudRr+n7fAdbGdxY93qWT7szHrAwkQmGx8lGH
-2i3j5gwG3uTqLuY90DJ0bTFpleltpg5t2SWW6YngI5Hz87k7D2lo
+MIIEowIBAAKCAQEAujT4KCyejjKKTMD4etabQaH26+fEZeLECNLDLWWPe4i17JiG
+bs0xGmxM8iDaWzjDhYftRZfjvjz5yyYtnok+zkjgTX8bu61G94tP6/d3VbBhj/Hs
+ZZ5wF8TynQbZF7pJc+oRyWRBBVmhBQX2izxJbKnIMFBVuQfUtP375eC16QC3t2rA
+P+kiZsa+VlRHKg6HesTqSj+r5B6vnHM/Fk+H3iYMpADc95l2RQZrbnqDoZFzt5ZY
+PZDSNk8hFvRk2sDKkyXcaxUxYoEXQqeNJWWnR2FIHHwBnyru7huVoe/iqjYS5YZf
+X1nPiYE4OP2JBeAFUyqcRLj++TG7trzdjZj/6wIDAQABAoIBADWSXb75L1jL05xH
+fHWi3qIgXfD7Cjch6bJ8KKkb6g7pgyWhsDOal0D53Z1ftFLAXwhA1hPKojwuQNOg
+lUliRQ6GSvog0rLJJHy9uO2zkcK2bytBt/h4f9lm0UI6ISVBdDaEJj/htw85/Sh7
+0bW3T4ySwESeKDuGtDyqQdmeL9fr3aIDbv64hVZvuhBxV6qGOD5G3dsHqP4e5v3F
+C37BiDNuwAjDgAzSa3l/TfjC4t6tWCF4xkmg+xRgihe2GKF9wGuLiLMVMzn7eYRM
+Wfhw3J14x4IuYPlbC88PYVM2gjGK4CrRftGMJOfFbpMxlr7r8HQYQTV0ZJ8Xbxky
+kD9klJECgYEA8hqDpPvSR6UvYJqh41v1ttYH4Wtj43gM67JWyllYOEvUuW4xomzd
+i605ocbEFTNh4T0peV0keYxcRTq6cyYJP8KH/G7dRIPdszUvNlGEATjfbObYf7Wg
+1t2Ga0d0ZsN0LZWUTjCZufwMwzZIsEezPS8Alg0pgh2S7+SUwBYJqIMCgYEAxOUb
+HvvrPlGzKmigGYn+p5stsoG5jeE6toEr9SslPlC2e7DTfpZEtCKy4Dg+srrr/Ks1
+tZUlo8TE3bsDghQ26X+8wo4KPz2dkq4eVOOQxJZlqBB6qjMgzMADLVUYLJGLmqQr
+ju9bwV/bleZeTkZOItnKqrJHDUJtRvVeAs1DHnkCgYA04bu9js/InHkzxbL0wYJz
+VF7WSym/ZtqTpRm2Czvs2At4EWzACL1/o+/BuXPdGaMYms5zVvf/oLwK1yAgxL8i
+cTBY4DJuo8sKOOS+HaISzkRnOikyBA9Ev5B74Fi5lZnL1y9UwOLjL/3tqe7IqnCp
+PZoILInThPgydCBVsLqdVwKBgGdKvdCiXkYCPFjaLGtZfnPVL8L+1SY+azvFRhdH
+PDGVzDXVjQ5SrNZHgcmpGBNRhm22L+YDyYxBtPmRm4SJMEmMzqzOMUf9/gUuPRFR
+lOfc8pWZl5BkZCel78S/aIAxFqjYyVUh8uPecucPxJeRwHn+AZlND4NAPu3D2T7l
+CfoZAoGBAKy6lnN9p6GWMncSV/cN67YTlmGLoAeocZOLpxEL9UDLyav4f7fWcitZ
+bVpCQgRMw+PB2RDE9VCbKiBPjW30CytoIALjq7vZEyESM8hVgJ8PWHpjM6by+Bdm
+QWuDIDYo6NcGNS7ecA919BeBZcKxfSTajHW5gT8NNGbJ7PNyFwhP
 -----END RSA PRIVATE KEY-----
From f1aa35847f2911b1eb8aa2b63a403a1773685f04 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Thu, 4 Feb 2021 09:59:33 +0900
Subject: [PATCH 19/38] increase coverage
Signed-off-by: Takeshi Yoneda
---
 include/envoy/ssl/BUILD | 3 +-
 .../tls/cert_validator/spiffe_validator.cc | 5 ++---
 .../transport_sockets/tls/cert_validator/BUILD | 1 +
 .../tls/cert_validator/spiffe_validator_test.cc | 17 +++++++++++++++++
 .../transport_sockets/tls/cert_validator/util.h | 16 ++++++++++++++++
 5 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/include/envoy/ssl/BUILD b/include/envoy/ssl/BUILD
index 4630ec0bac3d..00fcb263b276 100644
--- a/include/envoy/ssl/BUILD
+++ b/include/envoy/ssl/BUILD
@@ -68,8 +68,7 @@ envoy_cc_library(
 envoy_cc_library(
 name = "ssl_socket_extended_info_interface",
 hdrs = ["ssl_socket_extended_info.h"],
- deps = [
- ],
+ deps = [],
 )
 envoy_cc_library(
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
index c3731f9cc536..348a3c80440a 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
@@ -102,13 +102,12 @@ void SPIFFEValidator::addClientValidationContext(SSL_CTX* ctx, bool) {
 for (auto& ca : ca_certs_) {
 X509_NAME* name = X509_get_subject_name(ca.get());
- if (name == nullptr) {
- throw EnvoyException(absl::StrCat("Failed to load trusted client CA certificate"));
- }
+ // Check for duplicates.
 if (sk_X509_NAME_find(list.get(), nullptr, name)) {
 continue;
 }
+
 bssl::UniquePtr name_dup(X509_NAME_dup(name));
 if (name_dup == nullptr || !sk_X509_NAME_push(list.get(), name_dup.release())) {
 throw EnvoyException(absl::StrCat("Failed to load trusted client CA certificate"));
diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD
index 03acead518d6..7c2a93c01749 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/BUILD
+++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD
@@ -60,6 +60,7 @@ envoy_cc_test_library(
 hdrs = ["util.h"],
 deps = [
 "//include/envoy/ssl:context_config_interface",
+ "//include/envoy/ssl:ssl_socket_extended_info_interface",
 "//source/common/common:macros",
 "//test/test_common:utility_lib",
 ],
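Review bot: The duplicate check `sk_X509_NAME_find(list.get(), nullptr, name)` that the new comment labels is only a real de-duplication if `list` was created with a comparison function such as `X509_NAME_cmp`; the stack's creation is outside this hunk, and without a comparator the search is by pointer, so the same CA appearing in two trust bundles would be pushed twice. Worth confirming, and the comment could record the dependency: `// Check for duplicates (relies on the X509_NAME_cmp comparator the stack was created with).` Dropping the removed null check looks safe since X509_get_subject_name returns the name embedded in the parsed certificate rather than allocating one, but a one-line comment saying so would stop the next reader from re-adding it. addClientValidationContext begins and ends outside the hunk.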
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
index 4540a1376244..94a84e4e376a 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
@@ -3,6 +3,8 @@
 #include
 #include
+#include "envoy/common/exception.h"
+
 #include "common/event/real_time_system.h"
 #include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h"
@@ -184,6 +186,19 @@ TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) {
 EXPECT_TRUE(validator().getTrustBundleStore(cert.get()));
 }
+TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainPrecheckFailure) {
+ initialize();
+ X509StoreContextPtr store_ctx = X509_STORE_CTX_new();
+ bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute(
+ // basicConstraints: CA:True,
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"));
+
+ TestSslExtendedSocketInfo info;
+ EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), &info, *cert, nullptr));
+ EXPECT_EQ(1, stats().fail_verify_error_.value());
+ EXPECT_EQ(info.certificateValidationStatus(), Envoy::Ssl::ClientValidationStatus::Failed);
+}
+
 TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainSingleTrustDomain) {
 initialize(TestEnvironment::substitute(R"EOF(
 name: envoy.tls.cert_validator.spiffe
@@ -314,6 +329,8 @@ name: envoy.tls.cert_validator.spiffe
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
 example.com:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ foo.com:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
 )EOF"),
 time_system);
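Review bot: In TestDoVerifyCertChainPrecheckFailure, `store_ctx` comes from `X509_STORE_CTX_new()` and is never initialised against a store, so the test proves only that a CA:TRUE leaf is rejected, not that the rejection came from the pre-check rather than from a later chain verification that would also fail on this empty context. A comment such as `// The CA:TRUE leaf must be rejected by the precheck before store_ctx is consulted, so the context is deliberately left uninitialised.` would make the intent explicit, and if the validator exposes a stat or status that distinguishes the two paths, asserting on it would pin the behaviour. The final `EXPECT_EQ(info.certificateValidationStatus(), ...)` also puts the actual value first; `EXPECT_EQ(Envoy::Ssl::ClientValidationStatus::Failed, info.certificateValidationStatus());` matches the expected-first order of the line above it and reads correctly in gtest failure output.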
diff --git a/test/extensions/transport_sockets/tls/cert_validator/util.h b/test/extensions/transport_sockets/tls/cert_validator/util.h
index 781be5c9e848..3dabff82cf3d 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/util.h
+++ b/test/extensions/transport_sockets/tls/cert_validator/util.h
@@ -1,6 +1,7 @@
 #include
 #include "envoy/ssl/context_config.h"
+#include "envoy/ssl/ssl_socket_extended_info.h"
 #include "common/common/macros.h"
@@ -11,6 +12,21 @@ namespace Extensions {
 namespace TransportSockets {
 namespace Tls {
+class TestSslExtendedSocketInfo : public Envoy::Ssl::SslExtendedSocketInfo {
+public:
+ TestSslExtendedSocketInfo(){};
+
+ void setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus validated) override {
+ status_ = validated;
+ }
+ Envoy::Ssl::ClientValidationStatus certificateValidationStatus() const override {
+ return status_;
+ }
+
+private:
+ Envoy::Ssl::ClientValidationStatus status_;
+};
+
 class TestCertificateValidationContextConfig : public Envoy::Ssl::CertificateValidationContextConfig {
 public:
From 8cbbbd10c1abc41fbf6444e063ed672048997487 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Thu, 4 Feb 2021 11:27:02 +0900
Subject: [PATCH 20/38] fix format
Signed-off-by: Takeshi Yoneda
---
 api/envoy/extensions/transport_sockets/tls/v3/common.proto | 2 +-
 api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto | 2 +-
 .../envoy/extensions/transport_sockets/tls/v3/common.proto | 2 +-
 .../envoy/extensions/transport_sockets/tls/v4alpha/common.proto | 2 +-
 test/extensions/transport_sockets/tls/cert_validator/util.h | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
index 1d80b5c02a8a..58203c02505e 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
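Review bot: `Envoy::Ssl::ClientValidationStatus status_;` in the new TestSslExtendedSocketInfo is never initialised, so a test that calls `certificateValidationStatus()` before any `setCertificateValidationStatus()` reads an indeterminate enum value and may pass or fail at random. Give it an in-class initialiser, e.g. `Envoy::Ssl::ClientValidationStatus status_{Envoy::Ssl::ClientValidationStatus::NotValidated};` (or whichever enumerator the interface uses for "not yet validated"). The later "fix format" commit changes the constructor to `= default` but leaves the member uninitialised.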
@@ -375,7 +375,7 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, all the values above are *ignored*.
+ // If specified, the usage of all the values above depends on the custom validator.
 // Currently only
 // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig `
 // is implemented in Envoy.
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 92205edd916b..2e1eeb1c865f 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@@ -377,7 +377,7 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, all the values above are *ignored*.
+ // If specified, the usage of all the values above depends on the custom validator.
 // Currently only
 // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig `
 // is implemented in Envoy.
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
index 4d1a5f1874c6..7b879e472801 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
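Review bot: The reworded comment on custom_validator_config still leaves an operator guessing which of the preceding CertificateValidationContext fields a custom validator honours, and for a TLS trust decision that is the one fact they need: settings such as `match_subject_alt_names` could be silently dropped by a validator that never reads them. Suggest a sentence after the new line stating that each custom validator documents the fields it consumes and that any field it does not list is ignored, with a pointer to the SPIFFECertValidatorConfig documentation for the one implementation that exists. The same comment is mirrored in the v4alpha and generated_api_shadow hunks of this commit.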
@@ -372,7 +372,7 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, all the values above are *ignored*.
+ // If specified, the usage of all the values above depends on the custom validator.
 // Currently only
 // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig `
 // is implemented in Envoy.
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 92205edd916b..2e1eeb1c865f 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@@ -377,7 +377,7 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, all the values above are *ignored*.
+ // If specified, the usage of all the values above depends on the custom validator.
 // Currently only
 // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig `
 // is implemented in Envoy.
diff --git a/test/extensions/transport_sockets/tls/cert_validator/util.h b/test/extensions/transport_sockets/tls/cert_validator/util.h
index 3dabff82cf3d..e15a681c99e1 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/util.h
+++ b/test/extensions/transport_sockets/tls/cert_validator/util.h
@@ -14,7 +14,7 @@ namespace Tls {
 class TestSslExtendedSocketInfo : public Envoy::Ssl::SslExtendedSocketInfo {
 public:
- TestSslExtendedSocketInfo(){};
+ TestSslExtendedSocketInfo() = default;
 void setCertificateValidationStatus(Envoy::Ssl::ClientValidationStatus validated) override {
 status_ = validated;
From 5346527fc46c32257f45df892b6cc8870456f8d0 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Fri, 5 Feb 2021 19:02:51 +0900
Subject: [PATCH 21/38] Review: define TrustDomain msg
Signed-off-by: Takeshi Yoneda
---
 .../tls/v3/tls_spiffe_validator_config.proto | 24 +++--
 .../v4alpha/tls_spiffe_validator_config.proto | 27 +++--
 .../tls/v3/tls_spiffe_validator_config.proto | 24 +++--
 .../v4alpha/tls_spiffe_validator_config.proto | 27 +++--
 include/envoy/ssl/BUILD | 2 -
 .../tls/cert_validator/spiffe_validator.cc | 19 ++--
 .../cert_validator/spiffe_validator_test.cc | 102 ++++++++++--------
 .../tls/integration/ssl_integration_test.cc | 26 +++--
 8 files changed, 155 insertions(+), 96 deletions(-)
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index 3521a2d975f9..9f55a5995df6 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -27,10 +27,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // name: envoy.tls.cert_validator.spiffe
 // typed_config:
 // "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
-// trust_bundles:
-// foo.com:
+// trust_domains:
+// - name: foo.com
+// trust_bundle:
 // filename: "foo.pem"
-// envoy.com:
+// - name: envoy.com
+// trust_bundle:
 // filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
@@ -38,9 +40,15 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
- // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s).
- // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example,
- // and maps to a data source storing x.509 trust bundle.
- // Note that the key must *not* have "spiffe://" prefix.
- map trust_bundles = 1;
+ message TrustDomain {
+ // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+ // Note that this must *not* have "spiffe://" prefix.
+ string name = 1;
+
+ // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+ config.core.v3.DataSource trust_bundle = 2;
+ }
+
+ // This field specifies trust domains used for validating incoming X.509-SVID(s).
+ repeated TrustDomain trust_domains = 1;
 }
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index fc69177c8b00..b29f21c26305 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
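Review bot: `name` and `trust_bundle` in the new TrustDomain message carry no validation rules, so an entry with an empty name or no trust_bundle passes schema validation and is only rejected once the validator tries to read the bundle, where an omitted bundle reads as empty and surfaces as the misleading "Failed to load trusted CA certificate for" error; the map this replaces at least kept keys unique, which `repeated` no longer guarantees. If validate/validate.proto is imported in this file, `string name = 1 [(validate.rules).string = {min_len: 1}];` and `config.core.v3.DataSource trust_bundle = 2 [(validate.rules).message = {required: true}];` would reject both cases at config load, and the trust_domains comment should state that names must be unique. The same applies to the v4alpha and generated_api_shadow copies of this hunk.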
@@ -27,10 +27,12 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // name: envoy.tls.cert_validator.spiffe
 // typed_config:
 // "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
-// trust_bundles:
-// foo.com:
+// trust_domains:
+// - name: foo.com
+// trust_bundle:
 // filename: "foo.pem"
-// envoy.com:
+// - name: envoy.com
+// trust_bundle:
 // filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
@@ -41,9 +43,18 @@ message SPIFFECertValidatorConfig {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
- // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s).
- // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example,
- // and maps to a data source storing x.509 trust bundle.
- // Note that the key must *not* have "spiffe://" prefix.
- map trust_bundles = 1;
+ message TrustDomain {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain";
+
+ // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+ // Note that this must *not* have "spiffe://" prefix.
+ string name = 1;
+
+ // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+ config.core.v4alpha.DataSource trust_bundle = 2;
+ }
+
+ // This field specifies trust domains used for validating incoming X.509-SVID(s).
+ repeated TrustDomain trust_domains = 1;
 }
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index 3521a2d975f9..9f55a5995df6 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -27,10 +27,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // name: envoy.tls.cert_validator.spiffe
 // typed_config:
 // "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
-// trust_bundles:
-// foo.com:
+// trust_domains:
+// - name: foo.com
+// trust_bundle:
 // filename: "foo.pem"
-// envoy.com:
+// - name: envoy.com
+// trust_bundle:
 // filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
@@ -38,9 +40,15 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
- // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s).
- // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example,
- // and maps to a data source storing x.509 trust bundle.
- // Note that the key must *not* have "spiffe://" prefix.
- map trust_bundles = 1;
+ message TrustDomain {
+ // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+ // Note that this must *not* have "spiffe://" prefix.
+ string name = 1;
+
+ // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+ config.core.v3.DataSource trust_bundle = 2;
+ }
+
+ // This field specifies trust domains used for validating incoming X.509-SVID(s).
+ repeated TrustDomain trust_domains = 1;
 }
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index fc69177c8b00..b29f21c26305 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -27,10 +27,12 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // name: envoy.tls.cert_validator.spiffe
 // typed_config:
 // "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
-// trust_bundles:
-// foo.com:
+// trust_domains:
+// - name: foo.com
+// trust_bundle:
 // filename: "foo.pem"
-// envoy.com:
+// - name: envoy.com
+// trust_bundle:
 // filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
@@ -41,9 +43,18 @@ message SPIFFECertValidatorConfig {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
- // This field specifies the x.509 trust bundles used for validating incoming X.509-SVID(s).
- // The key is a SPIFFE trust domain, `example.com`, `foo.bar.gov` for example,
- // and maps to a data source storing x.509 trust bundle.
- // Note that the key must *not* have "spiffe://" prefix.
- map trust_bundles = 1;
+ message TrustDomain {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain";
+
+ // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
+ // Note that this must *not* have "spiffe://" prefix.
+ string name = 1;
+
+ // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
+ config.core.v4alpha.DataSource trust_bundle = 2;
+ }
+
+ // This field specifies trust domains used for validating incoming X.509-SVID(s).
+ repeated TrustDomain trust_domains = 1;
 }
diff --git a/include/envoy/ssl/BUILD b/include/envoy/ssl/BUILD
index 00fcb263b276..30f15f687f3e 100644
--- a/include/envoy/ssl/BUILD
+++ b/include/envoy/ssl/BUILD
@@ -68,13 +68,11 @@ envoy_cc_library(
 envoy_cc_library(
 name = "ssl_socket_extended_info_interface",
 hdrs = ["ssl_socket_extended_info.h"],
- deps = [],
 )
 envoy_cc_library(
 name = "ssl_socket_state",
 hdrs = ["ssl_socket_state.h"],
- deps = [],
 )
 envoy_cc_library(
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
index 348a3c80440a..39b04fb5fcca 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc
@@ -50,20 +50,21 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig*
 ProtobufWkt::Struct(), ProtobufMessage::getStrictValidationVisitor(), message);
- auto size = message.trust_bundles().size();
+ auto size = message.trust_domains().size();
 if (size == 0) {
- throw EnvoyException("SPIFFE cert validator requires at least one trusted CA");
+ throw EnvoyException("SPIFFE cert validator requires at least one trust domain");
 }
 trust_bundle_stores_.reserve(size);
- for (auto& it : message.trust_bundles()) {
- auto cert = Config::DataSource::read(it.second, true, config->api());
+ for (auto& domain : message.trust_domains()) {
+ auto cert = Config::DataSource::read(domain.trust_bundle(), true, config->api());
 bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size()));
 RELEASE_ASSERT(bio != nullptr, "");
 bssl::UniquePtr list(
 PEM_X509_INFO_read_bio(bio.get(), nullptr, nullptr, nullptr));
 if (list == nullptr || sk_X509_INFO_num(list.get()) == 0) {
- throw EnvoyException(absl::StrCat("Failed to load trusted CA certificate for ", it.first));
+ throw EnvoyException(
+ absl::StrCat("Failed to load trusted CA certificate for ", domain.name()));
 }
 auto store = X509StorePtr(X509_STORE_new());
@@ -79,8 +80,10 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig*
 // cert information on getCaCertInformation method.
 // So temporarily we return the first CA's info here.
 ca_loaded = true;
- ca_file_name_ = absl::StrCat(
- it.first, ": ", it.second.filename().empty() ? "" : it.second.filename());
+ ca_file_name_ = absl::StrCat(domain.name(), ": ",
+ domain.trust_bundle().filename().empty()
+ ? ""
+ : domain.trust_bundle().filename());
 }
 }
@@ -92,7 +95,7 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig*
 if (has_crl) {
 X509_STORE_set_flags(store.get(), X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
 }
- trust_bundle_stores_[it.first] = std::move(store);
+ trust_bundle_stores_[domain.name()] = std::move(store);
 }
 }
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
index 94a84e4e376a..b3be72bd3ede 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
@@ -77,9 +77,10 @@ TEST_F(TestSPIFFEValidator, InvalidCA) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- hello.com:
- inline_string: "invalid"
+ trust_domains:
+ - name: hello.com
+ trust_bundle:
+ inline_string: "invalid"
 )EOF")), EnvoyException, "Failed to load trusted CA certificate for hello.com");
 }
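Review bot: `trust_bundle_stores_[domain.name()] = std::move(store);` silently replaces an earlier store when two `trust_domains` entries share a name, so a duplicated trust domain now means last-one-wins (with `ca_file_name_` still reporting the first bundle), whereas the map-keyed config this replaces could not express a duplicate at all. Assuming `trust_bundle_stores_` is an unordered map as its `reserve()` and `operator[]` use suggests, rejecting the duplicate keeps the trust configuration unambiguous: `if (!trust_bundle_stores_.emplace(domain.name(), std::move(store)).second) { throw EnvoyException(absl::StrCat("Duplicate trust domain ", domain.name())); }`. The constructor begins outside this hunk.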
@@ -89,18 +90,19 @@ TEST_F(TestSPIFFEValidator, Constructor) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles: {}
+ trust_domains: []
 )EOF")), EnvoyException,
- "SPIFFE cert validator requires at least one trusted CA");
+ "SPIFFE cert validator requires at least one trust domain");
 initialize(TestEnvironment::substitute(R"EOF(
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- hello.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
+ trust_domains:
+ - name: hello.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
 )EOF"));
 EXPECT_EQ(1, validator().trustBundleStores().size());
@@ -111,11 +113,13 @@ name: envoy.tls.cert_validator.spiffe
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- hello.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
- k8s-west.example.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem"
+ trust_domains:
+ - name: hello.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ - name: k8s-west.example.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/keyusage_crl_sign_cert.pem"
 )EOF"));
 EXPECT_EQ(2, validator().trustBundleStores().size());
@@ -204,9 +208,10 @@ TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainSingleTrustDomain) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- lyft.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ trust_domains:
+ - name: lyft.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
 )EOF"));
 X509StorePtr ssl_ctx = X509_STORE_new();
@@ -242,11 +247,13 @@ TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainMultipleTrustDomain) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- lyft.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
- example.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ trust_domains:
+ - name: lyft.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ - name: example.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
 )EOF"));
 X509StorePtr ssl_ctx = X509_STORE_new();
@@ -284,11 +291,13 @@ TEST_F(TestSPIFFEValidator, TestGetCaCertInformation) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- lyft.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
- example.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ trust_domains:
+ - name: lyft.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem"
+ - name: example.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
 )EOF"));
 auto actual = validator().getCaCertInformation();
@@ -306,11 +315,13 @@ TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) {
 name: envoy.tls.cert_validator.spiffe
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
- trust_bundles:
- lyft.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
- example.com:
- filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ trust_domains:
+ - name: lyft.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+ - name: example.com
+ trust_bundle:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
 )EOF"),
 time_system);
 EXPECT_EQ(19224, validator().daysUntilFirstCertExpires());
@@ -324,13 +335,16 @@ TEST_F(TestSPIFFEValidator, TestAddClientValidationContext) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_bundles: - lyft.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" - example.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" - foo.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + trust_domains: + - name: lyft.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + - name: example.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + - name: foo.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" )EOF"), time_system); @@ -364,11 +378,13 @@ TEST_F(TestSPIFFEValidator, TestUpdateDigestForSessionId) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_bundles: - lyft.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" - example.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + trust_domains: + - name: lyft.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + - name: example.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" )EOF"), time_system); uint8_t hash_buffer[EVP_MAX_MD_SIZE]; 
diff --git a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc index 0254d906a38f..d32b1d8dcb67 100644 --- a/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc +++ b/test/extensions/transport_sockets/tls/integration/ssl_integration_test.cc @@ -361,9 +361,10 @@ TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorAccepted) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_bundles: - lyft.com: - filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + trust_domains: + - name: lyft.com + trust_bundle: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" )EOF"), *typed_conf); @@ -387,9 +388,10 @@ TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected1) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_bundles: - example.com: - filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + trust_domains: + - name: example.com + trust_bundle: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" )EOF"), *typed_conf); custom_validator_config_ = typed_conf; 
@@ -418,11 +420,13 @@ TEST_P(SslCertficateIntegrationTest, ServerRsaSPIFFEValidatorRejected2) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_bundles: - lyft.com: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" - example.com: - filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" + trust_domains: + - name: lyft.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" + - name: example.com + trust_bundle: + filename: "{{ test_rundir }}/test/config/integration/certs/cacert.pem" )EOF"), *typed_conf); custom_validator_config_ = typed_conf; From 7339c3cf9c0e68dd1a76f7658f417dfbe9879d28 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Sun, 7 Feb 2021 21:46:31 +0900 Subject: [PATCH 22/38] Do manual parsing instead of regexp Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe_validator.cc | 20 +++++++++++++++---- .../cert_validator/spiffe_validator_test.cc | 1 + 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc index 39b04fb5fcca..29fe73dd8473 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc 
@@ -207,13 +207,25 @@ bool SPIFFEValidator::certificatePrecheck(X509* leaf_cert) {
 }
 
 std::string SPIFFEValidator::extractTrustDomain(const std::string& san) {
- static const std::regex reg = Envoy::Regex::Utility::parseStdRegex("spiffe:\\/\\/([^\\/]+)\\/");
- std::smatch m;
+ static const std::string prefix = "spiffe://";
+ size_t begin = 0;
+ for (; begin < san.size() && begin < prefix.size(); begin++) {
+ if (prefix[begin] != san[begin]) {
+ break;
+ }
+ }
 
- if (!std::regex_search(san, m, reg) || m.size() < 2) {
+ if (begin != prefix.size()) {
 return "";
 }
- return m[1];
+
+ size_t end = begin;
+ for (; end < san.size(); end++) {
+ if (san[end] == '/') {
+ break;
+ }
+ }
+ return end < san.size() ? san.substr(begin, end - begin) : "";
 }
 
 size_t SPIFFEValidator::daysUntilFirstCertExpires() const {
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
index b3be72bd3ede..93729a728963 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc
@@ -127,6 +127,7 @@ name: envoy.tls.cert_validator.spiffe
 
 TEST(SPIFFEValidator, TestExtractTrustDomain) {
 EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/"));
+ EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("spiffe://"));
 EXPECT_EQ("abc.com", SPIFFEValidator::extractTrustDomain("spiffe://abc.com/"));
 EXPECT_EQ("dev.envoy.com",
 SPIFFEValidator::extractTrustDomain("spiffe://dev.envoy.com/workload1"));

From 8cfadd7b6ab22532b60c1b2201ec9d414f115919 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Sun, 7 Feb 2021 22:57:51 +0900
Subject: [PATCH 23/38] review: use envoy_cc_extensions and mv files
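Review bot: A SPIFFE ID with an empty path, such as `spiffe://example.org`, is rejected by the final ternary because no `/` follows the trust domain, so a peer presenting a trust-domain-level ID (the form go-spiffe's `TrustDomain.ID()` produces) fails validation; the regex this replaces had the same restriction, so this is inherited rather than introduced, but the choice is undocumented and should either be stated in a comment or relaxed. Whether SVID leaf certificates are allowed to carry a path-less ID is not something this hunk lets me confirm, so I would at least record the decision. The two hand-rolled loops can also be collapsed into `std::string::compare` and `find`, which keeps the result of every existing case (`abc.com/`, `spiffe://`, `spiffe:///x` all still yield `""`) while making the trust-domain boundary explicit. Nothing here validates the characters of the extracted trust domain; that is acceptable only as long as the caller uses the result purely as an exact-match lookup key, which is outside this hunk.
```cpp
std::string SPIFFEValidator::extractTrustDomain(const std::string& san) {
  static const std::string prefix = "spiffe://";
  // Scheme must match byte-for-byte; no case folding or whitespace trimming is done.
  if (san.compare(0, prefix.size(), prefix) != 0) {
    return "";
  }
  // The trust domain runs from the end of the scheme to the first '/' of the path.
  // A SPIFFE ID with no path ("spiffe://example.org") is rejected here, as it was
  // by the regex this replaces; revisit if trust-domain-level IDs must be accepted.
  const size_t end = san.find('/', prefix.size());
  return end == std::string::npos ? "" : san.substr(prefix.size(), end - prefix.size());
}
```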
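Review bot: The added case only covers the bare scheme; the parser's other rejection paths are still unpinned: an empty trust domain (`spiffe:///workload`), a missing path (`spiffe://abc.com`), and a differently cased scheme (`SPIFFE://abc.com/`), all of which the new code returns `""` for. Adding `EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("spiffe:///workload"));` and `EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("spiffe://abc.com"));` records that these inputs are rejected on purpose rather than by accident, which matters because a later "fix" to either behavior changes which peers a listener accepts. The test function starts inside the hunk and ends outside it.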
Signed-off-by: Takeshi Yoneda --- source/extensions/extensions_build_config.bzl | 7 +++ source/extensions/quic_listeners/quiche/BUILD | 2 +- .../quiche/envoy_quic_proof_verifier.cc | 1 + .../quiche/envoy_quic_proof_verifier.h | 1 - .../tls/cert_validator/BUILD | 5 --- .../tls/cert_validator/default/BUILD | 42 ++++++++++++++++++ .../{ => default}/default_validator.cc | 2 +- .../{ => default}/default_validator.h | 0 .../tls/cert_validator/spiffe/BUILD | 43 +++++++++++++++++++ .../{ => spiffe}/spiffe_validator.cc | 2 +- .../{ => spiffe}/spiffe_validator.h | 0 .../tls/cert_validator/BUILD | 35 --------------- .../tls/cert_validator/default/BUILD | 26 +++++++++++ .../{ => default}/default_validator_test.cc | 2 +- .../tls/cert_validator/spiffe/BUILD | 28 ++++++++++++ .../{ => spiffe}/spiffe_validator_test.cc | 3 +- .../transport_sockets/tls/integration/BUILD | 2 + tools/code_format/check_format.py | 1 - 18 files changed, 155 insertions(+), 47 deletions(-) create mode 100644 source/extensions/transport_sockets/tls/cert_validator/default/BUILD rename source/extensions/transport_sockets/tls/cert_validator/{ => default}/default_validator.cc (99%) rename source/extensions/transport_sockets/tls/cert_validator/{ => default}/default_validator.h (100%) create mode 100644 source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD rename source/extensions/transport_sockets/tls/cert_validator/{ => spiffe}/spiffe_validator.cc (99%) rename source/extensions/transport_sockets/tls/cert_validator/{ => spiffe}/spiffe_validator.h (100%) create mode 100644 test/extensions/transport_sockets/tls/cert_validator/default/BUILD rename test/extensions/transport_sockets/tls/cert_validator/{ => default}/default_validator_test.cc (99%) create mode 100644 test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD rename test/extensions/transport_sockets/tls/cert_validator/{ => spiffe}/spiffe_validator_test.cc (99%) 
diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 1f861f0a2299..50d9410853ff 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -241,6 +241,13 @@ EXTENSIONS = { # "envoy.io_socket.user_space": "//source/extensions/io_socket/user_space:config", + + # + # TLS peer certification validators + # + + "envoy.tls.cert_validator.default": "//source/extensions/transport_sockets/tls/cert_validator/default:config", + "envoy.tls.cert_validator.spiffe": "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", } # These can be changed to ["//visibility:public"], for downstream builds which diff --git a/source/extensions/quic_listeners/quiche/BUILD b/source/extensions/quic_listeners/quiche/BUILD index 97b30b620f07..7864b29ce8c5 100644 --- a/source/extensions/quic_listeners/quiche/BUILD +++ b/source/extensions/quic_listeners/quiche/BUILD @@ -107,7 +107,7 @@ envoy_cc_library( ":envoy_quic_proof_verifier_base_lib", ":envoy_quic_utils_lib", "//source/extensions/transport_sockets/tls:context_lib", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "//source/extensions/transport_sockets/tls/cert_validator/default:config", ], ) diff --git a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc index 98b52e8ccc0e..0e2a26f14813 100644 --- a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc +++ b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc @@ -1,6 +1,7 @@ #include "extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h" #include "extensions/quic_listeners/quiche/envoy_quic_utils.h" +#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h" #include "quiche/quic/core/crypto/certificate_view.h" 
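Review bot: Registering `envoy.tls.cert_validator.default` in EXTENSIONS makes the default validator opt-out at build time, yet the doc text added later in this series says the default validator is what runs whenever `custom_validator_config` is unset, and the quiche target in this same commit depends on `cert_validator/default:config` directly; a downstream build that trims this list would drop, or fail to link, the ordinary TLS peer-verification path. If the default validator is required for core TLS to work it belongs in the always-built library, with only `envoy.tls.cert_validator.spiffe` registered here. If listing it is deliberate, a comment such as `# The default validator is required by core TLS and must not be disabled.` above the entry would keep someone from removing it.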
diff --git a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h index 983ed91df703..a29eb999119f 100644 --- a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h +++ b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h @@ -1,7 +1,6 @@ #pragma once #include "extensions/quic_listeners/quiche/envoy_quic_proof_verifier_base.h" -#include "extensions/transport_sockets/tls/cert_validator/default_validator.h" #include "extensions/transport_sockets/tls/context_impl.h" namespace Envoy { diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD index 7dc295405d2b..600d194d3781 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD @@ -11,15 +11,11 @@ envoy_extension_package() envoy_cc_library( name = "cert_validator_lib", srcs = [ - "default_validator.cc", "factory.cc", - "spiffe_validator.cc", ], hdrs = [ "cert_validator.h", - "default_validator.h", "factory.h", - "spiffe_validator.h", ], external_deps = [ "ssl", @@ -41,6 +37,5 @@ envoy_cc_library( "//source/common/stats:utility_lib", "//source/extensions/transport_sockets/tls:stats_lib", "//source/extensions/transport_sockets/tls:utility_lib", - "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", ], ) diff --git a/source/extensions/transport_sockets/tls/cert_validator/default/BUILD b/source/extensions/transport_sockets/tls/cert_validator/default/BUILD new file mode 100644 index 000000000000..06669770303e --- /dev/null +++ b/source/extensions/transport_sockets/tls/cert_validator/default/BUILD 
@@ -0,0 +1,42 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "config", + srcs = [ + "default_validator.cc", + ], + hdrs = [ + "default_validator.h", + ], + external_deps = [ + "ssl", + "abseil_base", + "abseil_hash", + ], + security_posture = "unknown", + visibility = ["//visibility:public"], + deps = [ + "//include/envoy/ssl:context_config_interface", + "//include/envoy/ssl:ssl_socket_extended_info_interface", + "//source/common/common:assert_lib", + "//source/common/common:base64_lib", + "//source/common/common:c_smart_ptr_lib", + "//source/common/common:hex_lib", + "//source/common/common:utility_lib", + "//source/common/config:datasource_lib", + "//source/common/config:utility_lib", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + "//source/extensions/transport_sockets/tls:stats_lib", + "//source/extensions/transport_sockets/tls:utility_lib", + "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + ], +) diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc similarity index 99% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.cc rename to source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc index e0afb01d8e39..2827127e0a77 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc @@ -1,4 +1,4 @@ -#include "extensions/transport_sockets/tls/cert_validator/default_validator.h" +#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h" #include #include 
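Review bot: `security_posture = "unknown"` understates what this target is: the default certificate validator is the code that parses and verifies peer certificates on untrusted downstream and upstream connections, so its posture should be declared deliberately (`robust_to_untrusted_downstream_and_upstream` if that is what it is believed to be) rather than left unassessed. The dependency list is identical to the one in the new spiffe/BUILD apart from the proto package, which suggests it was copied rather than derived from what default_validator.cc includes; I cannot see the source here, but trimming unused entries such as `base64_lib` or `symbol_table_lib`, if they are unused, keeps the extension graph honest.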
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.h similarity index 100% rename from source/extensions/transport_sockets/tls/cert_validator/default_validator.h rename to source/extensions/transport_sockets/tls/cert_validator/default/default_validator.h diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD new file mode 100644 index 000000000000..70dfe7a4af00 --- /dev/null +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD @@ -0,0 +1,43 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_extension", + "envoy_extension_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_extension_package() + +envoy_cc_extension( + name = "config", + srcs = [ + "spiffe_validator.cc", + ], + hdrs = [ + "spiffe_validator.h", + ], + external_deps = [ + "ssl", + "abseil_base", + "abseil_hash", + ], + security_posture = "unknown", + visibility = ["//visibility:public"], + deps = [ + "//include/envoy/ssl:context_config_interface", + "//include/envoy/ssl:ssl_socket_extended_info_interface", + "//source/common/common:assert_lib", + "//source/common/common:base64_lib", + "//source/common/common:c_smart_ptr_lib", + "//source/common/common:hex_lib", + "//source/common/common:utility_lib", + "//source/common/config:datasource_lib", + "//source/common/config:utility_lib", + "//source/common/stats:symbol_table_lib", + "//source/common/stats:utility_lib", + "//source/extensions/transport_sockets/tls:stats_lib", + "//source/extensions/transport_sockets/tls:utility_lib", + "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", + "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto", + ], +) 
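Review bot: `security_posture = "unknown"` is the wrong declaration for a validator whose job is to parse URI SANs out of peer certificates presented on untrusted connections; Envoy's extension policy expects a deliberate posture, and a brand-new validator is also a natural candidate for `status = "alpha"` (as far as I recall envoy_cc_extension defaults the status to `stable`). I would set both explicitly, e.g. `security_posture = "robust_to_untrusted_downstream_and_upstream",` and `status = "alpha",`, once the SAN parsing has had fuzz coverage, and treat `unknown` as a placeholder that must not ship.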
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc similarity index 99% rename from source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc rename to source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 29fe73dd8473..f66c36f15f57 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -1,4 +1,4 @@ -#include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" +#include "extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h" #include #include diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h similarity index 100% rename from source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.h rename to source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD index 7c2a93c01749..988513effea0 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD 
@@ -9,41 +9,6 @@ licenses(["notice"]) # Apache 2 envoy_package() -envoy_cc_test( - name = "default_validator_test", - srcs = [ - "default_validator_test.cc", - ], - data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", - ], - deps = [ - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", - "//test/test_common:environment_lib", - "//test/test_common:test_runtime_lib", - ], -) - -envoy_cc_test( - name = "spiffe_validator_test", - srcs = [ - "spiffe_validator_test.cc", - ], - data = [ - "//test/extensions/transport_sockets/tls/test_data:certs", - ], - deps = [ - ":util", - "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib", - "//test/extensions/transport_sockets/tls:ssl_test_utils", - "//test/test_common:environment_lib", - "//test/test_common:simulated_time_system_lib", - "//test/test_common:test_runtime_lib", - "//test/test_common:utility_lib", - ], -) - envoy_cc_test( name = "factory_test", srcs = [ diff --git a/test/extensions/transport_sockets/tls/cert_validator/default/BUILD b/test/extensions/transport_sockets/tls/cert_validator/default/BUILD new file mode 100644 index 000000000000..25b692883413 --- /dev/null +++ b/test/extensions/transport_sockets/tls/cert_validator/default/BUILD @@ -0,0 +1,26 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_test( + name = "default_validator_test", + srcs = [ + "default_validator_test.cc", + ], + data = [ + "//test/extensions/transport_sockets/tls/test_data:certs", + ], + deps = [ + "//source/extensions/transport_sockets/tls/cert_validator/default:config", + "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//test/extensions/transport_sockets/tls/cert_validator:util", + "//test/test_common:environment_lib", + "//test/test_common:test_runtime_lib", + ], +) 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc similarity index 99% rename from test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc rename to test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc index 70bf0ca9fe57..550e561ad30b 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc @@ -1,7 +1,7 @@ #include #include -#include "extensions/transport_sockets/tls/cert_validator/default_validator.h" +#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h" #include "test/extensions/transport_sockets/tls/ssl_test_utility.h" #include "test/test_common/environment.h" diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD new file mode 100644 index 000000000000..a3f4decb5685 --- /dev/null +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD @@ -0,0 +1,28 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +envoy_cc_test( + name = "spiffe_validator_test", + srcs = [ + "spiffe_validator_test.cc", + ], + data = [ + "//test/extensions/transport_sockets/tls/test_data:certs", + ], + deps = [ + "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", + "//test/extensions/transport_sockets/tls:ssl_test_utils", + "//test/extensions/transport_sockets/tls/cert_validator:util", + "//test/test_common:environment_lib", + "//test/test_common:simulated_time_system_lib", + "//test/test_common:test_runtime_lib", + "//test/test_common:utility_lib", + ], +) 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc similarity index 99% rename from test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc rename to test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index 93729a728963..d6dbc81ad49d 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc @@ -7,7 +7,7 @@ #include "common/event/real_time_system.h" -#include "extensions/transport_sockets/tls/cert_validator/spiffe_validator.h" +#include "extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h" #include "extensions/transport_sockets/tls/stats.h" #include "test/extensions/transport_sockets/tls/cert_validator/util.h" @@ -127,6 +127,7 @@ name: envoy.tls.cert_validator.spiffe TEST(SPIFFEValidator, TestExtractTrustDomain) { EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/")); + EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/workload/")); EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("spiffe://")); EXPECT_EQ("abc.com", SPIFFEValidator::extractTrustDomain("spiffe://abc.com/")); EXPECT_EQ("dev.envoy.com", diff --git a/test/extensions/transport_sockets/tls/integration/BUILD b/test/extensions/transport_sockets/tls/integration/BUILD index 5d535e86e2cd..64efbfb2a668 100644 --- a/test/extensions/transport_sockets/tls/integration/BUILD +++ b/test/extensions/transport_sockets/tls/integration/BUILD 
@@ -26,6 +26,8 @@ envoy_cc_test( "//source/extensions/transport_sockets/tls:config", "//source/extensions/transport_sockets/tls:context_config_lib", "//source/extensions/transport_sockets/tls:context_lib", + "//source/extensions/transport_sockets/tls/cert_validator/default:config", + "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", "//test/extensions/common/tap:common", "//test/integration:http_integration_lib", "//test/mocks/secret:secret_mocks", diff --git a/tools/code_format/check_format.py b/tools/code_format/check_format.py index dfcb197767a2..af6b1bd43b4b 100755 --- a/tools/code_format/check_format.py +++ b/tools/code_format/check_format.py @@ -98,7 +98,6 @@ "./source/common/stats/tag_extractor_impl.cc", "./source/common/formatter/substitution_formatter.cc", "./source/extensions/filters/http/squash/squash_filter.h", - "./source/extensions/transport_sockets/tls/cert_validator/spiffe_validator.cc", "./source/extensions/filters/http/squash/squash_filter.cc", "./source/server/admin/utils.h", "./source/server/admin/utils.cc", "./source/server/admin/stats_handler.h", "./source/server/admin/stats_handler.cc", "./source/server/admin/prometheus_stats.h", From 19aa7bd173fa41641debb181b30263773f3f4956 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 8 Feb 2021 13:37:43 +0900 Subject: [PATCH 24/38] fix doc 
Signed-off-by: Takeshi Yoneda --- .../transport_sockets/tls/v3/common.proto | 13 +++++++++---- .../tls/v3/tls_spiffe_validator_config.proto | 2 +- .../transport_sockets/tls/v4alpha/common.proto | 13 +++++++++---- .../tls/v4alpha/tls_spiffe_validator_config.proto | 2 +- bazel/envoy_library.bzl | 1 + .../transport_sockets/tls/v3/common.proto | 13 +++++++++---- .../tls/v3/tls_spiffe_validator_config.proto | 2 +- .../transport_sockets/tls/v4alpha/common.proto | 13 +++++++++---- .../tls/v4alpha/tls_spiffe_validator_config.proto | 2 +- .../transport_sockets/tls/cert_validator/BUILD | 1 + .../tls/cert_validator/default/BUILD | 4 +++- .../transport_sockets/tls/cert_validator/factory.cc | 4 +++- .../tls/cert_validator/spiffe/BUILD | 2 ++ .../tls/cert_validator/spiffe/spiffe_validator.cc | 4 ++-- 14 files changed, 52 insertions(+), 24 deletions(-) diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index ec8abb6fd9aa..6a654834d17e 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -213,6 +213,7 @@ message TlsSessionTicketKeys { } // [#next-free-field: 13] +// .. _extension_envoy.tls.cert_validator.default: message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; 
@@ -374,9 +375,13 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. - // Currently only - // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` - // is implemented in Envoy. + // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. + // If you do not want custom validation algorithm, then there is no need to set this field. + // The following names are available here: + // + // .. _extension_envoy.tls.cert_validator.spiffe: + // + // **envoy.tls.cert_validator.spiffe**: `SPIFFE `_ certificate validator. + // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` for more information. config.core.v3.TypedExtensionConfig custom_validator_config = 12; } diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index 9f55a5995df6..6f7f33b45a45 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto @@ -14,7 +14,7 @@ option java_outer_classname = "TlsSpiffeValidatorConfigProto"; option java_multiple_files = true; option (udpa.annotations.file_status).package_version_status = ACTIVE; -// [#protodoc-title: SPIFFE Certificate Validator Configuration] +// [#protodoc-title: SPIFFE Certificate Validator] // Configuration specific to the SPIFFE certificate validator provided at // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. 
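Review bot: The rewritten comment says "the usage of all the values above depends on the custom validator" without telling operators that the other fields of this message (SAN matchers, certificate pins and so on) may be silently ignored; for a security setting that omission is the important part, because an operator who leaves a pin configured alongside `custom_validator_config` may believe it is still enforced. I would add a sentence such as `// A custom validator is not required to honor any other field of this message; consult the validator's own documentation for which fields it applies.` and have the SPIFFE validator's page list exactly what it honors. The example link `SPIFFE `_` has lost its target in this copy, so the rendered docs should be checked for a dangling reference.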
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 3f1803d6c353..43d121e4f446 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -215,6 +215,7 @@ message TlsSessionTicketKeys { } // [#next-free-field: 13] +// .. _extension_envoy.tls.cert_validator.default: message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext"; @@ -376,9 +377,13 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. - // Currently only - // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` - // is implemented in Envoy. + // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. + // If you do not want custom validation algorithm, then there is no need to set this field. + // The following names are available here: + // + // .. _extension_envoy.tls.cert_validator.spiffe: + // + // **envoy.tls.cert_validator.spiffe**: `SPIFFE `_ certificate validator. + // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` for more information. config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12; } diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index b29f21c26305..3ef2126dfcd3 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto 
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto @@ -14,7 +14,7 @@ option java_outer_classname = "TlsSpiffeValidatorConfigProto"; option java_multiple_files = true; option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE; -// [#protodoc-title: SPIFFE Certificate Validator Configuration] +// [#protodoc-title: SPIFFE Certificate Validator] // Configuration specific to the SPIFFE certificate validator provided at // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`. diff --git a/bazel/envoy_library.bzl b/bazel/envoy_library.bzl index d052c481ace5..44bd205ae7a9 100644 --- a/bazel/envoy_library.bzl +++ b/bazel/envoy_library.bzl @@ -93,6 +93,7 @@ EXTENSION_CATEGORIES = [ "envoy.tracers", "envoy.transport_sockets.downstream", "envoy.transport_sockets.upstream", + "envoy.tls.cert_validator", "envoy.upstreams", "envoy.wasm.runtime", "DELIBERATELY_OMITTED", diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 7b879e472801..6cead5394455 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -213,6 +213,7 @@ message TlsSessionTicketKeys { } // [#next-free-field: 13] +// .. _extension_envoy.tls.cert_validator.default: message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; 
@@ -372,10 +373,14 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. - // Currently only - // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` - // is implemented in Envoy. + // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. + // If you do not want custom validation algorithm, then there is no need to set this field. + // The following names are available here: + // + // .. _extension_envoy.tls.cert_validator.spiffe: + // + // **envoy.tls.cert_validator.spiffe**: `SPIFFE `_ certificate validator. + // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` for more information. config.core.v3.TypedExtensionConfig custom_validator_config = 12; repeated string hidden_envoy_deprecated_verify_subject_alt_name = 4 [deprecated = true]; diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index 9f55a5995df6..6f7f33b45a45 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto 
@@ -14,7 +14,7 @@ option java_outer_classname = "TlsSpiffeValidatorConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
-// [#protodoc-title: SPIFFE Certificate Validator Configuration]
+// [#protodoc-title: SPIFFE Certificate Validator]
 // Configuration specific to the SPIFFE certificate validator provided at
 // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`.
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 3f1803d6c353..43d121e4f446 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@@ -215,6 +215,7 @@ message TlsSessionTicketKeys {
 }
 // [#next-free-field: 13]
+// .. _extension_envoy.tls.cert_validator.default:
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext";
@@ -376,9 +377,13 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, the usage of all the values above depends on the custom validator.
- // Currently only
- // :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig `
- // is implemented in Envoy.
+ // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used.
+ // If you do not want custom validation algorithm, then there is no need to set this field.
+ // The following names are available here:
+ //
+ // .. _extension_envoy.tls.cert_validator.spiffe:
+ //
+ // **envoy.tls.cert_validator.spiffe**: `SPIFFE `_ certificate validator.
+ // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ` for more information.
 config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12;
 }
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index b29f21c26305..3ef2126dfcd3 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -14,7 +14,7 @@ option java_outer_classname = "TlsSpiffeValidatorConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
-// [#protodoc-title: SPIFFE Certificate Validator Configuration]
+// [#protodoc-title: SPIFFE Certificate Validator]
 // Configuration specific to the SPIFFE certificate validator provided at
 // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config`.
diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD
index 600d194d3781..bd4619a38bc7 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD
@@ -16,6 +16,7 @@ envoy_cc_library(
 hdrs = [
 "cert_validator.h",
 "factory.h",
+ "well_known_names.h",
 ],
 external_deps = [
 "ssl",
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default/BUILD b/source/extensions/transport_sockets/tls/cert_validator/default/BUILD
index 06669770303e..48ee6875e87b 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/default/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/default/BUILD
@@ -16,12 +16,14 @@ envoy_cc_extension(
 hdrs = [
 "default_validator.h",
 ],
+ category = "envoy.tls.cert_validator",
 external_deps = [
 "ssl",
 "abseil_base",
 "abseil_hash",
 ],
- security_posture = "unknown",
+ security_posture = "robust_to_untrusted_downstream_and_upstream",
+ status = "stable",
 visibility = ["//visibility:public"],
 deps = [
 "//include/envoy/ssl:context_config_interface",
diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.cc b/source/extensions/transport_sockets/tls/cert_validator/factory.cc
index 3ab5267ad435..349b04e260b4 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/factory.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/factory.cc
@@ -2,6 +2,8 @@
 #include "envoy/ssl/context_config.h"
+#include "extensions/transport_sockets/tls/cert_validator/well_known_names.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace TransportSockets {
@@ -10,7 +12,7 @@ namespace Tls {
 std::string getCertValidatorName(const Envoy::Ssl::CertificateValidationContextConfig* config) {
 return config != nullptr && config->customValidatorConfig().has_value()
 ? config->customValidatorConfig().value().name()
- : "envoy.tls.cert_validator.default";
+ : CertValidatorNames::get().Default;
 };
 } // namespace Tls
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
index 70dfe7a4af00..d6f74254f3a0 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
@@ -16,12 +16,14 @@ envoy_cc_extension(
 hdrs = [
 "spiffe_validator.h",
 ],
+ category = "envoy.tls.cert_validator",
 external_deps = [
 "ssl",
 "abseil_base",
 "abseil_hash",
 ],
 security_posture = "unknown",
+ status = "wip",
 visibility = ["//visibility:public"],
 deps = [
 "//include/envoy/ssl:context_config_interface",
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
index f66c36f15f57..712a2b8c9790 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -222,10 +222,10 @@ std::string SPIFFEValidator::extractTrustDomain(const std::string& san) {
 size_t end = begin;
 for (; end < san.size(); end++) {
 if (san[end] == '/') {
- break;
+ return san.substr(begin, end - begin);
 }
 }
- return end < san.size() ? san.substr(begin, end - begin) : "";
+ return "";
 }
 size_t SPIFFEValidator::daysUntilFirstCertExpires() const {
From 5dc2e31067280f043994df156bfc9a53b8e17691 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Mon, 8 Feb 2021 14:23:15 +0900
Subject: [PATCH 25/38] add well_known_names.h
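Review bot: `security_posture = "unknown"` is left in place while `status = "wip"` is added, for an extension whose input is the peer certificate chain of untrusted downstreams and upstreams; the default validator hunk earlier in this series moves to `robust_to_untrusted_downstream_and_upstream`. The posture should be decided deliberately before `wip` is lifted, and a short comment on the `status` line naming what has to happen first (presumably unit and fuzz coverage of the SAN and trust-domain parsing) would keep that from being forgotten. The `envoy_cc_extension(` rule starts above the hunk.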
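Review bot: The rewritten `extractTrustDomain` makes `""` the only signal that a SAN has no `/` after the trust domain, but nothing in the function says so, and a caller that compares the result against configured names without first checking for empty would accept it silently. Add a comment above the loop, e.g. `// Returns the substring up to the first '/'; an empty result means the SAN carried no path separator and must be rejected by the caller, never matched.` The function's start (where `begin` is computed) and its callers are outside the hunk, so whether the empty case is already rejected cannot be confirmed here.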
Signed-off-by: Takeshi Yoneda
---
 .../tls/cert_validator/well_known_names.h | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 source/extensions/transport_sockets/tls/cert_validator/well_known_names.h
diff --git a/source/extensions/transport_sockets/tls/cert_validator/well_known_names.h b/source/extensions/transport_sockets/tls/cert_validator/well_known_names.h
new file mode 100644
index 000000000000..226830cd514c
--- /dev/null
+++ b/source/extensions/transport_sockets/tls/cert_validator/well_known_names.h
@@ -0,0 +1,29 @@
+#pragma once
+
+#include
+
+#include "common/singleton/const_singleton.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace TransportSockets {
+namespace Tls {
+
+/**
+ * Well-known certificate validator's names.
+ */
+class CertValidatorValues {
+public:
+ // default certificate validator
+ const std::string Default = "envoy.tls.cert_validator.default";
+
+ // SPIFFE(https://github.com/spiffe/spiffe)
+ const std::string SPIFFE = "envoy.tls.cert_validator.spiffe";
+};
+
+using CertValidatorNames = ConstSingleton;
+
+} // namespace Tls
+} // namespace TransportSockets
+} // namespace Extensions
+} // namespace Envoy
From 8c8c6b976d74fd610d2eaeeb335eb3e636dfda47 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Mon, 8 Feb 2021 16:13:19 +0900
Subject: [PATCH 26/38] fix test build
Signed-off-by: Takeshi Yoneda
---
 source/extensions/transport_sockets/tls/BUILD | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD
index 1622e9101655..bbcbd85bb699 100644
--- a/source/extensions/transport_sockets/tls/BUILD
+++ b/source/extensions/transport_sockets/tls/BUILD
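Review bot: The class comment says "well-known names" but not what they are the contract for: `CertValidatorNames::get().Default` is what `getCertValidatorName` falls back to when no `custom_validator_config` is set, and the same two strings are the keys in `extensions_build_config.bzl` elsewhere in this series, so editing a value here silently changes which validator a config resolves to. Suggest replacing the header comment with `// Names of the built-in certificate validators. Each value must match the key used in extensions_build_config.bzl and the name given in CertificateValidationContext.custom_validator_config; changing one changes validator lookup, not just a label.` The mixed member casing (`Default` vs `SPIFFE`) is also worth aligning while the file is new.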
@@ -167,6 +167,7 @@ envoy_cc_library(
 "//source/common/stats:symbol_table_lib",
 "//source/common/stats:utility_lib",
 "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "//source/extensions/transport_sockets/tls/cert_validator/default:config",
 "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib",
 "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
 "@envoy_api//envoy/admin/v3:pkg_cc_proto",
From 81452ded2d14feea0e28e1b9f90c0e62c89f647d Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Mon, 8 Feb 2021 17:56:53 +0900
Subject: [PATCH 27/38] fix coverage exception
Signed-off-by: Takeshi Yoneda
---
 test/per_file_coverage.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh
index 7aaa025ba7be..b239f9934fb1 100755
--- a/test/per_file_coverage.sh
+++ b/test/per_file_coverage.sh
@@ -58,7 +58,8 @@ declare -a KNOWN_LOW_COVERAGE=(
 "source/extensions/tracers/opencensus:91.6"
 "source/extensions/tracers/xray:94.0"
 "source/extensions/transport_sockets:95.1"
-"source/extensions/transport_sockets/tls/cert_validator:95.1"
+"source/extensions/transport_sockets/tls/cert_validator:75.0"
+"source/extensions/transport_sockets/tls/cert_validator/default:95.1"
 "source/extensions/transport_sockets/tls/private_key:76.9"
 "source/extensions/transport_sockets/tls:94.4"
 "source/extensions/wasm_runtime:50.0"
From 306d52f90d891e14a851de3dd6ced534cd40c5da Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Wed, 10 Feb 2021 08:52:17 +0900
Subject: [PATCH 28/38] Revert default_validator modification
Signed-off-by: Takeshi Yoneda
---
 .../transport_sockets/tls/v3/common.proto | 1 -
 .../tls/v4alpha/common.proto | 1 -
 .../transport_sockets/tls/v3/common.proto | 1 -
 .../tls/v4alpha/common.proto | 1 -
 .../certificate_validation_context_config.h | 2 +-
 source/extensions/extensions_build_config.bzl | 1 -
 source/extensions/quic_listeners/quiche/BUILD | 1 -
 .../quiche/envoy_quic_proof_verifier.cc | 2 +-
 source/extensions/transport_sockets/tls/BUILD | 1 -
 .../tls/cert_validator/BUILD | 2 +
 .../tls/cert_validator/default/BUILD | 44 -------------------
 .../{default => }/default_validator.cc | 21 ++++-----
 .../{default => }/default_validator.h | 0
 .../tls/cert_validator/BUILD | 17 +++++++
 .../tls/cert_validator/default/BUILD | 26 -----------
 .../{default => }/default_validator_test.cc | 2 +-
 .../transport_sockets/tls/integration/BUILD | 1 -
 test/per_file_coverage.sh | 3 +-
 18 files changed, 34 insertions(+), 93 deletions(-)
 delete mode 100644 source/extensions/transport_sockets/tls/cert_validator/default/BUILD
 rename source/extensions/transport_sockets/tls/cert_validator/{default => }/default_validator.cc (96%)
 rename source/extensions/transport_sockets/tls/cert_validator/{default => }/default_validator.h (100%)
 delete mode 100644 test/extensions/transport_sockets/tls/cert_validator/default/BUILD
 rename test/extensions/transport_sockets/tls/cert_validator/{default => }/default_validator_test.cc (99%)
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
index 6a654834d17e..67fc13342cd1 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -213,7 +213,6 @@ message TlsSessionTicketKeys {
 }
 // [#next-free-field: 13]
-// .. _extension_envoy.tls.cert_validator.default:
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext";
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 43d121e4f446..54f246a8c242 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@@ -215,7 +215,6 @@ message TlsSessionTicketKeys {
 }
 // [#next-free-field: 13]
-// .. _extension_envoy.tls.cert_validator.default:
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext";
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
index 6cead5394455..8453d24ebf2e 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -213,7 +213,6 @@ message TlsSessionTicketKeys {
 }
 // [#next-free-field: 13]
-// .. _extension_envoy.tls.cert_validator.default:
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext";
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 43d121e4f446..54f246a8c242 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@@ -215,7 +215,6 @@ message TlsSessionTicketKeys {
 }
 // [#next-free-field: 13]
-// .. _extension_envoy.tls.cert_validator.default:
 message CertificateValidationContext {
 option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext";
diff --git a/include/envoy/ssl/certificate_validation_context_config.h b/include/envoy/ssl/certificate_validation_context_config.h
index 5d7b32bf7662..8bb9f221aaea 100644
--- a/include/envoy/ssl/certificate_validation_context_config.h
+++ b/include/envoy/ssl/certificate_validation_context_config.h
@@ -74,7 +74,7 @@ class CertificateValidationContextConfig {
 trustChainVerification() const PURE;
 /**
- * @return the configuration for the custom certificate validator if configured.
+ * @return the configuration for the custom certificate validator if configured.
 */
 virtual const absl::optional& customValidatorConfig() const PURE;
diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl
index 50d9410853ff..07fa9f404b8d 100644
--- a/source/extensions/extensions_build_config.bzl
+++ b/source/extensions/extensions_build_config.bzl
@@ -246,7 +246,6 @@ EXTENSIONS = {
 # TLS peer certification validators
 #
- "envoy.tls.cert_validator.default": "//source/extensions/transport_sockets/tls/cert_validator/default:config",
 "envoy.tls.cert_validator.spiffe": "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config",
 }
diff --git a/source/extensions/quic_listeners/quiche/BUILD b/source/extensions/quic_listeners/quiche/BUILD
index 8896f5c944f3..a8d736b6f741 100644
--- a/source/extensions/quic_listeners/quiche/BUILD
+++ b/source/extensions/quic_listeners/quiche/BUILD
@@ -107,7 +107,6 @@ envoy_cc_library(
 ":envoy_quic_proof_verifier_base_lib",
 ":envoy_quic_utils_lib",
 "//source/extensions/transport_sockets/tls:context_lib",
- "//source/extensions/transport_sockets/tls/cert_validator/default:config",
 ],
 )
diff --git a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc
index 0e2a26f14813..4064f45e205b 100644
--- a/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc
+++ b/source/extensions/quic_listeners/quiche/envoy_quic_proof_verifier.cc
@@ -1,7 +1,7 @@
 #include "extensions/quic_listeners/quiche/envoy_quic_proof_verifier.h"
 #include "extensions/quic_listeners/quiche/envoy_quic_utils.h"
-#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h"
+#include "extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include "quiche/quic/core/crypto/certificate_view.h"
diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD
index bbcbd85bb699..1622e9101655 100644
--- a/source/extensions/transport_sockets/tls/BUILD
+++ b/source/extensions/transport_sockets/tls/BUILD
@@ -167,7 +167,6 @@ envoy_cc_library(
 "//source/common/stats:symbol_table_lib",
 "//source/common/stats:utility_lib",
 "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- "//source/extensions/transport_sockets/tls/cert_validator/default:config",
 "//source/extensions/transport_sockets/tls/ocsp:ocsp_lib",
 "//source/extensions/transport_sockets/tls/private_key:private_key_manager_lib",
 "@envoy_api//envoy/admin/v3:pkg_cc_proto",
diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD
index bd4619a38bc7..2ee8207c168b 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD
@@ -11,10 +11,12 @@ envoy_extension_package()
 envoy_cc_library(
 name = "cert_validator_lib",
 srcs = [
+ "default_validator.cc",
 "factory.cc",
 ],
 hdrs = [
 "cert_validator.h",
+ "default_validator.h",
 "factory.h",
 "well_known_names.h",
 ],
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default/BUILD b/source/extensions/transport_sockets/tls/cert_validator/default/BUILD
deleted file mode 100644
index 48ee6875e87b..000000000000
--- a/source/extensions/transport_sockets/tls/cert_validator/default/BUILD
+++ /dev/null
@@ -1,44 +0,0 @@
-load(
- "//bazel:envoy_build_system.bzl",
- "envoy_cc_extension",
- "envoy_extension_package",
-)
-
-licenses(["notice"]) # Apache 2
-
-envoy_extension_package()
-
-envoy_cc_extension(
- name = "config",
- srcs = [
- "default_validator.cc",
- ],
- hdrs = [
- "default_validator.h",
- ],
- category = "envoy.tls.cert_validator",
- external_deps = [
- "ssl",
- "abseil_base",
- "abseil_hash",
- ],
- security_posture = "robust_to_untrusted_downstream_and_upstream",
- status = "stable",
- visibility = ["//visibility:public"],
- deps = [
- "//include/envoy/ssl:context_config_interface",
- "//include/envoy/ssl:ssl_socket_extended_info_interface",
- "//source/common/common:assert_lib",
- "//source/common/common:base64_lib",
- "//source/common/common:c_smart_ptr_lib",
- "//source/common/common:hex_lib",
- "//source/common/common:utility_lib",
- "//source/common/config:datasource_lib",
- "//source/common/config:utility_lib",
- "//source/common/stats:symbol_table_lib",
- "//source/common/stats:utility_lib",
- "//source/extensions/transport_sockets/tls:stats_lib",
- "//source/extensions/transport_sockets/tls:utility_lib",
- "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
- ],
-)
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc
similarity index 96%
rename from source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc
rename to source/extensions/transport_sockets/tls/cert_validator/default_validator.cc
index 2827127e0a77..7cc54c83faf9 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc
@@ -1,4 +1,4 @@
-#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h"
+#include "extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include
 #include
@@ -141,22 +141,23 @@ int DefaultCertValidator::initializeSslContexts(std::vector contexts,
 }
 }
- if (config_ != nullptr) {
- if (!config_->verifySubjectAltNameList().empty()) {
- verify_subject_alt_name_list_ = config_->verifySubjectAltNameList();
+ const Envoy::Ssl::CertificateValidationContextConfig* cert_validation_config = config_;
+ if (cert_validation_config != nullptr) {
+ if (!cert_validation_config->verifySubjectAltNameList().empty()) {
+ verify_subject_alt_name_list_ = cert_validation_config->verifySubjectAltNameList();
 verify_mode = verify_mode_validation_context;
 }
- if (!config_->subjectAltNameMatchers().empty()) {
+ if (!cert_validation_config->subjectAltNameMatchers().empty()) {
 for (const envoy::type::matcher::v3::StringMatcher& matcher :
- config_->subjectAltNameMatchers()) {
+ cert_validation_config->subjectAltNameMatchers()) {
 subject_alt_name_matchers_.push_back(Matchers::StringMatcherImpl(matcher));
 }
 verify_mode = verify_mode_validation_context;
 }
- if (!config_->verifyCertificateHashList().empty()) {
- for (auto hash : config_->verifyCertificateHashList()) {
+ if (!cert_validation_config->verifyCertificateHashList().empty()) {
+ for (auto hash : cert_validation_config->verifyCertificateHashList()) {
 // Remove colons from the 95 chars long colon-separated "fingerprint"
 // in order to get the hex-encoded string.
 if (hash.size() == 95) {
@@ -171,8 +172,8 @@ int DefaultCertValidator::initializeSslContexts(std::vector contexts,
 verify_mode = verify_mode_validation_context;
 }
- if (!config_->verifyCertificateSpkiList().empty()) {
- for (const auto& hash : config_->verifyCertificateSpkiList()) {
+ if (!cert_validation_config->verifyCertificateSpkiList().empty()) {
+ for (const auto& hash : cert_validation_config->verifyCertificateSpkiList()) {
 const auto decoded = Base64::decode(hash);
 if (decoded.size() != SHA256_DIGEST_LENGTH) {
 throw EnvoyException(absl::StrCat("Invalid base64-encoded SHA-256 ", hash));
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default/default_validator.h b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h
similarity index 100%
rename from source/extensions/transport_sockets/tls/cert_validator/default/default_validator.h
rename to source/extensions/transport_sockets/tls/cert_validator/default_validator.h
diff --git a/test/extensions/transport_sockets/tls/cert_validator/BUILD b/test/extensions/transport_sockets/tls/cert_validator/BUILD
index 988513effea0..796f127d7718 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/BUILD
+++ b/test/extensions/transport_sockets/tls/cert_validator/BUILD
@@ -30,3 +30,20 @@ envoy_cc_test_library(
 "//test/test_common:utility_lib",
 ],
 )
+
+envoy_cc_test(
+ name = "default_validator_test",
+ srcs = [
+ "default_validator_test.cc",
+ ],
+ data = [
+ "//test/extensions/transport_sockets/tls/test_data:certs",
+ ],
+ deps = [
+ "//source/extensions/transport_sockets/tls/cert_validator:cert_validator_lib",
+ "//test/extensions/transport_sockets/tls:ssl_test_utils",
+ "//test/extensions/transport_sockets/tls/cert_validator:util",
+ "//test/test_common:environment_lib",
+ "//test/test_common:test_runtime_lib",
+ ],
+)
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default/BUILD b/test/extensions/transport_sockets/tls/cert_validator/default/BUILD
deleted file mode 100644
index 25b692883413..000000000000
--- a/test/extensions/transport_sockets/tls/cert_validator/default/BUILD
+++ /dev/null
@@ -1,26 +0,0 @@
-load(
- "//bazel:envoy_build_system.bzl",
- "envoy_cc_test",
- "envoy_package",
-)
-
-licenses(["notice"]) # Apache 2
-
-envoy_package()
-
-envoy_cc_test(
- name = "default_validator_test",
- srcs = [
- "default_validator_test.cc",
- ],
- data = [
- "//test/extensions/transport_sockets/tls/test_data:certs",
- ],
- deps = [
- "//source/extensions/transport_sockets/tls/cert_validator/default:config",
- "//test/extensions/transport_sockets/tls:ssl_test_utils",
- "//test/extensions/transport_sockets/tls/cert_validator:util",
- "//test/test_common:environment_lib",
- "//test/test_common:test_runtime_lib",
- ],
-)
diff --git a/test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
similarity index 99%
rename from test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc
rename to test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
index 550e561ad30b..70bf0ca9fe57 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/default/default_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/default_validator_test.cc
@@ -1,7 +1,7 @@
 #include
 #include
-#include "extensions/transport_sockets/tls/cert_validator/default/default_validator.h"
+#include "extensions/transport_sockets/tls/cert_validator/default_validator.h"
 #include "test/extensions/transport_sockets/tls/ssl_test_utility.h"
 #include "test/test_common/environment.h"
diff --git a/test/extensions/transport_sockets/tls/integration/BUILD b/test/extensions/transport_sockets/tls/integration/BUILD
index 64efbfb2a668..884f16890d9d 100644
--- a/test/extensions/transport_sockets/tls/integration/BUILD
+++ b/test/extensions/transport_sockets/tls/integration/BUILD
@@ -26,7 +26,6 @@ envoy_cc_test(
 "//source/extensions/transport_sockets/tls:config",
 "//source/extensions/transport_sockets/tls:context_config_lib",
 "//source/extensions/transport_sockets/tls:context_lib",
- "//source/extensions/transport_sockets/tls/cert_validator/default:config",
 "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config",
 "//test/extensions/common/tap:common",
 "//test/integration:http_integration_lib",
diff --git a/test/per_file_coverage.sh b/test/per_file_coverage.sh
index b239f9934fb1..7aaa025ba7be 100755
--- a/test/per_file_coverage.sh
+++ b/test/per_file_coverage.sh
@@ -58,8 +58,7 @@ declare -a KNOWN_LOW_COVERAGE=(
 "source/extensions/tracers/opencensus:91.6"
 "source/extensions/tracers/xray:94.0"
 "source/extensions/transport_sockets:95.1"
-"source/extensions/transport_sockets/tls/cert_validator:75.0"
-"source/extensions/transport_sockets/tls/cert_validator/default:95.1"
+"source/extensions/transport_sockets/tls/cert_validator:95.1"
 "source/extensions/transport_sockets/tls/private_key:76.9"
 "source/extensions/transport_sockets/tls:94.4"
 "source/extensions/wasm_runtime:50.0"
From 5664a317badeffbe8701f3d5609e3ca53e855290 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Wed, 24 Feb 2021 10:57:33 +0900
Subject: [PATCH 29/38] Review: style and simplification
Signed-off-by: Takeshi Yoneda
---
 .../transport_sockets/tls/v3/common.proto | 5 ++-
 .../tls/v3/tls_spiffe_validator_config.proto | 4 +-
 .../tls/v4alpha/common.proto | 5 ++-
 .../v4alpha/tls_spiffe_validator_config.proto | 4 +-
 generated_api_shadow/BUILD | 1 -
 .../transport_sockets/tls/v3/common.proto | 5 ++-
 .../tls/v3/tls_spiffe_validator_config.proto | 4 +-
 .../tls/v4alpha/common.proto | 5 ++-
 .../v4alpha/tls_spiffe_validator_config.proto | 4 +-
 .../tls/cert_validator/BUILD | 3 --
 .../tls/cert_validator/default_validator.cc | 3 +-
 .../cert_validator/spiffe/spiffe_validator.cc | 43 ++++++++-----------
 .../cert_validator/spiffe/spiffe_validator.h | 2 +-
 .../spiffe/spiffe_validator_test.cc | 36 ++++++++--------
 14 files changed, 59 insertions(+), 65 deletions(-)
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
index 67fc13342cd1..3fdb751152c9 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -374,8 +374,9 @@ message CertificateValidationContext {
 [(validate.rules).enum = {defined_only: true}];
 // The configuration of an extension specific certificate validator.
- // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used.
- // If you do not want custom validation algorithm, then there is no need to set this field.
+ // If specified, all validation is done by the specified validator,
+ // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
+ // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
 // The following names are available here:
 //
 // .. _extension_envoy.tls.cert_validator.spiffe:
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index 6f7f33b45a45..b6fb921d65b8 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -43,12 +43,12 @@ message SPIFFECertValidatorConfig {
 message TrustDomain {
 // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
 // Note that this must *not* have "spiffe://" prefix.
- string name = 1;
+ string name = 1 [(validate.rules).string = {min_len: 1}];
 // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
 config.core.v3.DataSource trust_bundle = 2;
 }
 // This field specifies trust domains used for validating incoming X.509-SVID(s).
- repeated TrustDomain trust_domains = 1;
+ repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
 }
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
index 54f246a8c242..69f3f6ea30fd 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
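Review bot: `trust_bundle` in `TrustDomain` still carries no rule, so after this change a `TrustDomain` with a non-empty `name` and no `trust_bundle` passes config validation and whatever happens next is decided by validator code outside this diff. Since the hunk is already tightening the message, add `config.core.v3.DataSource trust_bundle = 2 [(validate.rules).message = {required: true}];`; the v4alpha copy in the next file has the same gap with `config.core.v4alpha.DataSource`. The "must *not* have spiffe:// prefix" constraint in the comment on `name` likewise remains prose only, which is worth stating in the comment if it is enforced elsewhere.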
@@ -376,8 +376,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. - // If you do not want custom validation algorithm, then there is no need to set this field. + // If specified, all validation is done by the specified validator, + // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. // The following names are available here: // // .. _extension_envoy.tls.cert_validator.spiffe: diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index 3ef2126dfcd3..27770eece81a 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto @@ -49,12 +49,12 @@ message SPIFFECertValidatorConfig { // Name of the trust domain, `example.com`, `foo.bar.gov` for example. // Note that this must *not* have "spiffe://" prefix. - string name = 1; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. config.core.v4alpha.DataSource trust_bundle = 2; } // This field specifies trust domains used for validating incoming X.509-SVID(s). - repeated TrustDomain trust_domains = 1; + repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; } diff --git a/generated_api_shadow/BUILD b/generated_api_shadow/BUILD index e2e5b3bfeb77..046fac3d012d 100644 
--- a/generated_api_shadow/BUILD +++ b/generated_api_shadow/BUILD @@ -145,7 +145,6 @@ proto_library( "//envoy/config/resource_monitor/injected_resource/v2alpha:pkg", "//envoy/config/retry/omit_canary_hosts/v2:pkg", "//envoy/config/retry/previous_hosts/v2:pkg", - "//envoy/config/retry/previous_hosts/v3:pkg", "//envoy/config/route/v3:pkg", "//envoy/config/tap/v3:pkg", "//envoy/config/trace/v3:pkg", diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 8453d24ebf2e..91e77dd5ef4e 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -372,8 +372,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. - // If you do not want custom validation algorithm, then there is no need to set this field. + // If specified, all validation is done by the specified validator, + // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. // The following names are available here: // // .. _extension_envoy.tls.cert_validator.spiffe: diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto index 6f7f33b45a45..b6fb921d65b8 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto 
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto @@ -43,12 +43,12 @@ message SPIFFECertValidatorConfig { message TrustDomain { // Name of the trust domain, `example.com`, `foo.bar.gov` for example. // Note that this must *not* have "spiffe://" prefix. - string name = 1; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. config.core.v3.DataSource trust_bundle = 2; } // This field specifies trust domains used for validating incoming X.509-SVID(s). - repeated TrustDomain trust_domains = 1; + repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; } diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 54f246a8c242..69f3f6ea30fd 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -376,8 +376,9 @@ message CertificateValidationContext { [(validate.rules).enum = {defined_only: true}]; // The configuration of an extension specific certificate validator. - // If specified, the usage of all the values above depends on the custom validator. Otherwise, the default validator is used. - // If you do not want custom validation algorithm, then there is no need to set this field. + // If specified, all validation is done by the specified validator, + // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. // The following names are available here: // // .. _extension_envoy.tls.cert_validator.spiffe: 
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto index 3ef2126dfcd3..27770eece81a 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto @@ -49,12 +49,12 @@ message SPIFFECertValidatorConfig { // Name of the trust domain, `example.com`, `foo.bar.gov` for example. // Note that this must *not* have "spiffe://" prefix. - string name = 1; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. config.core.v4alpha.DataSource trust_bundle = 2; } // This field specifies trust domains used for validating incoming X.509-SVID(s). - repeated TrustDomain trust_domains = 1; + repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; } diff --git a/source/extensions/transport_sockets/tls/cert_validator/BUILD b/source/extensions/transport_sockets/tls/cert_validator/BUILD index 2ee8207c168b..9c9340cf567f 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/BUILD +++ b/source/extensions/transport_sockets/tls/cert_validator/BUILD @@ -31,11 +31,8 @@ envoy_cc_library( "//include/envoy/ssl:ssl_socket_extended_info_interface", "//source/common/common:assert_lib", "//source/common/common:base64_lib", - "//source/common/common:c_smart_ptr_lib", "//source/common/common:hex_lib", "//source/common/common:utility_lib", - "//source/common/config:datasource_lib", - "//source/common/config:utility_lib", "//source/common/stats:symbol_table_lib", "//source/common/stats:utility_lib", "//source/extensions/transport_sockets/tls:stats_lib", 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index 7cc54c83faf9..f981b9c4bed6 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc @@ -27,6 +27,7 @@ #include "extensions/transport_sockets/tls/cert_validator/cert_validator.h" #include "extensions/transport_sockets/tls/cert_validator/factory.h" +#include "extensions/transport_sockets/tls/cert_validator/well_known_names.h" #include "extensions/transport_sockets/tls/stats.h" #include "extensions/transport_sockets/tls/utility.h" @@ -478,7 +479,7 @@ class DefaultCertValidatorFactory : public CertValidatorFactory { return std::make_unique(config, stats, time_source); } - absl::string_view name() override { return "envoy.tls.cert_validator.default"; } + absl::string_view name() override { return CertValidatorNames::get().Default; } }; REGISTER_FACTORY(DefaultCertValidatorFactory, CertValidatorFactory); diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 712a2b8c9790..092b85c25804 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -25,6 +25,7 @@ #include "common/stats/symbol_table_impl.h" #include "extensions/transport_sockets/tls/cert_validator/factory.h" +#include "extensions/transport_sockets/tls/cert_validator/well_known_names.h" #include "extensions/transport_sockets/tls/stats.h" #include "extensions/transport_sockets/tls/utility.h" 
@@ -41,9 +42,7 @@ using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertVa SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) : stats_(stats), time_source_(time_source) { - if (config == nullptr) { - throw EnvoyException("SPIFFE cert validator connot be initialized from null configuration"); - } + ASSERT(config != nullptr); SPIFFEConfig message; Config::Utility::translateOpaqueConfig(config->customValidatorConfig().value().typed_config(), @@ -51,12 +50,13 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* ProtobufMessage::getStrictValidationVisitor(), message); auto size = message.trust_domains().size(); - if (size == 0) { - throw EnvoyException("SPIFFE cert validator requires at least one trust domain"); - } - trust_bundle_stores_.reserve(size); for (auto& domain : message.trust_domains()) { + if (trust_bundle_stores_.find(domain.name()) != trust_bundle_stores_.end()) { + throw EnvoyException(absl::StrCat( + "Multiple trust bundles are given for one trust domain for ", domain.name())); + } + auto cert = Config::DataSource::read(domain.trust_bundle(), true, config->api()); bssl::UniquePtr bio(BIO_new_mem_buf(const_cast(cert.data()), cert.size())); RELEASE_ASSERT(bio != nullptr, ""); @@ -76,7 +76,7 @@ SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* X509_up_ref(item->x509); ca_certs_.push_back(bssl::UniquePtr(item->x509)); if (!ca_loaded) { - // TODO: with the current interface, we cannot return the multiple + // TODO: With the current interface, we cannot return the multiple // cert information on getCaCertInformation method. // So temporarily we return the first CA's info here. ca_loaded = true; 
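Review bot: The explicit `size == 0` throw is removed on the assumption that `min_items: 1` is enforced, but `translateOpaqueConfig` with a validation visitor controls unknown-field handling; whether it also runs PGV constraints on `message` is not visible here and I would confirm it. If it does not, an empty `trust_domains` list now builds a validator with an empty `trust_bundle_stores_` that rejects every peer, which fails closed but is an invisible misconfiguration. Calling `MessageUtil::validate(message, ProtobufMessage::getStrictValidationVisitor());` right after the unpack makes the `min_items`/`min_len` rules hold regardless. Separately, `ASSERT(config != nullptr)` compiles out in release builds, so the `config->customValidatorConfig().value()` dereference on the next lines relies on the factory never being invoked without a custom validator config; that is presumably true of the lookup path but deserves a comment.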
@@ -157,7 +157,7 @@ int SPIFFEValidator::doVerifyCertChain(X509_STORE_CTX* store_ctx, return 0; } - // set the trust bundle's certificate store on the context, and do the verification + // Set the trust bundle's certificate store on the context, and do the verification. store_ctx->ctx = trust_bundle; auto ret = X509_verify_cert(store_ctx); if (ssl_extended_info) { @@ -182,7 +182,7 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { for (const GENERAL_NAME* general_name : san_names.get()) { const std::string san = Utility::generalNameAsString(general_name); trust_domain = SPIFFEValidator::extractTrustDomain(san); - // we can assume that valid SVID has only one san + // We can assume that valid SVID has only one san. break; } @@ -195,7 +195,7 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) { } bool SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { - // Check basic constrains and key usage + // Check basic constrains and key usage. // https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md#52-leaf-validation auto ext = X509_get_extension_flags(leaf_cert); if (ext & EXFLAG_CA) { @@ -208,22 +208,13 @@ bool SPIFFEValidator::certificatePrecheck(X509* leaf_cert) { std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { static const std::string prefix = "spiffe://"; - size_t begin = 0; - for (; begin < san.size() && begin < prefix.size(); begin++) { - if (prefix[begin] != san[begin]) { - break; - } - } - - if (begin != prefix.size()) { + if (!absl::StartsWith(san, prefix)) { return ""; } - size_t end = begin; - for (; end < san.size(); end++) { - if (san[end] == '/') { - return san.substr(begin, end - begin); - } + auto pos = san.find('/', prefix.size()); + if (pos != std::string::npos) { + return san.substr(prefix.size(), pos - prefix.size()); } return ""; } 
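Review bot: The rewritten `extractTrustDomain` has no comment stating its contract, and both "not a SPIFFE URI" and "SPIFFE URI without a path" collapse to `""`, which callers must treat as failure. I would add above it: `// Returns the authority of a SPIFFE ID (the text between "spiffe://" and the first "/"), or "" if san is not a SPIFFE ID or carries no path. The result is not normalized; it is matched verbatim against the configured trust domain names.` The verbatim-match point matters because the comparison is presumably case-sensitive, so any difference in case or trailing characters between certificate and config fails closed rather than matching.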
@@ -241,7 +232,7 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const if (ca_certs_.empty()) { return nullptr; } - // TODO(mathetake): with the current interface, we cannot pass the multiple cert information. + // TODO(mathetake): With the current interface, we cannot pass the multiple cert information. // So temporarily we return the first CA's info here. return Utility::certificateDetails(ca_certs_[0].get(), getCaFileName(), time_source_); }; @@ -253,7 +244,7 @@ class SPIFFEValidatorFactory : public CertValidatorFactory { return std::make_unique(config, stats, time_source); } - absl::string_view name() override { return "envoy.tls.cert_validator.spiffe"; } + absl::string_view name() override { return CertValidatorNames::get().SPIFFE; } }; REGISTER_FACTORY(SPIFFEValidatorFactory, CertValidatorFactory); diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h index 3a2bb2051c56..5d2cae2692eb 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h @@ -54,7 +54,7 @@ class SPIFFEValidator : public CertValidator { std::string getCaFileName() const override { return ca_file_name_; } Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; - // utility functions + // Utility functions X509_STORE* getTrustBundleStore(X509* leaf_cert); static std::string extractTrustDomain(const std::string& san); static bool certificatePrecheck(X509* leaf_cert); diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index d6dbc81ad49d..c23c5bb1f2aa 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc 
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc @@ -67,11 +67,6 @@ class TestSPIFFEValidator : public testing::Test { Event::TestRealTimeSystem time_system_; }; -TEST_F(TestSPIFFEValidator, NullConfigException) { - EXPECT_THROW_WITH_MESSAGE(initializeWithNullptr(), EnvoyException, - "SPIFFE cert validator connot be initialized from null configuration"); -} - TEST_F(TestSPIFFEValidator, InvalidCA) { EXPECT_THROW_WITH_MESSAGE(initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe @@ -90,10 +85,16 @@ TEST_F(TestSPIFFEValidator, Constructor) { name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig - trust_domains: [] + trust_domains: + - name: hello.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" + - name: hello.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" )EOF")), EnvoyException, - "SPIFFE cert validator requires at least one trust domain"); + "Multiple trust bundles are given for one trust domain for hello.com"); initialize(TestEnvironment::substitute(R"EOF( name: envoy.tls.cert_validator.spiffe @@ -126,6 +127,7 @@ name: envoy.tls.cert_validator.spiffe } TEST(SPIFFEValidator, TestExtractTrustDomain) { + EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("foo")); EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/")); EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("abc.com/workload/")); EXPECT_EQ("", SPIFFEValidator::extractTrustDomain("spiffe://")); 
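Review bot: The `trust_domains: []` case in the Constructor test is replaced by the duplicate-domain case rather than kept alongside it, so nothing in this file now proves an empty list is rejected after the explicit check moved into the proto's `min_items: 1` rule. Keeping a second `EXPECT_THROW_WITH_REGEX(initialize(... trust_domains: [] ...), EnvoyException, "at least 1 item")` (wording per the PGV error text) would show the constraint is actually enforced at this call site; if it is not, this test is exactly what reveals it. The same applies to a trust domain with an empty `name`.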
@@ -156,7 +158,7 @@ TEST(SPIFFEValidator, TestCertificatePrecheck) { cert = readCertFromFile(TestEnvironment::substitute( // basicConstraints CA:False, keyUsage does not have keyCertSign and cRLSign - // should be considered valid (i.e. return 1) + // should be considered valid (i.e. return 1). "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); EXPECT_TRUE(SPIFFEValidator::certificatePrecheck(cert.get())); } @@ -170,24 +172,24 @@ TEST_F(TestSPIFFEValidator, TestInitializeSslContexts) { TEST_F(TestSPIFFEValidator, TestGetTrustBundleStore) { initialize(); - // no san + // No SAN auto cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); - // non spiffe san + // Non-SPIFFE SAN cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/non_spiffe_san_cert.pem")); EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); - // spiffe san + // SPIFFE SAN cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); - // trust bundle not provided + // Trust bundle not provided. EXPECT_FALSE(validator().getTrustBundleStore(cert.get())); - // trust bundle provided + // Trust bundle provided. validator().trustBundleStores().emplace("example.com", X509StorePtr(X509_STORE_new())); EXPECT_TRUE(validator().getTrustBundleStore(cert.get())); } @@ -196,7 +198,7 @@ TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainPrecheckFailure) { initialize(); X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); bssl::UniquePtr cert = readCertFromFile(TestEnvironment::substitute( - // basicConstraints: CA:True, + // basicConstraints: CA:True "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem")); TestSslExtendedSocketInfo info; 
@@ -218,14 +220,14 @@ name: envoy.tls.cert_validator.spiffe X509StorePtr ssl_ctx = X509_STORE_new(); - // trust domain match so should be accepted + // Trust domain match so should be accepted. auto cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/san_uri_cert.pem")); X509StoreContextPtr store_ctx = X509_STORE_CTX_new(); EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); - // different trust domain so should be rejected + // Different trust domain so should be rejected. cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem")); @@ -233,7 +235,7 @@ name: envoy.tls.cert_validator.spiffe EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), nullptr)); EXPECT_FALSE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr)); - // does not have san + // Does not have san. cert = readCertFromFile(TestEnvironment::substitute( "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/extensions_cert.pem")); From 85738e3c91c8e17add5b14673d02e88b5899f0e6 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 24 Feb 2021 11:23:27 +0900 Subject: [PATCH 30/38] Review: take min of expiration days over all certs Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe/spiffe_validator.cc | 11 ++++++++--- .../cert_validator/spiffe/spiffe_validator_test.cc | 8 ++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 092b85c25804..e4cc2397227e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc 
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -223,9 +223,14 @@ size_t SPIFFEValidator::daysUntilFirstCertExpires() const { if (ca_certs_.empty()) { return 0; } - // TODO(mathetake): with the current interface, we cannot pass the multiple cert information. - // So temporarily we return the first CA's info here. - return Utility::getDaysUntilExpiration(ca_certs_[0].get(), time_source_); + size_t ret = SIZE_MAX; + for (auto& cert : ca_certs_) { + size_t tmp = Utility::getDaysUntilExpiration(cert.get(), time_source_); + if (tmp < ret) { + ret = tmp; + } + } + return ret; } Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const { diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index c23c5bb1f2aa..c16ed75e27b5 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc 
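Review bot: The manual minimum loop in `daysUntilFirstCertExpires` can be written as `ret = std::min(ret, Utility::getDaysUntilExpiration(cert.get(), time_source_));` with `ret` seeded from `std::numeric_limits<size_t>::max()` instead of the C macro `SIZE_MAX`, which also avoids depending on which header pulled that macro in. Note that `getCaCertInformation()` immediately below still returns only the first CA's details (its TODO is unchanged), so the admin/stats view now reports the earliest expiry across all trust bundles while naming a possibly different certificate; a one-line comment on the loop saying that the minimum spans every configured trust domain would make that discrepancy explicit.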
@@ -322,15 +322,15 @@ name: envoy.tls.cert_validator.spiffe trust_domains: - name: lyft.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" - name: example.com trust_bundle: - filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem" )EOF"), time_system); - EXPECT_EQ(19224, validator().daysUntilFirstCertExpires()); + EXPECT_EQ(19231, validator().daysUntilFirstCertExpires()); time_system.setSystemTime(std::chrono::milliseconds(864000000)); - EXPECT_EQ(19214, validator().daysUntilFirstCertExpires()); + EXPECT_EQ(19221, validator().daysUntilFirstCertExpires()); } TEST_F(TestSPIFFEValidator, TestAddClientValidationContext) { From 63e4901a74abcef1910d91f410180128de4dc6e5 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Thu, 25 Feb 2021 10:31:07 +0900 Subject: [PATCH 31/38] Review: constify certificateValidationContext Signed-off-by: Takeshi Yoneda --- include/envoy/ssl/certificate_validation_context_config.h | 2 +- include/envoy/ssl/context_config.h | 2 +- .../ssl/certificate_validation_context_config_impl.h | 2 +- .../tls/cert_validator/default_validator.cc | 7 ++++--- .../tls/cert_validator/default_validator.h | 4 ++-- .../transport_sockets/tls/cert_validator/factory.h | 2 +- .../tls/cert_validator/spiffe/spiffe_validator.cc | 4 ++-- .../tls/cert_validator/spiffe/spiffe_validator.h | 2 +- .../extensions/transport_sockets/tls/context_config_impl.h | 3 ++- 9 files changed, 15 insertions(+), 13 deletions(-) diff --git a/include/envoy/ssl/certificate_validation_context_config.h b/include/envoy/ssl/certificate_validation_context_config.h index 8bb9f221aaea..4098c0b7369c 100644 --- a/include/envoy/ssl/certificate_validation_context_config.h 
+++ b/include/envoy/ssl/certificate_validation_context_config.h @@ -82,7 +82,7 @@ class CertificateValidationContextConfig { /** * @return a reference to the api object. */ - virtual Api::Api& api() PURE; + virtual Api::Api& api() const PURE; }; using CertificateValidationContextConfigPtr = std::unique_ptr; diff --git a/include/envoy/ssl/context_config.h b/include/envoy/ssl/context_config.h index c2244cff2f99..675bddde27de 100644 --- a/include/envoy/ssl/context_config.h +++ b/include/envoy/ssl/context_config.h @@ -50,7 +50,7 @@ class ContextConfig { /** * @return CertificateValidationContextConfig the certificate validation context config. */ - virtual CertificateValidationContextConfig* certificateValidationContext() const PURE; + virtual const CertificateValidationContextConfig* certificateValidationContext() const PURE; /** * @return The minimum TLS protocol version to negotiate. diff --git a/source/common/ssl/certificate_validation_context_config_impl.h b/source/common/ssl/certificate_validation_context_config_impl.h index da15a49c1078..56765baa7434 100644 --- a/source/common/ssl/certificate_validation_context_config_impl.h +++ b/source/common/ssl/certificate_validation_context_config_impl.h @@ -49,7 +49,7 @@ class CertificateValidationContextConfigImpl : public CertificateValidationConte return custom_validator_config_; } - Api::Api& api() override { return api_; } + Api::Api& api() const override { return api_; } private: const std::string ca_cert_; diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index f5df49cd570b..c9177d390363 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc 
@@ -40,8 +40,9 @@ namespace Extensions { namespace TransportSockets { namespace Tls { -DefaultCertValidator::DefaultCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, - SslStats& stats, TimeSource& time_source) +DefaultCertValidator::DefaultCertValidator( + const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + TimeSource& time_source) : config_(config), stats_(stats), time_source_(time_source) { if (config_ != nullptr) { allow_untrusted_certificate_ = config_->trustChainVerification() == @@ -477,7 +478,7 @@ size_t DefaultCertValidator::daysUntilFirstCertExpires() const { class DefaultCertValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, + CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) override { return std::make_unique(config, stats, time_source); } diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h index c8ec6f4074f2..104f72155d4e 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h @@ -30,8 +30,8 @@ namespace Tls { class DefaultCertValidator : public CertValidator { public: - DefaultCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, - TimeSource& time_source); + DefaultCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, + SslStats& stats, TimeSource& time_source); ~DefaultCertValidator() override = default; diff --git a/source/extensions/transport_sockets/tls/cert_validator/factory.h b/source/extensions/transport_sockets/tls/cert_validator/factory.h index 6a87fc5b0d7d..590bf15fcde9 100644 
--- a/source/extensions/transport_sockets/tls/cert_validator/factory.h +++ b/source/extensions/transport_sockets/tls/cert_validator/factory.h @@ -22,7 +22,7 @@ class CertValidatorFactory { virtual ~CertValidatorFactory() = default; virtual CertValidatorPtr - createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) PURE; virtual absl::string_view name() PURE; diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index e4cc2397227e..4df9986773c9 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -39,7 +39,7 @@ namespace Tls { using SPIFFEConfig = envoy::extensions::transport_sockets::tls::v3::SPIFFECertValidatorConfig; -SPIFFEValidator::SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, +SPIFFEValidator::SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) : stats_(stats), time_source_(time_source) { ASSERT(config != nullptr); @@ -244,7 +244,7 @@ Envoy::Ssl::CertificateDetailsPtr SPIFFEValidator::getCaCertInformation() const class SPIFFEValidatorFactory : public CertValidatorFactory { public: - CertValidatorPtr createCertValidator(Envoy::Ssl::CertificateValidationContextConfig* config, + CertValidatorPtr createCertValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source) override { return std::make_unique(config, stats, time_source); } 
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h index 5d2cae2692eb..487c6a3fa790 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h @@ -34,7 +34,7 @@ class SPIFFEValidator : public CertValidator { public: SPIFFEValidator(SslStats& stats, TimeSource& time_source) : stats_(stats), time_source_(time_source){}; - SPIFFEValidator(Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, + SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextConfig* config, SslStats& stats, TimeSource& time_source); ~SPIFFEValidator() override = default; diff --git a/source/extensions/transport_sockets/tls/context_config_impl.h b/source/extensions/transport_sockets/tls/context_config_impl.h index 23d02adc69bf..44c5a8cc619d 100644 --- a/source/extensions/transport_sockets/tls/context_config_impl.h +++ b/source/extensions/transport_sockets/tls/context_config_impl.h @@ -37,7 +37,8 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig { } return configs; } - Envoy::Ssl::CertificateValidationContextConfig* certificateValidationContext() const override { + const Envoy::Ssl::CertificateValidationContextConfig* + certificateValidationContext() const override { return validation_context_config_.get(); } unsigned minProtocolVersion() const override { return min_protocol_version_; }; From 67024cb0f575962764ce0fe20f376f67042cf8f5 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Thu, 25 Feb 2021 10:32:17 +0900 Subject: [PATCH 32/38] Fix test build failure Signed-off-by: Takeshi Yoneda --- test/extensions/transport_sockets/tls/cert_validator/util.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/extensions/transport_sockets/tls/cert_validator/util.h b/test/extensions/transport_sockets/tls/cert_validator/util.h index e15a681c99e1..7691bf50e44d 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/util.h +++ b/test/extensions/transport_sockets/tls/cert_validator/util.h @@ -70,7 +70,7 @@ class TestCertificateValidationContextConfig return custom_validator_config_; } - Api::Api& api() override { return *api_; } + Api::Api& api() const override { return *api_; } private: Api::ApiPtr api_; From 9825778bda3875aef96752ae9f10ba29e97509a6 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Thu, 25 Feb 2021 11:01:06 +0900 Subject: [PATCH 33/38] Fix mock signature Signed-off-by: Takeshi Yoneda --- test/mocks/ssl/mocks.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index ad00e4508f61..46ad79bd895a 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -85,7 +85,7 @@ class MockClientContextConfig : public ClientContextConfig { MOCK_METHOD(const std::string&, ecdhCurves, (), (const)); MOCK_METHOD(std::vector>, tlsCertificates, (), (const)); - MOCK_METHOD(CertificateValidationContextConfig*, certificateValidationContext, (), (const)); + MOCK_METHOD(const CertificateValidationContextConfig*, certificateValidationContext, (), (const)); MOCK_METHOD(unsigned, minProtocolVersion, (), (const)); MOCK_METHOD(unsigned, maxProtocolVersion, (), (const)); MOCK_METHOD(bool, isReady, (), (const)); 
@@ -110,7 +110,7 @@ class MockServerContextConfig : public ServerContextConfig { MOCK_METHOD(const std::string&, ecdhCurves, (), (const)); MOCK_METHOD(std::vector>, tlsCertificates, (), (const)); - MOCK_METHOD(CertificateValidationContextConfig*, certificateValidationContext, (), (const)); + MOCK_METHOD(const CertificateValidationContextConfig*, certificateValidationContext, (), (const)); MOCK_METHOD(unsigned, minProtocolVersion, (), (const)); MOCK_METHOD(unsigned, maxProtocolVersion, (), (const)); MOCK_METHOD(bool, isReady, (), (const)); @@ -156,7 +156,7 @@ class MockCertificateValidationContextConfig : public CertificateValidationConte MOCK_METHOD(bool, allowExpiredCertificate, (), (const)); MOCK_METHOD(const absl::optional&, customValidatorConfig, (), (const)); - MOCK_METHOD(Api::Api&, api, (), ()); + MOCK_METHOD(Api::Api&, api, (), (const)); MOCK_METHOD(envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext:: TrustChainVerification, trustChainVerification, (), (const)); From e6b2c0fdca1e411e814d097457f958b8dda5b84c Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 1 Mar 2021 10:03:50 +0900 Subject: [PATCH 34/38] review: check only URI SAN Signed-off-by: Takeshi Yoneda --- .../cert_validator/spiffe/spiffe_validator.cc | 6 ++- .../tls/test_data/spiffe_san_cert.cfg | 1 + .../tls/test_data/spiffe_san_cert.pem | 38 +++++++------- .../tls/test_data/spiffe_san_cert_info.h | 12 ++--- .../tls/test_data/spiffe_san_key.pem | 50 +++++++++---------- 5 files changed, 56 insertions(+), 51 deletions(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 4df9986773c9..fd8fb2769bc3 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc 
@@ -180,9 +180,13 @@ X509_STORE* SPIFFEValidator::getTrustBundleStore(X509* leaf_cert) {
 
 std::string trust_domain;
 for (const GENERAL_NAME* general_name : san_names.get()) {
+ if (general_name->type != GEN_URI) {
+ continue;
+ }
+
 const std::string san = Utility::generalNameAsString(general_name);
 trust_domain = SPIFFEValidator::extractTrustDomain(san);
- // We can assume that valid SVID has only one san.
+ // We can assume that valid SVID has only one URI san.
 break;
 }
 
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg
index f8b6a7794bf0..f4578f4f15a9 100644
--- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.cfg
@@ -33,4 +33,5 @@ subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
 
 [alt_names]
+DNS.1 = envoy.com
 URI.1 = spiffe://example.com/workload
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem
index c7cab7053bd0..cdd919911be0 100644
--- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem
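Review bot: The loop still derives `trust_domain` from the first URI SAN and then `break`s, so a leaf with several URI SANs appears to be handled using whichever one comes first, and a leaf with no URI SAN leaves `trust_domain` empty; the updated comment says a valid SVID has exactly one URI SAN, but nothing in the hunk enforces that. Since this validator is the component deciding whether the presented certificate is a well-formed SVID, counting the URI SANs and rejecting when the count is not exactly one is safer than assuming it. getTrustBundleStore's body continues outside the hunk, so what an empty `trust_domain` does further down is not visible here; the early returns below assume `nullptr` is the function's existing "no bundle" result and should be aligned with it.
```cpp
  std::string trust_domain;
  size_t uri_san_count = 0;
  for (const GENERAL_NAME* general_name : san_names.get()) {
    if (general_name->type != GEN_URI) {
      continue;
    }
    // An X.509-SVID carries exactly one URI SAN; reject anything else instead of
    // silently using the first one found.
    if (++uri_san_count > 1) {
      return nullptr; // assumes nullptr is this function's "no bundle" result — confirm
    }
    const std::string san = Utility::generalNameAsString(general_name);
    trust_domain = SPIFFEValidator::extractTrustDomain(san);
  }
  if (uri_san_count == 0) {
    return nullptr;
  }
  // … unchanged: trust-domain bundle lookup …
```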
@@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEJjCCAw6gAwIBAgIUasNGF+BDin79dyPNS4BoEOLI5VAwDQYJKoZIhvcNAQEL +MIIEMTCCAxmgAwIBAgIULfVpq633gV4mwbFj7nwmn5GYaFgwDQYJKoZIhvcNAQEL BQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n -aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMjAzMTQ1MTIzWhcNMjMw -MjAzMTQ1MTIzWjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +aW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjEwMzAxMDA1NTU5WhcNMjMw +MzAxMDA1NTU5WjB6MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW MBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQ THlmdCBFbmdpbmVlcmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6NPgoLJ6OMopMwPh61ptBofbr58Rl4sQI -0sMtZY97iLXsmIZuzTEabEzyINpbOMOFh+1Fl+O+PPnLJi2eiT7OSOBNfxu7rUb3 -i0/r93dVsGGP8exlnnAXxPKdBtkXuklz6hHJZEEFWaEFBfaLPElsqcgwUFW5B9S0 -/fvl4LXpALe3asA/6SJmxr5WVEcqDod6xOpKP6vkHq+ccz8WT4feJgykANz3mXZF -BmtueoOhkXO3llg9kNI2TyEW9GTawMqTJdxrFTFigRdCp40lZadHYUgcfAGfKu7u -G5Wh7+KqNhLlhl9fWc+JgTg4/YkF4AVTKpxEuP75Mbu2vN2NmP/rAgMBAAGjgacw -gaQwDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH -AwIGCCsGAQUFBwMBMCgGA1UdEQQhMB+GHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv -cmtsb2FkMB0GA1UdDgQWBBQp3EwAA0kQssBzjmeht4teGloHLzAfBgNVHSMEGDAW -gBTTwQsj48Oo8jK+X1TBP3g4E1UD2TANBgkqhkiG9w0BAQsFAAOCAQEAiisHG4ub -RIMbnfZi8wizikx93LDGyrPVXVdd/ws3KSpYvx4H2ODB1GhxOVV+XHO+khoQOC1S -6FzuNivQ/yeasrHqFj/9BBGZq885huqNtA3HmjOO5m8ykg42nhoosAbp3NjISHb3 -0xLwkZO80DIxfBXF5QQi92n5wlDxc8B7Yai7/Rp3R69PHENxR8uqqTh/r18ZnfAd -fAW4EMlsruJ+H2n1lOQjfipF/+9RNdYwYDdilfBhvRwCBhdjBFOSxW0Sc/bo/4O2 -vW56BZMrY555/EiEyBYreRWj1uhmGijU4WLgXtikvsoWg+yQQ48B71nvXLcJ6N9F -XAsVoksRXsa/MQ== +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3YjGzHUr6FNKh1PfMPFE7NmAYSeLStc5+ +44lTku418R5ZbJ9+1OhXPbHjrqXM90jLZPLHOOginVVvNtZRk+LJrhUidzNmS69M +N2N9xosif0/zafI1/sToBwC8g/lP/TAmBwIzsbX3D526R1iVvIkyhxAK3AUTXG2x +Ilg2+sn4iIGmmPZNDtmoqLabDRWBToH0ijx+wxpF1IB5Tj2Ymeb7svG17e+MsG7G 
+bXo6+qT00n5hjpY1Cfj0I2mpUIw4aEqdk7+5MPFnnOmv2LuH73p/7goIs8Mw2ucX +xpF2f8lqFLt5+ZZT9BEdUT/sR23f7vQCaAjz7JATxrr9X2wqwHArAgMBAAGjgbIw +ga8wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH +AwIGCCsGAQUFBwMBMDMGA1UdEQQsMCqGHXNwaWZmZTovL2V4YW1wbGUuY29tL3dv +cmtsb2FkggllbnZveS5jb20wHQYDVR0OBBYEFEaJC8Z4FIvUx44gnSSHh4uaeWTf +MB8GA1UdIwQYMBaAFNPBCyPjw6jyMr5fVME/eDgTVQPZMA0GCSqGSIb3DQEBCwUA +A4IBAQCEDoSAAvBuwAnrWuXuPgt++fqG6OQVnxRcJXL2GS14KUt2g2IniSTPm8Hi +mZj3hXS/RSpuyz3ObvtfKZ0gsf1QCBAigkQmSPFHTe/rhyWN+Vx+WkfEkrTqTmlN +UMAUlcO0SwbM9UABYPpMQI8Dn/XSiWgZaKHwGbzs2mQ00DosjcIGnav6+aPMCWfj +BTzw+GFzKcDqyhMRjEKBydTrzoTB2SK/hpE2ZDFn4xysfR9lf26MYsKHSRfLgK6E +ou/Tpl9twMoYSu40vdIO16gOK/KviUnCZ2nfcmhzDIcFQSNQQMNBPKPkpjji4xkl +udMoBC5KNZsvpC4gtGbY2X+DLI1P -----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h index b49101b8026d..e368ebf2848e 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert_info.h 
@@ -1,8 +1,8 @@ // NOLINT(namespace-envoy) constexpr char TEST_SPIFFE_SAN_CERT_256_HASH[] = - "7e107378ec276f4bdd58b6310ef0af6397b72b67a26583b46eadabe4d361f645"; -constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "adbbe8488082c50ca1c73448addb4dde94d88ce9"; -constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "4eIY7EzJdIddfSSYIEDODf2G8hDGbOP95lC74b9ybkM="; -constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "6ac34617e0438a7efd7723cd4b806810e2c8e550"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Feb 3 14:51:23 2021 GMT"; -constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Feb 3 14:51:23 2023 GMT"; + "52c784aa74dc6aadd581d6a9aad0a379a8cf8fb0b175e30874e19acf924dfe10"; +constexpr char TEST_SPIFFE_SAN_CERT_1_HASH[] = "3c2978c764c322a776bfb8aa04bb9a69e0f8bff2"; +constexpr char TEST_SPIFFE_SAN_CERT_SPKI[] = "7drIzHFClgoBw1tG6lbnubSOw9d9cKhKyUTWT77hpX0="; +constexpr char TEST_SPIFFE_SAN_CERT_SERIAL[] = "2df569abadf7815e26c1b163ee7c269f91986858"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_BEFORE[] = "Mar 1 00:55:59 2021 GMT"; +constexpr char TEST_SPIFFE_SAN_CERT_NOT_AFTER[] = "Mar 1 00:55:59 2023 GMT"; diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem index 4f7d1d6cc643..0a89f805d095 100644 --- a/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem +++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_key.pem 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAujT4KCyejjKKTMD4etabQaH26+fEZeLECNLDLWWPe4i17JiG -bs0xGmxM8iDaWzjDhYftRZfjvjz5yyYtnok+zkjgTX8bu61G94tP6/d3VbBhj/Hs -ZZ5wF8TynQbZF7pJc+oRyWRBBVmhBQX2izxJbKnIMFBVuQfUtP375eC16QC3t2rA -P+kiZsa+VlRHKg6HesTqSj+r5B6vnHM/Fk+H3iYMpADc95l2RQZrbnqDoZFzt5ZY -PZDSNk8hFvRk2sDKkyXcaxUxYoEXQqeNJWWnR2FIHHwBnyru7huVoe/iqjYS5YZf -X1nPiYE4OP2JBeAFUyqcRLj++TG7trzdjZj/6wIDAQABAoIBADWSXb75L1jL05xH -fHWi3qIgXfD7Cjch6bJ8KKkb6g7pgyWhsDOal0D53Z1ftFLAXwhA1hPKojwuQNOg -lUliRQ6GSvog0rLJJHy9uO2zkcK2bytBt/h4f9lm0UI6ISVBdDaEJj/htw85/Sh7 -0bW3T4ySwESeKDuGtDyqQdmeL9fr3aIDbv64hVZvuhBxV6qGOD5G3dsHqP4e5v3F -C37BiDNuwAjDgAzSa3l/TfjC4t6tWCF4xkmg+xRgihe2GKF9wGuLiLMVMzn7eYRM -Wfhw3J14x4IuYPlbC88PYVM2gjGK4CrRftGMJOfFbpMxlr7r8HQYQTV0ZJ8Xbxky -kD9klJECgYEA8hqDpPvSR6UvYJqh41v1ttYH4Wtj43gM67JWyllYOEvUuW4xomzd -i605ocbEFTNh4T0peV0keYxcRTq6cyYJP8KH/G7dRIPdszUvNlGEATjfbObYf7Wg -1t2Ga0d0ZsN0LZWUTjCZufwMwzZIsEezPS8Alg0pgh2S7+SUwBYJqIMCgYEAxOUb -HvvrPlGzKmigGYn+p5stsoG5jeE6toEr9SslPlC2e7DTfpZEtCKy4Dg+srrr/Ks1 -tZUlo8TE3bsDghQ26X+8wo4KPz2dkq4eVOOQxJZlqBB6qjMgzMADLVUYLJGLmqQr -ju9bwV/bleZeTkZOItnKqrJHDUJtRvVeAs1DHnkCgYA04bu9js/InHkzxbL0wYJz -VF7WSym/ZtqTpRm2Czvs2At4EWzACL1/o+/BuXPdGaMYms5zVvf/oLwK1yAgxL8i -cTBY4DJuo8sKOOS+HaISzkRnOikyBA9Ev5B74Fi5lZnL1y9UwOLjL/3tqe7IqnCp -PZoILInThPgydCBVsLqdVwKBgGdKvdCiXkYCPFjaLGtZfnPVL8L+1SY+azvFRhdH -PDGVzDXVjQ5SrNZHgcmpGBNRhm22L+YDyYxBtPmRm4SJMEmMzqzOMUf9/gUuPRFR -lOfc8pWZl5BkZCel78S/aIAxFqjYyVUh8uPecucPxJeRwHn+AZlND4NAPu3D2T7l -CfoZAoGBAKy6lnN9p6GWMncSV/cN67YTlmGLoAeocZOLpxEL9UDLyav4f7fWcitZ -bVpCQgRMw+PB2RDE9VCbKiBPjW30CytoIALjq7vZEyESM8hVgJ8PWHpjM6by+Bdm -QWuDIDYo6NcGNS7ecA919BeBZcKxfSTajHW5gT8NNGbJ7PNyFwhP +MIIEpAIBAAKCAQEAt2Ixsx1K+hTSodT3zDxROzZgGEni0rXOfuOJU5LuNfEeWWyf +ftToVz2x466lzPdIy2TyxzjoIp1VbzbWUZPiya4VInczZkuvTDdjfcaLIn9P82ny +Nf7E6AcAvIP5T/0wJgcCM7G19w+dukdYlbyJMocQCtwFE1xtsSJYNvrJ+IiBppj2 +TQ7ZqKi2mw0VgU6B9Io8fsMaRdSAeU49mJnm+7Lxte3vjLBuxm16Ovqk9NJ+YY6W 
+NQn49CNpqVCMOGhKnZO/uTDxZ5zpr9i7h+96f+4KCLPDMNrnF8aRdn/JahS7efmW +U/QRHVE/7Edt3+70AmgI8+yQE8a6/V9sKsBwKwIDAQABAoIBAF5MXAoisf9O3dDh +1lprWcn8+AUFWWHIo1qUXnVfRKbwSg7p0EpD6QWTb/oIQLHZJtGQI1dWZ+gEx33c +0PA5/5B9t9h1OzULDiU/BiYTBlDC7rXYcPha/Z3im/pUUstTAoNLb1Jtu4hDu3Oi +ZGb7AAG/efxbjzCZgr5nTr1W0Ky/hWLpP1V1dLvWItlr/ieOPiNDg7dQqytIbSAV +cT1XpimTGSrS1UPEYVnHM9qNBMRJ9CmMigVdipaAPYV5u4SGuHU3oyClE5j4jWeE +vwugRkTap9L8xbG+JDYE5sjtPXxRtPb4DOEY6KElbPAt9S/zGkEu0N/9Qe1BYeeV +Q7uuduECgYEA7Cax4Ptc4C7lYTvGh+5gyylKQdUdfa7d4ixU48aG/X/3EKicSKvW ++ap6zd3olGy9tDPV29VF4f+9UrYuy04UxEpLeo8XDy5iauDAlU8lAPIrr0tkVm6w +ODJEiLgkljLFaxIvqiXE+661o3cBn3KcRcADAuQAzvvB8dGheyhzCY8CgYEAxswX +E2Je+W94iKLkiCNo6ljdiXwQu6TxocqJ8lYAiEzmXjJEnZ8NQbXgw4ESMPk/W1XL +ikJLjLrEEpdu7QSvIVqaw89l6DGpS034Ct8wQLGEJk/D253yumlX4gxyjGLrZV3Q +hHcQ1jbN0q86CWQstk81k20BtWgXJSvuOsdGyaUCgYEAgfuWg1i4OWl2tnt5fo6W +Vp0mk2/jqK9c0EZIf4th+By8eD3msBVt4cSVjcUsZK4qCQtTFoqgyZHDusgun5cd +1SFzxEUIk0GbyGpndoe2vXuO0hD0bKLGelgo4vxAny/Y/GNpOwVJFKOItS4nBYXH +QJk8zxWC4GswyJLziF+uWj8CgYEArePr82rCxNE6z9ocqPDAXuzoq9A4GssHCYzO +6YlM4ezSPWcfGfj8cZQUTS7jqK79Onlrlz6yMyFTTSflQbItNrG4WrtZ2qdF/Lbw +1yGvZYdhntl66unYXjKzSum0cRQ97+cF9DjqI1bA5x+bVoenjLjwlkptii7IwB0T +P5r8UnkCgYBPniQR7jINhnkGdR01GqsstvSgwoGG4+IeO9EuhBePoktI7W48HEs2 +Ng23QoXJRwWo+KM2GqpOD9y3lxaJnawki2PsiUcRE84wHmclOxOadEn6tun7e0Qw +rHu+7hAxcFl9xvK5zE7h1BjZCNR5hNpyMXyAmNpl8mX/mgZPc9HhHg== -----END RSA PRIVATE KEY----- From cdfb3ced2b5125432a40c56697164eedab8f3d15 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Mon, 1 Mar 2021 10:05:04 +0900 Subject: [PATCH 35/38] review: up_ref after append Signed-off-by: Takeshi Yoneda --- .../tls/cert_validator/spiffe/spiffe_validator.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index fd8fb2769bc3..72a680ead567 100644 
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -73,8 +73,8 @@ SPIFFEValidator::SPIFFEValidator(const Envoy::Ssl::CertificateValidationContextC
 for (const X509_INFO* item : list.get()) {
 if (item->x509) {
 X509_STORE_add_cert(store.get(), item->x509);
- X509_up_ref(item->x509);
 ca_certs_.push_back(bssl::UniquePtr(item->x509));
+ X509_up_ref(item->x509);
 if (!ca_loaded) {
 // TODO: With the current interface, we cannot return the multiple
 // cert information on getCaCertInformation method.
From 88517d2deb30f90ae8882a24f4eb93bc6ecd27ca Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Tue, 2 Mar 2021 16:27:25 +0900
Subject: [PATCH 36/38] review: add CODEOWNER and add version history
Signed-off-by: Takeshi Yoneda
---
 CODEOWNERS | 2 ++
 docs/root/version_history/current.rst | 1 +
 2 files changed, 3 insertions(+)
diff --git a/CODEOWNERS b/CODEOWNERS
index 8b71656fcb5a..ecc2d39285c4 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -41,6 +41,8 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
 # tls transport socket extension
 /*/extensions/transport_sockets/tls @PiotrSikora @lizan @asraa @ggreenway
+# tls SPIFFE certificate validator extension
+/*/extensions/transport_sockets/tls/cert_validator/spiffe @mathetake @lizan
 # proxy protocol socket extension
 /*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
 # common transport socket
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 2d984f50e3a2..6a90654ede42 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
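Review bot: The reference-count bookkeeping around `ca_certs_.push_back(bssl::UniquePtr(item->x509))` and the moved `X509_up_ref(item->x509)` deserves a comment, because in the new order it reads as if the owning pointer is built from a reference that is only taken afterwards. If I read it right, `ca_certs_` adopts the reference that the `X509_INFO` entry already holds and the up-ref compensates for the list still owning it when it is freed, so a line such as `// ca_certs_ takes over the X509_INFO's reference; up-ref so freeing the list does not drop it.` above the push_back would spare the next reader that derivation. The constructor's body begins and ends outside the hunk.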
@@ -114,6 +114,7 @@ New Features * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details. * tcp_proxy: added a :ref:`use_post field ` for using HTTP POST to proxy TCP streams. * tcp_proxy: added a :ref:`headers_to_add field ` for setting additional headers to the HTTP requests for TCP proxing. +* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener. Deprecated ---------- From a75b70d47e7d6125150dbaba2a26afa70db0079d Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Mar 2021 08:13:12 +0900 Subject: [PATCH 37/38] review: not only listener but also cluster Signed-off-by: Takeshi Yoneda --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 40098a96d9a4..b56ccd5183b0 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -116,7 +116,7 @@ New Features * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details. * tcp_proxy: added a :ref:`use_post field ` for using HTTP POST to proxy TCP streams. * tcp_proxy: added a :ref:`headers_to_add field ` for setting additional headers to the HTTP requests for TCP proxing. -* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener. +* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener or cluster. Deprecated ---------- From 684420f55a0e009e96d89d815fea78d418f56ac2 Mon Sep 17 00:00:00 2001 From: Takeshi Yoneda Date: Wed, 3 Mar 2021 08:14:33 +0900 Subject: [PATCH 38/38] fix order of new features 
Signed-off-by: Takeshi Yoneda --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index ff8245f1bc15..ce1aeba00abd 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -122,8 +122,8 @@ New Features * tcp_proxy: add support for converting raw TCP streams into HTTP/1.1 CONNECT requests. See :ref:`upgrade documentation ` for details. * tcp_proxy: added a :ref:`use_post field ` for using HTTP POST to proxy TCP streams. * tcp_proxy: added a :ref:`headers_to_add field ` for setting additional headers to the HTTP requests for TCP proxing. -* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener or cluster. * thrift_proxy: added a :ref:`max_requests_per_connection field ` for setting maximum requests for per downstream connection. +* tls peer certificate validation: added :ref:`SPIFFE validator ` for supporting isolated multiple trust bundles in a single listener or cluster. Deprecated ----------