[tls_validation] add tests

3scale · Feb 10, 2025 · 3f595c0 · 3f595c0
1 parent f4e0243
commit 3f595c0
Show file tree

Hide file tree

Showing 28 changed files with 916 additions and 0 deletions.
diff --git a/t/apicast-policy-tls_validation.t b/t/apicast-policy-tls_validation.t
@@ -475,3 +475,176 @@ log_by_lua_block { collectgarbage() }
 --- error_log
 TLS certificate validation failed, err: certificate revoked
 --- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 12: TLS Client Certificate with OCSP and cert without no responder URL
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/CA/intermediate-ca.crt')) }
+              ],
+              revocation_check_type => 'ocsp'
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.crt;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.crt;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client.key;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- error_code: 400
+--- error_log
+client TLS certificate validation failed, err: could not extract OCSP responder URL, the client certificate may be missing the required extensions
+--- user_files fixture=CA/files.pl eval
+
+
+
+=== TEST 13: TLS Client Certificate with OCSP and cert with ocsp supported (no issuer)
+--- env eval
+(
+  'APICAST_HTTPS_CERTIFICATE' => "$Test::Nginx::Util::ServRoot/html/server.pem",
+  'APICAST_HTTPS_CERTIFICATE_KEY' => "$Test::Nginx::Util::ServRoot/html/server-key.pem",
+  'APICAST_HTTPS_SESSION_REUSE' => 'on',
+)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        hosts => ['test.com'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/ocsp/intermediate_ca.pem')) }
+              ],
+              revocation_check_type => 'ocsp'
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.pem;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/client.pem;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client-key.pem;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test.com;
+log_by_lua_block { collectgarbage() }
+--- error_code: 400
+--- error_log
+no issuer certificate in chain
+--- user_files fixture=ocsp/files.pl eval
+
+
+
+=== TEST 14: TLS Client Certificate with OCSP and cert with ocsp supported (issuer
+cert not next to the leaf cert)
+--- env eval
+(
+  'APICAST_HTTPS_CERTIFICATE' => "$Test::Nginx::Util::ServRoot/html/server.pem",
+  'APICAST_HTTPS_CERTIFICATE_KEY' => "$Test::Nginx::Util::ServRoot/html/server-key.pem",
+  'APICAST_HTTPS_SESSION_REUSE' => 'on',
+  'APICAST_HTTPS_VERIFY_DEPTH' => 3
+)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/ocsp/intermediate_ca.pem')) }
+              ],
+              revocation_check_type => 'ocsp'
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.pem;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/wrong-issuer-order-chain.pem;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client-key.pem;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- error_code: 400
+--- error_log
+issuer certificate not next to leaf
+--- user_files fixture=ocsp/files.pl eval
+
+
+
+=== TEST 15: TLS Client Certificate with OCSP and unreachable OCSP responder URL
+--- env eval
+(
+  'APICAST_HTTPS_CERTIFICATE' => "$Test::Nginx::Util::ServRoot/html/server.pem",
+  'APICAST_HTTPS_CERTIFICATE_KEY' => "$Test::Nginx::Util::ServRoot/html/server-key.pem",
+  'APICAST_HTTPS_SESSION_REUSE' => 'on',
+  'APICAST_HTTPS_VERIFY_DEPTH' => 3
+)
+--- configuration eval
+use JSON qw(to_json);
+use File::Slurp qw(read_file);
+
+to_json({
+  services => [{
+    proxy => {
+        hosts => ['test'],
+        policy_chain => [
+          { name => 'apicast.policy.tls_validation',
+            configuration => {
+              whitelist => [
+                { pem_certificate => CORE::join('', read_file('t/fixtures/ocsp/intermediate_ca.pem')) }
+              ],
+              revocation_check_type => 'ocsp'
+            }
+          },
+          { name => 'apicast.policy.echo' },
+        ]
+    }
+  }]
+});
+--- test env
+proxy_ssl_verify on;
+proxy_ssl_trusted_certificate $TEST_NGINX_SERVER_ROOT/html/ca.pem;
+proxy_ssl_certificate $TEST_NGINX_SERVER_ROOT/html/chain.pem;
+proxy_ssl_certificate_key $TEST_NGINX_SERVER_ROOT/html/client-key.pem;
+proxy_pass https://$server_addr:$apicast_port/t;
+proxy_set_header Host test;
+log_by_lua_block { collectgarbage() }
+--- error_code: 400
+--- error_log
+ocsp-responder.test could not be resolved (3: Host not found)
+--- user_files fixture=ocsp/files.pl eval
diff --git a/t/fixtures/ocsp/README.md b/t/fixtures/ocsp/README.md
@@ -0,0 +1,58 @@
+
+## Requirements
+* cfssl - following steps require https://github.com/cloudflare/cfssl
+
+## Steps
+Initiate CA by creating root certificate pair:
+
+```
+cfssl gencert -initca cfssl/ca_csr.json | cfssljson -bare ca
+```
+
+Continue with intermediate certificate pair for signing:
+
+```
+cfssl gencert -ca ca.pem -ca-key ca-key.pem -config=cfssl/cfssl_config.json -profile=intermediate cfssl/intermediate_ca_csr.json | cfssljson -bare intermediate_ca
+```
+
+Also create OCSP certificate pair to sign OCSP responses:
+
+```
+cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config=cfssl/cfssl_config.json -profile=ocsp cfssl/ocsp_csr.json | cfssljson -bare ocsp
+```
+
+Create a leaf certificate:
+
+```
+cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config cfssl/cfssl_config.json -profile server cfssl/leaf_csr.json | cfssljson -bare leaf
+```
+
+Create a client certificate:
+
+```
+cfssl gencert -ca intermediate_ca.pem -ca-key intermediate_ca-key.pem -config cfssl/cfssl_config.json -profile client cfssl/leaf_csr.json | cfssljson -bare client
+```
+
+Create an OCSP response for the certificate:
+
+```
+cfssl ocspsign -ca intermediate_ca.pem -responder ocsp.pem -responder-key ocsp-key.pem -cert leaf.pem -status good | cfssljson -bare ocsp-response-good
+```
+
+Bundle certificate to be installed at Nginx:
+
+```
+cat leaf.pem intermediate_ca.pem ca.pem > leaf-bundle.pem
+```
+
+Inspect OCSP response to see what is the Next Update:
+
+```
+openssl ocsp -text -no_cert_verify -respin t/cert/ocsp/cfssl/ocsp-response-good-response.der | grep "Next Update"
+```
+
+Create an OCSP response with revoked status for the certificate:
+
+```
+cfssl ocspsign -ca intermediate_ca.pem -responder ocsp.pem -responder-key ocsp-key.pem -cert leaf.pem -status revoked -reason 1 | cfssljson -bare ocsp-response-good
+```
diff --git a/t/fixtures/ocsp/ca-key.pem b/t/fixtures/ocsp/ca-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAt2e0klGfWpwv2iCIlJU3Gq6T2e/d4KBph6k8PX8wyIlUWL6C
+4xknOMAyUlOjUoqPdXBV9iepQioRFBonFAYtoy+WKN+V1HOkmVPSABG4FHoKKCwM
+izTTC8teOJwa+oIHATcJbPIR005hFg32DwdpCqxIxVSRtP93rSXoqLM4AQQ+WFdW
+hG6KfzjTMZ9D0CLzshUKRRKyQ7+gAf6ZrvirExZ7UT4rHyPUKnh1CGxrnUTdoXhU
+UaBKod1MkiRlCBahT6MZhnl3gnK+VVEL0F2k56UOEbhsXnpPxVozwSTFjlcQveF8
+P4WGPI/9Q1f+pgnHBcq16OicoOVGKB4VkhO8KQIDAQABAoIBAH1/pCsfWSiaiY/8
+BRmPBVbnsNpHbY8glTW0UzlNiGcguavEKTIW6yTFN2noO3DmyYW16cx3lTVmLauQ
+vb7Q/3eTv2+WlyL6Qt58Yc2UUl8Ip1yXz7mN2wBOF9oqz7ctNHfbXkLDXfk2v+5k
+fUQJcRJRk7YbyVyOFylPMGYHxMHEKc4wyeF3krD+JvQIwRPf+p7kp0jWTe9//DOc
+I5HilERUcdJoOeDqQLo/11ySJ5CxMBVPQbLJh6Fa5tiAzcVUWdaquPjZcH4HpON1
+wo0xDaNwURcM5RereKKsKQ2dD2ZRDMn9iX6G/pqMveRmThcQF86NUKyFm6v6s41W
+DMdiAbUCgYEA4bzhZ/kaetmXck3gKp1HQA7s1w2E5K6sVA8H2OnsFo4Yog7FqP4H
+y8jbIjVx7D1t/LFyhZgWLYTc3KV8QaNAv4X8XZ/S1J3t3k1/WLlzZHl2h5UAi3FI
+Dh9O5N6Bxq8sBgMhI7YgQwp+NG8fI1UiKZhydcwiH1Od48CGMOpHc+sCgYEAz/4B
+BqZmxGNPL+Los6PTDOiMcmngjMBdIIg6qTF5/UiKKIYTq7uCCQGiJ7pZT2OgJAEo
+ZrtZCma8bKPEK+BD3KrCVj7ba9wKg0WNrSiaNopWKZnq6BN95Jwcyg9c0IiFa0oX
+WlK3XLQ49DxrTlu+homxVMLbvE88GHYp8KtjzzsCgYBA7zhX1ExNsnHiK4ykNYHd
+Z22xnu3val+f/oLfXsrO4ikr1Nv+9LQBZtHCUWVn83PEELdEvq8CgQmXXvMTXoat
+kTk7JVJcXuGh5OERAKe060uxTKdPdVKo3VCwfWEPaixbvmK2BxnYrxgGtUBbxY2C
+MZwbTpEyObddYHA5eer76QKBgDXMxgcqU7rI1VrVnsuYvKbCIFIYAPVnbK9VjZbm
+LV/Ou63vwHbTcbdSrNcJ5MAcTPgDNKgeHdIK8QJI+h0/TU5u/QXCDI/BwxZhj1wS
+/JDPB6qLHbAaGp5fozLA9okaRyiRaaj7bGKWW4URe9Aw+v9h7nS2UpBLDohlSEPw
+kUixAoGAAiLrCo9BZeCTTVZcDLrIh7H+ptUTI4LttzaPEI57LbkPLH1w5PN4ZE2R
+CeMU5pgMMTFlmBttbhx5EvT5SFGva9i43JwfkTfjclq9OKr2xpuWO5Jl7aFHUyCs
+R0E2U2ZbznMO/fnH+JdifchH/Ge/O5gyDe1DxWzNaAbQ9Ci+zq0=
+-----END RSA PRIVATE KEY-----
diff --git a/t/fixtures/ocsp/ca.csr b/t/fixtures/ocsp/ca.csr
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICvTCCAaUCAQAweDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDzAN
+BgNVBAcTBk90dGF3YTESMBAGA1UEChMJTHVhIE5naW54MRgwFgYDVQQLEw9BUElj
+YXN0IFJvb3QgQ0ExGDAWBgNVBAMTD0FQSWNhc3QgUm9vdCBDQTCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBALdntJJRn1qcL9ogiJSVNxquk9nv3eCgaYep
+PD1/MMiJVFi+guMZJzjAMlJTo1KKj3VwVfYnqUIqERQaJxQGLaMvlijfldRzpJlT
+0gARuBR6CigsDIs00wvLXjicGvqCBwE3CWzyEdNOYRYN9g8HaQqsSMVUkbT/d60l
+6KizOAEEPlhXVoRuin840zGfQ9Ai87IVCkUSskO/oAH+ma74qxMWe1E+Kx8j1Cp4
+dQhsa51E3aF4VFGgSqHdTJIkZQgWoU+jGYZ5d4JyvlVRC9BdpOelDhG4bF56T8Va
+M8EkxY5XEL3hfD+FhjyP/UNX/qYJxwXKtejonKDlRigeFZITvCkCAwEAAaAAMA0G
+CSqGSIb3DQEBCwUAA4IBAQAXv+NudAib4JeSu5d8bM0p84HC4iarRTv1UYMULBE9
+eQRt04khs4wjtHoki0EkyE9M027W8x7otTdLsNSCh7QP4UxiZH3z/jF/Pa6WdKZy
+qDtLVJ/i1fpMba0Jct8HwJo1uO0boexakR7OkgxfAn4RKZ/IR9PzsoQ10WMHbXGz
+5PYWAZEGUSt4zkhqaSwYaA6oZ6HvJzo+QtkyIDnlfV6FX9v7jgGP/KadBkYbtVuj
+xBgE88dNUVsBsxFxDms03SiSqtPc7YSEZO3koKC4ziZ8QUKMHRlnsvILf1nSYr6+
+osOP1tycj9Pd1WyOkhORssBZOGBMrTeCdaCHJ19Rkw5v
+-----END CERTIFICATE REQUEST-----
diff --git a/t/fixtures/ocsp/ca.pem b/t/fixtures/ocsp/ca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwDCCAqigAwIBAgIUcSXJIwYu13xp3Iewm41m+UYc7zIwDQYJKoZIhvcNAQEL
+BQAweDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90
+dGF3YTESMBAGA1UEChMJTHVhIE5naW54MRgwFgYDVQQLEw9BUEljYXN0IFJvb3Qg
+Q0ExGDAWBgNVBAMTD0FQSWNhc3QgUm9vdCBDQTAeFw0yNTAyMDQwNTI1MDBaFw0z
+MDAyMDMwNTI1MDBaMHgxCzAJBgNVBAYTAkNBMRAwDgYDVQQIEwdPbnRhcmlvMQ8w
+DQYDVQQHEwZPdHRhd2ExEjAQBgNVBAoTCUx1YSBOZ2lueDEYMBYGA1UECxMPQVBJ
+Y2FzdCBSb290IENBMRgwFgYDVQQDEw9BUEljYXN0IFJvb3QgQ0EwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3Z7SSUZ9anC/aIIiUlTcarpPZ793goGmH
+qTw9fzDIiVRYvoLjGSc4wDJSU6NSio91cFX2J6lCKhEUGicUBi2jL5Yo35XUc6SZ
+U9IAEbgUegooLAyLNNMLy144nBr6ggcBNwls8hHTTmEWDfYPB2kKrEjFVJG0/3et
+JeioszgBBD5YV1aEbop/ONMxn0PQIvOyFQpFErJDv6AB/pmu+KsTFntRPisfI9Qq
+eHUIbGudRN2heFRRoEqh3UySJGUIFqFPoxmGeXeCcr5VUQvQXaTnpQ4RuGxeek/F
+WjPBJMWOVxC94Xw/hYY8j/1DV/6mCccFyrXo6Jyg5UYoHhWSE7wpAgMBAAGjQjBA
+MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQaaSka
+5maUzsFM/Vnn+cUUp54uSTANBgkqhkiG9w0BAQsFAAOCAQEAIhIQpkC8EVxA6Lhm
+uDutU9LGKQjp0PrzJLWCCcDCnxQ8cbaH2CUr2mw0et/cBM8R5TR35JMZe6MOGSbt
+lFfWKfLE+QzNPaLhQkOI21YZMqY1kcGNmsc2UyHxhPo6PZ+J1IF/9N/P7+BjDQeN
+yCd+dwXpUZlRZRyEVVXNl2yKUKLynViiNpa9rRb/mT5pqD/b523/Icva0mi6xyJZ
+UbaYQBE4IozQ2YEChP3EpfUjJepZCeHWbCEzKgC61H21uSK62K33pPPN3+zKKJrk
+eu2xwIugYpLwf3dvFGdW47vfUvxZdYltRkrAASDOPTpaU5dHwfR8MsoGy2h2A2jz
+qOUrUg==
+-----END CERTIFICATE-----
diff --git a/t/fixtures/ocsp/cfssl/ca_csr.json b/t/fixtures/ocsp/cfssl/ca_csr.json
@@ -0,0 +1,16 @@
+{
+  "CN": "APIcast Root CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CA",
+      "L": "Ottawa",
+      "O": "Lua Nginx",
+      "OU": "APIcast Root CA",
+      "ST": "Ontario"
+    }
+  ]
+}
diff --git a/t/fixtures/ocsp/cfssl/cfssl_config.json b/t/fixtures/ocsp/cfssl/cfssl_config.json
@@ -0,0 +1,32 @@
+{
+  "signing": {
+    "default": {
+      "ocsp_url": "https://ocsp-responder.test",
+      "expiry": "2190000h",
+      "usages": [
+        "signing",
+        "key encipherment",
+        "client auth"
+      ]
+    },
+    "profiles": {
+      "ocsp": {
+        "usages": ["digital signature", "ocsp signing"],
+        "expiry": "876000h"
+      },
+      "intermediate": {
+        "usages": ["cert sign", "crl sign"],
+        "expiry": "2190000h",
+        "ca_constraint": {"is_ca": true}
+      },
+      "server": {
+        "usages": ["signing", "key encipherment", "server auth"],
+        "expiry": "876000h"
+      },
+      "client": {
+        "usages": ["signing", "key encipherment", "client auth"],
+        "expiry": "876000h"
+      }
+    }
+  }
+}
diff --git a/t/fixtures/ocsp/cfssl/intermediate_ca_csr.json b/t/fixtures/ocsp/cfssl/intermediate_ca_csr.json
@@ -0,0 +1,16 @@
+{
+  "CN": "APIcast Intermediate CA",
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "CA",
+      "L": "Ottawa",
+      "O": "Lua Nginx",
+      "OU": "APIcast Intermediate CA",
+      "ST": "Ontario"
+    }
+  ]
+}
diff --git a/t/fixtures/ocsp/cfssl/leaf_csr.json b/t/fixtures/ocsp/cfssl/leaf_csr.json
@@ -0,0 +1,20 @@
+{
+  "CN": "test.com",
+  "hosts": [
+    "localhost",
+    "test"
+  ],
+  "key": {
+    "algo": "rsa",
+    "size": 2048
+  },
+  "names": [
+    {
+      "C": "US",
+      "L": "San Francisco",
+      "O": "Customer",
+      "OU": "Website",
+      "ST": "California"
+    }
+  ]
+}