diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/extensions/transport_sockets/tls/BUILD index 48a456162df3b..f5b04d38100d1 100644 --- a/test/extensions/transport_sockets/tls/BUILD +++ b/test/extensions/transport_sockets/tls/BUILD @@ -16,12 +16,11 @@ envoy_cc_test( "ssl_socket_test.cc", ], data = [ - "gen_unittest_certs.sh", # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", ], external_deps = ["ssl"], shard_count = 4, @@ -74,12 +73,9 @@ envoy_cc_test( "ssl_certs_test.h", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], - # Fails intermittantly on local build - tags = ["flaky_on_windows"], deps = [ ":ssl_test_utils", "//source/common/common:base64_lib", @@ -121,8 +117,6 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], @@ -171,14 +165,9 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "gen_unittest_certs.sh", - "//test/config/integration/certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], - # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows - # See: https://github.com/envoyproxy/envoy/pull/13276 - tags = ["flaky_on_windows"], deps = [ ":ssl_socket_test", ":ssl_test_utils", 
diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc index 0307ebb2daef9..9e1f377807223 100644 --- a/test/extensions/transport_sockets/tls/context_impl_test.cc +++ b/test/extensions/transport_sockets/tls/context_impl_test.cc @@ -20,6 +20,7 @@ #include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h" +#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h" #include "test/mocks/init/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/secret/mocks.h" @@ -261,9 +262,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; 
@@ -272,12 +273,10 @@ TEST_F(SslContextImplTest, TestExpiringCert) { ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); - // This is a total hack, but right now we generate the cert and it expires in 15 days only in the - // first second that it's valid. This can become invalid and then cause slower tests to fail. - // Optimally we would make the cert valid for 15 days and 23 hours, but that is not easy to do - // with the command line so we have this for now. Good enough. - EXPECT_TRUE(15 == context->daysUntilFirstCertExpires() || - 14 == context->daysUntilFirstCertExpires()); + // Calculate the days until test cert expires + auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); + int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; + EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry); } TEST_F(SslContextImplTest, TestExpiredCert) { @@ -302,9 +301,9 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" @@ -330,7 +329,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"); std::string cert_chain_json = R"EOF({ - "path": "{{ test_tmpdir }}/unittestcert.pem", + "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem", } )EOF"; 
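Review bot: The expected value in TestExpiringCert is taken from `absl::Now()` while `daysUntilFirstCertExpires()` is presumably computed by the context from its own clock, and `absl::ToInt64Hours(cert_expiry - absl::Now()) / 24` truncates toward zero; if the implementation rounds differently, or the two clock reads straddle a day boundary, `EXPECT_EQ` is off by one — exactly the flake the removed 14-or-15 tolerance absorbed. Either derive the expectation from the same time source the context uses, if the fixture exposes one, or keep a one-day tolerance, e.g. `EXPECT_LE(std::abs(context->daysUntilFirstCertExpires() - days_until_expiry), 1);`. The expectation is also now pinned to the checked-in certificate's fixed notAfter, so a comment such as `// Expected value tracks TEST_UNITTEST_CERT_NOT_AFTER; regenerate test_data when the fixture expires.` tells the next maintainer why this starts failing one day.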
@@ -591,27 +590,27 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; loadConfigYaml(tls_context_yaml); } TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { - auto der_response = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der")); + auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -626,9 +625,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -643,11 +642,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -660,9 +659,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -684,9 +683,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -702,9 +701,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -717,9 +716,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleFeatureFlagO common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -734,11 +733,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -748,12 +747,13 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = - absl::StrSplit(TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute( - "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp_details.txt"), - true), - '\n'); + auto ocsp_text_details = absl::StrSplit( + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt"), + true), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); 
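Review bot: The `{{ test_rundir }}` substitution token in TestGetCertInformationWithOCSP is split across two adjacent literals, `"{{ test_rundir "` and `"}}/test/extensions/..."`, which concatenate to the right string but leave neither the token nor the full path greppable and read as the formatter fighting an overlong literal. Hoisting the directory into a local, e.g. `const std::string ocsp_dir = TestEnvironment::substitute("{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data");` and reading `ocsp_dir + "/good_ocsp_resp_details.txt"`, keeps the token intact. The same long fixture path is repeated in every OCSP test of this file (the hunks above and below), so a file-level constant would also contain the churn the next relocation causes.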
@@ -797,10 +797,10 @@ class SslServerContextImplTicketTest : public SslContextImplTest { // Must add a certificate for the config to be considered valid. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -821,9 +821,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -838,9 +838,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -854,9 +854,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" @@ -1045,9 +1045,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1061,9 +1061,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1078,9 +1078,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1095,9 +1095,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -1750,10 +1750,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); diff --git a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh b/test/extensions/transport_sockets/tls/gen_unittest_certs.sh deleted file mode 100755 index fe731e85cd70b..0000000000000 --- a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash -# -# Create a test certificate with a 15-day expiration for SSL tests. - -set -e - -TEST_CERT_DIR="${TEST_TMPDIR}" - -mkdir -p "${TEST_CERT_DIR}" - -export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf -(cat << EOF -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 -EOF -) > "${OPENSSL_CONF}" - -openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048 -openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \ - -sha256 < makeKey() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest { // Read in cert.pem and return a certificate. bssl::UniquePtr makeCert() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); uint8_t* data = nullptr; diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/extensions/transport_sockets/tls/ocsp/BUILD index c6947269be4d1..262bec36ab5c6 100644 --- a/test/extensions/transport_sockets/tls/ocsp/BUILD +++ b/test/extensions/transport_sockets/tls/ocsp/BUILD @@ -14,13 +14,9 @@ envoy_cc_test( "ocsp_test.cc", ], data = [ - ":gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", ], external_deps = ["ssl"], - # TODO: Diagnose intermittent failure on Windows; this script uses the - # locally deployed openssl for test cert creation and manipulation, rather - # than envoy's current build of the most current openssl tool - tags = ["flaky_on_windows"], deps = [ "//source/common/filesystem:filesystem_lib", "//source/extensions/transport_sockets/tls:utility_lib", @@ -44,8 +40,3 @@ envoy_cc_test( "//test/extensions/transport_sockets/tls:ssl_test_utils", ], ) - -filegroup( - name = "gen_ocsp_data", - srcs = ["gen_unittest_ocsp_data.sh"], -) diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc index 70f24ccaa15e5..78e813060d867 100644 --- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc +++ b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc 
@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility; class OcspFullResponseParsingTest : public testing::Test { public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - std::string fullPath(std::string filename) { - return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename); + return TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename); } std::vector readFile(std::string filename) { @@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) { } TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) { - auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24); - time_system_.setSystemTime(next_week); + auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10); + time_system_.setSystemTime(ten_years_forward); setup("good_ocsp_resp.der"); // nextUpdate is present but in the past EXPECT_TRUE(response_->isExpired()); diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD new file mode 100644 index 0000000000000..e55e87fb10111 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD @@ -0,0 +1,13 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +filegroup( + name = "certs", + srcs = glob(["*"]), +) diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md new file mode 100644 index 0000000000000..ad1c6777eb3ae --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md 
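Review bot: In ExpiredResponseTest the jump of `std::chrono::hours(24 * 365 * 10)` is a magic number whose only justification is that it exceeds the `-ndays "${DEFAULT_VALIDITY_DAYS}"` (730) with which the checked-in good_ocsp_resp.der was produced; regenerate the fixtures with a larger DEFAULT_VALIDITY_DAYS and the response is no longer past nextUpdate, so the test fails with no visible reason. A comment tying the two together, `// Must exceed DEFAULT_VALIDITY_DAYS in test_data/certs.sh so nextUpdate is in the past.`, or a named constant (`constexpr auto kWellPastNextUpdate = std::chrono::hours(24 * 365 * 10);`) makes the dependency explicit. Removing the SetUpTestSuite that exec'd the generator script is the right call: the test no longer depends on whichever openssl is on the host, which is what the dropped flaky_on_windows tags were about.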
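Review bot: `glob(["*"])` in the new `certs` filegroup puts everything in the directory — certs.sh and README.md included — into the runfiles of every dependent test, and silently picks up any stray file left in test_data (an editor backup, or the `*.csr`/`*_index*` intermediates if certs.sh's cleanup trap does not run). Restricting the pattern to what the tests actually read, e.g. `srcs = glob(["*.pem", "*.der", "*.txt"]),`, keeps runfiles minimal and turns an unexpected file into a build-time question rather than a runtime surprise.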
@@ -0,0 +1,30 @@ +# What are the identities, certificates and keys +There are 8 identities: +- **CA**: Certificate Authority for all fixtures in this directory. It has the + self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key. +- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**. + It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem* + is its private key. +- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP + request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as + *good_ocsp_resp_details.txt*. +- **Responder Key Hash** An OCSP request and response pair for the **Good** cert + with responder key hash replacing the name in *responder_key_hash_ocsp_req.der* + and *responder_key_hash_ocsp_resp.der* +- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the + **CA**. A corresponding OCSP request and revoked response are included in + *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*. +- **Unknown** An OCSP request and unknown status response is generated in + *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate + is signed by **CA** not **Intermediate CA**. +- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key + (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*). +- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are + generated with **CA** as the signer for the **Good** and **Revoked** certs in + *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*. + +# How to update certificates +**certs.sh** has the commands to generate all files. Running certs.sh directly +will cause all files to be regenerated. So if you want to regenerate a +particular file, please copy the corresponding commands from certs.sh and +execute them in command line. 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem new file mode 100644 index 0000000000000..d456c26f505f5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem new file mode 100644 index 0000000000000..888feabbec1be --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF +ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k +iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v +c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf +HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7 +Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ +MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W +WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo +qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE +ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1 +Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs +Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3 +8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG +0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ +vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy +0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP +vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM +1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9 +kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL ++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS +ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS +LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3 +FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o +O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ +Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh similarity index 86% rename from test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh rename to test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh index dad80edca9a1c..042fd74ca5245 100755 --- a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh @@ -4,23 +4,21 @@ set -e +readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730} +readonly HERE=$(cd "$(dirname "$0")" && pwd) + +cd "$HERE" || exit 1 trap cleanup EXIT + cleanup() { - rm -f ./*_index* - rm -f ./*.csr - rm -f ./*.cnf - rm -f ./*_serial* + rm -f ./*.cnf + rm -f ./*.csr + rm -f ./*_index* + rm -f ./*_serial* + rm -f ./*.srl + rm -f ./100*.pem } -[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)" - -TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data" -mkdir -p "${TEST_OCSP_DIR}" - -rm -f "${TEST_OCSP_DIR}"/* - -cd "$TEST_OCSP_DIR" || exit 1 - ################################################## # Make the configuration file ################################################## @@ -55,17 +53,17 @@ commonName_max = 64 default_ca = CA_default [ CA_default ] -dir = ${TEST_OCSP_DIR} -certs = ${TEST_OCSP_DIR} -new_certs_dir = ${TEST_OCSP_DIR} -serial = ${TEST_OCSP_DIR} -database = ${TEST_OCSP_DIR}/$2_index.txt -serial = ${TEST_OCSP_DIR}/$2_serial +dir = ${HERE} +certs = ${HERE} +new_certs_dir = ${HERE} +serial = ${HERE} +database = ${HERE}/$2_index.txt +serial = ${HERE}/$2_serial -private_key = ${TEST_OCSP_DIR}/$2_key.pem -certificate = ${TEST_OCSP_DIR}/$2_cert.pem +private_key = ${HERE}/$2_key.pem +certificate = ${HERE}/$2_cert.pem -default_days = 375 +default_days = ${DEFAULT_VALIDITY_DAYS} default_md = sha256 preserve = no policy = policy_default 
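Review bot: `readonly HERE=$(cd "$(dirname "$0")" && pwd)` declares and assigns in one statement, so the status of the command substitution is masked by `readonly` and `set -e` cannot catch a failing `cd`/`dirname` (shellcheck SC2155); split it into `HERE=$(cd "$(dirname "$0")" && pwd)` followed by `readonly HERE`. Separately, with the generated fixtures now committed instead of rebuilt at test time, `DEFAULT_VALIDITY_DAYS=730` (through `default_days` here and the `-days`/`-ndays` arguments in the later hunks) gives every certificate and OCSP response a fixed expiry roughly two years after generation, after which TestExpiringCert and the OCSP expiry tests start failing. A header comment naming that consequence, e.g. `# Fixtures are checked in and expire DEFAULT_VALIDITY_DAYS after generation; rerun this script and commit the output before then.`, would save the next maintainer the diagnosis.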
@@ -102,7 +100,7 @@ generate_ca() { -config "${1}.cnf" -batch -sha256 openssl x509 -req \ -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \ - -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}" + -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}" } # $1= $2= $3=[req args] @@ -153,7 +151,7 @@ generate_ca intermediate_ca ca # Generate valid cert and OCSP response generate_config good ca generate_rsa_cert good ca -generate_ocsp_response good ca good -ndays 7 +generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}" dump_ocsp_details good ca # Generate OCSP response with the responder key hash instead of name diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem new file mode 100644 index 0000000000000..724ea898ea248 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/ +o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW +76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR +tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3 +FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7 +rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je +BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV +gDVhAiuki1Lwuzo= +-----END CERTIFICATE----- 
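Review bot: The self-signed CA in `generate_ca` now gets exactly `-days "${DEFAULT_VALIDITY_DAYS}"`, the same lifetime `default_days` gives the certificates it later issues, so each leaf's Not After lands slightly after its issuer's (the committed details show the CA ending 02:57:51 and the good cert's OCSP nextUpdate 02:57:52 on Oct 22 2022). A CA should outlive everything it signs; a chain or OCSP response validated in that window fails for a confusing reason, and any future test that pins validity against the CA will be off by a second. I would give the CA a margin, e.g. `-days "$((DEFAULT_VALIDITY_DAYS + 30))"`, or introduce a separate `CA_VALIDITY_DAYS` with a comment explaining why it must exceed the leaf lifetime. The `generate_ca` function begins before this hunk.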
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem new file mode 100644 index 0000000000000..8fac462fe37b8 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49 +AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc +yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w== +-----END EC PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der new file mode 100644 index 0000000000000..6769a837244d5 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der new file mode 100644 index 0000000000000..8bc4f54bfd7fb Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem new file mode 100644 index 0000000000000..4c25d638be7cc --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAikCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTJaFw0yMjEwMjIwMjU3NTJaMFsxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ0wCwYDVQQDDARnb29kMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBD2wITti7SV7hHMKjeB4vv9HrpYHe58LkthZWHAWfcV4usdQl8/R/pe6xp +vbda1dPkDOL3h9DWXb3OtDxZszk/muQ2O3IMzkm3RdOYK4TxiyhRiilYI8nOHCNS +/nzl2TGdoaHMYNKDopJaSuWo78ojcI6y/xJHSJFFHTazHrcLZsoanqYNUh352E1U +j7x8b0h6KB2ODeUa2z8g4sMqTexSDDKz4ND9vfoSPn02mG/3RuVsIxX5F1LNCP5W +RfxRA4uDR3/FSmWAHRPDpdh1NfNDZyh1yXlEyJS2XhuKUCDfCMqHYrxOfgQs6f+2 +d1z/R2EV8f4bBFxyL0nfOuo2J4+u +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem new file mode 100644 index 0000000000000..5a6e6a2a14638 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABAoIBAQCqpOtPVSvE+iqK +VAwIs5rSVoHo8p4Cty2dsTfzA6CGijmscon2t0oHwjyak9LyfWaiR9uk3e8KXFAW +zE1QDq5umj1Ufrw+3+U0xB4xMiSfRcbV/LCPARO5VARm8rmzqEPRctVfsmtYFs9M +Y+O4Ky/SFriUUdgNjbdtvhobqV67dWIxATeYET0ayACgeJITcfH4XaAdQt5LJbDI +qemCu3hvvc4qqk0Ad/nqCl+B0D8/zWuyX5bKnNw+1g868VCFskdGiM7uZTZIXBja +6N3VBv6dENebcX+j9t+RxtOIRMm5ndFGzAq50ylKKiw5M/hRHxgHb0l7OF1Ud2Jw +QSumpj8pAoGBAPh6VgAvEHRECDHUs+RscNcrhTTJF/A787rx/7kJMHxVMlr3GPvv +clxhK7GquFEpYlB6+R+otWvfowq7F+sEGutepfgI0vp0QriwziVQw1xg4lnfK4TR +uKLmL/wQGEIMi4G2n8RacYGSGGl39mmRchCEeYWHV+P0j7ss7SkJ3WNVAoGBAO4L +YiV1TBpmD+3cWZh0BEvjYQePmFoLdFypd/tOZYL9jhtiCIV7uDPUwTe8UCPrLpUi +XPHp9Sfhoo0gLGQVxHowHaDQBUnzo+LzdMPu8YlJv1okH0rkdwQ355yAVgTVz3sv +XTJtVGnSLmA/BthLMrFJfn5Sbus/c3vNgw7Cu3IXAoGAPSEDpVnux1uxVGkKtKiE +/jqDs9/BFuX46UX97oy3M+9VyxE9QUXAMb/qGvRwEe+Hc1s9jK9ZqqdDGjG7CaNh +6APJ+wJYvSr6+yrsHDwJQ+HF7ew8bZmWveS5a16eSSmC7K98ELdbc0/414Geyovw +ruWYa+RHGBqjfZ3o3o7Bu10CgYEAt9GyiJp7micWRefSiBeO+cssMlqAm4gc4zE6 +paV0XiLOifa5/dn79IpmalPQzuvdnOxcObMgzRtAGxqtLNxiTLi7KGN6shCija7S +jDsH6aw5R7J9N6gU//zrrb6sri8teUKqBTbH6K+VgF0rO/tVufG27HVbke39j6yz +d8KIXSECgYB3JaYxWdoxptUvpqITvIBRNEfhNVrxzdGz95EcS6RqmG7UxJlTN2Yk +LKZ9pIOD43QQ3i5D2cF6XN4BCSZ+wRVzOt43RP8DUMgbLzLf8h9N/6cQGEbFqtlb +9x5wTSPF7VRJY+ToSnnBWyFRPLkwm9u1VpeBIUa3bGDDbV/SdJIeUg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der new file mode 100644 index 0000000000000..f5d7e4150fe3b Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der new file mode 100644 index 0000000000000..c2478b1632608 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt new file mode 100644 index 0000000000000..312a01481fd52 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt 
@@ -0,0 +1,118 @@ +OCSP Response Data: + OCSP Response Status: successful (0x0) + Response Type: Basic OCSP Response + Version: 1 (0x0) + Responder Id: C = US, ST = California, L = San Francisco, O = Lyft, OU = Lyft Engineering, CN = ca + Produced At: Oct 22 02:57:52 2020 GMT + Responses: + Certificate ID: + Hash Algorithm: sha1 + Issuer Name Hash: 16C50680A809B68F302789AB234F8F4B30B0E06C + Issuer Key Hash: 187843E49EA451E66B463A475A2D7A596E788416 + Serial Number: 1000 + Cert Status: good + This Update: Oct 22 02:57:52 2020 GMT + Next Update: Oct 22 02:57:52 2022 GMT + + Response Extensions: + OCSP Nonce: + 04109C5C7305A9C99B599CAD3612F1A32885 + Signature Algorithm: sha256WithRSAEncryption + b6:2f:7e:dd:b5:eb:5b:e6:e6:1f:d4:fb:7f:59:35:de:b2:31: + 2a:52:4a:7d:81:8a:ec:7d:dc:cc:7a:92:61:7d:f1:02:25:c9: + 2c:ed:ea:ec:14:c1:a8:8f:78:44:01:4a:e6:07:ff:fc:61:0e: + 3b:ba:66:d6:c5:6b:6d:77:7c:ef:ea:a6:b6:75:87:14:34:b1: + 75:02:ef:7d:6e:a3:5d:5b:29:e2:60:4e:39:ae:ce:1a:5f:ef: + 35:9f:ce:d5:e1:0f:f9:f4:51:2d:07:f8:38:4c:5c:96:ba:60: + 66:07:e0:7a:ea:ac:ba:70:ea:1a:8f:bf:b9:26:94:a9:83:13: + 17:70:61:f7:38:4e:06:73:1a:3d:b3:02:4b:19:82:a3:4a:e1: + 7c:07:d8:fd:b7:91:56:16:25:86:e9:a8:ff:a5:c2:cb:6e:c8: + ee:b1:da:77:2d:6a:e9:7e:a5:48:54:f4:1f:82:0e:b3:72:0c: + 53:03:95:a3:b0:3c:4e:55:74:ee:96:d6:f7:b2:03:1b:7f:24: + 61:e1:dc:ed:d6:a3:0d:13:02:82:0d:ed:bd:ed:ba:ab:2e:8c: + d0:19:f6:c9:8e:59:ad:68:ea:34:6f:33:5d:96:73:b3:3e:df: + a0:10:d6:ac:18:f6:ab:12:fe:9d:35:41:0d:34:4f:da:70:c3: + 4e:7d:52:46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:db:1e:73:b4:0f:af:11:bb:24:44:d0:48:f1:fb:5d:59:c7:f5:17 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Validity + Not Before: Oct 22 02:57:51 2020 GMT + Not After : Oct 22 02:57:51 2022 GMT + Subject: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption 
+ RSA Public-Key: (2048 bit) + Modulus: + 00:db:e8:73:4e:bd:7a:d1:ce:e6:80:d2:82:52:83: + b1:43:29:6c:90:8c:f6:74:03:79:85:68:c1:4f:7f: + 0c:f0:21:85:e4:57:05:64:11:bd:40:a4:9d:b7:b4: + 20:9c:80:57:b7:aa:0e:02:e3:ae:7c:a3:4b:35:65: + 0a:af:35:44:e0:69:43:87:12:4a:28:20:25:ce:27: + 45:69:e2:24:93:50:de:9f:2f:64:88:00:c3:76:c5: + 6b:38:c1:ef:e8:95:c8:30:f7:20:a2:da:0e:56:ee: + a2:c0:69:58:b2:f1:eb:fc:eb:a4:6d:1e:0f:01:b8: + dd:cd:de:75:76:b0:bf:68:a2:30:47:1e:2f:73:d4: + 24:f9:62:ad:55:78:c9:29:07:2c:cb:17:84:29:fa: + ce:26:5a:19:3a:4a:2b:31:fd:87:59:60:0e:04:d8: + 3b:78:12:ec:1d:e4:22:3a:b2:cf:9f:02:5f:d1:e1: + 5f:1f:33:82:c7:60:4c:f2:12:7e:7f:21:e4:f8:d9: + 9e:9e:31:25:f3:c5:c6:69:39:1d:a6:29:66:65:71: + 6a:78:30:42:72:bb:0b:c1:b5:4f:a3:33:b9:b2:2c: + 64:cf:8a:bb:53:0f:44:80:12:a9:8e:d0:b2:d6:e4: + 7e:98:3d:35:bc:7d:7b:5f:69:1f:96:68:15:46:48: + ea:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + X509v3 Authority Key Identifier: + keyid:18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + b2:79:47:56:c3:e7:13:de:5f:8b:ed:a3:c3:80:11:e1:96:36: + 1f:ce:26:46:84:a7:c2:4e:96:59:c1:97:0b:38:bd:85:51:b2: + 8e:37:ea:45:d1:d9:25:0d:5d:5d:b7:08:2f:bc:7f:4d:d6:88: + 29:2f:6b:ba:cb:4c:12:1a:f4:dc:20:fc:5d:75:f2:8e:4b:db: + bf:70:fb:28:7e:81:16:74:67:5b:38:a1:bf:9f:6f:38:88:d2: + c0:3f:35:43:a6:b5:d4:76:48:4e:58:35:e1:dd:02:d1:fa:03: + 56:1a:8e:08:b1:4c:da:36:d2:2a:59:bf:90:8d:07:33:76:6f: + 10:46:87:d6:ff:e1:6d:cb:2d:9d:21:8e:0c:0e:3d:44:95:b5: + c9:85:7a:4e:76:e6:de:e7:91:96:8a:07:ce:8f:f6:0d:15:bc: + cf:e0:44:97:c6:eb:2f:38:c1:06:71:b9:e4:9c:bf:a7:a5:35: + 4c:7e:3b:d0:c6:13:90:f5:92:ee:44:91:f7:9e:1f:88:8b:d1: + e4:dd:f9:50:df:13:5a:46:64:2f:0e:07:be:75:d7:45:9b:3d: + 
65:38:57:79:5a:f7:00:be:b5:04:e4:37:d5:c5:1c:32:53:cf: + 1f:47:72:70:36:2a:31:99:eb:ef:19:82:3c:23:58:2a:54:63: + e8:2b:0c:f7 +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem new file mode 100644 index 0000000000000..f9f104f8d05c7 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIUCmwXC1yqJjKspOZeS0lbJsJomIMwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxGDAWBgNVBAMMD2ludGVybWVkaWF0ZV9jYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKI2heFAYYMEzvOJ7WVjvkczC3Vf/zo1WS5n +uN2LMO7Rgkbo+XENakPud7L7EN13ySIcjh65s9qq0cqaAbLzjgYoU6av8IufU2rh +pgpoNIU7X8dKlImlIBGytARa9qIblnsinDLhfly78yw/gWU83h+QPWYwhXBeDMMc +Wzo6MvZyZ1IgvdLmue8zcCKYA12YkXRnljG2sp8kstKWh4A8wMfUyE+bVkyr8qTk +Scslqnzx62y3UovwRzaRw8wusq3Vj/MSR4BLlbWRxiAIQr3IwswBphqNif3T7RQw +0IdB/OKfKtt3le4LNES1QZtRpB1seYRNgMXiL8zVJmbsp6hRphUCAwEAAaOBxTCB +wjAdBgNVHQ4EFgQU/d1VXIK/EJrCj1MuJa71mxNR1LwwHwYDVR0jBBgwFoAU/d1V +XIK/EJrCj1MuJa71mxNR1LwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFP3dVVyCvxCawo9TLiWu9ZsTUdS8MB8GA1UdIwQYMBaAFBh4 +Q+SepFHma0Y6R1otellueIQWMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAt1udv9BBzcmErW0JjBAZajzoY0QwVqusZ +j11ex6LNI1rnFomVk+76QQJCeAR4rWeMJBfA9UmAtHVXZuLcQDDL5yTgAnBmSmJR +18kS8KQg8V7AjtmIcx5uZgC2KZYsFx5qp3hGpqLyrN2ZvdeDFacNVWEtb2eVIIky +yy/UsmZr5STI3OU0k12fexiS/yh6G0XFvoecdxCoOvEp+EiLzCmwLRq/1q7CUbeO +woHCUHnwpGZi4PsFF9HkyM5KYgorMM0F+LWR1sVUtxSR6fWLZ0TTFi4NbLupD34S +yFXm0VYhXwV7mVVigQg2/A76PqmSXcSmvSvT43G+u3syc4kbxKLz +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem new file mode 100644 index 0000000000000..f8347a1701365 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAojaF4UBhgwTO84ntZWO+RzMLdV//OjVZLme43Ysw7tGCRuj5 +cQ1qQ+53svsQ3XfJIhyOHrmz2qrRypoBsvOOBihTpq/wi59TauGmCmg0hTtfx0qU +iaUgEbK0BFr2ohuWeyKcMuF+XLvzLD+BZTzeH5A9ZjCFcF4MwxxbOjoy9nJnUiC9 +0ua57zNwIpgDXZiRdGeWMbaynySy0paHgDzAx9TIT5tWTKvypORJyyWqfPHrbLdS +i/BHNpHDzC6yrdWP8xJHgEuVtZHGIAhCvcjCzAGmGo2J/dPtFDDQh0H84p8q23eV +7gs0RLVBm1GkHWx5hE2AxeIvzNUmZuynqFGmFQIDAQABAoIBAQCQG3wIxtdaPDVW +qpwaTOhH/JMbbXMi1S4rSb40I2oPYFUqheLEirRzMTFp8h3jgn1PLqsbpMKhaswB +/5uuzSzJT54xIXDDuYG0HE8UQ8sU6dCHDjyzo9y/nFDM5brh/TxMnEzD7wwBen/o +OWrM86wpwkypskV5tDQGSfTJ39ZSlZoaHS4/ih88JG2OTQXx7wi5U6s6Qkk1vuNA +prkqj6F6Y73qwiCuwtccEu3GDJiUjVAj7uFTOlpOBzT+2elraq16Y3DmfJ3aljp7 +pqTboytXYHixQ2x081WBv8Iy/flZP3HYe6ms2N5l27vd/tg3f2+p/WIrRolmOqwP +wHtR1oZBAoGBAM1tJ896YZXrLM9CBNcoAue8VhsipqvO8SodP0x5LRCqfnanoNPE +qFW8PwC0g/tGgAl5eA5iBbLOkaEuW1nxudSidlRBxYQ6lZjebscv9Mqe+P3RJd9y +Dv0te/I0lua7ElAUXTw4yGQ6/USr+kLlvOzBLWhbj3BQa4OCXsb5fFMNAoGBAMol +3+2l3G0BEFaXfGv2CRAR58KHA48lOHaIiSnNrWpnsXm4Fr2oYvvPDh5auulToeK3 +9DjfMhyPmgrCIbeHCVt01gvFU/NAGb79Xw21NQPREVhwZY6P4sFb5coO9E2jiESl +7PSaHtuLx8G6AwcIx8xjh+Fuy9ZfirfAB9g/h30pAoGBAMLMGY4zXMpPIkS/M9vb +AzZAb953c1lEeYgYB+g6mDNPmXBm8KkfuQjj41KF2wmyBsP1PZVV+lVecNZJITMf +d7pc/JxVajlDXIyDkMStgxGIwk/dvm4uuGv4b6pzmAzfpDPvu6HZrpztGzG9ayl4 +tThEzwxAlrpIaEtimwFPn0cZAoGAdD0lL61BO/jxoSlIpXf7rB7vqr8iP8zCU/6d +CMm5X0czGW/Ou8445N0iHDhF5Gdv3kOzDoThduToSilpY/QlYE6lymz0ohqI83cU +knhRfNlaZQV0kG6SkGc8klzZBE/1yquyvtBk0A/nlLFWjlPxN8k/2FRyp9mWlaS5 +nhKh4UkCgYBMCtGuPwmSYU6jI1AhygvEWNeN9U9GNH+C7hbDxtYtppjN/7ZUUIIn +kKceZAWbkZlItoOfVVSQLs8IZ5m5Q2g0rOb9/oVmtnK8bPYE16i0gk3VgOKQh+wv +q1Oqidvs4edxeI2sDe9w+Qw8qUo14+Uux7KMAlDrtB42gP5BQOWh0w== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der new file mode 100644 index 0000000000000..02da216fd77a3 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der new file mode 100644 index 0000000000000..e6af4d98fe865 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der new file mode 100644 index 0000000000000..71d48a2acc5a0 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der new file mode 100644 index 0000000000000..dec1446b6ee7f Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem new file mode 100644 index 0000000000000..58e8b6ca6aa56 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYDCCAkigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL +BgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxCzAJBgNVBAMM +AmNhMB4XDTIwMTAyMjAyNTc1MloXDTIyMTAyMjAyNTc1MlowXjELMAkGA1UEBhMC +VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM +EEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB3Jldm9rZWQwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCxmvUb+/sG/GYQNdpaCWP4cmMun5RPmc4s+tLI +1XutvZxouwo7HNBPq95SAO4FkzwBLJ19r8D9Tn/1zHxVgTC3r9JymlpMQphQDPTu +qiJhq2gkB6SXMhOYPnXMWiX0qbzdQZtuUl63qhWsQHYvjilyLSp0+qAIeRlm7hGG +amxVrtbWzB2BR1zwZN4ysyMTDslUD1/UfBFLYUO05RCiu4dhYRLwCDcmTuM5ROt7 +lmYmI2HbCwbc2I3OMuDx5MsLzc3/lzUdwfii6IYCYSep0uNC2KstjVp4pnOaF9S1 +r2hVpuFBN7CJDrucbGup06wOcbCzGY3+KcvL2jV2pi1TOK4tAgMBAAGjFTATMBEG +CCsGAQUFBwEYBAUwAwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAyKdZ7vxkP0ipl94h +0E+etmeY7GpcyJtlcSRrBUUbQLlpieuICDVpVYPUHajcGYp4crkxL/5lAUsTlUIM +LvquncT16JBEMz5baV8Q4A+csCd9OoJ0FaZV4E5IRW63WckBlUcZtEDKYh5jHxeb +OaH6NG0br8a+avj0a0oow6VA03j2Kv11Bqvz2tSxWvYl7BLKviP0EDUhmL5xz3sU +md0u5IdE4iCGdcysBbqYT9OuwKvHmaIBfbN6J/gNItZcxu6cuLxEvK6Df8Gao50b +xrMoBp6P6B3Vwge/IjYev83LzxoTNb1X5MTPE9myf+TkmQP2FYU18CPWsyW34pDf +zTm2kg== +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem new file mode 100644 index 0000000000000..0e9c699b2a84b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsZr1G/v7BvxmEDXaWglj+HJjLp+UT5nOLPrSyNV7rb2caLsK +OxzQT6veUgDuBZM8ASydfa/A/U5/9cx8VYEwt6/ScppaTEKYUAz07qoiYatoJAek +lzITmD51zFol9Km83UGbblJet6oVrEB2L44pci0qdPqgCHkZZu4RhmpsVa7W1swd +gUdc8GTeMrMjEw7JVA9f1HwRS2FDtOUQoruHYWES8Ag3Jk7jOUTre5ZmJiNh2wsG +3NiNzjLg8eTLC83N/5c1HcH4ouiGAmEnqdLjQtirLY1aeKZzmhfUta9oVabhQTew +iQ67nGxrqdOsDnGwsxmN/inLy9o1dqYtUziuLQIDAQABAoIBAAYqTeXpyl4EtvpL +FEhZ2RmPxvegXIKi4TBYiKamGoP+eAZ+r607o9OQMMiB9cFFyih0RwdM6ZMhfXmn +3o0NTgaiWNjXmNja2vS0bnA2gbkIPTY6+bCx8VIwoOA2JOkoV0EK/P1IaLdRdS0k +k7W05qVrAfVLmfCRW5tiGkOjQB19RHMltBnjhY/xKaxqfN5u0x64hfkfYLJ7onsf +0Vd9LOTyh97MrDr+f+dXGLFRBuHsI+1EqyGiG31idpQ+ZLU3Gj1PFE+D9ZfkDRpq +ToHZrZL4mBD2sAip5InyHT339lqOgnRIy8CGf30oEgOKmpEoneNSid/QC0HPnSz0 +/A9ohvUCgYEA2h2iqdLDjVNUsZGq6K3m3dCDXlN7NYQu+wQ9YUXj7xPBxlamfHWT +JES7ieb3N9UCuHjzeUIDCXv3hoBIYLeo33hzOgtjg3rJNA+2dnGbEmsNlpFduRSJ +jTIzhcmHiIyX0DvBtj9h1sdrDmMqQaOnPTRmIlhUxAt6hshvfZ/UN8sCgYEA0HQN +hGGzeM17HmKsfHUrWJqnuNncTq8w0z0OQfOSH1KGkE2zwieXv6X+EYbszW+7hDQA +U9gieMm9xtc59ZG312nY973UmWhNkc+f5foxzdgcqKItfiFkcdh1Vcb/qmOTD1tK +ibljEwHXQonFbD6L/j+GYysvuDX6vyhmgjIIQucCgYEAq3tjOMsIjaL3UkfpK9gV +S001C0Ls+k07NoTF0SVGp99LmKjlabJyhbA4FZptwQqKgggtu6bHhnxdRfSzcr7S +WSd0yCzOBz/Q0kqMNKDqv1dFLpyJKArafhT65vNjyFpovQFOMf+w51CPfZc/UK3e +vULmDZiOxDcWFMOezBCNo3MCgYBk8H2HKCRXD/FZcmCh178IpcMn4N8sfur+rycT +SpXscvLUN7we/TsfQ4r3A8XxaPR9fQzXjOaMZOxvt9LKFijWt9ung5XKP1aoj8iW +/YNWcRrXkcjDtfnEoxOWWMl+wb75hbRfYpUWJCMPhlVCKDtz/2Dc7pGp+wGTxUV2 +MDIN6wKBgQCtzZ1CqsSzVA3aHpxACvzMqv4nFY1am4W3gfaO4y3+5w0T+oQlf1/p +MJBq//t6XYBJhkVs+jEwZ1NxS2oRefH0liLiX7uPCe0+lNmrPK6L68NAgCSrJPYi +pEzdIsQsJwnWRq+iJwHqLV06EJqR8Q2RjVJbUcoP0bVRRczgpNNAZg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der new file mode 100644 index 0000000000000..b733ba5b845b8 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der new file mode 100644 index 0000000000000..92a875f0c4913 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der new file mode 100644 index 0000000000000..a81d57b98f99b Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der new file mode 100644 index 0000000000000..e3ebdc126fcc5 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ssl_certs_test.h b/test/extensions/transport_sockets/tls/ssl_certs_test.h index 1fac8ff469c59..0fe7d2183b273 100644 --- a/test/extensions/transport_sockets/tls/ssl_certs_test.h +++ b/test/extensions/transport_sockets/tls/ssl_certs_test.h 
@@ -10,14 +10,6 @@ using testing::ReturnRef; namespace Envoy { class SslCertsTest : public testing::Test { -public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/gen_unittest_certs.sh")}); - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - protected: SslCertsTest() : api_(Api::createApiForTest(store_, time_system_)) { ON_CALL(factory_context_, api()).WillByDefault(ReturnRef(*api_)); diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index b4bdb84e57370..c97d5e3779bce 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -795,10 +795,10 @@ void configureServerAndExpiredClientCertificate( filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() ->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() 
@@ -1003,9 +1003,9 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1077,9 +1077,9 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1099,9 +1099,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -1287,9 +1287,9 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -1395,9 +1395,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1422,9 +1422,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1443,9 +1443,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1470,9 +1470,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1620,9 +1620,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1648,9 +1648,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1743,9 +1743,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1765,9 +1765,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -1790,9 +1790,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1817,9 +1817,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1842,9 +1842,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -2399,9 +2399,9 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -2456,9 +2456,9 @@ TEST_P(SslSocketTest, HalfClose) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -2539,9 +2539,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" 
@@ -2856,9 +2856,9 @@ TEST_P(SslSocketTest, TicketSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -2880,9 +2880,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -2902,9 +2902,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -2931,9 +2931,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -2943,9 +2943,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" @@ -2965,9 +2965,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -2977,9 +2977,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" @@ -3140,9 +3140,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; @@ -3158,9 +3158,9 @@ TEST_P(SslSocketTest, SatelessSessionResumptionEnabledExplicitly) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; 
@@ -3176,9 +3176,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionEnabledByDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3195,9 +3195,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -3208,9 +3208,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -3482,9 +3482,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3503,9 +3503,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3525,9 +3525,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3550,9 +3550,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3575,9 +3575,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3596,9 +3596,9 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -4103,9 +4103,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -4147,9 +4147,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" @@ -4197,9 +4197,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" 
@@ -4222,9 +4222,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" @@ -4286,9 +4286,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" @@ -4307,9 +4307,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" 
@@ -4735,9 +4735,9 @@ class SslReadBufferLimitTest : public SslSocketTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -4884,13 +4884,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -4918,13 +4918,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: false mode: rsa 
@@ -4952,13 +4952,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true mode: rsa @@ -4986,13 +4986,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa @@ -5020,13 +5020,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false crypto_error: true 
@@ -5055,13 +5055,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true @@ -5090,13 +5090,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa @@ -5124,13 +5124,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa 
@@ -5158,13 +5158,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa @@ -5193,13 +5193,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa @@ -5247,7 +5247,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa 
@@ -5287,7 +5287,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5367,7 +5367,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true @@ -5411,7 +5411,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5438,11 +5438,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5454,7 +5454,8 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); @@ -5468,11 +5469,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5491,11 +5492,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5514,11 +5515,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5537,9 +5538,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; @@ -5558,11 +5559,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -5582,11 +5583,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5606,11 +5607,11 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; 
@@ -5626,7 +5627,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio {{"envoy.reloadable_features.check_ocsp_policy", "false"}}); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); testUtil(test_options.enableOcspStapling() @@ -5639,9 +5642,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoRespo common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
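Review bot: The new `ocsp_response_path` initializer splits the `{{ test_rundir }}` template token across two adjacent string literals (`"{{ test_rundir "` and `"}}/test/..."`), which concatenates to the right text but leaves the token unreadable and invisible to a grep for `{{ test_rundir }}`; it is the only place in this diff where the wrapping cuts inside the placeholder. Break after the token instead, `"{{ test_rundir }}"` on one line and `"/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"` on the next, so `TestEnvironment::substitute` still sees the same string and the placeholder stays intact. Since the same `ocsp/test_data/` prefix is spelled out in the neighbouring OCSP tests, a file-level constant for that directory would remove the need to wrap at all; the enclosing test body continues outside the hunk.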
@@ -5667,17 +5670,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5689,7 +5692,8 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 )EOF"; - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -5703,17 +5707,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index d3ad086c98d4e..b1155f18d9fe0 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -256,3 +256,7 @@ openssl rand 79 > ticket_key_wrong_len # Generate a certificate with no subject CN and no altnames. generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca + +# Generate unit test certificate +generate_rsa_key unittest +generate_selfsigned_x509_cert unittest 
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
new file mode 100644
index 0000000000000..2e485f9fa0c56
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
@@ -0,0 +1,23 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = US
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Unit Test CA
+commonName_default = Unit Test CA
+commonName_max = 64
+emailAddress = unittest@lyft.com
+emailAddress_default = unittest@lyft.com
+emailAddress_max = 64
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
new file mode 100644
index 0000000000000..6ff804b3e4de5
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
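Review bot: The `[ req ]` section declares no `x509_extensions` or `req_extensions`, so a certificate produced from this config carries neither basicConstraints nor a subjectAltName, yet its CN is "Unit Test CA"; the certs.sh hunk generates it with `generate_selfsigned_x509_cert unittest`, so it is a self-signed leaf whose name suggests a CA role it does not assert (assuming that helper consumes this cfg, which the hunk does not show). Either rename the CN or document the intent at the top of the file, e.g. `# Self-signed unit-test certificate; no extensions are requested, so it is a leaf despite the "CA" in its CN.`.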
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwzCCAqsCFFhdk4KsJ1P+AdrZbrUMmzyfNxrPMA0GCSqGSIb3DQEBCwUAMIGd +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu +IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl +cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0 +dGVzdEBseWZ0LmNvbTAeFw0yMDEwMjEyMzA3NThaFw0yMjEwMjEyMzA3NThaMIGd +MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu +IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl +cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0 +dGVzdEBseWZ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL93 +hRLp1s4yNZHUzG+ofX13rgNfiRC9pFVJt4aZYldh440+ZfQDotPsQCaa1Nm+zPHz +leZCxWfRVK82VGWmVy3PLExzuMr8Ar/ypwvQXxnCaZAeIYd1e917LM21jHu/CfV8 +VLF1ZtrknowZWoCll1CarmYDkQfYDSk+RcQo8XIkLeYV5JHbGK7jGoDMYmBO2Gdp +XW4FpVi9vb7pRUfUu3ot0q1SCYGew+YrwT3yWteku66nw8cutIQEbEo00OI8wbHG +Vuh7yY8bTdBS9r4rsQpOCSm6k5a1eKPpv8CfJdKyuXDbx2gbvFjFF6hjgp8+LCE2 +0GpLvf0VMxOVf9XZE/cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAt9aJc3imaGQD +1+c81ZiItdBpFJRLuO1MHmXgwJUnouJz4uT+KFkDbThaABg/L3Q/s0boWy+u9S5s +ae8FcFvniMUBIjKzkizw6ZI6xTG6VMPDTklwWxNrNEzIBkNrcUkje/X/reyi56B+ +cbjpRJ8j0joV6xqBMFn+qMPIvAMSDJD4lMnjSxGZliDIlPvuk96RVNlF8Y18d/6G +ThWuVgN3CyoG+JXs2sSGbqLzWCnB8zgU0VN7CZZu4yh/cE9uNc0z5M66Adrh4eJl +pO/WWWxXHxIveRtH7DV9vhWE78KJRCcIec5Ta+X1evX1beKiNZd/5Elkyb613hTJ +lCkcOlSebQ== +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h new file mode 100644 index 0000000000000..bc725d6e6b4ee --- /dev/null +++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h 
@@ -0,0 +1,8 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_UNITTEST_CERT_256_HASH[] =
+ "36c86c016f8b243b681a094c11d394ac06edac336a3ece479a1b2eeb455b1492";
+constexpr char TEST_UNITTEST_CERT_1_HASH[] = "82be621a0f4b6046365496788befbe2e95977eb1";
+constexpr char TEST_UNITTEST_CERT_SPKI[] = "eWpfAfOA1JddINxIW/64Lc6XHpeo0u9IHx6dE42p9jw=";
+constexpr char TEST_UNITTEST_CERT_SERIAL[] = "585d9382ac2753fe01dad96eb50c9b3c9f371acf";
+constexpr char TEST_UNITTEST_CERT_NOT_BEFORE[] = "Oct 21 23:07:58 2020 GMT";
+constexpr char TEST_UNITTEST_CERT_NOT_AFTER[] = "Oct 21 23:07:58 2022 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
new file mode 100644
index 0000000000000..dd3456d15fb62
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
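Review bot: `TEST_UNITTEST_CERT_NOT_AFTER` pins the committed certificate's validity end to Oct 21 2022, so any test that checks time-to-expiry or that the chain is currently valid becomes a function of the wall clock once this static cert replaces a per-run generated one, as the certs.sh addition suggests it does; with a two-year window those checks will start failing around that date unless the tests use an injected time source. A longer validity in certs.sh, or driving the expectation from these constants rather than from fixed numbers, limits the drift. The header should also say where these values come from and that they must be refreshed together with the PEM, e.g. `// Derived from unittest_cert.pem; regenerate this header whenever that file changes.`.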
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAv3eFEunWzjI1kdTMb6h9fXeuA1+JEL2kVUm3hpliV2HjjT5l +9AOi0+xAJprU2b7M8fOV5kLFZ9FUrzZUZaZXLc8sTHO4yvwCv/KnC9BfGcJpkB4h +h3V73XsszbWMe78J9XxUsXVm2uSejBlagKWXUJquZgORB9gNKT5FxCjxciQt5hXk +kdsYruMagMxiYE7YZ2ldbgWlWL29vulFR9S7ei3SrVIJgZ7D5ivBPfJa16S7rqfD +xy60hARsSjTQ4jzBscZW6HvJjxtN0FL2viuxCk4JKbqTlrV4o+m/wJ8l0rK5cNvH +aBu8WMUXqGOCnz4sITbQaku9/RUzE5V/1dkT9wIDAQABAoIBAFZlFAMIyQiZ11pK +b0Ui/h0TV83l2e9X40Mo1EtEAv/zB77AHTkSOvLtc7T3wHvQgKHcjBMupezGpDO7 +jDGh8UyWYyLMROIy/Pqn/4BxMbhp5UBGmFKLTK0P25OnDBD6jv/abkz08MhsyK3m +8tOB5NlWMsONcG/dqXKmysxMvUYHDMlF3Re5PmvyWVKpclqYxWWXRSAy/FygSUPN +bCwKSv1QXytNefkN7n/G8WaGLU52pff3HMpt4JwTl5rnOiPRZGowFPJnNgO9uW85 +Rj620Db+MZzmJvTeSkxgpIUYUuDtgrvARYa+4y0Lajl4EHkCKg0YYzXbDPORFQ3M +WwN9LqECgYEA8B5I/lYU2QNyIlHjXx2KeKArCriL5sd0KCBHgcE586wyVb5vonET +ovNq8IH+2F4h8d+gbkzoQ2oGYsmM1AiCoxkio6c2KgAUHBbpGfjf92zSDirqBTqg +xha25eXElbu44EkiDWxpy944LkFlNiCLb9+5yqyfqqyixvxRtSBWtAsCgYEAzCF2 +WFn73i7zBNA/6yjodLUXy0BUjL38WV4HU3WDEbPp28e/+NLoWXH/B9BH950J+EGI +LPwjpk6ODhYeMknsdzYV8X5RkOuft7B0yrrdInN+vtIlvZmRd47esuJTcnj3zuUB +2B4TkmWUFf6kLn+TXwLB0wbsj9ieZMJzQkdSx0UCgYEAlBjJwnyLTTHv4jUJfK+2 +qSF4ips6RnN8NAd8sw3fVWg+f13+cn01tEpYCdDTwtWEMC9SPtWWZ4XsPF+9SUWa +dUfacn9+S7dSr+R9jvROBsgKYoybW/BGGwcFdZQahJOMumDA7PCR7Bi6I+VXrGO0 +PKMLb3K648SofPxA1OsGLvMCgYEAqzOhYuZNRIIR1cam5R6RH1jGlPPmNYgdvgIL +mOakv9Mp3ud/zTtuHZ5rK212/mhZ9TlY8YmiiJe3sn7AYqL3TOAytTChTi8f7Fp1 +CZaBYqSE95uehY7nnuNXSaZiIE7uXzpYOp63AYBqG6xOnKTov7W7Q7a57sbZyV4A +duUEuxUCgYEAnxFo8ln1H2QcxQS/y8l8r4MRXj9weDhlp/eXtfgd8JiJ5m+E6r+D +tr2wg6Q92ertogdaMvXiPfi/5qiTqsJvTahqx1E2WYRHxywkfbte1a/3bGNxe3Gr +bba7Pd1JXwJ1s8ahB7yoS/xyYLSl5fmE3N14j8wwkmtv1q3TNstmg3Y= +-----END RSA PRIVATE KEY-----