diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
index cf77bdf3737a8..07206e156a72b 100644
--- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
+++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc
@@ -374,6 +374,37 @@ name: envoy.tls.cert_validator.spiffe
 }
 }
 
+TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainIntermediateCerts) {
+  initialize(TestEnvironment::substitute(R"EOF(
+name: envoy.tls.cert_validator.spiffe
+typed_config:
+  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
+  trust_domains:
+  - name: example.com
+    trust_bundle:
+      filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
+  )EOF"));
+
+  X509StorePtr ssl_ctx = X509_STORE_new();
+
+  // Chain contains workload, intermediate, and ca cert, so it should be accepted.
+  auto cert = readCertFromFile(TestEnvironment::substitute(
+      "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
+      "spiffe_san_signed_by_intermediate_cert.pem"));
+  auto intermediate_ca_cert = readCertFromFile(TestEnvironment::substitute(
+      "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
+      "intermediate_ca_cert.pem"));
+
+  STACK_OF(X509)* intermediates = sk_X509_new_null();
+  sk_X509_push(intermediates, intermediate_ca_cert.release());
+
+  X509StoreContextPtr store_ctx = X509_STORE_CTX_new();
+  EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), intermediates));
+  EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr));
+
+  sk_X509_pop_free(intermediates, X509_free);
+}
+
 void addIA5StringGenNameExt(X509* cert, int type, const std::string name) {
   GeneralNamesPtr gens = sk_GENERAL_NAME_new_null();
   GENERAL_NAME* gen = GENERAL_NAME_new(); // ownership taken by "gens"
diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh
index 4afb702255f75..fc45baa58ca39 100755
--- a/test/extensions/transport_sockets/tls/test_data/certs.sh
+++ b/test/extensions/transport_sockets/tls/test_data/certs.sh
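Review bot: TestDoVerifyCertChainIntermediateCerts asserts only the accepting path — that `doVerifyCertChain` returns true once `intermediate_ca_cert` is on the `intermediates` stack — so it would pass just as well if the validator accepted any SPIFFE leaf for a configured trust domain without building a path through the intermediate. A second `X509_STORE_CTX` in the same test, initialised with an empty `sk_X509_new_null()` stack and followed by `EXPECT_FALSE(validator().doVerifyCertChain(...))`, would pin that the supplied chain is actually what makes the verification succeed. Separately, the return values of `sk_X509_new_null()` and `sk_X509_push(intermediates, intermediate_ca_cert.release())` are unchecked; on a failed push the released certificate leaks and the later `X509_STORE_CTX_init` silently verifies a one-element chain, so an ASSERT on the push result would make the fixture fail loudly rather than misreport. The test body is fully inside the hunk.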
@@ -277,3 +277,8 @@ cp -f spiffe_san_cert.cfg expired_spiffe_san_cert.cfg
 generate_rsa_key expired_spiffe_san
 generate_x509_cert expired_spiffe_san ca -365
 rm -f expired_spiffe_san_cert.cfg
+
+cp -f spiffe_san_cert.cfg spiffe_san_signed_by_intermediate_cert.cfg
+generate_rsa_key spiffe_san_signed_by_intermediate
+generate_x509_cert spiffe_san_signed_by_intermediate intermediate_ca
+rm -f spiffe_san_signed_by_intermediate_cert.cfg
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
new file mode 100644
index 0000000000000..81a786bc61aa6
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert.pem
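Review bot: `generate_x509_cert spiffe_san_signed_by_intermediate intermediate_ca` passes no validity argument, unlike the `expired_spiffe_san` line just above it which passes `-365` explicitly, so the new certificate's lifetime is whatever the helper defaults to (the checked-in `_cert_info.h` records Nov 5 2021 to Nov 5 2023). The new validator test only passes while this leaf and `intermediate_ca_cert.pem` are both inside their validity windows, and nothing here ties the two regeneration steps together. A one-line comment above the new `cp -f`, `# Leaf issued by intermediate_ca; regenerate together with intermediate_ca_cert.pem when either expires`, would record that coupling for whoever next refreshes the test data.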
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEUjCCAzqgAwIBAgIUTXzlcveB7pdkyzbQUqaTsAROFXswDQYJKoZIhvcNAQEL
+BQAwgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQH
+DA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVu
+Z2luZWVyaW5nMR0wGwYDVQQDDBRUZXN0IEludGVybWVkaWF0ZSBDQTAeFw0yMTEx
+MDUxNDQxNDlaFw0yMzExMDUxNDQxNDlaMHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
+DApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARM
+eWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRQwEgYDVQQDDAtUZXN0IFNl
+cnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMUT5l1GdPh2XJD6
+xnr4FAJi0krqtnbSGk9DdtCCckpRXJrs8qXU1ksQG1FTHRlfbKhOs9LVqQSj8jQu
+haeG+M7Lr4gT2twZCOAo/mzCfvUGGWghtZDZj9ksbpE2Y1BxawpzOpjAjrQ7nNIw
+BDTxBv0ySOvJnfx6CnUQAwjj6ovtqWLHfmeSYiQMQLfHWFZiMh0GGUkyf1tm2INS
+cI1LQX4XfLb4u99m4mw1OOILbrF5PQWxHSg94jxFUMBmB7B+C87T7qZdfzZAOxJ6
+weeQ/6B0V3K7+XIZPG12FfVevX2PvTJq801me9Eto0e1rcdP05ckYFTyXkPSLorg
+owvbDNMCAwEAAaOBxTCBwjAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNV
+HSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwRgYDVR0RBD8wPYIJZW52b3kuY29t
+hh1zcGlmZmU6Ly9leGFtcGxlLmNvbS93b3JrbG9hZIERZW52b3lAZXhhbXBsZS5j
+b20wHQYDVR0OBBYEFMo38WSUt+hgmycQhiFjugeebBApMB8GA1UdIwQYMBaAFKbQ
+dxTWui6GjBedEeOPwmCUdTCwMA0GCSqGSIb3DQEBCwUAA4IBAQB/no6yxvq/joiE
+JYFQH7eDIpF6HB30SqMAYQMi4QQ6dP7FOmiHa1jV7NM/+iNq71/H5AFg+h1veVT/
+gAcg2hIuL6wk16MUqEzHng8nLI6Vy1pAHOE6YlFCOI5jgTkm9gfWWmGDQl4+7TZ1
+NRpfaogAsSxCTFnauR9Lau6HoOQEUknv1yERcB3c8JsjRGT5SQrpiVOxbXts2gTL
+lnYWogZeNzchEeq0tgiljG/hSdrGar/irfU3LMLSP4i1H1kvdZQ+Htdt0OXh4H4A
+cdXEN6ltFeN7DQbiXHNTjqbwZYGXcjYcFjoTNaAIDNVweYipUMQcMMC1ufhgcth1
+k00XU3J9
+-----END CERTIFICATE-----
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
new file mode 100644
index 0000000000000..7d9a92c283a5c
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_cert_info.h
@@ -0,0 +1,12 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_256_HASH[] =
+    "dbe6287d60a13301a0029545571416209be7d07d9a3b7a024e0e50c62dc9c196";
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_1_HASH[] =
+    "301c86cf68eae1fed88dff935d5425a33acac6cd";
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_SPKI[] =
+    "7HyQL+bBrylQPcFkicayv3jTPp6DEnZzQfpvxchaQMA=";
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_SERIAL[] =
+    "4d7ce572f781ee9764cb36d052a693b0044e157b";
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_NOT_BEFORE[] =
+    "Nov 5 14:41:49 2021 GMT";
+constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_NOT_AFTER[] = "Nov 5 14:41:49 2023 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
new file mode 100644
index 0000000000000..ad5b35d7c7ab7
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/spiffe_san_signed_by_intermediate_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxRPmXUZ0+HZckPrGevgUAmLSSuq2dtIaT0N20IJySlFcmuzy
+pdTWSxAbUVMdGV9sqE6z0tWpBKPyNC6Fp4b4zsuviBPa3BkI4Cj+bMJ+9QYZaCG1
+kNmP2SxukTZjUHFrCnM6mMCOtDuc0jAENPEG/TJI68md/HoKdRADCOPqi+2pYsd+
+Z5JiJAxAt8dYVmIyHQYZSTJ/W2bYg1JwjUtBfhd8tvi732bibDU44gtusXk9BbEd
+KD3iPEVQwGYHsH4LztPupl1/NkA7EnrB55D/oHRXcrv5chk8bXYV9V69fY+9Mmrz
+TWZ70S2jR7Wtx0/TlyRgVPJeQ9IuiuCjC9sM0wIDAQABAoIBACUWOprBAJAlTgQm
+fSV0++b7C9H3W4D+xt61tm1ErxdXOlMZVgxpAi68CDgEqQw2Te9aaDK77IOoCpNR
+UeuV1cqswAqemegjee0dKcvzygp4LF3RQibRGmXnG6OOFaB0x4z+5D8MtY4rTbas
+PI5t8T/Cr8BXf7icis0+xyNsKJ5ONPucYUMYel2AeuLDx0Hkg3CIptyy06Ai7rBX
+SqTzoXZ3t+TBwFQvPZj8P8QDtBJiAg7TUFPJfbaYx8lsU8cvWTeCBIytphCh2YB5
+ILVdJXvql4dlET0W8pFEi29dhRkl0yGIcyJqYtkzCuKf4HuyJ1PahR+nHUXN/b+d
+GOefGgECgYEA/6WkoQeulNsSXlpUP6osLGlC2d99O4rPECe0HFRxCKVvtBLF59x/
+XL0V+DK+hSp2D9grYIJ2sMzCz88+I+SLRu8umeahXQz2bAgJUBz13sREhHzaKEgy
+/9pfO2CFB+YxxqG9UHaSMMntOEUbHFYuoIkxPGJMWsIe7VieQLfAkdMCgYEAxVmO
+SVghy2A07kZP6YonLIR0cdiPAJ/H5tg+7bz3kHX9+zzlkVHFNwJXYrim+fckS8cO
+e6Iw27S+9jd1X2qn+NpZC/WYlNxCeofzF0eBebiLf/kWTJVbK3H/8aUKxR/pCAkP
+A/x45KQd8Dd/lNWPpgzFD0UcxJJ3dk0/PS3DuQECgYAn8rlsFGg6iJUxO0pI/I2U
+jwpMQ3ktUb6TlrC1cJiNMlTnPbvBRJp+YmnJdByDcKQsS6pTlW94pzaWBJuAPllp
+Rzzv/bMfeEQVk5fo9e2R1veiAGSSwN1/T59sBuQi3NzQXjvYE/86MoOoNFxNLEZy
+/Z09A1tNH2J30k5AbLZh0wKBgQCvQxtj84r/rM8VFQh/JRwpIvCu8l39dej4D+/C
+/mD1wHPwnWJbLj1w3vlwSQCxWVS4n20zSxUM6XX1/8aTGItYK8GNJ218Nigr3XR7
+phtMWCI7YqD1Hmc7LCDbH3FzIyW25ySYq61JkJ6t6Pu61/acxxZyuzQTNug0/eE9
+mdkKAQKBgQCGS8VAgnFfgOSRUH2gk+tbedyGSwqDZIDfC0Ky+vZQuW7NAeBh7xh0
+46IoCsL2rAdEOq9GrjFrWwb29U3MVVJnNb0BKC4UsIuelNFTuULHGKFq8uG4pTp4
+Lc8UKDyavNZ8IQV8LLCsbAYnWGjjQAXtnBano+syQsJuYs2k68wrow==
+-----END RSA PRIVATE KEY-----