Expand Up @@ -374,6 +374,37 @@ name: envoy.tls.cert_validator.spiffe
}
}

TEST_F(TestSPIFFEValidator, TestDoVerifyCertChainIntermediateCerts) {
initialize(TestEnvironment::substitute(R"EOF(
name: envoy.tls.cert_validator.spiffe
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
trust_domains:
- name: example.com
trust_bundle:
filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
)EOF"));

X509StorePtr ssl_ctx = X509_STORE_new();

// Chain contains workload, intermediate, and ca cert, so it should be accepted.
auto cert = readCertFromFile(TestEnvironment::substitute(
"{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
"spiffe_san_signed_by_intermediate_cert.pem"));
auto intermediate_ca_cert = readCertFromFile(TestEnvironment::substitute(
"{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/"
"intermediate_ca_cert.pem"));

STACK_OF(X509)* intermediates = sk_X509_new_null();
sk_X509_push(intermediates, intermediate_ca_cert.release());

X509StoreContextPtr store_ctx = X509_STORE_CTX_new();
EXPECT_TRUE(X509_STORE_CTX_init(store_ctx.get(), ssl_ctx.get(), cert.get(), intermediates));
EXPECT_TRUE(validator().doVerifyCertChain(store_ctx.get(), nullptr, *cert, nullptr));

sk_X509_pop_free(intermediates, X509_free);
}

void addIA5StringGenNameExt(X509* cert, int type, const std::string name) {
GeneralNamesPtr gens = sk_GENERAL_NAME_new_null();
GENERAL_NAME* gen = GENERAL_NAME_new(); // ownership taken by "gens"
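Review bot: The new test proves only that a chain carrying the intermediate is accepted; nothing checks that the same leaf is rejected when the `intermediates` stack is absent, so a validator that ignored the untrusted chain (or accepted any chain) would still pass. A second store context initialised without a chain, `X509StoreContextPtr no_chain_ctx = X509_STORE_CTX_new();` / `EXPECT_TRUE(X509_STORE_CTX_init(no_chain_ctx.get(), ssl_ctx.get(), cert.get(), nullptr));` / `EXPECT_FALSE(validator().doVerifyCertChain(no_chain_ctx.get(), nullptr, *cert, nullptr));`, would pin the behaviour the test name describes — this presumes the leaf is not directly signed by `ca_cert.pem`, which the fixture name suggests but the hunk does not show. `intermediates` is also freed by hand at the end while every other handle in the test is held by an owning pointer type; if a scoped deleter for `STACK_OF(X509)` exists in this file it would be consistent to use it. The local `ssl_ctx` holds an `X509_STORE`, not an SSL context; `store` would describe it better.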
5 changes: 5 additions & 0 deletions test/extensions/transport_sockets/tls/test_data/certs.sh
Expand Up @@ -277,3 +277,8 @@ cp -f spiffe_san_cert.cfg expired_spiffe_san_cert.cfg
generate_rsa_key expired_spiffe_san
generate_x509_cert expired_spiffe_san ca -365
rm -f expired_spiffe_san_cert.cfg

cp -f spiffe_san_cert.cfg spiffe_san_signed_by_intermediate_cert.cfg
generate_rsa_key spiffe_san_signed_by_intermediate
generate_x509_cert spiffe_san_signed_by_intermediate intermediate_ca
rm -f spiffe_san_signed_by_intermediate_cert.cfg
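Review bot: The new block at the end of the script gives no hint of why this certificate exists, unlike the `expired_spiffe_san` block above it whose name carries the intent; a one-line comment such as `# SPIFFE SAN cert issued by the intermediate CA, for the intermediate-chain validator test.` above the `cp -f` line would help the next person regenerating the fixtures. The block also relies on the `intermediate_ca` key and certificate having been generated earlier in the script, which the hunk does not show, so it must stay ordered after them if the file is reorganised.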
@@ -0,0 +1,26 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
@@ -0,0 +1,12 @@
// NOLINT(namespace-envoy)
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_256_HASH[] =
"dbe6287d60a13301a0029545571416209be7d07d9a3b7a024e0e50c62dc9c196";
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_1_HASH[] =
"301c86cf68eae1fed88dff935d5425a33acac6cd";
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_SPKI[] =
"7HyQL+bBrylQPcFkicayv3jTPp6DEnZzQfpvxchaQMA=";
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_SERIAL[] =
"4d7ce572f781ee9764cb36d052a693b0044e157b";
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_NOT_BEFORE[] =
"Nov 5 14:41:49 2021 GMT";
constexpr char TEST_SPIFFE_SAN_SIGNED_BY_INTERMEDIATE_CERT_NOT_AFTER[] = "Nov 5 14:41:49 2023 GMT";
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----