envoyproxy · mattklein123 · Jan 18, 2018 · Jan 18, 2018 · Jan 18, 2018
diff --git a/test/common/ssl/context_impl_test.cc b/test/common/ssl/context_impl_test.cc
@@ -109,8 +109,8 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
 TEST_F(SslContextImplTest, TestExpiredCert) {
   std::string json = R"EOF(
   {
-      "cert_chain_file": "{{ test_tmpdir }}/unittestcert_expired.pem",
-      "private_key_file": "{{ test_tmpdir }}/unittestkey_expired.pem"
+      "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/expired_cert.pem",
+      "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/expired_key.pem"
   }
   )EOF";
 

diff --git a/test/common/ssl/gen_unittest_certs.sh b/test/common/ssl/gen_unittest_certs.sh
@@ -1,11 +1,14 @@
 #!/bin/bash
 #
-# Create a test certificate with a 15-day expiration for SSL tests
+# Create a test certificate with a 15-day expiration for SSL tests.
 
 set -e
 
-TEST_CERT_DIR=$TEST_TMPDIR
-export OPENSSL_CONF="$TEST_CERT_DIR"/openssl.cnf
+TEST_CERT_DIR="${TEST_TMPDIR}"
+
+mkdir -p "${TEST_CERT_DIR}"
+
+export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf
 (cat << EOF
 [ req ]
 default_bits            = 2048
@@ -33,24 +36,10 @@ commonName_max                  = 64
 emailAddress                    = Email Address
 emailAddress_max                = 64
 EOF
-) > "$OPENSSL_CONF"
+) > "${OPENSSL_CONF}"
 
-mkdir -p $TEST_CERT_DIR
-openssl genrsa -out $TEST_CERT_DIR/unittestkey.pem 1024
-openssl genrsa -out $TEST_CERT_DIR/unittestkey_expired.pem 1024
-openssl req -new -key $TEST_CERT_DIR/unittestkey.pem -out $TEST_CERT_DIR/unittestcert.csr \
-    -sha256 <<EOF
-US
-California
-San Francisco
-Lyft
-Test
-Unit Test CA
-unittest@lyft.com
-
-
-EOF
-openssl req -new -key $TEST_CERT_DIR/unittestkey_expired.pem -out $TEST_CERT_DIR/unittestcert_expired.csr \
+openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 1024
+openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \
     -sha256 <<EOF
 US
 California
@@ -62,7 +51,5 @@ unittest@lyft.com
 
 
 EOF
-openssl x509 -req -days 15 -in $TEST_CERT_DIR/unittestcert.csr -sha256 -signkey \
-    $TEST_CERT_DIR/unittestkey.pem -out $TEST_CERT_DIR/unittestcert.pem
-openssl x509 -req -days -365 -in $TEST_CERT_DIR/unittestcert_expired.csr -sha256 -signkey \
-    $TEST_CERT_DIR/unittestkey_expired.pem -out $TEST_CERT_DIR/unittestcert_expired.pem
+openssl x509 -req -days 15 -in "${TEST_CERT_DIR}/unittestcert.csr" -sha256 \
+    -signkey "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.pem"
diff --git a/test/common/ssl/test_data/README.md b/test/common/ssl/test_data/README.md
@@ -1,11 +1,11 @@
 # What are the identities, certificates and keys
-There are 6 identities:
+There are 9 identities:
 - **CA**: Certificate Authority for **No SAN**, **SAN With URI** and **SAN With
   DNS**. It has the self-signed certificate *ca_cert.pem*. *ca_key.pem* is its
   private key.
--- **Fake CA**: Fake Certificate Authority used to validate verification logic.
--  It has the self-signed certificate *fake_ca_cert.pem"*. *fake_ca_key.pem" is
--  its private key.
+- **Fake CA**: Fake Certificate Authority used to validate verification logic.
+  It has the self-signed certificate *fake_ca_cert.pem"*. *fake_ca_key.pem" is
+  its private key.
 - **No SAN**: It has the certificate *no_san_cert.pem*, signed by the **CA**.
   The certificate does not have SAN field. *no_san_key.pem* is its private key.
 - **SAN With URI**: It has the certificate *san_uri_cert.pem*, which is signed
@@ -21,11 +21,19 @@ There are 6 identities:
 - **SAN only**: Same as *SAN With DNS* except that the certificate doesn't have the
   CommonName set. It has certificate *san_only_dns_cert.pem*, *san_only_dns_key.pem*
   is its private key.
-- **Self-signed**: The self-signed certificate *selfsigned_cert.pem", using the
+- **Self-signed**: The self-signed certificate *selfsigned_cert.pem*, using the
   config *selfsigned_cert.cfg*. *selfsigned_key.pem* is its private key.
+- **Expired**: A self-signed, expired certificate *expired_cert.pem*,
+  using the config *selfsigned_cert.cfg*. *expired_key.pem* is its private
+  key.
 
 # How to update certificates
 **certs.sh** has the commands to generate all files except the private key
 files. Running certs.sh directly will cause the certificate files to be
 regenerated. So if you want to regenerate a particular file, please copy the
 corresponding commands from certs.sh and execute them in command line.
+
+Note that Mac OS is unable to generate the expired unit test cert starting
+with its switch from OpenSSL to LibreSSL in High Sierra (10.13). Specifically,
+that version of the openssl command will not accept a non-positive "-days"
+parameter.
diff --git a/test/common/ssl/test_data/certs.sh b/test/common/ssl/test_data/certs.sh
@@ -11,6 +11,7 @@ set -e
 # openssl genrsa -out san_multiple_dns_key.pem 1024
 # openssl genrsa -out san_uri_key.pem 1024
 # openssl genrsa -out selfsigned_key.pem 1024
+# openssl genrsa -out expired_key.pem 1024
 
 # Generate ca_cert.pem.
 openssl req -new -key ca_key.pem -out ca_cert.csr -config ca_cert.cfg -batch -sha256
@@ -50,6 +51,10 @@ openssl x509 -req -days 730 -in san_uri_cert.csr -sha256 -CA ca_cert.pem -CAkey
 # Generate selfsigned_cert.pem.
 openssl req -new -x509 -days 730 -key selfsigned_key.pem -out selfsigned_cert.pem -config selfsigned_cert.cfg -batch -sha256
 
+# Generate expired_cert.pem (will fail on Mac OS 10.13+ because of negative days value).
+openssl req -new -key expired_key.pem -out expired_cert.csr -config selfsigned_cert.cfg -batch -sha256
+openssl x509 -req -days -365 -in expired_cert.csr -signkey expired_key.pem -out expired_cert.pem
+
 # Write session ticket key files
 openssl rand 80 > ticket_key_a
 openssl rand 80 > ticket_key_b

diff --git a/test/common/ssl/test_data/expired_cert.pem b/test/common/ssl/test_data/expired_cert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICazCCAdQCCQDsBjAJnQmA2DANBgkqhkiG9w0BAQsFADB6MQswCQYDVQQGEwJV
+UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEN
+MAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEUMBIGA1UE
+AwwLVGVzdCBTZXJ2ZXIwHhcNMTgwMTE4MDEyMTEwWhcNMTcwMTE4MDEyMTEwWjB6
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEUMBIGA1UEAwwLVGVzdCBTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAL9RYeyNkS3mXJwsmRJgl2M6hMeAP1O11uSwbru9sWitb1brdhCRQGIc
+4OopVXoyg97mm0DjuC61+OJwpFrMlIxu56i1Lf5n7CEL1WDncO5SEf6ihsK+fUcA
+eX9kBw1Puuj9bYlYFHFu1O8r+N1R2mHI/zrwh5oPk81erZ279dxLAgMBAAEwDQYJ
+KoZIhvcNAQELBQADgYEADbFxNpKsTBbe2s8oBvIpOzk2hMurd3flI+w+I4pt5etn
+3PBpVKewwxwnjUoJ01im9UL0G6u7n4DdSSftaiazXV5peSMU4dHq3x+4bAUsQQFI
+r76dCksa1N85UA0lxE9tTIxYEDbDHvmJ2rUhvaNh1hipeL77RdNPmkDvEcUHwOY=
+-----END CERTIFICATE-----
diff --git a/test/common/ssl/test_data/expired_key.pem b/test/common/ssl/test_data/expired_key.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/UWHsjZEt5lycLJkSYJdjOoTHgD9TtdbksG67vbForW9W63YQ
+kUBiHODqKVV6MoPe5ptA47gutfjicKRazJSMbueotS3+Z+whC9Vg53DuUhH+oobC
+vn1HAHl/ZAcNT7ro/W2JWBRxbtTvK/jdUdphyP868IeaD5PNXq2du/XcSwIDAQAB
+AoGAcVkaFzhYh0UwIScbGZQ4nQWSnVASNNpLEvqk4H4mmcoHaQvfyzkDWB2b85/B
+kMBU+L7PxMYl3Sba6e2qslD6wKEZRmxbGpssgLHWlWr/h8CXEVEmEh60I2VrDIcx
+3h4Fdb4Rhx6d3EPnYaK2Zj+7m+LP1ipeAbLPMwABsPdIKcECQQD31ruLp+ido/cR
+2fTTptGEo2LJ4xvySkB1LofL+9bzz5I0hCoMMGEXJ0egezAT8T+vTbweonbyny65
+YKXzAhxpAkEAxZ4ujkirfjqVOAq5J4KSUYpyH4h+ErSAdHbdatn+AFRiE1BZkpb1
+Fny/0gLnxnTU/zeKns9aVQteEGwOEEGskwJAFymle4bk0Z7aX3u8Su+jUz8l43Jr
+UTipT4pavLC7xSuYIXpcp6j52f0cz53Tv3ljl1GvjDlo3oIMDt0+hTikSQJBALYU
+aRDwJBLKJ3Lbbn3Y8Lfwt/YV7ROO/ExSuPAaqs3i8fqZre5C6M8vYg4+Xw+b1iTR
+KAfrRW/WaXT4Gn0gBcECQQDK6bFpQuoEZTFqThfmvfurnNZDnfWaK6As9DW0F6lA
+FMr1bcuJqVxW85hWwnf7is8sEHXUNUV3z56GFTW4S5PC
+-----END RSA PRIVATE KEY-----