2018-05-23 14:43:40 -07:00
|
|
|
package ca
|
2018-04-20 20:39:51 -07:00
|
|
|
|
|
|
|
import (
|
2018-06-19 15:10:24 -07:00
|
|
|
"crypto/x509"
|
2018-05-03 12:50:45 -07:00
|
|
|
"fmt"
|
2018-04-20 20:39:51 -07:00
|
|
|
"testing"
|
2018-04-26 23:02:18 -07:00
|
|
|
"time"
|
2018-04-20 20:39:51 -07:00
|
|
|
|
2020-10-23 15:21:37 -04:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
2018-04-26 23:02:18 -07:00
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
2021-12-02 17:10:25 -05:00
|
|
|
"github.com/hashicorp/consul/agent/consul/fsm"
|
2018-05-03 12:50:45 -07:00
|
|
|
"github.com/hashicorp/consul/agent/consul/state"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2018-04-20 20:39:51 -07:00
|
|
|
)
|
|
|
|
|
2018-05-03 12:50:45 -07:00
|
|
|
type consulCAMockDelegate struct {
|
|
|
|
state *state.Store
|
|
|
|
}
|
|
|
|
|
2021-11-11 19:03:52 -05:00
|
|
|
func (c *consulCAMockDelegate) ProviderState(id string) (*structs.CAConsulProviderState, error) {
|
|
|
|
_, s, err := c.state.CAProviderState(id)
|
|
|
|
return s, err
|
2018-05-03 12:50:45 -07:00
|
|
|
}
|
|
|
|
|
2020-01-09 09:32:19 -06:00
|
|
|
func (c *consulCAMockDelegate) ApplyCARequest(req *structs.CARequest) (interface{}, error) {
|
2021-12-02 17:10:25 -05:00
|
|
|
idx, _, err := c.state.CAConfig(nil)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
result := fsm.ApplyConnectCAOperationFromRequest(c.state, req, idx+1)
|
|
|
|
if err, ok := result.(error); ok && err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return result, nil
|
2018-05-03 12:50:45 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func newMockDelegate(t *testing.T, conf *structs.CAConfiguration) *consulCAMockDelegate {
|
2020-10-23 15:21:37 -04:00
|
|
|
s := state.NewStateStore(nil)
|
2018-05-03 12:50:45 -07:00
|
|
|
if s == nil {
|
|
|
|
t.Fatalf("missing state store")
|
|
|
|
}
|
2018-06-15 17:59:08 -07:00
|
|
|
if err := s.CASetConfig(conf.RaftIndex.CreateIndex, conf); err != nil {
|
2018-05-03 12:50:45 -07:00
|
|
|
t.Fatalf("err: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return &consulCAMockDelegate{s}
|
|
|
|
}
|
|
|
|
|
|
|
|
func testConsulCAConfig() *structs.CAConfiguration {
|
|
|
|
return &structs.CAConfiguration{
|
2019-11-01 13:20:26 +00:00
|
|
|
ClusterID: connect.TestClusterID,
|
2018-05-03 12:50:45 -07:00
|
|
|
Provider: "consul",
|
2018-09-13 15:43:00 +01:00
|
|
|
Config: map[string]interface{}{
|
|
|
|
// Tests duration parsing after msgpack type mangling during raft apply.
|
2021-11-02 11:02:10 -07:00
|
|
|
"LeafCertTTL": []byte("72h"),
|
|
|
|
"IntermediateCertTTL": []byte("288h"),
|
|
|
|
"RootCertTTL": []byte("87600h"),
|
2018-09-13 15:43:00 +01:00
|
|
|
},
|
2018-05-03 12:50:45 -07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-18 14:22:19 +00:00
|
|
|
func testProviderConfig(caCfg *structs.CAConfiguration) ProviderConfig {
|
|
|
|
return ProviderConfig{
|
|
|
|
ClusterID: caCfg.ClusterID,
|
|
|
|
Datacenter: "dc1",
|
|
|
|
IsPrimary: true,
|
|
|
|
RawConfig: caCfg.Config,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-23 12:52:35 -05:00
|
|
|
func requireNotEncoded(t *testing.T, v []byte) {
|
|
|
|
t.Helper()
|
|
|
|
require.False(t, connect.IsHexString(v))
|
|
|
|
}
|
|
|
|
|
2018-06-13 01:40:03 -07:00
|
|
|
func TestConsulCAProvider_Bootstrap(t *testing.T) {
|
2018-04-20 20:39:51 -07:00
|
|
|
t.Parallel()
|
|
|
|
|
2018-09-06 19:18:54 -07:00
|
|
|
require := require.New(t)
|
2018-05-03 12:50:45 -07:00
|
|
|
conf := testConsulCAConfig()
|
|
|
|
delegate := newMockDelegate(t, conf)
|
2018-04-20 20:39:51 -07:00
|
|
|
|
2019-11-11 15:30:01 -05:00
|
|
|
provider := TestConsulProvider(t, delegate)
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider.Configure(testProviderConfig(conf)))
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(provider.GenerateRoot())
|
2018-04-20 20:39:51 -07:00
|
|
|
|
|
|
|
root, err := provider.ActiveRoot()
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(err)
|
2018-04-20 20:39:51 -07:00
|
|
|
|
2018-04-26 23:02:18 -07:00
|
|
|
// Intermediate should be the same cert.
|
|
|
|
inter, err := provider.ActiveIntermediate()
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(err)
|
|
|
|
require.Equal(root, inter)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
2018-05-03 12:50:45 -07:00
|
|
|
// Should be a valid cert
|
|
|
|
parsed, err := connect.ParseCert(root)
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(err)
|
|
|
|
require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", conf.ClusterID))
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, parsed.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, parsed.AuthorityKeyId)
|
2021-11-02 11:02:10 -07:00
|
|
|
|
|
|
|
// test that the root cert ttl is the same as the expected value
|
|
|
|
// notice that we allow a margin of "error" of 10 minutes between the
|
|
|
|
// generateCA() creation and this check
|
|
|
|
defaultRootCertTTL, err := time.ParseDuration(structs.DefaultRootCertTTL)
|
|
|
|
require.NoError(err)
|
|
|
|
expectedNotAfter := time.Now().Add(defaultRootCertTTL).UTC()
|
|
|
|
require.WithinDuration(expectedNotAfter, parsed.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
|
2018-04-26 23:02:18 -07:00
|
|
|
}
|
|
|
|
|
2018-06-13 01:40:03 -07:00
|
|
|
func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) {
|
2018-04-26 23:02:18 -07:00
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// Make sure setting a custom private key/root cert works.
|
2018-09-06 19:18:54 -07:00
|
|
|
require := require.New(t)
|
2021-11-02 11:02:10 -07:00
|
|
|
rootCA := connect.TestCAWithTTL(t, nil, 5*time.Hour)
|
2018-05-03 12:50:45 -07:00
|
|
|
conf := testConsulCAConfig()
|
|
|
|
conf.Config = map[string]interface{}{
|
|
|
|
"PrivateKey": rootCA.SigningKey,
|
|
|
|
"RootCert": rootCA.RootCert,
|
|
|
|
}
|
|
|
|
delegate := newMockDelegate(t, conf)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
2019-11-11 15:30:01 -05:00
|
|
|
provider := TestConsulProvider(t, delegate)
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider.Configure(testProviderConfig(conf)))
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(provider.GenerateRoot())
|
2018-04-26 23:02:18 -07:00
|
|
|
|
2018-05-03 12:50:45 -07:00
|
|
|
root, err := provider.ActiveRoot()
|
2018-09-06 19:18:54 -07:00
|
|
|
require.NoError(err)
|
|
|
|
require.Equal(root, rootCA.RootCert)
|
2021-11-02 11:02:10 -07:00
|
|
|
|
|
|
|
// Should be a valid cert
|
|
|
|
parsed, err := connect.ParseCert(root)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
// test that the default root cert ttl was not applied to the provided cert
|
|
|
|
defaultRootCertTTL, err := time.ParseDuration(structs.DefaultRootCertTTL)
|
|
|
|
require.NoError(err)
|
|
|
|
defaultNotAfter := time.Now().Add(defaultRootCertTTL).UTC()
|
|
|
|
// we can't compare given the "delta" between the time the cert is generated
|
|
|
|
// and when we start the test; so just look at the years for now, given different years
|
|
|
|
require.NotEqualf(defaultNotAfter.Year(), parsed.NotAfter.Year(), "parsed cert ttl expected to be different from default root cert ttl")
|
2018-04-26 23:02:18 -07:00
|
|
|
}
|
|
|
|
|
2018-06-13 01:40:03 -07:00
|
|
|
func TestConsulCAProvider_SignLeaf(t *testing.T) {
|
2020-12-07 13:42:55 -05:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2018-04-26 23:02:18 -07:00
|
|
|
t.Parallel()
|
|
|
|
|
2019-11-01 13:20:26 +00:00
|
|
|
for _, tc := range KeyTestCases {
|
|
|
|
tc := tc
|
|
|
|
t.Run(tc.Desc, func(t *testing.T) {
|
|
|
|
require := require.New(t)
|
|
|
|
conf := testConsulCAConfig()
|
|
|
|
conf.Config["LeafCertTTL"] = "1h"
|
|
|
|
conf.Config["PrivateKeyType"] = tc.KeyType
|
|
|
|
conf.Config["PrivateKeyBits"] = tc.KeyBits
|
|
|
|
delegate := newMockDelegate(t, conf)
|
|
|
|
|
2019-11-11 15:30:01 -05:00
|
|
|
provider := TestConsulProvider(t, delegate)
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider.Configure(testProviderConfig(conf)))
|
2019-11-01 13:20:26 +00:00
|
|
|
require.NoError(provider.GenerateRoot())
|
|
|
|
|
|
|
|
spiffeService := &connect.SpiffeIDService{
|
2019-11-11 12:11:54 -05:00
|
|
|
Host: connect.TestClusterID + ".consul",
|
2019-11-01 13:20:26 +00:00
|
|
|
Namespace: "default",
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Service: "foo",
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a leaf cert for the service.
|
|
|
|
{
|
|
|
|
raw, _ := connect.TestCSR(t, spiffeService)
|
|
|
|
|
|
|
|
csr, err := connect.ParseCSR(raw)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
cert, err := provider.Sign(csr)
|
|
|
|
require.NoError(err)
|
2021-06-30 20:48:29 -04:00
|
|
|
requireTrailingNewline(t, cert)
|
2019-11-01 13:20:26 +00:00
|
|
|
parsed, err := connect.ParseCert(cert)
|
|
|
|
require.NoError(err)
|
2019-11-11 12:11:54 -05:00
|
|
|
require.Equal(spiffeService.URI(), parsed.URIs[0])
|
2021-06-25 13:00:00 -05:00
|
|
|
require.Empty(parsed.Subject.CommonName)
|
2021-12-02 17:10:25 -05:00
|
|
|
require.Equal(uint64(3), parsed.SerialNumber.Uint64())
|
2020-01-22 11:28:28 +01:00
|
|
|
subjectKeyID, err := connect.KeyId(csr.PublicKey)
|
|
|
|
require.NoError(err)
|
|
|
|
require.Equal(subjectKeyID, parsed.SubjectKeyId)
|
2019-11-01 13:20:26 +00:00
|
|
|
requireNotEncoded(t, parsed.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, parsed.AuthorityKeyId)
|
|
|
|
|
|
|
|
// Ensure the cert is valid now and expires within the correct limit.
|
|
|
|
now := time.Now()
|
|
|
|
require.True(parsed.NotAfter.Sub(now) < time.Hour)
|
|
|
|
require.True(parsed.NotBefore.Before(now))
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a new cert for another service and make sure
|
|
|
|
// the serial number is incremented.
|
|
|
|
spiffeService.Service = "bar"
|
|
|
|
{
|
|
|
|
raw, _ := connect.TestCSR(t, spiffeService)
|
|
|
|
|
|
|
|
csr, err := connect.ParseCSR(raw)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
cert, err := provider.Sign(csr)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
parsed, err := connect.ParseCert(cert)
|
|
|
|
require.NoError(err)
|
2019-11-11 12:11:54 -05:00
|
|
|
require.Equal(spiffeService.URI(), parsed.URIs[0])
|
2021-06-25 13:00:00 -05:00
|
|
|
require.Empty(parsed.Subject.CommonName)
|
2021-12-02 17:10:25 -05:00
|
|
|
require.Equal(uint64(4), parsed.SerialNumber.Uint64())
|
2019-11-01 13:20:26 +00:00
|
|
|
requireNotEncoded(t, parsed.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, parsed.AuthorityKeyId)
|
|
|
|
|
|
|
|
// Ensure the cert is valid now and expires within the correct limit.
|
|
|
|
require.True(time.Until(parsed.NotAfter) < 3*24*time.Hour)
|
|
|
|
require.True(parsed.NotBefore.Before(time.Now()))
|
|
|
|
}
|
|
|
|
|
|
|
|
spiffeAgent := &connect.SpiffeIDAgent{
|
2019-11-11 12:11:54 -05:00
|
|
|
Host: connect.TestClusterID + ".consul",
|
2019-11-01 13:20:26 +00:00
|
|
|
Datacenter: "dc1",
|
|
|
|
Agent: "uuid",
|
|
|
|
}
|
|
|
|
// Generate a leaf cert for an agent.
|
|
|
|
{
|
|
|
|
raw, _ := connect.TestCSR(t, spiffeAgent)
|
|
|
|
|
|
|
|
csr, err := connect.ParseCSR(raw)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
cert, err := provider.Sign(csr)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
parsed, err := connect.ParseCert(cert)
|
|
|
|
require.NoError(err)
|
|
|
|
require.Equal(spiffeAgent.URI(), parsed.URIs[0])
|
2021-06-25 13:00:00 -05:00
|
|
|
require.Empty(parsed.Subject.CommonName)
|
2021-12-02 17:10:25 -05:00
|
|
|
require.Equal(uint64(5), parsed.SerialNumber.Uint64())
|
2019-11-01 13:20:26 +00:00
|
|
|
requireNotEncoded(t, parsed.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, parsed.AuthorityKeyId)
|
|
|
|
|
|
|
|
// Ensure the cert is valid now and expires within the correct limit.
|
|
|
|
now := time.Now()
|
|
|
|
require.True(parsed.NotAfter.Sub(now) < time.Hour)
|
|
|
|
require.True(parsed.NotBefore.Before(now))
|
|
|
|
}
|
|
|
|
})
|
2019-06-27 22:22:07 +02:00
|
|
|
}
|
2018-04-26 23:02:18 -07:00
|
|
|
}
|
|
|
|
|
2018-06-13 01:40:03 -07:00
|
|
|
func TestConsulCAProvider_CrossSignCA(t *testing.T) {
|
2020-12-07 13:42:55 -05:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2018-04-26 23:02:18 -07:00
|
|
|
t.Parallel()
|
2018-06-15 17:59:08 -07:00
|
|
|
|
2019-11-01 13:20:26 +00:00
|
|
|
tests := CASigningKeyTypeCases()
|
|
|
|
|
|
|
|
for _, tc := range tests {
|
|
|
|
tc := tc
|
|
|
|
t.Run(tc.Desc, func(t *testing.T) {
|
|
|
|
require := require.New(t)
|
|
|
|
|
|
|
|
conf1 := testConsulCAConfig()
|
|
|
|
delegate1 := newMockDelegate(t, conf1)
|
2019-11-11 15:30:01 -05:00
|
|
|
provider1 := TestConsulProvider(t, delegate1)
|
2019-11-01 13:20:26 +00:00
|
|
|
conf1.Config["PrivateKeyType"] = tc.SigningKeyType
|
|
|
|
conf1.Config["PrivateKeyBits"] = tc.SigningKeyBits
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider1.Configure(testProviderConfig(conf1)))
|
2019-11-01 13:20:26 +00:00
|
|
|
require.NoError(provider1.GenerateRoot())
|
|
|
|
|
|
|
|
conf2 := testConsulCAConfig()
|
|
|
|
conf2.CreateIndex = 10
|
|
|
|
delegate2 := newMockDelegate(t, conf2)
|
2019-11-11 15:30:01 -05:00
|
|
|
provider2 := TestConsulProvider(t, delegate2)
|
2019-11-01 13:20:26 +00:00
|
|
|
conf2.Config["PrivateKeyType"] = tc.CSRKeyType
|
|
|
|
conf2.Config["PrivateKeyBits"] = tc.CSRKeyBits
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider2.Configure(testProviderConfig(conf2)))
|
2019-11-01 13:20:26 +00:00
|
|
|
require.NoError(provider2.GenerateRoot())
|
|
|
|
|
|
|
|
testCrossSignProviders(t, provider1, provider2)
|
|
|
|
})
|
|
|
|
}
|
2018-06-19 16:46:18 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func testCrossSignProviders(t *testing.T, provider1, provider2 Provider) {
|
|
|
|
require := require.New(t)
|
|
|
|
|
|
|
|
// Get the root from the new provider to be cross-signed.
|
|
|
|
newRootPEM, err := provider2.ActiveRoot()
|
|
|
|
require.NoError(err)
|
|
|
|
newRoot, err := connect.ParseCert(newRootPEM)
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2018-06-19 16:46:18 -07:00
|
|
|
oldSubject := newRoot.Subject.CommonName
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, newRoot.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, newRoot.AuthorityKeyId)
|
2018-06-15 17:59:08 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
newInterPEM, err := provider2.ActiveIntermediate()
|
|
|
|
require.NoError(err)
|
|
|
|
newIntermediate, err := connect.ParseCert(newInterPEM)
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, newIntermediate.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, newIntermediate.AuthorityKeyId)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
// Have provider1 cross sign our new root cert.
|
|
|
|
xcPEM, err := provider1.CrossSignCA(newRoot)
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2018-04-26 23:02:18 -07:00
|
|
|
xc, err := connect.ParseCert(xcPEM)
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, xc.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, xc.AuthorityKeyId)
|
2018-06-15 17:59:08 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
oldRootPEM, err := provider1.ActiveRoot()
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2018-06-19 16:46:18 -07:00
|
|
|
oldRoot, err := connect.ParseCert(oldRootPEM)
|
2018-06-15 17:59:08 -07:00
|
|
|
require.NoError(err)
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, oldRoot.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, oldRoot.AuthorityKeyId)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
// AuthorityKeyID should now be the signing root's, SubjectKeyId should be kept.
|
2019-11-11 12:11:54 -05:00
|
|
|
require.Equal(oldRoot.SubjectKeyId, xc.AuthorityKeyId,
|
|
|
|
"newSKID=%x\nnewAKID=%x\noldSKID=%x\noldAKID=%x\nxcSKID=%x\nxcAKID=%x",
|
|
|
|
newRoot.SubjectKeyId, newRoot.AuthorityKeyId,
|
|
|
|
oldRoot.SubjectKeyId, oldRoot.AuthorityKeyId,
|
|
|
|
xc.SubjectKeyId, xc.AuthorityKeyId)
|
2018-06-19 16:46:18 -07:00
|
|
|
require.Equal(newRoot.SubjectKeyId, xc.SubjectKeyId)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
|
|
|
// Subject name should not have changed.
|
2018-06-15 17:59:08 -07:00
|
|
|
require.Equal(oldSubject, xc.Subject.CommonName)
|
2018-04-26 23:02:18 -07:00
|
|
|
|
|
|
|
// Issuer should be the signing root.
|
2018-06-19 16:46:18 -07:00
|
|
|
require.Equal(oldRoot.Issuer.CommonName, xc.Issuer.CommonName)
|
2018-06-19 15:10:24 -07:00
|
|
|
|
|
|
|
// Get a leaf cert so we can verify against the cross-signed cert.
|
|
|
|
spiffeService := &connect.SpiffeIDService{
|
2019-11-11 12:11:54 -05:00
|
|
|
Host: connect.TestClusterID + ".consul",
|
2018-06-19 15:10:24 -07:00
|
|
|
Namespace: "default",
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Service: "foo",
|
|
|
|
}
|
2019-08-27 17:45:58 -04:00
|
|
|
raw, _ := connect.TestCSR(t, spiffeService)
|
2018-06-19 15:10:24 -07:00
|
|
|
|
|
|
|
leafCsr, err := connect.ParseCSR(raw)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
leafPEM, err := provider2.Sign(leafCsr)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
cert, err := connect.ParseCert(leafPEM)
|
|
|
|
require.NoError(err)
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, cert.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, cert.AuthorityKeyId)
|
2018-06-19 15:10:24 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
// Check that the leaf signed by the new cert can be verified by either root
|
|
|
|
// certificate by using the new intermediate + cross-signed cert.
|
2018-06-19 15:10:24 -07:00
|
|
|
intermediatePool := x509.NewCertPool()
|
2018-06-19 16:46:18 -07:00
|
|
|
intermediatePool.AddCert(newIntermediate)
|
2018-06-19 15:10:24 -07:00
|
|
|
intermediatePool.AddCert(xc)
|
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
for _, root := range []*x509.Certificate{oldRoot, newRoot} {
|
|
|
|
rootPool := x509.NewCertPool()
|
|
|
|
rootPool.AddCert(root)
|
2018-06-19 15:10:24 -07:00
|
|
|
|
2018-06-19 16:46:18 -07:00
|
|
|
_, err = cert.Verify(x509.VerifyOptions{
|
|
|
|
Intermediates: intermediatePool,
|
|
|
|
Roots: rootPool,
|
|
|
|
})
|
|
|
|
require.NoError(err)
|
|
|
|
}
|
2018-04-20 20:39:51 -07:00
|
|
|
}
|
2018-09-12 13:44:15 -07:00
|
|
|
|
2018-09-12 19:52:24 -07:00
|
|
|
func TestConsulProvider_SignIntermediate(t *testing.T) {
|
2020-12-07 13:42:55 -05:00
|
|
|
if testing.Short() {
|
|
|
|
t.Skip("too slow for testing.Short")
|
|
|
|
}
|
|
|
|
|
2018-09-12 19:52:24 -07:00
|
|
|
t.Parallel()
|
|
|
|
|
2019-11-01 13:20:26 +00:00
|
|
|
tests := CASigningKeyTypeCases()
|
|
|
|
|
|
|
|
for _, tc := range tests {
|
|
|
|
tc := tc
|
|
|
|
t.Run(tc.Desc, func(t *testing.T) {
|
|
|
|
require := require.New(t)
|
|
|
|
|
|
|
|
conf1 := testConsulCAConfig()
|
|
|
|
delegate1 := newMockDelegate(t, conf1)
|
2019-11-11 15:30:01 -05:00
|
|
|
provider1 := TestConsulProvider(t, delegate1)
|
2019-11-01 13:20:26 +00:00
|
|
|
conf1.Config["PrivateKeyType"] = tc.SigningKeyType
|
|
|
|
conf1.Config["PrivateKeyBits"] = tc.SigningKeyBits
|
2019-11-18 14:22:19 +00:00
|
|
|
require.NoError(provider1.Configure(testProviderConfig(conf1)))
|
2019-11-01 13:20:26 +00:00
|
|
|
require.NoError(provider1.GenerateRoot())
|
|
|
|
|
|
|
|
conf2 := testConsulCAConfig()
|
|
|
|
conf2.CreateIndex = 10
|
|
|
|
delegate2 := newMockDelegate(t, conf2)
|
2019-11-11 15:30:01 -05:00
|
|
|
provider2 := TestConsulProvider(t, delegate2)
|
2019-11-01 13:20:26 +00:00
|
|
|
conf2.Config["PrivateKeyType"] = tc.CSRKeyType
|
|
|
|
conf2.Config["PrivateKeyBits"] = tc.CSRKeyBits
|
2019-11-18 14:22:19 +00:00
|
|
|
cfg := testProviderConfig(conf2)
|
|
|
|
cfg.IsPrimary = false
|
|
|
|
cfg.Datacenter = "dc2"
|
|
|
|
require.NoError(provider2.Configure(cfg))
|
2019-11-01 13:20:26 +00:00
|
|
|
|
|
|
|
testSignIntermediateCrossDC(t, provider1, provider2)
|
|
|
|
})
|
|
|
|
}
|
2018-09-12 19:52:24 -07:00
|
|
|
|
2018-09-13 13:09:07 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
func testSignIntermediateCrossDC(t *testing.T, provider1, provider2 Provider) {
|
|
|
|
require := require.New(t)
|
|
|
|
|
2018-09-12 19:52:24 -07:00
|
|
|
// Get the intermediate CSR from provider2.
|
|
|
|
csrPEM, err := provider2.GenerateIntermediateCSR()
|
|
|
|
require.NoError(err)
|
|
|
|
csr, err := connect.ParseCSR(csrPEM)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
// Sign the CSR with provider1.
|
|
|
|
intermediatePEM, err := provider1.SignIntermediate(csr)
|
|
|
|
require.NoError(err)
|
|
|
|
rootPEM, err := provider1.ActiveRoot()
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
// Give the new intermediate to provider2 to use.
|
|
|
|
require.NoError(provider2.SetIntermediate(intermediatePEM, rootPEM))
|
|
|
|
|
|
|
|
// Have provider2 sign a leaf cert and make sure the chain is correct.
|
|
|
|
spiffeService := &connect.SpiffeIDService{
|
2019-11-11 12:11:54 -05:00
|
|
|
Host: connect.TestClusterID + ".consul",
|
2018-09-12 19:52:24 -07:00
|
|
|
Namespace: "default",
|
|
|
|
Datacenter: "dc1",
|
|
|
|
Service: "foo",
|
|
|
|
}
|
2019-08-27 17:45:58 -04:00
|
|
|
raw, _ := connect.TestCSR(t, spiffeService)
|
2018-09-12 19:52:24 -07:00
|
|
|
|
|
|
|
leafCsr, err := connect.ParseCSR(raw)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
leafPEM, err := provider2.Sign(leafCsr)
|
|
|
|
require.NoError(err)
|
|
|
|
|
|
|
|
cert, err := connect.ParseCert(leafPEM)
|
|
|
|
require.NoError(err)
|
2019-09-23 12:52:35 -05:00
|
|
|
requireNotEncoded(t, cert.SubjectKeyId)
|
|
|
|
requireNotEncoded(t, cert.AuthorityKeyId)
|
2018-09-12 19:52:24 -07:00
|
|
|
|
2018-09-14 16:08:54 -07:00
|
|
|
// Check that the leaf signed by the new cert can be verified using the
|
|
|
|
// returned cert chain (signed intermediate + remote root).
|
2018-09-12 19:52:24 -07:00
|
|
|
intermediatePool := x509.NewCertPool()
|
|
|
|
intermediatePool.AppendCertsFromPEM([]byte(intermediatePEM))
|
|
|
|
rootPool := x509.NewCertPool()
|
|
|
|
rootPool.AppendCertsFromPEM([]byte(rootPEM))
|
|
|
|
|
|
|
|
_, err = cert.Verify(x509.VerifyOptions{
|
|
|
|
Intermediates: intermediatePool,
|
|
|
|
Roots: rootPool,
|
|
|
|
})
|
|
|
|
require.NoError(err)
|
|
|
|
}
|
|
|
|
|
2018-09-12 13:44:15 -07:00
|
|
|
func TestConsulCAProvider_MigrateOldID(t *testing.T) {
|
2021-07-13 11:12:07 -05:00
|
|
|
cases := []struct {
|
|
|
|
name string
|
|
|
|
oldID string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "original-unhashed",
|
|
|
|
oldID: ",",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "hash-v1",
|
|
|
|
oldID: hexStringHash(",,true"),
|
|
|
|
},
|
|
|
|
}
|
2018-09-12 13:44:15 -07:00
|
|
|
|
2021-07-13 11:12:07 -05:00
|
|
|
for _, tc := range cases {
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
|
|
conf := testConsulCAConfig()
|
|
|
|
delegate := newMockDelegate(t, conf)
|
2018-09-12 13:44:15 -07:00
|
|
|
|
2021-07-13 11:12:07 -05:00
|
|
|
// Create an entry with an old-style ID.
|
|
|
|
_, err := delegate.ApplyCARequest(&structs.CARequest{
|
|
|
|
Op: structs.CAOpSetProviderState,
|
|
|
|
ProviderState: &structs.CAConsulProviderState{
|
|
|
|
ID: tc.oldID,
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
_, providerState, err := delegate.state.CAProviderState(tc.oldID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotNil(t, providerState)
|
2018-09-12 13:44:15 -07:00
|
|
|
|
2021-07-13 11:12:07 -05:00
|
|
|
provider := TestConsulProvider(t, delegate)
|
|
|
|
require.NoError(t, provider.Configure(testProviderConfig(conf)))
|
|
|
|
require.NoError(t, provider.GenerateRoot())
|
2018-09-12 13:44:15 -07:00
|
|
|
|
2021-07-13 11:12:07 -05:00
|
|
|
// After running Configure, the old ID entry should be gone.
|
|
|
|
_, providerState, err = delegate.state.CAProviderState(tc.oldID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Nil(t, providerState)
|
|
|
|
})
|
|
|
|
}
|
2018-09-12 13:44:15 -07:00
|
|
|
}
|