From jackso...@apache.org
Subject [1/4] trafficserver git commit: Add tests for intermediate cert selection for ECDSA and mix
Date Mon, 20 Apr 2015 21:21:53 GMT
Repository: trafficserver
Updated Branches:
  refs/heads/master d73914f75 -> 07e920707


Add tests for intermediate cert selection for ECDSA and mix


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/98c87a72
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/98c87a72
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/98c87a72

Branch: refs/heads/master
Commit: 98c87a72824d170296b246c3770758009159be04
Parents: 3181fc7
Author: Thomas Jackson <jacksontj@apache.org>
Authored: Mon Apr 13 13:19:59 2015 -0700
Committer: Thomas Jackson <jacksontj@apache.org>
Committed: Mon Apr 20 14:20:42 2015 -0700

----------------------------------------------------------------------
 ci/new_tsqa/files/ec_keys/README.rst          | 21 ++++++++++
 ci/new_tsqa/files/ec_keys/ca.crt              | 12 ++++++
 ci/new_tsqa/files/ec_keys/ca.key              |  8 ++++
 ci/new_tsqa/files/ec_keys/intermediate.crt    | 10 +++++
 ci/new_tsqa/files/ec_keys/intermediate.key    |  8 ++++
 ci/new_tsqa/files/ec_keys/www.example.com.pem | 15 +++----
 ci/new_tsqa/files/ec_keys/www.test.com.pem    | 19 ++++-----
 ci/new_tsqa/tests/test_https.py               | 49 ++++++++++++++++++----
 8 files changed, 115 insertions(+), 27 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/README.rst
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/README.rst b/ci/new_tsqa/files/ec_keys/README.rst
index 12329c7..c3dd1e1 100644
--- a/ci/new_tsqa/files/ec_keys/README.rst
+++ b/ci/new_tsqa/files/ec_keys/README.rst
@@ -6,3 +6,24 @@ Try to use existing certs if possible rather than generating your own.
 # generated using (make sure to set "hostname"):
 openssl ecparam -name prime256v1 -genkey -out key.pem
 openssl req -new -x509 -key key.pem -out cert.pem
+
+
+## Since we want to verify all of the certificate verification, we need to generate
+## our own CA and intermediate CA
+# Create CA
+openssl ecparam -name prime256v1 -genkey -out ca.key
+openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt
+
+# Create Intermediate
+openssl ecparam -name prime256v1 -genkey -out intermediate.key
+openssl req -new -sha1 -key intermediate.key -out intermediate.csr
+
+# CA signs Intermediate
+openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01
-out intermediate.crt
+
+# Create Server
+openssl ecparam -name prime256v1 -genkey -out www.example.com.key
+openssl req -new -key test.example.com.key -out test.example.com.csr
+
+# Intermediate signs Server
+openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key
-set_serial 01 -out test.example.com.crt

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/ca.crt
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/ca.crt b/ci/new_tsqa/files/ec_keys/ca.crt
new file mode 100644
index 0000000..a70f990
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/ca.crt
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/ca.key
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/ca.key b/ci/new_tsqa/files/ec_keys/ca.key
new file mode 100644
index 0000000..275e3e9
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/ca.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKR1N01PYCnkwa07tTnZ3Ri6dsGxu/OlTmExDWS1JIt6oAoGCCqGSM49
+AwEHoUQDQgAEVRCzxLeGp2zzqqz6YTHRJ+sTuEzrFNUUQX/sEb4s1uceiqtTgFJ8
+kglWGMk/3WIC09PF4aRvkXM+xVvxU9EcaA==
+-----END EC PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/intermediate.crt
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/intermediate.crt b/ci/new_tsqa/files/ec_keys/intermediate.crt
new file mode 100644
index 0000000..2a2fc1d
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/intermediate.crt
@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcTCCARcCAQEwCQYHKoZIzj0EATBBMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwM
+RGVmYXVsdCBDaXR5MQwwCgYDVQQKDANBVFMxDTALBgNVBAMMBHJvb3QwHhcNMTUw
+NDEzMjAxMTQ4WhcNMjAwNDExMjAxMTQ4WjBJMQswCQYDVQQGEwJYWDEVMBMGA1UE
+BwwMRGVmYXVsdCBDaXR5MQwwCgYDVQQKDANBVFMxFTATBgNVBAMMDGludGVybWVk
+aWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCLloHhXc49EwEI94gb6186J
+zp5mHmEBD49I3pFuQwkVLu249uCsyEnjhoAlMohC/Oc/ROtvZTnujcdBZ2OBh4cw
+CQYHKoZIzj0EAQNJADBGAiEAzevMu2yohbN5dzRp5/TTxKSOrenLh56jtSJrtFai
+/wUCIQDV40abfGSiioLyb5PoyJRPa6M+AhWbK9caa2SQei+KnQ==
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/intermediate.key
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/intermediate.key b/ci/new_tsqa/files/ec_keys/intermediate.key
new file mode 100644
index 0000000..bb1cdc5
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/intermediate.key
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMtffsDv9JDl4AFznb1ftzA8IqIVxA344PSpyZU6PfA/oAoGCCqGSM49
+AwEHoUQDQgAEIuWgeFdzj0TAQj3iBvrXzonOnmYeYQEPj0jekW5DCRUu7bj24KzI
+SeOGgCUyiEL85z9E629lOe6Nx0FnY4GHhw==
+-----END EC PRIVATE KEY-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/www.example.com.pem
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.example.com.pem b/ci/new_tsqa/files/ec_keys/www.example.com.pem
index 4db7e23..ee31b56 100644
--- a/ci/new_tsqa/files/ec_keys/www.example.com.pem
+++ b/ci/new_tsqa/files/ec_keys/www.example.com.pem
@@ -4,15 +4,12 @@ AwEHoUQDQgAEwNOf/ym+XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l
 2L7lLqGtmUcuUhDaOxf91hhXAfprU+qRvA==
 -----END EC PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIB/TCCAaSgAwIBAgIJAI8scEv82xNQMAkGByqGSM49BAEwXDELMAkGA1UEBhMC
-WFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
-YW55IEx0ZDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTE1MDQwNjIyMzEz
-OVoXDTE1MDUwNjIyMzEzOVowXDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
-bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEYMBYGA1UEAwwP
+MIIBfDCCASICAQEwCQYHKoZIzj0EATBJMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwM
+RGVmYXVsdCBDaXR5MQwwCgYDVQQKDANBVFMxFTATBgNVBAMMDGludGVybWVkaWF0
+ZTAeFw0xNTA0MTMyMDEzMjlaFw0yMDA0MTEyMDEzMjlaMEwxCzAJBgNVBAYTAlhY
+MRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxDDAKBgNVBAoMA0FUUzEYMBYGA1UEAwwP
 d3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwNOf/ym+
 XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l2L7lLqGtmUcuUhDaOxf9
-1hhXAfprU+qRvKNQME4wHQYDVR0OBBYEFFju5RlYt02MzdcnwBKzCIRnKp2vMB8G
-A1UdIwQYMBaAFFju5RlYt02MzdcnwBKzCIRnKp2vMAwGA1UdEwQFMAMBAf8wCQYH
-KoZIzj0EAQNIADBFAiEAhmfh1lZz99IjJ9n5Num1O6BK491eDP+rENyTC7Y6a/YC
-ID/HGrCAtz1n4lPZ2kSxe6E8lqotrEmEDEx14hlmdw7K
+1hhXAfprU+qRvDAJBgcqhkjOPQQBA0kAMEYCIQCU7CxO/zdFc4BDUCHO07wVuFe7
+RyiVVJs4llEZTXoBiAIhAIwrXtE2psZBRx/TE7miPunqa+1E4IxrtWn2fkzJyJ57
 -----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/files/ec_keys/www.test.com.pem
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.test.com.pem b/ci/new_tsqa/files/ec_keys/www.test.com.pem
index 97b33b3..e519276 100644
--- a/ci/new_tsqa/files/ec_keys/www.test.com.pem
+++ b/ci/new_tsqa/files/ec_keys/www.test.com.pem
@@ -4,15 +4,12 @@ AwEHoUQDQgAEh4NjyzcxA2B/b281cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69w
 of7PjZkJRdeBlEMBVUcwTKEuENMZ7a3+Tw==
 -----END EC PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIB9zCCAZ6gAwIBAgIJAOofwBNPt6PwMAkGByqGSM49BAEwWTELMAkGA1UEBhMC
-WFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
-YW55IEx0ZDEVMBMGA1UEAwwMd3d3LnRlc3QuY29tMB4XDTE1MDQwNjIyMzI0MVoX
-DTE1MDUwNjIyMzI0MVowWTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQg
-Q2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEVMBMGA1UEAwwMd3d3
-LnRlc3QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh4NjyzcxA2B/b281
-cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69wof7PjZkJRdeBlEMBVUcwTKEuENMZ
-7a3+T6NQME4wHQYDVR0OBBYEFJKeIbf5+FuFSDl+qyszoefkIdYNMB8GA1UdIwQY
-MBaAFJKeIbf5+FuFSDl+qyszoefkIdYNMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0E
-AQNIADBFAiEAs79BVAgcBZStdk8xLUXEpRoX68MVNpq2P/9OcMPmb2cCIEv/OFq3
-TYlabCBevc+jjmnry8C//Z+ffY/IEwbTxJlQ
+MIIBdzCCAR8CAQEwCQYHKoZIzj0EATBJMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwM
+RGVmYXVsdCBDaXR5MQwwCgYDVQQKDANBVFMxFTATBgNVBAMMDGludGVybWVkaWF0
+ZTAeFw0xNTA0MTMyMDEzMzZaFw0yMDA0MTEyMDEzMzZaMEkxCzAJBgNVBAYTAlhY
+MRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxDDAKBgNVBAoMA0FUUzEVMBMGA1UEAwwM
+d3d3LnRlc3QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh4NjyzcxA2B/
+b281cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69wof7PjZkJRdeBlEMBVUcwTKEu
+ENMZ7a3+TzAJBgcqhkjOPQQBA0cAMEQCIH083uGRd7b1crw6TH8paBZNeliJTiFU
+eg6lrnGEVIKpAiBtCERpWAlJhYBrR5ApPp6jSoM+Zk6YfswUSg2YR7c4Sg==
 -----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/98c87a72/ci/new_tsqa/tests/test_https.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_https.py b/ci/new_tsqa/tests/test_https.py
index 6786cbd..619d327 100644
--- a/ci/new_tsqa/tests/test_https.py
+++ b/ci/new_tsqa/tests/test_https.py
@@ -98,6 +98,12 @@ class CertSelectionMixin(object):
         self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
 
     def _intermediate_ca_t(self, cipher):
+        '''
+        Method for testing intermediate CAs. We assume that www.example.com should
+        return a certificate chaing of len 2 which includes intermediate.
+        We also assume that www.test.com returns a single cert in the chain which
+        is *not* intermediate
+        '''
         # send a request that *should* get an intermediate CA
         addr = ('127.0.0.1', self.ssl_port)
         cert_chain = self._get_cert_chain(addr, ciphers=CIPHER_MAP[cipher])
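Review bot: The new docstring on `_intermediate_ca_t` has a typo ("chaing") and is written as an assumption rather than as the contract the method enforces, which is what a reader of a failing test needs. Replace it with `'''Check intermediate-CA selection for `cipher`: www.example.com must return a chain of length 2 that includes the intermediate; www.test.com must return a single cert that is *not* the intermediate.'''`. The method's body, including the assertions the docstring describes, continues past the end of this hunk, so the "length 2" claim should be kept in sync with whatever the code below actually asserts.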
@@ -168,10 +174,10 @@ class TestECDSA(helpers.EnvironmentCase, CertSelectionMixin):
         })
 
         # configure SSL multicert
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}
ssl_ca_name={1}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem'), helpers.tests_file_path('ec_keys/intermediate.crt')))
         cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
 
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0} ssl_ca_name={1}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem'),
helpers.tests_file_path('ec_keys/intermediate.crt')))
         cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
 
     def test_rsa(self):
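Review bot: The two new `add_line` calls repeat the same `helpers.tests_file_path(...)` lookups already used on the neighbouring lines, and are now long enough that the archive wraps them in the middle of a string literal (the `dest_ip=127.0.0.2` line here); binding `example_pem = helpers.tests_file_path('ec_keys/www.example.com.pem')` and `intermediate_crt = helpers.tests_file_path('ec_keys/intermediate.crt')` once before the `add_line` calls keeps each format call on one line. The enclosing class-setup method starts outside the hunk. It is also worth a comment on the `dest_ip=127.0.0.2` line that `ssl_ca_name` supplies only `ec_keys/intermediate.crt`, not `ca.crt`, so the served chain presumably stops at the intermediate and `_intermediate_ca_t` is checking chain composition rather than a path to a trusted root — confirm that is the intent.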
@@ -185,6 +191,13 @@ class TestECDSA(helpers.EnvironmentCase, CertSelectionMixin):
         cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
         self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
 
+    def test_intermediate_ca_rsa(self):
+        with self.assertRaises(Exception):
+            self._intermediate_ca_t('rsa')
+
+    def test_intermediate_ca_ecdsa(self):
+        self._intermediate_ca_t('ecdsa')
+
 class TestMix(helpers.EnvironmentCase, CertSelectionMixin):
     '''
     Tests for https for ATS configured with both ECDSA and RSA certificates
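Review bot: `test_intermediate_ca_rsa` asserts only `assertRaises(Exception)`, so it passes on any failure inside `_intermediate_ca_t` — a refused connection, a missing fixture file, or an `AssertionError` from the chain check — rather than specifically the handshake failure expected when an RSA cipher is offered to a listener that only has ECDSA certs. Narrow it to the exception that `_get_cert_chain` raises on a failed handshake (its implementation is outside this hunk, so I cannot name the type here), and give the method a one-line docstring such as `'''RSA ciphers must fail the handshake: only ECDSA certs are configured.'''`. One blank line separates the new method from `class TestMix`; PEP 8 asks for two between top-level definitions.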
@@ -201,11 +214,27 @@ class TestMix(helpers.EnvironmentCase, CertSelectionMixin):
         })
 
         # configure SSL multicert
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'),
helpers.tests_file_path('ec_keys/www.example.com.pem')))
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'),
helpers.tests_file_path('ec_keys/www.test.com.pem')))
-
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'),
helpers.tests_file_path('ec_keys/www.example.com.pem')))
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'),
helpers.tests_file_path('ec_keys/www.test.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}
ssl_ca_name={2},{3}'.format(
+            helpers.tests_file_path('rsa_keys/www.example.com.pem'),
+            helpers.tests_file_path('ec_keys/www.example.com.pem'),
+            helpers.tests_file_path('rsa_keys/intermediate.crt'),
+            helpers.tests_file_path('ec_keys/intermediate.crt'),
+            ))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(
+            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
+            helpers.tests_file_path('ec_keys/www.test.com.pem'),
+            ))
+
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1} ssl_ca_name={2},{3}'.format(
+            helpers.tests_file_path('rsa_keys/www.example.com.pem'),
+            helpers.tests_file_path('ec_keys/www.example.com.pem'),
+            helpers.tests_file_path('rsa_keys/intermediate.crt'),
+            helpers.tests_file_path('ec_keys/intermediate.crt'),
+            ))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(
+            helpers.tests_file_path('rsa_keys/www.test.com.pem'),
+            helpers.tests_file_path('ec_keys/www.test.com.pem'),
+            ))
 
     def test_rsa(self):
         addr = ('127.0.0.1', self.ssl_port)
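Review bot: Both new `ssl_ca_name={2},{3}` lines reference `rsa_keys/intermediate.crt`, but this commit's diffstat adds intermediate material only under `ec_keys/`; unless another commit in this [1/4] series adds `rsa_keys/intermediate.crt`, the config points at a file that does not exist and the RSA case of `TestMix.test_intermediate_ca_rsa` cannot pass. The pairing between `ssl_cert_name={0},{1}` and `ssl_ca_name={2},{3}` also appears to be positional (rsa first, then ec), which nothing in the file states; add `# ssl_ca_name entries pair positionally with ssl_cert_name: rsa first, then ec` above the first `add_line` so a later reorder does not silently mismatch a cert with the wrong intermediate. The enclosing class-setup method starts outside the hunk.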
@@ -216,3 +245,9 @@ class TestMix(helpers.EnvironmentCase, CertSelectionMixin):
         addr = ('127.0.0.1', self.ssl_port)
         cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
         self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+    def test_intermediate_ca_rsa(self):
+        self._intermediate_ca_t('rsa')
+
+    def test_intermediate_ca_ecdsa(self):
+        self._intermediate_ca_t('ecdsa')

