From 3d44f5bf80a641aa5606e4a78a88228ee13caa2c Mon Sep 17 00:00:00 2001 From: Ben Meier Date: Sun, 28 Feb 2021 10:56:52 +0000 Subject: [PATCH] *: added client-{client,key}-file parameters for supporting separate client and server certs when communicating between peers In some environments, the CA is not able to sign certificates with both 'client auth' and 'server auth' extended usage parameters and so an operator needs to be able to set a separate client certificate to use when making requests which is different to the certificate used for accepting requests. This applies to both proxy and etcd member mode and is available as both a CLI flag and config file field for peer TLS. 
Signed-off-by: Ben Meier --- pkg/transport/listener.go | 41 +++++++++++--- server/embed/config.go | 14 +++-- server/etcdmain/config.go | 4 ++ tests/e2e/etcd_config_test.go | 4 ++ tests/fixtures/ca.crt | 30 +++++------ tests/fixtures/client-clientusage.crt | 24 +++++++++ .../fixtures/client-clientusage.key.insecure | 27 ++++++++++ tests/fixtures/client-nocn.crt | 34 ++++++------ tests/fixtures/client-nocn.key.insecure | 50 +++++++++--------- tests/fixtures/gencert.json | 18 +++++++ tests/fixtures/gencerts.sh | 8 ++- tests/fixtures/revoke.crl | Bin 522 -> 522 bytes tests/fixtures/server-ecdsa.crt | 24 ++++----- tests/fixtures/server-ecdsa.key.insecure | 6 +-- tests/fixtures/server-ip.crt | 32 +++++------ tests/fixtures/server-ip.key.insecure | 50 +++++++++--------- tests/fixtures/server-ipv6.crt | 32 +++++------ tests/fixtures/server-ipv6.key.insecure | 50 +++++++++--------- tests/fixtures/server-revoked.crt | 32 +++++------ tests/fixtures/server-revoked.key.insecure | 50 +++++++++--------- tests/fixtures/server-serverusage.crt | 24 +++++++++ .../fixtures/server-serverusage.key.insecure | 27 ++++++++++ tests/fixtures/server-wildcard.crt | 32 +++++------ tests/fixtures/server-wildcard.key.insecure | 50 +++++++++--------- tests/fixtures/server.crt | 32 +++++------ tests/fixtures/server.key.insecure | 50 +++++++++--------- tests/fixtures/server2.crt | 32 +++++------ tests/fixtures/server2.key.insecure | 50 +++++++++--------- tests/fixtures/server3.crt | 34 ++++++------ tests/fixtures/server3.key.insecure | 50 +++++++++--------- tests/integration/cluster.go | 9 ++++ tests/integration/cluster_test.go | 10 ++++ 32 files changed, 556 insertions(+), 374 deletions(-) create mode 100644 tests/fixtures/client-clientusage.crt create mode 100644 tests/fixtures/client-clientusage.key.insecure create mode 100644 tests/fixtures/server-serverusage.crt create mode 100644 tests/fixtures/server-serverusage.key.insecure 
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index df9a895bb..c2f5b9df3 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -64,8 +64,16 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err } type TLSInfo struct { - CertFile string - KeyFile string + // CertFile is the _server_ cert, it will also be used as a _client_ certificate if ClientCertFile is empty + CertFile string + // KeyFile is the key for the CertFile + KeyFile string + // ClientCertFile is a _client_ cert for initiating connections when ClientCertAuth is defined. If ClientCertAuth + // is true but this value is empty, the CertFile will be used instead. + ClientCertFile string + // ClientKeyFile is the key for the ClientCertFile + ClientKeyFile string + TrustedCAFile string ClientCertAuth bool CRLFile string @@ -107,7 +115,7 @@ type TLSInfo struct { } func (info TLSInfo) String() string { - return fmt.Sprintf("cert = %s, key = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile) + return fmt.Sprintf("cert = %s, key = %s, client-cert=%s, client-key=%s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.ClientCertFile, info.ClientKeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile) } func (info TLSInfo) Empty() bool { @@ -142,6 +150,8 @@ func SelfCert(lg *zap.Logger, dirpath string, hosts []string, selfSignedCertVali if errcert == nil && errkey == nil { info.CertFile = certPath info.KeyFile = keyPath + info.ClientCertFile = certPath + info.ClientKeyFile = keyPath info.selfCert = true return } 
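Review bot: The new doc comment on ClientCertFile ties its use to ClientCertAuth ("when ClientCertAuth is defined"), but the GetClientCertificate callback changed later in this patch selects ClientCertFile whenever it is non-empty, with no reference to ClientCertAuth as far as the hunk shows; ClientCertAuth governs what this node demands of inbound peers, not which cert it presents outbound. I would reword the field comments so the next reader does not look for a coupling that is not there: `// ClientCertFile is the certificate this node presents when it initiates TLS connections (e.g. to peers). If empty, CertFile is presented instead. It only needs the clientAuth EKU, which is the point of keeping it separate from CertFile.` and `// CertFile is the certificate served on inbound connections; it is also presented outbound when ClientCertFile is empty.` The comma splice in the CertFile comment ("is the _server_ cert, it will also") goes away with that rewording.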
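Review bot: The two new fields in String() are formatted as `client-cert=%s, client-key=%s` while every neighbouring field uses spaces around `=` (`cert = %s, key = %s`); this string ends up in startup logs that operators grep and scripts parse, so the inconsistency is worth fixing now rather than after it is relied upon. Suggested format string: `"cert = %s, key = %s, client-cert = %s, client-key = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s"`.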
@@ -278,6 +288,17 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { return nil, err } + // Perform prevalidation of client cert and key if either are provided. This makes sure we crash before accepting any connections. + if (info.ClientKeyFile == "") != (info.ClientCertFile == "") { + return nil, fmt.Errorf("ClientKeyFile and ClientCertFile must both be present or both absent: key: %v, cert: %v]", info.ClientKeyFile, info.ClientCertFile) + } + if info.ClientCertFile != "" { + _, err := tlsutil.NewCert(info.ClientCertFile, info.ClientKeyFile, info.parseFunc) + if err != nil { + return nil, err + } + } + cfg := &tls.Config{ MinVersion: tls.VersionTLS12, ServerName: info.ServerName, @@ -342,13 +363,17 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { return cert, err } cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (cert *tls.Certificate, err error) { - cert, err = tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc) + certfile, keyfile := info.CertFile, info.KeyFile + if info.ClientCertFile != "" { + certfile, keyfile = info.ClientCertFile, info.ClientKeyFile + } + cert, err = tlsutil.NewCert(certfile, keyfile, info.parseFunc) if os.IsNotExist(err) { if info.Logger != nil { info.Logger.Warn( "failed to find client cert files", - zap.String("cert-file", info.CertFile), - zap.String("key-file", info.KeyFile), + zap.String("cert-file", certfile), + zap.String("key-file", keyfile), zap.Error(err), ) } @@ -356,8 +381,8 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { if info.Logger != nil { info.Logger.Warn( "failed to create client certificate", - zap.String("cert-file", info.CertFile), - zap.String("key-file", info.KeyFile), + zap.String("cert-file", certfile), + zap.String("key-file", keyfile), zap.Error(err), ) } diff --git a/server/embed/config.go b/server/embed/config.go index e91518cbc..be22efa5c 100644 --- a/server/embed/config.go +++ b/server/embed/config.go 
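Review bot: The prevalidation added at the top of this hunk only proves the client cert and key parse and match; it does not catch the misconfiguration this feature exists for, a cert whose extended key usage excludes clientAuth (e.g. the new server-serverusage fixture handed in as the client cert), which would instead surface as handshake failures on every outbound peer dial after the node is already up. Since the code already loads the cert here, it can inspect the leaf's EKU and refuse to start, with the caveat that a cert carrying no EKU extension at all is valid for any purpose and must not be rejected; this assumes tlsutil.NewCert returns a *tls.Certificate with Certificate[0] populated as tls.X509KeyPair does, and that crypto/x509 is already imported by this file for its CRL and self-cert handling (confirm both). Separately, the new error message has a stray `]` after the second `%v`, and `%q` would make an empty path visible: `return nil, fmt.Errorf("ClientKeyFile and ClientCertFile must both be present or both absent: key: %q, cert: %q", info.ClientKeyFile, info.ClientCertFile)`. The enclosing baseConfig starts before and ends after this hunk.
```go
	if info.ClientCertFile != "" {
		cert, err := tlsutil.NewCert(info.ClientCertFile, info.ClientKeyFile, info.parseFunc)
		if err != nil {
			return nil, err
		}
		// Fail fast on the misconfiguration this option exists to avoid: a cert whose
		// EKU explicitly excludes client authentication. A cert with no EKU extension
		// at all is valid for any purpose and is deliberately left alone.
		if leaf, perr := x509.ParseCertificate(cert.Certificate[0]); perr == nil && len(leaf.ExtKeyUsage) > 0 {
			allowed := false
			for _, u := range leaf.ExtKeyUsage {
				if u == x509.ExtKeyUsageClientAuth || u == x509.ExtKeyUsageAny {
					allowed = true
					break
				}
			}
			if !allowed {
				return nil, fmt.Errorf("client cert %q has an extended key usage that does not permit client auth", info.ClientCertFile)
			}
		}
	}
	// … unchanged: cfg := &tls.Config{ … } …
```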
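Review bot: The "use ClientCertFile if set, else CertFile" rule is encoded inline at the top of the GetClientCertificate callback and nowhere else, so the startup prevalidation earlier in baseConfig and this runtime path can drift apart the next time someone touches one of them; a tiny accessor keeps them in step and reads better than the two-assignment dance: `func (info TLSInfo) clientCertPaths() (certFile, keyFile string) { if info.ClientCertFile != "" { return info.ClientCertFile, info.ClientKeyFile }; return info.CertFile, info.KeyFile }` and then `certfile, keyfile := info.clientCertPaths()` here. Note also that the callback still opens and parses the files on every outbound handshake; that predates this patch and is not introduced here, but with two distinct cert pairs now in play it is worth a `// NOTE: re-read per handshake so rotated files are picked up` comment so nobody mistakes it for an oversight. The callback's closing lines lie outside this hunk.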
@@ -368,11 +368,13 @@ type configJSON struct { } type securityConfig struct { - CertFile string `json:"cert-file"` - KeyFile string `json:"key-file"` - CertAuth bool `json:"client-cert-auth"` - TrustedCAFile string `json:"trusted-ca-file"` - AutoTLS bool `json:"auto-tls"` + CertFile string `json:"cert-file"` + KeyFile string `json:"key-file"` + ClientCertFile string `json:"client-cert-file"` + ClientKeyFile string `json:"client-key-file"` + CertAuth bool `json:"client-cert-auth"` + TrustedCAFile string `json:"trusted-ca-file"` + AutoTLS bool `json:"auto-tls"` } // NewConfig creates a new Config populated with default values. @@ -523,6 +525,8 @@ func (cfg *configYAML) configFromFile(path string) error { copySecurityDetails := func(tls *transport.TLSInfo, ysc *securityConfig) { tls.CertFile = ysc.CertFile tls.KeyFile = ysc.KeyFile + tls.ClientCertFile = ysc.ClientCertFile + tls.ClientKeyFile = ysc.ClientKeyFile tls.ClientCertAuth = ysc.CertAuth tls.TrustedCAFile = ysc.TrustedCAFile } diff --git a/server/etcdmain/config.go b/server/etcdmain/config.go index 6cc3e08e5..ef00427e9 100644 --- a/server/etcdmain/config.go +++ b/server/etcdmain/config.go 
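Review bot: The new `client-cert-file` / `client-key-file` YAML keys get no user-facing documentation in this patch; the diffstat in the commit header lists only code, tests and fixtures, and the key names are easy to misread when they sit under `client-transport-security` (a reader may take `client-transport-security.client-cert-file` to be a renamed `cert-file`). Since copySecurityDetails applies to both the client and peer sections, the configuration reference should get one line per section along the lines of `client-cert-file: certificate this process presents when it dials out with these settings; falls back to cert-file when unset`, and a short struct comment here (`// ClientCertFile/ClientKeyFile: cert presented on outbound connections; optional, falls back to CertFile/KeyFile`) would save the next maintainer the same detour.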
@@ -202,6 +202,8 @@ func newConfig() *config {
 	// security
 	fs.StringVar(&cfg.ec.ClientTLSInfo.CertFile, "cert-file", "", "Path to the client server TLS cert file.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
+	fs.StringVar(&cfg.ec.ClientTLSInfo.ClientCertFile, "client-cert-file", "", "Path to an explicit peer client TLS cert file otherwise cert file will be used when client auth is required.")
+	fs.StringVar(&cfg.ec.ClientTLSInfo.ClientKeyFile, "client-key-file", "", "Path to an explicit peer client TLS key file otherwise key file will be used when client auth is required.")
 	fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.")
 	fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedHostname, "client-cert-allowed-hostname", "", "Allowed TLS hostname for client cert authentication.")
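Review bot: The help text for `--client-cert-file` and `--client-key-file` says "peer client TLS cert file" although these flags are bound to ClientTLSInfo, not PeerTLSInfo; it looks copy-pasted from the peer flags and will send operators to the wrong section. The "when client auth is required" clause is also misleading: the cert is configured unconditionally and TLS only presents it when the remote asks, which is not something the operator controls here. Suggested wording: `"Path to the TLS cert file presented when this process dials out with the client transport settings; --cert-file is used if unset."` and the matching key-file sentence.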
@@ -209,6 +211,8 @@ func newConfig() *config {
 	fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
+	fs.StringVar(&cfg.ec.PeerTLSInfo.ClientCertFile, "peer-client-cert-file", "", "Path to an explicit peer client TLS cert file otherwise peer cert file will be used when client auth is required.")
+	fs.StringVar(&cfg.ec.PeerTLSInfo.ClientKeyFile, "peer-client-key-file", "", "Path to an explicit peer client TLS key file otherwise peer key file will be used when client auth is required.")
 	fs.BoolVar(&cfg.ec.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
 	fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go
index 88fdbb0a7..0a0b58032 100644
--- a/tests/e2e/etcd_config_test.go
+++ b/tests/e2e/etcd_config_test.go
@@ -163,6 +163,8 @@ func TestEtcdPeerCNAuth(t *testing.T) {
 		args = []string{
 			"--peer-cert-file", certPath,
 			"--peer-key-file", privateKeyPath,
+			"--peer-client-cert-file", certPath,
+			"--peer-client-key-file", privateKeyPath,
 			"--peer-trusted-ca-file", caPath,
 			"--peer-client-cert-auth",
 			"--peer-cert-allowed-cn", "example.com",
@@ -171,6 +173,8 @@ func TestEtcdPeerCNAuth(t *testing.T) {
 		args = []string{
 			"--peer-cert-file", certPath2,
 			"--peer-key-file", privateKeyPath2,
+			"--peer-client-cert-file", certPath2,
+			"--peer-client-key-file", privateKeyPath2,
 			"--peer-trusted-ca-file", caPath,
 			"--peer-client-cert-auth",
 			"--peer-cert-allowed-cn", "example2.com",
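Review bot: TestEtcdPeerCNAuth now passes the same file through both `--peer-cert-file` and `--peer-client-cert-file`, so the e2e test only proves the new flags are accepted, not that a node whose server cert lacks clientAuth can still join a cluster when given a clientAuth-only cert; that is the scenario the commit message describes and the reason the server-serverusage and client-clientusage fixtures were minted in this patch. A sibling case wiring `--peer-cert-file server-serverusage.crt` with `--peer-client-cert-file client-clientusage.crt` on every member (and one negative case with the client cert omitted, expecting the join to fail) would pin the behaviour. The diffstat lists tests/integration/cluster_test.go, which may already cover the split at the integration layer; if so a one-line comment here pointing at it would stop the next reader from adding a duplicate. The surrounding loop and function begin before these hunks and end after them.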
diff --git a/tests/fixtures/ca.crt b/tests/fixtures/ca.crt index 8c628d185..8e3737207 100644 --- a/tests/fixtures/ca.crt +++ b/tests/fixtures/ca.crt 
@@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDrjCCApagAwIBAgIUb9uSXkXCq2x822QXvNdvkf/3ClkwDQYJKoZIhvcNAQEL +MIIDrjCCApagAwIBAgIUNkN+TZ3hgHno+H9j56nWkmb4dBEwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMDA5MDcwOTQzMDBaFw0zMDA5MDUwOTQz +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4 MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCQfDHia502Omwu1BkWB6yO4tQ2pMUkJccU6NWV1jhEJotXr6Nl84u4Z5Mf -EUUKNJ9frS928RXnL9bWepk1iyILHECOTZbQvolEy4u9xkuddovDvYr3Id7AopkX -z08OKPdclxTrcRPP5MUtYJ2Z7nwAYBamRMIl/oTXiDNf406V0dP9fk3MHs5DcDa5 -FpFXUII5fM3rHCv6UtwYJ++H1imy1LfpYyOd+/71Mk082/5EtHr35O/LG/ySTozp -bi6pkNVhy6aylNdsGml03dQNzam8G19KW+W01c9EOI00SgZxanK2JxUQisAbXUba -fseHa7eKMTdlr7wZe6Cw2s1x2ROBAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP -BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTRTZxGpVyNLLwH02fkOEb3hsqgEzAN -BgkqhkiG9w0BAQsFAAOCAQEAa7LXcHHXKRSxNv3+InYyi5/5pMjHO+v22s8/+3cJ -qIIdUgCDrtoxLalyhpRbMYOGWfIjM3bUGW+I03AGzMwQDlmz01vP5UDv6toMswFE -5F32sDbJw08qIngFOUmz629fi4/D5XOVzDBBh8Nw6ZAd5RJLbutNb+R/dnZYh+Cf -Uwv4iY3qksXlNXLoGUc41Fi8rNBwVsx2R2dF3qKGoKoQV+8aMiCvYObHptIS5DZe -T0pgg6RRTH3QeVEFUKNn4L0TDTm4NrqdSXysOFG6YhSI+Yp3gXLSWmH9XJLOKS64 -KgAUhYSWjzQ2TAiZD7cKzSvaWg29j9QlA4Bx6DnAvJLNrg== +AoIBAQDZwQPFZB+Kt6RIzYvTgbNlRIX/cLVknIy4ZqhLYDQNOdosJn04jjkCfS3k +F5JZuabkUs6d6JcLTbLWV5hCrwZVlCFf3PDn6DvK12GZpybhuqMPZ2T8P2U17AFP +mUj/Rm+25t8Er5r+8ijZmqVi1X1Ef041CFGESr3KjaMjec2kYf38cfEOp2Yq1JWO +0wpVfLElnyDQY9XILdnBepCRZYPq1eW1OSkRk+dZQnJP6BO95IoyREDuBUeTrteR +7dHHTF9AAgR5tnyZ+eLuVUZ2kskcWLxH3y9RyjvVJ+1uCzbdydVPf0H1pBoqWcuA +PYjYkLKMOKBWfYJhSzykhf+QMC7xAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQpJiv07dkY9WB0zgB6wOb/HMi8oDAN 
+BgkqhkiG9w0BAQsFAAOCAQEA0TQ8rRmLt4wYjz0BKh+jElMIg6LBPsCPpfmGDLmK +fdj4Jp7QFlLmXlQSmm8zKz3ftKoOFPYGQYHUkIirIrQB/tdHoXJLgxCzI0SrdCiM +m/DPVjfOTa9Mm5rPcUR79rGDLj2BgzDB+NTETVDXo8mAL5MjFdUyh6jOGBctkCG/ +TWdUaN33ZLwUl488NLaw98fIZ/F4d/dsyCJvHEaoo++dgjduoQxmH9Scr2Frmd8G +zYxOoZHG3ARBDp2mpr+I3UCR1/KTITF/NXL6gDcNY3wyZzoaGua7Bd/ysMSi1w3j +CyvClSvRPJRLQemGUP7B/Y8FUkbJ2i/7tz6ozn8sLi3V2Q== -----END CERTIFICATE----- diff --git a/tests/fixtures/client-clientusage.crt b/tests/fixtures/client-clientusage.crt new file mode 100644 index 000000000..71b305fbc --- /dev/null +++ b/tests/fixtures/client-clientusage.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECDCCAvCgAwIBAgIULbzkAv8zbkJzZIRDPnBwXl0/BH0wDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4 +MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDWBNo9tYRoQKv76xabz0EPXGJKHIrUjf0NbXz3d9jbP2sH +3hutXr/A221pULfZYIZdaUtmEuEr1905nYwJ2gnO9Y/iSc6fQ/4EjoT+VZLdINQw +I1dG2rtv2ZuYL5oYfgCjLkV1LzYuyfY/zJ93WoJW0YA0t50MEQNGEqD7pYlhsPej +iGyjagSi7zsoAkAagNprULH6RyAqDG7db+MfJOUzHUv4PWGBXPb0PHY3xA+WayFB +nP5AZO16oDh/UnzvfEAJULXeIOLs4eOmtzKMwZwrWzgCB+jBeVlc1FOwXQcmBamN +eYUs75GoO9aSSLROvnQiw2P0z0xVNmDokDXGsSRxAgMBAAGjgZIwgY8wDgYDVR0P +AQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD +VR0OBBYEFCB4ysDF81d6lkKIvebj08BcRWNoMB8GA1UdIwQYMBaAFCkmK/Tt2Rj1 +YHTOAHrA5v8cyLygMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG +9w0BAQsFAAOCAQEAo2B+piCBTjdpCLFj/kc+A0alZTbNdr0+BTsN+5aBE9k4JlZS +smkIQL0vyzjKw/W/o2EyPVcVKJX52/GQsC3bQrBb2lH1jRYgt5pRo24kKHy4Nlc3 +IaYg++ssfT2ZdpYiL3lzLyOHEumcynz3nI5M81e5CCIdEennxaM8FuiYN5OXDOR3 +j+bCYHLYPaWYZopfiSrnq+Z4gRUS2sMI1yqtiPSUdIJLnTfyEEdexvs/KUtFWvFO +4AcecKvT6HA8oNDiWfE6e854uDLTkbXW1rK+FWPU9pv5NR50+GBCvxvmDGtGXxQu +yu+kOsx2gfgNc4idIv1pjZF/1YzrrKGAhChN2A== +-----END CERTIFICATE----- diff --git a/tests/fixtures/client-clientusage.key.insecure b/tests/fixtures/client-clientusage.key.insecure new file mode 100644 index 000000000..ea139257c --- /dev/null +++ b/tests/fixtures/client-clientusage.key.insecure 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEA1gTaPbWEaECr++sWm89BD1xiShyK1I39DW1893fY2z9rB94b +rV6/wNttaVC32WCGXWlLZhLhK9fdOZ2MCdoJzvWP4knOn0P+BI6E/lWS3SDUMCNX +Rtq7b9mbmC+aGH4Aoy5FdS82Lsn2P8yfd1qCVtGANLedDBEDRhKg+6WJYbD3o4hs +o2oEou87KAJAGoDaa1Cx+kcgKgxu3W/jHyTlMx1L+D1hgVz29Dx2N8QPlmshQZz+ +QGTteqA4f1J873xACVC13iDi7OHjprcyjMGcK1s4AgfowXlZXNRTsF0HJgWpjXmF +LO+RqDvWkki0Tr50IsNj9M9MVTZg6JA1xrEkcQIDAQABAoIBAAGBZTub5EOLeOo7 +vBv6eD2wa6yTyNI38Xi/tWpUOH1KU+lpQY6VpQmpQXrFK5Xm3OsZS4N7TIQvb4nx +NsP2+aywA4QW+tIZ+1Zy3jKfzXmqunNgPEPuU/U0dai7ZP0ZHc4IDEsHuvzXRNks +Ck8fnt0XeixkwkEMeZZrmSBMCMxcHAWxiv+oXF+olN3vTD2aDC8T6YwahMyQUQfW +IA9fuO8Dzzmk2I7mDHa29cbB+PW4E5tkJmHVZqEu8jPgMjCJGc2IR1YpLAXF8YBB +vgh6ZgI6JOg1OiNETuQekamAMOblFVOdPUjPSxuyJzEE8VpIdD3Z9UMNq+FDQh/F +j1lEEEECgYEA9nYwUh+e0H9c9IRBLNYAbq2PV4SpFKvFrHOTQpylMPisUTgdHKLT +CvO1wbNprElBAulOWobCyKshWGd5ECFsCvsWS6xmGi442q3ov5xtAMmvSmtW8s+8 +tUeVRQGS/Yn5Uxj2msUPe6vJEniLgsxmbFbDYqvr65COrAsCDEY3DkkCgYEA3k09 +EGhiO1joDtJPI21vUzzecBuep32oKiwip3OgS/mct04/QR+6lp1x4sPMYlyxbyk9 +jPdkzU07d8r+mES9RweE5lc1aCaF5eA8y6qtL9vBgsXRiEXlpYLxb0TOQaYNU0qM +aYumYPWjsjwYDvRKaVzThFUkYwapKFqtMV98BOkCgYAkIOkucLIwMCtpMKX5M5m2 +n7yegLTkcdW1VO/mWN4iUqG3+jjSRNAZD+a58VnxRn/ANIEm5hBRqDxoICrwAWY8 +Kdh32VrSRapR7CJtTDnyXp5Sk2+YgnlQPaEVD4kDn6Er3EHyKCb/4wvDqGYTE3GE +OifEJB2eV3+Cms5/DB/v+QKBgFzV8r9saEGSkm7GI2iPJiOj0t0Mm8gksNrTzbES +l4nC91CR69adkoWdwNbLoAof3bWnil3ZXw5hx4jyjDo40rbcDANJvjL9i4OBjsIb +R/Ipmvmq9SMs1Ye2VG98U4qU9xGmm1bkjBoH21HuyLlOCdlQe8DS8bwtJu2EWLm6 +v4cpAoGAP3pqi6iIZAbJVqw6p5Xd/BLzn3iS+lwQjwF/IWp5UnFCGovnVSJG2wqP +kxL9jy4asMDDuMKzEzO3+UT6WBRI+idV8PgDNEYkXcnVAA5lZ+2kCJwRICsC6MYH +1nIHJtPngUrwT3TUhMp/WfpYUjTdiOC3aJmKq/NGZxE8/Sb3G6U= +-----END RSA PRIVATE KEY----- diff --git a/tests/fixtures/client-nocn.crt b/tests/fixtures/client-nocn.crt index 4640feefe..a75a70191 100644 --- a/tests/fixtures/client-nocn.crt +++ b/tests/fixtures/client-nocn.crt 
@@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIID/DCCAuSgAwIBAgIUWFc9bqAgLYdNGvkVaddwlCvrGskwDQYJKoZIhvcNAQEL +MIID/DCCAuSgAwIBAgIUCzIuVb3586z5C2rQ65jeo4wfbfowDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMDA5MDcwOTQzMDBaFw0zMDA5MDUwOTQz +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0yMTAyMjgxMDQ4MDBaFw0zMTAyMjYxMDQ4 MDBaMGIxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT -ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKtllzAymU7Q -/TVdZwqP84zXC2btrq8I0nXRQ3dx5MyATb8/RGRgIYLUc3k9w5OvS3Eo6Tloxz2L -BzZ2Y/aJibfzVl/mKbGrQYYGD/iGKDLv+iJ7+uOLf/eqERDe4K41OIJRfGD/a9Y8 -XXBIxYrtayfjv1gbonWjgwdcrEX3vsDWZ5cWK7BBoaBuL0lUPJgU0QCSBQqKC8EO -2KXVjnSZglywRDDPa4vZrmSdpGeci9b1jj3CeBjcVjbEmgQxLZ83W1ASe74+IBtH -fHtNSGNF5/joxqeF0X3Ve+luzhRyHUd3k2bfVXZJ+vEAymabY680Hvp5mfYPKUIu -NL5gF6bfZ68CAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI -KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLtGYQh2 -/fZo6O14SmcaAIiTVgHOMB8GA1UdIwQYMBaAFNFNnEalXI0svAfTZ+Q4RveGyqAT +ZWN1cml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKmOrIfZ9mH9 +O3wLgGinUXDAG+XAP6P6NG9VkWaCUfOkY8x8RKSeuOri31EgYGmFYmQXCtS/WlHD +GCLrUhTnIrC1/WqvuPJIoMMTw7JLh59IuIWdlxds7FWjyuLmi4oUHvCG6aXiT/Z3 +ylp4r/HBL+R6KKqQpRjFfwhb1bIWpxZe5ghUtx4AuAW7ayQgpC7FJ3aVW/SS5p0m +IxyKqGvl45IsZuZY59Sa/X2AWSRpr+qe0tM4n1R+1bDhjcV6EuhyfubdSkZHfUJp +PaoUdynHT/VuI5xMF4OXbiwXP36XvHiHd9LIrPOyubrRYvn8dKweBJkvNCnlQo09 +zVH5zb9p0DsCAwEAAaOBnDCBmTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI +KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFG5evtY/ +UIPMBcah3B/1BWDI14nUMB8GA1UdIwQYMBaAFCkmK/Tt2Rj1YHTOAHrA5v8cyLyg MBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -EYaGSg5EaDBNte90AkjcP/NPbK22mE4aOUDMoNXMCmjmT4LVUhxV9MnwPmfAIvzz -GHLZsVTZPt91ex3lzf/mKV5CPbAnpn29U7tTHkgGaUhXuVN1/U7SEIEygApuvPTX 
-tYdY5vCTIRdlylNjYm29tQFIY/+L4og5lxFnfbjVyr3QPxHPB/9T7j0Tl5ppDjoL -zOhWe6PSUI0hVDpEwL70JH6CvqdS/5VjcToPwUw6YtUXNc2SvgJZK1biaSiJMnLf -k+ao0d/33BfZMzY2TTzX3UUNhcRk6plv1ljtyQiXsIOeUpNptQ/SdPVZlOI0biMW -Lo+BNaBpRERregCuiuuVnw== +VBjy5UtSe/f66d7dKgZVVfKDiOeSb1knATSy7/JyubxVgq64yTN6fqIYRQg4gyVW +IPf8W4BbhEXeA7VumVuTTKjILoufGecjrjA1Skb4lWGfV21A51Fs9TcMLPiQYZ1b +e2J2Trtd0CsteQj4BDrbgiSxahJBaj+4PfXM1tef51DJs+gEg16DGxdzFBtlY+ih +SwOX6YcUyxYzYX2szafPpVRuQqU0B63FkvBbsNMX1KamtAsLtvf/JxYpPY9eg5t/ +b5L6pXQkp6bK3q8Gv1WApjD8tcwqBkcJrbjgJ6gfW9h3zEbLmxkAv46sJodVLInL +SYrHgrQ7TRd29DybB6cPAQ== -----END CERTIFICATE----- diff --git a/tests/fixtures/client-nocn.key.insecure b/tests/fixtures/client-nocn.key.insecure index 4089fa09b..87f20c646 100644 --- a/tests/fixtures/client-nocn.key.insecure +++ b/tests/fixtures/client-nocn.key.insecure 
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAq2WXMDKZTtD9NV1nCo/zjNcLZu2urwjSddFDd3HkzIBNvz9E -ZGAhgtRzeT3Dk69LcSjpOWjHPYsHNnZj9omJt/NWX+YpsatBhgYP+IYoMu/6Inv6 -44t/96oREN7grjU4glF8YP9r1jxdcEjFiu1rJ+O/WBuidaODB1ysRfe+wNZnlxYr -sEGhoG4vSVQ8mBTRAJIFCooLwQ7YpdWOdJmCXLBEMM9ri9muZJ2kZ5yL1vWOPcJ4 -GNxWNsSaBDEtnzdbUBJ7vj4gG0d8e01IY0Xn+OjGp4XRfdV76W7OFHIdR3eTZt9V -dkn68QDKZptjrzQe+nmZ9g8pQi40vmAXpt9nrwIDAQABAoIBAAZjRmO29wy/cDht -bzovDEIq/5NJ93ExkHpwnqWUepT+kSc4Cen9xTH1jgouOZxG87ZXcn2/wHE0PcQT -XH1jOd0/te/kCZjEC7CdiDnYciYX2Igxe7PATrghv/oTfGcxt5XvyIVq749v94GI -TMh1OcGmVMrJWOAuhGMhWpBO/+5634pt/GwbE8xAimMpOLtk5G/wHM9yWEPu3fVK -fhz57gvlZXwWtSAsNgvGnRYw5FABJ+TxskM8TJmnWkeea6kmg7IhRQpXIPoxYyGJ -P9d6xGNBoPzLoXcZfQUL/E3m93gN51P4bCQ7O2sIX9WKbnuFQ5B27zQtitnT0JCZ -TwHyD+ECgYEA1hJE5x5LuNRS5Tq8miGmo2YPg+zYQ+5gQNwAbdae8s1G+HnKbdS0 -U3RUcLa/RD/F0cvNpUC8FIQNTBFX9+vfek3kB37AiGDgRJHmRD+yudhympbj9RvM -iw2zQzr56V8nHBY3gS7Gq6EgZqN+9JCtHof2cBa6EnBGPVfpZ6UtMKECgYEAzPeV -EdUKGHOcZsEFYfCFkY7sSOD+KlDcMmuCEzRgpNrhhqwmxSFWEbrQ11+Il5/WL58e -x1J8ZwQAarjeAHMGCbZaxWmN6Owz08XvwSQWasHeRqR0jiuJywSbsg94lUY87mSl -7k8FJ4+fhp7fAzjBr9LwM448TGRPKe2T6yVFpk8CgYBtNMqzwM/OTXqweCNo2cvh -xZoaqgO1u/Cchd8uKXPS14fiEHeFSiJoBItjKMcwMPxgx4B0Ui7gpHEIIjznPAw4 -n225qR7dM9aVBH0cygYKKvJkDJ/kFbdmJKoTnQ2K0UDpYigUneE6Ayu9UKDecMPw -NFoy2lU4PNCIUMXAWxJPoQKBgA8aSxymQvksQ6D6pgfibiUcj+KK2Y+Kp777VvlN -SbW7/xQqSS0LWMkzp8HG40yw1Vpq8hyjwlDg5Zr3hjwoPZCnpCaZsYAxL1xyYEkt -/IzfPh6cbY4wPRX9f+9t3me5ZjH2rpdRsUKJ/aowuKQHIZZwB4z09RJ37bFcNSMF -ew1XAoGBAM9lh717yxLq7my60R68AKpvACOz3fyhGDDJdQT8h3b4UcO9C8luOtIS -LRVZHkv9O4uCLh+XHik87qc9ntxDIGElikjymey19xWjuk8HQSYAyWbw5SHdDsth -1W8QacI9KLlHAujZwi1VB9HuUnGhtlLt6IW5sZxFItiV0OxJZX79 +MIIEowIBAAKCAQEAqY6sh9n2Yf07fAuAaKdRcMAb5cA/o/o0b1WRZoJR86RjzHxE +pJ646uLfUSBgaYViZBcK1L9aUcMYIutSFOcisLX9aq+48kigwxPDskuHn0i4hZ2X +F2zsVaPK4uaLihQe8IbppeJP9nfKWniv8cEv5HooqpClGMV/CFvVshanFl7mCFS3 +HgC4BbtrJCCkLsUndpVb9JLmnSYjHIqoa+Xjkixm5ljn1Jr9fYBZJGmv6p7S0zif 
+VH7VsOGNxXoS6HJ+5t1KRkd9Qmk9qhR3KcdP9W4jnEwXg5duLBc/fpe8eId30sis +87K5utFi+fx0rB4EmS80KeVCjT3NUfnNv2nQOwIDAQABAoIBAECPnM4VhiUFgTLY +RkqS+wWNgJHYw+KyEGkcEcMQeBfnTkC8SH7OGOcG/7UqOMu1CCPISk17lu5u9K/H +HnfrEmBqy1VmF2vZj6z3x5oJ/FgAHpJx0OgQh2SMe2IuGo+23ZkEJc8N/xh/wEL2 +lTfeMVgz02wuq05lVNtf7FxlF7YCSaxxxDtQQTDR3BSq6l12tB81TQvAD+yh35Gs +1jGhPeKHWc1jny309vczpJq4eIK2xhE+MT8YZAiuHCLGOHUlBBpleo5knyMueVE/ +/Ezbz6eFiIFYpoHA3d3pv3Dy+5WVnhD0YDQPe+jCQrzxyFGDiN488JQ2tVeRM85b +q0naaZECgYEA1T8XWPqRkhjMy0vJxTVux+wdD3u9DIvgBfHxjBUS2xlZdOiLLmBD +CDVLKe+Twn0KiTb0eU+zNn4g1qnxLXmAH7xYWPLtqoI4mM0O89SWxr06ExplamHp +w5k5O3eJr0veKyCUqVbZRZsOQLi1zqEbaOqpA7TrsQOOT5io+0vVoV0CgYEAy407 +JRaGBTBNOPayBVFY+7PRsSRPtcjzbOHriCe4rDn8aIPPmzHyWEIL0pXk5I1eW978 +veC/2oZMsxO2vaKta1bSSOrNA8UJQ+t5Ipp6Fj6yAI5dMDcgOIctE8ctxDUfccQM +kS5DDw0W3zYMI7ixyOe6ydX4OAlcpZgqFpNIJncCgYEAuB1pAyIUXZeb+krNQsAH +jgWGcb/cUeDS408pxlDLnvAcFJxSzw+90HBzHRoE8X8UgbQ5ECSIDxyHLdA8s46b +2Mq9XM8h9H3Kb+NcbZm3NJBce/Hmbhtrwb2hdH6ZGgjfIU1YDX02yqo9fBP+pRDk +oYk5tEGY3ZS8YmzkOVQYduECgYACgnNAOc7dMYNCOIhpWF9oewcS0AfLjfayWPa2 +bwbv2KcsArQEjdEXFXlf10lDKBsJtu4WyTaUUyOO8adHH0JUGHXvQDXW3g8HL1gG +/TCUJaG8MAUmGwfiqof7vnDqAl2o4WnmQFPDU738coYjypsmhvTemCy/RB5ITF/4 +d0hkcQKBgAWpzCnPAh4tPWw1OGE2QSsbRR15hR+67BltiZ+nxJnDcXXS2i08QBkA +3VR0ywWsos+Sox6jm8LpH8RiKqZ5laUjHHUUuX1Tgfxn4EmHo6bBffw7k9vkY7xr +w5Nw/gMRevkRrDQ4Z66z2HspyCHfmdPzWX9zsaSc4nzNs7fw2/uf -----END RSA PRIVATE KEY----- diff --git a/tests/fixtures/gencert.json b/tests/fixtures/gencert.json index 09b67267b..3a88f68d9 100644 --- a/tests/fixtures/gencert.json +++ b/tests/fixtures/gencert.json @@ -8,6 +8,24 @@ "client auth" ], "expiry": "87600h" + }, + "profiles": { + "client-only": { + "usages": [ + "signing", + "key encipherment", + "client auth" + ], + "expiry": "87600h" + }, + "server-only": { + "usages": [ + "signing", + "key encipherment", + "server auth" + ], + "expiry": "87600h" + } } } } diff --git a/tests/fixtures/gencerts.sh b/tests/fixtures/gencerts.sh index a800b8058..e4226fca0 100755 
--- a/tests/fixtures/gencerts.sh +++ b/tests/fixtures/gencerts.sh @@ -31,9 +31,15 @@ function gencert { mv $2-key.pem $2.key.insecure } -# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates +# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates, with dual usage gencert ./server-ca-csr.json server +#generates certificate that only has the 'server auth' usage +gencert "--profile=server-only ./server-ca-csr.json" server-serverusage + +#generates certificate that only has the 'client auth' usage +gencert "--profile=client-only ./server-ca-csr.json" client-clientusage + #generates certificate that does not contain CN, to be used for proxy -> server connections. gencert ./client-ca-csr-nocn.json client-nocn diff --git a/tests/fixtures/revoke.crl b/tests/fixtures/revoke.crl index dd90fc21ce45ae912f17e2efd5774cc7a4a7b9ee..61862f41b91bfa933b385d026dd293c94799eb18 100644 GIT binary patch delta 390 zcmeBT>0+7CTW@G!WMpAzU}|Jy93{?cWN2V)U=HOPs2ivSzy4+ z#;Mij(e|B}k&&B~fw_s1kzw)P`qQDUxBk0xi!J+LaM)^%Kl23fWe=<_PknCDA^Q2I ztcgmy)0TCM`ZO)Sq-st+BVy|Oe2IUcm0riYQ;o@&tafO%?{=?=l-#eZ0TzKcl^?G)0sLJJ~P~vZQ2(y`I_M3;}Vr;wAb7?djIb! z%i0_Esyh-Lui3@@FWd6-)ra+e6593O7Nv_ksFv`af7|o$>fm$93p-zU-zxdObK`Q0 i7S=CuHy7;c@;Gh%cv0+7CTW?@sX<%+(X<}h$5GBrQ1mqf;K)D9$2C7UVrg4wvt?Uxpto7%9_2pA# z91~r9Qy~iB`W7e~C>qGKF^9@3vq%_-HHcjFo#VDNrdMYV`{nc}7H;3$PAw2N;AP{~ zYV&CO&dbQi&C0;s#K_1X#98m4v^!e$0CVBAoZPc_O+4nloV8XtCF~db3A;qYE&1<_ zrpo&{ocnB$&KQ1UcHNEDYu-&VxOK6$#d$Bs#Qk?;(m4*a$#^DwzGf66_bjAy_W5wb4Zgpw)!Ut^ zyU1-?a^(2@B^ylI-)y$@u8#Qev*1&)X};*A(|J}aKdj(g`)!K0*P$~v#EXo#7aIF1 z*l2fq&JDhHYU`dofzIar0yi>^6Te()TH`Pw=<=e7#T}mM?+o*2RG4kb-
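Review bot: The two new calls pack the cfssl profile and the CSR path into one shell word, `gencert "--profile=server-only ./server-ca-csr.json" server-serverusage`, which only works because the gencert function (defined before this hunk) must expand `$1` unquoted and let word splitting separate them; the moment someone quotes `"$1"`, as every shellcheck run will suggest, cfssl receives a single non-existent path and the fixtures silently stop regenerating. Passing the profile as its own optional parameter avoids the dependency on unquoted expansion, e.g. `gencert ./server-ca-csr.json server-serverusage server-only` with the function building its cfssl command from `${3:+--profile=$3}`; the function body is outside this hunk, so that change is not visible here. The two new `#generates` comments also drop the space after `#` that the existing "generate DNS" comment has.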