From 70b9c197f19db4b72f19a57029eed83d6a1c3c0d Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 1 Aug 2024 20:53:25 +0000 Subject: [PATCH 01/17] advancedtls examples --- examples/features/advancedtls/README.md | 26 ++ examples/features/advancedtls/client/main.go | 302 ++++++++++++++++++ examples/features/advancedtls/generate.sh | 83 +++++ .../advancedtls/localhost-openssl.cnf | 24 ++ examples/features/advancedtls/openssl-ca.cnf | 94 ++++++ examples/features/advancedtls/server/main.go | 180 +++++++++++ examples/go.mod | 1 + examples/go.sum | 2 + 8 files changed, 712 insertions(+) create mode 100644 examples/features/advancedtls/README.md create mode 100644 examples/features/advancedtls/client/main.go create mode 100755 examples/features/advancedtls/generate.sh create mode 100644 examples/features/advancedtls/localhost-openssl.cnf create mode 100644 examples/features/advancedtls/openssl-ca.cnf create mode 100644 examples/features/advancedtls/server/main.go diff --git a/examples/features/advancedtls/README.md b/examples/features/advancedtls/README.md new file mode 100644 index 000000000000..8406417a84de --- /dev/null +++ b/examples/features/advancedtls/README.md 
@@ -0,0 +1,26 @@
+# gRPC Advanced Security Examples
+This repo contains example code for different security configurations for grpc-go using `advancedtls`.
+
+The servers run a basic echo server with the following setups:
+* Port 8885: A server with a good certificate using certificate providers and crl providers.
+* Port 8884: A server with a revoked certificate using certificate providers and crl providers.
+* Port 8883: A server running using InsecureCredentials.
+
+The clients are designed to call these servers with varying configurations of credentials and revocation configurations.
+* mTLS with certificate providers and CRLs
+* mTLS with custom verification
+* mTLS with credentials from credentials.NewTLS (directly using the tls.Config)
+* Insecure Credentials
+
+## Generate the credentials used in the examples
+Run `./generate.sh` from `/path/to/grpc-go/examples/features/advancedtls` to generate the `creds` directory containing the certificates and CRLs needed for these examples.
+
+## Building and Running
+```
+# Run the clients from the `grpc-go/examples/features/advancedtls` directory
+$ go run client/main.go -credentials_directory $(pwd)/creds
+# Run the server
+$ go run server/main.go -credentials_directory $(pwd)/creds
+```
+
+Stop the servers with ctrl-c or by killing the process.
\ No newline at end of file
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
new file mode 100644
index 000000000000..ca0bce48599b
--- /dev/null
+++ b/examples/features/advancedtls/client/main.go
@@ -0,0 +1,302 @@ +package main + +import ( + "context" + "crypto/tls" + "crypto/x509" + "flag" + "fmt" + "os" + "path/filepath" + "time" + + pb "google.golang.org/grpc/examples/features/proto/echo" + + "google.golang.org/grpc" + "google.golang.org/grpc/credentials" + "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/credentials/tls/certprovider" + "google.golang.org/grpc/credentials/tls/certprovider/pemfile" + "google.golang.org/grpc/security/advancedtls" +) + +const credRefreshInterval = 1 * time.Minute +const serverAddr = "localhost" +const goodServerPort string = "8885" +const revokedServerPort string = "8884" +const insecurePort string = "8883" +const message string = "Hello" + +// -- TLS -- + +func makeRootProvider(credsDirectory string) certprovider.Provider { + rootOptions := pemfile.Options{ + RootFile: filepath.Join(credsDirectory, "ca_cert.pem"), + RefreshDuration: credRefreshInterval, + } + rootProvider, err := pemfile.NewProvider(rootOptions) + if err != nil { + fmt.Printf("Error %v\n", err) + os.Exit(1) + } + return rootProvider +} + +func makeIdentityProvider(revoked bool, credsDirectory string) certprovider.Provider { + var cert_file string + if revoked { + cert_file = filepath.Join(credsDirectory, "client_cert_revoked.pem") + } else { + cert_file = filepath.Join(credsDirectory, "client_cert.pem") + } + identityOptions := pemfile.Options{ + CertFile: cert_file, + KeyFile: filepath.Join(credsDirectory, "client_key.pem"), + RefreshDuration: credRefreshInterval, + } + identityProvider, err := pemfile.NewProvider(identityOptions) + if err != nil { + fmt.Printf("Error %v\n", err) + os.Exit(1) + } + return identityProvider +} + +func runClientWithProviders(rootProvider certprovider.Provider, identityProvider certprovider.Provider, crlProvider advancedtls.CRLProvider, port string, shouldFail bool) { + options := &advancedtls.Options{ + // Setup the certificates to be used + IdentityOptions: advancedtls.IdentityCertificateOptions{ + 
IdentityProvider: identityProvider, + }, + // Setup the roots to be used + RootOptions: advancedtls.RootCertificateOptions{ + RootProvider: rootProvider, + }, + // Tell the client to verify the server cert + VerificationType: advancedtls.CertVerification, + } + + // Configure revocation and CRLs + options.RevocationOptions = &advancedtls.RevocationOptions{ + CRLProvider: crlProvider, + } + + clientTLSCreds, err := advancedtls.NewClientCreds(options) + + if err != nil { + fmt.Printf("Error %v\n", err) + os.Exit(1) + } + fullServerAddr := serverAddr + ":" + port + runWithCredentials(clientTLSCreds, fullServerAddr, !shouldFail) +} + +func TlsWithCrlsToGoodServer(credsDirectory string) { + rootProvider := makeRootProvider(credsDirectory) + defer rootProvider.Close() + identityProvider := makeIdentityProvider(false, credsDirectory) + defer identityProvider.Close() + crlProvider := makeCrlProvider(credsDirectory) + defer crlProvider.Close() + + fmt.Println("Client running against good server.") + runClientWithProviders(rootProvider, identityProvider, crlProvider, goodServerPort, false) +} + +func TlsWithCrlsToRevokedServer(credsDirectory string) { + rootProvider := makeRootProvider(credsDirectory) + defer rootProvider.Close() + identityProvider := makeIdentityProvider(false, credsDirectory) + defer identityProvider.Close() + crlProvider := makeCrlProvider(credsDirectory) + defer crlProvider.Close() + + fmt.Println("Client running against revoked server.") + runClientWithProviders(rootProvider, identityProvider, crlProvider, revokedServerPort, true) +} + +func TlsWithCrls(credsDirectory string) { + fmt.Println("---------- Running TLS with CRLs to Good Server ----------") + TlsWithCrlsToGoodServer(credsDirectory) + fmt.Println("---------- Running TLS with CRLs to Revoked Server ----------") + TlsWithCrlsToRevokedServer(credsDirectory) +} + +func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider { + options := advancedtls.FileWatcherOptions{ + 
CRLDirectory: crlDirectory, + } + provider, err := advancedtls.NewFileWatcherCRLProvider(options) + if err != nil { + fmt.Printf("Error making CRL Provider: %v\nExiting...", err) + os.Exit(1) + } + return provider +} + +// --- Custom Verification --- +func customVerificaitonSucceed(info *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) { + // Looks at info for what you care about as the custom verification implementer + if info.ServerName != "localhost:8885" { + return nil, fmt.Errorf("expected servername of localhost:8885, got %v", info.ServerName) + } + return &advancedtls.PostHandshakeVerificationResults{}, nil +} + +func customVerificaitonFail(info *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) { + // Looks at info for what you care about as the custom verification implementer + if info.ServerName != "ExampleDesignedToFail" { + return nil, fmt.Errorf("expected servername of ExampleDesignedToFail, got %v", info.ServerName) + } + return &advancedtls.PostHandshakeVerificationResults{}, nil +} + +func CustomVerification(credsDirectory string) { + fmt.Println("---------- Running TLS with Custom Verification ----------") + runClientWithCustomVerification(credsDirectory, goodServerPort) + +} + +func runClientWithCustomVerification(credsDirectory string, port string) { + rootProvider := makeRootProvider(credsDirectory) + defer rootProvider.Close() + identityProvider := makeIdentityProvider(false, credsDirectory) + defer identityProvider.Close() + fullServerAddr := serverAddr + ":" + port + { + // Run with the custom verification func that will succeed + options := &advancedtls.Options{ + // Setup the certificates to be used + IdentityOptions: advancedtls.IdentityCertificateOptions{ + IdentityProvider: identityProvider, + }, + // Setup the roots to be used + RootOptions: advancedtls.RootCertificateOptions{ + RootProvider: rootProvider, + }, + // Tell the client to verify the 
server cert + VerificationType: advancedtls.CertVerification, + AdditionalPeerVerification: customVerificaitonSucceed, + } + + clientTLSCreds, err := advancedtls.NewClientCreds(options) + + if err != nil { + fmt.Printf("Error %v\n", err) + os.Exit(1) + } + runWithCredentials(clientTLSCreds, fullServerAddr, true) + } + { + // Run with the custom verification func that will fail + options := &advancedtls.Options{ + // Setup the certificates to be used + IdentityOptions: advancedtls.IdentityCertificateOptions{ + IdentityProvider: identityProvider, + }, + // Setup the roots to be used + RootOptions: advancedtls.RootCertificateOptions{ + RootProvider: rootProvider, + }, + // Tell the client to verify the server cert + VerificationType: advancedtls.CertVerification, + AdditionalPeerVerification: customVerificaitonFail, + } + + clientTLSCreds, err := advancedtls.NewClientCreds(options) + + if err != nil { + fmt.Printf("Error %v\n", err) + os.Exit(1) + } + runWithCredentials(clientTLSCreds, fullServerAddr, false) + } +} + +// -- credentials.NewTLS example -- +func CredentialsNewTLSExample(credsDirectory string) { + fmt.Println("---------- Running client using NewTLS to create Credentials ----------") + cert, err := tls.LoadX509KeyPair(filepath.Join(credsDirectory, "client_cert.pem"), filepath.Join(credsDirectory, "client_key.pem")) + if err != nil { + os.Exit(1) + } + rootPem, err := os.ReadFile(filepath.Join(credsDirectory, "ca_cert.pem")) + root := x509.NewCertPool() + if !root.AppendCertsFromPEM(rootPem) { + os.Exit(1) + } + + config := &tls.Config{ + Certificates: []tls.Certificate{cert}, + RootCAs: root, + } + + // Directly create credentials from a tls.Config. 
+ creds := credentials.NewTLS(config) + port := goodServerPort + fullServerAddr := serverAddr + ":" + port + runWithCredentials(creds, fullServerAddr, true) + +} + +// -- Insecure -- +func InsecureCredentialsExample(credsDirectory string) { + fmt.Println("---------- Running client using Insecure Credentials ----------") + creds := insecure.NewCredentials() + port := insecurePort + fullServerAddr := serverAddr + ":" + port + runWithCredentials(creds, fullServerAddr, true) +} + +// -- Main and Runner -- + +// All of these examples differ in how they configure the +// credentials.TransportCredentials object. Once we have that, actually making +// the calls with gRPC is the same. +func runWithCredentials(creds credentials.TransportCredentials, fullServerAddr string, shouldSucceed bool) { + conn, err := grpc.NewClient(fullServerAddr, grpc.WithTransportCredentials(creds)) + if err != nil { + fmt.Printf("Error during grpc.NewClient %v\n", err) + os.Exit(1) + } + defer conn.Close() + client := pb.NewEchoClient(conn) + req := &pb.EchoRequest{ + Message: message, + } + context, cancel := context.WithTimeout(context.Background(), 10*time.Second) + resp, err := client.UnaryEcho(context, req) + defer cancel() + + if shouldSucceed { + if err != nil { + fmt.Printf("Error during client.UnaryEcho %v\n", err) + } else { + fmt.Printf("Response: %v\n", resp.Message) + if resp.Message != message { + fmt.Println("Didn't get correct response") + } + } + } else { + // This should fail + if err == nil { + fmt.Printf("Should have failed but didn't, got response: %v\n", resp) + } else { + fmt.Printf("Handshake failed expectedly with error: %v\n", err) + } + } + +} +func main() { + credsDirectory := flag.String("credentials_directory", "", "Path to the creds directory of this example repo") + flag.Parse() + + if *credsDirectory == "" { + fmt.Println("Must set credentials_directory argument to this repo's creds directory") + os.Exit(1) + } + TlsWithCrls(*credsDirectory) + 
CustomVerification(*credsDirectory) + CredentialsNewTLSExample(*credsDirectory) + InsecureCredentialsExample(*credsDirectory) +} diff --git a/examples/features/advancedtls/generate.sh b/examples/features/advancedtls/generate.sh new file mode 100755 index 000000000000..507a2ada6640 --- /dev/null +++ b/examples/features/advancedtls/generate.sh 
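Review bot: In runWithCredentials the local `context, cancel := context.WithTimeout(...)` shadows the imported `context` package for the rest of the function, and `defer cancel()` is registered only after the `UnaryEcho` call it guards; it works because nothing returns in between, but it reads as a mistake. Rename and defer immediately: `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)`, `defer cancel()`, `resp, err := client.UnaryEcho(ctx, req)`. The client builds its CRL provider over `credsDirectory` itself, which also holds the certificates, keys and the CA database, while the server watches the `crl` subdirectory that generate.sh rehashes; if that is deliberate, a comment at the `makeCrlProvider(credsDirectory)` call explaining it would help, and it is worth confirming that `FileWatcherCRLProvider` tolerates the non-CRL files it will find there. The `customVerificaiton*` names are misspelled, and their comment `// Looks at info for what you care about ...` could add that `info.ServerName` is the authority the client itself dialed, so the check demonstrates where a custom policy hooks in rather than verifying anything about the peer.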
@@ -0,0 +1,83 @@
+rm -rf creds
+mkdir creds
+pushd creds
+touch index.txt
+echo "01" > serial.txt
+cp "../localhost-openssl.cnf" .
+cp "../openssl-ca.cnf" .
+
+# Create the CA private key and certificate
+openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -nodes -days 3650 -subj "/C=US/ST=Georgia/L=Atlanta/O=Test CA/OU=Test CA Organzation/CN=Test CA Organization/emailAddress=test@example.com"
+
+#################### Server cert
+
+# Generate Server private key
+openssl genrsa -out server_key.pem 4096
+
+# Generate Server Certificate Signing Request (CSR)
+openssl req -config "localhost-openssl.cnf" -new -key server_key.pem -out server_csr.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test Server/OU=Test Server Organzation/CN=Test Server Organization/emailAddress=testserver@example.com"
+
+# Use the CA to sign the Server CSR
+openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out server_cert.pem -in server_csr.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
+
+# Verify the server cert works
+openssl verify -verbose -CAfile ca_cert.pem server_cert.pem
+
+## Generate another server cert to be revoked
+openssl req -config "localhost-openssl.cnf" -new -key server_key.pem -out server_csr_revoked.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test server/OU=Test server Organzation/CN=Test server Organization/emailAddress=testserver@example.com"
+
+# Use the CA to sign the server CSR
+openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out server_cert_revoked.pem -in server_csr_revoked.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
+
+# Verify the server cert works
+openssl verify -verbose -CAfile ca_cert.pem server_cert_revoked.pem
+
+# Revoke the cert
+openssl ca -config "openssl-ca.cnf" -revoke server_cert_revoked.pem
+
+# Generate the CRL
+openssl ca -config "openssl-ca.cnf" -gencrl -out server_revoked.crl
+
+# Make sure the cert is actually revoked
+openssl verify -verbose -CAfile ca_cert.pem -CRLfile server_revoked.crl -crl_check_all server_cert_revoked.pem
+
+#################### Client cert
+# Generate client private key
+openssl genrsa -out client_key.pem 4096
+
+# Generate client Certificate Signing Request (CSR)
+openssl req -config "localhost-openssl.cnf" -new -key client_key.pem -out client_csr.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test client/OU=Test client Organzation/CN=Test client Organization/emailAddress=testclient@example.com"
+
+# Use the CA to sign the client CSR
+openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out client_cert.pem -in client_csr.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
+
+# Verify the client cert works
+openssl verify -verbose -CAfile ca_cert.pem client_cert.pem
+
+## Generate another client cert to be revoked
+openssl req -config "localhost-openssl.cnf" -new -key client_key.pem -out client_csr_revoked.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Test client/OU=Test client Organzation/CN=Test client Organization/emailAddress=testclient@example.com"
+
+# Use the CA to sign the client CSR
+openssl ca -config "openssl-ca.cnf" -policy signing_policy -extensions signing_req -out client_cert_revoked.pem -in client_csr_revoked.pem -keyfile ca_key.pem -cert ca_cert.pem -batch
+
+# Verify the client cert works
+openssl verify -verbose -CAfile ca_cert.pem client_cert_revoked.pem
+
+# Revoke the cert
+openssl ca -config "openssl-ca.cnf" -revoke client_cert_revoked.pem
+
+# Generate the CRL
+openssl ca -config "openssl-ca.cnf" -gencrl -out client_revoked.crl
+
+# Make sure the cert is actually revoked
+openssl verify -verbose -CAfile ca_cert.pem -CRLfile client_revoked.crl -crl_check_all client_cert_revoked.pem
+
+
+# Move the crl to another directory and run openssl's rehash
+mkdir crl
+mv client_revoked.crl crl/
+openssl rehash crl
+
+
+
+popd
\ No newline at end of file
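Review bot: The script has no shebang and no `set -e` even though it is committed as 100755 and relies on the bash builtins `pushd`/`popd`, so it runs under whichever shell happens to interpret it, and a failing `openssl` step (one of the `ca` signing steps in particular) only shows up in the later `openssl verify` output while the script keeps going and leaves a partial `creds` directory for the Go examples to trip over. `rm -rf creds` is also relative to the caller's working directory rather than the script's, which the README has to compensate for by telling the user where to run it. Start the file with `#!/usr/bin/env bash`, `set -euo pipefail` and `cd "$(dirname "$0")"`.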
diff --git a/examples/features/advancedtls/localhost-openssl.cnf b/examples/features/advancedtls/localhost-openssl.cnf
new file mode 100644
index 000000000000..bacdb0059d9a
--- /dev/null
+++ b/examples/features/advancedtls/localhost-openssl.cnf
@@ -0,0 +1,24 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = US
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Georgia
+localityName = Locality Name (eg, city)
+localityName_default = Atlanta
+organizationName = Organization Name (eg, company)
+organizationName_default = Test Department
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+IP.1 = 0.0.0.0
diff --git a/examples/features/advancedtls/openssl-ca.cnf b/examples/features/advancedtls/openssl-ca.cnf
new file mode 100644
index 000000000000..64d3de014076
--- /dev/null
+++ b/examples/features/advancedtls/openssl-ca.cnf
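Review bot: `IP.1 = 0.0.0.0` puts the unspecified address in the SAN list; no client verifies a peer against 0.0.0.0 and the examples dial `localhost`, which `DNS.1` already covers, so the entry does nothing here and would only confuse anyone who reuses the file. Either drop it or add a comment saying why it is present. The `keyUsage` in `v3_req` appears to be superseded at signing time by `signing_req` in openssl-ca.cnf, so `nonRepudiation` never reaches the issued certificates; a comment to that effect would stop readers expecting the two files to agree.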
@@ -0,0 +1,94 @@
+base_dir = .
+certificate = $base_dir/ca_cert.pem # The CA certifcate
+private_key = $base_dir/ca_key.pem # The CA private key
+new_certs_dir = $base_dir # Location for new certs after signing
+database = $base_dir/index.txt # Database index file
+serial = $base_dir/serial.txt # The current serial number
+
+unique_subject = no # Set to 'no' to allow creation of
+ # several certificates with same subject.
+
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+
+default_days = 10000 # How long to certify for
+default_crl_days = 30 # How long before next CRL
+default_md = sha256 # Use public key default MD
+preserve = no # Keep passed DN ordering
+
+x509_extensions = ca_extensions # The extensions to add to the cert
+crl_extensions = crl_ext
+
+email_in_dn = no # Don't concat the email in the DN
+copy_extensions = copy # Required to copy SANs from CSR to cert
+
+####################################################################
+[ req ]
+default_bits = 4096
+default_keyfile = ca_key.pem
+distinguished_name = ca_distinguished_name
+x509_extensions = ca_extensions
+string_mask = utf8only
+
+####################################################################
+[ ca_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = US
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Georgia
+
+localityName = Locality Name (eg, city)
+localityName_default = Atlanta
+
+organizationName = Organization Name (eg, company)
+organizationName_default = Test CA
+
+organizationalUnitName = Organizational Unit (eg, division)
+organizationalUnitName_default = Test CA Organization
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = Test CA Organization
+
+emailAddress = Email Address
+emailAddress_default = test@example.com
+
+####################################################################
+[ ca_extensions ]
+
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+
+
+
+####################################################################
+[ signing_policy ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ signing_req ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+#issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go
new file mode 100644
index 000000000000..d547c3898325
--- /dev/null
+++ b/examples/features/advancedtls/server/main.go
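Review bot: The `signing_req` profile issues leaf certificates with no `extendedKeyUsage`, so the same profile serves both server and client identities and, as far as Go's verifier is concerned, each is acceptable in either role; that is fine for a fixture, but a comment on `keyUsage = digitalSignature, keyEncipherment` saying the profile is intentionally role-agnostic would stop it being copied as a production CA config. `copy_extensions = copy` imports any extension a CSR asks for that the profile does not already set, which is what carries the SANs from localhost-openssl.cnf across; the comment `# Required to copy SANs from CSR to cert` could add that this is only acceptable because the CSRs are generated locally by generate.sh. `default_days = 10000` also gives the test leaves roughly 27 years of validity, worth stating as deliberate next to the value.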
@@ -0,0 +1,180 @@
+package main
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "net"
+ "os"
+ "path/filepath"
+ "time"
+
+ pb "google.golang.org/grpc/examples/features/proto/echo"
+
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials/insecure"
+ "google.golang.org/grpc/credentials/tls/certprovider"
+ "google.golang.org/grpc/credentials/tls/certprovider/pemfile"
+ "google.golang.org/grpc/security/advancedtls"
+)
+
+type server struct {
+ pb.UnimplementedEchoServer
+ name string
+}
+
+const credRefreshInterval = 1 * time.Minute
+const goodServerWithCrlPort int = 8885
+const revokedServerWithCrlPort int = 8884
+const insecurePort int = 8883
+
+func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
+ fmt.Printf("%v Received: %v\n", s.name, req.GetMessage())
+ return &pb.EchoResponse{Message: req.Message}, nil
+}
+
+func TlsServers(credentialsDirectory string) {
+ go func() {
+ createAndRunTlsServer(credentialsDirectory, false, goodServerWithCrlPort)
+ }()
+ go func() {
+ createAndRunTlsServer(credentialsDirectory, true, revokedServerWithCrlPort)
+ }()
+
+ fmt.Printf(`Running servers with the following configuration:
+ a good certificate and a crl active on 8885
+ a revoked certificate and a crl active on 8884
+`)
+}
+
+func InsecureServer(credentialsDirectory string) {
+ go func() {
+ createAndRunInsecureServer(insecurePort)
+ }()
+ fmt.Printf(`Running server with the following configuration:
+ insecure credentials on 8883
+`)
+}
+
+func createAndRunInsecureServer(port int) {
+ creds := insecure.NewCredentials()
+ s := grpc.NewServer(grpc.Creds(creds))
+ lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+ if err != nil {
+ fmt.Printf("Failed to listen: %v\n", err)
+ }
+ pb.RegisterEchoServer(s, &server{name: "Insecure Server"})
+ if err := s.Serve(lis); err != nil {
+ fmt.Printf("Failed to serve: %v\n", err)
+ os.Exit(1)
+ }
+}
+
+func createAndRunTlsServer(credsDirectory string, useRevokedCert bool, port int) {
+ identityProvider := makeIdentityProvider(useRevokedCert, credsDirectory)
+ defer identityProvider.Close()
+
+ rootProvider := makeRootProvider(credsDirectory)
+ defer rootProvider.Close()
+
+ crlProvider := makeCrlProvider(filepath.Join(credsDirectory, "crl"))
+ defer crlProvider.Close()
+
+ options := &advancedtls.Options{
+ IdentityOptions: advancedtls.IdentityCertificateOptions{
+ IdentityProvider: identityProvider,
+ },
+ RootOptions: advancedtls.RootCertificateOptions{
+ RootProvider: rootProvider,
+ },
+ RequireClientCert: true,
+ VerificationType: advancedtls.CertVerification,
+ }
+
+ options.RevocationOptions = &advancedtls.RevocationOptions{
+ CRLProvider: crlProvider,
+ }
+
+ serverTLSCreds, err := advancedtls.NewServerCreds(options)
+ if err != nil {
+ fmt.Printf("Error %v\n", err)
+ os.Exit(1)
+ }
+
+ s := grpc.NewServer(grpc.Creds(serverTLSCreds))
+ lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+ if err != nil {
+ fmt.Printf("Failed to listen: %v\n", err)
+ }
+ name := "Good TLS Server"
+ if useRevokedCert {
+ name = "Revoked TLS Server"
+ }
+ pb.RegisterEchoServer(s, &server{name: name})
+ if err := s.Serve(lis); err != nil {
+ fmt.Printf("Failed to serve: %v\n", err)
+ os.Exit(1)
+ }
+
+}
+
+func makeRootProvider(credsDirectory string) certprovider.Provider {
+ rootOptions := pemfile.Options{
+ RootFile: filepath.Join(credsDirectory, "/ca_cert.pem"),
+ RefreshDuration: credRefreshInterval,
+ }
+
+ rootProvider, err := pemfile.NewProvider(rootOptions)
+ if err != nil {
+ fmt.Printf("Error %v\n", err)
+ os.Exit(1)
+ }
+ return rootProvider
+}
+
+func makeIdentityProvider(useRevokedCert bool, credsDirectory string) certprovider.Provider {
+ certFilePath := ""
+ if useRevokedCert {
+ certFilePath = filepath.Join(credsDirectory, "server_cert_revoked.pem")
+ } else {
+ certFilePath = filepath.Join(credsDirectory, "server_cert.pem")
+ }
+ identityOptions := pemfile.Options{
+ CertFile: certFilePath,
+ KeyFile: filepath.Join(credsDirectory, "server_key.pem"),
+ RefreshDuration: credRefreshInterval,
+ }
+ identityProvider, err := pemfile.NewProvider(identityOptions)
+ if err != nil {
+ fmt.Printf("Error %v\n", err)
+ os.Exit(1)
+ }
+ return identityProvider
+}
+
+func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
+ options := advancedtls.FileWatcherOptions{
+ CRLDirectory: crlDirectory,
+ }
+ provider, err := advancedtls.NewFileWatcherCRLProvider(options)
+ if err != nil {
+ fmt.Printf("Error making CRL Provider: %v\nExiting...", err)
+ os.Exit(1)
+ }
+ return provider
+}
+
+func main() {
+ credentialsDirectory := flag.String("credentials_directory", "", "Path to the creds directory of this repo")
+ flag.Parse()
+ if *credentialsDirectory == "" {
+ fmt.Println("Must set credentials_directory argument")
+ os.Exit(1)
+ }
+ TlsServers(*credentialsDirectory)
+ InsecureServer(*credentialsDirectory)
+ fmt.Printf("Ctrl-C or kill the process to stop\n")
+ for {
+ time.Sleep(1 * time.Second)
+ }
+}
diff --git a/examples/go.mod b/examples/go.mod
index 54468b8f3698..21cfc8734124 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -11,6 +11,7 @@ require (
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117
 google.golang.org/grpc v1.64.0
 google.golang.org/grpc/gcp/observability v1.0.1
+ google.golang.org/grpc/security/advancedtls v1.0.0
 google.golang.org/grpc/stats/opentelemetry v0.0.0-20240604165302-6d236200ea68
 google.golang.org/protobuf v1.34.1
 )
diff --git a/examples/go.sum b/examples/go.sum
index e56e1cc5cef8..2f78080f7df4 100644
--- a/examples/go.sum
+++ b/examples/go.sum
@@ -2319,6 +2319,8 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/grpc/gcp/observability v1.0.1 h1:2IQ7szW1gobfZaS/sDSAu2uxO0V/aTryMZvlcyqKqQA=
 google.golang.org/grpc/gcp/observability v1.0.1/go.mod h1:yM0UcrYRMe/B+Nu0mDXeTJNDyIMJRJnzuxqnJMz7Ewk=
+google.golang.org/grpc/security/advancedtls v1.0.0 h1:/KQ7VP/1bs53/aopk9QhuPyFAp9Dm9Ejix3lzYkCrDA=
+google.golang.org/grpc/security/advancedtls v1.0.0/go.mod h1:o+s4go+e1PJ2AjuQMY5hU82W7lDlefjJA6FqEHRVHWk=
 google.golang.org/grpc/stats/opencensus v1.0.0 h1:evSYcRZaSToQp+borzWE52+03joezZeXcKJvZDfkUJA=
 google.golang.org/grpc/stats/opencensus v1.0.0/go.mod h1:FhdkeYvN43wLYUnapVuRJJ9JXkNwe403iLUW2LKSnjs=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
From 4f291d7aba84a2826393a396e611838cac406b1f Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Fri, 2 Aug 2024 14:45:17 +0000 Subject: [PATCH 02/17] go fmt and copyright --- examples/features/advancedtls/client/main.go | 18 ++++++++++++++++++ examples/features/advancedtls/server/main.go | 18 ++++++++++++++++++ 2 files changed, 36 insertions(+)
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
index ca0bce48599b..eeab57c9660a 100644
--- a/examples/features/advancedtls/client/main.go
+++ b/examples/features/advancedtls/client/main.go
@@ -1,3 +1,21 @@ +/* + * + * Copyright 2024 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + package main import ( diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go index d547c3898325..62711d12b3bf 100644 --- a/examples/features/advancedtls/server/main.go +++ b/examples/features/advancedtls/server/main.go @@ -1,3 +1,21 @@ +/* + * + * Copyright 2024 gRPC authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + package main import ( From 059bb770b075bbead19c33c459aa58fbce223995 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Fri, 2 Aug 2024 15:40:03 +0000 Subject: [PATCH 03/17] mod tidy --- security/advancedtls/examples/go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security/advancedtls/examples/go.mod b/security/advancedtls/examples/go.mod index 1bc2967f55aa..7a43759f5dde 100644 --- a/security/advancedtls/examples/go.mod 
+++ b/security/advancedtls/examples/go.mod
@@ -5,7 +5,7 @@ go 1.21
 require (
 google.golang.org/grpc v1.64.0
 google.golang.org/grpc/examples v0.0.0-20240606220939-dfcabe08c639
- google.golang.org/grpc/security/advancedtls v0.0.0-20240606220939-dfcabe08c639
+ google.golang.org/grpc/security/advancedtls v1.0.0
 )
 
 require (
From 7db4c2a011118f512c2c4fd8bdd03fbaa48e4fa5 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Fri, 2 Aug 2024 15:48:38 +0000 Subject: [PATCH 04/17] vet fixes --- examples/features/advancedtls/client/main.go | 27 +++++++++++--------- examples/features/advancedtls/server/main.go | 8 +++--- 2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
index eeab57c9660a..0647c6b15a40 100644
--- a/examples/features/advancedtls/client/main.go
+++ b/examples/features/advancedtls/client/main.go
@@ -109,7 +109,7 @@ func runClientWithProviders(rootProvider certprovider.Provider, identityProvider
 runWithCredentials(clientTLSCreds, fullServerAddr, !shouldFail)
 }
 
-func TlsWithCrlsToGoodServer(credsDirectory string) {
+func tlsWithCrlsToGoodServer(credsDirectory string) {
 rootProvider := makeRootProvider(credsDirectory)
 defer rootProvider.Close()
 identityProvider := makeIdentityProvider(false, credsDirectory)
@@ -121,7 +121,7 @@ func TlsWithCrlsToGoodServer(credsDirectory string) {
 runClientWithProviders(rootProvider, identityProvider, crlProvider, goodServerPort, false)
 }
 
-func TlsWithCrlsToRevokedServer(credsDirectory string) {
+func tlsWithCrlsToRevokedServer(credsDirectory string) {
 rootProvider := makeRootProvider(credsDirectory)
 defer rootProvider.Close()
 identityProvider := makeIdentityProvider(false, credsDirectory)
@@ -133,11 +133,11 @@ func TlsWithCrlsToRevokedServer(credsDirectory string) {
 runClientWithProviders(rootProvider, identityProvider, crlProvider, revokedServerPort, true)
 }
 
-func TlsWithCrls(credsDirectory string) {
+func tlsWithCrls(credsDirectory string) {
 fmt.Println("---------- Running TLS with CRLs to Good Server ----------")
- TlsWithCrlsToGoodServer(credsDirectory)
+ tlsWithCrlsToGoodServer(credsDirectory)
 fmt.Println("---------- Running TLS with CRLs to Revoked Server ----------")
- TlsWithCrlsToRevokedServer(credsDirectory)
+ tlsWithCrlsToRevokedServer(credsDirectory)
 }
 
 func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
@@ -169,7 +169,7 @@ func customVerificaitonFail(info *advancedtls.HandshakeVerificationInfo) (*advan
 return &advancedtls.PostHandshakeVerificationResults{}, nil
 }
 
-func CustomVerification(credsDirectory string) {
+func customVerification(credsDirectory string) {
 fmt.Println("---------- Running TLS with Custom Verification ----------")
 runClientWithCustomVerification(credsDirectory, goodServerPort)
 
@@ -232,13 +232,16 @@ func runClientWithCustomVerification(credsDirectory string, port string) {
 }
 
 // -- credentials.NewTLS example --
-func CredentialsNewTLSExample(credsDirectory string) {
+func credentialsNewTLSExample(credsDirectory string) {
 fmt.Println("---------- Running client using NewTLS to create Credentials ----------")
 cert, err := tls.LoadX509KeyPair(filepath.Join(credsDirectory, "client_cert.pem"), filepath.Join(credsDirectory, "client_key.pem"))
 if err != nil {
 os.Exit(1)
 }
 rootPem, err := os.ReadFile(filepath.Join(credsDirectory, "ca_cert.pem"))
+ if err != nil {
+ os.Exit(1)
+ }
 root := x509.NewCertPool()
 if !root.AppendCertsFromPEM(rootPem) {
 os.Exit(1)
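Review bot: The added `if err != nil { os.Exit(1) }` after `os.ReadFile` exits without saying why, matching the silent exits already around `tls.LoadX509KeyPair` and `AppendCertsFromPEM` in this function, so a missing or unreadable `ca_cert.pem` yields an exit status and no message; print the error first in the style the rest of the file uses, e.g. `fmt.Printf("Error reading ca_cert.pem: %v\n", err)` before the `os.Exit(1)`. The enclosing credentialsNewTLSExample continues past the end of this hunk.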
@@ -258,7 +261,7 @@ func CredentialsNewTLSExample(credsDirectory string) { } // -- Insecure -- -func InsecureCredentialsExample(credsDirectory string) { +func insecureCredentialsExample(credsDirectory string) { fmt.Println("---------- Running client using Insecure Credentials ----------") creds := insecure.NewCredentials() port := insecurePort @@ -313,8 +316,8 @@ func main() { fmt.Println("Must set credentials_directory argument to this repo's creds directory") os.Exit(1) } - TlsWithCrls(*credsDirectory) - CustomVerification(*credsDirectory) - CredentialsNewTLSExample(*credsDirectory) - InsecureCredentialsExample(*credsDirectory) + tlsWithCrls(*credsDirectory) + customVerification(*credsDirectory) + credentialsNewTLSExample(*credsDirectory) + insecureCredentialsExample(*credsDirectory) } diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go index 62711d12b3bf..3ecf2c78bdc3 100644 --- a/examples/features/advancedtls/server/main.go +++ b/examples/features/advancedtls/server/main.go @@ -51,7 +51,7 @@ func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoRe return &pb.EchoResponse{Message: req.Message}, nil } -func TlsServers(credentialsDirectory string) { +func tlsServers(credentialsDirectory string) { go func() { createAndRunTlsServer(credentialsDirectory, false, goodServerWithCrlPort) }() @@ -65,7 +65,7 @@ func TlsServers(credentialsDirectory string) { `) } -func InsecureServer(credentialsDirectory string) { +func insecureServer(credentialsDirectory string) { go func() { createAndRunInsecureServer(insecurePort) }() @@ -189,8 +189,8 @@ func main() { fmt.Println("Must set credentials_directory argument") os.Exit(1) } - TlsServers(*credentialsDirectory) - InsecureServer(*credentialsDirectory) + tlsServers(*credentialsDirectory) + insecureServer(*credentialsDirectory) fmt.Printf("Ctrl-C or kill the process to stop\n") for { time.Sleep(1 * time.Second) 
From cfd2b2333254893e4774d9e8427c735b21be8fa6 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Fri, 2 Aug 2024 16:29:53 +0000 Subject: [PATCH 05/17] vet --- examples/features/advancedtls/client/main.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go index 0647c6b15a40..5ad152723947 100644 --- a/examples/features/advancedtls/client/main.go +++ b/examples/features/advancedtls/client/main.go @@ -61,14 +61,14 @@ func makeRootProvider(credsDirectory string) certprovider.Provider { } func makeIdentityProvider(revoked bool, credsDirectory string) certprovider.Provider { - var cert_file string + var certFile string if revoked { - cert_file = filepath.Join(credsDirectory, "client_cert_revoked.pem") + certFile = filepath.Join(credsDirectory, "client_cert_revoked.pem") } else { - cert_file = filepath.Join(credsDirectory, "client_cert.pem") + certFile = filepath.Join(credsDirectory, "client_cert.pem") } identityOptions := pemfile.Options{ - CertFile: cert_file, + CertFile: certFile, KeyFile: filepath.Join(credsDirectory, "client_key.pem"), RefreshDuration: credRefreshInterval, } From 7d0d47bb5ea2aa6952a5633fd5d6d3c29132c0d2 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Fri, 2 Aug 2024 17:39:12 +0000 Subject: [PATCH 06/17] vet --- examples/features/advancedtls/server/main.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go index 3ecf2c78bdc3..d59abeee322d 100644 --- a/examples/features/advancedtls/server/main.go +++ b/examples/features/advancedtls/server/main.go 
@@ -53,10 +53,10 @@ func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoRe func tlsServers(credentialsDirectory string) { go func() { - createAndRunTlsServer(credentialsDirectory, false, goodServerWithCrlPort) + createAndRunTLSServer(credentialsDirectory, false, goodServerWithCrlPort) }() go func() { - createAndRunTlsServer(credentialsDirectory, true, revokedServerWithCrlPort) + createAndRunTLSServer(credentialsDirectory, true, revokedServerWithCrlPort) }() fmt.Printf(`Running servers with the following configuration: @@ -88,7 +88,7 @@ func createAndRunInsecureServer(port int) { } } -func createAndRunTlsServer(credsDirectory string, useRevokedCert bool, port int) { +func createAndRunTLSServer(credsDirectory string, useRevokedCert bool, port int) { identityProvider := makeIdentityProvider(useRevokedCert, credsDirectory) defer identityProvider.Close() From 3204b0d597d42b57e4777c39d2800cc7557238c0 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 8 Aug 2024 17:38:01 +0000 Subject: [PATCH 07/17] remove std out on correct path --- examples/features/advancedtls/client/main.go | 31 ++++---------------- examples/features/advancedtls/server/main.go | 13 ++------ 2 files changed, 8 insertions(+), 36 deletions(-) diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go index 5ad152723947..2439f5781888 100644 --- a/examples/features/advancedtls/client/main.go +++ b/examples/features/advancedtls/client/main.go @@ -117,7 +117,6 @@ func tlsWithCrlsToGoodServer(credsDirectory string) { crlProvider := makeCrlProvider(credsDirectory) defer crlProvider.Close() - fmt.Println("Client running against good server.") runClientWithProviders(rootProvider, identityProvider, crlProvider, goodServerPort, false) } 
@@ -129,14 +128,11 @@ func tlsWithCrlsToRevokedServer(credsDirectory string) { crlProvider := makeCrlProvider(credsDirectory) defer crlProvider.Close() - fmt.Println("Client running against revoked server.") runClientWithProviders(rootProvider, identityProvider, crlProvider, revokedServerPort, true) } func tlsWithCrls(credsDirectory string) { - fmt.Println("---------- Running TLS with CRLs to Good Server ----------") tlsWithCrlsToGoodServer(credsDirectory) - fmt.Println("---------- Running TLS with CRLs to Revoked Server ----------") tlsWithCrlsToRevokedServer(credsDirectory) } @@ -170,7 +166,6 @@ func customVerificaitonFail(info *advancedtls.HandshakeVerificationInfo) (*advan } func customVerification(credsDirectory string) { - fmt.Println("---------- Running TLS with Custom Verification ----------") runClientWithCustomVerification(credsDirectory, goodServerPort) } @@ -233,7 +228,6 @@ func runClientWithCustomVerification(credsDirectory string, port string) { // -- credentials.NewTLS example -- func credentialsNewTLSExample(credsDirectory string) { - fmt.Println("---------- Running client using NewTLS to create Credentials ----------") cert, err := tls.LoadX509KeyPair(filepath.Join(credsDirectory, "client_cert.pem"), filepath.Join(credsDirectory, "client_key.pem")) if err != nil { os.Exit(1) @@ -261,8 +255,7 @@ func credentialsNewTLSExample(credsDirectory string) { } // -- Insecure -- -func insecureCredentialsExample(credsDirectory string) { - fmt.Println("---------- Running client using Insecure Credentials ----------") +func insecureCredentialsExample() { creds := insecure.NewCredentials() port := insecurePort fullServerAddr := serverAddr + ":" + port 
@@ -289,22 +282,10 @@ func runWithCredentials(creds credentials.TransportCredentials, fullServerAddr s
 resp, err := client.UnaryEcho(context, req)
 defer cancel()
- if shouldSucceed {
- if err != nil {
- fmt.Printf("Error during client.UnaryEcho %v\n", err)
- } else {
- fmt.Printf("Response: %v\n", resp.Message)
- if resp.Message != message {
- fmt.Println("Didn't get correct response")
- }
- }
- } else {
- // This should fail
- if err == nil {
- fmt.Printf("Should have failed but didn't, got response: %v\n", resp)
- } else {
- fmt.Printf("Handshake failed expectedly with error: %v\n", err)
- }
+ if shouldSucceed && err != nil {
+ fmt.Printf("Error during client.UnaryEcho %v\n", err)
+ } else if !shouldSucceed && err == nil {
+ fmt.Printf("Should have failed but didn't, got response: %v\n", resp)
 }
 }
@@ -319,5 +300,5 @@ func main() {
 tlsWithCrls(*credsDirectory)
 customVerification(*credsDirectory)
 credentialsNewTLSExample(*credsDirectory)
- insecureCredentialsExample(*credsDirectory)
+ insecureCredentialsExample()
 }
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go
index d59abeee322d..90c305ae90ab 100644
--- a/examples/features/advancedtls/server/main.go
+++ b/examples/features/advancedtls/server/main.go
@@ -47,7 +47,6 @@ const revokedServerWithCrlPort int = 8884
 const insecurePort int = 8883
 func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
- fmt.Printf("%v Received: %v\n", s.name, req.GetMessage())
 return &pb.EchoResponse{Message: req.Message}, nil
 }
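Review bot: The collapsed check in runWithCredentials only prints on an unexpected outcome and then returns, and the comparison of `resp.Message` against `message` that the removed lines performed is gone, so as far as the visible `main` shows the client still exits 0 when the revoked server is accepted — a revocation-check regression would pass unnoticed. Calling `os.Exit(1)` after each of the two `fmt.Printf` calls, and keeping `if shouldSucceed && err == nil && resp.Message != message { ... }`, would turn the expected-failure scenario into an actual assertion. Separately, `!shouldSucceed && err != nil` counts any error — a refused connection because the server is not up, a deadline hit — as the revocation having worked; printing it (`fmt.Printf("Expected failure: %v\n", err)`) or checking that it is a handshake/certificate error would tie the pass to the property being demonstrated. The function's signature and the context creation sit above the hunk.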
@@ -58,20 +57,12 @@ func tlsServers(credentialsDirectory string) { go func() { createAndRunTLSServer(credentialsDirectory, true, revokedServerWithCrlPort) }() - - fmt.Printf(`Running servers with the following configuration: - a good certificate and a crl active on 8885 - a revoked certificate and a crl active on 8884 -`) } -func insecureServer(credentialsDirectory string) { +func insecureServer() { go func() { createAndRunInsecureServer(insecurePort) }() - fmt.Printf(`Running server with the following configuration: - insecure credentials on 8883 -`) } func createAndRunInsecureServer(port int) { @@ -190,7 +181,7 @@ func main() { os.Exit(1) } tlsServers(*credentialsDirectory) - insecureServer(*credentialsDirectory) + insecureServer() fmt.Printf("Ctrl-C or kill the process to stop\n") for { time.Sleep(1 * time.Second) From f93dfbcb6cf7d64310ab3b23f16b4cbb4d0a552d Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 8 Aug 2024 17:53:11 +0000 Subject: [PATCH 08/17] example test --- examples/examples_test.sh | 6 ++++++ examples/features/advancedtls/client/main.go | 6 +++--- examples/features/advancedtls/server/main.go | 7 +++---- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/examples/examples_test.sh b/examples/examples_test.sh index 5e95120498c7..fe9a909aad78 100755 --- a/examples/examples_test.sh +++ b/examples/examples_test.sh @@ -51,6 +51,7 @@ pass () { EXAMPLES=( "helloworld" "route_guide" + "features/advancedtls" "features/authentication" "features/authz" "features/cancellation" 
@@ -75,12 +76,14 @@ EXAMPLES=(
 declare -A SERVER_ARGS=(
 ["features/unix_abstract"]="-addr $UNIX_ADDR"
 ["default"]="-port $SERVER_PORT"
+ ["features/advancedtls"]="-credentials_directory $(pwd)/features/advancedtls/creds"
 )
 declare -A CLIENT_ARGS=(
 ["features/unix_abstract"]="-addr $UNIX_ADDR"
 ["features/orca"]="-test=true"
 ["default"]="-addr localhost:$SERVER_PORT"
+ ["features/advancedtls"]="-credentials_directory $(pwd)/features/advancedtls/creds"
 )
 declare -A SERVER_WAIT_COMMAND=(
@@ -125,6 +128,7 @@ declare -A EXPECTED_SERVER_OUTPUT=(
 ["features/orca"]="Server listening"
 ["features/retry"]="request succeeded count: 4"
 ["features/unix_abstract"]="serving on @abstract-unix-socket"
+ ["features/advancedtls"]=""
 )
 declare -A EXPECTED_CLIENT_OUTPUT=(
@@ -149,6 +153,7 @@ declare -A EXPECTED_CLIENT_OUTPUT=(
 ["features/orca"]="Per-call load report received: map\[db_queries:10\]"
 ["features/retry"]="UnaryEcho reply: message:\"Try and Success\""
 ["features/unix_abstract"]="calling echo.Echo/UnaryEcho to unix-abstract:abstract-unix-socket"
+ ["features/advancedtls"]=""
 )
 cd ./examples
@@ -166,6 +171,7 @@ for example in ${EXAMPLES[@]}; do
 # Start server
 SERVER_LOG="$(mktemp)"
 server_args=${SERVER_ARGS[$example]:-${SERVER_ARGS["default"]}}
+ echo $server_args
 go run ./$example/*server/*.go $server_args &> $SERVER_LOG &
 wait_for_server $example
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
index 2439f5781888..54ef9c0fb9b8 100644
--- a/examples/features/advancedtls/client/main.go
+++ b/examples/features/advancedtls/client/main.go
@@ -40,9 +40,9 @@ import (
 const credRefreshInterval = 1 * time.Minute
 const serverAddr = "localhost"
-const goodServerPort string = "8885"
-const revokedServerPort string = "8884"
-const insecurePort string = "8883"
+const goodServerPort string = "50051"
+const revokedServerPort string = "50052"
+const insecurePort string = "50053"
 const message string = "Hello"
 // -- TLS --
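Review bot: `["features/advancedtls"]=""` in EXPECTED_CLIENT_OUTPUT (and the matching EXPECTED_SERVER_OUTPUT entry) gives the harness nothing to look for; if the check greps each log for its expected string, as the other entries suggest, an empty pattern matches any output and this example can never fail on content — including the case where the client talks to the revoked server successfully. Having the client print one distinctive line after the last scenario in `main`, say `fmt.Println("advancedtls examples completed")`, and putting that string here would at least confirm the client ran to the end; having it exit non-zero on an unexpected result would be stronger if the harness looks at exit status. How these arrays are evaluated is outside the visible hunks.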
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go index 90c305ae90ab..e7585f15e5c6 100644 --- a/examples/features/advancedtls/server/main.go +++ b/examples/features/advancedtls/server/main.go @@ -42,9 +42,9 @@ type server struct { } const credRefreshInterval = 1 * time.Minute -const goodServerWithCrlPort int = 8885 -const revokedServerWithCrlPort int = 8884 -const insecurePort int = 8883 +const goodServerWithCrlPort int = 50051 +const revokedServerWithCrlPort int = 50052 +const insecurePort int = 50053 func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) { return &pb.EchoResponse{Message: req.Message}, nil @@ -182,7 +182,6 @@ func main() { } tlsServers(*credentialsDirectory) insecureServer() - fmt.Printf("Ctrl-C or kill the process to stop\n") for { time.Sleep(1 * time.Second) } From b58ffa2d173c9cbd43bc321a0d90a11a06af522b Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 8 Aug 2024 17:55:06 +0000 Subject: [PATCH 09/17] flip client and server in example commands --- examples/features/advancedtls/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/features/advancedtls/README.md b/examples/features/advancedtls/README.md index 8406417a84de..6232be90d8d5 100644 --- a/examples/features/advancedtls/README.md +++ b/examples/features/advancedtls/README.md @@ -17,10 +17,10 @@ Run `./generate.sh` from `/path/to/grpc-go/examples/features/advancedtls` to gen ## Building and Running ``` -# Run the clients from the `grpc-go/examples/features/advancedtls` directory -$ go run client/main.go -credentials_directory $(pwd)/creds # Run the server $ go run server/main.go -credentials_directory $(pwd)/creds +# Run the clients from the `grpc-go/examples/features/advancedtls` directory +$ go run client/main.go -credentials_directory $(pwd)/creds ``` Stop the servers with ctrl-c or by killing the process. \ No newline at end of file 
From a5445cc40c344d119ce7025d4076b0fffa088edc Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 8 Aug 2024 18:08:01 +0000 Subject: [PATCH 10/17] add creds --- examples/examples_test.sh | 7 +- examples/features/advancedtls/client/main.go | 4 +- .../features/advancedtls/creds/ca_cert.pem | 35 +++++ .../features/advancedtls/creds/ca_key.pem | 52 +++++++ .../advancedtls/creds/client_cert.pem | 127 ++++++++++++++++++ .../advancedtls/creds/client_cert_revoked.pem | 127 ++++++++++++++++++ .../features/advancedtls/creds/client_key.pem | 52 +++++++ .../advancedtls/creds/crl/client_revoked.crl | 20 +++ .../advancedtls/creds/localhost-openssl.cnf | 24 ++++ .../features/advancedtls/creds/openssl-ca.cnf | 94 +++++++++++++ .../advancedtls/creds/server_cert.pem | 127 ++++++++++++++++++ .../advancedtls/creds/server_cert_revoked.pem | 127 ++++++++++++++++++ .../features/advancedtls/creds/server_key.pem | 52 +++++++ .../advancedtls/creds/server_revoked.crl | 19 +++ examples/features/advancedtls/generate.sh | 10 +- 15 files changed, 869 insertions(+), 8 deletions(-) create mode 100644 examples/features/advancedtls/creds/ca_cert.pem create mode 100644 examples/features/advancedtls/creds/ca_key.pem create mode 100644 examples/features/advancedtls/creds/client_cert.pem create mode 100644 examples/features/advancedtls/creds/client_cert_revoked.pem create mode 100644 examples/features/advancedtls/creds/client_key.pem create mode 100644 examples/features/advancedtls/creds/crl/client_revoked.crl create mode 100644 examples/features/advancedtls/creds/localhost-openssl.cnf create mode 100644 examples/features/advancedtls/creds/openssl-ca.cnf create mode 100644 examples/features/advancedtls/creds/server_cert.pem create mode 100644 examples/features/advancedtls/creds/server_cert_revoked.pem create mode 100644 examples/features/advancedtls/creds/server_key.pem create mode 100644 examples/features/advancedtls/creds/server_revoked.crl 
diff --git a/examples/examples_test.sh b/examples/examples_test.sh index fe9a909aad78..942609d42d7e 100755 --- a/examples/examples_test.sh +++ b/examples/examples_test.sh @@ -76,14 +76,16 @@ EXAMPLES=( declare -A SERVER_ARGS=( ["features/unix_abstract"]="-addr $UNIX_ADDR" ["default"]="-port $SERVER_PORT" - ["features/advancedtls"]="-credentials_directory $(pwd)/features/advancedtls/creds" + # the CI runs this from the grpc-go directory + ["features/advancedtls"]="-credentials_directory $(pwd)/examples/features/advancedtls/creds" ) declare -A CLIENT_ARGS=( ["features/unix_abstract"]="-addr $UNIX_ADDR" ["features/orca"]="-test=true" ["default"]="-addr localhost:$SERVER_PORT" - ["features/advancedtls"]="-credentials_directory $(pwd)/features/advancedtls/creds" + # the CI runs this from the grpc-go directory + ["features/advancedtls"]="-credentials_directory $(pwd)/examples/features/advancedtls/creds" ) declare -A SERVER_WAIT_COMMAND=( @@ -171,7 +173,6 @@ for example in ${EXAMPLES[@]}; do # Start server SERVER_LOG="$(mktemp)" server_args=${SERVER_ARGS[$example]:-${SERVER_ARGS["default"]}} - echo $server_args go run ./$example/*server/*.go $server_args &> $SERVER_LOG & wait_for_server $example diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go index 54ef9c0fb9b8..f20ce44eb18d 100644 --- a/examples/features/advancedtls/client/main.go +++ b/examples/features/advancedtls/client/main.go 
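Review bot: The corrected `-credentials_directory $(pwd)/examples/features/advancedtls/creds` still ties the example to the caller's working directory — `$(pwd)` is expanded when the array is declared, before the script's `cd ./examples` — so the test only works when invoked from the repository root, as the added comment acknowledges. Anchoring on the script's own location instead, e.g. `EXAMPLES_DIR="$(cd "$(dirname "$0")" && pwd)"` near the top and `$EXAMPLES_DIR/features/advancedtls/creds` here, would make it work from either directory. The rest of the script's setup is outside the hunk, so whether such a variable already exists is not visible.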
@@ -151,8 +151,8 @@ func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
 // --- Custom Verification ---
 func customVerificaitonSucceed(info *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
 // Looks at info for what you care about as the custom verification implementer
- if info.ServerName != "localhost:8885" {
- return nil, fmt.Errorf("expected servername of localhost:8885, got %v", info.ServerName)
+ if info.ServerName != "localhost:50051" {
+ return nil, fmt.Errorf("expected servername of localhost:50051, got %v", info.ServerName)
 }
 return &advancedtls.PostHandshakeVerificationResults{}, nil
 }
diff --git a/examples/features/advancedtls/creds/ca_cert.pem b/examples/features/advancedtls/creds/ca_cert.pem
new file mode 100644
index 000000000000..060473becafa
--- /dev/null
+++ b/examples/features/advancedtls/creds/ca_cert.pem
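Review bot: `"localhost:50051"` is now hard-coded twice in customVerificaitonSucceed while the same value already exists as `serverAddr` and `goodServerPort` in this file, and this hunk is exactly the kind of chase a port change forces; compute it once, `expected := serverAddr + ":" + goodServerPort`, and use it in both the comparison and the `fmt.Errorf`. A comment is also worth adding that `info.ServerName` is the name the client itself dialed, so matching it proves nothing about the peer — a real verifier would inspect the certificate material the struct carries (e.g. the leaf certificate), and readers copying this example should not mistake the ServerName check for the verification step. The function name misspells "Verification" (`customVerificaitonSucceed`, as does its sibling `customVerificaitonFail` in an earlier hunk).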
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGJTCCBA2gAwIBAgIUQIWlFBWaWCYUunTANnlB4XZeFeUwDQYJKoZIhvcNAQEL +BQAwgaExCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdB +dGxhbnRhMRAwDgYDVQQKDAdUZXN0IENBMRwwGgYDVQQLDBNUZXN0IENBIE9yZ2Fu +emF0aW9uMR0wGwYDVQQDDBRUZXN0IENBIE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3 +DQEJARYQdGVzdEBleGFtcGxlLmNvbTAeFw0yNDA4MDgxODA2MjFaFw0zNDA4MDYx +ODA2MjFaMIGhMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHR2VvcmdpYTEQMA4GA1UE +BwwHQXRsYW50YTEQMA4GA1UECgwHVGVzdCBDQTEcMBoGA1UECwwTVGVzdCBDQSBP +cmdhbnphdGlvbjEdMBsGA1UEAwwUVGVzdCBDQSBPcmdhbml6YXRpb24xHzAdBgkq +hkiG9w0BCQEWEHRlc3RAZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4IC +DwAwggIKAoICAQCs+Px6CMv0x3dmmK9PEdIq95J0JQ7Y6NojD93oosZxqi0QLzxU +LiRamNOvoMSBgbUl1GtC8xcQQ/YiaBS0A+tc+7NxZ6SJXIa/i7tbJcebPY5bnbHc +ILXPOt4FLEgcBqyv9UquPstkYytJje4J0N+G/nqfKsh+mo+emnKFSy1QS7NoPr/T +fDKemnf2DBk0HOiBnIr2gh3gqThXqUt/dZlDNJALeJU+7IpLDThOM3sf1QOOkSF9 +O1IM1YJt3B9GeTDwPnqKbXVOKf23eBi51QyvWde1ZscTRh0p9HX4VRCYOGfkQnWw +0d3BpFg/a6rGVNLSPBGE2H6O68L4K1bBDV0CvdTjVD8/vgrLm/7NAOlg/58TKIaq +NxFalXeLmdKr0c5d4JZEbbPgg26O8Fsq769s8Jc1dtnAiFwB2opIOvOLZkNwzPG8 +EjAET9HmjWHHzZ/OmswWamqywPukW8jdLH5f4RsuGpGHsUvs/53fUUeAdAlceJ+1 +KuLNuk7ULRU59TRbppt6m/Ws81bWJLQtw79BdyDNgJ4q7Vyl5tCuC2mZzDqOb/uK +py5Gx6Upoy0klAsMjvUBiw3cpkVCl1/RCSx2HmV85itS20QCiFcT+KeJ3xSbIc+P +ScNvinnbwtRhENQY+fy5MAfy9kvEdlYlsM2yp3l1B+Z4My6w8e2CcQO4RwIDAQAB +o1MwUTAdBgNVHQ4EFgQUUHbDXGsS4ZIPKPjyQ6aAwpzoVtYwHwYDVR0jBBgwFoAU +UHbDXGsS4ZIPKPjyQ6aAwpzoVtYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAgEAe7/P+MvYYM8gBN0AHQtmG4SaPpiE+Wi8TU4KSU6n+gzM347bPUnH +TbxMs1gYkiQ4IsYnU/uY2L+lCVvBpd66aIM9dJ5WGHS1RyRjRCUwZNEu9UIizemp +JSWu6hql96ib1AFAnXbjC8uNFG8OK+aF/NhChnu1pWKLLAMgBXhG8e5z7wNjQHqB +D/FOOBEn6ljR6MhBsRyPZxz/tqEt5hGflgeQnZXC2dzmQQDRfEWq9jjDgIVGpOjZ +VNYnua0GxdJGmRtExPHCf4bmClGf9uW1GK1ViCnj6Qlsvln0eOgNkI/m/VxjuSvE +NDUF+jWK7z+O0nagDSDTIGUU/enSFpdAHrUQuyqKS1S8WHhf4AIi0DNkUhHVojk6 +40nUPxVHl8R7wPXu3K7sTCfNJFJsqY8+oMhS3lk05voDuPJAgWnvG3wnE5rDWi/Q 
+R7CLMnnYQ7oIyJ9mE8ZLDWd9Udov+n/y5VkFVh8WFbu9Vidvlpy9xXQKaJVP4EHa +K0nLHGSw1zRrB+zx0Ep7ow/zGDxT8kCcKMQ/Uonv6kRxpi90oBdvNNXzsTkQ+FZ3 +168nBjWf+X6XX/HalbRiKmgww6SqG+hoVXP0cFw3vJwgESeXJHbxCcu1mJdzSbr3 +HzRkGKgTKIBV0z2AMG3cLCW/DO4+45GKi/DYibz0GjvFkXT8cGhN5vM= +-----END CERTIFICATE----- diff --git a/examples/features/advancedtls/creds/ca_key.pem b/examples/features/advancedtls/creds/ca_key.pem new file mode 100644 index 000000000000..b42b13874c9b --- /dev/null +++ b/examples/features/advancedtls/creds/ca_key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCs+Px6CMv0x3dm +mK9PEdIq95J0JQ7Y6NojD93oosZxqi0QLzxULiRamNOvoMSBgbUl1GtC8xcQQ/Yi +aBS0A+tc+7NxZ6SJXIa/i7tbJcebPY5bnbHcILXPOt4FLEgcBqyv9UquPstkYytJ +je4J0N+G/nqfKsh+mo+emnKFSy1QS7NoPr/TfDKemnf2DBk0HOiBnIr2gh3gqThX +qUt/dZlDNJALeJU+7IpLDThOM3sf1QOOkSF9O1IM1YJt3B9GeTDwPnqKbXVOKf23 +eBi51QyvWde1ZscTRh0p9HX4VRCYOGfkQnWw0d3BpFg/a6rGVNLSPBGE2H6O68L4 +K1bBDV0CvdTjVD8/vgrLm/7NAOlg/58TKIaqNxFalXeLmdKr0c5d4JZEbbPgg26O +8Fsq769s8Jc1dtnAiFwB2opIOvOLZkNwzPG8EjAET9HmjWHHzZ/OmswWamqywPuk +W8jdLH5f4RsuGpGHsUvs/53fUUeAdAlceJ+1KuLNuk7ULRU59TRbppt6m/Ws81bW +JLQtw79BdyDNgJ4q7Vyl5tCuC2mZzDqOb/uKpy5Gx6Upoy0klAsMjvUBiw3cpkVC +l1/RCSx2HmV85itS20QCiFcT+KeJ3xSbIc+PScNvinnbwtRhENQY+fy5MAfy9kvE +dlYlsM2yp3l1B+Z4My6w8e2CcQO4RwIDAQABAoICAA//iW6KEL8nkcIR/ijsh4lE +061dXhWu17oldgtVvs/1gux7yfMpP2CHwRB96J7nzcbdcjxDeo8dEg9VnBCYSjUT +7KFhCiVQQwBFXsNL573SgC+2EqS++8Haen10/ohlD6TIpasfELXMvEy1zV3oDTyR +nerJzLh0+DKdq1jrvpmuHr5WC2z2kEH+HHlL3irlP5X5UhsBptzIGfd1p49244GF +Q4tkED29J/9QDjSha1Ji48zUXIoWKf0Y5FLf6J6eh+m4haH3BMIBfT9yYqsRavZu +81YKVwBP3FOskhqxV3MUyHsisHr1tjJ6TlUzUpy8bLFYL/CfC3mRkbtdWs1JPKBk +2BFZVBU0JeTS4SB2kSSjxHMDTi5lhCzTgdzNk9z3FvrwPYAYV9eTdEoWnwRlGjQo +IAwde0EQk508JCBG7RXpn+yp7ye0y1WvmxvwTx5mshSf9S90wrquaFryOZzAO+qa +FbQBPhWdtz/NBEqZa3teNo+kvhm90Ey6BcoO75EFVVPJaDlCjZ7jrzSy4XuYi99F +NjgmXUnGTRgYu+aOItBX1ckBNUg6kSVXk4iIVpXD65wANTjNladeK8ZWBq1k1JEd +V+VBdQu5H0JzOi01i4jDzzb/6T7lIj1NFpi5PL7T6q6EelC7QpxJpoKGd3YVQPWr +zvLR1bS2Fsg3hNlkFr6RAoIBAQDYsZjJcnlGREg6aNmjyY+s2jQhk3SU65VmBH+z +IKg8Nk1erW0eVtY/nYdFVcuyH84VxpINDDIfbVzwr7tz6qAWb3+dgEKZUVv1MHv0 +S12snsO3NdZ0UKdrqr16K0d9oa3OyaCSi89zKKtfPhIPMxLRehZipXecyCM+1Rda +AHCAjmJWD9VA+izHtLQB92+d+pl3BUpWi5wxBomOP5VqJ2slOdpd2sD94EhumQbR +Gk0/4kj5PHx3r7nhgSJoAvO2HMV/PvvoiGXf+4Oi3vhgACnBA8N+zEaKvLHBRZNF +nIkoxAgu5erEsnuJJEOEgpnsiLD7ZChbnPQgpD4p9t7Da7jXAoIBAQDMWSb28T4m +DIm50G4Q2Hnhz6EEaGZSEbyq5AejWLrhgvJHpo/mOaFoNOPQuzV3WpBgM6Uvltcq 
+Kk6uthA6Vr3haiJkxWMXI5rnszHnEd2VMKBfsui60Z2leWOdiEH2CkBroU67ZV0x +9X7P3LlxClJ91yP9iPLz6Cx8QZWZ2WMQabODb86K8aQ5pqLcTgclujCk7NmSM9T3 +eBz8mlVMFBsnudIe1A04e4EYHkVUvWtAltQbILsvbxLVMGRGNe2rKZ+wkke/xbf+ +Agv1LL6LwyGOAdt+71DWzFsdML5UEAkJ5EA3ERiOthhpFllvmV3pr9cMCIS0ivSH +S925tO1rvt4RAoIBAGEWOSFQs7tizoW1AoYawc+tOBwvB9XNM3Ow4lIseJP5tHKN ++0zTlUyNVNUg2pHlJB2niTplU3O3OSPxaGhIIA/NRv0XQT+WL0BMx8ytk7vKql/E +tGAK3ugjaJ97Ep3cOZZjyhi+oWS0PQwAMHE07eKC89Kg1lWdagU1zi+Z8M34fWCX +2XEyZavYb6pN5Wl/pRCpgyQBiyqABlOAc35LSPs1z3urjjpxKaK7100Knr/Xr+BT +VGT/i6XYiMTXRcA7ZdVcL9uAeTyAYPsxMVE54XtEJ2wBND3myzGP7asLtnxYUF5K +zwPv/99zKvkM1tAeckVAG8DoMo0JaXy9yhL+iaMCggEAXFqSfJqM/v89o4fqppxf +gUmoOOjCDadMgGNsfEuWsmLPAsjpUiCLrR/yMhzZziZVB9Vve3GNrtXOF7Ha5bLc +QCsKfkajQQrrcHoRPKBbZ5jBcl7WRdCEkguplMHHJd5+POZ7QcBO/Uw5UtIr0UXc +AFmiP2yMeOVebY3qgcy4s+tBoU5/p1YMZa3E/xIYstlSMMeGkUfxoSJc32EU2bxg +hXS63QnzK6rNrkvIA8NT3K4OEHCbiJWHimhDeWPYFTpLnK6P1MEUJa1hIB5nw5yd +5qM6Q0T/YQSczTWBX1ab7yeESh7k3WK4542dQA2tXvcElsCm0T3Xw+nqvIpjnwV1 +MQKCAQAbK3pgm6uE4x7iC7KuFm+j1ccm1BX9t80XlSqMv3aPTufF2wbv+OIOJgLA +HmY14nobAxt1f1AQ/9NfbZxiw8lzQMo407aXpubzHLSX4+S700quSAGBpexy2cqM +Sft9gHWiblHw7NNC1IWG/H7MUv7UA+b8GQuVhRYvVi/YeErk4eb+tAvp8T3jg465 +PwQBCO4hkXZhUDYS8S0dL04vEeMSo8eh252LrNkjho/iU58ZDmGiyHr9XDq3awDR +mfdkufXVKVigaCan7HmEOJUt2Dt2sIVn1dQ3qFzulG5FDTrUi/mefsH/FaAJoNsa +/9XEh58NyCCGvjV0a6MHrcZRMl3y +-----END PRIVATE KEY----- diff --git a/examples/features/advancedtls/creds/client_cert.pem b/examples/features/advancedtls/creds/client_cert.pem new file mode 100644 index 000000000000..2555c37ee7af --- /dev/null +++ b/examples/features/advancedtls/creds/client_cert.pem 
@@ -0,0 +1,127 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com + Validity + Not Before: Aug 8 18:06:22 2024 GMT + Not After : Dec 25 18:06:22 2051 GMT + Subject: C=US, ST=Georgia, L=Atlanta, O=Test client, OU=Test client Organzation, CN=Test client Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:bf:8d:88:b7:20:0e:04:3e:5e:3a:f1:a3:78:2d: + a5:44:f6:68:b3:f3:ec:3c:7e:8f:cd:e2:cd:55:9c: + 2c:a2:a6:a0:31:41:b4:10:cb:3a:a8:8e:9e:ae:b5: + 65:13:18:02:fc:35:38:7c:5e:6d:ba:e0:13:31:f0: + 65:bb:a6:d3:61:7c:7f:86:bd:d6:84:d2:b1:06:92: + fe:47:5d:dd:3e:1f:99:6c:55:6f:67:eb:44:eb:d8: + da:79:70:2e:d7:48:75:6f:1d:cb:bd:e6:59:17:22: + d7:d9:23:26:90:0c:b9:63:85:91:9f:8e:58:92:52: + b6:09:3a:80:b7:40:91:fe:47:b6:e8:3c:4d:44:97: + ef:1c:11:a7:75:e0:19:d2:79:cb:3e:5d:f9:0c:81: + 95:63:6d:df:58:43:e5:03:62:78:52:0b:5b:5a:5c: + c3:d9:8e:39:15:e5:72:37:b0:3a:ce:99:67:c0:72: + ca:9f:65:25:7b:23:bf:87:bf:1f:a9:f5:0f:f2:bf: + a1:ec:43:3b:8a:67:d0:5f:61:d8:03:74:e6:b1:25: + 91:45:70:85:d0:a2:70:65:df:4d:ed:39:6c:4d:c4: + fd:fe:8d:71:92:06:90:ad:19:8e:de:0b:35:e1:50: + 79:30:6f:f6:bb:3d:74:a7:66:dd:0e:7b:d0:63:f2: + 5d:58:dc:17:a1:a2:e4:45:4e:b7:9c:32:b8:bc:56: + 88:31:de:6f:27:f3:56:29:54:45:07:68:f3:76:9d: + b7:63:c0:d7:cf:6b:11:c5:3a:d2:9f:1a:34:96:2a: + df:64:e1:df:fe:be:1d:4a:48:58:33:be:2e:c7:ac: + c7:12:6f:9a:a6:10:e5:ef:a4:ae:0b:8d:c9:56:2c: + 49:60:ff:54:91:2c:41:05:90:74:70:3e:dd:54:58: + b3:83:ae:c4:b4:4e:91:0b:a5:f1:3d:e4:5a:6d:34: + 5c:3b:ee:f6:d7:62:0b:a8:55:8f:5d:8a:ed:56:9a: + 8d:e7:80:16:0f:97:1b:f5:eb:0d:7f:1f:9a:51:e1: + 9b:3e:14:ac:f7:c3:36:42:06:11:7c:e9:ef:75:54: + ae:1b:3b:68:b7:c4:79:fd:67:5c:26:9e:a5:d4:55: + 6c:c7:92:15:51:73:57:99:bc:de:fb:56:ab:70:db: + 98:10:1a:63:71:9c:c3:9f:11:9f:c2:c5:8b:ac:5c: 
+ 52:69:c7:58:a1:b1:26:86:e3:68:85:23:17:68:62: + 30:01:79:1a:51:d7:e9:1b:a4:da:81:b6:46:33:1e: + 9a:2b:9b:f6:20:26:d0:21:10:b0:15:58:91:08:b5: + bd:b7:c0:05:c1:cf:2f:bd:3b:18:40:17:08:92:58: + 6e:bb:bb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56 + X509v3 Authority Key Identifier: + 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:0.0.0.0 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 92:69:25:55:69:46:6e:3b:c3:a1:9d:00:b2:6e:b5:ae:1b:5a: + 19:2a:77:7f:12:e3:f7:84:72:37:35:26:78:45:5e:90:3d:0b: + 57:6f:1f:42:05:77:ec:4b:0c:29:dd:d7:db:02:cb:b7:2f:7b: + cc:81:4a:cc:71:2f:54:aa:3a:27:e3:8e:cd:87:76:c1:5f:60: + b6:34:0c:16:ef:fc:b6:ae:61:44:6b:b2:e1:db:86:15:e4:24: + db:47:48:f2:29:14:fb:61:0b:10:97:b1:b2:79:c3:69:dc:f3: + 65:e9:15:a6:89:17:34:46:83:b1:a6:89:4f:12:e0:69:27:66: + f8:89:df:36:21:59:a9:a5:e5:6a:8b:10:8c:19:39:cf:6e:61: + a5:43:6f:34:b4:e1:79:7a:0a:f9:1d:2d:06:66:cb:a0:91:9c: + 04:85:4f:0b:3d:c1:54:a8:06:d3:89:2e:16:5c:f2:29:c5:f7: + 6e:d9:4b:ca:81:65:96:3c:ba:66:8e:40:16:a3:20:ca:ed:5a: + ea:72:97:7a:2c:c4:b6:b5:c2:00:83:fb:1b:8a:d0:72:85:49: + 88:ad:81:9e:87:42:31:99:1a:39:ad:b5:ff:24:b5:e0:90:07: + 08:2e:1d:4a:a7:01:ef:97:9a:07:d4:e6:09:f5:c8:36:37:ce: + e3:b2:94:2a:5e:95:e1:6a:06:68:d1:31:24:da:b4:fe:ce:af: + a5:23:87:bc:7e:35:54:dd:c3:77:a5:44:95:43:a0:b1:f5:c4: + f8:98:4d:a3:fc:33:ef:7a:d7:4b:5b:ae:de:2b:1f:7a:a1:3f: + df:85:6b:97:57:4d:fa:b1:1a:79:4b:a7:96:62:09:99:b0:54: + f1:46:65:dd:3a:31:bc:1b:07:97:ff:e7:1b:0a:d4:82:68:62: + cc:66:9c:06:d4:18:70:3b:71:82:2d:76:bf:e7:56:88:4f:d9: + 5e:1b:46:9c:f9:9c:15:bc:73:ca:f5:e5:44:3d:f1:e4:b9:55: + e6:06:80:e2:0d:4f:ba:19:e2:01:29:da:5b:6f:1f:79:6a:6c: + d4:e8:c2:e1:12:c2:13:d0:5a:63:1d:35:f1:36:d4:1b:48:26: + 
72:18:df:5f:7e:30:8d:86:42:cf:22:90:db:f8:6c:9d:b0:e7: + 3b:a1:0d:8a:b1:d9:de:a1:d0:4b:de:33:a2:fc:6c:cc:b0:7d: + a6:57:43:fe:db:2a:44:e3:6c:68:ff:c8:82:91:19:68:f0:c5: + 6b:9d:3b:4c:f8:2d:8f:0e:44:04:79:4e:99:ec:08:c6:e6:25: + 90:5b:2d:16:18:94:fe:0b:86:9b:01:f2:40:66:ec:fa:ac:28: + ba:33:fc:58:c1:8e:a2:06 +-----BEGIN CERTIFICATE----- +MIIGIjCCBAqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExEDAOBgNVBAoMB1Rl +c3QgQ0ExHDAaBgNVBAsME1Rlc3QgQ0EgT3JnYW56YXRpb24xHTAbBgNVBAMMFFRl +c3QgQ0EgT3JnYW5pemF0aW9uMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUu +Y29tMCAXDTI0MDgwODE4MDYyMloYDzIwNTExMjI1MTgwNjIyWjCBjDELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExFDASBgNV +BAoMC1Rlc3QgY2xpZW50MSAwHgYDVQQLDBdUZXN0IGNsaWVudCBPcmdhbnphdGlv +bjEhMB8GA1UEAwwYVGVzdCBjbGllbnQgT3JnYW5pemF0aW9uMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAv42ItyAOBD5eOvGjeC2lRPZos/PsPH6PzeLN +VZwsoqagMUG0EMs6qI6errVlExgC/DU4fF5tuuATMfBlu6bTYXx/hr3WhNKxBpL+ +R13dPh+ZbFVvZ+tE69jaeXAu10h1bx3LveZZFyLX2SMmkAy5Y4WRn45YklK2CTqA +t0CR/ke26DxNRJfvHBGndeAZ0nnLPl35DIGVY23fWEPlA2J4UgtbWlzD2Y45FeVy +N7A6zplnwHLKn2UleyO/h78fqfUP8r+h7EM7imfQX2HYA3TmsSWRRXCF0KJwZd9N +7TlsTcT9/o1xkgaQrRmO3gs14VB5MG/2uz10p2bdDnvQY/JdWNwXoaLkRU63nDK4 +vFaIMd5vJ/NWKVRFB2jzdp23Y8DXz2sRxTrSnxo0lirfZOHf/r4dSkhYM74ux6zH +Em+aphDl76SuC43JVixJYP9UkSxBBZB0cD7dVFizg67EtE6RC6XxPeRabTRcO+72 +12ILqFWPXYrtVpqN54AWD5cb9esNfx+aUeGbPhSs98M2QgYRfOnvdVSuGztot8R5 +/WdcJp6l1FVsx5IVUXNXmbze+1arcNuYEBpjcZzDnxGfwsWLrFxSacdYobEmhuNo +hSMXaGIwAXkaUdfpG6TagbZGMx6aK5v2ICbQIRCwFViRCLW9t8AFwc8vvTsYQBcI +klhuu7sCAwEAAaN2MHQwHQYDVR0OBBYEFN4DvaMOY/SXwlJwY+i+qd/xmntWMB8G +A1UdIwQYMBaAFFB2w1xrEuGSDyj48kOmgMKc6FbWMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgWgMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsF +AAOCAgEAkmklVWlGbjvDoZ0Asm61rhtaGSp3fxLj94RyNzUmeEVekD0LV28fQgV3 +7EsMKd3X2wLLty97zIFKzHEvVKo6J+OOzYd2wV9gtjQMFu/8tq5hRGuy4duGFeQk +20dI8ikU+2ELEJexsnnDadzzZekVpokXNEaDsaaJTxLgaSdm+InfNiFZqaXlaosQ 
+jBk5z25hpUNvNLTheXoK+R0tBmbLoJGcBIVPCz3BVKgG04kuFlzyKcX3btlLyoFl +ljy6Zo5AFqMgyu1a6nKXeizEtrXCAIP7G4rQcoVJiK2BnodCMZkaOa21/yS14JAH +CC4dSqcB75eaB9TmCfXINjfO47KUKl6V4WoGaNExJNq0/s6vpSOHvH41VN3Dd6VE +lUOgsfXE+JhNo/wz73rXS1uu3isfeqE/34Vrl1dN+rEaeUunlmIJmbBU8UZl3Tox +vBsHl//nGwrUgmhizGacBtQYcDtxgi12v+dWiE/ZXhtGnPmcFbxzyvXlRD3x5LlV +5gaA4g1PuhniASnaW28feWps1OjC4RLCE9BaYx018TbUG0gmchjfX34wjYZCzyKQ +2/hsnbDnO6ENirHZ3qHQS94zovxszLB9pldD/tsqRONsaP/IgpEZaPDFa507TPgt +jw5EBHlOmewIxuYlkFstFhiU/guGmwHyQGbs+qwoujP8WMGOogY= +-----END CERTIFICATE----- diff --git a/examples/features/advancedtls/creds/client_cert_revoked.pem b/examples/features/advancedtls/creds/client_cert_revoked.pem new file mode 100644 index 000000000000..c03fb198b1fd --- /dev/null +++ b/examples/features/advancedtls/creds/client_cert_revoked.pem 
@@ -0,0 +1,127 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com + Validity + Not Before: Aug 8 18:06:22 2024 GMT + Not After : Dec 25 18:06:22 2051 GMT + Subject: C=US, ST=Georgia, L=Atlanta, O=Test client, OU=Test client Organzation, CN=Test client Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:bf:8d:88:b7:20:0e:04:3e:5e:3a:f1:a3:78:2d: + a5:44:f6:68:b3:f3:ec:3c:7e:8f:cd:e2:cd:55:9c: + 2c:a2:a6:a0:31:41:b4:10:cb:3a:a8:8e:9e:ae:b5: + 65:13:18:02:fc:35:38:7c:5e:6d:ba:e0:13:31:f0: + 65:bb:a6:d3:61:7c:7f:86:bd:d6:84:d2:b1:06:92: + fe:47:5d:dd:3e:1f:99:6c:55:6f:67:eb:44:eb:d8: + da:79:70:2e:d7:48:75:6f:1d:cb:bd:e6:59:17:22: + d7:d9:23:26:90:0c:b9:63:85:91:9f:8e:58:92:52: + b6:09:3a:80:b7:40:91:fe:47:b6:e8:3c:4d:44:97: + ef:1c:11:a7:75:e0:19:d2:79:cb:3e:5d:f9:0c:81: + 95:63:6d:df:58:43:e5:03:62:78:52:0b:5b:5a:5c: + c3:d9:8e:39:15:e5:72:37:b0:3a:ce:99:67:c0:72: + ca:9f:65:25:7b:23:bf:87:bf:1f:a9:f5:0f:f2:bf: + a1:ec:43:3b:8a:67:d0:5f:61:d8:03:74:e6:b1:25: + 91:45:70:85:d0:a2:70:65:df:4d:ed:39:6c:4d:c4: + fd:fe:8d:71:92:06:90:ad:19:8e:de:0b:35:e1:50: + 79:30:6f:f6:bb:3d:74:a7:66:dd:0e:7b:d0:63:f2: + 5d:58:dc:17:a1:a2:e4:45:4e:b7:9c:32:b8:bc:56: + 88:31:de:6f:27:f3:56:29:54:45:07:68:f3:76:9d: + b7:63:c0:d7:cf:6b:11:c5:3a:d2:9f:1a:34:96:2a: + df:64:e1:df:fe:be:1d:4a:48:58:33:be:2e:c7:ac: + c7:12:6f:9a:a6:10:e5:ef:a4:ae:0b:8d:c9:56:2c: + 49:60:ff:54:91:2c:41:05:90:74:70:3e:dd:54:58: + b3:83:ae:c4:b4:4e:91:0b:a5:f1:3d:e4:5a:6d:34: + 5c:3b:ee:f6:d7:62:0b:a8:55:8f:5d:8a:ed:56:9a: + 8d:e7:80:16:0f:97:1b:f5:eb:0d:7f:1f:9a:51:e1: + 9b:3e:14:ac:f7:c3:36:42:06:11:7c:e9:ef:75:54: + ae:1b:3b:68:b7:c4:79:fd:67:5c:26:9e:a5:d4:55: + 6c:c7:92:15:51:73:57:99:bc:de:fb:56:ab:70:db: + 98:10:1a:63:71:9c:c3:9f:11:9f:c2:c5:8b:ac:5c: 
+ 52:69:c7:58:a1:b1:26:86:e3:68:85:23:17:68:62: + 30:01:79:1a:51:d7:e9:1b:a4:da:81:b6:46:33:1e: + 9a:2b:9b:f6:20:26:d0:21:10:b0:15:58:91:08:b5: + bd:b7:c0:05:c1:cf:2f:bd:3b:18:40:17:08:92:58: + 6e:bb:bb + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + DE:03:BD:A3:0E:63:F4:97:C2:52:70:63:E8:BE:A9:DF:F1:9A:7B:56 + X509v3 Authority Key Identifier: + 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:0.0.0.0 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 58:b7:35:45:3b:6b:5e:7d:6b:58:70:be:e6:39:96:14:2e:69: + 17:fc:a4:8e:1b:ae:ca:62:73:ec:12:92:ca:a8:1f:92:b8:1e: + 09:a5:7e:c0:49:d2:a3:29:48:2f:4c:67:ae:a6:fb:ad:7a:1b: + 2a:29:0b:75:6d:11:0f:99:8c:1d:dc:af:1c:a8:e7:cb:7c:66: + 34:de:7e:8f:e6:aa:26:6e:56:17:aa:1f:34:e9:1f:ff:7a:58: + d2:7e:7c:65:62:56:d1:de:04:bd:71:cf:a2:6c:ad:47:cb:10: + e8:72:b0:0a:9e:24:79:e0:1a:b6:e2:61:6f:fd:94:8b:3c:19: + d0:8e:62:4f:a2:3a:fd:3d:97:c2:e7:93:1f:2c:aa:13:f5:c6: + d0:03:4c:ee:90:48:94:3b:03:d9:2c:80:59:97:fb:a2:7f:00: + 23:19:51:0b:89:2a:92:36:57:94:0b:73:8b:f3:ae:5d:f0:68: + 29:ea:a1:f3:eb:83:48:f5:19:d1:42:fe:94:cd:13:37:c9:9a: + c1:65:b3:97:eb:7e:82:f1:e3:98:c8:da:0c:41:c0:6f:4f:42: + 49:38:8b:c4:57:f4:07:cb:7f:f5:70:81:f0:72:3e:c7:e1:69: + e3:38:e5:d0:4a:97:b2:b6:bf:25:c9:fe:91:79:39:d0:eb:04: + a5:5d:b6:ca:4a:83:6e:9a:32:a2:6f:b1:ed:34:71:6f:9e:ee: + ed:e4:c3:1b:07:ec:e1:d2:19:9f:f8:b0:a0:91:e6:dd:92:cf: + 2a:dd:45:b5:29:12:57:1b:6c:f2:04:37:be:4d:20:e8:f4:f4: + 2c:f1:bc:3e:76:ed:85:64:26:0f:81:c5:dc:63:f6:6e:77:fc: + 32:18:0b:a0:e4:8a:b5:af:93:d3:55:26:5d:7f:5d:a1:5d:1d: + 2e:f2:11:66:bd:5a:32:cc:80:6d:cf:c2:45:17:b4:bf:46:c6: + 99:2d:ae:1e:20:b8:21:b0:80:8f:72:25:9d:62:b6:80:71:9e: + 90:80:ef:52:19:a3:68:05:80:f9:8b:dc:f5:89:57:35:5c:1b: + 11:f0:e0:15:4e:ca:19:3c:19:61:86:8f:6b:3c:c3:d1:cf:6f: + 
c5:28:88:35:7d:c8:ae:1b:98:a1:7c:b8:e8:df:36:a9:9a:9b: + bd:71:48:c2:89:d6:5c:27:31:c9:c3:4c:71:95:67:aa:7a:c4: + 2e:7e:05:6f:d2:53:16:cc:6b:5b:64:43:ff:e5:1a:d5:47:d9: + ff:47:1f:28:91:43:88:5d:34:ca:61:fe:38:b7:8f:35:43:51: + 78:b1:c1:2b:e2:29:2a:a1:69:bb:1f:14:2e:c5:f3:18:9d:81: + ee:bc:d6:fc:e7:52:d6:d6 +-----BEGIN CERTIFICATE----- +MIIGIjCCBAqgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExEDAOBgNVBAoMB1Rl +c3QgQ0ExHDAaBgNVBAsME1Rlc3QgQ0EgT3JnYW56YXRpb24xHTAbBgNVBAMMFFRl +c3QgQ0EgT3JnYW5pemF0aW9uMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUu +Y29tMCAXDTI0MDgwODE4MDYyMloYDzIwNTExMjI1MTgwNjIyWjCBjDELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExFDASBgNV +BAoMC1Rlc3QgY2xpZW50MSAwHgYDVQQLDBdUZXN0IGNsaWVudCBPcmdhbnphdGlv +bjEhMB8GA1UEAwwYVGVzdCBjbGllbnQgT3JnYW5pemF0aW9uMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAv42ItyAOBD5eOvGjeC2lRPZos/PsPH6PzeLN +VZwsoqagMUG0EMs6qI6errVlExgC/DU4fF5tuuATMfBlu6bTYXx/hr3WhNKxBpL+ +R13dPh+ZbFVvZ+tE69jaeXAu10h1bx3LveZZFyLX2SMmkAy5Y4WRn45YklK2CTqA +t0CR/ke26DxNRJfvHBGndeAZ0nnLPl35DIGVY23fWEPlA2J4UgtbWlzD2Y45FeVy +N7A6zplnwHLKn2UleyO/h78fqfUP8r+h7EM7imfQX2HYA3TmsSWRRXCF0KJwZd9N +7TlsTcT9/o1xkgaQrRmO3gs14VB5MG/2uz10p2bdDnvQY/JdWNwXoaLkRU63nDK4 +vFaIMd5vJ/NWKVRFB2jzdp23Y8DXz2sRxTrSnxo0lirfZOHf/r4dSkhYM74ux6zH +Em+aphDl76SuC43JVixJYP9UkSxBBZB0cD7dVFizg67EtE6RC6XxPeRabTRcO+72 +12ILqFWPXYrtVpqN54AWD5cb9esNfx+aUeGbPhSs98M2QgYRfOnvdVSuGztot8R5 +/WdcJp6l1FVsx5IVUXNXmbze+1arcNuYEBpjcZzDnxGfwsWLrFxSacdYobEmhuNo +hSMXaGIwAXkaUdfpG6TagbZGMx6aK5v2ICbQIRCwFViRCLW9t8AFwc8vvTsYQBcI +klhuu7sCAwEAAaN2MHQwHQYDVR0OBBYEFN4DvaMOY/SXwlJwY+i+qd/xmntWMB8G +A1UdIwQYMBaAFFB2w1xrEuGSDyj48kOmgMKc6FbWMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgWgMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsF +AAOCAgEAWLc1RTtrXn1rWHC+5jmWFC5pF/ykjhuuymJz7BKSyqgfkrgeCaV+wEnS +oylIL0xnrqb7rXobKikLdW0RD5mMHdyvHKjny3xmNN5+j+aqJm5WF6ofNOkf/3pY +0n58ZWJW0d4EvXHPomytR8sQ6HKwCp4keeAatuJhb/2UizwZ0I5iT6I6/T2XwueT 
+HyyqE/XG0ANM7pBIlDsD2SyAWZf7on8AIxlRC4kqkjZXlAtzi/OuXfBoKeqh8+uD +SPUZ0UL+lM0TN8mawWWzl+t+gvHjmMjaDEHAb09CSTiLxFf0B8t/9XCB8HI+x+Fp +4zjl0EqXsra/Jcn+kXk50OsEpV22ykqDbpoyom+x7TRxb57u7eTDGwfs4dIZn/iw +oJHm3ZLPKt1FtSkSVxts8gQ3vk0g6PT0LPG8PnbthWQmD4HF3GP2bnf8MhgLoOSK +ta+T01UmXX9doV0dLvIRZr1aMsyAbc/CRRe0v0bGmS2uHiC4IbCAj3IlnWK2gHGe +kIDvUhmjaAWA+Yvc9YlXNVwbEfDgFU7KGTwZYYaPazzD0c9vxSiINX3IrhuYoXy4 +6N82qZqbvXFIwonWXCcxycNMcZVnqnrELn4Fb9JTFsxrW2RD/+Ua1UfZ/0cfKJFD +iF00ymH+OLePNUNReLHBK+IpKqFpux8ULsXzGJ2B7rzW/OdS1tY= +-----END CERTIFICATE----- diff --git a/examples/features/advancedtls/creds/client_key.pem b/examples/features/advancedtls/creds/client_key.pem new file mode 100644 index 000000000000..f9ec8c4655da --- /dev/null +++ b/examples/features/advancedtls/creds/client_key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC/jYi3IA4EPl46 +8aN4LaVE9miz8+w8fo/N4s1VnCyipqAxQbQQyzqojp6utWUTGAL8NTh8Xm264BMx +8GW7ptNhfH+GvdaE0rEGkv5HXd0+H5lsVW9n60Tr2Np5cC7XSHVvHcu95lkXItfZ +IyaQDLljhZGfjliSUrYJOoC3QJH+R7boPE1El+8cEad14BnSecs+XfkMgZVjbd9Y +Q+UDYnhSC1taXMPZjjkV5XI3sDrOmWfAcsqfZSV7I7+Hvx+p9Q/yv6HsQzuKZ9Bf +YdgDdOaxJZFFcIXQonBl303tOWxNxP3+jXGSBpCtGY7eCzXhUHkwb/a7PXSnZt0O +e9Bj8l1Y3BehouRFTrecMri8Vogx3m8n81YpVEUHaPN2nbdjwNfPaxHFOtKfGjSW +Kt9k4d/+vh1KSFgzvi7HrMcSb5qmEOXvpK4LjclWLElg/1SRLEEFkHRwPt1UWLOD +rsS0TpELpfE95FptNFw77vbXYguoVY9diu1Wmo3ngBYPlxv16w1/H5pR4Zs+FKz3 +wzZCBhF86e91VK4bO2i3xHn9Z1wmnqXUVWzHkhVRc1eZvN77Vqtw25gQGmNxnMOf +EZ/CxYusXFJpx1ihsSaG42iFIxdoYjABeRpR1+kbpNqBtkYzHporm/YgJtAhELAV +WJEItb23wAXBzy+9OxhAFwiSWG67uwIDAQABAoICAA9XpZV5UUtrYr5uNULTxnLV +blcfgz091oR4lSwKuWkrrGqq5w0Yogb3KWQ37jO5zsoRnzJtmR9d1tu/SVQJjXu3 +mOVGFkUG38agMRKumiEMLzcwnp7gXAxXOaR+ukRkWYJADN4Vxu6l9qDoglcJAIj6 +nUp+KxTz4ABcObazyshm87z6e3vc1CTXkHtOAEjN7YaoyIuvuLNBN8wzip0bSXoq +I7PYo0KCdDW57iHiESEUGMMezqDhXT+q13/mwdap5Lrzjg4aPSNy+OBy5KDeP6NS +WCY2LYRORm9lE9zw0P5noqpn/NU5MQ7+8Y+nrotF7UxWY2462A7tG76PEdwM1ly7 +GyslA5o+V9RE1CsQJfK0yInD0W2cC9cggdcGlzm5p0jhWKk3Z3QaEXv6KxlkQjct +q9uX7xdQff01WQVnS96VG4I5YlJP8vdTww3KL+7fpsBS1uNn1/pxDZW3LgT1XEHf +lJxRSHKwyViHJtQyVaKzuzS9AOztOO1OWJvIwLAwImdjyXZeoKdBptkVLRfbX4+U +4zCE0fgwkkmuFrvFQSoXvQsul+BXULiUhRTilUaN6VweP1Q99g9dzVqkyNLmm6+2 +vaOR4F3y+DYgu5wa7wQdULnpkzpHwiPUcqulOgg5xLo7tr5Q9nVrwyQy5zvuvYas +N/LsYR2xBrMqRZRbxSWVAoIBAQD5mBydPI2jtw2jw6NBs9lqZasmUXoFkUO1IPuG +oNauIzQdhQ7OCdBmwyWVyI7QnM0ZNB495qOg+lmxMpkg3hoQlN0PFKEBvVZde6Yz +sB4eCL95x5bdp3oblUvq7h/0d4i+1I8OVKZz56zSn6CyoEH5zIxq+dXgGVsdfWOW +tqnLSGM0apZlfKWoHTPc5OtJAiXXwWA0aGBGCa3M438HJ8V6qy4QREOOxR6HapUJ +VODPsj9h6XL5jxFqcbaojjpckpb3SYh7rB3kgoriuSBgPGKM+PLjW1mCGwcLgGYB +cn+2EHxKLvm+ShzZGdwjrpCv0aRuiYIGEb1/Afu4nOGnnJXnAoIBAQDEeBQBez5E +SBiy6W5ZCIUXMS8DHFVei/GYDsAYMH0+vnbwUxBWNDKpUbiVVE6yrTjiRPfNamf0 
+0zKSsI2MOMLNnb8nIkEWeVweHfQF5R1xxubemqmQ55Rd11ep59p9Er7O1WtR0968 +KWwT9ZN4OoXSRIFHV0fjY2V2Ns0VDyHl8vWgDk80JpEX/4BWFtRzuPaRCGuxFAJY +3Md5ynCwOPaPKPXMc1by1ZCKGBxpXoeErWM0/hvbt2YUfI8+n80W0ws2p1/YDWE+ +9PhCHUFPxxTvb7+rSYYHJs3tcnS7c3K3jhkxbbR9FS95IVMTopjD24nl3G6nSyPT +UJP+qnE3WgkNAoIBAEKqt5HkF60P+uuwGM423K7HozRj9OTBzUT3H1fxZAY1TvlH +jhHIm0qne0WLwWHFUB8YRa+hCDm6RPTIoBAgYvPk3zrk9rCBQy1LFrSdqR26lnJP +tmNUFZCCizmgCxcASp02J1Pblm5FBmtnycOMfLLdSPBV9SObgjPZRx19gtLSbfUV +N0C6T4Ec87pfxtzEXxlHBIxbCMQMV8jvRwHBRMUkLfSYVzcuPZ5MAKzyZ+3yHW3o +rhYseall4DUbcElDumEo2fS2n3Fm0PQIILazylr/L9k8kCbpUzNmQ1jFnYki1B/4 +diq2nwf6GUvKl8juhS4lOn6mhGgFPpgsBzX+5CcCggEAL/1Epbf81aDmp4ztL0It +gCS7Xv8kuxtjv8iak04EybasRreDXgsR9NnJRHB7aJl3M421Ga/MBLkxuTL24DFd +I+xMLLrpOxwZrCGU4Xu9XXVAH0+X65UlYGahOxcu/y38/XiT5kDiPwO/KoDprIxe +86VYDpz7Kke1GNL59RLlLM3TwWy9W/evqTT3nA+nhTzAvVxZMb+5cws6jj0smV7Q +mtdecroZmucfjxuklPhKEdZoTSFknJ6HiKmEM7/E0LZsHsVzW8qo3j/oA/4xXdM7 +AeFB6AzleAm6cy1p5f+lHcDP1or9czAhkGzbZghpWC3f2Q2m2aY48fzUqXfof6S2 +YQKCAQEAhnYgWar6sj/llQiKGmwQxxw9PkJMHGLAX44H3P9xAPwDIsgkL+hGmVIR +7/ILhEbPtBGCvaoI/bqR5zh8VdMbqnm8ocZqz4xnu4WMpMfmF07TxF8aVC9TBoas +Ad6khQfL4c91YrwTThvfyZ6im3aP/e8CSiZrkg89tF3a6rLvsJRx1qlj0DciLxW5 +/7soumtv9DCa1YmuuBAad14WprxEvAG7OVpH6SJPx6V3Di7LdWZUJQ79xeWn3Coh +jfC/JlCEkRvxmzW8oDPWxHzbIJ194ukXPQot8eFzH+oOWtGkODxjhbdiTBl6ty2f +egtZ+t//dA1KBWPMdPk3MoWZopTVgw== +-----END PRIVATE KEY----- diff --git a/examples/features/advancedtls/creds/crl/client_revoked.crl b/examples/features/advancedtls/creds/crl/client_revoked.crl new file mode 100644 index 000000000000..1792d5957be0 --- /dev/null +++ b/examples/features/advancedtls/creds/crl/client_revoked.crl 
@@ -0,0 +1,20 @@ +-----BEGIN X509 CRL----- +MIIDOzCCASMCAQEwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdBdGxhbnRhMRAwDgYDVQQKDAdUZXN0IENB +MRwwGgYDVQQLDBNUZXN0IENBIE9yZ2FuemF0aW9uMR0wGwYDVQQDDBRUZXN0IENB +IE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3DQEJARYQdGVzdEBleGFtcGxlLmNvbRcN +MjQwODA4MTgwNjIyWhcNMjQwOTA3MTgwNjIyWjAoMBICAQIXDTI0MDgwODE4MDYy +MVowEgIBBBcNMjQwODA4MTgwNjIyWqAjMCEwHwYDVR0jBBgwFoAUUHbDXGsS4ZIP +KPjyQ6aAwpzoVtYwDQYJKoZIhvcNAQELBQADggIBAArFuFeXXCWCCNLy8qk0UG5r +CljVMSWrOPTy3eyQH+pSbzdwA5PYW2i5BOBcr6ULKW5aamFjhYMviqroFXrib7yU +hNhiK8FtH9cl2O7pbdFGBdjqHoGOSOWXG++0LU+Hhh5kTr/iZrgkYvB3RHycofC1 +85nY01t//fGZZJ3e8hBwf8sNdR4L7vQ2WJtbzj8mj6mU4K//UkTiqZv2yGlbDXmh +p0HDdu9/nBFLrLE35N/0m/1R4pW7AXm3R6WBiqxY8KdA4Us9tC9+qvtsWwEe/klN +5E9FLcARMTl9kwJLNJZpVoe6tyt/S4WXs4nh+XEpiD5uZgbMh0N0jwaCMWyz3wo6 +tLkMmg+4mXEViAKQZTGVU2fTVaBH1C6A4ugB7IcFG1gXVw2DnF6I1XQB9+EcPbpb +6ZTBo1msSR0Bzr0sUOdCiKhSc60DTjeNjcLhNT4k06cVvzQcyb2KePG+NnA/Tfbz +yMuDcx62T2BTL1X2aVMUSLY3mwWnqyFdHbEQOoKH084Nrhizq7H2YwdoL992UTuH +PzjyEqJN3hIePthlHl2g9fGh9dIJtxu6didm2M4WoHKeCfpWPH8fc37zhX8QYpqj +U9vDvc2F567lRpAGwyqKZti+2xg2L2K/qBSGvKdtf5hPsOvVlEnWC4mTbjo19aUn +YvLKT6e3D16ao5jVKITj +-----END X509 CRL----- diff --git a/examples/features/advancedtls/creds/localhost-openssl.cnf b/examples/features/advancedtls/creds/localhost-openssl.cnf new file mode 100644 index 000000000000..bacdb0059d9a --- /dev/null +++ b/examples/features/advancedtls/creds/localhost-openssl.cnf 
@@ -0,0 +1,24 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = Country Name (2 letter code) +countryName_default = US +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Georgia +localityName = Locality Name (eg, city) +localityName_default = Atlanta +organizationName = Organization Name (eg, company) +organizationName_default = Test Department +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +[v3_req] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = localhost +IP.1 = 0.0.0.0 diff --git a/examples/features/advancedtls/creds/openssl-ca.cnf b/examples/features/advancedtls/creds/openssl-ca.cnf new file mode 100644 index 000000000000..64d3de014076 --- /dev/null +++ b/examples/features/advancedtls/creds/openssl-ca.cnf 
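Review bot: `IP.1 = 0.0.0.0` under alt_names puts the wildcard bind address into the SAN, which no client ever dials, so a client connecting to `127.0.0.1` or `::1` instead of `localhost` still fails name verification; `IP.1 = 127.0.0.1` and `IP.2 = ::1` would cover loopback dials, or the IP entry can be dropped in favour of `DNS.1 = localhost` alone. The `keyUsage` in v3_req also lists `nonRepudiation`, yet the certificates committed in this patch show only `Digital Signature, Key Encipherment`, so the CSR value is being superseded by the CA's signing_req section and the two could be aligned to avoid confusion.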
@@ -0,0 +1,94 @@ +base_dir = . +certificate = $base_dir/ca_cert.pem # The CA certifcate +private_key = $base_dir/ca_key.pem # The CA private key +new_certs_dir = $base_dir # Location for new certs after signing +database = $base_dir/index.txt # Database index file +serial = $base_dir/serial.txt # The current serial number + +unique_subject = no # Set to 'no' to allow creation of + # several certificates with same subject. + +HOME = . +RANDFILE = $ENV::HOME/.rnd + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +[ CA_default ] + +default_days = 10000 # How long to certify for +default_crl_days = 30 # How long before next CRL +default_md = sha256 # Use public key default MD +preserve = no # Keep passed DN ordering + +x509_extensions = ca_extensions # The extensions to add to the cert +crl_extensions = crl_ext + +email_in_dn = no # Don't concat the email in the DN +copy_extensions = copy # Required to copy SANs from CSR to cert + +#################################################################### +[ req ] +default_bits = 4096 +default_keyfile = ca_key.pem +distinguished_name = ca_distinguished_name +x509_extensions = ca_extensions +string_mask = utf8only + +#################################################################### +[ ca_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = US + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Georgia + +localityName = Locality Name (eg, city) +localityName_default = Atlanta + +organizationName = Organization Name (eg, company) +organizationName_default = Test CA + +organizationalUnitName = Organizational Unit (eg, division) +organizationalUnitName_default = Test CA Organization + +commonName = Common Name (e.g. 
server FQDN or YOUR name) +commonName_default = Test CA Organization + +emailAddress = Email Address +emailAddress_default = test@example.com + +#################################################################### +[ ca_extensions ] + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer +basicConstraints = critical, CA:true +keyUsage = keyCertSign, cRLSign + + + + +#################################################################### +[ signing_policy ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ signing_req ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment + +[ crl_ext ] +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. +#issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always diff --git a/examples/features/advancedtls/creds/server_cert.pem b/examples/features/advancedtls/creds/server_cert.pem new file mode 100644 index 000000000000..9d1747bb6401 --- /dev/null +++ b/examples/features/advancedtls/creds/server_cert.pem 
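Review bot: `default_crl_days = 30` in CA_default gives every CRL this config issues a nextUpdate one month after generate.sh runs, while `default_days = 10000` carries the signed certificates to 2051; decoding the CRLs committed in this patch (client_revoked.crl, server_revoked.crl) shows a nextUpdate of 2024-09-07, so they are already past it. Whether the example's CRL provider rejects a CRL whose nextUpdate has passed cannot be told from this patch, but if it does the revocation examples will fail until the creds are regenerated; `default_crl_days = 10000` (matching default_days) keeps the committed CRLs valid as long as the certificates they cover. The comment on the `certificate` line also misspells it as `certifcate`.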
@@ -0,0 +1,127 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com + Validity + Not Before: Aug 8 18:06:21 2024 GMT + Not After : Dec 25 18:06:21 2051 GMT + Subject: C=US, ST=Georgia, L=Atlanta, O=Test Server, OU=Test Server Organzation, CN=Test Server Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:bd:47:df:b7:d5:38:92:af:b4:69:e7:48:3b:a0: + 7b:9e:6b:83:0e:76:91:06:06:94:a3:80:a3:73:8f: + 50:e5:43:80:f8:f7:fb:65:7b:f0:a3:94:cc:8e:a6: + 7e:fe:59:43:ce:80:68:6d:55:67:8e:33:aa:90:79: + 21:ac:de:6e:f0:03:27:1e:6f:50:31:cf:d2:3e:c3: + 8e:98:f5:bb:f9:e9:44:3f:3f:59:ae:7c:a3:b8:a7: + ae:94:ff:68:70:d0:fb:7b:cb:cc:35:7d:04:81:f5: + 2b:12:78:bf:6e:1b:a3:cd:d1:74:41:41:9f:ee:02: + 1f:b3:42:fd:c9:01:b5:28:43:ee:31:03:3a:5d:60: + d3:df:8f:69:1e:73:4a:c4:83:35:95:00:93:83:6e: + d6:b0:d2:0b:30:31:7f:95:eb:ce:c9:73:83:b9:76: + eb:45:f1:20:8b:75:de:81:a3:32:b0:f7:0f:21:64: + a7:1d:cc:3b:00:82:c8:48:74:c9:3a:0b:f9:cb:6e: + 8c:ab:fc:b0:94:20:bd:60:06:eb:d0:12:15:55:48: + d7:d3:30:ef:59:67:98:df:f6:31:92:6d:63:1c:4a: + 93:7c:97:a8:99:f6:61:e5:78:12:36:a2:24:56:37: + 4b:38:ce:63:00:a2:26:b3:31:05:93:23:3c:c1:ed: + b1:fb:25:7d:fc:54:04:3a:b9:3a:f7:17:a4:58:10: + 4f:e8:6d:90:69:49:b6:1f:1b:81:fb:f5:c7:6c:aa: + b3:e0:4a:b1:38:40:77:83:a2:aa:8c:e2:7c:91:a9: + 3e:cd:43:be:90:c3:e7:b1:23:94:47:f9:68:db:e4: + 2c:df:65:e7:88:b6:64:dc:62:d0:86:33:9b:13:64: + 94:37:aa:0e:56:9f:a3:42:19:67:30:a1:e9:3b:5b: + 4a:e6:e1:81:52:81:21:2a:78:ac:c1:77:77:52:fc: + 4a:95:b9:3f:f7:e6:32:9e:59:5b:46:4c:a9:8a:12: + d3:2c:fc:33:73:3a:28:26:28:22:4c:1c:a9:b1:59: + 96:ab:a5:f6:e9:e7:55:32:a8:2b:a2:33:de:a0:e2: + 5f:77:d8:cd:d1:aa:1f:4f:c6:69:10:66:4e:9d:aa: + 77:83:82:78:96:5a:07:21:12:db:4c:97:51:cd:ba: + ea:00:cd:94:97:40:b8:50:62:90:2b:8c:b0:1b:2c: 
+ aa:a5:63:0c:bb:7d:d5:7d:3f:c1:4a:00:6b:cb:74: + fa:23:35:26:1e:26:1a:30:b2:96:bc:1b:16:2a:62: + 96:1f:51:20:72:95:36:1a:87:20:26:9f:76:d6:84: + 1b:67:2a:32:68:b7:e0:c7:80:75:a3:fa:b7:da:a3: + 03:71:c1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19 + X509v3 Authority Key Identifier: + 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:0.0.0.0 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 10:9b:66:d5:4b:8f:e2:7b:25:8b:fe:5b:9c:a6:dd:4e:d5:ee: + 27:ad:a9:e5:c4:5d:9b:f9:2c:f1:d6:8d:0e:d6:9b:e6:9f:87: + 0b:14:1b:c9:a3:dc:da:82:d0:1e:e8:c5:f7:f4:ea:99:ea:01: + f1:2e:7c:f0:07:15:28:74:15:b0:36:27:a5:3f:2d:c7:32:fc: + 81:61:44:15:9a:9a:88:20:fb:c6:d9:8a:26:61:df:e2:04:a2: + 54:98:76:90:40:98:80:d3:eb:ff:73:29:d7:2f:3f:79:ca:ba: + c3:1b:34:53:6e:f0:da:06:f8:19:3e:97:de:34:74:d1:4c:90: + e1:ce:6a:36:31:6e:58:d2:22:b1:5a:05:71:d8:0b:d9:c2:03: + 17:0d:98:78:f5:e2:24:7c:0a:7d:7b:49:4f:fe:31:a6:c3:0e: + 11:9e:af:6e:88:83:72:5a:34:a9:34:94:ef:6b:ee:cc:c1:71: + 5c:53:c6:dd:52:7e:a7:4c:9a:48:76:e9:72:b9:c4:26:74:87: + 64:c9:89:34:7d:bc:f2:ff:8a:ac:32:b5:3d:50:19:09:5f:30: + 19:49:6e:86:4e:84:e3:13:cc:9f:4c:a9:4a:20:89:5e:e3:91: + ad:8d:5e:3f:ac:ea:63:f1:48:18:f2:22:e9:b6:c3:6f:dc:b4: + 46:fc:41:71:33:ee:a7:4b:33:79:11:0f:c9:81:4d:10:c3:df: + b6:4d:75:62:74:39:e4:8d:5d:33:37:1b:91:ce:23:a3:47:15: + 58:57:5b:09:ba:4f:d5:1b:0f:4f:7b:03:10:d7:49:76:86:e0: + 69:7f:1a:7e:cb:6c:2a:80:b4:d8:9e:03:66:5c:89:3c:d3:82: + 86:d9:50:65:d9:15:51:e1:0b:3b:2f:e8:c7:44:6d:27:e3:09: + 2d:58:ce:a1:af:f9:d9:2f:0a:fd:fb:65:3d:3b:30:5a:42:b1: + ab:34:28:20:0d:a4:31:dd:84:65:eb:87:d1:59:33:1d:db:b1: + 64:e3:e5:6f:25:1a:15:ae:f1:39:b6:cc:91:d0:82:6e:e6:82: + 9e:f0:fc:c9:41:2b:a4:d7:b5:e7:af:1e:13:46:c0:e6:04:ac: + 
98:53:ab:52:f3:85:bb:95:0d:b0:fb:e0:0a:c9:5e:da:99:ec: + 63:6c:7c:78:21:12:8d:21:6b:c3:bf:6c:cb:88:dc:c3:7a:24: + b9:4b:ba:36:63:b3:01:91:b3:07:a9:b0:1f:2c:ab:ae:d4:cd: + a7:a2:46:c0:29:df:1f:c2:29:d4:f9:49:9e:c5:e0:ca:02:f7: + eb:de:b8:b9:6e:1f:18:3a:6d:0f:07:0d:97:d2:16:0d:84:2c: + 81:24:c6:e6:e5:f5:e4:59 +-----BEGIN CERTIFICATE----- +MIIGIjCCBAqgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExEDAOBgNVBAoMB1Rl +c3QgQ0ExHDAaBgNVBAsME1Rlc3QgQ0EgT3JnYW56YXRpb24xHTAbBgNVBAMMFFRl +c3QgQ0EgT3JnYW5pemF0aW9uMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUu +Y29tMCAXDTI0MDgwODE4MDYyMVoYDzIwNTExMjI1MTgwNjIxWjCBjDELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExFDASBgNV +BAoMC1Rlc3QgU2VydmVyMSAwHgYDVQQLDBdUZXN0IFNlcnZlciBPcmdhbnphdGlv +bjEhMB8GA1UEAwwYVGVzdCBTZXJ2ZXIgT3JnYW5pemF0aW9uMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAvUfft9U4kq+0aedIO6B7nmuDDnaRBgaUo4Cj +c49Q5UOA+Pf7ZXvwo5TMjqZ+/llDzoBobVVnjjOqkHkhrN5u8AMnHm9QMc/SPsOO +mPW7+elEPz9ZrnyjuKeulP9ocND7e8vMNX0EgfUrEni/bhujzdF0QUGf7gIfs0L9 +yQG1KEPuMQM6XWDT349pHnNKxIM1lQCTg27WsNILMDF/levOyXODuXbrRfEgi3Xe +gaMysPcPIWSnHcw7AILISHTJOgv5y26Mq/ywlCC9YAbr0BIVVUjX0zDvWWeY3/Yx +km1jHEqTfJeomfZh5XgSNqIkVjdLOM5jAKImszEFkyM8we2x+yV9/FQEOrk69xek +WBBP6G2QaUm2HxuB+/XHbKqz4EqxOEB3g6KqjOJ8kak+zUO+kMPnsSOUR/lo2+Qs +32XniLZk3GLQhjObE2SUN6oOVp+jQhlnMKHpO1tK5uGBUoEhKniswXd3UvxKlbk/ +9+YynllbRkypihLTLPwzczooJigiTBypsVmWq6X26edVMqgrojPeoOJfd9jN0aof +T8ZpEGZOnap3g4J4lloHIRLbTJdRzbrqAM2Ul0C4UGKQK4ywGyyqpWMMu33VfT/B +SgBry3T6IzUmHiYaMLKWvBsWKmKWH1EgcpU2GocgJp921oQbZyoyaLfgx4B1o/q3 +2qMDccECAwEAAaN2MHQwHQYDVR0OBBYEFExX4nKXz9zEuE7b1MHGPa7v1woZMB8G +A1UdIwQYMBaAFFB2w1xrEuGSDyj48kOmgMKc6FbWMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgWgMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsF +AAOCAgEAEJtm1UuP4nsli/5bnKbdTtXuJ62p5cRdm/ks8daNDtab5p+HCxQbyaPc +2oLQHujF9/TqmeoB8S588AcVKHQVsDYnpT8txzL8gWFEFZqaiCD7xtmKJmHf4gSi +VJh2kECYgNPr/3Mp1y8/ecq6wxs0U27w2gb4GT6X3jR00UyQ4c5qNjFuWNIisVoF 
+cdgL2cIDFw2YePXiJHwKfXtJT/4xpsMOEZ6vboiDclo0qTSU72vuzMFxXFPG3VJ+ +p0yaSHbpcrnEJnSHZMmJNH288v+KrDK1PVAZCV8wGUluhk6E4xPMn0ypSiCJXuOR +rY1eP6zqY/FIGPIi6bbDb9y0RvxBcTPup0szeREPyYFNEMPftk11YnQ55I1dMzcb +kc4jo0cVWFdbCbpP1RsPT3sDENdJdobgaX8afstsKoC02J4DZlyJPNOChtlQZdkV +UeELOy/ox0RtJ+MJLVjOoa/52S8K/ftlPTswWkKxqzQoIA2kMd2EZeuH0VkzHdux +ZOPlbyUaFa7xObbMkdCCbuaCnvD8yUErpNe1568eE0bA5gSsmFOrUvOFu5UNsPvg +Csle2pnsY2x8eCESjSFrw79sy4jcw3okuUu6NmOzAZGzB6mwHyyrrtTNp6JGwCnf +H8Ip1PlJnsXgygL36964uW4fGDptDwcNl9IWDYQsgSTG5uX15Fk= +-----END CERTIFICATE----- diff --git a/examples/features/advancedtls/creds/server_cert_revoked.pem b/examples/features/advancedtls/creds/server_cert_revoked.pem new file mode 100644 index 000000000000..70ab8d55c6ac --- /dev/null +++ b/examples/features/advancedtls/creds/server_cert_revoked.pem 
@@ -0,0 +1,127 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Georgia, L=Atlanta, O=Test CA, OU=Test CA Organzation, CN=Test CA Organization/emailAddress=test@example.com + Validity + Not Before: Aug 8 18:06:21 2024 GMT + Not After : Dec 25 18:06:21 2051 GMT + Subject: C=US, ST=Georgia, L=Atlanta, O=Test server, OU=Test server Organzation, CN=Test server Organization + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (4096 bit) + Modulus: + 00:bd:47:df:b7:d5:38:92:af:b4:69:e7:48:3b:a0: + 7b:9e:6b:83:0e:76:91:06:06:94:a3:80:a3:73:8f: + 50:e5:43:80:f8:f7:fb:65:7b:f0:a3:94:cc:8e:a6: + 7e:fe:59:43:ce:80:68:6d:55:67:8e:33:aa:90:79: + 21:ac:de:6e:f0:03:27:1e:6f:50:31:cf:d2:3e:c3: + 8e:98:f5:bb:f9:e9:44:3f:3f:59:ae:7c:a3:b8:a7: + ae:94:ff:68:70:d0:fb:7b:cb:cc:35:7d:04:81:f5: + 2b:12:78:bf:6e:1b:a3:cd:d1:74:41:41:9f:ee:02: + 1f:b3:42:fd:c9:01:b5:28:43:ee:31:03:3a:5d:60: + d3:df:8f:69:1e:73:4a:c4:83:35:95:00:93:83:6e: + d6:b0:d2:0b:30:31:7f:95:eb:ce:c9:73:83:b9:76: + eb:45:f1:20:8b:75:de:81:a3:32:b0:f7:0f:21:64: + a7:1d:cc:3b:00:82:c8:48:74:c9:3a:0b:f9:cb:6e: + 8c:ab:fc:b0:94:20:bd:60:06:eb:d0:12:15:55:48: + d7:d3:30:ef:59:67:98:df:f6:31:92:6d:63:1c:4a: + 93:7c:97:a8:99:f6:61:e5:78:12:36:a2:24:56:37: + 4b:38:ce:63:00:a2:26:b3:31:05:93:23:3c:c1:ed: + b1:fb:25:7d:fc:54:04:3a:b9:3a:f7:17:a4:58:10: + 4f:e8:6d:90:69:49:b6:1f:1b:81:fb:f5:c7:6c:aa: + b3:e0:4a:b1:38:40:77:83:a2:aa:8c:e2:7c:91:a9: + 3e:cd:43:be:90:c3:e7:b1:23:94:47:f9:68:db:e4: + 2c:df:65:e7:88:b6:64:dc:62:d0:86:33:9b:13:64: + 94:37:aa:0e:56:9f:a3:42:19:67:30:a1:e9:3b:5b: + 4a:e6:e1:81:52:81:21:2a:78:ac:c1:77:77:52:fc: + 4a:95:b9:3f:f7:e6:32:9e:59:5b:46:4c:a9:8a:12: + d3:2c:fc:33:73:3a:28:26:28:22:4c:1c:a9:b1:59: + 96:ab:a5:f6:e9:e7:55:32:a8:2b:a2:33:de:a0:e2: + 5f:77:d8:cd:d1:aa:1f:4f:c6:69:10:66:4e:9d:aa: + 77:83:82:78:96:5a:07:21:12:db:4c:97:51:cd:ba: + ea:00:cd:94:97:40:b8:50:62:90:2b:8c:b0:1b:2c: 
+ aa:a5:63:0c:bb:7d:d5:7d:3f:c1:4a:00:6b:cb:74: + fa:23:35:26:1e:26:1a:30:b2:96:bc:1b:16:2a:62: + 96:1f:51:20:72:95:36:1a:87:20:26:9f:76:d6:84: + 1b:67:2a:32:68:b7:e0:c7:80:75:a3:fa:b7:da:a3: + 03:71:c1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 4C:57:E2:72:97:CF:DC:C4:B8:4E:DB:D4:C1:C6:3D:AE:EF:D7:0A:19 + X509v3 Authority Key Identifier: + 50:76:C3:5C:6B:12:E1:92:0F:28:F8:F2:43:A6:80:C2:9C:E8:56:D6 + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:localhost, IP Address:0.0.0.0 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 07:74:84:18:37:74:23:9c:c2:f1:e8:d2:44:49:57:f8:51:fa: + cb:db:0e:42:04:6b:61:5b:60:f0:82:7a:df:1b:af:69:75:a8: + 17:62:89:18:b7:71:3e:8c:40:10:5d:2b:88:35:6a:97:9c:44: + 9f:93:24:f3:b8:d2:56:dd:2f:aa:27:55:96:67:07:fa:b1:8d: + 20:df:ea:f7:96:51:9e:46:e5:35:9a:34:53:d0:e7:60:da:a7: + 02:76:68:c2:12:6d:aa:bc:b6:81:e0:c9:96:67:b6:9e:fa:6d: + 43:63:80:19:70:49:9b:38:78:68:3d:aa:f2:5d:ec:af:45:65: + 4c:75:3c:d6:0b:92:8e:d7:7c:c9:76:55:51:ef:c6:d6:33:68: + 66:58:17:47:21:d7:14:4f:69:d1:59:1e:b2:78:bb:45:f4:24: + 8b:6b:ba:c4:83:6d:e8:11:c1:56:d8:df:84:3c:56:d2:e7:00: + 6c:b6:5c:f5:b8:33:e4:11:27:76:88:16:bd:d3:3d:ba:7b:d9: + 25:68:17:9c:0a:02:2f:d5:d0:57:b4:c9:f3:b1:9d:8e:6b:c9: + f1:6f:8f:39:8a:ad:0b:38:07:29:9b:cb:9a:3b:06:b5:03:1a: + 83:f4:ef:1e:91:a1:4b:eb:cf:fa:89:6f:91:47:5e:f2:bc:cb: + c2:8a:dd:7b:19:54:f4:9f:c7:54:7f:d2:e8:ea:a8:d9:c8:c1: + 6d:17:63:a3:47:30:05:5b:80:90:47:54:81:1f:0a:9b:11:48: + c6:ee:52:80:c3:b9:75:9d:d2:ee:1b:83:43:b2:de:05:aa:52: + d9:01:a3:f1:71:d3:23:90:28:35:25:0a:71:80:1d:ae:1a:6a: + 72:c1:2b:ee:a7:a2:72:54:f0:0e:19:87:97:a4:62:79:1a:ea: + ec:e2:73:b1:79:d5:c7:25:4f:c7:e6:a4:55:ad:be:3d:d7:59: + 8c:fb:ee:c3:2e:75:6d:1f:65:4a:be:46:c9:4e:54:bd:2e:49: + 3e:2f:70:b6:97:eb:8a:41:f4:bb:75:64:84:f4:71:29:e3:f2: + b2:30:75:41:5a:04:ac:a6:d1:d0:9c:4d:52:19:76:7f:0d:c7: + 
08:f4:6e:cf:20:c7:3c:a6:d9:6f:72:88:46:16:0c:43:12:28: + 24:a1:d2:63:d3:04:4c:cd:12:67:1c:8f:00:e6:7b:47:0a:03: + 87:18:02:d6:bc:01:59:da:90:c4:c6:b1:72:b1:e6:a4:bc:23: + fd:5c:cf:32:0c:d9:e0:24:83:5b:55:7a:d0:db:3c:d6:b2:9f: + 22:a1:a0:f4:48:96:fb:d6:73:a1:43:f7:46:e0:ef:dd:b1:9a: + 0e:ef:6f:1d:1a:b4:b2:d4 +-----BEGIN CERTIFICATE----- +MIIGIjCCBAqgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExEDAOBgNVBAoMB1Rl +c3QgQ0ExHDAaBgNVBAsME1Rlc3QgQ0EgT3JnYW56YXRpb24xHTAbBgNVBAMMFFRl +c3QgQ0EgT3JnYW5pemF0aW9uMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUu +Y29tMCAXDTI0MDgwODE4MDYyMVoYDzIwNTExMjI1MTgwNjIxWjCBjDELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB0dlb3JnaWExEDAOBgNVBAcMB0F0bGFudGExFDASBgNV +BAoMC1Rlc3Qgc2VydmVyMSAwHgYDVQQLDBdUZXN0IHNlcnZlciBPcmdhbnphdGlv +bjEhMB8GA1UEAwwYVGVzdCBzZXJ2ZXIgT3JnYW5pemF0aW9uMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEAvUfft9U4kq+0aedIO6B7nmuDDnaRBgaUo4Cj +c49Q5UOA+Pf7ZXvwo5TMjqZ+/llDzoBobVVnjjOqkHkhrN5u8AMnHm9QMc/SPsOO +mPW7+elEPz9ZrnyjuKeulP9ocND7e8vMNX0EgfUrEni/bhujzdF0QUGf7gIfs0L9 +yQG1KEPuMQM6XWDT349pHnNKxIM1lQCTg27WsNILMDF/levOyXODuXbrRfEgi3Xe +gaMysPcPIWSnHcw7AILISHTJOgv5y26Mq/ywlCC9YAbr0BIVVUjX0zDvWWeY3/Yx +km1jHEqTfJeomfZh5XgSNqIkVjdLOM5jAKImszEFkyM8we2x+yV9/FQEOrk69xek +WBBP6G2QaUm2HxuB+/XHbKqz4EqxOEB3g6KqjOJ8kak+zUO+kMPnsSOUR/lo2+Qs +32XniLZk3GLQhjObE2SUN6oOVp+jQhlnMKHpO1tK5uGBUoEhKniswXd3UvxKlbk/ +9+YynllbRkypihLTLPwzczooJigiTBypsVmWq6X26edVMqgrojPeoOJfd9jN0aof +T8ZpEGZOnap3g4J4lloHIRLbTJdRzbrqAM2Ul0C4UGKQK4ywGyyqpWMMu33VfT/B +SgBry3T6IzUmHiYaMLKWvBsWKmKWH1EgcpU2GocgJp921oQbZyoyaLfgx4B1o/q3 +2qMDccECAwEAAaN2MHQwHQYDVR0OBBYEFExX4nKXz9zEuE7b1MHGPa7v1woZMB8G +A1UdIwQYMBaAFFB2w1xrEuGSDyj48kOmgMKc6FbWMAkGA1UdEwQCMAAwCwYDVR0P +BAQDAgWgMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEAAAAADANBgkqhkiG9w0BAQsF +AAOCAgEAB3SEGDd0I5zC8ejSRElX+FH6y9sOQgRrYVtg8IJ63xuvaXWoF2KJGLdx +PoxAEF0riDVql5xEn5Mk87jSVt0vqidVlmcH+rGNIN/q95ZRnkblNZo0U9DnYNqn +AnZowhJtqry2geDJlme2nvptQ2OAGXBJmzh4aD2q8l3sr0VlTHU81guSjtd8yXZV 
+Ue/G1jNoZlgXRyHXFE9p0Vkesni7RfQki2u6xINt6BHBVtjfhDxW0ucAbLZc9bgz +5BEndogWvdM9unvZJWgXnAoCL9XQV7TJ87GdjmvJ8W+POYqtCzgHKZvLmjsGtQMa +g/TvHpGhS+vP+olvkUde8rzLwordexlU9J/HVH/S6Oqo2cjBbRdjo0cwBVuAkEdU +gR8KmxFIxu5SgMO5dZ3S7huDQ7LeBapS2QGj8XHTI5AoNSUKcYAdrhpqcsEr7qei +clTwDhmHl6RieRrq7OJzsXnVxyVPx+akVa2+PddZjPvuwy51bR9lSr5GyU5UvS5J +Pi9wtpfrikH0u3VkhPRxKePysjB1QVoErKbR0JxNUhl2fw3HCPRuzyDHPKbZb3KI +RhYMQxIoJKHSY9METM0SZxyPAOZ7RwoDhxgC1rwBWdqQxMaxcrHmpLwj/VzPMgzZ +4CSDW1V60Ns81rKfIqGg9EiW+9ZzoUP3RuDv3bGaDu9vHRq0stQ= +-----END CERTIFICATE----- diff --git a/examples/features/advancedtls/creds/server_key.pem b/examples/features/advancedtls/creds/server_key.pem new file mode 100644 index 000000000000..6f81dc2a3ac3 --- /dev/null +++ b/examples/features/advancedtls/creds/server_key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC9R9+31TiSr7Rp +50g7oHuea4MOdpEGBpSjgKNzj1DlQ4D49/tle/CjlMyOpn7+WUPOgGhtVWeOM6qQ +eSGs3m7wAyceb1Axz9I+w46Y9bv56UQ/P1mufKO4p66U/2hw0Pt7y8w1fQSB9SsS +eL9uG6PN0XRBQZ/uAh+zQv3JAbUoQ+4xAzpdYNPfj2kec0rEgzWVAJODbtaw0gsw +MX+V687Jc4O5dutF8SCLdd6BozKw9w8hZKcdzDsAgshIdMk6C/nLboyr/LCUIL1g +BuvQEhVVSNfTMO9ZZ5jf9jGSbWMcSpN8l6iZ9mHleBI2oiRWN0s4zmMAoiazMQWT +IzzB7bH7JX38VAQ6uTr3F6RYEE/obZBpSbYfG4H79cdsqrPgSrE4QHeDoqqM4nyR +qT7NQ76Qw+exI5RH+Wjb5CzfZeeItmTcYtCGM5sTZJQ3qg5Wn6NCGWcwoek7W0rm +4YFSgSEqeKzBd3dS/EqVuT/35jKeWVtGTKmKEtMs/DNzOigmKCJMHKmxWZarpfbp +51UyqCuiM96g4l932M3Rqh9PxmkQZk6dqneDgniWWgchEttMl1HNuuoAzZSXQLhQ +YpArjLAbLKqlYwy7fdV9P8FKAGvLdPojNSYeJhowspa8GxYqYpYfUSBylTYahyAm +n3bWhBtnKjJot+DHgHWj+rfaowNxwQIDAQABAoICAAg2RBMvtwKg3jecsdo/E4iY +qtjydUbzpiM/Li2R/DUrgT72qKY12FzgfyIj6xfnO4qMBlEoBr7OqF8YQkkZEBXD +ApbOxttCZEwWI+uoTagsDKqfJFRDqBQXglAzPI7DIlteniomlbl7BOFfnRPj3cQi +NY8B5TRoTIPJ1kTlmWcj0K5jsMvjADjkz0S478zS0dJNx23zsxt8zBYihPc2LISP +nxlperpQGdSzH8eJaGZGccDweFJR+AVaUeItiZrGcOdN5ostArmKf2zZIAX+TYVO +Yb68ksXS5CO4r1yQ+QnTL87qAttF1egkwMrfV1WTlI85tRCOoxXcfJzDnJvf+ia9 ++laYPj5av7ZoXwZQ4tIh3RqpIFHXZMQU1jRCYOibYNhdOO/H9Z6eH+8HyyFQ9ihe +7keGKouLSo/E6dSIJ9D1g+Tr8xELj816a4KL8ShYLTXP+ga43yFVdp94Yd0vFHWK +qjyu/x2wLqZAPpVbYg9PkO6Dr4tmyolhL1ZjruM5IqAI+hALzUZDccYQVXu2swpC +6p6evB24MI5LQ87+28U4rCcbo/xfdQAEY4LSP9XfvSQ32zUyDHYX1gLvF99fZD5Y +1IEX11bGbGFCT0EIwFPXJUuxJlpvMF1bZ+Z+eXVL43yTNdeu+7E7dhpPjz5W3cRa +6SKxxcUAbdxpQP2DtIP5AoIBAQD+AuqckaGK/sZotPWstgcRlG31ptW6d2ZNk5X3 +i99mqaTPDOx+UavkpsBfcUPYmYjo6fEC4yMhkx97XC9tUxi97LBXJrBfwLDnCqQL +vhOVcWs9mDcJTJDVT1P2StBm7a6DmCmiqUcxiG57UY9dgSanLwxg+6K4PgOin11Y +ChECWFNvdwdOmyQhWm+O0y0R2s7iGINKF6s1t2RweCfXw1W2N8iaTVkNei71bblW +sTjPGdEm2CFwlBf031Hkr5S2MIo23RX53tkalMzvyCGfREn+wrWcMfagygHjEjn/ +C4ZcQIOXC5u9tIc4tps1mr1C8nMScxfSrIHRManE1haqXcBLAoIBAQC+wznR5wzR +Az5r0ek1s2sr6gwsmJfbA6tNHwgqrYblsxYMR6BdbGUBkSqwEYDjDw/rreDcQk6D 
+nMxc6BYh2Dk6t/AJQ3c76tuJohlmZfbuFXL+KAwApVnbwpZuAQGgkNMhVm/8FAgi +PgCvuHuvOISTHmniQBU91kWGpsqFoF826Mcxa7bmbe2c+jgCmFikp0rzN7jA6Ps/ +bIRKVIpPhCtAgH5JsFEpim0HubV8qRNmeBh1oSyAFicntEAeL/VSLmDI44kjJyqO +qmspz+uyANt7/xxYfAZed1Q503K1tLUws1K8Ux+EEdo1zXGxoL6b90OfcjivJC0d +/bv8X5DEyMajAoIBAQCGYSabJBQxQ23V0P4zm60LqNmvXs6tMiOGIPDyoCXU2ySc +gPrQLQbiFTGqjHJXMYqTpcfiPiXEyl+aVH+mt5JcT85OnOIsFfXAlQmKSMl1gyY3 +1MIxAjeREcGah6PPACkV5zcHncRTORkx1kkhL4UyZxqGaDmCfRRRQTwRqmmrMu0Z +CABunnazynNAPQoX6wkN5ef3F6R064uQUJDLfcRnfQV8VDUrgxs6rgyiB2nFbqQO +h8LRGxe9bTOW5yimZfGI6teIdFOo01XD+L2I04jN5VZMxsXx9EyhQ3A5NHCld1/m +VbbT2qC66SgdaLp9o2QrO4Y75xVahYqJ3rTo9mYXAoIBAF6qrWfwPFkBPhntqsj+ +h+HcHTyIYVvL31e/XaMoSDh3fiqL5RZXs2xqqP+FQCvuDp2LxXoo4aPIzVYRyuHy +1rvACjveoi4258nOisJZOYh/VniwUPyFEinP0C05DKCtHkl+BsbW/g5YLKkHaUHU +T15fCnbADIqKaihfX0OfCYFLVYa+CJ8j0HZFakRHbD4R000Nyv7Y385iwOfOOnEp +ivlQittwx2ZRDrh1vY3mrfz8/k5ptJa/56B5gBQ7AohNAbTPzf+G8USpZ9LxHutQ +J5vKRzvWGKcKmt6zg0qPKhfH9fgFXC+DWIG4uYJH3i+yLnnTCjRIRKeMgpzEpCgz +5vcCggEBAIi6qKDHfoh4KaMFgW+/EvjssXslDtozMXlPYAswjST+5fegIKVxi8Nz +c19KRiWNpsIfACRC1VuI2p2tcJpamiHV+C3nd3e/CMGWKTcA6u6zynhO8pDjfg/A +k8Vg85S8bxGkiaVqL9DdmgRJohUbULV365gG2LvncNxps8Jr4VQaUHB4VJYNH+6B +DXwDb3N4iNs5wfmM2GB7MlPpu0pS6qoYSxZvXQexPFQ7sQzZc3mP04/BvHm11kSR +2DOV28IdXE/ewJfL9cr/ywXuoyz+0tD6FmTGUpzDSxhlvq4TcVnsWRbfqandbg8g +znviHVPPYZhKHQW5wGuGa6eMMWa6aog= +-----END PRIVATE KEY----- diff --git a/examples/features/advancedtls/creds/server_revoked.crl b/examples/features/advancedtls/creds/server_revoked.crl new file mode 100644 index 000000000000..0cad864626e1 --- /dev/null +++ b/examples/features/advancedtls/creds/server_revoked.crl 
@@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDJzCCAQ8CAQEwDQYJKoZIhvcNAQELBQAwgaExCzAJBgNVBAYTAlVTMRAwDgYD +VQQIDAdHZW9yZ2lhMRAwDgYDVQQHDAdBdGxhbnRhMRAwDgYDVQQKDAdUZXN0IENB +MRwwGgYDVQQLDBNUZXN0IENBIE9yZ2FuemF0aW9uMR0wGwYDVQQDDBRUZXN0IENB +IE9yZ2FuaXphdGlvbjEfMB0GCSqGSIb3DQEJARYQdGVzdEBleGFtcGxlLmNvbRcN +MjQwODA4MTgwNjIxWhcNMjQwOTA3MTgwNjIxWjAUMBICAQIXDTI0MDgwODE4MDYy +MVqgIzAhMB8GA1UdIwQYMBaAFFB2w1xrEuGSDyj48kOmgMKc6FbWMA0GCSqGSIb3 +DQEBCwUAA4ICAQAvc4fK9H6OnUrtIzBls7ctVnmg4Up8NLWS9BWM9Ncw4MxLEXwM +4iD2Tgg5Yq51iE5pDNet5shae3l/kDNWigPixhpfiT8xwxnrOA3BUtD3affc0Nem +kS9Heq99jqvRdDF2nlEoiJesElxlSrwaljpev2SDzX/qnP5iRsBEuRS7Dr+83rcf +ysYt0Hd84MCaSJ2iITF7Kg7Zg7R+HV0O++k+ZXCuJkDDo8TGa+Kr87WtFsER1+SX +rtIgZEmikF/rEiKOHYV7QSujn8bzSsKzW2S/8/xygQnZ39vk5OPKKokPMUqesMPE +8hUwGjCnDDijj6WGyP54FHKcH61P6R5a1EsjNfTUli9J7BNSHjb7AqPFRMCz6Ihj +GUidGqCz4mpxkUpOwGJZWyefeWlKCdoBqDHlRtf8EjdE9BClOacJeVx2dmXd7k5r +y6grIFfNjHYJmVa8+o2YCV80wY9XFtRUsGpEwHFTrtAjec+y2gtILKpsv5aqyvOa ++nffFdMAR05Dx4MeFJSKYQGk64hPmgrRK+MGc224JPmQDi9uMwDKo+jB1TkCgwvR +ZTF0VpPWBfhkB6x2haYyq2whf6zHfR+jMA0npUA8vHSUIiQrgWbvwsCc3nFGt4nz +WjEZ7Q8Sw9CBfcvXrSV+WQdJF6kHgwaiI56x7DvdEAoDxuDLbmb+D/5gIg== +-----END X509 CRL----- diff --git a/examples/features/advancedtls/generate.sh b/examples/features/advancedtls/generate.sh index 507a2ada6640..e1180d84094d 100755 --- a/examples/features/advancedtls/generate.sh +++ b/examples/features/advancedtls/generate.sh @@ -72,11 +72,15 @@ openssl ca -config "openssl-ca.cnf" -gencrl -out client_revoked.crl # Make sure the cert is actually revoked openssl verify -verbose -CAfile ca_cert.pem -CRLfile client_revoked.crl -crl_check_all client_cert_revoked.pem - -# Move the crl to another directory and run openssl's rehash mkdir crl mv client_revoked.crl crl/ -openssl rehash crl + +rm 01.pem +rm 02.pem +rm 03.pem +rm 04.pem +rm *csr* +rm *.txt* From 0268c528bf2c049f59620d4328267a7fa443f385 Mon Sep 17 00:00:00 2001 
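Review bot: The cleanup appended at the end of the hunk runs bare `rm` commands with unanchored globs (`rm *csr*`, `rm *.txt*`) and no `-f`; as the script does not appear to stop on errors, a glob that matches nothing or a missing `0N.pem` only prints an error and leaves stale material behind in `creds`, so `rm -f 01.pem 02.pem 03.pem 04.pem ./*csr* ./*.txt*` is safer. With the rehash comment gone, `mkdir crl` / `mv client_revoked.crl crl/` no longer say why the CRL is moved; a line such as `# The server's CRL provider watches the crl/ subdirectory` would keep that clear. The `openssl ca ... -gencrl` context line sets no `-crldays`, so the CRL's validity window comes from the CA config, and the committed server_revoked.crl above appears to carry a nextUpdate only 30 days after its thisUpdate; if the CRL provider treats a lapsed CRL as an error, the checked-in fixture and the CI run that uses it stop working after that date, so a long `-crldays` for these test fixtures is worth considering.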
From: Gregory Cooke
Date: Mon, 26 Aug 2024 23:16:07 +0000
Subject: [PATCH 11/17] swap to better soln than pwd
---
 examples/examples_test.sh | 46 +++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/examples/examples_test.sh b/examples/examples_test.sh
index 2396748f264a..9bd236136448 100755
--- a/examples/examples_test.sh
+++ b/examples/examples_test.sh
@@ -49,35 +49,35 @@ pass () {
 }
 
 EXAMPLES=(
- "helloworld"
- "route_guide"
+ # "helloworld"
+ # "route_guide"
 "features/advancedtls"
- "features/authentication"
- "features/authz"
- "features/cancellation"
- "features/compression"
- "features/customloadbalancer"
- "features/deadline"
- "features/encryption/TLS"
- "features/error_details"
- "features/error_handling"
- "features/flow_control"
- "features/interceptor"
- "features/load_balancing"
- "features/metadata"
- "features/metadata_interceptor"
- "features/multiplex"
- "features/name_resolving"
- "features/orca"
- "features/retry"
- "features/unix_abstract"
+ # "features/authentication"
+ # "features/authz"
+ # "features/cancellation"
+ # "features/compression"
+ # "features/customloadbalancer"
+ # "features/deadline"
+ # "features/encryption/TLS"
+ # "features/error_details"
+ # "features/error_handling"
+ # "features/flow_control"
+ # "features/interceptor"
+ # "features/load_balancing"
+ # "features/metadata"
+ # "features/metadata_interceptor"
+ # "features/multiplex"
+ # "features/name_resolving"
+ # "features/orca"
+ # "features/retry"
+ # "features/unix_abstract"
 )
 
 declare -A SERVER_ARGS=(
 ["features/unix_abstract"]="-addr $UNIX_ADDR"
 ["default"]="-port $SERVER_PORT"
 # the CI runs this from the grpc-go directory
- ["features/advancedtls"]="-credentials_directory $(pwd)/examples/features/advancedtls/creds"
+ ["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
 )
 
 declare -A CLIENT_ARGS=(
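Review bot: In the new `["features/advancedtls"]` entry the inner command substitution is unquoted, so `dirname` is word-split if the checkout path contains whitespace; `$(dirname "$(realpath "$0")")` is the safe form, and the same expression is repeated in the CLIENT_ARGS hunk below and again where patch 14 touches both entries. Since `$(pwd)` was replaced precisely to stop depending on the caller's working directory, a one-line comment stating that intent, e.g. `# resolve relative to this script so the run does not depend on the cwd`, would outlive the current "the CI runs this from the grpc-go directory" note, which is no longer accurate. The commented-out EXAMPLES entries disable every other example in this run; if that is a local debugging aid it should not land as-is (a later patch in the series appears to restore them).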
@@ -85,7 +85,7 @@ declare -A CLIENT_ARGS=(
 ["features/orca"]="-test=true"
 ["default"]="-addr localhost:$SERVER_PORT"
 # the CI runs this from the grpc-go directory
- ["features/advancedtls"]="-credentials_directory $(pwd)/examples/features/advancedtls/creds"
+ ["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
 )
 
 declare -A SERVER_WAIT_COMMAND=(
From 526f2e03a0a8be6c1841c50716a41318ccbc537c Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Mon, 26 Aug 2024 23:53:36 +0000
Subject: [PATCH 12/17] don't remove creds dir, just exist script
---
 examples/features/advancedtls/generate.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/examples/features/advancedtls/generate.sh b/examples/features/advancedtls/generate.sh
index e1180d84094d..db838899608f 100755
--- a/examples/features/advancedtls/generate.sh
+++ b/examples/features/advancedtls/generate.sh
@@ -1,4 +1,8 @@
-rm -rf creds
+#!/bin/bash
+if [ -d "creds" ]; then
+ echo "creds directory already exists. Remove it and re-run this script."
+ exit 1
+fi
 mkdir creds
 pushd creds
 touch index.txt
From 20348615b6bca23d975327230bed4605b554928f Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Mon, 26 Aug 2024 23:56:50 +0000
Subject: [PATCH 13/17] modify README to make the credentials generation as a footnote
---
 examples/features/advancedtls/README.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/examples/features/advancedtls/README.md b/examples/features/advancedtls/README.md
index 6232be90d8d5..8f421a5bc1a1 100644
--- a/examples/features/advancedtls/README.md
+++ b/examples/features/advancedtls/README.md
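Review bot: The new guard exits when `creds` already exists, but the script still has no `set -e`, so the `mkdir creds` / `pushd creds` that follow (and every `openssl` step after them) could fail without stopping the run, which would then continue in whatever directory it happens to be in. Adding `set -euo pipefail` directly under the new `#!/bin/bash` line covers that, and the diagnostic belongs on stderr: `echo "creds directory already exists. Remove it and re-run this script." >&2`. The check is also relative to the caller's cwd while the README tells the user to run it from the example directory; `cd "$(dirname "$0")"` before the test would make the script location-independent. The rest of the script is outside this hunk.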
@@ -12,9 +12,6 @@ The clients are designed to call these servers with varying configurations of cr
 * mTLS with credentials from credentials.NewTLS (directly using the tls.Config)
 * Insecure Credentials
 
-## Generate the credentials used in the examples
-Run `./generate.sh` from `/path/to/grpc-go/examples/features/advancedtls` to generate the `creds` directory containing the certificates and CRLs needed for these examples.
-
 ## Building and Running
 ```
 # Run the server
@@ -23,4 +20,9 @@ $ go run server/main.go -credentials_directory $(pwd)/creds
 $ go run client/main.go -credentials_directory $(pwd)/creds
 ```
 
-Stop the servers with ctrl-c or by killing the process.
\ No newline at end of file
+Stop the servers with ctrl-c or by killing the process.
+
+## Developer Note - Generate the credentials used in the examples
+The credentials used for these examples were generated by running the `examples/features/advancedtls/generate.sh` script.
+
+If the credentials need to be re-generated, run `./generate.sh` from `/path/to/grpc-go/examples/features/advancedtls` to re-create the `creds` directory containing the certificates and CRLs needed for these examples.
From 1421754b6a06578020b39cab81a386fd2701cc1d Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Tue, 27 Aug 2024 00:10:18 +0000
Subject: [PATCH 14/17] make server wait in a cleaner way
---
 examples/examples_test.sh | 44 ++++++++++----------
 examples/features/advancedtls/client/main.go | 4 +-
 examples/features/advancedtls/server/main.go | 8 ++--
 3 files changed, 26 insertions(+), 30 deletions(-)
diff --git a/examples/examples_test.sh b/examples/examples_test.sh
index 9bd236136448..ef0d34769482 100755
--- a/examples/examples_test.sh
+++ b/examples/examples_test.sh
@@ -49,34 +49,33 @@ pass () {
 }
 
 EXAMPLES=(
- # "helloworld"
- # "route_guide"
+ "helloworld"
+ "route_guide"
 "features/advancedtls"
- # "features/authentication"
- # "features/authz"
- # "features/cancellation"
- # "features/compression"
- # "features/customloadbalancer"
- # "features/deadline"
- # "features/encryption/TLS"
- # "features/error_details"
- # "features/error_handling"
- # "features/flow_control"
- # "features/interceptor"
- # "features/load_balancing"
- # "features/metadata"
- # "features/metadata_interceptor"
- # "features/multiplex"
- # "features/name_resolving"
- # "features/orca"
- # "features/retry"
- # "features/unix_abstract"
+ "features/authentication"
+ "features/authz"
+ "features/cancellation"
+ "features/compression"
+ "features/customloadbalancer"
+ "features/deadline"
+ "features/encryption/TLS"
+ "features/error_details"
+ "features/error_handling"
+ "features/flow_control"
+ "features/interceptor"
+ "features/load_balancing"
+ "features/metadata"
+ "features/metadata_interceptor"
+ "features/multiplex"
+ "features/name_resolving"
+ "features/orca"
+ "features/retry"
+ "features/unix_abstract"
 )
 
 declare -A SERVER_ARGS=(
 ["features/unix_abstract"]="-addr $UNIX_ADDR"
 ["default"]="-port $SERVER_PORT"
- # the CI runs this from the grpc-go directory
 ["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
 )
 
@@ -84,7 +83,6 @@ declare -A CLIENT_ARGS=(
 ["features/unix_abstract"]="-addr $UNIX_ADDR"
 ["features/orca"]="-test=true"
 ["default"]="-addr localhost:$SERVER_PORT"
- # the CI runs this from the grpc-go directory
 ["features/advancedtls"]="-credentials_directory $(dirname $(realpath "$0"))/features/advancedtls/creds"
 )
 
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
index f20ce44eb18d..06a0e121939a 100644
--- a/examples/features/advancedtls/client/main.go
+++ b/examples/features/advancedtls/client/main.go
@@ -41,8 +41,8 @@ import (
 const credRefreshInterval = 1 * time.Minute
 const serverAddr = "localhost"
 const goodServerPort string = "50051"
-const revokedServerPort string = "50052"
-const insecurePort string = "50053"
+const revokedServerPort string = "50053"
+const insecurePort string = "50054"
 const message string = "Hello"
 
 // -- TLS --
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go
index e7585f15e5c6..4f0bbed7b868 100644
--- a/examples/features/advancedtls/server/main.go
+++ b/examples/features/advancedtls/server/main.go
@@ -43,8 +43,8 @@ type server struct {
 
 const credRefreshInterval = 1 * time.Minute
 const goodServerWithCrlPort int = 50051
-const revokedServerWithCrlPort int = 50052
-const insecurePort int = 50053
+const revokedServerWithCrlPort int = 50053
+const insecurePort int = 50054
 
 func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
 return &pb.EchoResponse{Message: req.Message}, nil
@@ -182,7 +182,5 @@ func main() {
 }
 tlsServers(*credentialsDirectory)
 insecureServer()
- for {
- time.Sleep(1 * time.Second)
- }
+ <-make(chan struct{})
 }
From 05156626576706e4cdf4b38e22633e7612005fc5 Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Tue, 27 Aug 2024 00:11:53 +0000
Subject: [PATCH 15/17] newline
---
 examples/features/advancedtls/generate.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/features/advancedtls/generate.sh b/examples/features/advancedtls/generate.sh
index db838899608f..94d72635bac5 100755
--- a/examples/features/advancedtls/generate.sh
+++ b/examples/features/advancedtls/generate.sh
@@ -88,4 +88,4 @@ rm *.txt*
 
 
 
-popd
\ No newline at end of file
+popd
From 9ff45297233cc5ecfdc6d9ebb7afe13238fe40c7 Mon Sep 17 00:00:00 2001
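Review bot: The port numbers are now declared independently in client/main.go (string constants here) and in server/main.go (int constants in the hunk below) with nothing tying them together, so the next renumbering can desynchronise them exactly as this one had to touch both files; a comment on the client block such as `// Must match the port constants in server/main.go.` and its mirror on the server side would record the coupling. The jump from 50052 to 50053 leaves 50052 unused without explanation; if it is reserved for the test harness, say so next to the constant. The README at the start of this series listed the servers on ports 8885/8884/8883, so it is worth confirming that it was brought in line with these values.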
From: Gregory Cooke
Date: Tue, 27 Aug 2024 00:14:10 +0000
Subject: [PATCH 16/17] better go practices
---
 examples/features/advancedtls/server/main.go | 17 +++-------------
 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go
index 4f0bbed7b868..ab49db76b016 100644
--- a/examples/features/advancedtls/server/main.go
+++ b/examples/features/advancedtls/server/main.go
@@ -50,19 +50,8 @@ func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoRe
 return &pb.EchoResponse{Message: req.Message}, nil
 }
 
-func tlsServers(credentialsDirectory string) {
- go func() {
- createAndRunTLSServer(credentialsDirectory, false, goodServerWithCrlPort)
- }()
- go func() {
- createAndRunTLSServer(credentialsDirectory, true, revokedServerWithCrlPort)
- }()
-}
-
 func insecureServer() {
- go func() {
- createAndRunInsecureServer(insecurePort)
- }()
+ createAndRunInsecureServer(insecurePort)
 }
 
 func createAndRunInsecureServer(port int) {
@@ -180,7 +169,7 @@ func main() {
 fmt.Println("Must set credentials_directory argument")
 os.Exit(1)
 }
- tlsServers(*credentialsDirectory)
+ go createAndRunTLSServer(*credentialsDirectory, false, goodServerWithCrlPort)
+ go createAndRunTLSServer(*credentialsDirectory, true, revokedServerWithCrlPort)
 insecureServer()
- <-make(chan struct{})
 }
From a0d39018e2e39d204cea39a415800c5f73f5d320 Mon Sep 17 00:00:00 2001
From: Gregory Cooke
Date: Tue, 27 Aug 2024 00:15:57 +0000
Subject: [PATCH 17/17] Crl -> CRL
---
 examples/features/advancedtls/client/main.go | 18 +++++++++---------
 examples/features/advancedtls/server/main.go | 12 ++++++------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/examples/features/advancedtls/client/main.go b/examples/features/advancedtls/client/main.go
index 06a0e121939a..a4cd98ca1a61 100644
--- a/examples/features/advancedtls/client/main.go
+++ b/examples/features/advancedtls/client/main.go
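Review bot: In the new main, both TLS listeners run as bare goroutines whose completion is never observed while main blocks inside `insecureServer()`; if `createAndRunTLSServer` returns on a bind or credential error instead of terminating the process, the example keeps running with only the insecure listener up and nothing reports it. Have each goroutine deliver its outcome on a channel that main waits on, or terminate from inside `createAndRunTLSServer` on failure, so a lost TLS listener is fatal rather than silent; `createAndRunTLSServer` and `createAndRunInsecureServer` are outside the hunk, so which of these they already do is not visible here. Now that `insecureServer` is a one-line wrapper, calling `createAndRunInsecureServer(insecurePort)` directly from main would match how the TLS servers are started. A comment on the two `go` lines, e.g. `// Each TLS server runs until its listener fails; the insecure server below keeps main alive.`, would state the intended lifetime that the removed `<-make(chan struct{})` used to make explicit.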
@@ -109,34 +109,34 @@ func runClientWithProviders(rootProvider certprovider.Provider, identityProvider
 runWithCredentials(clientTLSCreds, fullServerAddr, !shouldFail)
 }
 
-func tlsWithCrlsToGoodServer(credsDirectory string) {
+func tlsWithCRLsToGoodServer(credsDirectory string) {
 rootProvider := makeRootProvider(credsDirectory)
 defer rootProvider.Close()
 identityProvider := makeIdentityProvider(false, credsDirectory)
 defer identityProvider.Close()
- crlProvider := makeCrlProvider(credsDirectory)
+ crlProvider := makeCRLProvider(credsDirectory)
 defer crlProvider.Close()
 
 runClientWithProviders(rootProvider, identityProvider, crlProvider, goodServerPort, false)
 }
 
-func tlsWithCrlsToRevokedServer(credsDirectory string) {
+func tlsWithCRLsToRevokedServer(credsDirectory string) {
 rootProvider := makeRootProvider(credsDirectory)
 defer rootProvider.Close()
 identityProvider := makeIdentityProvider(false, credsDirectory)
 defer identityProvider.Close()
- crlProvider := makeCrlProvider(credsDirectory)
+ crlProvider := makeCRLProvider(credsDirectory)
 defer crlProvider.Close()
 
 runClientWithProviders(rootProvider, identityProvider, crlProvider, revokedServerPort, true)
 }
 
-func tlsWithCrls(credsDirectory string) {
- tlsWithCrlsToGoodServer(credsDirectory)
- tlsWithCrlsToRevokedServer(credsDirectory)
+func tlsWithCRLs(credsDirectory string) {
+ tlsWithCRLsToGoodServer(credsDirectory)
+ tlsWithCRLsToRevokedServer(credsDirectory)
 }
 
-func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
+func makeCRLProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
 options := advancedtls.FileWatcherOptions{
 CRLDirectory: crlDirectory,
 }
@@ -297,7 +297,7 @@ func main() {
 fmt.Println("Must set credentials_directory argument to this repo's creds directory")
 os.Exit(1)
 }
- tlsWithCrls(*credsDirectory)
+ tlsWithCRLs(*credsDirectory)
 customVerification(*credsDirectory)
 credentialsNewTLSExample(*credsDirectory)
 insecureCredentialsExample()
diff --git a/examples/features/advancedtls/server/main.go b/examples/features/advancedtls/server/main.go
index ab49db76b016..56c1b4193555 100644
--- a/examples/features/advancedtls/server/main.go
+++ b/examples/features/advancedtls/server/main.go
@@ -42,8 +42,8 @@ type server struct {
 }
 
 const credRefreshInterval = 1 * time.Minute
-const goodServerWithCrlPort int = 50051
-const revokedServerWithCrlPort int = 50053
+const goodServerWithCRLPort int = 50051
+const revokedServerWithCRLPort int = 50053
 const insecurePort int = 50054
 
 func (s *server) UnaryEcho(ctx context.Context, req *pb.EchoRequest) (*pb.EchoResponse, error) {
@@ -75,7 +75,7 @@ func createAndRunTLSServer(credsDirectory string, useRevokedCert bool, port int)
 rootProvider := makeRootProvider(credsDirectory)
 defer rootProvider.Close()
 
- crlProvider := makeCrlProvider(filepath.Join(credsDirectory, "crl"))
+ crlProvider := makeCRLProvider(filepath.Join(credsDirectory, "crl"))
 defer crlProvider.Close()
 
 options := &advancedtls.Options{
@@ -150,7 +150,7 @@ func makeIdentityProvider(useRevokedCert bool, credsDirectory string) certprovid
 return identityProvider
 }
 
-func makeCrlProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
+func makeCRLProvider(crlDirectory string) *advancedtls.FileWatcherCRLProvider {
 options := advancedtls.FileWatcherOptions{
 CRLDirectory: crlDirectory,
 }
@@ -169,7 +169,7 @@ func main() {
 fmt.Println("Must set credentials_directory argument")
 os.Exit(1)
 }
- go createAndRunTLSServer(*credentialsDirectory, false, goodServerWithCrlPort)
- go createAndRunTLSServer(*credentialsDirectory, true, revokedServerWithCrlPort)
+ go createAndRunTLSServer(*credentialsDirectory, false, goodServerWithCRLPort)
+ go createAndRunTLSServer(*credentialsDirectory, true, revokedServerWithCRLPort)
 insecureServer()
 }