From 0aca25c52b3e619f0c7a7bc4d29129f1adfd21ee Mon Sep 17 00:00:00 2001 From: Rei Shimizu Date: Thu, 3 Dec 2020 23:45:26 +0900 Subject: [PATCH 1/7] backport to 1.16: http: fixing a bug with IPv6 hosts (#14238) Fixing a bug where HTTP parser offsets for IPv6 hosts did not include [] and Envoy assumed it did. This results in mis-parsing addresses for IPv6 CONNECT requests and IPv6 hosts in fully URLs over HTTP/1.1 Risk Level: low Testing: new unit, integration tests Docs Changes: n/a Release Notes: inline Signed-off-by: Shikugawa Co-authored-by: alyssawilk --- docs/root/version_history/current.rst | 1 + source/common/http/utility.cc | 47 +++++++++++++++---- test/common/http/utility_test.cc | 32 +++++++++++-- .../proxy_filter_integration_test.cc | 3 +- test/integration/integration_test.cc | 36 ++++++++++++++ 5 files changed, 105 insertions(+), 14 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index fe8888262ead..5cc6b6157af5 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -13,6 +13,7 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * examples: examples use v3 configs. +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. * listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. * proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. * proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 8869e6bb5a2a..9dcf07691c00 100644 
--- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -228,6 +228,30 @@ namespace Http { static const char kDefaultPath[] = "/"; +// If http_parser encounters an IP address [address] as the host it will set the offset and +// length to point to 'address' rather than '[address]'. Fix this by adjusting the offset +// and length to include the brackets. +// @param absolute_url the absolute URL. This is usually of the form // http://host/path +// but may be host:port for CONNECT requests +// @param offset the offset for the first character of the host. For IPv6 hosts +// this will point to the first character inside the brackets and will be +// adjusted to point at the brackets +// @param len the length of the host-and-port field. For IPv6 hosts this will +// not include the brackets and will be adjusted to do so. +bool maybeAdjustForIpv6(absl::string_view absolute_url, uint64_t& offset, uint64_t& len) { + // According to https://tools.ietf.org/html/rfc3986#section-3.2.2 the only way a hostname + // may begin with '[' is if it's an ipv6 address. + if (offset == 0 || *(absolute_url.data() + offset - 1) != '[') { + return false; + } + // Start one character sooner and end one character later. + offset--; + len += 2; + // HTTP parser ensures that any [ has a closing ] + ASSERT(absolute_url.length() >= offset + len); + return true; +} + bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) { struct http_parser_url u; http_parser_url_init(&u); 
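Review bot: maybeAdjustForIpv6 guards the closing bracket only with a debug-only ASSERT, yet the widened offset and len are used to build host_and_port_ in release builds too, where the ASSERT compiles out; because absolute_url comes straight from the request line, I'd verify http_parser's "[ has a matching ]" guarantee at runtime before touching the out-params, e.g. `if (offset + len >= absolute_url.length() || absolute_url[offset + len] != ']') { return false; }` placed before `offset--;` (if that guarantee ever failed, the later path-length subtraction would underflow and the path string_view would over-read). The function is also a non-static free function in namespace Http while `kDefaultPath` beside it is file-local, so `static bool maybeAdjustForIpv6(...)` or an anonymous namespace would keep it out of the exported symbol set. The `@param absolute_url` comment has its example fused into the sentence (`of the form // http://host/path`); it reads better as `This is usually of the form http://host/path, but may be host:port for CONNECT requests`. `*(absolute_url.data() + offset - 1)` is just `absolute_url[offset - 1]`.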
@@ -244,20 +268,27 @@ bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) { scheme_ = absl::string_view(absolute_url.data() + u.field_data[UF_SCHEMA].off, u.field_data[UF_SCHEMA].len); - uint16_t authority_len = u.field_data[UF_HOST].len; + uint64_t authority_len = u.field_data[UF_HOST].len; if ((u.field_set & (1 << UF_PORT)) == (1 << UF_PORT)) { authority_len = authority_len + u.field_data[UF_PORT].len + 1; } - host_and_port_ = - absl::string_view(absolute_url.data() + u.field_data[UF_HOST].off, authority_len); + + uint64_t authority_beginning = u.field_data[UF_HOST].off; + const bool is_ipv6 = maybeAdjustForIpv6(absolute_url, authority_beginning, authority_len); + host_and_port_ = absl::string_view(absolute_url.data() + authority_beginning, authority_len); + if (is_ipv6 && !parseAuthority(host_and_port_).is_ip_address_) { + return false; + } // RFC allows the absolute-uri to not end in /, but the absolute path form - // must start with - uint64_t path_len = absolute_url.length() - (u.field_data[UF_HOST].off + hostAndPort().length()); - if (path_len > 0) { - uint64_t path_beginning = u.field_data[UF_HOST].off + hostAndPort().length(); - path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_len); + // must start with. Determine if there's a non-zero path, and if so determine + // the length of the path, query params etc. + uint64_t path_etc_len = absolute_url.length() - (authority_beginning + hostAndPort().length()); + if (path_etc_len > 0) { + uint64_t path_beginning = authority_beginning + hostAndPort().length(); + path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_etc_len); } else if (!is_connect) { + ASSERT((u.field_set & (1 << UF_PATH)) == 0); path_and_query_params_ = absl::string_view(kDefaultPath, 1); } return true; diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc index 87dabd8f087a..9185ac4dc76f 100644 
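Review bot: host_and_port_ is assigned before the new IPv6 validation, so on the added `return false` path the Url object keeps the rejected authority (scheme_ was already set earlier in this function, whose start is outside the hunk). Validating a local first keeps the failure path from leaving partial state behind: `const absl::string_view host_and_port(absolute_url.data() + authority_beginning, authority_len);` / `if (is_ipv6 && !parseAuthority(host_and_port).is_ip_address_) { return false; }` / `host_and_port_ = host_and_port;`. If callers already discard the object on a false return this is cosmetic, but it also avoids the two `hostAndPort().length()` round-trips below, which are simply `authority_len` now that the bracket adjustment is folded into it. The `ASSERT((u.field_set & (1 << UF_PATH)) == 0)` is debug-only; a one-line comment stating why a zero-length remainder implies http_parser reported no path field would help the next reader.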
--- a/test/common/http/utility_test.cc +++ b/test/common/http/utility_test.cc @@ -1251,6 +1251,9 @@ TEST(Url, ParsingFails) { EXPECT_FALSE(url.initialize("random_scheme://host.com/path", false)); EXPECT_FALSE(url.initialize("http://www.foo.com", true)); EXPECT_FALSE(url.initialize("foo.com", true)); + EXPECT_FALSE(url.initialize("http://[notaddress]:80/?query=param", false)); + EXPECT_FALSE(url.initialize("http://[1::z::2]:80/?query=param", false)); + EXPECT_FALSE(url.initialize("http://1.2.3.4:65536/?query=param", false)); } void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme, @@ -1262,12 +1265,17 @@ void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme, EXPECT_EQ(url.pathAndQueryParams(), expected_path); } -void validateConnectUrl(absl::string_view raw_url, absl::string_view expected_host_port) { +void validateConnectUrl(absl::string_view raw_url) { Utility::Url url; ASSERT_TRUE(url.initialize(raw_url, true)) << "Failed to initialize " << raw_url; EXPECT_TRUE(url.scheme().empty()); EXPECT_TRUE(url.pathAndQueryParams().empty()); - EXPECT_EQ(url.hostAndPort(), expected_host_port); + EXPECT_EQ(url.hostAndPort(), raw_url); +} + +void invalidConnectUrl(absl::string_view raw_url) { + Utility::Url url; + ASSERT_FALSE(url.initialize(raw_url, true)) << "Unexpectedly initialized " << raw_url; } TEST(Url, ParsingTest) { 
@@ -1302,6 +1310,14 @@ TEST(Url, ParsingTest) { validateUrl("http://www.host.com:80/?query=param", "http", "www.host.com:80", "/?query=param"); validateUrl("http://www.host.com/?query=param", "http", "www.host.com", "/?query=param"); + // Test with an ipv4 host address. + validateUrl("http://1.2.3.4/?query=param", "http", "1.2.3.4", "/?query=param"); + validateUrl("http://1.2.3.4:80/?query=param", "http", "1.2.3.4:80", "/?query=param"); + + // Test with an ipv6 address + validateUrl("http://[1::2:3]/?query=param", "http", "[1::2:3]", "/?query=param"); + validateUrl("http://[1::2:3]:80/?query=param", "http", "[1::2:3]:80", "/?query=param"); + // Test url with query parameter but without slash validateUrl("http://www.host.com:80?query=param", "http", "www.host.com:80", "?query=param"); validateUrl("http://www.host.com?query=param", "http", "www.host.com", "?query=param"); @@ -1324,8 +1340,16 @@ TEST(Url, ParsingTest) { } TEST(Url, ParsingForConnectTest) { - validateConnectUrl("host.com:443", "host.com:443"); - validateConnectUrl("host.com:80", "host.com:80"); + validateConnectUrl("host.com:443"); + validateConnectUrl("host.com:80"); + validateConnectUrl("1.2.3.4:80"); + validateConnectUrl("[1:2::3:4]:80"); + + invalidConnectUrl("[::12345678]:80"); + invalidConnectUrl("[1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1]:80"); + invalidConnectUrl("[1:1]:80"); + invalidConnectUrl("[:::]:80"); + invalidConnectUrl("[::1::]:80"); } void validatePercentEncodingEncodeDecode(absl::string_view source, diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc index e6e1e53ab4d5..8079e78a660c 100644 --- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc +++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc 
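Review bot: the IPv6 cases added to ParsingTest only exercise the host-then-slash form, whereas the bracket adjustment specifically moves the boundary between authority and the rest of the URL, which is what the "query parameter but without slash" and no-path cases already cover for hostnames. I'd add bracketed-host counterparts next to the new ipv6 lines, e.g. `validateUrl("http://[1::2:3]:80?query=param", "http", "[1::2:3]:80", "?query=param");` and `validateUrl("http://[1::2:3]", "http", "[1::2:3]", "/");` (the latter expecting kDefaultPath), assuming http_parser accepts those forms. ParsingForConnectTest likewise has no IPv6 CONNECT target without a port, which would tell us whether `[1:2::3:4]` alone is rejected or accepted.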
@@ -287,8 +287,7 @@ TEST_P(ProxyFilterIntegrationTest, UpstreamTlsWithIpHost) { {":method", "POST"}, {":path", "/test/long/url"}, {":scheme", "http"}, - {":authority", fmt::format("{}:{}", Network::Test::getLoopbackAddressUrlString(GetParam()), - fake_upstreams_[0]->localAddress()->ip()->port())}}; + {":authority", fake_upstreams_[0]->localAddress()->asString()}}; auto response = codec_client_->makeHeaderOnlyRequest(request_headers); waitForNextUpstreamRequest(); diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc index 594f5ac656c5..eb6f4a8328ef 100644 --- a/test/integration/integration_test.cc +++ b/test/integration/integration_test.cc 
@@ -902,6 +902,41 @@ TEST_P(IntegrationTest, AbsolutePath) { EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); } +// Make that both IPv4 and IPv6 hosts match when using relative and absolute URLs. +TEST_P(IntegrationTest, TestHostWithAddress) { + useAccessLog("%REQ(Host)%\n"); + std::string address_string; + if (GetParam() == Network::Address::IpVersion::v4) { + address_string = TestUtility::getIpv4Loopback(); + } else { + address_string = "[::1]"; + } + + auto host = config_helper_.createVirtualHost(address_string.c_str(), "/"); + host.set_require_tls(envoy::config::route::v3::VirtualHost::ALL); + config_helper_.addVirtualHost(host); + + initialize(); + std::string response; + + // Test absolute URL with ipv6. + sendRawHttpAndWaitForResponse( + lookupPort("http"), absl::StrCat("GET http://", address_string, " HTTP/1.1\r\n\r\n").c_str(), + &response, true); + EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); + EXPECT_THAT(waitForAccessLog(access_log_name_), HasSubstr(address_string)); + + // Test normal IPv6 request as well. + response.clear(); + sendRawHttpAndWaitForResponse( + lookupPort("http"), + absl::StrCat("GET / HTTP/1.1\r\nHost: ", address_string, "\r\n\r\n").c_str(), &response, + true); + EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); +} + TEST_P(IntegrationTest, AbsolutePathWithPort) { // Configure www.namewithport.com:1234 to send a redirect, and ensure the redirect is // encountered via absolute URL with a port. @@ -914,6 +949,7 @@ TEST_P(IntegrationTest, AbsolutePathWithPort) { lookupPort("http"), "GET http://www.namewithport.com:1234 HTTP/1.1\r\nHost: host\r\n\r\n", &response, true); EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); } TEST_P(IntegrationTest, AbsolutePathWithoutPort) { 
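Review bot: the comments in TestHostWithAddress do not match what the test does: the header reads `// Make that both IPv4 and IPv6 hosts match` (missing "sure"), and `// Test absolute URL with ipv6.` and `// Test normal IPv6 request as well.` run for both parameter values, since address_string is the IPv4 loopback when GetParam() is v4. I'd change them to `// Make sure that both IPv4 and IPv6 hosts match when using relative and absolute URLs.`, `// Absolute-URL form with an IP-literal host (IPv4 or bracketed IPv6 per GetParam()).` and `// Relative form with the same IP-literal Host header.`. A short comment on why `require_tls` is set (so the 301 redirect is the observable signal that the virtual host matched) would also make the `EXPECT_TRUE(response.find("301") ...)` checks self-explanatory.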
From e8b009160e794daff21f55f65ef0903700370ca7 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Sat, 5 Dec 2020 10:52:56 -0500 Subject: [PATCH 2/7] backport to 1.16: vrp: allow supervisord to open its log file (#14066) (#14279) Commit Message: Allow supervisord to open its log file Additional Description: Change the default location of the log file and give supervisord permissions to write to it. Risk Level: low Testing: built image locally Docs Changes: n/a Release Notes: n/a Platform Specific Features: n/a Signed-off-by: Alex Konradi Signed-off-by: Christoph Pakulski --- ci/Dockerfile-envoy-google-vrp | 3 +++ configs/google-vrp/supervisor.conf | 1 + docs/root/version_history/current.rst | 1 + 3 files changed, 5 insertions(+) diff --git a/ci/Dockerfile-envoy-google-vrp b/ci/Dockerfile-envoy-google-vrp index 802e148851e0..abc84f1269ab 100644 --- a/ci/Dockerfile-envoy-google-vrp +++ b/ci/Dockerfile-envoy-google-vrp @@ -16,6 +16,9 @@ ADD configs/google-vrp/supervisor.conf /etc/supervisor.conf ADD test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem ADD test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem # ADD %local envoy bin% /usr/local/bin/envoy +RUN chmod 777 /var/log/supervisor +RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/* +RUN chmod a+rx /usr/local/bin/launch_envoy.sh EXPOSE 10000 EXPOSE 10001 diff --git a/configs/google-vrp/supervisor.conf b/configs/google-vrp/supervisor.conf index e019581d079c..1e1d09f33660 100644 --- a/configs/google-vrp/supervisor.conf +++ b/configs/google-vrp/supervisor.conf @@ -1,5 +1,6 @@ [supervisord] nodaemon=true +logfile=/var/log/supervisor/supervisord.log [program:envoy-edge] command=launch_envoy.sh -c /etc/envoy/envoy-edge.yaml %(ENV_ENVOY_EDGE_EXTRA_ARGS)s diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 5cc6b6157af5..299de78b83f8 100644 --- a/docs/root/version_history/current.rst 
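Review bot: `RUN chmod 777 /var/log/supervisor` makes the supervisord log directory world-writable, so any process in the container — including a compromised Envoy, which on this VRP image is the process deliberately exposed to attackers — can create, truncate or symlink-replace supervisord.log and tamper with the only record of what the supervisor did. Granting ownership to the account supervisord runs as (not visible in this hunk) is the narrower fix: `RUN chown <SUPERVISORD_USER> /var/log/supervisor && chmod 750 /var/log/supervisor`, with `<SUPERVISORD_USER>` being a placeholder for that account. Similarly `chmod a+r /etc/envoy/certs/*` leaves serverkey.pem readable by every user; these are the repository's integration-test certs, but the Dockerfile should say so in a comment next to the line so nobody reuses the recipe with a real key, or restrict the key to the Envoy user only.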
+++ b/docs/root/version_history/current.rst @@ -19,6 +19,7 @@ Bug Fixes * proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. * tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. * udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. +* vrp: allow supervisord to open its log file. Removed Config or Runtime ------------------------- From e98e41a8e168af7acae8079fc0cd68155f699aa3 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 7 Dec 2020 20:17:40 -0500 Subject: [PATCH 3/7] Closing release 1.16.2. (#14308) Signed-off-by: Christoph Pakulski --- VERSION | 2 +- docs/root/version_history/current.rst | 11 ++----- docs/root/version_history/v1.16.1.rst | 31 +++++++++++++++++++ docs/root/version_history/version_history.rst | 1 + 4 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 docs/root/version_history/v1.16.1.rst diff --git a/VERSION b/VERSION index 41c11ffb730c..4a02d2c3170b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.1 +1.16.2 diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 299de78b83f8..b1af2497d4bd 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -1,5 +1,5 @@ -1.16.1 (November 20, 2020) -========================== +1.16.2 (December 7, 2020) +========================= Incompatible Behavior Changes ----------------------------- 
@@ -12,13 +12,8 @@ Minor Behavior Changes Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* examples: examples use v3 configs. + * http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. -* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. -* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. -* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. -* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. -* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. * vrp: allow supervisord to open its log file. Removed Config or Runtime diff --git a/docs/root/version_history/v1.16.1.rst b/docs/root/version_history/v1.16.1.rst new file mode 100644 index 000000000000..18ffb805e2b9 --- /dev/null +++ b/docs/root/version_history/v1.16.1.rst 
@@ -0,0 +1,31 @@ +1.16.1 (November 20, 2020) +========================== + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* examples: examples use v3 configs. +* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. +* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. +* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. +* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. +* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index 453bda753f1f..c01875afafcc 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -7,6 +7,7 @@ Version history :titlesonly: current + v1.16.1 v1.16.0 v1.15.2 v1.15.1 From 9c117fbe1e01e5de8f7177ca44d15d6c1f061d1a Mon Sep 17 00:00:00 2001 
From: Christoph Pakulski Date: Tue, 8 Dec 2020 19:51:06 -0500 Subject: [PATCH 4/7] Kick-off rel 1.16.3. (#14321) Signed-off-by: Christoph Pakulski --- VERSION | 2 +- docs/root/version_history/current.rst | 7 ++--- docs/root/version_history/v1.16.2.rst | 27 +++++++++++++++++++ docs/root/version_history/version_history.rst | 1 + 4 files changed, 31 insertions(+), 6 deletions(-) create mode 100644 docs/root/version_history/v1.16.2.rst diff --git a/VERSION b/VERSION index 4a02d2c3170b..17008736ca0b 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.16.2 +1.16.3-dev diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index b1af2497d4bd..7a589a9f34fe 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -1,5 +1,5 @@ -1.16.2 (December 7, 2020) -========================= +1.16.3 (Pending) +================ Incompatible Behavior Changes ----------------------------- @@ -13,9 +13,6 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. -* vrp: allow supervisord to open its log file. - Removed Config or Runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/docs/root/version_history/v1.16.2.rst b/docs/root/version_history/v1.16.2.rst new file mode 100644 index 000000000000..b1af2497d4bd --- /dev/null +++ b/docs/root/version_history/v1.16.2.rst 
@@ -0,0 +1,27 @@ +1.16.2 (December 7, 2020) +========================= + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. +* vrp: allow supervisord to open its log file. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index c01875afafcc..55bdaf928aeb 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -7,6 +7,7 @@ Version history :titlesonly: current + v1.16.2 v1.16.1 v1.16.0 v1.15.2 From db0ae3de6635d649cc75bf71a1f95c8118d9b9ef Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 21 Dec 2020 22:17:28 -0500 Subject: [PATCH 5/7] lua: reset downstream_ssl_connection in StreamInfoWrapper when object is marked dead by Lua GC (#14092) (#14449) Co-authored-by: Marcin Falkowski --- docs/root/version_history/current.rst | 2 ++ source/extensions/filters/http/lua/wrappers.h | 5 ++- .../filters/http/lua/lua_filter_test.cc | 31 ++++++++++++++++++- 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 7a589a9f34fe..1d3a13b0a455 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -13,6 +13,8 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* +* lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). + Removed Config or Runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index 89f7cb6d2d24..ad3890971a91 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -207,7 +207,10 @@ class StreamInfoWrapper : public Filters::Common::Lua::BaseLuaObject dynamic_metadata_wrapper_; diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc index ac4ab9514037..6d7f77e98858 100644 --- a/test/extensions/filters/http/lua/lua_filter_test.cc +++ b/test/extensions/filters/http/lua/lua_filter_test.cc @@ -1881,7 +1881,7 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnection) { Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; - auto connection_info = std::make_shared(); + const auto connection_info = std::make_shared(); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info)); 
@@ -1989,6 +1989,35 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnectionOnPlainConnecti EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); } +// Should survive from multiple streamInfo():downstreamSslConnection() calls. +// This is a regression test for #14091. +TEST_F(LuaHttpFilterTest, SurviveMultipleDownstreamSslConnectionCalls) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + if request_handle:streamInfo():downstreamSslConnection() ~= nil then + request_handle:logTrace("downstreamSslConnection is present") + end + end + )EOF"}; + + setup(SCRIPT); + + const auto connection_info = std::make_shared(); + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); + EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info)); + + for (uint64_t i = 0; i < 200; i++) { + EXPECT_CALL(*filter_, + scriptLog(spdlog::level::trace, StrEq("downstreamSslConnection is present"))); + + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + + filter_->onDestroy(); + setupFilter(); + } +} + TEST_F(LuaHttpFilterTest, ImportPublicKey) { const std::string SCRIPT{R"EOF( function string.fromhex(str) From 15f02f0c1e95eb08ab8a8a2393ac39a0f265ec92 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Mon, 28 Dec 2020 20:02:29 -0500 Subject: [PATCH 6/7] backport to 1.16: tls: fix detection of the upstream connection close event. (#13858) (#14452) Fixes #13856. This change also contains the following backports: - build: Fix some unused variable warnings (#13987) - test: Check in all TLS test certs (#13702) Signed-off-by: Piotr Sikora 
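Review bot: the loop bound 200 in SurviveMultipleDownstreamSslConnectionCalls is unexplained, and the test's value depends on the Lua GC actually collecting earlier StreamInfoWrapper objects within those iterations, which nothing in the test forces or checks. A comment giving the rationale would keep a future "speed up the tests" edit from silently neutralising the regression check, e.g. `// Repeat enough times for the Lua GC to collect earlier StreamInfoWrapper objects; the crash in #14091 only reproduced once a collected wrapper's downstream_ssl_connection was touched.` (hedged: I'm inferring the rationale from the commit title). If the sandbox allows it, having the script call Lua's collectgarbage() would make the trigger deterministic instead of count-dependent. `uint64_t i` for a 200-iteration counter is also unusual next to the file's other loops; `int` or `size_t` reads more naturally.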
Signed-off-by: Christoph Pakulski --- docs/root/version_history/current.rst | 1 + include/envoy/registry/registry.h | 1 + source/common/config/new_grpc_mux_impl.cc | 1 + source/common/init/manager_impl.cc | 1 + source/common/router/scoped_rds.cc | 1 + .../transport_sockets/tls/ssl_handshaker.h | 2 +- .../transport_sockets/tls/ssl_socket.cc | 10 +- source/server/admin/config_dump_handler.cc | 3 + source/server/filter_chain_manager_impl.cc | 4 + test/extensions/transport_sockets/tls/BUILD | 15 +- .../tls/context_impl_test.cc | 124 ++--- .../tls/gen_unittest_certs.sh | 55 -- .../transport_sockets/tls/handshaker_test.cc | 8 +- .../transport_sockets/tls/ocsp/BUILD | 11 +- .../transport_sockets/tls/ocsp/ocsp_test.cc | 12 +- .../tls/ocsp/test_data/BUILD | 13 + .../tls/ocsp/test_data/README.md | 30 ++ .../tls/ocsp/test_data/ca_cert.pem | 23 + .../tls/ocsp/test_data/ca_key.pem | 27 + .../certs.sh} | 46 +- .../tls/ocsp/test_data/ecdsa_cert.pem | 16 + .../tls/ocsp/test_data/ecdsa_key.pem | 8 + .../tls/ocsp/test_data/ecdsa_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/ecdsa_ocsp_resp.der | Bin 0 -> 1559 bytes .../tls/ocsp/test_data/good_cert.pem | 20 + .../tls/ocsp/test_data/good_key.pem | 27 + .../tls/ocsp/test_data/good_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/good_ocsp_resp.der | Bin 0 -> 1579 bytes .../ocsp/test_data/good_ocsp_resp_details.txt | 118 +++++ .../ocsp/test_data/intermediate_ca_cert.pem | 25 + .../ocsp/test_data/intermediate_ca_key.pem | 27 + .../ocsp/test_data/multiple_cert_ocsp_req.der | Bin 0 -> 171 bytes .../test_data/multiple_cert_ocsp_resp.der | Bin 0 -> 1660 bytes .../test_data/responder_key_hash_ocsp_req.der | Bin 0 -> 106 bytes .../responder_key_hash_ocsp_resp.der | Bin 0 -> 1466 bytes .../tls/ocsp/test_data/revoked_cert.pem | 21 + .../tls/ocsp/test_data/revoked_key.pem | 27 + .../tls/ocsp/test_data/revoked_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/revoked_ocsp_resp.der | Bin 0 -> 1577 bytes 
.../tls/ocsp/test_data/unknown_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/unknown_ocsp_resp.der | Bin 0 -> 1686 bytes .../transport_sockets/tls/ssl_certs_test.h | 8 - .../transport_sockets/tls/ssl_socket_test.cc | 491 ++++++++++++------ .../transport_sockets/tls/test_data/certs.sh | 4 + .../tls/test_data/unittest_cert.cfg | 23 + .../tls/test_data/unittest_cert.pem | 23 + .../tls/test_data/unittest_cert_info.h | 8 + .../tls/test_data/unittest_key.pem | 27 + 48 files changed, 921 insertions(+), 340 deletions(-) delete mode 100755 test/extensions/transport_sockets/tls/gen_unittest_certs.sh create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/BUILD create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/README.md create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem rename test/extensions/transport_sockets/tls/ocsp/{gen_unittest_ocsp_data.sh => test_data/certs.sh} (86%) create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem create mode 100644 
test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_key.pem diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 1d3a13b0a455..ce19f6f7fbca 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -14,6 +14,7 @@ Bug Fixes *Changes expected to improve the state of the world and are unlikely to have negative effects* * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). +* tls: fix detection of the upstream connection close event. Removed Config or Runtime ------------------------- 
diff --git a/include/envoy/registry/registry.h b/include/envoy/registry/registry.h index b52686036074..b90e86ca52f3 100644 --- a/include/envoy/registry/registry.h +++ b/include/envoy/registry/registry.h @@ -346,6 +346,7 @@ template class FactoryRegistry : public Logger::Loggable>(); for (const auto& [factory_name, factory] : factories()) { + UNREFERENCED_PARAMETER(factory_name); if (factory == nullptr) { continue; } diff --git a/source/common/config/new_grpc_mux_impl.cc b/source/common/config/new_grpc_mux_impl.cc index 0015a2689971..50bfc07e08e4 100644 --- a/source/common/config/new_grpc_mux_impl.cc +++ b/source/common/config/new_grpc_mux_impl.cc @@ -90,6 +90,7 @@ void NewGrpcMuxImpl::onDiscoveryResponse( void NewGrpcMuxImpl::onStreamEstablished() { for (auto& [type_url, subscription] : subscriptions_) { + UNREFERENCED_PARAMETER(type_url); subscription->sub_state_.markStreamFresh(); } trySendDiscoveryRequests(); diff --git a/source/common/init/manager_impl.cc b/source/common/init/manager_impl.cc index 650203fabbea..1440dd726414 100644 --- a/source/common/init/manager_impl.cc +++ b/source/common/init/manager_impl.cc @@ -71,6 +71,7 @@ void ManagerImpl::dumpUnreadyTargets(envoy::admin::v3::UnreadyTargetsDumps& unre auto& message = *unready_targets_dumps.mutable_unready_targets_dumps()->Add(); message.set_name(name_); for (const auto& [target_name, count] : target_names_count_) { + UNREFERENCED_PARAMETER(count); message.add_target_names(target_name); } } diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index d9ca4781e7b5..17613814efea 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc 
@@ -427,6 +427,7 @@ ScopedRdsConfigSubscription::detectUpdateConflictAndCleanupRemoved(
 absl::flat_hash_map scope_name_by_hash = scope_name_by_hash_;
 absl::erase_if(scope_name_by_hash, [&updated_or_removed_scopes](const auto& key_name) {
 auto const& [key, name] = key_name;
+ UNREFERENCED_PARAMETER(key);
 return updated_or_removed_scopes.contains(name);
 });
 absl::flat_hash_map
diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.h b/source/extensions/transport_sockets/tls/ssl_handshaker.h
index 8eaec861a8f1..50090f6f43a7 100644
--- a/source/extensions/transport_sockets/tls/ssl_handshaker.h
+++ b/source/extensions/transport_sockets/tls/ssl_handshaker.h
@@ -67,7 +67,7 @@ class SslHandshakerImpl : public Ssl::ConnectionInfo, public Ssl::Handshaker {
 // Ssl::Handshaker
 Network::PostIoAction doHandshake() override;
- Ssl::SocketState state() { return state_; }
+ Ssl::SocketState state() const { return state_; }
 void setState(Ssl::SocketState state) { state_ = state; }
 SSL* ssl() const { return ssl_.get(); }
 Ssl::HandshakeCallbacks* handshakeCallbacks() { return handshake_callbacks_; }
diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc
index 485468443096..f00494763040 100644
--- a/source/extensions/transport_sockets/tls/ssl_socket.cc
+++ b/source/extensions/transport_sockets/tls/ssl_socket.cc
@@ -140,10 +140,18 @@ Network::IoResult SslSocket::doRead(Buffer::Instance& read_buffer) {
 case SSL_ERROR_WANT_READ:
 break;
 case SSL_ERROR_ZERO_RETURN:
+ // Graceful shutdown using close_notify TLS alert.
 end_stream = true;
 break;
+ case SSL_ERROR_SYSCALL:
+ if (result.error_.value() == 0) {
+ // Non-graceful shutdown by closing the underlying socket.
+ end_stream = true;
+ break;
+ }
+ FALLTHRU;
 case SSL_ERROR_WANT_WRITE:
- // Renegotiation has started. We don't handle renegotiation so just fall through.
+ // Renegotiation has started. We don't handle renegotiation so just fall through.
 default:
 drainErrorQueue();
 action = PostIoAction::Close;
diff --git a/source/server/admin/config_dump_handler.cc b/source/server/admin/config_dump_handler.cc
index dbfd13a01e2e..9e1d54e9d3e9 100644
--- a/source/server/admin/config_dump_handler.cc
+++ b/source/server/admin/config_dump_handler.cc
@@ -155,6 +155,7 @@ ConfigDumpHandler::addResourceToDump(envoy::admin::v3::ConfigDump& dump,
 }
 for (const auto& [name, callback] : callbacks_map) {
+ UNREFERENCED_PARAMETER(name);
 ProtobufTypes::MessagePtr message = callback();
 ASSERT(message);
@@ -200,6 +201,7 @@ void ConfigDumpHandler::addAllConfigToDump(envoy::admin::v3::ConfigDump& dump,
 }
 for (const auto& [name, callback] : callbacks_map) {
+ UNREFERENCED_PARAMETER(name);
 ProtobufTypes::MessagePtr message = callback();
 ASSERT(message);
@@ -220,6 +222,7 @@ ProtobufTypes::MessagePtr ConfigDumpHandler::dumpEndpointConfigs() const {
 auto endpoint_config_dump = std::make_unique();
 for (const auto& [name, cluster_ref] : server_.clusterManager().clusters()) {
+ UNREFERENCED_PARAMETER(name);
 const Upstream::Cluster& cluster = cluster_ref.get();
 Upstream::ClusterInfoConstSharedPtr cluster_info = cluster.info();
 envoy::config::endpoint::v3::ClusterLoadAssignment cluster_load_assignment;
diff --git a/source/server/filter_chain_manager_impl.cc b/source/server/filter_chain_manager_impl.cc
index 0de4282f3314..29d47d8be53c 100644
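Review bot: The new `SSL_ERROR_SYSCALL` branch maps an EOF with no close_notify (`result.error_.value() == 0`) onto the same `end_stream = true` as `SSL_ERROR_ZERO_RETURN`, so a peer or an on-path device that drops the TCP connection mid-message is reported upward as a clean end of stream, which is exactly the TLS truncation case the close_notify alert exists to detect. That is acceptable only because the protocol framing above this socket (content-length, chunked terminators, HTTP/2 frames) is expected to catch a short body, and that reliance belongs in the comment; suggest replacing `// Non-graceful shutdown by closing the underlying socket.` with `// EOF without close_notify: the TCP socket was closed under us. Treated as end of stream; a truncated message must be caught by the protocol framing above this socket.`. Nothing in the hunk lets an operator distinguish this unclean close from the close_notify case, so a dedicated counter incremented in this branch would make truncation visible rather than silent. `result.error_.value()` also assumes `error_` is populated whenever `SSL_ERROR_SYSCALL` is returned; if `error_` is an optional, `result.error_.has_value() && *result.error_ == 0` avoids dereferencing an empty value on a path that is by definition an error path. doRead's body begins outside the hunk.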
--- a/source/server/filter_chain_manager_impl.cc
+++ b/source/server/filter_chain_manager_impl.cc
@@ -555,6 +555,7 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceIpAn
 void FilterChainManagerImpl::convertIPsToTries() {
 for (auto& [destination_port, destination_ips_pair] : destination_ports_map_) {
+ UNREFERENCED_PARAMETER(destination_port);
 // These variables are used as we build up the destination CIDRs used for the trie.
 auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair;
 std::vector>>
@@ -568,8 +569,11 @@ void FilterChainManagerImpl::convertIPsToTries() {
 // We need to get access to all of the source IP strings so that we can convert them into
 // a trie like we did for the destination IPs above.
 for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) {
+ UNREFERENCED_PARAMETER(server_name);
 for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) {
+ UNREFERENCED_PARAMETER(transport_protocol);
 for (auto& [application_protocol, source_arrays] : application_protocols_map) {
+ UNREFERENCED_PARAMETER(application_protocol);
 for (auto& [source_ips_map, source_ips_trie] : source_arrays) {
 std::vector<
 std::pair>>
diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/extensions/transport_sockets/tls/BUILD
index 48a456162df3..f5b04d38100d 100644
--- a/test/extensions/transport_sockets/tls/BUILD
+++ b/test/extensions/transport_sockets/tls/BUILD
@@ -16,12 +16,11 @@ envoy_cc_test(
 "ssl_socket_test.cc",
 ],
 data = [
- "gen_unittest_certs.sh",
 # TODO(mattklein123): We should consolidate all of our test certs in a single place as
 # right now we have a bunch of duplication which is confusing.
 "//test/config/integration/certs",
+ "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
 "//test/extensions/transport_sockets/tls/test_data:certs",
- "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
 ],
 external_deps = ["ssl"],
 shard_count = 4,
@@ -74,12 +73,9 @@ envoy_cc_test(
 "ssl_certs_test.h",
 ],
 data = [
- "gen_unittest_certs.sh",
- "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
+ "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
 "//test/extensions/transport_sockets/tls/test_data:certs",
 ],
- # Fails intermittantly on local build
- tags = ["flaky_on_windows"],
 deps = [
 ":ssl_test_utils",
 "//source/common/common:base64_lib",
@@ -121,8 +117,6 @@ envoy_cc_test(
 "utility_test.cc",
 ],
 data = [
- "gen_unittest_certs.sh",
- "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
 "//test/extensions/transport_sockets/tls/test_data:certs",
 ],
 external_deps = ["ssl"],
@@ -171,14 +165,9 @@ envoy_cc_test(
 name = "handshaker_test",
 srcs = ["handshaker_test.cc"],
 data = [
- "gen_unittest_certs.sh",
- "//test/config/integration/certs",
 "//test/extensions/transport_sockets/tls/test_data:certs",
 ],
 external_deps = ["ssl"],
- # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows
- # See: https://github.com/envoyproxy/envoy/pull/13276
- tags = ["flaky_on_windows"],
 deps = [
 ":ssl_socket_test",
 ":ssl_test_utils",
diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc
index 0307ebb2daef..9e1f37780722 100644
--- a/test/extensions/transport_sockets/tls/context_impl_test.cc
+++ b/test/extensions/transport_sockets/tls/context_impl_test.cc
@@ -20,6 +20,7 @@
 #include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h"
 #include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h"
 #include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h"
+#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h"
 #include "test/mocks/init/mocks.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/secret/mocks.h"
@@ -261,9 +262,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -272,12 +273,10 @@ TEST_F(SslContextImplTest, TestExpiringCert) { ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); - // This is a total hack, but right now we generate the cert and it expires in 15 days only in the - // first second that it's valid. This can become invalid and then cause slower tests to fail. - // Optimally we would make the cert valid for 15 days and 23 hours, but that is not easy to do - // with the command line so we have this for now. Good enough. - EXPECT_TRUE(15 == context->daysUntilFirstCertExpires() || - 14 == context->daysUntilFirstCertExpires()); + // Calculate the days until test cert expires + auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); + int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; + EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry); } TEST_F(SslContextImplTest, TestExpiredCert) { 
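Review bot: In the TestExpiringCert hunk the expected `days_until_expiry` is computed from `absl::Now()` on one line while `context->daysUntilFirstCertExpires()` is read on the next, presumably from its own time source; if those two reads straddle a day boundary of the fixture's notAfter the `EXPECT_EQ` fails, a rare but real flake of the same family the removed 14-or-15 hack was papering over. Allowing a one-day tolerance, or taking both values from a single timestamp if the context exposes one, would close that window. The test also now has a hard end of life: once the checked-in `TEST_UNITTEST_CERT_NOT_AFTER` passes, the fixture is expired and this and the other tests loading unittest_cert.pem fail together, which is worth a comment next to the expectation, e.g. `// Fails once unittest_cert.pem expires; regenerate the fixture (see test_data) rather than widening the check.`.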
@@ -302,9 +301,9 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" @@ -330,7 +329,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"); std::string cert_chain_json = R"EOF({ - "path": "{{ test_tmpdir }}/unittestcert.pem", + "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem", } )EOF"; 
@@ -591,27 +590,27 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; loadConfigYaml(tls_context_yaml); } TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { - auto der_response = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der")); + auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -626,9 +625,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -643,11 +642,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -660,9 +659,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -684,9 +683,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -702,9 +701,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -717,9 +716,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleFeatureFlagO common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -734,11 +733,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -748,12 +747,13 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = - absl::StrSplit(TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute( - "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp_details.txt"), - true), - '\n'); + auto ocsp_text_details = absl::StrSplit( + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt"), + true), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); 
@@ -797,10 +797,10 @@ class SslServerContextImplTicketTest : public SslContextImplTest { // Must add a certificate for the config to be considered valid. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -821,9 +821,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -838,9 +838,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -854,9 +854,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" @@ -1045,9 +1045,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1061,9 +1061,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1078,9 +1078,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1095,9 +1095,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -1750,10 +1750,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); diff --git a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh b/test/extensions/transport_sockets/tls/gen_unittest_certs.sh deleted file mode 100755 index fe731e85cd70..000000000000 --- a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash -# -# Create a test certificate with a 15-day expiration for SSL tests. - -set -e - -TEST_CERT_DIR="${TEST_TMPDIR}" - -mkdir -p "${TEST_CERT_DIR}" - -export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf -(cat << EOF -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 -EOF -) > "${OPENSSL_CONF}" - -openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048 -openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \ - -sha256 < makeKey() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest {
 // Read in cert.pem and return a certificate.
 bssl::UniquePtr makeCert() {
- std::string file = TestEnvironment::readFileToStringForTest(
- TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem"));
+ std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
 bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size()));
 uint8_t* data = nullptr;
diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/extensions/transport_sockets/tls/ocsp/BUILD
index c6947269be4d..262bec36ab5c 100644
--- a/test/extensions/transport_sockets/tls/ocsp/BUILD
+++ b/test/extensions/transport_sockets/tls/ocsp/BUILD
@@ -14,13 +14,9 @@ envoy_cc_test(
 "ocsp_test.cc",
 ],
 data = [
- ":gen_ocsp_data",
+ "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
 ],
 external_deps = ["ssl"],
- # TODO: Diagnose intermittent failure on Windows; this script uses the
- # locally deployed openssl for test cert creation and manipulation, rather
- # than envoy's current build of the most current openssl tool
- tags = ["flaky_on_windows"],
 deps = [
 "//source/common/filesystem:filesystem_lib",
 "//source/extensions/transport_sockets/tls:utility_lib",
@@ -44,8 +40,3 @@ envoy_cc_test(
 "//test/extensions/transport_sockets/tls:ssl_test_utils",
 ],
 )
-
-filegroup(
- name = "gen_ocsp_data",
- srcs = ["gen_unittest_ocsp_data.sh"],
-)
diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc
index 70f24ccaa15e..78e813060d86 100644
--- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc
+++ b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc
@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility;
 class OcspFullResponseParsingTest : public testing::Test {
 public:
- static void SetUpTestSuite() { // NOLINT(readability-identifier-naming)
- TestEnvironment::exec({TestEnvironment::runfilesPath(
- "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")});
- }
-
 std::string fullPath(std::string filename) {
- return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename);
+ return TestEnvironment::substitute(
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename);
 }
 std::vector readFile(std::string filename) {
@@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) {
 }
 TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) {
- auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24);
- time_system_.setSystemTime(next_week);
+ auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10);
+ time_system_.setSystemTime(ten_years_forward);
 setup("good_ocsp_resp.der");
 // nextUpdate is present but in the past
 EXPECT_TRUE(response_->isExpired());
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD
new file mode 100644
index 000000000000..e55e87fb1011
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD
@@ -0,0 +1,13 @@
+load(
+ "//bazel:envoy_build_system.bzl",
+ "envoy_package",
+)
+
+licenses(["notice"]) # Apache 2
+
+envoy_package()
+
+filegroup(
+ name = "certs",
+ srcs = glob(["*"]),
+)
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md
new file mode 100644
index 000000000000..ad1c6777eb3a
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md
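Review bot: `std::chrono::hours(24 * 365 * 10)` in ExpiredResponseTest is a magic number whose only job is to land past the nextUpdate of the now checked-in `good_ocsp_resp.der`, and nothing ties it to the validity the fixture was generated with, so the next regeneration with a longer lifetime would silently make the test pass for the wrong reason or stop testing expiry at all. A comment stating the dependency keeps the two in step, e.g. `// Must exceed the nextUpdate of the checked-in response; keep in sync with the validity used when regenerating the fixtures.`.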
@@ -0,0 +1,30 @@ +# What are the identities, certificates and keys +There are 8 identities: +- **CA**: Certificate Authority for all fixtures in this directory. It has the + self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key. +- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**. + It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem* + is its private key. +- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP + request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as + *good_ocsp_resp_details.txt*. +- **Responder Key Hash** An OCSP request and response pair for the **Good** cert + with responder key hash replacing the name in *responder_key_hash_ocsp_req.der* + and *responder_key_hash_ocsp_resp.der* +- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the + **CA**. A corresponding OCSP request and revoked response are included in + *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*. +- **Unknown** An OCSP request and unknown status response is generated in + *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate + is signed by **CA** not **Intermediate CA**. +- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key + (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*). +- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are + generated with **CA** as the signer for the **Good** and **Revoked** certs in + *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*. + +# How to update certificates +**certs.sh** has the commands to generate all files. Running certs.sh directly +will cause all files to be regenerated. So if you want to regenerate a +particular file, please copy the corresponding commands from certs.sh and +execute them in command line. 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem new file mode 100644 index 000000000000..d456c26f505f --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem new file mode 100644 index 000000000000..888feabbec1b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF +ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k +iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v +c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf +HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7 +Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ +MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W +WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo +qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE +ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1 +Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs +Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3 +8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG +0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ +vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy +0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP +vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM +1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9 +kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL ++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS +ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS +LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3 +FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o +O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ +Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh similarity index 86% rename from test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh rename to test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh index dad80edca9a1..042fd74ca524 100755 --- a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh @@ -4,23 +4,21 @@ set -e +readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730} +readonly HERE=$(cd "$(dirname "$0")" && pwd) + +cd "$HERE" || exit 1 trap cleanup EXIT + cleanup() { - rm -f ./*_index* - rm -f ./*.csr - rm -f ./*.cnf - rm -f ./*_serial* + rm -f ./*.cnf + rm -f ./*.csr + rm -f ./*_index* + rm -f ./*_serial* + rm -f ./*.srl + rm -f ./100*.pem } -[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)" - -TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data" -mkdir -p "${TEST_OCSP_DIR}" - -rm -f "${TEST_OCSP_DIR}"/* - -cd "$TEST_OCSP_DIR" || exit 1 - ################################################## # Make the configuration file ################################################## @@ -55,17 +53,17 @@ commonName_max = 64 default_ca = CA_default [ CA_default ] -dir = ${TEST_OCSP_DIR} -certs = ${TEST_OCSP_DIR} -new_certs_dir = ${TEST_OCSP_DIR} -serial = ${TEST_OCSP_DIR} -database = ${TEST_OCSP_DIR}/$2_index.txt -serial = ${TEST_OCSP_DIR}/$2_serial +dir = ${HERE} +certs = ${HERE} +new_certs_dir = ${HERE} +serial = ${HERE} +database = ${HERE}/$2_index.txt +serial = ${HERE}/$2_serial -private_key = ${TEST_OCSP_DIR}/$2_key.pem -certificate = ${TEST_OCSP_DIR}/$2_cert.pem +private_key = ${HERE}/$2_key.pem +certificate = ${HERE}/$2_cert.pem -default_days = 375 +default_days = ${DEFAULT_VALIDITY_DAYS} default_md = sha256 preserve = no policy = policy_default 
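Review bot: The `[ CA_default ]` block on the new side still carries two `serial` keys, and the first, `serial = ${HERE}`, names the fixture directory rather than a serial file; the committed fixtures were evidently generated without error, which suggests OpenSSL honours the later `serial = ${HERE}/$2_serial`, but depending on duplicate-key precedence inside an openssl.cnf is fragile and this hunk rewrites both lines anyway. I would drop the first one so the section has a single `serial = ${HERE}/$2_serial`. Note also that `new_certs_dir = ${HERE}` now points at the checked-in fixture directory, so `openssl ca` will presumably drop its per-serial `<serial>.pem` copies next to the committed files and only the `rm -f ./100*.pem` added to `cleanup` keeps them out of the tree; a short comment on that cleanup line saying why the glob exists would save the next maintainer a puzzle. The heredoc that emits this configuration starts and ends outside the hunk.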
@@ -102,7 +100,7 @@ generate_ca() { -config "${1}.cnf" -batch -sha256 openssl x509 -req \ -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \ - -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}" + -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}" } # $1= $2= $3=[req args] @@ -153,7 +151,7 @@ generate_ca intermediate_ca ca # Generate valid cert and OCSP response generate_config good ca generate_rsa_cert good ca -generate_ocsp_response good ca good -ndays 7 +generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}" dump_ocsp_details good ca # Generate OCSP response with the responder key hash instead of name diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem new file mode 100644 index 000000000000..724ea898ea24 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/ +o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW +76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR +tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3 +FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7 +rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je +BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV +gDVhAiuki1Lwuzo= +-----END CERTIFICATE----- 
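Review bot: `generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}"` stretches the good response's nextUpdate from 7 days to the whole certificate lifetime (730 days by default, with the resulting Oct 22 2022 nextUpdate visible in good_ocsp_resp_details.txt), which a checked-in fixture needs but is far longer than the hours-to-days windows real responders typically use, so any test exercising staleness has to build its own expired response rather than rely on this one. Because the value is read from the environment (`${DEFAULT_VALIDITY_DAYS:-730}`), re-running certs.sh on a machine that exports that variable silently yields fixtures with a different lifetime; consider echoing the value when the script runs, or at least a comment above this call: `# Fixtures are checked in, so the OCSP nextUpdate tracks the cert lifetime; real responders use much shorter windows.` Since certificates and responses now all expire together, recording the regeneration date beside this call would also make the eventual expiry failure easy to diagnose. These calls are top-level statements with no enclosing function.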
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem new file mode 100644 index 000000000000..8fac462fe37b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49 +AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc +yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w== +-----END EC PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..6769a837244d56ca8d0de3380c69d521a84447e3 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7T!G^*Hf*=kD50`UdPG(wuQC?=Ep_qXPNRXX}H#jj*!L2AUFFCU~Ip2`ifEy&v z#lzxLnO0&bX&?^ba`Om)xC*X$>6v+{sYRK2=`cH(d6<$DCHRdDj0_A7jDVD>xv6oK zL6AX!fi=(-tlE6cOj4{2EFxk@*&0@GZtFKt?_90y-|ua(;Xw|Ih(v|+lX*)5pJlsQ zxku?%Mdnqsh%qqn7L5dK+!-R;cF%qAr^rHD);=_6yGekwk7c50(%Jt170>x ztu~Lg@4SqR+^h`DO^l2THFuZn=Sh2;c-Z`s{LIrl5B2w$^~>K@JN70`B9cq^;*rnH zC4UVs7ae!yWjcXYXH?7yEA)XD2zlmFy^0E@K2;UBNtGcR1c;LLmX zlhNl#0$C*|-)i0It?vCLeDT$(K+zbEFFoC6yIPYz)rtJN-D<$QpL?-hmFiNv+0i>I zZk&6>_2Bz$cAl2cE9WS%yk=LpYpcS$YqjixCg$4)P0ZJU__9G0)9wY#OpHuSB3ifQ zins8u7u>Dla>3){@7T!WU&YaaZvc{#ft)xmQc^OE0&rGuAWIDGCd1)x9o>O=C5;VQIb|(+J=AIBNO;oZdg|cy^(#QWVPx1e5Uw|598&Hn~o>=d=jdw zSA6p0=Dc}^s-KS@%e0hTrkR#nm{nomRJ5D>;8y>|#ydCZq@3^C9nA02AhfdY!lr9a z>SoxQ?y0Sg&y=5*A?oJwYAO>mBLm~&WP?NlSzu`)%f}*yJ!1oNFHl;UMZ!R=0c*}T z;0GxXW@P-&!fL<_qzw2#0{kEW7GSDvLyiVm_TE(K9(MS-@V)r%w~G%q2tJ%4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q&e|~o literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem new file mode 100644 index 000000000000..4c25d638be7c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAikCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTJaFw0yMjEwMjIwMjU3NTJaMFsxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ0wCwYDVQQDDARnb29kMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBD2wITti7SV7hHMKjeB4vv9HrpYHe58LkthZWHAWfcV4usdQl8/R/pe6xp +vbda1dPkDOL3h9DWXb3OtDxZszk/muQ2O3IMzkm3RdOYK4TxiyhRiilYI8nOHCNS +/nzl2TGdoaHMYNKDopJaSuWo78ojcI6y/xJHSJFFHTazHrcLZsoanqYNUh352E1U +j7x8b0h6KB2ODeUa2z8g4sMqTexSDDKz4ND9vfoSPn02mG/3RuVsIxX5F1LNCP5W +RfxRA4uDR3/FSmWAHRPDpdh1NfNDZyh1yXlEyJS2XhuKUCDfCMqHYrxOfgQs6f+2 +d1z/R2EV8f4bBFxyL0nfOuo2J4+u +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem new file mode 100644 index 000000000000..5a6e6a2a1463 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABAoIBAQCqpOtPVSvE+iqK +VAwIs5rSVoHo8p4Cty2dsTfzA6CGijmscon2t0oHwjyak9LyfWaiR9uk3e8KXFAW +zE1QDq5umj1Ufrw+3+U0xB4xMiSfRcbV/LCPARO5VARm8rmzqEPRctVfsmtYFs9M +Y+O4Ky/SFriUUdgNjbdtvhobqV67dWIxATeYET0ayACgeJITcfH4XaAdQt5LJbDI +qemCu3hvvc4qqk0Ad/nqCl+B0D8/zWuyX5bKnNw+1g868VCFskdGiM7uZTZIXBja +6N3VBv6dENebcX+j9t+RxtOIRMm5ndFGzAq50ylKKiw5M/hRHxgHb0l7OF1Ud2Jw +QSumpj8pAoGBAPh6VgAvEHRECDHUs+RscNcrhTTJF/A787rx/7kJMHxVMlr3GPvv +clxhK7GquFEpYlB6+R+otWvfowq7F+sEGutepfgI0vp0QriwziVQw1xg4lnfK4TR +uKLmL/wQGEIMi4G2n8RacYGSGGl39mmRchCEeYWHV+P0j7ss7SkJ3WNVAoGBAO4L +YiV1TBpmD+3cWZh0BEvjYQePmFoLdFypd/tOZYL9jhtiCIV7uDPUwTe8UCPrLpUi +XPHp9Sfhoo0gLGQVxHowHaDQBUnzo+LzdMPu8YlJv1okH0rkdwQ355yAVgTVz3sv +XTJtVGnSLmA/BthLMrFJfn5Sbus/c3vNgw7Cu3IXAoGAPSEDpVnux1uxVGkKtKiE +/jqDs9/BFuX46UX97oy3M+9VyxE9QUXAMb/qGvRwEe+Hc1s9jK9ZqqdDGjG7CaNh +6APJ+wJYvSr6+yrsHDwJQ+HF7ew8bZmWveS5a16eSSmC7K98ELdbc0/414Geyovw +ruWYa+RHGBqjfZ3o3o7Bu10CgYEAt9GyiJp7micWRefSiBeO+cssMlqAm4gc4zE6 +paV0XiLOifa5/dn79IpmalPQzuvdnOxcObMgzRtAGxqtLNxiTLi7KGN6shCija7S +jDsH6aw5R7J9N6gU//zrrb6sri8teUKqBTbH6K+VgF0rO/tVufG27HVbke39j6yz +d8KIXSECgYB3JaYxWdoxptUvpqITvIBRNEfhNVrxzdGz95EcS6RqmG7UxJlTN2Yk +LKZ9pIOD43QQ3i5D2cF6XN4BCSZ+wRVzOt43RP8DUMgbLzLf8h9N/6cQGEbFqtlb +9x5wTSPF7VRJY+ToSnnBWyFRPLkwm9u1VpeBIUa3bGDDbV/SdJIeUg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..f5d7e4150fe3b8b53638a51f19d59260531ed227 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zq#7g}SOZ}Jx1QUx8i@=XGhLiYbNw@ zu|}%_FB_*;n@8JsUPeZ4RtDxKMn;Bh`gM1=zK(wOO#aI6`bg7zn+&yrylNY}-qhYX zQ#C2E_9K((Nu9T^-iRDr(O==h==F^K|DQxY>s@Krj%MeU*SvqVY+Gr&h{?uMruVgZ zi({iTA0_x%t~)0c|K4=|xvLNPe|`znW&dH}6EkgBLK^#ns#j}v6}*z_-@j9B%F1S8 z@q)zf7Jh8SQns6!yd|3!dp)dSzwvkb#4s_{wwEjZFFkZR@5H-}x5{<1Ue+!32>Bx4 z#J9PKCzyHa;te)_p(XF8UHiU?S-M^&@!_4f*B0{%Gd1zP-TQXeYQ3HdlHX4DMXt?w zWs+|kJFR%L-Tegu*VagUTP^f&uBjuhiT|yF!+y0vZVQ^2ZyPi*UkBpL22D)67cet1 zGBJs0-Igof!oOZ{w~EUJkB`4&BaeR-M+?3INL>bU;=D+y%Pn*#eRFME}nbVaH%P%d84yt&V-(CCCrtr83+CAc|It%J_%<{ z5!~yrWbXDY3UeC5x3A)3dc3Y?vA1a|*LqWz2bs?8LS7mQs^`>QGaso;4!Ad8Kc$1= zaM{spi-Yf9Og&-nU18BJzOZ+T4rE4b`uO_K>m|8z{ER#9p1oIEwqbw9A_I3h{o*Ss zKaG_Q(W2mK)X;LT_ZBC|PYfKc6Z7;=_1(J^{-xH)g0q3Y+O$1*KtmuaS@7G_l#I2G;YKDgC?vGLALIw|M7b_esjGzhKi zyRhlnle!tUrh96u<1^)_Wr(_Yyqe0y%*epFIN2c4Ko(el$nvp>VbANp+zXUeW|1%u zYrt9<81RD>2s1MNXJIv922uumAOU`m01GhHwjoCYEPHRNbPqfHT=-sm_uIvX8w4Lt zGm}53=GLN9`kdhw3lzI3?m_EGAbnzE+m{cFfMxR?| zm$V}HPv~VgF3T5iYrppYVeV<&xr%)}e6}uAx1MaR@+*6G@A<@OUF_%jzwwIhIsd?A z`mxvg76;i1cRrc3fB8~VpE~Oc$Al+*o%GIS;`e#-9o-k7-2EAFUpUGwMW2s-U+Hz% w*|w<`;gwO}8TM^ud18L`sEkqYd3pDu0y8bcnXlhVHrXggXoV!d(B}CL01N~(mH+?% literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt new file mode 100644 index 000000000000..312a01481fd5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt 
@@ -0,0 +1,118 @@ +OCSP Response Data: + OCSP Response Status: successful (0x0) + Response Type: Basic OCSP Response + Version: 1 (0x0) + Responder Id: C = US, ST = California, L = San Francisco, O = Lyft, OU = Lyft Engineering, CN = ca + Produced At: Oct 22 02:57:52 2020 GMT + Responses: + Certificate ID: + Hash Algorithm: sha1 + Issuer Name Hash: 16C50680A809B68F302789AB234F8F4B30B0E06C + Issuer Key Hash: 187843E49EA451E66B463A475A2D7A596E788416 + Serial Number: 1000 + Cert Status: good + This Update: Oct 22 02:57:52 2020 GMT + Next Update: Oct 22 02:57:52 2022 GMT + + Response Extensions: + OCSP Nonce: + 04109C5C7305A9C99B599CAD3612F1A32885 + Signature Algorithm: sha256WithRSAEncryption + b6:2f:7e:dd:b5:eb:5b:e6:e6:1f:d4:fb:7f:59:35:de:b2:31: + 2a:52:4a:7d:81:8a:ec:7d:dc:cc:7a:92:61:7d:f1:02:25:c9: + 2c:ed:ea:ec:14:c1:a8:8f:78:44:01:4a:e6:07:ff:fc:61:0e: + 3b:ba:66:d6:c5:6b:6d:77:7c:ef:ea:a6:b6:75:87:14:34:b1: + 75:02:ef:7d:6e:a3:5d:5b:29:e2:60:4e:39:ae:ce:1a:5f:ef: + 35:9f:ce:d5:e1:0f:f9:f4:51:2d:07:f8:38:4c:5c:96:ba:60: + 66:07:e0:7a:ea:ac:ba:70:ea:1a:8f:bf:b9:26:94:a9:83:13: + 17:70:61:f7:38:4e:06:73:1a:3d:b3:02:4b:19:82:a3:4a:e1: + 7c:07:d8:fd:b7:91:56:16:25:86:e9:a8:ff:a5:c2:cb:6e:c8: + ee:b1:da:77:2d:6a:e9:7e:a5:48:54:f4:1f:82:0e:b3:72:0c: + 53:03:95:a3:b0:3c:4e:55:74:ee:96:d6:f7:b2:03:1b:7f:24: + 61:e1:dc:ed:d6:a3:0d:13:02:82:0d:ed:bd:ed:ba:ab:2e:8c: + d0:19:f6:c9:8e:59:ad:68:ea:34:6f:33:5d:96:73:b3:3e:df: + a0:10:d6:ac:18:f6:ab:12:fe:9d:35:41:0d:34:4f:da:70:c3: + 4e:7d:52:46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:db:1e:73:b4:0f:af:11:bb:24:44:d0:48:f1:fb:5d:59:c7:f5:17 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Validity + Not Before: Oct 22 02:57:51 2020 GMT + Not After : Oct 22 02:57:51 2022 GMT + Subject: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption 
+ RSA Public-Key: (2048 bit) + Modulus: + 00:db:e8:73:4e:bd:7a:d1:ce:e6:80:d2:82:52:83: + b1:43:29:6c:90:8c:f6:74:03:79:85:68:c1:4f:7f: + 0c:f0:21:85:e4:57:05:64:11:bd:40:a4:9d:b7:b4: + 20:9c:80:57:b7:aa:0e:02:e3:ae:7c:a3:4b:35:65: + 0a:af:35:44:e0:69:43:87:12:4a:28:20:25:ce:27: + 45:69:e2:24:93:50:de:9f:2f:64:88:00:c3:76:c5: + 6b:38:c1:ef:e8:95:c8:30:f7:20:a2:da:0e:56:ee: + a2:c0:69:58:b2:f1:eb:fc:eb:a4:6d:1e:0f:01:b8: + dd:cd:de:75:76:b0:bf:68:a2:30:47:1e:2f:73:d4: + 24:f9:62:ad:55:78:c9:29:07:2c:cb:17:84:29:fa: + ce:26:5a:19:3a:4a:2b:31:fd:87:59:60:0e:04:d8: + 3b:78:12:ec:1d:e4:22:3a:b2:cf:9f:02:5f:d1:e1: + 5f:1f:33:82:c7:60:4c:f2:12:7e:7f:21:e4:f8:d9: + 9e:9e:31:25:f3:c5:c6:69:39:1d:a6:29:66:65:71: + 6a:78:30:42:72:bb:0b:c1:b5:4f:a3:33:b9:b2:2c: + 64:cf:8a:bb:53:0f:44:80:12:a9:8e:d0:b2:d6:e4: + 7e:98:3d:35:bc:7d:7b:5f:69:1f:96:68:15:46:48: + ea:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + X509v3 Authority Key Identifier: + keyid:18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + b2:79:47:56:c3:e7:13:de:5f:8b:ed:a3:c3:80:11:e1:96:36: + 1f:ce:26:46:84:a7:c2:4e:96:59:c1:97:0b:38:bd:85:51:b2: + 8e:37:ea:45:d1:d9:25:0d:5d:5d:b7:08:2f:bc:7f:4d:d6:88: + 29:2f:6b:ba:cb:4c:12:1a:f4:dc:20:fc:5d:75:f2:8e:4b:db: + bf:70:fb:28:7e:81:16:74:67:5b:38:a1:bf:9f:6f:38:88:d2: + c0:3f:35:43:a6:b5:d4:76:48:4e:58:35:e1:dd:02:d1:fa:03: + 56:1a:8e:08:b1:4c:da:36:d2:2a:59:bf:90:8d:07:33:76:6f: + 10:46:87:d6:ff:e1:6d:cb:2d:9d:21:8e:0c:0e:3d:44:95:b5: + c9:85:7a:4e:76:e6:de:e7:91:96:8a:07:ce:8f:f6:0d:15:bc: + cf:e0:44:97:c6:eb:2f:38:c1:06:71:b9:e4:9c:bf:a7:a5:35: + 4c:7e:3b:d0:c6:13:90:f5:92:ee:44:91:f7:9e:1f:88:8b:d1: + e4:dd:f9:50:df:13:5a:46:64:2f:0e:07:be:75:d7:45:9b:3d: + 
65:38:57:79:5a:f7:00:be:b5:04:e4:37:d5:c5:1c:32:53:cf: + 1f:47:72:70:36:2a:31:99:eb:ef:19:82:3c:23:58:2a:54:63: + e8:2b:0c:f7 +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem new file mode 100644 index 000000000000..f9f104f8d05c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIUCmwXC1yqJjKspOZeS0lbJsJomIMwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxGDAWBgNVBAMMD2ludGVybWVkaWF0ZV9jYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKI2heFAYYMEzvOJ7WVjvkczC3Vf/zo1WS5n +uN2LMO7Rgkbo+XENakPud7L7EN13ySIcjh65s9qq0cqaAbLzjgYoU6av8IufU2rh +pgpoNIU7X8dKlImlIBGytARa9qIblnsinDLhfly78yw/gWU83h+QPWYwhXBeDMMc +Wzo6MvZyZ1IgvdLmue8zcCKYA12YkXRnljG2sp8kstKWh4A8wMfUyE+bVkyr8qTk +Scslqnzx62y3UovwRzaRw8wusq3Vj/MSR4BLlbWRxiAIQr3IwswBphqNif3T7RQw +0IdB/OKfKtt3le4LNES1QZtRpB1seYRNgMXiL8zVJmbsp6hRphUCAwEAAaOBxTCB +wjAdBgNVHQ4EFgQU/d1VXIK/EJrCj1MuJa71mxNR1LwwHwYDVR0jBBgwFoAU/d1V +XIK/EJrCj1MuJa71mxNR1LwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFP3dVVyCvxCawo9TLiWu9ZsTUdS8MB8GA1UdIwQYMBaAFBh4 +Q+SepFHma0Y6R1otellueIQWMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAt1udv9BBzcmErW0JjBAZajzoY0QwVqusZ +j11ex6LNI1rnFomVk+76QQJCeAR4rWeMJBfA9UmAtHVXZuLcQDDL5yTgAnBmSmJR +18kS8KQg8V7AjtmIcx5uZgC2KZYsFx5qp3hGpqLyrN2ZvdeDFacNVWEtb2eVIIky +yy/UsmZr5STI3OU0k12fexiS/yh6G0XFvoecdxCoOvEp+EiLzCmwLRq/1q7CUbeO +woHCUHnwpGZi4PsFF9HkyM5KYgorMM0F+LWR1sVUtxSR6fWLZ0TTFi4NbLupD34S +yFXm0VYhXwV7mVVigQg2/A76PqmSXcSmvSvT43G+u3syc4kbxKLz +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem new file mode 100644 index 000000000000..f8347a170136 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAojaF4UBhgwTO84ntZWO+RzMLdV//OjVZLme43Ysw7tGCRuj5 +cQ1qQ+53svsQ3XfJIhyOHrmz2qrRypoBsvOOBihTpq/wi59TauGmCmg0hTtfx0qU +iaUgEbK0BFr2ohuWeyKcMuF+XLvzLD+BZTzeH5A9ZjCFcF4MwxxbOjoy9nJnUiC9 +0ua57zNwIpgDXZiRdGeWMbaynySy0paHgDzAx9TIT5tWTKvypORJyyWqfPHrbLdS +i/BHNpHDzC6yrdWP8xJHgEuVtZHGIAhCvcjCzAGmGo2J/dPtFDDQh0H84p8q23eV +7gs0RLVBm1GkHWx5hE2AxeIvzNUmZuynqFGmFQIDAQABAoIBAQCQG3wIxtdaPDVW +qpwaTOhH/JMbbXMi1S4rSb40I2oPYFUqheLEirRzMTFp8h3jgn1PLqsbpMKhaswB +/5uuzSzJT54xIXDDuYG0HE8UQ8sU6dCHDjyzo9y/nFDM5brh/TxMnEzD7wwBen/o +OWrM86wpwkypskV5tDQGSfTJ39ZSlZoaHS4/ih88JG2OTQXx7wi5U6s6Qkk1vuNA +prkqj6F6Y73qwiCuwtccEu3GDJiUjVAj7uFTOlpOBzT+2elraq16Y3DmfJ3aljp7 +pqTboytXYHixQ2x081WBv8Iy/flZP3HYe6ms2N5l27vd/tg3f2+p/WIrRolmOqwP +wHtR1oZBAoGBAM1tJ896YZXrLM9CBNcoAue8VhsipqvO8SodP0x5LRCqfnanoNPE +qFW8PwC0g/tGgAl5eA5iBbLOkaEuW1nxudSidlRBxYQ6lZjebscv9Mqe+P3RJd9y +Dv0te/I0lua7ElAUXTw4yGQ6/USr+kLlvOzBLWhbj3BQa4OCXsb5fFMNAoGBAMol +3+2l3G0BEFaXfGv2CRAR58KHA48lOHaIiSnNrWpnsXm4Fr2oYvvPDh5auulToeK3 +9DjfMhyPmgrCIbeHCVt01gvFU/NAGb79Xw21NQPREVhwZY6P4sFb5coO9E2jiESl +7PSaHtuLx8G6AwcIx8xjh+Fuy9ZfirfAB9g/h30pAoGBAMLMGY4zXMpPIkS/M9vb +AzZAb953c1lEeYgYB+g6mDNPmXBm8KkfuQjj41KF2wmyBsP1PZVV+lVecNZJITMf +d7pc/JxVajlDXIyDkMStgxGIwk/dvm4uuGv4b6pzmAzfpDPvu6HZrpztGzG9ayl4 +tThEzwxAlrpIaEtimwFPn0cZAoGAdD0lL61BO/jxoSlIpXf7rB7vqr8iP8zCU/6d +CMm5X0czGW/Ou8445N0iHDhF5Gdv3kOzDoThduToSilpY/QlYE6lymz0ohqI83cU +knhRfNlaZQV0kG6SkGc8klzZBE/1yquyvtBk0A/nlLFWjlPxN8k/2FRyp9mWlaS5 +nhKh4UkCgYBMCtGuPwmSYU6jI1AhygvEWNeN9U9GNH+C7hbDxtYtppjN/7ZUUIIn +kKceZAWbkZlItoOfVVSQLs8IZ5m5Q2g0rOb9/oVmtnK8bPYE16i0gk3VgOKQh+wv +q1Oqidvs4edxeI2sDe9w+Qw8qUo14+Uux7KMAlDrtB42gP5BQOWh0w== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..02da216fd77a34c5b39a173db82577e42f992c0a GIT binary patch literal 171 zcmXqLTw&0-)S%A5*1+0;lZ{oIkC{n|m4QV>>?m8q3eIi)2I`%wmHqp@4K_T;VG)t2 zaDFmxN#L_=H!Jrj-KxmEiWV^@CIJS@v@XXDgnV`ODzH(+F95n>Uz_vOL) RAHo~!t+>n!rSEd~0RW^QGEe{j literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e6af4d98fe86587fa311139739e63645581efaca GIT binary patch literal 1660 zcmXqLVyoa{WLVI|R%p<~mdnPe&Bn;e%5K2O$kN0X2Na4jXktuWSZq*e$Zf#M#vIDR zCd?EXY$$9X2;y+?a5*RDWTxd8$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;J(M zG;TErFt7$XgH@Z4nMsP3fki~@C|kn{&Tah$>Yb~V{rkNQHay5-5s|2Hell-K;InKu zEB7efs>r;G7BMC!0fq(!OhXeXF_CehAexCrQD_3jQ45s~6bXf4Hjf^7F5s9iO*qw^+J4eL9mGoU{9p&cpnvH+EX}B>obO zUzfaG4WocuBY5gH zj2Z|hH8Cn72Mi-PUGXyjvoseID1qI6QS7(3>f*U)4VRjNnm0OY=1l1MR>EA_nsLy- zp67#N>yvQS6v4d?OXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m z_8{U+yUUi7oxq=Y4yB!EcSaMzNCgXp4pW=jU5=TsmNH>bz|0l`;>%2-AmmnJ)ff z4wLHR*ywZ1?2=aG{t3P8#%1{eZtd6pKg>O?J6ExfhtJk!>eiF3Reoj9?meG4t&9C! z|2JOIJ?9^|Oh5Ko-{K%!;m#*>_Ag&*>QiTZ;h6A*uan-nO#D7izN7o%le<3y?h8k` zrRejq?<>9TI@>nYBD^x{JHx)MEKkg@9+fc)J}>WHRA8oMIP>*;$tD}+2(6Ih7ur1E E0TydUZU6uP literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..71d48a2acc5a09cfd178681ebc87a5e2790cc779 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7uNSmZ8k<$R(1nMMwTYlIY6Nq291jriLr=CR5(AGwvTur}aiW7XzkW|CrMU=a~J%GR)g zb6dZGdgp3o|9)?S4G(g#o5sW>z|g>eVdg?*14RRQgu|FvgjfXL{C!q;;YwJ+qJ!)W z5hXVs8t}4lYPET^edlFlg6sM-pG&R{N;_u2MeH^eEG-AfNwd-z+@Haq(NYkz(l#ZA}fv zV1>+<6;GUfrgZWbF4)s=|9qif+p2m-Bhyz0jI-iyzP65i*65oUB7N?Ca>J%+uGh;W zu3bB)d0u?4+e3jHT$!$pTbq{Yt(eYjTIH&vbZnEy!EG;CyQ);{_1@1Y)!4PKi6P1T z@DBIc_pU#=zd!41{aG_s5r?N!pZ=0<_vShN?5t{a*v+jAnwW1JG%;TX;>!k2OuH8_ zGchtTiD=!HE8fDtUU0XH%LR{*zhfhhe-%dyK7&F-ZeS!bhqAB|o|$N=`J86X!)rN`_HDt`R(C8Ac6+lbRTnkOPJhoUZs8 z44N3Zm_P~a_KRY_y;T>_J!`ns6x6)YSuc4dL5Y@i9GKSF_mLG?i<;smp^*=XN144F%P6>aLlOR3-=9o3EeJ!Em_jXtu?{ z_b;ZNF!-*p=oVktyF~{wBQ||}{pak6SavQLz(Hl3f(6o2tyyu5MK@dTewLUr|u zPk!8-H_uS@^U-6Oma@w<(^3nwDh!;8c5@%x>c7}{=O&$$^If}x`CS@>R`y-kbnQvq z3|rGZwbk*N^3yUz-8^1RWnyMzU|gJRkZ2$ajAB_n797O{F!utbm02VV#2T=cBL@5+ z1;UJs|5;cKn1Pf5A4q^7B)|epwQb1J0L$K+D&4~lKNr3i-~D#+;ReBn)6C@0skyZ* zKjb$p^5ArCi@mLZoBGUOxn8`f${QQIokM?5z3;USP5ta$r+tK^zT8px6I=SJ&-?cN zg5Mf-jbbI~(H0B$&(F8$xOBkY)Op#~D`g&j5vC9CGF|+|946JrvC-$2*(I&W{S$iG zjmz={+}f}Gf0%n(cdlX|51*~e)U795tNhBI-FrT9S{M7d{%^dZd(J;_nSSiGzQsYd z!ktg%>|egr)Thq+!ZG0qUnjkDnfQI4d`I`iCwG4a+!u~=OVQ_J-&cCwb+&D)MR;Y@ pcZPjiS)Q0*Jt|`qd|uwYsK89iaOUgxl1($Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zBpW0eSOZWFMiy8 z%V{z3eXPyShcgZ<9$u=hxt{ax5f8zj+GU&Hzu3DzA#w4sv%zKBnJF)Ho-O@!m-Wo% zTNQWwxzBk8CYdokU05kQz4@5P{e9PW{XE6H$Jp=5Y>9*mQ`%Ilzgst$SUg{T^I`Yf z<$El9zSX5Bv+Vm7e_-wp$FBU%PSgLM`=!D@@3E+PTH0#App3u8*ZC8=-?tf_y4hyA zztwuL*F@O`(-JgW({ERf*U)4VRjNnm0OY=1l1MR>EA_nsLy-p67#N>yvQS6v4d? 
zOXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q{!BG3 literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..a81d57b98f99badc7f8e09bec0c54ff56323219e GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z{oPeug1-=&!jDrfC9d_G6H(N>0s;^Kq9ZUNFdqg9D+U1t1qUzz0t6BS5b>?X-BICg MWtKXX+b^ge-DF@P!2kdN literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e3ebdc126fcc5849c7895dc47e817972604cf712 GIT binary patch literal 1686 zcmXqLVw=Rp$grS^t=pi9t(}cin~jl`mEC}mk)?^P0w`2s(8S2Qu(83Q&XC)HlZ`o) zg-w_#G}utsKoG>?;Nfyk%*jm4FUreIG!!!s0SU76@CGO5DYz9S<|StqC+8dT8gPTe zxp-K7D$_~~B@M(uTy7o#5Ldx9FFi9aHMJ-+FWpeWKnx_s%)_6VSCU$ko0^iDSdto_ zoG8I>WME`qXkY}SOwCP=q6~rz0t~EyPGZ&OV`h?KWnd8zJIdCuf^%EHfqLg^W&eI} zgAEUISVaEb4UK8qFEHy+f3TkFy05c^1F!61ViI6zV!$wSp|XLZfjlA*m{^2Z1U{}k zb~o^0Ug|Wfskil4$lo>KW#iOp^Jx3d%gD&h%D~*j$jIQsfBbkvQ0k#+7Sk0so`0rR z+x26wc}AK&Pnuw~tXv7p*H>8^D%S{nmF%{D>GmyW-q+4 zoQLOd?yqgOFWIx0bK?)U)$y~HTW`!UD_!~OdJy-l1>2VjXRc}dGxyiQ+guL0T^EiW z=H4W@*=*v<2t)gK+**5`*=$7e)47irUI|+EM@c7O&+GDLwzy{|HqJ^_cYZ3(;6D21 zX0yEbt=!bLcQ2%6b_jL+ZxQJUIK1Opjo>NEFlwNaIxxp6A%_wpIFa!)0L8hOK&fq!S?fcG#AcRrpF7{CChv1M z<}Qu@Z)F;(m%ig}x52xMO>QrK7V>5}zboJLTi|Z_NhO&+xt*JDt-5$>7UQPReQX-R z%hrGBo*$g`a2Z#INvn1Iajz+zOBDn+ZDEP}wn%zfwbC4;hjlT#KkL{xrrO+-pJ1D2 z&{`13b66(Y%F5_lQF@TV-b>GRzBevVn!y}9V`54AG{bG1=BsSFG_AeC=D_hQC;VrJ z`Ki*zvHu3Noy-jPc_J0;~Z}6VFb>cAv4yU~*4xM3KCe_>d z_wrj2gA47Be;&=(x?Mi?9k+?gR>#?aOJs8@TYMXiKGHvPRW0q!@)d#0M46Zw85kEg z9yMq@WFQMHE@b&w#IWacU}gqNE3*KLl?JQ@fdM~AfiNTEe->5)W*}w22NK{139tYY zaT_TXNK`mKnYSeHS+<*%dz5ZfWL`y!7-0*r6eqgZp67oNC@xCWj&@3BVT4FOU2ss9u@HeUp*VPl!m80y5nGQ`nk#jrh+uD zq`>PZg+44%_!xJf?`B7_TwWT(HqB`|;&NHbE8LbX`n2Zm%)Qr}MVIr2ChF#=PgUqN zI<0?YQ(E>@l@oWKnoN$JUoA1|zebg`>(PDfbIJu)Sbfy|;n96YbAztb{%h+F1#a&< z)OaYM^23s}qzAuQ#VyNDyuN@89E;8}u*Y0$e%VK)GIlEW#*9n~n seReTSF`l)0W@u6)huI&#Uv?`e#U5Fmutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() ->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir 
}}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() @@ -1003,9 +1003,9 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1077,9 +1077,9 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1099,9 +1099,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); @@ -1287,9 +1287,9 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -1395,9 +1395,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1422,9 +1422,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1443,9 +1443,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1470,9 +1470,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1620,9 +1620,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1648,9 +1648,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1743,9 +1743,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1765,9 +1765,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1790,9 +1790,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1817,9 +1817,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1842,9 +1842,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -2399,9 +2399,9 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2456,9 +2456,9 @@ TEST_P(SslSocketTest, HalfClose) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2534,14 +2534,193 @@ TEST_P(SslSocketTest, HalfClose) {
 dispatcher_->run(Event::Dispatcher::RunType::Block);
 }
+TEST_P(SslSocketTest, ShutdownWithCloseNotify) {
+ const std::string server_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_certificates:
+ certificate_chain:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ validation_context:
+ trusted_ca:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
+)EOF";
+
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
+ TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
+ auto server_cfg = std::make_unique(server_tls_context, factory_context_);
+ ContextManagerImpl manager(time_system_);
+ Stats::TestUtil::TestStore server_stats_store;
+ ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
+ server_stats_store, std::vector{});
+
+ auto socket = std::make_shared(
+ Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true);
+ Network::MockTcpListenerCallbacks listener_callbacks;
+ Network::MockConnectionHandler connection_handler;
+ Network::ListenerPtr listener =
+ dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE);
+ std::shared_ptr server_read_filter(new Network::MockReadFilter());
+ std::shared_ptr client_read_filter(new Network::MockReadFilter());
+
+ const std::string client_ctx_yaml = R"EOF(
+ common_tls_context:
+ )EOF";
+
+ envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
+ TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context);
+ auto client_cfg = std::make_unique(tls_context, factory_context_);
+ Stats::TestUtil::TestStore client_stats_store;
+ ClientSslSocketFactory
client_ssl_socket_factory(std::move(client_cfg), manager,
+ client_stats_store);
+ Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection(
+ socket->localAddress(), Network::Address::InstanceConstSharedPtr(),
+ client_ssl_socket_factory.createTransportSocket(nullptr), nullptr);
+ Network::MockConnectionCallbacks client_connection_callbacks;
+ client_connection->enableHalfClose(true);
+ client_connection->addReadFilter(client_read_filter);
+ client_connection->addConnectionCallbacks(client_connection_callbacks);
+ client_connection->connect();
+
+ Network::ConnectionPtr server_connection;
+ Network::MockConnectionCallbacks server_connection_callbacks;
+ EXPECT_CALL(listener_callbacks, onAccept_(_))
+ .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void {
+ server_connection = dispatcher_->createServerConnection(
+ std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr),
+ stream_info_);
+ server_connection->enableHalfClose(true);
+ server_connection->addReadFilter(server_read_filter);
+ server_connection->addConnectionCallbacks(server_connection_callbacks);
+ }));
+ EXPECT_CALL(*server_read_filter, onNewConnection());
+ EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected))
+ .WillOnce(Invoke([&](Network::ConnectionEvent) -> void {
+ Buffer::OwnedImpl data("hello");
+ server_connection->write(data, true);
+ EXPECT_EQ(data.length(), 0);
+ }));
+
+ EXPECT_CALL(*client_read_filter, onNewConnection())
+ .WillOnce(Return(Network::FilterStatus::Continue));
+ EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected));
+ EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true))
+ .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus {
+ read_buffer.drain(read_buffer.length());
+ client_connection->close(Network::ConnectionCloseType::NoFlush);
+ return Network::FilterStatus::StopIteration;
+ }));
+
EXPECT_CALL(*server_read_filter, onData(_, true));
+
+ EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose));
+ EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::RemoteClose))
+ .WillOnce(Invoke([&](Network::ConnectionEvent) -> void {
+ server_connection->close(Network::ConnectionCloseType::NoFlush);
+ dispatcher_->exit();
+ }));
+
+ dispatcher_->run(Event::Dispatcher::RunType::Block);
+}
+
+TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) {
+ const std::string server_ctx_yaml = R"EOF(
+ common_tls_context:
+ tls_certificates:
+ certificate_chain:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
+ private_key:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
+ validation_context:
+ trusted_ca:
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
+)EOF";
+
+ envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context;
+ TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context);
+ auto server_cfg = std::make_unique(server_tls_context, factory_context_);
+ ContextManagerImpl manager(time_system_);
+ Stats::TestUtil::TestStore server_stats_store;
+ ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager,
+ server_stats_store, std::vector{});
+
+ auto socket = std::make_shared(
+ Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true);
+ Network::MockTcpListenerCallbacks listener_callbacks;
+ Network::MockConnectionHandler connection_handler;
+ Network::ListenerPtr listener =
+ dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE);
+ std::shared_ptr server_read_filter(new Network::MockReadFilter());
+ std::shared_ptr client_read_filter(new Network::MockReadFilter());
+
+ const std::string client_ctx_yaml = R"EOF(
+ common_tls_context:
+
)EOF";
+
+ envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
+ TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context);
+ auto client_cfg = std::make_unique(tls_context, factory_context_);
+ Stats::TestUtil::TestStore client_stats_store;
+ ClientSslSocketFactory client_ssl_socket_factory(std::move(client_cfg), manager,
+ client_stats_store);
+ Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection(
+ socket->localAddress(), Network::Address::InstanceConstSharedPtr(),
+ client_ssl_socket_factory.createTransportSocket(nullptr), nullptr);
+ Network::MockConnectionCallbacks client_connection_callbacks;
+ client_connection->enableHalfClose(true);
+ client_connection->addReadFilter(client_read_filter);
+ client_connection->addConnectionCallbacks(client_connection_callbacks);
+ client_connection->connect();
+
+ Network::ConnectionPtr server_connection;
+ Network::MockConnectionCallbacks server_connection_callbacks;
+ EXPECT_CALL(listener_callbacks, onAccept_(_))
+ .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void {
+ server_connection = dispatcher_->createServerConnection(
+ std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr),
+ stream_info_);
+ server_connection->enableHalfClose(true);
+ server_connection->addReadFilter(server_read_filter);
+ server_connection->addConnectionCallbacks(server_connection_callbacks);
+ }));
+ EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected))
+ .WillOnce(Invoke([&](Network::ConnectionEvent) -> void {
+ Buffer::OwnedImpl data("hello");
+ server_connection->write(data, false);
+ EXPECT_EQ(data.length(), 0);
+ // Close without sending close_notify alert.
+ const SslHandshakerImpl* ssl_socket =
+ dynamic_cast(server_connection->ssl().get());
+ EXPECT_EQ(ssl_socket->state(), Ssl::SocketState::HandshakeComplete);
+ SSL_set_quiet_shutdown(ssl_socket->ssl(), 1);
+ server_connection->close(Network::ConnectionCloseType::NoFlush);
+ }));
+
+ EXPECT_CALL(*client_read_filter, onNewConnection())
+ .WillOnce(Return(Network::FilterStatus::Continue));
+ EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected));
+ EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true))
+ .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus {
+ read_buffer.drain(read_buffer.length());
+ client_connection->close(Network::ConnectionCloseType::NoFlush);
+ return Network::FilterStatus::StopIteration;
+ }));
+
+ EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose));
+ EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose))
+ .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { dispatcher_->exit(); }));
+
+ dispatcher_->run(Event::Dispatcher::RunType::Block);
+}
+
 TEST_P(SslSocketTest, ClientAuthMultipleCAs) {
 const std::string server_ctx_yaml = R"EOF(
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
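Review bot: In ShutdownWithoutCloseNotify the pointer produced by `dynamic_cast<const SslHandshakerImpl*>(server_connection->ssl().get())` is dereferenced on the very next line (`ssl_socket->state()`) with no check, so a failed cast takes the whole test binary down instead of failing this one test; add `ASSERT_NE(ssl_socket, nullptr);` before the `EXPECT_EQ` (the template argument looks stripped in this rendering, so the cast target is inferred from the declared type). The two new tests never state what observable difference the missing close_notify is meant to make: in the second test the client still receives `onData(BufferStringEqual("hello"), true)` and only a LocalClose, which reads as "a bare TCP FIN is surfaced to the read filter as end-of-stream rather than as a truncation error", so a one-line comment above the `SSL_set_quiet_shutdown` call saying that this is the behaviour being pinned would make the security intent reviewable rather than implicit. As a point of style, `std::shared_ptr<...> server_read_filter(new Network::MockReadFilter())` could be `std::make_shared<Network::MockReadFilter>()`, though it probably mirrors the neighbouring tests that start outside this hunk.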
@@ -2856,9 +3035,9 @@ TEST_P(SslSocketTest, TicketSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2880,9 +3059,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) {
 tls_maximum_protocol_version: TLSv1_2
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2902,9 +3081,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -2931,9 +3110,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2943,9 +3122,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
@@ -2965,9 +3144,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -2977,9 +3156,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
@@ -3140,9 +3319,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: true
 )EOF";
@@ -3158,9 +3337,9 @@ TEST_P(SslSocketTest, SatelessSessionResumptionEnabledExplicitly) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: false
 )EOF";
@@ -3176,9 +3355,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionEnabledByDefault) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3195,9 +3374,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -3208,9 +3387,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -3482,9 +3661,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3503,9 +3682,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) {
 tls_maximum_protocol_version: TLSv1_2
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3525,9 +3704,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) {
 tls_maximum_protocol_version: TLSv1_2
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3550,9 +3729,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) {
 tls_maximum_protocol_version: TLSv1_3
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3575,9 +3754,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) {
 tls_maximum_protocol_version: TLSv1_3
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3596,9 +3775,9 @@ TEST_P(SslSocketTest, SslError) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -4103,9 +4282,9 @@ TEST_P(SslSocketTest, RevokedCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -4147,9 +4326,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem"
@@ -4197,9 +4376,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem"
@@ -4222,9 +4401,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem"
@@ -4286,9 +4465,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem"
@@ -4307,9 +4486,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem"
@@ -4735,9 +4914,9 @@ class SslReadBufferLimitTest : public SslSocketTest {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -4884,13 +5063,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: false
 mode: rsa
@@ -4918,13 +5097,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: decrypt
 sync_mode: false
 mode: rsa
@@ -4952,13 +5131,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: true
 mode: rsa
@@ -4986,13 +5165,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: decrypt
 sync_mode: true
 mode: rsa
@@ -5020,13 +5199,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key_provider:
 provider_name: test
 typed_config:
 "@type": type.googleapis.com/google.protobuf.Struct
 value:
- private_key_file: "{{ test_tmpdir }}/unittestkey.pem"
+ private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 expected_operation: sign
 sync_mode: false
 crypto_error: true
@@ -5055,13 +5234,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true @@ -5090,13 +5269,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa @@ -5124,13 +5303,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa 
@@ -5158,13 +5337,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa @@ -5193,13 +5372,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa @@ -5247,7 +5426,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa 
@@ -5287,7 +5466,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5367,7 +5546,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true @@ -5411,7 +5590,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5438,11 +5617,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5454,7 +5633,8 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); @@ -5468,11 +5648,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5491,11 +5671,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5514,11 +5694,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5537,9 +5717,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; @@ -5558,11 +5738,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -5582,11 +5762,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5606,11 +5786,11 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; 
@@ -5626,7 +5806,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio {{"envoy.reloadable_features.check_ocsp_policy", "false"}}); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); testUtil(test_options.enableOcspStapling() @@ -5639,9 +5821,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoRespo common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
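Review bot: The new `ocsp_response_path` literal is written as `"{{ test_rundir " "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"`, which splits the `{{ test_rundir }}` template token across two adjacent string literals; the compiler concatenates them so `TestEnvironment::substitute` still sees the whole token, but anyone grepping for the placeholder will miss this occurrence. The same full directory prefix is also spelled out in the TestStaplesOcspResponseSuccess and TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst hunks. A single file-scope constant such as `const std::string kOcspTestDataDir = "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/";` used as `kOcspTestDataDir + "revoked_ocsp_resp.der"` would keep the placeholder intact and remove the duplication. The enclosing test body starts before this hunk.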
@@ -5667,17 +5849,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5689,7 +5871,8 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 )EOF"; - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -5703,17 +5886,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index d3ad086c98d4..b1155f18d9fe 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -256,3 +256,7 @@ openssl rand 79 > ticket_key_wrong_len # Generate a certificate with no subject CN and no altnames. generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca + +# Generate unit test certificate +generate_rsa_key unittest +generate_selfsigned_x509_cert unittest 
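Review bot: The added `generate_selfsigned_x509_cert unittest` call in certs.sh inherits whatever validity window the helper applies, and the unittest_cert_info.h added in the same series records NOT_BEFORE Oct 21 23:07:58 2020 and NOT_AFTER Oct 21 23:07:58 2022, so the SslSocketTest cases that now load unittest_cert.pem from test_rundir will start failing once that window closes unless the material is regenerated. A comment next to the two new lines naming that coupling, e.g. `# unittest_cert.pem, unittest_key.pem and unittest_cert_info.h must be regenerated together; ssl_socket_test loads them from test_rundir.`, would make the maintenance expectation explicit. The cfg file also sets commonName to "Unit Test CA" for what the tests use as a leaf server certificate; if that naming is deliberate, a one-line note in unittest_cert.cfg would save the next reader a question.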
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
new file mode 100644
index 000000000000..2e485f9fa0c5
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
@@ -0,0 +1,23 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = US
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Unit Test CA
+commonName_default = Unit Test CA
+commonName_max = 64
+emailAddress = unittest@lyft.com
+emailAddress_default = unittest@lyft.com
+emailAddress_max = 64
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
new file mode 100644
index 000000000000..6ff804b3e4de
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqsCFFhdk4KsJ1P+AdrZbrUMmzyfNxrPMA0GCSqGSIb3DQEBCwUAMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTAeFw0yMDEwMjEyMzA3NThaFw0yMjEwMjEyMzA3NThaMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL93
+hRLp1s4yNZHUzG+ofX13rgNfiRC9pFVJt4aZYldh440+ZfQDotPsQCaa1Nm+zPHz
+leZCxWfRVK82VGWmVy3PLExzuMr8Ar/ypwvQXxnCaZAeIYd1e917LM21jHu/CfV8
+VLF1ZtrknowZWoCll1CarmYDkQfYDSk+RcQo8XIkLeYV5JHbGK7jGoDMYmBO2Gdp
+XW4FpVi9vb7pRUfUu3ot0q1SCYGew+YrwT3yWteku66nw8cutIQEbEo00OI8wbHG
+Vuh7yY8bTdBS9r4rsQpOCSm6k5a1eKPpv8CfJdKyuXDbx2gbvFjFF6hjgp8+LCE2
+0GpLvf0VMxOVf9XZE/cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAt9aJc3imaGQD
+1+c81ZiItdBpFJRLuO1MHmXgwJUnouJz4uT+KFkDbThaABg/L3Q/s0boWy+u9S5s
+ae8FcFvniMUBIjKzkizw6ZI6xTG6VMPDTklwWxNrNEzIBkNrcUkje/X/reyi56B+
+cbjpRJ8j0joV6xqBMFn+qMPIvAMSDJD4lMnjSxGZliDIlPvuk96RVNlF8Y18d/6G
+ThWuVgN3CyoG+JXs2sSGbqLzWCnB8zgU0VN7CZZu4yh/cE9uNc0z5M66Adrh4eJl
+pO/WWWxXHxIveRtH7DV9vhWE78KJRCcIec5Ta+X1evX1beKiNZd/5Elkyb613hTJ
+lCkcOlSebQ==
+-----END CERTIFICATE-----
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
new file mode 100644
index 000000000000..bc725d6e6b4e
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
@@ -0,0 +1,8 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_UNITTEST_CERT_256_HASH[] =
+    "36c86c016f8b243b681a094c11d394ac06edac336a3ece479a1b2eeb455b1492";
+constexpr char TEST_UNITTEST_CERT_1_HASH[] = "82be621a0f4b6046365496788befbe2e95977eb1";
+constexpr char TEST_UNITTEST_CERT_SPKI[] = "eWpfAfOA1JddINxIW/64Lc6XHpeo0u9IHx6dE42p9jw=";
+constexpr char TEST_UNITTEST_CERT_SERIAL[] = "585d9382ac2753fe01dad96eb50c9b3c9f371acf";
+constexpr char TEST_UNITTEST_CERT_NOT_BEFORE[] = "Oct 21 23:07:58 2020 GMT";
+constexpr char TEST_UNITTEST_CERT_NOT_AFTER[] = "Oct 21 23:07:58 2022 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
new file mode 100644
index 000000000000..dd3456d15fb6
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAv3eFEunWzjI1kdTMb6h9fXeuA1+JEL2kVUm3hpliV2HjjT5l
+9AOi0+xAJprU2b7M8fOV5kLFZ9FUrzZUZaZXLc8sTHO4yvwCv/KnC9BfGcJpkB4h
+h3V73XsszbWMe78J9XxUsXVm2uSejBlagKWXUJquZgORB9gNKT5FxCjxciQt5hXk
+kdsYruMagMxiYE7YZ2ldbgWlWL29vulFR9S7ei3SrVIJgZ7D5ivBPfJa16S7rqfD
+xy60hARsSjTQ4jzBscZW6HvJjxtN0FL2viuxCk4JKbqTlrV4o+m/wJ8l0rK5cNvH
+aBu8WMUXqGOCnz4sITbQaku9/RUzE5V/1dkT9wIDAQABAoIBAFZlFAMIyQiZ11pK
+b0Ui/h0TV83l2e9X40Mo1EtEAv/zB77AHTkSOvLtc7T3wHvQgKHcjBMupezGpDO7
+jDGh8UyWYyLMROIy/Pqn/4BxMbhp5UBGmFKLTK0P25OnDBD6jv/abkz08MhsyK3m
+8tOB5NlWMsONcG/dqXKmysxMvUYHDMlF3Re5PmvyWVKpclqYxWWXRSAy/FygSUPN
+bCwKSv1QXytNefkN7n/G8WaGLU52pff3HMpt4JwTl5rnOiPRZGowFPJnNgO9uW85
+Rj620Db+MZzmJvTeSkxgpIUYUuDtgrvARYa+4y0Lajl4EHkCKg0YYzXbDPORFQ3M
+WwN9LqECgYEA8B5I/lYU2QNyIlHjXx2KeKArCriL5sd0KCBHgcE586wyVb5vonET
+ovNq8IH+2F4h8d+gbkzoQ2oGYsmM1AiCoxkio6c2KgAUHBbpGfjf92zSDirqBTqg
+xha25eXElbu44EkiDWxpy944LkFlNiCLb9+5yqyfqqyixvxRtSBWtAsCgYEAzCF2
+WFn73i7zBNA/6yjodLUXy0BUjL38WV4HU3WDEbPp28e/+NLoWXH/B9BH950J+EGI
+LPwjpk6ODhYeMknsdzYV8X5RkOuft7B0yrrdInN+vtIlvZmRd47esuJTcnj3zuUB
+2B4TkmWUFf6kLn+TXwLB0wbsj9ieZMJzQkdSx0UCgYEAlBjJwnyLTTHv4jUJfK+2
+qSF4ips6RnN8NAd8sw3fVWg+f13+cn01tEpYCdDTwtWEMC9SPtWWZ4XsPF+9SUWa
+dUfacn9+S7dSr+R9jvROBsgKYoybW/BGGwcFdZQahJOMumDA7PCR7Bi6I+VXrGO0
+PKMLb3K648SofPxA1OsGLvMCgYEAqzOhYuZNRIIR1cam5R6RH1jGlPPmNYgdvgIL
+mOakv9Mp3ud/zTtuHZ5rK212/mhZ9TlY8YmiiJe3sn7AYqL3TOAytTChTi8f7Fp1
+CZaBYqSE95uehY7nnuNXSaZiIE7uXzpYOp63AYBqG6xOnKTov7W7Q7a57sbZyV4A
+duUEuxUCgYEAnxFo8ln1H2QcxQS/y8l8r4MRXj9weDhlp/eXtfgd8JiJ5m+E6r+D
+tr2wg6Q92ertogdaMvXiPfi/5qiTqsJvTahqx1E2WYRHxywkfbte1a/3bGNxe3Gr
+bba7Pd1JXwJ1s8ahB7yoS/xyYLSl5fmE3N14j8wwkmtv1q3TNstmg3Y=
+-----END RSA PRIVATE KEY-----
From 08c9c49a46fcbf153919f8aef7f403569b378654 Mon Sep 17 00:00:00 2001
From: Taylor Barrella Date: Thu, 14 Jan 2021 16:04:29 -0800 Subject: [PATCH 7/7] backport to 1.16: aggregate cluster: fix TLS init issue (#14456) Additional Description: Based on #14388 Risk Level: Low Testing: Build and run the repro from #14119 without crashing, `bazel test test/extensions/clusters/aggregate:cluster_test` Docs Changes: N/A Release Notes: #14119 Signed-off-by: Taylor Barrella --- docs/root/version_history/current.rst | 1 + source/extensions/clusters/aggregate/cluster.cc | 4 +++- test/mocks/thread_local/mocks.h | 9 ++++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index ce19f6f7fbca..97285daa7e90 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -13,6 +13,7 @@ Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* +* aggregate cluster: fixed a crash due to a TLS initialization issue. * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). * tls: fix detection of the upstream connection close event. diff --git a/source/extensions/clusters/aggregate/cluster.cc b/source/extensions/clusters/aggregate/cluster.cc index 958c678d0202..2042ffe866a9 100644 --- a/source/extensions/clusters/aggregate/cluster.cc +++ b/source/extensions/clusters/aggregate/cluster.cc 
@@ -20,7 +20,9 @@ Cluster::Cluster(const envoy::config::cluster::v3::Cluster& cluster, : Upstream::ClusterImplBase(cluster, runtime, factory_context, std::move(stats_scope), added_via_api), cluster_manager_(cluster_manager), runtime_(runtime), random_(random), - tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) {} + tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) { + tls_->set([](Event::Dispatcher&) { return nullptr; }); +} PriorityContextPtr Cluster::linearizePrioritySet(const std::function& skip_predicate) { diff --git a/test/mocks/thread_local/mocks.h b/test/mocks/thread_local/mocks.h index dc6518c5068a..b3cdd0cc5539 100644 --- a/test/mocks/thread_local/mocks.h +++ b/test/mocks/thread_local/mocks.h @@ -58,17 +58,23 @@ class MockInstance : public Instance { } // ThreadLocal::Slot - ThreadLocalObjectSharedPtr get() override { return parent_.data_[index_]; } + ThreadLocalObjectSharedPtr get() override { + EXPECT_TRUE(was_set_); + return parent_.data_[index_]; + } bool currentThreadRegistered() override { return parent_.registered_; } void runOnAllThreads(const UpdateCb& cb) override { + EXPECT_TRUE(was_set_); parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); }); } void runOnAllThreads(const UpdateCb& cb, Event::PostCb main_callback) override { + EXPECT_TRUE(was_set_); parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); }, main_callback); } void set(InitializeCb cb) override { + was_set_ = true; if (parent_.defer_data) { parent_.deferred_data_[index_] = cb; } else { @@ -78,6 +84,7 @@ class MockInstance : public Instance { MockInstance& parent_; const uint32_t index_; + bool was_set_{}; // set() must be called before other functions. }; void call() {
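Review bot: The constructor body now installs a placeholder with `tls_->set([](Event::Dispatcher&) { return nullptr; });`, so a `get()` or `getTyped<>()` on the slot that runs before the real per-thread object is installed will receive a null shared pointer rather than trip the mock's new `EXPECT_TRUE(was_set_)`; presumably the real object is set later in an initialization path outside this hunk, but any reader in between now fails on a null dereference instead of on an unset slot. A why-comment on the new line would make that contract explicit, e.g. `// Mark the slot as set before any worker can read it; the real per-thread object is installed once the cluster finishes initializing (confirm against the init path).`. Cluster::Cluster's initializer list starts before this hunk.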
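Review bot: In the mocks.h hunk, `set()` flips `was_set_ = true` before checking `parent_.defer_data`, so when data is deferred the new `EXPECT_TRUE(was_set_)` in `get()` and both `runOnAllThreads` overloads will pass while `parent_.data_[index_]` has not yet been populated by the deferred callback; if the intent is to catch reads before the slot holds a value, that window is not covered. Since `EXPECT_TRUE` is non-fatal, `get()` also still returns the entry after reporting the failure, which is fine for a mock but worth stating next to the `bool was_set_{};` comment, e.g. `// set() must be called before other functions; with defer_data the value is still absent until the deferred callback runs.`. The MockInstance class starts before and continues past this hunk.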