test: Check in all TLS test certs (envoyproxy#13702)

* test: Check in all TLS test certs

- Will prevent openssl fork-emulation issues on Windows/msys2 that cause
  test flakiness
- modifies context_impl_test to no longer requires a cert that is
  generated on the fly to expire in 15 days

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

test/extensions/transport_sockets/tls/BUILD

@@ -16,12 +16,11 @@ envoy_cc_test(
         "ssl_socket_test.cc",
     ],
     data = [
-        "gen_unittest_certs.sh",
         # TODO(mattklein123): We should consolidate all of our test certs in a single place as
         # right now we have a bunch of duplication which is confusing.
         "//test/config/integration/certs",
+        "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
         "//test/extensions/transport_sockets/tls/test_data:certs",
-        "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
     ],
     external_deps = ["ssl"],
     shard_count = 4,
@@ -74,12 +73,9 @@ envoy_cc_test(
         "ssl_certs_test.h",
     ],
     data = [
-        "gen_unittest_certs.sh",
-        "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
+        "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
         "//test/extensions/transport_sockets/tls/test_data:certs",
     ],
-    # Fails intermittantly on local build
-    tags = ["flaky_on_windows"],
     deps = [
         ":ssl_test_utils",
         "//source/common/common:base64_lib",
@@ -121,8 +117,6 @@ envoy_cc_test(
         "utility_test.cc",
     ],
     data = [
-        "gen_unittest_certs.sh",
-        "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data",
         "//test/extensions/transport_sockets/tls/test_data:certs",
     ],
     external_deps = ["ssl"],
@@ -171,14 +165,9 @@ envoy_cc_test(
     name = "handshaker_test",
     srcs = ["handshaker_test.cc"],
     data = [
-        "gen_unittest_certs.sh",
-        "//test/config/integration/certs",
         "//test/extensions/transport_sockets/tls/test_data:certs",
     ],
     external_deps = ["ssl"],
-    # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows
-    # See: https://github.com/envoyproxy/envoy/pull/13276
-    tags = ["flaky_on_windows"],
     deps = [
         ":ssl_socket_test",
         ":ssl_test_utils",

test/extensions/transport_sockets/tls/handshaker_test.cc

@@ -82,8 +82,8 @@ class HandshakerTest : public SslCertsTest {
 
   // Read in key.pem and return a new private key.
   bssl::UniquePtr<EVP_PKEY> makeKey() {
-    std::string file = TestEnvironment::readFileToStringForTest(
-        TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem"));
+    std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
+        "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
     std::string passphrase = "";
     bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(file.data(), file.size()));
 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest {
 
   // Read in cert.pem and return a certificate.
   bssl::UniquePtr<CRYPTO_BUFFER> makeCert() {
-    std::string file = TestEnvironment::readFileToStringForTest(
-        TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem"));
+    std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(
+        "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
     bssl::UniquePtr<BIO> bio(BIO_new_mem_buf(file.data(), file.size()));
 
     uint8_t* data = nullptr;

test/extensions/transport_sockets/tls/ocsp/BUILD

@@ -14,13 +14,9 @@ envoy_cc_test(
         "ocsp_test.cc",
     ],
     data = [
-        ":gen_ocsp_data",
+        "//test/extensions/transport_sockets/tls/ocsp/test_data:certs",
     ],
     external_deps = ["ssl"],
-    # TODO: Diagnose intermittent failure on Windows; this script uses the
-    # locally deployed openssl for test cert creation and manipulation, rather
-    # than envoy's current build of the most current openssl tool
-    tags = ["flaky_on_windows"],
     deps = [
         "//source/common/filesystem:filesystem_lib",
         "//source/extensions/transport_sockets/tls:utility_lib",
@@ -44,8 +40,3 @@ envoy_cc_test(
         "//test/extensions/transport_sockets/tls:ssl_test_utils",
     ],
 )
-
-filegroup(
-    name = "gen_ocsp_data",
-    srcs = ["gen_unittest_ocsp_data.sh"],
-)

test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc

@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility;
 
 class OcspFullResponseParsingTest : public testing::Test {
 public:
-  static void SetUpTestSuite() { // NOLINT(readability-identifier-naming)
-    TestEnvironment::exec({TestEnvironment::runfilesPath(
-        "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")});
-  }
-
   std::string fullPath(std::string filename) {
-    return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename);
+    return TestEnvironment::substitute(
+        "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename);
   }
 
   std::vector<uint8_t> readFile(std::string filename) {
@@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) {
 }
 
 TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) {
-  auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24);
-  time_system_.setSystemTime(next_week);
+  auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10);
+  time_system_.setSystemTime(ten_years_forward);
   setup("good_ocsp_resp.der");
   // nextUpdate is present but in the past
   EXPECT_TRUE(response_->isExpired());

test/extensions/transport_sockets/tls/ocsp/test_data/BUILD

@@ -0,0 +1,13 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+filegroup(
+    name = "certs",
+    srcs = glob(["*"]),
+)

test/extensions/transport_sockets/tls/ocsp/test_data/README.md

@@ -0,0 +1,30 @@
+# What are the identities, certificates and keys
+There are 8 identities:
+- **CA**: Certificate Authority for all fixtures in this directory. It has the
+  self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key.
+- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**.
+  It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem*
+  is its private key.
+- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP
+  request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as
+  *good_ocsp_resp_details.txt*.
+- **Responder Key Hash** An OCSP request and response pair for the **Good** cert
+  with responder key hash replacing the name in *responder_key_hash_ocsp_req.der*
+  and *responder_key_hash_ocsp_resp.der*
+- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the
+  **CA**. A corresponding OCSP request and revoked response are included in
+  *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*.
+- **Unknown** An OCSP request and unknown status response is generated in
+  *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate
+  is signed by **CA** not **Intermediate CA**.
+- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key
+  (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*).
+- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are
+  generated with **CA** as the signer for the **Good** and **Revoked** certs in
+  *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*.
+
+# How to update certificates
+**certs.sh** has the commands to generate all files. Running certs.sh directly
+will cause all files to be regenerated. So if you want to regenerate a
+particular file, please copy the corresponding commands from certs.sh and
+execute them in command line.

test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL
+BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n
+aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy
+NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV
+BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg
+RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9
+QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD
+dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk
++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC
+x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E
+gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD
+5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54
+hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL
+BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR
+2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI
+0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h
+jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG
+E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT
+zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc=
+-----END CERTIFICATE-----

test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF
+ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k
+iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v
+c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf
+HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7
+Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ
+MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W
+WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo
+qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE
+ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1
+Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs
+Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3
+8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG
+0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ
+vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy
+0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP
+vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM
+1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9
+kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL
++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS
+ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS
+LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3
+FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o
+O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ
+Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu
+-----END RSA PRIVATE KEY-----

test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh → test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh

@@ -4,23 +4,21 @@
 
 set -e
 
+readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730}
+readonly HERE=$(cd "$(dirname "$0")" && pwd)
+
+cd "$HERE" || exit 1
 trap cleanup EXIT
+
 cleanup() {
-  rm -f ./*_index*
-  rm -f ./*.csr
-  rm -f ./*.cnf
-  rm -f ./*_serial*
+    rm -f ./*.cnf
+    rm -f ./*.csr
+    rm -f ./*_index*
+    rm -f ./*_serial*
+    rm -f ./*.srl
+    rm -f ./100*.pem
 }
 
-[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)"
-
-TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data"
-mkdir -p "${TEST_OCSP_DIR}"
-
-rm -f "${TEST_OCSP_DIR}"/*
-
-cd "$TEST_OCSP_DIR" || exit 1
-
 ##################################################
 # Make the configuration file
 ##################################################
@@ -55,17 +53,17 @@ commonName_max  = 64
 default_ca = CA_default
 
 [ CA_default ]
-dir           = ${TEST_OCSP_DIR}
-certs         = ${TEST_OCSP_DIR}
-new_certs_dir = ${TEST_OCSP_DIR}
-serial        = ${TEST_OCSP_DIR}
-database      = ${TEST_OCSP_DIR}/$2_index.txt
-serial        = ${TEST_OCSP_DIR}/$2_serial
+dir           = ${HERE}
+certs         = ${HERE}
+new_certs_dir = ${HERE}
+serial        = ${HERE}
+database      = ${HERE}/$2_index.txt
+serial        = ${HERE}/$2_serial
 
-private_key   = ${TEST_OCSP_DIR}/$2_key.pem
-certificate   = ${TEST_OCSP_DIR}/$2_cert.pem
+private_key   = ${HERE}/$2_key.pem
+certificate   = ${HERE}/$2_cert.pem
 
-default_days  = 375
+default_days  = ${DEFAULT_VALIDITY_DAYS}
 default_md    = sha256
 preserve      = no
 policy        = policy_default
@@ -102,7 +100,7 @@ generate_ca() {
     -config "${1}.cnf" -batch -sha256
   openssl x509 -req \
     -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \
-    -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}"
+    -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}"
 }
 
 # $1=<certificate name> $2=<CA name> $3=[req args]
@@ -153,7 +151,7 @@ generate_ca intermediate_ca ca
 # Generate valid cert and OCSP response
 generate_config good ca
 generate_rsa_cert good ca
-generate_ocsp_response good ca good -ndays 7
+generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}"
 dump_ocsp_details good ca
 
 # Generate OCSP response with the responder key hash instead of name

test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK
+DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe
+Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw
+EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0
+IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/
+o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW
+76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR
+tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3
+FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7
+rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je
+BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV
+gDVhAiuki1Lwuzo=
+-----END CERTIFICATE-----

test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49
+AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc
+yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w==
+-----END EC PRIVATE KEY-----