Update TLS unit test certificates (#4028) (#4069)

* Refs #16199: Update CA certificates

Signed-off-by: RaulSanchez <raul@eprosima.com>

* Update TLS unit test certificates (#4028)

* Refs #19937: Update TLS unit test certificates

Signed-off-by: EduPonz <eduardoponz@eprosima.com>

* Refs #19937: Enable TLS tests in all github CIs

Signed-off-by: EduPonz <eduardoponz@eprosima.com>

---------

Signed-off-by: EduPonz <eduardoponz@eprosima.com>

---------

Signed-off-by: RaulSanchez <raul@eprosima.com>
Signed-off-by: EduPonz <eduardoponz@eprosima.com>
Co-authored-by: RaulSanchez <raul@eprosima.com>
Co-authored-by: Eduardo Ponz Segrelles <eduardoponz@eprosima.com>

.github/workflows/config/asan_colcon.meta

@@ -12,6 +12,7 @@
                 "-DFASTRTPS_API_TESTS=ON",
                 "-DFASTDDS_PIM_API_TESTS=ON",
                 "-DPERFORMANCE_TESTS=ON",
+                "-DNO_TLS=OFF",
                 "-DSECURITY=ON",
                 "-DFASTDDS_STATISTICS=ON",
                 "-DSANITIZER=Address",

.github/workflows/config/default_ci.meta

@@ -10,7 +10,7 @@
                 "-DFASTRTPS_API_TESTS=OFF",
                 "-DFASTDDS_PIM_API_TESTS=ON",
                 "-DPERFORMANCE_TESTS=ON",
-                "-DNO_TLS=ON",
+                "-DNO_TLS=OFF",
                 "-DSECURITY=ON",
                 "-DMEMORYCHECK_COMMAND_OPTIONS=-q --tool=memcheck --leak-check=yes --show-reachable=yes
                     --num-callers=50 --log-fd=2 --error-exitcode=1",

.github/workflows/config/nightly.meta

@@ -10,7 +10,7 @@
                 "-DFASTRTPS_API_TESTS=OFF",
                 "-DFASTDDS_PIM_API_TESTS=ON",
                 "-DPERFORMANCE_TESTS=ON",
-                "-DNO_TLS=ON",
+                "-DNO_TLS=OFF",
                 "-DMEMORYCHECK_COMMAND_OPTIONS=-q --tool=memcheck --leak-check=yes --show-reachable=yes
                     --num-callers=50 --log-fd=2 --error-exitcode=1",
                 "-DMEMORYCHECK_SUPPRESSIONS_FILE=../../src/fastrtps/valgrind.supp"

.github/workflows/config/tsan_colcon.meta

@@ -20,6 +20,7 @@
                 "-DFASTRTPS_API_TESTS=OFF",
                 "-DFASTDDS_PIM_API_TESTS=ON",
                 "-DPERFORMANCE_TESTS=ON",
+                "-DNO_TLS=OFF",
                 "-DSECURITY=ON",
                 "-DFASTDDS_STATISTICS=ON",
                 "-DCMAKE_C_FLAGS='-fsanitize=thread -O2 -g -fno-omit-frame-pointer'",

test/unittest/transport/CMakeLists.txt

@@ -32,12 +32,14 @@ if(TLS_FOUND)
         ${CMAKE_CURRENT_BINARY_DIR}/mainsubcert.pem COPYONLY)
     configure_file(${PROJECT_SOURCE_DIR}/test/certs/mainsubkey.pem
         ${CMAKE_CURRENT_BINARY_DIR}/mainsubkey.pem COPYONLY)
-    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/ca.pem
-        ${CMAKE_CURRENT_BINARY_DIR}/ca.pem COPYONLY)
-    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/server.pem
-        ${CMAKE_CURRENT_BINARY_DIR}/server.pem COPYONLY)
-    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/dh2048.pem
-        ${CMAKE_CURRENT_BINARY_DIR}/dh2048.pem COPYONLY)
+    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/certs/ca.crt
+        ${CMAKE_CURRENT_BINARY_DIR}/ca.crt COPYONLY)
+    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/certs/fastdds.crt
+        ${CMAKE_CURRENT_BINARY_DIR}/fastdds.crt COPYONLY)
+    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/certs/fastdds.key
+        ${CMAKE_CURRENT_BINARY_DIR}/fastdds.key COPYONLY)
+    configure_file(${PROJECT_SOURCE_DIR}/test/unittest/transport/certs/dh_params.pem
+        ${CMAKE_CURRENT_BINARY_DIR}/dh_params.pem COPYONLY)
     #configure_file(${PROJECT_SOURCE_DIR}/test/certs/governance_helloworld_all_enable.smime
     #    ${CMAKE_CURRENT_BINARY_DIR}/governance_helloworld_all_enable.smime COPYONLY)
     #configure_file(${PROJECT_SOURCE_DIR}/test/certs/permissions_helloworld.smime

test/unittest/transport/TCPv4Tests.cpp

@@ -470,23 +470,26 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_client_verifies)
     TCPv4TransportDescriptor recvDescriptor;
     recvDescriptor.add_listener_port(g_default_port);
     recvDescriptor.apply_security = true;
-    recvDescriptor.tls_config.password = "test";
-    recvDescriptor.tls_config.cert_chain_file = "server.pem";
-    recvDescriptor.tls_config.private_key_file = "server.pem";
-    recvDescriptor.tls_config.tmp_dh_file = "dh2048.pem";
+    recvDescriptor.tls_config.password = "fastddspwd";
+    recvDescriptor.tls_config.cert_chain_file = "fastdds.crt";
+    recvDescriptor.tls_config.private_key_file = "fastdds.key";
+    recvDescriptor.tls_config.tmp_dh_file = "dh_params.pem";
+    recvDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER;
     recvDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
     recvDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);
-    //recvDescriptor.tls_config.add_option(TLSOptions::NO_COMPRESSION);
     recvDescriptor.tls_config.add_option(TLSOptions::NO_SSLV2);
-    //recvDescriptor.tls_config.add_option(TLSOptions::NO_SSLV3);
+    recvDescriptor.tls_config.add_option(TLSOptions::NO_COMPRESSION);
     TCPv4Transport receiveTransportUnderTest(recvDescriptor);
     receiveTransportUnderTest.init();
 
     TCPv4TransportDescriptor sendDescriptor;
     sendDescriptor.apply_security = true;
-    //sendDescriptor.tls_config.password = "test";
-    sendDescriptor.tls_config.verify_file = "ca.pem";
+    sendDescriptor.tls_config.verify_file = "ca.crt";
     sendDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER;
+    recvDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
+    sendDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);
+    sendDescriptor.tls_config.add_option(TLSOptions::NO_SSLV2);
+    recvDescriptor.tls_config.add_option(TLSOptions::NO_COMPRESSION);
     TCPv4Transport sendTransportUnderTest(sendDescriptor);
     sendTransportUnderTest.init();
 
@@ -565,8 +568,7 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_server_verifies)
     recvDescriptor.add_listener_port(g_default_port);
     recvDescriptor.apply_security = true;
     recvDescriptor.tls_config.handshake_role = TLSHSRole::CLIENT;
-    recvDescriptor.tls_config.password = "test";
-    recvDescriptor.tls_config.verify_file = "maincacert.pem";
+    recvDescriptor.tls_config.verify_file = "ca.crt";
     recvDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER;
     recvDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
     recvDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);
@@ -578,10 +580,10 @@ TEST_F(TCPv4Tests, send_and_receive_between_secure_ports_server_verifies)
     TCPv4TransportDescriptor sendDescriptor;
     sendDescriptor.apply_security = true;
     sendDescriptor.tls_config.handshake_role = TLSHSRole::SERVER;
-    sendDescriptor.tls_config.password = "test";
-    sendDescriptor.tls_config.cert_chain_file = "server.pem";
-    sendDescriptor.tls_config.private_key_file = "server.pem";
-    sendDescriptor.tls_config.tmp_dh_file = "dh2048.pem";
+    sendDescriptor.tls_config.password = "fastddspwd";
+    sendDescriptor.tls_config.cert_chain_file = "fastdds.crt";
+    sendDescriptor.tls_config.private_key_file = "fastdds.key";
+    sendDescriptor.tls_config.tmp_dh_file = "dh_params.pem";
     sendDescriptor.tls_config.verify_mode = TLSVerifyMode::VERIFY_PEER | TLSVerifyMode::VERIFY_FAIL_IF_NO_PEER_CERT;
     sendDescriptor.tls_config.add_option(TLSOptions::DEFAULT_WORKAROUNDS);
     sendDescriptor.tls_config.add_option(TLSOptions::SINGLE_DH_USE);

test/unittest/transport/certs/README.md

@@ -0,0 +1,60 @@
+# FAST DDS SECURITY RESOURCES
+
+This directory contains several sample files needed to implement secure **TLS over TCP** communication.
+These files are required to configure the TCP transport protocol with TLS in Fast DDS.
+
+> :warning: Do not use these files in a real scenario. Generate your own certificates and parameters.
+
+## COMMANDS
+
+Following are the commands used to generate this example's keys and certificates
+
+### Certification Authority (CA)
+
+```sh
+# Generate the Certificate Authority (CA) Private Key > ca.key
+openssl ecparam -name prime256v1 -genkey -noout -out ca.key
+# openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out ca.key -passout pass:cakey # with password
+
+# Generate the Certificate Authority Certificate > ca.crt
+openssl req -new -x509 -sha256 -key ca.key -out ca.crt -days 1825 -config ca.cnf
+# openssl req -new -x509 -sha256 -key ca.key -out ca.crt -days 1825 -config ca.cnf -passin pass:cakey # with password
+```
+
+### Fast DDS Certificate
+
+```sh
+# Generate the Fast DDS Certificate Private Key > fastdds.key
+openssl ecparam -name prime256v1 -genkey -noout -out fastdds.key
+# openssl ecparam -name prime256v1 -genkey | openssl ec -aes256 -out fastdds.key -passout pass:fastddspwd # with password
+
+# Generate the Fast DDS Certificate Signing Request  > fastdds.csr
+openssl req -new -sha256 -key fastdds.key -out fastdds.csr -config fastdds.cnf
+# openssl req -new -sha256 -key fastdds.key -out fastdds.csr -config fastdds.cnf -passin pass:fastddspwd # with password
+
+# Generate the Fast DDS Certificate (computed on the CA side) > fastdds.crt
+openssl x509 -req -in fastdds.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out fastdds.crt -days 1825 -sha256
+# openssl x509 -req -in fastdds.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out fastdds.crt -days 1825 -sha256 -passin pass:cakey # with password
+```
+
+### DH PARAMETERS
+
+```sh
+# Generate the Diffie-Hellman (DF) parameters to define how OpenSSL performs the DF key-exchange > dh_params.pem
+openssl dhparam -out dh_params.pem 2048
+```
+
+## Use
+
+```cpp
+TCPv4TransportDescriptor recvDescriptor;
+recvDescriptor.apply_security = true;
+recvDescriptor.tls_config.password = "fastdds";
+recvDescriptor.tls_config.cert_chain_file = "fastdds.crt";
+recvDescriptor.tls_config.private_key_file = "fastdds.key";
+recvDescriptor.tls_config.tmp_dh_file = "dh2048.pem";
+
+TCPv4TransportDescriptor sendDescriptor;
+sendDescriptor.apply_security = true;
+sendDescriptor.tls_config.verify_file = "ca.crt";
+```

test/unittest/transport/certs/ca.cnf

@@ -0,0 +1,14 @@
+# Configuration file for CA request
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+countryName            = ES
+stateOrProvinceName    = MA
+localityName           = Madrid
+organizationName       = eProsima
+organizationalUnitName = eProsima
+commonName             = eProsima CA
+emailAddress           = support@eprosima.com

test/unittest/transport/certs/ca.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFDCCAbsCFDIlAUpPsmDIvCdkZWk4YACbWvCIMAoGCCqGSM49BAMCMIGMMQsw
+CQYDVQQGEwJFUzELMAkGA1UECAwCTUExDzANBgNVBAcMBk1hZHJpZDERMA8GA1UE
+CgwIZVByb3NpbWExETAPBgNVBAsMCGVQcm9zaW1hMRQwEgYDVQQDDAtlUHJvc2lt
+YSBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBlcHJvc2ltYS5jb20wHhcNMjMx
+MTE3MDcwODIzWhcNMjgxMTE1MDcwODIzWjCBjDELMAkGA1UEBhMCRVMxCzAJBgNV
+BAgMAk1BMQ8wDQYDVQQHDAZNYWRyaWQxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYD
+VQQLDAhlUHJvc2ltYTEUMBIGA1UEAwwLZVByb3NpbWEgQ0ExIzAhBgkqhkiG9w0B
+CQEWFHN1cHBvcnRAZXByb3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAEs4pxHmiZi+/ze7NvNNSFbcKEB6bVZ21gl5ERxioMDUkDR0K9NANvCskAiOsS
+J2af5dmj/H35NGHm5A1DxbCsSzAKBggqhkjOPQQDAgNHADBEAiA3BeLmwYptJ1Mx
+6dEwKb972V8kPu784iJ75/hIWYMAAwIgB+W/TFXYffZu1IwedhkQZ349KSYKNhl4
+UFg1oI2OFHU=
+-----END CERTIFICATE-----

test/unittest/transport/certs/ca.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOCJ0vBvNovjuZGUFBKcg9O8ikmRKyZTQxSuGE7iFWZFoAoGCCqGSM49
+AwEHoUQDQgAEs4pxHmiZi+/ze7NvNNSFbcKEB6bVZ21gl5ERxioMDUkDR0K9NANv
+CskAiOsSJ2af5dmj/H35NGHm5A1DxbCsSw==
+-----END EC PRIVATE KEY-----

test/unittest/transport/certs/ca.srl

@@ -0,0 +1 @@
+331DDA80816B3193F7538FF21576275FA01CD950

test/unittest/transport/certs/dh_params.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAzCEhe/gGZrlKlCXeX56Q+PTOpBJc4fXeflaoVi34Mo4nmZyd2ben
+zNq2scVGhiRCem+1zqTj5+fUUC3tieoOgNHsQ2RMX5sAMVqcz34ybJfb3+dzwYA0
+iJmDAgz5LevE3R/Cy0pnwqPLLDLBnnOtuXZnHVddp5gQAVs7NiF3OFOmh1vH44j8
+OvX8gXsSfWv1EKv7MdYp7r+785MhGDdin287NHMXP7Wxb6bO+EM9RSb1Fgw1EFs6
+svgjCDyPzngZCqhPd1rzPf2ZpE6N6qDf+fX4m832JLHISVpC1FbxcZTxw3gGnF4K
+xvbhWNAxZubaX7LrOW8k4Xuiy1DxahGjwwIBAg==
+-----END DH PARAMETERS-----

test/unittest/transport/certs/fastdds.cnf

@@ -0,0 +1,14 @@
+# Configuration file for CA request
+
+[ req ]
+distinguished_name     = req_distinguished_name
+prompt                 = no
+
+[ req_distinguished_name ]
+countryName            = ES
+stateOrProvinceName    = MA
+localityName           = Madrid
+organizationName       = eProsima
+organizationalUnitName = eProsima
+commonName             = eProsima DB
+emailAddress           = support@eprosima.com

test/unittest/transport/certs/fastdds.crt

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICFTCCAbsCFBGqg+luTTvQ3zP0TMW1xPag9Iw4MAoGCCqGSM49BAMCMIGMMQsw
+CQYDVQQGEwJFUzELMAkGA1UECAwCTUExDzANBgNVBAcMBk1hZHJpZDERMA8GA1UE
+CgwIZVByb3NpbWExETAPBgNVBAsMCGVQcm9zaW1hMRQwEgYDVQQDDAtlUHJvc2lt
+YSBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBlcHJvc2ltYS5jb20wHhcNMjMx
+MTE3MDcwODU4WhcNMjgxMTE1MDcwODU4WjCBjDELMAkGA1UEBhMCRVMxCzAJBgNV
+BAgMAk1BMQ8wDQYDVQQHDAZNYWRyaWQxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYD
+VQQLDAhlUHJvc2ltYTEUMBIGA1UEAwwLZVByb3NpbWEgREIxIzAhBgkqhkiG9w0B
+CQEWFHN1cHBvcnRAZXByb3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
+QgAERpOOxdxOyNKP5xazr5Yo/hxTkP0xbk0C1dLx8ohD515uzGPUE7fldGTCuMIh
+zoZKDhcvK98XfSpNr1PSAVXBjDAKBggqhkjOPQQDAgNIADBFAiAEP2q5dOdZWfco
+svCJpkydRpHgozKm1rxh03mH6TeVRwIhAKgYJZmaXaWxvXasrn7ToHQknXJfkkGO
+DtxzqPeDgot4
+-----END CERTIFICATE-----

test/unittest/transport/certs/fastdds.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBSDCB7wIBADCBjDELMAkGA1UEBhMCRVMxCzAJBgNVBAgMAk1BMQ8wDQYDVQQH
+DAZNYWRyaWQxETAPBgNVBAoMCGVQcm9zaW1hMREwDwYDVQQLDAhlUHJvc2ltYTEU
+MBIGA1UEAwwLZVByb3NpbWEgREIxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAZXBy
+b3NpbWEuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERpOOxdxOyNKP5xaz
+r5Yo/hxTkP0xbk0C1dLx8ohD515uzGPUE7fldGTCuMIhzoZKDhcvK98XfSpNr1PS
+AVXBjKAAMAoGCCqGSM49BAMCA0gAMEUCIBNHR6vyWtxu7jnMNPRiJRMq9RKp88OQ
+bj+66uL/QDn8AiEAwKVHN9FcM1E2bvTU5A4l/2l+/W+EcRa2b7bzVkfRs4o=
+-----END CERTIFICATE REQUEST-----

test/unittest/transport/certs/fastdds.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBRqOIY28pjNczTDrKr9DJJVHvn61Ir4BxWdnrw6R0eloAoGCCqGSM49
+AwEHoUQDQgAERpOOxdxOyNKP5xazr5Yo/hxTkP0xbk0C1dLx8ohD515uzGPUE7fl
+dGTCuMIhzoZKDhcvK98XfSpNr1PSAVXBjA==
+-----END EC PRIVATE KEY-----