From cb24f9958266a601d8dedb742316203fd4df81fa Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Wed, 4 Nov 2020 13:20:33 -0800 Subject: [PATCH 1/5] tls: fix detection of the upstream connection close event. (#13858) Fixes #13856. Signed-off-by: Piotr Sikora Signed-off-by: Christoph Pakulski --- docs/root/version_history/current.rst | 7 + .../transport_sockets/tls/ssl_handshaker.h | 2 +- .../transport_sockets/tls/ssl_socket.cc | 10 +- .../transport_sockets/tls/ssl_socket_test.cc | 179 ++++++++++++++++++ 4 files changed, 196 insertions(+), 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 1d3a13b0a455..c3e609b72bb5 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -14,6 +14,13 @@ Bug Fixes *Changes expected to improve the state of the world and are unlikely to have negative effects* * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). +* dns: fix a bug where custom resolvers provided in configuration were not preserved after network issues. +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. +* http: sending CONNECT_ERROR for HTTP/2 where appropriate during CONNECT requests. +* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. +* tls: fix detection of the upstream connection close event. +* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. +* watchdog: touch the watchdog before most event loop operations to avoid misses when handling bursts of callbacks. Removed Config or Runtime ------------------------- diff --git a/source/extensions/transport_sockets/tls/ssl_handshaker.h b/source/extensions/transport_sockets/tls/ssl_handshaker.h index 8eaec861a8f1..50090f6f43a7 100644 
--- a/source/extensions/transport_sockets/tls/ssl_handshaker.h +++ b/source/extensions/transport_sockets/tls/ssl_handshaker.h @@ -67,7 +67,7 @@ class SslHandshakerImpl : public Ssl::ConnectionInfo, public Ssl::Handshaker { // Ssl::Handshaker Network::PostIoAction doHandshake() override; - Ssl::SocketState state() { return state_; } + Ssl::SocketState state() const { return state_; } void setState(Ssl::SocketState state) { state_ = state; } SSL* ssl() const { return ssl_.get(); } Ssl::HandshakeCallbacks* handshakeCallbacks() { return handshake_callbacks_; } diff --git a/source/extensions/transport_sockets/tls/ssl_socket.cc b/source/extensions/transport_sockets/tls/ssl_socket.cc index 485468443096..f00494763040 100644 --- a/source/extensions/transport_sockets/tls/ssl_socket.cc +++ b/source/extensions/transport_sockets/tls/ssl_socket.cc @@ -140,10 +140,18 @@ Network::IoResult SslSocket::doRead(Buffer::Instance& read_buffer) { case SSL_ERROR_WANT_READ: break; case SSL_ERROR_ZERO_RETURN: + // Graceful shutdown using close_notify TLS alert. end_stream = true; break; + case SSL_ERROR_SYSCALL: + if (result.error_.value() == 0) { + // Non-graceful shutdown by closing the underlying socket. + end_stream = true; + break; + } + FALLTHRU; case SSL_ERROR_WANT_WRITE: - // Renegotiation has started. We don't handle renegotiation so just fall through. + // Renegotiation has started. We don't handle renegotiation so just fall through. default: drainErrorQueue(); action = PostIoAction::Close; diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index b4bdb84e5737..3019040bc9c9 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc 
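Review bot: In the new `SSL_ERROR_SYSCALL` arm, an EOF with no close_notify (`result.error_.value() == 0`) is reported as `end_stream` exactly like the `SSL_ERROR_ZERO_RETURN` arm above it, so a connection cut at the TCP level is no longer distinguishable from a graceful TLS shutdown at this layer and truncation of a response has to be caught by protocol framing instead. That is the point of the fix, but the branch should say so and be observable: `// EOF without close_notify: treated as end of stream; the protocol layer (Content-Length, chunked framing, H2 END_STREAM) is responsible for detecting a truncated peer.` and a stat incremented only in this arm would let an operator tell quiet shutdowns from clean ones. This assumes `result.error_` holds the errno of the underlying read, which the hunk does not show; if it is an SSL error code the `== 0` test means something else and the comment should name the source. The `-`/`+` pair on the renegotiation comment read identically here, presumably a whitespace-only change. doRead's switch continues past the hunk.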
@@ -2534,6 +2534,185 @@ TEST_P(SslSocketTest, HalfClose) { dispatcher_->run(Event::Dispatcher::RunType::Block); } +TEST_P(SslSocketTest, ShutdownWithCloseNotify) { + const std::string server_ctx_yaml = R"EOF( + common_tls_context: + tls_certificates: + certificate_chain: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + validation_context: + trusted_ca: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" +)EOF"; + + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); + auto server_cfg = std::make_unique(server_tls_context, factory_context_); + ContextManagerImpl manager(time_system_); + Stats::TestUtil::TestStore server_stats_store; + ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager, + server_stats_store, std::vector{}); + + auto socket = std::make_shared( + Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true); + Network::MockTcpListenerCallbacks listener_callbacks; + Network::MockConnectionHandler connection_handler; + Network::ListenerPtr listener = + dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE); + std::shared_ptr server_read_filter(new Network::MockReadFilter()); + std::shared_ptr client_read_filter(new Network::MockReadFilter()); + + const std::string client_ctx_yaml = R"EOF( + common_tls_context: + )EOF"; + + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); + auto client_cfg = std::make_unique(tls_context, factory_context_); + Stats::TestUtil::TestStore client_stats_store; + ClientSslSocketFactory 
client_ssl_socket_factory(std::move(client_cfg), manager, + client_stats_store); + Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection( + socket->localAddress(), Network::Address::InstanceConstSharedPtr(), + client_ssl_socket_factory.createTransportSocket(nullptr), nullptr); + Network::MockConnectionCallbacks client_connection_callbacks; + client_connection->enableHalfClose(true); + client_connection->addReadFilter(client_read_filter); + client_connection->addConnectionCallbacks(client_connection_callbacks); + client_connection->connect(); + + Network::ConnectionPtr server_connection; + Network::MockConnectionCallbacks server_connection_callbacks; + EXPECT_CALL(listener_callbacks, onAccept_(_)) + .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void { + server_connection = dispatcher_->createServerConnection( + std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr), + stream_info_); + server_connection->enableHalfClose(true); + server_connection->addReadFilter(server_read_filter); + server_connection->addConnectionCallbacks(server_connection_callbacks); + })); + EXPECT_CALL(*server_read_filter, onNewConnection()); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + Buffer::OwnedImpl data("hello"); + server_connection->write(data, true); + EXPECT_EQ(data.length(), 0); + })); + + EXPECT_CALL(*client_read_filter, onNewConnection()) + .WillOnce(Return(Network::FilterStatus::Continue)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)); + EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true)) + .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus { + read_buffer.drain(read_buffer.length()); + client_connection->close(Network::ConnectionCloseType::NoFlush); + return Network::FilterStatus::StopIteration; + })); + 
EXPECT_CALL(*server_read_filter, onData(_, true)); + + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::RemoteClose)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + server_connection->close(Network::ConnectionCloseType::NoFlush); + dispatcher_->exit(); + })); + + dispatcher_->run(Event::Dispatcher::RunType::Block); +} + +TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { + const std::string server_ctx_yaml = R"EOF( + common_tls_context: + tls_certificates: + certificate_chain: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" + private_key: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" + validation_context: + trusted_ca: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" +)EOF"; + + envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext server_tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(server_ctx_yaml), server_tls_context); + auto server_cfg = std::make_unique(server_tls_context, factory_context_); + ContextManagerImpl manager(time_system_); + Stats::TestUtil::TestStore server_stats_store; + ServerSslSocketFactory server_ssl_socket_factory(std::move(server_cfg), manager, + server_stats_store, std::vector{}); + + auto socket = std::make_shared( + Network::Test::getCanonicalLoopbackAddress(GetParam()), nullptr, true); + Network::MockTcpListenerCallbacks listener_callbacks; + Network::MockConnectionHandler connection_handler; + Network::ListenerPtr listener = + dispatcher_->createListener(socket, listener_callbacks, true, ENVOY_TCP_BACKLOG_SIZE); + std::shared_ptr server_read_filter(new Network::MockReadFilter()); + std::shared_ptr client_read_filter(new Network::MockReadFilter()); + + const std::string client_ctx_yaml = R"EOF( + common_tls_context: + 
)EOF"; + + envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; + TestUtility::loadFromYaml(TestEnvironment::substitute(client_ctx_yaml), tls_context); + auto client_cfg = std::make_unique(tls_context, factory_context_); + Stats::TestUtil::TestStore client_stats_store; + ClientSslSocketFactory client_ssl_socket_factory(std::move(client_cfg), manager, + client_stats_store); + Network::ClientConnectionPtr client_connection = dispatcher_->createClientConnection( + socket->localAddress(), Network::Address::InstanceConstSharedPtr(), + client_ssl_socket_factory.createTransportSocket(nullptr), nullptr); + Network::MockConnectionCallbacks client_connection_callbacks; + client_connection->enableHalfClose(true); + client_connection->addReadFilter(client_read_filter); + client_connection->addConnectionCallbacks(client_connection_callbacks); + client_connection->connect(); + + Network::ConnectionPtr server_connection; + Network::MockConnectionCallbacks server_connection_callbacks; + EXPECT_CALL(listener_callbacks, onAccept_(_)) + .WillOnce(Invoke([&](Network::ConnectionSocketPtr& socket) -> void { + server_connection = dispatcher_->createServerConnection( + std::move(socket), server_ssl_socket_factory.createTransportSocket(nullptr), + stream_info_); + server_connection->enableHalfClose(true); + server_connection->addReadFilter(server_read_filter); + server_connection->addConnectionCallbacks(server_connection_callbacks); + })); + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { + Buffer::OwnedImpl data("hello"); + server_connection->write(data, false); + EXPECT_EQ(data.length(), 0); + // Close without sending close_notify alert. 
+ const SslHandshakerImpl* ssl_socket = + dynamic_cast(server_connection->ssl().get()); + EXPECT_EQ(ssl_socket->state(), Ssl::SocketState::HandshakeComplete); + SSL_set_quiet_shutdown(ssl_socket->ssl(), 1); + server_connection->close(Network::ConnectionCloseType::NoFlush); + })); + + EXPECT_CALL(*client_read_filter, onNewConnection()) + .WillOnce(Return(Network::FilterStatus::Continue)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::Connected)); + EXPECT_CALL(*client_read_filter, onData(BufferStringEqual("hello"), true)) + .WillOnce(Invoke([&](Buffer::Instance& read_buffer, bool) -> Network::FilterStatus { + read_buffer.drain(read_buffer.length()); + client_connection->close(Network::ConnectionCloseType::NoFlush); + return Network::FilterStatus::StopIteration; + })); + + EXPECT_CALL(server_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)); + EXPECT_CALL(client_connection_callbacks, onEvent(Network::ConnectionEvent::LocalClose)) + .WillOnce(Invoke([&](Network::ConnectionEvent) -> void { dispatcher_->exit(); })); + + dispatcher_->run(Event::Dispatcher::RunType::Block); +} + TEST_P(SslSocketTest, ClientAuthMultipleCAs) { const std::string server_ctx_yaml = R"EOF( common_tls_context: From 99484c6ed2657c94228331c0546aa2eae82304c7 Mon Sep 17 00:00:00 2001 From: Christoph Pakulski Date: Wed, 16 Dec 2020 21:33:59 +0000 Subject: [PATCH 2/5] Corrected release notes. Signed-off-by: Christoph Pakulski --- docs/root/version_history/current.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index c3e609b72bb5..462f146d0b2e 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
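Review bot: In `ShutdownWithoutCloseNotify`, the `dynamic_cast` result `ssl_socket` is dereferenced on the next line without a check, so a cast failure would crash the test instead of failing it; `ASSERT_NE(ssl_socket, nullptr);` before `EXPECT_EQ(ssl_socket->state(), Ssl::SocketState::HandshakeComplete);` gives a readable failure. The cast's template argument is missing in this rendering, presumably lost in extraction. A comment at the top of that test stating what the client-side expectation proves would help: `onData(BufferStringEqual("hello"), true)` on the client read filter is the observable effect of the new `SSL_ERROR_SYSCALL` handling, i.e. a bare socket close after `SSL_set_quiet_shutdown` is surfaced as end of stream rather than as an abrupt close. Both new tests are fully inside the hunk.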
@@ -19,8 +19,6 @@ Bug Fixes * http: sending CONNECT_ERROR for HTTP/2 where appropriate during CONNECT requests. * proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. * tls: fix detection of the upstream connection close event. -* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. -* watchdog: touch the watchdog before most event loop operations to avoid misses when handling bursts of callbacks. Removed Config or Runtime ------------------------- From 43c8a2d2442afe7f92146a7e28bd1866d27ceee3 Mon Sep 17 00:00:00 2001 From: Taylor Barrella Date: Thu, 12 Nov 2020 12:48:15 -0800 Subject: [PATCH 3/5] build: Fix some unused variable warnings (#13987) Signed-off-by: Taylor Barrella Signed-off-by: Christoph Pakulski --- include/envoy/registry/registry.h | 1 + source/common/config/new_grpc_mux_impl.cc | 1 + source/common/init/manager_impl.cc | 1 + source/common/router/scoped_rds.cc | 1 + source/server/admin/config_dump_handler.cc | 3 +++ source/server/filter_chain_manager_impl.cc | 4 ++++ 6 files changed, 11 insertions(+) diff --git a/include/envoy/registry/registry.h b/include/envoy/registry/registry.h index b52686036074..b90e86ca52f3 100644 --- a/include/envoy/registry/registry.h +++ b/include/envoy/registry/registry.h @@ -346,6 +346,7 @@ template class FactoryRegistry : public Logger::Loggable>(); for (const auto& [factory_name, factory] : factories()) { + UNREFERENCED_PARAMETER(factory_name); if (factory == nullptr) { continue; } diff --git a/source/common/config/new_grpc_mux_impl.cc b/source/common/config/new_grpc_mux_impl.cc index 0015a2689971..50bfc07e08e4 100644 --- a/source/common/config/new_grpc_mux_impl.cc +++ b/source/common/config/new_grpc_mux_impl.cc 
@@ -90,6 +90,7 @@ void NewGrpcMuxImpl::onDiscoveryResponse( void NewGrpcMuxImpl::onStreamEstablished() { for (auto& [type_url, subscription] : subscriptions_) { + UNREFERENCED_PARAMETER(type_url); subscription->sub_state_.markStreamFresh(); } trySendDiscoveryRequests(); diff --git a/source/common/init/manager_impl.cc b/source/common/init/manager_impl.cc index 650203fabbea..1440dd726414 100644 --- a/source/common/init/manager_impl.cc +++ b/source/common/init/manager_impl.cc @@ -71,6 +71,7 @@ void ManagerImpl::dumpUnreadyTargets(envoy::admin::v3::UnreadyTargetsDumps& unre auto& message = *unready_targets_dumps.mutable_unready_targets_dumps()->Add(); message.set_name(name_); for (const auto& [target_name, count] : target_names_count_) { + UNREFERENCED_PARAMETER(count); message.add_target_names(target_name); } } diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index d9ca4781e7b5..17613814efea 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc @@ -427,6 +427,7 @@ ScopedRdsConfigSubscription::detectUpdateConflictAndCleanupRemoved( absl::flat_hash_map scope_name_by_hash = scope_name_by_hash_; absl::erase_if(scope_name_by_hash, [&updated_or_removed_scopes](const auto& key_name) { auto const& [key, name] = key_name; + UNREFERENCED_PARAMETER(key); return updated_or_removed_scopes.contains(name); }); absl::flat_hash_map diff --git a/source/server/admin/config_dump_handler.cc b/source/server/admin/config_dump_handler.cc index dbfd13a01e2e..9e1d54e9d3e9 100644 --- a/source/server/admin/config_dump_handler.cc +++ b/source/server/admin/config_dump_handler.cc @@ -155,6 +155,7 @@ ConfigDumpHandler::addResourceToDump(envoy::admin::v3::ConfigDump& dump, } for (const auto& [name, callback] : callbacks_map) { + UNREFERENCED_PARAMETER(name); ProtobufTypes::MessagePtr message = callback(); ASSERT(message); 
@@ -200,6 +201,7 @@ void ConfigDumpHandler::addAllConfigToDump(envoy::admin::v3::ConfigDump& dump, } for (const auto& [name, callback] : callbacks_map) { + UNREFERENCED_PARAMETER(name); ProtobufTypes::MessagePtr message = callback(); ASSERT(message); @@ -220,6 +222,7 @@ ProtobufTypes::MessagePtr ConfigDumpHandler::dumpEndpointConfigs() const { auto endpoint_config_dump = std::make_unique(); for (const auto& [name, cluster_ref] : server_.clusterManager().clusters()) { + UNREFERENCED_PARAMETER(name); const Upstream::Cluster& cluster = cluster_ref.get(); Upstream::ClusterInfoConstSharedPtr cluster_info = cluster.info(); envoy::config::endpoint::v3::ClusterLoadAssignment cluster_load_assignment; diff --git a/source/server/filter_chain_manager_impl.cc b/source/server/filter_chain_manager_impl.cc index 0de4282f3314..29d47d8be53c 100644 --- a/source/server/filter_chain_manager_impl.cc +++ b/source/server/filter_chain_manager_impl.cc @@ -555,6 +555,7 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceIpAn void FilterChainManagerImpl::convertIPsToTries() { for (auto& [destination_port, destination_ips_pair] : destination_ports_map_) { + UNREFERENCED_PARAMETER(destination_port); // These variables are used as we build up the destination CIDRs used for the trie. auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair; std::vector>> 
@@ -568,8 +569,11 @@ void FilterChainManagerImpl::convertIPsToTries() { // We need to get access to all of the source IP strings so that we can convert them into // a trie like we did for the destination IPs above. for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) { + UNREFERENCED_PARAMETER(server_name); for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) { + UNREFERENCED_PARAMETER(transport_protocol); for (auto& [application_protocol, source_arrays] : application_protocols_map) { + UNREFERENCED_PARAMETER(application_protocol); for (auto& [source_ips_map, source_ips_trie] : source_arrays) { std::vector< std::pair>> From 2d39d82937300e0f6b4c5a29badb89c6ed05c84f Mon Sep 17 00:00:00 2001 From: Sunjay Bhatia <5337253+sunjayBhatia@users.noreply.github.com> Date: Thu, 22 Oct 2020 18:23:01 -0400 Subject: [PATCH 4/5] test: Check in all TLS test certs (#13702) * test: Check in all TLS test certs - Will prevent openssl fork-emulation issues on Windows/msys2 that cause test flakiness - modifies context_impl_test to no longer requires a cert that is generated on the fly to expire in 15 days Signed-off-by: Sunjay Bhatia 
Signed-off-by: Christoph Pakulski --- test/extensions/transport_sockets/tls/BUILD | 15 +- .../tls/context_impl_test.cc | 124 +++---- .../tls/gen_unittest_certs.sh | 55 --- .../transport_sockets/tls/handshaker_test.cc | 8 +- .../transport_sockets/tls/ocsp/BUILD | 11 +- .../transport_sockets/tls/ocsp/ocsp_test.cc | 12 +- .../tls/ocsp/test_data/BUILD | 13 + .../tls/ocsp/test_data/README.md | 30 ++ .../tls/ocsp/test_data/ca_cert.pem | 23 ++ .../tls/ocsp/test_data/ca_key.pem | 27 ++ .../certs.sh} | 46 ++- .../tls/ocsp/test_data/ecdsa_cert.pem | 16 + .../tls/ocsp/test_data/ecdsa_key.pem | 8 + .../tls/ocsp/test_data/ecdsa_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/ecdsa_ocsp_resp.der | Bin 0 -> 1559 bytes .../tls/ocsp/test_data/good_cert.pem | 20 ++ .../tls/ocsp/test_data/good_key.pem | 27 ++ .../tls/ocsp/test_data/good_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/good_ocsp_resp.der | Bin 0 -> 1579 bytes .../ocsp/test_data/good_ocsp_resp_details.txt | 118 +++++++ .../ocsp/test_data/intermediate_ca_cert.pem | 25 ++ .../ocsp/test_data/intermediate_ca_key.pem | 27 ++ .../ocsp/test_data/multiple_cert_ocsp_req.der | Bin 0 -> 171 bytes .../test_data/multiple_cert_ocsp_resp.der | Bin 0 -> 1660 bytes .../test_data/responder_key_hash_ocsp_req.der | Bin 0 -> 106 bytes .../responder_key_hash_ocsp_resp.der | Bin 0 -> 1466 bytes .../tls/ocsp/test_data/revoked_cert.pem | 21 ++ .../tls/ocsp/test_data/revoked_key.pem | 27 ++ .../tls/ocsp/test_data/revoked_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/revoked_ocsp_resp.der | Bin 0 -> 1577 bytes .../tls/ocsp/test_data/unknown_ocsp_req.der | Bin 0 -> 106 bytes .../tls/ocsp/test_data/unknown_ocsp_resp.der | Bin 0 -> 1686 bytes .../transport_sockets/tls/ssl_certs_test.h | 8 - .../transport_sockets/tls/ssl_socket_test.cc | 312 +++++++++--------- .../transport_sockets/tls/test_data/certs.sh | 4 + .../tls/test_data/unittest_cert.cfg | 23 ++ .../tls/test_data/unittest_cert.pem | 23 ++ 
.../tls/test_data/unittest_cert_info.h | 8 + .../tls/test_data/unittest_key.pem | 27 ++ 39 files changed, 720 insertions(+), 338 deletions(-) delete mode 100755 test/extensions/transport_sockets/tls/gen_unittest_certs.sh create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/BUILD create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/README.md create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem rename test/extensions/transport_sockets/tls/ocsp/{gen_unittest_ocsp_data.sh => test_data/certs.sh} (86%) create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der create mode 100644 
test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der create mode 100644 test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert.pem create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h create mode 100644 test/extensions/transport_sockets/tls/test_data/unittest_key.pem diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/extensions/transport_sockets/tls/BUILD index 48a456162df3..f5b04d38100d 100644 --- a/test/extensions/transport_sockets/tls/BUILD +++ b/test/extensions/transport_sockets/tls/BUILD @@ -16,12 +16,11 @@ envoy_cc_test( "ssl_socket_test.cc", ], data = [ - "gen_unittest_certs.sh", # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", ], external_deps = ["ssl"], shard_count = 4, 
@@ -74,12 +73,9 @@ envoy_cc_test( "ssl_certs_test.h", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], - # Fails intermittantly on local build - tags = ["flaky_on_windows"], deps = [ ":ssl_test_utils", "//source/common/common:base64_lib", @@ -121,8 +117,6 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], @@ -171,14 +165,9 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "gen_unittest_certs.sh", - "//test/config/integration/certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], - # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows - # See: https://github.com/envoyproxy/envoy/pull/13276 - tags = ["flaky_on_windows"], deps = [ ":ssl_socket_test", ":ssl_test_utils", diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc index 0307ebb2daef..9e1f37780722 100644 --- a/test/extensions/transport_sockets/tls/context_impl_test.cc +++ b/test/extensions/transport_sockets/tls/context_impl_test.cc @@ -20,6 +20,7 @@ #include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h" #include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h" +#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h" #include "test/mocks/init/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/secret/mocks.h" 
@@ -261,9 +262,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context; @@ -272,12 +273,10 @@ TEST_F(SslContextImplTest, TestExpiringCert) { ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); - // This is a total hack, but right now we generate the cert and it expires in 15 days only in the - // first second that it's valid. This can become invalid and then cause slower tests to fail. - // Optimally we would make the cert valid for 15 days and 23 hours, but that is not easy to do - // with the command line so we have this for now. Good enough. - EXPECT_TRUE(15 == context->daysUntilFirstCertExpires() || - 14 == context->daysUntilFirstCertExpires()); + // Calculate the days until test cert expires + auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); + int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; + EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry); } TEST_F(SslContextImplTest, TestExpiredCert) { 
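Review bot: The new expiry check computes `days_until_expiry` from `absl::Now()` with truncating integer division of hours by 24, while `context->daysUntilFirstCertExpires()` uses whatever clock and rounding the implementation has; unless both agree, the `EXPECT_EQ` can flake at day boundaries in the way the deleted comment described, and the removed `14 || 15` tolerance was guarding exactly that. If the implementation reads a test time source (e.g. `time_system_`), the expectation should be derived from the same source rather than wall-clock time; if it clamps expired certificates, the equality will also silently break once the checked-in `unittest_cert.pem` passes `TEST_UNITTEST_CERT_NOT_AFTER`. A short comment at the call site would save the next person the investigation: `// unittest_cert.pem is checked in; regenerate it with test_data/certs.sh before it expires or this test fails.` The yaml hunk above only moves the cert paths and needs no change.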
@@ -302,9 +301,9 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" @@ -330,7 +329,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"); std::string cert_chain_json = R"EOF({ - "path": "{{ test_tmpdir }}/unittestcert.pem", + "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem", } )EOF"; 
@@ -591,27 +590,27 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; loadConfigYaml(tls_context_yaml); } TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { - auto der_response = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der")); + auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -626,9 +625,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -643,11 +642,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -660,9 +659,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -684,9 +683,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -702,9 +701,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -717,9 +716,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleFeatureFlagO common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -734,11 +733,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -748,12 +747,13 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = - absl::StrSplit(TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute( - "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp_details.txt"), - true), - '\n'); + auto ocsp_text_details = absl::StrSplit( + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt"), + true), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); 
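Review bot: In the TestGetCertInformationWithOCSP hunk the `{{ test_rundir }}` placeholder is now split across two adjacent literals (`"{{ test_rundir " "}}/test/..."`), which satisfies the formatter but leaves the token ungreppable and easy to break on the next reflow. A small helper in the style of `fullPath` in ocsp_test.cc, e.g. `std::string ocspTestDataPath(const std::string& name) { return TestEnvironment::substitute("{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + name); }`, keeps the placeholder intact and could also replace the other inline `TestEnvironment::substitute` calls on this file that repeat the same prefix. The body of TestGetCertInformationWithOCSP starts before and continues past this hunk.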
@@ -797,10 +797,10 @@ class SslServerContextImplTicketTest : public SslContextImplTest { // Must add a certificate for the config to be considered valid. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -821,9 +821,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -838,9 +838,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -854,9 +854,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" @@ -1045,9 +1045,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1061,9 +1061,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1078,9 +1078,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1095,9 +1095,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -1750,10 +1750,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); diff --git a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh b/test/extensions/transport_sockets/tls/gen_unittest_certs.sh deleted file mode 100755 index fe731e85cd70..000000000000 --- a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash -# -# Create a test certificate with a 15-day expiration for SSL tests. - -set -e - -TEST_CERT_DIR="${TEST_TMPDIR}" - -mkdir -p "${TEST_CERT_DIR}" - -export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf -(cat << EOF -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 -EOF -) > "${OPENSSL_CONF}" - -openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048 -openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \ - -sha256 < makeKey() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest { // Read in cert.pem and return a certificate. bssl::UniquePtr makeCert() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); uint8_t* data = nullptr; diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/extensions/transport_sockets/tls/ocsp/BUILD index c6947269be4d..262bec36ab5c 100644 --- a/test/extensions/transport_sockets/tls/ocsp/BUILD +++ b/test/extensions/transport_sockets/tls/ocsp/BUILD @@ -14,13 +14,9 @@ envoy_cc_test( "ocsp_test.cc", ], data = [ - ":gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", ], external_deps = ["ssl"], - # TODO: Diagnose intermittent failure on Windows; this script uses the - # locally deployed openssl for test cert creation and manipulation, rather - # than envoy's current build of the most current openssl tool - tags = ["flaky_on_windows"], deps = [ "//source/common/filesystem:filesystem_lib", "//source/extensions/transport_sockets/tls:utility_lib", @@ -44,8 +40,3 @@ envoy_cc_test( "//test/extensions/transport_sockets/tls:ssl_test_utils", ], ) - -filegroup( - name = "gen_ocsp_data", - srcs = ["gen_unittest_ocsp_data.sh"], -) diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc index 70f24ccaa15e..78e813060d86 100644 --- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc +++ b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc 
@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility; class OcspFullResponseParsingTest : public testing::Test { public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - std::string fullPath(std::string filename) { - return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename); + return TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename); } std::vector readFile(std::string filename) { @@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) { } TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) { - auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24); - time_system_.setSystemTime(next_week); + auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10); + time_system_.setSystemTime(ten_years_forward); setup("good_ocsp_resp.der"); // nextUpdate is present but in the past EXPECT_TRUE(response_->isExpired()); diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD new file mode 100644 index 000000000000..e55e87fb1011 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD @@ -0,0 +1,13 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +filegroup( + name = "certs", + srcs = glob(["*"]), +) diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md new file mode 100644 index 000000000000..ad1c6777eb3a --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md 
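Review bot: ExpiredResponseTest now advances the clock ten years, but the checked-in fixtures it runs against have a fixed lifetime (`DEFAULT_VALIDITY_DAYS` defaults to 730 in certs.sh, and good_ocsp_resp_details.txt shows `Next Update: Oct 22 02:57:52 2022 GMT`), so they will rot where the removed SetUpTestSuite regeneration did not. The starting point of `time_system_` is not visible in this hunk; if it is seeded from the real clock, the tests in this fixture that expect a fresh response will presumably begin failing after that date. Pinning the simulated clock to a constant instant inside the fixture's validity window in the test's setup (a `time_system_.setSystemTime(...)` with a fixed value well before the Next Update) would make both the fresh and the expired checks independent of when the suite runs; at minimum the README should record the expiry date and that certs.sh must be re-run before it.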
@@ -0,0 +1,30 @@
+# What are the identities, certificates and keys
+There are 8 identities:
+- **CA**: Certificate Authority for all fixtures in this directory. It has the
+ self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key.
+- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**.
+ It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem*
+ is its private key.
+- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP
+ request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as
+ *good_ocsp_resp_details.txt*.
+- **Responder Key Hash** An OCSP request and response pair for the **Good** cert
+ with responder key hash replacing the name in *responder_key_hash_ocsp_req.der*
+ and *responder_key_hash_ocsp_resp.der*
+- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the
+ **CA**. A corresponding OCSP request and revoked response are included in
+ *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*.
+- **Unknown** An OCSP request and unknown status response is generated in
+ *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate
+ is signed by **CA** not **Intermediate CA**.
+- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key
+ (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*).
+- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are
+ generated with **CA** as the signer for the **Good** and **Revoked** certs in
+ *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*.
+
+# How to update certificates
+**certs.sh** has the commands to generate all files. Running certs.sh directly
+will cause all files to be regenerated. So if you want to regenerate a
+particular file, please copy the corresponding commands from certs.sh and
+execute them in command line.
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem new file mode 100644 index 000000000000..d456c26f505f --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem new file mode 100644 index 000000000000..888feabbec1b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF +ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k +iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v +c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf +HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7 +Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ +MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W +WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo +qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE +ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1 +Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs +Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3 +8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG +0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ +vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy +0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP +vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM +1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9 +kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL ++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS +ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS +LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3 +FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o +O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ +Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh similarity index 86% rename from test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh rename to test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh index dad80edca9a1..042fd74ca524 100755 --- a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh @@ -4,23 +4,21 @@ set -e +readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730} +readonly HERE=$(cd "$(dirname "$0")" && pwd) + +cd "$HERE" || exit 1 trap cleanup EXIT + cleanup() { - rm -f ./*_index* - rm -f ./*.csr - rm -f ./*.cnf - rm -f ./*_serial* + rm -f ./*.cnf + rm -f ./*.csr + rm -f ./*_index* + rm -f ./*_serial* + rm -f ./*.srl + rm -f ./100*.pem } -[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)" - -TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data" -mkdir -p "${TEST_OCSP_DIR}" - -rm -f "${TEST_OCSP_DIR}"/* - -cd "$TEST_OCSP_DIR" || exit 1 - ################################################## # Make the configuration file ################################################## @@ -55,17 +53,17 @@ commonName_max = 64 default_ca = CA_default [ CA_default ] -dir = ${TEST_OCSP_DIR} -certs = ${TEST_OCSP_DIR} -new_certs_dir = ${TEST_OCSP_DIR} -serial = ${TEST_OCSP_DIR} -database = ${TEST_OCSP_DIR}/$2_index.txt -serial = ${TEST_OCSP_DIR}/$2_serial +dir = ${HERE} +certs = ${HERE} +new_certs_dir = ${HERE} +serial = ${HERE} +database = ${HERE}/$2_index.txt +serial = ${HERE}/$2_serial -private_key = ${TEST_OCSP_DIR}/$2_key.pem -certificate = ${TEST_OCSP_DIR}/$2_cert.pem +private_key = ${HERE}/$2_key.pem +certificate = ${HERE}/$2_cert.pem -default_days = 375 +default_days = ${DEFAULT_VALIDITY_DAYS} default_md = sha256 preserve = no policy = policy_default 
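Review bot: `readonly HERE=$(cd "$(dirname "$0")" && pwd)` reports the status of `readonly`, not of the command substitution, so under the `set -e` at the top of the hunk a failing `cd`/`pwd` leaves `HERE` empty without stopping the script. The following `cd "$HERE" || exit 1` then runs against an empty path; if the shell treats that as a no-op, the `trap cleanup EXIT` installed right after it would aim cleanup's relative `rm -f` globs at whatever directory the script was invoked from. Declare and assign separately, `HERE=$(cd "$(dirname "$0")" && pwd)` followed by `readonly HERE`, and do the same for `DEFAULT_VALIDITY_DAYS` for consistency.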
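Review bot: The rewritten `[ CA_default ]` block still carries two `serial` keys, `serial = ${HERE}` and `serial = ${HERE}/$2_serial`; the first names a directory rather than a serial file and reads as a leftover that the `TEST_OCSP_DIR` to `HERE` substitution carried over. OpenSSL's config loader appears to keep the last definition, so the script works, but the dead line should be dropped so the next reader does not have to work out which one is live. The heredoc that emits this section begins outside the hunk.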
@@ -102,7 +100,7 @@ generate_ca() { -config "${1}.cnf" -batch -sha256 openssl x509 -req \ -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \ - -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}" + -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}" } # $1= $2= $3=[req args] @@ -153,7 +151,7 @@ generate_ca intermediate_ca ca # Generate valid cert and OCSP response generate_config good ca generate_rsa_cert good ca -generate_ocsp_response good ca good -ndays 7 +generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}" dump_ocsp_details good ca # Generate OCSP response with the responder key hash instead of name diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem new file mode 100644 index 000000000000..724ea898ea24 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/ +o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW +76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR +tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3 +FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7 +rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je +BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV +gDVhAiuki1Lwuzo= +-----END CERTIFICATE----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem new file mode 100644 index 000000000000..8fac462fe37b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49 +AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc +yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w== +-----END EC PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..6769a837244d56ca8d0de3380c69d521a84447e3 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7T!G^*Hf*=kD50`UdPG(wuQC?=Ep_qXPNRXX}H#jj*!L2AUFFCU~Ip2`ifEy&v z#lzxLnO0&bX&?^ba`Om)xC*X$>6v+{sYRK2=`cH(d6<$DCHRdDj0_A7jDVD>xv6oK zL6AX!fi=(-tlE6cOj4{2EFxk@*&0@GZtFKt?_90y-|ua(;Xw|Ih(v|+lX*)5pJlsQ zxku?%Mdnqsh%qqn7L5dK+!-R;cF%qAr^rHD);=_6yGekwk7c50(%Jt170>x ztu~Lg@4SqR+^h`DO^l2THFuZn=Sh2;c-Z`s{LIrl5B2w$^~>K@JN70`B9cq^;*rnH zC4UVs7ae!yWjcXYXH?7yEA)XD2zlmFy^0E@K2;UBNtGcR1c;LLmX zlhNl#0$C*|-)i0It?vCLeDT$(K+zbEFFoC6yIPYz)rtJN-D<$QpL?-hmFiNv+0i>I zZk&6>_2Bz$cAl2cE9WS%yk=LpYpcS$YqjixCg$4)P0ZJU__9G0)9wY#OpHuSB3ifQ zins8u7u>Dla>3){@7T!WU&YaaZvc{#ft)xmQc^OE0&rGuAWIDGCd1)x9o>O=C5;VQIb|(+J=AIBNO;oZdg|cy^(#QWVPx1e5Uw|598&Hn~o>=d=jdw zSA6p0=Dc}^s-KS@%e0hTrkR#nm{nomRJ5D>;8y>|#ydCZq@3^C9nA02AhfdY!lr9a z>SoxQ?y0Sg&y=5*A?oJwYAO>mBLm~&WP?NlSzu`)%f}*yJ!1oNFHl;UMZ!R=0c*}T z;0GxXW@P-&!fL<_qzw2#0{kEW7GSDvLyiVm_TE(K9(MS-@V)r%w~G%q2tJ%4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q&e|~o literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem new file mode 100644 index 000000000000..4c25d638be7c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAikCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTJaFw0yMjEwMjIwMjU3NTJaMFsxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ0wCwYDVQQDDARnb29kMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBD2wITti7SV7hHMKjeB4vv9HrpYHe58LkthZWHAWfcV4usdQl8/R/pe6xp +vbda1dPkDOL3h9DWXb3OtDxZszk/muQ2O3IMzkm3RdOYK4TxiyhRiilYI8nOHCNS +/nzl2TGdoaHMYNKDopJaSuWo78ojcI6y/xJHSJFFHTazHrcLZsoanqYNUh352E1U +j7x8b0h6KB2ODeUa2z8g4sMqTexSDDKz4ND9vfoSPn02mG/3RuVsIxX5F1LNCP5W +RfxRA4uDR3/FSmWAHRPDpdh1NfNDZyh1yXlEyJS2XhuKUCDfCMqHYrxOfgQs6f+2 +d1z/R2EV8f4bBFxyL0nfOuo2J4+u +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem new file mode 100644 index 000000000000..5a6e6a2a1463 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABAoIBAQCqpOtPVSvE+iqK +VAwIs5rSVoHo8p4Cty2dsTfzA6CGijmscon2t0oHwjyak9LyfWaiR9uk3e8KXFAW +zE1QDq5umj1Ufrw+3+U0xB4xMiSfRcbV/LCPARO5VARm8rmzqEPRctVfsmtYFs9M +Y+O4Ky/SFriUUdgNjbdtvhobqV67dWIxATeYET0ayACgeJITcfH4XaAdQt5LJbDI +qemCu3hvvc4qqk0Ad/nqCl+B0D8/zWuyX5bKnNw+1g868VCFskdGiM7uZTZIXBja +6N3VBv6dENebcX+j9t+RxtOIRMm5ndFGzAq50ylKKiw5M/hRHxgHb0l7OF1Ud2Jw +QSumpj8pAoGBAPh6VgAvEHRECDHUs+RscNcrhTTJF/A787rx/7kJMHxVMlr3GPvv +clxhK7GquFEpYlB6+R+otWvfowq7F+sEGutepfgI0vp0QriwziVQw1xg4lnfK4TR +uKLmL/wQGEIMi4G2n8RacYGSGGl39mmRchCEeYWHV+P0j7ss7SkJ3WNVAoGBAO4L +YiV1TBpmD+3cWZh0BEvjYQePmFoLdFypd/tOZYL9jhtiCIV7uDPUwTe8UCPrLpUi +XPHp9Sfhoo0gLGQVxHowHaDQBUnzo+LzdMPu8YlJv1okH0rkdwQ355yAVgTVz3sv +XTJtVGnSLmA/BthLMrFJfn5Sbus/c3vNgw7Cu3IXAoGAPSEDpVnux1uxVGkKtKiE +/jqDs9/BFuX46UX97oy3M+9VyxE9QUXAMb/qGvRwEe+Hc1s9jK9ZqqdDGjG7CaNh +6APJ+wJYvSr6+yrsHDwJQ+HF7ew8bZmWveS5a16eSSmC7K98ELdbc0/414Geyovw +ruWYa+RHGBqjfZ3o3o7Bu10CgYEAt9GyiJp7micWRefSiBeO+cssMlqAm4gc4zE6 +paV0XiLOifa5/dn79IpmalPQzuvdnOxcObMgzRtAGxqtLNxiTLi7KGN6shCija7S +jDsH6aw5R7J9N6gU//zrrb6sri8teUKqBTbH6K+VgF0rO/tVufG27HVbke39j6yz +d8KIXSECgYB3JaYxWdoxptUvpqITvIBRNEfhNVrxzdGz95EcS6RqmG7UxJlTN2Yk +LKZ9pIOD43QQ3i5D2cF6XN4BCSZ+wRVzOt43RP8DUMgbLzLf8h9N/6cQGEbFqtlb +9x5wTSPF7VRJY+ToSnnBWyFRPLkwm9u1VpeBIUa3bGDDbV/SdJIeUg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..f5d7e4150fe3b8b53638a51f19d59260531ed227 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zq#7g}SOZ}Jx1QUx8i@=XGhLiYbNw@ zu|}%_FB_*;n@8JsUPeZ4RtDxKMn;Bh`gM1=zK(wOO#aI6`bg7zn+&yrylNY}-qhYX zQ#C2E_9K((Nu9T^-iRDr(O==h==F^K|DQxY>s@Krj%MeU*SvqVY+Gr&h{?uMruVgZ zi({iTA0_x%t~)0c|K4=|xvLNPe|`znW&dH}6EkgBLK^#ns#j}v6}*z_-@j9B%F1S8 z@q)zf7Jh8SQns6!yd|3!dp)dSzwvkb#4s_{wwEjZFFkZR@5H-}x5{<1Ue+!32>Bx4 z#J9PKCzyHa;te)_p(XF8UHiU?S-M^&@!_4f*B0{%Gd1zP-TQXeYQ3HdlHX4DMXt?w zWs+|kJFR%L-Tegu*VagUTP^f&uBjuhiT|yF!+y0vZVQ^2ZyPi*UkBpL22D)67cet1 zGBJs0-Igof!oOZ{w~EUJkB`4&BaeR-M+?3INL>bU;=D+y%Pn*#eRFME}nbVaH%P%d84yt&V-(CCCrtr83+CAc|It%J_%<{ z5!~yrWbXDY3UeC5x3A)3dc3Y?vA1a|*LqWz2bs?8LS7mQs^`>QGaso;4!Ad8Kc$1= zaM{spi-Yf9Og&-nU18BJzOZ+T4rE4b`uO_K>m|8z{ER#9p1oIEwqbw9A_I3h{o*Ss zKaG_Q(W2mK)X;LT_ZBC|PYfKc6Z7;=_1(J^{-xH)g0q3Y+O$1*KtmuaS@7G_l#I2G;YKDgC?vGLALIw|M7b_esjGzhKi zyRhlnle!tUrh96u<1^)_Wr(_Yyqe0y%*epFIN2c4Ko(el$nvp>VbANp+zXUeW|1%u zYrt9<81RD>2s1MNXJIv922uumAOU`m01GhHwjoCYEPHRNbPqfHT=-sm_uIvX8w4Lt zGm}53=GLN9`kdhw3lzI3?m_EGAbnzE+m{cFfMxR?| zm$V}HPv~VgF3T5iYrppYVeV<&xr%)}e6}uAx1MaR@+*6G@A<@OUF_%jzwwIhIsd?A z`mxvg76;i1cRrc3fB8~VpE~Oc$Al+*o%GIS;`e#-9o-k7-2EAFUpUGwMW2s-U+Hz% w*|w<`;gwO}8TM^ud18L`sEkqYd3pDu0y8bcnXlhVHrXggXoV!d(B}CL01N~(mH+?% literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt new file mode 100644 index 000000000000..312a01481fd5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt 
@@ -0,0 +1,118 @@ +OCSP Response Data: + OCSP Response Status: successful (0x0) + Response Type: Basic OCSP Response + Version: 1 (0x0) + Responder Id: C = US, ST = California, L = San Francisco, O = Lyft, OU = Lyft Engineering, CN = ca + Produced At: Oct 22 02:57:52 2020 GMT + Responses: + Certificate ID: + Hash Algorithm: sha1 + Issuer Name Hash: 16C50680A809B68F302789AB234F8F4B30B0E06C + Issuer Key Hash: 187843E49EA451E66B463A475A2D7A596E788416 + Serial Number: 1000 + Cert Status: good + This Update: Oct 22 02:57:52 2020 GMT + Next Update: Oct 22 02:57:52 2022 GMT + + Response Extensions: + OCSP Nonce: + 04109C5C7305A9C99B599CAD3612F1A32885 + Signature Algorithm: sha256WithRSAEncryption + b6:2f:7e:dd:b5:eb:5b:e6:e6:1f:d4:fb:7f:59:35:de:b2:31: + 2a:52:4a:7d:81:8a:ec:7d:dc:cc:7a:92:61:7d:f1:02:25:c9: + 2c:ed:ea:ec:14:c1:a8:8f:78:44:01:4a:e6:07:ff:fc:61:0e: + 3b:ba:66:d6:c5:6b:6d:77:7c:ef:ea:a6:b6:75:87:14:34:b1: + 75:02:ef:7d:6e:a3:5d:5b:29:e2:60:4e:39:ae:ce:1a:5f:ef: + 35:9f:ce:d5:e1:0f:f9:f4:51:2d:07:f8:38:4c:5c:96:ba:60: + 66:07:e0:7a:ea:ac:ba:70:ea:1a:8f:bf:b9:26:94:a9:83:13: + 17:70:61:f7:38:4e:06:73:1a:3d:b3:02:4b:19:82:a3:4a:e1: + 7c:07:d8:fd:b7:91:56:16:25:86:e9:a8:ff:a5:c2:cb:6e:c8: + ee:b1:da:77:2d:6a:e9:7e:a5:48:54:f4:1f:82:0e:b3:72:0c: + 53:03:95:a3:b0:3c:4e:55:74:ee:96:d6:f7:b2:03:1b:7f:24: + 61:e1:dc:ed:d6:a3:0d:13:02:82:0d:ed:bd:ed:ba:ab:2e:8c: + d0:19:f6:c9:8e:59:ad:68:ea:34:6f:33:5d:96:73:b3:3e:df: + a0:10:d6:ac:18:f6:ab:12:fe:9d:35:41:0d:34:4f:da:70:c3: + 4e:7d:52:46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:db:1e:73:b4:0f:af:11:bb:24:44:d0:48:f1:fb:5d:59:c7:f5:17 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Validity + Not Before: Oct 22 02:57:51 2020 GMT + Not After : Oct 22 02:57:51 2022 GMT + Subject: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption 
+ RSA Public-Key: (2048 bit) + Modulus: + 00:db:e8:73:4e:bd:7a:d1:ce:e6:80:d2:82:52:83: + b1:43:29:6c:90:8c:f6:74:03:79:85:68:c1:4f:7f: + 0c:f0:21:85:e4:57:05:64:11:bd:40:a4:9d:b7:b4: + 20:9c:80:57:b7:aa:0e:02:e3:ae:7c:a3:4b:35:65: + 0a:af:35:44:e0:69:43:87:12:4a:28:20:25:ce:27: + 45:69:e2:24:93:50:de:9f:2f:64:88:00:c3:76:c5: + 6b:38:c1:ef:e8:95:c8:30:f7:20:a2:da:0e:56:ee: + a2:c0:69:58:b2:f1:eb:fc:eb:a4:6d:1e:0f:01:b8: + dd:cd:de:75:76:b0:bf:68:a2:30:47:1e:2f:73:d4: + 24:f9:62:ad:55:78:c9:29:07:2c:cb:17:84:29:fa: + ce:26:5a:19:3a:4a:2b:31:fd:87:59:60:0e:04:d8: + 3b:78:12:ec:1d:e4:22:3a:b2:cf:9f:02:5f:d1:e1: + 5f:1f:33:82:c7:60:4c:f2:12:7e:7f:21:e4:f8:d9: + 9e:9e:31:25:f3:c5:c6:69:39:1d:a6:29:66:65:71: + 6a:78:30:42:72:bb:0b:c1:b5:4f:a3:33:b9:b2:2c: + 64:cf:8a:bb:53:0f:44:80:12:a9:8e:d0:b2:d6:e4: + 7e:98:3d:35:bc:7d:7b:5f:69:1f:96:68:15:46:48: + ea:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + X509v3 Authority Key Identifier: + keyid:18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + b2:79:47:56:c3:e7:13:de:5f:8b:ed:a3:c3:80:11:e1:96:36: + 1f:ce:26:46:84:a7:c2:4e:96:59:c1:97:0b:38:bd:85:51:b2: + 8e:37:ea:45:d1:d9:25:0d:5d:5d:b7:08:2f:bc:7f:4d:d6:88: + 29:2f:6b:ba:cb:4c:12:1a:f4:dc:20:fc:5d:75:f2:8e:4b:db: + bf:70:fb:28:7e:81:16:74:67:5b:38:a1:bf:9f:6f:38:88:d2: + c0:3f:35:43:a6:b5:d4:76:48:4e:58:35:e1:dd:02:d1:fa:03: + 56:1a:8e:08:b1:4c:da:36:d2:2a:59:bf:90:8d:07:33:76:6f: + 10:46:87:d6:ff:e1:6d:cb:2d:9d:21:8e:0c:0e:3d:44:95:b5: + c9:85:7a:4e:76:e6:de:e7:91:96:8a:07:ce:8f:f6:0d:15:bc: + cf:e0:44:97:c6:eb:2f:38:c1:06:71:b9:e4:9c:bf:a7:a5:35: + 4c:7e:3b:d0:c6:13:90:f5:92:ee:44:91:f7:9e:1f:88:8b:d1: + e4:dd:f9:50:df:13:5a:46:64:2f:0e:07:be:75:d7:45:9b:3d: + 
65:38:57:79:5a:f7:00:be:b5:04:e4:37:d5:c5:1c:32:53:cf: + 1f:47:72:70:36:2a:31:99:eb:ef:19:82:3c:23:58:2a:54:63: + e8:2b:0c:f7 +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem new file mode 100644 index 000000000000..f9f104f8d05c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIUCmwXC1yqJjKspOZeS0lbJsJomIMwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxGDAWBgNVBAMMD2ludGVybWVkaWF0ZV9jYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKI2heFAYYMEzvOJ7WVjvkczC3Vf/zo1WS5n +uN2LMO7Rgkbo+XENakPud7L7EN13ySIcjh65s9qq0cqaAbLzjgYoU6av8IufU2rh +pgpoNIU7X8dKlImlIBGytARa9qIblnsinDLhfly78yw/gWU83h+QPWYwhXBeDMMc +Wzo6MvZyZ1IgvdLmue8zcCKYA12YkXRnljG2sp8kstKWh4A8wMfUyE+bVkyr8qTk +Scslqnzx62y3UovwRzaRw8wusq3Vj/MSR4BLlbWRxiAIQr3IwswBphqNif3T7RQw +0IdB/OKfKtt3le4LNES1QZtRpB1seYRNgMXiL8zVJmbsp6hRphUCAwEAAaOBxTCB +wjAdBgNVHQ4EFgQU/d1VXIK/EJrCj1MuJa71mxNR1LwwHwYDVR0jBBgwFoAU/d1V +XIK/EJrCj1MuJa71mxNR1LwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFP3dVVyCvxCawo9TLiWu9ZsTUdS8MB8GA1UdIwQYMBaAFBh4 +Q+SepFHma0Y6R1otellueIQWMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAt1udv9BBzcmErW0JjBAZajzoY0QwVqusZ +j11ex6LNI1rnFomVk+76QQJCeAR4rWeMJBfA9UmAtHVXZuLcQDDL5yTgAnBmSmJR +18kS8KQg8V7AjtmIcx5uZgC2KZYsFx5qp3hGpqLyrN2ZvdeDFacNVWEtb2eVIIky +yy/UsmZr5STI3OU0k12fexiS/yh6G0XFvoecdxCoOvEp+EiLzCmwLRq/1q7CUbeO +woHCUHnwpGZi4PsFF9HkyM5KYgorMM0F+LWR1sVUtxSR6fWLZ0TTFi4NbLupD34S +yFXm0VYhXwV7mVVigQg2/A76PqmSXcSmvSvT43G+u3syc4kbxKLz +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem new file mode 100644 index 000000000000..f8347a170136 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAojaF4UBhgwTO84ntZWO+RzMLdV//OjVZLme43Ysw7tGCRuj5 +cQ1qQ+53svsQ3XfJIhyOHrmz2qrRypoBsvOOBihTpq/wi59TauGmCmg0hTtfx0qU +iaUgEbK0BFr2ohuWeyKcMuF+XLvzLD+BZTzeH5A9ZjCFcF4MwxxbOjoy9nJnUiC9 +0ua57zNwIpgDXZiRdGeWMbaynySy0paHgDzAx9TIT5tWTKvypORJyyWqfPHrbLdS +i/BHNpHDzC6yrdWP8xJHgEuVtZHGIAhCvcjCzAGmGo2J/dPtFDDQh0H84p8q23eV +7gs0RLVBm1GkHWx5hE2AxeIvzNUmZuynqFGmFQIDAQABAoIBAQCQG3wIxtdaPDVW +qpwaTOhH/JMbbXMi1S4rSb40I2oPYFUqheLEirRzMTFp8h3jgn1PLqsbpMKhaswB +/5uuzSzJT54xIXDDuYG0HE8UQ8sU6dCHDjyzo9y/nFDM5brh/TxMnEzD7wwBen/o +OWrM86wpwkypskV5tDQGSfTJ39ZSlZoaHS4/ih88JG2OTQXx7wi5U6s6Qkk1vuNA +prkqj6F6Y73qwiCuwtccEu3GDJiUjVAj7uFTOlpOBzT+2elraq16Y3DmfJ3aljp7 +pqTboytXYHixQ2x081WBv8Iy/flZP3HYe6ms2N5l27vd/tg3f2+p/WIrRolmOqwP +wHtR1oZBAoGBAM1tJ896YZXrLM9CBNcoAue8VhsipqvO8SodP0x5LRCqfnanoNPE +qFW8PwC0g/tGgAl5eA5iBbLOkaEuW1nxudSidlRBxYQ6lZjebscv9Mqe+P3RJd9y +Dv0te/I0lua7ElAUXTw4yGQ6/USr+kLlvOzBLWhbj3BQa4OCXsb5fFMNAoGBAMol +3+2l3G0BEFaXfGv2CRAR58KHA48lOHaIiSnNrWpnsXm4Fr2oYvvPDh5auulToeK3 +9DjfMhyPmgrCIbeHCVt01gvFU/NAGb79Xw21NQPREVhwZY6P4sFb5coO9E2jiESl +7PSaHtuLx8G6AwcIx8xjh+Fuy9ZfirfAB9g/h30pAoGBAMLMGY4zXMpPIkS/M9vb +AzZAb953c1lEeYgYB+g6mDNPmXBm8KkfuQjj41KF2wmyBsP1PZVV+lVecNZJITMf +d7pc/JxVajlDXIyDkMStgxGIwk/dvm4uuGv4b6pzmAzfpDPvu6HZrpztGzG9ayl4 +tThEzwxAlrpIaEtimwFPn0cZAoGAdD0lL61BO/jxoSlIpXf7rB7vqr8iP8zCU/6d +CMm5X0czGW/Ou8445N0iHDhF5Gdv3kOzDoThduToSilpY/QlYE6lymz0ohqI83cU +knhRfNlaZQV0kG6SkGc8klzZBE/1yquyvtBk0A/nlLFWjlPxN8k/2FRyp9mWlaS5 +nhKh4UkCgYBMCtGuPwmSYU6jI1AhygvEWNeN9U9GNH+C7hbDxtYtppjN/7ZUUIIn +kKceZAWbkZlItoOfVVSQLs8IZ5m5Q2g0rOb9/oVmtnK8bPYE16i0gk3VgOKQh+wv +q1Oqidvs4edxeI2sDe9w+Qw8qUo14+Uux7KMAlDrtB42gP5BQOWh0w== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..02da216fd77a34c5b39a173db82577e42f992c0a GIT binary patch literal 171 zcmXqLTw&0-)S%A5*1+0;lZ{oIkC{n|m4QV>>?m8q3eIi)2I`%wmHqp@4K_T;VG)t2 zaDFmxN#L_=H!Jrj-KxmEiWV^@CIJS@v@XXDgnV`ODzH(+F95n>Uz_vOL) RAHo~!t+>n!rSEd~0RW^QGEe{j literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e6af4d98fe86587fa311139739e63645581efaca GIT binary patch literal 1660 zcmXqLVyoa{WLVI|R%p<~mdnPe&Bn;e%5K2O$kN0X2Na4jXktuWSZq*e$Zf#M#vIDR zCd?EXY$$9X2;y+?a5*RDWTxd8$Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;J(M zG;TErFt7$XgH@Z4nMsP3fki~@C|kn{&Tah$>Yb~V{rkNQHay5-5s|2Hell-K;InKu zEB7efs>r;G7BMC!0fq(!OhXeXF_CehAexCrQD_3jQ45s~6bXf4Hjf^7F5s9iO*qw^+J4eL9mGoU{9p&cpnvH+EX}B>obO zUzfaG4WocuBY5gH zj2Z|hH8Cn72Mi-PUGXyjvoseID1qI6QS7(3>f*U)4VRjNnm0OY=1l1MR>EA_nsLy- zp67#N>yvQS6v4d?OXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m z_8{U+yUUi7oxq=Y4yB!EcSaMzNCgXp4pW=jU5=TsmNH>bz|0l`;>%2-AmmnJ)ff z4wLHR*ywZ1?2=aG{t3P8#%1{eZtd6pKg>O?J6ExfhtJk!>eiF3Reoj9?meG4t&9C! z|2JOIJ?9^|Oh5Ko-{K%!;m#*>_Ag&*>QiTZ;h6A*uan-nO#D7izN7o%le<3y?h8k` zrRejq?<>9TI@>nYBD^x{JHx)MEKkg@9+fc)J}>WHRA8oMIP>*;$tD}+2(6Ih7ur1E E0TydUZU6uP literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..71d48a2acc5a09cfd178681ebc87a5e2790cc779 GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z7uNSmZ8k<$R(1nMMwTYlIY6Nq291jriLr=CR5(AGwvTur}aiW7XzkW|CrMU=a~J%GR)g zb6dZGdgp3o|9)?S4G(g#o5sW>z|g>eVdg?*14RRQgu|FvgjfXL{C!q;;YwJ+qJ!)W z5hXVs8t}4lYPET^edlFlg6sM-pG&R{N;_u2MeH^eEG-AfNwd-z+@Haq(NYkz(l#ZA}fv zV1>+<6;GUfrgZWbF4)s=|9qif+p2m-Bhyz0jI-iyzP65i*65oUB7N?Ca>J%+uGh;W zu3bB)d0u?4+e3jHT$!$pTbq{Yt(eYjTIH&vbZnEy!EG;CyQ);{_1@1Y)!4PKi6P1T z@DBIc_pU#=zd!41{aG_s5r?N!pZ=0<_vShN?5t{a*v+jAnwW1JG%;TX;>!k2OuH8_ zGchtTiD=!HE8fDtUU0XH%LR{*zhfhhe-%dyK7&F-ZeS!bhqAB|o|$N=`J86X!)rN`_HDt`R(C8Ac6+lbRTnkOPJhoUZs8 z44N3Zm_P~a_KRY_y;T>_J!`ns6x6)YSuc4dL5Y@i9GKSF_mLG?i<;smp^*=XN144F%P6>aLlOR3-=9o3EeJ!Em_jXtu?{ z_b;ZNF!-*p=oVktyF~{wBQ||}{pak6SavQLz(Hl3f(6o2tyyu5MK@dTewLUr|u zPk!8-H_uS@^U-6Oma@w<(^3nwDh!;8c5@%x>c7}{=O&$$^If}x`CS@>R`y-kbnQvq z3|rGZwbk*N^3yUz-8^1RWnyMzU|gJRkZ2$ajAB_n797O{F!utbm02VV#2T=cBL@5+ z1;UJs|5;cKn1Pf5A4q^7B)|epwQb1J0L$K+D&4~lKNr3i-~D#+;ReBn)6C@0skyZ* zKjb$p^5ArCi@mLZoBGUOxn8`f${QQIokM?5z3;USP5ta$r+tK^zT8px6I=SJ&-?cN zg5Mf-jbbI~(H0B$&(F8$xOBkY)Op#~D`g&j5vC9CGF|+|946JrvC-$2*(I&W{S$iG zjmz={+}f}Gf0%n(cdlX|51*~e)U795tNhBI-FrT9S{M7d{%^dZd(J;_nSSiGzQsYd z!ktg%>|egr)Thq+!ZG0qUnjkDnfQI4d`I`iCwG4a+!u~=OVQ_J-&cCwb+&D)MR;Y@ pcZPjiS)Q0*Jt|`qd|uwYsK89iaOUgxl1($Ok~52w^9^|oxIyAv zJS;wyX(fh|2I3$tH;({_tKgcKo|%`LT9lcW4zq)qhbcKxg5Su%$iUFR2uPWln;JzK zBpW0eSOZWFMiy8 z%V{z3eXPyShcgZ<9$u=hxt{ax5f8zj+GU&Hzu3DzA#w4sv%zKBnJF)Ho-O@!m-Wo% zTNQWwxzBk8CYdokU05kQz4@5P{e9PW{XE6H$Jp=5Y>9*mQ`%Ilzgst$SUg{T^I`Yf z<$El9zSX5Bv+Vm7e_-wp$FBU%PSgLM`=!D@@3E+PTH0#App3u8*ZC8=-?tf_y4hyA zztwuL*F@O`(-JgW({ERf*U)4VRjNnm0OY=1l1MR>EA_nsLy-p67#N>yvQS6v4d? 
zOXhChqA;f+eETXsrpN1Q7JHkfa;-OYd64PcF65=5pn6W-HS>|m4bV(ocQf zxAzzP)~IU~D@l*GSh#eR!AY;xFbfsXmU4KDW#+X+`dz z(93RImM`Gee(nFm+|#;q75jMjY+a^qJ=t32SN81Q^NG{C*w6KU;}zX={(;N%W3Tls z4zd;Qd@^VM@};Ieb=DV-2~YSs>7C2O@AKq4x-UMt`!nFaaFkn$J|FwO((A6XZBs46 rE2F+M?Ayxn#Qf?}8KdCy^6o_iW?F_bU%!`ZvQduE3Q2yU&GQ`q{!BG3 literal 0 HcmV?d00001 diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der new file mode 100644 index 0000000000000000000000000000000000000000..a81d57b98f99badc7f8e09bec0c54ff56323219e GIT binary patch literal 106 zcmV-w0G0nRXfS3lKQKKoJ1_|b1uG5%0vZJX1QZs<27ssuwvR9;iK`<|k4rGH;A{jG z{oPeug1-=&!jDrfC9d_G6H(N>0s;^Kq9ZUNFdqg9D+U1t1qUzz0t6BS5b>?X-BICg MWtKXX+b^ge-DF@P!2kdN literal 0 HcmV?d00001 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der new file mode 100644 index 0000000000000000000000000000000000000000..e3ebdc126fcc5849c7895dc47e817972604cf712 GIT binary patch literal 1686 zcmXqLVw=Rp$grS^t=pi9t(}cin~jl`mEC}mk)?^P0w`2s(8S2Qu(83Q&XC)HlZ`o) zg-w_#G}utsKoG>?;Nfyk%*jm4FUreIG!!!s0SU76@CGO5DYz9S<|StqC+8dT8gPTe zxp-K7D$_~~B@M(uTy7o#5Ldx9FFi9aHMJ-+FWpeWKnx_s%)_6VSCU$ko0^iDSdto_ zoG8I>WME`qXkY}SOwCP=q6~rz0t~EyPGZ&OV`h?KWnd8zJIdCuf^%EHfqLg^W&eI} zgAEUISVaEb4UK8qFEHy+f3TkFy05c^1F!61ViI6zV!$wSp|XLZfjlA*m{^2Z1U{}k zb~o^0Ug|Wfskil4$lo>KW#iOp^Jx3d%gD&h%D~*j$jIQsfBbkvQ0k#+7Sk0so`0rR z+x26wc}AK&Pnuw~tXv7p*H>8^D%S{nmF%{D>GmyW-q+4 zoQLOd?yqgOFWIx0bK?)U)$y~HTW`!UD_!~OdJy-l1>2VjXRc}dGxyiQ+guL0T^EiW z=H4W@*=*v<2t)gK+**5`*=$7e)47irUI|+EM@c7O&+GDLwzy{|HqJ^_cYZ3(;6D21 zX0yEbt=!bLcQ2%6b_jL+ZxQJUIK1Opjo>NEFlwNaIxxp6A%_wpIFa!)0L8hOK&fq!S?fcG#AcRrpF7{CChv1M z<}Qu@Z)F;(m%ig}x52xMO>QrK7V>5}zboJLTi|Z_NhO&+xt*JDt-5$>7UQPReQX-R z%hrGBo*$g`a2Z#INvn1Iajz+zOBDn+ZDEP}wn%zfwbC4;hjlT#KkL{xrrO+-pJ1D2 z&{`13b66(Y%F5_lQF@TV-b>GRzBevVn!y}9V`54AG{bG1=BsSFG_AeC=D_hQC;VrJ z`Ki*zvHu3Noy-jPc_J0;~Z}6VFb>cAv4yU~*4xM3KCe_>d z_wrj2gA47Be;&=(x?Mi?9k+?gR>#?aOJs8@TYMXiKGHvPRW0q!@)d#0M46Zw85kEg z9yMq@WFQMHE@b&w#IWacU}gqNE3*KLl?JQ@fdM~AfiNTEe->5)W*}w22NK{139tYY zaT_TXNK`mKnYSeHS+<*%dz5ZfWL`y!7-0*r6eqgZp67oNC@xCWj&@3BVT4FOU2ss9u@HeUp*VPl!m80y5nGQ`nk#jrh+uD zq`>PZg+44%_!xJf?`B7_TwWT(HqB`|;&NHbE8LbX`n2Zm%)Qr}MVIr2ChF#=PgUqN zI<0?YQ(E>@l@oWKnoN$JUoA1|zebg`>(PDfbIJu)Sbfy|;n96YbAztb{%h+F1#a&< z)OaYM^23s}qzAuQ#VyNDyuN@89E;8}u*Y0$e%VK)GIlEW#*9n~n seReTSF`l)0W@u6)huI&#Uv?`e#U5Fmutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() ->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir 
}}/unittestkey.pem"));
+ server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute(
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"));
+ server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute(
+ "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"));
 envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context()
@@ -1003,9 +1003,9 @@ TEST_P(SslSocketTest, GetUriWithUriSan) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1077,9 +1077,9 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1099,9 +1099,9 @@ TEST_P(SslSocketTest, NoCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam());
@@ -1287,9 +1287,9 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -1395,9 +1395,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1422,9 +1422,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1443,9 +1443,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1470,9 +1470,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1620,9 +1620,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1648,9 +1648,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1743,9 +1743,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1765,9 +1765,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1790,9 +1790,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -1817,9 +1817,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\"");
@@ -1842,9 +1842,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem"
@@ -2399,9 +2399,9 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2456,9 +2456,9 @@ TEST_P(SslSocketTest, HalfClose) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -2718,9 +2718,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem"
@@ -3035,9 +3035,9 @@ TEST_P(SslSocketTest, TicketSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -3059,9 +3059,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) {
 tls_maximum_protocol_version: TLSv1_2
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -3081,9 +3081,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -3110,9 +3110,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -3122,9 +3122,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
@@ -3144,9 +3144,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a"
@@ -3156,9 +3156,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 session_ticket_keys:
 keys:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b"
@@ -3319,9 +3319,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: true
 )EOF";
@@ -3337,9 +3337,9 @@ TEST_P(SslSocketTest, SatelessSessionResumptionEnabledExplicitly) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 disable_stateless_session_resumption: false
 )EOF";
@@ -3355,9 +3355,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionEnabledByDefault) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 const std::string client_ctx_yaml = R"EOF(
@@ -3374,9 +3374,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) {
 common_tls_context:
 tls_certificates:
 certificate_chain:
- filename: "{{ test_tmpdir }}/unittestcert.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
 private_key:
- filename: "{{ test_tmpdir }}/unittestkey.pem"
+ filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 validation_context:
 trusted_ca:
 filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem"
@@ -3387,9 +3387,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -3661,9 +3661,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3682,9 +3682,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3704,9 +3704,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3729,9 +3729,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3754,9 +3754,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3775,9 +3775,9 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -4282,9 +4282,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -4326,9 +4326,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" 
@@ -4376,9 +4376,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" @@ -4401,9 +4401,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" @@ -4465,9 +4465,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" 
@@ -4486,9 +4486,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" @@ -4914,9 +4914,9 @@ class SslReadBufferLimitTest : public SslSocketTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -5063,13 +5063,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa 
@@ -5097,13 +5097,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: false mode: rsa @@ -5131,13 +5131,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true mode: rsa @@ -5165,13 +5165,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa 
@@ -5199,13 +5199,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false crypto_error: true @@ -5234,13 +5234,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true @@ -5269,13 +5269,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa 
@@ -5303,13 +5303,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa @@ -5337,13 +5337,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa @@ -5372,13 +5372,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa 
@@ -5426,7 +5426,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5466,7 +5466,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5546,7 +5546,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true @@ -5590,7 +5590,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa 
@@ -5617,11 +5617,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5633,7 +5633,8 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); @@ -5647,11 +5648,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; 
@@ -5670,11 +5671,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5693,11 +5694,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5716,9 +5717,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -5737,11 +5738,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; @@ -5761,11 +5762,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5785,11 +5786,11 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5805,7 +5806,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio {{"envoy.reloadable_features.check_ocsp_policy", "false"}}); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); testUtil(test_options.enableOcspStapling() @@ -5818,9 +5821,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoRespo common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5846,17 +5849,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5868,7 +5871,8 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 )EOF"; - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -5882,17 +5886,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index d3ad086c98d4..b1155f18d9fe 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -256,3 +256,7 @@ openssl rand 79 > ticket_key_wrong_len # Generate a certificate with no subject CN and no altnames. generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca + +# Generate unit test certificate +generate_rsa_key unittest +generate_selfsigned_x509_cert unittest 
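Review bot: The two new generate_* calls at the end of certs.sh mint a certificate whose validity window is fixed at generation time, and the companion unittest_cert_info.h in this series records a two-year NOT_BEFORE/NOT_AFTER span, so the checked-in unittest_cert.pem will expire and every test in ssl_socket_test.cc that this series repointed at it will then fail on certificate validity rather than on the condition under test. The lines themselves carry no hint of that dependency; a comment above them such as `# Generate unit test certificate (self-signed; consumed by ssl_socket_test.cc — rerun this script and refresh unittest_cert_info.h when it expires)` would make the maintenance obligation visible where the regeneration happens. The bodies of generate_rsa_key and generate_selfsigned_x509_cert are outside the hunk, so the exact validity period cannot be confirmed from the patch alone.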
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
new file mode 100644
index 000000000000..2e485f9fa0c5
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
@@ -0,0 +1,23 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = US
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Unit Test CA
+commonName_default = Unit Test CA
+commonName_max = 64
+emailAddress = unittest@lyft.com
+emailAddress_default = unittest@lyft.com
+emailAddress_max = 64
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
new file mode 100644
index 000000000000..6ff804b3e4de
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
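Review bot: The request config declares only a distinguished name and no extension section, so unless generate_selfsigned_x509_cert supplies extensions on its own command line (its body is not in this patch) the certificate it produces has no subjectAltName and is identified solely by the CN `Unit Test CA`. That combination is fine for tests that only need a valid server certificate, but a test that verifies the peer name against it would fail, and the "CA" wording is misleading for a leaf presented as the server certificate. A header comment such as `# Self-signed leaf used as the unit-test server certificate; DN only, no SAN or CA extensions` would state the intended scope for the next person who reuses this file.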
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqsCFFhdk4KsJ1P+AdrZbrUMmzyfNxrPMA0GCSqGSIb3DQEBCwUAMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTAeFw0yMDEwMjEyMzA3NThaFw0yMjEwMjEyMzA3NThaMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL93
+hRLp1s4yNZHUzG+ofX13rgNfiRC9pFVJt4aZYldh440+ZfQDotPsQCaa1Nm+zPHz
+leZCxWfRVK82VGWmVy3PLExzuMr8Ar/ypwvQXxnCaZAeIYd1e917LM21jHu/CfV8
+VLF1ZtrknowZWoCll1CarmYDkQfYDSk+RcQo8XIkLeYV5JHbGK7jGoDMYmBO2Gdp
+XW4FpVi9vb7pRUfUu3ot0q1SCYGew+YrwT3yWteku66nw8cutIQEbEo00OI8wbHG
+Vuh7yY8bTdBS9r4rsQpOCSm6k5a1eKPpv8CfJdKyuXDbx2gbvFjFF6hjgp8+LCE2
+0GpLvf0VMxOVf9XZE/cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAt9aJc3imaGQD
+1+c81ZiItdBpFJRLuO1MHmXgwJUnouJz4uT+KFkDbThaABg/L3Q/s0boWy+u9S5s
+ae8FcFvniMUBIjKzkizw6ZI6xTG6VMPDTklwWxNrNEzIBkNrcUkje/X/reyi56B+
+cbjpRJ8j0joV6xqBMFn+qMPIvAMSDJD4lMnjSxGZliDIlPvuk96RVNlF8Y18d/6G
+ThWuVgN3CyoG+JXs2sSGbqLzWCnB8zgU0VN7CZZu4yh/cE9uNc0z5M66Adrh4eJl
+pO/WWWxXHxIveRtH7DV9vhWE78KJRCcIec5Ta+X1evX1beKiNZd/5Elkyb613hTJ
+lCkcOlSebQ==
+-----END CERTIFICATE-----
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
new file mode 100644
index 000000000000..bc725d6e6b4e
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
@@ -0,0 +1,8 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_UNITTEST_CERT_256_HASH[] =
+ "36c86c016f8b243b681a094c11d394ac06edac336a3ece479a1b2eeb455b1492";
+constexpr char TEST_UNITTEST_CERT_1_HASH[] = "82be621a0f4b6046365496788befbe2e95977eb1";
+constexpr char TEST_UNITTEST_CERT_SPKI[] = "eWpfAfOA1JddINxIW/64Lc6XHpeo0u9IHx6dE42p9jw=";
+constexpr char TEST_UNITTEST_CERT_SERIAL[] = "585d9382ac2753fe01dad96eb50c9b3c9f371acf";
+constexpr char TEST_UNITTEST_CERT_NOT_BEFORE[] = "Oct 21 23:07:58 2020 GMT";
+constexpr char TEST_UNITTEST_CERT_NOT_AFTER[] = "Oct 21 23:07:58 2022 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
new file mode 100644
index 000000000000..dd3456d15fb6
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAv3eFEunWzjI1kdTMb6h9fXeuA1+JEL2kVUm3hpliV2HjjT5l
+9AOi0+xAJprU2b7M8fOV5kLFZ9FUrzZUZaZXLc8sTHO4yvwCv/KnC9BfGcJpkB4h
+h3V73XsszbWMe78J9XxUsXVm2uSejBlagKWXUJquZgORB9gNKT5FxCjxciQt5hXk
+kdsYruMagMxiYE7YZ2ldbgWlWL29vulFR9S7ei3SrVIJgZ7D5ivBPfJa16S7rqfD
+xy60hARsSjTQ4jzBscZW6HvJjxtN0FL2viuxCk4JKbqTlrV4o+m/wJ8l0rK5cNvH
+aBu8WMUXqGOCnz4sITbQaku9/RUzE5V/1dkT9wIDAQABAoIBAFZlFAMIyQiZ11pK
+b0Ui/h0TV83l2e9X40Mo1EtEAv/zB77AHTkSOvLtc7T3wHvQgKHcjBMupezGpDO7
+jDGh8UyWYyLMROIy/Pqn/4BxMbhp5UBGmFKLTK0P25OnDBD6jv/abkz08MhsyK3m
+8tOB5NlWMsONcG/dqXKmysxMvUYHDMlF3Re5PmvyWVKpclqYxWWXRSAy/FygSUPN
+bCwKSv1QXytNefkN7n/G8WaGLU52pff3HMpt4JwTl5rnOiPRZGowFPJnNgO9uW85
+Rj620Db+MZzmJvTeSkxgpIUYUuDtgrvARYa+4y0Lajl4EHkCKg0YYzXbDPORFQ3M
+WwN9LqECgYEA8B5I/lYU2QNyIlHjXx2KeKArCriL5sd0KCBHgcE586wyVb5vonET
+ovNq8IH+2F4h8d+gbkzoQ2oGYsmM1AiCoxkio6c2KgAUHBbpGfjf92zSDirqBTqg
+xha25eXElbu44EkiDWxpy944LkFlNiCLb9+5yqyfqqyixvxRtSBWtAsCgYEAzCF2
+WFn73i7zBNA/6yjodLUXy0BUjL38WV4HU3WDEbPp28e/+NLoWXH/B9BH950J+EGI
+LPwjpk6ODhYeMknsdzYV8X5RkOuft7B0yrrdInN+vtIlvZmRd47esuJTcnj3zuUB
+2B4TkmWUFf6kLn+TXwLB0wbsj9ieZMJzQkdSx0UCgYEAlBjJwnyLTTHv4jUJfK+2
+qSF4ips6RnN8NAd8sw3fVWg+f13+cn01tEpYCdDTwtWEMC9SPtWWZ4XsPF+9SUWa
+dUfacn9+S7dSr+R9jvROBsgKYoybW/BGGwcFdZQahJOMumDA7PCR7Bi6I+VXrGO0
+PKMLb3K648SofPxA1OsGLvMCgYEAqzOhYuZNRIIR1cam5R6RH1jGlPPmNYgdvgIL
+mOakv9Mp3ud/zTtuHZ5rK212/mhZ9TlY8YmiiJe3sn7AYqL3TOAytTChTi8f7Fp1
+CZaBYqSE95uehY7nnuNXSaZiIE7uXzpYOp63AYBqG6xOnKTov7W7Q7a57sbZyV4A
+duUEuxUCgYEAnxFo8ln1H2QcxQS/y8l8r4MRXj9weDhlp/eXtfgd8JiJ5m+E6r+D
+tr2wg6Q92ertogdaMvXiPfi/5qiTqsJvTahqx1E2WYRHxywkfbte1a/3bGNxe3Gr
+bba7Pd1JXwJ1s8ahB7yoS/xyYLSl5fmE3N14j8wwkmtv1q3TNstmg3Y=
+-----END RSA PRIVATE KEY-----
From b649f1394d6f5243a1f57c137e2825dfdba0b16c Mon Sep 17 00:00:00 2001
From: Christoph Pakulski
Date: Tue, 22 Dec 2020 22:44:32 +0000
Subject: [PATCH 5/5] Corrected release notes.
Signed-off-by: Christoph Pakulski
---
 docs/root/version_history/current.rst | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 462f146d0b2e..ce19f6f7fbca 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -14,10 +14,6 @@ Bug Fixes
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
 
 * lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection().
-* dns: fix a bug where custom resolvers provided in configuration were not preserved after network issues.
-* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses.
-* http: sending CONNECT_ERROR for HTTP/2 where appropriate during CONNECT requests.
-* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections.
 * tls: fix detection of the upstream connection close event.
 
 Removed Config or Runtime
