diff --git a/VERSION b/VERSION
index 41c11ffb730c..17008736ca0b 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.16.1
+1.16.3-dev
diff --git a/ci/Dockerfile-envoy-google-vrp b/ci/Dockerfile-envoy-google-vrp
index 802e148851e0..abc84f1269ab 100644
--- a/ci/Dockerfile-envoy-google-vrp
+++ b/ci/Dockerfile-envoy-google-vrp
@@ -16,6 +16,9 @@ ADD configs/google-vrp/supervisor.conf /etc/supervisor.conf
 ADD test/config/integration/certs/serverkey.pem /etc/envoy/certs/serverkey.pem
 ADD test/config/integration/certs/servercert.pem /etc/envoy/certs/servercert.pem
 # ADD %local envoy bin% /usr/local/bin/envoy
+RUN chmod 777 /var/log/supervisor
+RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/*
+RUN chmod a+rx /usr/local/bin/launch_envoy.sh
 EXPOSE 10000
 EXPOSE 10001
diff --git a/configs/google-vrp/supervisor.conf b/configs/google-vrp/supervisor.conf
index e019581d079c..1e1d09f33660 100644
--- a/configs/google-vrp/supervisor.conf
+++ b/configs/google-vrp/supervisor.conf
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+logfile=/var/log/supervisor/supervisord.log
 [program:envoy-edge]
 command=launch_envoy.sh -c /etc/envoy/envoy-edge.yaml %(ENV_ENVOY_EDGE_EXTRA_ARGS)s
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index f50abcf6e447..586339d864dc 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -1,5 +1,5 @@
-1.16.1 (November 20, 2020)
-==========================
+1.16.3 (Pending)
+================
 Incompatible Behavior Changes
 -----------------------------
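Review bot: `RUN chmod a+r /etc/supervisor.conf /etc/envoy/* /etc/envoy/certs/*` makes `/etc/envoy/certs/serverkey.pem`, copied in by the ADD line just above, readable by every account in the container, and `RUN chmod 777 /var/log/supervisor` lets any process in the container replace or truncate supervisord's log. The intent is presumably to let an unprivileged supervisord/envoy read its config and write its log; that is better done by ownership than by opening the files to everyone, e.g. `RUN chown -R <runtime-user> /var/log/supervisor /etc/envoy && chmod 750 /var/log/supervisor && chmod 640 /etc/envoy/certs/*` with whatever user the base image actually runs these programs as (not visible in this diff). If the key is deliberately public because this is the VRP target image built from test certs, say so in a comment next to the chmod so the permissions are not copied into a production Dockerfile.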
@@ -74,12 +74,10 @@ Bug Fixes Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* -* examples: examples use v3 configs. -* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. -* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. -* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. -* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. -* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. + +* aggregate cluster: fixed a crash due to a TLS initialization issue. +* lua: fixed crash when Lua script contains streamInfo():downstreamSslConnection(). +* tls: fix detection of the upstream connection close event. Removed Config or Runtime ------------------------- diff --git a/docs/root/version_history/v1.16.1.rst b/docs/root/version_history/v1.16.1.rst new file mode 100644 index 000000000000..18ffb805e2b9 --- /dev/null +++ b/docs/root/version_history/v1.16.1.rst 
@@ -0,0 +1,31 @@ +1.16.1 (November 20, 2020) +========================== + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* examples: examples use v3 configs. +* listener: fix crash when disabling or re-enabling listeners due to overload while processing LDS updates. +* proxy_proto: fixed a bug where the wrong downstream address got sent to upstream connections. +* proxy_proto: fixed a bug where network filters would not have the correct downstreamRemoteAddress() when accessed from the StreamInfo. This could result in incorrect enforcement of RBAC rules in the RBAC network filter (but not in the RBAC HTTP filter), or incorrect access log addresses from tcp_proxy. +* tls: fix read resumption after triggering buffer high-watermark and all remaining request/response bytes are stored in the SSL connection's internal buffers. +* udp: fixed issue in which receiving truncated UDP datagrams would cause Envoy to crash. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/v1.16.2.rst b/docs/root/version_history/v1.16.2.rst new file mode 100644 index 000000000000..b1af2497d4bd --- /dev/null +++ b/docs/root/version_history/v1.16.2.rst 
@@ -0,0 +1,27 @@ +1.16.2 (December 7, 2020) +========================= + +Incompatible Behavior Changes +----------------------------- +*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* + +Minor Behavior Changes +---------------------- +*Changes that may cause incompatibilities for some users, but should not for most* + +Bug Fixes +--------- +*Changes expected to improve the state of the world and are unlikely to have negative effects* + +* http: fixed URL parsing for HTTP/1.1 fully qualified URLs and connect requests containing IPv6 addresses. +* vrp: allow supervisord to open its log file. + +Removed Config or Runtime +------------------------- +*Normally occurs at the end of the* :ref:`deprecation period ` + +New Features +------------ + +Deprecated +---------- diff --git a/docs/root/version_history/version_history.rst b/docs/root/version_history/version_history.rst index 453bda753f1f..55bdaf928aeb 100644 --- a/docs/root/version_history/version_history.rst +++ b/docs/root/version_history/version_history.rst @@ -7,6 +7,8 @@ Version history :titlesonly: current + v1.16.2 + v1.16.1 v1.16.0 v1.15.2 v1.15.1 diff --git a/include/envoy/registry/registry.h b/include/envoy/registry/registry.h index b52686036074..b90e86ca52f3 100644 --- a/include/envoy/registry/registry.h +++ b/include/envoy/registry/registry.h @@ -346,6 +346,7 @@ template class FactoryRegistry : public Logger::Loggable>(); for (const auto& [factory_name, factory] : factories()) { + UNREFERENCED_PARAMETER(factory_name); if (factory == nullptr) { continue; } diff --git a/source/common/config/new_grpc_mux_impl.cc b/source/common/config/new_grpc_mux_impl.cc index 0015a2689971..50bfc07e08e4 100644 --- a/source/common/config/new_grpc_mux_impl.cc +++ b/source/common/config/new_grpc_mux_impl.cc 
@@ -90,6 +90,7 @@ void NewGrpcMuxImpl::onDiscoveryResponse(
 void NewGrpcMuxImpl::onStreamEstablished() {
   for (auto& [type_url, subscription] : subscriptions_) {
+    UNREFERENCED_PARAMETER(type_url);
     subscription->sub_state_.markStreamFresh();
   }
   trySendDiscoveryRequests();
diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc
index 8869e6bb5a2a..9dcf07691c00 100644
--- a/source/common/http/utility.cc
+++ b/source/common/http/utility.cc
@@ -228,6 +228,30 @@ namespace Http {
 static const char kDefaultPath[] = "/";
+// If http_parser encounters an IP address [address] as the host it will set the offset and
+// length to point to 'address' rather than '[address]'. Fix this by adjusting the offset
+// and length to include the brackets.
+// @param absolute_url the absolute URL. This is usually of the form // http://host/path
+// but may be host:port for CONNECT requests
+// @param offset the offset for the first character of the host. For IPv6 hosts
+// this will point to the first character inside the brackets and will be
+// adjusted to point at the brackets
+// @param len the length of the host-and-port field. For IPv6 hosts this will
+// not include the brackets and will be adjusted to do so.
+bool maybeAdjustForIpv6(absl::string_view absolute_url, uint64_t& offset, uint64_t& len) {
+  // According to https://tools.ietf.org/html/rfc3986#section-3.2.2 the only way a hostname
+  // may begin with '[' is if it's an ipv6 address.
+  if (offset == 0 || *(absolute_url.data() + offset - 1) != '[') {
+    return false;
+  }
+  // Start one character sooner and end one character later.
+  offset--;
+  len += 2;
+  // HTTP parser ensures that any [ has a closing ]
+  ASSERT(absolute_url.length() >= offset + len);
+  return true;
+}
+
 bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) {
   struct http_parser_url u;
   http_parser_url_init(&u);
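Review bot: `maybeAdjustForIpv6` is defined at `namespace Http` scope with external linkage although the only visible user is `Utility::Url::initialize` just below it; make it file-local with `static bool maybeAdjustForIpv6(absl::string_view absolute_url, uint64_t& offset, uint64_t& len) {` (or an anonymous namespace), and `*(absolute_url.data() + offset - 1)` reads more simply as `absolute_url[offset - 1]`. The closing-bracket guarantee is only checked by `ASSERT`, which compiles out in release builds, so the comment above it should say explicitly that the unchecked `len += 2` is safe only because http_parser has already rejected an unbalanced `[` by the time this runs. The "only way a hostname may begin with '[' is if it's an ipv6 address" comment also overstates RFC 3986, which allows IPvFuture inside the brackets as well; it is the caller's `parseAuthority` check, not this function, that restricts the literal to an IP. `Utility::Url::initialize` begins on the last lines of this hunk and continues past it.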
@@ -244,20 +268,27 @@ bool Utility::Url::initialize(absl::string_view absolute_url, bool is_connect) {
   scheme_ = absl::string_view(absolute_url.data() + u.field_data[UF_SCHEMA].off,
                               u.field_data[UF_SCHEMA].len);
 
-  uint16_t authority_len = u.field_data[UF_HOST].len;
+  uint64_t authority_len = u.field_data[UF_HOST].len;
   if ((u.field_set & (1 << UF_PORT)) == (1 << UF_PORT)) {
     authority_len = authority_len + u.field_data[UF_PORT].len + 1;
   }
-  host_and_port_ =
-      absl::string_view(absolute_url.data() + u.field_data[UF_HOST].off, authority_len);
+
+  uint64_t authority_beginning = u.field_data[UF_HOST].off;
+  const bool is_ipv6 = maybeAdjustForIpv6(absolute_url, authority_beginning, authority_len);
+  host_and_port_ = absl::string_view(absolute_url.data() + authority_beginning, authority_len);
+  if (is_ipv6 && !parseAuthority(host_and_port_).is_ip_address_) {
+    return false;
+  }
 
   // RFC allows the absolute-uri to not end in /, but the absolute path form
-  // must start with
-  uint64_t path_len = absolute_url.length() - (u.field_data[UF_HOST].off + hostAndPort().length());
-  if (path_len > 0) {
-    uint64_t path_beginning = u.field_data[UF_HOST].off + hostAndPort().length();
-    path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_len);
+  // must start with. Determine if there's a non-zero path, and if so determine
+  // the length of the path, query params etc.
+  uint64_t path_etc_len = absolute_url.length() - (authority_beginning + hostAndPort().length());
+  if (path_etc_len > 0) {
+    uint64_t path_beginning = authority_beginning + hostAndPort().length();
+    path_and_query_params_ = absl::string_view(absolute_url.data() + path_beginning, path_etc_len);
   } else if (!is_connect) {
+    ASSERT((u.field_set & (1 << UF_PATH)) == 0);
     path_and_query_params_ = absl::string_view(kDefaultPath, 1);
   }
   return true;
diff --git a/source/common/init/manager_impl.cc b/source/common/init/manager_impl.cc
index 650203fabbea..1440dd726414 100644
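Review bot: On the new `return false` path `host_and_port_` (and `scheme_`, assigned at the top of the hunk) have already been stored, so a `Url` whose `initialize()` failed still reports a scheme and a host that was just rejected; a caller that ignores the return value, or reuses the object, sees partially initialized state. Validate before storing: `const absl::string_view authority(absolute_url.data() + authority_beginning, authority_len);` / `if (is_ipv6 && !parseAuthority(authority).is_ip_address_) { return false; }` / `host_and_port_ = authority;`. The `is_ip_address_` check is also gated on `is_ipv6`, so an unbracketed host gets no validation here at all and must be rejected elsewhere — worth a one-line comment if that is intended, since the bracketed case now looks like the only validated one. `initialize()` starts before this hunk and its closing brace is after it.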
--- a/source/common/init/manager_impl.cc +++ b/source/common/init/manager_impl.cc @@ -71,6 +71,7 @@ void ManagerImpl::dumpUnreadyTargets(envoy::admin::v3::UnreadyTargetsDumps& unre auto& message = *unready_targets_dumps.mutable_unready_targets_dumps()->Add(); message.set_name(name_); for (const auto& [target_name, count] : target_names_count_) { + UNREFERENCED_PARAMETER(count); message.add_target_names(target_name); } } diff --git a/source/common/router/scoped_rds.cc b/source/common/router/scoped_rds.cc index d9ca4781e7b5..17613814efea 100644 --- a/source/common/router/scoped_rds.cc +++ b/source/common/router/scoped_rds.cc @@ -427,6 +427,7 @@ ScopedRdsConfigSubscription::detectUpdateConflictAndCleanupRemoved( absl::flat_hash_map scope_name_by_hash = scope_name_by_hash_; absl::erase_if(scope_name_by_hash, [&updated_or_removed_scopes](const auto& key_name) { auto const& [key, name] = key_name; + UNREFERENCED_PARAMETER(key); return updated_or_removed_scopes.contains(name); }); absl::flat_hash_map diff --git a/source/extensions/clusters/aggregate/cluster.cc b/source/extensions/clusters/aggregate/cluster.cc index 958c678d0202..2042ffe866a9 100644 --- a/source/extensions/clusters/aggregate/cluster.cc +++ b/source/extensions/clusters/aggregate/cluster.cc @@ -20,7 +20,9 @@ Cluster::Cluster(const envoy::config::cluster::v3::Cluster& cluster, : Upstream::ClusterImplBase(cluster, runtime, factory_context, std::move(stats_scope), added_via_api), cluster_manager_(cluster_manager), runtime_(runtime), random_(random), - tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) {} + tls_(tls.allocateSlot()), clusters_(config.clusters().begin(), config.clusters().end()) { + tls_->set([](Event::Dispatcher&) { return nullptr; }); +} PriorityContextPtr Cluster::linearizePrioritySet(const std::function& skip_predicate) { 
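Review bot: The new `tls_->set([](Event::Dispatcher&) { return nullptr; });` in the `Cluster` constructor has no comment, and the changelog line "fixed a crash due to a TLS initialization issue" is the only explanation of why an empty object is installed in the slot on every worker before any priority set exists. Add a why-comment above it, e.g. `// Populate the slot on every worker up front so that a lookup racing cluster initialization finds the slot set instead of crashing — TODO(review): confirm against the crash being fixed.` The hedge is deliberate: the lookup side of the slot is outside this hunk, so the exact race is inferred from the fix, not visible. The constructor is complete within the hunk; `linearizePrioritySet` begins on its last line and continues past it.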
diff --git a/source/extensions/filters/http/lua/wrappers.h b/source/extensions/filters/http/lua/wrappers.h index 89f7cb6d2d24..ad3890971a91 100644 --- a/source/extensions/filters/http/lua/wrappers.h +++ b/source/extensions/filters/http/lua/wrappers.h @@ -207,7 +207,10 @@ class StreamInfoWrapper : public Filters::Common::Lua::BaseLuaObject dynamic_metadata_wrapper_; diff --git a/source/server/admin/config_dump_handler.cc b/source/server/admin/config_dump_handler.cc index dbfd13a01e2e..9e1d54e9d3e9 100644 --- a/source/server/admin/config_dump_handler.cc +++ b/source/server/admin/config_dump_handler.cc @@ -155,6 +155,7 @@ ConfigDumpHandler::addResourceToDump(envoy::admin::v3::ConfigDump& dump, } for (const auto& [name, callback] : callbacks_map) { + UNREFERENCED_PARAMETER(name); ProtobufTypes::MessagePtr message = callback(); ASSERT(message); @@ -200,6 +201,7 @@ void ConfigDumpHandler::addAllConfigToDump(envoy::admin::v3::ConfigDump& dump, } for (const auto& [name, callback] : callbacks_map) { + UNREFERENCED_PARAMETER(name); ProtobufTypes::MessagePtr message = callback(); ASSERT(message); @@ -220,6 +222,7 @@ ProtobufTypes::MessagePtr ConfigDumpHandler::dumpEndpointConfigs() const { auto endpoint_config_dump = std::make_unique(); for (const auto& [name, cluster_ref] : server_.clusterManager().clusters()) { + UNREFERENCED_PARAMETER(name); const Upstream::Cluster& cluster = cluster_ref.get(); Upstream::ClusterInfoConstSharedPtr cluster_info = cluster.info(); envoy::config::endpoint::v3::ClusterLoadAssignment cluster_load_assignment; diff --git a/source/server/filter_chain_manager_impl.cc b/source/server/filter_chain_manager_impl.cc index 0e006561ce09..65edde071124 100644 --- a/source/server/filter_chain_manager_impl.cc +++ b/source/server/filter_chain_manager_impl.cc 
@@ -600,6 +600,7 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceIpAn void FilterChainManagerImpl::convertIPsToTries() { for (auto& [destination_port, destination_ips_pair] : destination_ports_map_) { + UNREFERENCED_PARAMETER(destination_port); // These variables are used as we build up the destination CIDRs used for the trie. auto& [destination_ips_map, destination_ips_trie] = destination_ips_pair; std::vector>> @@ -613,8 +614,11 @@ void FilterChainManagerImpl::convertIPsToTries() { // We need to get access to all of the source IP strings so that we can convert them into // a trie like we did for the destination IPs above. for (auto& [server_name, transport_protocols_map] : *server_names_map_ptr) { + UNREFERENCED_PARAMETER(server_name); for (auto& [transport_protocol, application_protocols_map] : transport_protocols_map) { + UNREFERENCED_PARAMETER(transport_protocol); for (auto& [application_protocol, source_arrays] : application_protocols_map) { + UNREFERENCED_PARAMETER(application_protocol); for (auto& [source_ips_map, source_ips_trie] : source_arrays) { std::vector< std::pair>> diff --git a/test/common/http/utility_test.cc b/test/common/http/utility_test.cc index 87dabd8f087a..9185ac4dc76f 100644 --- a/test/common/http/utility_test.cc +++ b/test/common/http/utility_test.cc @@ -1251,6 +1251,9 @@ TEST(Url, ParsingFails) { EXPECT_FALSE(url.initialize("random_scheme://host.com/path", false)); EXPECT_FALSE(url.initialize("http://www.foo.com", true)); EXPECT_FALSE(url.initialize("foo.com", true)); + EXPECT_FALSE(url.initialize("http://[notaddress]:80/?query=param", false)); + EXPECT_FALSE(url.initialize("http://[1::z::2]:80/?query=param", false)); + EXPECT_FALSE(url.initialize("http://1.2.3.4:65536/?query=param", false)); } void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme, 
@@ -1262,12 +1265,17 @@ void validateUrl(absl::string_view raw_url, absl::string_view expected_scheme, EXPECT_EQ(url.pathAndQueryParams(), expected_path); } -void validateConnectUrl(absl::string_view raw_url, absl::string_view expected_host_port) { +void validateConnectUrl(absl::string_view raw_url) { Utility::Url url; ASSERT_TRUE(url.initialize(raw_url, true)) << "Failed to initialize " << raw_url; EXPECT_TRUE(url.scheme().empty()); EXPECT_TRUE(url.pathAndQueryParams().empty()); - EXPECT_EQ(url.hostAndPort(), expected_host_port); + EXPECT_EQ(url.hostAndPort(), raw_url); +} + +void invalidConnectUrl(absl::string_view raw_url) { + Utility::Url url; + ASSERT_FALSE(url.initialize(raw_url, true)) << "Unexpectedly initialized " << raw_url; } TEST(Url, ParsingTest) { @@ -1302,6 +1310,14 @@ TEST(Url, ParsingTest) { validateUrl("http://www.host.com:80/?query=param", "http", "www.host.com:80", "/?query=param"); validateUrl("http://www.host.com/?query=param", "http", "www.host.com", "/?query=param"); + // Test with an ipv4 host address. + validateUrl("http://1.2.3.4/?query=param", "http", "1.2.3.4", "/?query=param"); + validateUrl("http://1.2.3.4:80/?query=param", "http", "1.2.3.4:80", "/?query=param"); + + // Test with an ipv6 address + validateUrl("http://[1::2:3]/?query=param", "http", "[1::2:3]", "/?query=param"); + validateUrl("http://[1::2:3]:80/?query=param", "http", "[1::2:3]:80", "/?query=param"); + // Test url with query parameter but without slash validateUrl("http://www.host.com:80?query=param", "http", "www.host.com:80", "?query=param"); validateUrl("http://www.host.com?query=param", "http", "www.host.com", "?query=param"); 
@@ -1324,8 +1340,16 @@ TEST(Url, ParsingTest) {
 }
 
 TEST(Url, ParsingForConnectTest) {
-  validateConnectUrl("host.com:443", "host.com:443");
-  validateConnectUrl("host.com:80", "host.com:80");
+  validateConnectUrl("host.com:443");
+  validateConnectUrl("host.com:80");
+  validateConnectUrl("1.2.3.4:80");
+  validateConnectUrl("[1:2::3:4]:80");
+
+  invalidConnectUrl("[::12345678]:80");
+  invalidConnectUrl("[1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1:1]:80");
+  invalidConnectUrl("[1:1]:80");
+  invalidConnectUrl("[:::]:80");
+  invalidConnectUrl("[::1::]:80");
 }
 
 void validatePercentEncodingEncodeDecode(absl::string_view source,
diff --git a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
index e6e1e53ab4d5..8079e78a660c 100644
--- a/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
+++ b/test/extensions/filters/http/dynamic_forward_proxy/proxy_filter_integration_test.cc
@@ -287,8 +287,7 @@ TEST_P(ProxyFilterIntegrationTest, UpstreamTlsWithIpHost) {
       {":method", "POST"},
       {":path", "/test/long/url"},
       {":scheme", "http"},
-      {":authority", fmt::format("{}:{}", Network::Test::getLoopbackAddressUrlString(GetParam()),
-                                 fake_upstreams_[0]->localAddress()->ip()->port())}};
+      {":authority", fake_upstreams_[0]->localAddress()->asString()}};
   auto response = codec_client_->makeHeaderOnlyRequest(request_headers);
   waitForNextUpstreamRequest();
diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc
index ac4ab9514037..6d7f77e98858 100644
--- a/test/extensions/filters/http/lua/lua_filter_test.cc
+++ b/test/extensions/filters/http/lua/lua_filter_test.cc
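Review bot: The new negative cases all exercise malformed IPv6 syntax inside brackets, but nothing checks that a bracketed non-IPv6 literal is refused: RFC 3986 permits only an IP-literal (IPv6 or IPvFuture) inside `[...]`, so `[1.2.3.4]:80` should fail, yet with the `is_ip_address_` gate in `Url::initialize` it may well be accepted if `parseAuthority` resolves an IPv4 string once the brackets are stripped. Add `invalidConnectUrl("[1.2.3.4]:80");` here and `EXPECT_FALSE(url.initialize("http://[1.2.3.4]/", false));` in `ParsingFails`, and tighten the parser if they fail; `parseAuthority` itself is outside this diff, so this is a suspicion, not a confirmed defect. A case with an unterminated bracket such as `invalidConnectUrl("[1:2::3:4:80");` would also pin down that http_parser, not the new adjustment code, is what rejects it. `ParsingForConnectTest` is complete within the hunk.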
@@ -1881,7 +1881,7 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnection) { Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; - auto connection_info = std::make_shared(); + const auto connection_info = std::make_shared(); EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info)); @@ -1989,6 +1989,35 @@ TEST_F(LuaHttpFilterTest, InspectStreamInfoDowstreamSslConnectionOnPlainConnecti EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); } +// Should survive from multiple streamInfo():downstreamSslConnection() calls. +// This is a regression test for #14091. +TEST_F(LuaHttpFilterTest, SurviveMultipleDownstreamSslConnectionCalls) { + const std::string SCRIPT{R"EOF( + function envoy_on_request(request_handle) + if request_handle:streamInfo():downstreamSslConnection() ~= nil then + request_handle:logTrace("downstreamSslConnection is present") + end + end + )EOF"}; + + setup(SCRIPT); + + const auto connection_info = std::make_shared(); + EXPECT_CALL(decoder_callbacks_, streamInfo()).WillRepeatedly(ReturnRef(stream_info_)); + EXPECT_CALL(stream_info_, downstreamSslConnection()).WillRepeatedly(Return(connection_info)); + + for (uint64_t i = 0; i < 200; i++) { + EXPECT_CALL(*filter_, + scriptLog(spdlog::level::trace, StrEq("downstreamSslConnection is present"))); + + Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}}; + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true)); + + filter_->onDestroy(); + setupFilter(); + } +} + TEST_F(LuaHttpFilterTest, ImportPublicKey) { const std::string SCRIPT{R"EOF( function string.fromhex(str) diff --git a/test/extensions/transport_sockets/tls/BUILD b/test/extensions/transport_sockets/tls/BUILD index 48a456162df3..f5b04d38100d 100644 --- a/test/extensions/transport_sockets/tls/BUILD 
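Review bot: The regression test's loop bound in `for (uint64_t i = 0; i < 200; i++)` is a magic number: nothing says why 200 rounds of `decodeHeaders` / `onDestroy()` / `setupFilter()` reproduce the crash, so a later speed-up could lower it below whatever threshold matters and silently lose the regression. Name it and say where it comes from, e.g. `// Enough filter lifetimes for the Lua GC to run between calls; fewer iterations did not reproduce #14091 — TODO confirm the minimum.` The GC explanation is my inference from the test's shape; confirm it against the wrappers.h fix, whose hunk is not legible in this diff. `SurviveMultipleDownstreamSslConnectionCalls` is complete within the hunk.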
+++ b/test/extensions/transport_sockets/tls/BUILD @@ -16,12 +16,11 @@ envoy_cc_test( "ssl_socket_test.cc", ], data = [ - "gen_unittest_certs.sh", # TODO(mattklein123): We should consolidate all of our test certs in a single place as # right now we have a bunch of duplication which is confusing. "//test/config/integration/certs", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", ], external_deps = ["ssl"], shard_count = 4, @@ -74,12 +73,9 @@ envoy_cc_test( "ssl_certs_test.h", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], - # Fails intermittantly on local build - tags = ["flaky_on_windows"], deps = [ ":ssl_test_utils", "//source/common/common:base64_lib", @@ -121,8 +117,6 @@ envoy_cc_test( "utility_test.cc", ], data = [ - "gen_unittest_certs.sh", - "//test/extensions/transport_sockets/tls/ocsp:gen_ocsp_data", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], @@ -171,14 +165,9 @@ envoy_cc_test( name = "handshaker_test", srcs = ["handshaker_test.cc"], data = [ - "gen_unittest_certs.sh", - "//test/config/integration/certs", "//test/extensions/transport_sockets/tls/test_data:certs", ], external_deps = ["ssl"], - # TODO(sunjayBhatia): Diagnose openssl DLL load issue on Windows - # See: https://github.com/envoyproxy/envoy/pull/13276 - tags = ["flaky_on_windows"], deps = [ ":ssl_socket_test", ":ssl_test_utils", diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc index 0307ebb2daef..9e1f37780722 100644 --- a/test/extensions/transport_sockets/tls/context_impl_test.cc +++ b/test/extensions/transport_sockets/tls/context_impl_test.cc 
@@ -20,6 +20,7 @@
 #include "test/extensions/transport_sockets/tls/test_data/no_san_cert_info.h"
 #include "test/extensions/transport_sockets/tls/test_data/san_dns3_cert_info.h"
 #include "test/extensions/transport_sockets/tls/test_data/san_ip_cert_info.h"
+#include "test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h"
 #include "test/mocks/init/mocks.h"
 #include "test/mocks/local_info/mocks.h"
 #include "test/mocks/secret/mocks.h"
@@ -261,9 +262,9 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
 common_tls_context:
   tls_certificates:
     certificate_chain:
-      filename: "{{ test_tmpdir }}/unittestcert.pem"
+      filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem"
     private_key:
-      filename: "{{ test_tmpdir }}/unittestkey.pem"
+      filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem"
 )EOF";
 
   envoy::extensions::transport_sockets::tls::v3::UpstreamTlsContext tls_context;
@@ -272,12 +273,10 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
   ClientContextConfigImpl cfg(tls_context, factory_context_);
   Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg));
 
-  // This is a total hack, but right now we generate the cert and it expires in 15 days only in the
-  // first second that it's valid. This can become invalid and then cause slower tests to fail.
-  // Optimally we would make the cert valid for 15 days and 23 hours, but that is not easy to do
-  // with the command line so we have this for now. Good enough.
-  EXPECT_TRUE(15 == context->daysUntilFirstCertExpires() ||
-              14 == context->daysUntilFirstCertExpires());
+  // Calculate the days until test cert expires
+  auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT");
+  int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24;
+  EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry);
 }
 
 TEST_F(SslContextImplTest, TestExpiredCert) {
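Review bot: `days_until_expiry` is computed from `absl::Now()` at a different instant than `context->daysUntilFirstCertExpires()` and with `ToInt64Hours(...) / 24` truncation, so the `EXPECT_EQ` is exact only if the implementation rounds the same way and neither call straddles a 24-hour boundary of the cert's notAfter time; near that boundary this is a flake, and the removed code tolerated exactly that with its 15-or-14 check. Once the checked-in `unittest_cert.pem` passes its notAfter the expected value goes negative while the context presumably clamps, so the failure will read as an off-by-N rather than "regenerate the certs"; guard it with `ASSERT_GT(cert_expiry, absl::Now()) << "unittest_cert.pem has expired; regenerate test_data certs";` before the `EXPECT_EQ`. If exactness is not the point, `EXPECT_THAT(context->daysUntilFirstCertExpires(), AnyOf(days_until_expiry, days_until_expiry - 1))` keeps the old tolerance. `TestExpiringCert` starts before this hunk.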
@@ -302,9 +301,9 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/no_san_cert.pem" @@ -330,7 +329,7 @@ TEST_F(SslContextImplTest, TestGetCertInformation) { )EOF"); std::string cert_chain_json = R"EOF({ - "path": "{{ test_tmpdir }}/unittestcert.pem", + "path": "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem", } )EOF"; 
@@ -591,27 +590,27 @@ TEST_F(SslServerContextImplOcspTest, TestFilenameOcspStapleConfigLoads) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; loadConfigYaml(tls_context_yaml); } TEST_F(SslServerContextImplOcspTest, TestInlineBytesOcspStapleConfigLoads) { - auto der_response = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der")); + auto der_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der")); auto base64_response = Base64::encode(der_response.c_str(), der_response.length(), true); const std::string tls_context_yaml = fmt::format(R"EOF( common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple 
@@ -626,9 +625,9 @@ TEST_F(SslServerContextImplOcspTest, TestInlineStringOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_string: "abcd" ocsp_staple_policy: must_staple @@ -643,11 +642,11 @@ TEST_F(SslServerContextImplOcspTest, TestMismatchedOcspStapleConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -660,9 +659,9 @@ TEST_F(SslServerContextImplOcspTest, TestStaplingRequiredWithoutStapleConfigFail common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: must_staple )EOF"; 
@@ -684,9 +683,9 @@ TEST_F(SslServerContextImplOcspTest, TestUnsuccessfulOcspResponseConfigFails) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_cert.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{{{ test_tmpdir }}}}/ocsp_test_data/good_key.pem" + filename: "{{{{ test_rundir }}}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: inline_bytes: "{}" ocsp_staple_policy: must_staple @@ -702,9 +701,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleConfigFails) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; @@ -717,9 +716,9 @@ TEST_F(SslServerContextImplOcspTest, TestMustStapleCertWithoutStapleFeatureFlagO common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -734,11 +733,11 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" )EOF"; envoy::extensions::transport_sockets::tls::v3::DownstreamTlsContext tls_context; @@ -748,12 +747,13 @@ TEST_F(SslServerContextImplOcspTest, TestGetCertInformationWithOCSP) { constexpr absl::string_view this_update = "This Update: "; constexpr absl::string_view next_update = "Next Update: "; - auto ocsp_text_details = - absl::StrSplit(TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute( - "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp_details.txt"), - true), - '\n'); + auto ocsp_text_details = absl::StrSplit( + TestEnvironment::readFileToStringForTest( + TestEnvironment::substitute( + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt"), + true), + '\n'); std::string valid_from, expiration; for (const auto& detail : ocsp_text_details) { std::string::size_type pos = detail.find(this_update); 
@@ -797,10 +797,10 @@ class SslServerContextImplTicketTest : public SslContextImplTest { // Must add a certificate for the config to be considered valid. envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = cfg.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); ServerContextConfigImpl server_context_config(cfg, factory_context_); loadConfig(server_context_config); @@ -821,9 +821,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeySuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -838,9 +838,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidLen) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -854,9 +854,9 @@ TEST_F(SslServerContextImplTicketTest, TicketKeyInvalidCannotRead) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/this_file_does_not_exist" @@ -1045,9 +1045,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledByDefaul common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); 
@@ -1061,9 +1061,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionExplicitlyEnabl common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1078,9 +1078,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; TestUtility::loadFromYaml(TestEnvironment::substitute(tls_context_yaml), tls_context); @@ -1095,9 +1095,9 @@ TEST_F(SslServerContextImplTicketTest, StatelessSessionResumptionEnabledWhenKeyI common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -1750,10 +1750,10 @@ TEST_F(ServerContextConfigImplTest, InvalidIgnoreCertsNoCA) { envoy::extensions::transport_sockets::tls::v3::TlsCertificate* server_cert = tls_context.mutable_common_tls_context()->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); server_validation_ctx->set_allow_expired_certificate(false); diff --git a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh b/test/extensions/transport_sockets/tls/gen_unittest_certs.sh deleted file mode 100755 index fe731e85cd70..000000000000 --- a/test/extensions/transport_sockets/tls/gen_unittest_certs.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash -# -# Create a test certificate with a 15-day expiration for SSL tests. - -set -e - -TEST_CERT_DIR="${TEST_TMPDIR}" - -mkdir -p "${TEST_CERT_DIR}" - -export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf -(cat << EOF -[ req ] -default_bits = 2048 -distinguished_name = req_distinguished_name - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_default = AU -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = Some-State - -localityName = Locality Name (eg, city) - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = Internet Widgits Pty Ltd - -organizationalUnitName = Organizational Unit Name (eg, section) - -commonName = Common Name (e.g. server FQDN or YOUR name) -commonName_max = 64 - -emailAddress = Email Address -emailAddress_max = 64 -EOF -) > "${OPENSSL_CONF}" - -openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 2048 -openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \ - -sha256 < makeKey() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); std::string passphrase = ""; bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); 
@@ -97,8 +97,8 @@ class HandshakerTest : public SslCertsTest { // Read in cert.pem and return a certificate. bssl::UniquePtr makeCert() { - std::string file = TestEnvironment::readFileToStringForTest( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); + std::string file = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); bssl::UniquePtr bio(BIO_new_mem_buf(file.data(), file.size())); uint8_t* data = nullptr; diff --git a/test/extensions/transport_sockets/tls/ocsp/BUILD b/test/extensions/transport_sockets/tls/ocsp/BUILD index c6947269be4d..262bec36ab5c 100644 --- a/test/extensions/transport_sockets/tls/ocsp/BUILD +++ b/test/extensions/transport_sockets/tls/ocsp/BUILD @@ -14,13 +14,9 @@ envoy_cc_test( "ocsp_test.cc", ], data = [ - ":gen_ocsp_data", + "//test/extensions/transport_sockets/tls/ocsp/test_data:certs", ], external_deps = ["ssl"], - # TODO: Diagnose intermittent failure on Windows; this script uses the - # locally deployed openssl for test cert creation and manipulation, rather - # than envoy's current build of the most current openssl tool - tags = ["flaky_on_windows"], deps = [ "//source/common/filesystem:filesystem_lib", "//source/extensions/transport_sockets/tls:utility_lib", @@ -44,8 +40,3 @@ envoy_cc_test( "//test/extensions/transport_sockets/tls:ssl_test_utils", ], ) - -filegroup( - name = "gen_ocsp_data", - srcs = ["gen_unittest_ocsp_data.sh"], -) diff --git a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc index 70f24ccaa15e..78e813060d86 100644 --- a/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc +++ b/test/extensions/transport_sockets/tls/ocsp/ocsp_test.cc 
@@ -25,13 +25,9 @@ namespace CertUtility = Envoy::Extensions::TransportSockets::Tls::Utility; class OcspFullResponseParsingTest : public testing::Test { public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - std::string fullPath(std::string filename) { - return TestEnvironment::substitute("{{ test_tmpdir }}/ocsp_test_data/" + filename); + return TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/" + filename); } std::vector readFile(std::string filename) { @@ -88,8 +84,8 @@ TEST_F(OcspFullResponseParsingTest, UnknownCertTest) { } TEST_F(OcspFullResponseParsingTest, ExpiredResponseTest) { - auto next_week = time_system_.systemTime() + std::chrono::hours(8 * 24); - time_system_.setSystemTime(next_week); + auto ten_years_forward = time_system_.systemTime() + std::chrono::hours(24 * 365 * 10); + time_system_.setSystemTime(ten_years_forward); setup("good_ocsp_resp.der"); // nextUpdate is present but in the past EXPECT_TRUE(response_->isExpired()); diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD new file mode 100644 index 000000000000..e55e87fb1011 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/BUILD @@ -0,0 +1,13 @@ +load( + "//bazel:envoy_build_system.bzl", + "envoy_package", +) + +licenses(["notice"]) # Apache 2 + +envoy_package() + +filegroup( + name = "certs", + srcs = glob(["*"]), +) diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/README.md b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md new file mode 100644 index 000000000000..ad1c6777eb3a --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/README.md 
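Review bot: The ten-year clock advance in ExpiredResponseTest is coupled to the fixture's validity window without saying so: good_ocsp_resp.der is now produced with `-ndays "${DEFAULT_VALIDITY_DAYS}"` (730 by default in certs.sh) and good_ocsp_resp_details.txt records `Next Update: Oct 22 02:57:52 2022 GMT`, so the jump has to stay past that. A comment on the new line would record the dependency: `// Fixtures are generated with DEFAULT_VALIDITY_DAYS=730 (test_data/certs.sh); ten years is well past nextUpdate.` The other side of the same coupling is that any sibling test asserting `isExpired()` is false at the unmodified `time_system_` time starts failing once the checked-in response passes its nextUpdate, unless the clock is pinned or the fixtures are regenerated; those tests are outside this hunk, so treat that as something to verify rather than a defect seen here.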
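Review bot: `srcs = glob(["*"])` in the new `certs` filegroup pulls every file in test_data into the test runfiles, including certs.sh and README.md, not only the fixtures the tests read. A narrower pattern such as `srcs = glob(["*.pem", "*.der", "*.txt"])` keeps the generator script and the prose out of the data set and makes the test's actual inputs visible from the BUILD file; the files visible on this page use only those three extensions, but confirm nothing reads another one before tightening it.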
@@ -0,0 +1,30 @@ +# What are the identities, certificates and keys +There are 8 identities: +- **CA**: Certificate Authority for all fixtures in this directory. It has the + self-signed certificate *ca_cert.pem*. *ca_key.pem* is its private key. +- **Intermediate CA**: Intermediate Certificate Authority, signed by the **CA**. + It has the certificate *intermediate_ca_cert.pem". *intermediate_ca_key.pem* + is its private key. +- **Good** It has the certificate *good_cert.pem*, signed by the **CA**. An OCSP + request is included in *good_ocsp_req.der* and a "good" OCSP response is included in *good_ocsp_resp.der*. OCSP response details are included as + *good_ocsp_resp_details.txt*. +- **Responder Key Hash** An OCSP request and response pair for the **Good** cert + with responder key hash replacing the name in *responder_key_hash_ocsp_req.der* + and *responder_key_hash_ocsp_resp.der* +- **Revoked** It has the revoked certificate *revoked_key.pem*, signed by the + **CA**. A corresponding OCSP request and revoked response are included in + *revoked_ocsp_req.der* and *revoked_ocsp_resp.der*. +- **Unknown** An OCSP request and unknown status response is generated in + *unknown_ocsp_req.der* and *unknown_ocsp_resp.der* as the **Good** certificate + is signed by **CA** not **Intermediate CA**. +- **ECDSA** A cert (*ecdsa_cert.pem*) signed by **CA** with ECDSA key + (*ecdsa_key.pem*) and OCSP response (*ecdsa_ocsp_resp.der*). +- **Multiple Cert OCSP Response** A multi-cert OCSP request and response are + generated with **CA** as the signer for the **Good** and **Revoked** certs in + *multiple_cert_ocsp_req.der* and *multiple_cert_ocsp_resp.der*. + +# How to update certificates +**certs.sh** has the commands to generate all files. Running certs.sh directly +will cause all files to be regenerated. So if you want to regenerate a +particular file, please copy the corresponding commands from certs.sh and +execute them in command line. 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem new file mode 100644 index 000000000000..d456c26f505f --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_cert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem new file mode 100644 index 000000000000..888feabbec1b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ca_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcF +ZBG9QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9k +iADDdsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4v +c9Qk+WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFf +HzOCx2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7 +Uw9EgBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABAoIBAGofrH3ETSAxM+XZ +MRE3AnWB6SV9EXZ9Msjh++AsVQcRdnbyU+St9uHaT06W++Hqweodg/N7AvqdJy9W +WqihEWMnCXKGrgjdMsFhDEuD2djJ/xVdHqvPioSn0w2p8egRWHHg4PwWNTNYqGwo +qqh4vUTqRwhtqBpRp6CxCYjE1SpdrbDb9CxFZoJ1alQdJWNGO6Vq0/plVB3mU1DE +ziuCi2N1vARvm4Uxg33ul0Vo3qzW/4fL1Nzo5tto9s8TxkWGsjwXFr3RnbpcAeg1 +Uy7tvkIioh0VqJ+z1PmQiX/COqNbaWIJUKTnpPomuHIzlTohFobVACLtysDALuTs +Lv2Zb4UCgYEA90fSuA0mIvRwpYscoy7NPFYPpwz5X3/4fSOfDC5gBU3Cuxvtufj3 +8lL3kuFoCE14cSdrye2udKSsydGFn1TInwa5cLgRzO2qXWHupvfoHu24FQ1WiYrG +0BW+O8TA1W6IEBgibO1YtohNjbnII+GjfP8ZaBJH7rl2QJuG70bDJYcCgYEA46mJ +vGllEDnd7QCB3z7gqMSxBCicQ9ASWy/yNMsgikb8ULcCYnCqLvwxlkDWgrq2GaPy +0kJh1q27MSWxjXFDeiG9/PQAWZ1sy/rru3TRbhAA+5rRxqfLZlNkg0C9nZA9BEmP +vIToCUlz1iw94Wrg43zk95ou1WuOfN4WVkyDNgMCgYBbyB/RSqgeD0aEW1b8xpFM +1NCoe2tP5ArSP9d3yPrA3TTrCBm7jkpRejQEI3/enQqYTT53y62WA81Sd182XVy9 +kdxglyGcQ5aZZJEVDizs1eUegz3cfVL/xyI9wvCkB4ufFaYpcgscbQkEErHTh5uL ++I9wjmB+nf3jSxbRVx11nwKBgDVOMArmnpxDAFyK3t3XyiCaFVyE6bnTEUk6m7qS +ySa3YkK/5xYHjUF9GVs2CUQI1bSBN8zVcDUk7oyeZ8lXeNYy6lo9A4v4GU5VjTaS +LqtXofNHl9Cs3yoxYnp9ASjQagkD9FzOvcnW4gGG0GJkdQ2u46m59zdPfMht88r3 +FU3jAoGBANNq2l4RpKrs3X/XS34mbugvCw1EqGV0Bqj+RBFLchouE2ignd1KYt/o +O23NchL4pOIuBCo+IaukCgmDm+m378EubTZjwRIYAJNqS/Xu1rMBBihAl6NadVuZ +Nsr6+U9Uqbx/t8bUdhQ3RDexQ42x+GelGwSfXKfF+NJx1zj8lOUu +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh similarity index 86% rename from test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh rename to test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh index dad80edca9a1..042fd74ca524 100755 --- a/test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/certs.sh @@ -4,23 +4,21 @@ set -e +readonly DEFAULT_VALIDITY_DAYS=${DEFAULT_VALIDITY_DAYS:-730} +readonly HERE=$(cd "$(dirname "$0")" && pwd) + +cd "$HERE" || exit 1 trap cleanup EXIT + cleanup() { - rm -f ./*_index* - rm -f ./*.csr - rm -f ./*.cnf - rm -f ./*_serial* + rm -f ./*.cnf + rm -f ./*.csr + rm -f ./*_index* + rm -f ./*_serial* + rm -f ./*.srl + rm -f ./100*.pem } -[[ -z "${TEST_TMPDIR}" ]] && TEST_TMPDIR="$(cd "$(dirname "$0")" && pwd)" - -TEST_OCSP_DIR="${TEST_TMPDIR}/ocsp_test_data" -mkdir -p "${TEST_OCSP_DIR}" - -rm -f "${TEST_OCSP_DIR}"/* - -cd "$TEST_OCSP_DIR" || exit 1 - ################################################## # Make the configuration file ################################################## @@ -55,17 +53,17 @@ commonName_max = 64 default_ca = CA_default [ CA_default ] -dir = ${TEST_OCSP_DIR} -certs = ${TEST_OCSP_DIR} -new_certs_dir = ${TEST_OCSP_DIR} -serial = ${TEST_OCSP_DIR} -database = ${TEST_OCSP_DIR}/$2_index.txt -serial = ${TEST_OCSP_DIR}/$2_serial +dir = ${HERE} +certs = ${HERE} +new_certs_dir = ${HERE} +serial = ${HERE} +database = ${HERE}/$2_index.txt +serial = ${HERE}/$2_serial -private_key = ${TEST_OCSP_DIR}/$2_key.pem -certificate = ${TEST_OCSP_DIR}/$2_cert.pem +private_key = ${HERE}/$2_key.pem +certificate = ${HERE}/$2_cert.pem -default_days = 375 +default_days = ${DEFAULT_VALIDITY_DAYS} default_md = sha256 preserve = no policy = policy_default 
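Review bot: `readonly HERE=$(cd "$(dirname "$0")" && pwd)` hides the exit status of the command substitution, so under `set -e` a failing `cd` leaves HERE empty and the script continues; the following `cd "$HERE" || exit 1` does not reliably catch that either, since bash appears to treat `cd ""` as a successful no-op, and the `cleanup` trap (`rm -f ./*.cnf ./*.csr ./*_index* ./*_serial* ./*.srl ./100*.pem`) would then run in whatever directory the caller started in. Splitting the assignment from the attribute, `HERE=$(cd "$(dirname "$0")" && pwd) || exit 1` followed by `readonly HERE`, lets the failure stop the script before the trap is armed. The same split on `DEFAULT_VALIDITY_DAYS` is only a style nit, as that expansion cannot fail.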
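Review bot: The `[ CA_default ]` block on the new side still declares `serial` twice, first as `serial = ${HERE}` (a directory) and then as `serial = ${HERE}/$2_serial`; the commit rewrote both lines from TEST_OCSP_DIR to HERE without dropping the first. As far as I know OpenSSL's config loader keeps the last value for a repeated key, so the line is dead rather than harmful, but it reads as if the serial file were the directory itself; remove `serial = ${HERE}` and keep the one naming `$2_serial`. The heredoc this block belongs to starts and ends outside the hunk.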
@@ -102,7 +100,7 @@ generate_ca() { -config "${1}.cnf" -batch -sha256 openssl x509 -req \ -in "${1}_cert.csr" -signkey "${1}_key.pem" -out "${1}_cert.pem" \ - -extensions v3_ca -extfile "${1}.cnf" "${extra_args[@]}" + -extensions v3_ca -extfile "${1}.cnf" -days "${DEFAULT_VALIDITY_DAYS}" "${extra_args[@]}" } # $1= $2= $3=[req args] @@ -153,7 +151,7 @@ generate_ca intermediate_ca ca # Generate valid cert and OCSP response generate_config good ca generate_rsa_cert good ca -generate_ocsp_response good ca good -ndays 7 +generate_ocsp_response good ca good -ndays "${DEFAULT_VALIDITY_DAYS}" dump_ocsp_details good ca # Generate OCSP response with the responder key hash instead of name diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem new file mode 100644 index 000000000000..724ea898ea24 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICdzCCAV8CAhACMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTNaFw0yMjEwMjIwMjU3NTNaMFwxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ4wDAYDVQQDDAVlY2RzYTBZMBMGByqGSM49AgEGCCqGSM49 +AwEHA0IABBH5TFHZK1e7SPtmeTESrQD/Kce4uLKz+on7qlHOd2D4yNoI62TyXMq/ +o6660I5SJVIEIueDZdh/ocVezGYuUt8wDQYJKoZIhvcNAQELBQADggEBAD5jqxzW +76B6WOLJlRTWpAKv2L7CdtRjV2inNvS7n+NOSQllP9IfHGM9qEHM7xvDymLZb/TR +tOcpUENLJVOmRsjs90cy21Nc8ZkRFBhJOPggTTL3PpkM2sYmsSBzjDvkvqrH+hY3 +FTGAdgDaIf9gBeI61Ind/z6lqcE7yJlVtTvKVYPC0MFtzBS44I92x7g5htTzfEv7 +rO866GmsiG+b/w/d8TCHOt1L+gyk3BbAbBOI3DkZt/UtUpev8ZXKEjigcpxHy+Je +BLDYq6S7RPPtkPk+z8Iz3HRmyykvrckU2kjcTdqY8KygCgFBZETIYsk5d1CJxGcV +gDVhAiuki1Lwuzo= +-----END CERTIFICATE----- 
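Review bot: Only the `good` response gets `-ndays "${DEFAULT_VALIDITY_DAYS}"` here; the other generate_ocsp_response calls (revoked, unknown, ecdsa, multiple-cert) are outside this hunk, so whether they still use the old `-ndays 7` cannot be seen on this page. With the fixtures now checked in instead of regenerated at test time, any response left at seven days has a nextUpdate that is already in the past on every run, which matters for any test that checks expiry on those responses rather than their status. A comment at the changed line would tie the window to the test that depends on it: `# Keep nextUpdate well inside the 10-year jump in ocsp_test.cc ExpiredResponseTest.`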
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem new file mode 100644 index 000000000000..8fac462fe37b --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOShXROw7kmo0cMJgNQ8rdZfjceLh+KMocrzYIqphTYYoAoGCCqGSM49 +AwEHoUQDQgAEEflMUdkrV7tI+2Z5MRKtAP8px7i4srP6ifuqUc53YPjI2gjrZPJc +yr+jrrrQjlIlUgQi54Nl2H+hxV7MZi5S3w== +-----END EC PRIVATE KEY----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der new file mode 100644 index 000000000000..6769a837244d Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der new file mode 100644 index 000000000000..8bc4f54bfd7f Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem new file mode 100644 index 000000000000..4c25d638be7c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDQTCCAikCAhAAMA0GCSqGSIb3DQEBCwUAMHExCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK +DARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMQswCQYDVQQDDAJjYTAe +Fw0yMDEwMjIwMjU3NTJaFw0yMjEwMjIwMjU3NTJaMFsxCzAJBgNVBAYTAlVTMRMw +EQYDVQQIDApDYWxpZm9ybmlhMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0 +IEVuZ2luZWVyaW5nMQ0wCwYDVQQDDARnb29kMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABMA0GCSqGSIb3DQEBCwUA +A4IBAQBD2wITti7SV7hHMKjeB4vv9HrpYHe58LkthZWHAWfcV4usdQl8/R/pe6xp +vbda1dPkDOL3h9DWXb3OtDxZszk/muQ2O3IMzkm3RdOYK4TxiyhRiilYI8nOHCNS +/nzl2TGdoaHMYNKDopJaSuWo78ojcI6y/xJHSJFFHTazHrcLZsoanqYNUh352E1U +j7x8b0h6KB2ODeUa2z8g4sMqTexSDDKz4ND9vfoSPn02mG/3RuVsIxX5F1LNCP5W +RfxRA4uDR3/FSmWAHRPDpdh1NfNDZyh1yXlEyJS2XhuKUCDfCMqHYrxOfgQs6f+2 +d1z/R2EV8f4bBFxyL0nfOuo2J4+u +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem new file mode 100644 index 000000000000..5a6e6a2a1463 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5wzIeQ43mRZy7lfnZl2ELODYH7cXhuPLv/9v/om7WcB1vuT4 +cCyZph8Rr2jZucaD6i40JGABDzERWShUI19QelNtXPFTv4SkNtJK+ONevMuyx8gO +fXOSfVXtg9fUKCSN5oLEj3+EKu+zmjyZ4xBTrXa+yaiTc7859WCZ+wlGCP0XSymX +qYnc95U4PXLGD009TbKtL2SAs7v+00Ohbq1iybeKFWn2TCQryNkc5X7MJZ2io8pL +MQqbhHuGVZTbRgoYFZ8gh8F1q4Ldfn84K3BEHy+pXMrC9mbYeNNpqDzo9dOrisQy +BVyyZmJK3KGxW7exNJYVtXOQh0pfGny4cjbGowIDAQABAoIBAQCqpOtPVSvE+iqK +VAwIs5rSVoHo8p4Cty2dsTfzA6CGijmscon2t0oHwjyak9LyfWaiR9uk3e8KXFAW +zE1QDq5umj1Ufrw+3+U0xB4xMiSfRcbV/LCPARO5VARm8rmzqEPRctVfsmtYFs9M +Y+O4Ky/SFriUUdgNjbdtvhobqV67dWIxATeYET0ayACgeJITcfH4XaAdQt5LJbDI +qemCu3hvvc4qqk0Ad/nqCl+B0D8/zWuyX5bKnNw+1g868VCFskdGiM7uZTZIXBja +6N3VBv6dENebcX+j9t+RxtOIRMm5ndFGzAq50ylKKiw5M/hRHxgHb0l7OF1Ud2Jw +QSumpj8pAoGBAPh6VgAvEHRECDHUs+RscNcrhTTJF/A787rx/7kJMHxVMlr3GPvv +clxhK7GquFEpYlB6+R+otWvfowq7F+sEGutepfgI0vp0QriwziVQw1xg4lnfK4TR +uKLmL/wQGEIMi4G2n8RacYGSGGl39mmRchCEeYWHV+P0j7ss7SkJ3WNVAoGBAO4L +YiV1TBpmD+3cWZh0BEvjYQePmFoLdFypd/tOZYL9jhtiCIV7uDPUwTe8UCPrLpUi +XPHp9Sfhoo0gLGQVxHowHaDQBUnzo+LzdMPu8YlJv1okH0rkdwQ355yAVgTVz3sv +XTJtVGnSLmA/BthLMrFJfn5Sbus/c3vNgw7Cu3IXAoGAPSEDpVnux1uxVGkKtKiE +/jqDs9/BFuX46UX97oy3M+9VyxE9QUXAMb/qGvRwEe+Hc1s9jK9ZqqdDGjG7CaNh +6APJ+wJYvSr6+yrsHDwJQ+HF7ew8bZmWveS5a16eSSmC7K98ELdbc0/414Geyovw +ruWYa+RHGBqjfZ3o3o7Bu10CgYEAt9GyiJp7micWRefSiBeO+cssMlqAm4gc4zE6 +paV0XiLOifa5/dn79IpmalPQzuvdnOxcObMgzRtAGxqtLNxiTLi7KGN6shCija7S +jDsH6aw5R7J9N6gU//zrrb6sri8teUKqBTbH6K+VgF0rO/tVufG27HVbke39j6yz +d8KIXSECgYB3JaYxWdoxptUvpqITvIBRNEfhNVrxzdGz95EcS6RqmG7UxJlTN2Yk +LKZ9pIOD43QQ3i5D2cF6XN4BCSZ+wRVzOt43RP8DUMgbLzLf8h9N/6cQGEbFqtlb +9x5wTSPF7VRJY+ToSnnBWyFRPLkwm9u1VpeBIUa3bGDDbV/SdJIeUg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der new file mode 100644 index 000000000000..f5d7e4150fe3 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der new file mode 100644 index 000000000000..c2478b163260 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt new file mode 100644 index 000000000000..312a01481fd5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp_details.txt 
@@ -0,0 +1,118 @@ +OCSP Response Data: + OCSP Response Status: successful (0x0) + Response Type: Basic OCSP Response + Version: 1 (0x0) + Responder Id: C = US, ST = California, L = San Francisco, O = Lyft, OU = Lyft Engineering, CN = ca + Produced At: Oct 22 02:57:52 2020 GMT + Responses: + Certificate ID: + Hash Algorithm: sha1 + Issuer Name Hash: 16C50680A809B68F302789AB234F8F4B30B0E06C + Issuer Key Hash: 187843E49EA451E66B463A475A2D7A596E788416 + Serial Number: 1000 + Cert Status: good + This Update: Oct 22 02:57:52 2020 GMT + Next Update: Oct 22 02:57:52 2022 GMT + + Response Extensions: + OCSP Nonce: + 04109C5C7305A9C99B599CAD3612F1A32885 + Signature Algorithm: sha256WithRSAEncryption + b6:2f:7e:dd:b5:eb:5b:e6:e6:1f:d4:fb:7f:59:35:de:b2:31: + 2a:52:4a:7d:81:8a:ec:7d:dc:cc:7a:92:61:7d:f1:02:25:c9: + 2c:ed:ea:ec:14:c1:a8:8f:78:44:01:4a:e6:07:ff:fc:61:0e: + 3b:ba:66:d6:c5:6b:6d:77:7c:ef:ea:a6:b6:75:87:14:34:b1: + 75:02:ef:7d:6e:a3:5d:5b:29:e2:60:4e:39:ae:ce:1a:5f:ef: + 35:9f:ce:d5:e1:0f:f9:f4:51:2d:07:f8:38:4c:5c:96:ba:60: + 66:07:e0:7a:ea:ac:ba:70:ea:1a:8f:bf:b9:26:94:a9:83:13: + 17:70:61:f7:38:4e:06:73:1a:3d:b3:02:4b:19:82:a3:4a:e1: + 7c:07:d8:fd:b7:91:56:16:25:86:e9:a8:ff:a5:c2:cb:6e:c8: + ee:b1:da:77:2d:6a:e9:7e:a5:48:54:f4:1f:82:0e:b3:72:0c: + 53:03:95:a3:b0:3c:4e:55:74:ee:96:d6:f7:b2:03:1b:7f:24: + 61:e1:dc:ed:d6:a3:0d:13:02:82:0d:ed:bd:ed:ba:ab:2e:8c: + d0:19:f6:c9:8e:59:ad:68:ea:34:6f:33:5d:96:73:b3:3e:df: + a0:10:d6:ac:18:f6:ab:12:fe:9d:35:41:0d:34:4f:da:70:c3: + 4e:7d:52:46 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2a:db:1e:73:b4:0f:af:11:bb:24:44:d0:48:f1:fb:5d:59:c7:f5:17 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Validity + Not Before: Oct 22 02:57:51 2020 GMT + Not After : Oct 22 02:57:51 2022 GMT + Subject: C=US, ST=California, L=San Francisco, O=Lyft, OU=Lyft Engineering, CN=ca + Subject Public Key Info: + Public Key Algorithm: rsaEncryption 
+ RSA Public-Key: (2048 bit) + Modulus: + 00:db:e8:73:4e:bd:7a:d1:ce:e6:80:d2:82:52:83: + b1:43:29:6c:90:8c:f6:74:03:79:85:68:c1:4f:7f: + 0c:f0:21:85:e4:57:05:64:11:bd:40:a4:9d:b7:b4: + 20:9c:80:57:b7:aa:0e:02:e3:ae:7c:a3:4b:35:65: + 0a:af:35:44:e0:69:43:87:12:4a:28:20:25:ce:27: + 45:69:e2:24:93:50:de:9f:2f:64:88:00:c3:76:c5: + 6b:38:c1:ef:e8:95:c8:30:f7:20:a2:da:0e:56:ee: + a2:c0:69:58:b2:f1:eb:fc:eb:a4:6d:1e:0f:01:b8: + dd:cd:de:75:76:b0:bf:68:a2:30:47:1e:2f:73:d4: + 24:f9:62:ad:55:78:c9:29:07:2c:cb:17:84:29:fa: + ce:26:5a:19:3a:4a:2b:31:fd:87:59:60:0e:04:d8: + 3b:78:12:ec:1d:e4:22:3a:b2:cf:9f:02:5f:d1:e1: + 5f:1f:33:82:c7:60:4c:f2:12:7e:7f:21:e4:f8:d9: + 9e:9e:31:25:f3:c5:c6:69:39:1d:a6:29:66:65:71: + 6a:78:30:42:72:bb:0b:c1:b5:4f:a3:33:b9:b2:2c: + 64:cf:8a:bb:53:0f:44:80:12:a9:8e:d0:b2:d6:e4: + 7e:98:3d:35:bc:7d:7b:5f:69:1f:96:68:15:46:48: + ea:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + X509v3 Authority Key Identifier: + keyid:18:78:43:E4:9E:A4:51:E6:6B:46:3A:47:5A:2D:7A:59:6E:78:84:16 + + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + Signature Algorithm: sha256WithRSAEncryption + b2:79:47:56:c3:e7:13:de:5f:8b:ed:a3:c3:80:11:e1:96:36: + 1f:ce:26:46:84:a7:c2:4e:96:59:c1:97:0b:38:bd:85:51:b2: + 8e:37:ea:45:d1:d9:25:0d:5d:5d:b7:08:2f:bc:7f:4d:d6:88: + 29:2f:6b:ba:cb:4c:12:1a:f4:dc:20:fc:5d:75:f2:8e:4b:db: + bf:70:fb:28:7e:81:16:74:67:5b:38:a1:bf:9f:6f:38:88:d2: + c0:3f:35:43:a6:b5:d4:76:48:4e:58:35:e1:dd:02:d1:fa:03: + 56:1a:8e:08:b1:4c:da:36:d2:2a:59:bf:90:8d:07:33:76:6f: + 10:46:87:d6:ff:e1:6d:cb:2d:9d:21:8e:0c:0e:3d:44:95:b5: + c9:85:7a:4e:76:e6:de:e7:91:96:8a:07:ce:8f:f6:0d:15:bc: + cf:e0:44:97:c6:eb:2f:38:c1:06:71:b9:e4:9c:bf:a7:a5:35: + 4c:7e:3b:d0:c6:13:90:f5:92:ee:44:91:f7:9e:1f:88:8b:d1: + e4:dd:f9:50:df:13:5a:46:64:2f:0e:07:be:75:d7:45:9b:3d: + 
65:38:57:79:5a:f7:00:be:b5:04:e4:37:d5:c5:1c:32:53:cf: + 1f:47:72:70:36:2a:31:99:eb:ef:19:82:3c:23:58:2a:54:63: + e8:2b:0c:f7 +-----BEGIN CERTIFICATE----- +MIID0zCCArugAwIBAgIUKtsec7QPrxG7JETQSPH7XVnH9RcwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxCzAJBgNVBAMMAmNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEA2+hzTr160c7mgNKCUoOxQylskIz2dAN5hWjBT38M8CGF5FcFZBG9 +QKSdt7QgnIBXt6oOAuOufKNLNWUKrzVE4GlDhxJKKCAlzidFaeIkk1Deny9kiADD +dsVrOMHv6JXIMPcgotoOVu6iwGlYsvHr/OukbR4PAbjdzd51drC/aKIwRx4vc9Qk ++WKtVXjJKQcsyxeEKfrOJloZOkorMf2HWWAOBNg7eBLsHeQiOrLPnwJf0eFfHzOC +x2BM8hJ+fyHk+NmenjEl88XGaTkdpilmZXFqeDBCcrsLwbVPozO5sixkz4q7Uw9E +gBKpjtCy1uR+mD01vH17X2kflmgVRkjqlQIDAQABo2MwYTAdBgNVHQ4EFgQUGHhD +5J6kUeZrRjpHWi16WW54hBYwHwYDVR0jBBgwFoAUGHhD5J6kUeZrRjpHWi16WW54 +hBYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggEBALJ5R1bD5xPeX4vto8OAEeGWNh/OJkaEp8JOllnBlws4vYVRso436kXR +2SUNXV23CC+8f03WiCkva7rLTBIa9Nwg/F118o5L279w+yh+gRZ0Z1s4ob+fbziI +0sA/NUOmtdR2SE5YNeHdAtH6A1YajgixTNo20ipZv5CNBzN2bxBGh9b/4W3LLZ0h +jgwOPUSVtcmFek525t7nkZaKB86P9g0VvM/gRJfG6y84wQZxueScv6elNUx+O9DG +E5D1ku5EkfeeH4iL0eTd+VDfE1pGZC8OB75110WbPWU4V3la9wC+tQTkN9XFHDJT +zx9HcnA2KjGZ6+8ZgjwjWCpUY+grDPc= +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem new file mode 100644 index 000000000000..f9f104f8d05c --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_cert.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIUCmwXC1yqJjKspOZeS0lbJsJomIMwDQYJKoZIhvcNAQEL +BQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5n +aW5lZXJpbmcxCzAJBgNVBAMMAmNhMB4XDTIwMTAyMjAyNTc1MVoXDTIyMTAyMjAy +NTc1MVowfjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV +BAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQg +RW5naW5lZXJpbmcxGDAWBgNVBAMMD2ludGVybWVkaWF0ZV9jYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKI2heFAYYMEzvOJ7WVjvkczC3Vf/zo1WS5n +uN2LMO7Rgkbo+XENakPud7L7EN13ySIcjh65s9qq0cqaAbLzjgYoU6av8IufU2rh +pgpoNIU7X8dKlImlIBGytARa9qIblnsinDLhfly78yw/gWU83h+QPWYwhXBeDMMc +Wzo6MvZyZ1IgvdLmue8zcCKYA12YkXRnljG2sp8kstKWh4A8wMfUyE+bVkyr8qTk +Scslqnzx62y3UovwRzaRw8wusq3Vj/MSR4BLlbWRxiAIQr3IwswBphqNif3T7RQw +0IdB/OKfKtt3le4LNES1QZtRpB1seYRNgMXiL8zVJmbsp6hRphUCAwEAAaOBxTCB +wjAdBgNVHQ4EFgQU/d1VXIK/EJrCj1MuJa71mxNR1LwwHwYDVR0jBBgwFoAU/d1V +XIK/EJrCj1MuJa71mxNR1LwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AYYwHQYDVR0OBBYEFP3dVVyCvxCawo9TLiWu9ZsTUdS8MB8GA1UdIwQYMBaAFBh4 +Q+SepFHma0Y6R1otellueIQWMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD +AgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAt1udv9BBzcmErW0JjBAZajzoY0QwVqusZ +j11ex6LNI1rnFomVk+76QQJCeAR4rWeMJBfA9UmAtHVXZuLcQDDL5yTgAnBmSmJR +18kS8KQg8V7AjtmIcx5uZgC2KZYsFx5qp3hGpqLyrN2ZvdeDFacNVWEtb2eVIIky +yy/UsmZr5STI3OU0k12fexiS/yh6G0XFvoecdxCoOvEp+EiLzCmwLRq/1q7CUbeO +woHCUHnwpGZi4PsFF9HkyM5KYgorMM0F+LWR1sVUtxSR6fWLZ0TTFi4NbLupD34S +yFXm0VYhXwV7mVVigQg2/A76PqmSXcSmvSvT43G+u3syc4kbxKLz +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem new file mode 100644 index 000000000000..f8347a170136 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/intermediate_ca_key.pem 
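Review bot: The new intermediate_ca_cert.pem appears to carry every v3 extension twice — decoding the DER in the base64 shows two SubjectKeyIdentifier, two AuthorityKeyIdentifier, two BasicConstraints (CA:TRUE, critical) and two KeyUsage entries, with the first AuthorityKeyIdentifier pointing at the intermediate's own key id (fd:dd:55:5c:…) and only the second pointing at the root's (18:78:43:e4:…, the root's SubjectKeyIdentifier shown in the text dump above). RFC 5280 §4.2 requires that a certificate MUST NOT include more than one instance of a particular extension, and stricter verifiers (Go's crypto/x509, for example) reject such certificates outright, so this fixture may verify under BoringSSL today and still fail if the test data is reused with another TLS stack or in an interop test. This looks like the generating script applying the CA extension section twice (e.g. once via the CSR and once via an -extfile/-extensions argument when signing) — the fix belongs in that script, which is not in this hunk: regenerate the certificate so each extension appears once and the AuthorityKeyIdentifier names only the root CA's key id. The self-signed root in the preceding file does not have this problem (one instance of each extension).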
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAojaF4UBhgwTO84ntZWO+RzMLdV//OjVZLme43Ysw7tGCRuj5 +cQ1qQ+53svsQ3XfJIhyOHrmz2qrRypoBsvOOBihTpq/wi59TauGmCmg0hTtfx0qU +iaUgEbK0BFr2ohuWeyKcMuF+XLvzLD+BZTzeH5A9ZjCFcF4MwxxbOjoy9nJnUiC9 +0ua57zNwIpgDXZiRdGeWMbaynySy0paHgDzAx9TIT5tWTKvypORJyyWqfPHrbLdS +i/BHNpHDzC6yrdWP8xJHgEuVtZHGIAhCvcjCzAGmGo2J/dPtFDDQh0H84p8q23eV +7gs0RLVBm1GkHWx5hE2AxeIvzNUmZuynqFGmFQIDAQABAoIBAQCQG3wIxtdaPDVW +qpwaTOhH/JMbbXMi1S4rSb40I2oPYFUqheLEirRzMTFp8h3jgn1PLqsbpMKhaswB +/5uuzSzJT54xIXDDuYG0HE8UQ8sU6dCHDjyzo9y/nFDM5brh/TxMnEzD7wwBen/o +OWrM86wpwkypskV5tDQGSfTJ39ZSlZoaHS4/ih88JG2OTQXx7wi5U6s6Qkk1vuNA +prkqj6F6Y73qwiCuwtccEu3GDJiUjVAj7uFTOlpOBzT+2elraq16Y3DmfJ3aljp7 +pqTboytXYHixQ2x081WBv8Iy/flZP3HYe6ms2N5l27vd/tg3f2+p/WIrRolmOqwP +wHtR1oZBAoGBAM1tJ896YZXrLM9CBNcoAue8VhsipqvO8SodP0x5LRCqfnanoNPE +qFW8PwC0g/tGgAl5eA5iBbLOkaEuW1nxudSidlRBxYQ6lZjebscv9Mqe+P3RJd9y +Dv0te/I0lua7ElAUXTw4yGQ6/USr+kLlvOzBLWhbj3BQa4OCXsb5fFMNAoGBAMol +3+2l3G0BEFaXfGv2CRAR58KHA48lOHaIiSnNrWpnsXm4Fr2oYvvPDh5auulToeK3 +9DjfMhyPmgrCIbeHCVt01gvFU/NAGb79Xw21NQPREVhwZY6P4sFb5coO9E2jiESl +7PSaHtuLx8G6AwcIx8xjh+Fuy9ZfirfAB9g/h30pAoGBAMLMGY4zXMpPIkS/M9vb +AzZAb953c1lEeYgYB+g6mDNPmXBm8KkfuQjj41KF2wmyBsP1PZVV+lVecNZJITMf +d7pc/JxVajlDXIyDkMStgxGIwk/dvm4uuGv4b6pzmAzfpDPvu6HZrpztGzG9ayl4 +tThEzwxAlrpIaEtimwFPn0cZAoGAdD0lL61BO/jxoSlIpXf7rB7vqr8iP8zCU/6d +CMm5X0czGW/Ou8445N0iHDhF5Gdv3kOzDoThduToSilpY/QlYE6lymz0ohqI83cU +knhRfNlaZQV0kG6SkGc8klzZBE/1yquyvtBk0A/nlLFWjlPxN8k/2FRyp9mWlaS5 +nhKh4UkCgYBMCtGuPwmSYU6jI1AhygvEWNeN9U9GNH+C7hbDxtYtppjN/7ZUUIIn +kKceZAWbkZlItoOfVVSQLs8IZ5m5Q2g0rOb9/oVmtnK8bPYE16i0gk3VgOKQh+wv +q1Oqidvs4edxeI2sDe9w+Qw8qUo14+Uux7KMAlDrtB42gP5BQOWh0w== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der new file mode 100644 index 000000000000..02da216fd77a Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der new file mode 100644 index 000000000000..e6af4d98fe86 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/multiple_cert_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der new file mode 100644 index 000000000000..71d48a2acc5a Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der new file mode 100644 index 000000000000..dec1446b6ee7 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/responder_key_hash_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem new file mode 100644 index 000000000000..58e8b6ca6aa5 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDYDCCAkigAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwcTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTAL +BgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxCzAJBgNVBAMM +AmNhMB4XDTIwMTAyMjAyNTc1MloXDTIyMTAyMjAyNTc1MlowXjELMAkGA1UEBhMC +VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsM +EEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB3Jldm9rZWQwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCxmvUb+/sG/GYQNdpaCWP4cmMun5RPmc4s+tLI +1XutvZxouwo7HNBPq95SAO4FkzwBLJ19r8D9Tn/1zHxVgTC3r9JymlpMQphQDPTu +qiJhq2gkB6SXMhOYPnXMWiX0qbzdQZtuUl63qhWsQHYvjilyLSp0+qAIeRlm7hGG +amxVrtbWzB2BR1zwZN4ysyMTDslUD1/UfBFLYUO05RCiu4dhYRLwCDcmTuM5ROt7 +lmYmI2HbCwbc2I3OMuDx5MsLzc3/lzUdwfii6IYCYSep0uNC2KstjVp4pnOaF9S1 +r2hVpuFBN7CJDrucbGup06wOcbCzGY3+KcvL2jV2pi1TOK4tAgMBAAGjFTATMBEG +CCsGAQUFBwEYBAUwAwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAyKdZ7vxkP0ipl94h +0E+etmeY7GpcyJtlcSRrBUUbQLlpieuICDVpVYPUHajcGYp4crkxL/5lAUsTlUIM +LvquncT16JBEMz5baV8Q4A+csCd9OoJ0FaZV4E5IRW63WckBlUcZtEDKYh5jHxeb +OaH6NG0br8a+avj0a0oow6VA03j2Kv11Bqvz2tSxWvYl7BLKviP0EDUhmL5xz3sU +md0u5IdE4iCGdcysBbqYT9OuwKvHmaIBfbN6J/gNItZcxu6cuLxEvK6Df8Gao50b +xrMoBp6P6B3Vwge/IjYev83LzxoTNb1X5MTPE9myf+TkmQP2FYU18CPWsyW34pDf +zTm2kg== +-----END CERTIFICATE----- diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem new file mode 100644 index 000000000000..0e9c699b2a84 --- /dev/null +++ b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAsZr1G/v7BvxmEDXaWglj+HJjLp+UT5nOLPrSyNV7rb2caLsK +OxzQT6veUgDuBZM8ASydfa/A/U5/9cx8VYEwt6/ScppaTEKYUAz07qoiYatoJAek +lzITmD51zFol9Km83UGbblJet6oVrEB2L44pci0qdPqgCHkZZu4RhmpsVa7W1swd +gUdc8GTeMrMjEw7JVA9f1HwRS2FDtOUQoruHYWES8Ag3Jk7jOUTre5ZmJiNh2wsG +3NiNzjLg8eTLC83N/5c1HcH4ouiGAmEnqdLjQtirLY1aeKZzmhfUta9oVabhQTew +iQ67nGxrqdOsDnGwsxmN/inLy9o1dqYtUziuLQIDAQABAoIBAAYqTeXpyl4EtvpL +FEhZ2RmPxvegXIKi4TBYiKamGoP+eAZ+r607o9OQMMiB9cFFyih0RwdM6ZMhfXmn +3o0NTgaiWNjXmNja2vS0bnA2gbkIPTY6+bCx8VIwoOA2JOkoV0EK/P1IaLdRdS0k +k7W05qVrAfVLmfCRW5tiGkOjQB19RHMltBnjhY/xKaxqfN5u0x64hfkfYLJ7onsf +0Vd9LOTyh97MrDr+f+dXGLFRBuHsI+1EqyGiG31idpQ+ZLU3Gj1PFE+D9ZfkDRpq +ToHZrZL4mBD2sAip5InyHT339lqOgnRIy8CGf30oEgOKmpEoneNSid/QC0HPnSz0 +/A9ohvUCgYEA2h2iqdLDjVNUsZGq6K3m3dCDXlN7NYQu+wQ9YUXj7xPBxlamfHWT +JES7ieb3N9UCuHjzeUIDCXv3hoBIYLeo33hzOgtjg3rJNA+2dnGbEmsNlpFduRSJ +jTIzhcmHiIyX0DvBtj9h1sdrDmMqQaOnPTRmIlhUxAt6hshvfZ/UN8sCgYEA0HQN +hGGzeM17HmKsfHUrWJqnuNncTq8w0z0OQfOSH1KGkE2zwieXv6X+EYbszW+7hDQA +U9gieMm9xtc59ZG312nY973UmWhNkc+f5foxzdgcqKItfiFkcdh1Vcb/qmOTD1tK +ibljEwHXQonFbD6L/j+GYysvuDX6vyhmgjIIQucCgYEAq3tjOMsIjaL3UkfpK9gV +S001C0Ls+k07NoTF0SVGp99LmKjlabJyhbA4FZptwQqKgggtu6bHhnxdRfSzcr7S +WSd0yCzOBz/Q0kqMNKDqv1dFLpyJKArafhT65vNjyFpovQFOMf+w51CPfZc/UK3e +vULmDZiOxDcWFMOezBCNo3MCgYBk8H2HKCRXD/FZcmCh178IpcMn4N8sfur+rycT +SpXscvLUN7we/TsfQ4r3A8XxaPR9fQzXjOaMZOxvt9LKFijWt9ung5XKP1aoj8iW +/YNWcRrXkcjDtfnEoxOWWMl+wb75hbRfYpUWJCMPhlVCKDtz/2Dc7pGp+wGTxUV2 +MDIN6wKBgQCtzZ1CqsSzVA3aHpxACvzMqv4nFY1am4W3gfaO4y3+5w0T+oQlf1/p +MJBq//t6XYBJhkVs+jEwZ1NxS2oRefH0liLiX7uPCe0+lNmrPK6L68NAgCSrJPYi +pEzdIsQsJwnWRq+iJwHqLV06EJqR8Q2RjVJbUcoP0bVRRczgpNNAZg== +-----END RSA PRIVATE KEY----- 
diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der new file mode 100644 index 000000000000..b733ba5b845b Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der new file mode 100644 index 000000000000..92a875f0c491 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der new file mode 100644 index 000000000000..a81d57b98f99 Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_req.der differ diff --git a/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der new file mode 100644 index 000000000000..e3ebdc126fcc Binary files /dev/null and b/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der differ diff --git a/test/extensions/transport_sockets/tls/ssl_certs_test.h b/test/extensions/transport_sockets/tls/ssl_certs_test.h index 1fac8ff469c5..0fe7d2183b27 100644 --- a/test/extensions/transport_sockets/tls/ssl_certs_test.h +++ b/test/extensions/transport_sockets/tls/ssl_certs_test.h 
@@ -10,14 +10,6 @@ using testing::ReturnRef; namespace Envoy { class SslCertsTest : public testing::Test { -public: - static void SetUpTestSuite() { // NOLINT(readability-identifier-naming) - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/gen_unittest_certs.sh")}); - TestEnvironment::exec({TestEnvironment::runfilesPath( - "test/extensions/transport_sockets/tls/ocsp/gen_unittest_ocsp_data.sh")}); - } - protected: SslCertsTest() : api_(Api::createApiForTest(store_, time_system_)) { ON_CALL(factory_context_, api()).WillByDefault(ReturnRef(*api_)); diff --git a/test/extensions/transport_sockets/tls/ssl_socket_test.cc b/test/extensions/transport_sockets/tls/ssl_socket_test.cc index dec59d696ff1..e2a383d07115 100644 --- a/test/extensions/transport_sockets/tls/ssl_socket_test.cc +++ b/test/extensions/transport_sockets/tls/ssl_socket_test.cc @@ -795,10 +795,10 @@ void configureServerAndExpiredClientCertificate( filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() ->add_tls_certificates(); - server_cert->mutable_certificate_chain()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestcert.pem")); - server_cert->mutable_private_key()->set_filename( - TestEnvironment::substitute("{{ test_tmpdir }}/unittestkey.pem")); + server_cert->mutable_certificate_chain()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem")); + server_cert->mutable_private_key()->set_filename(TestEnvironment::substitute( + "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem")); envoy::extensions::transport_sockets::tls::v3::CertificateValidationContext* server_validation_ctx = filter_chain->mutable_hidden_envoy_deprecated_tls_context() ->mutable_common_tls_context() 
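Review bot: With SetUpTestSuite gone the TLS and OCSP fixtures are no longer regenerated per run, so the checked-in certificates now have a fixed validity window — decoding the notAfter fields in the PEMs added by this diff suggests it ends in October 2022 — and every test that loads them will start failing on that date with nothing in the code explaining why. The class body of SslCertsTest continues past the hunk; I would leave a comment where `public:`/`SetUpTestSuite` used to be: `// Certificates and OCSP fixtures are pre-generated and checked in under test_data/ (see gen_unittest_certs.sh and ocsp/gen_unittest_ocsp_data.sh, if they are kept); they expire and must be regenerated with the scripts, not edited by hand.` If the generator scripts are being removed elsewhere in this change, point the comment at whatever replaces them instead.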
@@ -1003,9 +1003,9 @@ TEST_P(SslSocketTest, GetUriWithUriSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1077,9 +1077,9 @@ TEST_P(SslSocketTest, GetNoUriWithDnsSan) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1099,9 +1099,9 @@ TEST_P(SslSocketTest, NoCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -1287,9 +1287,9 @@ TEST_P(SslSocketTest, NoCertUntrustedNotPermitted) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -1395,9 +1395,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1422,9 +1422,9 @@ TEST_P(SslSocketTest, FailedClientAuthCaVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1443,9 +1443,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerificationNoClientCert) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1470,9 +1470,9 @@ TEST_P(SslSocketTest, FailedClientAuthSanVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1620,9 +1620,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerification) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -1648,9 +1648,9 @@ TEST_P(SslSocketTest, ClientCertificateHashVerificationNoCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1743,9 +1743,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoClientCertificate common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1765,9 +1765,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCANoClientCertifi common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); 
@@ -1790,9 +1790,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongClientCertific common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -1817,9 +1817,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationNoCAWrongClientCert common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: verify_certificate_hash: ")EOF", TEST_SAN_URI_CERT_256_HASH, "\""); @@ -1842,9 +1842,9 @@ TEST_P(SslSocketTest, FailedClientCertificateHashVerificationWrongCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" 
@@ -2399,9 +2399,9 @@ TEST_P(SslSocketTest, FlushCloseDuringHandshake) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -2456,9 +2456,9 @@ TEST_P(SslSocketTest, HalfClose) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -2539,9 +2539,9 @@ TEST_P(SslSocketTest, ShutdownWithCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" 
@@ -2628,9 +2628,9 @@ TEST_P(SslSocketTest, ShutdownWithoutCloseNotify) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -2718,9 +2718,9 @@ TEST_P(SslSocketTest, ClientAuthMultipleCAs) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_certificates.pem" @@ -3035,9 +3035,9 @@ TEST_P(SslSocketTest, TicketSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -3059,9 +3059,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionCustomTimeout) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -3081,9 +3081,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWithClientCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -3110,9 +3110,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" 
@@ -3122,9 +3122,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionRotateKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" @@ -3144,9 +3144,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_a" @@ -3156,9 +3156,9 @@ TEST_P(SslSocketTest, TicketSessionResumptionWrongKey) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" session_ticket_keys: keys: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ticket_key_b" 
@@ -3319,9 +3319,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionDisabled) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: true )EOF"; @@ -3337,9 +3337,9 @@ TEST_P(SslSocketTest, SatelessSessionResumptionEnabledExplicitly) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" disable_stateless_session_resumption: false )EOF"; @@ -3355,9 +3355,9 @@ TEST_P(SslSocketTest, StatelessSessionResumptionEnabledByDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3374,9 +3374,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" @@ -3387,9 +3387,9 @@ TEST_P(SslSocketTest, ClientAuthCrossListenerSessionResumption) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -3661,9 +3661,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDefault) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3682,9 +3682,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3704,9 +3704,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls12) { tls_maximum_protocol_version: TLSv1_2 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3729,9 +3729,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionDisabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( 
@@ -3754,9 +3754,9 @@ TEST_P(SslSocketTest, ClientSessionResumptionEnabledTls13) { tls_maximum_protocol_version: TLSv1_3 tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" )EOF"; const std::string client_ctx_yaml = R"EOF( @@ -3775,9 +3775,9 @@ TEST_P(SslSocketTest, SslError) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/fake_ca_cert.pem" @@ -4282,9 +4282,9 @@ TEST_P(SslSocketTest, RevokedCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -4326,9 +4326,9 @@ TEST_P(SslSocketTest, RevokedCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert_with_crl.pem" @@ -4376,9 +4376,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" @@ -4401,9 +4401,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificate) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain.pem" 
@@ -4465,9 +4465,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl_chain.pem" @@ -4486,9 +4486,9 @@ TEST_P(SslSocketTest, RevokedIntermediateCertificateCRLInTrustedCA) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert_chain_with_crl.pem" @@ -4914,9 +4914,9 @@ class SslReadBufferLimitTest : public SslSocketTest { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key: - filename: "{{ test_tmpdir }}/unittestkey.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" validation_context: trusted_ca: filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/ca_cert.pem" 
@@ -5063,13 +5063,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5097,13 +5097,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: false mode: rsa @@ -5131,13 +5131,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true mode: rsa 
@@ -5165,13 +5165,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncDecryptSuccess) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt sync_mode: true mode: rsa @@ -5199,13 +5199,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false crypto_error: true @@ -5234,13 +5234,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSyncSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: true crypto_error: true 
@@ -5269,13 +5269,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderSignFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign method_error: true mode: rsa @@ -5303,13 +5303,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderDecryptFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt method_error: true mode: rsa @@ -5337,13 +5337,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncSignCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign async_method_error: true mode: rsa 
@@ -5372,13 +5372,13 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderAsyncDecryptCompleteFailure) { common_tls_context: tls_certificates: certificate_chain: - filename: "{{ test_tmpdir }}/unittestcert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem" private_key_provider: provider_name: test typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: decrypt async_method_error: true mode: rsa @@ -5426,7 +5426,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5466,7 +5466,7 @@ TEST_P(SslSocketTest, RsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5546,7 +5546,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertSuccess) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false async_method_error: true 
@@ -5590,7 +5590,7 @@ TEST_P(SslSocketTest, RsaAndEcdsaPrivateKeyProviderMultiCertFail) { typed_config: "@type": type.googleapis.com/google.protobuf.Struct value: - private_key_file: "{{ test_tmpdir }}/unittestkey.pem" + private_key_file: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/unittest_key.pem" expected_operation: sign sync_mode: false mode: rsa @@ -5617,11 +5617,11 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5633,7 +5633,8 @@ TEST_P(SslSocketTest, TestStaplesOcspResponseSuccess) { )EOF"; TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); 
@@ -5647,11 +5648,11 @@ TEST_P(SslSocketTest, TestNoOcspStapleWhenNotEnabledOnClient) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5670,11 +5671,11 @@ TEST_P(SslSocketTest, TestOcspStapleOmittedOnSkipStaplingAndResponseExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5693,11 +5694,11 @@ TEST_P(SslSocketTest, TestConnectionFailsOnStapleRequiredAndOcspExpired) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5716,9 +5717,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsWhenRejectOnExpiredNoOcspResponse) { common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple_policy: strict_stapling )EOF"; @@ -5737,11 +5738,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenRejectOnExpiredAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/unknown_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/unknown_ocsp_resp.der" ocsp_staple_policy: strict_stapling )EOF"; 
@@ -5761,11 +5762,11 @@ TEST_P(SslSocketTest, TestConnectionFailsWhenCertIsMustStapleAndResponseExpired) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: lenient_stapling )EOF"; @@ -5785,11 +5786,11 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; 
@@ -5805,7 +5806,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertExpirationValidatio {{"envoy.reloadable_features.check_ocsp_policy", "false"}}); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir " + "}}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); testUtil(test_options.enableOcspStapling() @@ -5818,9 +5821,9 @@ TEST_P(SslSocketTest, TestConnectionSucceedsForMustStapleCertNoValidationNoRespo common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple_policy: lenient_stapling )EOF"; 
@@ -5846,17 +5849,17 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; @@ -5868,7 +5871,8 @@ TEST_P(SslSocketTest, TestFilterMultipleCertsFilterByOcspPolicyFallbackOnFirst) - TLS_RSA_WITH_AES_128_GCM_SHA256 )EOF"; - std::string ocsp_response_path = "{{ test_tmpdir }}/ocsp_test_data/good_ocsp_resp.der"; + std::string ocsp_response_path = + "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/good_ocsp_resp.der"; std::string expected_response = TestEnvironment::readFileToStringForTest(TestEnvironment::substitute(ocsp_response_path)); TestUtilOptions test_options(client_ctx_yaml, server_ctx_yaml, true, GetParam()); 
@@ -5882,17 +5886,17 @@ TEST_P(SslSocketTest, TestConnectionFailsOnMultipleCertificatesNonePassOcspPolic common_tls_context: tls_certificates: - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/revoked_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/revoked_ocsp_resp.der" - certificate_chain: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_cert.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_cert.pem" private_key: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_key.pem" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_key.pem" ocsp_staple: - filename: "{{ test_tmpdir }}/ocsp_test_data/ecdsa_ocsp_resp.der" + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/ocsp/test_data/ecdsa_ocsp_resp.der" ocsp_staple_policy: must_staple )EOF"; diff --git a/test/extensions/transport_sockets/tls/test_data/certs.sh b/test/extensions/transport_sockets/tls/test_data/certs.sh index d3ad086c98d4..b1155f18d9fe 100755 --- a/test/extensions/transport_sockets/tls/test_data/certs.sh +++ b/test/extensions/transport_sockets/tls/test_data/certs.sh @@ -256,3 +256,7 @@ openssl rand 79 > ticket_key_wrong_len # Generate a certificate with no subject CN and no altnames. generate_rsa_key no_subject generate_x509_cert_nosubject no_subject ca + +# Generate unit test certificate +generate_rsa_key unittest +generate_selfsigned_x509_cert unittest 
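Review bot: The new `# Generate unit test certificate` comment before `generate_rsa_key unittest` / `generate_selfsigned_x509_cert unittest` does not say what consumes the output or that the companion unittest_cert_info.h (hashes, serial, notBefore/notAfter) has to be regenerated in the same step; a comment such as `# Self-signed leaf cert/key presented as the server certificate by ssl_socket_test; regenerate unittest_cert_info.h alongside it.` would make the coupling explicit. The request config this step reads, unittest_cert.cfg in this commit, sets `commonName = Unit Test CA` although the certificate is used as an end-entity server certificate rather than an issuer, which is misleading when it shows up in test failures; the validity period applied by generate_selfsigned_x509_cert is not visible in this hunk, so whether it matches the other test_data certs cannot be confirmed from here.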
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
new file mode 100644
index 000000000000..2e485f9fa0c5
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.cfg
@@ -0,0 +1,23 @@
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName = US
+countryName_default = US
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = California
+stateOrProvinceName_default = California
+localityName = San Francisco
+localityName_default = San Francisco
+organizationName = Lyft
+organizationName_default = Lyft
+organizationalUnitName = Lyft Engineering
+organizationalUnitName_default = Lyft Engineering
+commonName = Unit Test CA
+commonName_default = Unit Test CA
+commonName_max = 64
+emailAddress = unittest@lyft.com
+emailAddress_default = unittest@lyft.com
+emailAddress_max = 64
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
new file mode 100644
index 000000000000..6ff804b3e4de
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqsCFFhdk4KsJ1P+AdrZbrUMmzyfNxrPMA0GCSqGSIb3DQEBCwUAMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTAeFw0yMDEwMjEyMzA3NThaFw0yMjEwMjEyMzA3NThaMIGd
+MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2Fu
+IEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVl
+cmluZzEVMBMGA1UEAwwMVW5pdCBUZXN0IENBMSAwHgYJKoZIhvcNAQkBFhF1bml0
+dGVzdEBseWZ0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL93
+hRLp1s4yNZHUzG+ofX13rgNfiRC9pFVJt4aZYldh440+ZfQDotPsQCaa1Nm+zPHz
+leZCxWfRVK82VGWmVy3PLExzuMr8Ar/ypwvQXxnCaZAeIYd1e917LM21jHu/CfV8
+VLF1ZtrknowZWoCll1CarmYDkQfYDSk+RcQo8XIkLeYV5JHbGK7jGoDMYmBO2Gdp
+XW4FpVi9vb7pRUfUu3ot0q1SCYGew+YrwT3yWteku66nw8cutIQEbEo00OI8wbHG
+Vuh7yY8bTdBS9r4rsQpOCSm6k5a1eKPpv8CfJdKyuXDbx2gbvFjFF6hjgp8+LCE2
+0GpLvf0VMxOVf9XZE/cCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAt9aJc3imaGQD
+1+c81ZiItdBpFJRLuO1MHmXgwJUnouJz4uT+KFkDbThaABg/L3Q/s0boWy+u9S5s
+ae8FcFvniMUBIjKzkizw6ZI6xTG6VMPDTklwWxNrNEzIBkNrcUkje/X/reyi56B+
+cbjpRJ8j0joV6xqBMFn+qMPIvAMSDJD4lMnjSxGZliDIlPvuk96RVNlF8Y18d/6G
+ThWuVgN3CyoG+JXs2sSGbqLzWCnB8zgU0VN7CZZu4yh/cE9uNc0z5M66Adrh4eJl
+pO/WWWxXHxIveRtH7DV9vhWE78KJRCcIec5Ta+X1evX1beKiNZd/5Elkyb613hTJ
+lCkcOlSebQ==
+-----END CERTIFICATE-----
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
new file mode 100644
index 000000000000..bc725d6e6b4e
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_cert_info.h
@@ -0,0 +1,8 @@
+// NOLINT(namespace-envoy)
+constexpr char TEST_UNITTEST_CERT_256_HASH[] =
+ "36c86c016f8b243b681a094c11d394ac06edac336a3ece479a1b2eeb455b1492";
+constexpr char TEST_UNITTEST_CERT_1_HASH[] = "82be621a0f4b6046365496788befbe2e95977eb1";
+constexpr char TEST_UNITTEST_CERT_SPKI[] = "eWpfAfOA1JddINxIW/64Lc6XHpeo0u9IHx6dE42p9jw=";
+constexpr char TEST_UNITTEST_CERT_SERIAL[] = "585d9382ac2753fe01dad96eb50c9b3c9f371acf";
+constexpr char TEST_UNITTEST_CERT_NOT_BEFORE[] = "Oct 21 23:07:58 2020 GMT";
+constexpr char TEST_UNITTEST_CERT_NOT_AFTER[] = "Oct 21 23:07:58 2022 GMT";
diff --git a/test/extensions/transport_sockets/tls/test_data/unittest_key.pem b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
new file mode 100644
index 000000000000..dd3456d15fb6
--- /dev/null
+++ b/test/extensions/transport_sockets/tls/test_data/unittest_key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAv3eFEunWzjI1kdTMb6h9fXeuA1+JEL2kVUm3hpliV2HjjT5l
+9AOi0+xAJprU2b7M8fOV5kLFZ9FUrzZUZaZXLc8sTHO4yvwCv/KnC9BfGcJpkB4h
+h3V73XsszbWMe78J9XxUsXVm2uSejBlagKWXUJquZgORB9gNKT5FxCjxciQt5hXk
+kdsYruMagMxiYE7YZ2ldbgWlWL29vulFR9S7ei3SrVIJgZ7D5ivBPfJa16S7rqfD
+xy60hARsSjTQ4jzBscZW6HvJjxtN0FL2viuxCk4JKbqTlrV4o+m/wJ8l0rK5cNvH
+aBu8WMUXqGOCnz4sITbQaku9/RUzE5V/1dkT9wIDAQABAoIBAFZlFAMIyQiZ11pK
+b0Ui/h0TV83l2e9X40Mo1EtEAv/zB77AHTkSOvLtc7T3wHvQgKHcjBMupezGpDO7
+jDGh8UyWYyLMROIy/Pqn/4BxMbhp5UBGmFKLTK0P25OnDBD6jv/abkz08MhsyK3m
+8tOB5NlWMsONcG/dqXKmysxMvUYHDMlF3Re5PmvyWVKpclqYxWWXRSAy/FygSUPN
+bCwKSv1QXytNefkN7n/G8WaGLU52pff3HMpt4JwTl5rnOiPRZGowFPJnNgO9uW85
+Rj620Db+MZzmJvTeSkxgpIUYUuDtgrvARYa+4y0Lajl4EHkCKg0YYzXbDPORFQ3M
+WwN9LqECgYEA8B5I/lYU2QNyIlHjXx2KeKArCriL5sd0KCBHgcE586wyVb5vonET
+ovNq8IH+2F4h8d+gbkzoQ2oGYsmM1AiCoxkio6c2KgAUHBbpGfjf92zSDirqBTqg
+xha25eXElbu44EkiDWxpy944LkFlNiCLb9+5yqyfqqyixvxRtSBWtAsCgYEAzCF2
+WFn73i7zBNA/6yjodLUXy0BUjL38WV4HU3WDEbPp28e/+NLoWXH/B9BH950J+EGI
+LPwjpk6ODhYeMknsdzYV8X5RkOuft7B0yrrdInN+vtIlvZmRd47esuJTcnj3zuUB
+2B4TkmWUFf6kLn+TXwLB0wbsj9ieZMJzQkdSx0UCgYEAlBjJwnyLTTHv4jUJfK+2
+qSF4ips6RnN8NAd8sw3fVWg+f13+cn01tEpYCdDTwtWEMC9SPtWWZ4XsPF+9SUWa
+dUfacn9+S7dSr+R9jvROBsgKYoybW/BGGwcFdZQahJOMumDA7PCR7Bi6I+VXrGO0
+PKMLb3K648SofPxA1OsGLvMCgYEAqzOhYuZNRIIR1cam5R6RH1jGlPPmNYgdvgIL
+mOakv9Mp3ud/zTtuHZ5rK212/mhZ9TlY8YmiiJe3sn7AYqL3TOAytTChTi8f7Fp1
+CZaBYqSE95uehY7nnuNXSaZiIE7uXzpYOp63AYBqG6xOnKTov7W7Q7a57sbZyV4A
+duUEuxUCgYEAnxFo8ln1H2QcxQS/y8l8r4MRXj9weDhlp/eXtfgd8JiJ5m+E6r+D
+tr2wg6Q92ertogdaMvXiPfi/5qiTqsJvTahqx1E2WYRHxywkfbte1a/3bGNxe3Gr
+bba7Pd1JXwJ1s8ahB7yoS/xyYLSl5fmE3N14j8wwkmtv1q3TNstmg3Y=
+-----END RSA PRIVATE KEY-----
diff --git a/test/integration/integration_test.cc b/test/integration/integration_test.cc
index 1037cad075bc..3fe60c8bf1f5 100644
--- a/test/integration/integration_test.cc
+++ b/test/integration/integration_test.cc
@@ -908,6 +908,41 @@ TEST_P(IntegrationTest, AbsolutePath) { EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); } +// Make that both IPv4 and IPv6 hosts match when using relative and absolute URLs. +TEST_P(IntegrationTest, TestHostWithAddress) { + useAccessLog("%REQ(Host)%\n"); + std::string address_string; + if (GetParam() == Network::Address::IpVersion::v4) { + address_string = TestUtility::getIpv4Loopback(); + } else { + address_string = "[::1]"; + } + + auto host = config_helper_.createVirtualHost(address_string.c_str(), "/"); + host.set_require_tls(envoy::config::route::v3::VirtualHost::ALL); + config_helper_.addVirtualHost(host); + + initialize(); + std::string response; + + // Test absolute URL with ipv6. + sendRawHttpAndWaitForResponse( + lookupPort("http"), absl::StrCat("GET http://", address_string, " HTTP/1.1\r\n\r\n").c_str(), + &response, true); + EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); + EXPECT_THAT(waitForAccessLog(access_log_name_), HasSubstr(address_string)); + + // Test normal IPv6 request as well. + response.clear(); + sendRawHttpAndWaitForResponse( + lookupPort("http"), + absl::StrCat("GET / HTTP/1.1\r\nHost: ", address_string, "\r\n\r\n").c_str(), &response, + true); + EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); +} + TEST_P(IntegrationTest, AbsolutePathWithPort) { // Configure www.namewithport.com:1234 to send a redirect, and ensure the redirect is // encountered via absolute URL with a port. @@ -920,6 +955,7 @@ TEST_P(IntegrationTest, AbsolutePathWithPort) { lookupPort("http"), "GET http://www.namewithport.com:1234 HTTP/1.1\r\nHost: host\r\n\r\n", &response, true); EXPECT_FALSE(response.find("HTTP/1.1 404 Not Found\r\n") == 0); + EXPECT_TRUE(response.find("301") != std::string::npos); } TEST_P(IntegrationTest, AbsolutePathWithoutPort) { 
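Review bot: The two inline comments in the new TestHostWithAddress, `// Test absolute URL with ipv6.` and `// Test normal IPv6 request as well.`, are wrong for half of the parameter space: when `GetParam()` is v4 the same two requests are sent with `TestUtility::getIpv4Loopback()`, so they should read `// Absolute-form request-target carrying the loopback address (IPv4 or [::1]).` and `// Same address in the Host header of an origin-form request.`, and the header comment's `Make that both` should be `Make sure that both`. The `EXPECT_TRUE(response.find("301") != std::string::npos)` checks (including the one added to AbsolutePathWithPort) accept a "301" anywhere in the response, body or header value included; anchoring on the status line in the file's existing style, `EXPECT_TRUE(response.find("HTTP/1.1 301") == 0);`, pins the require_tls redirect the test is actually about. AbsolutePathWithPort's body continues past the end of the hunk.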
diff --git a/test/mocks/thread_local/mocks.h b/test/mocks/thread_local/mocks.h index dc6518c5068a..b3cdd0cc5539 100644 --- a/test/mocks/thread_local/mocks.h +++ b/test/mocks/thread_local/mocks.h @@ -58,17 +58,23 @@ class MockInstance : public Instance { } // ThreadLocal::Slot - ThreadLocalObjectSharedPtr get() override { return parent_.data_[index_]; } + ThreadLocalObjectSharedPtr get() override { + EXPECT_TRUE(was_set_); + return parent_.data_[index_]; + } bool currentThreadRegistered() override { return parent_.registered_; } void runOnAllThreads(const UpdateCb& cb) override { + EXPECT_TRUE(was_set_); parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); }); } void runOnAllThreads(const UpdateCb& cb, Event::PostCb main_callback) override { + EXPECT_TRUE(was_set_); parent_.runOnAllThreads([cb, this]() { parent_.data_[index_] = cb(parent_.data_[index_]); }, main_callback); } void set(InitializeCb cb) override { + was_set_ = true; if (parent_.defer_data) { parent_.deferred_data_[index_] = cb; } else { @@ -78,6 +84,7 @@ class MockInstance : public Instance { MockInstance& parent_; const uint32_t index_; + bool was_set_{}; // set() must be called before other functions. }; void call() {
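Review bot: The three new `EXPECT_TRUE(was_set_)` checks in `get()` and the two `runOnAllThreads` overloads report only the bare expression when they fire, which does not say which entry point was reached before `set()`; a message on each, e.g. `EXPECT_TRUE(was_set_) << "ThreadLocal::Slot::get() called before set()";` (and the equivalent text for the two runOnAllThreads overloads), makes the new ordering invariant self-explanatory in a failure log. Because these are EXPECT rather than ASSERT, `get()` still goes on to index `parent_.data_[index_]` after a failed check, so a mis-ordered test may also read an empty entry or crash on top of the expectation failure; that appears to be the pre-existing behavior, and `data_`'s type is not visible in this hunk, so the ordering requirement is worth stating once next to the `// ThreadLocal::Slot` comment as well as on the member. The class MockInstance begins before the first hunk and its second hunk runs to the end of the view.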