Test client/server mTLS support. #321
Merged
Conversation
cpu force-pushed the cpu-test-mtls-support branch from ef0d20f to 11a1ab7 on June 30, 2023 15:36
Previously only the `tests/server.c` code needed to load a `rustls_certified_key` (for the server cert/keypair). In a subsequent commit the `tests/client.c` code will need to do the same for optionally providing a `rustls_certified_key` for client certificate authentication. In preparation, this commit lifts the `read_file` and `load_cert_and_key` helper functions from `tests/server.c` into `tests/common.c` (updating `tests/common.h` to match) where both client and server test programs can use the shared code.
This commit updates `tests/client.c` to allow setting two new env vars, `AUTH_CERT` and `AUTH_KEY`. If neither is set, the program works as it did before: no client certificate is sent for mTLS. If one but not both of these env vars is set, the program will error: they must both be provided. If both are set, the `AUTH_CERT` and `AUTH_KEY` files are loaded into a `rustls_certified_key` and the built `rustls_client_config` will be configured to offer client certificate authentication with the server using the cert/key pair.
This commit updates the `tests/server.c` program so that if an `AUTH_CERT` env var is provided the server will be configured to require clients to provide a client certificate that chains to the `AUTH_CERT` certificate authority. If no `AUTH_CERT` env var is set the server works as it did before, ignoring client certificate authentication.
Tests that:
* A client w/ AUTH_KEY + AUTH_CERT can connect to a server that doesn't require mTLS without error.
* A client w/ AUTH_KEY + AUTH_CERT can connect to a server that requires mTLS without error.
* A client w/o AUTH_KEY + AUTH_CERT errors when connecting to a server that requires mTLS.
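As an added example, not code from this PR or from rustls-ffi's own `tests/common.c`, the following C program shows the client-side behaviour the commit messages above describe: the both-or-neither rule for `AUTH_CERT` / `AUTH_KEY`, a `read_file` that refuses to truncate, and one check the commit text does not mention, namely confirming that each file actually carries the PEM block type it is supposed to (a CERTIFICATE block for `AUTH_CERT`, a private-key block for `AUTH_KEY`) before the pair would be handed to `rustls_certified_key_build`. The function names (`auth_mode_from_env`, `pem_has_block`, `self_check`), the placeholder PEM contents and the `/tmp` paths are this example's own assumptions; `rustls_certified_key_build` is only named in a comment, not called, so the program builds without linking rustls-ffi.

```c
/* Added example: AUTH_CERT / AUTH_KEY gating and PEM loading for a test
 * client. Illustrative code, not rustls-ffi's tests/common.c.
 * Build: cc -std=c99 -Wall mtls_env.c -o mtls_env */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum auth_mode { AUTH_NONE = 0, AUTH_MTLS = 1, AUTH_ERROR = -1 };

/* Both-or-neither rule for the two env vars (NULL means unset). */
enum auth_mode auth_mode_from_env(const char *cert, const char *key)
{
    if (cert == NULL && key == NULL) return AUTH_NONE;   /* plain TLS, no client cert */
    if (cert == NULL || key == NULL) return AUTH_ERROR;  /* half-configured: refuse */
    return AUTH_MTLS;
}

/* Read a whole file into buf as a NUL-terminated string.
 * Returns 0 on success, 1 on open/read failure, 2 if the file does not fit.
 * Refusing to truncate matters: a silently cut-off PEM would surface later as
 * an opaque parse error from the TLS library instead of here. */
int read_file(const char *path, char *buf, size_t buflen, size_t *out_len)
{
    if (buflen == 0) return 2;
    FILE *f = fopen(path, "rb");
    if (f == NULL) return 1;
    size_t n = fread(buf, 1, buflen - 1, f);
    int failed = ferror(f);
    int too_big = (n == buflen - 1) && fgetc(f) != EOF; /* more data after buf filled */
    fclose(f);
    if (failed) return 1;
    if (too_big) return 2;
    buf[n] = '\0';
    *out_len = n;
    return 0;
}

/* 1 if the NUL-terminated PEM text contains a "-----BEGIN <type>-----" marker. */
int pem_has_block(const char *pem, const char *type)
{
    char marker[96];
    snprintf(marker, sizeof marker, "-----BEGIN %s-----", type);
    return strstr(pem, marker) != NULL;
}

/* Load the cert chain and private key files and sanity-check their PEM types.
 * The buffers would next go to rustls_certified_key_build (not shown here).
 * Returns 0 on success, otherwise a code identifying the failing check. */
int load_cert_and_key(const char *cert_path, const char *key_path,
                      char *cert_buf, size_t cert_buflen,
                      char *key_buf, size_t key_buflen)
{
    size_t cert_len = 0, key_len = 0;
    if (read_file(cert_path, cert_buf, cert_buflen, &cert_len) != 0) return 1;
    if (read_file(key_path, key_buf, key_buflen, &key_len) != 0) return 2;
    if (!pem_has_block(cert_buf, "CERTIFICATE")) return 3; /* also catches swapped paths */
    /* PKCS#8, PKCS#1 and SEC1 labels: the ones a PEM key file commonly carries. */
    if (!pem_has_block(key_buf, "PRIVATE KEY") &&
        !pem_has_block(key_buf, "RSA PRIVATE KEY") &&
        !pem_has_block(key_buf, "EC PRIVATE KEY")) return 4;
    return 0;
}

/* Constructed sample input: PEM-shaped placeholders, not real credentials. */
static const char SAMPLE_CERT[] =
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n";
static const char SAMPLE_KEY[] =
    "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n";

static int write_temp(char *path_out, const char *contents)
{
    strcpy(path_out, "/tmp/mtls_example_XXXXXX"); /* assumed writable temp dir */
    int fd = mkstemp(path_out);
    if (fd < 0) return 0;
    FILE *f = fdopen(fd, "wb");
    if (f == NULL) { close(fd); return 0; }
    fputs(contents, f);
    fclose(f);
    return 1;
}

/* Returns 1 when: a matching pair loads (0), swapped paths are rejected (3),
 * and an undersized buffer is reported as truncation (2). */
int self_check(void)
{
    char cert_path[64], key_path[64], cert_buf[4096], key_buf[4096], small[8];
    size_t n = 0;
    if (!write_temp(cert_path, SAMPLE_CERT) || !write_temp(key_path, SAMPLE_KEY)) return 0;
    int ok = load_cert_and_key(cert_path, key_path, cert_buf, sizeof cert_buf,
                               key_buf, sizeof key_buf);
    int swapped = load_cert_and_key(key_path, cert_path, cert_buf, sizeof cert_buf,
                                    key_buf, sizeof key_buf);
    int trunc = read_file(cert_path, small, sizeof small, &n);
    unlink(cert_path);
    unlink(key_path);
    return ok == 0 && swapped == 3 && trunc == 2;
}

int main(void)
{
    const char *cert = getenv("AUTH_CERT"), *key = getenv("AUTH_KEY");
    enum auth_mode mode = auth_mode_from_env(cert, key);
    if (mode == AUTH_ERROR) { fprintf(stderr, "AUTH_CERT and AUTH_KEY must both be set\n"); return 1; }
    if (mode == AUTH_NONE) { puts("no client certificate configured"); return 0; }
    static char cert_buf[16384], key_buf[16384];
    int rc = load_cert_and_key(cert, key, cert_buf, sizeof cert_buf, key_buf, sizeof key_buf);
    if (rc != 0) { fprintf(stderr, "client credential check failed (code %d)\n", rc); return 1; }
    puts("client cert and key loaded; ready for rustls_certified_key_build");
    return 0;
}
```

Run it as `AUTH_CERT=client.pem AUTH_KEY=client.key ./mtls_env`, or with neither variable to see the plain-TLS path. One caveat the PR's naming invites: on the client `AUTH_CERT` is the client's own certificate, while on the server the same name denotes the CA that client certificates must chain to, so the two programs must not be pointed at the same file.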
cpu force-pushed the cpu-test-mtls-support branch from 6c0a9ce to 1538cb6 on July 10, 2023 17:50
ctz approved these changes on Jul 10, 2023
Another test-only jam & this one's been up for a bit so I'm going to merge as-is with the same disclaimer as the others: happy to revise down the road if there's any new feedback.
Description
In preparation for supporting client certificate revocation checking w/ CRLs it felt prudent to update the `tests/client.c` and `tests/server.c` pair of test programs to allow configuration/testing of mutually authenticated TLS (mTLS).

tests: common read_file and load_cert_and_key.
Previously only the `tests/server.c` code needed to load a `rustls_certified_key` (for the server cert/keypair). In a subsequent commit the `tests/client.c` code will need to do the same for optionally providing a `rustls_certified_key` for client certificate authentication. In preparation, this commit lifts the `read_file` and `load_cert_and_key` helper functions from `tests/server.c` into `tests/common.c` (updating `tests/common.h` to match) where both client and server test programs can use the shared code.

tests/client: add client certificate support.
This commit updates `tests/client.c` to allow setting two new env vars, `AUTH_CERT` and `AUTH_KEY`. If neither is set, the program works as it did before: no client certificate is sent for mTLS. If one but not both of these env vars is set, the program will error: they must both be provided. If both are set, the `AUTH_CERT` and `AUTH_KEY` files are loaded into a `rustls_certified_key` and the built `rustls_client_config` will be configured to offer client certificate authentication with the server using the cert/key pair.

tests/server: add optional required client cert auth.
This commit updates the `tests/server.c` program so that if an `AUTH_CERT` env var is provided the server will be configured to require clients to provide a client certificate that chains to the `AUTH_CERT` certificate authority. If no `AUTH_CERT` env var is set the server works as it did before, ignoring client certificate authentication.

tests/client-server.py: include mTLS tests.
Updates the `test/client-server.py` integration tests to add tests to ensure that: