// setupVerifier initializes a verifier, but does not start it and does not
// wait for it to sign anything.
func setupVerifier(t *testing.T, keyserverVerif *proto.AuthorizationPolicy, keyserverAddr string, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey) (cfg *proto.VerifierConfig, getKey func(string) (crypto.PrivateKey, error), db kv.DB, sv *proto.PublicKey, teardown func()) {
dir, err := ioutil.TempDir("", "verifier")
if err != nil {
t.Fatal(err)
}
teardown = chain(func() { os.RemoveAll(dir) })
ldb, err := leveldb.OpenFile(dir, nil)
if err != nil {
teardown()
t.Fatal(err)
}
teardown = chain(func() { ldb.Close() }, teardown)
pk, sk, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
teardown()
t.Fatal(err)
}
sv = &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}}
cert := tlstestutil.Cert(t, caCert, caKey, fmt.Sprintf("verifier %x", proto.KeyID(sv)), nil)
getKey = func(keyid string) (crypto.PrivateKey, error) {
switch keyid {
case "signing":
return sk, nil
case "tls":
return cert.PrivateKey, nil
default:
panic("unknown key requested in tests [" + keyid + "]")
}
}
cfg = &proto.VerifierConfig{
Realm: testingRealm,
KeyserverAddr: keyserverAddr,
InitialKeyserverAuth: *keyserverVerif,
SigningKeyID: "signing",
ID: proto.KeyID(sv),
TLS: &proto.TLSConfig{RootCAs: [][]byte{caCert.Raw}, Certificates: []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}}},
}
db = leveldbkv.Wrap(ldb)
return
}
// setupKeyservers initializes everything needed to start a set of keyserver
// replicas, but does not actually start them yet
func setupKeyservers(t *testing.T, nReplicas int) (
cfgs []*proto.ReplicaConfig, serverKeyGetters []func(string) (crypto.PrivateKey, error),
clientKeyGetter func(string) (crypto.PrivateKey, error),
clientConfig *proto.Config, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey, teardown func(),
) {
caCert, caPool, caKey = tlstestutil.CA(t, nil)
vrfPublic, vrfSecret, err := vrf.GenerateKey(rand.Reader)
if err != nil {
t.Fatal(err)
}
teardown = func() {}
clientCert := tlstestutil.Cert(t, caCert, caKey, "client", nil)
clientKeyGetter = func(id string) (crypto.PrivateKey, error) {
switch id {
case "client":
return clientCert.PrivateKey, nil
default:
t.Fatalf("unknown key %s", id)
return nil, nil
}
}
pks := make(map[uint64]*proto.PublicKey)
replicaIDs := []uint64{}
pol := &proto.AuthorizationPolicy{}
realmConfig := &proto.RealmConfig{
RealmName: testingRealm,
Domains: []string{realmDomain},
VRFPublic: vrfPublic,
VerificationPolicy: pol,
EpochTimeToLive: proto.DurationStamp(time.Hour),
ClientTLS: &proto.TLSConfig{
RootCAs: [][]byte{caCert.Raw},
Certificates: []*proto.CertificateAndKeyID{{clientCert.Certificate, "client", nil}},
},
}
clientConfig = &proto.Config{
Realms: []*proto.RealmConfig{realmConfig},
}
for n := 0; n < nReplicas; n++ {
pk, sk, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
teardown()
t.Fatal(err)
}
pked := &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}}
replicaID := proto.KeyID(pked)
pks[replicaID] = pked
replicaIDs = append(replicaIDs, replicaID)
cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil)
pcerts := []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}}
cfgs = append(cfgs, &proto.ReplicaConfig{
KeyserverConfig: proto.KeyserverConfig{
Realm: testingRealm,
ServerID: replicaID,
VRFKeyID: "vrf",
MinEpochInterval: proto.DurationStamp(tick),
MaxEpochInterval: proto.DurationStamp(tick),
ProposalRetryInterval: proto.DurationStamp(poll),
},
SigningKeyID: "signing",
ReplicaID: replicaID,
PublicAddr: "localhost:0",
VerifierAddr: "localhost:0",
HKPAddr: "localhost:0",
PublicTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
VerifierTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
HKPTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
ClientTimeout: proto.DurationStamp(time.Hour),
LaggingVerifierScan: 1000 * 1000 * 1000,
})
serverKeyGetters = append(serverKeyGetters, func(keyid string) (crypto.PrivateKey, error) {
switch keyid {
case "vrf":
return vrfSecret, nil
case "signing":
return sk, nil
case "tls":
return cert.PrivateKey, nil
default:
panic("unknown key requested in test")
}
})
}
pol.PublicKeys = pks
pol.PolicyType = &proto.AuthorizationPolicy_Quorum{Quorum: majorityQuorum(replicaIDs)}
return
}
func TestConfig(t *testing.T) {
caCert, _, caKey := tlstestutil.CA(t, nil)
cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil)
st := [32]byte{1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2}
badST := [2]byte{1, 2}
errGetKey := errors.New("test error")
getKey := func(keyid string) (crypto.PrivateKey, error) {
switch keyid {
case "tls":
return cert.PrivateKey, nil
case "badTLS":
return nil, errGetKey
case "stk":
return st, nil
case "badst1":
return badST, nil
case "badst2":
return nil, errGetKey
case "badst3":
return nil, nil
default:
panic("unknown key requested in tests [" + keyid + "]")
}
}
pcerts := []*CertificateAndKeyID{{cert.Certificate, "tls", nil}}
goodTLS := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}}
_, err := goodTLS.Config(getKey)
if err != nil {
t.Fatal(err)
}
pcertsBad := []*CertificateAndKeyID{{cert.Certificate, "badTLS", nil}}
cfgBadKey := &TLSConfig{Certificates: pcertsBad, RootCAs: [][]byte{caCert.Raw}}
_, err = cfgBadKey.Config(getKey)
if err != errGetKey {
t.Errorf("expected error: %v, got %v", errGetKey, err)
}
cfgSessionTkt := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "stk"}
_, err = cfgSessionTkt.Config(getKey)
if err != nil {
t.Fatal(err)
}
cfgBadSessionTkt1 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst1"}
_, err = cfgBadSessionTkt1.Config(getKey)
if err == nil {
t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...")
}
cfgBadSessionTkt2 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst2"}
_, err = cfgBadSessionTkt2.Config(getKey)
if err != errGetKey {
t.Errorf("expected error: %v, got %v", errGetKey, err)
}
cfgBadSessionTkt3 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst3"}
_, err = cfgBadSessionTkt3.Config(getKey)
if err == nil {
t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...")
}
cfgCipherSuites := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CipherSuites: []CipherSuite{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA}}
_, err = cfgCipherSuites.Config(getKey)
if err != nil {
t.Fatal(err)
}
cfgCurvePref := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CurvePreferences: []CurveID{P256, P384, P521}}
_, err = cfgCurvePref.Config(getKey)
if err != nil {
t.Fatal(err)
}
}