Exemple #1
0
// setupVerifier initializes a verifier, but does not start it and does not
// wait for it to sign anything.
func setupVerifier(t *testing.T, keyserverVerif *proto.AuthorizationPolicy, keyserverAddr string, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey) (cfg *proto.VerifierConfig, getKey func(string) (crypto.PrivateKey, error), db kv.DB, sv *proto.PublicKey, teardown func()) {
	dir, err := ioutil.TempDir("", "verifier")
	if err != nil {
		t.Fatal(err)
	}
	teardown = chain(func() { os.RemoveAll(dir) })
	ldb, err := leveldb.OpenFile(dir, nil)
	if err != nil {
		teardown()
		t.Fatal(err)
	}
	teardown = chain(func() { ldb.Close() }, teardown)

	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		teardown()
		t.Fatal(err)
	}
	sv = &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}}

	cert := tlstestutil.Cert(t, caCert, caKey, fmt.Sprintf("verifier %x", proto.KeyID(sv)), nil)
	getKey = func(keyid string) (crypto.PrivateKey, error) {
		switch keyid {
		case "signing":
			return sk, nil
		case "tls":
			return cert.PrivateKey, nil
		default:
			panic("unknown key requested in tests [" + keyid + "]")
		}
	}
	cfg = &proto.VerifierConfig{
		Realm:                testingRealm,
		KeyserverAddr:        keyserverAddr,
		InitialKeyserverAuth: *keyserverVerif,
		SigningKeyID:         "signing",

		ID:  proto.KeyID(sv),
		TLS: &proto.TLSConfig{RootCAs: [][]byte{caCert.Raw}, Certificates: []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}}},
	}
	db = leveldbkv.Wrap(ldb)
	return
}
Exemple #2
0
// setupKeyservers initializes everything needed to start a set of keyserver
// replicas, but does not actually start them yet
func setupKeyservers(t *testing.T, nReplicas int) (
	cfgs []*proto.ReplicaConfig, serverKeyGetters []func(string) (crypto.PrivateKey, error),
	clientKeyGetter func(string) (crypto.PrivateKey, error),
	clientConfig *proto.Config, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey, teardown func(),
) {
	caCert, caPool, caKey = tlstestutil.CA(t, nil)

	vrfPublic, vrfSecret, err := vrf.GenerateKey(rand.Reader)
	if err != nil {
		t.Fatal(err)
	}

	teardown = func() {}

	clientCert := tlstestutil.Cert(t, caCert, caKey, "client", nil)
	clientKeyGetter = func(id string) (crypto.PrivateKey, error) {
		switch id {
		case "client":
			return clientCert.PrivateKey, nil
		default:
			t.Fatalf("unknown key %s", id)
			return nil, nil
		}
	}

	pks := make(map[uint64]*proto.PublicKey)
	replicaIDs := []uint64{}
	pol := &proto.AuthorizationPolicy{}
	realmConfig := &proto.RealmConfig{
		RealmName:          testingRealm,
		Domains:            []string{realmDomain},
		VRFPublic:          vrfPublic,
		VerificationPolicy: pol,
		EpochTimeToLive:    proto.DurationStamp(time.Hour),
		ClientTLS: &proto.TLSConfig{
			RootCAs:      [][]byte{caCert.Raw},
			Certificates: []*proto.CertificateAndKeyID{{clientCert.Certificate, "client", nil}},
		},
	}
	clientConfig = &proto.Config{
		Realms: []*proto.RealmConfig{realmConfig},
	}
	for n := 0; n < nReplicas; n++ {
		pk, sk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			teardown()
			t.Fatal(err)
		}
		pked := &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}}
		replicaID := proto.KeyID(pked)
		pks[replicaID] = pked
		replicaIDs = append(replicaIDs, replicaID)

		cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil)
		pcerts := []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}}
		cfgs = append(cfgs, &proto.ReplicaConfig{
			KeyserverConfig: proto.KeyserverConfig{
				Realm:    testingRealm,
				ServerID: replicaID,
				VRFKeyID: "vrf",

				MinEpochInterval:      proto.DurationStamp(tick),
				MaxEpochInterval:      proto.DurationStamp(tick),
				ProposalRetryInterval: proto.DurationStamp(poll),
			},

			SigningKeyID:        "signing",
			ReplicaID:           replicaID,
			PublicAddr:          "localhost:0",
			VerifierAddr:        "localhost:0",
			HKPAddr:             "localhost:0",
			PublicTLS:           proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
			VerifierTLS:         proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
			HKPTLS:              proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT},
			ClientTimeout:       proto.DurationStamp(time.Hour),
			LaggingVerifierScan: 1000 * 1000 * 1000,
		})
		serverKeyGetters = append(serverKeyGetters, func(keyid string) (crypto.PrivateKey, error) {
			switch keyid {
			case "vrf":
				return vrfSecret, nil
			case "signing":
				return sk, nil
			case "tls":
				return cert.PrivateKey, nil
			default:
				panic("unknown key requested in test")
			}
		})
	}
	pol.PublicKeys = pks
	pol.PolicyType = &proto.AuthorizationPolicy_Quorum{Quorum: majorityQuorum(replicaIDs)}
	return
}
Exemple #3
0
func TestConfig(t *testing.T) {

	caCert, _, caKey := tlstestutil.CA(t, nil)
	cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil)
	st := [32]byte{1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2}
	badST := [2]byte{1, 2}
	errGetKey := errors.New("test error")
	getKey := func(keyid string) (crypto.PrivateKey, error) {
		switch keyid {
		case "tls":
			return cert.PrivateKey, nil
		case "badTLS":
			return nil, errGetKey
		case "stk":
			return st, nil
		case "badst1":
			return badST, nil
		case "badst2":
			return nil, errGetKey
		case "badst3":
			return nil, nil
		default:
			panic("unknown key requested in tests [" + keyid + "]")
		}
	}

	pcerts := []*CertificateAndKeyID{{cert.Certificate, "tls", nil}}

	goodTLS := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}}
	_, err := goodTLS.Config(getKey)
	if err != nil {
		t.Fatal(err)
	}

	pcertsBad := []*CertificateAndKeyID{{cert.Certificate, "badTLS", nil}}
	cfgBadKey := &TLSConfig{Certificates: pcertsBad, RootCAs: [][]byte{caCert.Raw}}
	_, err = cfgBadKey.Config(getKey)
	if err != errGetKey {
		t.Errorf("expected error: %v, got %v", errGetKey, err)
	}

	cfgSessionTkt := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "stk"}
	_, err = cfgSessionTkt.Config(getKey)
	if err != nil {
		t.Fatal(err)
	}

	cfgBadSessionTkt1 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst1"}
	_, err = cfgBadSessionTkt1.Config(getKey)
	if err == nil {
		t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...")
	}

	cfgBadSessionTkt2 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst2"}
	_, err = cfgBadSessionTkt2.Config(getKey)
	if err != errGetKey {
		t.Errorf("expected error: %v, got %v", errGetKey, err)
	}

	cfgBadSessionTkt3 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst3"}
	_, err = cfgBadSessionTkt3.Config(getKey)
	if err == nil {
		t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...")
	}

	cfgCipherSuites := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CipherSuites: []CipherSuite{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA}}
	_, err = cfgCipherSuites.Config(getKey)
	if err != nil {
		t.Fatal(err)
	}

	cfgCurvePref := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CurvePreferences: []CurveID{P256, P384, P521}}
	_, err = cfgCurvePref.Config(getKey)
	if err != nil {
		t.Fatal(err)
	}
}