// setupKeyservers initializes everything needed to start a set of keyserver // replicas, but does not actually start them yet func setupKeyservers(t *testing.T, nReplicas int) ( cfgs []*proto.ReplicaConfig, serverKeyGetters []func(string) (crypto.PrivateKey, error), clientKeyGetter func(string) (crypto.PrivateKey, error), clientConfig *proto.Config, caCert *x509.Certificate, caPool *x509.CertPool, caKey *ecdsa.PrivateKey, teardown func(), ) { caCert, caPool, caKey = tlstestutil.CA(t, nil) vrfPublic, vrfSecret, err := vrf.GenerateKey(rand.Reader) if err != nil { t.Fatal(err) } teardown = func() {} clientCert := tlstestutil.Cert(t, caCert, caKey, "client", nil) clientKeyGetter = func(id string) (crypto.PrivateKey, error) { switch id { case "client": return clientCert.PrivateKey, nil default: t.Fatalf("unknown key %s", id) return nil, nil } } pks := make(map[uint64]*proto.PublicKey) replicaIDs := []uint64{} pol := &proto.AuthorizationPolicy{} realmConfig := &proto.RealmConfig{ RealmName: testingRealm, Domains: []string{realmDomain}, VRFPublic: vrfPublic, VerificationPolicy: pol, EpochTimeToLive: proto.DurationStamp(time.Hour), ClientTLS: &proto.TLSConfig{ RootCAs: [][]byte{caCert.Raw}, Certificates: []*proto.CertificateAndKeyID{{clientCert.Certificate, "client", nil}}, }, } clientConfig = &proto.Config{ Realms: []*proto.RealmConfig{realmConfig}, } for n := 0; n < nReplicas; n++ { pk, sk, err := ed25519.GenerateKey(rand.Reader) if err != nil { teardown() t.Fatal(err) } pked := &proto.PublicKey{PubkeyType: &proto.PublicKey_Ed25519{Ed25519: pk[:]}} replicaID := proto.KeyID(pked) pks[replicaID] = pked replicaIDs = append(replicaIDs, replicaID) cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil) pcerts := []*proto.CertificateAndKeyID{{cert.Certificate, "tls", nil}} cfgs = append(cfgs, &proto.ReplicaConfig{ KeyserverConfig: proto.KeyserverConfig{ Realm: testingRealm, ServerID: replicaID, VRFKeyID: "vrf", MinEpochInterval: proto.DurationStamp(tick), MaxEpochInterval: proto.DurationStamp(tick), ProposalRetryInterval: proto.DurationStamp(poll), }, SigningKeyID: "signing", ReplicaID: replicaID, PublicAddr: "localhost:0", VerifierAddr: "localhost:0", HKPAddr: "localhost:0", PublicTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT}, VerifierTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT}, HKPTLS: proto.TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, ClientCAs: [][]byte{caCert.Raw}, ClientAuth: proto.REQUIRE_AND_VERIFY_CLIENT_CERT}, ClientTimeout: proto.DurationStamp(time.Hour), LaggingVerifierScan: 1000 * 1000 * 1000, }) serverKeyGetters = append(serverKeyGetters, func(keyid string) (crypto.PrivateKey, error) { switch keyid { case "vrf": return vrfSecret, nil case "signing": return sk, nil case "tls": return cert.PrivateKey, nil default: panic("unknown key requested in test") } }) } pol.PublicKeys = pks pol.PolicyType = &proto.AuthorizationPolicy_Quorum{Quorum: majorityQuorum(replicaIDs)} return }
func TestConfig(t *testing.T) { caCert, _, caKey := tlstestutil.CA(t, nil) cert := tlstestutil.Cert(t, caCert, caKey, "127.0.0.1", nil) st := [32]byte{1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2, 3, 4, 5, 1, 2} badST := [2]byte{1, 2} errGetKey := errors.New("test error") getKey := func(keyid string) (crypto.PrivateKey, error) { switch keyid { case "tls": return cert.PrivateKey, nil case "badTLS": return nil, errGetKey case "stk": return st, nil case "badst1": return badST, nil case "badst2": return nil, errGetKey case "badst3": return nil, nil default: panic("unknown key requested in tests [" + keyid + "]") } } pcerts := []*CertificateAndKeyID{{cert.Certificate, "tls", nil}} goodTLS := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}} _, err := goodTLS.Config(getKey) if err != nil { t.Fatal(err) } pcertsBad := []*CertificateAndKeyID{{cert.Certificate, "badTLS", nil}} cfgBadKey := &TLSConfig{Certificates: pcertsBad, RootCAs: [][]byte{caCert.Raw}} _, err = cfgBadKey.Config(getKey) if err != errGetKey { t.Errorf("expected error: %v, got %v", errGetKey, err) } cfgSessionTkt := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "stk"} _, err = cfgSessionTkt.Config(getKey) if err != nil { t.Fatal(err) } cfgBadSessionTkt1 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst1"} _, err = cfgBadSessionTkt1.Config(getKey) if err == nil { t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...") } cfgBadSessionTkt2 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst2"} _, err = cfgBadSessionTkt2.Config(getKey) if err != errGetKey { t.Errorf("expected error: %v, got %v", errGetKey, err) } cfgBadSessionTkt3 := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, SessionTicketKeyID: "badst3"} _, err = cfgBadSessionTkt3.Config(getKey) if err == nil { t.Errorf("expected error %q, got nil", "SessionTicketKey must be a [32]byte...") } cfgCipherSuites := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CipherSuites: []CipherSuite{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA}} _, err = cfgCipherSuites.Config(getKey) if err != nil { t.Fatal(err) } cfgCurvePref := &TLSConfig{Certificates: pcerts, RootCAs: [][]byte{caCert.Raw}, CurvePreferences: []CurveID{P256, P384, P521}} _, err = cfgCurvePref.Config(getKey) if err != nil { t.Fatal(err) } }