From ff045fde0d04649cf6bdd271ea7cb6da51d6bab4 Mon Sep 17 00:00:00 2001 From: yihuaz Date: Sun, 7 Jun 2020 16:01:38 -0700 Subject: [PATCH 1/2] Update multi-domain key materials --- src/core/tsi/test_creds/README | 12 +++- .../tsi/test_creds/multi-domain-openssl.cnf | 30 ++++++++++ src/core/tsi/test_creds/multi-domain.key | 55 ++++++++++--------- src/core/tsi/test_creds/multi-domain.pem | 39 ++++++------- test/core/tsi/ssl_transport_security_test.cc | 6 +- 5 files changed, 93 insertions(+), 49 deletions(-) create mode 100644 src/core/tsi/test_creds/multi-domain-openssl.cnf diff --git a/src/core/tsi/test_creds/README b/src/core/tsi/test_creds/README index 645fe9fe502..ee9b60ec590 100644 --- a/src/core/tsi/test_creds/README +++ b/src/core/tsi/test_creds/README @@ -62,6 +62,16 @@ common name which is set to *.test.google.com. $ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \ -out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650 +multi-domain is a self-signed certificate having multiple subject alternative names: +---------------------------------------------------------------------------- + +$ openssl genrsa -out multi-domain.key.rsa 2048 +$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt +$ openssl req -new -key multi-domain.key -out multi-domain.csr -config +multi-domain-openssl.cnf +$ openssl req -x509 -new -extensions v3_req -key multi-domain.key -out +multi-domain.pem -days 3650 -config multi-domain-openssl.cnf + Clean up: --------- $ rm *.rsa @@ -71,7 +81,7 @@ $ rm ca.srl Sync up with other repositories =============================== -Copies of these keys exist in multiple locations across all the grpc repos +Copies of these keys (except for multi-domain) exist in multiple locations across all the grpc repos (e.g., see the following partial list). You need to be careful when updating the keys. diff --git a/src/core/tsi/test_creds/multi-domain-openssl.cnf b/src/core/tsi/test_creds/multi-domain-openssl.cnf new file mode 100644 index 00000000000..265950f56d6 --- /dev/null +++ b/src/core/tsi/test_creds/multi-domain-openssl.cnf @@ -0,0 +1,30 @@ +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = Country Name (2 letter code) +countryName_default = US +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = CA +localityName = Locality Name (eg, city) +localityName_default = SF +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = Google +commonName = Common Name (CN) +commonName_default =xpigors +commonName_max = 64 + +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +[alt_names] +DNS.1 = foo.test.domain.com +DNS.2 = bar.test.domain.com +URI.1 = https://foo.test.domain.com/test +URI.2 = https://bar.test.domain.com/test +URI.3 = spiffe://foo.com/bar/baz +email.1 = foo@test.domain.com +email.2 = bar@test.domain.com diff --git a/src/core/tsi/test_creds/multi-domain.key b/src/core/tsi/test_creds/multi-domain.key index 74e8122e186..b5789e92f94 100644 --- a/src/core/tsi/test_creds/multi-domain.key +++ b/src/core/tsi/test_creds/multi-domain.key @@ -1,27 +1,28 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAtCJ7xmvXxypNx7d6vV9YWZ3SHtm7+OrnDP9LBokGvpkIUloJ -q6IJxVQPTepJWM7JfXGtWgkdfmUCZjswlQmvbCJSYA8+Y76Sm9M6sf26RsMayxXU -ozWdw227frCpQt2ybor7qOLBBbQ30XbsdxPIwlrJst9Shleey93g56EDkhZWQQMN -8cciakv9zUz6GwRu3XtK4KGtWb3VpsOhf8WAoVQ05o4Cevz3LrY7NcZj2IvIna5V -+E5QxQnRXpd5gNzyE1rbzN3pXmHk2SShGI7sEqgo9HOfu7EufwsfmaCXbuCNGhlS -4YfJvuqZ7ElijUbMnYu3eGKWfjymfp/7qHu87wIDAQABAoIBAQCtgU2BaJy1XN0A -Uo1p3G2IHEioqIazEuesEDaeu9uAOHzYfZs082W/6OC45sLxRHS1XIph38fF19tA -xyBbXbHXURPRLL2ma4hhiUrO6JrEz+Z92LAw6FLmS0q+k8DlBA97BGm0WX0cVmMx -YgAQDkFgWvxOS2b8uWbd7QBVezSqPzN8iV2GNmnEA7FIphqqJbkgEBOxbwJig5Ll -WJ51Q8nWWVZS1AY2kJjf2ndFJgrB3Zbuib0nnmjsG4esB5AS9Fyjadmc+ilU7ceX -y+AdccV2cO0f9k8SBPWHUrRuiuMTcwoQ/r2HN9THaho1QBWPRPjzvXetKLTzRdK0 -+yzEI9x5AoGBAO+CYFKWwt8ylrqQzuGPVYu32RUaVgUtZVsWoF5vzK35WYFCfA+S -qIO+wPs06py79Ytgk/ff5QCz7DRepdlrmyq5ZqZ0xD858H8qzNByySZI0DSJU1wr -7Uw/5vf/+6/1/dmgPrT7HjZyGuvqq1XieBcjonQ5RYooEcjCcCnz9+z9AoGBAMCJ -kApBhTOVBquiXiqEsrbrT7s8u2KbqN9L7E2o5MnfG7sIhrFbY0Bjvdsut1omfBxd -XpTWnyR+OLd6xSpBB5fEBKD21dotwgNmJm+wTAER8ZpohlTLv8gQRHclkFg5chyY -2LJKfssiaXvocKMq3CwM7XAnbI8OTDnwxSqAfCtbAoGBAI7RGGzG90auXNC83pAD -r0gUBb8eqCKIMkMBl/kYA13OLP/1zBJhKlj82wgwQqHZNo64tSL+gAhOQU/tDEo8 -bxcn3LzvLcJh4zWBKQY3HBjXHEfnhyyUCPkJtck1/DetoIQvmJTElPx0R/dbRHV/ -CIsLtahGKmA6inhC8S0jDDhlAoGAX5svglg8q3uB33J17gkMsVYxtlkW94UyGweZ -ZIrMaQ23uG0obSNjKpMcsJ0HAOYBVRhsId5dEgL3aOy2wR+fhJYack9/q6JzJ7ru -tSFG7HUbkr/6jFrMdazWQo/NmHGWH2sql4X0ZixFUvj+DZf30ovsz3dUKclAwriz -P0Kj5ecCgYBbn1REy6+5x6lLO2SIymharMTPSG23GBiwPTSpyMD5WbzqKEQVSSJX -eIaaTPz68HOmgvBZUE7Svbz/OqhDEgZxZG9o7Pr4tsdAUzAt/LNkYA8BOjTnrx7W -ANPvr6b2UHBn26SitdwC5emdsGZIPBGS0XDzznvNwxl2+t14iteEbg== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCuGVBYD3P/D2eT +nhBhZ0izP+nuozNCEO/iQu/kyy6ZCzIEFvykt0aPzJVLcsCHCaWcNJVFPSqVDVRm +9S5ZHUyLlnSl53mKUltZI4tDDVMcEdr7KpfXeBc86lm/93DqFDgAYDkvebekRr/8 +B1OJhVJRGowXjAU9sYABzuUqjkra522BleIik3m+7DborGHS4Io5X/8D8VjlXjeB +Vht6QA8ij5JVfHvO6DsZr99EITPpha6i182O6S6lO2t1V+bdWP+EPjiOQJktrmvM +QYTFjmjYkRKLCZI1xxSfCK8t7ia5sLPFOF6uDH91ck8mXmuHs96nSOyB1i/LdBy9 +XdInSRGXAgMBAAECggEAWoqZqSJoPfah9DhY5n8TZP1RSKUhTDOIvc/3+LHeSwNy +gIP/4h3amYBZCELmc5QFx8Xk93xG//tNsLnD396H53RYt8s4/0GzdhkxHK76UPfM +PaE6FHnFBA4QnPAvjdzz/uYL92/CnLGauJSK0lM+qyU2RCyysRH1s3sI3Wfg8BRd +C9Xik+YzYirhCEGlYKju2D2As/tB2L0b/PRpM9FWeqd/YGCj8pUpceNrbvU8udc7 +4xQS6ssgMI2H1xGc50kJVDjoZix5OLiTaHDO4oRBZT+QdPTtfkam0/y2yZ9oX6UN +Byl+ybtUpxsmsvl+I7bb/fZsILrXE3GHXtcsCMi5iQKBgQDmKi1HfmQo6KeDSnjp +R+yIMc77QpZpLuzjPlKWGxY915KlL77GOUYR2cm0rPP9CPGN2Nj5IyuR32u6uHtI +WKewR7cn69prxZI3VSNFQmsatWKBoR7dwyJ4j93cN54naEuBLA1BJQ0uXgYJtgwT +x5KP97LcudpoDNVsh+FUopon8wKBgQDBpBMeDoc+7YVLnlx4FRJudzVfWWb4bPCL +2cusycOVAlN2E0VsrD2vbVWoinpVPIeOfGgD0RZZLtVQL5Ui8mZcANmuoRXtEqaS +sQ6VxkdC62uDXgrsi+i/0nsxvACmfde4sxALu3DZ7rjNlWUW7amJt34CsDBMlVeL +eDAmD0WczQKBgQCHzSLiKATYzkzn/izRF4rL4PeK8ILmlLVYbxEzV9ALtQHlTQJ2 +2pwpNCL644EiLwC2/NcoSEQQ0Y4yoV68FPL745SBjXtWU0AuPaGN395p59OzQGmB +1vyjvd7dbEN4ZOUH1gIMCdx5Gyjc2fjOQtaK808pRM9EzS2v14xv73CdWQKBgC/8 +qiQrs4Z7tCm+L+ouRqgLcLWVYTg1PxNZQOksAwT9U5OSSQUaVhsQPEcNMi3HV0yP +NfOkMCafvYsmj43ehlFMgKWPE/DxS0hVCmlBfs1tq/IdLxXZwi8vSQpVLdAUpY4H +CfXuWJQZXcDMwgWBlh8j0t11rjJ8W/qbKUt1Q2oNAoGBALdy/RpspFttVvthzFbg +FLHUAwUhEsK1VSi26AYy4L0ZHw/KLnbIGEzKCEFWqn6nfWOlb9Rw5C7QlGx/1UCC +Tnn9KnZoziK4JDQw6SEl/3hNQ5+FYI8y7QGsqAm1W9dobbgl0a1IfmbtBeEOZt+e +7oFnqaxVruVmNr56M9IMCwA1 +-----END PRIVATE KEY----- diff --git a/src/core/tsi/test_creds/multi-domain.pem b/src/core/tsi/test_creds/multi-domain.pem index cf28b4a6cfa..d4ff936fde3 100644 --- a/src/core/tsi/test_creds/multi-domain.pem +++ b/src/core/tsi/test_creds/multi-domain.pem @@ -1,23 +1,24 @@ -----BEGIN CERTIFICATE----- -MIID5DCCAsygAwIBAgIUMmNBVcGnMw2sMASWhdn5IvFktoYwDQYJKoZIhvcNAQEL +MIID/jCCAuagAwIBAgIUV2eOzlQQj1U+++TDdNyRHjRNamQwDQYJKoZIhvcNAQEL BQAwSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G -A1UECwwGR29vZ2xlMRAwDgYDVQQDDAd4cGlnb3JzMB4XDTE5MDgwNzIxMDY0NVoX -DTIwMDgwNjIxMDY0NVowSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYD +A1UECwwGR29vZ2xlMRAwDgYDVQQDDAd4cGlnb3JzMB4XDTIwMDYwNzIyNTk1MFoX +DTMwMDYwNTIyNTk1MFowSjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYD VQQHDAJTRjEPMA0GA1UECwwGR29vZ2xlMRAwDgYDVQQDDAd4cGlnb3JzMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtCJ7xmvXxypNx7d6vV9YWZ3SHtm7 -+OrnDP9LBokGvpkIUloJq6IJxVQPTepJWM7JfXGtWgkdfmUCZjswlQmvbCJSYA8+ -Y76Sm9M6sf26RsMayxXUozWdw227frCpQt2ybor7qOLBBbQ30XbsdxPIwlrJst9S -hleey93g56EDkhZWQQMN8cciakv9zUz6GwRu3XtK4KGtWb3VpsOhf8WAoVQ05o4C -evz3LrY7NcZj2IvIna5V+E5QxQnRXpd5gNzyE1rbzN3pXmHk2SShGI7sEqgo9HOf -u7EufwsfmaCXbuCNGhlS4YfJvuqZ7ElijUbMnYu3eGKWfjymfp/7qHu87wIDAQAB -o4HBMIG+MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIGjBgNVHREEgZswgZiCE2Zv -by50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5jb22BE2Zvb0B0ZXN0 -LmRvbWFpbi5jb22BE2JhckB0ZXN0LmRvbWFpbi5jb22GIGh0dHBzOi8vZm9vLnRl -c3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jhci50ZXN0LmRvbWFpbi5jb20v -dGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAIu99zFdybv5OoLNYeyhZsiGjHJQ/ECYr -dp4XeRftwO5lvLUbxDz4nfs7dedDYqk+amfgJsVg9zDykeAslvjmuWHJ1IgACAqm -SlR43gwWt1YMXH7NJ8unAxF3OwGDMdIA5WJfYo2XFz4o55wWCiUbxCpWJYu8hwz6 -6IRmn6hWWsxlflWmgaV5hYKL8bLF13Ku9gZbNFFJw6knyqw+x4b1LwsnKeZGvS7E -EvGVyhMylPVFc0ZZy0TZvk3UOR9TbIMXiztQIWrw30izwPNElvUTzSkAbAg+h6+8 -G7xSZYDr6l81M0a3S2VU75yjMCHKP5/wE9hsfTr/NpWN7w5w5PmqdA== +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArhlQWA9z/w9nk54QYWdIsz/p7qMz +QhDv4kLv5MsumQsyBBb8pLdGj8yVS3LAhwmlnDSVRT0qlQ1UZvUuWR1Mi5Z0ped5 +ilJbWSOLQw1THBHa+yqX13gXPOpZv/dw6hQ4AGA5L3m3pEa//AdTiYVSURqMF4wF +PbGAAc7lKo5K2udtgZXiIpN5vuw26Kxh0uCKOV//A/FY5V43gVYbekAPIo+SVXx7 +zug7Ga/fRCEz6YWuotfNjukupTtrdVfm3Vj/hD44jkCZLa5rzEGExY5o2JESiwmS +NccUnwivLe4mubCzxThergx/dXJPJl5rh7Pep0jsgdYvy3QcvV3SJ0kRlwIDAQAB +o4HbMIHYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMIG9BgNVHREEgbUwgbKCE2Zv +by50ZXN0LmRvbWFpbi5jb22CE2Jhci50ZXN0LmRvbWFpbi5jb22GIGh0dHBzOi8v +Zm9vLnRlc3QuZG9tYWluLmNvbS90ZXN0hiBodHRwczovL2Jhci50ZXN0LmRvbWFp +bi5jb20vdGVzdIYYc3BpZmZlOi8vZm9vLmNvbS9iYXIvYmF6gRNmb29AdGVzdC5k +b21haW4uY29tgRNiYXJAdGVzdC5kb21haW4uY29tMA0GCSqGSIb3DQEBCwUAA4IB +AQBlLNl/uXN01VARQFd5CNFMhwez879uB5N3s/pGBjzE8Z+NA9YjsBFkBSQlebFM +5UP304rsvG2opHwcSkblG9a3TbpQVNaYjcHgudip3FqLTJ3NhYtx1A3uCBp4ABeP ++AVlCcsNVysGwGvMzXlN++Y++U0A9BbfrP85VBslLaKn4rYpfB5pAdzu277ICdEy +nyFZ+jo2OS1lbv7kE7IW6slCXbCFaxPIKvjPbpGFngsLt44sZ9VvSJCeKhDglMfn +HKkhd4/UMnRn+8tZZ6eH/C5tpeKAChMUF+bkuwk3dBwnHq484KbBAKd2cwzZhTB7 +8unku1S1GumvoEYAgbG1P4gC -----END CERTIFICATE----- diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc index 1319004a9ca..b7efa3176ea 100644 --- a/test/core/tsi/ssl_transport_security_test.cc +++ b/test/core/tsi/ssl_transport_security_test.cc @@ -875,8 +875,8 @@ void ssl_tsi_test_extract_x509_subject_names() { GPR_ASSERT(tsi_ssl_extract_x509_subject_names_from_pem_cert(cert, &peer) == TSI_OK); // tsi_peer should include one common name, one certificate, one security - // level, six SAN fields, and two URI fields. - size_t expected_property_count = 10; + // level, seven SAN fields, three URI fields. + size_t expected_property_count = 12; GPR_ASSERT(peer.property_count == expected_property_count); // Check common name const char* expected_cn = "xpigors"; @@ -893,10 +893,12 @@ void ssl_tsi_test_extract_x509_subject_names() { GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1); GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1); // Check URI + GPR_ASSERT(check_subject_alt_name(&peer, "spiffe://foo.com/bar/baz") == 1); GPR_ASSERT( check_subject_alt_name(&peer, "https://foo.test.domain.com/test") == 1); GPR_ASSERT( check_subject_alt_name(&peer, "https://bar.test.domain.com/test") == 1); + GPR_ASSERT(check_uri(&peer, "spiffe://foo.com/bar/baz") == 1); GPR_ASSERT(check_uri(&peer, "https://foo.test.domain.com/test") == 1); GPR_ASSERT(check_uri(&peer, "https://bar.test.domain.com/test") == 1); // Check email address From 6591d0997b6c9a98c8f31d921346c1fe282c1f64 Mon Sep 17 00:00:00 2001 From: yihuaz Date: Sun, 7 Jun 2020 16:44:48 -0700 Subject: [PATCH 2/2] add length check --- test/core/tsi/ssl_transport_security_test.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/core/tsi/ssl_transport_security_test.cc b/test/core/tsi/ssl_transport_security_test.cc index b7efa3176ea..8c4e736fc8b 100644 --- a/test/core/tsi/ssl_transport_security_test.cc +++ b/test/core/tsi/ssl_transport_security_test.cc @@ -251,7 +251,8 @@ static bool check_subject_alt_name(tsi_peer* peer, const char* name) { const tsi_peer_property* prop = &peer->properties[i]; if (strcmp(prop->name, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) { - if (memcmp(prop->value.data, name, prop->value.length) == 0) { + if (strlen(name) == prop->value.length && + memcmp(prop->value.data, name, prop->value.length) == 0) { return true; } } @@ -263,7 +264,8 @@ static bool check_uri(tsi_peer* peer, const char* name) { for (size_t i = 0; i < peer->property_count; i++) { const tsi_peer_property* prop = &peer->properties[i]; if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) { - if (memcmp(prop->value.data, name, prop->value.length) == 0) { + if (strlen(name) == prop->value.length && + memcmp(prop->value.data, name, prop->value.length) == 0) { return true; } }