Merge pull request #23038 from yihuazhang/multi-domain-cert

Update multi-domain key materials
reviewable/pr23165/r1
yihuaz 5 years ago committed by GitHub
commit 0676da6ffe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 12
      src/core/tsi/test_creds/README
  2. 30
      src/core/tsi/test_creds/multi-domain-openssl.cnf
  3. 55
      src/core/tsi/test_creds/multi-domain.key
  4. 39
      src/core/tsi/test_creds/multi-domain.pem
  5. 12
      test/core/tsi/ssl_transport_security_test.cc

@ -62,6 +62,16 @@ common name which is set to *.test.google.com.
$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server1.csr \
-out server1.pem -extensions req_ext -extfile server1-openssl.cnf -days 3650
multi-domain is a self-signed certificate having multiple subject alternative names:
----------------------------------------------------------------------------
$ openssl genrsa -out multi-domain.key.rsa 2048
$ openssl pkcs8 -topk8 -in multi-domain.key.rsa -out multi-domain.key -nocrypt
$ openssl req -new -key multi-domain.key -out multi-domain.csr -config
multi-domain-openssl.cnf
$ openssl req -x509 -new -extensions v3_req -key multi-domain.key -out
multi-domain.pem -days 3650 -config multi-domain-openssl.cnf
Clean up:
---------
$ rm *.rsa
@ -71,7 +81,7 @@ $ rm ca.srl
Sync up with other repositories
===============================
Copies of these keys exist in multiple locations across all the grpc repos
Copies of these keys (except for multi-domain) exist in multiple locations across all the grpc repos
(e.g., see the following partial list). You need to be careful when updating
the keys.

@ -0,0 +1,30 @@
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
localityName = Locality Name (eg, city)
localityName_default = SF
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Google
commonName = Common Name (CN)
commonName_default =xpigors
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = foo.test.domain.com
DNS.2 = bar.test.domain.com
URI.1 = https://foo.test.domain.com/test
URI.2 = https://bar.test.domain.com/test
URI.3 = spiffe://foo.com/bar/baz
email.1 = foo@test.domain.com
email.2 = bar@test.domain.com
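Review bot: `commonName_default =xpigors` is missing the space after `=` that every other `_default` line in `[req_distinguished_name]` uses, and `[ v3_req ]` is bracketed differently from `[req]` and `[alt_names]`; write `commonName_default = xpigors` and `[v3_req]` so the file reads uniformly. The file also says nothing about what consumes it: the README hunk in this same commit generates multi-domain.key and multi-domain.pem from it, and the number of `[alt_names]` entries is what ssl_transport_security_test.cc asserts through expected_property_count, so adding or removing an entry here silently breaks that test. A header comment such as `# Source for multi-domain.key/.pem (see README); every alt_names entry changes the property count asserted in test/core/tsi/ssl_transport_security_test.cc` would make that coupling visible to the next person who edits the SAN list.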

@ -1,27 +1,28 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

@ -1,23 +1,24 @@
-----BEGIN CERTIFICATE-----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BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArhlQWA9z/w9nk54QYWdIsz/p7qMz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-----END CERTIFICATE-----

@ -251,7 +251,8 @@ static bool check_subject_alt_name(tsi_peer* peer, const char* name) {
const tsi_peer_property* prop = &peer->properties[i];
if (strcmp(prop->name, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) ==
0) {
if (memcmp(prop->value.data, name, prop->value.length) == 0) {
if (strlen(name) == prop->value.length &&
memcmp(prop->value.data, name, prop->value.length) == 0) {
return true;
}
}
@ -263,7 +264,8 @@ static bool check_uri(tsi_peer* peer, const char* name) {
for (size_t i = 0; i < peer->property_count; i++) {
const tsi_peer_property* prop = &peer->properties[i];
if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
if (memcmp(prop->value.data, name, prop->value.length) == 0) {
if (strlen(name) == prop->value.length &&
memcmp(prop->value.data, name, prop->value.length) == 0) {
return true;
}
}
@ -875,8 +877,8 @@ void ssl_tsi_test_extract_x509_subject_names() {
GPR_ASSERT(tsi_ssl_extract_x509_subject_names_from_pem_cert(cert, &peer) ==
TSI_OK);
// tsi_peer should include one common name, one certificate, one security
// level, six SAN fields, and two URI fields.
size_t expected_property_count = 10;
// level, seven SAN fields, three URI fields.
size_t expected_property_count = 12;
GPR_ASSERT(peer.property_count == expected_property_count);
// Check common name
const char* expected_cn = "xpigors";
@ -893,10 +895,12 @@ void ssl_tsi_test_extract_x509_subject_names() {
GPR_ASSERT(check_subject_alt_name(&peer, "foo.test.domain.com") == 1);
GPR_ASSERT(check_subject_alt_name(&peer, "bar.test.domain.com") == 1);
// Check URI
GPR_ASSERT(check_subject_alt_name(&peer, "spiffe://foo.com/bar/baz") == 1);
GPR_ASSERT(
check_subject_alt_name(&peer, "https://foo.test.domain.com/test") == 1);
GPR_ASSERT(
check_subject_alt_name(&peer, "https://bar.test.domain.com/test") == 1);
GPR_ASSERT(check_uri(&peer, "spiffe://foo.com/bar/baz") == 1);
GPR_ASSERT(check_uri(&peer, "https://foo.test.domain.com/test") == 1);
GPR_ASSERT(check_uri(&peer, "https://bar.test.domain.com/test") == 1);
// Check email address
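Review bot: The updated comment `// level, seven SAN fields, three URI fields.` enumerates items that sum to 13 (common name, certificate, security level, seven SAN, three URI) while the next line sets `size_t expected_property_count = 12;`, so the comment and the constant disagree. The seven SAN and three URI figures do match the new alt_names list, so presumably the security-level item is not emitted by tsi_ssl_extract_x509_subject_names_from_pem_cert — confirm that and drop it from the comment, or correct the count; the edit also dropped the conjunction, so the line should read `// level, seven SAN fields, and three URI fields.`. Separately, the length guard added to check_subject_alt_name and check_uri is the same two-line condition pasted into two otherwise identical loops (both function bodies continue outside their hunks); a single helper taking the property name keeps the two checks from drifting apart again.
```cpp
// True when `peer` carries a property named `prop_name` whose value equals the
// NUL-terminated `name`; the length is compared first so memcmp never reads
// past the end of `name`.
static bool check_peer_property(tsi_peer* peer, const char* prop_name,
                                const char* name) {
  for (size_t i = 0; i < peer->property_count; i++) {
    const tsi_peer_property* prop = &peer->properties[i];
    if (strcmp(prop->name, prop_name) == 0 &&
        strlen(name) == prop->value.length &&
        memcmp(prop->value.data, name, prop->value.length) == 0) {
      return true;
    }
  }
  return false;
}

static bool check_subject_alt_name(tsi_peer* peer, const char* name) {
  return check_peer_property(
      peer, TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY, name);
}

static bool check_uri(tsi_peer* peer, const char* name) {
  return check_peer_property(peer, TSI_X509_URI_PEER_PROPERTY, name);
}
```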
