From a4f345ff9679f417bc6d908376c37767f447dc59 Mon Sep 17 00:00:00 2001 
From: Gregory Cooke Date: Thu, 23 Mar 2023 11:34:59 -0400 Subject: [PATCH] TlsCreds: Support revocation of intermediate in chain. (#32544) This PR is a small code change with a lot of new test data. [In OpenSSL, there are two flags that configure CRL checks. Copying the relevant section:](https://www.openssl.org/docs/man1.0.2/man3/X509_VERIFY_PARAM_get_depth.html) > - X509_V_FLAG_CRL_CHECK enables CRL checking for the certificate chain leaf certificate. An error occurs if a suitable CRL cannot be found. > - X509_V_FLAG_CRL_CHECK_ALL enables CRL checking for the entire certificate chain. We currently only set `X509_V_FLAG_CRL_CHECK`, so we will only ever check if the leaf certificate is revoked. We should check the whole chain. I am open to making this a user configuration if we want to do it that way, but we certainly need to be able to check the whole chain. So, this PR contains the small code change in `ssl_transport_security.cc` to use the `X509_V_FLAG_CRL_CHECK_ALL` flag. Then the rest of the changes are in tests. I've added all the necessary files to have a chain built that looks as follows `Root CA -> Revoked Intermediate CA -> Leaf Certificate`, and added a test for this case as well. You can verify that on master this new test will fail (i.e. the handshake will succeed even though the intermediate CA is revoked) by checking out this branch, running `git checkout master -- ./src/core/tsi/ssl_transport_security.cc`, then running the test. I also slightly reorganized test/core/tsi/test_creds/ so that the CRLs are in their own directory, which is the way our API intends to accept CRLs. 
--- src/core/tsi/ssl_transport_security.cc | 6 +- test/core/tsi/BUILD | 10 +- .../tsi/crl_ssl_transport_security_test.cc | 121 ++++++++++++++++-- test/core/tsi/test_creds/crl_data/8e36c2fd.0 | 1 - test/core/tsi/test_creds/crl_data/BUILD | 6 +- test/core/tsi/test_creds/crl_data/README | 6 + test/core/tsi/test_creds/crl_data/ab06acdd.0 | 1 - test/core/tsi/test_creds/crl_data/baf02741.0 | 1 - test/core/tsi/test_creds/crl_data/crls/BUILD | 20 +++ .../crl_data/{ => crls}/ab06acdd.r0 | 0 .../tsi/test_creds/crl_data/crls/b9322cac.r0 | 1 + .../tsi/test_creds/crl_data/crls/current.crl | 15 +++ .../test_creds/crl_data/crls/intermediate.crl | 11 ++ .../crl_data/crls_missing_intermediate/BUILD | 19 +++ .../crls_missing_intermediate/ab06acdd.r0 | 1 + .../crls_missing_intermediate/current.crl | 15 +++ .../crl_data/crls_missing_root/BUILD | 19 +++ .../crl_data/crls_missing_root/b9322cac.r0 | 1 + .../crls_missing_root/intermediate.crl | 11 ++ test/core/tsi/test_creds/crl_data/current.crl | 23 ++-- .../tsi/test_creds/crl_data/demoCA/crlnumber | 2 +- .../tsi/test_creds/crl_data/demoCA/index.txt | 3 + .../tsi/test_creds/crl_data/intermediate.cnf | 38 ++++++ .../test_creds/crl_data/intermediate_ca.key | 28 ++++ .../test_creds/crl_data/intermediate_ca.pem | 23 ++++ .../test_creds/crl_data/intermediate_gen.sh | 73 +++++++++++ .../crl_data/leaf_and_intermediate_chain.pem | 43 +++++++ .../crl_data/leaf_signed_by_intermediate.cnf | 12 ++ .../crl_data/leaf_signed_by_intermediate.key | 28 ++++ .../crl_data/leaf_signed_by_intermediate.pem | 20 +++ test/cpp/client/credentials_test.cc | 2 +- test/cpp/server/credentials_test.cc | 2 +- 32 files changed, 530 insertions(+), 32 deletions(-) delete mode 120000 test/core/tsi/test_creds/crl_data/8e36c2fd.0 delete mode 120000 test/core/tsi/test_creds/crl_data/ab06acdd.0 delete mode 120000 test/core/tsi/test_creds/crl_data/baf02741.0 create mode 100644 test/core/tsi/test_creds/crl_data/crls/BUILD rename test/core/tsi/test_creds/crl_data/{ => 
crls}/ab06acdd.r0 (100%) create mode 120000 test/core/tsi/test_creds/crl_data/crls/b9322cac.r0 create mode 100644 test/core/tsi/test_creds/crl_data/crls/current.crl create mode 100644 test/core/tsi/test_creds/crl_data/crls/intermediate.crl create mode 100644 test/core/tsi/test_creds/crl_data/crls_missing_intermediate/BUILD create mode 120000 test/core/tsi/test_creds/crl_data/crls_missing_intermediate/ab06acdd.r0 create mode 100644 test/core/tsi/test_creds/crl_data/crls_missing_intermediate/current.crl create mode 100644 test/core/tsi/test_creds/crl_data/crls_missing_root/BUILD create mode 120000 test/core/tsi/test_creds/crl_data/crls_missing_root/b9322cac.r0 create mode 100644 test/core/tsi/test_creds/crl_data/crls_missing_root/intermediate.crl create mode 100644 test/core/tsi/test_creds/crl_data/intermediate.cnf create mode 100644 test/core/tsi/test_creds/crl_data/intermediate_ca.key create mode 100644 test/core/tsi/test_creds/crl_data/intermediate_ca.pem create mode 100644 test/core/tsi/test_creds/crl_data/intermediate_gen.sh create mode 100644 test/core/tsi/test_creds/crl_data/leaf_and_intermediate_chain.pem create mode 100644 test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.cnf create mode 100644 test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.key create mode 100644 test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.pem diff --git a/src/core/tsi/ssl_transport_security.cc b/src/core/tsi/ssl_transport_security.cc index b1cca2fd991..7162fb414cc 100644 --- a/src/core/tsi/ssl_transport_security.cc +++ b/src/core/tsi/ssl_transport_security.cc 
@@ -2060,7 +2060,8 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
 gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
 } else {
 X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_VERIFY_PARAM_set_flags(
+ param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
 gpr_log(GPR_INFO, "enabled client side CRL checking.");
 }
 }
@@ -2244,7 +2245,8 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
 gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
 } else {
 X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+ X509_VERIFY_PARAM_set_flags(
+ param, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
 gpr_log(GPR_INFO, "enabled server CRL checking.");
 }
 }
diff --git a/test/core/tsi/BUILD b/test/core/tsi/BUILD
index 250f9ce7fa1..ee63a43f141 100644
--- a/test/core/tsi/BUILD
+++ b/test/core/tsi/BUILD
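Review bot: The new flag combination changes what a missing CRL means and deserves a comment on the `X509_VERIFY_PARAM_set_flags` call: with `X509_V_FLAG_CRL_CHECK_ALL` OpenSSL looks for a CRL for every issuing CA in the chain, and a CA without one fails verification with `X509_V_ERR_UNABLE_TO_GET_CRL` unless the store's verify callback tolerates that error (the test comment in the -185 hunk implies the verifier does). I'd add `// CRL_CHECK_ALL also checks every issuing CA; a CA with no CRL in the directory yields X509_V_ERR_UNABLE_TO_GET_CRL, which the verify callback must decide how to handle.` above the call, and the same in the server hunk at -2244, which sets the identical flags. The two call sites could share a small helper so the flag set cannot drift apart. The visible `else` also means that when loading the CRL directory fails, CRL checking is silently left off after one error log; that is pre-existing, but worth stating in the same comment since the flag now governs the whole chain. Both enclosing factory functions start and end outside the hunk.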
@@ -105,12 +105,20 @@ grpc_cc_test(
 name = "crl_ssl_transport_security_test",
 srcs = ["crl_ssl_transport_security_test.cc"],
 data = [
- "//test/core/tsi/test_creds/crl_data:ab06acdd.r0",
 "//test/core/tsi/test_creds/crl_data:ca.pem",
+ "//test/core/tsi/test_creds/crl_data:intermediate_ca.key",
+ "//test/core/tsi/test_creds/crl_data:intermediate_ca.pem",
+ "//test/core/tsi/test_creds/crl_data:leaf_and_intermediate_chain.pem",
+ "//test/core/tsi/test_creds/crl_data:leaf_signed_by_intermediate.key",
+ "//test/core/tsi/test_creds/crl_data:leaf_signed_by_intermediate.pem",
 "//test/core/tsi/test_creds/crl_data:revoked.key",
 "//test/core/tsi/test_creds/crl_data:revoked.pem",
 "//test/core/tsi/test_creds/crl_data:valid.key",
 "//test/core/tsi/test_creds/crl_data:valid.pem",
+ "//test/core/tsi/test_creds/crl_data/crls:ab06acdd.r0",
+ "//test/core/tsi/test_creds/crl_data/crls:b9322cac.r0",
+ "//test/core/tsi/test_creds/crl_data/crls_missing_intermediate:ab06acdd.r0",
+ "//test/core/tsi/test_creds/crl_data/crls_missing_root:b9322cac.r0",
 ],
 external_deps = [
 "gtest",
diff --git a/test/core/tsi/crl_ssl_transport_security_test.cc b/test/core/tsi/crl_ssl_transport_security_test.cc
index fbb00d4a96e..bb7e4e938aa 100644
--- a/test/core/tsi/crl_ssl_transport_security_test.cc
+++ b/test/core/tsi/crl_ssl_transport_security_test.cc
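Review bot: `intermediate_ca.key` and `intermediate_ca.pem` are added to `data`, but as far as the test hunks in this commit show, `crl_ssl_transport_security_test.cc` only loads `leaf_signed_by_intermediate.key`, `leaf_and_intermediate_chain.pem`, `ca.pem` and the CRL directories. If nothing reads them, drop those two entries; shipping an unused CA private key into the test runfiles only adds a dependency to keep in sync. If the test does read them somewhere not in this diff, a comment next to the entries saying where would help the next reader.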
@@ -42,8 +42,15 @@ namespace { const int kSslTsiTestRevokedKeyCertPairsNum = 1; const int kSslTsiTestValidKeyCertPairsNum = 1; +const int kSslTsiTestRevokedIntermedidateKeyCertPairsNum = 1; const char* kSslTsiTestCrlSupportedCredentialsDir = "test/core/tsi/test_creds/crl_data/"; +const char* kSslTsiTestCrlSupportedCrlDir = + "test/core/tsi/test_creds/crl_data/crls/"; +const char* kSslTsiTestCrlSupportedCrlDirMissingIntermediate = + "test/core/tsi/test_creds/crl_data/crls_missing_intermediate/"; +const char* kSslTsiTestCrlSupportedCrlDirMissingRoot = + "test/core/tsi/test_creds/crl_data/crls_missing_root/"; const char* kSslTsiTestFaultyCrlsDir = "bad_path/"; class CrlSslTransportSecurityTest @@ -57,9 +64,17 @@ class CrlSslTransportSecurityTest static SslTsiTestFixture* Create(bool use_revoked_server_cert, bool use_revoked_client_cert, bool use_faulty_crl_directory) { - return new SslTsiTestFixture(use_revoked_server_cert, - use_revoked_client_cert, - use_faulty_crl_directory); + return new SslTsiTestFixture( + use_revoked_server_cert, use_revoked_client_cert, + use_faulty_crl_directory, false, false, false); + } + + static SslTsiTestFixture* CreateWithIntermediate( + bool use_revoked_intermediate, bool use_missing_intermediate_crl, + bool use_missing_root_crl) { + return new SslTsiTestFixture( + false, false, false, use_revoked_intermediate, + use_missing_intermediate_crl, use_missing_root_crl); } void Run() { 
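Review bot: The new constant `kSslTsiTestRevokedIntermedidateKeyCertPairsNum` misspells "Intermediate" ("Intermedidate"), and the typo is then repeated at each use in the hunks at -92, -107 and -144. Renaming it to `kSslTsiTestRevokedIntermediateKeyCertPairsNum` before merge avoids a name that every grep for "Intermediate" misses. A one-line comment above the three new `kSslTsiTestCrlSupportedCrlDir*` strings saying which CRLs each directory holds, `// crls/: root + intermediate CRLs; crls_missing_intermediate/: root CRL only; crls_missing_root/: intermediate CRL only`, would spare the reader a trip to the test data (the contents follow from the BUILD data entries and the symlink targets added in this commit).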
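Review bot: `Create` and `CreateWithIntermediate` now pass three bare `false` literals each into a six-`bool` constructor, so the call sites no longer say which flag is which. Annotating them the way the new tests do, e.g. `use_faulty_crl_directory, /*use_revoked_intermediate=*/false, /*use_missing_intermediate_crl=*/false, /*use_missing_root_crl=*/false);`, keeps the meaning readable; a small options struct would be the longer-term fix if more scenarios are added. The class body continues past the hunk.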
@@ -70,10 +85,16 @@ class CrlSslTransportSecurityTest private: SslTsiTestFixture(bool use_revoked_server_cert, bool use_revoked_client_cert, - bool use_faulty_crl_directory) + bool use_faulty_crl_directory, + bool use_revoked_intermediate, + bool use_missing_intermediate_crl, + bool use_missing_root_crl) : use_revoked_server_cert_(use_revoked_server_cert), use_revoked_client_cert_(use_revoked_client_cert), - use_faulty_crl_directory_(use_faulty_crl_directory) { + use_faulty_crl_directory_(use_faulty_crl_directory), + use_revoked_intermediate_(use_revoked_intermediate), + use_missing_intermediate_crl_(use_missing_intermediate_crl), + use_missing_root_crl_(use_missing_root_crl) { tsi_test_fixture_init(&base_); base_.test_unused_bytes = true; base_.vtable = &kVtable; @@ -92,6 +113,16 @@ class CrlSslTransportSecurityTest absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.key")); valid_pem_key_cert_pairs_[0].cert_chain = LoadFile( absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "valid.pem")); + revoked_intermediate_pem_key_cert_pairs_ = + static_cast( + gpr_malloc(sizeof(tsi_ssl_pem_key_cert_pair) * + kSslTsiTestRevokedIntermedidateKeyCertPairsNum)); + revoked_intermediate_pem_key_cert_pairs_[0].private_key = + LoadFile(absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, + "leaf_signed_by_intermediate.key")); + revoked_intermediate_pem_key_cert_pairs_[0].cert_chain = + LoadFile(absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, + "leaf_and_intermediate_chain.pem")); root_cert_ = LoadFile( absl::StrCat(kSslTsiTestCrlSupportedCredentialsDir, "ca.pem")); root_store_ = tsi_ssl_root_certs_store_create(root_cert_); 
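Review bot: The constructor accepts `use_missing_intermediate_crl` and `use_missing_root_crl` together, but the directory selection in the later hunks (-130 client, -144 server) silently lets the missing-intermediate case win when both are true, so a mis-written test would exercise the wrong scenario without noticing. A guard in the constructor body, `GPR_ASSERT(!(use_missing_intermediate_crl && use_missing_root_crl));`, makes the exclusivity explicit. The same consideration applies to `use_faulty_crl_directory` versus the two missing-CRL flags on the client side. The constructor body continues outside the hunk.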
@@ -107,6 +138,11 @@ class CrlSslTransportSecurityTest PemKeyCertPairDestroy(revoked_pem_key_cert_pairs_[i]); } gpr_free(revoked_pem_key_cert_pairs_); + for (size_t i = 0; i < kSslTsiTestRevokedIntermedidateKeyCertPairsNum; + i++) { + PemKeyCertPairDestroy(revoked_intermediate_pem_key_cert_pairs_[i]); + } + gpr_free(revoked_intermediate_pem_key_cert_pairs_); gpr_free(root_cert_); tsi_ssl_root_certs_store_destroy(root_store_); tsi_ssl_server_handshaker_factory_unref(server_handshaker_factory_); @@ -130,8 +166,13 @@ class CrlSslTransportSecurityTest } if (use_faulty_crl_directory_) { client_options.crl_directory = kSslTsiTestFaultyCrlsDir; + } else if (use_missing_intermediate_crl_) { + client_options.crl_directory = + kSslTsiTestCrlSupportedCrlDirMissingIntermediate; + } else if (use_missing_root_crl_) { + client_options.crl_directory = kSslTsiTestCrlSupportedCrlDirMissingRoot; } else { - client_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir; + client_options.crl_directory = kSslTsiTestCrlSupportedCrlDir; } client_options.root_store = root_store_; client_options.min_tls_version = GetParam(); 
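Review bot: The client ladder here honours `use_faulty_crl_directory_` first, while the server-side ladder in the -144 hunk has no faulty branch and always gets a real CRL directory; that asymmetry looks deliberate, but nothing in the code says so. A comment before the client `if`, `// Only the client ever points at the faulty directory; the server always gets a real one so that failures in that test come from the client's CRL setup.`, would stop someone "fixing" the server side to match. The enclosing function starts and ends outside the hunk.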
@@ -144,12 +185,24 @@ class CrlSslTransportSecurityTest if (use_revoked_server_cert_) { server_options.pem_key_cert_pairs = revoked_pem_key_cert_pairs_; server_options.num_key_cert_pairs = kSslTsiTestRevokedKeyCertPairsNum; - } else { + } else if (!use_revoked_intermediate_) { server_options.pem_key_cert_pairs = valid_pem_key_cert_pairs_; server_options.num_key_cert_pairs = kSslTsiTestValidKeyCertPairsNum; + } else { + server_options.pem_key_cert_pairs = + revoked_intermediate_pem_key_cert_pairs_; + server_options.num_key_cert_pairs = + kSslTsiTestRevokedIntermedidateKeyCertPairsNum; } server_options.pem_client_root_certs = root_cert_; - server_options.crl_directory = kSslTsiTestCrlSupportedCredentialsDir; + if (use_missing_intermediate_crl_) { + server_options.crl_directory = + kSslTsiTestCrlSupportedCrlDirMissingIntermediate; + } else if (use_missing_root_crl_) { + server_options.crl_directory = kSslTsiTestCrlSupportedCrlDirMissingRoot; + } else { + server_options.crl_directory = kSslTsiTestCrlSupportedCrlDir; + } server_options.client_certificate_request = TSI_REQUEST_AND_REQUIRE_CLIENT_CERTIFICATE_AND_VERIFY; server_options.session_ticket_key = nullptr; 
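Review bot: The new branch order in the key/cert selection reads backwards: `} else if (!use_revoked_intermediate_) {` picks the valid pair and the trailing `else` picks the revoked-intermediate pair, so the reader has to negate twice. Flipping it to `} else if (use_revoked_intermediate_) {` with the intermediate pair in that branch and the valid pair in the trailing `else` says the same thing directly. The server CRL-directory ladder below duplicates the client one from the previous hunk minus the faulty case; if that difference is intended, a short comment saying so would help. The enclosing function continues outside the hunk.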
@@ -185,12 +238,27 @@ class CrlSslTransportSecurityTest // For OpenSSL versions < 1.1, TLS 1.3 is not supported, so the // client-side handshake should succeed precisely when the server-side // handshake succeeds. + // + // For the intermediate cases, we have a CA -> Intermediate CA -> Leaf + // Cert chain in which the Intermediate CA cert is revoked by the CA. We + // test 3 cases. Note: A CRL not existing should not make the handshake + // fail + // 1. CRL Directory with CA's CRL and Intermediate CA's CRL -> Handshake + // fails due to revoked cert + // 2. CRL Directory with CA's CRL but missing Intermediate CA's CRL -> + // Handshake fails due to revoked cert + // 3. CRL Directory without CA's CRL with but Intermediate CA's CRL -> + // Handshake succeeds because the CRL that revokes the cert is not + // present. bool expect_server_success = - !(use_revoked_server_cert_ || use_revoked_client_cert_); + !(use_revoked_server_cert_ || use_revoked_client_cert_ || + (use_revoked_intermediate_ & !use_missing_root_crl_)); #if OPENSSL_VERSION_NUMBER >= 0x10100000 - bool expect_client_success = GetParam() == tsi_tls_version::TSI_TLS1_2 - ? expect_server_success - : !use_revoked_server_cert_; + bool expect_client_success = + GetParam() == tsi_tls_version::TSI_TLS1_2 + ? expect_server_success + : !(use_revoked_server_cert_ || + (use_revoked_intermediate_ & !use_missing_root_crl_)); #else // If using OpenSSL version < 1.1, the CRL revocation won't be enabled // anyways, so we always expect the connection to be successful. 
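Review bot: `use_revoked_intermediate_ & !use_missing_root_crl_` uses bitwise `&` on two `bool`s in both the server and client expectations; it happens to work because both operands are already `bool`, but it is the wrong operator for a logical condition and is the kind of expression compiler diagnostics flag. Write `(use_revoked_intermediate_ && !use_missing_root_crl_)` in both places, or hoist it into one named local such as `bool expect_intermediate_revocation = use_revoked_intermediate_ && !use_missing_root_crl_;` used by both. The new comment block has a stray "with but" in case 3 and could state what case 3 relies on, namely that the verifier tolerates a CA whose CRL is absent rather than treating it as a failure. The enclosing function starts and ends outside the hunk.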
@@ -241,10 +309,14 @@ class CrlSslTransportSecurityTest bool use_revoked_server_cert_; bool use_revoked_client_cert_; bool use_faulty_crl_directory_; + bool use_revoked_intermediate_; + bool use_missing_intermediate_crl_; + bool use_missing_root_crl_; char* root_cert_; tsi_ssl_root_certs_store* root_store_; tsi_ssl_pem_key_cert_pair* revoked_pem_key_cert_pairs_; tsi_ssl_pem_key_cert_pair* valid_pem_key_cert_pairs_; + tsi_ssl_pem_key_cert_pair* revoked_intermediate_pem_key_cert_pairs_; tsi_ssl_server_handshaker_factory* server_handshaker_factory_; tsi_ssl_client_handshaker_factory* client_handshaker_factory_; }; @@ -284,6 +356,31 @@ TEST_P(CrlSslTransportSecurityTest, UseFaultyCrlDirectory) { fixture->Run(); } +TEST_P(CrlSslTransportSecurityTest, UseRevokedIntermediate) { + auto* fixture = SslTsiTestFixture::CreateWithIntermediate( + /*use_revoked_intermediate=*/true, + /*use_missing_intermediate_crl=*/false, + /*use_missing_root_crl=*/false); + fixture->Run(); +} + +TEST_P(CrlSslTransportSecurityTest, + UseRevokedIntermediateWithMissingIntermediateCrl) { + auto* fixture = SslTsiTestFixture::CreateWithIntermediate( + /*use_revoked_intermediate=*/true, + /*use_missing_intermediate_crl=*/true, + /*use_missing_root_crl=*/false); + fixture->Run(); +} + +TEST_P(CrlSslTransportSecurityTest, UseRevokedIntermediateWithMissingRootCrl) { + auto* fixture = SslTsiTestFixture::CreateWithIntermediate( + /*use_revoked_intermediate=*/true, + /*use_missing_intermediate_crl=*/false, + /*use_missing_root_crl=*/true); + fixture->Run(); +} + std::string TestNameSuffix( const ::testing::TestParamInfo& version) { if (version.param == tsi_tls_version::TSI_TLS1_2) return "TLS_1_2"; diff --git a/test/core/tsi/test_creds/crl_data/8e36c2fd.0 b/test/core/tsi/test_creds/crl_data/8e36c2fd.0 deleted file mode 120000 index c4afefdebe4..00000000000 --- a/test/core/tsi/test_creds/crl_data/8e36c2fd.0 +++ /dev/null @@ -1 +0,0 @@ -valid.pem \ No newline at end of file 
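Review bot: The three new tests all run with `use_revoked_intermediate=true`, so the suite has no positive case for a chain whose intermediate is present in the CRL directory but not revoked. Under `X509_V_FLAG_CRL_CHECK_ALL` that is the case most likely to regress (for example if an intermediate's CRL fails to load), and with the current fixture `CreateWithIntermediate(false, ...)` falls back to `valid_pem_key_cert_pairs_` rather than the chain, so covering it needs a non-revoked intermediate chain in the test data plus a flag to select it. A `// TODO: add a non-revoked intermediate chain case` next to these tests would keep that gap visible until the data exists.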
diff --git a/test/core/tsi/test_creds/crl_data/BUILD b/test/core/tsi/test_creds/crl_data/BUILD index a2a5cfe89cb..ae3e58f7f72 100644 --- a/test/core/tsi/test_creds/crl_data/BUILD +++ b/test/core/tsi/test_creds/crl_data/BUILD @@ -20,5 +20,9 @@ exports_files([ "revoked.pem", "valid.key", "valid.pem", - "ab06acdd.r0", + "leaf_signed_by_intermediate.key", + "leaf_signed_by_intermediate.pem", + "leaf_and_intermediate_chain.pem", + "intermediate_ca.key", + "intermediate_ca.pem", ]) diff --git a/test/core/tsi/test_creds/crl_data/README b/test/core/tsi/test_creds/crl_data/README index e8b99803766..80f3568e95a 100644 --- a/test/core/tsi/test_creds/crl_data/README +++ b/test/core/tsi/test_creds/crl_data/README @@ -41,6 +41,12 @@ Generate the CRL file: $ openssl ca -gencrl -out current.crl -keyfile ca.key -cert ca.pem -crldays 3650 $ openssl rehash ./ +Generate a chain with a leaf cert signed by an intermediate CA and revoke the intermediate certificate +---------------------------------------------------------------------------- + +Run `intermediate_gen.sh` from the `test/core/tsi/test_creds/crl_data` directory + + Clean up: --------- $ rm *.rsa diff --git a/test/core/tsi/test_creds/crl_data/ab06acdd.0 b/test/core/tsi/test_creds/crl_data/ab06acdd.0 deleted file mode 120000 index e375f5ab0d5..00000000000 --- a/test/core/tsi/test_creds/crl_data/ab06acdd.0 +++ /dev/null @@ -1 +0,0 @@ -ca.pem \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/baf02741.0 b/test/core/tsi/test_creds/crl_data/baf02741.0 deleted file mode 120000 index 6b2cd064e1e..00000000000 --- a/test/core/tsi/test_creds/crl_data/baf02741.0 +++ /dev/null @@ -1 +0,0 @@ -revoked.pem \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/crls/BUILD b/test/core/tsi/test_creds/crl_data/crls/BUILD new file mode 100644 index 00000000000..911cfaa1e13 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls/BUILD 
@@ -0,0 +1,20 @@ +# Copyright 2021 gRPC authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +licenses(["notice"]) + +exports_files([ + "ab06acdd.r0", + "b9322cac.r0", +]) diff --git a/test/core/tsi/test_creds/crl_data/ab06acdd.r0 b/test/core/tsi/test_creds/crl_data/crls/ab06acdd.r0 similarity index 100% rename from test/core/tsi/test_creds/crl_data/ab06acdd.r0 rename to test/core/tsi/test_creds/crl_data/crls/ab06acdd.r0 diff --git a/test/core/tsi/test_creds/crl_data/crls/b9322cac.r0 b/test/core/tsi/test_creds/crl_data/crls/b9322cac.r0 new file mode 120000 index 00000000000..c3ea7e55948 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls/b9322cac.r0 @@ -0,0 +1 @@ +intermediate.crl \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/crls/current.crl b/test/core/tsi/test_creds/crl_data/crls/current.crl new file mode 100644 index 00000000000..92855e11816 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls/current.crl 
@@ -0,0 +1,15 @@ +-----BEGIN X509 CRL----- +MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV +BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 +ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa +MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM +yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 +PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB +Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD +ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 +VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu +0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 +GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 +LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH +DjrJtp10F0RGMRm6m9OuZYUSFzs= +-----END X509 CRL----- diff --git a/test/core/tsi/test_creds/crl_data/crls/intermediate.crl b/test/core/tsi/test_creds/crl_data/crls/intermediate.crl new file mode 100644 index 00000000000..f5a3c13a243 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls/intermediate.crl @@ -0,0 +1,11 @@ +-----BEGIN X509 CRL----- +MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBxpbnRlcm1lZGlh +dGVjZXJ0LmV4YW1wbGUuY29tFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa +oDAwLjAfBgNVHSMEGDAWgBQntaYTZK7gR27u8WK7r/uIsnctozALBgNVHRQEBAIC +EAAwDQYJKoZIhvcNAQELBQADggEBAFrJtN/19+NMpZxNkm3FrJpcCNIRtyE/oVo/ +Hympoe7BJjvaCVd5R0xBye+18X2woBMC4/ejTAI/6UF7FuFf6VakGJjEcg5A6616 +DDEaAvyWzX85Gv+ZF4ahYFNSrJtNZtHwT9ws0vgveeLFRJX8eYiPzVUAwKunh8n1 +Q9AefCUjspcXlCd6L5mI3BILeIxgBW+2/njtQsFZGp/gqsyjsHA/FGOXrRhhwH7y +BJSvFFrrQMKasgZBJ9f4ZN85//H397erNYenDPximpSg99IP84eODuO4opZaKiTk +CUKMjLTM5lUvLVmM/Qr3IsmzphGqHHzwkgfHVPl7xCRoBx2hzPU= +-----END X509 CRL----- diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/BUILD b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/BUILD new file mode 100644 index 00000000000..523b61beb23 
--- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/BUILD @@ -0,0 +1,19 @@ +# Copyright 2021 gRPC authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +licenses(["notice"]) + +exports_files([ + "ab06acdd.r0", +]) diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/ab06acdd.r0 b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/ab06acdd.r0 new file mode 120000 index 00000000000..2cf6617a426 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/ab06acdd.r0 @@ -0,0 +1 @@ +current.crl \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/current.crl b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/current.crl new file mode 100644 index 00000000000..92855e11816 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_intermediate/current.crl 
@@ -0,0 +1,15 @@ +-----BEGIN X509 CRL----- +MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV +BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 +ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa +MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM +yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 +PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB +Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD +ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 +VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu +0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 +GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 +LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH +DjrJtp10F0RGMRm6m9OuZYUSFzs= +-----END X509 CRL----- diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_root/BUILD b/test/core/tsi/test_creds/crl_data/crls_missing_root/BUILD new file mode 100644 index 00000000000..8f234b585c2 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_root/BUILD @@ -0,0 +1,19 @@ +# Copyright 2021 gRPC authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +licenses(["notice"]) + +exports_files([ + "b9322cac.r0", +]) 
diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_root/b9322cac.r0 b/test/core/tsi/test_creds/crl_data/crls_missing_root/b9322cac.r0 new file mode 120000 index 00000000000..c3ea7e55948 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_root/b9322cac.r0 @@ -0,0 +1 @@ +intermediate.crl \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/crls_missing_root/intermediate.crl b/test/core/tsi/test_creds/crl_data/crls_missing_root/intermediate.crl new file mode 100644 index 00000000000..f5a3c13a243 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/crls_missing_root/intermediate.crl @@ -0,0 +1,11 @@ +-----BEGIN X509 CRL----- +MIIBojCBiwIBATANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBxpbnRlcm1lZGlh +dGVjZXJ0LmV4YW1wbGUuY29tFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa +oDAwLjAfBgNVHSMEGDAWgBQntaYTZK7gR27u8WK7r/uIsnctozALBgNVHRQEBAIC +EAAwDQYJKoZIhvcNAQELBQADggEBAFrJtN/19+NMpZxNkm3FrJpcCNIRtyE/oVo/ +Hympoe7BJjvaCVd5R0xBye+18X2woBMC4/ejTAI/6UF7FuFf6VakGJjEcg5A6616 +DDEaAvyWzX85Gv+ZF4ahYFNSrJtNZtHwT9ws0vgveeLFRJX8eYiPzVUAwKunh8n1 +Q9AefCUjspcXlCd6L5mI3BILeIxgBW+2/njtQsFZGp/gqsyjsHA/FGOXrRhhwH7y +BJSvFFrrQMKasgZBJ9f4ZN85//H397erNYenDPximpSg99IP84eODuO4opZaKiTk +CUKMjLTM5lUvLVmM/Qr3IsmzphGqHHzwkgfHVPl7xCRoBx2hzPU= +-----END X509 CRL----- diff --git a/test/core/tsi/test_creds/crl_data/current.crl b/test/core/tsi/test_creds/crl_data/current.crl index c07da6391c4..92855e11816 100644 --- a/test/core/tsi/test_creds/crl_data/current.crl +++ b/test/core/tsi/test_creds/crl_data/current.crl 
@@ -1,12 +1,15 @@ -----BEGIN X509 CRL----- -MIIB2TCBwgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJBVTETMBEGA1UE -CAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk -MQ8wDQYDVQQDDAZ0ZXN0Y2EXDTIyMDIwNDIyMTI1MFoXDTMyMDIwMjIyMTI1MFow -JzAlAhRSILpknGPXIWdLvLVIY7DlId/IQRcNMjIwMjA0MjIxMTExWqAPMA0wCwYD -VR0UBAQCAhABMA0GCSqGSIb3DQEBCwUAA4IBAQAZXNfxSjT/EZDTGV71eE0jKKsg -Ur8TNkRGypZXbV8cQ+YFlqt2Zp+dsWEP2FLsc048QGVe4sRuJrPOm7eSmvgZUHSX -l1yI2T6si1wxhX2DKIKDZGWWYx6rOyocL9EjhxZjLSeJ43eLxzD6TnGE29cbDLXv -bs9slsGyc+UZaD9KY9RpeJjQEV0Yh7+iwIG3PBVKNSFR2R2m8XK+Ioc5Z7zsWwZu -7gCZ/CW/07/SXfFxM6Q8XTRFStIjqb3cuwivc+ig/X+RbpxDygy0SQA/oJXuABIh -0y4+YxRUQauODK4vxLPeC1m7tHyh1poVY/jnp3tAn3ax6uFbwDz1wbNtTOeT +MIICUDCCATgCAQEwDQYJKoZIhvcNAQELBQAwVjELMAkGA1UEBhMCQVUxEzARBgNV +BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0 +ZDEPMA0GA1UEAwwGdGVzdGNhFw0yMzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNa +MIGcMCUCFEpMyQOrk+uXDu20PhHwDJeua83mFw0yMzAzMDMxNjU5NTNaMCUCFEpM +yQOrk+uXDu20PhHwDJeua83nFw0yMzAzMDMxNzMxNDBaMCUCFEpMyQOrk+uXDu20 +PhHwDJeua83xFw0yMzAzMDMxODA2NDNaMCUCFFIgumScY9chZ0u8tUhjsOUh38hB +Fw0yMjAyMDQyMjExMTFaoA8wDTALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQAD +ggEBADohIZwm/gWLIc2yFJJbKzkdRmOq1s/MqnJxi5NutNumXTIPrZJqGzk8O4U6 +VasicIB2YD0o3arzUxCDyHv7VyJI7SVS0lqlmOxoOEOv2+CB6MxAOdKItkzbVVxu +0erx5HcKAGa7ZIAeekX1F1DcAgpN5Gt5uGhkMw3ObTCpEFRw+ZKET3WFQ6bG4AJ6 +GwOnNYG1LjaNigxG/k4K7A+grs/XnsNcpULbCROl7Qw4kyf1esrjS9utEO0YQQz4 +LgBTPZzQHlsirmxp+e5WR8LiDsKmbmAaBL+gV1Bkjj73c4pNJvoV/V1Ubdv0LCvH +DjrJtp10F0RGMRm6m9OuZYUSFzs= -----END X509 CRL----- diff --git a/test/core/tsi/test_creds/crl_data/demoCA/crlnumber b/test/core/tsi/test_creds/crl_data/demoCA/crlnumber index 7d802a3e710..6cb3869343b 100644 --- a/test/core/tsi/test_creds/crl_data/demoCA/crlnumber +++ b/test/core/tsi/test_creds/crl_data/demoCA/crlnumber @@ -1 +1 @@ -1002 +1009 diff --git a/test/core/tsi/test_creds/crl_data/demoCA/index.txt b/test/core/tsi/test_creds/crl_data/demoCA/index.txt index 85cc59527ff..65d3ec88d1f 100644 
--- a/test/core/tsi/test_creds/crl_data/demoCA/index.txt +++ b/test/core/tsi/test_creds/crl_data/demoCA/index.txt @@ -1 +1,4 @@ R 311201211735Z 220204221111Z 5220BA649C63D721674BBCB54863B0E521DFC841 unknown /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=revoked +R 330228163732Z 230303165953Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDE6 unknown /CN=intermediatecert.example.com +R 330228173104Z 230303173140Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDE7 unknown /CN=intermediatecert.example.com +R 330228180643Z 230303180643Z 4A4CC903AB93EB970EEDB43E11F00C97AE6BCDF1 unknown /CN=intermediatecert.example.com diff --git a/test/core/tsi/test_creds/crl_data/intermediate.cnf b/test/core/tsi/test_creds/crl_data/intermediate.cnf new file mode 100644 index 00000000000..e23546143f7 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/intermediate.cnf @@ -0,0 +1,38 @@ +[ca] +default_ca = CA_intermediate + +[CA_intermediate] +dir = . +certs = $dir/certs +crl_dir = $dir/crl +new_certs_dir = $dir/newcerts +database = $dir/index.txt +serial = $dir/serial +RANDFILE = $dir/private/.rand +private_key = $dir/intermediate_ca.key +certificate = $dir/intermediate_ca.pem +crl = $dir/intermediate.crl + +# For certificate revocation lists. +crlnumber = $dir/crlnumber +crl = $dir/crl/intermediate.crl +crl_extensions = crl_ext +default_crl_days = 3650 + +default_md = sha256 + +[req] +distinguished_name = req_distinguished_name +req_extensions = v3_req +prompt = no + +[req_distinguished_name] +CN = intermediatecert.example.com + +[crl_ext] +authorityKeyIdentifier=keyid:always + +[v3_req] +keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign +extendedKeyUsage = clientAuth, serverAuth +basicConstraints = critical, CA:true \ No newline at end of file diff --git a/test/core/tsi/test_creds/crl_data/intermediate_ca.key b/test/core/tsi/test_creds/crl_data/intermediate_ca.key new file mode 100644 index 00000000000..cdfca379c77 --- /dev/null 
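Review bot: In `[CA_intermediate]` the `crl` key is set twice with different values (`$dir/intermediate.crl`, then `$dir/crl/intermediate.crl`), and `crl_dir = $dir/crl` names a directory that `intermediate_gen.sh` never creates; since the script passes `-out intermediate.crl` explicitly, both `crl` lines and `crl_dir` appear unused and should collapse to one consistent entry (keep `crl = $dir/intermediate.crl`, drop the other two) so that a later `openssl ca -gencrl` without `-out` does not write somewhere surprising. The `[v3_req]` block gives the intermediate CA `keyEncipherment` and an `extendedKeyUsage` of `clientAuth, serverAuth`, which a CA certificate does not need; `keyUsage = critical, keyCertSign, cRLSign` is the conventional minimum, though the EKU line appears harmless to the chain checks if something does depend on it. `basicConstraints = critical, CA:true` with no `pathlen` is fine for this fixture but worth a `# test-only intermediate CA` comment so nobody copies it as a template.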
+++ b/test/core/tsi/test_creds/crl_data/intermediate_ca.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRURiGLzjbPAG1 +VHMVEz7xF8/bHRnNAMIBodJlUWh28cfXvk2Le5XP8K/PXuHtWvEodcV6yL1ZDitp +Pv1iX9WywJ/moYjBIIzNHWt/TxWpinMtot9ppgGrG1Ae6dSLFDl/3ylXnbQ8pHq+ +CtkbkLvb1j0r9EHoA/qLq2r1qwfnVzVyOet76u0+anT22yQhVsxnTT/lVHcLbzX/ +AwYgycETKx9Ph1+oIr78Z0gIp/yy75G0yGvoZ/9vssCIKWy+ObuZVlPLlZ8gJAUh +JK+ytgImZ7GxDG8gXSFMDuJ217ZVgkYYND7pTSEzIQB72l4phZFvuG2iiNA0a3Q7 +Kxeu0S3xAgMBAAECggEALi1P1bpxNpxkXBaHVOzsA9AXAOXInVs/cZC7k7KD80mf +ps7K2Kyo/jjA8GSkPvLDJQPmTxIeA5mGpi9JQvyVblvkasLUIpcFuPJ2lp1h0AdF +JZo641nGIHNkF43KX+xUSwt2WWfnLUGz+lz2TIh/iR4YXKwEJiVKjqmAbTYQBk7m +xHLr1lpER7qUNRllxeV/oHWJT6Ak35yWG5rbtKRa4PliLkd/894jutKKvFVaxNwQ +ncAe+WV3EnGxgs6hedf/gO+K9GEnM913vfNQJfFin1pp0GdNzc2yhzc9jHRqMw84 +K8votcLA2ouGq8NB842naBhyQsUtfk+b+Ur81re4YQKBgQDhG2r5kDlVHuL7mAoe +XbN3r7vdHLc9duKT16d14iRuvGIW5G8HHH4cQuuYtB0JmAE+Tj9nuqEtYvaqQnyr +OX2uzaPp7eB9K/xQKSpneRV86WtroRZdx8PzFj/ayMQ5IhlaHpeVUALdtf/188dw +hjCZQpv5w/jjaHpfRkWs+YE6/QKBgQDuCuyLjgZTfjVIJvEgaEAKokywWlAEE19h +c3Fj2IOL03gzPRBftcho6eNGhyVvylD+1nZgVO+AbLCvUWTc2U9YCBfEaxLy6Eeo +BJDkO3D8fvD94FiwZryoi7BrcY5cPZ560BI5c7DqMJhTY3VPeDS6B+4gTwsoQ5Uc +BfK60UdTBQKBgQCZyyin/pAdBrAfIj3vhycBI3AfXeoXNS0RwumnUWyAt3Xwm/r7 +Cc1jM5lQx+V6034t+jm5fbl2j8Fki24vcWTb06UkQp/4BOAqSCWvcftrTvJUI0dr +pPrMDqxrpnThb9mQR4xat8JthVWtzPK6fwOfAfIcj3Zwr8XDZ/hceE6BZQKBgBlu +vVsjr3VYNKUi0/xcZws7z+m/nHDzCOvGg8ThKxzTWTJQQeGX8HOVGZ09bziEaybv +DvK34GbeNfplPduCtEF5i+CGeB3Px2giJMDdwPKZNXJKd+9Q6rMvSYgRN96PDtGc +TXYp8Cr1SjEOnUgCVc/SbRSynUSOA+5cjFR9a5tpAoGBANwrAUON/wCpRUU5JEnM +3w89v3/d7YJvce065FVybNdBjE6Xofh9slOO4GJ6AWIzfOVeqYfBR0J4IK2jCjtX +pCHk5GI3tCHuF3xaVct1m8tr4TpC5gxsOXlxHAUVQzMfQh2jvD0qAKm4isH2jGGk +sj3cvdQldHQSlTJl01Ex5EjS +-----END PRIVATE KEY----- diff --git a/test/core/tsi/test_creds/crl_data/intermediate_ca.pem b/test/core/tsi/test_creds/crl_data/intermediate_ca.pem new file mode 100644 index 00000000000..210b997aca2 --- /dev/null 
+++ b/test/core/tsi/test_creds/crl_data/intermediate_ca.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIUSkzJA6uT65cO7bQ+EfAMl65rzfEwDQYJKoZIhvcNAQEL +BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz +MDMwMzE4MDY0M1oXDTMzMDIyODE4MDY0M1owJzElMCMGA1UEAwwcaW50ZXJtZWRp +YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBANFRGIYvONs8AbVUcxUTPvEXz9sdGc0AwgGh0mVRaHbxx9e+TYt7lc/wr89e +4e1a8Sh1xXrIvVkOK2k+/WJf1bLAn+ahiMEgjM0da39PFamKcy2i32mmAasbUB7p +1IsUOX/fKVedtDyker4K2RuQu9vWPSv0QegD+ouravWrB+dXNXI563vq7T5qdPbb +JCFWzGdNP+VUdwtvNf8DBiDJwRMrH0+HX6givvxnSAin/LLvkbTIa+hn/2+ywIgp +bL45u5lWU8uVnyAkBSEkr7K2AiZnsbEMbyBdIUwO4nbXtlWCRhg0PulNITMhAHva +XimFkW+4baKI0DRrdDsrF67RLfECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAaYw +HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w +HQYDVR0OBBYEFCe1phNkruBHbu7xYruv+4iydy2jMHsGA1UdIwR0MHKhWqRYMFYx +CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl +cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUKnHtxUGUlsyz +9jW7POo/RqJKKTswDQYJKoZIhvcNAQELBQADggEBAHMB89zLQTZhvSBpCZpSFIBt +z0ebZk4APrEskCZRJ0coWglT7/RjJTEi8fVYfFUVbUXOwFIT4jvtlkcp1LUZDT5X +qazTRa7ECFzw1TrO+IJadVczKBTRFxlYOWgOTHTXZlU8QV53Vi+g7dbYrEYxu5TO +NUggqSoxUhl4901NdMGTSiKXeuye4EdHAKI9RYO6suxYMo9wctm/es3OFd5kjPlh +CqoUId3Lgc7Lb1xcfBSZ9n2dWcFDf32GPYYPlBbxuba0VVZlKZSd3yV36v4gKdSI +MjdluRpwdoyTcsLi6ysPduOfkWSbQJ3bbvpeTNiagn5o9oeF1DO5LDvVVo1RZ2A= +-----END CERTIFICATE----- diff --git a/test/core/tsi/test_creds/crl_data/intermediate_gen.sh b/test/core/tsi/test_creds/crl_data/intermediate_gen.sh new file mode 100644 index 00000000000..dd9fa2b0473 --- /dev/null +++ b/test/core/tsi/test_creds/crl_data/intermediate_gen.sh 
@@ -0,0 +1,73 @@
+#!/bin/bash
+# Copyright 2023 gRPC authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+# Meant to be run from test/core/tsi/test_creds/crl_data
+# Sets up an intermediate ca, generates certificates and crl files, then copies then up and deletes unnecessary files
+
+rm -rf intermediate_ca
+mkdir intermediate_ca
+cp intermediate.cnf intermediate_ca/
+cp leaf_signed_by_intermediate.cnf intermediate_ca/
+pushd intermediate_ca
+touch index.txt
+echo 1 > ./serial
+echo 1000 > ./crlnumber
+
+# Generating the intermediate CA
+openssl genrsa -out temp.rsa 2048
+openssl pkcs8 -topk8 -in temp.rsa -out intermediate_ca.key -nocrypt
+rm temp.rsa
+openssl req -key intermediate_ca.key -new -out temp.csr -config intermediate.cnf
+openssl x509 -req -days 3650 -in temp.csr -CA "../ca.pem" -CAkey "../ca.key" -CAcreateserial -out intermediate_ca.pem -extfile intermediate.cnf -extensions 'v3_req'
+
+# Generating the leaf and chain
+openssl genrsa -out temp.rsa 2048
+openssl pkcs8 -topk8 -in temp.rsa -out leaf_signed_by_intermediate.key -nocrypt
+openssl req -key leaf_signed_by_intermediate.key -new -out temp.csr -config leaf_signed_by_intermediate.cnf
+openssl x509 -req -days 3650 -in temp.csr -CA intermediate_ca.pem -CAkey intermediate_ca.key -CAcreateserial -out leaf_signed_by_intermediate.pem -extfile leaf_signed_by_intermediate.cnf -extensions 'v3_req'
+cat leaf_signed_by_intermediate.pem intermediate_ca.pem > leaf_and_intermediate_chain.pem
+
+# Generate empty CRL for the intermediate
+openssl ca -config=intermediate.cnf -gencrl -out intermediate.crl -keyfile intermediate_ca.key -cert intermediate_ca.pem -crldays 3650
+popd
+
+# Copy files up to the higher directory
+cp "./intermediate_ca/leaf_signed_by_intermediate.key" ./
+cp "./intermediate_ca/leaf_signed_by_intermediate.pem" ./
+cp "./intermediate_ca/leaf_and_intermediate_chain.pem" ./
+cp "./intermediate_ca/intermediate_ca.key" ./
+cp "./intermediate_ca/intermediate_ca.pem" ./
+
+# Revoke the intermediate
+openssl ca -revoke intermediate_ca.pem -keyfile ca.key -cert ca.pem -days 3650
+openssl ca -gencrl -out current.crl -keyfile ca.key -cert ca.pem -crldays 3650
+
+
+# Copy CRLs into their own directory and run rehash
+cp "./intermediate_ca/intermediate.crl" ./crls
+cp current.crl ./crls/
+openssl rehash ./crls/
+
+mkdir crls_missing_intermediate
+cp current.crl ./crls_missing_intermediate/
+openssl rehash ./crls_missing_intermediate/
+
+mkdir crls_missing_root
+cp intermediate.crl ./crls_missing_root/
+openssl rehash ./crls_missing_root/
+
+rm intermediate_ca
diff --git a/test/core/tsi/test_creds/crl_data/leaf_and_intermediate_chain.pem b/test/core/tsi/test_creds/crl_data/leaf_and_intermediate_chain.pem
new file mode 100644
index 00000000000..24f2bc3de51
--- /dev/null
+++ b/test/core/tsi/test_creds/crl_data/leaf_and_intermediate_chain.pem
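Review bot: `rm intermediate_ca` on the last line names a directory, so without `-r` it fails and, under the `set -e` at the top of the script, the run ends nonzero after all the real work is done; `rm -rf intermediate_ca`, the form the first step already uses, is what is meant. A few lines earlier, `cp intermediate.crl ./crls_missing_root/` reads `intermediate.crl` from the top-level directory, but the script only ever copies that file into `./crls` (`cp "./intermediate_ca/intermediate.crl" ./crls`), so on a clean run this `cp` fails unless a stale top-level copy happens to exist; `cp ./intermediate_ca/intermediate.crl ./crls_missing_root/` takes it from where it was generated. The `./crls` destination is also never created, unlike `crls_missing_intermediate` and `crls_missing_root`, so on a fresh checkout the first `cp` into it would produce a regular file named `crls` and `openssl rehash ./crls/` would fail; a `mkdir -p crls` before that copy keeps the three CRL directories consistent. Because the hashed `.r0` links written by `openssl rehash` are presumably what the tests resolve CRLs through, the script needs to run to completion for the checked-in directories to be reproducible.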
@@ -0,0 +1,43 @@ +-----BEGIN CERTIFICATE----- +MIIDUzCCAjugAwIBAgIUIkXUE1956T996LuTKMiv5nci6X0wDQYJKoZIhvcNAQEL +BQAwJzElMCMGA1UEAwwcaW50ZXJtZWRpYXRlY2VydC5leGFtcGxlLmNvbTAeFw0y +MzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNaMB8xHTAbBgNVBAMMFCoudGVzdC5n +b29nbGUuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2NNY +lYVfOBbDwRlBzw997mTck19zxCqEoqGDBE4p2zpSdo4D5fhp/o7f4T0S58EF95Q3 +6nsTruLlz0OBj1hsOYYUecOM8gYPYOh6Q4kEpS3G7Up36bdAXpsgdAWUgA5Zcsb7 +dvnZeGPymbmn1IySlo0/8TMnCcLJf3V0jUVvBZI/oawwAZd4Rpb1lh/kIxRqNiU5 +WFW7hZzjOnA1m5gmXJnDox0mLth7RLb9YQHmz5czxC+aBQ1e3iTc1BJ4ETPAvIwo +XH3UI47Zg/YFW8rZPym9qdSGydxw23g9XVawWXJUyBQz5e/iCPDFMHM//l3hBBLZ +jP+QRZUIiRpzISGitwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw +FAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCwG +luxpu/XDakGPtEnuIiW0rk/oMB8GA1UdIwQYMBaAFCe1phNkruBHbu7xYruv+4iy +dy2jMA0GCSqGSIb3DQEBCwUAA4IBAQBoUzdASVjpUN31jw4h3K5rWC2+CVhguyhb +BcFXNr73ySryPZwJDrCZINXMpjM+GGKrFKjC3hemlUpnTYiOgaHseN5NB3pZYJma +48DZzZ51wEI3vzmqOyjD0Eh2LytI+p87bJhBEwWR+okADWDB9vdZKiJi/7iHfvxs +NIasCagJgJ5XeMiTehRksKuQv3w8KhUzRCjy0wsTwjmrQw+8kMS0WnRC4EVA76IZ +HnLfoMGg/R1w/NrrAmQfx+W0qnJAvkQddqfEptITJbqoOfFASgngVBhHnogOLod/ +es3Tbls2qrJg0GnMScJYHJAvlp6Lke6a8kf8jyT+yN2opWVll1tK +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIID6zCCAtOgAwIBAgIUSkzJA6uT65cO7bQ+EfAMl65rzfEwDQYJKoZIhvcNAQEL +BQAwVjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEPMA0GA1UEAwwGdGVzdGNhMB4XDTIz +MDMwMzE4MDY0M1oXDTMzMDIyODE4MDY0M1owJzElMCMGA1UEAwwcaW50ZXJtZWRp +YXRlY2VydC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBANFRGIYvONs8AbVUcxUTPvEXz9sdGc0AwgGh0mVRaHbxx9e+TYt7lc/wr89e +4e1a8Sh1xXrIvVkOK2k+/WJf1bLAn+ahiMEgjM0da39PFamKcy2i32mmAasbUB7p +1IsUOX/fKVedtDyker4K2RuQu9vWPSv0QegD+ouravWrB+dXNXI563vq7T5qdPbb +JCFWzGdNP+VUdwtvNf8DBiDJwRMrH0+HX6givvxnSAin/LLvkbTIa+hn/2+ywIgp +bL45u5lWU8uVnyAkBSEkr7K2AiZnsbEMbyBdIUwO4nbXtlWCRhg0PulNITMhAHva 
+XimFkW+4baKI0DRrdDsrF67RLfECAwEAAaOB3zCB3DAOBgNVHQ8BAf8EBAMCAaYw
+HQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8w
+HQYDVR0OBBYEFCe1phNkruBHbu7xYruv+4iydy2jMHsGA1UdIwR0MHKhWqRYMFYx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnRlc3RjYYIUKnHtxUGUlsyz
+9jW7POo/RqJKKTswDQYJKoZIhvcNAQELBQADggEBAHMB89zLQTZhvSBpCZpSFIBt
+z0ebZk4APrEskCZRJ0coWglT7/RjJTEi8fVYfFUVbUXOwFIT4jvtlkcp1LUZDT5X
+qazTRa7ECFzw1TrO+IJadVczKBTRFxlYOWgOTHTXZlU8QV53Vi+g7dbYrEYxu5TO
+NUggqSoxUhl4901NdMGTSiKXeuye4EdHAKI9RYO6suxYMo9wctm/es3OFd5kjPlh
+CqoUId3Lgc7Lb1xcfBSZ9n2dWcFDf32GPYYPlBbxuba0VVZlKZSd3yV36v4gKdSI
+MjdluRpwdoyTcsLi6ysPduOfkWSbQJ3bbvpeTNiagn5o9oeF1DO5LDvVVo1RZ2A=
+-----END CERTIFICATE-----
diff --git a/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.cnf b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.cnf
new file mode 100644
index 00000000000..5123cf8c0a2
--- /dev/null
+++ b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.cnf
@@ -0,0 +1,12 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = *.test.google.com.au
+
+[v3_req]
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, serverAuth
+basicConstraints = critical, CA:false
\ No newline at end of file
diff --git a/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.key b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.key
new file mode 100644
index 00000000000..f8ac11d2a1b
--- /dev/null
+++ b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.key
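Review bot: The new leaf_signed_by_intermediate.cnf ends without a trailing newline (`\ No newline at end of file` after the `basicConstraints` line), which the other new files in this change do not do and which turns any later edit to that last line into a two-line diff; terminating the file with a newline is the one-byte fix. The profile itself reads correctly for its purpose: `basicConstraints = critical, CA:false` keeps the leaf from being accepted as an issuer, and the `clientAuth, serverAuth` pair lets the same chain be presented on either side of the handshake.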
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDY01iVhV84FsPB +GUHPD33uZNyTX3PEKoSioYMETinbOlJ2jgPl+Gn+jt/hPRLnwQX3lDfqexOu4uXP +Q4GPWGw5hhR5w4zyBg9g6HpDiQSlLcbtSnfpt0BemyB0BZSADllyxvt2+dl4Y/KZ +uafUjJKWjT/xMycJwsl/dXSNRW8Fkj+hrDABl3hGlvWWH+QjFGo2JTlYVbuFnOM6 +cDWbmCZcmcOjHSYu2HtEtv1hAebPlzPEL5oFDV7eJNzUEngRM8C8jChcfdQjjtmD +9gVbytk/Kb2p1IbJ3HDbeD1dVrBZclTIFDPl7+II8MUwcz/+XeEEEtmM/5BFlQiJ +GnMhIaK3AgMBAAECggEANLtNn2uEyUzMBdHBLfzcCRbRiCveKTaX9D9ocCscRdtM +w9VtAEhmasjPjOVADEnmzBvpb2bIVi+LaVlHEJgWFfVUVHqo9BFiOxS+617O2Ocl +qn8CY74z8u4yOdVDlNMokN/wtzIzX/KaxSUgOnKHkgK/KsdgdqC/RXbIxjS9N/Kz +SycN2+4M+63A90+j3EZsBEHFOfs16CwJ+cLbUzeqIl7XwUgDEGoqj7cL3xI3RDpE +s2MCGMrjlbLAOC250AJlZQUHI4GUFuBmfkDh+9RPoSU8cTPNk/sDknigkZ5T2MEl +p9VccGsbRRLqjuVdnsZwiFCWpJoiYH3iuF+EOmryoQKBgQDj8Dg2nr5zEw+eQxnn +qoteBhHQciFyvyWF4bonttHyN/sfgWW2tObIlBf+4s9ZODIYnVYJ5BZfpXQG2TFs +6nreQgoWRqn4ISewAi+eM5lhCHlYkllfvmvsRTxKcCcj+wQ+2csg9msZqC1VJQl6 +HsRvRtrmeEHIx208MdBJERliYQKBgQDzhORl6mDMs0/iuRwuR5c3p/Cg2rJvWXK2 +XzX3875ywEpY3UoMqmw7vyOfXYzzfvj2qj9g7TCnDJRwpcr7n7Ij6ljixE+Ork3L +cmn4zSqo+k6eHrJmgAOeVYSq9Tv9GtmxViHhAuFgKJOUYRZz0d2a+Ts183T60vca +iIwYmsVMFwKBgQCbr6kFjZmxibRiOZzJAlCc0PJ7+GhmMq7TaiE3HQT7N0db9ord +p2P2XkihfJN5cgutilGJAfRSMfU09EZxCRsREfRH0M4pP6QW8PdLTB0YDKytVZCb +97lJMOUERuRFDB+TOjkm84ilhpwoCtsVQUyUYMYFIuBz3dr7gV6teXNoIQKBgQDt +I6B3TsJtFMDafIDg4H51iGlfexkALg7zYcxgZVA01uSPnQ8bPmqf1AaQjr1P8Xno +WunVLaWPR0TWXd1JI76KEw/z5E/FFiBT2lswGjtMylP8zs/T2R2s9oJ3KND+LUOI +2eOsBu4KgfkVKWZ/6wLug34Rj79+8ioIAKjM3Qr8iQKBgQDONSP+75QpvN1xrTwY +bQTFY6AF9CLWp/0WPMQQtWI1Y/3uprpnj1/zK9yL0VVYYD33qyttjOVyGPimhQA+ +/AzlGtvdI+SNiNaFA9i0a5skWJoJoo00Fdi3Mg3o5UBcamYKcFkqtSbCIoz8yVJd +7HSdJ94o4+Yw1818aNB6VjxkrA== +-----END PRIVATE KEY----- diff --git a/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.pem b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.pem new file mode 100644 index 00000000000..8947fdd0dbc --- /dev/null 
+++ b/test/core/tsi/test_creds/crl_data/leaf_signed_by_intermediate.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDUzCCAjugAwIBAgIUIkXUE1956T996LuTKMiv5nci6X0wDQYJKoZIhvcNAQEL +BQAwJzElMCMGA1UEAwwcaW50ZXJtZWRpYXRlY2VydC5leGFtcGxlLmNvbTAeFw0y +MzAzMDMxODA2NDNaFw0zMzAyMjgxODA2NDNaMB8xHTAbBgNVBAMMFCoudGVzdC5n +b29nbGUuY29tLmF1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2NNY +lYVfOBbDwRlBzw997mTck19zxCqEoqGDBE4p2zpSdo4D5fhp/o7f4T0S58EF95Q3 +6nsTruLlz0OBj1hsOYYUecOM8gYPYOh6Q4kEpS3G7Up36bdAXpsgdAWUgA5Zcsb7 +dvnZeGPymbmn1IySlo0/8TMnCcLJf3V0jUVvBZI/oawwAZd4Rpb1lh/kIxRqNiU5 +WFW7hZzjOnA1m5gmXJnDox0mLth7RLb9YQHmz5czxC+aBQ1e3iTc1BJ4ETPAvIwo +XH3UI47Zg/YFW8rZPym9qdSGydxw23g9XVawWXJUyBQz5e/iCPDFMHM//l3hBBLZ +jP+QRZUIiRpzISGitwIDAQABo38wfTAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYw +FAYIKwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFCwG +luxpu/XDakGPtEnuIiW0rk/oMB8GA1UdIwQYMBaAFCe1phNkruBHbu7xYruv+4iy +dy2jMA0GCSqGSIb3DQEBCwUAA4IBAQBoUzdASVjpUN31jw4h3K5rWC2+CVhguyhb +BcFXNr73ySryPZwJDrCZINXMpjM+GGKrFKjC3hemlUpnTYiOgaHseN5NB3pZYJma +48DZzZ51wEI3vzmqOyjD0Eh2LytI+p87bJhBEwWR+okADWDB9vdZKiJi/7iHfvxs +NIasCagJgJ5XeMiTehRksKuQv3w8KhUzRCjy0wsTwjmrQw+8kMS0WnRC4EVA76IZ +HnLfoMGg/R1w/NrrAmQfx+W0qnJAvkQddqfEptITJbqoOfFASgngVBhHnogOLod/ +es3Tbls2qrJg0GnMScJYHJAvlp6Lke6a8kf8jyT+yN2opWVll1tK +-----END CERTIFICATE----- diff --git a/test/cpp/client/credentials_test.cc b/test/cpp/client/credentials_test.cc index ad91306e544..bd4137c9e2a 100644 --- a/test/cpp/client/credentials_test.cc +++ b/test/cpp/client/credentials_test.cc @@ -36,7 +36,7 @@ #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem" #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem" #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key" -#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data" +#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data/crls" namespace { diff --git a/test/cpp/server/credentials_test.cc b/test/cpp/server/credentials_test.cc index 3accfee9763..97db8d5be10 100644 
--- a/test/cpp/server/credentials_test.cc +++ b/test/cpp/server/credentials_test.cc @@ -32,7 +32,7 @@ #define CA_CERT_PATH "src/core/tsi/test_creds/ca.pem" #define SERVER_CERT_PATH "src/core/tsi/test_creds/server1.pem" #define SERVER_KEY_PATH "src/core/tsi/test_creds/server1.key" -#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data" +#define CRL_DIR_PATH "test/core/tsi/test_creds/crl_data/crls" namespace {