mirror of
https://github.com/gogrlx/nats-server.git
synced 2026-04-02 03:38:42 -07:00
Fixed local issuer determination for OCSP Staple, issue #3773
This commit is contained in:
Todd Beets
@@ -15,6 +15,7 @@ package test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
@@ -1736,19 +1737,12 @@ func TestOCSPStapleFeatureInterop(t *testing.T) {
|
||||
rootCAResponderURL := fmt.Sprintf("http://%s", rootCAResponder.Addr)
|
||||
defer rootCAResponder.Shutdown(ctx)
|
||||
setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate1/intermediate1_cert.pem", ocsp.Good)
|
||||
setOCSPStatus(t, rootCAResponderURL, "configs/certs/ocsp_peer/mini-ca/intermediate2/intermediate2_cert.pem", ocsp.Good)
|
||||
|
||||
intermediateCA1Responder := newOCSPResponderIntermediateCA1(t)
|
||||
intermediateCA1ResponderURL := fmt.Sprintf("http://%s", intermediateCA1Responder.Addr)
|
||||
defer intermediateCA1Responder.Shutdown(ctx)
|
||||
setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
|
||||
setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem", ocsp.Good)
|
||||
|
||||
intermediateCA2Responder := newOCSPResponderIntermediateCA2(t)
|
||||
intermediateCA2ResponderURL := fmt.Sprintf("http://%s", intermediateCA2Responder.Addr)
|
||||
defer intermediateCA2Responder.Shutdown(ctx)
|
||||
setOCSPStatus(t, intermediateCA2ResponderURL, "configs/certs/ocsp_peer/mini-ca/client2/UserB1_cert.pem", ocsp.Good)
|
||||
|
||||
for _, test := range []struct {
|
||||
name string
|
||||
config string
|
||||
@@ -1758,7 +1752,7 @@ func TestOCSPStapleFeatureInterop(t *testing.T) {
|
||||
configure func()
|
||||
}{
|
||||
{
|
||||
"Interop: mTLS OCSP peer check on inbound client connection, client of intermediate CA 1",
|
||||
"Interop: Both Good: mTLS OCSP peer check on inbound client connection and server's OCSP staple validated at client",
|
||||
`
|
||||
port: -1
|
||||
ocsp_cache: true
|
||||
@@ -1766,8 +1760,7 @@ func TestOCSPStapleFeatureInterop(t *testing.T) {
|
||||
mode: always
|
||||
}
|
||||
tls: {
|
||||
# cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
|
||||
cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_cert.pem"
|
||||
cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
|
||||
key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
|
||||
ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
|
||||
timeout: 5
|
||||
@@ -1781,47 +1774,105 @@ func TestOCSPStapleFeatureInterop(t *testing.T) {
|
||||
}
|
||||
`,
|
||||
[]nats.Option{
|
||||
nats.Secure(&tls.Config{
|
||||
VerifyConnection: func(s tls.ConnectionState) error {
|
||||
if s.OCSPResponse == nil {
|
||||
return fmt.Errorf("expected OCSP staple to be present")
|
||||
}
|
||||
resp, err := ocsp.ParseResponse(s.OCSPResponse, s.VerifiedChains[0][1])
|
||||
if err != nil || resp.Status != ocsp.Good {
|
||||
return fmt.Errorf("expected a valid GOOD stapled response")
|
||||
}
|
||||
return nil
|
||||
},
|
||||
}),
|
||||
nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
|
||||
nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
|
||||
nats.ErrorHandler(noOpErrHandler),
|
||||
},
|
||||
nil,
|
||||
nil,
|
||||
func() {},
|
||||
func() {
|
||||
setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Good)
|
||||
},
|
||||
},
|
||||
{
|
||||
"Interop: Bad Client: mTLS OCSP peer check on inbound client connection and server's OCSP staple validated at client",
|
||||
`
|
||||
port: -1
|
||||
ocsp_cache: true
|
||||
ocsp: {
|
||||
mode: always
|
||||
}
|
||||
tls: {
|
||||
cert_file: "configs/certs/ocsp_peer/mini-ca/server1/TestServer1_bundle.pem"
|
||||
key_file: "configs/certs/ocsp_peer/mini-ca/server1/private/TestServer1_keypair.pem"
|
||||
ca_file: "configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"
|
||||
timeout: 5
|
||||
verify: true
|
||||
# Long form configuration, non-default ca_timeout
|
||||
ocsp_peer: {
|
||||
verify: true
|
||||
ca_timeout: 5
|
||||
allowed_clockskew: 30
|
||||
}
|
||||
}
|
||||
`,
|
||||
[]nats.Option{
|
||||
nats.Secure(&tls.Config{
|
||||
VerifyConnection: func(s tls.ConnectionState) error {
|
||||
if s.OCSPResponse == nil {
|
||||
return fmt.Errorf("expected OCSP staple to be present")
|
||||
}
|
||||
resp, err := ocsp.ParseResponse(s.OCSPResponse, s.VerifiedChains[0][1])
|
||||
if err != nil || resp.Status != ocsp.Good {
|
||||
return fmt.Errorf("expected a valid GOOD stapled response")
|
||||
}
|
||||
return nil
|
||||
},
|
||||
}),
|
||||
nats.ClientCert("./configs/certs/ocsp_peer/mini-ca/client1/UserA1_bundle.pem", "./configs/certs/ocsp_peer/mini-ca/client1/private/UserA1_keypair.pem"),
|
||||
nats.RootCAs("./configs/certs/ocsp_peer/mini-ca/root/root_cert.pem"),
|
||||
nats.ErrorHandler(noOpErrHandler),
|
||||
},
|
||||
fmt.Errorf("remote error: tls: bad certificate"),
|
||||
nil,
|
||||
func() {
|
||||
setOCSPStatus(t, intermediateCA1ResponderURL, "configs/certs/ocsp_peer/mini-ca/client1/UserA1_cert.pem", ocsp.Revoked)
|
||||
},
|
||||
},
|
||||
} {
|
||||
t.Run(test.name, func(t *testing.T) {
|
||||
// TODO(tgb) - come back to this test after fixing OCSP Staple issue https://github.com/nats-io/nats-server/issues/3773
|
||||
//deleteLocalStore(t, "")
|
||||
//test.configure()
|
||||
//content := test.config
|
||||
//conf := createConfFile(t, []byte(content))
|
||||
//
|
||||
//s, opts := RunServerWithConfig(conf)
|
||||
//defer s.Shutdown()
|
||||
//nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
|
||||
//if test.err == nil && err != nil {
|
||||
// t.Errorf("Expected to connect, got %v", err)
|
||||
//} else if test.err != nil && err == nil {
|
||||
// t.Errorf("Expected error on connect")
|
||||
//} else if test.err != nil && err != nil {
|
||||
// // Error on connect was expected
|
||||
// if test.err.Error() != err.Error() {
|
||||
// t.Errorf("Expected error %s, got: %s", test.err, err)
|
||||
// }
|
||||
// return
|
||||
//}
|
||||
//defer nc.Close()
|
||||
//nc.Subscribe("ping", func(m *nats.Msg) {
|
||||
// m.Respond([]byte("pong"))
|
||||
//})
|
||||
//nc.Flush()
|
||||
//_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
|
||||
//if test.rerr != nil && err == nil {
|
||||
// t.Errorf("Expected error getting response")
|
||||
//} else if test.rerr == nil && err != nil {
|
||||
// t.Errorf("Expected response")
|
||||
//}
|
||||
deleteLocalStore(t, "")
|
||||
test.configure()
|
||||
content := test.config
|
||||
conf := createConfFile(t, []byte(content))
|
||||
|
||||
s, opts := RunServerWithConfig(conf)
|
||||
defer s.Shutdown()
|
||||
nc, err := nats.Connect(fmt.Sprintf("tls://localhost:%d", opts.Port), test.opts...)
|
||||
if test.err == nil && err != nil {
|
||||
t.Errorf("Expected to connect, got %v", err)
|
||||
} else if test.err != nil && err == nil {
|
||||
t.Errorf("Expected error on connect")
|
||||
} else if test.err != nil && err != nil {
|
||||
// Error on connect was expected
|
||||
if test.err.Error() != err.Error() {
|
||||
t.Errorf("Expected error %s, got: %s", test.err, err)
|
||||
}
|
||||
return
|
||||
}
|
||||
defer nc.Close()
|
||||
nc.Subscribe("ping", func(m *nats.Msg) {
|
||||
m.Respond([]byte("pong"))
|
||||
})
|
||||
nc.Flush()
|
||||
_, err = nc.Request("ping", []byte("ping"), 250*time.Millisecond)
|
||||
if test.rerr != nil && err == nil {
|
||||
t.Errorf("Expected error getting response")
|
||||
} else if test.rerr == nil && err != nil {
|
||||
t.Errorf("Expected response")
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user