From da7a8b63bc4f4835512b027fd62cd5b5437c8f45 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Tue, 14 Mar 2023 17:01:42 -0700 Subject: [PATCH] Reword ocsp routes/gateways terminology to 'peers' instead Add test for verify_and_map usage with ocsp Signed-off-by: Waldemar Quevedo --- server/ocsp.go | 20 ++++---- test/ocsp_test.go | 124 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 133 insertions(+), 11 deletions(-) diff --git a/server/ocsp.go b/server/ocsp.go index db27d214..9c5dcb93 100644 --- a/server/ocsp.go +++ b/server/ocsp.go @@ -433,18 +433,18 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni }, nil } - // Check whether need to verify staples from a client connection depending on the type. + // Check whether need to verify staples from a peer router or gateway connection. switch kind { case kindStringMap[ROUTER], kindStringMap[GATEWAY]: tc.VerifyConnection = func(s tls.ConnectionState) error { oresp := s.OCSPResponse if oresp == nil { - return fmt.Errorf("%s client missing OCSP Staple", kind) + return fmt.Errorf("%s peer missing OCSP Staple", kind) } - // Client route connections will verify the response of the staple. + // Peer connections will verify the response of the staple. if len(s.VerifiedChains) == 0 { - return fmt.Errorf("%s client missing TLS verified chains", kind) + return fmt.Errorf("%s peer missing TLS verified chains", kind) } chain := s.VerifiedChains[0] @@ -453,7 +453,7 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent) if err != nil { - return fmt.Errorf("failed to parse OCSP response from %s client: %w", kind, err) + return fmt.Errorf("failed to parse OCSP response from %s peer: %w", kind, err) } if resp.Certificate == nil { if err := resp.CheckSignatureFrom(parent); err != nil { 
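Review bot: The rewritten comment at the top of the -433 hunk, `// Check whether need to verify staples from a peer router or gateway connection.`, has no subject and reads as a note-to-self rather than a description of what the `switch kind` below enforces. Suggest `// Routers and gateways are peers: an inbound connection of either kind must present an OCSP staple, which the VerifyConnection callback below requires and validates.` The error-string rewording in this hunk and in the hunks at -453 and -475 is consistent and needs no further change. NewOCSPMonitor's body starts and ends outside these hunks.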
@@ -475,13 +475,13 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni } } if resp.Status != ocsp.Good { - return fmt.Errorf("bad status for OCSP Staple from %s client: %s", kind, ocspStatusString(resp.Status)) + return fmt.Errorf("bad status for OCSP Staple from %s peer: %s", kind, ocspStatusString(resp.Status)) } return nil } - // When server makes a client connection, need to also present an OCSP Staple. + // When server makes a peer connection, need to also present an OCSP Staple. tc.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { raw, _, err := mon.getStatus() if err != nil { @@ -563,8 +563,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind { if opts.Verify { tc.ClientAuth = tls.RequireAndVerifyClientCert } - // GetClientCertificate is used by a client to send the client cert - // to a server. We're a server, so we must not set this. + // We're a leaf hub server, so we must not set this. tc.GetClientCertificate = nil sopts.LeafNode.TLSConfig = tc }, @@ -581,8 +580,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind { tlsConfig: config, tlsOpts: opts, apply: func(tc *tls.Config) { - // GetCertificate is used by a server to send the server cert to a - // client. We're a client, so we must not set this. + // We're a leaf client, so we must not set this. tc.GetCertificate = nil r.TLSConfig = tc }, diff --git a/test/ocsp_test.go b/test/ocsp_test.go index 1725a6bf..c1d2a542 100644 --- a/test/ocsp_test.go +++ b/test/ocsp_test.go 
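Review bot: The replacement comment in the configureOCSP hunk at -563, `// We're a leaf hub server, so we must not set this.`, drops the part of the old comment that said what `GetClientCertificate` is for, so a reader no longer sees why a server-side TLS config must leave it nil; the hunk at -581 does the same for `GetCertificate`. Suggest `// We're a leaf hub server; GetClientCertificate is only consulted by the client side of a handshake, so it must stay nil here.` and, at -581, `// We're a leaf client; GetCertificate is only consulted by the server side of a handshake, so it must stay nil here.` The enclosing `apply` closures start and end outside both hunks.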
@@ -1886,9 +1886,133 @@ func TestOCSPLeafVerifyLeafRemote(t *testing.T) { t.Fatal(err) } defer cA.Close() + + // Should not have been able to connect. checkLeafNodeConnections(t, srvA, 0) } +func TestOCSPLeafVerifyAndMapLeafRemote(t *testing.T) { + const ( + caCert = "configs/certs/ocsp/ca-cert.pem" + caKey = "configs/certs/ocsp/ca-key.pem" + ) + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + ocspr := newOCSPResponder(t, caCert, caKey) + defer ocspr.Shutdown(ctx) + addr := fmt.Sprintf("http://%s", ocspr.Addr) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good) + setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good) + + // Store Dirs + storeDirA := t.TempDir() + storeDirB := t.TempDir() + + // LeafNode server configuration + srvConfA := ` + host: "127.0.0.1" + port: -1 + + server_name: "AAA" + + tls { + cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem" + key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem" + ca_file: "configs/certs/ocsp/ca-cert.pem" + timeout: 5 + verify_and_map: true + } + store_dir: '%s' + + leafnodes { + host: "127.0.0.1" + port: -1 + advertise: "127.0.0.1" + + tls { + cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem" + key_file: 
"configs/certs/ocsp/server-status-request-url-02-key.pem" + ca_file: "configs/certs/ocsp/ca-cert.pem" + timeout: 5 + verify_and_map: true + } + } + + accounts: { + leaf: { + users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost server-status-request-url-04"} ] + } + client: { + users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost client"} ] + } + } + + ` + srvConfA = fmt.Sprintf(srvConfA, storeDirA) + sconfA := createConfFile(t, []byte(srvConfA)) + srvA, optsA := RunServerWithConfig(sconfA) + defer srvA.Shutdown() + + // LeafNode remote that will connect to A and will not present certs. + srvConfB := ` + host: "127.0.0.1" + port: -1 + + server_name: "BBB" + + tls { + cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem" + key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem" + ca_file: "configs/certs/ocsp/ca-cert.pem" + timeout: 5 + } + store_dir: '%s' + + leafnodes { + remotes: [ { + url: "tls://127.0.0.1:%d" + tls { + cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem" + key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem" + ca_file: "configs/certs/ocsp/ca-cert.pem" + timeout: 5 + } + } ] + } + ` + srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port) + conf := createConfFile(t, []byte(srvConfB)) + srvB, _ := RunServerWithConfig(conf) + defer srvB.Shutdown() + + // Client connects to server A. 
+ cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port), + nats.Secure(&tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + if s.OCSPResponse == nil { + return fmt.Errorf("missing OCSP Staple from server") + } + return nil + }, + }), + nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"), + nats.RootCAs(caCert), + nats.ErrorHandler(noOpErrHandler), + ) + if err != nil { + t.Fatal(err) + } + defer cA.Close() + checkLeafNodeConnections(t, srvA, 1) +} + func TestOCSPGateway(t *testing.T) { const ( caCert = "configs/certs/ocsp/ca-cert.pem"
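Review bot: The comment above srvConfB in TestOCSPLeafVerifyAndMapLeafRemote, `// LeafNode remote that will connect to A and will not present certs.`, is wrong for this test: the remote's tls block carries `server-status-request-url-04-cert.pem`, and server A's `leaf` account lists exactly that certificate subject, which is why `checkLeafNodeConnections(t, srvA, 1)` expects the connection to succeed. Suggest `// LeafNode remote that connects to A presenting the url-04 cert, which verify_and_map resolves to the "leaf" account.` Separately, the test only asserts that one leaf connection exists; it does not check that verify_and_map bound that connection to the `leaf` account rather than elsewhere, so a mapping regression would still pass — consider looking the account up with `srvA.LookupAccount("leaf")` and asserting the leaf connection count on that account, if the server exposes one. The client's `VerifyConnection` also only checks that a staple is present, not its status, so a non-good staple from server A would still be accepted on the client side of this test.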