gogrlx/nats-server
1
0
Fork 0
mirror of https://github.com/gogrlx/nats-server.git synced 2026-04-02 03:38:42 -07:00
Code Issues Packages Projects Releases Wiki Activity

Reword ocsp routes/gateways terminology to 'peers' instead

Browse Source 
Add test for verify_and_map usage with ocsp

Signed-off-by: Waldemar Quevedo <wally@nats.io>
This commit is contained in:
Waldemar Quevedo
2023-03-14 17:01:42 -07:00
parent f8914788f5
commit da7a8b63bc
2 changed files with 133 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
server/ocsp.go
View File

@@ -433,18 +433,18 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
}, nil }, nil
} }
// Check whether need to verify staples from a client connection depending on the type. // Check whether need to verify staples from a peer router or gateway connection.
switch kind { switch kind {
case kindStringMap[ROUTER], kindStringMap[GATEWAY]: case kindStringMap[ROUTER], kindStringMap[GATEWAY]:
tc.VerifyConnection = func(s tls.ConnectionState) error { tc.VerifyConnection = func(s tls.ConnectionState) error {
oresp := s.OCSPResponse oresp := s.OCSPResponse
if oresp == nil { if oresp == nil {
return fmt.Errorf("%s client missing OCSP Staple", kind) return fmt.Errorf("%s peer missing OCSP Staple", kind)
} }
// Client route connections will verify the response of the staple. // Peer connections will verify the response of the staple.
if len(s.VerifiedChains) == 0 { if len(s.VerifiedChains) == 0 {
return fmt.Errorf("%s client missing TLS verified chains", kind) return fmt.Errorf("%s peer missing TLS verified chains", kind)
} }
chain := s.VerifiedChains[0] chain := s.VerifiedChains[0]
@@ -453,7 +453,7 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent) resp, err := ocsp.ParseResponseForCert(oresp, leaf, parent)
if err != nil { if err != nil {
return fmt.Errorf("failed to parse OCSP response from %s client: %w", kind, err) return fmt.Errorf("failed to parse OCSP response from %s peer: %w", kind, err)
} }
if resp.Certificate == nil { if resp.Certificate == nil {
if err := resp.CheckSignatureFrom(parent); err != nil { if err := resp.CheckSignatureFrom(parent); err != nil {
@@ -475,13 +475,13 @@ func (srv *Server) NewOCSPMonitor(config *tlsConfigKind) (*tls.Config, *OCSPMoni
} }
} }
if resp.Status != ocsp.Good { if resp.Status != ocsp.Good {
return fmt.Errorf("bad status for OCSP Staple from %s client: %s", kind, ocspStatusString(resp.Status)) return fmt.Errorf("bad status for OCSP Staple from %s peer: %s", kind, ocspStatusString(resp.Status))
} }
return nil return nil
} }
// When server makes a client connection, need to also present an OCSP Staple. // When server makes a peer connection, need to also present an OCSP Staple.
tc.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) { tc.GetClientCertificate = func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
raw, _, err := mon.getStatus() raw, _, err := mon.getStatus()
if err != nil { if err != nil {
@@ -563,8 +563,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
if opts.Verify { if opts.Verify {
tc.ClientAuth = tls.RequireAndVerifyClientCert tc.ClientAuth = tls.RequireAndVerifyClientCert
} }
// GetClientCertificate is used by a client to send the client cert // We're a leaf hub server, so we must not set this.
// to a server. We're a server, so we must not set this.
tc.GetClientCertificate = nil tc.GetClientCertificate = nil
sopts.LeafNode.TLSConfig = tc sopts.LeafNode.TLSConfig = tc
}, },
@@ -581,8 +580,7 @@ func (s *Server) configureOCSP() []*tlsConfigKind {
tlsConfig: config, tlsConfig: config,
tlsOpts: opts, tlsOpts: opts,
apply: func(tc *tls.Config) { apply: func(tc *tls.Config) {
// GetCertificate is used by a server to send the server cert to a // We're a leaf client, so we must not set this.
// client. We're a client, so we must not set this.
tc.GetCertificate = nil tc.GetCertificate = nil
r.TLSConfig = tc r.TLSConfig = tc
}, },

124
test/ocsp_test.go
View File

@@ -1886,9 +1886,133 @@ func TestOCSPLeafVerifyLeafRemote(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
defer cA.Close() defer cA.Close()
// Should not have been able to connect.
checkLeafNodeConnections(t, srvA, 0) checkLeafNodeConnections(t, srvA, 0)
} }
func TestOCSPLeafVerifyAndMapLeafRemote(t *testing.T) {
const (
caCert = "configs/certs/ocsp/ca-cert.pem"
caKey = "configs/certs/ocsp/ca-key.pem"
)
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
ocspr := newOCSPResponder(t, caCert, caKey)
defer ocspr.Shutdown(ctx)
addr := fmt.Sprintf("http://%s", ocspr.Addr)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-01-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-02-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-03-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-04-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-05-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-06-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-07-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/server-status-request-url-08-cert.pem", ocsp.Good)
setOCSPStatus(t, addr, "configs/certs/ocsp/client-cert.pem", ocsp.Good)
// Store Dirs
storeDirA := t.TempDir()
storeDirB := t.TempDir()
// LeafNode server configuration
srvConfA := `
host: "127.0.0.1"
port: -1
server_name: "AAA"
tls {
cert_file: "configs/certs/ocsp/server-status-request-url-01-cert.pem"
key_file: "configs/certs/ocsp/server-status-request-url-01-key.pem"
ca_file: "configs/certs/ocsp/ca-cert.pem"
timeout: 5
verify_and_map: true
}
store_dir: '%s'
leafnodes {
host: "127.0.0.1"
port: -1
advertise: "127.0.0.1"
tls {
cert_file: "configs/certs/ocsp/server-status-request-url-02-cert.pem"
key_file: "configs/certs/ocsp/server-status-request-url-02-key.pem"
ca_file: "configs/certs/ocsp/ca-cert.pem"
timeout: 5
verify_and_map: true
}
}
accounts: {
leaf: {
users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost server-status-request-url-04"} ]
}
client: {
users: [ {user: "C=US, ST=CA, L=San Francisco, O=Synadia, OU=nats.io, CN=localhost client"} ]
}
}
`
srvConfA = fmt.Sprintf(srvConfA, storeDirA)
sconfA := createConfFile(t, []byte(srvConfA))
srvA, optsA := RunServerWithConfig(sconfA)
defer srvA.Shutdown()
// LeafNode remote that will connect to A and will not present certs.
srvConfB := `
host: "127.0.0.1"
port: -1
server_name: "BBB"
tls {
cert_file: "configs/certs/ocsp/server-status-request-url-03-cert.pem"
key_file: "configs/certs/ocsp/server-status-request-url-03-key.pem"
ca_file: "configs/certs/ocsp/ca-cert.pem"
timeout: 5
}
store_dir: '%s'
leafnodes {
remotes: [ {
url: "tls://127.0.0.1:%d"
tls {
cert_file: "configs/certs/ocsp/server-status-request-url-04-cert.pem"
key_file: "configs/certs/ocsp/server-status-request-url-04-key.pem"
ca_file: "configs/certs/ocsp/ca-cert.pem"
timeout: 5
}
} ]
}
`
srvConfB = fmt.Sprintf(srvConfB, storeDirB, optsA.LeafNode.Port)
conf := createConfFile(t, []byte(srvConfB))
srvB, _ := RunServerWithConfig(conf)
defer srvB.Shutdown()
// Client connects to server A.
cA, err := nats.Connect(fmt.Sprintf("tls://127.0.0.1:%d", optsA.Port),
nats.Secure(&tls.Config{
VerifyConnection: func(s tls.ConnectionState) error {
if s.OCSPResponse == nil {
return fmt.Errorf("missing OCSP Staple from server")
}
return nil
},
}),
nats.ClientCert("./configs/certs/ocsp/client-cert.pem", "./configs/certs/ocsp/client-key.pem"),
nats.RootCAs(caCert),
nats.ErrorHandler(noOpErrHandler),
)
if err != nil {
t.Fatal(err)
}
defer cA.Close()
checkLeafNodeConnections(t, srvA, 1)
}
func TestOCSPGateway(t *testing.T) { func TestOCSPGateway(t *testing.T) {
const ( const (
caCert = "configs/certs/ocsp/ca-cert.pem" caCert = "configs/certs/ocsp/ca-cert.pem"