diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 56fae1d4db8..16cc6c57284 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -929,7 +929,7 @@ SSLPrivateKeyHandler(SSL_CTX *ctx, const SSLConfigParams *params, const std::str
 ENGINE *e = nullptr;
 if (false) {
 #endif
- } else if (!keyPath) {
+ } else if (!keyPath || keyPath[0] == '\0') {
 // assume private key is contained in cert obtained from multicert file.
 if (!SSL_CTX_use_PrivateKey_file(ctx, completeServerCertPath.c_str(), SSL_FILETYPE_PEM)) {
 SSLError("failed to load server private key from %s", completeServerCertPath.c_str());
@@ -1429,7 +1429,9 @@ SSLMultiCertConfigLoader::_store_ssl_ctx(SSLCertLookup *lookup, const shared_SSL
 SSLMultiCertConfigLoader::CertLoadData single_data;
 single_data.cert_names_list.push_back(data.cert_names_list[i]);
- single_data.key_list.push_back(i < data.key_list.size() ? data.key_list[i] : "");
+ if (i < data.key_list.size()) {
+ single_data.key_list.push_back(data.key_list[i]);
+ }
 single_data.ca_list.push_back(i < data.ca_list.size() ? data.ca_list[i] : "");
 single_data.ocsp_list.push_back(i < data.ocsp_list.size() ? data.ocsp_list[i] : "");
@@ -1925,8 +1927,6 @@ SSLMultiCertConfigLoader::load_certs_and_cross_reference_names(std::vectorkey) {
 key_tok.setString((const char *)sslMultCertSettings->key);
- } else if (sslMultCertSettings && sslMultCertSettings->cert) {
- key_tok.setString((const char *)sslMultCertSettings->cert);
 } else {
 key_tok.setString("");
 }
@@ -2111,7 +2111,7 @@ SSLMultiCertConfigLoader::load_certs(SSL_CTX *ctx, SSLMultiCertConfigLoader::Cer
 // Load up any additional chain certificates
 SSL_CTX_add_extra_chain_cert_bio(ctx, bio);
- const char *keyPath = data.key_list[i].c_str();
+ const char *keyPath = i < data.key_list.size() ? data.key_list[i].c_str() : nullptr;
 if (!SSLPrivateKeyHandler(ctx, params, completeServerCertPath, keyPath)) {
 return false;
 }
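Review bot: The widened `!keyPath || keyPath[0] == '\0'` test makes the fallback that reads the private key out of `completeServerCertPath` reachable from configuration (an empty or short key list, see the `load_certs_and_cross_reference_names` and `load_certs` hunks below), so the certificate file now doubles as key material and has to be owned and permissioned like a key file, which neither the code nor the comment above `SSL_CTX_use_PrivateKey_file` says. I would extend that comment to `// assume private key is contained in cert obtained from multicert file; such a combined file must be protected like a key file`. A debug line in the file's existing diags style naming the file the key was taken from would also make the fallback visible in normal operation, instead of the `failed to load server private key from %s` error being its only trace when the cert file turns out not to hold a key. SSLPrivateKeyHandler's signature and the remainder of its body are outside the hunk.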
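Review bot: `_store_ssl_ctx` now pushes a key entry only when `i < data.key_list.size()`, while the next two lines still pad `ca_list` and `ocsp_list` with `""`, so three parallel lists are built under two conventions in adjacent lines with nothing saying why. The reason is only visible in the other hunks: `load_certs` maps a missing entry to a `nullptr` keyPath and SSLPrivateKeyHandler now treats `nullptr` and `""` alike, so the asymmetry is harmless today but easy for a later edit to "fix" back to padding. Add `// key_list may be shorter than cert_names_list: load_certs() turns a missing entry into a null keyPath, meaning the key lives in the cert file` above the `if`, and the same note on the `i < data.key_list.size() ? ... : nullptr` line in the `load_certs` hunk. Both enclosing functions begin and end outside their hunks.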
diff --git a/tests/gold_tests/tls/ssl/combined-ec.pem b/tests/gold_tests/tls/ssl/combined-ec.pem new file mode 100644 index 00000000000..e9ced49ee53 --- /dev/null +++ b/tests/gold_tests/tls/ssl/combined-ec.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIB+jCCAZ+gAwIBAgIJAPW97i/S9OcdMAoGCCqGSM49BAMCMFkxCzAJBgNVBAYT +AlVTMQswCQYDVQQIDAJJTDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MQ8wDQYDVQQK +DAZBcGFjaGUxFTATBgNVBAMMDGNvbWJpbmVkLmNvbTAeFw0yMDA2MjIxOTU3MDZa +Fw0zMDAzMjIxOTU3MDZaMFkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJJTDEVMBMG +A1UEBwwMRGVmYXVsdCBDaXR5MQ8wDQYDVQQKDAZBcGFjaGUxFTATBgNVBAMMDGNv +bWJpbmVkLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIBVN2VZFf4FnTKc +KF/E3MfOGw9AgggHkOBjmXTy0UBopJ2GU39kHvAk0AzuNsVhs63X3tSMjPGaoy4X +lwEfmLWjUDBOMB0GA1UdDgQWBBR0yi0/z4mhyD00kmscLF4aUlGC3zAfBgNVHSME +GDAWgBR0yi0/z4mhyD00kmscLF4aUlGC3zAMBgNVHRMEBTADAQH/MAoGCCqGSM49 +BAMCA0kAMEYCIQDE2BERQi0cN/hR+T2uPxdaLEKjhaH/FSZ8WPVQ+B60VwIhAOk2 +QwhkNb8Kj5Zr6NwMdmK2xowyP7QdeYSqQmLOSC0w +-----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIHl0cmnC4+n9FSVl/k6/kzcP3z8rxBwWxPuTlYM7LfZYoAoGCCqGSM49 +AwEHoUQDQgAEgFU3ZVkV/gWdMpwoX8Tcx84bD0CCCAeQ4GOZdPLRQGiknYZTf2Qe +8CTQDO42xWGzrdfe1IyM8ZqjLheXAR+YtQ== +-----END EC PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/combined.pem b/tests/gold_tests/tls/ssl/combined.pem new file mode 100644 index 00000000000..8f8c973fb4b --- /dev/null +++ b/tests/gold_tests/tls/ssl/combined.pem 
@@ -0,0 +1,84 @@ +-----BEGIN CERTIFICATE----- +MIIFhTCCA22gAwIBAgIJAJ+SIgl5BIzFMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJJTDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MQ8wDQYD +VQQKDAZBcGFjaGUxFTATBgNVBAMMDGNvbWJpbmVkLmNvbTAeFw0yMDA2MjIxNzU0 +MTFaFw0zMDA2MjAxNzU0MTFaMFkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJJTDEV +MBMGA1UEBwwMRGVmYXVsdCBDaXR5MQ8wDQYDVQQKDAZBcGFjaGUxFTATBgNVBAMM +DGNvbWJpbmVkLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMk+ +3gIBko7xQUrlQwaHZBtD2g4gwc70baOnJTUY8thtO4HkwDF7QtR+8kTIzc3RBxbN +0WjZidhBHUphMdopay7cO7C/NMRogNJjTQnMyzVXygwn0nDCYlqgbn8xO6Q3uJ54 +vILWZ75B+Q3uR77LBr3IBpD6OEgipIEhhCa/9F5I4OFX2T0mpjKnfka8VwjcA413 +kSoa90ilfMLfWQoX6scFHRlRYZ5rDR2/paQQL6DPhnIY2Fp0vU2H3AdiHS1uz4/5 +z1gYov7ozgWEOnxCg1fUXzAfvbrBkvtTxk8mENizRYmYZg6GON1g1ELmrcV1XDus +iTX+qEj3BzNhp3dmUuqEjb46gVfWD9BNuF2tuNG6J3cxJCYUgkI+YpXirgHCmv8d +XQ6575YFk021nn79eo6aX7K+x1yy1SA4j+ZH317ZTBr3gaCZYrkCzEbwmDo29llz +sv3D4lOH+JVWIW0sRUCHxd5oRDyHhNS62fuGXxCym9E8T+wfZ1nQTuggRkpy1MIj +nVI/tHiUXSaU/XdTk47qqRgxvVRbtgIxnvZ81JfsvX3BzGvNvUMI/UKw7bK2EkbW +yhxag1z/WAfdOnOJuW9KCe/ljsyZ18lIeL+LvxtkFnhznZbQGtUXE1FsFSaywa2q +l+z046iTcY1bTOWP+GSKby89fHoOH1ClbJBIIcQNAgMBAAGjUDBOMB0GA1UdDgQW +BBRwYTUpRi+YDV1jSAg0ccfHP4+V8zAfBgNVHSMEGDAWgBRwYTUpRi+YDV1jSAg0 +ccfHP4+V8zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBeNcLzVyGZ +5ZMyISTPBSWZTX0G80tT0m7JmIAvKoe2poroUYhoGr5ZycC0pRImzYj4zpNhI1sD +o5n83Z8Xvo1JNuhL8vyxc/QZEGczNSkxY5SF/gPt0D8brRryrjNSO04UOIdBTkOn +yX7cx+c7zEFiRQSmZKd7WcbEV9iOcF0+6JHVrICxCd8gp1LCj9cuH68f05BRXW9V +b0DVh7dC2BPQU2QvwVlbIX7HzDM7QyVOdnw0vcDJPZwehNquCW/wJfqrjI6OoUWJ +k/Zgb8Xj0TYqldUUkJgCEoiNL3Msznv8nyWAgo7saOMFDVTSDES3+TltZsewjgMP +b3KO1G8fUaGkMyEDgTfSl8KXbtd2FD6N3+jH6y+aeLIsVUjtHNBTjnX6ZPo4tka1 +L/9w/Op1UjqIL+vwLcXEdrcxdh3JEqb4oFYhr5g9fpkSZrzP1xHuCx2IAJlrz3GP +csI9fTzb04p4QX4aa62O70FkvVQhHIVHLzQ0lXi3+nJovLlV4Yop8mkFpvV0JefP +UDa+PcvgAq4+LsM1Y8N3IlF4VIfE2ThahEyQ0kVtNRr2wKjFxcvPWbQ0EPXcl+EY +A678CWbTxwsy+H4iIGjBmMalPjl+4W5a3UBKx6wQ1ZVPJDMpu8FIZ/JC8A1V9YcH +6GutNoBaA8oeWn8u+oYbL62dcqrQUxytaw== 
+-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDJPt4CAZKO8UFK +5UMGh2QbQ9oOIMHO9G2jpyU1GPLYbTuB5MAxe0LUfvJEyM3N0QcWzdFo2YnYQR1K +YTHaKWsu3DuwvzTEaIDSY00JzMs1V8oMJ9JwwmJaoG5/MTukN7ieeLyC1me+QfkN +7ke+ywa9yAaQ+jhIIqSBIYQmv/ReSODhV9k9JqYyp35GvFcI3AONd5EqGvdIpXzC +31kKF+rHBR0ZUWGeaw0dv6WkEC+gz4ZyGNhadL1Nh9wHYh0tbs+P+c9YGKL+6M4F +hDp8QoNX1F8wH726wZL7U8ZPJhDYs0WJmGYOhjjdYNRC5q3FdVw7rIk1/qhI9wcz +Yad3ZlLqhI2+OoFX1g/QTbhdrbjRuid3MSQmFIJCPmKV4q4Bwpr/HV0Oue+WBZNN +tZ5+/XqOml+yvsdcstUgOI/mR99e2Uwa94GgmWK5AsxG8Jg6NvZZc7L9w+JTh/iV +ViFtLEVAh8XeaEQ8h4TUutn7hl8QspvRPE/sH2dZ0E7oIEZKctTCI51SP7R4lF0m +lP13U5OO6qkYMb1UW7YCMZ72fNSX7L19wcxrzb1DCP1CsO2ythJG1socWoNc/1gH +3TpziblvSgnv5Y7MmdfJSHi/i78bZBZ4c52W0BrVFxNRbBUmssGtqpfs9OOok3GN +W0zlj/hkim8vPXx6Dh9QpWyQSCHEDQIDAQABAoICAB3lgQW7RhKGNLTzqilmI7EJ +O3Ot2hzsov0U76obsrgEQjrhyMuRDDSVR1iAnFJfIzZ4DQwOhTPjOH68QbOvQ4UK +orN3NFeZTsnyhpdWHToneJSltdWaixH7k27B2aJjxMGGHjsxrufM1TsEkxP9BVtc +Q911zraortegKwm2qo73NLFFY7h57WbJCzFm+WcPiFeT07T1nJbmPsqUc53UP8Sh +Ndl1BZOLQ7+PoQPmg6zYJ5j7p+iIPzctX7qZEMyXEa7J5cuonU5RN4oKQsYC+5Ao +tJtpm74K09MSdvt7JDWNLF9sjHzL49a/c8kci+QxsyoKT7f9xPJSAHfZog9S3C5H +WXXds+SFfhMQeqw6zJDoWukEeZ5Hg3oqUd2kwAbZZUobNwBaEnKG759+qlCaSNls ++C29WOLBkc4fqxR4/33A7tN9DlGycocG1yqfaQaKRt0Ny9UyhtDyi/i+mZAqe8Bp +I2bKvtkyPrXcyoIdmVP0PCfY2mrbAag2T1RrkTg24Z9YJt++c+HNBfZzrsO6oWs7 +5FHCUlWEt5baapVZxfA7ua2dwHdwQlQMV2hkh0U6qg8YA33liAdU6Os0Tjld1TJ0 +E8+TuG0NtiC9ng7O61r+43qJ6q5cMgb+Xbhv0XAKgJPwPly2W59RCd7TuThzuVIy +rGR2EFIx2vh8HmYcsNkBAoIBAQDqaAMHFHzhn5e5biUzK47OhZEwWB7xF++TylVq +Xx/+tz24CzJVhnEmUurugh7Yz8COrXd0fpt7bY6w9kovz7N0qHxhkYLykCXyyots +8Veaj1+ZJ5gLBBXbyTm6cu3jqk+rhD/h4GKawCp6OMFla2hfFo4hEK8KZA0xRLHi +1jZKLAqg7224QOdTXiCG5N6Jx1DL8ca3pVDJPG4Xb0kd1cjcWM5rc2KgG964wnkK +UEGkB63lz3h5lcXcJDhfxeJGthFvpIGpuOelyzjmYuwfoq5Ec9PIQSGjnlSt0CE6 +XgdexX6pZ1SmYCYcnk0veF0hgkQKuHhcIqCsw7nYFklNNH/lAoIBAQDbyNQLaW5g +SAdlBRnVZ0zjVAgYtTy/qWKANS0nYiPHW1q654nnztWIUa0T15v5FfzNLdkexvbK 
+vgghVjATVEcLHll8276NQju63HYilUT4Lz/9OsDZKDGliOG+9dblAU6MpHy08K8x +xD3UE+X8DKYTkfyBoSptqdCDfuLdKHWMvSryolN0ongyssjMif4kUyKiaLU4Wx7x +a5nwf54cb+0ZzxaiwafD/JJqbtSyMXv1PeCeCChf02DyZNHgfoPnIGNJ7dqT+Tae +j917/YTUY6+JRdcDJs9x5IrrIwkiGZJJqVhsMv0m9V82bQXBmbwMY+F/ilpCnmrj +OGYGKWnRTeEJAoIBABgf9lfPMv8hpsLt5CQ9EmiM9KFuIFkd5olmZJ4bBjb38wEz +Hc4RlSmllQpRGA2mbCIDFm1F7oiogOwTnRUIomaaRJriGAEQ9ubjE7B1sld09BjW +K17O39UMA8X9uCAbUjHL3atIpb1Zk8Wae8UNZeOLdbtPdURzgawVbt1ywImnuLxR +iBBTlbtNz7kyavjxK46h5prWB9d+QbJlwLeyXgbXmP8UFA14cNbBJSX7lpXkOHCT +hsm0sXVzwN2ShzRR3r+HxdSK9ERrAwMrITQsURU4eo58rZKiZAKzjgfsz4NgfiW/ +PcYV1TZS0IzXLXaaaphT3gdVhQXi6wijWo34nkUCggEAZCDVQbGxoFmQTNyLDWb3 +Z2WkHqWK3IJtpp0TSiryw+MBrb7IW/wl2enj4PNMUqlKt6sYjGX2jx0OFSnv0w6F +IzKbcD+oSzCOh63igBTjC/Jyw4ody5D9NT3sIpRbZ4812ushCUnRdunBhTnff/m/ +O5E5qVDkRHulzBJlhn3lN84Cn/GF9dAC1I4Q3uZLCv94+uabEOaqbTApPKDXRntT +WHu5A0MYjDgn+Ccv7VKP94VOLJDo2+cv9p4p442fyA9ATLD48IsL8Cb4r4ErH5ue +n/paX0wyG+ATzdXzVj6yH67v4rNEE5ib3O7EPZQtULO8St+cCVekuIm8KTh6xekm +CQKCAQEAw0E87tJ/H2HArgCeFWzrYhPU5eqrtNf0Ylweu5WqoaaH334WT2POszpY +k+pbeW9rPxHtUXLwfE4t3/vCv+yhpUYCTqD0jBxx6VehoGorf7d6AsJrxDaDMTR1 +7ZXUDP+hWRhLPRtGfVU6c4+aPVrOk5Dh/Ty0hX3k2C6PeI0XQubs2KCrM3BE3rqW +2QOzV215i8BsYxRO74KoPFDpd1690TA5YA4neaVXmNyojrMxsgfE3kIW+KgsFTMm +YMU8TBw96tGxHXfefAqhfAzzRDsKGFLtFGfFWnpdfLt5NYVStG/jbBEWIQ4DB+w/ +gRlOmSYtTPvP/KWvkgZ8WifJ4xMCOw== +-----END PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/signed-foo-ec.pem b/tests/gold_tests/tls/ssl/signed-foo-ec.pem index 14289ad6f7e..c6f362b0733 100644 --- a/tests/gold_tests/tls/ssl/signed-foo-ec.pem +++ b/tests/gold_tests/tls/ssl/signed-foo-ec.pem 
@@ -12,3 +12,11 @@ MdxfJxmgJiAPGCclJGiAdAnRAUhR0i2XlSnkFiCzxbIc8rwv84beztmeRnnLUcJK Qc4eSdrsHyfH3g8eFmzNW0sVDaYOiXVRReif4wQzO0mf8a3m5tBWcwBt2VucO0bL Qh8dytlcF7egrVhXMVGHVwzk -----END CERTIFICATE----- +-----BEGIN EC PARAMETERS----- +BggqhkjOPQMBBw== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIG2eKyPB3C9Efe1s7MQm6wdbFpAsIbpovesRCIJnYMb4oAoGCCqGSM49 +AwEHoUQDQgAEpz5axf97f4X/kx6PN8nyjkx5ree8nPmRI/TB0rq3e0ldH32hCrVQ +chq/mZzJCD3D/uuS27xJhl6t29JyABfAlw== +-----END EC PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/signed-foo.pem b/tests/gold_tests/tls/ssl/signed-foo.pem index 6f6aecf53d7..e3bf4cd29f1 100644 --- a/tests/gold_tests/tls/ssl/signed-foo.pem +++ b/tests/gold_tests/tls/ssl/signed-foo.pem 
@@ -17,3 +17,31 @@ m0yOR8w6MX8fxHKaekhJH1U84G64Ub0gbn2beOdLBQkG+4czLiOOOgyeukPaJJ81 od2ooE7DrGUPGnbHYxW/70EtVF5nQEctcqpKNF/d04mVKrqI90919MJSxJ5KedHK 2H11+gUPwDWy/mAwJzEJ -----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJheOsr0o4C0QV +elo8viYl/IjWvkj4Y6YojnO/E9T5HSfWxkRikRT8X7yqs9ClrjNcYoPNNQP5vgl1 +qAIeixUrbZZklcZ3kHF/MXdzuYV//uT3YfWrsOTdfbcu6adHtBr/Qc0w9GSbBpp4 +2ZALxzjZ2hZZq51XmKvcz55/gm/9YvlGErzvsPzkejdH6U1GKeLqGaZOqkV7N2J4 +zKmJyiPzwrmR/8y7k+9jDHQX+A2wa5gaiAMGdIM8aTV+XsNNAvespvXyX7UhwxDs +w0er0GLv4ssYCru5hF+tUcjeOCHxSnCoEC45b2zDZHATLLjr7AIJ52TcSo1kTaTi +rAOAiHRLAgMBAAECggEAB7fXBnAYOZlE3EW5WwY1U9MeMotLJCg83uTFzhWmXHwf +YHxrdhL0aM4J3cfRP+cyFGG5hox3QINkvVrX6e+NugISdnu+BCpGDocIeigq0sIi +Zs8bp524xjrgXy2XuIlPV2NfxnY1vDI+jE5Y0/qnVMCjhn+qIQa53lUdTujh/SRR +3U7di+QMK4mdGwRnInos++ENy33A+2LqtUK8i0ERkzPFa1yMQEE4DOFPzZcW+jhK +arvzBwPIn37PZmL5oyiQB1YiGPGt4XNfPBwACTMYM8LlYBfEBHG77k3bMtUf0WqE +GctoT5SIe5+YbyrWkpfHgoKPxggH3I3TrFnVvqrKQQKBgQDmcV1YbuNEQLeif521 +iGqMgPQYmnpO6k27RsZrM9ikhIgm9bVJsOqnaYzQFeSfJ3eNLXYUL6IF8g46xddw +fDBtrEjDAA9OUkNRcizbeKF+GJRMtX11d4ZNbnG1wyMZYkArZGfraZBLHPEF1pya +2iFdVfokQCBpLmX7BMQEPePyuwKBgQDf33H9njf9oO0l9GfuWDvSoaV8GwqV9x55 +sFjggQYD/xqwEprrzr524X5Y2ZiTUpBu+kqqM8GYfm3bzBKkZU1rnjwxADUwBw8U +L2U/Z7Id3om8tAdzHOSI9d7mxWA8uTsScMm0IFv2l/XBQo1+AAJSD03pcsabr4Lf +SuJGmoFTsQKBgQDVzPASEC+DL5gwh75Gop5YZXwTJ5+6f+BGlM+avquNV/kKTIU6 +LY5IbMFcfjNzBicBMOCQsfDdG0rgdJYBovc7idCoOvH4dJJIimnb5fvPBfbxhKE1 +zwMn7ARL4xQ5hNKMb8eKvpJFXkCwbgE2GpNCCXbfEy/+5jFvx2gll1ZZ6QKBgG3J +OzJ/w796irHBQLKOzI+HvAq3jCJs9KICjCNUwql1EhZkmVqooZjVDkvuMbeVlsUF +s1XyWa852RAf7Mh38VakW6pACtVJsOhaMdG9PYkOWAeVVc3qzlwoDy6mfoJo6AIs +E45lDBRLAzbKN28h/AFYBgJEygcRNCHirEKphGCRAoGAEhcaxbmMo2fHBYuvOR1Q +ZAIq1EPvysDROUBHhdTJqN1wHsuJsmVJxX42+YHcZdjtgeCdjU3HMoyCnTaRxDee +K3VeB4PobN1WpQwFklFoqcvAhW6eicdZXme7ktK120NPQsXrmjgN6Lfg3PNjosn0 +tqSxQhQ4DrSf60fxx0/M/rw= +-----END PRIVATE KEY----- 
diff --git a/tests/gold_tests/tls/ssl/signed-san-ec.pem b/tests/gold_tests/tls/ssl/signed-san-ec.pem index 78cc9d467c2..1030f0affe6 100644 --- a/tests/gold_tests/tls/ssl/signed-san-ec.pem +++ b/tests/gold_tests/tls/ssl/signed-san-ec.pem @@ -13,3 +13,8 @@ V++/kil6USZaQ0TTNhAtCeao9p5WCN1NdHNtnulacu0cYPCI0cbpy2CVZC6JMrNE 21SFssxKaeM1yoyIDEjIkr5IaCCOnr5XdOAO6/eISapkIPE/1GEbxyEgk1yqTJkr KB22uwprz1abKaQNBfTR2bV+57JlmnNuzg== -----END CERTIFICATE----- +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIBh9PX40P1qCTpRxqbrxRyHsy1dAlEMZmUJpOZjgS2eXoAoGCCqGSM49 +AwEHoUQDQgAEBwvhzslwxPu7OdDlJFHpFoCTfa2zxqD7MI9AI5263g5Dov8Kcs1t +Kr1GTz3sunVCEOjVv5ASNokITXFu7+Bvcw== +-----END EC PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/signed-san.pem b/tests/gold_tests/tls/ssl/signed-san.pem index 15aeed3bb18..3ab771cb5a8 100644 --- a/tests/gold_tests/tls/ssl/signed-san.pem +++ b/tests/gold_tests/tls/ssl/signed-san.pem 
@@ -17,3 +17,31 @@ AAOBgQA00nnSb9iqOa8EPJrkbEasuAqe5gw7ehDgaVHLxUrWeJUPwNJdnbYK4hLw qWeRKM6Qgxt8rjC/vqDjAxuNjHqFbdhL3supu2bHaBH5xFRqibY5rOY6AkL9SfMU r8Lj/NQvqtIzoFM81rhSTDRoHNazVv0TjbcZKTAT25ARX4HQIw== -----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCtQayAL7EHSxEP +uclHEa4mMh/pO5N8VULdVA6sHN9k5mUAEnL3p3nNsdVE9pLtHIxgcoXCcLAPG+eL +bSAk+C/l+pubz8GAWHdOC/3xpdrzQjOiYzi2Megl6M+VpwaMOd0s14zdFZloS37y +M7GnjLKIRO8dMz744SSAPZYIvnx1XAJ/zA9uLbYzvFWbwkuT8G2+Jo+IHl4FyMX2 +wTTXLeYf66RKUnTFcNG7ysNbUr7hDJR8E/lek00K3t8YGzYrqCtHIH3OLkpKNU3l +HhWRQ0zrNRwfF+hWfYXq3SZ5+C1eo2RZe8SHPbNPbpJxGMMkxNRkCyWuMywoc2dA +nm1HyI2nAgMBAAECggEAKkhOyvHYqEj/nvDeWEPOVnABLbBma/960/0Bn6tkMYGw +wHXALQRoS3TM8Ymjjc5by+XnEu7haK6MsZAuOhd/yQaCF2J6fNIaO6fdj63EY32S +kFzaqExBtY69qm4awPoWKi1oqUPuLm/OSVmoT5WctHjuShgJlD+N4uYkyXmDcjhd +cED+Uy6LCK0TelhkN2J3TBMD1yI2bccORTVtihXWQhr7ROzXiyV5O143LFvSTNdr +l8FlOQbJhIxThUmydecONi1PYAkP/ySYFqLjLfCmonoVJFdjdgJsiXBEtUJ/8CQY ++ar2vqRL4/4Y+9eerlZFy3e6lidofPu0YGTWdCTcUQKBgQDSvBW5+61DZ8p9f3UX +04an8CyKgHDcH/lqKQMB8GvEhWCQG2nnrs6fQieiKj4P5bwuf01oNu4txxIg1GnS +r5MTZfzCEe89X06vcwzcTOQsMfUlzx7qMpQaqzshwchFLpCD2pj2vGIlL+g6piN0 ++X7RjRykBe0Nx5wYx3RYI78DCwKBgQDSeLuz2Q3n8Oqz+m9Zl+g1jMNgY861+zv5 +fZb43xXegef82RUata9ZGaRelODYdWmNiRGGAgfe1ddOW0xc3Ve1W9lonFLE84je +Oc57S2q9LiVuKJbhDQ6br1eGLv8RywsUhNdWRBIH9Mn3+1nIXAtlHt7Jp3lDeVO/ +WJa3vvyBVQKBgFDTMsISdXHU7SUVLaPlzU+8HllAygijetXsxOqJe8v0HAUpfoUN +1tHeXbUk3ojaZEKxMM83wkJsh9dvoObd0FswUrFcj5XKaDOCvPwBwcHxp0TJG+JX +Y9aWtidMW7OtGGB6BxEbT8lTho54CkFjL/DPXpzKaRFP7d7TIRxtGWXhAoGANjTw +KvbZNQaAfFAgw5NzM++IFlg+UfJd1Pj6nChgqokMpbuHSvTGL42CHvX7HuTGhbRq +tffp7QNoS38KINTFFSmNyfqQ+ra6Znm+61RWLlknPMLpcRb6zzAOu7l46i1AMk2w +ZEBt4Gy0Y9Dxo7/JE4cq3AbtHWqvHhYD41kmEW0CgYB2gL7IbeCeQG0wNOb0xHtu +aXQzK5JUOut811QJLNPzxS+G70bbSRC9gkqFAizCSvCqzao7/3pw9unQzaR0h/3V +OKEZF8angN9ORP5mOmlMQSvUtAZYfiuCMnZ4EeAhklA9hbAqGScevrdJUxnCN2c3 +DtR0mYMkmrdwISjW9aZnrg== +-----END PRIVATE KEY----- 
diff --git a/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py b/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py
index 633144a5f74..5a1ca7f6e3c 100644
--- a/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py
+++ b/tests/gold_tests/tls/tls_check_dual_cert_selection.test.py
@@ -77,13 +77,21 @@ san_ec_string = ""
 san_rsa_string = ""
 with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo-ec.pem'), 'r') as myfile:
- foo_ec_string = re.escape(myfile.read())
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ foo_ec_string = re.escape(file_string[0:cert_end])
 with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo.pem'), 'r') as myfile:
- foo_rsa_string = re.escape(myfile.read())
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ foo_rsa_string = re.escape(file_string[0:cert_end])
 with open(os.path.join(Test.TestDirectory,'ssl', 'signed-san-ec.pem'), 'r') as myfile:
- san_ec_string = re.escape(myfile.read())
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ san_ec_string = re.escape(file_string[0:cert_end])
 with open(os.path.join(Test.TestDirectory,'ssl', 'signed-san.pem'), 'r') as myfile:
- san_rsa_string = re.escape(myfile.read())
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ san_rsa_string = re.escape(file_string[0:cert_end])
 # Should receive a EC cert since ATS cipher list prefers EC
 tr = Test.AddTestRun("Default for foo should return EC cert")
diff --git a/tests/gold_tests/tls/tls_check_dual_cert_selection2.test.py b/tests/gold_tests/tls/tls_check_dual_cert_selection2.test.py
new file mode 100644
index 00000000000..e74ff81f0c3
--- /dev/null
+++ b/tests/gold_tests/tls/tls_check_dual_cert_selection2.test.py
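Review bot: The read/find/slice triple is pasted four times in this hunk (and six more times in the new tls_check_dual_cert_selection2.test.py), and `file_string.find("END CERTIFICATE-----")` returns -1 when the marker is missing, in which case `file_string[0:cert_end]` silently becomes the whole file minus its last character instead of failing. A small helper that does the slice once and asserts the marker was found reduces each assignment to one line; it is also the right place to record why only the certificate part is matched now that the .pem fixtures carry the private key, which the s_client output never prints. The module continues outside the hunk.
```python
def cert_pattern(pem_name):
    """Escaped text of the certificate block in ssl/<pem_name>, up to the END CERTIFICATE marker.

    The fixture files now also hold the private key, which never appears in the
    s_client output, so only the certificate part is used as the expected pattern.
    """
    with open(os.path.join(Test.TestDirectory, 'ssl', pem_name), 'r') as myfile:
        file_string = myfile.read()
    cert_end = file_string.find("END CERTIFICATE-----")
    assert cert_end != -1, "no certificate block in {0}".format(pem_name)
    return re.escape(file_string[0:cert_end])

foo_ec_string = cert_pattern('signed-foo-ec.pem')
foo_rsa_string = cert_pattern('signed-foo.pem')
san_ec_string = cert_pattern('signed-san-ec.pem')
san_rsa_string = cert_pattern('signed-san.pem')
# … unchanged: test runs below …
```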
@@ -0,0 +1,180 @@
+'''
+'''
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+Test.Summary = '''
+Test ATS offering both RSA and EC certificates
+Combined key and cert files. Faulty key path
+'''
+
+import os
+import re
+
+# Define default ATS
+ts = Test.MakeATSProcess("ts", select_ports=True, enable_tls=True)
+server = Test.MakeOriginServer("server", ssl=True)
+dns = Test.MakeDNServer("dns")
+
+request_header = {"headers": "GET / HTTP/1.1\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": ""}
+server.addResponse("sessionlog.json", request_header, response_header)
+
+# add ssl materials like key, certificates for the server
+ts.addSSLfile("ssl/signed-foo.pem")
+ts.addSSLfile("ssl/signed-foo.key")
+ts.addSSLfile("ssl/signed-foo-ec.pem")
+ts.addSSLfile("ssl/signed-foo-ec.key")
+ts.addSSLfile("ssl/signed-san.pem")
+ts.addSSLfile("ssl/signed-san.key")
+ts.addSSLfile("ssl/signed-san-ec.pem")
+ts.addSSLfile("ssl/signed-san-ec.key")
+ts.addSSLfile("ssl/combined-ec.pem")
+ts.addSSLfile("ssl/combined.pem")
+ts.addSSLfile("ssl/signer.pem")
+ts.addSSLfile("ssl/signer.key")
+
+ts.Disk.remap_config.AddLine(
+ 'map / 
https://foo.com:{1}'.format(ts.Variables.ssl_port, server.Variables.SSL_Port))
+
+ts.Disk.ssl_multicert_config.AddLines([
+ 'ssl_cert_name=combined-ec.pem,combined.pem',
+ 'ssl_cert_name=signed-foo-ec.pem,signed-foo.pem',
+ 'dest_ip=* ssl_cert_name=signed-san-ec.pem,signed-san.pem'
+])
+
+# Case 1, global config policy=permissive properties=signature
+# override for foo.com policy=enforced properties=all
+ts.Disk.records_config.update({
+ 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
+ 'proxy.config.ssl.server.private_key.path': '/tmp', # Faulty key path should not matter, since there are no key files
+ 'proxy.config.ssl.server.cipher_suite': 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256',
+ 'proxy.config.url_remap.pristine_host_hdr': 1,
+ 'proxy.config.dns.nameservers': '127.0.0.1:{0}'.format(dns.Variables.Port),
+ 'proxy.config.exec_thread.autoconfig.scale': 1.0,
+ 'proxy.config.dns.resolv_conf': 'NULL',
+ 'proxy.config.diags.debug.tags': 'ssl',
+ 'proxy.config.diags.debug.enabled': 0
+})
+
+dns.addRecords(records={"foo.com.": ["127.0.0.1"]})
+dns.addRecords(records={"bar.com.": ["127.0.0.1"]})
+
+foo_ec_string = ""
+foo_rsa_string = ""
+san_ec_string = ""
+san_rsa_string = ""
+combo_ec_string = ""
+combo_rsa_string = ""
+with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo-ec.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ foo_ec_string = re.escape(file_string[0:cert_end])
+with open(os.path.join(Test.TestDirectory,'ssl', 'signed-foo.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ foo_rsa_string = re.escape(file_string[0:cert_end])
+with open(os.path.join(Test.TestDirectory,'ssl', 'signed-san-ec.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ san_ec_string = re.escape(file_string[0:cert_end])
+with 
open(os.path.join(Test.TestDirectory,'ssl', 'signed-san.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ san_rsa_string = re.escape(file_string[0:cert_end])
+with open(os.path.join(Test.TestDirectory,'ssl', 'combined-ec.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ combo_ec_string = re.escape(file_string[0 : cert_end])
+with open(os.path.join(Test.TestDirectory,'ssl', 'combined.pem'), 'r') as myfile:
+ file_string = myfile.read()
+ cert_end = file_string.find("END CERTIFICATE-----")
+ combo_rsa_string = re.escape(file_string[0 : cert_end])
+
+# Should receive a EC cert since ATS cipher list prefers EC
+tr = Test.AddTestRun("Default for foo should return EC cert")
+tr.Setup.Copy("ssl/signer.pem")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername foo.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port, foo_ec_string)
+tr.ReturnCode = 0
+tr.Processes.Default.StartBefore(server)
+tr.Processes.Default.StartBefore(dns)
+tr.Processes.Default.StartBefore(Test.Processes.ts, ready=When.PortOpen(ts.Variables.ssl_port))
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(foo_ec_string, "Should select EC cert",reflags=re.S | re.M)
+
+# Should receive a RSA cert
+tr = Test.AddTestRun("Only offer RSA ciphers, should receive RSA cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername foo.com -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(foo_rsa_string, "Should select RSA cert",reflags=re.S | re.M)
+
+# Should receive a EC cert
+tr = Test.AddTestRun("Default for two.com should return EC cert")
+tr.Processes.Default.Command = "echo foo | 
openssl s_client -tls1_2 -servername two.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(san_ec_string, "Should select EC cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = group.com", "Should select a group SAN");
+
+# Should receive a RSA cert
+tr = Test.AddTestRun("Only offer RSA ciphers, should receive RSA cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername two.com -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(san_rsa_string, "Should select RSA cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = group.com", "Should select a group SAN");
+
+# Should receive a RSA cert
+tr = Test.AddTestRun("rsa.com only in rsa cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername rsa.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(san_rsa_string, "Should select RSA cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = group.com", "Should select a group SAN");
+
+# Should receive a EC cert
+tr = Test.AddTestRun("ec.com only in ec cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername ec.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(san_ec_string, "Should select EC cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = group.com", "Should select a group SAN");
+
+# Should receive a EC cert
+tr = Test.AddTestRun("Default for combined.com should return EC cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername combined.com -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(combo_ec_string, "Should select EC cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = combined.com", "Should select combined pem")
+
+# Should receive a RSA cert
+tr = Test.AddTestRun("Only offer RSA ciphers, should receive RSA cert")
+tr.Processes.Default.Command = "echo foo | openssl s_client -tls1_2 -servername combined.com -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect 127.0.0.1:{0}".format(ts.Variables.ssl_port)
+tr.ReturnCode = 0
+tr.StillRunningAfter = server
+tr.StillRunningAfter = ts
+tr.Processes.Default.Streams.All += Testers.ContainsExpression(combo_rsa_string, "Should select RSA cert", reflags=re.S | re.M)
+tr.Processes.Default.Streams.All += Testers.ContainsExpression("CN = combined.com", "Should select combined pem")
+
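Review bot: The records_config comment says the `/tmp` private_key.path does not matter "since there are no key files", but the setup still calls `ts.addSSLfile` for signed-foo.key, signed-foo-ec.key, signed-san.key and signed-san-ec.key, so key files are copied even though ssl_multicert.config lists only .pem names; drop those four addSSLfile lines or reword the comment to `# key path is deliberately bogus: every ssl_cert_name below is a combined cert+key .pem, so no separate key file is ever opened`. The first test run's Command calls `.format(ts.Variables.ssl_port, foo_ec_string)` although the string only has `{0}`, so the second argument is dead; `.format(ts.Variables.ssl_port)` is enough. The file also opens with an empty `'''` `'''` docstring ahead of the license header and several `ContainsExpression("CN = group.com", ...)` lines end in a stray `;`, presumably both carried over from the older test.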