1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
package bundler
// This test file contains tests on checking Bundle.Status with SHA-1 deprecation warning.
import (
"crypto/x509"
"io/ioutil"
"testing"
"time"
"github.com/cloudflare/cfssl/config"
"github.com/cloudflare/cfssl/errors"
"github.com/cloudflare/cfssl/helpers"
"github.com/cloudflare/cfssl/signer"
"github.com/cloudflare/cfssl/signer/local"
"github.com/cloudflare/cfssl/ubiquity"
)
const (
sha1CA = "testdata/ca.pem"
sha1CAKey = "testdata/ca.key"
sha1Intermediate = "testdata/inter-L1-sha1.pem"
sha2Intermediate = "testdata/inter-L1.pem"
intermediateKey = "testdata/inter-L1.key"
intermediateCSR = "testdata/inter-L1.csr"
leafCSR = "testdata/cfssl-leaf-ecdsa256.csr"
)
func TestChromeWarning(t *testing.T) {
b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "")
s, err := local.NewSignerFromFile(sha1Intermediate, intermediateKey, nil)
if err != nil {
t.Fatal(err)
}
csrBytes, err := ioutil.ReadFile(leafCSR)
if err != nil {
t.Fatal(err)
}
signingRequest := signer.SignRequest{Request: string(csrBytes)}
certBytes, err := s.Sign(signingRequest)
if err != nil {
t.Fatal(err)
}
// Bundle a leaf cert with default 1 year expiration
bundle, err := b.BundleFromPEMorDER(certBytes, nil, Ubiquitous, "")
if err != nil {
t.Fatal("bundling failed: ", err)
}
// should be not ubiquitous due to SHA2 and ECDSA support issues in legacy platforms
if bundle.Status.Code&errors.BundleNotUbiquitousBit != errors.BundleNotUbiquitousBit {
t.Fatal("Incorrect bundle status code. Bundle status code:", bundle.Status.Code)
}
fullChain := append(bundle.Chain, bundle.Root)
sha1Msgs := ubiquity.SHA1DeprecationMessages(fullChain)
// Since the new SHA-1 cert is expired after 2015, it definitely trigger Chrome's deprecation policies.
if len(sha1Msgs) == 0 {
t.Fatal("SHA1 Deprecation Message should not be empty")
}
// check SHA1 deprecation warnings
var sha1MsgNotFound bool
for _, sha1Msg := range sha1Msgs {
foundMsg := false
for _, message := range bundle.Status.Messages {
if message == sha1Msg {
foundMsg = true
}
}
if !foundMsg {
sha1MsgNotFound = true
break
}
}
if sha1MsgNotFound {
t.Fatalf("Incorrect bundle status messages. Bundle status messages:%v, expected to contain: %v\n", bundle.Status.Messages, sha1Msgs)
}
}
func TestSHA2Preferences(t *testing.T) {
// create a CA signer and signs a new intermediate with SHA-1
sha1CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA1WithRSA, t)
// create a CA signer and signs a new intermediate with SHA-2
sha2CASigner := makeCASignerFromFile(sha1CA, sha1CAKey, x509.SHA256WithRSA, t)
// sign two different intermediates
sha1InterBytes := signCSRFile(sha1CASigner, intermediateCSR, t)
sha2InterBytes := signCSRFile(sha2CASigner, intermediateCSR, t)
interKeyBytes, err := ioutil.ReadFile(intermediateKey)
if err != nil {
t.Fatal(err)
}
// create a intermediate signer from SHA-1 intermediate cert/key
sha2InterSigner := makeCASigner(sha1InterBytes, interKeyBytes, x509.SHA256WithRSA, t)
// sign a leaf cert
leafBytes := signCSRFile(sha2InterSigner, leafCSR, t)
// create a bundler with SHA-1 and SHA-2 intermediate certs of same key.
b := newCustomizedBundlerFromFile(t, sha1CA, sha1Intermediate, "")
if err != nil {
t.Fatal(err)
}
sha1Inter, _ := helpers.ParseCertificatePEM(sha1InterBytes)
sha2Inter, _ := helpers.ParseCertificatePEM(sha2InterBytes)
b.IntermediatePool.AddCert(sha1Inter)
b.IntermediatePool.AddCert(sha2Inter)
bundle, err := b.BundleFromPEMorDER(leafBytes, nil, Ubiquitous, "")
if err != nil {
t.Fatal("bundling failed: ", err)
}
if bundle.Chain[1].SignatureAlgorithm != x509.SHA256WithRSA {
t.Fatal("ubiquity selection by SHA-2 homogenity failed.")
}
}
func makeCASignerFromFile(certFile, keyFile string, sigAlgo x509.SignatureAlgorithm, t *testing.T) signer.Signer {
certBytes, err := ioutil.ReadFile(certFile)
if err != nil {
t.Fatal(err)
}
keyBytes, err := ioutil.ReadFile(keyFile)
if err != nil {
t.Fatal(err)
}
return makeCASigner(certBytes, keyBytes, sigAlgo, t)
}
func makeCASigner(certBytes, keyBytes []byte, sigAlgo x509.SignatureAlgorithm, t *testing.T) signer.Signer {
cert, err := helpers.ParseCertificatePEM(certBytes)
if err != nil {
t.Fatal(err)
}
key, err := helpers.ParsePrivateKeyPEM(keyBytes)
if err != nil {
t.Fatal(err)
}
defaultProfile := &config.SigningProfile{
Usage: []string{"cert sign"},
CAConstraint: config.CAConstraint{IsCA: true},
Expiry: time.Hour,
ExpiryString: "1h",
}
policy := &config.Signing{
Profiles: map[string]*config.SigningProfile{},
Default: defaultProfile,
}
s, err := local.NewSigner(key, cert, sigAlgo, policy)
if err != nil {
t.Fatal(err)
}
return s
}
func signCSRFile(s signer.Signer, csrFile string, t *testing.T) []byte {
csrBytes, err := ioutil.ReadFile(csrFile)
if err != nil {
t.Fatal(err)
}
signingRequest := signer.SignRequest{Request: string(csrBytes)}
certBytes, err := s.Sign(signingRequest)
if err != nil {
t.Fatal(err)
}
return certBytes
}
|
