backport of commit d3a91f7 (#29292)

Co-authored-by: Steven Clark <[email protected]>

builtin/credential/cert/test-fixtures/keys/cert.pem

@@ -1,22 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw
-MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS
-TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn
-SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi
-YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5
-donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG
-B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1
-MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e
-HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o
-k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x
-OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A
-AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br
-aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs
-X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4
-aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
-KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
-QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
-xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
+MIIC2zCCAcOgAwIBAgIJAJIiPq+77hewMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMTC2V4YW1wbGUuY29tMCAXDTI1MDEwNjE0MzgzMloYDzIwNTAwMTA3MTQzODMy
+WjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftet
+T8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNh
+eZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMm
+MO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJ
+GuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuH
+C3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABoyUwIzAhBgNVHREE
+GjAYghBjZXJ0LmV4YW1wbGUuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB/
+0M2jZ8cZJW23s1xpMDS5u2ScrW4QdpVsPbuBu5dxi3SNx7MK0CbvcNVUEZE0WV6b
+rCYvYS0+SBi0skudHRV7IeRADPcvzbXY/AdFktWt0adtQ/5B/DKeZIRrnhGtlzhD
+m8b3TTnKLoGdV7iS5HO8emvlzaihY/5PjObkztLRLLDRmBAOwYv4z/xBhEqZJRV1
+Ztywy/Qy5srNJug+sHmj8JlBldob/Ohk7Eon04XvXMuCIBptPG/QytnmgGbDGghD
+WO/HpCWBh6GHrwzQtof8y7Upxi16i5DSiFbRwNXgRyST4W/ChpZoggvOJ/RI4o2g
+5serAZLPfBGztdRbTef2
 -----END CERTIFICATE-----

builtin/credential/cert/test-fixtures/keys/rebuild-cert.md

@@ -0,0 +1,6 @@
+To rebuild the cert.pem within this folder run the following commands
+
+```shell
+$ openssl x509 -in cert.pem -signkey key.pem -x509toreq -out cert.csr
+$ openssl x509 -req -in cert.csr -CA ../root/rootcacert.pem -CAkey ../root/rootcakey.pem -CAcreateserial -out cert.pem -days 9132 -sha256 -extensions v3_req -extfile <(echo "[v3_req]\nsubjectAltName=DNS:cert.example.com,IP:127.0.0.1")
+```

vault/diagnose/tls_verification_test.go

@@ -14,6 +14,7 @@ import (
 
 	pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
 	"github.com/hashicorp/vault/internalshared/configutil"
+	"github.com/stretchr/testify/require"
 )
 
 // TestTLSValidCert is the positive test case to show that specifying a valid cert and key
@@ -124,13 +125,14 @@ func TestTLSExpiredCert(t *testing.T) {
 // TestTLSMismatchedCryptographicInfo verifies that a cert and key of differing cryptographic
 // types, when specified together, is met with a unique error message.
 func TestTLSMismatchedCryptographicInfo(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:            "./test-fixtures/ecdsa.key",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
+			TLSKeyFile:            "./test-fixtures/goodkey.pem", // pkihelper uses EC keys, this file is an RSA key
 			TLSMinVersion:         "tls10",
 			TLSDisableClientCerts: true,
 		},
@@ -148,7 +150,7 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./test-fixtures/ecdsa.crt",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
 			TLSKeyFile:            "./../../api/test-fixtures/keys/key.pem",
 			TLSClientCAFile:       "./../../api/test-fixtures/root/rootcacert.pem",
 			TLSMinVersion:         "tls10",
@@ -189,13 +191,15 @@ func TestTLSMultiKeys(t *testing.T) {
 
 // TestTLSCertAsKey verifies that a unique error message is thrown when a cert is specified twice.
 func TestTLSCertAsKey(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:            "./../../api/test-fixtures/keys/cert.pem",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
+			TLSKeyFile:            testCaFiles.Leaf.CertFile,
 			TLSMinVersion:         "tls10",
 			TLSDisableClientCerts: true,
 		},
@@ -213,13 +217,21 @@ func TestTLSCertAsKey(t *testing.T) {
 // the root. The root certificate used in this test is the Baltimore Cyber Trust root
 // certificate, downloaded from: https://www.digicert.com/kb/digicert-root-certificates.htm
 func TestTLSInvalidRoot(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+	otherRoot := pkihelper.GenerateRootCa(t)
+
+	tempDir := t.TempDir()
+	mixedRoots := filepath.Join(tempDir, "leaf-with-bad-root.pem")
+	err := os.WriteFile(mixedRoots, append(pem.EncodeToMemory(testCaFiles.Leaf.CertPem), pem.EncodeToMemory(otherRoot.CertPem)...), 0o644)
+	require.NoError(t, err, "Failed to write file %s", mixedRoots)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./test-fixtures/goodcertbadroot.pem",
-			TLSKeyFile:            "./test-fixtures/goodkey.pem",
+			TLSCertFile:           mixedRoots,
+			TLSKeyFile:            testCaFiles.Leaf.KeyFile,
 			TLSMinVersion:         "tls10",
 			TLSDisableClientCerts: true,
 		},
@@ -237,13 +249,15 @@ func TestTLSInvalidRoot(t *testing.T) {
 // is still accepted by diagnose as valid. This is an acceptable, though less secure,
 // server configuration.
 func TestTLSNoRoot(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:            "./test-fixtures/goodkey.pem",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
+			TLSKeyFile:            testCaFiles.Leaf.KeyFile,
 			TLSMinVersion:         "tls10",
 			TLSDisableClientCerts: true,
 		},
@@ -258,14 +272,16 @@ func TestTLSNoRoot(t *testing.T) {
 // TestTLSInvalidMinVersion checks that a listener with an invalid minimum configured
 // version errors appropriately.
 func TestTLSInvalidMinVersion(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:            "./../../api/test-fixtures/keys/key.pem",
-			TLSClientCAFile:       "./../../api/test-fixtures/root/rootcacert.pem",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
+			TLSKeyFile:            testCaFiles.Leaf.KeyFile,
+			TLSClientCAFile:       testCaFiles.RootCa.CertFile,
 			TLSMinVersion:         "0",
 			TLSDisableClientCerts: true,
 		},
@@ -282,14 +298,16 @@ func TestTLSInvalidMinVersion(t *testing.T) {
 // TestTLSInvalidMaxVersion checks that a listener with an invalid maximum configured
 // version errors appropriately.
 func TestTLSInvalidMaxVersion(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                  "tcp",
 			Address:               "127.0.0.1:443",
 			ClusterAddress:        "127.0.0.1:8201",
-			TLSCertFile:           "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:            "./../../api/test-fixtures/keys/key.pem",
-			TLSClientCAFile:       "./../../api/test-fixtures/root/rootcacert.pem",
+			TLSCertFile:           testCaFiles.Leaf.CertFile,
+			TLSKeyFile:            testCaFiles.Leaf.KeyFile,
+			TLSClientCAFile:       testCaFiles.RootCa.CertFile,
 			TLSMaxVersion:         "0",
 			TLSDisableClientCerts: true,
 		},
@@ -549,13 +567,15 @@ func TestTLSMultipleRootInClientCACert(t *testing.T) {
 
 // TestTLSSelfSignedCerts tests invalid self-signed cert as TLSClientCAFile
 func TestTLSSelfSignedCert(t *testing.T) {
+	testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 	listeners := []*configutil.Listener{
 		{
 			Type:                          "tcp",
 			Address:                       "127.0.0.1:443",
 			ClusterAddress:                "127.0.0.1:8201",
-			TLSCertFile:                   "./../../api/test-fixtures/keys/cert.pem",
-			TLSKeyFile:                    "./../../api/test-fixtures/keys/key.pem",
+			TLSCertFile:                   testCaFiles.Leaf.CertFile,
+			TLSKeyFile:                    testCaFiles.Leaf.KeyFile,
 			TLSClientCAFile:               "test-fixtures/selfSignedCert.pem",
 			TLSMinVersion:                 "tls10",
 			TLSRequireAndVerifyClientCert: true,