diff --git a/builtin/credential/cert/test-fixtures/keys/cert.pem b/builtin/credential/cert/test-fixtures/keys/cert.pem
index 942d26698b12..5b7fa1aed069 100644
--- a/builtin/credential/cert/test-fixtures/keys/cert.pem
+++ b/builtin/credential/cert/test-fixtures/keys/cert.pem
@@ -1,22 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIDtTCCAp2gAwIBAgIUf+jhKTFBnqSs34II0WS1L4QsbbAwDQYJKoZIhvcNAQEL
-BQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTYwMjI5MDIyNzQxWhcNMjUw
-MTA1MTAyODExWjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxS
-TRAVnygAftetT8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGn
-SgMld6ZWRhNheZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmi
-YYMiIWplidMmMO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5
-donyqtnaHuIJGuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVG
-B+5+AAGF5iuHC3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABo4H1
-MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUm++e
-HpyM3p708bgZJuRYEdX1o+UwHwYDVR0jBBgwFoAUncSzT/6HMexyuiU9/7EgHu+o
-k5swOwYIKwYBBQUHAQEELzAtMCsGCCsGAQUFBzAChh9odHRwOi8vMTI3LjAuMC4x
-OjgyMDAvdjEvcGtpL2NhMCEGA1UdEQQaMBiCEGNlcnQuZXhhbXBsZS5jb22HBH8A
-AAEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovLzEyNy4wLjAuMTo4MjAwL3YxL3Br
-aS9jcmwwDQYJKoZIhvcNAQELBQADggEBABsuvmPSNjjKTVN6itWzdQy+SgMIrwfs
-X1Yb9Lefkkwmp9ovKFNQxa4DucuCuzXcQrbKwWTfHGgR8ct4rf30xCRoA7dbQWq4
-aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
-KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
-QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
-xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
+MIIC2zCCAcOgAwIBAgIJAJIiPq+77hewMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV
+BAMTC2V4YW1wbGUuY29tMCAXDTI1MDEwNjE0MzgzMloYDzIwNTAwMTA3MTQzODMy
+WjAbMRkwFwYDVQQDExBjZXJ0LmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAsZx0Svr82YJpFpIy4fJNW5fKA6B8mhxSTRAVnygAftet
+T8puHflY0ss7Y6X2OXjsU0PRn+1PswtivhKi+eLtgWkUF9cFYFGnSgMld6ZWRhNh
+eZhA6ZfQmeM/BF2pa5HK2SDF36ljgjL9T+nWrru2Uv0BCoHzLAmiYYMiIWplidMm
+MO5NTRG3k+3AN0TkfakB6JVzjLGhTcXdOcVEMXkeQVqJMAuGouU5donyqtnaHuIJ
+GuUdy54YDnX86txhOQhAv6r7dHXzZxS4pmLvw8UI1rsSf/GLcUVGB+5+AAGF5iuH
+C3N2DTl4xz3FcN4Cb4w9pbaQ7+mCzz+anqiJfyr2nwIDAQABoyUwIzAhBgNVHREE
+GjAYghBjZXJ0LmV4YW1wbGUuY29thwR/AAABMA0GCSqGSIb3DQEBCwUAA4IBAQB/
+0M2jZ8cZJW23s1xpMDS5u2ScrW4QdpVsPbuBu5dxi3SNx7MK0CbvcNVUEZE0WV6b
+rCYvYS0+SBi0skudHRV7IeRADPcvzbXY/AdFktWt0adtQ/5B/DKeZIRrnhGtlzhD
+m8b3TTnKLoGdV7iS5HO8emvlzaihY/5PjObkztLRLLDRmBAOwYv4z/xBhEqZJRV1
+Ztywy/Qy5srNJug+sHmj8JlBldob/Ohk7Eon04XvXMuCIBptPG/QytnmgGbDGghD
+WO/HpCWBh6GHrwzQtof8y7Upxi16i5DSiFbRwNXgRyST4W/ChpZoggvOJ/RI4o2g
+5serAZLPfBGztdRbTef2
 -----END CERTIFICATE-----
diff --git a/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md b/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md
new file mode 100644
index 000000000000..6a69ff78e460
--- /dev/null
+++ b/builtin/credential/cert/test-fixtures/keys/rebuild-cert.md
@@ -0,0 +1,6 @@
+To rebuild the cert.pem within this folder run the following commands
+
+```shell
+$ openssl x509 -in cert.pem -signkey key.pem -x509toreq -out cert.csr
+$ openssl x509 -req -in cert.csr -CA ../root/rootcacert.pem -CAkey ../root/rootcakey.pem -CAcreateserial -out cert.pem -days 9132 -sha256 -extensions v3_req -extfile <(echo "[v3_req]\nsubjectAltName=DNS:cert.example.com,IP:127.0.0.1")
+```
diff --git a/vault/diagnose/tls_verification_test.go b/vault/diagnose/tls_verification_test.go
index 769330fb776d..9a7640fba1d0 100644
--- a/vault/diagnose/tls_verification_test.go
+++ b/vault/diagnose/tls_verification_test.go
@@ -14,6 +14,7 @@ import (
 pkihelper "github.com/hashicorp/vault/helper/testhelpers/pki"
 "github.com/hashicorp/vault/internalshared/configutil"
+ "github.com/stretchr/testify/require"
 )
 // TestTLSValidCert is the positive test case to show that specifying a valid cert and key
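Review bot: The regenerated leaf carries only a subjectAltName extension, whereas the certificate it replaces also had extendedKeyUsage (serverAuth, clientAuth), subject and authority key identifiers, an AIA URL and a CRL distribution point — the new extension block (`oyUwIzAhBgNVHREE…`) decodes to a single 2.5.29.17 entry, the old `o4H1MIHy…` block to six. Go treats an absent EKU as unrestricted, so chain verification will most likely still pass, but the fixture is now silently more permissive than before, and any cert-backend test that exercised AKI or CRL handling through this file (if one does) is no longer covered by it. Adding `extendedKeyUsage=serverAuth,clientAuth` (and, if the tests need them, `subjectKeyIdentifier=hash` and `authorityKeyIdentifier=keyid`) to the `[v3_req]` section in rebuild-cert.md and regenerating would preserve the original shape. The validity decodes to 2025-01-06 through 2050-01-07 (the `-days 9132` in the rebuild note); a 25-year leaf is fine for a fixture, but a one-line comment in rebuild-cert.md stating that expiry date would save the next person from decoding it.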
@@ -124,13 +125,14 @@ func TestTLSExpiredCert(t *testing.T) {
 // TestTLSMismatchedCryptographicInfo verifies that a cert and key of differing cryptographic
 // types, when specified together, is met with a unique error message.
 func TestTLSMismatchedCryptographicInfo(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./test-fixtures/ecdsa.key",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: "./test-fixtures/goodkey.pem", // pkihelper uses EC keys, this file is an RSA key
 TLSMinVersion: "tls10",
 TLSDisableClientCerts: true,
 },
@@ -148,7 +150,7 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./test-fixtures/ecdsa.crt",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
 TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
 TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
 TLSMinVersion: "tls10",
@@ -189,13 +191,15 @@ func TestTLSMultiKeys(t *testing.T) {
 // TestTLSCertAsKey verifies that a unique error message is thrown when a cert is specified twice.
 func TestTLSCertAsKey(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./../../api/test-fixtures/keys/cert.pem",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: testCaFiles.Leaf.CertFile,
 TLSMinVersion: "tls10",
 TLSDisableClientCerts: true,
 },
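Review bot: In the `@@ -148,7 +150,7 @@` hunk the second listener of TestTLSMismatchedCryptographicInfo still reads its client CA from the static `./../../api/test-fixtures/root/rootcacert.pem`, so only the server certificate moved to generated material; if diagnose checks the client CA's validity period the way it checks the server cert's, this listener will start failing on that root's expiry for a reason unrelated to the cryptographic-mismatch condition the test is about. The RSA key has to stay a static file because the generated leaf is EC, but the CA can be `TLSClientCAFile: testCaFiles.RootCa.CertFile`, which is what the later hunks in this file already do. Whether the mismatch error is raised before the CA file is ever read is not visible here, so the exposure may be theoretical. The listener literal continues past the end of the hunk.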
@@ -213,13 +217,21 @@ func TestTLSCertAsKey(t *testing.T) {
 // the root. The root certificate used in this test is the Baltimore Cyber Trust root
 // certificate, downloaded from: https://www.digicert.com/kb/digicert-root-certificates.htm
 func TestTLSInvalidRoot(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+ otherRoot := pkihelper.GenerateRootCa(t)
+
+ tempDir := t.TempDir()
+ mixedRoots := filepath.Join(tempDir, "leaf-with-bad-root.pem")
+ err := os.WriteFile(mixedRoots, append(pem.EncodeToMemory(testCaFiles.Leaf.CertPem), pem.EncodeToMemory(otherRoot.CertPem)...), 0o644)
+ require.NoError(t, err, "Failed to write file %s", mixedRoots)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./test-fixtures/goodcertbadroot.pem",
- TLSKeyFile: "./test-fixtures/goodkey.pem",
+ TLSCertFile: mixedRoots,
+ TLSKeyFile: testCaFiles.Leaf.KeyFile,
 TLSMinVersion: "tls10",
 TLSDisableClientCerts: true,
 },
@@ -237,13 +249,15 @@ func TestTLSInvalidRoot(t *testing.T) {
 // is still accepted by diagnose as valid. This is an acceptable, though less secure,
 // server configuration.
 func TestTLSNoRoot(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./test-fixtures/goodkey.pem",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: testCaFiles.Leaf.KeyFile,
 TLSMinVersion: "tls10",
 TLSDisableClientCerts: true,
 },
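Review bot: The doc comment directly above TestTLSInvalidRoot still says the root used is the Baltimore Cyber Trust root downloaded from DigiCert, but the new body builds `leaf-with-bad-root.pem` from `pkihelper.GenerateRootCa(t)`, so the comment now describes a fixture that no longer exists and points readers at an external download that is irrelevant to the test. I would replace the two context lines with `// the root. The leaf is written to a temp file together with an unrelated, freshly` and `// generated root so that no valid chain can be built.`. That doc comment begins before the start of the hunk.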
@@ -258,14 +272,16 @@ func TestTLSNoRoot(t *testing.T) {
 // TestTLSInvalidMinVersion checks that a listener with an invalid minimum configured
 // version errors appropriately.
 func TestTLSInvalidMinVersion(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
- TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: testCaFiles.Leaf.KeyFile,
+ TLSClientCAFile: testCaFiles.RootCa.CertFile,
 TLSMinVersion: "0",
 TLSDisableClientCerts: true,
 },
@@ -282,14 +298,16 @@ func TestTLSInvalidMinVersion(t *testing.T) {
 // TestTLSInvalidMaxVersion checks that a listener with an invalid maximum configured
 // version errors appropriately.
 func TestTLSInvalidMaxVersion(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
- TLSClientCAFile: "./../../api/test-fixtures/root/rootcacert.pem",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: testCaFiles.Leaf.KeyFile,
+ TLSClientCAFile: testCaFiles.RootCa.CertFile,
 TLSMaxVersion: "0",
 TLSDisableClientCerts: true,
 },
@@ -549,13 +567,15 @@ func TestTLSMultipleRootInClientCACert(t *testing.T) {
 // TestTLSSelfSignedCerts tests invalid self-signed cert as TLSClientCAFile
 func TestTLSSelfSignedCert(t *testing.T) {
+ testCaFiles := pkihelper.GenerateCertWithRoot(t)
+
 listeners := []*configutil.Listener{
 {
 Type: "tcp",
 Address: "127.0.0.1:443",
 ClusterAddress: "127.0.0.1:8201",
- TLSCertFile: "./../../api/test-fixtures/keys/cert.pem",
- TLSKeyFile: "./../../api/test-fixtures/keys/key.pem",
+ TLSCertFile: testCaFiles.Leaf.CertFile,
+ TLSKeyFile: testCaFiles.Leaf.KeyFile,
 TLSClientCAFile: "test-fixtures/selfSignedCert.pem",
 TLSMinVersion: "tls10",
 TLSRequireAndVerifyClientCert: true,
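Review bot: TestTLSSelfSignedCert still points TLSClientCAFile at the static `test-fixtures/selfSignedCert.pem` while its server cert and key moved to generated material, so this test keeps exactly the expiry exposure the commit is removing elsewhere: once that fixture's notAfter passes, diagnose may report an expired CA instead of the self-signed condition the test is named for, and the assertion would fail (or pass) for the wrong reason. If a freshly generated root satisfies the "invalid self-signed" check here, `selfSigned := pkihelper.GenerateRootCa(t)` with `TLSClientCAFile: selfSigned.CertFile` removes the last static certificate from this file; if the check needs a non-CA self-signed leaf, at least record that fixture's expiry date in the comment above the function so the next failure is recognisable. Whether the diagnose check orders the expiry test before the self-signed test is not visible in this hunk. The listener literal and the assertions continue past the end of the hunk.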