Repository: trafficserver Updated Branches: refs/heads/master 661201486 -> f5e6d357a
ECDSA certificate selection tests Add tests for ECDSA and RSA certificate selection. Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f5e6d357 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f5e6d357 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f5e6d357 Branch: refs/heads/master Commit: f5e6d357abdaf55207f15c911da48321094aaf2e Parents: 6612014 Author: Thomas Jackson <[email protected]> Authored: Mon Apr 6 16:14:09 2015 -0700 Committer: Thomas Jackson <[email protected]> Committed: Mon Apr 6 16:16:15 2015 -0700 ---------------------------------------------------------------------- ci/new_tsqa/files/ec_keys/README.rst | 8 ++ ci/new_tsqa/files/ec_keys/www.example.com.pem | 18 +++ ci/new_tsqa/files/ec_keys/www.test.com.pem | 18 +++ ci/new_tsqa/tests/test_https.py | 131 +++++++++++++++++---- 4 files changed, 153 insertions(+), 22 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/README.rst ----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/README.rst b/ci/new_tsqa/files/ec_keys/README.rst
new file mode 100644
index 0000000..12329c7
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/README.rst
@@ -0,0 +1,8 @@
+All of these certificates are self-signed and are *not* secure. They are intended
+only for use in testing.
+
+Try to use existing certs if possible rather than generating your own.
+
+# generated using (make sure to set "hostname"):
+openssl ecparam -name prime256v1 -genkey -out key.pem
+openssl req -new -x509 -key key.pem -out cert.pem
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/www.example.com.pem ----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.example.com.pem b/ci/new_tsqa/files/ec_keys/www.example.com.pem
new file mode 100644
index 0000000..4db7e23
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/www.example.com.pem
@@ -0,0 +1,18 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGCAR+s6Sno+AteQgnMBOsS7sD4EbSxGN7anPQaossvkoAoGCCqGSM49
+AwEHoUQDQgAEwNOf/ym+XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l
+2L7lLqGtmUcuUhDaOxf91hhXAfprU+qRvA==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAaSgAwIBAgIJAI8scEv82xNQMAkGByqGSM49BAEwXDELMAkGA1UEBhMC
+WFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
+YW55IEx0ZDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTE1MDQwNjIyMzEz
+OVoXDTE1MDUwNjIyMzEzOVowXDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEYMBYGA1UEAwwP
+d3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwNOf/ym+
+XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l2L7lLqGtmUcuUhDaOxf9
+1hhXAfprU+qRvKNQME4wHQYDVR0OBBYEFFju5RlYt02MzdcnwBKzCIRnKp2vMB8G
+A1UdIwQYMBaAFFju5RlYt02MzdcnwBKzCIRnKp2vMAwGA1UdEwQFMAMBAf8wCQYH
+KoZIzj0EAQNIADBFAiEAhmfh1lZz99IjJ9n5Num1O6BK491eDP+rENyTC7Y6a/YC
+ID/HGrCAtz1n4lPZ2kSxe6E8lqotrEmEDEx14hlmdw7K
+-----END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/www.test.com.pem ----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.test.com.pem b/ci/new_tsqa/files/ec_keys/www.test.com.pem
new file mode 100644
index 0000000..97b33b3
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/www.test.com.pem
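Review bot: The validity period embedded in this certificate decodes to notBefore 2015-04-06 and notAfter 2015-05-06, i.e. 30 days, which is what openssl applies when `-days` is omitted as it is in the README's `openssl req` line; www.test.com.pem carries the same window. The test client in `_get_cert` sets up no peer verification, so the fixtures expiring will not break these handshakes, but anyone who turns verification on or reuses the files elsewhere will get an expiry failure unrelated to certificate selection. Suggest regenerating both files with an explicit long validity and recording that in the README command, e.g. `openssl req -new -x509 -days 3650 -key key.pem -out cert.pem`, and keeping the README's statement that these embedded private keys are test-only material.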
@@ -0,0 +1,18 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILVRI/Y9isXZJKXwb4srPN4hjx+ZUWGmSL3cn8AEhTVQoAoGCCqGSM49
+AwEHoUQDQgAEh4NjyzcxA2B/b281cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69w
+of7PjZkJRdeBlEMBVUcwTKEuENMZ7a3+Tw==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAZ6gAwIBAgIJAOofwBNPt6PwMAkGByqGSM49BAEwWTELMAkGA1UEBhMC
+WFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
+YW55IEx0ZDEVMBMGA1UEAwwMd3d3LnRlc3QuY29tMB4XDTE1MDQwNjIyMzI0MVoX
+DTE1MDUwNjIyMzI0MVowWTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQg
+Q2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEVMBMGA1UEAwwMd3d3
+LnRlc3QuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEh4NjyzcxA2B/b281
+cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69wof7PjZkJRdeBlEMBVUcwTKEuENMZ
+7a3+T6NQME4wHQYDVR0OBBYEFJKeIbf5+FuFSDl+qyszoefkIdYNMB8GA1UdIwQY
+MBaAFJKeIbf5+FuFSDl+qyszoefkIdYNMAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0E
+AQNIADBFAiEAs79BVAgcBZStdk8xLUXEpRoX68MVNpq2P/9OcMPmb2cCIEv/OFq3
+TYlabCBevc+jjmnry8C//Z+ffY/IEwbTxJlQ
+-----END CERTIFICATE-----
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/tests/test_https.py ----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_https.py b/ci/new_tsqa/tests/test_https.py
index 2b38614..fcc6bad 100644
--- a/ci/new_tsqa/tests/test_https.py
+++ b/ci/new_tsqa/tests/test_https.py
@@ -21,38 +21,26 @@ import socket import helpers import tsqa.utils +# some ciphers to test with +CIPHER_MAP = { + 'rsa': 'ECDHE-RSA-AES256-GCM-SHA384', + 'ecdsa': 'ECDHE-ECDSA-AES256-GCM-SHA384', +} -class TestSSL(helpers.EnvironmentCase): - @classmethod - def setUpEnv(cls, env): - ''' - This function is responsible for setting up the environment for this fixture - This includes everything pre-daemon start - ''' - - # add an SSL port to ATS - cls.ssl_port = tsqa.utils.bind_unused_port()[1] - cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port) - cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1 - cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl' - # configure SSL multicert - cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'))) - cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'))) - - cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'))) - cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'))) - - def _get_cert(self, addr, sni_name=None): +class CertSelectionMixin(object): + def _get_cert(self, addr, sni_name=None, ciphers=None): ''' Return the certificate for addr. Optionally sending sni_name ''' - ctx = SSL.Context(SSL.SSLv23_METHOD) + ctx = SSL.Context(SSL.TLSv1_2_METHOD) # Set up client sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM)) sock.connect(addr) if sni_name is not None: sock.set_tlsext_host_name(sni_name) + if ciphers is not None: + ctx.set_cipher_list(ciphers) sock.do_handshake() return sock.get_peer_certificate() 
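Review bot: In `_get_cert` the cipher restriction is applied to the Context only after the Connection has already been created from it and `connect()` has run, so the test silently depends on OpenSSL consulting the context's list at handshake time rather than on anything the code makes explicit; whether an existing connection observes a later context change is an OpenSSL-internal detail, and a test whose whole point is which cipher suites the client offers should not rest on it. Move the two added lines up so the context is fully configured before the connection exists: `ctx = SSL.Context(SSL.TLSv1_2_METHOD)` immediately followed by `if ciphers is not None:` / `ctx.set_cipher_list(ciphers)`. The connection is also never closed after `get_peer_certificate()`, so every call leaks a socket until garbage collection; wrapping the handshake in `try/finally` with `sock.close()` would keep the ATS side clean across the several handshake tests this commit adds. Finally, the client deliberately performs no peer verification, which is appropriate for a selection test but deserves a one-line comment so it is not copied as a general TLS client pattern.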
@@ -93,3 +81,102 @@ class TestSSL(helpers.EnvironmentCase):
 cert = self._get_cert(addr, sni_name='www.example.com')
 self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+
+class TestRSA(helpers.EnvironmentCase, CertSelectionMixin):
+ '''
+ Tests for https for ATS configured with RSA certificates
+ '''
+ @classmethod
+ def setUpEnv(cls, env):
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG'].update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
+ 'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['rsa'],
+ })
+
+ # configure SSL multicert
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
+
+ def test_rsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+ def test_ecdsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ with self.assertRaises(Exception):
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+class TestECDSA(helpers.EnvironmentCase, CertSelectionMixin):
+ '''
+ Tests for https for ATS configured with ECDSA certificates
+ '''
+ @classmethod
+ def setUpEnv(cls, env):
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG'].update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
+ 'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['ecdsa'],
+ })
+
+ # configure SSL multicert
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+ def test_rsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ with self.assertRaises(Exception):
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+ def test_ecdsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+class TestMix(helpers.EnvironmentCase, CertSelectionMixin):
+ '''
+ Tests for https for ATS configured with both ECDSA and RSA certificates
+ '''
+ @classmethod
+ def setUpEnv(cls, env):
+ # add an SSL port to ATS
+ cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+ cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+ cls.configs['records.config']['CONFIG'].update({
+ 'proxy.config.diags.debug.enabled': 1,
+ 'proxy.config.diags.debug.tags': 'ssl',
+ 'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
+ })
+
+ # configure SSL multicert
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'), helpers.tests_file_path('ec_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'), helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'), helpers.tests_file_path('ec_keys/www.example.com.pem')))
+ cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'), helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+ def test_rsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+ def test_ecdsa(self):
+ addr = ('127.0.0.1', self.ssl_port)
+ cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+ self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
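Review bot: In `TestRSA.test_ecdsa` and `TestECDSA.test_rsa` the `self.assertEqual(...)` line sits inside the `with self.assertRaises(Exception):` block, so if the handshake unexpectedly succeeds and the wrong certificate comes back, the resulting AssertionError is itself swallowed by the context manager and the negative test passes vacuously; as written these two tests cannot fail. `Exception` is also broad enough to hide an unrelated failure such as a refused connection or a bind error, which would likewise be reported as a pass. Narrow the expectation to the handshake error and keep only the call inside the block: `with self.assertRaises(SSL.Error):` / `self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])` (and the `rsa` counterpart in TestECDSA). The three `setUpEnv` bodies differ only in the cipher-suite value and the key directory, so a small helper on `CertSelectionMixin` taking those two inputs would remove the triplicated configuration, though that is a style point rather than a defect.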
