This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 3e0ff2d8aba34619d8cb542833fba336dcbb2939 Author: Mo Chen <[email protected]> AuthorDate: Tue Apr 9 16:59:08 2024 -0500 Restore private key passphrase behavior (#11201) Fix private key passphrase support in ssl_multicert. Add autest. (cherry picked from commit 87d88ded2884a8b4a36a2f440bd4ddb75c481192) --- src/iocore/net/SSLConfig.cc | 4 +- src/iocore/net/SSLUtils.cc | 57 ++++++++---------- tests/gold_tests/tls/ssl/passphrase.key | 30 ++++++++++ tests/gold_tests/tls/ssl/passphrase.pem | 27 +++++++++ tests/gold_tests/tls/ssl/passphrase2.key | 30 ++++++++++ tests/gold_tests/tls/ssl/passphrase2.pem | 27 +++++++++ tests/gold_tests/tls/ssl_key_dialog.test.py | 91 +++++++++++++++++++++++++++++ 7 files changed, 231 insertions(+), 35 deletions(-) diff --git a/src/iocore/net/SSLConfig.cc b/src/iocore/net/SSLConfig.cc index df1f2299e2..8d02afd265 100644 --- a/src/iocore/net/SSLConfig.cc +++ b/src/iocore/net/SSLConfig.cc @@ -975,7 +975,9 @@ SSLConfigParams::getCTX(const std::string &client_cert, const std::string &key_f biop = BIO_new_mem_buf(secret_data.data(), secret_data.size()); } - key = PEM_read_bio_PrivateKey(biop, nullptr, nullptr, nullptr); + pem_password_cb *password_cb = SSL_CTX_get_default_passwd_cb(client_ctx.get()); + void *u = SSL_CTX_get_default_passwd_cb_userdata(client_ctx.get()); + key = PEM_read_bio_PrivateKey(biop, nullptr, password_cb, u); if (!key) { SSLError("failed to load client private key file from %s", key_file_name.c_str()); goto fail; diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc index 3d74f5b8a0..7845e9ca69 100644 --- a/src/iocore/net/SSLUtils.cc +++ b/src/iocore/net/SSLUtils.cc @@ -654,18 +654,6 @@ ssl_context_enable_tickets(SSL_CTX *ctx, const char *ticket_key_path) #endif /* TS_HAS_TLS_SESSION_TICKET */ } -struct passphrase_cb_userdata { - const SSLConfigParams *_configParams; - const char *_serverDialog; - const char *_serverCert; - const char *_serverKey; - - passphrase_cb_userdata(const SSLConfigParams *params, const char *dialog, const char *cert, const char *key) - : _configParams(params), _serverDialog(dialog), _serverCert(cert), _serverKey(key) - { - } -}; - // RAII implementation for struct termios struct ssl_termios : public termios { ssl_termios(int fd) @@ -741,15 +729,17 @@ ssl_private_key_passphrase_callback_exec(char *buf, int size, int rwflag, void * return 0; } - *buf = 0; - passphrase_cb_userdata *ud = static_cast<passphrase_cb_userdata *>(userdata); + *buf = 0; + const SSLMultiCertConfigParams *sslMultCertSettings = static_cast<SSLMultiCertConfigParams *>(userdata); - Dbg(dbg_ctl_ssl_load, "ssl_private_key_passphrase_callback_exec rwflag=%d serverDialog=%s", rwflag, ud->_serverDialog); + Dbg(dbg_ctl_ssl_load, "ssl_private_key_passphrase_callback_exec rwflag=%d dialog=%s", rwflag, sslMultCertSettings->dialog.get()); // only respond to reading private keys, not writing them (does ats even do that?) if (0 == rwflag) { // execute the dialog program and use the first line output as the passphrase - FILE *f = popen(ud->_serverDialog, "r"); + ink_assert(strncmp(sslMultCertSettings->dialog, "exec:", 5) == 0); + const char *serverDialog = &sslMultCertSettings->dialog[5]; + FILE *f = popen(serverDialog, "r"); if (f) { if (fgets(buf, size, f)) { // remove any ending CR or LF @@ -762,7 +752,7 @@ ssl_private_key_passphrase_callback_exec(char *buf, int size, int rwflag, void * } pclose(f); } else { // popen failed - Error("could not open dialog '%s' - %s", ud->_serverDialog, strerror(errno)); + Error("could not open dialog '%s' - %s", serverDialog, strerror(errno)); } } return strlen(buf); @@ -775,19 +765,19 @@ ssl_private_key_passphrase_callback_builtin(char *buf, int size, int rwflag, voi return 0; } - *buf = 0; - passphrase_cb_userdata *ud = static_cast<passphrase_cb_userdata *>(userdata); + *buf = 0; + const SSLMultiCertConfigParams *sslMultCertSettings = static_cast<SSLMultiCertConfigParams *>(userdata); - Dbg(dbg_ctl_ssl_load, "ssl_private_key_passphrase_callback rwflag=%d serverDialog=%s", rwflag, ud->_serverDialog); + Dbg(dbg_ctl_ssl_load, "ssl_private_key_passphrase_callback rwflag=%d dialog=%s", rwflag, sslMultCertSettings->dialog.get()); // only respond to reading private keys, not writing them (does ats even do that?) if (0 == rwflag) { // output request fprintf(stdout, "Some of your private key files are encrypted for security reasons.\n"); fprintf(stdout, "In order to read them you have to provide the pass phrases.\n"); - fprintf(stdout, "ssl_cert_name=%s", ud->_serverCert); - if (ud->_serverKey) { // output ssl_key_name if provided - fprintf(stdout, " ssl_key_name=%s", ud->_serverKey); + fprintf(stdout, "ssl_cert_name=%s", sslMultCertSettings->cert.get()); + if (sslMultCertSettings->key.get()) { // output ssl_key_name if provided + fprintf(stdout, " ssl_key_name=%s", sslMultCertSettings->key.get()); } fprintf(stdout, "\n"); // get passphrase @@ -975,7 +965,10 @@ SSLPrivateKeyHandler(SSL_CTX *ctx, const SSLConfigParams *params, const char *ke #endif if (pkey == nullptr) { scoped_BIO bio(BIO_new_mem_buf(secret_data, secret_data_len)); - pkey = PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr); + + pem_password_cb *password_cb = SSL_CTX_get_default_passwd_cb(ctx); + void *u = SSL_CTX_get_default_passwd_cb_userdata(ctx); + pkey = PEM_read_bio_PrivateKey(bio.get(), nullptr, password_cb, u); if (nullptr == pkey) { Dbg(dbg_ctl_ssl_load, "failed to load server private key (%.*s) from %s", secret_data_len < 50 ? secret_data_len : 50, secret_data, (!keyPath || keyPath[0] == '\0') ? "[empty key path]" : keyPath); @@ -1431,16 +1424,14 @@ bool SSLMultiCertConfigLoader::_setup_dialog(SSL_CTX *ctx, const SSLMultiCertConfigParams *sslMultCertSettings) { if (sslMultCertSettings->dialog) { - passphrase_cb_userdata ud(this->_params, sslMultCertSettings->dialog, sslMultCertSettings->first_cert, - sslMultCertSettings->key); // pass phrase dialog configuration pem_password_cb *passwd_cb = nullptr; if (strncmp(sslMultCertSettings->dialog, "exec:", 5) == 0) { - ud._serverDialog = &sslMultCertSettings->dialog[5]; + const char *serverDialog = &sslMultCertSettings->dialog[5]; + Dbg(dbg_ctl_ssl_load, "exec:%s", serverDialog); // validate the exec program - if (!ssl_private_key_validate_exec(ud._serverDialog)) { - SSLError("failed to access '%s' pass phrase program: %s", (const char *)ud._serverDialog, strerror(errno)); - memset(static_cast<void *>(&ud), 0, sizeof(ud)); + if (!ssl_private_key_validate_exec(serverDialog)) { + SSLError("failed to access '%s' pass phrase program: %s", serverDialog, strerror(errno)); return false; } passwd_cb = ssl_private_key_passphrase_callback_exec; @@ -1448,13 +1439,10 @@ SSLMultiCertConfigLoader::_setup_dialog(SSL_CTX *ctx, const SSLMultiCertConfigPa passwd_cb = ssl_private_key_passphrase_callback_builtin; } else { // unknown config SSLError("unknown %s configuration value '%s'", SSL_KEY_DIALOG.data(), (const char *)sslMultCertSettings->dialog); - memset(static_cast<void *>(&ud), 0, sizeof(ud)); return false; } SSL_CTX_set_default_passwd_cb(ctx, passwd_cb); - SSL_CTX_set_default_passwd_cb_userdata(ctx, &ud); - // Clear any password info lingering in the UD data structure - memset(static_cast<void *>(&ud), 0, sizeof(ud)); + SSL_CTX_set_default_passwd_cb_userdata(ctx, const_cast<SSLMultiCertConfigParams *>(sslMultCertSettings)); } return true; } @@ -2556,6 +2544,7 @@ SSLMultiCertConfigLoader::_dbg_ctl() const void SSLMultiCertConfigLoader::clear_pw_references(SSL_CTX *ssl_ctx) { + Dbg(dbg_ctl_ssl_load, "clearing pw preferences"); SSL_CTX_set_default_passwd_cb(ssl_ctx, nullptr); SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, nullptr); } diff --git a/tests/gold_tests/tls/ssl/passphrase.key b/tests/gold_tests/tls/ssl/passphrase.key new file mode 100644 index 0000000000..152197bf99 --- /dev/null +++ b/tests/gold_tests/tls/ssl/passphrase.key @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQBZQrPgU+cHs3Ls4O +gfcPBwICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIBRDrt5DRnIoEggTI +S5O31tiNE8pgNMZ9MAoiNfGGJHcnvQcOnP/bosrxfXRVrumLzxLhpXhPREtBiIUk +ksuPmvobWS7AcZIPD72RpCN8NZw3lTANHnN3N7HP7qgUDbXsYhT2ssuT+BQsNRhA +y8uh0tKysVCbVNClYJvgrM2xzU7JFghaeHkJkabYJ2FKnHVRIZwkwbJWDeW0Ce/V +r858mzdmbJGack2Rg3FT5xDAqmzUc6PWSZgBXkrOwbmHJehoWTzfMSl4uBsrFKnd +KGHQJ6m24DP4Am79BOce6YoM1P36i56Rwo/q7LHI5AAadVSTLMaoD8gey6Ny9ZO9 +eflyKDW80wqmJxDevEhCKqOQbunogBuVfyo4dc2G4XPfwBhN4Vp+dVcfx9TBTdGo +gxNEd8+Nr8Ihzoff6brst9iJrBx/uWkEblSQXlp1cI9qfv8w/ji4PeLJilRaHfwV +VSr2BupIseW2GDjOOiziFvgl7Crj2kOevThunNl/IdNf8LmidUCIRJimwh38KsLx +VyG8+VFpISnkgPd89S9UEUpmUJi5hshmqpWZXLSuYUrYPucqJSKJHpqPdzcTBWg3 +kH/82T5VCYWJ/lfsl7HcfZHxfeng8636ZYZsXMwUpX3mHEGA08fuUROuekN9konO +xXxvmtmWZcyJz+eVHCL+gqyP4ecfOmkvIVin2mXSneA420lmxyzY36pox4iZbqm3 +a8NpmUd+envWlJjq7dCHIsGjBfFr3hGyjDsE3ZRuoMnGGVbwM98Nrkw5bsKWUfXQ +N3PZFZKQT/cXxpUIW/g7TLXFmP4I7o2NycV/84/vfX2tlh6nFk67JdgX54m2Et9n +M8RMNb6gU8AWfZY2kDaDd44Qx/i/7huNsEmJ5u4ze0+GoN3R+Bj6fbEKqar/SP2v +9or8yK64+A1ZHXUf6W12n9VBFsALqDIbHKxRfWiYfLv2eTnpGtxzicGp1OZMBWD4 +b1wpzGz5QjkQ3OC8zNRqSmynIJcnTSviJbAlHBSogUmOK/NAeSe8OIznpAUCHzGU +zZylmM/2O1Fpf75iuqOL6flPGbXoT5IRirmP5KevJWbadBX3O5DPP2irjO+RiGf9 +0NdbLNvZh5WWUXycjUbnS36uzPiBKD+ZclgqZBH1UYPg26/p4hR1m3cCswg1AbsL +lwjF+8w73ULHSF5VsSAa9U7QZ1DiJXFzaOyCDuCBlzFYc9v1A+kYrQVpZ1fsSubd +k14BbrDlOuSfYWL8jpRg3RBBh41zCXa297fFG0GtqVVYG90Ij2za5od+fy/Q/W1I +SJYuZndyIpf1hvGfVwRCPKcXIr7mf+//SPHBKJe5aHrpVDznEpswG3Tjcz+qM7OZ +qZG4mfNUNUa6xWcVFSdZfXRszXzJdY0N3P2JFolpmJO3oDkbZoa63ILtTf355S9Z +UVMTwX1QxGsKFG0jz92s474R2Z58A7TyRiZLQw+JxiaIDCVxaW73tr+/pCjqQwkW +RT3iHNd/BeQnbl3RV8o+jE6wKMz10mulml7yq38vmyjHtBMSwPZz668T6lb161ti +vMh/B4/bQu22DRpdtQS3B5h3XATJ7bkoG+hQUHzowz0jiK93ICZumpCYBu5V58nr +QsIKSU9+bBOlU8y28KJgNuALBZgSZ/fs +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/passphrase.pem b/tests/gold_tests/tls/ssl/passphrase.pem new file mode 100644 index 0000000000..8d9ea6b746 --- /dev/null +++ b/tests/gold_tests/tls/ssl/passphrase.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEfjCCAmagAwIBAgIUWqf2OgjUkTeH4qDkqxeaeOA9EVIwDQYJKoZIhvcNAQEL +BQAwVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAklMMQ4wDAYDVQQKDAVZYWhvbzEN +MAsGA1UECwwERWRnZTEZMBcGA1UEAwwQc2lnbmVyLnlhaG9vLmNvbTAeFw0yNDA0 +MDIyMTU5MzNaFw0yNTA0MDIyMTU5MzNaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +EzARBgNVBAMMCnBhc3NwaHJhc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDRSJlZF7fVu/8etpbSYDbPL0m2Q8DHKfwinK6nqbbF7OWbQoCeHpaEppyk +9iQ/eIPCtnDD0rdA1cC9DwdOfaeaBhjXy2OaLrJGaeTUhhNcLhSwbfX26dKn5EEi +B5bRaEruKsh/MmmSe691TT6kEfpFQCK4WO9B9UXejEtI7NZ4wskaO38UjVEYLguW +wJ25mnzWQpjhYWR2G1+2Q3SCtZ82cXKJTQWuOPJHmJ5FjQQpldFJg0PKf6zAY9Vr +vkggeHiLwNKTk5R+975EB9fLoV3R69zkqf2NoMVDTvG9jd974haT/iRO9fy2pGXt +ACaxoYoVEyUbbZd9i9aR3gmczqEFAgMBAAGjQjBAMB0GA1UdDgQWBBRRijjaYGCs +ZE5bO2i7l5JA+nlGtDAfBgNVHSMEGDAWgBS8vY4PSrVikT05kO3dCxqr9MMboTAN +BgkqhkiG9w0BAQsFAAOCAgEAX2O9IBogwv+338jsvXb+ZVwHLUHFkXugqXNEI8hm +A9JFcqHwsVfOJmYGuAEjGReyjzfZou5YuzPT14VvF+wnJPA6/PbWrAKxoioq4pho +2/LRQSqe4O+T+QcSX32Nsu8h5bnv6i9MSAAWltErhOTmQkWEqYIzCh86YuHloBll +txVJ/KvWu4xetHREo1OILV5w2a5jZ7AhTqe/Yx9NmRSvQIt4MRp4DBPS8nNaUwak +3rgJV8QCIFk4+S1FqSb+4t5O7VQh4aPSmsEKHkP1Km4qFtUa4BKpDTWQTjtC/c+2 +V/ja6vFJFApniTHLpsRuu7Ma8xVulHiGuNwcvlgBtDcRAzdLcCPHCrhHpWTkrG6p +OnqznwwlBFmZHa8yiu8EHZbxH8hrPdf8VguNOc2sPEaskllmebl+XJlD0d3ulwQj +g1Gv3em0/eRWBs0sTcjTX6s852QLHPeTgsn5Z+/VVOnFQ4rY/obrrmd/44QHDN2l +SoEHGWT6KWK+bUUytkm+uGdJjElsPYj2dXftTLc0n4AraRCEKATMHrH/dx3HuNez +YjR8oYsSQp/OpzsaYFPoid/03n66rbtLm7DSeS4SdLdnrs8f7CbEhyyZPtG8VyoI +/YMSkidOMhgfiOdGl2JcC4JDhJCOlH6cQwxU+jxLFBomqTkX03kZNzbXdiCb3SiG +sk8= +-----END CERTIFICATE----- diff --git a/tests/gold_tests/tls/ssl/passphrase2.key b/tests/gold_tests/tls/ssl/passphrase2.key new file mode 100644 index 0000000000..152197bf99 --- /dev/null +++ b/tests/gold_tests/tls/ssl/passphrase2.key @@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQBZQrPgU+cHs3Ls4O +gfcPBwICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIBRDrt5DRnIoEggTI +S5O31tiNE8pgNMZ9MAoiNfGGJHcnvQcOnP/bosrxfXRVrumLzxLhpXhPREtBiIUk +ksuPmvobWS7AcZIPD72RpCN8NZw3lTANHnN3N7HP7qgUDbXsYhT2ssuT+BQsNRhA +y8uh0tKysVCbVNClYJvgrM2xzU7JFghaeHkJkabYJ2FKnHVRIZwkwbJWDeW0Ce/V +r858mzdmbJGack2Rg3FT5xDAqmzUc6PWSZgBXkrOwbmHJehoWTzfMSl4uBsrFKnd +KGHQJ6m24DP4Am79BOce6YoM1P36i56Rwo/q7LHI5AAadVSTLMaoD8gey6Ny9ZO9 +eflyKDW80wqmJxDevEhCKqOQbunogBuVfyo4dc2G4XPfwBhN4Vp+dVcfx9TBTdGo +gxNEd8+Nr8Ihzoff6brst9iJrBx/uWkEblSQXlp1cI9qfv8w/ji4PeLJilRaHfwV +VSr2BupIseW2GDjOOiziFvgl7Crj2kOevThunNl/IdNf8LmidUCIRJimwh38KsLx +VyG8+VFpISnkgPd89S9UEUpmUJi5hshmqpWZXLSuYUrYPucqJSKJHpqPdzcTBWg3 +kH/82T5VCYWJ/lfsl7HcfZHxfeng8636ZYZsXMwUpX3mHEGA08fuUROuekN9konO +xXxvmtmWZcyJz+eVHCL+gqyP4ecfOmkvIVin2mXSneA420lmxyzY36pox4iZbqm3 +a8NpmUd+envWlJjq7dCHIsGjBfFr3hGyjDsE3ZRuoMnGGVbwM98Nrkw5bsKWUfXQ +N3PZFZKQT/cXxpUIW/g7TLXFmP4I7o2NycV/84/vfX2tlh6nFk67JdgX54m2Et9n +M8RMNb6gU8AWfZY2kDaDd44Qx/i/7huNsEmJ5u4ze0+GoN3R+Bj6fbEKqar/SP2v +9or8yK64+A1ZHXUf6W12n9VBFsALqDIbHKxRfWiYfLv2eTnpGtxzicGp1OZMBWD4 +b1wpzGz5QjkQ3OC8zNRqSmynIJcnTSviJbAlHBSogUmOK/NAeSe8OIznpAUCHzGU +zZylmM/2O1Fpf75iuqOL6flPGbXoT5IRirmP5KevJWbadBX3O5DPP2irjO+RiGf9 +0NdbLNvZh5WWUXycjUbnS36uzPiBKD+ZclgqZBH1UYPg26/p4hR1m3cCswg1AbsL +lwjF+8w73ULHSF5VsSAa9U7QZ1DiJXFzaOyCDuCBlzFYc9v1A+kYrQVpZ1fsSubd +k14BbrDlOuSfYWL8jpRg3RBBh41zCXa297fFG0GtqVVYG90Ij2za5od+fy/Q/W1I +SJYuZndyIpf1hvGfVwRCPKcXIr7mf+//SPHBKJe5aHrpVDznEpswG3Tjcz+qM7OZ +qZG4mfNUNUa6xWcVFSdZfXRszXzJdY0N3P2JFolpmJO3oDkbZoa63ILtTf355S9Z +UVMTwX1QxGsKFG0jz92s474R2Z58A7TyRiZLQw+JxiaIDCVxaW73tr+/pCjqQwkW +RT3iHNd/BeQnbl3RV8o+jE6wKMz10mulml7yq38vmyjHtBMSwPZz668T6lb161ti +vMh/B4/bQu22DRpdtQS3B5h3XATJ7bkoG+hQUHzowz0jiK93ICZumpCYBu5V58nr +QsIKSU9+bBOlU8y28KJgNuALBZgSZ/fs +-----END ENCRYPTED PRIVATE KEY----- diff --git a/tests/gold_tests/tls/ssl/passphrase2.pem b/tests/gold_tests/tls/ssl/passphrase2.pem new file mode 100644 index 0000000000..8d9ea6b746 --- /dev/null +++ b/tests/gold_tests/tls/ssl/passphrase2.pem @@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEfjCCAmagAwIBAgIUWqf2OgjUkTeH4qDkqxeaeOA9EVIwDQYJKoZIhvcNAQEL +BQAwVDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAklMMQ4wDAYDVQQKDAVZYWhvbzEN +MAsGA1UECwwERWRnZTEZMBcGA1UEAwwQc2lnbmVyLnlhaG9vLmNvbTAeFw0yNDA0 +MDIyMTU5MzNaFw0yNTA0MDIyMTU5MzNaMFoxCzAJBgNVBAYTAkFVMRMwEQYDVQQI +DApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQx +EzARBgNVBAMMCnBhc3NwaHJhc2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQDRSJlZF7fVu/8etpbSYDbPL0m2Q8DHKfwinK6nqbbF7OWbQoCeHpaEppyk +9iQ/eIPCtnDD0rdA1cC9DwdOfaeaBhjXy2OaLrJGaeTUhhNcLhSwbfX26dKn5EEi +B5bRaEruKsh/MmmSe691TT6kEfpFQCK4WO9B9UXejEtI7NZ4wskaO38UjVEYLguW +wJ25mnzWQpjhYWR2G1+2Q3SCtZ82cXKJTQWuOPJHmJ5FjQQpldFJg0PKf6zAY9Vr +vkggeHiLwNKTk5R+975EB9fLoV3R69zkqf2NoMVDTvG9jd974haT/iRO9fy2pGXt +ACaxoYoVEyUbbZd9i9aR3gmczqEFAgMBAAGjQjBAMB0GA1UdDgQWBBRRijjaYGCs +ZE5bO2i7l5JA+nlGtDAfBgNVHSMEGDAWgBS8vY4PSrVikT05kO3dCxqr9MMboTAN +BgkqhkiG9w0BAQsFAAOCAgEAX2O9IBogwv+338jsvXb+ZVwHLUHFkXugqXNEI8hm +A9JFcqHwsVfOJmYGuAEjGReyjzfZou5YuzPT14VvF+wnJPA6/PbWrAKxoioq4pho +2/LRQSqe4O+T+QcSX32Nsu8h5bnv6i9MSAAWltErhOTmQkWEqYIzCh86YuHloBll +txVJ/KvWu4xetHREo1OILV5w2a5jZ7AhTqe/Yx9NmRSvQIt4MRp4DBPS8nNaUwak +3rgJV8QCIFk4+S1FqSb+4t5O7VQh4aPSmsEKHkP1Km4qFtUa4BKpDTWQTjtC/c+2 +V/ja6vFJFApniTHLpsRuu7Ma8xVulHiGuNwcvlgBtDcRAzdLcCPHCrhHpWTkrG6p +OnqznwwlBFmZHa8yiu8EHZbxH8hrPdf8VguNOc2sPEaskllmebl+XJlD0d3ulwQj +g1Gv3em0/eRWBs0sTcjTX6s852QLHPeTgsn5Z+/VVOnFQ4rY/obrrmd/44QHDN2l +SoEHGWT6KWK+bUUytkm+uGdJjElsPYj2dXftTLc0n4AraRCEKATMHrH/dx3HuNez +YjR8oYsSQp/OpzsaYFPoid/03n66rbtLm7DSeS4SdLdnrs8f7CbEhyyZPtG8VyoI +/YMSkidOMhgfiOdGl2JcC4JDhJCOlH6cQwxU+jxLFBomqTkX03kZNzbXdiCb3SiG +sk8= +-----END CERTIFICATE----- diff --git a/tests/gold_tests/tls/ssl_key_dialog.test.py b/tests/gold_tests/tls/ssl_key_dialog.test.py new file mode 100644 index 0000000000..70bb365c70 --- /dev/null +++ b/tests/gold_tests/tls/ssl_key_dialog.test.py @@ -0,0 +1,91 @@ +''' +''' +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding right ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +Test.Summary = ''' +Test that Trafficserver starts with default configurations. +''' + +ts = Test.MakeATSProcess("ts", enable_tls=True) +server = Test.MakeOriginServer("server") + +ts.addSSLfile("ssl/passphrase.pem") +ts.addSSLfile("ssl/passphrase.key") + +ts.addSSLfile("ssl/passphrase2.pem") +ts.addSSLfile("ssl/passphrase2.key") + +ts.Disk.remap_config.AddLine(f"map https://passphrase:{ts.Variables.ssl_port}/ http://127.0.0.1:{server.Variables.Port}";) +ts.Disk.records_config.update( + { + 'proxy.config.diags.debug.enabled': 1, + 'proxy.config.diags.debug.tags': 'ssl_load|http', + 'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir), + 'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir), + }) + +ts.Disk.ssl_multicert_config.AddLines( + [ + 'dest_ip=* ssl_cert_name=passphrase.pem ssl_key_name=passphrase.key ssl_key_dialog="exec:/bin/bash -c \'echo -n passphrase\'"', + ]) + +request_header = {"headers": "GET / HTTP/1.1\r\nHost: bogus\r\n\r\n", "timestamp": "1469733493.993", "body": ""} +response_header = {"headers": "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n", "timestamp": "1469733493.993", "body": "success!"} +server.addResponse("sessionlog.json", request_header, response_header) + +tr = Test.AddTestRun("use a key with passphrase") +tr.Setup.Copy("ssl/signer.pem") +tr.Processes.Default.Command = f"curl -v --cacert ./signer.pem --resolve 'passphrase:{ts.Variables.ssl_port}:127.0.0.1' https://passphrase:{ts.Variables.ssl_port}/"; +tr.ReturnCode = 0 +tr.Processes.Default.StartBefore(server) +tr.Processes.Default.StartBefore(Test.Processes.ts) +tr.Processes.Default.Streams.stderr.Content = Testers.ContainsExpression("200", "expected 200 OK response") +tr.Processes.Default.Streams.stdout.Content = Testers.ContainsExpression("success!", "expected success") +tr.StillRunningAfter = server +tr.StillRunningAfter = ts + +tr2 = Test.AddTestRun("Update config files") +# Update the multicert config +sslcertpath = ts.Disk.ssl_multicert_config.AbsPath +tr2.Disk.File(sslcertpath, id="ssl_multicert_config", typename="ats:config"), +tr2.Disk.ssl_multicert_config.AddLines( + [ + 'dest_ip=* ssl_cert_name=passphrase2.pem ssl_key_name=passphrase2.key ssl_key_dialog="exec:/bin/bash -c \'echo -n passphrase\'"', + ]) +tr2.StillRunningAfter = ts +tr2.StillRunningAfter = server +tr2.Processes.Default.Command = 'echo Updated configs' +# Need to copy over the environment so traffic_ctl knows where to find the unix domain socket +tr2.Processes.Default.Env = ts.Env +tr2.Processes.Default.ReturnCode = 0 + +tr2reload = Test.AddTestRun("Reload config") +tr2reload.StillRunningAfter = ts +tr2reload.StillRunningAfter = server +tr2reload.Processes.Default.Command = 'traffic_ctl config reload' +# Need to copy over the environment so traffic_ctl knows where to find the unix domain socket +tr2reload.Processes.Default.Env = ts.Env +tr2reload.Processes.Default.ReturnCode = 0 + +tr3 = Test.AddTestRun("use a key with passphrase") +tr3.Setup.Copy("ssl/signer.pem") +tr3.Processes.Default.Command = f"curl -v --cacert ./signer.pem --resolve 'passphrase:{ts.Variables.ssl_port}:127.0.0.1' https://passphrase:{ts.Variables.ssl_port}/"; +tr3.ReturnCode = 0 +tr3.Processes.Default.Streams.stderr.Content = Testers.ContainsExpression("200", "expected 200 OK response") +tr3.Processes.Default.Streams.stdout.Content = Testers.ContainsExpression("success!", "expected success") +tr3.StillRunningAfter = server +tr3.StillRunningAfter = ts
