kris
/
th5
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Alternative TLS implementation in Go
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
505 Commits
3 Branches
2.6 MiB
 
 
Struktur: 1ea9624098
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „1ea9624098“
${ noResults }
th5/subcerts_test.go

337 Zeilen
12 KiB
Originalformat Blame Verlauf 

  1. // Copyright 2018 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/x509"

  10. 	"encoding/asn1"

  11. 	"encoding/pem"

  12. 	"fmt"

  13. 	"testing"

  14. 	"time"

  15. )

  16. 

  17. // These test keys were generated with the following program, available in the

  18. // crypto/tls directory:

  19. //

  20. //		go run generate_cert.go -ecdsa-curve P256 -host 127.0.0.1 -dc

  21. //

  22. // To get a certificate without the DelegationUsage extension, remove the `-dc`

  23. // parameter.

  24. var delegatorCertPEM = `-----BEGIN CERTIFICATE-----

  25. MIIBdzCCAR2gAwIBAgIQLVIvEpo0/0TzRja4ImvB1TAKBggqhkjOPQQDAjASMRAw

  26. DgYDVQQKEwdBY21lIENvMB4XDTE4MDcwMzE2NTE1M1oXDTE5MDcwMzE2NTE1M1ow

  27. EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOhB

  28. U6adaAgliLaFc1PAo9HBO4Wish1G4df3IK5EXLy+ooYfmkfzT1FxqbNLZufNYzve

  29. 25fmpal/1VJAjpVyKq2jVTBTMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr

  30. BgEFBQcDATAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwDQYJKwYBBAGC

  31. 2kssBAAwCgYIKoZIzj0EAwIDSAAwRQIhAPNwRk6cygm6zO5rjOzohKYWS+1KuWCM

  32. OetDIvU4mdyoAiAGN97y3GJccYn9ZOJS4UOqhr9oO8PuZMLgdq4OrMRiiA==

  33. -----END CERTIFICATE-----

  34. `

  35. 

  36. var delegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----

  37. MHcCAQEEIJDVlo+sJolMcNjMkfCGDUjMJcE4UgclcXGCrOtbJAi2oAoGCCqGSM49

  38. AwEHoUQDQgAE6EFTpp1oCCWItoVzU8Cj0cE7haKyHUbh1/cgrkRcvL6ihh+aR/NP

  39. UXGps0tm581jO97bl+alqX/VUkCOlXIqrQ==

  40. -----END EC PRIVATE KEY-----

  41. `

  42. 

  43. var nonDelegatorCertPEM = `-----BEGIN CERTIFICATE-----

  44. MIIBaTCCAQ6gAwIBAgIQSUo+9uaip3qCW+1EPeHZgDAKBggqhkjOPQQDAjASMRAw

  45. DgYDVQQKEwdBY21lIENvMB4XDTE4MDYxMjIzNDAyNloXDTE5MDYxMjIzNDAyNlow

  46. EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLf7

  47. fiznPVdc3V5mM3ymswU2/IoJaq/deA6dgdj50ozdYyRiAPjxzcz9zRsZw1apTF/h

  48. yNfiLhV4EE1VrwXcT5OjRjBEMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr

  49. BgEFBQcDATAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E

  50. AwIDSQAwRgIhANXG0zmrVtQBK0TNZZoEGMOtSwxmiZzXNe+IjdpxO3TiAiEA5VYx

  51. 0CWJq5zqpVXbJMeKVMASo2nrXZoA6NhJvFQ97hw=

  52. -----END CERTIFICATE-----

  53. `

  54. 

  55. var nonDelegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----

  56. MHcCAQEEIMw9DiOfGI1E/XZrrW2huZSjYi0EKwvVjAe+dYtyFsSloAoGCCqGSM49

  57. AwEHoUQDQgAEt/t+LOc9V1zdXmYzfKazBTb8iglqr914Dp2B2PnSjN1jJGIA+PHN

  58. zP3NGxnDVqlMX+HI1+IuFXgQTVWvBdxPkw==

  59. -----END EC PRIVATE KEY-----

  60. `

  61. 

  62. var dcTestDCsPEM = `-----BEGIN DC TEST DATA-----

  63. MIIGQzCCAToTBXRsczEyAgIDAwICBAMEga0ACUp3AFswWTATBgcqhkjOPQIBBggq

  64. hkjOPQMBBwNCAAQ9z9RDrMvyRzPOkw9SK2S/O5DiwfRNjAwYcq7e/sKdN0ZcSP1K

  65. se/+ZDXfruwyviuq+h5oSzWPoejHHx7jnwBTBAMASDBGAiEAtYH/x0Ue2B2a34WG

  66. Oj9wVPJeyYBXxIbUrCdqfoQzq2oCIQCJYtwRE9UJvAQKve4ulJOr+zGjN8jG4tdg

  67. 9YSb/yOQgQR5MHcCAQEEIOBCmSaGwzZtXOJRCbA03GgxegoSV5GasVjJlttpUAPh

  68. oAoGCCqGSM49AwEHoUQDQgAEPc/UQ6zL8kczzpMPUitkvzuQ4sH0TYwMGHKu3v7C

  69. nTdGXEj9SrHv/mQ1367sMr4rqvoeaEs1j6Hoxx8e458AUzCCATgTBXRsczEzAgJ/

  70. FwICBAMEgasACUp3AFswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARcqxvo0JO1

  71. yiXoBhV/T2hmkUhwMnP5XtTJCGGfI0ILShmTeuTcScmiTuzo3qA/HVmr2sdnfBvx

  72. zhQOYXrsfTNxBAMARjBEAiB8xrQk3DRFkACXMLZTJ1jAml/2zj/Vqc4cav0xi9zk

  73. dQIgDSrNtkK1akKGeNt7Iquv0lLZgyLp1i+rwQwOTdbw6ScEeTB3AgEBBCC7JqZM

  74. yIFzXdTmuYIUqOGQ602V4VtQttg/Oh2NuSCteKAKBggqhkjOPQMBB6FEA0IABFyr

  75. G+jQk7XKJegGFX9PaGaRSHAyc/le1MkIYZ8jQgtKGZN65NxJyaJO7OjeoD8dWava

  76. x2d8G/HOFA5heux9M3EwggE9EwdpbnZhbGlkAgMA/wACAgQDBIGtAAlKdwBbMFkw

  77. EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdlKK5Dv35nOxaTS0LGqBnQstHSqVFIoZ

  78. FsHGdXuR2N4pAoMkUF0w94+BZ/KHm1Djv/ugELm0aMHp8SBbJV3JVQQDAEgwRgIh

  79. AL/gfo5JGFV/pNZe4ktc2yO41a4ipFvb8WIv8qn29gjoAiEAw1DB1EelNEfjl+fp

  80. CDMT+mdFKRDMnXTRrM2K8gI1QsEEeTB3AgEBBCCdu3sMkUAsbHAcYOZ9wJnQujWr

  81. 5UqPQotIys9hqJ3PTaAKBggqhkjOPQMBB6FEA0IABHZSiuQ79+ZzsWk0tCxqgZ0L

  82. LR0qlRSKGRbBxnV7kdjeKQKDJFBdMPePgWfyh5tQ47/7oBC5tGjB6fEgWyVdyVUw

  83. ggFAEwttYWxmb3JtZWQxMgICAwMCAgQDBIGtAAlKdwBbMFkwEwYHKoZIzj0CAQYI

  84. KoZIzj0DAQcDQgAEn8Rr7eedTHuGJjv7mglv7nJrV7KMDE2A33v8EAMGU+AvRq2m

  85. XNIoc+a6JxpYetjTnT3s8TW4qWXq9dJzw3VAVgQDAEgwRgIhAKEVbifQNllzjTwX

  86. s5CUsN42Eo8R8WTiFNSbhJmqDKsCAiEA4cqhQA2Cop2WtuOAG3aMnO9MKAPxLeUc

  87. fEmnM658P3kEeTB3AgEBBCAR4EtE/WbJIc6id2bLOR4xgis7mzOWJdiRAiGKNshB

  88. iKAKBggqhkjOPQMBB6FEA0IABF/2VNK9W/QsMdiBn3qdG19trNMAFvVM0JbeBHin

  89. gl/7WVXGBk0WzgvmA0qSH4Bc7d8z8n3JKdmByYPgpxTjbFUwggFAEwttYWxmb3Jt

  90. ZWQxMwICAwQCAgQDBIGtAAlKdwBbMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE

  91. FGWBYWhjdr9al2imEFlGx+r0tQdcEqL/Qtf7imo/z5fr2z+tG3TawC0QeHU6uyRX

  92. 8zPvZGJ/Xps5q3RBI0tVggQDAEgwRgIhAMv30xlPKpajZuahNRHx3AlGtM9mNt5K

  93. WbWvhqDXhlVgAiEAxqI0K57Y9p9lLC8cSoy2arppjPMWKkVA4G2ck2n4NwUEeTB3

  94. AgEBBCCaruxlln2bwAX0EGy4oge0EpSDObt8Z+pNqx1nxDYyYKAKBggqhkjOPQMB

  95. B6FEA0IABBYfBBlgDC3TLkbJJTTJaZMXiXvDkUiWMeYFpcbAHdvMI8zoS6b++Zgc

  96. HJbn52hmB027JEIMPWsxKxPkr7udk7Q=

  97. -----END DC TEST DATA-----

  98. `

  99. 

  100. type dcTestDC struct {

  101. 	Name       string

  102. 	Version    int

  103. 	Scheme     int

  104. 	DC         []byte

  105. 	PrivateKey []byte

  106. }

  107. 

  108. var dcTestDCs []dcTestDC

  109. var dcTestConfig *Config

  110. var dcTestDelegationCert Certificate

  111. var dcTestCert Certificate

  112. var dcTestNow time.Time

  113. 

  114. func init() {

  115. 

  116. 	// Parse the PEM-encoded DER block containing the test DCs.

  117. 	block, _ := pem.Decode([]byte(dcTestDCsPEM))

  118. 	if block == nil {

  119. 		panic("failed to decode DC tests PEM block")

  120. 	}

  121. 

  122. 	// Parse the DER-encoded test DCs.

  123. 	_, err := asn1.Unmarshal(block.Bytes, &dcTestDCs)

  124. 	if err != nil {

  125. 		panic("failed to unmarshal DC test ASN.1 data")

  126. 	}

  127. 

  128. 	// Use a static time for testing. This is the point at which the test DCs

  129. 	// were generated.

  130. 	dcTestNow = time.Date(2018, 07, 03, 18, 0, 0, 234234, time.UTC)

  131. 

  132. 	// The base configuration for the client and server.

  133. 	dcTestConfig = &Config{

  134. 		Time: func() time.Time {

  135. 			return dcTestNow

  136. 		},

  137. 		Rand:         zeroSource{},

  138. 		Certificates: nil,

  139. 		MinVersion:   VersionTLS10,

  140. 		MaxVersion:   VersionTLS13Draft22,

  141. 		CipherSuites: allCipherSuites(),

  142. 	}

  143. 

  144. 	// The delegation certificate.

  145. 	dcTestDelegationCert, err = X509KeyPair([]byte(delegatorCertPEM), []byte(delegatorKeyPEM))

  146. 	if err != nil {

  147. 		panic(err)

  148. 	}

  149. 	dcTestDelegationCert.Leaf, err = x509.ParseCertificate(dcTestDelegationCert.Certificate[0])

  150. 	if err != nil {

  151. 		panic(err)

  152. 	}

  153. 

  154. 	// A certificate without the the DelegationUsage extension for X.509.

  155. 	dcTestCert, err = X509KeyPair([]byte(nonDelegatorCertPEM), []byte(nonDelegatorKeyPEM))

  156. 	if err != nil {

  157. 		panic(err)

  158. 	}

  159. 	dcTestCert.Leaf, err = x509.ParseCertificate(dcTestCert.Certificate[0])

  160. 	if err != nil {

  161. 		panic(err)

  162. 	}

  163. 

  164. 	// Make these roots of these certificates the client's trusted CAs.

  165. 	dcTestConfig.RootCAs = x509.NewCertPool()

  166. 

  167. 	raw := dcTestDelegationCert.Certificate[len(dcTestDelegationCert.Certificate)-1]

  168. 	root, err := x509.ParseCertificate(raw)

  169. 	if err != nil {

  170. 		panic(err)

  171. 	}

  172. 	dcTestConfig.RootCAs.AddCert(root)

  173. 

  174. 	raw = dcTestCert.Certificate[len(dcTestCert.Certificate)-1]

  175. 	root, err = x509.ParseCertificate(raw)

  176. 	if err != nil {

  177. 		panic(err)

  178. 	}

  179. 	dcTestConfig.RootCAs.AddCert(root)

  180. }

  181. 

  182. // Tests the handshake and one round of application data. Returns true if the

  183. // connection used a DC.

  184. func testConnWithDC(t *testing.T, clientMsg, serverMsg string, clientConfig, serverConfig *Config) (bool, error) {

  185. 	ln := newLocalListener(t)

  186. 	defer ln.Close()

  187. 

  188. 	// Listen for and serve a single client connection.

  189. 	srvCh := make(chan *Conn, 1)

  190. 	var serr error

  191. 	go func() {

  192. 		sconn, err := ln.Accept()

  193. 		if err != nil {

  194. 			serr = err

  195. 			srvCh <- nil

  196. 			return

  197. 		}

  198. 		srv := Server(sconn, serverConfig)

  199. 		if err := srv.Handshake(); err != nil {

  200. 			serr = fmt.Errorf("handshake: %v", err)

  201. 			srvCh <- nil

  202. 			return

  203. 		}

  204. 		srvCh <- srv

  205. 	}()

  206. 

  207. 	// Dial the server.

  208. 	cli, err := Dial("tcp", ln.Addr().String(), clientConfig)

  209. 	if err != nil {

  210. 		return false, err

  211. 	}

  212. 	defer cli.Close()

  213. 

  214. 	srv := <-srvCh

  215. 	if srv == nil {

  216. 		return false, serr

  217. 	}

  218. 

  219. 	bufLen := len(clientMsg)

  220. 	if len(serverMsg) > len(clientMsg) {

  221. 		bufLen = len(serverMsg)

  222. 	}

  223. 	buf := make([]byte, bufLen)

  224. 

  225. 	// Client sends a message to the server, which is read by the server.

  226. 	cli.Write([]byte(clientMsg))

  227. 	n, err := srv.Read(buf)

  228. 	if n != len(clientMsg) || string(buf[:n]) != clientMsg {

  229. 		return false, fmt.Errorf("Server read = %d, buf= %q; want %d, %s", n, buf, len(clientMsg), clientMsg)

  230. 	}

  231. 

  232. 	// Server reads a message from the client, which is read by the client.

  233. 	srv.Write([]byte(serverMsg))

  234. 	n, err = cli.Read(buf)

  235. 	if n != len(serverMsg) || err != nil || string(buf[:n]) != serverMsg {

  236. 		return false, fmt.Errorf("Client read = %d, %v, data %q; want %d, nil, %s", n, err, buf, len(serverMsg), serverMsg)

  237. 	}

  238. 

  239. 	// Return true if the client's conn.dc structure was instantiated.

  240. 	return (cli.verifiedDc != nil), nil

  241. }

  242. 

  243. // Checks that the client suppports a version >= 1.2 and accepts delegated

  244. // credentials. If so, it returns the delegation certificate; otherwise it

  245. // returns a plain certificate.

  246. func testServerGetCertificate(ch *ClientHelloInfo) (*Certificate, error) {

  247. 	versOk := false

  248. 	for _, vers := range ch.SupportedVersions {

  249. 		versOk = versOk || (vers >= uint16(VersionTLS12))

  250. 	}

  251. 

  252. 	if versOk && ch.AcceptsDelegatedCredential {

  253. 		return &dcTestDelegationCert, nil

  254. 	}

  255. 	return &dcTestCert, nil

  256. }

  257. 

  258. // Various test cases for handshakes involving DCs.

  259. var dcTests = []struct {

  260. 	clientDC         bool

  261. 	serverDC         bool

  262. 	clientSkipVerify bool

  263. 	clientMaxVers    uint16

  264. 	serverMaxVers    uint16

  265. 	nowOffset        time.Duration

  266. 	dcTestName       string

  267. 	expectSuccess    bool

  268. 	expectDC         bool

  269. 	name             string

  270. }{

  271. 	{true, true, false, VersionTLS12, VersionTLS12, 0, "tls12", true, true, "tls12"},

  272. 	{true, true, false, VersionTLS13, VersionTLS13, 0, "tls13", true, true, "tls13"},

  273. 	{true, true, false, VersionTLS12, VersionTLS12, 0, "malformed12", false, false, "tls12, malformed dc"},

  274. 	{true, true, false, VersionTLS13, VersionTLS13, 0, "malformed13", false, false, "tls13, malformed dc"},

  275. 	{true, true, true, VersionTLS12, VersionTLS12, 0, "invalid", true, true, "tls12, invalid dc, skip verify"},

  276. 	{true, true, true, VersionTLS13, VersionTLS13, 0, "invalid", true, true, "tls13, invalid dc, skip verify"},

  277. 	{false, true, false, VersionTLS12, VersionTLS12, 0, "tls12", true, false, "client no dc"},

  278. 	{true, false, false, VersionTLS12, VersionTLS12, 0, "tls12", true, false, "server no dc"},

  279. 	{true, true, false, VersionTLS11, VersionTLS12, 0, "tls12", true, false, "client old"},

  280. 	{true, true, false, VersionTLS12, VersionTLS11, 0, "tls12", true, false, "server old"},

  281. 	{true, true, false, VersionTLS13, VersionTLS13, dcMaxTTL, "tls13", false, false, "expired dc"},

  282. }

  283. 

  284. // Tests the handshake with the delegated credential extension for each test

  285. // case in dcTests.

  286. func TestDCHandshake(t *testing.T) {

  287. 	serverMsg := "hello"

  288. 	clientMsg := "world"

  289. 

  290. 	clientConfig := dcTestConfig.Clone()

  291. 	serverConfig := dcTestConfig.Clone()

  292. 	serverConfig.GetCertificate = testServerGetCertificate

  293. 

  294. 	for i, test := range dcTests {

  295. 		clientConfig.MaxVersion = test.clientMaxVers

  296. 		serverConfig.MaxVersion = test.serverMaxVers

  297. 		clientConfig.InsecureSkipVerify = test.clientSkipVerify

  298. 		clientConfig.AcceptDelegatedCredential = test.clientDC

  299. 		clientConfig.Time = func() time.Time {

  300. 			return dcTestNow.Add(time.Duration(test.nowOffset))

  301. 		}

  302. 

  303. 		if test.serverDC {

  304. 			serverConfig.GetDelegatedCredential = func(

  305. 				ch *ClientHelloInfo, vers uint16) (*DelegatedCredential, crypto.PrivateKey, error) {

  306. 				for _, t := range dcTestDCs {

  307. 					if t.Name == test.dcTestName {

  308. 						dc, err := UnmarshalDelegatedCredential(t.DC)

  309. 						if err != nil {

  310. 							return nil, nil, err

  311. 						}

  312. 						sk, err := x509.ParseECPrivateKey(t.PrivateKey)

  313. 						if err != nil {

  314. 							return nil, nil, err

  315. 						}

  316. 						return dc, sk, nil

  317. 					}

  318. 				}

  319. 				return nil, nil, fmt.Errorf("Test DC with name '%s' not found", test.dcTestName)

  320. 			}

  321. 		} else {

  322. 			serverConfig.GetDelegatedCredential = nil

  323. 		}

  324. 

  325. 		usedDC, err := testConnWithDC(t, clientMsg, serverMsg, clientConfig, serverConfig)

  326. 		if err != nil && test.expectSuccess {

  327. 			t.Errorf("test #%d (%s) fails: %s", i+1, test.name, err)

  328. 		} else if err == nil && !test.expectSuccess {

  329. 			t.Errorf("test #%d (%s) succeeds; expected failure", i+1, test.name)

  330. 		}

  331. 

  332. 		if usedDC != test.expectDC {

  333. 			t.Errorf("test #%d (%s) usedDC = %v; expected %v", i+1, test.name, usedDC, test.expectDC)

  334. 		}

  335. 	}

  336. }