kris
/
th5
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Alternative TLS implementation in Go
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
505 Révisions
3 Branches
2.6 MiB
 
 
Aborescence: 1ea9624098
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '1ea9624098'
${ noResults }
th5/subcerts_test.go

337 lignes
12 KiB
Brut Annotations Historique 

  1. // Copyright 2018 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/x509"

  10. 	"encoding/asn1"

  11. 	"encoding/pem"

  12. 	"fmt"

  13. 	"testing"

  14. 	"time"

  15. )

  16. 

  17. // These test keys were generated with the following program, available in the

  18. // crypto/tls directory:

  19. //

  20. //		go run generate_cert.go -ecdsa-curve P256 -host 127.0.0.1 -dc

  21. //

  22. // To get a certificate without the DelegationUsage extension, remove the `-dc`

  23. // parameter.

  24. var delegatorCertPEM = `-----BEGIN CERTIFICATE-----

  25. MIIBdzCCAR2gAwIBAgIQLVIvEpo0/0TzRja4ImvB1TAKBggqhkjOPQQDAjASMRAw

  26. DgYDVQQKEwdBY21lIENvMB4XDTE4MDcwMzE2NTE1M1oXDTE5MDcwMzE2NTE1M1ow

  27. EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOhB

  28. U6adaAgliLaFc1PAo9HBO4Wish1G4df3IK5EXLy+ooYfmkfzT1FxqbNLZufNYzve

  29. 25fmpal/1VJAjpVyKq2jVTBTMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr

  30. BgEFBQcDATAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwDQYJKwYBBAGC

  31. 2kssBAAwCgYIKoZIzj0EAwIDSAAwRQIhAPNwRk6cygm6zO5rjOzohKYWS+1KuWCM

  32. OetDIvU4mdyoAiAGN97y3GJccYn9ZOJS4UOqhr9oO8PuZMLgdq4OrMRiiA==

  33. -----END CERTIFICATE-----

  34. `

  35. 

  36. var delegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----

  37. MHcCAQEEIJDVlo+sJolMcNjMkfCGDUjMJcE4UgclcXGCrOtbJAi2oAoGCCqGSM49

  38. AwEHoUQDQgAE6EFTpp1oCCWItoVzU8Cj0cE7haKyHUbh1/cgrkRcvL6ihh+aR/NP

  39. UXGps0tm581jO97bl+alqX/VUkCOlXIqrQ==

  40. -----END EC PRIVATE KEY-----

  41. `

  42. 

  43. var nonDelegatorCertPEM = `-----BEGIN CERTIFICATE-----

  44. MIIBaTCCAQ6gAwIBAgIQSUo+9uaip3qCW+1EPeHZgDAKBggqhkjOPQQDAjASMRAw

  45. DgYDVQQKEwdBY21lIENvMB4XDTE4MDYxMjIzNDAyNloXDTE5MDYxMjIzNDAyNlow

  46. EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLf7

  47. fiznPVdc3V5mM3ymswU2/IoJaq/deA6dgdj50ozdYyRiAPjxzcz9zRsZw1apTF/h

  48. yNfiLhV4EE1VrwXcT5OjRjBEMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr

  49. BgEFBQcDATAMBgNVHRMBAf8EAjAAMA8GA1UdEQQIMAaHBH8AAAEwCgYIKoZIzj0E

  50. AwIDSQAwRgIhANXG0zmrVtQBK0TNZZoEGMOtSwxmiZzXNe+IjdpxO3TiAiEA5VYx

  51. 0CWJq5zqpVXbJMeKVMASo2nrXZoA6NhJvFQ97hw=

  52. -----END CERTIFICATE-----

  53. `

  54. 

  55. var nonDelegatorKeyPEM = `-----BEGIN EC PRIVATE KEY-----

  56. MHcCAQEEIMw9DiOfGI1E/XZrrW2huZSjYi0EKwvVjAe+dYtyFsSloAoGCCqGSM49

  57. AwEHoUQDQgAEt/t+LOc9V1zdXmYzfKazBTb8iglqr914Dp2B2PnSjN1jJGIA+PHN

  58. zP3NGxnDVqlMX+HI1+IuFXgQTVWvBdxPkw==

  59. -----END EC PRIVATE KEY-----

  60. `

  61. 

  62. var dcTestDCsPEM = `-----BEGIN DC TEST DATA-----

  63. MIIGQzCCAToTBXRsczEyAgIDAwICBAMEga0ACUp3AFswWTATBgcqhkjOPQIBBggq

  64. hkjOPQMBBwNCAAQ9z9RDrMvyRzPOkw9SK2S/O5DiwfRNjAwYcq7e/sKdN0ZcSP1K

  65. se/+ZDXfruwyviuq+h5oSzWPoejHHx7jnwBTBAMASDBGAiEAtYH/x0Ue2B2a34WG

  66. Oj9wVPJeyYBXxIbUrCdqfoQzq2oCIQCJYtwRE9UJvAQKve4ulJOr+zGjN8jG4tdg

  67. 9YSb/yOQgQR5MHcCAQEEIOBCmSaGwzZtXOJRCbA03GgxegoSV5GasVjJlttpUAPh

  68. oAoGCCqGSM49AwEHoUQDQgAEPc/UQ6zL8kczzpMPUitkvzuQ4sH0TYwMGHKu3v7C

  69. nTdGXEj9SrHv/mQ1367sMr4rqvoeaEs1j6Hoxx8e458AUzCCATgTBXRsczEzAgJ/

  70. FwICBAMEgasACUp3AFswWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARcqxvo0JO1

  71. yiXoBhV/T2hmkUhwMnP5XtTJCGGfI0ILShmTeuTcScmiTuzo3qA/HVmr2sdnfBvx

  72. zhQOYXrsfTNxBAMARjBEAiB8xrQk3DRFkACXMLZTJ1jAml/2zj/Vqc4cav0xi9zk

  73. dQIgDSrNtkK1akKGeNt7Iquv0lLZgyLp1i+rwQwOTdbw6ScEeTB3AgEBBCC7JqZM

  74. yIFzXdTmuYIUqOGQ602V4VtQttg/Oh2NuSCteKAKBggqhkjOPQMBB6FEA0IABFyr

  75. G+jQk7XKJegGFX9PaGaRSHAyc/le1MkIYZ8jQgtKGZN65NxJyaJO7OjeoD8dWava

  76. x2d8G/HOFA5heux9M3EwggE9EwdpbnZhbGlkAgMA/wACAgQDBIGtAAlKdwBbMFkw

  77. EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdlKK5Dv35nOxaTS0LGqBnQstHSqVFIoZ

  78. FsHGdXuR2N4pAoMkUF0w94+BZ/KHm1Djv/ugELm0aMHp8SBbJV3JVQQDAEgwRgIh

  79. AL/gfo5JGFV/pNZe4ktc2yO41a4ipFvb8WIv8qn29gjoAiEAw1DB1EelNEfjl+fp

  80. CDMT+mdFKRDMnXTRrM2K8gI1QsEEeTB3AgEBBCCdu3sMkUAsbHAcYOZ9wJnQujWr

  81. 5UqPQotIys9hqJ3PTaAKBggqhkjOPQMBB6FEA0IABHZSiuQ79+ZzsWk0tCxqgZ0L

  82. LR0qlRSKGRbBxnV7kdjeKQKDJFBdMPePgWfyh5tQ47/7oBC5tGjB6fEgWyVdyVUw

  83. ggFAEwttYWxmb3JtZWQxMgICAwMCAgQDBIGtAAlKdwBbMFkwEwYHKoZIzj0CAQYI

  84. KoZIzj0DAQcDQgAEn8Rr7eedTHuGJjv7mglv7nJrV7KMDE2A33v8EAMGU+AvRq2m

  85. XNIoc+a6JxpYetjTnT3s8TW4qWXq9dJzw3VAVgQDAEgwRgIhAKEVbifQNllzjTwX

  86. s5CUsN42Eo8R8WTiFNSbhJmqDKsCAiEA4cqhQA2Cop2WtuOAG3aMnO9MKAPxLeUc

  87. fEmnM658P3kEeTB3AgEBBCAR4EtE/WbJIc6id2bLOR4xgis7mzOWJdiRAiGKNshB

  88. iKAKBggqhkjOPQMBB6FEA0IABF/2VNK9W/QsMdiBn3qdG19trNMAFvVM0JbeBHin

  89. gl/7WVXGBk0WzgvmA0qSH4Bc7d8z8n3JKdmByYPgpxTjbFUwggFAEwttYWxmb3Jt

  90. ZWQxMwICAwQCAgQDBIGtAAlKdwBbMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE

  91. FGWBYWhjdr9al2imEFlGx+r0tQdcEqL/Qtf7imo/z5fr2z+tG3TawC0QeHU6uyRX

  92. 8zPvZGJ/Xps5q3RBI0tVggQDAEgwRgIhAMv30xlPKpajZuahNRHx3AlGtM9mNt5K

  93. WbWvhqDXhlVgAiEAxqI0K57Y9p9lLC8cSoy2arppjPMWKkVA4G2ck2n4NwUEeTB3

  94. AgEBBCCaruxlln2bwAX0EGy4oge0EpSDObt8Z+pNqx1nxDYyYKAKBggqhkjOPQMB

  95. B6FEA0IABBYfBBlgDC3TLkbJJTTJaZMXiXvDkUiWMeYFpcbAHdvMI8zoS6b++Zgc

  96. HJbn52hmB027JEIMPWsxKxPkr7udk7Q=

  97. -----END DC TEST DATA-----

  98. `

  99. 

  100. type dcTestDC struct {

  101. 	Name       string

  102. 	Version    int

  103. 	Scheme     int

  104. 	DC         []byte

  105. 	PrivateKey []byte

  106. }

  107. 

  108. var dcTestDCs []dcTestDC

  109. var dcTestConfig *Config

  110. var dcTestDelegationCert Certificate

  111. var dcTestCert Certificate

  112. var dcTestNow time.Time

  113. 

  114. func init() {

  115. 

  116. 	// Parse the PEM-encoded DER block containing the test DCs.

  117. 	block, _ := pem.Decode([]byte(dcTestDCsPEM))

  118. 	if block == nil {

  119. 		panic("failed to decode DC tests PEM block")

  120. 	}

  121. 

  122. 	// Parse the DER-encoded test DCs.

  123. 	_, err := asn1.Unmarshal(block.Bytes, &dcTestDCs)

  124. 	if err != nil {

  125. 		panic("failed to unmarshal DC test ASN.1 data")

  126. 	}

  127. 

  128. 	// Use a static time for testing. This is the point at which the test DCs

  129. 	// were generated.

  130. 	dcTestNow = time.Date(2018, 07, 03, 18, 0, 0, 234234, time.UTC)

  131. 

  132. 	// The base configuration for the client and server.

  133. 	dcTestConfig = &Config{

  134. 		Time: func() time.Time {

  135. 			return dcTestNow

  136. 		},

  137. 		Rand:         zeroSource{},

  138. 		Certificates: nil,

  139. 		MinVersion:   VersionTLS10,

  140. 		MaxVersion:   VersionTLS13Draft22,

  141. 		CipherSuites: allCipherSuites(),

  142. 	}

  143. 

  144. 	// The delegation certificate.

  145. 	dcTestDelegationCert, err = X509KeyPair([]byte(delegatorCertPEM), []byte(delegatorKeyPEM))

  146. 	if err != nil {

  147. 		panic(err)

  148. 	}

  149. 	dcTestDelegationCert.Leaf, err = x509.ParseCertificate(dcTestDelegationCert.Certificate[0])

  150. 	if err != nil {

  151. 		panic(err)

  152. 	}

  153. 

  154. 	// A certificate without the the DelegationUsage extension for X.509.

  155. 	dcTestCert, err = X509KeyPair([]byte(nonDelegatorCertPEM), []byte(nonDelegatorKeyPEM))

  156. 	if err != nil {

  157. 		panic(err)

  158. 	}

  159. 	dcTestCert.Leaf, err = x509.ParseCertificate(dcTestCert.Certificate[0])

  160. 	if err != nil {

  161. 		panic(err)

  162. 	}

  163. 

  164. 	// Make these roots of these certificates the client's trusted CAs.

  165. 	dcTestConfig.RootCAs = x509.NewCertPool()

  166. 

  167. 	raw := dcTestDelegationCert.Certificate[len(dcTestDelegationCert.Certificate)-1]

  168. 	root, err := x509.ParseCertificate(raw)

  169. 	if err != nil {

  170. 		panic(err)

  171. 	}

  172. 	dcTestConfig.RootCAs.AddCert(root)

  173. 

  174. 	raw = dcTestCert.Certificate[len(dcTestCert.Certificate)-1]

  175. 	root, err = x509.ParseCertificate(raw)

  176. 	if err != nil {

  177. 		panic(err)

  178. 	}

  179. 	dcTestConfig.RootCAs.AddCert(root)

  180. }

  181. 

  182. // Tests the handshake and one round of application data. Returns true if the

  183. // connection used a DC.

  184. func testConnWithDC(t *testing.T, clientMsg, serverMsg string, clientConfig, serverConfig *Config) (bool, error) {

  185. 	ln := newLocalListener(t)

  186. 	defer ln.Close()

  187. 

  188. 	// Listen for and serve a single client connection.

  189. 	srvCh := make(chan *Conn, 1)

  190. 	var serr error

  191. 	go func() {

  192. 		sconn, err := ln.Accept()

  193. 		if err != nil {

  194. 			serr = err

  195. 			srvCh <- nil

  196. 			return

  197. 		}

  198. 		srv := Server(sconn, serverConfig)

  199. 		if err := srv.Handshake(); err != nil {

  200. 			serr = fmt.Errorf("handshake: %v", err)

  201. 			srvCh <- nil

  202. 			return

  203. 		}

  204. 		srvCh <- srv

  205. 	}()

  206. 

  207. 	// Dial the server.

  208. 	cli, err := Dial("tcp", ln.Addr().String(), clientConfig)

  209. 	if err != nil {

  210. 		return false, err

  211. 	}

  212. 	defer cli.Close()

  213. 

  214. 	srv := <-srvCh

  215. 	if srv == nil {

  216. 		return false, serr

  217. 	}

  218. 

  219. 	bufLen := len(clientMsg)

  220. 	if len(serverMsg) > len(clientMsg) {

  221. 		bufLen = len(serverMsg)

  222. 	}

  223. 	buf := make([]byte, bufLen)

  224. 

  225. 	// Client sends a message to the server, which is read by the server.

  226. 	cli.Write([]byte(clientMsg))

  227. 	n, err := srv.Read(buf)

  228. 	if n != len(clientMsg) || string(buf[:n]) != clientMsg {

  229. 		return false, fmt.Errorf("Server read = %d, buf= %q; want %d, %s", n, buf, len(clientMsg), clientMsg)

  230. 	}

  231. 

  232. 	// Server reads a message from the client, which is read by the client.

  233. 	srv.Write([]byte(serverMsg))

  234. 	n, err = cli.Read(buf)

  235. 	if n != len(serverMsg) || err != nil || string(buf[:n]) != serverMsg {

  236. 		return false, fmt.Errorf("Client read = %d, %v, data %q; want %d, nil, %s", n, err, buf, len(serverMsg), serverMsg)

  237. 	}

  238. 

  239. 	// Return true if the client's conn.dc structure was instantiated.

  240. 	return (cli.verifiedDc != nil), nil

  241. }

  242. 

  243. // Checks that the client suppports a version >= 1.2 and accepts delegated

  244. // credentials. If so, it returns the delegation certificate; otherwise it

  245. // returns a plain certificate.

  246. func testServerGetCertificate(ch *ClientHelloInfo) (*Certificate, error) {

  247. 	versOk := false

  248. 	for _, vers := range ch.SupportedVersions {

  249. 		versOk = versOk || (vers >= uint16(VersionTLS12))

  250. 	}

  251. 

  252. 	if versOk && ch.AcceptsDelegatedCredential {

  253. 		return &dcTestDelegationCert, nil

  254. 	}

  255. 	return &dcTestCert, nil

  256. }

  257. 

  258. // Various test cases for handshakes involving DCs.

  259. var dcTests = []struct {

  260. 	clientDC         bool

  261. 	serverDC         bool

  262. 	clientSkipVerify bool

  263. 	clientMaxVers    uint16

  264. 	serverMaxVers    uint16

  265. 	nowOffset        time.Duration

  266. 	dcTestName       string

  267. 	expectSuccess    bool

  268. 	expectDC         bool

  269. 	name             string

  270. }{

  271. 	{true, true, false, VersionTLS12, VersionTLS12, 0, "tls12", true, true, "tls12"},

  272. 	{true, true, false, VersionTLS13, VersionTLS13, 0, "tls13", true, true, "tls13"},

  273. 	{true, true, false, VersionTLS12, VersionTLS12, 0, "malformed12", false, false, "tls12, malformed dc"},

  274. 	{true, true, false, VersionTLS13, VersionTLS13, 0, "malformed13", false, false, "tls13, malformed dc"},

  275. 	{true, true, true, VersionTLS12, VersionTLS12, 0, "invalid", true, true, "tls12, invalid dc, skip verify"},

  276. 	{true, true, true, VersionTLS13, VersionTLS13, 0, "invalid", true, true, "tls13, invalid dc, skip verify"},

  277. 	{false, true, false, VersionTLS12, VersionTLS12, 0, "tls12", true, false, "client no dc"},

  278. 	{true, false, false, VersionTLS12, VersionTLS12, 0, "tls12", true, false, "server no dc"},

  279. 	{true, true, false, VersionTLS11, VersionTLS12, 0, "tls12", true, false, "client old"},

  280. 	{true, true, false, VersionTLS12, VersionTLS11, 0, "tls12", true, false, "server old"},

  281. 	{true, true, false, VersionTLS13, VersionTLS13, dcMaxTTL, "tls13", false, false, "expired dc"},

  282. }

  283. 

  284. // Tests the handshake with the delegated credential extension for each test

  285. // case in dcTests.

  286. func TestDCHandshake(t *testing.T) {

  287. 	serverMsg := "hello"

  288. 	clientMsg := "world"

  289. 

  290. 	clientConfig := dcTestConfig.Clone()

  291. 	serverConfig := dcTestConfig.Clone()

  292. 	serverConfig.GetCertificate = testServerGetCertificate

  293. 

  294. 	for i, test := range dcTests {

  295. 		clientConfig.MaxVersion = test.clientMaxVers

  296. 		serverConfig.MaxVersion = test.serverMaxVers

  297. 		clientConfig.InsecureSkipVerify = test.clientSkipVerify

  298. 		clientConfig.AcceptDelegatedCredential = test.clientDC

  299. 		clientConfig.Time = func() time.Time {

  300. 			return dcTestNow.Add(time.Duration(test.nowOffset))

  301. 		}

  302. 

  303. 		if test.serverDC {

  304. 			serverConfig.GetDelegatedCredential = func(

  305. 				ch *ClientHelloInfo, vers uint16) (*DelegatedCredential, crypto.PrivateKey, error) {

  306. 				for _, t := range dcTestDCs {

  307. 					if t.Name == test.dcTestName {

  308. 						dc, err := UnmarshalDelegatedCredential(t.DC)

  309. 						if err != nil {

  310. 							return nil, nil, err

  311. 						}

  312. 						sk, err := x509.ParseECPrivateKey(t.PrivateKey)

  313. 						if err != nil {

  314. 							return nil, nil, err

  315. 						}

  316. 						return dc, sk, nil

  317. 					}

  318. 				}

  319. 				return nil, nil, fmt.Errorf("Test DC with name '%s' not found", test.dcTestName)

  320. 			}

  321. 		} else {

  322. 			serverConfig.GetDelegatedCredential = nil

  323. 		}

  324. 

  325. 		usedDC, err := testConnWithDC(t, clientMsg, serverMsg, clientConfig, serverConfig)

  326. 		if err != nil && test.expectSuccess {

  327. 			t.Errorf("test #%d (%s) fails: %s", i+1, test.name, err)

  328. 		} else if err == nil && !test.expectSuccess {

  329. 			t.Errorf("test #%d (%s) succeeds; expected failure", i+1, test.name)

  330. 		}

  331. 

  332. 		if usedDC != test.expectDC {

  333. 			t.Errorf("test #%d (%s) usedDC = %v; expected %v", i+1, test.name, usedDC, test.expectDC)

  334. 		}

  335. 	}

  336. }