From d45159b5485d39fd06cdad71f2c9fc56c630a6ff Mon Sep 17 00:00:00 2001 From: Takuya Kosugiyama Date: Wed, 10 Jun 2020 10:20:38 +0900 Subject: [PATCH] Compare two certificates chains where one is expired Signed-off-by: Takuya Kosugiyama --- prober/tcp_test.go | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/prober/tcp_test.go b/prober/tcp_test.go index 8d2b21d5..d05f3174 100644 --- a/prober/tcp_test.go +++ b/prober/tcp_test.go @@ -216,17 +216,14 @@ func TestTCPConnectionWithTLSAndVerifiedCertificateChain(t *testing.T) { testCTX, cancel := context.WithTimeout(context.Background(), 10*time.Second) defer cancel() + // From here prepare two certificate chains where one is expired + rootPrivatekey, err := rsa.GenerateKey(rand.Reader, 2048) if err != nil { panic(fmt.Sprintf("Error creating rsa key: %s", err)) } - // Prepare certificates to simulate a situation where - // the root certificate in the chain sent by the server - // expired but a verified certificate chain can be found - // because a new one has installed on the local machine. - - rootCertExpiry := time.Now().AddDate(0, 0, 1) + rootCertExpiry := time.Now().AddDate(0, 0, 2) rootCertTmpl := generateCertificateTemplate(rootCertExpiry, false) rootCertTmpl.IsCA = true _, rootCertPem := generateSelfSignedCertificateWithPrivateKey(rootCertTmpl, rootPrivatekey) @@ -236,19 +233,16 @@ func TestTCPConnectionWithTLSAndVerifiedCertificateChain(t *testing.T) { expiredRootCertTmpl.IsCA = true expiredRootCert, expiredRootCertPem := generateSelfSignedCertificateWithPrivateKey(expiredRootCertTmpl, rootPrivatekey) - intermediateCertTmpl := generateCertificateTemplate(rootCertExpiry, false) - intermediateCertTmpl.IsCA = true - intermediateCert, intermediateCertPem, intermediateKey := generateSignedCertificate(intermediateCertTmpl, expiredRootCert, rootPrivatekey) - - leafCertImpl := generateCertificateTemplate(rootCertExpiry, false) - _, leafCertPem, leafKey := generateSignedCertificate(leafCertImpl, intermediateCert, intermediateKey) + serverCertExpiry := time.Now().AddDate(0, 0, 1) + serverCertTmpl := generateCertificateTemplate(serverCertExpiry, false) + _, serverCertPem, serverKey := generateSignedCertificate(serverCertTmpl, expiredRootCert, rootPrivatekey) // CAFile must be passed via filesystem, use a tempfile. tmpCaFile, err := ioutil.TempFile("", "cafile.pem") if err != nil { t.Fatalf(fmt.Sprintf("Error creating CA tempfile: %s", err)) } - if _, err := tmpCaFile.Write(rootCertPem); err != nil { + if _, err := tmpCaFile.Write(bytes.Join([][]byte{rootCertPem, expiredRootCertPem}, []byte("\n"))); err != nil { t.Fatalf(fmt.Sprintf("Error writing CA tempfile: %s", err)) } if err := tmpCaFile.Close(); err != nil { @@ -266,14 +260,9 @@ func TestTCPConnectionWithTLSAndVerifiedCertificateChain(t *testing.T) { } defer conn.Close() - expiredRootKeyPem := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(rootPrivatekey)}) - intermediateKeyPem := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(intermediateKey)}) - leafKeyPem := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(leafKey)}) - - certPem := bytes.Join([][]byte{leafCertPem, intermediateCertPem, expiredRootCertPem}, []byte("\n")) - keyPem := bytes.Join([][]byte{leafKeyPem, intermediateKeyPem, expiredRootKeyPem}, []byte("\n")) + serverKeyPem := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(serverKey)}) - keypair, err := tls.X509KeyPair(certPem, keyPem) + keypair, err := tls.X509KeyPair(serverCertPem, serverKeyPem) if err != nil { panic(fmt.Sprintf("Failed to decode TLS testing keypair: %s\n", err)) } @@ -326,8 +315,8 @@ func TestTCPConnectionWithTLSAndVerifiedCertificateChain(t *testing.T) { // Check values expectedResults := map[string]float64{ - "probe_ssl_earliest_cert_expiry": float64(oldRootCertExpiry.Unix()), - "probe_ssl_last_chain_expiry_timestamp_seconds": float64(rootCertExpiry.Unix()), + "probe_ssl_earliest_cert_expiry": float64(serverCertExpiry.Unix()), + "probe_ssl_last_chain_expiry_timestamp_seconds": float64(serverCertExpiry.Unix()), "probe_tls_version_info": 1, } checkRegistryResults(expectedResults, mfs, t)