Posted to commits@trafficserver.apache.org by ja...@apache.org on 2015/04/07 01:16:45 UTC

trafficserver git commit: ECDSA certificate selection tests

Repository: trafficserver
Updated Branches:
  refs/heads/master 661201486 -> f5e6d357a


ECDSA certificate selection tests

Add tests for ECDSA and RSA certificate selection.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f5e6d357
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f5e6d357
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f5e6d357

Branch: refs/heads/master
Commit: f5e6d357abdaf55207f15c911da48321094aaf2e
Parents: 6612014
Author: Thomas Jackson <ja...@apache.org>
Authored: Mon Apr 6 16:14:09 2015 -0700
Committer: Thomas Jackson <ja...@apache.org>
Committed: Mon Apr 6 16:16:15 2015 -0700

----------------------------------------------------------------------
 ci/new_tsqa/files/ec_keys/README.rst          |   8 ++
 ci/new_tsqa/files/ec_keys/www.example.com.pem |  18 +++
 ci/new_tsqa/files/ec_keys/www.test.com.pem    |  18 +++
 ci/new_tsqa/tests/test_https.py               | 131 +++++++++++++++++----
 4 files changed, 153 insertions(+), 22 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/README.rst
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/README.rst b/ci/new_tsqa/files/ec_keys/README.rst
new file mode 100644
index 0000000..12329c7
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/README.rst
@@ -0,0 +1,8 @@
+All of these certificates are self-signed and are *not* secure. They are intended
+only for use in testing.
+
+Try to use existing certs if possible rather than generating your own.
+
+# generated using (make sure to set "hostname"):
+openssl ecparam -name prime256v1 -genkey -out key.pem
+openssl req -new -x509 -key key.pem -out cert.pem

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/www.example.com.pem
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.example.com.pem b/ci/new_tsqa/files/ec_keys/www.example.com.pem
new file mode 100644
index 0000000..4db7e23
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/www.example.com.pem
@@ -0,0 +1,18 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIGCAR+s6Sno+AteQgnMBOsS7sD4EbSxGN7anPQaossvkoAoGCCqGSM49
+AwEHoUQDQgAEwNOf/ym+XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l
+2L7lLqGtmUcuUhDaOxf91hhXAfprU+qRvA==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIB/TCCAaSgAwIBAgIJAI8scEv82xNQMAkGByqGSM49BAEwXDELMAkGA1UEBhMC
+WFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21w
+YW55IEx0ZDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTE1MDQwNjIyMzEz
+OVoXDTE1MDUwNjIyMzEzOVowXDELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1
+bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDEYMBYGA1UEAwwP
+d3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwNOf/ym+
+XidKYjQg2WDM3GPK2eMbRz2VmvdB4dbzBxQ4gMYCIl2l2L7lLqGtmUcuUhDaOxf9
+1hhXAfprU+qRvKNQME4wHQYDVR0OBBYEFFju5RlYt02MzdcnwBKzCIRnKp2vMB8G
+A1UdIwQYMBaAFFju5RlYt02MzdcnwBKzCIRnKp2vMAwGA1UdEwQFMAMBAf8wCQYH
+KoZIzj0EAQNIADBFAiEAhmfh1lZz99IjJ9n5Num1O6BK491eDP+rENyTC7Y6a/YC
+ID/HGrCAtz1n4lPZ2kSxe6E8lqotrEmEDEx14hlmdw7K
+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/files/ec_keys/www.test.com.pem
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/files/ec_keys/www.test.com.pem b/ci/new_tsqa/files/ec_keys/www.test.com.pem
new file mode 100644
index 0000000..97b33b3
--- /dev/null
+++ b/ci/new_tsqa/files/ec_keys/www.test.com.pem
@@ -0,0 +1,18 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILVRI/Y9isXZJKXwb4srPN4hjx+ZUWGmSL3cn8AEhTVQoAoGCCqGSM49
+AwEHoUQDQgAEh4NjyzcxA2B/b281cUsRHaF+yAUV4CnIhUkPQigXw10GO9lQx69w
+of7PjZkJRdeBlEMBVUcwTKEuENMZ7a3+Tw==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f5e6d357/ci/new_tsqa/tests/test_https.py
----------------------------------------------------------------------
diff --git a/ci/new_tsqa/tests/test_https.py b/ci/new_tsqa/tests/test_https.py
index 2b38614..fcc6bad 100644
--- a/ci/new_tsqa/tests/test_https.py
+++ b/ci/new_tsqa/tests/test_https.py
@@ -21,38 +21,26 @@ import socket
 import helpers
 import tsqa.utils
 
+# some ciphers to test with
+CIPHER_MAP = {
+    'rsa': 'ECDHE-RSA-AES256-GCM-SHA384',
+    'ecdsa': 'ECDHE-ECDSA-AES256-GCM-SHA384',
+}
 
-class TestSSL(helpers.EnvironmentCase):
-    @classmethod
-    def setUpEnv(cls, env):
-        '''
-        This function is responsible for setting up the environment for this fixture
-        This includes everything pre-daemon start
-        '''
-
-        # add an SSL port to ATS
-        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
-        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
-        cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.enabled'] = 1
-        cls.configs['records.config']['CONFIG']['proxy.config.diags.debug.tags'] = 'ssl'
 
-        # configure SSL multicert
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
-
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
-        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
-
-    def _get_cert(self, addr, sni_name=None):
+class CertSelectionMixin(object):
+    def _get_cert(self, addr, sni_name=None, ciphers=None):
         '''
         Return the certificate for addr. Optionally sending sni_name
         '''
-        ctx = SSL.Context(SSL.SSLv23_METHOD)
+        ctx = SSL.Context(SSL.TLSv1_2_METHOD)
         # Set up client
         sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
         sock.connect(addr)
         if sni_name is not None:
             sock.set_tlsext_host_name(sni_name)
+        if ciphers is not None:
+            ctx.set_cipher_list(ciphers)
         sock.do_handshake()
         return sock.get_peer_certificate()
 
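Review bot: In `_get_cert`, `ctx.set_cipher_list(ciphers)` is called after `SSL.Connection(ctx, ...)` has already been created from that context and after `sock.connect(addr)`; whether a cipher list applied to the context afterwards is still picked up by an existing connection depends on the OpenSSL version's fallback from the SSL object to its context, so the selection tests may be negotiating with the server's default list rather than the requested one. Moving the two lines up so the context is fully configured first removes the doubt: `if ciphers is not None:` / `    ctx.set_cipher_list(ciphers)` immediately after `ctx = SSL.Context(SSL.TLSv1_2_METHOD)`, before the Connection is built. The method also never closes `sock`, so every test leaves a completed TLS connection to ATS open until garbage collection; wrapping the part from `connect` through `get_peer_certificate` in `try:` / `finally: sock.close()` would tidy that. `CertSelectionMixin` continues past the end of this hunk.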
@@ -93,3 +81,102 @@ class TestSSL(helpers.EnvironmentCase):
 
         cert = self._get_cert(addr, sni_name='www.example.com')
         self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+
+class TestRSA(helpers.EnvironmentCase, CertSelectionMixin):
+    '''
+    Tests for https for ATS configured with RSA certificates
+    '''
+    @classmethod
+    def setUpEnv(cls, env):
+        # add an SSL port to ATS
+        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+        cls.configs['records.config']['CONFIG'].update({
+            'proxy.config.diags.debug.enabled': 1,
+            'proxy.config.diags.debug.tags': 'ssl',
+            'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['rsa'],
+        })
+
+        # configure SSL multicert
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
+
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem')))
+
+    def test_rsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+        self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+    def test_ecdsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        with self.assertRaises(Exception):
+            cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+            self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+class TestECDSA(helpers.EnvironmentCase, CertSelectionMixin):
+    '''
+    Tests for https for ATS configured with ECDSA certificates
+    '''
+    @classmethod
+    def setUpEnv(cls, env):
+        # add an SSL port to ATS
+        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+        cls.configs['records.config']['CONFIG'].update({
+            'proxy.config.diags.debug.enabled': 1,
+            'proxy.config.diags.debug.tags': 'ssl',
+            'proxy.config.ssl.server.cipher_suite': CIPHER_MAP['ecdsa'],
+        })
+
+        # configure SSL multicert
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0}'.format(helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+    def test_rsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        with self.assertRaises(Exception):
+            cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+            self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+    def test_ecdsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+        self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+class TestMix(helpers.EnvironmentCase, CertSelectionMixin):
+    '''
+    Tests for https for ATS configured with both ECDSA and RSA certificates
+    '''
+    @classmethod
+    def setUpEnv(cls, env):
+        # add an SSL port to ATS
+        cls.ssl_port = tsqa.utils.bind_unused_port()[1]
+        cls.configs['records.config']['CONFIG']['proxy.config.http.server_ports'] += ' {0}:ssl'.format(cls.ssl_port)
+        cls.configs['records.config']['CONFIG'].update({
+            'proxy.config.diags.debug.enabled': 1,
+            'proxy.config.diags.debug.tags': 'ssl',
+            'proxy.config.ssl.server.cipher_suite': '{0}:{1}'.format(CIPHER_MAP['ecdsa'], CIPHER_MAP['rsa']),
+        })
+
+        # configure SSL multicert
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'), helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=127.0.0.2 ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'), helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.example.com.pem'), helpers.tests_file_path('ec_keys/www.example.com.pem')))
+        cls.configs['ssl_multicert.config'].add_line('dest_ip=* ssl_cert_name={0},{1}'.format(helpers.tests_file_path('rsa_keys/www.test.com.pem'), helpers.tests_file_path('ec_keys/www.test.com.pem')))
+
+    def test_rsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        cert = self._get_cert(addr, ciphers=CIPHER_MAP['rsa'])
+        self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
+
+    def test_ecdsa(self):
+        addr = ('127.0.0.1', self.ssl_port)
+        cert = self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])
+        self.assertEqual(cert.get_subject().commonName.decode(), 'www.example.com')
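Review bot: `TestRSA.test_ecdsa` and `TestECDSA.test_rsa` place the `assertEqual` inside `with self.assertRaises(Exception):`, so a handshake that succeeds but returns the wrong certificate raises AssertionError, which the catch-all then swallows and reports as a pass; the negative tests only fail if the server hands back exactly www.example.com. Narrow the expected exception to the handshake failure and keep only the connection inside the block: `with self.assertRaises(SSL.Error):` / `    self._get_cert(addr, ciphers=CIPHER_MAP['ecdsa'])` (and the mirror with `CIPHER_MAP['rsa']` in TestECDSA). The three `setUpEnv` bodies differ only in the cipher string and the key directory, so the shared records.config and ssl_multicert wiring could live once in `CertSelectionMixin` parameterised by a class attribute, which would also keep the RSA, ECDSA and mixed configurations from drifting apart. PEP 8 also wants two blank lines before the `TestECDSA` and `TestMix` class definitions.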