You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2022/10/13 19:31:41 UTC

[GitHub] [trafficcontrol] shamrickus opened a new pull request, #7136: TO `deliveryservice/sslkeys/add` verify certificate chain

shamrickus opened a new pull request, #7136:
URL: https://github.com/apache/trafficcontrol/pull/7136

<!--
Thank you for contributing! Please be sure to read our contribution guidelines: https://github.com/apache/trafficcontrol/blob/master/CONTRIBUTING.md
If this closes or relates to an existing issue, please reference it using one of the following:

Closes: #ISSUE
Related: #ISSUE

If this PR fixes a security vulnerability, DO NOT submit! Instead, contact
the Apache Traffic Control Security Team at security@trafficcontrol.apache.org and follow the
guidelines at https://apache.org/security regarding vulnerability disclosure.
-->

This PR fixes #7046
<hr/>

## Which Traffic Control components are affected by this PR?

- Traffic Ops

## What is the best way to verify this PR?
Add SSL Keys to a Delivery Service where the chain certificates are not related, this should now return a 400 error instead of an unknown authority _warning_.

## If this is a bugfix, which Traffic Control versions contained the bug?

- master

## PR submission checklist
- [x] This PR has tests 
- [x] This PR has documentation 
- [x] This PR has a CHANGELOG.md entry 
- [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://apache.org/security) for details)

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [trafficcontrol] ocket8888 commented on a diff in pull request #7136: TO `deliveryservice/sslkeys/add` verify certificate chain

Posted by GitBox <gi...@apache.org>.

ocket8888 commented on code in PR #7136:
URL: https://github.com/apache/trafficcontrol/pull/7136#discussion_r1014224466


##########
traffic_ops/testing/api/v5/deliveryservices_keys_test.go:
##########
@@ -333,6 +334,38 @@ func DeliveryServiceSSLKeys(t *testing.T) {
 	if dsSSLKey.Certificate.CSR == "" {
 		t.Errorf("expected a valid CSR, but got nothing")
 	}
+
+	var otherKey *tc.DeliveryServiceSSLKeys
+	for _, ds := range testData.DeliveryServices {
+		if !(*ds.Protocol == tc.DSProtocolHTTPS || *ds.Protocol == tc.DSProtocolHTTPAndHTTPS || *ds.Protocol == tc.DSProtocolHTTPToHTTPS) {
+			continue
+		}
+		var err error
+		dsSSLKey := new(tc.DeliveryServiceSSLKeys)
+		for tries := 0; tries < 5; tries++ {
+			time.Sleep(time.Second)
+			var sslKeysResp tc.DeliveryServiceSSLKeysResponse
+			sslKeysResp, _, err = TOSession.GetDeliveryServiceSSLKeys(*ds.XMLID, client.RequestOptions{})
+			*dsSSLKey = sslKeysResp.Response
+			if err == nil && dsSSLKey != nil {
+				break
+			}
+		}
+		if dsSSLKey != nil {
+			otherKey = dsSSLKey
+			break
+		}
+	}
+	assert.RequireNotNil(t, otherKey, "Expected to find another DS  with a valid SSL certificate")
+	err = deliveryservice.Base64DecodeCertificate(&otherKey.Certificate)
+	assert.RequireNoError(t, err, "Couldn't decode certificate: %v", err)
+
+	dsSSLKeyReq.Certificate.Crt += otherKey.Certificate.Crt
+	_, _, err = TOSession.AddSSLKeysForDS(tc.DeliveryServiceAddSSLKeysReq{DeliveryServiceSSLKeysReq: dsSSLKeyReq}, client.RequestOptions{})
+	assert.RequireNotNil(t, err, "Expected inconsistent certificate chain to be rejected")
+	if !strings.Contains(err.Error(), "intermediate chain contains certificates that do not match") {
+		t.Fatalf("Expected failure with chain issue, instead got: %s", err.Error())

Review Comment:
   nit but Fatal is unnecessary when the statement is the last one in the test



##########
traffic_ops/testing/api/v5/deliveryservices_keys_test.go:
##########
@@ -333,6 +334,38 @@ func DeliveryServiceSSLKeys(t *testing.T) {
 	if dsSSLKey.Certificate.CSR == "" {
 		t.Errorf("expected a valid CSR, but got nothing")
 	}
+
+	var otherKey *tc.DeliveryServiceSSLKeys
+	for _, ds := range testData.DeliveryServices {
+		if !(*ds.Protocol == tc.DSProtocolHTTPS || *ds.Protocol == tc.DSProtocolHTTPAndHTTPS || *ds.Protocol == tc.DSProtocolHTTPToHTTPS) {
+			continue
+		}
+		var err error
+		dsSSLKey := new(tc.DeliveryServiceSSLKeys)
+		for tries := 0; tries < 5; tries++ {
+			time.Sleep(time.Second)
+			var sslKeysResp tc.DeliveryServiceSSLKeysResponse
+			sslKeysResp, _, err = TOSession.GetDeliveryServiceSSLKeys(*ds.XMLID, client.RequestOptions{})
+			*dsSSLKey = sslKeysResp.Response
+			if err == nil && dsSSLKey != nil {
+				break
+			}
+		}
+		if dsSSLKey != nil {
+			otherKey = dsSSLKey
+			break
+		}
+	}
+	assert.RequireNotNil(t, otherKey, "Expected to find another DS  with a valid SSL certificate")

Review Comment:
   `dsSSLKey` is never `nil` at any point, so the check after the inner `for` loop will always be true, and this assertion can never fail. To make it work, I think you'd need to only use `new` when setting the value of `dsSSLKey` in that inner loop, and just declare it as a nil pointer above that. I'm sure the test would fail anyway because parsing a blank cert should probably return an error, but as-is this is an unused check.



##########
traffic_ops/traffic_ops_golang/deliveryservice/keys_test.go:
##########
@@ -2521,11 +2654,29 @@ func TestVerifyAndEncodeCertificateECDSASelfSignedCertificateKeyPairWithoutParam
 
 func TestVerifyAndEncodeCertificateECDSASelfSignedCertificateKeyPairMisMatchedPrivateKey(t *testing.T) {
 	// Should fail due to mismatched ECDSA cert/private key pair
-	_, _, _, _, err := verifyCertKeyPair(SelfSignedECDSACertificate, PrivateKeyECDSANISTPrime256V1, "", true)
+	_, _, _, _, _, err := verifyCertKeyPair(SelfSignedECDSACertificate, PrivateKeyECDSANISTPrime256V1, "", true)
 
 	if err == nil {
 		t.Fatalf("unexpected Result: Mismatched ECDSA cert/key pair should have failed verification")
 	} else {
 		t.Logf("expected error message: %s", err.Error())
 	}
 }
+
+func TestVerifyInconsistentCertChain(t *testing.T) {
+	_, _, _, _, isInconsistent, err := verifyCertKeyPair(SelfSignedInconsistentCertChain, SelfSignedRSAPrivateKeyInvalidChain, "", true)
+	if err != nil {
+		t.Fatalf("expected mismatched to return no error")
+	}
+	if !isInconsistent {
+		t.Fatalf("expected chain to be considered inconsistent")
+	}
+
+	_, _, _, _, isInconsistent, err = verifyCertKeyPair(SelfSignedCertChain+ValidIntermediateCert, SelfSignedRSAPrivateKeyInvalidChain, "", true)
+	if err != nil {
+		t.Fatalf("expected mismatched to return no error")
+	}
+	if !isInconsistent {
+		t.Fatalf("expected chain to be considered inconsistent")
+	}

Review Comment:
   nit but I don't think any of these actually need to be fatal failures



##########
traffic_ops/testing/api/v5/deliveryservices_keys_test.go:
##########
@@ -333,6 +334,38 @@ func DeliveryServiceSSLKeys(t *testing.T) {
 	if dsSSLKey.Certificate.CSR == "" {
 		t.Errorf("expected a valid CSR, but got nothing")
 	}
+
+	var otherKey *tc.DeliveryServiceSSLKeys
+	for _, ds := range testData.DeliveryServices {
+		if !(*ds.Protocol == tc.DSProtocolHTTPS || *ds.Protocol == tc.DSProtocolHTTPAndHTTPS || *ds.Protocol == tc.DSProtocolHTTPToHTTPS) {
+			continue
+		}
+		var err error
+		dsSSLKey := new(tc.DeliveryServiceSSLKeys)
+		for tries := 0; tries < 5; tries++ {
+			time.Sleep(time.Second)
+			var sslKeysResp tc.DeliveryServiceSSLKeysResponse
+			sslKeysResp, _, err = TOSession.GetDeliveryServiceSSLKeys(*ds.XMLID, client.RequestOptions{})
+			*dsSSLKey = sslKeysResp.Response
+			if err == nil && dsSSLKey != nil {

Review Comment:
   Similar to above, `dsSSLKey` can never be nil, so checking it here is pointless unless that changes. If that check were to be `true`, the preceding line would segfault before it got that far.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [trafficcontrol] ocket8888 merged pull request #7136: TO `deliveryservice/sslkeys/add` verify certificate chain

Posted by GitBox <gi...@apache.org>.

ocket8888 merged PR #7136:
URL: https://github.com/apache/trafficcontrol/pull/7136


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org