Add tests and fix

envoyproxy · Oct 16, 2024 · 38f5dee · 38f5dee
1 parent b111724
commit 38f5dee
Show file tree

Hide file tree

Showing 4 changed files with 318 additions and 35 deletions.
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc
@@ -4,6 +4,7 @@
 
 #include <cstdint>
 
+#include <unistd.h>
 #include "envoy/extensions/transport_sockets/tls/v3/common.pb.h"
 #include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h"
 #include "envoy/network/transport_socket.h"
@@ -109,40 +110,15 @@ std::shared_ptr<SpiffeData> SPIFFEValidator::loadTrustBundles() {
             error = true;
             return false;
           }
-
-          STACK_OF(GENERAL_NAME)* san_names = static_cast<STACK_OF(GENERAL_NAME)*>(
-              X509_get_ext_d2i(x509.get(), NID_subject_alt_name, nullptr, nullptr));
-          if (san_names != nullptr) {
-            for (size_t i = 0; i < sk_GENERAL_NAME_num(san_names); i++) {
-              const GENERAL_NAME* current_name = sk_GENERAL_NAME_value(san_names, i);
-              if (current_name->type == GEN_URI) {
-                const char* uri = reinterpret_cast<const char*>(
-                    ASN1_STRING_get0_data(current_name->d.uniformResourceIdentifier));
-                if (absl::StartsWith(uri, "spiffe://")) {
-                  std::string san_string(uri);
-                  const std::string& san_domain = extractTrustDomain(san_string);
-                  if (domain_name != san_domain) {
-                    ENVOY_LOG(error, "Domain specified in bundle '{}' and in SAN '{}' do not match",
-                              domain_name, san_domain);
-                    error = true;
-                    return false;
-                  }
-
-                  if (X509_STORE_add_cert(spiffeDataPtr->trust_bundle_stores[domain_name].get(),
-                                          x509.get()) != 1) {
-                    ENVOY_LOG(error, "Failed to add x509 object while loading '{}'",
-                              trust_bundle_file_name_);
-                    error = true;
-                    return false;
-                  }
-                  X509_up_ref(x509.get());
-                  spiffeDataPtr->ca_certs.push_back(std::move(x509));
-                  break;
-                }
-              }
-            }
-            sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
+          if (X509_STORE_add_cert(spiffeDataPtr->trust_bundle_stores[domain_name].get(),
+                                      x509.get()) != 1) {
+            ENVOY_LOG(error, "Failed to add x509 object while loading '{}'",
+                      trust_bundle_file_name_);
+            error = true;
+            return false;
           }
+          X509_up_ref(x509.get());
+          spiffeDataPtr->ca_certs.push_back(std::move(x509));
         }
       }
     }

diff --git a/test/common/tls/test_data/certs.sh b/test/common/tls/test_data/certs.sh
@@ -16,6 +16,66 @@ cleanup() {
     rm ./intermediate_crl_*
 }
 
+
+# $@=<trust domain, CA cert, sequence number> (repeatable for multiple domains and certs per domain)
+generate_spiffe_trust_bundle_mapping() {
+    local trust_domains=()
+
+    # Collecting all trust domain arguments
+    while [[ $# -gt 0 ]]; do
+        trust_domains+=( "$1" "$2" "$3" )
+        shift 3
+    done
+
+    echo "{" > trust_bundles.json
+    echo "  \"trust_domains\": {" >> trust_bundles.json
+
+    local first_domain=true
+    for (( i=0; i<${#trust_domains[@]}; i+=3 )); do
+        local trust_domain="${trust_domains[i]}"
+        local ca_cert_files=(${trust_domains[i+1]//,/ })
+        local sequence_number="${trust_domains[i+2]}"
+
+        if [ "$first_domain" = false ]; then
+            echo "    }," >> trust_bundles.json
+        fi
+        first_domain=false
+
+        echo "    \"$trust_domain\": {" >> trust_bundles.json
+        echo "      \"sequence_number\": $sequence_number," >> trust_bundles.json
+        echo "      \"keys\": [" >> trust_bundles.json
+
+        local first_key=true
+        for ca_cert_file in "${ca_cert_files[@]}"; do
+            local base64_der=$(openssl x509 -in "$ca_cert_file" -outform DER | base64 | tr -d '\n\r')
+            local modulus=$(openssl x509 -in "$ca_cert_file" -noout -modulus | cut -d'=' -f2 | xxd -r -p | base64 | tr -d "=\n" | tr '/+' '_-')
+
+            if [ "$first_key" = false ]; then
+                echo "," >> trust_bundles.json
+            fi
+            first_key=false
+
+            cat <<EOF >> trust_bundles.json
+        {
+          "kty": "RSA",
+          "use": "x509-svid",
+          "x5c": [
+            "$base64_der"
+          ],
+          "n": "$modulus",
+          "e": "AQAB"
+        }
+EOF
+        done
+
+        echo "      ]" >> trust_bundles.json
+    done
+
+    echo "    }" >> trust_bundles.json
+    echo "  }" >> trust_bundles.json
+    echo "}" >> trust_bundles.json
+}
+
 # $1=<CA name> $2=[issuer name]
 generate_ca() {
     local extra_args=()
@@ -398,6 +458,8 @@ generate_x509_cert spiffe_san ca
 generate_rsa_key non_spiffe_san
 generate_x509_cert non_spiffe_san ca
 
+generate_spiffe_trust_bundle_mapping "example.com" "ca_cert.pem" 12035488 "lyft.com" "ca_cert.pem" 12035489
+
 cp -f spiffe_san_cert.cfg expired_spiffe_san_cert.cfg
 generate_rsa_key expired_spiffe_san
 generate_x509_cert expired_spiffe_san ca -1

diff --git a/test/common/tls/test_data/trust_bundles.json b/test/common/tls/test_data/trust_bundles.json
@@ -0,0 +1,32 @@
+{
+  "trust_domains": {
+    "example.com": {
+      "sequence_number": 12035488,
+      "keys": [
+        {
+          "kty": "RSA",
+          "use": "x509-svid",
+          "x5c": [
+            "MIID3TCCAsWgAwIBAgIUdmyO+EFUvRajCw+EOB+l8GkoygwwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQxMDExMjIzMzA2WhcNMjYxMDExMjIzMzA2WjB2MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXhLaaPG1XmO+gIMILimAG4znTkbppPncqpHxs34mY+VtvAvy6wrScqUnSZylQoyrGtQuIMrCF3D7XhMjmYAH7gASCZninmsQqcvIKUP9yFEvRmLgEbR/dGjEB4aKIl230LZgKMl35I2mqvxvS8etx8BBOvDaS6sDeySDGq3UyDiVTFnSI0e2haC6ktp+zIJL7iqDhJpCVkNueBiDLfU2z/9F5jx2huaS2Y7tEndWGhJRd9zvqxf/Fw6CtruSou8TNXP+4y+Wtkdp7wWNJFYVoLoV2ugx+jOvPKLoy+JVa2hYviH2cN5w524dO3iGOWv/u/+k0BRw5GpOcJUq2CcesCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA3ZY65POlo1Y6C9pujLEpqQOWOsMB8GA1UdIwQYMBaAFA3ZY65POlo1Y6C9pujLEpqQOWOsMA0GCSqGSIb3DQEBCwUAA4IBAQBcZXbRD0sAZPXXe/E5kOy0gN2iiux7JkBOdIXe7QVgBV1sCOhHHEWJ/Vawz5wK1/UXj7P3AqJKT3PbWy2vWNmoXxtD4ix8cIBPU3gxQ9HrhTgjof0mXIsujy+mUwm5Dmu/+xt1NaUXb9MvXUqlNTkdTyn3TMhQ7C0FzQYERTgwNPv2wJki+uq1Tt0G8XyW7QFCiUsdXPtEbYxv1dOwsGAYf/N426XuUNn6luqdHonMb0Xp7LpNM4pBH8Nh4G87itUmsRFUQ2s7QVff7FYOHYhEflC07DPmtOhOVXaGtut/2BFU/GbKQlLNcAvcVOpMA/Z9pobsffgGYBrZgmN3Ljnt"
+          ],
+          "n": "peEtpo8bVeY76AgwguKYAbjOdORumk-dyqkfGzfiZj5W28C_LrCtJypSdJnKVCjKsa1C4gysIXcPteEyOZgAfuABIJmeKeaxCpy8gpQ_3IUS9GYuARtH90aMQHhooiXbfQtmAoyXfkjaaq_G9Lx63HwEE68NpLqwN7JIMardTIOJVMWdIjR7aFoLqS2n7MgkvuKoOEmkJWQ254GIMt9TbP_0XmPHaG5pLZju0Sd1YaElF33O-rF_8XDoK2u5Ki7xM1c_7jL5a2R2nvBY0kVhWguhXa6DH6M688oujL4lVraFi-IfZw3nDnbh07eIY5a_-7_6TQFHDkak5wlSrYJx6w",
+          "e": "AQAB"
+        }
+      ]
+    },
+    "lyft.com": {
+      "sequence_number": 12035489,
+      "keys": [
+        {
+          "kty": "RSA",
+          "use": "x509-svid",
+          "x5c": [
+            "MIID3TCCAsWgAwIBAgIUdmyO+EFUvRajCw+EOB+l8GkoygwwDQYJKoZIhvcNAQELBQAwdjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5lZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwHhcNMjQxMDExMjIzMzA2WhcNMjYxMDExMjIzMzA2WjB2MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwETHlmdDEZMBcGA1UECwwQTHlmdCBFbmdpbmVlcmluZzEQMA4GA1UEAwwHVGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKXhLaaPG1XmO+gIMILimAG4znTkbppPncqpHxs34mY+VtvAvy6wrScqUnSZylQoyrGtQuIMrCF3D7XhMjmYAH7gASCZninmsQqcvIKUP9yFEvRmLgEbR/dGjEB4aKIl230LZgKMl35I2mqvxvS8etx8BBOvDaS6sDeySDGq3UyDiVTFnSI0e2haC6ktp+zIJL7iqDhJpCVkNueBiDLfU2z/9F5jx2huaS2Y7tEndWGhJRd9zvqxf/Fw6CtruSou8TNXP+4y+Wtkdp7wWNJFYVoLoV2ugx+jOvPKLoy+JVa2hYviH2cN5w524dO3iGOWv/u/+k0BRw5GpOcJUq2CcesCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFA3ZY65POlo1Y6C9pujLEpqQOWOsMB8GA1UdIwQYMBaAFA3ZY65POlo1Y6C9pujLEpqQOWOsMA0GCSqGSIb3DQEBCwUAA4IBAQBcZXbRD0sAZPXXe/E5kOy0gN2iiux7JkBOdIXe7QVgBV1sCOhHHEWJ/Vawz5wK1/UXj7P3AqJKT3PbWy2vWNmoXxtD4ix8cIBPU3gxQ9HrhTgjof0mXIsujy+mUwm5Dmu/+xt1NaUXb9MvXUqlNTkdTyn3TMhQ7C0FzQYERTgwNPv2wJki+uq1Tt0G8XyW7QFCiUsdXPtEbYxv1dOwsGAYf/N426XuUNn6luqdHonMb0Xp7LpNM4pBH8Nh4G87itUmsRFUQ2s7QVff7FYOHYhEflC07DPmtOhOVXaGtut/2BFU/GbKQlLNcAvcVOpMA/Z9pobsffgGYBrZgmN3Ljnt"
+          ],
+          "n": "peEtpo8bVeY76AgwguKYAbjOdORumk-dyqkfGzfiZj5W28C_LrCtJypSdJnKVCjKsa1C4gysIXcPteEyOZgAfuABIJmeKeaxCpy8gpQ_3IUS9GYuARtH90aMQHhooiXbfQtmAoyXfkjaaq_G9Lx63HwEE68NpLqwN7JIMardTIOJVMWdIjR7aFoLqS2n7MgkvuKoOEmkJWQ254GIMt9TbP_0XmPHaG5pLZju0Sd1YaElF33O-rF_8XDoK2u5Ki7xM1c_7jL5a2R2nvBY0kVhWguhXa6DH6M688oujL4lVraFi-IfZw3nDnbh07eIY5a_-7_6TQFHDkak5wlSrYJx6w",
+          "e": "AQAB"
+        }
+      ]
+    }
+  }
+}