Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: reject non-P256 TLS certificates. #5224

Merged
merged 5 commits into from
Dec 7, 2018
+111 −0
Merged

tls: reject non-P256 TLS certificates. #5224

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
36f1993
[WIP] tls: reject non-P256 TLS certificates.
htuch Dec 5, 2018
d22b4d9
Fix exception message, some additional guards.
htuch Dec 6, 2018
fed0cd0
Tests for happy/sad paths.
htuch Dec 6, 2018
2bdbd15
Merge remote-tracking branch 'upstream/master' into p256-only
htuch Dec 6, 2018
0b14302
Nit.
htuch Dec 7, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions source/common/ssl/context_impl.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,6 +229,18 @@ ContextImpl::ContextImpl(Stats::Scope& scope, const ContextConfig& config, TimeS

bssl::UniquePtr<EVP_PKEY> public_key(X509_get_pubkey(ctx.cert_chain_.get()));
ctx.is_ecdsa_ = EVP_PKEY_id(public_key.get()) == EVP_PKEY_EC;
if (ctx.is_ecdsa_) {
// We only support P-256 ECDSA today.
EC_KEY* ecdsa_public_key = EVP_PKEY_get0_EC_KEY(public_key.get());
// Since we checked the key type above, this should be valid.
ASSERT(ecdsa_public_key != nullptr);
const EC_GROUP* ecdsa_group = EC_KEY_get0_group(ecdsa_public_key);
if (ecdsa_group == nullptr || EC_GROUP_get_curve_name(ecdsa_group) != NID_X9_62_prime256v1) {
throw EnvoyException(fmt::format("Failed to load certificate from chain {}, only P-256 "
"ECDSA certificates are supported",
ctx.cert_chain_file_path_));
}
}

// Load private key.
bio.reset(BIO_new_mem_buf(const_cast<char*>(tls_certificate.privateKey().data()),
Expand Down
41 changes: 41 additions & 0 deletions test/common/ssl/context_impl_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -519,6 +519,47 @@ TEST(ClientContextConfigImplTest, InvalidCertificateSpki) {
EnvoyException, "Invalid base64-encoded SHA-256 .*");
}

// Validate that P256 ECDSA certs load.
TEST(ClientContextConfigImplTest, P256EcdsaCert) {
envoy::api::v2::auth::UpstreamTlsContext tls_context;
NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem"
private_key:
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem"
)EOF";
MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
ClientContextConfigImpl client_context_config(tls_context, factory_context);
Event::SimulatedTimeSystem time_system;
ContextManagerImpl manager(time_system);
Stats::IsolatedStoreImpl store;
manager.createSslClientContext(store, client_context_config);
}

// Validate that non-P256 ECDSA certs are rejected.
TEST(ClientContextConfigImplTest, NonP256EcdsaCert) {
envoy::api::v2::auth::UpstreamTlsContext tls_context;
NiceMock<Server::Configuration::MockTransportSocketFactoryContext> factory_context;
const std::string tls_certificate_yaml = R"EOF(
certificate_chain:
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_cert_ecdsa_p384.pem"
private_key:
filename: "{{ test_rundir }}/test/common/ssl/test_data/selfsigned_key_ecdsa_p384.pem"
)EOF";
MessageUtil::loadFromYaml(TestEnvironment::substitute(tls_certificate_yaml),
*tls_context.mutable_common_tls_context()->add_tls_certificates());
ClientContextConfigImpl client_context_config(tls_context, factory_context);
Event::SimulatedTimeSystem time_system;
ContextManagerImpl manager(time_system);
Stats::IsolatedStoreImpl store;
EXPECT_THROW_WITH_REGEX(manager.createSslClientContext(store, client_context_config),
EnvoyException,
"Failed to load certificate from chain .*selfsigned_cert_ecdsa_p384.pem, "
"only P-256 ECDSA certificates are supported");
}

// Multiple TLS certificates are not yet supported.
// TODO(PiotrSikora): Support multiple TLS certificates.
TEST(ClientContextConfigImplTest, MultipleTlsCertificates) {
Expand Down
8 changes: 8 additions & 0 deletions test/common/ssl/test_data/certs.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ set -e
# openssl genrsa -out san_multiple_dns_key.pem 1024
# openssl genrsa -out san_uri_key.pem 1024
# openssl genrsa -out selfsigned_key.pem 1024
# openssl ecparam -name secp256r1 -genkey -out selfsigned_key_ecdsa_p256.pem
# openssl ecparam -name secp384r1 -genkey -out selfsigned_key_ecdsa_p384.pem
# openssl genrsa -out expired_key.pem 1024
# openssl genrsa -out expired_san_uri_key.pem 1024

Expand Down Expand Up @@ -65,6 +67,12 @@ openssl x509 -req -days 730 -in san_uri_cert.csr -sha256 -CA ca_cert.pem -CAkey
# Generate selfsigned_cert.pem.
openssl req -new -x509 -days 730 -key selfsigned_key.pem -out selfsigned_cert.pem -config selfsigned_cert.cfg -batch -sha256

# Generate selfsigned_cert_ecdsa_p256.pem.
openssl req -new -x509 -days 730 -key selfsigned_key_ecdsa_p256.pem -out selfsigned_cert_ecdsa_p256.pem -config selfsigned_cert.cfg -batch -sha256

# Generate selfsigned_cert_ecdsa_p384.pem.
openssl req -new -x509 -days 730 -key selfsigned_key_ecdsa_p384.pem -out selfsigned_cert_ecdsa_p384.pem -config selfsigned_cert.cfg -batch -sha256

# Generate expired_cert.pem as a self-signed, expired cert (will fail on Mac OS 10.13+ because of negative days value).
openssl req -new -key expired_key.pem -out expired_cert.csr -config selfsigned_cert.cfg -batch -sha256
openssl x509 -req -days -365 -in expired_cert.csr -signkey expired_key.pem -out expired_cert.pem
Expand Down
16 changes: 16 additions & 0 deletions test/common/ssl/test_data/selfsigned_cert_ecdsa_p256.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
-----BEGIN CERTIFICATE-----
MIICijCCAi+gAwIBAgIJALJe5fMxxImWMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
MQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRQwEgYD
VQQDDAtUZXN0IFNlcnZlcjAeFw0xODEyMDYxNzI2MzNaFw0yMDEyMDUxNzI2MzNa
MHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu
ZWVyaW5nMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABK64d3LUKGgoZW6+SmRmomON7VKNpnLrzxnab+YDSVaIa6Ra5wKfwpPl
lY13E/pvImznLi7CGeqDnAOlR1FfoLKjgZ0wgZowDAYDVR0TAQH/BAIwADALBgNV
HQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB4GA1UdEQQX
MBWCE3NlcnZlcjEuZXhhbXBsZS5jb20wHQYDVR0OBBYEFL4/swsRcOIQC1vhhteF
lW+xYkx5MB8GA1UdIwQYMBaAFL4/swsRcOIQC1vhhteFlW+xYkx5MAoGCCqGSM49
BAMCA0kAMEYCIQDZDEX2FYhfrc7lW63rqG+0ZBUaf/rOj6cJ+1sLgCy31AIhAMQW
9QbcVxRgisBD/aE45Zow7epY6ZYLpSj9FKnHe3Uh
-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions test/common/ssl/test_data/selfsigned_cert_ecdsa_p384.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE-----
MIICxjCCAkygAwIBAgIJAMZErjw+7ImlMAoGCCqGSM49BAMCMHoxCzAJBgNVBAYT
AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
MQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRQwEgYD
VQQDDAtUZXN0IFNlcnZlcjAeFw0xODEyMDYxNzI2MzNaFw0yMDEyMDUxNzI2MzNa
MHoxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T
YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu
ZWVyaW5nMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjB2MBAGByqGSM49AgEGBSuBBAAi
A2IABGzQqH4QvGjbJGZdyjs3mvyxvgTpi9X5OczwyMQvYYx9v3G/d9AdiPM5IYgG
WhpgXCp8w5Y2aSs7zVhPrgvHzBENngD7/GApYYiddORZ49c8VU9pNjI4ldUHkCzw
MZ11caOBnTCBmjAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAU
BggrBgEFBQcDAgYIKwYBBQUHAwEwHgYDVR0RBBcwFYITc2VydmVyMS5leGFtcGxl
LmNvbTAdBgNVHQ4EFgQU4voPUUR2VO230OxpFg4NwiwdHK0wHwYDVR0jBBgwFoAU
4voPUUR2VO230OxpFg4NwiwdHK0wCgYIKoZIzj0EAwIDaAAwZQIxAJho8eSlS/2X
b3xtYfkoqjJQDr1CPvaAoPj63fo3gMwvmF7I+xNKTTlGCpHpMjjfVQIwUB1BkDhe
dvcOktVfBvnH5TQ4tzieSiuPawAU0QkcmgKIyd2LKJ1kimU2FdFVO40f
-----END CERTIFICATE-----
8 changes: 8 additions & 0 deletions test/common/ssl/test_data/selfsigned_key_ecdsa_p256.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIF1Qz3pVyjoD6qgCa/tg9gpF3vNSfgK88UpNJllXIbT/oAoGCCqGSM49
AwEHoUQDQgAErrh3ctQoaChlbr5KZGaiY43tUo2mcuvPGdpv5gNJVohrpFrnAp/C
k+WVjXcT+m8ibOcuLsIZ6oOcA6VHUV+gsg==
-----END EC PRIVATE KEY-----
9 changes: 9 additions & 0 deletions test/common/ssl/test_data/selfsigned_key_ecdsa_p384.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
-----BEGIN EC PARAMETERS-----
BgUrgQQAIg==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA4MtE/FxALE2H3TnzCVd61Uz+sNTqkCmn53nsIk13JUlyEgLeSfTIN
N7tT7XmgnTagBwYFK4EEACKhZANiAARs0Kh+ELxo2yRmXco7N5r8sb4E6YvV+TnM
8MjEL2GMfb9xv3fQHYjzOSGIBloaYFwqfMOWNmkrO81YT64Lx8wRDZ4A+/xgKWGI
nXTkWePXPFVPaTYyOJXVB5As8DGddXE=
-----END EC PRIVATE KEY-----