From 2720db544712e02526c6cf6908ff683633f58f19 Mon Sep 17 00:00:00 2001 From: Sohan Kunkerkar Date: Thu, 30 Apr 2020 16:45:48 -0400 Subject: [PATCH 1/4] Add support for CA bundles for fetching the ignition config Fixes https://github.com/coreos/ignition/issues/931
---
 internal/resource/http.go | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/internal/resource/http.go b/internal/resource/http.go
index b3a9dd2cc..1cc621fc0 100644
--- a/internal/resource/http.go
+++ b/internal/resource/http.go
@@ -109,24 +109,32 @@ func (f *Fetcher) UpdateHttpTimeoutsAndCAs(timeouts types.Timeouts, cas []types.
 if err != nil {
 return err
 }
- block, _ := pem.Decode(cablob)
+ if err := f.parseCABundle(cablob, ca, pool); err != nil {
+ f.Logger.Err("Unable to parse CA bundle: %s", err)
+ return err
+ }
+ }
+ f.client.transport.TLSClientConfig = &tls.Config{RootCAs: pool}
+ return nil
+}
+
+// parseCABundle parses a CA bundle which includes multiple CAs.
+func (f *Fetcher) parseCABundle(cablob []byte, ca types.Resource, pool *x509.CertPool) error {
+ for len(cablob) > 0 {
+ block, rest := pem.Decode(cablob)
 if block == nil {
 f.Logger.Err("Unable to decode CA (%v)", ca.Source)
 return ErrPEMDecodeFailed
 }
-
 cert, err := x509.ParseCertificate(block.Bytes)
 if err != nil {
 f.Logger.Err("Unable to parse CA (%v): %s", ca.Source, err)
 return err
 }
-
 f.Logger.Info("Adding %q to list of CAs", cert.Subject.CommonName)
 pool.AddCert(cert)
+ cablob = rest
 }
-
- f.client.transport.TLSClientConfig = &tls.Config{RootCAs: pool}
- return nil
 }
From 693bae5d53c5713bfae9dde935b75a76ebdd4e87 Mon Sep 17 00:00:00 2001 From: Sohan Kunkerkar Date: Tue, 5 May 2020 17:35:13 -0400 Subject: [PATCH 2/4] Add cabundle tests
---
 tests/negative/security/tls.go | 119 +++++++++++++++++- tests/positive/security/tls.go | 218 +++++++++++++++++++++++++++++++++ tests/servers/servers.go | 42 ++++++- 3 files changed, 372 insertions(+), 7 deletions(-)
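Review bot: parseCABundle rejects a bundle that ends in trailing whitespace: after the last block pem.Decode returns rest holding the final newline, `len(cablob) > 0` stays true, the next pem.Decode finds no block and the loop returns ErrPEMDecodeFailed, so a bundle made by concatenating PEM files that each end in "\n" would be refused, while the fixtures added later in this series (no trailing newline) pass. Replacing `cablob = rest` with `cablob = bytes.TrimSpace(rest)` (with `bytes` imported, if it is not already) fixes that. The rewrite also changes the empty-input case: the old `pem.Decode(cablob)` on an empty blob returned ErrPEMDecodeFailed, whereas `for len(cablob) > 0` now returns nil without adding anything to the pool, so an empty CA resource only surfaces later as a TLS verification failure; a guard before the loop, `if len(bytes.TrimSpace(cablob)) == 0 { return ErrPEMDecodeFailed }`, keeps the earlier fail-fast behaviour. The enclosing UpdateHttpTimeoutsAndCAs begins outside the hunk.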
diff --git a/tests/negative/security/tls.go b/tests/negative/security/tls.go
index cb8d881c0..6c4ec4d52 100644
--- a/tests/negative/security/tls.go
+++ b/tests/negative/security/tls.go
@@ -36,9 +36,19 @@ func init() {
 customCAServer.Config.ErrorLog = log.New(ioutil.Discard, "", 0)
 customCAServer.StartTLS()
+ cer2, err := tls.X509KeyPair(publicKey2, privateKey2)
+ if err != nil {
+ panic(fmt.Sprintf("error loading x509 keypair2: %v", err))
+ }
+ config2 := &tls.Config{Certificates: []tls.Certificate{cer2}}
+ customCAServer2.TLS = config2
+ customCAServer2.Config.ErrorLog = log.New(ioutil.Discard, "", 0)
+ customCAServer2.StartTLS()
+
 register.Register(register.NegativeTest, AppendConfigCustomCert())
- register.Register(register.NegativeTest, AppendConfigCustomCertHTTP())
- register.Register(register.NegativeTest, AppendConfigCustomCertInvalidHeaderHTTP())
+ register.Register(register.NegativeTest, FetchFileCustomCertHTTP())
+ register.Register(register.NegativeTest, FetchFileCABundleCertHTTP())
+ register.Register(register.NegativeTest, FetchFileCustomCertInvalidHeaderHTTP())
 register.Register(register.NegativeTest, FetchFileCustomCert())
 }
@@ -74,6 +84,48 @@ T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt 9g== +-----END CERTIFICATE-----`) + + // generated via + // openssl ecparam -genkey -name secp384r1 -out server.key + privateKey2 = []byte(`-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCfXncsl/kqihUWRHThBdGEDpv/bavwHYEi2tjrHiRkm+b7zhFlup8o +aP1l1zP1LhKgBwYFK4EEACKhZANiAAQ/J0D0C3h2a55JU3/EANe1d3e2/mfcoXGq +P8soiFdYntRIC4+V4dnRJuHRR+FHR/3531EIf2WXsoIJr/IRhR/j0tAeXpZ++G+E +vaooXf7gShnhRYKM4viPx4+DhSPjmqw= +-----END EC PRIVATE KEY-----`) + + // generate csr: + // openssl req -new -key server.key -out server.csr + // generate certificate: + // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out + // server.crt -extensions v3_req -extfile extfile.conf + // where extfile.conf has the following details: + // $ cat extfile.conf + // [ v3_req ] + // subjectAltName = IP:127.0.0.1 + // subjectKeyIdentifier=hash + // authorityKeyIdentifier=keyid + // basicConstraints = critical,CA:TRUE + publicKey2 = []byte(`-----BEGIN CERTIFICATE----- +MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw +gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ +MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM +BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 +MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM +Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL +DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v +ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT +f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv +8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R +BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j 
+BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 +sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u +FFNjhq0ODV1LNc1i8pQCAg== -----END CERTIFICATE-----`) customCAServerFile = []byte(`{ @@ -85,10 +137,22 @@ AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt }] } }`) + customCAServerFile2 = []byte(`{ + "ignition": { "version": "3.0.0" }, + "storage": { + "files": [{ + "path": "/foo/bar2", + "contents": { "source": "data:,example%20file2%0A" } + }] + } + }`) customCAServer = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write(customCAServerFile) })) + customCAServer2 = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Write(customCAServerFile2) + })) ) func AppendConfigCustomCert() types.Test { @@ -150,8 +214,8 @@ func FetchFileCustomCert() types.Test { } } -func AppendConfigCustomCertHTTP() types.Test { - name := "tls.config.merge.http" +func FetchFileCustomCertHTTP() types.Test { + name := "tls.fetchfile.http" in := types.GetBaseDisk() out := types.GetBaseDisk() config := fmt.Sprintf(`{ 
@@ -185,8 +249,51 @@ func AppendConfigCustomCertInvalidHeaderHTTP() types.Test {
 }
 }
-func AppendConfigCustomCertInvalidHeaderHTTP() types.Test {
- name := "tls.config.merge.http.invalidheader"
+// FetchFileCABundleCertHTTP fetches the ignition configs hosted
+// on the TLS servers using a CA bundle that includes only the first
+// server's CA key.
+func FetchFileCABundleCertHTTP() types.Test {
+ name := "tls.fetchfile.http.cabundle"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ config := fmt.Sprintf(`{
+ "ignition": {
+ "version": "$version",
+ "security": {
+ "tls": {
+ "certificateAuthorities": [{
+ "source": "http://127.0.0.1:8080/certificates"
+ }]
+ }
+ }
+ },
+ "storage": {
+ "files": [{
+ "path": "/foo/bar",
+ "contents": {
+ "source": %q
+ }
+ },{
+ "path": "/foo/bar2",
+ "contents": {
+ "source": %q
+ }
+ }]
+ }
+ }`, customCAServer.URL, customCAServer2.URL)
+ configMinVersion := "3.0.0"
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
+func FetchFileCustomCertInvalidHeaderHTTP() types.Test {
+ name := "tls.fetchfile.http.invalidheader"
 in := types.GetBaseDisk()
 out := types.GetBaseDisk()
 config := fmt.Sprintf(`{
diff --git a/tests/positive/security/tls.go b/tests/positive/security/tls.go
index fce924366..7559cc28f 100644
--- a/tests/positive/security/tls.go
+++ b/tests/positive/security/tls.go
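Review bot: The doc comment on FetchFileCABundleCertHTTP says the test uses "a CA bundle that includes only the first server's CA key", but the configured source is `http://127.0.0.1:8080/certificates`, which the servers package answers with the single servedPublicKey certificate rather than a bundle, so the comment describes a different scenario than the code. What the test actually exercises is a fetch from customCAServer2 whose CA is absent from the trusted set, which is what makes it a negative test. Suggested wording: `// FetchFileCABundleCertHTTP trusts only the first server's certificate (served from /certificates) and fetches files from both TLS servers, so the fetch from customCAServer2 is expected to fail.`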
@@ -36,9 +36,19 @@ func init() {
 customCAServer.TLS = config
 customCAServer.StartTLS()
+ cer2, err := tls.X509KeyPair(publicKey2, privateKey2)
+ if err != nil {
+ panic(fmt.Sprintf("error loading x509 keypair2: %v", err))
+ }
+ config2 := &tls.Config{Certificates: []tls.Certificate{cer2}}
+ customCAServer2.TLS = config2
+ customCAServer2.StartTLS()
+
 register.Register(register.PositiveTest, AppendConfigCustomCert())
 register.Register(register.PositiveTest, FetchFileCustomCert())
+ register.Register(register.PositiveTest, FetchFileCABundleCert())
 register.Register(register.PositiveTest, FetchFileCustomCertHTTP())
+ register.Register(register.PositiveTest, FetchFileCABundleCertHTTP())
 register.Register(register.PositiveTest, FetchFileCustomCertHTTPCompressed())
 register.Register(register.PositiveTest, FetchFileCustomCertHTTPUsingHeaders())
 register.Register(register.PositiveTest, FetchFileCustomCertHTTPUsingHeadersWithRedirect())
@@ -77,6 +87,85 @@ T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt 9g== +-----END CERTIFICATE-----`) + + // generated via + // openssl ecparam -genkey -name secp384r1 -out server.key + privateKey2 = []byte(`-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCfXncsl/kqihUWRHThBdGEDpv/bavwHYEi2tjrHiRkm+b7zhFlup8o +aP1l1zP1LhKgBwYFK4EEACKhZANiAAQ/J0D0C3h2a55JU3/EANe1d3e2/mfcoXGq +P8soiFdYntRIC4+V4dnRJuHRR+FHR/3531EIf2WXsoIJr/IRhR/j0tAeXpZ++G+E +vaooXf7gShnhRYKM4viPx4+DhSPjmqw= +-----END EC PRIVATE KEY-----`) + + // generate csr: + // openssl req -new -key server.key -out server.csr + // generate certificate: + // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out + // server.crt -extensions v3_req -extfile extfile.conf + // where extfile.conf has the following details: + // $ cat extfile.conf + // [ v3_req ] + // subjectAltName = IP:127.0.0.1 + // subjectKeyIdentifier=hash + // authorityKeyIdentifier=keyid + // basicConstraints = critical,CA:TRUE + publicKey2 = []byte(`-----BEGIN CERTIFICATE----- +MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw +gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ +MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM +BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 +MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM +Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL +DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v +ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT +f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv +8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R +BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j 
+BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 +sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u +FFNjhq0ODV1LNc1i8pQCAg== +-----END CERTIFICATE-----`) + // catting publicKey and publicKey2 + caBundle = []byte(`-----BEGIN CERTIFICATE----- +MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj +bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR +BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t +MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw +EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE +AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh +vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN +sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O +BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 +T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul +t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx +AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt +9g== +-----END CERTIFICATE----- +# CustomCAServer1 certificate +-----BEGIN CERTIFICATE----- +MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw +gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ +MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM +BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 +MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM +Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL +DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v +ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT 
+f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv +8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R +BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j +BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 +sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u +FFNjhq0ODV1LNc1i8pQCAg== -----END CERTIFICATE-----`) customCAServerFile = []byte(`{ @@ -89,9 +178,22 @@ AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt } }`) + customCAServerFile2 = []byte(`{ + "ignition": { "version": "3.0.0" }, + "storage": { + "files": [{ + "path": "/foo/bar2", + "contents": { "source": "data:,example%20file2%0A" } + }] + } + }`) + customCAServer = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write(customCAServerFile) })) + customCAServer2 = httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Write(customCAServerFile2) + })) ) func AppendConfigCustomCert() types.Test { 
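Review bot: The comment line embedded in the caBundle literal, `# CustomCAServer1 certificate`, sits in front of the second certificate, which is the publicKey2 material that init() loads into customCAServer2, so the label points at the wrong server. pem.Decode skips non-PEM text between blocks, so the mislabel has no runtime effect, but a reader checking the bundle against the two keys will be misled; `# customCAServer2 certificate (publicKey2)` matches the content. The same header text appears in servedCABundle in the tests/servers/servers.go hunk of this patch.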
@@ -181,6 +283,64 @@ func FetchFileCustomCert() types.Test {
 }
 }
+func FetchFileCABundleCert() types.Test {
+ name := "tls.fetchfile.cabundle"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ config := fmt.Sprintf(`{
+ "ignition": {
+ "version": "$version",
+ "security": {
+ "tls": {
+ "certificateAuthorities": [{
+ "source": %q
+ }]
+ }
+ }
+ },
+ "storage": {
+ "files": [{
+ "path": "/foo/bar",
+ "contents": {
+ "source": %q
+ }
+ },
+ {
+ "path": "/foo/bar2",
+ "contents": {
+ "source": %q
+ }
+ }]
+ }
+ }`, dataurl.EncodeBytes(caBundle), customCAServer.URL, customCAServer2.URL)
+ configMinVersion := "3.0.0"
+
+ out[0].Partitions.AddFiles("ROOT", []types.File{
+ {
+ Node: types.Node{
+ Directory: "foo",
+ Name: "bar",
+ },
+ Contents: string(customCAServerFile),
+ },
+ {
+ Node: types.Node{
+ Directory: "foo",
+ Name: "bar2",
+ },
+ Contents: string(customCAServerFile2),
+ },
+ })
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
 func FetchFileCustomCertHTTP() types.Test {
 name := "tls.fetchfile.http"
 in := types.GetBaseDisk()
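Review bot: FetchFileCABundleCert and FetchFileCABundleCertHTTP (the next hunk in this file) repeat the same ~55 lines — the storage section of the config, the two expected files and the types.Test literal — and differ only in the certificateAuthorities source. A private helper taking the test name and the CA source string, `func caBundleTest(name, caSource string) types.Test`, would leave each exported test a two-line body and keep the expected-file list in one place. Coverage-wise both tests use a bundle with two blocks separated by a comment line and no trailing newline; a variant whose bundle ends in "\n" (what concatenating PEM files normally produces) would exercise the remainder handling in parseCABundle in internal/resource/http.go.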
@@ -226,6 +386,64 @@ func FetchFileCustomCertHTTP() types.Test {
 }
 }
+func FetchFileCABundleCertHTTP() types.Test {
+ name := "tls.fetchfile.http.cabundle"
+ in := types.GetBaseDisk()
+ out := types.GetBaseDisk()
+ config := fmt.Sprintf(`{
+ "ignition": {
+ "version": "$version",
+ "security": {
+ "tls": {
+ "certificateAuthorities": [{
+ "source": "http://127.0.0.1:8080/caBundle"
+ }]
+ }
+ }
+ },
+ "storage": {
+ "files": [{
+ "path": "/foo/bar",
+ "contents": {
+ "source": %q
+ }
+ },
+ {
+ "path": "/foo/bar2",
+ "contents": {
+ "source": %q
+ }
+ }]
+ }
+ }`, customCAServer.URL, customCAServer2.URL)
+ configMinVersion := "3.0.0"
+
+ out[0].Partitions.AddFiles("ROOT", []types.File{
+ {
+ Node: types.Node{
+ Directory: "foo",
+ Name: "bar",
+ },
+ Contents: string(customCAServerFile),
+ },
+ {
+ Node: types.Node{
+ Directory: "foo",
+ Name: "bar2",
+ },
+ Contents: string(customCAServerFile2),
+ },
+ })
+
+ return types.Test{
+ Name: name,
+ In: in,
+ Out: out,
+ Config: config,
+ ConfigMinVersion: configMinVersion,
+ }
+}
+
 func FetchFileCustomCertHTTPCompressed() types.Test {
 name := "tls.fetchfile.http.compressed"
 in := types.GetBaseDisk()
diff --git a/tests/servers/servers.go b/tests/servers/servers.go
index dc5b2c346..a2da17f6f 100644
--- a/tests/servers/servers.go
+++ b/tests/servers/servers.go
@@ -60,6 +60,42 @@ T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt 9g== +-----END CERTIFICATE-----`) + servedCABundle = []byte(`-----BEGIN CERTIFICATE----- +MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj +bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR +BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t +MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw +EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE +AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh +vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN +sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O +BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 +T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul +t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx +AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt +9g== +-----END CERTIFICATE----- +# CustomCAServer1 certificate +-----BEGIN CERTIFICATE----- +MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw +gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ +MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM +BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 +MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM +Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL +DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v +ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT +f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv 
+8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R +BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j +BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 +sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u +FFNjhq0ODV1LNc1i8pQCAg== -----END CERTIFICATE-----`) // export these so tests don't have to hard-code them everywhere @@ -90,6 +126,10 @@ func (server *HTTPServer) Certificates(w http.ResponseWriter, r *http.Request) { w.Write(servedPublicKey) } +func (server *HTTPServer) CABundle(w http.ResponseWriter, r *http.Request) { + w.Write(servedCABundle) +} + func compress(contents []byte) []byte { var buf bytes.Buffer w := gzip.NewWriter(&buf) @@ -278,7 +318,7 @@ func (server *HTTPServer) Start() { http.HandleFunc("/config_headers_redirect", server.ConfigRedirect) http.HandleFunc("/config_headers_redirected", server.ConfigRedirected) http.HandleFunc("/config_headers_overwrite", server.ConfigHeadersOverwrite) - + http.HandleFunc("/caBundle", server.CABundle) s := &http.Server{Addr: ":8080"} go s.ListenAndServe() } From ba63698b5618edc5948471a36575982c1d6c1e94 Mon Sep 17 00:00:00 2001 From: Sohan Kunkerkar Date: Thu, 14 May 2020 08:52:35 -0400 Subject: [PATCH 3/4] Moving tls public/private keys into a separate package --- tests/fixtures/tls_fixtures.go | 109 +++++++++++++++++++++++++++++ tests/negative/security/tls.go | 80 +-------------------- tests/positive/security/tls.go | 123 ++------------------------------- tests/servers/servers.go | 72 +++---------------- 4 files changed, 127 insertions(+), 257 deletions(-) create mode 100644 tests/fixtures/tls_fixtures.go diff --git a/tests/fixtures/tls_fixtures.go b/tests/fixtures/tls_fixtures.go new file mode 100644 index 000000000..360a7d040 --- /dev/null +++ b/tests/fixtures/tls_fixtures.go 
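Review bot: The new route is registered as `/caBundle`, the only camelCase path among the snake_case routes registered around it (`/config_headers_redirect`, `/config_headers_overwrite`, …); `http.HandleFunc("/ca_bundle", server.CABundle)` would match the existing naming, with the corresponding change to the `http://127.0.0.1:8080/caBundle` source in the positive FetchFileCABundleCertHTTP test. The same hunk replaces the blank line that separated the HandleFunc block from `s := &http.Server{Addr: ":8080"}` instead of inserting the new registration above it, so the separator is lost. The body of Start continues outside the hunk.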
@@ -0,0 +1,109 @@ +// Copyright 2020 Red Hat, Inc. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package fixtures + +// This file contains all the large constants used for testing +// the tls flow. + +var ( + // PrivateKey is generated via: + // openssl ecparam -genkey -name secp384r1 -out server.key + PrivateKey = []byte(`-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDB6yW6RIYfTXdYVuPY0V0L6EtZ6vZD86vgbsw52Y3/U5nZ2JE++JrKu +tt2Xt/NMzG6gBwYFK4EEACKhZANiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa0 +49RhvM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeH +veCNsqvm82F1NVevVoExAUhDYmMREa4= +-----END EC PRIVATE KEY-----`) + + // PublicKey is generated via: + // generate csr: + // openssl req -new -key server.key -out server.csr + // generate certificate: + // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out + // server.crt -extensions v3_req -extfile extfile.conf + // where extfile.conf has the following details: + // $ cat extfile.conf + // [ v3_req ] + // subjectAltName = IP:127.0.0.1 + // subjectKeyIdentifier=hash + // authorityKeyIdentifier=keyid + // basicConstraints = critical,CA:TRUE + PublicKey = []byte(`-----BEGIN CERTIFICATE----- +MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG +EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj +bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR 
+BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t +MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT +MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw +EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE +AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ +BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh +vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN +sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O +BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 +T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul +t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx +AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt +9g== +-----END CERTIFICATE-----`) + + // PrivateKey2 is generated via + // openssl ecparam -genkey -name secp384r1 -out server.key + PrivateKey2 = []byte(`-----BEGIN EC PARAMETERS----- +BgUrgQQAIg== +-----END EC PARAMETERS----- +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCfXncsl/kqihUWRHThBdGEDpv/bavwHYEi2tjrHiRkm+b7zhFlup8o +aP1l1zP1LhKgBwYFK4EEACKhZANiAAQ/J0D0C3h2a55JU3/EANe1d3e2/mfcoXGq +P8soiFdYntRIC4+V4dnRJuHRR+FHR/3531EIf2WXsoIJr/IRhR/j0tAeXpZ++G+E +vaooXf7gShnhRYKM4viPx4+DhSPjmqw= +-----END EC PRIVATE KEY-----`) + + // PublicKey2 is generate via: + // generate csr: + // openssl req -new -key server.key -out server.csr + // generate certificate: + // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out + // server.crt -extensions v3_req -extfile extfile.conf + // where extfile.conf has the following details: + // $ cat extfile.conf + // [ v3_req ] + // subjectAltName = IP:127.0.0.1 + // subjectKeyIdentifier=hash + // authorityKeyIdentifier=keyid + // basicConstraints = critical,CA:TRUE + PublicKey2 = []byte(`-----BEGIN CERTIFICATE----- +MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw +gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ 
+MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM +BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 +MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM +Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL +DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v +ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT +f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv +8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R +BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j +BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq +hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 +sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u +FFNjhq0ODV1LNc1i8pQCAg== +-----END CERTIFICATE-----`) + // CABundle is a combination of PublicKey + PublicKey2. + CABundle = append(append(PublicKey, '\n'), PublicKey2...) +) diff --git a/tests/negative/security/tls.go b/tests/negative/security/tls.go index 6c4ec4d52..16f1c2ed3 100644 --- a/tests/negative/security/tls.go +++ b/tests/negative/security/tls.go @@ -22,12 +22,13 @@ import ( "net/http" "net/http/httptest" + "github.com/coreos/ignition/v2/tests/fixtures" "github.com/coreos/ignition/v2/tests/register" "github.com/coreos/ignition/v2/tests/types" ) func init() { - cer, err := tls.X509KeyPair(publicKey, privateKey) + cer, err := tls.X509KeyPair(fixtures.PublicKey, fixtures.PrivateKey) if err != nil { panic(fmt.Sprintf("error loading x509 keypair: %v", err)) } @@ -36,7 +37,7 @@ func init() { customCAServer.Config.ErrorLog = log.New(ioutil.Discard, "", 0) customCAServer.StartTLS() - cer2, err := tls.X509KeyPair(publicKey2, privateKey2) + cer2, err := tls.X509KeyPair(fixtures.PublicKey2, fixtures.PrivateKey2) if err != nil { panic(fmt.Sprintf("error loading x509 keypair2: %v", err)) } 
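Review bot: `CABundle = append(append(PublicKey, '\n'), PublicKey2...)` builds the bundle by appending to PublicKey itself; a `[]byte` produced from a string conversion can carry spare capacity, in which case the inner append writes the newline into PublicKey's backing array. Nothing else appends to PublicKey today, so this is latent, but a detached build is clearer: `CABundle = bytes.Join([][]byte{PublicKey, PublicKey2}, []byte("\n"))` with `"bytes"` imported. Two documentation nits in the new file: there is no package doc comment (`// Package fixtures holds the TLS key and certificate material shared by the security tests.` above `package fixtures`), and the PublicKey2 comment reads "is generate via" where its siblings say "is generated via".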
@@ -53,81 +54,6 @@ func init() { } var ( - // generated via: - // openssl ecparam -genkey -name secp384r1 -out server.key - privateKey = []byte(`-----BEGIN EC PARAMETERS----- -BgUrgQQAIg== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDB6yW6RIYfTXdYVuPY0V0L6EtZ6vZD86vgbsw52Y3/U5nZ2JE++JrKu -tt2Xt/NMzG6gBwYFK4EEACKhZANiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa0 -49RhvM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeH -veCNsqvm82F1NVevVoExAUhDYmMREa4= ------END EC PRIVATE KEY-----`) - - // generated via: - // openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 - publicKey = []byte(`-----BEGIN CERTIFICATE----- -MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj -bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR -BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t -MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw -EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE -AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh -vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN -sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O -BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 -T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul -t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx -AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt -9g== ------END CERTIFICATE-----`) - - // generated via - // openssl ecparam -genkey -name secp384r1 -out server.key - privateKey2 = []byte(`-----BEGIN EC PARAMETERS----- -BgUrgQQAIg== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDCfXncsl/kqihUWRHThBdGEDpv/bavwHYEi2tjrHiRkm+b7zhFlup8o 
-aP1l1zP1LhKgBwYFK4EEACKhZANiAAQ/J0D0C3h2a55JU3/EANe1d3e2/mfcoXGq -P8soiFdYntRIC4+V4dnRJuHRR+FHR/3531EIf2WXsoIJr/IRhR/j0tAeXpZ++G+E -vaooXf7gShnhRYKM4viPx4+DhSPjmqw= ------END EC PRIVATE KEY-----`) - - // generate csr: - // openssl req -new -key server.key -out server.csr - // generate certificate: - // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out - // server.crt -extensions v3_req -extfile extfile.conf - // where extfile.conf has the following details: - // $ cat extfile.conf - // [ v3_req ] - // subjectAltName = IP:127.0.0.1 - // subjectKeyIdentifier=hash - // authorityKeyIdentifier=keyid - // basicConstraints = critical,CA:TRUE - publicKey2 = []byte(`-----BEGIN CERTIFICATE----- -MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw -gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ -MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM -BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 -MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM -Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL -DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v -ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT -f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv -8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R -BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j -BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq -hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 -sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u -FFNjhq0ODV1LNc1i8pQCAg== ------END CERTIFICATE-----`) - customCAServerFile = []byte(`{ "ignition": { "version": "3.0.0" }, "storage": { diff --git a/tests/positive/security/tls.go b/tests/positive/security/tls.go index 7559cc28f..e67fab9b5 100644 --- a/tests/positive/security/tls.go +++ b/tests/positive/security/tls.go 
@@ -20,6 +20,7 @@ import ( "net/http" "net/http/httptest" + "github.com/coreos/ignition/v2/tests/fixtures" "github.com/coreos/ignition/v2/tests/register" "github.com/coreos/ignition/v2/tests/servers" "github.com/coreos/ignition/v2/tests/types" @@ -28,7 +29,7 @@ import ( ) func init() { - cer, err := tls.X509KeyPair(publicKey, privateKey) + cer, err := tls.X509KeyPair(fixtures.PublicKey, fixtures.PrivateKey) if err != nil { panic(fmt.Sprintf("error loading x509 keypair: %v", err)) } @@ -36,7 +37,7 @@ func init() { customCAServer.TLS = config customCAServer.StartTLS() - cer2, err := tls.X509KeyPair(publicKey2, privateKey2) + cer2, err := tls.X509KeyPair(fixtures.PublicKey2, fixtures.PrivateKey2) if err != nil { panic(fmt.Sprintf("error loading x509 keypair2: %v", err)) } 
@@ -56,118 +57,6 @@ func init() { } var ( - // generated via: - // openssl ecparam -genkey -name secp384r1 -out server.key - privateKey = []byte(`-----BEGIN EC PARAMETERS----- -BgUrgQQAIg== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDB6yW6RIYfTXdYVuPY0V0L6EtZ6vZD86vgbsw52Y3/U5nZ2JE++JrKu -tt2Xt/NMzG6gBwYFK4EEACKhZANiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa0 -49RhvM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeH -veCNsqvm82F1NVevVoExAUhDYmMREa4= ------END EC PRIVATE KEY-----`) - - // generated via: - // openssl req -new -x509 -sha256 -key server.key -out server.crt -days 3650 - publicKey = []byte(`-----BEGIN CERTIFICATE----- -MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj -bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR -BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t -MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw -EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE -AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh -vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN -sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O -BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 -T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul -t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx -AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt -9g== ------END CERTIFICATE-----`) - - // generated via - // openssl ecparam -genkey -name secp384r1 -out server.key - privateKey2 = []byte(`-----BEGIN EC PARAMETERS----- -BgUrgQQAIg== ------END EC PARAMETERS----- ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDCfXncsl/kqihUWRHThBdGEDpv/bavwHYEi2tjrHiRkm+b7zhFlup8o 
-aP1l1zP1LhKgBwYFK4EEACKhZANiAAQ/J0D0C3h2a55JU3/EANe1d3e2/mfcoXGq -P8soiFdYntRIC4+V4dnRJuHRR+FHR/3531EIf2WXsoIJr/IRhR/j0tAeXpZ++G+E -vaooXf7gShnhRYKM4viPx4+DhSPjmqw= ------END EC PRIVATE KEY-----`) - - // generate csr: - // openssl req -new -key server.key -out server.csr - // generate certificate: - // openssl x509 -req -days 3650 -in server.csr -signkey server.key -out - // server.crt -extensions v3_req -extfile extfile.conf - // where extfile.conf has the following details: - // $ cat extfile.conf - // [ v3_req ] - // subjectAltName = IP:127.0.0.1 - // subjectKeyIdentifier=hash - // authorityKeyIdentifier=keyid - // basicConstraints = critical,CA:TRUE - publicKey2 = []byte(`-----BEGIN CERTIFICATE----- -MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw -gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ -MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM -BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 -MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM -Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL -DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v -ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT -f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv -8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R -BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j -BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq -hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 -sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u -FFNjhq0ODV1LNc1i8pQCAg== ------END CERTIFICATE-----`) - // catting publicKey and publicKey2 - caBundle = []byte(`-----BEGIN CERTIFICATE----- -MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj -bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR 
-BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t -MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw -EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE -AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh -vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN -sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O -BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 -T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul -t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx -AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt -9g== ------END CERTIFICATE----- -# CustomCAServer1 certificate ------BEGIN CERTIFICATE----- -MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw -gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ -MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM -BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 -MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM -Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL -DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v -ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT -f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv -8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R -BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j -BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq -hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 -sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u -FFNjhq0ODV1LNc1i8pQCAg== ------END CERTIFICATE-----`) - customCAServerFile = []byte(`{ "ignition": { "version": "3.0.0" }, "storage": { 
@@ -216,7 +105,7 @@ func AppendConfigCustomCert() types.Test {
 }
 }
 }
- }`, customCAServer.URL, dataurl.EncodeBytes(publicKey))
+ }`, customCAServer.URL, dataurl.EncodeBytes(fixtures.PublicKey))
 configMinVersion := "3.0.0"
 
 out[0].Partitions.AddFiles("ROOT", []types.File{
@@ -261,7 +150,7 @@ func FetchFileCustomCert() types.Test {
 }
 }]
 }
- }`, dataurl.EncodeBytes(publicKey), customCAServer.URL)
+ }`, dataurl.EncodeBytes(fixtures.PublicKey), customCAServer.URL)
 configMinVersion := "3.0.0"
 
 out[0].Partitions.AddFiles("ROOT", []types.File{
@@ -312,7 +201,7 @@ func FetchFileCABundleCert() types.Test {
 }
 }]
 }
- }`, dataurl.EncodeBytes(caBundle), customCAServer.URL, customCAServer2.URL)
+ }`, dataurl.EncodeBytes(fixtures.CABundle), customCAServer.URL, customCAServer2.URL)
 configMinVersion := "3.0.0"
 
 out[0].Partitions.AddFiles("ROOT", []types.File{
diff --git a/tests/servers/servers.go b/tests/servers/servers.go
index a2da17f6f..6d448d07b 100644
--- a/tests/servers/servers.go
+++ b/tests/servers/servers.go
@@ -27,6 +27,7 @@ import (
 "strings"
 "time"
 
+ "github.com/coreos/ignition/v2/tests/fixtures"
 "github.com/pin/tftp"
 )
 
@@ -43,68 +44,13 @@ var ( servedContents = []byte(`asdf fdsa`) - servedPublicKey = []byte(`-----BEGIN CERTIFICATE----- -MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj -bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR -BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t -MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw -EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE -AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh -vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN -sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O -BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 -T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul -t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx -AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt -9g== ------END CERTIFICATE-----`) - servedCABundle = []byte(`-----BEGIN CERTIFICATE----- -MIICzTCCAlKgAwIBAgIJALTP0pfNBMzGMAoGCCqGSM49BAMCMIGZMQswCQYDVQQG -EwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj -bzETMBEGA1UECgwKQ29yZU9TIEluYzEUMBIGA1UECwwLRW5naW5lZXJpbmcxEzAR -BgNVBAMMCmNvcmVvcy5jb20xHTAbBgkqhkiG9w0BCQEWDm9lbUBjb3Jlb3MuY29t -MB4XDTE4MDEyNTAwMDczOVoXDTI4MDEyMzAwMDczOVowgZkxCzAJBgNVBAYTAlVT -MRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRMw -EQYDVQQKDApDb3JlT1MgSW5jMRQwEgYDVQQLDAtFbmdpbmVlcmluZzETMBEGA1UE -AwwKY29yZW9zLmNvbTEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wdjAQ -BgcqhkjOPQIBBgUrgQQAIgNiAAQDEhfHEulYKlANw9eR5l455gwzAIQuraa049Rh -vM7PPywaiD8DobteQmE8wn7cJSzOYw6GLvrL4Q1BO5EFUXknkW50t8lfnUeHveCN -sqvm82F1NVevVoExAUhDYmMREa6jZDBiMA8GA1UdEQQIMAaHBH8AAAEwHQYDVR0O -BBYEFEbFy0SPiF1YXt+9T3Jig2rNmBtpMB8GA1UdIwQYMBaAFEbFy0SPiF1YXt+9 
-T3Jig2rNmBtpMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDaQAwZgIxAOul -t3MhI02IONjTDusl2YuCxMgpy2uy0MPkEGUHnUOsxmPSG0gEBCNHyeKVeTaPUwIx -AKbyaAqbChEy9CvDgyv6qxTYU+eeBImLKS3PH2uW5etc/69V/sDojqpH3hEffsOt -9g== ------END CERTIFICATE----- -# CustomCAServer1 certificate ------BEGIN CERTIFICATE----- -MIICrDCCAjOgAwIBAgIUbFS1ugcEYYGQoTiV6O//r3wdO58wCgYIKoZIzj0EAwIw -gYQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJOQzEQMA4GA1UEBwwHUmFsZWlnaDEQ -MA4GA1UECgwHUmVkIEhhdDEUMBIGA1UECwwLRW5naW5lZXJpbmcxDzANBgNVBAMM -BkNvcmVPUzEdMBsGCSqGSIb3DQEJARYOb2VtQGNvcmVvcy5jb20wHhcNMjAwNTA3 -MjIzMzA3WhcNMzAwNTA1MjIzMzA3WjCBhDELMAkGA1UEBhMCVVMxCzAJBgNVBAgM -Ak5DMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdSZWQgSGF0MRQwEgYDVQQL -DAtFbmdpbmVlcmluZzEPMA0GA1UEAwwGQ29yZU9TMR0wGwYJKoZIhvcNAQkBFg5v -ZW1AY29yZW9zLmNvbTB2MBAGByqGSM49AgEGBSuBBAAiA2IABD8nQPQLeHZrnklT -f8QA17V3d7b+Z9yhcao/yyiIV1ie1EgLj5Xh2dEm4dFH4UdH/fnfUQh/ZZeyggmv -8hGFH+PS0B5eln74b4S9qihd/uBKGeFFgozi+I/Hj4OFI+OarKNkMGIwDwYDVR0R -BAgwBocEfwAAATAdBgNVHQ4EFgQUovVgWNFFPhrF7XzaRteDnpfPXxowHwYDVR0j -BBgwFoAUovVgWNFFPhrF7XzaRteDnpfPXxowDwYDVR0TAQH/BAUwAwEB/zAKBggq -hkjOPQQDAgNnADBkAjBvCIr9k43oR18Z4HLTzaRfzacFzo75Lt5n0pk3PA5CrUg3 -sXU6o4IxyLNFHzIJn7cCMGTMVKEzoSZDclxkEgu53WM7PQljHgL9FJScEt4hzO2u -FFNjhq0ODV1LNc1i8pQCAg== ------END CERTIFICATE-----`) - // export these so tests don't have to hard-code them everywhere configRawHash = sha512.Sum512(servedConfig) contentsRawHash = sha512.Sum512(servedContents) - publicKeyRawHash = sha512.Sum512(servedPublicKey) + publicKeyRawHash = sha512.Sum512(fixtures.PublicKey) configRawHashForSHA256 = sha256.Sum256(servedConfig) contentsRawHashForSHA256 = sha256.Sum256(servedContents) - publicKeyRawHashForSHA256 = sha256.Sum256(servedPublicKey) + publicKeyRawHashForSHA256 = sha256.Sum256(fixtures.PublicKey) ConfigHash = hex.EncodeToString(configRawHash[:]) ContentsHash = hex.EncodeToString(contentsRawHash[:]) PublicKeyHash = hex.EncodeToString(publicKeyRawHash[:]) 
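Review bot: The exported digests at the end of this hunk are computed only from `fixtures.PublicKey` (`publicKeyRawHash`, `publicKeyRawHashForSHA256`); nothing is derived from `fixtures.CABundle`, which the `CABundle` handler in the next hunk serves, so a multi-certificate bundle fetched over plain `http` has no fixture digest to pair with the `verification.hash` option that the docs in this series recommend for that scheme. Adding `caBundleRawHash = sha512.Sum512(fixtures.CABundle)` and `CABundleHash = hex.EncodeToString(caBundleRawHash[:])` beside the existing constants would give a positive test something to assert against. The enclosing `var (` block begins before this hunk.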
@@ -123,11 +69,11 @@ func (server *HTTPServer) Contents(w http.ResponseWriter, r *http.Request) {
 }
 
 func (server *HTTPServer) Certificates(w http.ResponseWriter, r *http.Request) {
- w.Write(servedPublicKey)
+ w.Write(fixtures.PublicKey)
 }
 
 func (server *HTTPServer) CABundle(w http.ResponseWriter, r *http.Request) {
- w.Write(servedCABundle)
+ w.Write(fixtures.CABundle)
 }
 
 func compress(contents []byte) []byte {
@@ -151,7 +97,7 @@ func (server *HTTPServer) ContentsCompressed(w http.ResponseWriter, r *http.Requ
 }
 
 func (server *HTTPServer) CertificatesCompressed(w http.ResponseWriter, r *http.Request) {
- w.Write(compress(servedPublicKey))
+ w.Write(compress(fixtures.PublicKey))
 }
 
 func errorHandler(w http.ResponseWriter, message string) {
@@ -227,7 +173,7 @@ func (server *HTTPServer) ContentsHeaders(w http.ResponseWriter, r *http.Request
 
 func (server *HTTPServer) CertificatesHeaders(w http.ResponseWriter, r *http.Request) {
 headerCheck(w, r)
- w.Write(servedPublicKey)
+ w.Write(fixtures.PublicKey)
 }
 
 // redirectedHeaderCheck validates that user's headers from the original request are missing
@@ -276,7 +222,7 @@ func (server *HTTPServer) CertificatesRedirect(w http.ResponseWriter, r *http.Re
 
 func (server *HTTPServer) CertificatesRedirected(w http.ResponseWriter, r *http.Request) {
 redirectedHeaderCheck(w, r)
- w.Write(servedPublicKey)
+ w.Write(fixtures.PublicKey)
 }
 
 func (server *HTTPServer) ConfigHeadersOverwrite(w http.ResponseWriter, r *http.Request) {
@@ -294,7 +240,7 @@ func (server *HTTPServer) ContentsHeadersOverwrite(w http.ResponseWriter, r *htt
 
 func (server *HTTPServer) CertificatesHeadersOverwrite(w http.ResponseWriter, r *http.Request) {
 overwrittenHeaderCheck(w, r)
- w.Write(servedPublicKey)
+ w.Write(fixtures.PublicKey)
 }
 
 type HTTPServer struct{}
From 0d3d0a3aaeb5f849f767ee94a773c1acfa20851f Mon Sep 17 00:00:00 2001
From: Sohan Kunkerkar
Date: Thu, 14 May 2020 20:30:59 -0400
Subject: [PATCH 4/4] Add CA bundle reference in the docs
---
 doc/configuration-v3_0.md | 2 +-
 doc/configuration-v3_1.md | 2 +-
 doc/configuration-v3_2_experimental.md | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/doc/configuration-v3_0.md b/doc/configuration-v3_0.md
index 76243a96e..a589ced6c 100644
--- a/doc/configuration-v3_0.md
+++ b/doc/configuration-v3_0.md
@@ -19,7 +19,7 @@ The Ignition configuration is a JSON document conforming to the following specif
 * **_security_** (object): options relating to network security.
 * **_tls_** (object): options relating to TLS when fetching resources over `https`.
 * **_certificateAuthorities_** (list of objects): the list of additional certificate authorities (in addition to the system authorities) to be used for TLS verification when fetching over `https`. All certificate authorities must have a unique `source`.
- * **source** (string): the URL of the certificate (in PEM format). Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
+ * **source** (string): the URL of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
 * **_verification_** (object): options related to the verification of the certificate.
 * **_hash_** (string): the hash of the certificate, in the form `-` where type is sha512.
 * **_storage_** (object): describes the desired state of the system's storage devices.
diff --git a/doc/configuration-v3_1.md b/doc/configuration-v3_1.md
index 710ee3ee5..e246d54c6 100644
--- a/doc/configuration-v3_1.md
+++ b/doc/configuration-v3_1.md
@@ -27,7 +27,7 @@ The Ignition configuration is a JSON document conforming to the following specif
 * **_security_** (object): options relating to network security.
 * **_tls_** (object): options relating to TLS when fetching resources over `https`.
 * **_certificateAuthorities_** (list of objects): the list of additional certificate authorities (in addition to the system authorities) to be used for TLS verification when fetching over `https`. All certificate authorities must have a unique `source`.
- * **source** (string): the URL of the certificate (in PEM format). Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
+ * **source** (string): the URL of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
 * **_compression_** (string): the type of compression used on the certificate (null or gzip). Compression cannot be used with S3.
 * **_httpHeaders_** (list of objects): a list of HTTP headers to be added to the request. Available for `http` and `https` source schemes only.
 * **name** (string): the header name.
diff --git a/doc/configuration-v3_2_experimental.md b/doc/configuration-v3_2_experimental.md
index a0786c100..fef50f378 100644
--- a/doc/configuration-v3_2_experimental.md
+++ b/doc/configuration-v3_2_experimental.md
@@ -29,7 +29,7 @@ The Ignition configuration is a JSON document conforming to the following specif
 * **_security_** (object): options relating to network security.
 * **_tls_** (object): options relating to TLS when fetching resources over `https`.
 * **_certificateAuthorities_** (list of objects): the list of additional certificate authorities (in addition to the system authorities) to be used for TLS verification when fetching over `https`. All certificate authorities must have a unique `source`.
- * **source** (string): the URL of the certificate (in PEM format). Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
+ * **source** (string): the URL of the certificate bundle (in PEM format). The bundle can contain multiple concatenated certificates. Supported schemes are `http`, `https`, `s3`, `tftp`, and [`data`][rfc2397]. Note: When using `http`, it is advisable to use the verification option to ensure the contents haven't been modified.
 * **_compression_** (string): the type of compression used on the certificate (null or gzip). Compression cannot be used with S3.
 * **_httpHeaders_** (list of objects): a list of HTTP headers to be added to the request. Available for `http` and `https` source schemes only.
 * **name** (string): the header name.