Generate more certs/identities, and use them for better multi-cert test coverage #10747
Conversation
nodejs-github-bot
added
test
sam-github
force-pushed
the
generate-more-certs
branch
from
22660fb
to
616ba33
Compare
|
Will rebase onto #10389 once it lands. |
mscdex
added
tls
sam-github
force-pushed
the
generate-more-certs
branch
from
616ba33
to
9358f42
Compare
sam-github
force-pushed
the
generate-more-certs
branch
from
9358f42
to
750bb7b
Compare
|
@nodejs/crypto |
sam-github
force-pushed
the
generate-more-certs
branch
from
750bb7b
to
9f585b4
Compare
test/fixtures/keys/Makefile
Outdated
| cat ca4-cert.pem >> agent8-cert.pem | ||
|
|
||
| agent8-verify: agent8-cert.pem ca4-cert.pem | ||
| openssl verify -CAfile ca4-cert.pem agent8-cert.pem |
test/fixtures/keys/Makefile
Outdated
| -inkey ec8-key.pem \ | ||
| -certfile ca6-cert.pem \ | ||
| -out ec8.pfx \ | ||
| -password pass:sample |
There was a problem hiding this comment.
You could make the recipes a little more DRY by using
| if (cb) cb(); | ||
| }); | ||
| }); | ||
| const msg = fmt( |
There was a problem hiding this comment.
Can you use util.format here? Saves the casual reader from having to look up what fmt() is.
| ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' + | ||
| ciphers: 'AES256-SHA256:' + | ||
| 'AES128-GCM-SHA256:' + | ||
| 'AES128-SHA256:' + |
sam-github
force-pushed
the
generate-more-certs
branch
from
ea714d5
to
fefefcb
Compare
|
Are there any matching cert + intermediate + key files in here? Asking so I can test #7230 (comment). |
|
@silverwind bf43a60a383fa5fce1051532c4e499c4b1df4c07 has the tests you are looking for, I believe, but this PR is partially broken at the moment, I am in process of rebasing (master had an agent8 and agent9 added to it, so I need to move my numbered certs forward, which I'm in process of doing right now). |
sam-github
force-pushed
the
generate-more-certs
branch
from
fefefcb
to
b979858
Compare
|
Hmm, can't find a fitting case there, but this should be a failing example: |
sam-github
force-pushed
the
generate-more-certs
branch
from
b979858
to
d125ee8
Compare
|
I think I see what is happening, you are trying to provide the certs a+b+c of a cert chain as Pre-existing test with pre-existing agent6 cert: This PR adds tests for mixed algorithm identies, where the mixed algs have intermediate certs:
Your example: is invalid usage. agent10-cert.pem is a CHAIN, it already contains ca4-cert.pem, as did the pre-existing cert that had an intermediate cert, agent6:
Docs say:
Your example above has two identities, one is agent10+ca4, and the other is just ca4. This is weird, because ca4 is a sub-chain of the first identity, and also, because they are both RSA, and OpenSSL doesn't permit multiple identities of the same algorithm, because it doesn't know which one to pick (unless you use SNI callback, when it picks by the server name). |
|
Sorry, for So the interesting part is that it works if I concatenate |
Exactly. That is the documented behaviour, so lets not hijack this PR to discuss it further, now that we agree what is happening. Open another issue if you think there is a problem and we can discuss there. |
sam-github
force-pushed
the
generate-more-certs
branch
from
8165817
to
01da330
Compare
I agree. I also would like to change file names and cert attributes to see its use and purpose for ease. |
sam-github
force-pushed
the
generate-more-certs
branch
3 times, most recently
from
e089bd0
to
3ed5993
Compare
|
@shigeki PTAL |
sam-github
force-pushed
the
generate-more-certs
branch
from
3ed5993
to
bb8c327
Compare
|
@shigeki any more comments I can address? |
sam-github
force-pushed
the
generate-more-certs
branch
from
bb8c327
to
912d645
Compare
|
@shigeki ping |
sam-github
force-pushed
the
generate-more-certs
branch
from
912d645
to
2089d22
Compare
|
@shigeki I have responded to all comments, how can I move this forward? |
sam-github
force-pushed
the
generate-more-certs
branch
from
2089d22
to
9f90b7b
Compare
sam-github
dismissed
shigeki’s stale review
addressed comments, no replies to request for more comments
|
@sam-github would you be so kind and rebase? I guess it is otherwise ready? |
sam-github
force-pushed
the
generate-more-certs
branch
from
9f90b7b
to
e1e40ad
Compare
|
@mhdawson @bnoordhuis would you be so kind and reconfirm your LG? |
|
@sam-github the CI is dark red. Seems like some tests need some additional work. |
PFX is not PEM, its binary DER. Use the same .pfx extension as test/fixtures/test_cert.pfx does.
agent6 was the only cert that had a chain (an intermediate certificate), and there were no non-RSA certs other than a single self-signed one. This makes it impossible to test cert-chain scenarios with multiple identities which require chains to prove chain completion, and multi-algorithm because OpenSSL doesn't support multiple identities unless they are multi-algorithm. PFX files were also missing for most identities, making it difficult to test multi-PFX and PFX interactions with cert-chain+key and CA options. New server cert chains: - ECC: ca5 signs ca6 signs ec10, CN=agent10.example.com - RSA: ca2 signs ca4 signs agent10, CN=agent10.example.com PFX added for: - agent6 - agent10 - ec10
Prove that cert and key options do not have to be ordered, and that the pfx option can be used at the same time as the cert/key option (which was claimed to be impossible by some pre-existing documentation).
When honorCipherOrder is not explicitly set, it defaults to true, cover this condition in the test. Also, run all tests in parallel, instead of sequentially.
sam-github
force-pushed
the
generate-more-certs
branch
from
e1e40ad
to
64d61e9
Compare
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passesAffected core subsystem(s)
tls