authorMagnus Henoch <[email protected]>2015-12-08 18:23:42 +0000
committerMagnus Henoch <[email protected]>2016-04-05 15:21:01 +0100
commitb219dbd698c74cf3c904445d13bb3453be6e1ac8 (patch)
tree479d612caf5945c4b866ced0a9f14c29d5ed5d8b /lib/ssl/test/ssl_crl_SUITE.erl
parentee2178b073e936760b405b338e473236a5df94ca (diff)
Add ssl_crl_hash_dir module
This module is an implementation of the ssl_crl_cache_api behaviour. It can be used when there is a directory containing CRLs for all relevant CAs, in the form used by e.g. Apache. The module assumes that the directory is being updated through an external process.
Diffstat (limited to 'lib/ssl/test/ssl_crl_SUITE.erl')
-rw-r--r--lib/ssl/test/ssl_crl_SUITE.erl201
1 files changed, 190 insertions, 11 deletions
diff --git a/lib/ssl/test/ssl_crl_SUITE.erl b/lib/ssl/test/ssl_crl_SUITE.erl
index 5b86027210..27005682e9 100644
--- a/lib/ssl/test/ssl_crl_SUITE.erl
+++ b/lib/ssl/test/ssl_crl_SUITE.erl
@@ -41,20 +41,26 @@ groups() ->
[
{check_true, [], [{group, v2_crl},
{group, v1_crl},
- {group, idp_crl}]},
+ {group, idp_crl},
+ {group, crl_hash_dir}]},
{check_peer, [], [{group, v2_crl},
{group, v1_crl},
- {group, idp_crl}]},
+ {group, idp_crl},
+ {group, crl_hash_dir}]},
{check_best_effort, [], [{group, v2_crl},
{group, v1_crl},
- {group, idp_crl}]},
+ {group, idp_crl},
+ {group, crl_hash_dir}]},
{v2_crl, [], basic_tests()},
{v1_crl, [], basic_tests()},
- {idp_crl, [], basic_tests()}].
+ {idp_crl, [], basic_tests()},
+ {crl_hash_dir, [], basic_tests() ++ crl_hash_dir_tests()}].
basic_tests() ->
[crl_verify_valid, crl_verify_revoked, crl_verify_no_crl].
+crl_hash_dir_tests() ->
+ [crl_hash_dir_collision, crl_hash_dir_expired].
init_per_suite(Config) ->
case os:find_executable("openssl") of
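Review bot: The new `crl_hash_dir` group reuses `basic_tests()`, which includes `crl_verify_no_crl`, yet no hunk on this page adds `?config(crl_cache_opts, Config) ++` to that test's client options the way the crl_verify_valid and crl_verify_revoked hunks do. If its body is otherwise unchanged, it runs in this group without ssl_crl_hash_dir configured, so the missing-CRL path of the new module is not exercised. Either prepend the cache options there as well (the hashed copies under `crls` would presumably also have to be removed for the CRL to count as missing), or list the tests explicitly: `{crl_hash_dir, [], [crl_verify_valid, crl_verify_revoked] ++ crl_hash_dir_tests()}`.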
@@ -101,7 +107,24 @@ init_per_group(Group, Config0) ->
CertDir = filename:join(?config(priv_dir, Config0), Group),
{CertOpts, Config} = init_certs(CertDir, Group, Config0),
{ok, _} = make_certs:all(DataDir, CertDir, CertOpts),
- [{cert_dir, CertDir}, {idp_crl, false} | Config]
+ case Group of
+ crl_hash_dir ->
+ CrlDir = filename:join(CertDir, "crls"),
+ %% Copy CRLs to their hashed filenames.
+ %% Find the hashes with 'openssl crl -noout -hash -in crl.pem'.
+ populate_crl_hash_dir(CertDir, CrlDir,
+ [{"erlangCA", "d6134ed3"},
+ {"otpCA", "d4c8d7e5"}],
+ replace),
+ CrlCacheOpts = [{crl_cache,
+ {ssl_crl_hash_dir,
+ {internal, [{dir, CrlDir}]}}}];
+ _ ->
+ CrlCacheOpts = []
+ end,
+ [{crl_cache_opts, CrlCacheOpts},
+ {cert_dir, CertDir},
+ {idp_crl, false} | Config]
end.
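Review bot: `CrlCacheOpts` is bound separately inside each branch of `case Group of` and then used after the `end`, which relies on variables being exported from a case. Binding the value of the case is easier to follow and keeps a future third branch from forgetting the assignment: `CrlCacheOpts = case Group of`, with the first branch ending in `[{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, CrlDir}]}}}];` and the fallback reduced to `_ -> []`. init_per_group starts above this hunk, and the trailing `end.` closes a case that is opened outside it.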
end_per_group(_GroupName, Config) ->
@@ -164,9 +187,10 @@ crl_verify_valid(Config) when is_list(Config) ->
{crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}},
{verify, verify_peer}];
false ->
- [{cacertfile, filename:join([PrivDir, "server", "cacerts.pem"])},
- {crl_check, Check},
- {verify, verify_peer}]
+ ?config(crl_cache_opts, Config) ++
+ [{cacertfile, filename:join([PrivDir, "server", "cacerts.pem"])},
+ {crl_check, Check},
+ {verify, verify_peer}]
end,
{ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
@@ -196,9 +220,10 @@ crl_verify_revoked(Config) when is_list(Config) ->
{crl_check, Check},
{verify, verify_peer}];
false ->
- [{cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])},
- {crl_check, Check},
- {verify, verify_peer}]
+ ?config(crl_cache_opts, Config) ++
+ [{cacertfile, filename:join([PrivDir, "revoked", "cacerts.pem"])},
+ {crl_check, Check},
+ {verify, verify_peer}]
end,
crl_verify_error(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts,
@@ -251,6 +276,132 @@ crl_verify_no_crl(Config) when is_list(Config) ->
crl_verify_valid(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts)
end.
+crl_hash_dir_collision() ->
+ [{doc,"Verify ssl_crl_hash_dir behaviour with hash collisions"}].
+crl_hash_dir_collision(Config) when is_list(Config) ->
+ PrivDir = ?config(cert_dir, Config),
+ Check = ?config(crl_check, Config),
+
+ %% Create two CAs whose names hash to the same value
+ CA1 = "hash-collision-0000000000",
+ CA2 = "hash-collision-0258497583",
+ CertsConfig = make_certs:make_config([]),
+ make_certs:intermediateCA(PrivDir, CA1, "erlangCA", CertsConfig),
+ make_certs:intermediateCA(PrivDir, CA2, "erlangCA", CertsConfig),
+
+ make_certs:enduser(PrivDir, CA1, "collision-client-1", CertsConfig),
+ make_certs:enduser(PrivDir, CA2, "collision-client-2", CertsConfig),
+
+ [ServerOpts1, ServerOpts2] =
+ [
+ [{keyfile, filename:join([PrivDir, EndUser, "key.pem"])},
+ {certfile, filename:join([PrivDir, EndUser, "cert.pem"])},
+ {cacertfile, filename:join([PrivDir, EndUser, "cacerts.pem"])}]
+ || EndUser <- ["collision-client-1", "collision-client-2"]],
+
+ %% Add CRLs for our new CAs into the CRL hash directory.
+ %% Find the hashes with 'openssl crl -noout -hash -in crl.pem'.
+ CrlDir = filename:join(PrivDir, "crls"),
+ populate_crl_hash_dir(PrivDir, CrlDir,
+ [{CA1, "b68fc624"},
+ {CA2, "b68fc624"}],
+ replace),
+
+ ClientOpts = ?config(crl_cache_opts, Config) ++
+ [{cacertfile, filename:join([PrivDir, "erlangCA", "cacerts.pem"])},
+ {crl_check, Check},
+ {verify, verify_peer}],
+
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ %% Neither certificate revoked; both succeed.
+ crl_verify_valid(Hostname, ServerNode, ServerOpts1, ClientNode, ClientOpts),
+ crl_verify_valid(Hostname, ServerNode, ServerOpts2, ClientNode, ClientOpts),
+
+ make_certs:revoke(PrivDir, CA1, "collision-client-1", CertsConfig),
+ populate_crl_hash_dir(PrivDir, CrlDir,
+ [{CA1, "b68fc624"},
+ {CA2, "b68fc624"}],
+ replace),
+
+ %% First certificate revoked; first fails, second succeeds.
+ crl_verify_error(Hostname, ServerNode, ServerOpts1, ClientNode, ClientOpts,
+ "certificate revoked"),
+ crl_verify_valid(Hostname, ServerNode, ServerOpts2, ClientNode, ClientOpts),
+
+ make_certs:revoke(PrivDir, CA2, "collision-client-2", CertsConfig),
+ populate_crl_hash_dir(PrivDir, CrlDir,
+ [{CA1, "b68fc624"},
+ {CA2, "b68fc624"}],
+ replace),
+
+ %% Second certificate revoked; both fail.
+ crl_verify_error(Hostname, ServerNode, ServerOpts1, ClientNode, ClientOpts,
+ "certificate revoked"),
+ crl_verify_error(Hostname, ServerNode, ServerOpts2, ClientNode, ClientOpts,
+ "certificate revoked"),
+
+ ok.
+
+crl_hash_dir_expired() ->
+ [{doc,"Verify ssl_crl_hash_dir behaviour with expired CRLs"}].
+crl_hash_dir_expired(Config) when is_list(Config) ->
+ PrivDir = ?config(cert_dir, Config),
+ Check = ?config(crl_check, Config),
+
+ CA = "CRL-maybe-expired-CA",
+ %% Add "issuing distribution point", to ensure that verification
+ %% fails if there is no valid CRL.
+ CertsConfig = make_certs:make_config([{issuing_distribution_point, true}]),
+ make_certs:intermediateCA(PrivDir, CA, "erlangCA", CertsConfig),
+ EndUser = "CRL-maybe-expired",
+ make_certs:enduser(PrivDir, CA, EndUser, CertsConfig),
+
+ ServerOpts = [{keyfile, filename:join([PrivDir, EndUser, "key.pem"])},
+ {certfile, filename:join([PrivDir, EndUser, "cert.pem"])},
+ {cacertfile, filename:join([PrivDir, EndUser, "cacerts.pem"])}],
+ ClientOpts = ?config(crl_cache_opts, Config) ++
+ [{cacertfile, filename:join([PrivDir, CA, "cacerts.pem"])},
+ {crl_check, Check},
+ {verify, verify_peer}],
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ %% First make a CRL that expired yesterday.
+ make_certs:gencrl(PrivDir, CA, CertsConfig, -24),
+ CrlDir = filename:join(PrivDir, "crls"),
+ populate_crl_hash_dir(PrivDir, CrlDir,
+ [{CA, "1627b4b0"}],
+ replace),
+
+ %% Since the CRL has expired, it's treated as missing, and the
+ %% outcome depends on the crl_check setting.
+ case Check of
+ true ->
+ %% The error "revocation status undetermined" gets turned
+ %% into "bad certificate".
+ crl_verify_error(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts,
+ "bad certificate");
+ peer ->
+ crl_verify_error(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts,
+ "bad certificate");
+ best_effort ->
+ %% In "best effort" mode, we consider the certificate not
+ %% to be revoked if we can't find the appropriate CRL.
+ crl_verify_valid(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts)
+ end,
+
+ %% Now make a CRL that expires tomorrow.
+ make_certs:gencrl(PrivDir, CA, CertsConfig, 24),
+ CrlDir = filename:join(PrivDir, "crls"),
+ populate_crl_hash_dir(PrivDir, CrlDir,
+ [{CA, "1627b4b0"}],
+ add),
+
+ %% With a valid CRL, verification should always pass.
+ crl_verify_valid(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts),
+
+ ok.
+
crl_verify_valid(Hostname, ServerNode, ServerOpts, ClientNode, ClientOpts) ->
Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
{from, self()},
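Review bot: In crl_hash_dir_expired, the second `populate_crl_hash_dir` call passes `add` where every other call passes `replace`, and nothing says why. Going by populate_crl_hash_dir and find_free_name further down the page, `add` leaves the expired CRL in place as `1627b4b0.r0` and copies the fresh one to `.r1`, so this step appears to check that the lookup skips a stale file when a valid one sits beside it; a comment such as `%% Keep the expired CRL and add the fresh one next to it; the lookup must pick the unexpired file.` would make that explicit. The `CrlDir = filename:join(PrivDir, "crls"),` line just above that call repeats the earlier binding and can be dropped. The `true` and `peer` branches of `case Check of` are identical and could share one clause.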
@@ -311,3 +462,31 @@ make_dir_path(PathComponents) ->
rename_crl(Filename) ->
file:rename(Filename, Filename ++ ".notfound").
+
+populate_crl_hash_dir(CertDir, CrlDir, CAsHashes, AddOrReplace) ->
+ ok = filelib:ensure_dir(filename:join(CrlDir, "crls")),
+ case AddOrReplace of
+ replace ->
+ %% Delete existing files, so we can override them.
+ [ok = file:delete(FileToDelete) ||
+ {_CA, Hash} <- CAsHashes,
+ FileToDelete <- filelib:wildcard(
+ filename:join(CrlDir, Hash ++ ".r*"))];
+ add ->
+ ok
+ end,
+ %% Create new files, incrementing suffix if needed to find unique names.
+ [{ok, _} =
+ file:copy(filename:join([CertDir, CA, "crl.pem"]),
+ find_free_name(CrlDir, Hash, 0))
+ || {CA, Hash} <- CAsHashes],
+ ok.
+
+find_free_name(CrlDir, Hash, N) ->
+ Name = filename:join(CrlDir, Hash ++ ".r" ++ integer_to_list(N)),
+ case filelib:is_file(Name) of
+ true ->
+ find_free_name(CrlDir, Hash, N + 1);
+ false ->
+ Name
+ end.
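Review bot: `filelib:ensure_dir(filename:join(CrlDir, "crls"))` in populate_crl_hash_dir reads as if it created a `crls` subdirectory inside CrlDir, but ensure_dir only creates the parent directories of the name it is given, so the last path component is a throwaway. A comment like `%% ensure_dir/1 creates the parents of its argument; the final component is a dummy.`, or a dummy name that does not repeat the directory name, would avoid the confusion. The two list comprehensions are run only for their side effects; `lists:foreach/2` states that intent and avoids building a list that is discarded.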