ssl: Generate correct certificate chains for the ECC tests

The certificate chain handling had become quite entangled and was not correct.
author: Ingela Anderton Andin <[email protected]> 2017-03-31 15:39:57 +0200
committer: Ingela Anderton Andin <[email protected]> 2017-04-12 11:01:49 +0200
commit: 1d019afd9d69eaa566d652117b607c83bfb93b31 (patch)
tree: 3024a6e68eba1dc399941d3817570535dd688f9d /lib/ssl/test/x509_test.erl
parent: f606520095236e8dabb85564d3e91361e0b57b6e (diff)
download: otp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.gz
otp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.bz2
otp-1d019afd9d69eaa566d652117b607c83bfb93b31.zip
1 files changed, 83 insertions, 72 deletions
diff --git a/lib/ssl/test/x509_test.erl b/lib/ssl/test/x509_test.erl
index 5cd5c8eca7..13f8dfdaa9 100644
--- a/lib/ssl/test/x509_test.erl
+++ b/lib/ssl/test/x509_test.erl
@@ -20,36 +20,36 @@
 
 %%
 
--module(x509_test).
+ -module(x509_test).
 
--include_lib("public_key/include/public_key.hrl").
+ -include_lib("public_key/include/public_key.hrl").
 
--export([gen_test_certs/1, gen_pem_config_files/4]).
+ -export([gen_test_certs/1, gen_pem_config_files/3]).
 
-gen_test_certs(Opts) ->
-    SRootKey = gen_key(proplists:get_value(server_key_gen, Opts)),
-    CRootKey = gen_key(proplists:get_value(client_key_gen, Opts)),
-    ServerRoot = root_cert("server", SRootKey, Opts),
-    ClientRoot = root_cert("client", CRootKey, Opts),
-    [{ServerCert, ServerKey} | ServerCAsKeys] = config(server, ServerRoot, SRootKey, Opts),
-    [{ClientCert, ClientKey} | ClientCAsKeys] = config(client, ClientRoot, CRootKey, Opts),
-    ServerCAs = ca_config(ClientRoot, ServerCAsKeys),
-    ClientCAs = ca_config(ServerRoot, ClientCAsKeys),
-    [{server_config, [{cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCAs}]}, 
-     {client_config, [{cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCAs}]}].
+ gen_test_certs(Opts) ->
+     SRootKey = gen_key(proplists:get_value(server_key_gen, Opts)),
+     CRootKey = gen_key(proplists:get_value(client_key_gen, Opts)),
+     ServerRoot = root_cert("server", SRootKey, Opts),
+     ClientRoot = root_cert("client", CRootKey, Opts),
+     [{ServerCert, ServerKey} | ServerCAsKeys] = config(server, ServerRoot, SRootKey, Opts),
+     [{ClientCert, ClientKey} | ClientCAsKeys] = config(client, ClientRoot, CRootKey, Opts),
+     ServerCAs = ca_config(ClientRoot, ServerCAsKeys),
+     ClientCAs = ca_config(ServerRoot, ClientCAsKeys),
+     [{server_config, [{cert, ServerCert}, {key, ServerKey}, {cacerts, ServerCAs}]}, 
+      {client_config, [{cert, ClientCert}, {key, ClientKey}, {cacerts, ClientCAs}]}].
 
-gen_pem_config_files(GenCertData, CertFileBase, KeyFileBase, CAFileBase) ->
+gen_pem_config_files(GenCertData, ClientBase, ServerBase) ->
     ServerConf = proplists:get_value(server_config, GenCertData),
     ClientConf = proplists:get_value(client_config, GenCertData),
     
-    ServerCaCertFile = filename:join("server_", CAFileBase),
-    ServerCertFile = filename:join("server_", CertFileBase),
-    ServerKeyFile = filename:join("server_", KeyFileBase),
-    
-    ClientCaCertFile = filename:join("client_", CAFileBase),
-    ClientCertFile = filename:join("client_", CertFileBase),
-    ClientKeyFile = filename:join("client_", KeyFileBase),
+    ServerCaCertFile = ServerBase ++ "_server_cacerts.pem",
+    ServerCertFile = ServerBase ++ "_server_cert.pem",
+    ServerKeyFile = ServerBase ++ "_server_key.pem",
     
+    ClientCaCertFile = ClientBase ++ "_client_cacerts.pem",
+    ClientCertFile =  ClientBase ++ "_client_cert.pem",
+    ClientKeyFile = ClientBase ++ "_client_key.pem",
+
     do_gen_pem_config_files(ServerConf,
                             ServerCertFile,
                             ServerKeyFile,
@@ -58,59 +58,60 @@ gen_pem_config_files(GenCertData, CertFileBase, KeyFileBase, CAFileBase) ->
                             ClientCertFile,
                             ClientKeyFile,
                             ClientCaCertFile),
-    [{server_config, [{certfile, ServerCertFile}, {keyfile, ServerKeyFile}, {cacertfile, ServerCaCertFile}]}, 
-     {client_config, [{certfile, ClientCertFile}, {keyfile, ClientKeyFile}, {cacertfile, ClientCaCertFile}]}].
+    [{server_config, [{certfile, ServerCertFile}, 
+                      {keyfile, ServerKeyFile}, {cacertfile, ServerCaCertFile}]}, 
+     {client_config, [{certfile, ClientCertFile}, 
+                      {keyfile, ClientKeyFile}, {cacertfile, ClientCaCertFile}]}].
 
-    
-do_gen_pem_config_files(Config, CertFile, KeyFile, CAFile) ->
-    CAs = proplists:get_value(cacerts, Config),
-    Cert = proplists:get_value(cert, Config),
-    Key = proplists:get_value(key, Config),
-    der_to_pem(CertFile, [cert_entry(Cert)]),
-    der_to_pem(KeyFile, [key_entry(Key)]),
-    der_to_pem(CAFile, ca_entries(CAs)).
-   
-cert_entry(Cert) ->
-    {'Certificate', Cert, not_encrypted}.
-
-key_entry(Key = #'RSAPrivateKey'{}) ->
-    Der = public_key:der_encode('RSAPrivateKey', Key),
-    {'RSAPrivateKey', Der, not_encrypted};
-key_entry(Key = #'DSAPrivateKey'{}) ->
-    Der =  public_key:der_encode('DSAPrivateKey', Key),
-    {'DSAPrivateKey', Der, not_encrypted};
-key_entry(Key = #'ECPrivateKey'{}) ->
-    Der =  public_key:der_encode('ECPrivateKey', Key),
-    {'ECPrivateKey', Der, not_encrypted}.
-
-ca_entries(CAs) ->
-    [{'Certificate', CACert, not_encrypted} || CACert <- CAs].
-
-gen_key(KeyGen) ->
-    case is_key(KeyGen) of
-        true ->
-            KeyGen;
-        false ->
-            public_key:generate_key(KeyGen)
-    end.
 
-root_cert(Role, PrivKey, Opts) ->
-    TBS = cert_template(),
-    Issuer = issuer("root", Role, " ROOT CA"),
-    OTPTBS = TBS#'OTPTBSCertificate'{
-               signature = sign_algorithm(PrivKey, Opts),
-               issuer = Issuer,
-               validity = validity(Opts),  
-               subject = Issuer,
-               subjectPublicKeyInfo = public_key(PrivKey),
-               extensions = extensions(Opts)
-              },
-    public_key:pkix_sign(OTPTBS, PrivKey).
+ do_gen_pem_config_files(Config, CertFile, KeyFile, CAFile) ->
+     CAs = proplists:get_value(cacerts, Config),
+     Cert = proplists:get_value(cert, Config),
+     Key = proplists:get_value(key, Config),
+     der_to_pem(CertFile, [cert_entry(Cert)]),
+     der_to_pem(KeyFile, [key_entry(Key)]),
+     der_to_pem(CAFile, ca_entries(CAs)).
+
+ cert_entry(Cert) ->
+     {'Certificate', Cert, not_encrypted}.
+
+ key_entry(Key = #'RSAPrivateKey'{}) ->
+     Der = public_key:der_encode('RSAPrivateKey', Key),
+     {'RSAPrivateKey', Der, not_encrypted};
+ key_entry(Key = #'DSAPrivateKey'{}) ->
+     Der =  public_key:der_encode('DSAPrivateKey', Key),
+     {'DSAPrivateKey', Der, not_encrypted};
+ key_entry(Key = #'ECPrivateKey'{}) ->
+     Der =  public_key:der_encode('ECPrivateKey', Key),
+     {'ECPrivateKey', Der, not_encrypted}.
+
+ ca_entries(CAs) ->
+     [{'Certificate', CACert, not_encrypted} || CACert <- CAs].
+
+ gen_key(KeyGen) ->
+     case is_key(KeyGen) of
+         true ->
+             KeyGen;
+         false ->
+             public_key:generate_key(KeyGen)
+     end.
+
+ root_cert(Role, PrivKey, Opts) ->
+     TBS = cert_template(),
+     Issuer = issuer("root", Role, " ROOT CA"),
+     OTPTBS = TBS#'OTPTBSCertificate'{
+                signature = sign_algorithm(PrivKey, Opts),
+                issuer = Issuer,
+                validity = validity(Opts),  
+                subject = Issuer,
+                subjectPublicKeyInfo = public_key(PrivKey),
+                extensions = extensions(Opts)
+               },
+     public_key:pkix_sign(OTPTBS, PrivKey).
 
 config(Role, Root, Key, Opts) ->
-    KeyGenOpt = list_to_atom(atom_to_list(Role) ++ "key_gen_chain"),
-    KeyGens = proplists:get_value(KeyGenOpt, Opts, [{namedCurve, hd(tls_v1:ecc_curves(0))}, 
-                                                    {namedCurve, hd(tls_v1:ecc_curves(0))}]),
+    KeyGenOpt = list_to_atom(atom_to_list(Role) ++ "_key_gen_chain"),
+    KeyGens = proplists:get_value(KeyGenOpt, Opts, default_key_gen()),
     Keys = lists:map(fun gen_key/1, KeyGens),
     cert_chain(Role, Root, Key, Opts, Keys).
 
@@ -276,7 +277,8 @@ cert_chain(Role, Root, RootKey, Opts, Keys) ->
     cert_chain(Role, Root, RootKey, Opts, Keys, 0, []).
 
 cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key], _, Acc) ->
-    Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), IssuerKey, Key, "admin", " Peer cert", Opts),
+    Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), 
+                IssuerKey, Key, "admin", " Peer cert", Opts),
     [{Cert, Key}, {IssuerCert, IssuerKey} | Acc];
 cert_chain(Role, IssuerCert, IssuerKey, Opts, [Key | Keys], N, Acc) ->
     Cert = cert(Role, public_key:pkix_decode_cert(IssuerCert, otp), IssuerKey, Key, "webadmin", 
@@ -308,3 +310,12 @@ is_key(_) ->
 der_to_pem(File, Entries) ->
     PemBin = public_key:pem_encode(Entries),
     file:write_file(File, PemBin).
+
+default_key_gen() ->
+    case tls_v1:ecc_curves(0) of
+        [] ->
+            [{rsa, 2048, 17}, {rsa, 2048, 17}];
+        [_|_] ->
+            [{namedCurve, hd(tls_v1:ecc_curves(0))},
+             {namedCurve, hd(tls_v1:ecc_curves(0))}]
+    end.
author	Ingela Anderton Andin <[email protected]>	2017-03-31 15:39:57 +0200
committer	Ingela Anderton Andin <[email protected]>	2017-04-12 11:01:49 +0200
commit	1d019afd9d69eaa566d652117b607c83bfb93b31 (patch)
tree	3024a6e68eba1dc399941d3817570535dd688f9d /lib/ssl/test/x509_test.erl
parent	f606520095236e8dabb85564d3e91361e0b57b6e (diff)
download	otp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.gz otp-1d019afd9d69eaa566d652117b607c83bfb93b31.tar.bz2 otp-1d019afd9d69eaa566d652117b607c83bfb93b31.zip