docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Read multiple CA certs from a single PEM file - thanks @mtrmac! 

Signed-off-by: Ying Li <ying.li@docker.com>
This commit is contained in:
Ying Li 2015-10-23 15:56:47 -07:00
parent 61f9f84254
commit 09dc607bef
2 changed files with 129 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
utils/tls_config.go
View File

@ -5,9 +5,7 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"github.com/docker/notary/trustmanager"
"io/ioutil"
)
// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
@ -26,13 +24,30 @@ var serverCipherSuites = append(clientCipherSuites, []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
}...)
func poolFromFile(filename string) (*x509.CertPool, error) {
pemBytes, err := ioutil.ReadFile(filename)
if err != nil {
return nil, err
}
pool := x509.NewCertPool()
if ok := pool.AppendCertsFromPEM(pemBytes); !ok {
return nil, fmt.Errorf(
"Unable to parse certificates from %s", filename)
}
if len(pool.Subjects()) == 0 {
return nil, fmt.Errorf(
"No certificates parsed from %s", filename)
}
return pool, nil
}
// ServerTLSOpts generates a tls configuration for servers using the
// provided parameters.
type ServerTLSOpts struct {
ServerCertFile string
ServerKeyFile string
RequireClientAuth bool
ClientCADirectory string
ClientCAFile string
}
// ConfigureServerTLS specifies a set of ciphersuites, the server cert and key,
@ -58,24 +73,12 @@ func ConfigureServerTLS(opts *ServerTLSOpts) (*tls.Config, error) {
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
}
if opts.ClientCADirectory != "" {
// Check to see if the given directory exists
fi, err := os.Stat(opts.ClientCADirectory)
if opts.ClientCAFile != "" {
pool, err := poolFromFile(opts.ClientCAFile)
if err != nil {
return nil, err
}
if !fi.IsDir() {
return nil, fmt.Errorf("No such directory: %s", opts.ClientCADirectory)
}
certStore, err := trustmanager.NewX509FileStore(opts.ClientCADirectory)
if err != nil {
return nil, err
}
if certStore.Empty() {
return nil, fmt.Errorf("No certificates in %s", opts.ClientCADirectory)
}
tlsConfig.ClientCAs = certStore.GetCertificatePool()
tlsConfig.ClientCAs = pool
}
return tlsConfig, nil
@ -102,14 +105,11 @@ func ConfigureClientTLS(opts *ClientTLSOpts) (*tls.Config, error) {
}
if opts.RootCAFile != "" {
rootCert, err := trustmanager.LoadCertFromFile(opts.RootCAFile)
pool, err := poolFromFile(opts.RootCAFile)
if err != nil {
return nil, fmt.Errorf(
"Could not load root ca file. %s", err.Error())
return nil, err
}
rootPool := x509.NewCertPool()
rootPool.AddCert(rootCert)
tlsConfig.RootCAs = rootPool
tlsConfig.RootCAs = pool
}
if opts.ClientCertFile != "" || opts.ClientKeyFile != "" {

143
utils/tls_config_test.go
View File

@ -1,13 +1,18 @@
package utils
import (
"crypto"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/tls"
"io"
"crypto/x509"
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/docker/notary/trustmanager"
"github.com/stretchr/testify/assert"
)
@ -17,38 +22,57 @@ const (
RootCA = "../fixtures/root-ca.crt"
)
// copies the provided certificate into a temporary directory
func makeTempCertDir(t *testing.T) string {
tempDir, err := ioutil.TempDir("/tmp", "cert-test")
assert.NoError(t, err, "couldn't open temp directory")
// generates a multiple-certificate file with both RSA and ECDSA certs and
// some garbage, returns filename.
func generateMultiCert(t *testing.T) string {
tempFile, err := ioutil.TempFile("/tmp", "cert-test")
defer tempFile.Close()
assert.NoError(t, err)
in, err := os.Open(RootCA)
assert.NoError(t, err, "cannot open %s", RootCA)
defer in.Close()
copiedCert := filepath.Join(tempDir, filepath.Base(RootCA))
out, err := os.Create(copiedCert)
assert.NoError(t, err, "cannot open %s", copiedCert)
defer out.Close()
_, err = io.Copy(out, in)
assert.NoError(t, err, "cannot copy %s to %s", RootCA, copiedCert)
rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
assert.NoError(t, err)
ecKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
assert.NoError(t, err)
template, err := trustmanager.NewCertificate("gun")
assert.NoError(t, err)
return tempDir
for _, key := range []crypto.Signer{rsaKey, ecKey} {
derBytes, err := x509.CreateCertificate(
rand.Reader, template, template, key.Public(), key)
assert.NoError(t, err)
cert, err := x509.ParseCertificate(derBytes)
assert.NoError(t, err)
pemBytes := trustmanager.CertToPEM(cert)
nBytes, err := tempFile.Write(pemBytes)
assert.NoError(t, err)
assert.Equal(t, nBytes, len(pemBytes))
assert.NoError(t, err)
}
_, err = tempFile.WriteString(`\n
-----BEGIN CERTIFICATE-----
This is some garbage that isnt a cert
-----END CERTIFICATE-----
`)
return tempFile.Name()
}
// If the cert files and directory are provided but are invalid, an error is
// returned.
func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
tempDir := makeTempCertDir(t)
for i := 0; i < 3; i++ {
files := []string{ServerCert, ServerKey, tempDir}
files := []string{ServerCert, ServerKey, RootCA}
files[i] = "not-real-file"
result, err := ConfigureServerTLS(&ServerTLSOpts{
ServerCertFile: files[0],
ServerKeyFile: files[1],
RequireClientAuth: true,
ClientCADirectory: files[2],
ClientCAFile: files[2],
})
assert.Nil(t, result)
assert.Error(t, err)
@ -72,33 +96,34 @@ func TestConfigServerTLSServerCertsOnly(t *testing.T) {
assert.Nil(t, tlsConfig.ClientCAs)
}
// If a valid client cert directory is provided, but it contains no client
// If a valid client cert file is provided, but it contains no client
// certs, an error is returned.
func TestConfigServerTLSWithEmptyCACertDir(t *testing.T) {
tempDir, err := ioutil.TempDir("/tmp", "cert-test")
assert.NoError(t, err, "couldn't open temp directory")
func TestConfigServerTLSWithEmptyCACertFile(t *testing.T) {
tempFile, err := ioutil.TempFile("/tmp", "cert-test")
assert.NoError(t, err)
defer os.RemoveAll(tempFile.Name())
tempFile.Close()
tlsConfig, err := ConfigureServerTLS(&ServerTLSOpts{
ServerCertFile: ServerCert,
ServerKeyFile: ServerKey,
ClientCADirectory: tempDir,
ServerCertFile: ServerCert,
ServerKeyFile: ServerKey,
ClientCAFile: tempFile.Name(),
})
assert.Nil(t, tlsConfig)
assert.Error(t, err)
}
// If server cert and key are provided, and client cert directory is provided,
// a valid tls.Config is returned with the clientCAs set to the certs in that
// directory.
func TestConfigServerTLSWithCACerts(t *testing.T) {
tempDir := makeTempCertDir(t)
// If server cert and key are provided, and client cert file is provided with
// one cert, a valid tls.Config is returned with the clientCAs set to that
// cert.
func TestConfigServerTLSWithOneCACert(t *testing.T) {
keypair, err := tls.LoadX509KeyPair(ServerCert, ServerKey)
assert.NoError(t, err)
tlsConfig, err := ConfigureServerTLS(&ServerTLSOpts{
ServerCertFile: ServerCert,
ServerKeyFile: ServerKey,
ClientCADirectory: tempDir,
ServerCertFile: ServerCert,
ServerKeyFile: ServerKey,
ClientCAFile: RootCA,
})
assert.NoError(t, err)
assert.Equal(t, []tls.Certificate{keypair}, tlsConfig.Certificates)
@ -107,6 +132,30 @@ func TestConfigServerTLSWithCACerts(t *testing.T) {
assert.Len(t, tlsConfig.ClientCAs.Subjects(), 1)
}
// If server cert and key are provided, and client cert file is provided with
// multiple certs (and garbage), a valid tls.Config is returned with the
// clientCAs set to the valid cert and the garbage is ignored (but only
// because the garbage is at the end - actually CertPool.AppendCertsFromPEM
// aborts as soon as it finds an invalid cert)
func TestConfigServerTLSWithMultipleCACertsAndGarbage(t *testing.T) {
tempFilename := generateMultiCert(t)
defer os.RemoveAll(tempFilename)
keypair, err := tls.LoadX509KeyPair(ServerCert, ServerKey)
assert.NoError(t, err)
tlsConfig, err := ConfigureServerTLS(&ServerTLSOpts{
ServerCertFile: ServerCert,
ServerKeyFile: ServerKey,
ClientCAFile: tempFilename,
})
assert.NoError(t, err)
assert.Equal(t, []tls.Certificate{keypair}, tlsConfig.Certificates)
assert.True(t, tlsConfig.PreferServerCipherSuites)
assert.Equal(t, tls.NoClientCert, tlsConfig.ClientAuth)
assert.Len(t, tlsConfig.ClientCAs.Subjects(), 2)
}
// If server cert and key are provided, and client auth is disabled, then
// a valid tls.Config is returned with ClientAuth set to
// RequireAndVerifyClientCert
@ -151,8 +200,8 @@ func TestConfigClientServerName(t *testing.T) {
}
}
// The RootCA is set if it is provided and valid
func TestConfigClientTLSValidRootCA(t *testing.T) {
// The RootCA is set if the file provided has a single CA cert.
func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
tlsConfig, err := ConfigureClientTLS(&ClientTLSOpts{RootCAFile: RootCA})
assert.NoError(t, err)
assert.Nil(t, tlsConfig.Certificates)
@ -161,8 +210,24 @@ func TestConfigClientTLSValidRootCA(t *testing.T) {
assert.Len(t, tlsConfig.RootCAs.Subjects(), 1)
}
// An error is returned if a root CA is provided but not valid
func TestConfigClientTLSInvalidRootCA(t *testing.T) {
// If the root CA file provided has multiple CA certs and garbage, only the
// valid certs are read (but only because the garbage is at the end - actually
// CertPool.AppendCertsFromPEM aborts as soon as it finds an invalid cert)
func TestConfigClientTLSRootCAFileMultipleCertsAndGarbage(t *testing.T) {
tempFilename := generateMultiCert(t)
defer os.RemoveAll(tempFilename)
tlsConfig, err := ConfigureClientTLS(
&ClientTLSOpts{RootCAFile: tempFilename})
assert.NoError(t, err)
assert.Nil(t, tlsConfig.Certificates)
assert.Equal(t, false, tlsConfig.InsecureSkipVerify)
assert.Equal(t, "", tlsConfig.ServerName)
assert.Len(t, tlsConfig.RootCAs.Subjects(), 2)
}
// An error is returned if a root CA is provided but the file doesn't exist.
func TestConfigClientTLSNonexistentRootCAFile(t *testing.T) {
tlsConfig, err := ConfigureClientTLS(
&ClientTLSOpts{RootCAFile: "not-a-file"})
assert.Error(t, err)