From 44db28811b1661ff6bf80ffa71f7128eca715d34 Mon Sep 17 00:00:00 2001
From: Aaron Gable
Date: Thu, 29 Oct 2020 16:14:13 -0700
Subject: [PATCH] Generate ECDSA keys and certs in integration tests (#5150)

This adds an ECDSA hierarchy along-side the RSA hierarchy which our integration tests already rely on. This does not yet integrate the new hierarchy into the services (none of the generated keys or certs are referenced from test service config files yet), but it lays the groundwork for that to happen after our services all have multi-issuer support.

Part of #5113
---
 test/cert-ceremonies/generate.go | 96 ++++++++++++-------
 .../intermediate-ceremony-ecdsa.yaml | 29 ++++++
 .../intermediate-key-ceremony-ecdsa.yaml | 11 +++
 ...e-ocsp.yaml => intermediate-ocsp-rsa.yaml} | 2 +-
 test/cert-ceremonies/root-ceremony-ecdsa.yaml | 32 +++++++
 test/issuer-ocsp-responder.json | 2 +-
 6 files changed, 136 insertions(+), 36 deletions(-)
 create mode 100644 test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
 create mode 100644 test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
 rename test/cert-ceremonies/{intermediate-ocsp.yaml => intermediate-ocsp-rsa.yaml} (89%)
 create mode 100644 test/cert-ceremonies/root-ceremony-ecdsa.yaml

diff --git a/test/cert-ceremonies/generate.go b/test/cert-ceremonies/generate.go
index 7a12c4d9f..633c882f0 100644
--- a/test/cert-ceremonies/generate.go
+++ b/test/cert-ceremonies/generate.go
@@ -85,51 +85,79 @@ func main() {
 	} else if err != nil && !os.IsNotExist(err) {
 		log.Fatalf("statting %q: %s", outputFile, err)
 	}
-	// Create a SoftHSM slot for the root signing key
-	rootKeySlot, err := createSlot("root signing key (rsa)")
+	// Create SoftHSM slots for the root signing keys
+	rsaRootKeySlot, err := createSlot("root signing key (rsa)")
+	cmd.FailOnError(err, "failed creating softhsm2 slot for RSA root key")
+	ecdsaRootKeySlot, err := createSlot("root signing key (ecdsa)")
 	cmd.FailOnError(err, "failed creating softhsm2 slot for root key")
 
-	// Generate the root signing key and certificate
-	err = genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rootKeySlot)
-	cmd.FailOnError(err, "failed to generate root key + root cert")
+	// Generate the root signing keys and certificates
+	err = genKey("test/cert-ceremonies/root-ceremony-rsa.yaml", rsaRootKeySlot)
+	cmd.FailOnError(err, "failed to generate RSA root key + root cert")
+	err = genKey("test/cert-ceremonies/root-ceremony-ecdsa.yaml", ecdsaRootKeySlot)
+	cmd.FailOnError(err, "failed to generate ECDSA root key + root cert")
 
-	// Create a SoftHSM slot for the intermediate signing key
-	intermediateKeySlot, err := createSlot("intermediate signing key (rsa)")
-	cmd.FailOnError(err, "failed to create softhsm2 slot for intermediate key")
+	// Create SoftHSM slots for the intermediate signing keys
+	rsaIntermediateKeySlot, err := createSlot("intermediate signing key (rsa)")
+	cmd.FailOnError(err, "failed to create softhsm2 slot for RSA intermediate key")
+	ecdsaIntermediateKeySlot, err := createSlot("intermediate signing key (ecdsa)")
+	cmd.FailOnError(err, "failed to create softhsm2 slot for ECDSA intermediate key")
 
-	// Generate the intermediate signing key
-	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", intermediateKeySlot)
-	cmd.FailOnError(err, "failed to generate intermediate key")
+	// Generate the intermediate signing keys
+	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-rsa.yaml", rsaIntermediateKeySlot)
+	cmd.FailOnError(err, "failed to generate RSA intermediate key")
+	err = genKey("test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml", ecdsaIntermediateKeySlot)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate key")
 
-	// Create the A intermediate ceremony config file with the root
-	// signing key slot and ID
-	tmpRSAIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
-		"SlotID": rootKeySlot,
+	// Create the A intermediate ceremony config files with the root
+	// signing key slots and IDs
+	rsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
+		"SlotID": rsaRootKeySlot,
 		"CertPath": "/tmp/intermediate-cert-rsa-a.pem",
 		"CommonName": "CA intermediate (RSA) A",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate cert config with key ID")
-	// Create the A intermediate certificate
-	err = genCert(tmpRSAIntermediateA)
-	cmd.FailOnError(err, "failed to generate intermediate cert")
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
+	ecdsaTmpIntermediateA, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
+		"SlotID": ecdsaRootKeySlot,
+		"CertPath": "/tmp/intermediate-cert-ecdsa-a.pem",
+		"CommonName": "CA intermediate (ECDSA) A",
+	})
+	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
 
-	// Create the B intermediate ceremony config file with the root
-	// signing key slot and ID
-	tmpRSAIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
-		"SlotID": rootKeySlot,
+	// Create the A intermediate certificates
+	err = genCert(rsaTmpIntermediateA)
+	cmd.FailOnError(err, "failed to generate RSA intermediate cert")
+	err = genCert(ecdsaTmpIntermediateA)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate cert")
+
+	// Create the B intermediate ceremony config files with the root
+	// signing key slots and IDs
+	rsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-rsa.yaml", map[string]string{
+		"SlotID": rsaRootKeySlot,
 		"CertPath": "/tmp/intermediate-cert-rsa-b.pem",
 		"CommonName": "CA intermediate (RSA) B",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate cert config with key ID")
-	// Create the B intermediate certificate
-	err = genCert(tmpRSAIntermediateB)
-	cmd.FailOnError(err, "failed to generate intermediate cert")
-
-	// Create an OCSP response for the A intermediate
-	tmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp.yaml", map[string]string{
-		"SlotID": rootKeySlot,
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate cert config with key ID")
+	ecdsaTmpIntermediateB, err := rewriteConfig("test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml", map[string]string{
+		"SlotID": ecdsaRootKeySlot,
+		"CertPath": "/tmp/intermediate-cert-ecdsa-b.pem",
+		"CommonName": "CA intermediate (ECDSA) B",
 	})
-	cmd.FailOnError(err, "failed to rewrite intermediate OCSP config with key ID")
-	err = genCert(tmpOCSPConfig)
-	cmd.FailOnError(err, "failed to generate intermediate OCSP response")
+	cmd.FailOnError(err, "failed to rewrite ECDSA intermediate cert config with key ID")
+
+	// Create the B intermediate certificates
+	err = genCert(rsaTmpIntermediateB)
+	cmd.FailOnError(err, "failed to generate RSA intermediate cert")
+	err = genCert(ecdsaTmpIntermediateB)
+	cmd.FailOnError(err, "failed to generate ECDSA intermediate cert")
+
+	// Rewrite OCSP configs and generate OCSP responses for the A intermediates
+	rsaTmpOCSPConfig, err := rewriteConfig("test/cert-ceremonies/intermediate-ocsp-rsa.yaml", map[string]string{
+		"SlotID": rsaRootKeySlot,
+	})
+	cmd.FailOnError(err, "failed to rewrite RSA intermediate OCSP config with key ID")
+	err = genCert(rsaTmpOCSPConfig)
+	cmd.FailOnError(err, "failed to generate RSA intermediate OCSP response")
+	// We do not generate OCSP for the ECDSA intermediates, as our new issuers
+	// only use CRLs, not OCSP.
 }
diff --git a/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
new file mode 100644
index 000000000..db2503cf1
--- /dev/null
+++ b/test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml
@@ -0,0 +1,29 @@
+ceremony-type: intermediate
+pkcs11:
+  module: /usr/local/lib/softhsm/libsofthsm2.so
+  pin: 1234
+  signing-key-slot: {{ .SlotID}}
+  signing-key-label: root signing key (ecdsa)
+inputs:
+  public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
+  issuer-certificate-path: /tmp/root-cert-ecdsa.pem
+outputs:
+  certificate-path: {{ .CertPath }}
+certificate-profile:
+  signature-algorithm: ECDSAWithSHA384
+  common-name: {{ .CommonName }}
+  organization: good guys
+  country: US
+  not-before: 2020-01-01 12:00:00
+  not-after: 2040-01-01 12:00:00
+  ocsp-url: http://example.com/ocsp
+  crl-url: http://example.com/crl
+  issuer-url: http://example.com/root
+  policies:
+    - oid: 1.2.3
+    - oid: 1.5.6
+      cps-uri: "http://example.com/cps"
+  key-usages:
+    - Digital Signature
+    - Cert Sign
+    - CRL Sign
diff --git a/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml b/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
new file mode 100644
index 000000000..0311465f9
--- /dev/null
+++ b/test/cert-ceremonies/intermediate-key-ceremony-ecdsa.yaml
@@ -0,0 +1,11 @@
+ceremony-type: key
+pkcs11:
+  module: /usr/local/lib/softhsm/libsofthsm2.so
+  pin: 1234
+  store-key-in-slot: {{ .SlotID }}
+  store-key-with-label: intermediate signing key (ecdsa)
+key:
+  type: ecdsa
+  ecdsa-curve: P-384
+outputs:
+  public-key-path: /tmp/intermediate-signing-pub-ecdsa.pem
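Review bot: The unchanged line `cmd.FailOnError(err, "failed creating softhsm2 slot for root key")` now sits directly under the new `ecdsaRootKeySlot, err := createSlot("root signing key (ecdsa)")`, so an ECDSA slot failure is reported without naming the hierarchy while the RSA line just above it says "RSA root key"; change it to `cmd.FailOnError(err, "failed creating softhsm2 slot for ECDSA root key")` so the two pairs read the same. The closing comment states that no OCSP response is produced for the ECDSA intermediates, yet the new intermediate-ceremony-ecdsa.yaml still puts `ocsp-url: http://example.com/ocsp` in the certificate profile, so those intermediates will carry an AIA OCSP pointer that nothing in this test setup serves; either drop `ocsp-url` from that profile or extend the comment to say the URL is a placeholder that is intentionally unserved. main's body begins before this hunk.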
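Review bot: In intermediate-ceremony-ecdsa.yaml the slot placeholder is written `signing-key-slot: {{ .SlotID}}`, without the space before `}}` that every other placeholder in this commit uses (`{{ .CertPath }}`, `{{ .CommonName }}`, and `{{ .SlotID }}` in intermediate-key-ceremony-ecdsa.yaml and root-ceremony-ecdsa.yaml). text/template tolerates it, but the inconsistency makes a grep for the canonical form miss this file; change the line to `  signing-key-slot: {{ .SlotID }}`.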
diff --git a/test/cert-ceremonies/intermediate-ocsp.yaml b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
similarity index 89%
rename from test/cert-ceremonies/intermediate-ocsp.yaml
rename to test/cert-ceremonies/intermediate-ocsp-rsa.yaml
index bdd52cc49..e420e639a 100644
--- a/test/cert-ceremonies/intermediate-ocsp.yaml
+++ b/test/cert-ceremonies/intermediate-ocsp-rsa.yaml
@@ -8,7 +8,7 @@ inputs:
   certificate-path: /tmp/intermediate-cert-rsa-a.pem
   issuer-certificate-path: /tmp/root-cert-rsa.pem
 outputs:
-  response-path: /tmp/intermediate-ocsp.b64
+  response-path: /tmp/intermediate-ocsp-rsa.b64
 ocsp-profile:
   this-update: 2020-01-01 12:00:00
   next-update: 2039-01-01 12:00:00
diff --git a/test/cert-ceremonies/root-ceremony-ecdsa.yaml b/test/cert-ceremonies/root-ceremony-ecdsa.yaml
new file mode 100644
index 000000000..01e2052a9
--- /dev/null
+++ b/test/cert-ceremonies/root-ceremony-ecdsa.yaml
@@ -0,0 +1,32 @@
+ceremony-type: root
+pkcs11:
+  module: /usr/local/lib/softhsm/libsofthsm2.so
+  pin: 1234
+  store-key-in-slot: {{ .SlotID }}
+  store-key-with-label: root signing key (ecdsa)
+key:
+  type: ecdsa
+  ecdsa-curve: P-384
+outputs:
+  public-key-path: /tmp/root-signing-pub-ecdsa.pem
+  certificate-path: /tmp/root-cert-ecdsa.pem
+certificate-profile:
+  signature-algorithm: ECDSAWithSHA384
+  common-name: CA root (ECDSA)
+  organization: good guys
+  country: US
+  not-before: 2020-01-01 12:00:00
+  not-after: 2040-01-01 12:00:00
+  key-usages:
+    - Cert Sign
+    - CRL Sign
+skip-lints:
+  - e_ext_authority_key_identifier_missing
+  - e_ext_authority_key_identifier_no_key_identifier
+  - e_sub_ca_aia_missing
+  - e_sub_ca_certificate_policies_missing
+  - e_sub_ca_crl_distribution_points_missing
+  - n_ca_digital_signature_not_set
+  - n_mp_allowed_eku
+  - n_sub_ca_eku_missing
+  - w_sub_ca_aia_does_not_contain_issuing_ca_url
diff --git a/test/issuer-ocsp-responder.json b/test/issuer-ocsp-responder.json
index 7476a27eb..28c616e18 100644
--- a/test/issuer-ocsp-responder.json
+++ b/test/issuer-ocsp-responder.json
@@ -1,6 +1,6 @@
 {
   "ocspResponder": {
-    "source": "file:///tmp/intermediate-ocsp.b64",
+    "source": "file:///tmp/intermediate-ocsp-rsa.b64",
     "path": "/",
     "listenAddress": "0.0.0.0:4003",
     "shutdownStopTimeout": "10s",