v2 "mosn.io/mosn/pkg/config/v2"
mosntls "mosn.io/mosn/pkg/mtls"
"mosn.io/mosn/pkg/mtls/certtool"
"mosn.io/mosn/pkg/mtls/crypto/tls"
"mosn.io/mosn/pkg/protocol"
"mosn.io/mosn/pkg/protocol/xprotocol/bolt"
"mosn.io/mosn/pkg/protocol/xprotocol/dubbo"
"mosn.io/mosn/pkg/types"
testutil "mosn.io/mosn/test/util"
"mosn.io/mosn/test/util/mosn"
type tlsConfigHooks struct {
defaultHook mosntls.ConfigHooks
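// noPeerCertificateError is returned by verifyPeerCertificate when the peer
// presented an empty certificate chain. It is a dedicated type so callers can
// distinguish "nothing to verify" from a chain that failed verification.
type noPeerCertificateError struct{}

func (noPeerCertificateError) Error() string {
	return "tls: peer did not present a certificate"
}

// verifyPeerCertificate verifies a parsed peer chain against roots at time t.
//
// certs[0] is treated as the leaf; every following certificate is offered as an
// intermediate. Verification covers chain building, signatures and the validity
// period (evaluated at t, not at wall-clock time) only. No DNSName is available
// to this hook, so no hostname binding is performed: a caller that installs
// this hook in place of the standard-library verification must enforce the
// expected server name itself if it needs that property.
//
// An empty chain is rejected explicitly instead of panicking on certs[1:] and
// certs[0]; this code runs inside the TLS handshake, where a panic would take
// down the process rather than just fail the connection.
func (hook *tlsConfigHooks) verifyPeerCertificate(roots *x509.CertPool, certs []*x509.Certificate, t time.Time) error {
	if len(certs) == 0 {
		return noPeerCertificateError{}
	}

	intermediates := x509.NewCertPool()
	for _, cert := range certs[1:] {
		intermediates.AddCert(cert)
	}

	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   t,
	}
	// Only the error matters to the handshake; the built chains are discarded.
	_, err := certs[0].Verify(opts)
	return err
}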
func (hook *tlsConfigHooks) GetClientAuth(cfg *v2.TLSConfig) tls.ClientAuthType {
return hook.defaultHook.GetClientAuth(cfg)
func (hook *tlsConfigHooks) GenerateHashValue(cfg *tls.Config) *types.HashValue {
return hook.defaultHook.GenerateHashValue(cfg)
func (hook *tlsConfigHooks) GetCertificate(certIndex, keyIndex string) (tls.Certificate, error) {
func (hook *tlsConfigHooks) GetX509Pool(caIndex string) (*x509.CertPool, error) {
func (hook *tlsConfigHooks) ServerHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
certs := make([]*x509.Certificate, 0, len(rawCerts))
for _, asn1Data := range rawCerts {
cert, err := x509.ParseCertificate(asn1Data)
certs = append(certs, cert)
if cfg.ClientAuth >= tls.VerifyClientCertIfGiven && len(certs) > 0 {
return hook.verifyPeerCertificate(cfg.ClientCAs, certs, t)
func (hook *tlsConfigHooks) ClientHandshakeVerify(cfg *tls.Config) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
certs := make([]*x509.Certificate, 0, len(rawCerts))
for _, asn1Data := range rawCerts {
cert, err := x509.ParseCertificate(asn1Data)
certs = append(certs, cert)
return hook.verifyPeerCertificate(cfg.RootCAs, certs, t)
type tlsConfigHooksFactory struct {
func (f *tlsConfigHooksFactory) CreateConfigHooks(config map[string]interface{}) mosntls.ConfigHooks {
return &tlsConfigHooks{
mosntls.DefaultConfigHooks(),
func createCert() (tls.Certificate, error) {
var cert tls.Certificate
priv, err := certtool.GeneratePrivateKey("P256")
tmpl, err := certtool.CreateTemplate("test", false, nil)
tmpl.IPAddresses = nil
c, err := certtool.SignCertificate(tmpl, priv)
return tls.X509KeyPair([]byte(c.CertPem), []byte(c.KeyPem))
type tlsExtendCase struct {
func (c *tlsExtendCase) Start(conf *testutil.ExtendVerifyConfig) {
c.AppServer.GoServe()
appAddr := c.AppServer.Addr()
clientMeshAddr := testutil.CurrentMeshAddr()
c.ClientMeshAddr = clientMeshAddr
serverMeshAddr := testutil.CurrentMeshAddr()
cfg := testutil.CreateTLSExtensionConfig(clientMeshAddr, serverMeshAddr, c.AppProtocol, c.MeshProtocol, []string{appAddr}, conf)
mesh := mosn.NewMosn(cfg)
time.Sleep(5 * time.Second)
func TestTLSExtend(t *testing.T) {
root := certtool.GetRootCA()
pool := x509.NewCertPool()
pool.AppendCertsFromPEM([]byte(root.CertPem))
cert, err := createCert()
t.Error("create certificate failed")
factory := &tlsConfigHooksFactory{pool, cert}
extendConfig := &testutil.ExtendVerifyConfig{
if err := mosntls.Register(extendConfig.ExtendType, factory); err != nil {
t.Errorf("register factory failed %v", err)
appaddr := "127.0.0.1:8080"
testCases := []*tlsExtendCase{
&tlsExtendCase{NewTestCase(t, protocol.HTTP1, protocol.HTTP1, testutil.NewHTTPServer(t, nil))},
&tlsExtendCase{NewTestCase(t, protocol.HTTP2, protocol.HTTP2, testutil.NewUpstreamHTTP2(t, appaddr, nil))},
&tlsExtendCase{NewTestCase(t, protocol.HTTP2, protocol.Auto, testutil.NewUpstreamHTTP2(t, appaddr, nil))},
for i, tc := range testCases {
t.Logf("start case #%d\n", i)
tc.Start(extendConfig)
t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v tls extension test failed, error: %v\n", i, tc.AppProtocol, tc.MeshProtocol, err)
case <-time.After(15 * time.Second):
t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v hang\n", i, tc.AppProtocol, tc.MeshProtocol)
type tlsXExtendCase struct {
func (c *tlsXExtendCase) Start(conf *testutil.ExtendVerifyConfig) {
c.AppServer.GoServe()
appAddr := c.AppServer.Addr()
clientMeshAddr := testutil.CurrentMeshAddr()
c.ClientMeshAddr = clientMeshAddr
serverMeshAddr := testutil.CurrentMeshAddr()
cfg := testutil.CreateXprotocolTLSExtensionConfig(clientMeshAddr, serverMeshAddr, c.SubProtocol, []string{appAddr}, conf)
mesh := mosn.NewMosn(cfg)
time.Sleep(5 * time.Second)
func TestXTLSExtend(t *testing.T) {
root := certtool.GetRootCA()
pool := x509.NewCertPool()
pool.AppendCertsFromPEM([]byte(root.CertPem))
cert, err := createCert()
t.Error("create certificate failed")
factory := &tlsConfigHooksFactory{pool, cert}
extendConfig := &testutil.ExtendVerifyConfig{
mosntls.Register(extendConfig.ExtendType, factory)
appaddr := "127.0.0.1:8080"
testCases := []*tlsXExtendCase{
&tlsXExtendCase{NewXTestCase(t, bolt.ProtocolName, testutil.NewRPCServer(t, appaddr, bolt.ProtocolName))},
&tlsXExtendCase{NewXTestCase(t, dubbo.ProtocolName, testutil.NewRPCServer(t, appaddr, dubbo.ProtocolName))},
for i, tc := range testCases {
t.Logf("start case #%d\n", i)
tc.Start(extendConfig)
t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v tls extension test failed, error: %v\n", i, tc.AppProtocol, tc.MeshProtocol, err)
case <-time.After(15 * time.Second):
t.Errorf("[ERROR MESSAGE] #%d %v to mesh %v hang\n", i, tc.AppProtocol, tc.MeshProtocol)