From 476468e260501cb87224761f979b59de1db25f72 Mon Sep 17 00:00:00 2001 From: htuch Date: Tue, 20 Nov 2018 13:32:35 -0500 Subject: [PATCH] test: automate verification hash generation for integration test certs. (#5090) While working on #1319, it became clear that just running certs.sh to regenerate certs does not actually work anymore, since we now have hardcoded hashes for verify_certificate_hash in various places. This PR fixes this for test/config/integration/certs. The problem still exists for test/common/ssl/test_data. I will do a separate PR for that based on the outcome of the review for this PR. I also removed the optional private key regeneration in this PR. I think we should always regenerate everything to prevent the bit rot regression this PR fixes; long term this should be done by Bazel automagically, but that would force an openssl dependency in the environment or the adoption of a tool such as https://github.com/square/certstrap. Risk Level: Low Testing: bazel test //test/integration/... 
Signed-off-by: Harvey Tuch --- test/config/BUILD | 1 + test/config/integration/certs/BUILD | 5 +++ test/config/integration/certs/cacert.pem | 22 +++++----- test/config/integration/certs/cakey.pem | 26 ++++++------ test/config/integration/certs/certs.sh | 40 ++++++++++--------- test/config/integration/certs/clientcert.pem | 22 +++++----- .../integration/certs/clientcert_hash.h | 4 ++ test/config/integration/certs/clientkey.pem | 26 ++++++------ test/config/integration/certs/servercert.pem | 20 +++++----- .../integration/certs/servercert_hash.h | 4 ++ test/config/integration/certs/serverkey.pem | 26 ++++++------ .../integration/certs/upstreamcacert.pem | 24 +++++------ .../integration/certs/upstreamcakey.pem | 26 ++++++------ .../config/integration/certs/upstreamcert.pem | 26 ++++++------ .../integration/certs/upstreamcert_hash.h | 4 ++ test/config/integration/certs/upstreamkey.pem | 26 ++++++------ test/config/utility.cc | 5 +-- .../sds_dynamic_integration_test.cc | 13 ++---- .../sds_static_integration_test.cc | 5 +-- test/integration/xfcc_integration_test.h | 6 ++- 20 files changed, 174 insertions(+), 157 deletions(-) create mode 100644 test/config/integration/certs/clientcert_hash.h create mode 100644 test/config/integration/certs/servercert_hash.h create mode 100644 test/config/integration/certs/upstreamcert_hash.h diff --git a/test/config/BUILD b/test/config/BUILD index a0de1b23105d..a00a5f12e6df 100644 --- a/test/config/BUILD +++ b/test/config/BUILD @@ -24,6 +24,7 @@ envoy_cc_test_library( "//source/common/network:address_lib", "//source/common/protobuf", "//source/common/protobuf:utility_lib", + "//test/config/integration/certs:hashes", "//test/integration:server_stats_interface", "//test/test_common:environment_lib", "//test/test_common:network_utility_lib", diff --git a/test/config/integration/certs/BUILD b/test/config/integration/certs/BUILD index 3e7bb3b4b4f2..db8894ffa95a 100644 --- a/test/config/integration/certs/BUILD 
+++ b/test/config/integration/certs/BUILD @@ -11,3 +11,8 @@ filegroup( name = "certs", srcs = glob(["*.pem"]), ) + +cc_library( + name = "hashes", + hdrs = glob(["*hash.h"]), +) diff --git a/test/config/integration/certs/cacert.pem b/test/config/integration/certs/cacert.pem index 667109ccc903..f0cb96ca6c95 100644 --- a/test/config/integration/certs/cacert.pem +++ b/test/config/integration/certs/cacert.pem 
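Review bot: The new `hashes` target is a plain `cc_library` with no `testonly` attribute, so nothing visible in this hunk prevents a non-test target from depending on headers that pin test-certificate fingerprints. Adding `testonly = 1,` to the rule would keep these fixtures out of production dependency graphs; the `envoy_cc_test_library` macro seen in `test/config/BUILD` is an alternative if it is loaded in this package. The package's default visibility is set outside this hunk, so the actual exposure should be confirmed there.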
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIICzTCCAjagAwIBAgIJAPMCF0JylKygMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +MIICzTCCAjagAwIBAgIJAJ6rk+HiTbNmMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw -DgYDVQQDDAdUZXN0IENBMB4XDTE4MDQwNjIwNTgwNVoXDTIwMDQwNTIwNTgwNVow +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTEyMDA0NDc1N1oXDTIwMTExOTA0NDc1N1ow djELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh biBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5ZnQgRW5naW5l ZXJpbmcxEDAOBgNVBAMMB1Rlc3QgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ -AoGBAPwXRDfVzB6UqnK6O+6L6xk3ViX6X1oeE5htjxFyNL4z05ScpdQKYvYi11A+ -3DraY64iecAj4TtwDnZHipXDdSDjGrW4++dIl2xeQtMCV+Q/uTZhv9AfEZ1up9Oh -fvB13pUE2mF/DXsGXO13z3jWNmDbh+D+AmXivegZLAuiLQZJAgMBAAGjYzBhMA8G -A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBScz297CqrO -MfeWj0zNm5QO71gftDAfBgNVHSMEGDAWgBScz297CqrOMfeWj0zNm5QO71gftDAN -BgkqhkiG9w0BAQsFAAOBgQDFfCFFj2qdEqO9GwP6MiQ0+49DkOHHkttE/U3RB+Tb -wStSS2sUyNx1zwVj5znrxKAIhW+h3uLVk0z3MmPnN8LpCwXBWO5SFSCgR9Gh4Jap -2YlHnJyvECjmWFvpTdBRc/tOVuOb80QaYV2VdQO2IC8qXuey7lCxcl1tE8ptDmbm -0Q== +AoGBAJ6EFc5+AI2OgXNhHxaI7vhxmNaJ/wRipEYACJasdCGtJrH+yKOztwJsussk +ZtZxTDQGVkp17fY7oGkKFNXGLWl/ZzCmiKbVrBTWTm+OgpGKEka4KSmyCdFzNtpa +8a089BX2C31+xe4GSQfAF9gutbin8S5XS5QC7KcOla4qoSSFAgMBAAGjYzBhMA8G +A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSMzBlKJavq +qJaCaPdQnZa2YUUQ7DAfBgNVHSMEGDAWgBSMzBlKJavqqJaCaPdQnZa2YUUQ7DAN +BgkqhkiG9w0BAQsFAAOBgQCa96KsF0/LCtNceRuTPON4Nqg53OJI2VkCDmKmIQgx +nm+8TVg1RszCM1+QVIwih3xzwVYFEKUqpf1t4RxsPK+m7kv7RJnNkcFbGT8i5o4i +U1taxOmFJm1LOMY86GA0hOMWQKiqQdyxtT846M2a/fs5NNMWuJ3aXmzCsiXAhKAj +EQ== -----END CERTIFICATE----- diff --git a/test/config/integration/certs/cakey.pem b/test/config/integration/certs/cakey.pem index f5f0983d29be..61f8b19f9da5 100644 --- a/test/config/integration/certs/cakey.pem +++ b/test/config/integration/certs/cakey.pem 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQD8F0Q31cwelKpyujvui+sZN1Yl+l9aHhOYbY8RcjS+M9OUnKXU -CmL2ItdQPtw62mOuInnAI+E7cA52R4qVw3Ug4xq1uPvnSJdsXkLTAlfkP7k2Yb/Q -HxGdbqfToX7wdd6VBNphfw17Blztd8941jZg24fg/gJl4r3oGSwLoi0GSQIDAQAB -AoGBANyPjsQ7bwgikq8memFQUjYR0HISCXNTdVmcIdzly3fO6IPSOtS28bbg7Pns -xctIYIZu649M1Ten5z9dgMdf6A1NnNxcNR1sX7J1lU4sjFh4BbF/nxnoy/LwpMAp -SXgbjrRfw1fCNGryzsaTFWL0cgiNP1Uac8Q3GLi5yU/VP2PBAkEA/t6WzuW537qI -/FHj40PdsZZTQ//GaU1kfkKn+e6GWtz5WHREh1Q+x2X73m7C3P8CFrQ0tP+71lUr -uVrLg6IBHQJBAP01ha9Fuhv1qbrggWQkqkLsyY4TpOHMBxf4hDkaSvlG70aAC7ET -M2RDWobXSAwESm5tsOugAKqvEB5yU24/nh0CQQDUitGe9orcXZWxPaVauBTf7OnB -UkKnPCgq9vFYByc6DP9PWZ5wcLvt00mIxDtyyqJ2Ro+RxZZidiKBb4s6WdatAkBr -UMPYBTVbpELLcVtlliSTOMgz7x9yk4ZuImXnzbz46Zd/ycUqx3iAhgtYGuXuMeNZ -6iORub6OmKO8Q7gYgd4BAkEA6NAMMJHLfMpMT7E4lKVAgmNolM/ob8MwLkxPzuuz -l6iZP1JRaqI4XAkvoOcn+3ymZ3PZh2ZNBkblhKN3vDTepQ== +MIICXAIBAAKBgQCehBXOfgCNjoFzYR8WiO74cZjWif8EYqRGAAiWrHQhrSax/sij +s7cCbLrLJGbWcUw0BlZKde32O6BpChTVxi1pf2cwpoim1awU1k5vjoKRihJGuCkp +sgnRczbaWvGtPPQV9gt9fsXuBkkHwBfYLrW4p/EuV0uUAuynDpWuKqEkhQIDAQAB +AoGAEDU3OZbenZq9l7uNfzNfI94Rn5Yakis32sR0HFvjv/HBbB++Cib9Bm1xqAW/ +0hthjEw9lH18aFnua+8Q9E7AI8kdr53NzRxiMFgiyRV/XOjxb55R1rSu5U6XEUdW +ytk5eAK5jRpKQ5S/H1wvz7hhaBfo+pL5YOuBivyNXpr4lh0CQQDRqz9jcmwfdlZH +K4e/LtrIV4JXOCvO+9FlhtQV6P+VV9npmm/Z/c1v5ybUF+Ij5b1ZcFHihARuUj3f +RIyvTCO7AkEAwYsqxwZg1OAt8olIJc1WZX5ib1OX5wsFTpSjRP40F2GB1qsNa6dk +XA6q95GiN4so1TSM/sWAfp5dfbJGkGm0vwJBAM509v0gzbEJYJnCFnA+XfbKnLDv +wcuWETIM2sgcX5eaIxyxExSvo1xeW9CbF/XLInFwdWE8J/TODNjN8k4nBkMCQFYw +ZGdnNr3162BDtGZpL91Yz/slrdLM/JsG5EJ4NbhnystPN1XGoJHCUm6XYzb6+L8h +fNyEFXnNinLMblInUL8CQFW383NhElJn3HQL9gwRJQWj1qaGXZ0Othh7nfPWqzhx +Zvzkq5rH8uiQT5qBtma1QlXQnQIJoeGd8W5joZ4AwlE= -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/certs.sh b/test/config/integration/certs/certs.sh index 5648336f0517..ebff296a2a06 100755 --- a/test/config/integration/certs/certs.sh +++ b/test/config/integration/certs/certs.sh 
@@ -2,32 +2,34 @@ set -e -# Uncomment the following lines if you want to regenerate the private keys. -# openssl genrsa -out cakey.pem 1024 -# openssl genrsa -out serverkey.pem 1024 -# openssl genrsa -out clientkey.pem 1024 -# openssl genrsa -out upstreamcakey.pem 1024 -# openssl genrsa -out upstreamkey.pem 1024 +# $1= +generate_ca() { + openssl genrsa -out $1key.pem 1024 + openssl req -new -key $1key.pem -out $1cert.csr -config $1cert.cfg -batch -sha256 + openssl x509 -req -days 730 -in $1cert.csr -signkey $1key.pem -out $1cert.pem \ + -extensions v3_ca -extfile $1cert.cfg +} + +# $1= $2= +generate_cert_key_pair() { + openssl genrsa -out $1key.pem 1024 + openssl req -new -key $1key.pem -out $1cert.csr -config $1cert.cfg -batch -sha256 + openssl x509 -req -days 730 -in $1cert.csr -sha256 -CA $2cert.pem -CAkey \ + $2key.pem -CAcreateserial -out $1cert.pem -extensions v3_ca -extfile $1cert.cfg + echo -e "// NOLINT(namespace-envoy)\n#define TEST_$(echo $1 | tr a-z A-Z)_CERT_HASH \"$(openssl x509 -in $1cert.pem -noout -fingerprint -sha256 | cut -d"=" -f2)\"" > $1cert_hash.h +} # Generate cert for the CA. -openssl req -new -key cakey.pem -out cacert.csr -config cacert.cfg -batch -sha256 -openssl x509 -req -days 730 -in cacert.csr -signkey cakey.pem -out cacert.pem -extensions v3_ca -extfile cacert.cfg - +generate_ca ca # Generate cert for the server. -openssl req -new -key serverkey.pem -out servercert.csr -config servercert.cfg -batch -sha256 -openssl x509 -req -days 730 -in servercert.csr -sha256 -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out servercert.pem -extensions v3_ca -extfile servercert.cfg - +generate_cert_key_pair client ca # Generate cert for the client. 
-openssl req -new -key clientkey.pem -out clientcert.csr -config clientcert.cfg -batch -sha256 -openssl x509 -req -days 730 -in clientcert.csr -sha256 -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out clientcert.pem -extensions v3_ca -extfile clientcert.cfg +generate_cert_key_pair server ca # Generate cert for the upstream CA. -openssl req -new -key upstreamcakey.pem -out upstreamcacert.csr -config upstreamcacert.cfg -batch -sha256 -openssl x509 -req -days 730 -in upstreamcacert.csr -signkey upstreamcakey.pem -out upstreamcacert.pem -extensions v3_ca -extfile upstreamcacert.cfg - +generate_ca upstreamca # Generate cert for the upstream node. -openssl req -new -key upstreamkey.pem -out upstreamcert.csr -config upstreamcert.cfg -batch -sha256 -openssl x509 -req -days 730 -in upstreamcert.csr -sha256 -CA upstreamcacert.pem -CAkey upstreamcakey.pem -CAcreateserial -out upstreamcert.pem -extensions v3_ca -extfile upstreamcert.cfg +generate_cert_key_pair upstream upstreamca rm *.csr rm *.srl diff --git a/test/config/integration/certs/clientcert.pem b/test/config/integration/certs/clientcert.pem index 0cdeb83f0cc5..c0ea8d6d2331 100644 --- a/test/config/integration/certs/clientcert.pem +++ b/test/config/integration/certs/clientcert.pem 
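Review bot: The RSA key size is fixed at 1024 bits in both `generate_ca` and `generate_cert_key_pair`, and because key generation is no longer optional, every rerun produces keys below the 2048-bit minimum that stricter TLS library defaults and policies expect. `openssl genrsa -out "$1key.pem" 2048` (with the expansion quoted) would keep the fixtures loadable under such defaults. The two leaf comments are also swapped in the new code: `# Generate cert for the server.` now precedes `generate_cert_key_pair client ca`, and `# Generate cert for the client.` precedes `generate_cert_key_pair server ca`. The `echo -e` line writes the `#define` on a single line with no include guard, while the committed `*_hash.h` files are wrapped across lines, so a rerun will presumably need a formatting pass before its output matches what is checked in. The script's first line is outside the hunk, so whether the interpreter supports `echo -e` cannot be confirmed from here.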
@@ -1,21 +1,21 @@ -----BEGIN CERTIFICATE----- -MIIDXzCCAsigAwIBAgIJAPF6WtmgmqzjMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +MIIDXzCCAsigAwIBAgIJAMlBGofCH4diMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw -DgYDVQQDDAdUZXN0IENBMB4XDTE4MDQwNjIwNTgwNVoXDTIwMDQwNTIwNTgwNVow +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTEyMDA0NDc1N1oXDTIwMTExOTA0NDc1N1ow gagxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu ZWVyaW5nMRswGQYDVQQDDBJUZXN0IEZyb250ZW5kIFRlYW0xJTAjBgkqhkiG9w0B CQEWFmZyb250ZW5kLXRlYW1AbHlmdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A -MIGJAoGBANyIm74sonncgf8epZA6jr08wecs+8PK7gtDvoGRhKs8+xyvNjOyVeDR -LPd01B/g4k7xbu+9Iln8Ie8hzNuyN/TrU0aGepzQg92HCVM0rx4BZh3j7sdwIL17 -Z+YkLsAYfHOKkpTX+Bokz1tBulx+DiZMHIdHS3DCvq9KCf7IaLU3AgMBAAGjgcEw +MIGJAoGBALJ5QYTfxsnpzPQ8qMZ+523A32dzpTVSc7idoVizYjWZCUr42hiOSjzf +Lk1rXHv5NIbF1Bc5wL1MWT7wOSS5w3qxfBq54bhlDpD07EHMcLSAhDykiAiTun3B +TW//TU69vSG70cbEZMCRwhnGlzpa9qH9UQTTbDRq0X7LobBn+0rHAgMBAAGjgcEw gb4wDAYDVR0TAQH/BAIwADALBgNVHQ8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUH AwIGCCsGAQUFBwMBMEIGA1UdEQQ7MDmGH3NwaWZmZTovL2x5ZnQuY29tL2Zyb250 -ZW5kLXRlYW2CCGx5ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFOqJmvL1 -fux33h5NFuVhokL4Nrj6MB8GA1UdIwQYMBaAFJzPb3sKqs4x95aPTM2blA7vWB+0 -MA0GCSqGSIb3DQEBCwUAA4GBADmyB4N3S7QgMjRlwcD65DVRc31pkciShZy1wgZJ -dwoOmhjjEHzBGZn7ysIxejnM3/foWGX5wpQCY4SGJ/l1qkRijGeifqIQx4Hpuz/J -SPkgAd+u6OX99zpE2+o4gavk5puCCvRjuClxeLdNxBKyoiadM+a8slx6/0wkcUkb -jQog +ZW5kLXRlYW2CCGx5ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFO5+Oco9 +Yi+NE7lmW7RCo3S2mK9CMB8GA1UdIwQYMBaAFIzMGUolq+qoloJo91CdlrZhRRDs +MA0GCSqGSIb3DQEBCwUAA4GBACHQTOB7Wn3fvF0npu3htxa68F0U12EW1WYmc/Mf +4h2dhv+MXVef0kjo6Yy2uX6X3iRkDgfVzvQTajHBkQV5pixeExfWfzklBP7Q7cgg +Zs6AyOMjoua7ulnppYaVO5LQfkoVr0TF3vGdDxaiLIq6hO9dPwPgtyuGnIVUx1Q4 +wjle -----END CERTIFICATE----- 
diff --git a/test/config/integration/certs/clientcert_hash.h b/test/config/integration/certs/clientcert_hash.h new file mode 100644 index 000000000000..ac16be53810f --- /dev/null +++ b/test/config/integration/certs/clientcert_hash.h @@ -0,0 +1,4 @@ +// NOLINT(namespace-envoy) +#define TEST_CLIENT_CERT_HASH \ + "72:68:C8:8B:7D:45:21:0F:F1:6D:FF:8C:CA:32:5B:53:23:B6:8A:97:6B:13:AA:29:57:11:D8:A1:1D:99:AF:" \ + "BE" diff --git a/test/config/integration/certs/clientkey.pem b/test/config/integration/certs/clientkey.pem index ae1aa5abe0c3..9e71cadae04b 100644 --- a/test/config/integration/certs/clientkey.pem +++ b/test/config/integration/certs/clientkey.pem 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDciJu+LKJ53IH/HqWQOo69PMHnLPvDyu4LQ76BkYSrPPscrzYz -slXg0Sz3dNQf4OJO8W7vvSJZ/CHvIczbsjf061NGhnqc0IPdhwlTNK8eAWYd4+7H -cCC9e2fmJC7AGHxzipKU1/gaJM9bQbpcfg4mTByHR0twwr6vSgn+yGi1NwIDAQAB -AoGBANcjtbva005Knc8CWMXROnrGEOuzaJDjIUJ//hNsoJ5kyRx8mUXpjfnaViG6 -KU5IFr6orW7XdfGPFJOyx6Tzwb0ukXTcp+eblzL470FML7CS5wBN8j0Ppd3XP1MO -WZLSruhCuzQjT39ovHyKzftGTQ9qW5/juQ+oc57cil2jEEgBAkEA+6R3LwGr904r -kUWNmMdfPULj1EAuE7wB+8nxxv6nbHQF3Gsjiwj8MlI1dUh4B/PwBs4YsuVDAnCo -iWvhQ8WqAQJBAOBaPKuEGm/4UU7MtUxlMxNjl6RYXLLlHWcrz8aMzaQ//nR9HpTH -EJaomGhbB03cC4ZksaS5YxJ24yOYRMC7LzcCQHvvGzfOdfhdyn1IqR0mjBRq3jRJ -y6eyf7OXWPltr91tIvnU1nOCYFsUO/ngUCVykbN4S5fH7AHGpGrR8+bh8gECQQCz -Jrudxq6JzQO4ZfU8HO+tQvD7lmfnntdc5HpVNWidCVD62lLKQS+47sZNRqtNfDJj -zhKg1D0NqIv2h4gXUyH/AkEA53KKxNuH+Qmoy6D4rxfD0IO1rAptBg8MopLrzoea -k4sbUloJ6Grom+8ea/20RBup7khBIcPi4ShnG0//Ly9Ygg== +MIICXQIBAAKBgQCyeUGE38bJ6cz0PKjGfudtwN9nc6U1UnO4naFYs2I1mQlK+NoY +jko83y5Na1x7+TSGxdQXOcC9TFk+8DkkucN6sXwaueG4ZQ6Q9OxBzHC0gIQ8pIgI +k7p9wU1v/01Ovb0hu9HGxGTAkcIZxpc6Wvah/VEE02w0atF+y6GwZ/tKxwIDAQAB +AoGAE+P/sVdfSFGOTgoUpUqvcEP2ogj5eJ/f1ct7l+8mGuMbbgeeBu6Ux4P4HRjC +De8QM5UIti3xlSdVKvaK59TsPCiGPcmqlH20CyxHr8znQImtj6iD01jOk75xxS1Z +/Hph19mOOQYJ0Eya4o5py+/zu1ylo/sW25XNA84YxoL6TUECQQDppOgE2iJbXMPZ +NKxIowzxklMBrWkj4LIGpEyQkwaEiCXqVHNorHpfnHvhhKwNKz5HfhocxSAO7XJd +VVCZq10lAkEAw4zz5u1LKaQH+s+OEFBob+NJCaL4KNf0NddGywG38ps/1cNVc7v6 +Q7M+y682wnM6wmgQiogAkWzTHxEMrXpCewJAbEkXl5gZsEpQIsz8xDV9fECa4/4g +6pXrLJTdP2xE6wvGttIpIuw9Uy7NY3n/26KdHLlfFNJvxztZc9RkpLP9WQJBAIKD +JJXPcgbMr3a55/sDb3CdpTWFS1MXLqpwj5MWBospCqXExNeFcjaU/yg6PLXy6hiu +E7whoR9uHknxuyBdJNkCQQCg5+w/BCssL01gyA3bbLMd5TSw5mGbOHD+XsaM1IxS +BT1Y+xw2ODKRX2L590oWn3Go8i3kQhB9IwAjJir4ius7 -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/servercert.pem b/test/config/integration/certs/servercert.pem index 339c6b6c2110..30761d7189a0 100644 --- a/test/config/integration/certs/servercert.pem 
+++ b/test/config/integration/certs/servercert.pem @@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDXDCCAsWgAwIBAgIJAPF6WtmgmqziMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV +MIIDXDCCAsWgAwIBAgIJAMlBGofCH4djMA0GCSqGSIb3DQEBCwUAMHYxCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRAw -DgYDVQQDDAdUZXN0IENBMB4XDTE4MDQwNjIwNTgwNVoXDTIwMDQwNTIwNTgwNVow +DgYDVQQDDAdUZXN0IENBMB4XDTE4MTEyMDA0NDc1N1oXDTIwMTExOTA0NDc1N1ow gaYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1T YW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2lu ZWVyaW5nMRowGAYDVQQDDBFUZXN0IEJhY2tlbmQgVGVhbTEkMCIGCSqGSIb3DQEJ ARYVYmFja2VuZC10ZWFtQGx5ZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -iQKBgQCqtS9bbVbo4ZpO1uSBCDortIibXKByL1fgl7s2uJc77+vzJnqC9uLFYygU -1Z198X6jaAjc/vUkLFVXZhOU8607Zex8X+CdZBjQqsN90X2Ste1wqJ7G5SAGhptd -/nOfb1IdGa6YtwPTlVitnMTfRgG4fh+3DA51UulCGTfJXCaC3wIDAQABo4HAMIG9 +iQKBgQDSk5iQ/qC6bc2oA9/EgJ4xfoj4dJ2O1je8Sht+fqcfB+i0JpUDVkXj22qo +5Sy40+SKI/WDfMZtEg5+XZ5V01wo58ar0MlQgmCdcA1Ijr/cMssB2gcGCbjMPOg4 +Bi7VtIWH5PWritg+PNi1gnVjJ/ekjBwOEMkPRKIP3GHn193EXQIDAQABo4HAMIG9 MAwGA1UdEwEB/wQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC BggrBgEFBQcDATBBBgNVHREEOjA4hh5zcGlmZmU6Ly9seWZ0LmNvbS9iYWNrZW5k -LXRlYW2CCGx5ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFLEoDrcF8PTj -2t6gbcjoXQqBlAeeMB8GA1UdIwQYMBaAFJzPb3sKqs4x95aPTM2blA7vWB+0MA0G -CSqGSIb3DQEBCwUAA4GBAJr60+EyNfrdkzUzzFvRA/E7dntBhBIOWKDvB2p8Hcym -ILbC6sJdUotEUg2kxbweY20OjrpyT3jSe9o4E8SDkebybbxrQlXzNCq0XL42R5bI -TSufsKqBICwwJ47yp+NV7RsPhe8AO/GehXhTlJBBwHSX6gfvjapkUG43AmdbY19L +LXRlYW2CCGx5ZnQuY29tggx3d3cubHlmdC5jb20wHQYDVR0OBBYEFKuBHhCwW/9V +2tvT1tfEafkSMWrqMB8GA1UdIwQYMBaAFIzMGUolq+qoloJo91CdlrZhRRDsMA0G +CSqGSIb3DQEBCwUAA4GBAIbKHNw7OXg4U+Frl6AO+7bOA2KO4qJaGkVU5HiWqECm +VCvTS10KHOaCZNP+5MNB7NnCHRaRN50AEYp5ETng/JOLE8V69VW38usMVctJhLo6 +HCl25mocrEKAB+9Ur4OUcQx4OLlnazD9/cAhJBow66sW6iuatZE0Km6bUajbUoDQ -----END CERTIFICATE----- 
diff --git a/test/config/integration/certs/servercert_hash.h b/test/config/integration/certs/servercert_hash.h new file mode 100644 index 000000000000..cc8a8ab2da5c --- /dev/null +++ b/test/config/integration/certs/servercert_hash.h @@ -0,0 +1,4 @@ +// NOLINT(namespace-envoy) +#define TEST_SERVER_CERT_HASH \ + "B3:F5:A1:8F:FF:CD:99:4C:46:1D:3F:98:F6:75:B0:8B:0F:9B:9C:6D:5F:7E:77:26:E9:13:E4:3C:43:14:E8:" \ + "51" diff --git a/test/config/integration/certs/serverkey.pem b/test/config/integration/certs/serverkey.pem index 9a504fd325b6..4ac65f3edee6 100644 --- a/test/config/integration/certs/serverkey.pem +++ b/test/config/integration/certs/serverkey.pem 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQCqtS9bbVbo4ZpO1uSBCDortIibXKByL1fgl7s2uJc77+vzJnqC -9uLFYygU1Z198X6jaAjc/vUkLFVXZhOU8607Zex8X+CdZBjQqsN90X2Ste1wqJ7G -5SAGhptd/nOfb1IdGa6YtwPTlVitnMTfRgG4fh+3DA51UulCGTfJXCaC3wIDAQAB -AoGBAIDbb7n12QrFcTNd5vK3gSGIjy2nR72pmw3/uuPdhttJibPrMcM2FYumA5Vm -ghGVf2BdoYMgOW9qv6jPdqyTHAlkjKRU2rnqqUgiRWscHsTok6qubSeE/NtKYhM3 -O2NH0Yv6Avq7aVMaZ9XpmXp/0ovpDggFBzfUZW4d3SNhFGeRAkEA1F7WwgAOh6m4 -0OaZgOkTE89shSXRJHeXUegYtR1Ur3+U1Ib/Ana8JcvtmkT17iR0AUjKqDsF/4LE -OrV6Gv6+DQJBAM3HL88Ac6zxfCmmrEYDfmz9PhNj0NhDgKt0wq/mSOlCIl6EUdBu -1jFNQ2b3qDdUbNKRBBMvWJ7agl1Wk11j9ZsCQD5fXFO+EIZnopA4Kf1idufqk8TH -RpWfSiIUOK1439Zrchq5S0w98yRmsHIOruwyaJ+38U1XiHtyvI9BnYswJkECQG2d -wLL1W6lxziFl3vlA3TTzxgCQOG0rsDwla5xGAOr4xtQwimCM2l7S+Ke+H4ax23Jj -u5b4rq2YWr+b4c5q9CcCQH94/pVWoUVa2z/JlBq/1/MbcnucfWcpj8HKxpgoTD3b -t+uGq75okt7lfCeocT3Brt50w43WwPbmvQyeaC0qawU= +MIICXgIBAAKBgQDSk5iQ/qC6bc2oA9/EgJ4xfoj4dJ2O1je8Sht+fqcfB+i0JpUD +VkXj22qo5Sy40+SKI/WDfMZtEg5+XZ5V01wo58ar0MlQgmCdcA1Ijr/cMssB2gcG +CbjMPOg4Bi7VtIWH5PWritg+PNi1gnVjJ/ekjBwOEMkPRKIP3GHn193EXQIDAQAB +AoGAEhSAJfrm2/rvjHyAqwOMEZ3WrtZ8bLYx5OXMBIllWgG41jb11mqC57SALO44 +b8optj6uJtMAyn6hZfIt1Rqnr+d5rarbk/BjNobn2+GB9UpQU7562iCeH9lKDEJd +fqLJZgn2+OjUC9/GIMkTv08LfPgm8nghR3x4Q/sNTrf0jFUCQQD3+Su/UwksodUQ +d03B1qhEP4e2oa6Lx+DWc4e/u29pQ46ILSMA7X5IyL52PuMU+mk5kOG9axv4mXjB +jYg1XNP/AkEA2WSJdhXt/AW2lFepTWVeI4SyGxay6lgUsNhAhVYCgsKM+hqz8zG8 +RsWld0iinUHtrc9uyk1cuF5IP2T3h8k3owJBAOALjGBAGQDvcv9+m42wcbXAJNF5 +AaifvmBkX9l283GLLWOSTJcQ/VGrtpJFvYx9t8bgRWWMOeiCWZ2fT9rO9WcCQQCM +1zjDe2OqopzuMHjsPp8lzcOCD0uszZHiHMh4WgfYZWjmZERva6p6A3S2+iT4Uw1E +TR6PDF3kyJhwEd7YZwGXAkEA97sYBBHJC2JD8O1MAI+X90p7XJSTBdwVQ1qsjqVA +mGT+pZVVAyMR6AnvVM1q2qyjBcrr4oMIeblq1e6ApiDsEQ== -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/upstreamcacert.pem b/test/config/integration/certs/upstreamcacert.pem index cacd82dc6bef..a1054d7516bc 100644 --- a/test/config/integration/certs/upstreamcacert.pem 
+++ b/test/config/integration/certs/upstreamcacert.pem @@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIC3zCCAkigAwIBAgIJAMM83D2OKSv5MA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV +MIIC3zCCAkigAwIBAgIJAKqvsW2eOS9ZMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRkw -FwYDVQQDDBBUZXN0IFVwc3RyZWFtIENBMB4XDTE4MDQwNjIwNTgwNVoXDTIwMDQw -NTIwNTgwNVowfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAU +FwYDVQQDDBBUZXN0IFVwc3RyZWFtIENBMB4XDTE4MTEyMDA0NDc1N1oXDTIwMTEx +OTA0NDc1N1owfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAU BgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5ZnQxGTAXBgNVBAsMEEx5 ZnQgRW5naW5lZXJpbmcxGTAXBgNVBAMMEFRlc3QgVXBzdHJlYW0gQ0EwgZ8wDQYJ -KoZIhvcNAQEBBQADgY0AMIGJAoGBANbxYY3hK35w0cSDReeoEJtqoegs+v3wo3B7 -Uaki2AWXcdQK4kEyz1zesRcwUgT3gTqNdQJ+WiN0UtZpEgqvNDvSRYj1ONLIrnP7 -en1Uc2ld5KHjzZfSUnlDSlHURGad2N/V9fsT8HUUrAFSNnyRRmA54zuuQP8cQBLl -YXgisaADAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBQ3dX2uHV9GclTYCEwe0vUNWBQwaTAfBgNVHSMEGDAWgBQ3dX2u -HV9GclTYCEwe0vUNWBQwaTANBgkqhkiG9w0BAQsFAAOBgQAP6wy68tfj2OF5IAyH -S8Ka9nVkzrnjiYSwx3MUZowtjOGZJBxb3kvok6L2xcD8nU1nGSp/EuDqQlbpqNSn -NoiAw5+EmudsDup8Tp4pKzQLMEaB0au4j//BMea1SMyBI1IBNRDTduTOT4o4xW5Y -gc3S4SpdzpuTdPkPU0W0U0QnMw== +KoZIhvcNAQEBBQADgY0AMIGJAoGBAM/ZDWPcmCQnHnQrPzEoMqCD2rH8OAMew2Ei +blmj3gr3jF9Lmzg7GsbtmWE8tsL+CtRPl6J4phiuaHVpOd9jq9GV82yibo/MtHjW +tuKN2iXA4rrodADGY/XTK3ByMZrKBxMgYj6ng3yu2/8kQo6SVTghWxFElH0VRNL8 +WlHAbe5nAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG +MB0GA1UdDgQWBBSkkbQjKTl5cIKOS1Vt+ST4nkKVLzAfBgNVHSMEGDAWgBSkkbQj +KTl5cIKOS1Vt+ST4nkKVLzANBgkqhkiG9w0BAQsFAAOBgQAACXkbMKlIjmqFMhh/ +Zr2lOrU5pHnQq1OwODFl4o2jkI9jYXISaavfwra+RqHnfkbvgg/qdmCrH0R6ekZf +5hRYhW/xoZgLEkbdGtAiKKzsQwmbAdAzmzKSZV2PaKYO+PztCpEgxGn8ekb38z+V +6eFOfm5tQDsdcJjyjI81Vu42uA== -----END CERTIFICATE----- 
diff --git a/test/config/integration/certs/upstreamcakey.pem b/test/config/integration/certs/upstreamcakey.pem index 7d519376c4c2..362d7b9f542e 100644 --- a/test/config/integration/certs/upstreamcakey.pem +++ b/test/config/integration/certs/upstreamcakey.pem 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDW8WGN4St+cNHEg0XnqBCbaqHoLPr98KNwe1GpItgFl3HUCuJB -Ms9c3rEXMFIE94E6jXUCflojdFLWaRIKrzQ70kWI9TjSyK5z+3p9VHNpXeSh482X -0lJ5Q0pR1ERmndjf1fX7E/B1FKwBUjZ8kUZgOeM7rkD/HEAS5WF4IrGgAwIDAQAB -AoGAPA7mO0aXaJUNh+NGPRxwx3xcEQvAdgQvJtbOUnwx8B4I6D7CSYVw+3od8WTH -BixCJ6Iu96tmdFGkc9SX/fRGm41PpCYzUpToUkqPqWnCW8UPLUFJeBL6sujbJPQi -ROOhPBUyG6huKljLm1QP3fLUmzU5BRrglzKWk7sEYAthecECQQDzaGI9OW0se9w+ -bAvm31/RlzbQNP+xiD+TN0Nom4ZivV2BxiVebiftPn24pD58HKcTeIGZ5jReKkJy -q1wDXCv3AkEA4hAEhq8V3ZU/Ans1A9Zke0L8ICPQqBOfE4bXLps3m1C/o4GTzNuf -Qi+b/EfXYGUjJekSmgjlihxvr1OmBglxVQJAIZJBEm6sNxlyPA3M6m/emFrBzZ+x -sHu5QQW7P19L/qxdjDuXBdotmZQn5OKKV7Xf+ViCj4ZnrKEpfwVRcIky6wJAXnRg -38GSOkZc0HWYXiUbUOFZJTixuziPlAIYMNIL9upTWEcQ8Vyme2oXG98Mn6tCd1me -OxwShJWDGNezm/wgDQJBAPI3QNv2VCu5DFjvwEC4ko8pEhhjZnYpoPGzZZ0KcMWK -TSMS9CldcAJlCoPDH3GlpSxdS2uc7ygkXcKqJpFcRto= +MIICXgIBAAKBgQDP2Q1j3JgkJx50Kz8xKDKgg9qx/DgDHsNhIm5Zo94K94xfS5s4 +OxrG7ZlhPLbC/grUT5eieKYYrmh1aTnfY6vRlfNsom6PzLR41rbijdolwOK66HQA +xmP10ytwcjGaygcTIGI+p4N8rtv/JEKOklU4IVsRRJR9FUTS/FpRwG3uZwIDAQAB +AoGAadggp4AIwjBho8r6LTBJR9CdqBHG/F/II0kDZQa75l3V0BmSe/otUqxgdVIT +yAzSuvelQomqG9uFOnVRkV8SeYbY3vtMIHOih30UjPlzV04NbsMDQWmtVo7Y2pjO +JYabhUgML2rGSMFYtwPv1eunYBhdtdltvW0Ph7b66+GfuCECQQD7FrDsh2o/O52m +oXJaOjGOMQMHxjmjo8zW7CTJnQ69tbv87X+HJQas5MEi9c4Voah4IkG+FF3DkOyK +3j7W3MsvAkEA0+nWBQJo+rmmL8q9vIsZa65xv81km1uoVPhsTrCiaPC8t2lWNyND +NyxloGm/fmzPIUDsrjEIDj1h/4JnOVBiSQJBAIvbH8EfzDZcZnuiAafwMhoZgq6Z +4xEa88Xi0rraGJPi3ksLnrUQEp/K6ykl8RxrZwNDUYsmnPOJjbfsAuR7J1ECQQCS +RtkawB0i5L9YQgRSf1newJ14HhkSPGSnsotgjgCtm29I04dVrBubnCPSZOxwIj+f +3qcBXosG+UwKCUOjhl8xAkEArMsu+3oOJnq48ZXvGRvCbWPDhcjY01j/kDXMqwTU +AFTkAyQIynR/4UKy0FyDZ3GvVIDtctmHQT/gmF6c6FvOeQ== -----END RSA PRIVATE KEY----- diff --git a/test/config/integration/certs/upstreamcert.pem b/test/config/integration/certs/upstreamcert.pem index 8ec929106387..886299b5a20b 100644 --- a/test/config/integration/certs/upstreamcert.pem 
+++ b/test/config/integration/certs/upstreamcert.pem 
@@ -1,20 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIDLjCCApegAwIBAgIJAPfssd/9ymzGMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV +MIIDLjCCApegAwIBAgIJAKHUkPiCL9FWMA0GCSqGSIb3DQEBCwUAMH8xCzAJBgNV BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp c2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBMeWZ0IEVuZ2luZWVyaW5nMRkw -FwYDVQQDDBBUZXN0IFVwc3RyZWFtIENBMB4XDTE4MDQwNjIwNTgwNVoXDTIwMDQw -NTIwNTgwNVowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw +FwYDVQQDDBBUZXN0IFVwc3RyZWFtIENBMB4XDTE4MTEyMDA0NDc1N1oXDTIwMTEx +OTA0NDc1N1owgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYw FAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARMeWZ0MRkwFwYDVQQLDBBM eWZ0IEVuZ2luZWVyaW5nMR0wGwYDVQQDDBRUZXN0IFVwc3RyZWFtIFNlcnZlcjCB -nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu7BZ855UTUGLBbSIG7NbmOHnit0k -qhVaS7qf56wuGybRyoS82vUKKF+HG84DJZGjPCCzr9sjgPuDI2ebWf28YScS/K/v -VVVk4mdJcpL8LSKF9j2wWjD1fk/soLAfeMgs3GvXBXk1GsJ+PzCr6jKJ+EqghKpV -3snf6/leRi0gBrMCAwEAAaOBrDCBqTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF +nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx/aeLqJvV17ZQcj/9pH22hSQguWi +Sq4/v7ap9z+6lwIfaX2hMKtt6yP3ll1WzezqDQOXBh+8DGGH6LtJ0CJ3jTWsPNRR +5o9JcM7oHT3I3B3EWfUuGs3irN2b53XagjnkFQXk84BxSdXN8FLcd7dAS3/hnZCW +4vmCjZC1BnuwdX0CAwEAAaOBrDCBqTAMBgNVHRMBAf8EAjAAMAsGA1UdDwQEAwIF 4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwLQYDVR0RBCYwJIIKKi5s -eWZ0LmNvbYcEAAAAAIcQAAAAAAAAAAAAAAAAAAAAADAdBgNVHQ4EFgQUL4L/GnkQ -ef+2KrADZK0zecZe84MwHwYDVR0jBBgwFoAUN3V9rh1fRnJU2AhMHtL1DVgUMGkw -DQYJKoZIhvcNAQELBQADgYEAjj51LybM5XMacujGJ+caTMQWnSRStiuAPFuzEZqx -MgnNpin0ezCrFWBQOAcZn1aDOU36fZaLSRFquzBaSh2/4m1Gr51MHt1p/JulrK0/ -feZSBxf221sTVE+oxRqKr8DDMhr3FQSKJJYXa069GkRajhaaXEtO+f129T3NA5mA -jfU= +eWZ0LmNvbYcEAAAAAIcQAAAAAAAAAAAAAAAAAAAAADAdBgNVHQ4EFgQUEpAikNcL +P+mqrbl/Bb1K8qByi/0wHwYDVR0jBBgwFoAUpJG0Iyk5eXCCjktVbfkk+J5ClS8w +DQYJKoZIhvcNAQELBQADgYEAg3bvGg0R7RoV0zNL/8Zy2X2ZvH/+fj5mk1lrjIxQ +cLhjk0leqyDfTrviHNbC55ZGn75rAaZb4z5va2g5RgLMA4HRXF2MuFR0qkaN83TI +sAyEA6rgN7YdCkc+Jgh+DBQAX6QNyrUEw4XcDVTJBjtuBh9MyhYl2/ydQy414fmU +gns= -----END CERTIFICATE----- 
diff --git a/test/config/integration/certs/upstreamcert_hash.h b/test/config/integration/certs/upstreamcert_hash.h new file mode 100644 index 000000000000..adcd8c4307af --- /dev/null +++ b/test/config/integration/certs/upstreamcert_hash.h @@ -0,0 +1,4 @@ +// NOLINT(namespace-envoy) +#define TEST_UPSTREAM_CERT_HASH \ + "67:05:87:F4:B7:8F:E2:3A:81:72:87:EE:86:FD:27:F0:F7:D7:34:62:99:37:B0:A0:3F:60:AE:A1:85:9F:42:" \ + "8F" diff --git a/test/config/integration/certs/upstreamkey.pem b/test/config/integration/certs/upstreamkey.pem index 1bc9ae549782..2ef946eb9f4d 100644 --- a/test/config/integration/certs/upstreamkey.pem +++ b/test/config/integration/certs/upstreamkey.pem 
@@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICXwIBAAKBgQC7sFnznlRNQYsFtIgbs1uY4eeK3SSqFVpLup/nrC4bJtHKhLza -9QooX4cbzgMlkaM8ILOv2yOA+4MjZ5tZ/bxhJxL8r+9VVWTiZ0lykvwtIoX2PbBa -MPV+T+ygsB94yCzca9cFeTUawn4/MKvqMon4SqCEqlXeyd/r+V5GLSAGswIDAQAB -AoGBAIS+5d/4S4eYo8sVNG7jHBW1MR516kihcYu+IvqoPLPXcOnbl/cE+Ho1lkmE -G5Wmu9z7BBuM0j+Xo9iWnrm3TFPyyfMmr9yernMlcF/ZQR086ZMg6r811HoaZ242 -LSxFeguyh4UUKHM9jlaSavZjRjFCLwv5KLXyOZ+2NAijcsIBAkEA8fO80uYekNsl -AcbhS49/V/rAxfm2Phj1r8+T2HTGwSGCNHTZjupJQe45DdAM+uQYVzw/3hRAeynN -u4UtsBmdEQJBAMaWEhXtiWYwY/KGVozJmvrX0rQUfFthLGBNyAR+li1cYPN/6Meq -erE+hst0g59o9vflj2xDeqKTBo9j7VLmN4MCQQDkb6+znzj0ozNJfjBwWsdslX80 -bBO4hXBR0bZRA9AzwCNiy4AtAt6vtO+BLxFSP9ELbAMQ9iX7IvjvN0pvnX9BAkEA -kaDjymjTZbj+0o9pUP1XRbSXs6+CMpDkNgtULteV0dX40xht4F5Ic0pjFzhufaw/ -0DLsJnylpisjmGuzUiO5eQJBAJ63kDNDZORysx+iEGBlafHgv36OCbnYQQKcr05e -66FsajYNuhYbQbZDQTavlbJjHjjwMqnhLS8gJCKuiN3s/Qs= +MIICXAIBAAKBgQDH9p4uom9XXtlByP/2kfbaFJCC5aJKrj+/tqn3P7qXAh9pfaEw +q23rI/eWXVbN7OoNA5cGH7wMYYfou0nQIneNNaw81FHmj0lwzugdPcjcHcRZ9S4a +zeKs3ZvnddqCOeQVBeTzgHFJ1c3wUtx3t0BLf+GdkJbi+YKNkLUGe7B1fQIDAQAB +AoGAa0BEgYDQNU2DO7yiRU7u1vN2uy6NiH7DZIGF0j6VRs91p7AhV6hrEVa+QiEY +IOU0d/x38WnuA7oAGnzxzzfdZKYF5AA8OAdGmDCKlcNyXXglU8IKP6lq3y2YhgLP +hqDcK6j5CBtNegI4CIng+Q19E80GfNTXwKoN/+P7p7R7VqUCQQDrCpWJtPlm5sZV +VzHAmDXLmBa7WjD5GH30sJkVfVoLSjWYsE66XO/y/jFgjn+v1dO30bN5KwTW0TAr +woi9uJaHAkEA2ctKGVfCVLYwkOUOfYCUan3rNbSkmG7LI3JKJmGPVW9M9bfJHr5/ +mVABldomY2l/Rlor6z0/FEK5U3i+7DbQ2wJAclO1pUQYREtgkcZV9v6SvDOAayVV +yPR23/y+mctdbzxrkZfA07m9JY8raXIm/dqenz0rdXbNZchfDAoWBWKyJQJAa3/o +BzJF/UIgHqSwzkmU+CtG2a9cPtEQ+2ICL4egE+9n8TDR2Jb2rFnNLoYKxK7h33vK +icYlSH7Wsti6hCVaWQJBANbUIUi8i++CabcUhnUtwYh1LsyTAOCkCuHqMGm8QEwg +aUsDWJAHYZFMO4RkidKCUQAvtBnAavqTxQbij4hfSzo= -----END RSA PRIVATE KEY----- diff --git a/test/config/utility.cc b/test/config/utility.cc index 9098a8102ee0..6b38aef17877 100644 --- a/test/config/utility.cc +++ b/test/config/utility.cc 
@@ -8,6 +8,7 @@ #include "common/config/resources.h" #include "common/protobuf/utility.h" +#include "test/config/integration/certs/clientcert_hash.h" #include "test/test_common/environment.h" #include "test/test_common/network_utility.h" #include "test/test_common/utility.h" @@ -392,9 +393,7 @@ void ConfigHelper::initializeTls(envoy::api::v2::auth::CommonTlsContext& common_ auto* validation_context = common_tls_context.mutable_validation_context(); validation_context->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); - validation_context->add_verify_certificate_hash( - "E0:F3:C8:CE:5E:2E:A3:05:F0:70:1F:F5:12:E3:6E:2E:" - "97:92:82:84:A2:28:BC:F7:73:32:D3:39:30:A1:B6:FD"); + validation_context->add_verify_certificate_hash(TEST_CLIENT_CERT_HASH); auto* tls_certificate = common_tls_context.add_tls_certificates(); tls_certificate->mutable_certificate_chain()->set_filename( diff --git a/test/integration/sds_dynamic_integration_test.cc b/test/integration/sds_dynamic_integration_test.cc index 2da48a066555..0fa56d186a27 100644 --- a/test/integration/sds_dynamic_integration_test.cc +++ b/test/integration/sds_dynamic_integration_test.cc @@ -11,6 +11,7 @@ #include "common/ssl/context_manager_impl.h" #include "test/common/grpc/grpc_client_integration.h" +#include "test/config/integration/certs/clientcert_hash.h" #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/integration/ssl_utility.h" 
@@ -85,9 +86,7 @@ class SdsDynamicIntegrationBaseTest : public HttpIntegrationTest, auto* validation_context = secret.mutable_validation_context(); validation_context->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); - validation_context->add_verify_certificate_hash( - "E0:F3:C8:CE:5E:2E:A3:05:F0:70:1F:F5:12:E3:6E:2E:" - "97:92:82:84:A2:28:BC:F7:73:32:D3:39:30:A1:B6:FD"); + validation_context->add_verify_certificate_hash(TEST_CLIENT_CERT_HASH); return secret; } @@ -170,9 +169,7 @@ class SdsDynamicDownstreamIntegrationTest : public SdsDynamicIntegrationBaseTest auto* validation_context = common_tls_context->mutable_validation_context(); validation_context->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); - validation_context->add_verify_certificate_hash( - "E0:F3:C8:CE:5E:2E:A3:05:F0:70:1F:F5:12:E3:6E:2E:" - "97:92:82:84:A2:28:BC:F7:73:32:D3:39:30:A1:B6:FD"); + validation_context->add_verify_certificate_hash(TEST_CLIENT_CERT_HASH); // Modify the listener ssl cert to use SDS from sds_cluster auto* secret_config = common_tls_context->add_tls_certificate_sds_secret_configs(); @@ -290,9 +287,7 @@ class SdsDynamicDownstreamCertValidationContextTest : public SdsDynamicDownstrea // context. auto* combined_config = common_tls_context->mutable_combined_validation_context(); auto* default_validation_context = combined_config->mutable_default_validation_context(); - default_validation_context->add_verify_certificate_hash( - "E0:F3:C8:CE:5E:2E:A3:05:F0:70:1F:F5:12:E3:6E:2E:" - "97:92:82:84:A2:28:BC:F7:73:32:D3:39:30:A1:B6:FD"); + default_validation_context->add_verify_certificate_hash(TEST_CLIENT_CERT_HASH); auto* secret_config = combined_config->mutable_validation_context_sds_secret_config(); setUpSdsConfig(secret_config, validation_secret_); } else { 
diff --git a/test/integration/sds_static_integration_test.cc b/test/integration/sds_static_integration_test.cc index e2b39c3cb8e1..38e5e2e194d7 100644 --- a/test/integration/sds_static_integration_test.cc +++ b/test/integration/sds_static_integration_test.cc @@ -9,6 +9,7 @@ #include "common/ssl/context_config_impl.h" #include "common/ssl/context_manager_impl.h" +#include "test/config/integration/certs/clientcert_hash.h" #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/integration/ssl_utility.h" @@ -56,9 +57,7 @@ class SdsStaticDownstreamIntegrationTest auto* validation_context = secret->mutable_validation_context(); validation_context->mutable_trusted_ca()->set_filename( TestEnvironment::runfilesPath("test/config/integration/certs/cacert.pem")); - validation_context->add_verify_certificate_hash( - "E0:F3:C8:CE:5E:2E:A3:05:F0:70:1F:F5:12:E3:6E:2E:" - "97:92:82:84:A2:28:BC:F7:73:32:D3:39:30:A1:B6:FD"); + validation_context->add_verify_certificate_hash(TEST_CLIENT_CERT_HASH); secret = bootstrap.mutable_static_resources()->add_secrets(); secret->set_name("server_cert"); diff --git a/test/integration/xfcc_integration_test.h b/test/integration/xfcc_integration_test.h index 8e22c670ed39..307364fd6717 100644 --- a/test/integration/xfcc_integration_test.h +++ b/test/integration/xfcc_integration_test.h @@ -3,10 +3,13 @@ #include #include +#include "test/config/integration/certs/clientcert_hash.h" #include "test/integration/http_integration.h" #include "test/integration/server.h" #include "test/mocks/server/mocks.h" +#include "absl/strings/ascii.h" +#include "absl/strings/str_replace.h" #include "gmock/gmock.h" #include "gtest/gtest.h" 
@@ -22,7 +25,8 @@ class XfccIntegrationTest : public HttpIntegrationTest, "By=spiffe://lyft.com/frontend;Hash=123456;URI=spiffe://lyft.com/testclient"; const std::string current_xfcc_by_hash_ = "By=spiffe://lyft.com/" - "backend-team;Hash=e0f3c8ce5e2ea305f0701ff512e36e2e97928284a228bcf77332d33930a1b6fd"; + "backend-team;Hash=" + + absl::AsciiStrToLower(absl::StrReplaceAll(TEST_CLIENT_CERT_HASH, {{":", ""}})); const std::string client_subject_ = "Subject=\"" "emailAddress=frontend-team@lyft.com,CN=Test Frontend Team,"
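Review bot: The new initializer of `current_xfcc_by_hash_` relies on an undocumented format difference. `TEST_CLIENT_CERT_HASH` is the upper-case, colon-separated fingerprint passed to `add_verify_certificate_hash`, while the expected XFCC `Hash=` value is the same digest as lower-case hex without separators. A one-line comment above the expression would make that explicit, for example `// XFCC Hash= is the client cert SHA-256 in lower-case hex, so strip the ':' separators from the fingerprint macro.` If other tests need the same form, a small shared helper next to the macro would avoid repeating the `StrReplaceAll`/`AsciiStrToLower` pair. The enclosing `XfccIntegrationTest` class begins and ends outside this hunk.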