From 338490239f8975bcb592d960c054b6c0d709227d Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 10:04:01 +0300 Subject: [PATCH 1/7] Add inotify-tools to dockerfile They're used for rebar3 auto tasks that hot-reloads the running code. --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 2492146..987bec6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,6 +31,7 @@ RUN apt-get update && apt-get install -y \ libc-dev \ perl=* \ procps=* \ + inotify-tools=* \ libssl1.0.0=* \ perl-base=* \ && apt-get clean \ From f1bd1f97a5285b0f30e7d903fa4ae54ba529cfb6 Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:05:22 +0300 Subject: [PATCH 2/7] Revoke webclient certificate --- .../priv/test_ca/certs/{webclient.crt.pem => revoked.crt.pem} | 0 .../priv/test_ca/csrs/{webclient.csr.pem => revoked.csr.pem} | 0 .../priv/test_ca/private/{webclient.key.pem => revoked.key.pem} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename apps/epp_proxy/priv/test_ca/certs/{webclient.crt.pem => revoked.crt.pem} (100%) rename apps/epp_proxy/priv/test_ca/csrs/{webclient.csr.pem => revoked.csr.pem} (100%) rename apps/epp_proxy/priv/test_ca/private/{webclient.key.pem => revoked.key.pem} (100%) diff --git a/apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem b/apps/epp_proxy/priv/test_ca/certs/revoked.crt.pem similarity index 100% rename from apps/epp_proxy/priv/test_ca/certs/webclient.crt.pem rename to apps/epp_proxy/priv/test_ca/certs/revoked.crt.pem diff --git a/apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem b/apps/epp_proxy/priv/test_ca/csrs/revoked.csr.pem similarity index 100% rename from apps/epp_proxy/priv/test_ca/csrs/webclient.csr.pem rename to apps/epp_proxy/priv/test_ca/csrs/revoked.csr.pem 
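Review bot: `inotify-tools=*` is added to the same `apt-get install` as the runtime packages, and the `=*` suffix (as on the neighbouring `perl=*` and `procps=*` lines) only satisfies a version-pin lint — it pins nothing, so the package drifts between builds. According to the commit message the tool exists solely for `rebar3 auto` hot reloading, which is a development workflow; if this Dockerfile also produces the deployed image (only this one `RUN` is visible here), a file-watching helper the service never uses is needless surface in production. Consider installing it in a separate dev stage, e.g. `FROM base AS dev` followed by `RUN apt-get update && apt-get install -y --no-install-recommends inotify-tools && rm -rf /var/lib/apt/lists/*`, and adding `--no-install-recommends` to the existing install line as well.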
diff --git a/apps/epp_proxy/priv/test_ca/private/webclient.key.pem b/apps/epp_proxy/priv/test_ca/private/revoked.key.pem similarity index 100% rename from apps/epp_proxy/priv/test_ca/private/webclient.key.pem rename to apps/epp_proxy/priv/test_ca/private/revoked.key.pem From 187ebf42138b3077fdda3305e9a9509dd48fc407 Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:07:49 +0300 Subject: [PATCH 3/7] Update test certificate configuration --- .../priv/test_ca/certs/client.crt.pem | 35 +++++++++++++ .../priv/test_ca/csrs/client.csr.pem | 28 ++++++++++ .../priv/test_ca/generate_certificates.sh | 14 +++-- .../priv/test_ca/private/client.key.pem | 51 +++++++++++++++++++ apps/epp_proxy/test/tls_client_SUITE.erl | 4 +- 5 files changed, 126 insertions(+), 6 deletions(-) create mode 100644 apps/epp_proxy/priv/test_ca/certs/client.crt.pem create mode 100644 apps/epp_proxy/priv/test_ca/csrs/client.csr.pem create mode 100644 apps/epp_proxy/priv/test_ca/private/client.key.pem diff --git a/apps/epp_proxy/priv/test_ca/certs/client.crt.pem b/apps/epp_proxy/priv/test_ca/certs/client.crt.pem new file mode 100644 index 0000000..d518c84 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/certs/client.crt.pem 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGGjCCBAKgAwIBAgICEAgwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVF +MREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwa +RWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0 +ZXN0IGNhMSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZTAeFw0xOTA3 +MjkwNzUxNTdaFw0yOTA3MjYwNzUxNTdaMH4xCzAJBgNVBAYTAkVFMREwDwYDVQQI +DAhIYXJqdW1hYTEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMx +FTATBgNVBAMMDHJldm9rZWQgY2VydDEgMB4GCSqGSIb3DQEJARYRaGVsbG9AaW50 +ZXJuZXQuZWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDaFYIwYpsK +1lCpebo8lR+hBfPg5K1OM7UkE6yNV54UYH1xPUk2iZLxoCnCYZdrfFtzwEfnU+ot +rv6x+QzNh139bTupaUhetlbHBc/YO4Dp7MEF30wjjLGOacNmlsQi9RhGbegxqoJq +PB0mEq1ZSPQqsmBs8QxYoL3FhNVJrXvPBCXF2hmf0z+0LbScXRZ8CV5e7PAji5Oe +LomIPGe9CmVMWRH0JNvLETAEJG0iUPys/zXyBxz9rx9iPAmFhLy4srtvIFQG3tMc +Xu2r8Vyap7BpaEs4CV36fmWHMQ5xVQgLOAhCKbD7uY2v+gKY6w6dQh1Vm1b9qD1N +Vk8isJ5WnT5Z4EFvaMq5gGGj1TaTBi4QOie6KVP8iavOKYYkdOoa60XLTtEa5s9b +cWPS1Bcnl43WR/pPonVvLY3N0VuCjXDwp60GHBGNsVpPa/bUF5wr6BsT7VScFsPM +QG3Gmc4Kc+jxKj3ysz5yVvIL1v9MzN5tdoHX5MNglP0jtNn7sTBZc8sJg5DGALds +7d64W1qTRrR41Cu78IUS7iRJRCXU4NLbyzV+BhEyDhiF8TGm+IGVXE+EAHQMXKjt +Ruzjasf5071bf/eOe50kgVrYDc/JZ2/lJJ/S4cdolz+5PcbExTzdwAeSA/oXKSm6 +2ahveDRn8n6xNHSltjnAWo//9o6WCKHAEQIDAQABo4GJMIGGMAkGA1UdEwQCMAAw +CwYDVR0PBAQDAgXgMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD +ZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUBbVpSL7xVkMpbVxGydzX3snO820wHwYDVR0j +BBgwFoAU/XfmSnO9pTxls7nPtRWVWQhkaBAwDQYJKoZIhvcNAQELBQADggIBAIrJ +NfPxjQBCE8sCNYRHj9wbtKb2oBFbz1w1irqi+C7kGhn+sfukmhgPA6L7T84DICon +nUhl35IX6DuKCqA+G1kGSG7WKfxK8xLxWt5oK5wH63qrrTcezYTmRnFlyIeIyIOm +Edi6HjVwl3x30aMc5DaC4eOjXJ3JReg5OubQOpBUYCswh8JTR5JCj+ircHiMfbxn +DO40D431madj/qATR/vZt8UYy53hTSQrIed4EeSD5G3OtnDWfvGwoTdwfnDiDZuO +auHpUiV0EP1E2P4N06TQWWEEA1cslKNhC9SbTLXlinM9d7QF2wJJ6fiOuUSganYg +ov9nt6hCTaVC12YTyIO3ZaRIy2KVTtUz0k0ECoiUrF03xqgZrPvixSVokBZnA3uQ +eBAt2Woi1H9ZR7dhnxG6Fbaf/upiQ3U/kHtW24YG3lmkyhAu5OKpQpqJWXabfnbl 
+QRt3HKcGdD1ytUsRpuMJ6Chtai9d5plPOkhcVgWPuawXBSHh4QHaEnEdqgpt3l3j +WwS2UUiewAbaLCv53LBL+6RRjlcKUInJp/zVRrpdq8hxX48sHCpSIwOckG1wANN2 +68q1LzIWSaKG4LDE4E79FpWT8lnI6ccl0Xo0sbFvOaqMkIFJNXw60HWpUAbjIBTF +9iuftwIPUbl3aiHR0IQns8Rwk9YUu1lzWe5yn2Nj +-----END CERTIFICATE----- diff --git a/apps/epp_proxy/priv/test_ca/csrs/client.csr.pem b/apps/epp_proxy/priv/test_ca/csrs/client.csr.pem new file mode 100644 index 0000000..74bbe41 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/csrs/client.csr.pem 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIE1jCCAr4CAQAwgZAxCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ +MA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRh +c3V0dXMxFTATBgNVBAMMDHJldm9rZWQgY2VydDEgMB4GCSqGSIb3DQEJARYRaGVs +bG9AaW50ZXJuZXQuZWUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDa +FYIwYpsK1lCpebo8lR+hBfPg5K1OM7UkE6yNV54UYH1xPUk2iZLxoCnCYZdrfFtz +wEfnU+otrv6x+QzNh139bTupaUhetlbHBc/YO4Dp7MEF30wjjLGOacNmlsQi9RhG +begxqoJqPB0mEq1ZSPQqsmBs8QxYoL3FhNVJrXvPBCXF2hmf0z+0LbScXRZ8CV5e +7PAji5OeLomIPGe9CmVMWRH0JNvLETAEJG0iUPys/zXyBxz9rx9iPAmFhLy4srtv +IFQG3tMcXu2r8Vyap7BpaEs4CV36fmWHMQ5xVQgLOAhCKbD7uY2v+gKY6w6dQh1V +m1b9qD1NVk8isJ5WnT5Z4EFvaMq5gGGj1TaTBi4QOie6KVP8iavOKYYkdOoa60XL +TtEa5s9bcWPS1Bcnl43WR/pPonVvLY3N0VuCjXDwp60GHBGNsVpPa/bUF5wr6BsT +7VScFsPMQG3Gmc4Kc+jxKj3ysz5yVvIL1v9MzN5tdoHX5MNglP0jtNn7sTBZc8sJ +g5DGALds7d64W1qTRrR41Cu78IUS7iRJRCXU4NLbyzV+BhEyDhiF8TGm+IGVXE+E +AHQMXKjtRuzjasf5071bf/eOe50kgVrYDc/JZ2/lJJ/S4cdolz+5PcbExTzdwAeS +A/oXKSm62ahveDRn8n6xNHSltjnAWo//9o6WCKHAEQIDAQABoAAwDQYJKoZIhvcN +AQELBQADggIBAM+rpYhoVrsgkItnaLoE5ZFqOsaW+nGyy7IVe8KeTi+sfDo/OOMH +KoZebwFkKa+5MpR7iGdGhwMsEvQBNwAAElLfVAW2NZQmC8DGwLyRA1yPTWNNvYi9 +oGaLPAvIROnSdd5WImV749zxv9W23pjozYSyFWVRxjhZd6Wj3XLRJFkAtikZZW02 +jnzLGLamILIuGj51d/ukR+uN4hVxnMKKhRpiRJFsjGJj3aai2ptJmvRhp1vrclJg +Bix1JsLzKbuvPP00EuZXUZ9bRDUW8bpNhvuWUhtS5iFME6mTyqL7PveivLX7Sxuy +VQ58FNeU68BIrdCSavxHtmgB/vjyMcfcEm7K9C7YPGSedK5evzKbVpkNk2SP5Cl4 +0pLDeLjYRGnf6sDjGK1FVJYAX9AG+8ZiCtSkWfMY/5ClcK5SCeO5QY1Ad3bY1Ez8 +l3IdzKwZK4zq9NZN20r0ZzSZ8kzEqeKotKXIPDjKBDHFk3wu4tkHZf9pyu9PkQjZ +RpoVmhNFVQ2BRdZANudrMiWgUhxUpQgmRQPnpGbDmdWdvqEoHsTPkHrxgNdb+PxP +D3NWN28hj9MRve+lSStnN/GXb9DPKyA6vmUHcd9p8EnnmLTy9sqy/smE3zYwDmz2 +QSGz4UhMOAD6/6/9mCLf1qiRpD2JAcYOz7LcVTrqpo3UtHAW/XD9XNPp +-----END CERTIFICATE REQUEST----- diff --git a/apps/epp_proxy/priv/test_ca/generate_certificates.sh b/apps/epp_proxy/priv/test_ca/generate_certificates.sh index 29625e0..753b39e 100755 
--- a/apps/epp_proxy/priv/test_ca/generate_certificates.sh +++ b/apps/epp_proxy/priv/test_ca/generate_certificates.sh @@ -1,9 +1,15 @@ # !/bin/sh # Use localhost as common name. -openssl genrsa -out private/webclient.key.pem 4096 -openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/webclient.key.pem -out csrs/webclient.csr.pem -openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -days 3650 -out certs/webclient.crt.pem -openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem +openssl genrsa -out private/client.key.pem 4096 +openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/client.key.pem -out csrs/client.csr.pem +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/client.csr.pem -days 3650 -out certs/client.crt.pem + +openssl genrsa -out private/revoked.key.pem 4096 +openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/revoked.key.pem -out csrs/revoked.csr.pem +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/revoked.csr.pem -days 3650 -out certs/revoked.crt.pem +openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -revoke certs/revoked.crt.pem + openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl.pem + openssl req -config openssl.cnf -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout private/apache.key -config server.csr.cnf openssl x509 -req -in server.csr -CA certs/ca.crt.pem -CAkey private/ca.key.pem -CAcreateserial -out certs/apache.crt -days 3650 -sha256 -extfile v3.ext 
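Review bot: The new `openssl ca ... -revoke certs/revoked.crt.pem` line is what the revoked-cert test relies on, yet the script has no `set -e`, so if that step fails the following `-gencrl` still writes a CRL that does not list the certificate and the run reports success; add `set -eu` right after the shebang (which is also mis-spelt as `# !/bin/sh` and so is not honoured). Neither `openssl req` call passes `-subj`, so `client` and `revoked` take the same subject from `openssl.cnf` — the subject embedded in the committed `client.csr.pem`/`client.crt.pem` appears to decode to `revoked cert` — and `openssl ca` with the default `unique_subject = yes` may refuse to sign the second one; pass `-subj '/CN=client'` and `-subj '/CN=revoked'` so the fixtures are distinguishable in logs and in the CA index. `-crldays 3650` is acceptable for a fixture but deserves a comment such as `# 10-year CRL lifetime: test fixture only, never copy into a real CA setup`. Since the script signs with `private/ca.key.pem`, which appears to live alongside the committed client keys, it is worth stating in a header comment that `certs/ca.crt.pem` must only ever be trusted by test configuration.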
diff --git a/apps/epp_proxy/priv/test_ca/private/client.key.pem b/apps/epp_proxy/priv/test_ca/private/client.key.pem new file mode 100644 index 0000000..f0bdd55 --- /dev/null +++ b/apps/epp_proxy/priv/test_ca/private/client.key.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA2hWCMGKbCtZQqXm6PJUfoQXz4OStTjO1JBOsjVeeFGB9cT1J +NomS8aApwmGXa3xbc8BH51PqLa7+sfkMzYdd/W07qWlIXrZWxwXP2DuA6ezBBd9M +I4yxjmnDZpbEIvUYRm3oMaqCajwdJhKtWUj0KrJgbPEMWKC9xYTVSa17zwQlxdoZ +n9M/tC20nF0WfAleXuzwI4uTni6JiDxnvQplTFkR9CTbyxEwBCRtIlD8rP818gcc +/a8fYjwJhYS8uLK7byBUBt7THF7tq/FcmqewaWhLOAld+n5lhzEOcVUICzgIQimw ++7mNr/oCmOsOnUIdVZtW/ag9TVZPIrCeVp0+WeBBb2jKuYBho9U2kwYuEDonuilT +/ImrzimGJHTqGutFy07RGubPW3Fj0tQXJ5eN1kf6T6J1by2NzdFbgo1w8KetBhwR +jbFaT2v21BecK+gbE+1UnBbDzEBtxpnOCnPo8So98rM+clbyC9b/TMzebXaB1+TD +YJT9I7TZ+7EwWXPLCYOQxgC3bO3euFtak0a0eNQru/CFEu4kSUQl1ODS28s1fgYR +Mg4YhfExpviBlVxPhAB0DFyo7Ubs42rH+dO9W3/3jnudJIFa2A3PyWdv5SSf0uHH +aJc/uT3GxMU83cAHkgP6Fykputmob3g0Z/J+sTR0pbY5wFqP//aOlgihwBECAwEA +AQKCAgBPJsNLoF45PrOj7wRC/LSwEqMDGrwzx9yUrXdRDV3Yc3TT5rRt0Ny+Sa0e +WaFFZ6shhcYTFYfG8N6L5aJZ7imU01J2GDol9fPk5B0dk+sj+8PKx9KwjF3dHFHJ +KCsjrOUUmstNS19uA0dpDBpSb4H/BSKuJ4adnCmESMPIq+hlqFG1T4VBVsCmOnh0 +z+xbNGNF/KTjocMABE/yXEoieGVvolw7yizjtOdCeZ4KeG5cs3v2zdId2LOBSd0C +0rxUJLqWiJs2qyTgBSwp3b4Ie5gxiaLTQcMUKU/cE1f0ljIHMFz+9na/xgbAufK7 +YYS6WsaezXRzN96X9R1fr86oDQYVmREnBU5ouUWDMop17M3TRH70mAdaczb2zML3 +cg+uQXjuw45hyD322RySZgz4+nnLcSFJBHzfbfFBnGtwiAfVqc68n5+wVLzJvwji +zV6MCs7FfvR1+ex/MY9woggkQTHfDX2311N83uD11K6pO5FbRQUSHgNo+/tEYwAq +niY6fsXPxOPC8udEIbCEOFOGd/xMF9ihvbMWbSVB/ZZFIedrzbk8SPG/rUx+k5wP +rCte69i/b2yQyfDs9ULYletevHb+CuhIyAvIIkhb1zfM4rmoa6MdHmhJAKb3lzLO +lAyYmnepFbVek6vqpn+6oJzHCejCAhUoSr1oytBlNUDdvjacYQKCAQEA83t3d+EH +jgqEZiH9DvZnhrgiX5qtTPieVyl6bpbw8XM4ULmy3fy3ZdFEN/zGJlRYMVA0P4I8 +4GJaULYtDlaPuH1xqhuFrF/gv1aOGChq4M33nNtdjVgWvWKJK6rkPXCYwD8QRK/H +vz3DQUqn7XEqLEknFWt6SeIseSajrXWLF0F+hy6HmW+eRONHf5HT8EMx3zqMgoE1 +eNyCeJ8Xkja+T7t1xcYKW5zUeDs9nYXPiuk9Mq2zQzqfiIJKnow4HThrd2WKcKKC +60C7YTGEvEHbUTAzz9C4BaVjEXu7bCfb5ryVfnJH8LHpQ1PgEIVBdJ7OjfXDnAf2 +FqoMiHFAximvPQKCAQEA5UvExUQJTLNrB7K/mn0/2Q9G8zQgpns+EwxD2s9nhpXD +RLmbPIH5URV1Hf5HchlKp5uY7KB0SgUIjAV6I2FDv/oFNk+pu/PXI2rOcZuPgX3M 
+KD5MTw+Gm5NtoYgDemcJUMgAk9ilh7v7YKP8ASwNxikHkQ3oEKPXSW1/mJxiSzpH +8tpmSFisBAFtBJlMEzt8FGH7a8+DpvbOyxfP4aocF6cgqKtSwgtKJm2EwSyaEMYB +1cK6wQeY0mpcmtrdSeJaEWnq5deFhEYWOKTaliTQMFgWC6RBGdCp7RGyE0jVQi7F +iAXFsfkNjVmmSF8PAA/CKOIW0Z1QV/10zP9F5ofhZQKCAQEAuT41TZJ6Ufn0c1Pm +mSyk5R1QoZYnxYjdxwi6qkrSc5CqxtgRmsy7p45ILaR2CRFgq9wOdEcdE8YgWonP +y7nVzJI8GSSpVdT4Q/qRTxXpArIRclh/W5sqadn+7Kcu0QPKY3FXajqmaPyPgixP +iNnxMRJS1vwXZQDbvyzDmKP2N7JPln+zEOyX6GdWrVsAeSpWVjTQVDYDvble1nCL +2WUm87h2yQp8NOkjyXmgzijRFymOsvDukvaWC6C9LtUVmD2lnYg2hK1Pl7Z/GVo4 +V5ZvSty2fqSYbUtADTwrAwVsS6cswbAmxZxGEUBOF6OagiSUl/LkaOCxvNqRgHlR +w7JRLQKCAQEA15S6R0HlgHC783vyu1yBGCJN8cET5ZK/1QbWETapPhc2hToAow4M +i1iiSXXWVIdE8nrPd8KQMzuyQnuvzu3W1ftKxTp2+hiTMGBuAtBgRz4wIbIY6shN +JZ6iF5oasw2G66VvLZImZ4ytFrp25980gBf5Xj717hctBYNm0ORPYi1EkicWvXRp +Hkb86bL7nKVzznIlAcMUI3mvCbG0qJXYXcCrawnRAFG/AIw9oaW+oICaHxE7ptru +qv6HXKzkG2AukGrGCBzvEmMW52DPhxTLjHh1GbLv5kaSTSszAwCaSORSocXTjrX7 +MOeV+Dsvjj5CrU+MZr4CWQgatdZYMRuWJQKCAQB7BGo5ajhebHd9UD1+X+plXBWb +LxMhvK9f4Z/Q7PUDcQwesyF4/iyLFxdihixPspBpY4YuRAXzXtFrGtzKxfTdBz8O +pBk++GI8OBA0+qviIYkqg3Yojb05nupAL+by8HHMc2kQwbiZQ0oH1AKZgGcAxe9i +dI+nSMDWM088bwTDmmUHVE4hdEiYvRza3OefDH4/EQhNhJHvWqgGsaHL0nhmfPVa +O4ovmZoRqLsCdxuUao2Q2klIFQicKWsnl2J96rIlzgjZGzHUgqkAKnnrYGTdu7oG +tiQRzzDF0C24sbH2mrX6Q+sjN7KKW1fCIQEufMCbT8nF/gv7SD7Do/H0SFp1 +-----END RSA PRIVATE KEY----- diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl index 9f777e7..5ed1e65 100644 --- a/apps/epp_proxy/test/tls_client_SUITE.erl +++ b/apps/epp_proxy/test/tls_client_SUITE.erl 
@@ -27,8 +27,8 @@ init_per_suite(Config) -> application:ensure_all_started(hackney), CWD = code:priv_dir(epp_proxy), Options = [binary, - {certfile, filename:join(CWD, "test_ca/certs/webclient.crt.pem")}, - {keyfile, filename:join(CWD, "test_ca/private/webclient.key.pem")}, + {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")}, + {keyfile, filename:join(CWD, "test_ca/private/client.key.pem")}, {active, false}], [{ssl_options, Options} | Config]. From 1e04bff9b20680a032c7fb5873c5761b4ec98a2e Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:18:33 +0300 Subject: [PATCH 4/7] Revoke a test certificate --- apps/epp_proxy/priv/test_ca/crl/crl.pem | 33 +++++++++++++------------ 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/apps/epp_proxy/priv/test_ca/crl/crl.pem b/apps/epp_proxy/priv/test_ca/crl/crl.pem index 7efffce..e0e265c 100644 --- a/apps/epp_proxy/priv/test_ca/crl/crl.pem +++ b/apps/epp_proxy/priv/test_ca/crl/crl.pem 
@@ -1,21 +1,22 @@ -----BEGIN X509 CRL----- -MIIDfTCCAWUCAQEwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVFMREwDwYD +MIIDkjCCAXoCAQEwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkVFMREwDwYD VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg SW50ZXJuZXRpIFNpaHRhc3V0dXMxGjAYBgNVBAMMEWVwcF9wcm94eSB0ZXN0IGNh -MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZRcNMTkwNzExMTMxMTM0 -WhcNMjkwNzA4MTMxMTM0WjBpMBMCAhACFw0xOTA1MjkwNjM5MTJaMBMCAhADFw0x +MSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZRcNMTkwNzI5MDc1NTA5 +WhcNMjkwNzI2MDc1NTA5WjB+MBMCAhACFw0xOTA1MjkwNjM5MTJaMBMCAhADFw0x OTA1MjkwODQxMDJaMBMCAhAEFw0xOTA1MzExMTI0NTJaMBMCAhAFFw0xOTA1MzEx -MTQyMjJaMBMCAhAGFw0xOTA1MzExMjQzNDlaoDAwLjAfBgNVHSMEGDAWgBT9d+ZK -c72lPGWzuc+1FZVZCGRoEDALBgNVHRQEBAICEAgwDQYJKoZIhvcNAQELBQADggIB -ACv4opvBcQoCEkiKhVlr5bSq0vAVaTu1FloKTay0xsgDGSqQDnPR/B7ELSyoYo2A -iBuSrQREyvXOtZhlQyTHwCDnAjpgGDGdRbRJAhhbWA9/MC4oqyJLjOFxLspX2S7E -Fq4F/DbUZaW8niGGCcAUf8QnilaJLEhUT7qIJW2DpyFLd/1qLK81PBO8VW4fbKQI -z2LsrA3NijW+W192LMvHLKnE47ifW1PLM0dJimkVNrkS42ACuwnCOLfLJsIg9aRe -QsI1CY+L1F2tROedUFo6noffnm+SyMapna4SEXlQTaA1kfLtLOGVhXpBAgcewIsY -DQQCTn4oEAhZroZMPYJXYXC/pNSMUEBifXR2akO7eE5kLBgf11ZfhuEUqperviiJ -yLNzoakh3eMazIo5Qr8ZinMWP8HHZJI8GmOvJtVKAvOFmXkVm++Cnl/Ovp8skrTD -AibySMZSTgoAc+ynZYI5q6HZxJWXN/PQ/++hFyOW9aG1DTLGpV6rO+O4zNldmUIO -DTu+dUmKNamp1a6GcaY5xLSQTfV8InetxwF+gazvcmtEnqagH64EseSz4RZQLtRc -kAZLho1rPE35Ok/2eswMvQ9hOkQ7tX9dO35HYoHoVKUzdiBaPP3PCDeCC/Ei5C2n -Z1rfbtOFwF/36qyz7o+YqHaWHVc9W/koRjtrmXA1soJ2 +MTQyMjJaMBMCAhAGFw0xOTA1MzExMjQzNDlaMBMCAhAHFw0xOTA3MjkwNzU0MzRa +oDAwLjAfBgNVHSMEGDAWgBT9d+ZKc72lPGWzuc+1FZVZCGRoEDALBgNVHRQEBAIC +EAkwDQYJKoZIhvcNAQELBQADggIBAEk9pyZjqyYUdnA0Sv7RyevRUQGKbbf3EXdv +JLDyvI9rpoyuWPkMT6vPsYght0cf/wO7oaEK/uustvFEYQiJss60jI0XuczWypk9 +paKu3LhIy6Drm3locY2k0ESrgP9IwNzS5Xr0FiaWRIozbkcawte8M4Nqe8BO5prk +/5sLjv3eFnD7E445tZhu3vmXkD50FT3PLHVBEz4yS6Fx6nTiv+9QUu8NGf+bc6+o +YKPMy6Lh/wGC7p6sZJCOCjfzLAcqWfB2EW6XU8WeQcQCZ0au7zvZjQownCS9CeJV +KVsC4QiUt97FxR2gcEN2GJesywIF11X9o8s1K/Hz3+rrtU1ymoMLeumaRW24z35A 
+zVsdNwRfSPmt1qHlyaJaFhKG6jw5/nws+/wGFycIjWK0DSORiGCYdKD0cCjKJbNO +2QJnJlNOaCUUj8ULyiFOtZvdadc4JVW42NI/F+AFy/bnBK0uH6CenK5XwX3kEMme +KD8b5reUcVRhQdVJdAABFJlihIg05yENI7hlH1CKfy4vmlBKl+M2mW9cmNO8O6uS +KMH8/wLuLga9gYziNT1RmVNFbnpF0hc6CFtSnlVXXTlU/TrxheH8ykrHQhKEkQj+ +3krObDFDCUMKmaGu2nxRYZwLXzUe3wVl1SAxw0eEGyON/N83sLYlcrwWTVzRG3Z7 +RqRHPn+h -----END X509 CRL----- From 9bd9a67e938101fe3e9ee91cbf0af3960815a5e8 Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:19:11 +0300 Subject: [PATCH 5/7] Add more logging for failed SSL handshake --- apps/epp_proxy/src/epp_tls_worker.erl | 19 ++++++++++++++++--- apps/epp_proxy/test/tls_client_SUITE.erl | 21 ++++++++++++++++++--- 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl index d5263bb..e7d7aad 100644 --- a/apps/epp_proxy/src/epp_tls_worker.erl +++ b/apps/epp_proxy/src/epp_tls_worker.erl @@ -43,9 +43,16 @@ start_link(Socket) -> %% If certificate is revoked, this will fail right away here. %% mod_epp does exactly the same thing. handle_cast(serve, State = #state{socket = Socket}) -> - {ok, SecureSocket} = ssl:handshake(Socket), - NewState = state_from_socket(SecureSocket, State), - {noreply, NewState}; + {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket), + + case ssl:handshake(Socket) of + {ok, SecureSocket} -> + NewState = state_from_socket(SecureSocket, State), + {noreply, NewState}; + {error, Error} -> + log_on_invalid_handshake(PeerIp, Error) + end; + %% Step two: Using the state of the connection, get the hello route %% from http server. Send the response from HTTP server back to EPP %% client. When this succeeds, send "process_command" to self and 
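Review bot: `{ok, {PeerIp, _PeerPort}} = ssl:peername(Socket)` is an assertive match on a socket whose peer may already have disconnected, so a client that connects and drops before the handshake turns the new log-and-exit path into a `badmatch` crash report instead of the log line this commit sets out to produce; match the `{error, _}` case as well, or fetch the address inside the `{error, Error}` branch where it is actually needed. That branch also never returns a `gen_server` result and relies on `log_on_invalid_handshake/2` calling `exit(normal)`, which hides the control flow from the reader and from Dialyzer; the idiomatic form is `log_on_invalid_handshake(PeerIp, Error), {stop, normal, State}` with the helper no longer exiting. The existing `log_on_timeout/1` uses the same exit pattern, so if it is kept for consistency, a comment such as `%% log_on_invalid_handshake/2 terminates the worker; no callback result is returned` on the error branch would help. The `handle_cast(serve, ...)` clause is complete within the hunk; the comment block that follows it continues outside.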
@@ -160,6 +167,12 @@ log_on_timeout(State) -> lager:info("Client timed out: [~p]~n", [State]), exit(normal). +log_on_invalid_handshake(Ip, Error) -> + ReadableIp = epp_util:readable_ip(Ip), + lager:info("Failed SSL handshake. IP: ~s, Error: [~p]~n", + [ReadableIp, Error]), + exit(normal). + %% Extract state info from socket. Fail if you must. state_from_socket(Socket, State) -> {ok, PeerCert} = ssl:peercert(Socket), diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl index 5ed1e65..a9e8eb0 100644 --- a/apps/epp_proxy/test/tls_client_SUITE.erl +++ b/apps/epp_proxy/test/tls_client_SUITE.erl @@ -11,7 +11,8 @@ valid_command_test_case/1, long_message_test_case/1, invalid_command_test_case/1, - error_test_case/1]). + error_test_case/1, + revoked_cert_test_case/1]). all() -> [frame_size_test_case, @@ -20,7 +21,8 @@ all() -> valid_command_test_case, long_message_test_case, invalid_command_test_case, - error_test_case]. + error_test_case, + revoked_cert_test_case]. init_per_suite(Config) -> application:ensure_all_started(epp_proxy), @@ -30,7 +32,11 @@ init_per_suite(Config) -> {certfile, filename:join(CWD, "test_ca/certs/client.crt.pem")}, {keyfile, filename:join(CWD, "test_ca/private/client.key.pem")}, {active, false}], - [{ssl_options, Options} | Config]. + RevokedOptions = [binary, + {certfile, filename:join(CWD, "test_ca/certs/revoked.crt.pem")}, + {keyfile, filename:join(CWD, "test_ca/private/revoked.key.pem")}, + {active, false}], + [{ssl_options, Options}, {revoked_options, RevokedOptions} | Config]. end_per_suite(Config) -> application:stop(epp_proxy), 
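Review bot: `lager:info` is a low level for a failed TLS handshake on a service that authenticates clients by certificate — a revoked or unknown client certificate is exactly the event an operator wants surfaced, and `info` is routinely filtered out of production sinks; `lager:warning` (or `notice`) fits better. The helper has no `-spec` and its name does not reveal that it never returns; add `-spec log_on_invalid_handshake(inet:ip_address(), term()) -> no_return().` and a comment such as `%% Logs the failed handshake with the peer address and terminates the worker normally; the peer has already received the TLS alert from ssl:handshake/1.` Printing `Error` with `~p` is fine here because `ssl` error terms carry alert descriptions rather than key material, but keep it that way and do not extend the line to dump `State`.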
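Review bot: `RevokedOptions` in `init_per_suite/1` is a copy of `Options` with only the fixture name changed, so a third fixture means a third copy; a small helper `client_options(Dir, Name)` that builds `[binary, {certfile, ...}, {keyfile, ...}, {active, false}]` from the fixture name keeps the two lists from drifting apart. Neither list sets `{verify, verify_peer}` with the test `cacertfile`, so the client accepts whatever server certificate it is offered; that is reasonable for a loopback test but should be stated, e.g. `%% No server verification: loopback test against the self-signed test CA.` The `init_per_suite/1` body is complete within the hunk.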
@@ -170,6 +176,15 @@ error_test_case(Config) -> "Command syntax error."), ok. +revoked_cert_test_case(Config) -> + Options = proplists:get_value(revoked_options, Config), + {error, Error} = ssl:connect("localhost", 1443, Options, 2000), + ct:pal("~p", [Error]), + {tls_alert, + {certificate_revoked, + "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error, + ok. + %% Helper functions: length_of_data(Data) -> EPPEnvelope = binary:part(Data, {0, 4}), From 8afbf225407ba9dcdc0826be53777eaab1bcb38b Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:20:37 +0300 Subject: [PATCH 6/7] Add password for test CA to readme file --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f2dfd04..2cb948e 100644 --- a/README.md +++ b/README.md @@ -139,7 +139,8 @@ tests, there is a small Roda application located in `apps/epp_proxy/priv/test_ba It has been written with Ruby 2.6.3. There is also a number of generated ssl certificates that are used only for testing. Those are -valid until 2029 and they are located in `apps/epp_proxy/priv/test_ca`. +valid until 2029 and they are located in `apps/epp_proxy/priv/test_ca`. The password for test CA +is `password`. You need to start the backend application before running the test suite. To start it as a deamon, from the root folder of the project, execute: From 0231aae27038a315f3bdf436b52bb6f5fd8aed28 Mon Sep 17 00:00:00 2001 From: Maciej Szlosarczyk Date: Mon, 29 Jul 2019 11:25:16 +0300 Subject: [PATCH 7/7] Reformat code --- apps/epp_proxy/src/epp_http_client.erl | 6 ++++-- apps/epp_proxy/src/epp_tls_worker.erl | 15 +++++++-------- apps/epp_proxy/test/tls_client_SUITE.erl | 1 - 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apps/epp_proxy/src/epp_http_client.erl b/apps/epp_proxy/src/epp_http_client.erl index f9f364f..c52bc70 100644 --- a/apps/epp_proxy/src/epp_http_client.erl +++ b/apps/epp_proxy/src/epp_http_client.erl 
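Review bot: `revoked_cert_test_case/1` pins the full alert text `"received CLIENT ALERT: Fatal - Certificate Revoked"`, a human-readable string produced by the OTP `ssl` application that changes between OTP releases, so the suite will break on an upgrade with no change in behaviour; assert on the structured reason only, `{error, {tls_alert, {certificate_revoked, _}}} = ssl:connect("localhost", 1443, Options, 2000)`. The hard-coded `1443` and `2000` are fine only if the other cases in this suite do the same (they are outside the hunk); otherwise take them from `Config`. A one-line `%% The proxy must reject a certificate listed in priv/test_ca/crl/crl.pem before any EPP frame is exchanged.` above the function ties it to the fixture produced by `generate_certificates.sh`.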
@@ -82,10 +82,12 @@ request_from_map(#{command := Command, %% Return form data or an empty list. request_body(?helloCommand, _, _) -> ""; request_body(_Command, RawFrame, nomatch) -> - {multipart, [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}]}; + {multipart, + [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}]}; request_body(_Command, RawFrame, ClTRID) -> {multipart, - [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}, {<<"clTRID">>, ClTRID}]}. + [{<<"raw_frame">>, RawFrame}, {<<"frame">>, RawFrame}, + {<<"clTRID">>, ClTRID}]}. %% Return a list of properties that each represent a query part in a query string. %% [{"user", "eis"}]} becomes later https://example.com?user=eis diff --git a/apps/epp_proxy/src/epp_tls_worker.erl b/apps/epp_proxy/src/epp_tls_worker.erl index e7d7aad..f374f66 100644 --- a/apps/epp_proxy/src/epp_tls_worker.erl +++ b/apps/epp_proxy/src/epp_tls_worker.erl @@ -44,15 +44,13 @@ start_link(Socket) -> %% mod_epp does exactly the same thing. handle_cast(serve, State = #state{socket = Socket}) -> {ok, {PeerIp, _PeerPort}} = ssl:peername(Socket), - case ssl:handshake(Socket) of - {ok, SecureSocket} -> - NewState = state_from_socket(SecureSocket, State), - {noreply, NewState}; - {error, Error} -> - log_on_invalid_handshake(PeerIp, Error) + {ok, SecureSocket} -> + NewState = state_from_socket(SecureSocket, State), + {noreply, NewState}; + {error, Error} -> + log_on_invalid_handshake(PeerIp, Error) end; - %% Step two: Using the state of the connection, get the hello route %% from http server. Send the response from HTTP server back to EPP %% client. When this succeeds, send "process_command" to self and @@ -169,7 +167,8 @@ log_on_timeout(State) -> log_on_invalid_handshake(Ip, Error) -> ReadableIp = epp_util:readable_ip(Ip), - lager:info("Failed SSL handshake. IP: ~s, Error: [~p]~n", + lager:info("Failed SSL handshake. IP: ~s, Error: " + "[~p]~n", [ReadableIp, Error]), exit(normal). 
diff --git a/apps/epp_proxy/test/tls_client_SUITE.erl b/apps/epp_proxy/test/tls_client_SUITE.erl index a9e8eb0..ae86826 100644 --- a/apps/epp_proxy/test/tls_client_SUITE.erl +++ b/apps/epp_proxy/test/tls_client_SUITE.erl @@ -179,7 +179,6 @@ error_test_case(Config) -> revoked_cert_test_case(Config) -> Options = proplists:get_value(revoked_options, Config), {error, Error} = ssl:connect("localhost", 1443, Options, 2000), - ct:pal("~p", [Error]), {tls_alert, {certificate_revoked, "received CLIENT ALERT: Fatal - Certificate Revoked"}} = Error,