Simplify testing with TLS (#4095)

2018-05-04 16:33:23 -07:00
parent 6e10a4ea88
commit 55b4fcb40d
92 changed files with 1246 additions and 1360 deletions
--- a/testutil/pki/cacert.pem
+++ b/testutil/pki/cacert.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIB0TCCATqgAwIBAgIJAMgbq6rkA4b/MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
+BAMMEFRlbGVncmFmIFRlc3QgQ0EwHhcNMTgwNTAzMDEwNTI5WhcNMjgwNDMwMDEw
+NTI5WjAbMRkwFwYDVQQDDBBUZWxlZ3JhZiBUZXN0IENBMIGfMA0GCSqGSIb3DQEB
+AQUAA4GNADCBiQKBgQDTySxyXeyQQjCOtNQ/7cKtXN91sp4B1k7whPKBO6yXEFFR
+rYaw76xY5CTTPTJaAPBJ+amHPdPGfmGq6yX10tjAaWQQYV26Axngfpti6F14ci0/
+X/sTay8ii/4Du5DRr9f9rHVimPASR1fkgK+IFhXnONn1R+pNbHYmGS4OVNyoPwID
+AQABox0wGzAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQsF
+AAOBgQA9v3eMU33q+bGPEd65kKQcVddPEFdSqmuUJMeO2VQmUFc/ejkP48u42eDK
+Y1GAR+209XgkuWItEBH8HJysOU2plunuIPXpnPcxyP30tpFVLaWzWTQvUehhYpfQ
+C0v9Re3jdLfLORxiaAPyyKogMpAQrjGX+u1aMSOCkcTD2Hjvbw==
+-----END CERTIFICATE-----
--- a/testutil/pki/cakey.pem
+++ b/testutil/pki/cakey.pem
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANPJLHJd7JBCMI60
+1D/twq1c33WyngHWTvCE8oE7rJcQUVGthrDvrFjkJNM9MloA8En5qYc908Z+Yarr
+JfXS2MBpZBBhXboDGeB+m2LoXXhyLT9f+xNrLyKL/gO7kNGv1/2sdWKY8BJHV+SA
+r4gWFec42fVH6k1sdiYZLg5U3Kg/AgMBAAECgYA2PCtssk7Vdo3WzcoZAPs8yC7V
+hkNedxJKF9G+dJizKtOYVhbLEuWQ8gPYMLDHSbw/RXc7kgK8rzq1uXhEJpWo4THD
+CUUlxGRu3gt94202hbnEnV93Kix4hP98qpv1jPErlx2KywsRPTegMnUAZ2xeI564
+yYwDITqXALa/PqRqSQJBAPPZQeRDtBSfEjZFJS3IgUkmN3RJn4rJz+6D0ahgXPga
+YAYVe8SJyj2epLJP2aOBzrqBSUVkVGg8qOG5w+ibebsCQQDeVuUzYOffthO5f1Hl
+LvdEmfaHjXI0Q+grOnDjNRcvQaCDYYkC9JewBQmnpFrd85rN/Leo0gQ5Yyxp/ja5
+gPFNAkAFwn/38FF0mz1G4uM57Z6AJ9LvgD2wfYvXym1NWNlZUuYpvqApyEdqpTCm
+tZQidJJ5fUxJw1DrFWO30Td7axC5AkEAjSbRX6rXyhiHsS35SexlInI0Jp5PsIqj
+7D2vyS69R0z8oCvdlbi+TAsGtB0Navbqgnc8Cbs630vsuGWhTGdlyQJBAKqQ2gYw
+WeXH77FP8yDQOjpFw80tSyXVykT0Am75RF3sQ1OIn0o0DLhE+he0crb2n8g3FJh
+WyxmGkbTDelSG20=
+-----END PRIVATE KEY-----
--- a/testutil/pki/clientcert.pem
+++ b/testutil/pki/clientcert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAWKgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
+MBkGA1UEAwwSY2xpZW50LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAIE+yR
+WRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtXERb9
+CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQABo0sw
+STAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAaBgNVHREEEzARgglsb2NhbGhvc3SH
+BH8AAAEwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADgYEAVry0
+L07oTN+FMLncY/Be9BzFB3b3mnbxbZr58OgI4WHuOeYBuvDI033FIIIzpwb8XYpG
+HJkZlSbviqq19lAh/Cktl35BCNrA6Uc+dgW7QWhnYS2tZandVTo/8FFstJTNiiLw
+uiz/Hr3mRXUIDi5OygJHY1IZr8hFTOOJY+0ws3E=
+-----END CERTIFICATE-----
--- a/testutil/pki/clientkey.pem
+++ b/testutil/pki/clientkey.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDX7Plvu0MJtA9TrusYtQnAogsdiYJZd9wfFIjH5FxE3SWJ4KAI
+E+yRWRqcqX8XnpieQLaNsfXhDPWLkWngTDydk4NO/jlAQk0e6+9+NeiZ2ViIHmtX
+ERb9CyiiWUmo+YCd69lhzSEIMK9EPBSDHQTgQMtEfGak03G5rx3MCakE1QIDAQAB
+AoGAOjRU4Lt3zKvO3d3u3ZAfet+zY1jn3DolCfO9EzUJcj6ymcIFIWhNgrikJcrC
+yZkkxrPnAbcQ8oNNxTuDcMTcKZbnyUnlQj5NtVuty5Q+zgf3/Q2pRhaE+TwrpOJ+
+ETtVp9R/PrPN2NC5wPo289fPNWFYkd4DPbdWZp5AJHz1XYECQQD3kKpinJxMYp9F
+Q1Qj1OkxGln0KPgdqRYjjW/rXI4/hUodfg+xXWHPFSGj3AgEjQIvuengbOAeH3qo
+wF1uxVTlAkEA30hXM3EbboMCDQzNRNkkV9EiZ0MZXhj1aIGl+sQZOmOeFdcdjGkD
+dsA42nmaYqXCD9KAvc+S/tGJaa0Qg0VhMQJAb2+TAqh0Qn3yK39PFIH2JcAy1ZDL
+fq5p5L75rfwPm9AnuHbSIYhjSo+8gMG+ai3+2fTZrcfUajrJP8S3SfFRcQJBANQQ
+POHatxcKzlPeqMaPBXlyY553mAxK4CnVmPLGdL+EBYzwtlu5EVUj09uMSxkOHXYx
+k5yzHQVvtXbsrBZBOsECQBJLlkMjJmXrIIdLPmHQWL3bm9MMg1PqzupSEwz6cyrG
+uIIm/X91pDyxCHaKYWp38FXBkYAgohI8ow5/sgRvU5w=
+-----END RSA PRIVATE KEY-----
--- a/testutil/pki/servercert.pem
+++ b/testutil/pki/servercert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB+TCCAWKgAwIBAgIBATANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQDDBBUZWxl
+Z3JhZiBUZXN0IENBMB4XDTE4MDUwMzAxMDUyOVoXDTI4MDQzMDAxMDUyOVowHTEb
+MBkGA1UEAwwSc2VydmVyLmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37uY6D
+L55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6yj0ij
+ySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQABo0sw
+STAJBgNVHRMEAjAAMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATALBgNVHQ8E
+BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADgYEATNnM
+ol0s29lJ+WkP+HUFtKaXxQ+kXLADqfhsk2G1/kZAVRHsYUDlJ+GkHnWIHlg/ggIP
+JS+z44iwMPOtzJQI7MvAFYVKpYAEdIFTjXf6GafLjUfoXYi0vwHoVJHtQu3Kpm9L
+Ugm02h0ycIadN8RdWAAFUf6XpVKUJa0YYLuyaXY=
+-----END CERTIFICATE-----
--- a/testutil/pki/serverkey.pem
+++ b/testutil/pki/serverkey.pem
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDTBmLJ0pBFUxnPkkx38sBnOKvs+OinVqxTnVcc1iCyQJQleB37
+uY6DL55mSsPvnad/oDpyGpHt4RVtrhmyC6ptSrWLyk7mraeAo30Cooqr5tA9A+6y
+j0ijySLlYimTMQy8tbnVNWLwKbxgT9N4NlUzwyqxLWUMfRzLfmefqzk5bQIDAQAB
+AoGBALWQAgFJxM2QwV1hr59oYnitPudmBa6smRpb/q6V4Y3cmFpgrdN+hIqEtxGl
+9E0+5PWfI4o3KCV2itxSdlNFTDyqTZkM+BT8PPKISzAewkdqnKjbWgAmluzOJH4O
+hc1zBfIOuT5+cfx5JR5/j9BhWVC7BJ+EiREkd/Z8ZnAMeItVAkEA8bhcC+8luiFQ
+6kytXx2XfbKKh4Q99+KEQHqSGeuHZOcnWfjX99jo67CIxpwBRENslpZOw78fBmi4
+4kf8j+dgLwJBAN99zyRxYzKc8TSsy/fF+3V/Ex75HYGGS/eOWcwPFXpGNA63hIa8
+fJ/2pDnLzCqLZ9vWdBF39NtkacJS7bo6XSMCQQCZgN2bipSn3k53bJhRJga1gXOt
+2dJMoGIiXHR513QVJSJ9ZaUpNWu9eU9y6VF4m2TTQMLmVnIKbOi0csi2TlZrAkAi
+7URsC5RXGpPPiZmutTAhIqTYWFI2JcjFfWenLkxK+aG1ExURAW/wh9kOdz0HARZQ
+Eum8uSR5DO5CQjeIvQpFAkAgZJXAwRxuts/p1EoLuPCJTaDkIY2vc0AJzzr5nuAs
+pyjnLYCYqSBUJ+3nDDBqNYpgxCJddzmjNxGuO7mef9Ue
+-----END RSA PRIVATE KEY-----
--- a/testutil/pki/tls-certs.sh
+++ b/testutil/pki/tls-certs.sh
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+mkdir certs certs_by_serial private &&
+chmod 700 private &&
+echo 01 > ./serial &&
+touch ./index.txt &&
+cat >./openssl.conf <<EOF
+[ ca ]
+default_ca = telegraf_ca
+
+[ telegraf_ca ]
+certificate = ./certs/cacert.pem
+database = ./index.txt
+new_certs_dir = ./certs_by_serial
+private_key = ./private/cakey.pem
+serial = ./serial
+
+default_crl_days = 3650
+default_days = 3650
+default_md = sha256
+
+policy = telegraf_ca_policy
+x509_extensions = certificate_extensions
+
+[ telegraf_ca_policy ]
+commonName = supplied
+
+[ certificate_extensions ]
+basicConstraints = CA:false
+
+[ req ]
+default_bits = 1024
+default_keyfile = ./private/cakey.pem
+default_md = sha256
+prompt = yes
+distinguished_name = root_ca_distinguished_name
+x509_extensions = root_ca_extensions
+
+[ root_ca_distinguished_name ]
+commonName = hostname
+
+[ root_ca_extensions ]
+basicConstraints = CA:true
+keyUsage = keyCertSign, cRLSign
+
+[ client_ca_extensions ]
+basicConstraints = CA:false
+keyUsage = digitalSignature
+subjectAltName = @client_alt_names
+extendedKeyUsage = 1.3.6.1.5.5.7.3.2
+
+[ client_alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+
+[ server_ca_extensions ]
+basicConstraints = CA:false
+subjectAltName = @server_alt_names
+keyUsage = keyEncipherment, digitalSignature
+extendedKeyUsage = 1.3.6.1.5.5.7.3.1
+
+[ server_alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1
+EOF
+openssl req -x509 -config ./openssl.conf -days 3650 -newkey rsa:1024 -out ./certs/cacert.pem -keyout ./private/cakey.pem -subj "/CN=Telegraf Test CA/" -nodes &&
+
+# Create server keypair
+openssl genrsa -out ./private/serverkey.pem 1024 &&
+openssl req -new -key ./private/serverkey.pem -out ./certs/servercsr.pem -outform PEM -subj "/CN=server.localdomain/O=server/" &&
+openssl ca -config ./openssl.conf -in ./certs/servercsr.pem -out ./certs/servercert.pem -notext -batch -extensions server_ca_extensions &&
+
+# Create client keypair
+openssl genrsa -out ./private/clientkey.pem 1024 &&
+openssl req -new -key ./private/clientkey.pem -out ./certs/clientcsr.pem -outform PEM -subj "/CN=client.localdomain/O=client/" &&
+openssl ca -config ./openssl.conf -in ./certs/clientcsr.pem -out ./certs/clientcert.pem -notext -batch -extensions client_ca_extensions