mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-17 03:57:01 +02:00
* Adds automated ACME tests using Caddy.
* Do not use CheckSignatureFrom method to validate TLS-ALPN-01 challenges
* Uncomment TLS-ALPN test.
* Fix validation of tls-alpn-01 keyAuthz

  Surprisingly, this failure was not caught by our earlier, but unmerged acme.sh tests:

  > 2023-06-07T19:35:27.6963070Z PASS builtin/logical/pkiext/pkiext_binary.Test_ACME/group/acme.sh_tls-alpn (33.06s)

  from https://github.com/hashicorp/vault/pull/20987.

  Notably, we had two failures:

  1. The extension's raw value is not used, but is instead an OCTET STRING encoded version:

     > The extension has the following ASN.1 [X.680] format :
     >
     > Authorization ::= OCTET STRING (SIZE (32))
     >
     > The extnValue of the id-pe-acmeIdentifier extension is the ASN.1
     > DER encoding [X.690] of the Authorization structure, which
     > contains the SHA-256 digest of the key authorization for the
     > challenge.

  2. Unlike DNS, the SHA-256 is directly embedded in the authorization, as evidenced by the `SIZE (32)` annotation in the quote above: we were instead expecting this to be url base-64 encoded, which would have a different size.

  This failure was caught by Matt, testing with Caddy. :-)

  Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Quick gofmt run.
* Fix challenge encoding in TLS-ALPN-01 challenge tests
* Rename a PKI test helper that retrieves the Vault cluster listener's cert to distinguish it from the method that retrieves the PKI mount's CA cert. Combine a couple of Docker file copy commands into one.

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
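The two failures the commit message lists, as an added example in Go that is not Vault's own code: the client-side id-pe-acmeIdentifier extension encoded the way the quoted RFC text requires (DER OCTET STRING around the raw 32-byte digest), a server-side check that enforces the `SIZE (32)` constraint, and the base64url variant the old validation expected, which that check rejects. The function names are mine and the key authorization string in the usage is a constructed sample; the OID is the one RFC 8737 assigns to the extension.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"fmt"
)

// OID of id-pe-acmeIdentifier (RFC 8737: { id-pe 31 }).
var idPeAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// Client side: the critical extension whose extnValue is a DER OCTET STRING of the raw 32-byte SHA-256 of keyAuthz.
func acmeIdentifierExtension(keyAuthz string) (pkix.Extension, error) {
	digest := sha256.Sum256([]byte(keyAuthz))
	value, err := asn1.Marshal(digest[:]) // a []byte marshals as OCTET STRING
	if err != nil {
		return pkix.Extension{}, err
	}
	return pkix.Extension{Id: idPeAcmeIdentifier, Critical: true, Value: value}, nil
}

// The encoding the pre-fix validation wrongly expected: base64url text of the digest (43 bytes), not the raw digest.
func base64urlEncodedIdentifier(keyAuthz string) ([]byte, error) {
	digest := sha256.Sum256([]byte(keyAuthz))
	return asn1.Marshal([]byte(base64.RawURLEncoding.EncodeToString(digest[:])))
}

// Server side: unwrap the OCTET STRING, enforce SIZE (32), and compare with the expected digest in constant time.
func validateAcmeIdentifier(extnValue []byte, keyAuthz string) error {
	var got []byte
	rest, err := asn1.Unmarshal(extnValue, &got)
	if err != nil {
		return fmt.Errorf("extnValue is not a DER OCTET STRING: %w", err)
	}
	if len(rest) != 0 {
		return fmt.Errorf("%d trailing bytes after Authorization", len(rest))
	}
	if len(got) != sha256.Size {
		return fmt.Errorf("Authorization must be %d bytes, got %d", sha256.Size, len(got))
	}
	want := sha256.Sum256([]byte(keyAuthz))
	if subtle.ConstantTimeCompare(got, want[:]) != 1 {
		return fmt.Errorf("key authorization digest mismatch")
	}
	return nil
}
```

The length check is what catches the second bug: a base64url digest is 43 bytes, so it can never satisfy `SIZE (32)`, while the raw digest produces exactly 34 bytes of extnValue (`04 20` plus the hash).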
- pkiext_binary
- nginx_test.go
- README.md
- test_helpers.go
- zlint_test.go
# What is `pkiext`?

`pkiext` exists to split the Docker tests into a separate package from the main PKI tests. Because the Docker tests execute in a smaller runner with fewer resources, and we were hitting timeouts waiting for the entire PKI test suite to run, we need to split the larger non-Docker PKI tests from the smaller Docker tests, to ensure the former can execute.

This package should lack any non-test related targets.