client_tls_test.go 4.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206
  1. package sarama
  2. import (
  3. "math/big"
  4. "net"
  5. "testing"
  6. "time"
  7. "crypto/rand"
  8. "crypto/rsa"
  9. "crypto/tls"
  10. "crypto/x509"
  11. "crypto/x509/pkix"
  12. )
  13. func TestTLS(t *testing.T) {
  14. cakey, err := rsa.GenerateKey(rand.Reader, 2048)
  15. if err != nil {
  16. t.Fatal(err)
  17. }
  18. clientkey, err := rsa.GenerateKey(rand.Reader, 2048)
  19. if err != nil {
  20. t.Fatal(err)
  21. }
  22. hostkey, err := rsa.GenerateKey(rand.Reader, 2048)
  23. if err != nil {
  24. t.Fatal(err)
  25. }
  26. nvb := time.Now().Add(-1 * time.Hour)
  27. nva := time.Now().Add(1 * time.Hour)
  28. caTemplate := &x509.Certificate{
  29. Subject: pkix.Name{CommonName: "ca"},
  30. Issuer: pkix.Name{CommonName: "ca"},
  31. SerialNumber: big.NewInt(0),
  32. NotAfter: nva,
  33. NotBefore: nvb,
  34. IsCA: true,
  35. BasicConstraintsValid: true,
  36. KeyUsage: x509.KeyUsageCertSign,
  37. }
  38. caDer, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &cakey.PublicKey, cakey)
  39. if err != nil {
  40. t.Fatal(err)
  41. }
  42. caFinalCert, err := x509.ParseCertificate(caDer)
  43. if err != nil {
  44. t.Fatal(err)
  45. }
  46. hostDer, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
  47. Subject: pkix.Name{CommonName: "host"},
  48. Issuer: pkix.Name{CommonName: "ca"},
  49. IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
  50. SerialNumber: big.NewInt(0),
  51. NotAfter: nva,
  52. NotBefore: nvb,
  53. ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
  54. }, caFinalCert, &hostkey.PublicKey, cakey)
  55. if err != nil {
  56. t.Fatal(err)
  57. }
  58. clientDer, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
  59. Subject: pkix.Name{CommonName: "client"},
  60. Issuer: pkix.Name{CommonName: "ca"},
  61. SerialNumber: big.NewInt(0),
  62. NotAfter: nva,
  63. NotBefore: nvb,
  64. ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
  65. }, caFinalCert, &clientkey.PublicKey, cakey)
  66. if err != nil {
  67. t.Fatal(err)
  68. }
  69. pool := x509.NewCertPool()
  70. pool.AddCert(caFinalCert)
  71. systemCerts, err := x509.SystemCertPool()
  72. if err != nil {
  73. t.Fatal(err)
  74. }
  75. // Keep server the same - it's the client that we're testing
  76. serverTLSConfig := &tls.Config{
  77. Certificates: []tls.Certificate{{
  78. Certificate: [][]byte{hostDer},
  79. PrivateKey: hostkey,
  80. }},
  81. ClientAuth: tls.RequireAndVerifyClientCert,
  82. ClientCAs: pool,
  83. }
  84. for _, tc := range []struct {
  85. Succeed bool
  86. Server, Client *tls.Config
  87. }{
  88. { // Verify client fails if wrong CA cert pool is specified
  89. Succeed: false,
  90. Server: serverTLSConfig,
  91. Client: &tls.Config{
  92. RootCAs: systemCerts,
  93. Certificates: []tls.Certificate{{
  94. Certificate: [][]byte{clientDer},
  95. PrivateKey: clientkey,
  96. }},
  97. },
  98. },
  99. { // Verify client fails if wrong key is specified
  100. Succeed: false,
  101. Server: serverTLSConfig,
  102. Client: &tls.Config{
  103. RootCAs: pool,
  104. Certificates: []tls.Certificate{{
  105. Certificate: [][]byte{clientDer},
  106. PrivateKey: hostkey,
  107. }},
  108. },
  109. },
  110. { // Verify client fails if wrong cert is specified
  111. Succeed: false,
  112. Server: serverTLSConfig,
  113. Client: &tls.Config{
  114. RootCAs: pool,
  115. Certificates: []tls.Certificate{{
  116. Certificate: [][]byte{hostDer},
  117. PrivateKey: clientkey,
  118. }},
  119. },
  120. },
  121. { // Verify client fails if no CAs are specified
  122. Succeed: false,
  123. Server: serverTLSConfig,
  124. Client: &tls.Config{
  125. Certificates: []tls.Certificate{{
  126. Certificate: [][]byte{clientDer},
  127. PrivateKey: clientkey,
  128. }},
  129. },
  130. },
  131. { // Verify client fails if no keys are specified
  132. Succeed: false,
  133. Server: serverTLSConfig,
  134. Client: &tls.Config{
  135. RootCAs: pool,
  136. },
  137. },
  138. { // Finally, verify it all works happily with client and server cert in place
  139. Succeed: true,
  140. Server: serverTLSConfig,
  141. Client: &tls.Config{
  142. RootCAs: pool,
  143. Certificates: []tls.Certificate{{
  144. Certificate: [][]byte{clientDer},
  145. PrivateKey: clientkey,
  146. }},
  147. },
  148. },
  149. } {
  150. doListenerTLSTest(t, tc.Succeed, tc.Server, tc.Client)
  151. }
  152. }
  153. func doListenerTLSTest(t *testing.T, expectSuccess bool, serverConfig, clientConfig *tls.Config) {
  154. serverConfig.BuildNameToCertificate()
  155. clientConfig.BuildNameToCertificate()
  156. seedListener, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig)
  157. if err != nil {
  158. t.Fatal("cannot open listener", err)
  159. }
  160. var childT *testing.T
  161. if expectSuccess {
  162. childT = t
  163. } else {
  164. childT = &testing.T{} // we want to swallow errors
  165. }
  166. seedBroker := NewMockBrokerListener(childT, 1, seedListener)
  167. defer seedBroker.Close()
  168. seedBroker.Returns(new(MetadataResponse))
  169. config := NewConfig()
  170. config.Net.TLS.Enable = true
  171. config.Net.TLS.Config = clientConfig
  172. client, err := NewClient([]string{seedBroker.Addr()}, config)
  173. if err == nil {
  174. safeClose(t, client)
  175. }
  176. if expectSuccess {
  177. if err != nil {
  178. t.Fatal(err)
  179. }
  180. } else {
  181. if err == nil {
  182. t.Fatal("expected failure")
  183. }
  184. }
  185. }