
  1. package sarama
  2. import (
  3. "crypto/rand"
  4. "crypto/rsa"
  5. "crypto/tls"
  6. "crypto/x509"
  7. "crypto/x509/pkix"
  8. "math/big"
  9. "net"
  10. "testing"
  11. "time"
  12. )
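// TestTLS exercises the client side of the TLS handshake. A throwaway CA signs
// one server certificate (valid for 127.0.0.1) and one client certificate; the
// server always requires and verifies a client certificate, and each table case
// hands the client a deliberately broken or a correct tls.Config.
func TestTLS(t *testing.T) {
	cakey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		t.Fatal(err)
	}
	clientkey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		t.Fatal(err)
	}
	hostkey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		t.Fatal(err)
	}

	// An hour of slack on either side keeps the certificates valid even when the
	// test machine's clock is slightly off.
	now := time.Now()
	nvb := now.Add(-1 * time.Hour)
	nva := now.Add(1 * time.Hour)

	// Serial numbers must be unique per issuer (RFC 5280, 4.1.2.2); give every
	// certificate its own value instead of reusing 0 for all three.
	var lastSerial int64
	nextSerial := func() *big.Int {
		lastSerial++
		return big.NewInt(lastSerial)
	}

	// The Issuer of a certificate is taken from the parent's Subject by
	// x509.CreateCertificate, so the templates only describe their own identity.
	caTemplate := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "ca"},
		SerialNumber:          nextSerial(),
		NotAfter:              nva,
		NotBefore:             nvb,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	// Self-signed root: the template is its own parent.
	caDer, err := x509.CreateCertificate(rand.Reader, caTemplate, caTemplate, &cakey.PublicKey, cakey)
	if err != nil {
		t.Fatal(err)
	}
	caFinalCert, err := x509.ParseCertificate(caDer)
	if err != nil {
		t.Fatal(err)
	}

	// Server leaf. The mock broker listens on loopback, so the client verifies it
	// through the IP SAN rather than a DNS name.
	hostDer, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		Subject:      pkix.Name{CommonName: "host"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		SerialNumber: nextSerial(),
		NotAfter:     nva,
		NotBefore:    nvb,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caFinalCert, &hostkey.PublicKey, cakey)
	if err != nil {
		t.Fatal(err)
	}

	// Client leaf, restricted to client authentication.
	clientDer, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		Subject:      pkix.Name{CommonName: "client"},
		SerialNumber: nextSerial(),
		NotAfter:     nva,
		NotBefore:    nvb,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caFinalCert, &clientkey.PublicKey, cakey)
	if err != nil {
		t.Fatal(err)
	}

	// pool trusts only the throwaway CA. systemCerts is the host trust store,
	// which does not contain it, so a client using systemCerts must reject the
	// server certificate.
	pool := x509.NewCertPool()
	pool.AddCert(caFinalCert)
	systemCerts, err := x509.SystemCertPool()
	if err != nil {
		t.Fatal(err)
	}

	// Keep the server the same in every case - it's the client that is under test.
	// RequireAndVerifyClientCert makes the server reject any client that presents
	// no certificate or one not chaining to pool.
	serverTLSConfig := &tls.Config{
		Certificates: []tls.Certificate{{
			Certificate: [][]byte{hostDer},
			PrivateKey:  hostkey,
		}},
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
	}

	for _, tc := range []struct {
		name           string
		Succeed        bool
		Server, Client *tls.Config
	}{
		{
			name:    "Verify client fails if wrong CA cert pool is specified",
			Succeed: false,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				RootCAs: systemCerts,
				Certificates: []tls.Certificate{{
					Certificate: [][]byte{clientDer},
					PrivateKey:  clientkey,
				}},
			},
		},
		{
			name:    "Verify client fails if wrong key is specified",
			Succeed: false,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				RootCAs: pool,
				Certificates: []tls.Certificate{{
					Certificate: [][]byte{clientDer},
					PrivateKey:  hostkey, // does not match clientDer's public key
				}},
			},
		},
		{
			name:    "Verify client fails if wrong cert is specified",
			Succeed: false,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				RootCAs: pool,
				Certificates: []tls.Certificate{{
					Certificate: [][]byte{hostDer}, // server cert, not the client cert
					PrivateKey:  clientkey,
				}},
			},
		},
		{
			name:    "Verify client fails if no CAs are specified",
			Succeed: false,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				Certificates: []tls.Certificate{{
					Certificate: [][]byte{clientDer},
					PrivateKey:  clientkey,
				}},
			},
		},
		{
			name:    "Verify client fails if no keys are specified",
			Succeed: false,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				RootCAs: pool,
			},
		},
		{
			name:    "Finally, verify it all works happily with client and server cert in place",
			Succeed: true,
			Server:  serverTLSConfig,
			Client: &tls.Config{
				RootCAs: pool,
				Certificates: []tls.Certificate{{
					Certificate: [][]byte{clientDer},
					PrivateKey:  clientkey,
				}},
			},
		},
	} {
		t.Run(tc.name, func(t *testing.T) { doListenerTLSTest(t, tc.Succeed, tc.Server, tc.Client) })
	}
}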
// doListenerTLSTest starts a one-shot mock broker behind a tls.Listener built
// from serverConfig and dials it with a sarama client configured with
// clientConfig. When expectSuccess is set the client must connect; otherwise
// NewClient must return an error.
func doListenerTLSTest(t *testing.T, expectSuccess bool, serverConfig, clientConfig *tls.Config) {
	// NOTE(review): BuildNameToCertificate is deprecated since Go 1.14; crypto/tls
	// picks a compatible chain from Certificates on its own when NameToCertificate
	// is left nil. The calls are kept so the configs behave exactly as before.
	serverConfig.BuildNameToCertificate()
	clientConfig.BuildNameToCertificate()

	// Port 0 lets the kernel choose a free loopback port; the caller's server
	// certificate is expected to cover 127.0.0.1 so the client can verify it.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig)
	if err != nil {
		t.Fatal("cannot open listener", err)
	}

	// In the negative cases the handshake is supposed to fail, and the mock
	// broker presumably reports that through its testing.T. Hand it a detached
	// T so those reports do not fail the real test.
	brokerT := t
	if !expectSuccess {
		brokerT = &testing.T{}
	}
	broker := NewMockBrokerListener(brokerT, 1, ln)
	defer broker.Close()
	broker.Returns(new(MetadataResponse))

	cfg := NewConfig()
	cfg.Net.TLS.Enable = true
	cfg.Net.TLS.Config = clientConfig

	client, err := NewClient([]string{broker.Addr()}, cfg)
	if err == nil {
		safeClose(t, client)
	}

	switch {
	case expectSuccess && err != nil:
		t.Fatal(err)
	case !expectSuccess && err == nil:
		t.Fatal("expected failure")
	}
}
// TestSetServerName checks how validServerNameTLS derives tls.Config.ServerName
// from a broker address. ServerName is the name crypto/tls verifies the server
// certificate against, so an explicitly configured name must win, a host:port
// address must contribute its host part, and an address without a port must
// yield no ServerName at all.
func TestSetServerName(t *testing.T) {
	cases := []struct {
		addr string
		cfg  *tls.Config
		want string
		msg  string
	}{
		{
			addr: "kafka-server.domain.com:9093",
			cfg:  nil,
			want: "kafka-server.domain.com",
			msg:  "Expected kafka-server.domain.com as tls.ServerName when tls config is nil",
		},
		{
			addr: "kafka-server.domain.com:9093",
			cfg:  &tls.Config{},
			want: "kafka-server.domain.com",
			msg:  "Expected kafka-server.domain.com as tls.ServerName when tls config ServerName is not provided",
		},
		{
			addr: "",
			cfg:  &tls.Config{ServerName: "kafka-server-other.domain.com"},
			want: "kafka-server-other.domain.com",
			msg:  "Expected kafka-server-other.domain.com as tls.ServerName when tls config ServerName is provided",
		},
		{
			addr: "host-no-port",
			cfg:  nil,
			want: "",
			msg:  "Expected empty ServerName as the broker addr is missing the port",
		},
	}

	// Cases run in order and the first mismatch aborts the test, matching the
	// original sequence of checks.
	for _, tc := range cases {
		if got := validServerNameTLS(tc.addr, tc.cfg).ServerName; got != tc.want {
			t.Fatal(tc.msg)
		}
	}
}
  207. }