tests: Enable client certificate verification in the TLS tests (osque…

…ry#8211) - Add an option in the python test server to enable client certificate verification, since it was assumed to be on by some tests, but it wasn't. - Enable osquery_remote_transports_remotetransportstlstests-test on Windows, since it was incorrectly skipped. - Format test_http_server.py using black. - Use the non deprecated flag in the server to select the protocol versions - Regenerate test certificates to support strict checks with TLS 1.3 and OpenSSL 3.x
trailofbits · Dec 13, 2023 · f50be81 · f50be81
1 parent b76c460
commit f50be81
Show file tree

Hide file tree

Showing 8 changed files with 228 additions and 177 deletions.
diff --git a/osquery/remote/tests/test_utils.cpp b/osquery/remote/tests/test_utils.cpp
@@ -36,7 +36,8 @@ DECLARE_string(enroll_secret_path);
 DECLARE_bool(disable_caching);
 
 Status TLSServerRunner::startAndSetScript(const std::string& port,
-                                          const std::string& server_cert) {
+                                          const std::string& server_cert,
+                                          bool verify_client_cert) {
   auto script = (getTestHelperScriptsDirectory() / "test_http_server.py");
   auto config_dir = getTestConfigDirectory();
   std::vector<std::string> args = {
@@ -52,6 +53,10 @@ Status TLSServerRunner::startAndSetScript(const std::string& port,
     args.push_back(server_cert);
   }
 
+  if (verify_client_cert) {
+    args.push_back("--verify-client-cert");
+  }
+
   args.push_back(port);
 
   const auto cmd = osquery::join(args, " ");
@@ -82,7 +87,8 @@ Status TLSServerRunner::getListeningPortPid(const std::string& port,
   return Status::success();
 }
 
-bool TLSServerRunner::start(const std::string& server_cert) {
+bool TLSServerRunner::start(const std::string& server_cert,
+                            bool verify_client_cert) {
   auto& self = instance();
   if (self.server_ != nullptr) {
     return true;
@@ -107,7 +113,8 @@ bool TLSServerRunner::start(const std::string& server_cert) {
       }
     }
 
-    auto status = self.startAndSetScript(self.port_, server_cert);
+    auto status =
+        self.startAndSetScript(self.port_, server_cert, verify_client_cert);
     if (!status.ok()) {
       // This is an unexpected problem, retry without waiting.
       LOG(WARNING) << status.getMessage();
@@ -171,6 +178,14 @@ void TLSServerRunner::setClientConfig() {
                     (getTestConfigDirectory() / "test_enroll_secret.txt")
                         .make_preferred()
                         .string());
+
+  Flag::updateValue(
+      "tls_client_cert",
+      (getTestConfigDirectory() / "test_client.pem").make_preferred().string());
+
+  Flag::updateValue(
+      "tls_client_key",
+      (getTestConfigDirectory() / "test_client.key").make_preferred().string());
 }
 
 void TLSServerRunner::unsetClientConfig() {

diff --git a/osquery/remote/tests/test_utils.h b/osquery/remote/tests/test_utils.h
@@ -43,7 +43,8 @@ class TLSServerRunner : private boost::noncopyable {
    *
    * A failure status is returned on error.
    */
-  static bool start(const std::string& server_cert = {});
+  static bool start(const std::string& server_cert = {},
+                    bool verify_client_cert = false);
 
   /// Stop the service when the process exits.
   static void stop();
@@ -63,7 +64,8 @@ class TLSServerRunner : private boost::noncopyable {
    * This does not check that the port was bound.
    */
   Status startAndSetScript(const std::string& port,
-                           const std::string& server_cert);
+                           const std::string& server_cert,
+                           bool verify_client_cert);
 
  private:
   /// Current server handle.
@@ -78,4 +80,4 @@ class TLSServerRunner : private boost::noncopyable {
   std::string tls_server_certs_;
   std::string enroll_secret_path_;
 };
-}
+} // namespace osquery
diff --git a/osquery/remote/transports/CMakeLists.txt b/osquery/remote/transports/CMakeLists.txt
@@ -7,7 +7,7 @@
 
 function(osqueryRemoteTransportsMain)
 
-  if(OSQUERY_BUILD_TESTS AND DEFINED PLATFORM_POSIX)
+  if(OSQUERY_BUILD_TESTS)
     generateOsqueryRemoteTransportsRemotetransportstlstestsTest()
   endif()
 
@@ -34,20 +34,18 @@ function(generateOsqueryRemoteTransportsTransportstls)
 
   generateIncludeNamespace(osquery_remote_transports_transportstls "osquery/remote/transports" "FILE_ONLY" ${public_header_files})
 
-  if(DEFINED PLATFORM_POSIX)
-    add_test(NAME osquery_remote_transports_remotetransportstlstests-test COMMAND osquery_remote_transports_remotetransportstlstests-test)
+  add_test(NAME osquery_remote_transports_remotetransportstlstests-test COMMAND osquery_remote_transports_remotetransportstlstests-test)
 
-    set(remotetransportstlstests-test_env
-      "TEST_CONF_FILES_DIR=${TEST_CONFIGS_DIR}"
-      "TEST_HELPER_SCRIPTS_DIR=${CMAKE_BINARY_DIR}/tools/tests"
-      "OSQUERY_PYTHON_INTERPRETER_PATH=${OSQUERY_PYTHON_EXECUTABLE}"
-    )
+  set(remotetransportstlstests-test_env
+    "TEST_CONF_FILES_DIR=${TEST_CONFIGS_DIR}"
+    "TEST_HELPER_SCRIPTS_DIR=${CMAKE_BINARY_DIR}/tools/tests"
+    "OSQUERY_PYTHON_INTERPRETER_PATH=${OSQUERY_PYTHON_EXECUTABLE}"
+  )
 
-    set_tests_properties(
-      osquery_remote_transports_remotetransportstlstests-test
-      PROPERTIES ENVIRONMENT "${remotetransportstlstests-test_env}"
-    )
-  endif()
+  set_tests_properties(
+    osquery_remote_transports_remotetransportstlstests-test
+    PROPERTIES ENVIRONMENT "${remotetransportstlstests-test_env}"
+  )
 endfunction()
 
 

diff --git a/osquery/remote/transports/tests/tls_transports_tests.cpp b/osquery/remote/transports/tests/tls_transports_tests.cpp
@@ -17,16 +17,16 @@
 
 #include <gtest/gtest.h>
 
-#include <osquery/logger/logger.h>
 #include <osquery/core/system.h>
+#include <osquery/logger/logger.h>
 #include <osquery/registry/registry_factory.h>
 #include <osquery/utils/info/platform_type.h>
 
 #include "osquery/remote/requests.h"
 #include "osquery/remote/serializers/json.h"
 
-#include "osquery/remote/tests/test_utils.h"
 #include "osquery/config/tests/test_utils.h"
+#include "osquery/remote/tests/test_utils.h"
 #include "osquery/tests/test_util.h"
 
 namespace osquery {
@@ -57,10 +57,11 @@ class TLSTransportsTests : public testing::Test {
     initDatabasePluginForTesting();
   }
 
-  void startServer(const std::string& server_cert = {}) {
+  void startServer(const std::string& server_cert = {},
+                   bool verify_client_cert = false) {
     certs_ = FLAGS_tls_server_certs;
     FLAGS_tls_server_certs = "";
-    ASSERT_TRUE(TLSServerRunner::start(server_cert));
+    ASSERT_TRUE(TLSServerRunner::start(server_cert, verify_client_cert));
     port_ = TLSServerRunner::port();
   }
 
@@ -178,7 +179,7 @@ TEST_F(TLSTransportsTests, test_call_server_cert_pinning) {
 }
 
 TEST_F(TLSTransportsTests, test_call_client_auth) {
-  startServer();
+  startServer({}, true);
 
   auto t = std::make_shared<TLSTransport>();
   t->setPeerCertificate(
@@ -197,7 +198,8 @@ TEST_F(TLSTransportsTests, test_call_client_auth) {
 
 TEST_F(TLSTransportsTests, test_wrong_hostname) {
   startServer(
-      (getTestConfigDirectory() / "test_server_wrong_hostname.pem").string());
+      (getTestConfigDirectory() / "test_server_wrong_hostname.pem").string(),
+      true);
 
   auto t = std::make_shared<TLSTransport>();
   t->setPeerCertificate(

diff --git a/tools/tests/configs/test_client.pem b/tools/tests/configs/test_client.pem
@@ -1,19 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDHTCCAgUCAQgwDQYJKoZIhvcNAQELBQAwWzELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExGDAWBgNVBAoMD29zcXVlcnktdGVzdGluZzEdMBsGA1UE
-AwwUb3NxdWVyeS11bml0dGVzdHMtY2EwHhcNMjMwNzEzMTkxNDEwWhcNMzMwNzEw
-MTkxNDEwWjBOMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEYMBYG
-A1UECgwPb3NxdWVyeS10ZXN0aW5nMRAwDgYDVQQDDAdjbGllbnQxMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2SB4aHxZdryb1gBLxhNA2JxuX8BBgvaH
-vleoQWDzDzrAx1gs9snPk81XDb0BpmIZtDR1HB5Jew01E+Ddtg/2khq9W1Xp4NmC
-dYcXSEkIcfE79KsXUo8FD04TP4v0kkXZAhkqo1TeOEgf7XiJ0GrDOFFCF+48QryC
-6p91JjikHx0+PJmhZR5z4+7aVi8prCkIjEY61HSWDWBXropi1CMLHlROT2CR5PyB
-CXkZeUTYKhlnCGVuChAPouVwXN5saCpc+d6c3eT9ITa011ZkAeLxWUx+Ps7Z5H1y
-PlOFwlYH5dbjIOc+M6Z6ta+klGg8+cX78nmafG0dcS3v+tbBHireUQIDAQABMA0G
-CSqGSIb3DQEBCwUAA4IBAQCgWHtNDNiJc3BZboIhj/Z938Ql5jqqse5dvFmPBt5J
-Fb8V3Ylr594QHnaPxYbbZL4oozjixSn6QoDuIZvzhklb6TgoNu0nH1XhunvWSwWa
-SGePnfOpO/GL2LCIzQ75rVR76QqSKeKa+KluScQGpak7TXrKKe+73oP4W5AN28Wg
-I2BjDWytsMKYODyqSj2Yp2/5Tqa4ef4EXwnkBr7vZfSBQRfXaq3FumMQ5QIo5/pt
-wE9fX4YgXeuEtMHFFIOLnA0qxWoHg0k7U4mqx8ed4HoLJ6eyEQu0QSNtMtCSxL83
-nq6CyGuXKNu2cY2jIiLY4Og2TwVUFsHRPrDmZFpkpq0N
+MIIDkDCCAnigAwIBAgIUJuZdK9bkeAuymXEStO/R9kRxbDUwDQYJKoZIhvcNAQEL
+BQAwWzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGDAWBgNVBAoM
+D29zcXVlcnktdGVzdGluZzEdMBsGA1UEAwwUb3NxdWVyeS11bml0dGVzdHMtY2Ew
+HhcNMjMxMjA3MjE0ODAyWhcNMzMxMjA0MjE0ODAyWjBQMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEYMBYGA1UECgwPb3NxdWVyeS10ZXN0aW5nMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDZIHhofFl2vJvWAEvGE0DYnG5fwEGC9oe+V6hBYPMPOsDHWCz2yc+TzVcNvQGm
+Yhm0NHUcHkl7DTUT4N22D/aSGr1bVeng2YJ1hxdISQhx8Tv0qxdSjwUPThM/i/SS
+RdkCGSqjVN44SB/teInQasM4UUIX7jxCvILqn3UmOKQfHT48maFlHnPj7tpWLyms
+KQiMRjrUdJYNYFeuimLUIwseVE5PYJHk/IEJeRl5RNgqGWcIZW4KEA+i5XBc3mxo
+Klz53pzd5P0hNrTXVmQB4vFZTH4+ztnkfXI+U4XCVgfl1uMg5z4zpnq1r6SUaDz5
+xfvyeZp8bR1xLe/61sEeKt5RAgMBAAGjVzBVMBMGA1UdJQQMMAoGCCsGAQUFBwMC
+MB0GA1UdDgQWBBTunrmcen3J17O1r+0qt6QoCGpiIjAfBgNVHSMEGDAWgBTIQG54
+V+OftpEfgof4nSvXTQdZADANBgkqhkiG9w0BAQsFAAOCAQEAxEoFEfLRRhUDsks6
+cwFzRri1tk+6Ws6T82gE8TdoXMYM041CYltIGvzvwHGtHVBUDIPxsV1VDLY3AwgX
+oYD0PaJ9tTHUg3rNUywmczGtIPvqEHPU2vUJH23r8DAFbreEqT8iaZ2qr4t+BZZa
+LY4KP89g4HfxZuYGiQUUv+zCNOnWtZRimRq2J2mhEfqrSu/YuFUmvZ1J8sXHFmjJ
+c0a0H9JKstQ+J6uHN7WxrjWX30aOTJbJqV9DE122z6nAekT0Uv5q/biqKncROiJE
+jvLXfd6mEXIgf2mj2oOUbdZK2MOMdWeauCUZLAKK+IlJae+BQ6BB1GnCUsIlIUkt
+0M7Z0A==
 -----END CERTIFICATE-----
diff --git a/tools/tests/configs/test_server.pem b/tools/tests/configs/test_server.pem
@@ -1,20 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDMjCCAhoCFHRC8UNjEgv1hXKyJYTIOJ45xTKEMA0GCSqGSIb3DQEBCwUAMFsx
-CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRgwFgYDVQQKDA9vc3F1
-ZXJ5LXRlc3RpbmcxHTAbBgNVBAMMFG9zcXVlcnktdW5pdHRlc3RzLWNhMB4XDTIw
-MDIxMTIxNDIxOFoXDTMwMDIxMTIxNDIxOFowUDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgMCkNhbGlmb3JuaWExGDAWBgNVBAoMD29zcXVlcnktdGVzdGluZzESMBAGA1UE
-AwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7EzV
-Opqj8cYMfhSQnc3moTiKU0HFqYwpcl6H3VEz618+scm/lLbj+2eLZB7LreVagiXb
-ZASfStR0k7fOKRWzf6+IiR8I1O0pj5JSQl6YxGdWCr/Xmw9CXY+buxO7TfiKfeO7
-wjU7kM4Ns/FYugyZwv0zfeIFUwEubmZnYPpV+oaFfMs90VZjCj5KdsFJ9Fl86BzS
-S6zkkpJECOkuseSvMpJm2aaB0uruPH7VyGboCA5IO17Z4vzJwzFxEz5+CHIKICl+
-y6UH7hrBwiM+HapiFb7yyhQOq06/G8Is/w2cJpSXNicCcOGtrTVBxoVFhxyXK6QE
-dmglMPJE3Macg3+r3wIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDRJIS1Jrt7jnLv
-fzQkqjDe3rZYtOlQrG+tx9Bh4sw7riMm1jxPATnoe96VWW2r1RfgV8eKOV93X2xJ
-7DFH8sKDceuj0PT6D8sCS5CFRejZOrrfwS15/4e2SafiOiYgk6Jlhc+f3sePzUU8
-k+1Vi9uCk4IFqgQ5v6KFnFOFV49E1q7Fglw/HHcMCxK3yriHrv/BcMWRxptLhhb7
-2/I4mDP2Nn92L4qDl/9Zj6qjy3M7Yv4deeh2984JBCxWiX/fUyk2niZWpDRnOi9h
-Rpr9c67T4aBvu2tRh9j658JvGo/Pe2QdikTGpD+vxttXqcx25ZVaGnwtbdDwbJMO
-VywUsueM
+MIIDkDCCAnigAwIBAgIUUNMfQp5cEH8esNXG9capU4d8kAkwDQYJKoZIhvcNAQEL
+BQAwWzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGDAWBgNVBAoM
+D29zcXVlcnktdGVzdGluZzEdMBsGA1UEAwwUb3NxdWVyeS11bml0dGVzdHMtY2Ew
+HhcNMjMxMjA3MjIwNzMyWhcNMzMxMjA0MjIwNzMyWjBQMQswCQYDVQQGEwJVUzET
+MBEGA1UECAwKQ2FsaWZvcm5pYTEYMBYGA1UECgwPb3NxdWVyeS10ZXN0aW5nMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDsTNU6mqPxxgx+FJCdzeahOIpTQcWpjClyXofdUTPrXz6xyb+UtuP7Z4tkHsut
+5VqCJdtkBJ9K1HSTt84pFbN/r4iJHwjU7SmPklJCXpjEZ1YKv9ebD0Jdj5u7E7tN
++Ip947vCNTuQzg2z8Vi6DJnC/TN94gVTAS5uZmdg+lX6hoV8yz3RVmMKPkp2wUn0
+WXzoHNJLrOSSkkQI6S6x5K8ykmbZpoHS6u48ftXIZugIDkg7Xtni/MnDMXETPn4I
+cgogKX7LpQfuGsHCIz4dqmIVvvLKFA6rTr8bwiz/DZwmlJc2JwJw4a2tNUHGhUWH
+HJcrpAR2aCUw8kTcxpyDf6vfAgMBAAGjVzBVMBMGA1UdJQQMMAoGCCsGAQUFBwMB
+MB0GA1UdDgQWBBS+qH8WOgrBNnFB4yo9idKxrRYRlTAfBgNVHSMEGDAWgBTIQG54
+V+OftpEfgof4nSvXTQdZADANBgkqhkiG9w0BAQsFAAOCAQEAB7Gcu+DXmOn0TYFp
+WXZEPPrBuPx9Gpbg7vNyuvUKt/bq7rzDuZlwmAjug5qQkFFqlN2+6VKVHA2LWU38
+YJ2pmZ5CcIzO1/jPiczaIcg8F/ZT8aA6i80RkiRNcUO9WpEO5o5xCxt54y43YQcr
+SJQ2A/Ez6XInLCC00HWx0uZLkVlJmnQ/cWDrc9bq1UBshDG9QL9bGM9bedbb5rwg
+9g50e8U+Pp6Xff/rUusp4BN19Du0Xyvofkwyh8+1m8TLKMHx0xNhjpzp1SB7eWh3
+8Jt/fDYoy277SSAMbdaZwhI/Q6haCw17AgzjoZ415QzB+ImnamAIYWbZIo5r54HE
+BMqHzA==
 -----END CERTIFICATE-----
diff --git a/tools/tests/configs/test_server_ca.pem b/tools/tests/configs/test_server_ca.pem
@@ -1,22 +1,22 @@
 -----BEGIN CERTIFICATE-----
-MIIDlzCCAn+gAwIBAgIULTkYO65dkEg2o0mHM6ZMqWsK5w4wDQYJKoZIhvcNAQEL
+MIIDpDCCAoygAwIBAgIUT/JSqgknbGcVPabMrV3/cs8IR4swDQYJKoZIhvcNAQEL
 BQAwWzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExGDAWBgNVBAoM
 D29zcXVlcnktdGVzdGluZzEdMBsGA1UEAwwUb3NxdWVyeS11bml0dGVzdHMtY2Ew
-HhcNMjAwMjExMjEzMzMzWhcNMzAwMjExMjEzMzMzWjBbMQswCQYDVQQGEwJVUzET
+HhcNMjMxMjA3MjIwMzE4WhcNMzMxMjA0MjIwMzE4WjBbMQswCQYDVQQGEwJVUzET
 MBEGA1UECAwKQ2FsaWZvcm5pYTEYMBYGA1UECgwPb3NxdWVyeS10ZXN0aW5nMR0w
 GwYDVQQDDBRvc3F1ZXJ5LXVuaXR0ZXN0cy1jYTCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBAOKMqGZCm+QuTu+QjNCG3cl42g763RBmp9Xn3SzIPinUgbWz
 nNBdgzlwkjmRBnevuIEMkLFSSVyH9J44sLj/5vBvwq0upJZv/mZwwb+fBkPlek1n
 KRqoPZs/smqVWLQjz6vWsxqS5DKyzd1kyv+hBOkPkybpYlMFC9UyhPkYWAwJ95TL
 Sfx7KfxAkqpCIXsGMsilZ7BjP2iCecihD1vjZZwqqj17ED7q6SstiTUzU3VZAuOr
 4Ag69qCymsGLqa+Ii/lpo5JJ4t41quBZYXqogz01N5c/w/hifKTx0ba/UTW/zMls
-xsugmwZsMMn/uIoFg23CIns38RHzBQEkyDHHt8cCAwEAAaNTMFEwHQYDVR0OBBYE
+xsugmwZsMMn/uIoFg23CIns38RHzBQEkyDHHt8cCAwEAAaNgMF4wHQYDVR0OBBYE
 FMhAbnhX45+2kR+Ch/idK9dNB1kAMB8GA1UdIwQYMBaAFMhAbnhX45+2kR+Ch/id
-K9dNB1kAMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAMrFOgO3
-x9CdWIjKYB2LaA46EEEzLu/2fqfqoIutGVV1g0/WZ4m3roS2d1w+qFemGIAXbypf
-yQj2kLpu6++3xvHylWgpa3IoQimZs0x6Kafqe6Gz4iEKg4lSmFXR1zLhXJeX9QMg
-+HqTZMlDoen4K+Gd+kYA5ky2t7auS5mHYa3pL0m3TuKUTO6+Y5WH8SEdo4bcNsUk
-+D9AmV9Nsmm91mE6xgf+sFxlQpf7bZsFhqceIiApUujR3MSpq9lHC1fdVkaD6ViV
-4Lxx7odIhaxQ2NQ32qYDqn3Ieu7vdUdgVry++CzGsv342IMU7FKuYAWD3GFo+z9Y
-s3oPBKzj3Spr7H4=
+K9dNB1kAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEB
+CwUAA4IBAQCBAg3+HNXNzEIlkAY7vbXR7eBYgG3ZUa0lNJ379cjmxhSidlWJo6Fw
+w71auSoYY1DAuLVbJXGXMRz9FdrzwDCpvgKLl0zy1HxsdxT91tKPqp8PqBgS8q8P
+hX482vBpugunZRYbB2cVHBi457JkskssMTSFafsw5EbB+FYB0O8dTC4UkvbebbNZ
+Gt4YOhEtGmpdiQizCATt/H/TxmqB+7mY3v5hfiv3P7pcXkbD/R4YweFlfuL9LiPq
+AQM4xollosBATMt01bIldmwDksv+LkOAMXVu7cptI/tVCrTvp/6r3WvHK0qEFVcb
+pURljZyhzJ1kBmqkc7aGFEM05XRcVRyf
 -----END CERTIFICATE-----