Test internal cert generation & verification process

Author: yhabteab

lib/base/tlsutility.cpp

@@ -478,7 +478,7 @@ std::shared_ptr<X509> GetX509Certificate(const String& pemfile)
 	return std::shared_ptr<X509>(cert, X509_free);
 }
 
-int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile, bool ca)
+int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile, const String& certfile, int validFor, bool ca)
 {
 	char errbuf[256];
 
@@ -547,7 +547,7 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 		X509_NAME *subject = X509_NAME_new();
 		X509_NAME_add_entry_by_txt(subject, "CN", MBSTRING_ASC, (unsigned char *)cn.CStr(), -1, -1, 0);
 
-		std::shared_ptr<X509> cert = CreateCert(key, subject, subject, key, ca);
+		std::shared_ptr<X509> cert = CreateCert(key, subject, subject, key, validFor, ca);
 
 		X509_NAME_free(subject);
 
@@ -640,12 +640,16 @@ int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile,
 	return 1;
 }
 
-std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca)
+std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, int validFor, bool ca)
 {
 	X509 *cert = X509_new();
 	X509_set_version(cert, 2);
-	X509_gmtime_adj(X509_get_notBefore(cert), 0);
-	X509_gmtime_adj(X509_get_notAfter(cert), ca ? ROOT_VALID_FOR : LEAF_VALID_FOR);
+	auto notBefore = 0;
+	if (validFor < 0) {
+		notBefore = validFor - validFor / 4; // Add 25% of the validity period to the past
+	}
+	X509_gmtime_adj(X509_get_notBefore(cert), notBefore);
+	X509_gmtime_adj(X509_get_notAfter(cert), validFor);
 	X509_set_pubkey(cert, pubkey);
 
 	X509_set_subject_name(cert, subject);
@@ -728,7 +732,7 @@ String GetIcingaCADir()
 	return Configuration::DataDir + "/ca";
 }
 
-std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, bool ca)
+std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, int validFor, bool ca)
 {
 	char errbuf[256];
 
@@ -765,13 +769,20 @@ std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, b
 	EVP_PKEY *privkey = EVP_PKEY_new();
 	EVP_PKEY_assign_RSA(privkey, rsa);
 
-	return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, ca);
+	return CreateCert(pubkey, subject, X509_get_subject_name(cacert.get()), privkey, validFor, ca);
 }
 
-std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert)
+/**
+ * Creates a new X509 certificate signed by the Icinga CA.
+ *
+ * @param cert The certificate containing the public key and subject name.
+ * @param validFor The validity period in seconds. Defaults to LEAF_VALID_FOR.
+ * @returns The new X509 certificate or an empty shared_ptr on error.
+ */
+std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, int validFor)
 {
 	std::shared_ptr<EVP_PKEY> pkey = std::shared_ptr<EVP_PKEY>(X509_get_pubkey(cert.get()), EVP_PKEY_free);
-	return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()));
+	return CreateCertIcingaCA(pkey.get(), X509_get_subject_name(cert.get()), validFor);
 }
 
 static inline

lib/base/tlsutility.hpp

@@ -54,8 +54,8 @@ Shared<boost::asio::ssl::context>::Ptr SetupSslContext(String certPath, String k
 
 String GetCertificateCN(const std::shared_ptr<X509>& certificate);
 std::shared_ptr<X509> GetX509Certificate(const String& pemfile);
-int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), bool ca = false);
-std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, bool ca);
+int MakeX509CSR(const String& cn, const String& keyfile, const String& csrfile = String(), const String& certfile = String(), int validFor = LEAF_VALID_FOR, bool ca = false);
+std::shared_ptr<X509> CreateCert(EVP_PKEY *pubkey, X509_NAME *subject, X509_NAME *issuer, EVP_PKEY *cakey, int validFor, bool ca);
 
 String GetIcingaCADir();
 String CertificateToString(X509* cert);
@@ -66,8 +66,8 @@ inline String CertificateToString(const std::shared_ptr<X509>& cert)
 }
 
 std::shared_ptr<X509> StringToCertificate(const String& cert);
-std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, bool ca = false);
-std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert);
+std::shared_ptr<X509> CreateCertIcingaCA(EVP_PKEY *pubkey, X509_NAME *subject, int validFor, bool ca = false);
+std::shared_ptr<X509> CreateCertIcingaCA(const std::shared_ptr<X509>& cert, int validFor = LEAF_VALID_FOR);
 bool IsCertUptodate(const std::shared_ptr<X509>& cert);
 bool IsCaUptodate(X509* cert);
 

lib/remote/apilistener.cpp

@@ -186,7 +186,7 @@ std::shared_ptr<X509> ApiListener::RenewCert(const std::shared_ptr<X509>& cert,
 	std::shared_ptr<EVP_PKEY> pubkey (X509_get_pubkey(cert.get()), EVP_PKEY_free);
 	auto subject (X509_get_subject_name(cert.get()));
 	auto cacert (GetX509Certificate(GetDefaultCaPath()));
-	auto newcert (CreateCertIcingaCA(pubkey.get(), subject, ca));
+	auto newcert (CreateCertIcingaCA(pubkey.get(), subject, ca ? ROOT_VALID_FOR : LEAF_VALID_FOR, ca));
 
 	/* verify that the new cert matches the CA we're using for the ApiListener;
 	 * this ensures that the CA we have in /var/lib/icinga2/ca matches the one

lib/remote/pkiutility.cpp

@@ -7,7 +7,6 @@
 #include "base/logger.hpp"
 #include "base/application.hpp"
 #include "base/tcpsocket.hpp"
-#include "base/tlsutility.hpp"
 #include "base/console.hpp"
 #include "base/tlsstream.hpp"
 #include "base/tcpsocket.hpp"
@@ -37,7 +36,7 @@ int PkiUtility::NewCa()
 
 	Utility::MkDirP(caDir, 0700);
 
-	MakeX509CSR("Icinga CA", caKeyFile, String(), caCertFile, true);
+	MakeX509CSR("Icinga CA", caKeyFile, String(), caCertFile, ROOT_VALID_FOR, true);
 
 	return 0;
 }
@@ -53,7 +52,7 @@ int PkiUtility::NewCert(const String& cn, const String& keyfile, const String& c
 	return 0;
 }
 
-int PkiUtility::SignCsr(const String& csrfile, const String& certfile)
+int PkiUtility::SignCsr(const String& csrfile, const String& certfile, long validFor)
 {
 	char errbuf[256];
 
@@ -72,7 +71,7 @@ int PkiUtility::SignCsr(const String& csrfile, const String& certfile)
 	BIO_free(csrbio);
 
 	std::shared_ptr<EVP_PKEY> pubkey = std::shared_ptr<EVP_PKEY>(X509_REQ_get_pubkey(req), EVP_PKEY_free);
-	std::shared_ptr<X509> cert = CreateCertIcingaCA(pubkey.get(), X509_REQ_get_subject_name(req));
+	std::shared_ptr<X509> cert = CreateCertIcingaCA(pubkey.get(), X509_REQ_get_subject_name(req), validFor);
 
 	X509_REQ_free(req);
 

lib/remote/pkiutility.hpp

@@ -7,6 +7,7 @@
 #include "base/exception.hpp"
 #include "base/dictionary.hpp"
 #include "base/string.hpp"
+#include "base/tlsutility.hpp"
 #include <openssl/x509v3.h>
 #include <memory>
 
@@ -21,7 +22,7 @@ class PkiUtility
 public:
 	static int NewCa();
 	static int NewCert(const String& cn, const String& keyfile, const String& csrfile, const String& certfile);
-	static int SignCsr(const String& csrfile, const String& certfile);
+	static int SignCsr(const String& csrfile, const String& certfile, long validFor = LEAF_VALID_FOR);
 	static std::shared_ptr<X509> FetchCert(const String& host, const String& port);
 	static int WriteCert(const std::shared_ptr<X509>& cert, const String& trustedfile);
 	static int GenTicket(const String& cn, const String& salt, std::ostream& ticketfp);

test/CMakeLists.txt

@@ -176,12 +176,8 @@ add_boost_test(base
     base_timer/invoke
     base_timer/scope
     base_tlsutility/sha1
-    base_tlsutility/iscauptodate_ok
-    base_tlsutility/iscauptodate_expiring
-    base_tlsutility/iscertuptodate_ok
-    base_tlsutility/iscertuptodate_expiring
-    base_tlsutility/iscertuptodate_old
-    base_tlsutility/VerifyCertificate_revalidate
+    base_tlsutility/create_verify_ca
+    base_tlsutility/create_verify_leaf_certs
     base_utility/parse_version
     base_utility/compare_version
     base_utility/comparepasswords_works