Test internal cert generation & verification process

[yhabteab]

This is basically kind of the same as #10329 but without using hard coded certificates!

closes #10329

[yhabteab]

That was my last push :)! Now, all of the GHAs should be fine, so pls have a look!

[jschmidt-icinga]

You should squash some of the changes from f74cddb back into ec26a2d. First introducing the new argument as int and then changing it to long makes the diff much harder to read.

[yhabteab]

As @julianbrost found out, OpenSSL has no problems with past 2038 timestamps, so the whole Normalize* function was removed, as it's no longer needed. To not overflow the time_t type when comparing the certifcate timestamps, OpenSSL has also a function ASN1_TIME_compare which takes two ASN1_TIME pointers and compare them, instead of the X509_cmp_time function, however as of writing this comment, AL2 already failed due to the ASN1_TIME_compare function being absent with such old OpenSSL version. So, I'm not sure yet, how we should handle this, maybe there's an equivalent OpenSSL function that also exists on AL2.

[yhabteab]

The previously used ASN1_TIME_adj OpenSSL function was for some reason that I don't understood and that I don't want to find out why - failing miserably on Windows 32. So, after searching for an equivalent function a bit online, I found X509_time_adj_ex that does similar things and obviously that also works on Windows 32, thus I've replaced all ASN1_TIME_adj usages with that function.

[yhabteab]

Just rebased to resolve the conflicts!

[yhabteab]

Fixed a small comparison failure on docker builds as it seems to take over a second to sign the certificate and load it from disk, thus fails the == comparison. The fix is to use the 0>= operator like in other places!

[jschmidt-icinga]

Just a few comments, mostly things clang-tidy suggested, one readability improvement. Otherwise this looks fine to me.

[jschmidt-icinga]

😆 assertIMMorDZSSC isn't much better than before, but it's not that important either.

[Al2Klimov]

0 is an int.

[julianbrost]

Please stop splitting a single point across multiple comments. This makes it way harder to read, especially if individual conversations are marked as resolved and additionally, it clutters the diff view (see the screenshot below). If you want to refer to code in a different place, you can also just include it by referencing it like this:

icinga2/lib/base/tlsutility.cpp

Line 651 in 190dc86

notBefore = validFor - 365*24*60*60;

[Al2Klimov]

But validFor is a long.

[Al2Klimov]

So:

Suggested change

	auto notBefore = 0;
	long notBefore = 0;

[Al2Klimov]

Why 1 year and not LEAF_VALID_FOR?

[julianbrost]

This (and other places in the new tests) still use the pattern where you update some certificate parameters, but don't actually create a new signature. So after just doing that X509_time_adj_ex(), the X509 structure is in an inconsistent state where the parsed and changed information does not match the signature. IMHO this makes the whole test case questionable if you use inconsistent data structures. Thus, everywhere something needs to be changed in a certificate, a new certificate should be created.

[yhabteab]

I'm still using X509_time_adj_ex() here because I don't verify any cert signature here but want to only test whether the IsCaUptodate function behaves correctly or not and this has nothing to do with the actual cert signature. And for the other few cases that still use X509_time_adj_ex(), they don't use it to adjust the notAfter timestamp but the notBefore one, since it's not user configurable (and I don't want to add yet another parameter for it), so creating a new certificate would be pointless as it's going to have a notBefore ts of 0.

[julianbrost]

Your newly added comment highlights the problem, because of that inconsistency within the test data, it's possible the test doesn't even test what it's supposed to test:

icinga2/test/base-tlsutility.cpp

Lines 197 to 203 in c3ee33c

	// Set the certificate validity start date to 2016, all certificates created before 2017 are considered outdated.
	BOOST_CHECK(X509_time_adj_ex(X509_get_notBefore(cert.get()), 0, -(now-l_2016), &now));
	BOOST_CHECK(!IsCertUptodate(cert));
	// ... but verification should still work, as the certificate is still valid. Though, on AL2 the notBefore
	// time set above will be reset to its original value, as VerifyCertificate transforms the crt first to string
	// and back to X509, which causes OpenSSL to reset the notBefore time to its original value.
	BOOST_CHECK(VerifyCertificate(cacert, cert, String()));

and I don't want to add yet another parameter for it

That would result in a better test case though. The actual use of these functions is to check a certificate that was either loaded from a file or sent by a peer, not a X509* where some values were adjusted retroactively. So using a regular certificate as an input in the test cases would be more realistic.

Plus, it would additionally remove the need for this special case in the implementation if the caller could just specify the whole validity period:

icinga2/lib/base/tlsutility.cpp

Lines 648 to 652 in c3ee33c

	if (validFor < 0) {
	// Set the validity start date to ~1 year past the validFor date,
	// so that the generated cert doesn't expire before the validFor date.
	notBefore = validFor - LEAF_VALID_FOR;
	}

[julianbrost]

Would be nicer if it didn't repeat that magic constant:

Suggested change

	char errBuf[256]; // Buffer for OpenSSL error messages.
	ERR_error_string_n(ERR_get_error(), errBuf, 256);
	char errBuf[256]; // Buffer for OpenSSL error messages.
	ERR_error_string_n(ERR_get_error(), errBuf, sizeof(errBuf));

[jschmidt-icinga]

On that note (and because clang-tidy complained about it), make the char array a std::array and use .data() and .size() instead of decaying into a char * and sizeof(char[]).

[yhabteab]

The notBefore cert ts is now configurable as well as requested in #10350 (comment).