package tests
import (
"bytes"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"errors"
"io"
"os"
"testing"
"time"
"github.com/stretchr/testify/require"
"github.com/cloudflare/gokeyless/server"
)
const (
	// Test fixtures, read with os.ReadFile / LoadTLSCertificate, so the
	// paths are resolved against the working directory (the package
	// directory under `go test`).
	tlsCert = "testdata/server.pem"
	tlsKey  = "testdata/server-key.pem"
	caCert  = "testdata/ca.pem"

	// Endpoint of the in-process TLS echo server started by TestTLSProxy.
	// The port is fixed, so tls.Listen (and therefore the test) fails if
	// another process already holds it.
	network   = "tcp"
	localAddr = "localhost:7777"
)
// serverFunc is the server side of the echo exchange: it copies every
// byte received on conn straight back to the peer until the copy ends
// (peer closed its side, or the one-second read deadline expired) and
// then closes the connection.
func serverFunc(conn *tls.Conn) {
	defer conn.Close()

	// Bound the echo so a client that never closes its side cannot keep
	// this goroutine alive forever. The helper has no way to report a
	// failure to set the deadline, so the error is discarded on purpose.
	deadline := time.Now().Add(time.Second)
	_ = conn.SetReadDeadline(deadline)

	// The copy is expected to end with an error (deadline expiry or peer
	// close); that is the normal termination path, not a failure.
	_, _ = io.Copy(conn, conn)
}
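// clientFunc drives the client side of the echo exchange: it checks that
// the TLS handshake has finished, writes a fixed payload, reads until the
// server closes the connection and verifies the echo matches.
//
// conn is always closed before returning. The result is nil on a
// successful round trip; otherwise it names the first step that failed
// (handshake, write, read, or payload mismatch).
func clientFunc(conn *tls.Conn) error {
	defer conn.Close()

	// A connection returned by a successful tls.Dial has already
	// completed its handshake; a false here means the caller handed over
	// a connection that never did.
	if !conn.ConnectionState().HandshakeComplete {
		return errors.New("handshake didn't complete")
	}

	input := []byte("Hello World!")
	if _, err := conn.Write(input); err != nil {
		return err
	}

	// ReadAll blocks until EOF, i.e. until the peer closes its side
	// (serverFunc does so once its read deadline expires).
	output, err := io.ReadAll(conn)
	if err != nil {
		return err
	}

	// bytes.Equal is the equality test; Compare is meant for ordering.
	if !bytes.Equal(input, output) {
		return errors.New("input and output do not match")
	}
	return nil
}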
// TestTLSProxy tests a real TLS keyless server which
// uses the gokeyless client to finish the TLS handshake with a
// real TLS client.
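func (s *IntegrationTestSuite) TestTLSProxy() {
	require := require.New(s.T())
	if testing.Short() {
		s.T().SkipNow()
	}

	// Load the server certificate through the gokeyless client so that
	// the TLS server below can use it; the matching private key is
	// registered with the keyless server further down, not held locally.
	cert, err := s.client.LoadTLSCertificate(s.serverAddr, tlsCert)
	require.NoError(err)
	// Leaf is dereferenced for ServerName below; fail clearly instead of
	// panicking with a nil pointer if it was not populated.
	require.NotNil(cert.Leaf, "LoadTLSCertificate returned a certificate without Leaf")
	serverConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ServerName:   cert.Leaf.Subject.CommonName,
	}

	l, err := tls.Listen(network, localAddr, serverConfig)
	require.NoError(err)
	defer l.Close()

	go func() {
		// Accept fails once the deferred l.Close() runs, which is what
		// ends this goroutine.
		for {
			c, err := l.Accept()
			if err != nil {
				return
			}
			go serverFunc(c.(*tls.Conn))
		}
	}()
	// The listener is already bound when tls.Listen returns; this is a
	// grace period for the accept goroutine above.
	time.Sleep(100 * time.Millisecond)

	// Hand the server's private key to the keyless server so it can
	// perform the signing operations the TLS handshake needs.
	keys := server.NewDefaultKeystore()
	s.server.SetKeystore(keys)
	pemKey, err := os.ReadFile(tlsKey)
	require.NoError(err)
	block, _ := pem.Decode(pemKey)
	// pem.Decode returns nil when no PEM block is present; block.Bytes
	// would then panic, so report the bad fixture explicitly.
	require.NotNil(block, "%s contains no PEM block", tlsKey)
	// The fixture is parsed as an EC key (ParseECPrivateKey), so it is
	// named accordingly.
	ecKey, err := x509.ParseECPrivateKey(block.Bytes)
	require.NoError(err)
	require.NoError(keys.Add(nil, ecKey))

	// fixedCurrentTime is defined elsewhere in this package; it pins the
	// verification clock, presumably so the checked-in fixture
	// certificates stay valid regardless of the real date — confirm.
	clientConfig := &tls.Config{
		Time:       fixedCurrentTime,
		ServerName: serverConfig.ServerName,
		RootCAs:    x509.NewCertPool(),
	}
	caBytes, err := os.ReadFile(caCert)
	require.NoError(err)
	// AppendCertsFromPEM reports whether any certificate was parsed; an
	// empty pool would otherwise only surface as an "unknown authority"
	// error from Dial, which is harder to diagnose.
	require.True(clientConfig.RootCAs.AppendCertsFromPEM(caBytes),
		"no CA certificates parsed from %s", caCert)

	conn, err := tls.Dial(network, localAddr, clientConfig)
	require.NoError(err)
	require.NoError(clientFunc(conn))
}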