Merge pull request docker#154 from thaJeztah/fix_non_linux_tests

tlsconfig: make root pool tests deterministic across platforms

Author: vvoland

tlsconfig/config.go

@@ -34,6 +34,9 @@ type Options struct {
 	// the system pool will be used.
 	ExclusiveRootPools bool
 	MinVersion         uint16
+
+	// systemCertPool allows mocking the system cert-pool for testing.
+	systemCertPool func() (*x509.CertPool, error)
 }
 
 // DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls
@@ -77,26 +80,33 @@ func defaultConfig(ops ...func(*tls.Config)) *tls.Config {
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
-func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
+func certPool(opts Options) (*x509.CertPool, error) {
 	// If we should verify the server, we need to load a trusted ca
 	var (
 		pool *x509.CertPool
 		err  error
 	)
-	if exclusivePool {
+	if opts.ExclusiveRootPools {
 		pool = x509.NewCertPool()
 	} else {
-		pool, err = x509.SystemCertPool()
+		if opts.systemCertPool != nil {
+			pool, err = opts.systemCertPool()
+		} else {
+			pool, err = x509.SystemCertPool()
+		}
 		if err != nil {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pemData, err := os.ReadFile(caFile)
+	if opts.CAFile == "" {
+		return pool, nil
+	}
+	pemData, err := os.ReadFile(opts.CAFile)
 	if err != nil {
-		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
+		return nil, fmt.Errorf("could not read CA certificate %q: %v", opts.CAFile, err)
 	}
 	if !pool.AppendCertsFromPEM(pemData) {
-		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
+		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", opts.CAFile)
 	}
 	return pool, nil
 }
@@ -199,7 +209,7 @@ func Client(options Options) (*tls.Config, error) {
 	tlsConfig := defaultConfig()
 	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify
 	if !options.InsecureSkipVerify && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}
@@ -232,7 +242,7 @@ func Server(options Options) (*tls.Config, error) {
 	}
 	tlsConfig.Certificates = []tls.Certificate{tlsCert}
 	if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
-		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)
+		CAs, err := certPool(options)
 		if err != nil {
 			return nil, err
 		}

tlsconfig/config_test.go

@@ -4,41 +4,14 @@ import (
 	"bytes"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/pem"
 	"errors"
 	"os"
+	"path/filepath"
 	"reflect"
-	"runtime"
 	"testing"
 )
 
-// This is the currently active Amazon Root CA 1 (CN=Amazon Root CA 1,O=Amazon,C=US),
-// downloaded from: https://www.amazontrust.com/repository/AmazonRootCA1.pem
-// It's valid since May 26 00:00:00 2015 GMT and expires on Jan 17 00:00:00 2038 GMT.
-// Download updated versions from https://www.amazontrust.com/repository/
 const (
-	systemRootTrustedCert = `
------BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
-ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
-9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
-IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
-VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
-93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
-jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
-A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
-U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
-N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
-o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
-5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
-rqXRfboQnoZsG4q5WTP468SQvvG5
------END CERTIFICATE-----
-`
 	rsaPrivateKeyFile             = "fixtures/key.pem"
 	certificateFile               = "fixtures/cert.pem"
 	multiCertificateFile          = "fixtures/multi.pem"
@@ -118,8 +91,8 @@ func TestConfigServerTLSServerCertsOnly(t *testing.T) {
 	if len(tlsConfig.Certificates[0].Certificate) != len(keypair.Certificate) {
 		t.Fatal("Unexpected server certificates")
 	}
-	for i, cert := range tlsConfig.Certificates[0].Certificate {
-		if !bytes.Equal(cert, keypair.Certificate[i]) {
+	for i, crt := range tlsConfig.Certificates[0].Certificate {
+		if !bytes.Equal(crt, keypair.Certificate[i]) {
 			t.Fatal("Unexpected server certificates")
 		}
 	}
@@ -195,47 +168,47 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 
 // Exclusive root pools determines whether the CA pool will be a union of the system
 // certificate pool and custom certs, or an exclusive or of the custom certs and system pool
+//
+// NOTE: In reality this behavior depends on the platform trust store and would
+// be best validated via integration tests. Here we inject a fake system pool so
+// the unit test can deterministically verify the intended semantics.
 func TestConfigServerExclusiveRootPools(t *testing.T) {
-	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
-		// FIXME: see https://github.com/docker/go-connections/issues/105.
-		t.Skip("FIXME: failing on Windows and darwin")
-	}
 	key, cert := getCertAndKey()
-	ca := getMultiCert()
 
-	caBytes, err := os.ReadFile(ca)
+	customRoot, err := newTestTrustRoot()
 	if err != nil {
-		t.Fatal("Unable to read CA certs", err)
+		t.Fatal("Unable to generate fake custom CA", err)
 	}
 
-	var testCerts []*x509.Certificate
-	for _, pemBytes := range [][]byte{caBytes, []byte(systemRootTrustedCert)} {
-		pemBlock, _ := pem.Decode(pemBytes)
-		if pemBlock == nil {
-			t.Fatal("Malformed certificate")
-		}
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			t.Fatal("Unable to parse certificate")
-		}
-		testCerts = append(testCerts, cert)
+	ca := filepath.Join(t.TempDir(), "custom-ca.pem")
+	if err := os.WriteFile(ca, customRoot.RootPEM, 0o644); err != nil {
+		t.Fatal("Unable to write custom CA file", err)
 	}
 
+	systemLeaf, err := systemRootTrustedX509()
+	if err != nil {
+		t.Fatal("Unable to load fake system certificate", err)
+	}
+
+	testCerts := []*x509.Certificate{customRoot.LeafCert, systemLeaf}
+
 	// ExclusiveRootPools not set, so should be able to verify both system-signed certs
 	// and custom CA-signed certs
 	tlsConfig, err := Server(Options{
 		CertFile:   cert,
 		KeyFile:    key,
 		ClientAuth: tls.VerifyClientCertIfGiven,
 		CAFile:     ca,
+
+		systemCertPool: fakeSystemCertPool(),
 	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure server TLS", err)
 	}
 
-	for i, cert := range testCerts {
-		if _, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs}); err != nil {
+	for i, crt := range testCerts {
+		if _, err := crt.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs}); err != nil {
 			t.Fatalf("Unable to verify certificate %d: %v", i, err)
 		}
 	}
@@ -248,40 +221,36 @@ func TestConfigServerExclusiveRootPools(t *testing.T) {
 		ClientAuth:         tls.VerifyClientCertIfGiven,
 		CAFile:             ca,
 		ExclusiveRootPools: true,
+		systemCertPool:     fakeSystemCertPool(),
 	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure server TLS", err)
 	}
 
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs})
+	for i, crt := range testCerts {
+		_, err := crt.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs})
 		switch {
 		case i == 0 && err != nil:
 			t.Fatal("Unable to verify custom certificate, even though the root pool should have only the custom CA", err)
 		case i == 1 && err == nil:
-			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the cusotm CA", err)
+			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the custom CA", err)
 		}
 	}
 
-	// No CA file provided, system cert should be verifiable only
+	// No CA file provided means the server does not configure ClientCAs.
 	tlsConfig, err = Server(Options{
 		CertFile: cert,
 		KeyFile:  key,
+
+		systemCertPool: fakeSystemCertPool(),
 	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure server TLS", err)
 	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.ClientCAs})
-		switch {
-		case i == 1 && err != nil:
-			t.Fatal("Unable to verify system root-signed certificate, even though the root pool should be the system pool only", err)
-		case i == 0 && err == nil:
-			t.Fatal("Successfully verified custom certificate though the root pool should be the system pool only", err)
-		}
+	if tlsConfig.ClientCAs != nil {
+		t.Fatal("Expected ClientCAs to be nil when no CA file is provided")
 	}
 }
 
@@ -510,8 +479,8 @@ func TestConfigClientTLSValidClientCertAndKey(t *testing.T) {
 	if len(tlsConfig.Certificates[0].Certificate) != len(keypair.Certificate) {
 		t.Fatal("Unexpected client certificates")
 	}
-	for i, cert := range tlsConfig.Certificates[0].Certificate {
-		if !bytes.Equal(cert, keypair.Certificate[i]) {
+	for i, crt := range tlsConfig.Certificates[0].Certificate {
+		if !bytes.Equal(crt, keypair.Certificate[i]) {
 			t.Fatal("Unexpected client certificates")
 		}
 	}
@@ -538,41 +507,43 @@ func TestConfigClientTLSEncryptedKey(t *testing.T) {
 
 // Exclusive root pools determines whether the CA pool will be a union of the system
 // certificate pool and custom certs, or an exclusive or of the custom certs and system pool
+//
+// NOTE: In reality this behavior depends on the platform trust store and would
+// be best validated via integration tests. Here we inject a fake system pool so
+// the unit test can deterministically verify the intended semantics.
 func TestConfigClientExclusiveRootPools(t *testing.T) {
-	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
-		// FIXME: see https://github.com/docker/go-connections/issues/105.
-		t.Skip("FIXME: failing on Windows and darwin")
-	}
-	ca := getMultiCert()
+	key, cert := getCertAndKey()
 
-	caBytes, err := os.ReadFile(ca)
+	customRoot, err := newTestTrustRoot()
 	if err != nil {
-		t.Fatal("Unable to read CA certs", err)
+		t.Fatal("Unable to generate fake custom CA", err)
 	}
 
-	var testCerts []*x509.Certificate
-	for _, pemBytes := range [][]byte{caBytes, []byte(systemRootTrustedCert)} {
-		pemBlock, _ := pem.Decode(pemBytes)
-		if pemBlock == nil {
-			t.Fatal("Malformed certificate")
-		}
-		cert, err := x509.ParseCertificate(pemBlock.Bytes)
-		if err != nil {
-			t.Fatal("Unable to parse certificate")
-		}
-		testCerts = append(testCerts, cert)
+	ca := filepath.Join(t.TempDir(), "custom-ca.pem")
+	if err := os.WriteFile(ca, customRoot.RootPEM, 0o644); err != nil {
+		t.Fatal("Unable to write custom CA file", err)
+	}
+
+	systemLeaf, err := systemRootTrustedX509()
+	if err != nil {
+		t.Fatal("Unable to load fake system certificate", err)
 	}
 
+	testCerts := []*x509.Certificate{customRoot.LeafCert, systemLeaf}
+
 	// ExclusiveRootPools not set, so should be able to verify both system-signed certs
 	// and custom CA-signed certs
-	tlsConfig, err := Client(Options{CAFile: ca})
+	tlsConfig, err := Client(Options{
+		CAFile:         ca,
+		systemCertPool: fakeSystemCertPool(),
+	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
 
-	for i, cert := range testCerts {
-		if _, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs}); err != nil {
+	for i, crt := range testCerts {
+		if _, err := crt.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs}); err != nil {
 			t.Fatalf("Unable to verify certificate %d: %v", i, err)
 		}
 	}
@@ -582,37 +553,35 @@ func TestConfigClientExclusiveRootPools(t *testing.T) {
 	tlsConfig, err = Client(Options{
 		CAFile:             ca,
 		ExclusiveRootPools: true,
+		systemCertPool:     fakeSystemCertPool(),
 	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
 
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs})
+	for i, crt := range testCerts {
+		_, err := crt.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs})
 		switch {
 		case i == 0 && err != nil:
 			t.Fatal("Unable to verify custom certificate, even though the root pool should have only the custom CA", err)
 		case i == 1 && err == nil:
-			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the cusotm CA", err)
+			t.Fatal("Successfully verified system root-signed certificate though the root pool should have only the custom CA", err)
 		}
 	}
 
-	// No CA file provided, system cert should be verifiable only
-	tlsConfig, err = Client(Options{})
+	// No CA file provided means the client leaves RootCAs unset.
+	tlsConfig, err = Client(Options{
+		CertFile:       cert,
+		KeyFile:        key,
+		systemCertPool: fakeSystemCertPool(),
+	})
 
 	if err != nil || tlsConfig == nil {
 		t.Fatal("Unable to configure client TLS", err)
 	}
-
-	for i, cert := range testCerts {
-		_, err := cert.Verify(x509.VerifyOptions{Roots: tlsConfig.RootCAs})
-		switch {
-		case i == 1 && err != nil:
-			t.Fatal("Unable to verify system root-signed certificate, even though the root pool should be the system pool only", err)
-		case i == 0 && err == nil:
-			t.Fatal("Successfully verified custom certificate though the root pool should be the system pool only", err)
-		}
+	if tlsConfig.RootCAs != nil {
+		t.Fatal("Expected RootCAs to be nil when no CA file is provided")
 	}
 }