tailscale/prober/tls_test.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package prober

import (
	"bytes"
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"
)

var leafCert = x509.Certificate{
	SerialNumber:       big.NewInt(10001),
	Subject:            pkix.Name{CommonName: "tlsprobe.test"},
	SignatureAlgorithm: x509.SHA256WithRSA,
	PublicKeyAlgorithm: x509.RSA,
	Version:            3,
	IPAddresses:        []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	NotBefore:          time.Now().Add(-5 * time.Minute),
	NotAfter:           time.Now().Add(60 * 24 * time.Hour),
	SubjectKeyId:       []byte{1, 2, 3},
	AuthorityKeyId:     []byte{1, 2, 3, 4, 5}, // issuerCert below
	ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	KeyUsage:           x509.KeyUsageDigitalSignature,
}

var issuerCertTpl = x509.Certificate{
	SerialNumber:       big.NewInt(10002),
	Subject:            pkix.Name{CommonName: "tlsprobe.ca.test"},
	SignatureAlgorithm: x509.SHA256WithRSA,
	PublicKeyAlgorithm: x509.RSA,
	Version:            3,
	IPAddresses:        []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	NotBefore:          time.Now().Add(-5 * time.Minute),
	NotAfter:           time.Now().Add(60 * 24 * time.Hour),
	SubjectKeyId:       []byte{1, 2, 3, 4, 5},
	ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	KeyUsage:           x509.KeyUsageDigitalSignature,
}

func simpleCert() (tls.Certificate, error) {
	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		return tls.Certificate{}, err
	}
	certPrivKeyPEM := new(bytes.Buffer)
	pem.Encode(certPrivKeyPEM, &pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
	})
	certBytes, err := x509.CreateCertificate(rand.Reader, &leafCert, &leafCert, &certPrivKey.PublicKey, certPrivKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	certPEM := new(bytes.Buffer)
	pem.Encode(certPEM, &pem.Block{
		Type:  "CERTIFICATE",
		Bytes: certBytes,
	})
	return tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())
}

func TestTLSConnection(t *testing.T) {
	crt, err := simpleCert()
	if err != nil {
		t.Fatal(err)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{crt}}
	srv.StartTLS()
	defer srv.Close()

	err = probeTLS(context.Background(), "fail.example.com", srv.Listener.Addr().String())
	// The specific error message here is platform-specific ("certificate is not trusted"
	// on macOS and "certificate signed by unknown authority" on Linux), so only check
	// that it contains the word 'certificate'.
	if err == nil || !strings.Contains(err.Error(), "certificate") {
		t.Errorf("unexpected error: %q", err)
	}
}

func TestCertExpiration(t *testing.T) {
	for _, tt := range []struct {
		name    string
		cert    func() *x509.Certificate
		wantErr string
	}{
		{
			"cert not valid yet",
			func() *x509.Certificate {
				c := leafCert
				c.NotBefore = time.Now().Add(time.Hour)
				return &c
			},
			"one of the certs has NotBefore in the future",
		},
		{
			"cert expiring soon",
			func() *x509.Certificate {
				c := leafCert
				c.NotAfter = time.Now().Add(time.Hour)
				return &c
			},
			"one of the certs expires in",
		},
	} {
		t.Run(tt.name, func(t *testing.T) {
			cs := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{tt.cert()}}
			err := validateConnState(context.Background(), cs)
			if err == nil || !strings.Contains(err.Error(), tt.wantErr) {
				t.Errorf("unexpected error %q; want %q", err, tt.wantErr)
			}
		})
	}
}

type CRLServer struct {
	crlBytes []byte
}

func (s *CRLServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if s.crlBytes == nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/pkix-crl")
	w.WriteHeader(http.StatusOK)
	w.Write(s.crlBytes)
}

func TestCRL(t *testing.T) {
	// Generate CA key and self-signed CA cert
	caKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		t.Fatal(err)
	}
	caTpl := issuerCertTpl
	caTpl.BasicConstraintsValid = true
	caTpl.IsCA = true
	caTpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
	caBytes, err := x509.CreateCertificate(rand.Reader, &caTpl, &caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		t.Fatal(err)
	}
	caCert, err := x509.ParseCertificate(caBytes)
	if err != nil {
		t.Fatal(err)
	}

	// Issue a leaf cert signed by the CA
	leaf := leafCert
	leaf.SerialNumber = big.NewInt(20001)
	leaf.Issuer = caCert.Subject
	leafKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		t.Fatal(err)
	}
	leafBytes, err := x509.CreateCertificate(rand.Reader, &leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		t.Fatal(err)
	}
	leafCertParsed, err := x509.ParseCertificate(leafBytes)
	if err != nil {
		t.Fatal(err)
	}

	// Catch no CRL set by Let's Encrypt date.
	noCRLCert := leafCert
	noCRLCert.SerialNumber = big.NewInt(20002)
	noCRLCert.CRLDistributionPoints = []string{}
	noCRLCert.NotBefore = time.Unix(letsEncryptStartedStaplingCRL, 0).Add(-48 * time.Hour)
	noCRLCert.Issuer = caCert.Subject
	noCRLCertKey, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		t.Fatal(err)
	}
	noCRLStapledBytes, err := x509.CreateCertificate(rand.Reader, &noCRLCert, caCert, &noCRLCertKey.PublicKey, caKey)
	if err != nil {
		t.Fatal(err)
	}
	noCRLStapledParsed, err := x509.ParseCertificate(noCRLStapledBytes)
	if err != nil {
		t.Fatal(err)
	}

	crlServer := &CRLServer{crlBytes: nil}
	srv := httptest.NewServer(crlServer)
	defer srv.Close()

	// Create a CRL that revokes the leaf cert using x509.CreateRevocationList
	now := time.Now()
	revoked := []x509.RevocationListEntry{{
		SerialNumber:   leaf.SerialNumber,
		RevocationTime: now,
		ReasonCode:     1, // Key compromise
	}}
	rl := x509.RevocationList{
		SignatureAlgorithm:        caCert.SignatureAlgorithm,
		Issuer:                    caCert.Subject,
		ThisUpdate:                now,
		NextUpdate:                now.Add(24 * time.Hour),
		RevokedCertificateEntries: revoked,
		Number:                    big.NewInt(1),
	}
	rlBytes, err := x509.CreateRevocationList(rand.Reader, &rl, caCert, caKey)
	if err != nil {
		t.Fatal(err)
	}

	emptyRlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(2)}, caCert, caKey)
	if err != nil {
		t.Fatal(err)
	}

	for _, tt := range []struct {
		name     string
		cert     *x509.Certificate
		crlBytes []byte
		wantErr  string
	}{
		{
			"ValidCert",
			leafCertParsed,
			emptyRlBytes,
			"",
		},
		{
			"RevokedCert",
			leafCertParsed,
			rlBytes,
			"has been revoked on",
		},
		{
			"EmptyCRL",
			leafCertParsed,
			emptyRlBytes,
			"",
		},
		{
			"NoCRL",
			leafCertParsed,
			nil,
			"no CRL server presented in leaf cert for",
		},
		{
			"NotBeforeCRLStaplingDate",
			noCRLStapledParsed,
			nil,
			"",
		},
	} {
		t.Run(tt.name, func(t *testing.T) {
			cs := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{tt.cert, caCert}}
			if tt.crlBytes != nil {
				crlServer.crlBytes = tt.crlBytes
				tt.cert.CRLDistributionPoints = []string{srv.URL}
			} else {
				crlServer.crlBytes = nil
				tt.cert.CRLDistributionPoints = []string{}
			}
			err := validateConnState(context.Background(), cs)

			if err == nil && tt.wantErr == "" {
				return
			}

			if err == nil || tt.wantErr == "" || !strings.Contains(err.Error(), tt.wantErr) {
				t.Errorf("unexpected error %q; want %q", err, tt.wantErr)
			}
		})
	}
}
all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com> 2023-01-27 13:37:20 -08:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00
			`package prober`

			`import (`
			`"bytes"`
			`"context"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/tls"`
			`"crypto/x509"`
			`"crypto/x509/pkix"`
			`"encoding/pem"`
			`"math/big"`
			`"net"`
			`"net/http"`
			`"net/http/httptest"`
			`"strings"`
			`"testing"`
			`"time"`
			`)`

			`var leafCert = x509.Certificate{`
			`SerialNumber: big.NewInt(10001),`
			`Subject: pkix.Name{CommonName: "tlsprobe.test"},`
			`SignatureAlgorithm: x509.SHA256WithRSA,`
			`PublicKeyAlgorithm: x509.RSA,`
			`Version: 3,`
			`IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},`
			`NotBefore: time.Now().Add(-5 * time.Minute),`
			`NotAfter: time.Now().Add(60 * 24 * time.Hour),`
			`SubjectKeyId: []byte{1, 2, 3},`
			`AuthorityKeyId: []byte{1, 2, 3, 4, 5}, // issuerCert below`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature,`
			`}`

			`var issuerCertTpl = x509.Certificate{`
			`SerialNumber: big.NewInt(10002),`
			`Subject: pkix.Name{CommonName: "tlsprobe.ca.test"},`
			`SignatureAlgorithm: x509.SHA256WithRSA,`
			`PublicKeyAlgorithm: x509.RSA,`
			`Version: 3,`
			`IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},`
			`NotBefore: time.Now().Add(-5 * time.Minute),`
			`NotAfter: time.Now().Add(60 * 24 * time.Hour),`
			`SubjectKeyId: []byte{1, 2, 3, 4, 5},`
			`ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},`
			`KeyUsage: x509.KeyUsageDigitalSignature,`
			`}`

			`func simpleCert() (tls.Certificate, error) {`
			`certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)`
			`if err != nil {`
			`return tls.Certificate{}, err`
			`}`
			`certPrivKeyPEM := new(bytes.Buffer)`
			`pem.Encode(certPrivKeyPEM, &pem.Block{`
			`Type: "RSA PRIVATE KEY",`
			`Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),`
			`})`
			`certBytes, err := x509.CreateCertificate(rand.Reader, &leafCert, &leafCert, &certPrivKey.PublicKey, certPrivKey)`
			`if err != nil {`
			`return tls.Certificate{}, err`
			`}`
			`certPEM := new(bytes.Buffer)`
			`pem.Encode(certPEM, &pem.Block{`
			`Type: "CERTIFICATE",`
			`Bytes: certBytes,`
			`})`
			`return tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes())`
			`}`

			`func TestTLSConnection(t *testing.T) {`
			`crt, err := simpleCert()`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))`
			`srv.TLS = &tls.Config{Certificates: []tls.Certificate{crt}}`
			`srv.StartTLS()`
			`defer srv.Close()`

prober: add TLS probe constructor to split dial addr from cert name So we can probe load balancers by their unique DNS name but without asking for that cert name. Updates tailscale/corp#13050 Change-Id: Ie4c0a2f951328df64281ed1602b4e624e3c8cf2e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-02-19 08:56:58 -08:00			`err = probeTLS(context.Background(), "fail.example.com", srv.Listener.Addr().String())`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`// The specific error message here is platform-specific ("certificate is not trusted"`
			`// on macOS and "certificate signed by unknown authority" on Linux), so only check`
			`// that it contains the word 'certificate'.`
			`if err == nil \|\| !strings.Contains(err.Error(), "certificate") {`
			`t.Errorf("unexpected error: %q", err)`
			`}`
			`}`

			`func TestCertExpiration(t *testing.T) {`
			`for _, tt := range []struct {`
			`name string`
			`cert func() *x509.Certificate`
			`wantErr string`
			`}{`
			`{`
			`"cert not valid yet",`
			`func() *x509.Certificate {`
			`c := leafCert`
			`c.NotBefore = time.Now().Add(time.Hour)`
			`return &c`
			`},`
			`"one of the certs has NotBefore in the future",`
			`},`
			`{`
			`"cert expiring soon",`
			`func() *x509.Certificate {`
			`c := leafCert`
			`c.NotAfter = time.Now().Add(time.Hour)`
			`return &c`
			`},`
			`"one of the certs expires in",`
			`},`
			`} {`
			`t.Run(tt.name, func(t *testing.T) {`
			`cs := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{tt.cert()}}`
			`err := validateConnState(context.Background(), cs)`
			`if err == nil \|\| !strings.Contains(err.Error(), tt.wantErr) {`
			`t.Errorf("unexpected error %q; want %q", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`

prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`type CRLServer struct {`
			`crlBytes []byte`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`}`

prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`func (s CRLServer) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`if s.crlBytes == nil {`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`w.Header().Set("Content-Type", "application/pkix-crl")`
			`w.WriteHeader(http.StatusOK)`
			`w.Write(s.crlBytes)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`}`

prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`func TestCRL(t *testing.T) {`
			`// Generate CA key and self-signed CA cert`
			`caKey, err := rsa.GenerateKey(rand.Reader, 4096)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`caTpl := issuerCertTpl`
			`caTpl.BasicConstraintsValid = true`
			`caTpl.IsCA = true`
			`caTpl.KeyUsage = x509.KeyUsageCertSign \| x509.KeyUsageCRLSign \| x509.KeyUsageDigitalSignature`
			`caBytes, err := x509.CreateCertificate(rand.Reader, &caTpl, &caTpl, &caKey.PublicKey, caKey)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`caCert, err := x509.ParseCertificate(caBytes)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`// Issue a leaf cert signed by the CA`
			`leaf := leafCert`
			`leaf.SerialNumber = big.NewInt(20001)`
			`leaf.Issuer = caCert.Subject`
			`leafKey, err := rsa.GenerateKey(rand.Reader, 4096)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`leafBytes, err := x509.CreateCertificate(rand.Reader, &leaf, caCert, &leafKey.PublicKey, caKey)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`leafCertParsed, err := x509.ParseCertificate(leafBytes)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`// Catch no CRL set by Let's Encrypt date.`
			`noCRLCert := leafCert`
			`noCRLCert.SerialNumber = big.NewInt(20002)`
			`noCRLCert.CRLDistributionPoints = []string{}`
			`noCRLCert.NotBefore = time.Unix(letsEncryptStartedStaplingCRL, 0).Add(-48 * time.Hour)`
			`noCRLCert.Issuer = caCert.Subject`
			`noCRLCertKey, err := rsa.GenerateKey(rand.Reader, 4096)`
			`if err != nil {`
			`t.Fatal(err)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`noCRLStapledBytes, err := x509.CreateCertificate(rand.Reader, &noCRLCert, caCert, &noCRLCertKey.PublicKey, caKey)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`noCRLStapledParsed, err := x509.ParseCertificate(noCRLStapledBytes)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00
			`crlServer := &CRLServer{crlBytes: nil}`
			`srv := httptest.NewServer(crlServer)`
			`defer srv.Close()`

			`// Create a CRL that revokes the leaf cert using x509.CreateRevocationList`
			`now := time.Now()`
			`revoked := []x509.RevocationListEntry{{`
			`SerialNumber: leaf.SerialNumber,`
			`RevocationTime: now,`
			`ReasonCode: 1, // Key compromise`
			`}}`
			`rl := x509.RevocationList{`
			`SignatureAlgorithm: caCert.SignatureAlgorithm,`
			`Issuer: caCert.Subject,`
			`ThisUpdate: now,`
			`NextUpdate: now.Add(24 * time.Hour),`
			`RevokedCertificateEntries: revoked,`
			`Number: big.NewInt(1),`
			`}`
			`rlBytes, err := x509.CreateRevocationList(rand.Reader, &rl, caCert, caKey)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`emptyRlBytes, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(2)}, caCert, caKey)`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`for _, tt := range []struct {`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`name string`
			`cert *x509.Certificate`
			`crlBytes []byte`
			`wantErr string`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`}{`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`{`
			`"ValidCert",`
			`leafCertParsed,`
			`emptyRlBytes,`
			`"",`
			`},`
			`{`
			`"RevokedCert",`
			`leafCertParsed,`
			`rlBytes,`
			`"has been revoked on",`
			`},`
			`{`
			`"EmptyCRL",`
			`leafCertParsed,`
			`emptyRlBytes,`
			`"",`
			`},`
			`{`
			`"NoCRL",`
			`leafCertParsed,`
			`nil,`
prober: fix test logic (#15952) Catch failing tests that have no expected error string. Updates #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> 2025-05-13 09:19:18 -04:00			`"no CRL server presented in leaf cert for",`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`},`
			`{`
			`"NotBeforeCRLStaplingDate",`
			`noCRLStapledParsed,`
			`nil,`
			`"",`
			`},`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`} {`
			`t.Run(tt.name, func(t *testing.T) {`
prober: update cert check for prober (#15919) OCSP has been removed from the LE certs. Use CRL verification instead. If a cert provides a CRL, check its revocation status, if no CRL is provided and otherwise is valid, pass the check. Fixes #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> Co-authored-by: Simon Law <sfllaw@tailscale.com> 2025-05-12 10:25:31 -04:00			`cs := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{tt.cert, caCert}}`
			`if tt.crlBytes != nil {`
			`crlServer.crlBytes = tt.crlBytes`
			`tt.cert.CRLDistributionPoints = []string{srv.URL}`
			`} else {`
			`crlServer.crlBytes = nil`
			`tt.cert.CRLDistributionPoints = []string{}`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`}`
			`err := validateConnState(context.Background(), cs)`

			`if err == nil && tt.wantErr == "" {`
			`return`
			`}`

prober: fix test logic (#15952) Catch failing tests that have no expected error string. Updates #15912 Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com> 2025-05-13 09:19:18 -04:00			`if err == nil \|\| tt.wantErr == "" \|\| !strings.Contains(err.Error(), tt.wantErr) {`
prober: expand certificate verification logic in the TLS prober TLS prober now checks validity period for all server certificates and verifies OCSP revocation status for the leaf cert. Signed-off-by: Anton Tolchanov <anton@tailscale.com> 2022-10-12 18:41:38 +01:00			`t.Errorf("unexpected error %q; want %q", err, tt.wantErr)`
			`}`
			`})`
			`}`
			`}`