openconfig · danielywong · Jul 21, 2023 · Jul 22, 2023 · xw-g · Jan 31, 2024
@@ -0,0 +1,26 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id {
+  name: "security_gnsi_certz"
+  version: 1
+}
+
+# TODO: create authn policy freshness telemetry paths 
+# telemetry_path {
+#   path: "/system/grpc-servers/grpc-server[name=<server>]/state/authn-policy-version"
+# }
+# telemetry_path {
+#   path: "/system/grpc-servers/grpc-server[name=<server>]/state/authn-policy-created-on"
+# }
@@ -0,0 +1,60 @@
+# gNSI TLS Authentication Testing
+
+## Summary
+Test gRPC TLS authentication under various conditions created using
+combinations of different security credentials and artifacts manageable using
+the gNSI protocol, including device certificates, Trust-Bundle (TB),
+Certificate Revocation List (CRL) and Authentication Policy.
+
+## Authentication Policy Enforcement
+
+Test device enforcement of
+[`gnsi.certz.v1.AuthenticationPolicy`](https://github.com/openconfig/gnsi/blob/main/certz/certz.proto)
+against clients connecting with different certificates.  Repeat all test cases
+for every TLS secured service.
+
+Testing of `AuthenticationPolicy` rotation over the gNSI protocol is not within
+the scope of this section.
+
+### Input Args {#input-args}
+
+* `testdata/leaf_cert.pem`: valid client certificate
+* `testdata/leaf_key.pem`: private key for `leaf_cert.pem`
+* `testdata/bad_leaf_cert_1.pem`: client certificate issued by unauthorized issuer
+* `testdata/bad_leaf_key_1.pem`: private key for `bad_leaf_cert_1.pem`
+* `testdata/bad_leaf_cert_2.pem`: client certificate containing inconsistent trust domains
+* `testdata/bad_leaf_key_2.pem`: private key for `bad_leaf_cert_2.pem`
+* `testdata/bad_leaf_cert_3.pem`: client certificate containing inconsistent realm
+* `testdata/bad_leaf_key_3.pem`: private key for `bad_leaf_cert_3.pem`
+
+### DUT service setup
+
+Setup all gRPC services of DUT with the followings:
+* `testdata/leaf_cert.pem`: server certificate
+* `testdata/leaf_key.pem`: private key for `leaf_cert.pem`
+* `testdata/root_cert.pem`: trust bundle
+* `testdata/policy_1.pb`: authentication policy that client certificates are tested against
+* `loas3_disable_realm_consistency_check`: Server flag set according to [Tests](#tests) below.
+
+The following files are included for debugging purposes only:
+* `testdata/policy_1.textproto`: textual format of `policy_1.pb`
+* `testdata/root_key.pem`: private key for `root_cert.pem` used to sign all leaf certificates
+
+All DUT services should also be configured with Authorization Policy that will grant
+access to the clients' identities as minted in their certificates.
+
+### Tests {#tests}
+
+Setup clients to call every test service with the certificate/private-key pairs
+from [Input Args](#input-args) and `root_cert.pem` as trust bundle.
+
+Client Cert/Key | Server Realm Check | Test Expectation
+:-------------- | ------------------ | ----------------
+leaf       | enabled  | RPC returns Ok
+bad leaf 1 | enabled  | !Ok due to signer unauthorized to sign for the certificate's role
+bad leaf 2 | enabled  | !Ok due to mismatch of cert's synthetic and SPIFFE ID trust domains
+bad leaf 3 | enabled  | !Ok due to inconsistent security realm
+leaf       | disabled | RPC returns Ok
+bad leaf 1 | disabled | !Ok due to signer unauthorized to sign for the certificate's role
+bad leaf 2 | disabled | !Ok due to mismatch of cert's synthetic and SPIFFE ID trust domains
+bad leaf 3 | disabled | RPC returns Ok
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICezCCAiGgAwIBAgIUX8IR8WDnhiiIXpwpS5DqybtssD0wCgYIKoZIzj0EAwIw
+NzEXMBUGA1UECgwOc2VjdXJpdHktcmVhbG0xDTALBgNVBAsMBHJvb3QxDTALBgNV
+BAMMBDEyMzQwIBcNMjMwMjAyMjI0NDIwWhgPMjA1MDA2MjAyMjQ0MjBaMBExDzAN
+BgNVBAMMBnVudXNlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFg9DWN1VYrS
+BY7xu0MrvQ6UGl+KjD2dYW09dD+o5a/WRY3yhFDgteVJnu1yxlo7PS4aH1w7WkBQ
+9Lqk5DWlZhijggEtMIIBKTAOBgNVHQ8BAf8EBAMCB4AwIAYDVR0lAQH/BBYwFAYI
+KwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwgaYGA1UdEQEB/wSBmzCB
+mIZHc3BpZmZlOi8vc2lnbmVyLXJvbGUuZ3BpbnMuc2VjdXJpdHktcmVhbG0ucHJv
+ZC5nb29nbGUuY29tL3JvbGUvYmFkLXJvbGWCMXNpZ25lci1yb2xlLmdwaW5zLnNl
+Y3VyaXR5LXJlYWxtLnByb2Quc3BpZmZlLmdvb2eCGnN3aXRjaC1mcWRuLm5ldC5n
+b29nbGUuY29tMB0GA1UdDgQWBBRedrO7onFvRDlEXa2ob8EA17+sLDAfBgNVHSME
+GDAWgBQjLbIYpRUutvN9D0HyJJdDdSxAMzAKBggqhkjOPQQDAgNIADBFAiANW2WR
+ShVmSuig9dgC/tAlCqxTm2/+s1gVPP7IBWrEGAIhAPUGww9wMFk8+OHMvnmgkzhF
+op6I/Z6B5fGPZpxTsAbr
+-----END CERTIFICATE-----
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICeDCCAh2gAwIBAgIUX8IR8WDnhiiIXpwpS5DqybtssD4wCgYIKoZIzj0EAwIw
+NzEXMBUGA1UECgwOc2VjdXJpdHktcmVhbG0xDTALBgNVBAsMBHJvb3QxDTALBgNV
+BAMMBDEyMzQwIBcNMjMwMjAyMjI0NDIwWhgPMjA1MDA2MjAyMjQ0MjBaMBExDzAN
+BgNVBAMMBnVudXNlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNQ+3K4JMXTG
+redZ24cJIS6RXzGFVsrPoxw9eZ9sn5vOwnEYki9Ox+64m85z+JfLd+1pYgk7+2sS
+XtlV5roCi8WjggEpMIIBJTAOBgNVHQ8BAf8EBAMCB4AwIAYDVR0lAQH/BBYwFAYI
+KwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwgaIGA1UdEQEB/wSBlzCB
+lIZIc3BpZmZlOi8vc2lnbmVyLXJvbGUuZ3BpbnMuc2VjdXJpdHktcmVhbG0ucHJv
+ZC5nb29nbGUuY29tL3JvbGUvbGVhZi1yb2xlgixzaWduZXItcm9sZS5ncGlucy5i
+YWQtcmVhbG0ucHJvZC5zcGlmZmUuZ29vZ4Iac3dpdGNoLWZxZG4ubmV0Lmdvb2ds
+ZS5jb20wHQYDVR0OBBYEFO536e4uMT4JHJCPnn2hpg1JrgH0MB8GA1UdIwQYMBaA
+FCMtshilFS62830PQfIkl0N1LEAzMAoGCCqGSM49BAMCA0kAMEYCIQCmBip91rOJ
+gAxHT/dEJnS34d6g6v6qNGK7pZVaDtpq7QIhAMiaLL300yG92aBELv34MfGwukpG
+fJyZB18OgouDwq9U
+-----END CERTIFICATE-----
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICcTCCAhigAwIBAgIUX8IR8WDnhiiIXpwpS5DqybtssD8wCgYIKoZIzj0EAwIw
+NzEXMBUGA1UECgwOc2VjdXJpdHktcmVhbG0xDTALBgNVBAsMBHJvb3QxDTALBgNV
+BAMMBDEyMzQwIBcNMjMwMjAyMjI0NDIwWhgPMjA1MDA2MjAyMjQ0MjBaMBExDzAN
+BgNVBAMMBnVudXNlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPgfOqd4lQ+5
+6WNV0WzcT4gSHAhNEKS5ZNlSZ3MpGcry3CZx1WIvR01wkIAucj27+u4D6IGBdzK0
+8+wTmVsxuhGjggEkMIIBIDAOBgNVHQ8BAf8EBAMCB4AwIAYDVR0lAQH/BBYwFAYI
+KwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwgZ0GA1UdEQEB/wSBkjCB
+j4ZDc3BpZmZlOi8vc2lnbmVyLXJvbGUuZ3BpbnMuYmFkLXJlYWxtLnByb2QuZ29v
+Z2xlLmNvbS9yb2xlL2xlYWYtcm9sZYIsc2lnbmVyLXJvbGUuZ3BpbnMuYmFkLXJl
+YWxtLnByb2Quc3BpZmZlLmdvb2eCGnN3aXRjaC1mcWRuLm5ldC5nb29nbGUuY29t
+MB0GA1UdDgQWBBQFx4Y8xPxouO9y2DG93Ha36jSmRzAfBgNVHSMEGDAWgBQjLbIY
+pRUutvN9D0HyJJdDdSxAMzAKBggqhkjOPQQDAgNHADBEAiAEA8uIVICrEho14Svs
+vHpUkGxGzpQHIcZWJg4OxTp40wIgVFm6c1JZC5IRNNeINffa2yEWzJvkGwCfc7Kw
+xyCKxrI=
+-----END CERTIFICATE-----
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgURv4QCjy/jVDGWwO
+6S5iTOHXwwHpMrvhBsdD1wX6CeihRANCAARYPQ1jdVWK0gWO8btDK70OlBpfiow9
+nWFtPXQ/qOWv1kWN8oRQ4LXlSZ7tcsZaOz0uGh9cO1pAUPS6pOQ1pWYY
+-----END PRIVATE KEY-----
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgVsW8zWaTgwVHnHWv
+8pWEnt+0tB5jiDMQlh9BJP6sTcihRANCAATUPtyuCTF0xq3nWduHCSEukV8xhVbK
+z6McPXmfbJ+bzsJxGJIvTsfuuJvOc/iXy3ftaWIJO/trEl7ZVea6AovF
+-----END PRIVATE KEY-----
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgWKYW6yuOmtbpKnem
+K1wrELKdzCuu2w58Yhn3y9kxeQOhRANCAAT4HzqneJUPueljVdFs3E+IEhwITRCk
+uWTZUmdzKRnK8twmcdViL0dNcJCALnI9u/ruA+iBgXcytPPsE5lbMboR
+-----END PRIVATE KEY-----
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICfTCCAiKgAwIBAgIUX8IR8WDnhiiIXpwpS5DqybtssDwwCgYIKoZIzj0EAwIw
+NzEXMBUGA1UECgwOc2VjdXJpdHktcmVhbG0xDTALBgNVBAsMBHJvb3QxDTALBgNV
+BAMMBDEyMzQwIBcNMjMwMjAyMjI0NDIwWhgPMjA1MDA2MjAyMjQ0MjBaMBExDzAN
+BgNVBAMMBnVudXNlZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABARBwVsT5yGL
+trXx12HA5ARM38aYhK+2oKmVgvp0UBUN6UxAiu5LMU3OrUoptl5A7KOP/wXZB3YE
+pHd2d+xRACyjggEuMIIBKjAOBgNVHQ8BAf8EBAMCB4AwIAYDVR0lAQH/BBYwFAYI
+KwYBBQUHAwIGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwgacGA1UdEQEB/wSBnDCB
+mYZIc3BpZmZlOi8vc2lnbmVyLXJvbGUuZ3BpbnMuc2VjdXJpdHktcmVhbG0ucHJv
+ZC5nb29nbGUuY29tL3JvbGUvbGVhZi1yb2xlgjFzaWduZXItcm9sZS5ncGlucy5z
+ZWN1cml0eS1yZWFsbS5wcm9kLnNwaWZmZS5nb29nghpzd2l0Y2gtZnFkbi5uZXQu
+Z29vZ2xlLmNvbTAdBgNVHQ4EFgQUJSGwv0OGf7boij1r3sfh34Q6N0UwHwYDVR0j
+BBgwFoAUIy2yGKUVLrbzfQ9B8iSXQ3UsQDMwCgYIKoZIzj0EAwIDSQAwRgIhAPXa
+lUFu7dtZG1OpV9QEn/7j9NbVtax4xVef4JmVJqPDAiEAiybKi3je0XKulAJ4ux1r
+O1w7rBQAbXnd3urYZ+FsI+E=
+-----END CERTIFICATE-----
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgo5zvCj2bjHeyWfS9
+GXIIXLiCCmcqvgtQsKlCe9gY9z+hRANCAAQEQcFbE+chi7a18ddhwOQETN/GmISv
+tqCplYL6dFAVDelMQIruSzFNzq1KKbZeQOyjj/8F2Qd2BKR3dnfsUQAs
+-----END PRIVATE KEY-----
@@ -0,0 +1,5 @@
+
+$
+2
+signer-role*2
+	leaf-role (
@@ -0,0 +1,12 @@
+whitelisted_master {
+  master {
+    scope: MDB_USER
+    mdb_user { user_name: "signer-role" }
+  }
+  whitelisted_role {
+    scope: MDB_USER
+    mdb_user { user_name: "leaf-role" }
+  }
+}
+serial_no: 2
+last_update_timestamp_secs: 2
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBtTCCAVqgAwIBAgIUEQFeEEEWW3I5WUl+LS10gE0F85YwCgYIKoZIzj0EAwIw
+NzEXMBUGA1UECgwOc2VjdXJpdHktcmVhbG0xDTALBgNVBAsMBHJvb3QxDTALBgNV
+BAMMBDEyMzQwIBcNMjMwMjAyMjI0NDIwWhgPMjA1MDA2MjAyMjQ0MjBaMDcxFzAV
+BgNVBAoMDnNlY3VyaXR5LXJlYWxtMQ0wCwYDVQQLDARyb290MQ0wCwYDVQQDDAQx
+MjM0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE3XOe+hm3BCEwJAwW3GyNpKIz
+ouZ+NEje4Olt8cIuiqA19vgFXp2vQQ30RiimLfpkiztHOlvWxpRDZZokIMX16qNC
+MEAwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCMt
+shilFS62830PQfIkl0N1LEAzMAoGCCqGSM49BAMCA0kAMEYCIQDfA/naY+lZ9ThV
+mql8gzoJJfo0pIDgEQZh/liKS4/mxwIhAKB/EkGPWG46Db4WjnRjUmc51JsWvp02
+JVwJBIxPuRDg
+-----END CERTIFICATE-----
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgntuqi1ukrQRqcE1g
+93T/QqaRBjpgwQIWfrKdZ3DllyuhRANCAATdc576GbcEITAkDBbcbI2kojOi5n40
+SN7g6W3xwi6KoDX2+AVena9BDfRGKKYt+mSLO0c6W9bGlENlmiQgxfXq
+-----END PRIVATE KEY-----