forked from bgpsecurity/rpstir
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Construct some simple RPKI hierarchies and try every possible object insertion order to see if it's possible for a valid object with an evil parent to ever be considered invalid. addresses [bgpsecurity#29]
- Loading branch information
Showing
24 changed files
with
483 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| /*.cache/ | ||
| /*.cer | ||
| /*.key | ||
| /*.roa | ||
| /evil-twin-common.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| This directory contains tests for vulnerabilities to the "evil twin" | ||
| attack. | ||
|
|
||
| The goal of the evil twin attack is to make a good object look bad. | ||
| The malicious CA signs and publishes a certificate that reuses the | ||
| public key, subject, and SKI from a victim certificate. This new | ||
| certificate (the "evil twin" certificate) is either: | ||
|
|
||
| * invalid because it uses resources not held by the malicious CA, or | ||
|
|
||
| * valid but not a valid parent of the objects signed by the victim | ||
| certificate because the objects signed by the victim certificate | ||
| have resources outside of the evil twin certificate. | ||
|
|
||
| Either way, if the RP software is buggy and considers the evil twin to | ||
| be the parent of objects that were actually signed by the victim | ||
| (because the subject, SKI, and public keys match), those good objects | ||
| would be incorrectly invalidated. | ||
|
|
||
| The test scripts in this directory use different toy hierarchies to | ||
| cover a wide range of scenarios. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=CA | ||
| issuer=ta-evil | ||
| subject=ca-good | ||
| aia=rsync://invalid/ | ||
| sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft | ||
| ipv4=0.0.0.0/16 | ||
| ipv6=::/32 | ||
| as=1-63 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-evil.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-evil.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ca-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=CA | ||
| issuer=ta-evil | ||
| subject=ca-good | ||
| aia=rsync://invalid/ | ||
| sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft | ||
| ipv4=1.0.0.0/16 | ||
| ipv6=1::/32 | ||
| as=128-191 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-evil.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-evil.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ca-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=CA | ||
| issuer=ta-good | ||
| subject=ca-good | ||
| aia=rsync://invalid/ | ||
| sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft | ||
| ipv4=0.0.0.0/16 | ||
| ipv6=::/32 | ||
| as=1-63 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-good.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-good.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ca-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=EE | ||
| issuer=ta-evil | ||
| subject=ee-good | ||
| aia=rsync://invalid/ | ||
| sia=s:rsync://invalid/ | ||
| ipv4=0.0.0.0/24 | ||
| ipv6=::/48 | ||
| as=1-31 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-evil.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-evil.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ee-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| roaipv4=0.0.0.0/25 | ||
| roaipv6=::/64 | ||
| asid=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=EE | ||
| issuer=ta-evil | ||
| subject=ee-good | ||
| aia=rsync://invalid/ | ||
| sia=s:rsync://invalid/ | ||
| ipv4=1.0.0.0/24 | ||
| ipv6=1::/48 | ||
| as=128-159 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-evil.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-evil.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ee-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| roaipv4=0.0.0.0/25 | ||
| roaipv6=::/64 | ||
| asid=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| type=EE | ||
| issuer=ta-good | ||
| subject=ee-good | ||
| aia=rsync://invalid/ | ||
| sia=s:rsync://invalid/ | ||
| ipv4=0.0.0.0/24 | ||
| ipv6=::/48 | ||
| as=1-31 | ||
| selfsigned=false | ||
| parentcertfile=tests/subsystem/evil-twin/ta-good.cer | ||
| parentkeyfile=tests/subsystem/evil-twin/ta-good.key | ||
| subjkeyfile=tests/subsystem/evil-twin/ee-good.key |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| roaipv4=0.0.0.0/25 | ||
| roaipv6=::/64 | ||
| asid=1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| #!/bin/sh | ||
|
|
||
| # This scenario uses the following forest: | ||
| # | ||
| # | ||
| # Good TA (valid) Evil TA (valid) | ||
| # IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8 | ||
| # IPv6: ::/16 IPv6: 1::/16 | ||
| # AS: 1-127 AS: 128-255 | ||
| # | | | ||
| # | | | ||
| # Good CA (valid) Evil CA (invalid, this is the "evil twin" of Good CA) | ||
| # IPv4: 0.0.0.0/16 IPv4: 0.0.0.0/16 (outside of issuer resoures) | ||
| # IPv6: ::/32 IPv6: ::/32 (outside of issuer resources) | ||
| # AS: 1-63 AS: 1-63 (outside of issuer resources) | ||
| # | | ||
| # | | ||
| # Test1 CA (valid) | ||
| # IPv4: 0.0.0.0/24 | ||
| # IPv6: ::/48 | ||
| # AS: 1-31 | ||
| # | ||
| # The five objects above are added to the database one at a time. To | ||
| # ensure that the order in which the objects are added does not affect | ||
| # the outcome, all permutations are tried (the database is scrubbed | ||
| # between permutations). The result looks like this: | ||
| # | ||
| # 1. ta-good.cer ta-evil.cer ca-good.cer ca-evil.cer test1-ca.cer | ||
| # 2. ta-good.cer ta-evil.cer ca-good.cer test1-ca.cer ca-evil.cer | ||
| # 3. ta-good.cer ta-evil.cer ca-evil.cer ca-good.cer test1-ca.cer | ||
| # 4. ta-good.cer ta-evil.cer ca-evil.cer test1-ca.cer ca-good.cer | ||
| # ... | ||
| # 120. test1-ca.cer ca-evil.cer ca-good.cer ta-evil.cer ta-good.cer | ||
|
|
||
| . "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1 | ||
|
|
||
| files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-invalid.cer test1-ca.cer" | ||
| exp="ta-good.cer ta-evil.cer ca-good.cer test1-ca.cer" | ||
|
|
||
| run_tests "${files}" "${exp}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/bin/sh | ||
|
|
||
| # This scenario is the same as evil-twin-ca-invalid-1 except the Test1 | ||
| # CA certificate is replaced by a ROA: | ||
| # | ||
| # Good TA (valid) Evil TA (valid) | ||
| # IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8 | ||
| # IPv6: ::/16 IPv6: 1::/16 | ||
| # AS: 1-127 AS: 128-255 | ||
| # | | | ||
| # | | | ||
| # Good CA (valid) Evil CA (invalid, this is the "evil twin" of Good CA) | ||
| # IPv4: 0.0.0.0/16 IPv4: 0.0.0.0/16 (outside of issuer resoures) | ||
| # IPv6: ::/32 IPv6: ::/32 (outside of issuer resources) | ||
| # AS: 1-63 AS: 1-63 (outside of issuer resources) | ||
| # | | ||
| # | | ||
| # Test2 ROA (valid) | ||
| # IPv4: 0.0.0.0/25 | ||
| # IPv6: ::/64 | ||
| # AS: 1 | ||
| # via Test2 EE (valid): | ||
| # IPv4: 0.0.0.0/24 | ||
| # IPv6: ::/48 | ||
| # AS: 1-31 | ||
|
|
||
| . "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1 | ||
|
|
||
| files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-invalid.cer test2-ee.roa" | ||
| exp="ta-good.cer ta-evil.cer ca-good.cer test2-ee.roa test2-ee.roa.cer" | ||
|
|
||
| run_tests "${files}" "${exp}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| #!/bin/sh | ||
|
|
||
| # This scenario is the same as evil-twin-ca-invalid-1 except the Evil | ||
| # CA certificate has its resources altered to be valid: | ||
| # | ||
| # Good TA (valid) Evil TA (valid) | ||
| # IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8 | ||
| # IPv6: ::/16 IPv6: 1::/16 | ||
| # AS: 1-127 AS: 128-255 | ||
| # | | | ||
| # | | | ||
| # Good CA (valid) Evil CA (valid, this is the "evil twin" of Good CA) | ||
| # IPv4: 0.0.0.0/16 IPv4: 1.0.0.0/16 (modified resources to be valid) | ||
| # IPv6: ::/32 IPv6: 1::/32 (modified resources to be valid) | ||
| # AS: 1-63 AS: 128-191 (modified resources to be valid) | ||
| # | | ||
| # | | ||
| # Test1 CA (valid) | ||
| # IPv4: 0.0.0.0/24 | ||
| # IPv6: ::/48 | ||
| # AS: 1-31 | ||
|
|
||
| . "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1 | ||
|
|
||
| files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-valid.cer test1-ca.cer" | ||
| exp=${files} | ||
|
|
||
| # override testcase() to set xfail for cases that are known to fail | ||
| testcase() { | ||
| pass=true | ||
| # if the evil hierarchy is completely added before the test CA, or | ||
| # if the entire evil hierarchy and the test CA are added before | ||
| # the good hierarchy is completely added, then it will fail. | ||
| # stated another way, if the good hierarchy and test CA are added | ||
| # before the bad hierarchy is completely added, then it will pass. | ||
| case $(printf " %s " $4) in | ||
| *evil*evil*" test1-ca.cer "*) pass=false;; | ||
| *evil*" test1-ca.cer "*evil*good*) pass=false;; | ||
| *" test1-ca.cer "*evil*evil*good*) pass=false;; | ||
| esac | ||
| if "${pass}"; then | ||
| t4s_testcase "$@" | ||
| else | ||
| t4s_testcase --xfail "see ticket #29" "$@" | ||
| fi | ||
| } | ||
|
|
||
| run_tests "${files}" "${exp}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| #!/bin/sh | ||
|
|
||
| # This scenario is the same as evil-twin-ca-valid-1 except the Test1 | ||
| # CA certificate is replaced with a ROA as in evil-twin-ca-invalid-2: | ||
| # | ||
| # Good TA (valid) Evil TA (valid) | ||
| # IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8 | ||
| # IPv6: ::/16 IPv6: 1::/16 | ||
| # AS: 1-127 AS: 128-255 | ||
| # | | | ||
| # | | | ||
| # Good CA (valid) Evil CA (valid, this is the "evil twin" of Good CA) | ||
| # IPv4: 0.0.0.0/16 IPv4: 1.0.0.0/16 (modified resources to be valid) | ||
| # IPv6: ::/32 IPv6: 1::/32 (modified resources to be valid) | ||
| # AS: 1-63 AS: 128-191 (modified resources to be valid) | ||
| # | | ||
| # | | ||
| # Test2 ROA (valid) | ||
| # IPv4: 0.0.0.0/25 | ||
| # IPv6: ::/64 | ||
| # AS: 1 | ||
| # via Test2 EE (valid): | ||
| # IPv4: 0.0.0.0/24 | ||
| # IPv6: ::/48 | ||
| # AS: 1-31 | ||
|
|
||
| . "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1 | ||
|
|
||
| files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-valid.cer test2-ee.roa" | ||
| exp=${files}" test2-ee.roa.cer" | ||
|
|
||
| # override testcase() to set xfail for cases that are known to fail | ||
| testcase() { | ||
| pass=true | ||
| # if the evil hierarchy is completely added before the test ROA, | ||
| # or if the entire evil hierarchy and the test ROA are added | ||
| # before the good hierarchy is completely added, then it will fail | ||
| # stated another way, if the good hierarchy and test ROA are added | ||
| # before the bad hierarchy is completely added, then it will pass. | ||
| case $(printf " %s " $4) in | ||
| *evil*evil*" test2-ee.roa "*) pass=false;; | ||
| *evil*" test2-ee.roa "*evil*good*) pass=false;; | ||
| *" test2-ee.roa "*evil*evil*good*) pass=false;; | ||
| esac | ||
| if "${pass}"; then | ||
| t4s_testcase "$@" | ||
| else | ||
| t4s_testcase --xfail "see ticket #29" "$@" | ||
| fi | ||
| } | ||
|
|
||
| run_tests "${files}" "${exp}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| @SETUP_ENVIRONMENT@ | ||
|
|
||
| t4s_setup | ||
|
|
||
| u=${TESTS_TOP_SRCDIR}/tests/util.sh | ||
| . "${u}" || t4s_bailout "unable to load ${u}" | ||
|
|
||
| cd "${TESTS_BUILDDIR}" || t4s_bailout "unable to cd to ${TESTS_BUILDDIR}" | ||
|
|
||
| run_tests() { | ||
| test_perms "${0##*/}".cache "$@" | ||
| t4s_done | ||
| } |
Oops, something went wrong.