From 7d3ce4faae1602cbc5b50d2743be32e36bf3692a Mon Sep 17 00:00:00 2001 
From: Richard Hansen
Date: Mon, 8 Jun 2015 17:28:15 -0400
Subject: [PATCH] add evil twin tests
Construct some simple RPKI hierarchies and try every possible object insertion order to see if it's possible for a valid object with an evil parent to ever be considered invalid.
addresses [#29]
---
 mk/rpki.mk | 84 +++++++++++++++++++
 tests/subsystem/evil-twin/.gitignore | 5 ++
 tests/subsystem/evil-twin/README.txt | 21 +++++
 .../evil-twin/ca-evil-invalid.options | 12 +++
 .../subsystem/evil-twin/ca-evil-valid.options | 12 +++
 tests/subsystem/evil-twin/ca-good.options | 12 +++
 .../evil-twin/ee-evil-invalid.options | 12 +++
 .../evil-twin/ee-evil-invalid.roa.options | 3 +
 .../subsystem/evil-twin/ee-evil-valid.options | 12 +++
 .../evil-twin/ee-evil-valid.roa.options | 3 +
 tests/subsystem/evil-twin/ee-good.options | 12 +++
 tests/subsystem/evil-twin/ee-good.roa.options | 3 +
 .../evil-twin/evil-twin-ca-invalid-1.tap | 40 +++++++++
 .../evil-twin/evil-twin-ca-invalid-2.tap | 32 +++++++
 .../evil-twin/evil-twin-ca-valid-1.tap | 48 +++++++++++
 .../evil-twin/evil-twin-ca-valid-2.tap | 52 ++++++++++++
 .../evil-twin/evil-twin-common.sh.in | 13 +++
 .../evil-twin/evil-twin-ee-invalid.tap | 35 ++++++++
 .../evil-twin/evil-twin-ee-valid.tap | 27 ++++++
 tests/subsystem/evil-twin/ta-evil.options | 9 ++
 tests/subsystem/evil-twin/ta-good.options | 9 ++
 tests/subsystem/evil-twin/test1-ca.options | 12 +++
 tests/subsystem/evil-twin/test2-ee.options | 12 +++
 .../subsystem/evil-twin/test2-ee.roa.options | 3 +
 24 files changed, 483 insertions(+)
 create mode 100644 tests/subsystem/evil-twin/.gitignore
 create mode 100644 tests/subsystem/evil-twin/README.txt
 create mode 100644 tests/subsystem/evil-twin/ca-evil-invalid.options
 create mode 100644 tests/subsystem/evil-twin/ca-evil-valid.options
 create mode 100644 tests/subsystem/evil-twin/ca-good.options
 create mode 100644 tests/subsystem/evil-twin/ee-evil-invalid.options
 create mode 100644 tests/subsystem/evil-twin/ee-evil-invalid.roa.options
 create mode 100644 tests/subsystem/evil-twin/ee-evil-valid.options
 create mode 100644 tests/subsystem/evil-twin/ee-evil-valid.roa.options
 create mode 100644 tests/subsystem/evil-twin/ee-good.options
 create mode 100644 tests/subsystem/evil-twin/ee-good.roa.options
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ca-invalid-1.tap
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ca-invalid-2.tap
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ca-valid-1.tap
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ca-valid-2.tap
 create mode 100644 tests/subsystem/evil-twin/evil-twin-common.sh.in
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ee-invalid.tap
 create mode 100755 tests/subsystem/evil-twin/evil-twin-ee-valid.tap
 create mode 100644 tests/subsystem/evil-twin/ta-evil.options
 create mode 100644 tests/subsystem/evil-twin/ta-good.options
 create mode 100644 tests/subsystem/evil-twin/test1-ca.options
 create mode 100644 tests/subsystem/evil-twin/test2-ee.options
 create mode 100644 tests/subsystem/evil-twin/test2-ee.roa.options
diff --git a/mk/rpki.mk b/mk/rpki.mk
index 0694b4d8..9ebf4974 100644
--- a/mk/rpki.mk
+++ b/mk/rpki.mk
@@ -87,6 +87,90 @@ clean-local: clean-roa-ee-munge
 clean-roa-ee-munge:
 rm -rf tests/subsystem/roa-ee-munge/roa-ee-munge.tap.cache
+######################################################################
+## evil twin tests
+######################################################################
+EVIL_TWIN_TESTS = \
+ tests/subsystem/evil-twin/evil-twin-ca-invalid-1.tap \
+ tests/subsystem/evil-twin/evil-twin-ca-invalid-2.tap \
+ tests/subsystem/evil-twin/evil-twin-ca-valid-1.tap \
+ tests/subsystem/evil-twin/evil-twin-ca-valid-2.tap \
+ tests/subsystem/evil-twin/evil-twin-ee-invalid.tap \
+ tests/subsystem/evil-twin/evil-twin-ee-valid.tap
+TESTS += ${EVIL_TWIN_TESTS}
+EXTRA_DIST += ${EVIL_TWIN_TESTS}
+check_SCRIPTS += \
+ tests/subsystem/evil-twin/evil-twin-common.sh
+tests/subsystem/evil-twin/evil-twin-common.sh: \
+ tests/subsystem/evil-twin/evil-twin-common.sh.in
+MK_SUBST_FILES += \
+ tests/subsystem/evil-twin/evil-twin-common.sh
+CERTS += \
+ tests/subsystem/evil-twin/ta-good.cer \
+ tests/subsystem/evil-twin/ta-evil.cer \
+ tests/subsystem/evil-twin/ca-good.cer \
+ tests/subsystem/evil-twin/ca-evil-invalid.cer \
+ tests/subsystem/evil-twin/ca-evil-valid.cer \
+ tests/subsystem/evil-twin/test1-ca.cer \
+ tests/subsystem/evil-twin/test2-ee.cer \
+ tests/subsystem/evil-twin/ee-good.cer \
+ tests/subsystem/evil-twin/ee-evil-invalid.cer \
+ tests/subsystem/evil-twin/ee-evil-valid.cer
+ROAS += \
+ tests/subsystem/evil-twin/test2-ee.roa \
+ tests/subsystem/evil-twin/ee-good.roa \
+ tests/subsystem/evil-twin/ee-evil-invalid.roa \
+ tests/subsystem/evil-twin/ee-evil-valid.roa
+tests/subsystem/evil-twin/ta-good.cer: \
+ tests/subsystem/evil-twin/ta-good.options \
+ tests/subsystem/evil-twin/ta-good.key
+tests/subsystem/evil-twin/ta-evil.cer: \
+ tests/subsystem/evil-twin/ta-evil.options \
+ tests/subsystem/evil-twin/ta-evil.key
+tests/subsystem/evil-twin/ca-good.cer: \
+ tests/subsystem/evil-twin/ca-good.options \
+ tests/subsystem/evil-twin/ca-good.key
+tests/subsystem/evil-twin/ca-evil-invalid.cer: \
+ tests/subsystem/evil-twin/ca-evil-invalid.options \
+ tests/subsystem/evil-twin/ca-evil-invalid.key
+tests/subsystem/evil-twin/ca-evil-valid.cer: \
+ tests/subsystem/evil-twin/ca-evil-valid.options \
+ tests/subsystem/evil-twin/ca-evil-valid.key
+tests/subsystem/evil-twin/test1-ca.cer: \
+ tests/subsystem/evil-twin/test1-ca.options \
+ tests/subsystem/evil-twin/test1-ca.key
+tests/subsystem/evil-twin/test2-ee.cer: \
+ tests/subsystem/evil-twin/test2-ee.options \
+ tests/subsystem/evil-twin/test2-ee.key
+tests/subsystem/evil-twin/test2-ee.roa: \
+ tests/subsystem/evil-twin/test2-ee.cer \
+ tests/subsystem/evil-twin/test2-ee.key \
+ tests/subsystem/evil-twin/test2-ee.roa.options
+tests/subsystem/evil-twin/ee-good.cer: \
+ tests/subsystem/evil-twin/ee-good.options \
+ tests/subsystem/evil-twin/ee-good.key
+tests/subsystem/evil-twin/ee-good.roa: \
+ tests/subsystem/evil-twin/ee-good.cer \
+ tests/subsystem/evil-twin/ee-good.key \
+ tests/subsystem/evil-twin/ee-good.roa.options
+tests/subsystem/evil-twin/ee-evil-invalid.cer: \
+ tests/subsystem/evil-twin/ee-evil-invalid.options \
+ tests/subsystem/evil-twin/ee-evil-invalid.key
+tests/subsystem/evil-twin/ee-evil-invalid.roa: \
+ tests/subsystem/evil-twin/ee-evil-invalid.cer \
+ tests/subsystem/evil-twin/ee-evil-invalid.key \
+ tests/subsystem/evil-twin/ee-evil-invalid.roa.options
+tests/subsystem/evil-twin/ee-evil-valid.cer: \
+ tests/subsystem/evil-twin/ee-evil-valid.options \
+ tests/subsystem/evil-twin/ee-evil-valid.key
+tests/subsystem/evil-twin/ee-evil-valid.roa: \
+ tests/subsystem/evil-twin/ee-evil-valid.cer \
+ tests/subsystem/evil-twin/ee-evil-valid.key \
+ tests/subsystem/evil-twin/ee-evil-valid.roa.options
+clean-local: clean-evil-twin
+clean-evil-twin:
+ rm -rf ${EVIL_TWIN_TESTS:=.cache}
+
 ######################################################################
 ## chaser
 ######################################################################
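Review bot: The evil-twin certificate rules on this line list a `.key` prerequisite that the matching options file never uses: `ca-evil-invalid.cer` depends on `ca-evil-invalid.key`, while `ca-evil-invalid.options` sets `subjkeyfile=tests/subsystem/evil-twin/ca-good.key` (the same mismatch exists for ca-evil-valid, ee-evil-invalid and ee-evil-valid). Sharing the good subject key is what makes the twin a twin, so if `ca-good.key` is regenerated, `ca-good.cer` is rebuilt but the twin is not and the tests silently stop exercising the evil-twin path; under a parallel build the twin can also be generated before that key exists. None of the child `.cer` rules names its parent `.cer`/`.key` either, unless the generic rule elsewhere in this file derives them from the options, which I cannot see from here. I would make the prerequisites the files the options actually reference, e.g. `tests/subsystem/evil-twin/ca-evil-invalid.cer: \` / ` tests/subsystem/evil-twin/ca-evil-invalid.options \` / ` tests/subsystem/evil-twin/ca-good.key tests/subsystem/evil-twin/ta-evil.cer`.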
diff --git a/tests/subsystem/evil-twin/.gitignore b/tests/subsystem/evil-twin/.gitignore
new file mode 100644
index 00000000..e1736a71
--- /dev/null
+++ b/tests/subsystem/evil-twin/.gitignore
@@ -0,0 +1,5 @@
+/*.cache/
+/*.cer
+/*.key
+/*.roa
+/evil-twin-common.sh
diff --git a/tests/subsystem/evil-twin/README.txt b/tests/subsystem/evil-twin/README.txt
new file mode 100644
index 00000000..64b6d80d
--- /dev/null
+++ b/tests/subsystem/evil-twin/README.txt
@@ -0,0 +1,21 @@
+This directory contains tests for vulnerabilities to the "evil twin"
+attack.
+
+The goal of the evil twin attack is to make a good object look bad.
+The malicious CA signs and publishes a certificate that reuses the
+public key, subject, and SKI from a victim certificate. This new
+certificate (the "evil twin" certificate) is either:
+
+ * invalid because it uses resources not held by the malicious CA, or
+
+ * valid but not a valid parent of the objects signed by the victim
+ certificate because the objects signed by the victim certificate
+ have resources outside of the evil twin certificate.
+
+Either way, if the RP software is buggy and considers the evil twin to
+be the parent of objects that were actually signed by the victim
+(because the subject, SKI, and public keys match), those good objects
+would be incorrectly invalidated.
+
+The test scripts in this directory use different toy hierarchies to
+cover a wide range of scenarios.
diff --git a/tests/subsystem/evil-twin/ca-evil-invalid.options b/tests/subsystem/evil-twin/ca-evil-invalid.options
new file mode 100644
index 00000000..428f5c8b
--- /dev/null
+++ b/tests/subsystem/evil-twin/ca-evil-invalid.options
@@ -0,0 +1,12 @@
+type=CA
+issuer=ta-evil
+subject=ca-good
+aia=rsync://invalid/
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=0.0.0.0/16
+ipv6=::/32
+as=1-63
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-evil.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-evil.key
+subjkeyfile=tests/subsystem/evil-twin/ca-good.key
diff --git a/tests/subsystem/evil-twin/ca-evil-valid.options b/tests/subsystem/evil-twin/ca-evil-valid.options
new file mode 100644
index 00000000..fc53577f
--- /dev/null
+++ b/tests/subsystem/evil-twin/ca-evil-valid.options
@@ -0,0 +1,12 @@
+type=CA
+issuer=ta-evil
+subject=ca-good
+aia=rsync://invalid/
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=1.0.0.0/16
+ipv6=1::/32
+as=128-191
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-evil.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-evil.key
+subjkeyfile=tests/subsystem/evil-twin/ca-good.key
diff --git a/tests/subsystem/evil-twin/ca-good.options b/tests/subsystem/evil-twin/ca-good.options
new file mode 100644
index 00000000..17aa40c6
--- /dev/null
+++ b/tests/subsystem/evil-twin/ca-good.options
@@ -0,0 +1,12 @@
+type=CA
+issuer=ta-good
+subject=ca-good
+aia=rsync://invalid/
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=0.0.0.0/16
+ipv6=::/32
+as=1-63
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-good.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-good.key
+subjkeyfile=tests/subsystem/evil-twin/ca-good.key
diff --git a/tests/subsystem/evil-twin/ee-evil-invalid.options b/tests/subsystem/evil-twin/ee-evil-invalid.options
new file mode 100644
index 00000000..e9094d5e
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-evil-invalid.options
@@ -0,0 +1,12 @@
+type=EE
+issuer=ta-evil
+subject=ee-good
+aia=rsync://invalid/
+sia=s:rsync://invalid/
+ipv4=0.0.0.0/24
+ipv6=::/48
+as=1-31
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-evil.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-evil.key
+subjkeyfile=tests/subsystem/evil-twin/ee-good.key
diff --git a/tests/subsystem/evil-twin/ee-evil-invalid.roa.options b/tests/subsystem/evil-twin/ee-evil-invalid.roa.options
new file mode 100644
index 00000000..aa6c453d
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-evil-invalid.roa.options
@@ -0,0 +1,3 @@
+roaipv4=0.0.0.0/25
+roaipv6=::/64
+asid=1
diff --git a/tests/subsystem/evil-twin/ee-evil-valid.options b/tests/subsystem/evil-twin/ee-evil-valid.options
new file mode 100644
index 00000000..597d5315
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-evil-valid.options
@@ -0,0 +1,12 @@
+type=EE
+issuer=ta-evil
+subject=ee-good
+aia=rsync://invalid/
+sia=s:rsync://invalid/
+ipv4=1.0.0.0/24
+ipv6=1::/48
+as=128-159
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-evil.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-evil.key
+subjkeyfile=tests/subsystem/evil-twin/ee-good.key
diff --git a/tests/subsystem/evil-twin/ee-evil-valid.roa.options b/tests/subsystem/evil-twin/ee-evil-valid.roa.options
new file mode 100644
index 00000000..aa6c453d
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-evil-valid.roa.options
@@ -0,0 +1,3 @@
+roaipv4=0.0.0.0/25
+roaipv6=::/64
+asid=1
diff --git a/tests/subsystem/evil-twin/ee-good.options b/tests/subsystem/evil-twin/ee-good.options
new file mode 100644
index 00000000..1a01dbc7
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-good.options
@@ -0,0 +1,12 @@
+type=EE
+issuer=ta-good
+subject=ee-good
+aia=rsync://invalid/
+sia=s:rsync://invalid/
+ipv4=0.0.0.0/24
+ipv6=::/48
+as=1-31
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ta-good.cer
+parentkeyfile=tests/subsystem/evil-twin/ta-good.key
+subjkeyfile=tests/subsystem/evil-twin/ee-good.key
diff --git a/tests/subsystem/evil-twin/ee-good.roa.options b/tests/subsystem/evil-twin/ee-good.roa.options
new file mode 100644
index 00000000..aa6c453d
--- /dev/null
+++ b/tests/subsystem/evil-twin/ee-good.roa.options
@@ -0,0 +1,3 @@
+roaipv4=0.0.0.0/25
+roaipv6=::/64
+asid=1
diff --git a/tests/subsystem/evil-twin/evil-twin-ca-invalid-1.tap b/tests/subsystem/evil-twin/evil-twin-ca-invalid-1.tap
new file mode 100755
index 00000000..1f5a7977
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ca-invalid-1.tap
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# This scenario uses the following forest:
+#
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good CA (valid) Evil CA (invalid, this is the "evil twin" of Good CA)
+# IPv4: 0.0.0.0/16 IPv4: 0.0.0.0/16 (outside of issuer resoures)
+# IPv6: ::/32 IPv6: ::/32 (outside of issuer resources)
+# AS: 1-63 AS: 1-63 (outside of issuer resources)
+# |
+# |
+# Test1 CA (valid)
+# IPv4: 0.0.0.0/24
+# IPv6: ::/48
+# AS: 1-31
+#
+# The five objects above are added to the database one at a time. To
+# ensure that the order in which the objects are added does not affect
+# the outcome, all permutations are tried (the database is scrubbed
+# between permutations). The result looks like this:
+#
+# 1. ta-good.cer ta-evil.cer ca-good.cer ca-evil.cer test1-ca.cer
+# 2. ta-good.cer ta-evil.cer ca-good.cer test1-ca.cer ca-evil.cer
+# 3. ta-good.cer ta-evil.cer ca-evil.cer ca-good.cer test1-ca.cer
+# 4. ta-good.cer ta-evil.cer ca-evil.cer test1-ca.cer ca-good.cer
+# ...
+# 120. test1-ca.cer ca-evil.cer ca-good.cer ta-evil.cer ta-good.cer
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-invalid.cer test1-ca.cer"
+exp="ta-good.cer ta-evil.cer ca-good.cer test1-ca.cer"
+
+run_tests "${files}" "${exp}"
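Review bot: The permutation listing in the header comment names `ca-evil.cer`, but the object actually added is `ca-evil-invalid.cer` (see the `files=` assignment near the end of the hunk), so the comment describes a file that does not exist in this directory; the listed orders should read e.g. `# 1. ta-good.cer ta-evil.cer ca-good.cer ca-evil-invalid.cer test1-ca.cer`. The same diagram misspells `resoures` on the `IPv4: 0.0.0.0/16` line, and evil-twin-ca-invalid-2.tap carries both the typo and the same naming slip in its diagram text. A one-line comment above `exp=` stating why `ca-evil-invalid.cer` is absent from the expected set (its resources lie outside ta-evil's) would spare the next reader a trip back to the diagram.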
diff --git a/tests/subsystem/evil-twin/evil-twin-ca-invalid-2.tap b/tests/subsystem/evil-twin/evil-twin-ca-invalid-2.tap
new file mode 100755
index 00000000..63a145fa
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ca-invalid-2.tap
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# This scenario is the same as evil-twin-ca-invalid-1 except the Test1
+# CA certificate is replaced by a ROA:
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good CA (valid) Evil CA (invalid, this is the "evil twin" of Good CA)
+# IPv4: 0.0.0.0/16 IPv4: 0.0.0.0/16 (outside of issuer resoures)
+# IPv6: ::/32 IPv6: ::/32 (outside of issuer resources)
+# AS: 1-63 AS: 1-63 (outside of issuer resources)
+# |
+# |
+# Test2 ROA (valid)
+# IPv4: 0.0.0.0/25
+# IPv6: ::/64
+# AS: 1
+# via Test2 EE (valid):
+# IPv4: 0.0.0.0/24
+# IPv6: ::/48
+# AS: 1-31
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-invalid.cer test2-ee.roa"
+exp="ta-good.cer ta-evil.cer ca-good.cer test2-ee.roa test2-ee.roa.cer"
+
+run_tests "${files}" "${exp}"
diff --git a/tests/subsystem/evil-twin/evil-twin-ca-valid-1.tap b/tests/subsystem/evil-twin/evil-twin-ca-valid-1.tap
new file mode 100755
index 00000000..e3340593
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ca-valid-1.tap
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# This scenario is the same as evil-twin-ca-invalid-1 except the Evil
+# CA certificate has its resources altered to be valid:
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good CA (valid) Evil CA (valid, this is the "evil twin" of Good CA)
+# IPv4: 0.0.0.0/16 IPv4: 1.0.0.0/16 (modified resources to be valid)
+# IPv6: ::/32 IPv6: 1::/32 (modified resources to be valid)
+# AS: 1-63 AS: 128-191 (modified resources to be valid)
+# |
+# |
+# Test1 CA (valid)
+# IPv4: 0.0.0.0/24
+# IPv6: ::/48
+# AS: 1-31
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-valid.cer test1-ca.cer"
+exp=${files}
+
+# override testcase() to set xfail for cases that are known to fail
+testcase() {
+ pass=true
+ # if the evil hierarchy is completely added before the test CA, or
+ # if the entire evil hierarchy and the test CA are added before
+ # the good hierarchy is completely added, then it will fail.
+ # stated another way, if the good hierarchy and test CA are added
+ # before the bad hierarchy is completely added, then it will pass.
+ case $(printf " %s " $4) in
+ *evil*evil*" test1-ca.cer "*) pass=false;;
+ *evil*" test1-ca.cer "*evil*good*) pass=false;;
+ *" test1-ca.cer "*evil*evil*good*) pass=false;;
+ esac
+ if "${pass}"; then
+ t4s_testcase "$@"
+ else
+ t4s_testcase --xfail "see ticket #29" "$@"
+ fi
+}
+
+run_tests "${files}" "${exp}"
diff --git a/tests/subsystem/evil-twin/evil-twin-ca-valid-2.tap b/tests/subsystem/evil-twin/evil-twin-ca-valid-2.tap
new file mode 100755
index 00000000..21858deb
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ca-valid-2.tap
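Review bot: The `testcase()` override bases its xfail decision on `$4`, yet nothing in this file records what `test_perms` passes in each position; the `case` patterns only make sense if `$4` is the space-separated add order, which I am inferring from the patterns rather than reading from any contract. A comment at the top of the function, e.g. `# invoked by test_perms; $4 is the space-separated add order (confirm against tests/util.sh)`, would pin that down, and the deliberately unquoted `$4` in `printf " %s " $4` deserves a word too, since the word-splitting is what puts a space on each side of every file name and a well-meaning quoting fix would break every pattern. evil-twin-ca-valid-2.tap has the same override with the same gaps. `pass` is also assigned without any scoping, so it persists in the caller's environment after each call; harmless today, but the generic name invites a collision with util.sh.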
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+# This scenario is the same as evil-twin-ca-valid-1 except the Test1
+# CA certificate is replaced with a ROA as in evil-twin-ca-invalid-2:
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good CA (valid) Evil CA (valid, this is the "evil twin" of Good CA)
+# IPv4: 0.0.0.0/16 IPv4: 1.0.0.0/16 (modified resources to be valid)
+# IPv6: ::/32 IPv6: 1::/32 (modified resources to be valid)
+# AS: 1-63 AS: 128-191 (modified resources to be valid)
+# |
+# |
+# Test2 ROA (valid)
+# IPv4: 0.0.0.0/25
+# IPv6: ::/64
+# AS: 1
+# via Test2 EE (valid):
+# IPv4: 0.0.0.0/24
+# IPv6: ::/48
+# AS: 1-31
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ca-good.cer ca-evil-valid.cer test2-ee.roa"
+exp=${files}" test2-ee.roa.cer"
+
+# override testcase() to set xfail for cases that are known to fail
+testcase() {
+ pass=true
+ # if the evil hierarchy is completely added before the test ROA,
+ # or if the entire evil hierarchy and the test ROA are added
+ # before the good hierarchy is completely added, then it will fail
+ # stated another way, if the good hierarchy and test ROA are added
+ # before the bad hierarchy is completely added, then it will pass.
+ case $(printf " %s " $4) in
+ *evil*evil*" test2-ee.roa "*) pass=false;;
+ *evil*" test2-ee.roa "*evil*good*) pass=false;;
+ *" test2-ee.roa "*evil*evil*good*) pass=false;;
+ esac
+ if "${pass}"; then
+ t4s_testcase "$@"
+ else
+ t4s_testcase --xfail "see ticket #29" "$@"
+ fi
+}
+
+run_tests "${files}" "${exp}"
diff --git a/tests/subsystem/evil-twin/evil-twin-common.sh.in b/tests/subsystem/evil-twin/evil-twin-common.sh.in
new file mode 100644
index 00000000..5b39bd6b
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-common.sh.in
@@ -0,0 +1,13 @@
+@SETUP_ENVIRONMENT@
+
+t4s_setup
+
+u=${TESTS_TOP_SRCDIR}/tests/util.sh
+. "${u}" || t4s_bailout "unable to load ${u}"
+
+cd "${TESTS_BUILDDIR}" || t4s_bailout "unable to cd to ${TESTS_BUILDDIR}"
+
+run_tests() {
+ test_perms "${0##*/}".cache "$@"
+ t4s_done
+}
diff --git a/tests/subsystem/evil-twin/evil-twin-ee-invalid.tap b/tests/subsystem/evil-twin/evil-twin-ee-invalid.tap
new file mode 100755
index 00000000..febea937
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ee-invalid.tap
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+# This scenario tests evil twin EE certificates rather than evil twin
+# CA certificates:
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good ROA (valid) Evil ROA (OK sig & resources; invalid from bad EE)
+# IPv4: 0.0.0.0/25 IPv4: 0.0.0.0/25
+# IPv6: ::/64 IPv6: ::/64
+# AS: 1 AS: 1
+# via Good EE (valid): via Evil EE (invalid, this is the "evil twin"):
+# IPv4: 0.0.0.0/24 IPv4: 0.0.0.0/24 (outside of issuer resources)
+# IPv6: ::/48 IPv6: ::/48 (outside of issuer resources)
+# AS: 1-31 AS: 1-31 (outside of issuer resources)
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ee-good.roa ee-evil-invalid.roa"
+exp="ta-good.cer ta-evil.cer ee-good.roa ee-good.roa.cer"
+# This is an alternative accepted result, though it shouldn't be.
+# There's a bug that causes ee-evil-invalid.roa to be "accepted"
+# depending on the file add order. See tests/subsystem/roa-ee-munge
+# and ticket #28.
+exp2="ta-good.cer ta-evil.cer ee-evil-invalid.roa ee-good.roa.cer"
+# This is another alternative that shouldn't be accepted. It's the
+# same bug as above, except for some reason both ROAs are being
+# accepted instead of just one or the other.
+exp3="ta-good.cer ta-evil.cer ee-evil-invalid.roa ee-good.roa.cer ee-good.roa"
+
+run_tests "${files}" "${exp}" "${exp2}" "${exp3}"
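Review bot: `run_tests` carries no comment describing its arguments even though every `.tap` in this directory is written against them: from the callers it takes the file list as `$1` followed by one or more accepted result lists, forwards all of them to `test_perms`, and names the cache directory after the calling script via `${0##*/}.cache`. I would add above the function `# run_tests FILES EXP [EXP2...]: feed FILES to test_perms (every add order, per the evil-twin-ca-invalid-1 header), accepting any EXP list; cache dir is <script>.cache`. It is also worth noting here that a caller may redefine `testcase()` before calling `run_tests` to mark known-bad orders, since that hook is only discoverable by reading evil-twin-ca-valid-1.tap. Whether `test_perms` compares result lists order-sensitively is not visible from this file and should be stated in that comment once confirmed against tests/util.sh.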
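Review bot: `exp2` and `exp3` turn two outcomes that the comments themselves call wrong into passing results, so this test cannot report a regression in the ticket #28 behaviour and will also keep passing if that bug is later fixed in a way that yields yet another accepted set. The sibling ca-valid scripts handle their known-bad orders with `t4s_testcase --xfail "see ticket #29"`, which keeps the failure visible in the TAP output; the same pattern would fit here if the `testcase()` hook can tell which result was produced, and failing that at least a `# TODO(#28): drop exp2/exp3 once the ROA/EE bug is fixed` marker above `exp2=` so the workaround does not outlive the bug. Note also that `exp3` lists `ee-good.roa.cer` before `ee-good.roa` while `exp` lists them the other way round; if `test_perms` compares order-sensitively, that ordering is silently part of what is being accepted.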
diff --git a/tests/subsystem/evil-twin/evil-twin-ee-valid.tap b/tests/subsystem/evil-twin/evil-twin-ee-valid.tap
new file mode 100755
index 00000000..ba14ff02
--- /dev/null
+++ b/tests/subsystem/evil-twin/evil-twin-ee-valid.tap
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# This scenario is like evil-twin-ee-invalid except the resources in
+# Evil EE have been modified so that the cert validates (the ROA must
+# be left alone because the signature can't be forged):
+#
+# Good TA (valid) Evil TA (valid)
+# IPv4: 0.0.0.0/8 IPv4: 1.0.0.0/8
+# IPv6: ::/16 IPv6: 1::/16
+# AS: 1-127 AS: 128-255
+# | |
+# | |
+# Good ROA (valid) Evil ROA (invalid due to resources in EE cert)
+# IPv4: 0.0.0.0/25 IPv4: 0.0.0.0/25
+# IPv6: ::/64 IPv6: ::/64
+# AS: 1 AS: 1
+# via Good EE (valid): via Evil EE (valid, this is the "evil twin"):
+# IPv4: 0.0.0.0/24 IPv4: 1.0.0.0/24 (modified resources to be valid)
+# IPv6: ::/48 IPv6: 1::/48 (modified resources to be valid)
+# AS: 1-31 AS: 128-159 (modified resources to be valid)
+
+. "${TESTS_BUILDDIR}"/evil-twin-common.sh || exit 1
+
+files="ta-good.cer ta-evil.cer ee-good.roa ee-evil-valid.roa"
+exp="ta-good.cer ta-evil.cer ee-good.roa ee-good.roa.cer"
+
+run_tests "${files}" "${exp}"
diff --git a/tests/subsystem/evil-twin/ta-evil.options b/tests/subsystem/evil-twin/ta-evil.options
new file mode 100644
index 00000000..15ab8bc8
--- /dev/null
+++ b/tests/subsystem/evil-twin/ta-evil.options
@@ -0,0 +1,9 @@
+type=CA
+issuer=ta-evil
+subject=ta-evil
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=1.0.0.0/8
+ipv6=1::/16
+as=128-255
+selfsigned=true
+subjkeyfile=tests/subsystem/evil-twin/ta-evil.key
diff --git a/tests/subsystem/evil-twin/ta-good.options b/tests/subsystem/evil-twin/ta-good.options
new file mode 100644
index 00000000..aad272fc
--- /dev/null
+++ b/tests/subsystem/evil-twin/ta-good.options
@@ -0,0 +1,9 @@
+type=CA
+issuer=ta-good
+subject=ta-good
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=0.0.0.0/8
+ipv6=::/16
+as=1-127
+selfsigned=true
+subjkeyfile=tests/subsystem/evil-twin/ta-good.key
diff --git a/tests/subsystem/evil-twin/test1-ca.options b/tests/subsystem/evil-twin/test1-ca.options
new file mode 100644
index 00000000..c65b2796
--- /dev/null
+++ b/tests/subsystem/evil-twin/test1-ca.options
@@ -0,0 +1,12 @@
+type=CA
+issuer=ca-good
+subject=test1-ca
+aia=rsync://invalid/
+sia=r:rsync://invalid/,m:rsync://invalid/invalid.mft
+ipv4=0.0.0.0/24
+ipv6=::/48
+as=1-31
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ca-good.cer
+parentkeyfile=tests/subsystem/evil-twin/ca-good.key
+subjkeyfile=tests/subsystem/evil-twin/test1-ca.key
diff --git a/tests/subsystem/evil-twin/test2-ee.options b/tests/subsystem/evil-twin/test2-ee.options
new file mode 100644
index 00000000..3483ded7
--- /dev/null
+++ b/tests/subsystem/evil-twin/test2-ee.options
@@ -0,0 +1,12 @@
+type=EE
+issuer=ca-good
+subject=test2-ee
+aia=rsync://invalid/
+sia=s:rsync://invalid/
+ipv4=0.0.0.0/24
+ipv6=::/48
+as=1-31
+selfsigned=false
+parentcertfile=tests/subsystem/evil-twin/ca-good.cer
+parentkeyfile=tests/subsystem/evil-twin/ca-good.key
+subjkeyfile=tests/subsystem/evil-twin/test2-ee.key
diff --git a/tests/subsystem/evil-twin/test2-ee.roa.options b/tests/subsystem/evil-twin/test2-ee.roa.options
new file mode 100644
index 00000000..aa6c453d
--- /dev/null
+++ b/tests/subsystem/evil-twin/test2-ee.roa.options
@@ -0,0 +1,3 @@
+roaipv4=0.0.0.0/25
+roaipv6=::/64
+asid=1