Extend the 'doth' system test with Strict/Mutual TLS checks

This commit extends the 'doth' system test with a set of Strict/Mutual TLS related checks. This commit also makes each doth NS instance use its own TLS certificate that includes FQDN, IPv4, and IPv6 addresses, issued using a common Certificate Authority, instead of ad-hoc certs. Extend servers initialisation timeout to 60 seconds to improve the tests stability in the CI as certain configurations could fail to initialise on time under load.
2022-02-08 19:02:05 +02:00
parent 7b9318bf72
commit cfea9a3aec
45 changed files with 4676 additions and 18 deletions
--- a/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem
+++ b/bin/tests/system/doth/CA/certs/srv02.crt01.example.com.pem
@@ -0,0 +1,69 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 7760573232607207427 (0x6bb3183cdef52003)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com
+        Validity
+            Not Before: Feb  8 17:57:59 2022 GMT
+            Not After : Feb  1 17:57:59 2052 GMT
+        Subject: CN=srv02.crt01.example.com
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (384 bit)
+                pub:
+                    04:43:d4:fb:cc:b8:88:60:95:16:aa:2a:d0:31:96:
+                    cb:3e:a8:5c:e4:76:ac:c1:bf:cd:3b:65:85:bb:2c:
+                    cb:fa:c3:48:3c:83:c8:08:ee:dc:59:15:97:22:b8:
+                    42:17:8c:75:09:f9:3e:b6:9c:f2:c5:db:5d:b6:8a:
+                    6a:43:48:0a:a2:dd:13:c2:36:e4:73:b3:64:54:79:
+                    bb:f8:d4:7e:48:f4:05:be:0c:77:63:01:fe:4f:30:
+                    b0:aa:62:bc:f2:ed:f9
+                ASN1 OID: secp384r1
+                NIST CURVE: P-384
+        X509v3 extensions:
+            X509v3 Subject Alternative Name: 
+                DNS:srv02.crt01.example.com, IP Address:10.53.0.2, IP Address:FD92:7065:B8E:FFFF:0:0:0:2
+    Signature Algorithm: sha256WithRSAEncryption
+         89:ba:ae:4f:f8:3e:da:48:1f:5c:8f:ff:ee:d8:42:b0:0b:9b:
+         f1:b5:e2:90:c9:76:40:09:77:a3:31:d5:73:8f:eb:7d:69:94:
+         1c:2b:10:31:da:d4:0c:29:e7:80:4e:61:53:ba:15:9d:e1:e8:
+         0c:0d:19:77:2b:a8:74:46:e3:03:ae:ab:96:ea:af:80:c3:18:
+         e0:93:8e:e9:58:0e:79:47:98:a4:06:95:6b:8f:2c:d1:f7:29:
+         b1:98:85:e8:a4:9c:45:52:ad:c8:60:20:dc:3a:6a:40:78:15:
+         d1:b4:d0:c3:c5:f3:ac:fe:ec:d3:94:ef:66:0b:d7:8c:46:f3:
+         62:30:c4:c2:78:65:de:40:4e:d8:26:84:8e:18:a7:71:f2:b7:
+         65:d8:d0:c2:c8:e6:a0:fb:ea:01:de:2f:03:8a:50:3d:f6:6c:
+         0b:ef:ce:f5:25:1f:80:54:3e:c2:6d:2c:d3:2b:bd:23:b7:3b:
+         82:6b:91:7f:ea:ff:e6:11:37:d3:f0:d4:db:9f:32:ac:12:cc:
+         ec:25:25:81:58:16:18:90:73:c3:ad:7c:09:a7:08:99:16:ce:
+         e8:6c:4b:9a:e6:09:96:11:c2:f1:cf:19:43:a6:a6:81:f2:57:
+         21:fa:b1:91:58:39:76:17:89:32:4c:4b:df:fa:59:03:b2:32:
+         b4:b3:95:89:af:f4:5e:94:b1:df:e9:bf:21:73:14:06:5d:08:
+         1e:0f:d2:84:14:44:20:91:19:72:b9:38:0b:3c:2e:4f:ea:3a:
+         9b:ef:93:61:e7:36:82:df:49:e2:d7:45:ea:87:45:1d:74:36:
+         18:f4:aa:30:d5:65:da:1f:c7:98:61:ab:64:2a:49:98:64:a1:
+         8c:33:3a:a5:97:4a:69:a6:9d:6f:00:b9:6b:81:8d:09:0f:98:
+         63:0f:85:ae:e4:21:70:a3:da:5a:27:eb:df:6d:82:ac:bb:48:
+         6b:01:4e:36:95:5a:d3:f0:b9:30:43:72:87:af:41:7a:30:13:
+         f2:92:15:f1:69:e7
+-----BEGIN CERTIFICATE-----
+MIIDMzCCAZugAwIBAgIIa7MYPN71IAMwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE
+BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp
+djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD
+DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDIwODE3NTc1OVoYDzIwNTIwMjAx
+MTc1NzU5WjAiMSAwHgYDVQQDDBdzcnYwMi5jcnQwMS5leGFtcGxlLmNvbTB2MBAG
+ByqGSM49AgEGBSuBBAAiA2IABEPU+8y4iGCVFqoq0DGWyz6oXOR2rMG/zTtlhbss
+y/rDSDyDyAju3FkVlyK4QheMdQn5Prac8sXbXbaKakNICqLdE8I25HOzZFR5u/jU
+fkj0Bb4Md2MB/k8wsKpivPLt+aM+MDwwOgYDVR0RBDMwMYIXc3J2MDIuY3J0MDEu
+ZXhhbXBsZS5jb22HBAo1AAKHEP2ScGULjv//AAAAAAAAAAIwDQYJKoZIhvcNAQEL
+BQADggGBAIm6rk/4PtpIH1yP/+7YQrALm/G14pDJdkAJd6Mx1XOP631plBwrEDHa
+1Awp54BOYVO6FZ3h6AwNGXcrqHRG4wOuq5bqr4DDGOCTjulYDnlHmKQGlWuPLNH3
+KbGYheiknEVSrchgINw6akB4FdG00MPF86z+7NOU72YL14xG82IwxMJ4Zd5ATtgm
+hI4Yp3Hyt2XY0MLI5qD76gHeLwOKUD32bAvvzvUlH4BUPsJtLNMrvSO3O4JrkX/q
+/+YRN9Pw1NufMqwSzOwlJYFYFhiQc8OtfAmnCJkWzuhsS5rmCZYRwvHPGUOmpoHy
+VyH6sZFYOXYXiTJMS9/6WQOyMrSzlYmv9F6Usd/pvyFzFAZdCB4P0oQURCCRGXK5
+OAs8Lk/qOpvvk2HnNoLfSeLXReqHRR10Nhj0qjDVZdofx5hhq2QqSZhkoYwzOqWX
+SmmmnW8AuWuBjQkPmGMPha7kIXCj2lon699tgqy7SGsBTjaVWtPwuTBDcoevQXow
+E/KSFfFp5w==
+-----END CERTIFICATE-----