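#!/bin/bash
#
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
# FVT for the CRL Distribution Point (CDP) size limit.
#
# The root CA certificate built below carries a CDP extension, so
# fabric-ca-server fetches a CRL over HTTP when it authenticates a client
# certificate. A hostile CDP could hand back an arbitrarily large CRL and
# exhaust the server; FABRIC_CA_SERVER_CRLSIZELIMIT bounds that download.
# This script exercises both sides of the control:
#   testDefault - server default limit: the CRL is fetched, and the swapped-in
#                 "hacker" admin credential is rejected with error AUTHFAIL.
#   testLimit   - tiny limit: the fetch is refused, the client sees error
#                 REVOKEFAIL and the server log carries REVOKEREASON.
#
# Required environment: GOPATH (locates the fabric-ca tree), CA_DEFAULT_PORT,
# and the helpers enroll/register/pollLogForMsg/pollSimpleHttp/ErrorMsg/
# ErrorExit/CleanUp defined in $SCRIPTDIR/fabric-ca_utils. Optional: TESTCASE
# (defaults to crl_limit; names the scratch directory under /tmp).
#
# NOTE(review): this script removes and recreates paths under /tmp and
# /$CADOMAIN, uses key material under /root, and serves the host's root
# filesystem over plain HTTP on 0.0.0.0:$httpPort. Run it only inside a
# disposable FVT environment.

RC=0                       # failure count; ErrorMsg (fabric-ca_utils) is expected to bump it
CADOMAIN="FVT"
: "${TESTCASE:="crl_limit"}"
: "${GOPATH:?GOPATH must be set (fabric-ca is located relative to it)}"

# TESTCASE comes from the environment and is spliced into "rm -rf" targets,
# so only accept a plain directory name (no separators, not "." or "..").
case "$TESTCASE" in
   ''|*/*|.|..)
      echo "TESTCASE must be a simple directory name, got '$TESTCASE'" >&2
      exit 1
      ;;
esac

FABRIC_CA="$GOPATH/src/github.com/hyperledger/fabric-ca"
SCRIPTDIR="$FABRIC_CA/scripts/fvt"
# Every later step relies on the helper library; bail out before touching the
# filesystem if it is not where we expect it.
if [ ! -r "$SCRIPTDIR/fabric-ca_utils" ]; then
   echo "helper library not found: $SCRIPTDIR/fabric-ca_utils" >&2
   exit 1
fi
. "$SCRIPTDIR/fabric-ca_utils"

# ${var:?} aborts instead of expanding to "/" or "/tmp/" if a name is empty.
rm -rf "/tmp/${TESTCASE:?}/" "/tmp/CAs/${CADOMAIN:?}" "/${CADOMAIN:?}/crl/crl.pem"
export CA_CFG_PATH="/tmp/$TESTCASE"
export FABRIC_CA_CLIENT_HOME="$CA_CFG_PATH/admin"
mkdir -p "/$CADOMAIN/crl/"

localip=127.0.0.1             # not referenced in this script; kept in case a sourced helper reads it
fabricport=$CA_DEFAULT_PORT   # not referenced in this script; kept in case a sourced helper reads it
httpPort=3755                 # port of the throw-away web server that publishes the CRL
ca_keyfile="/root/$CADOMAIN-key.pem"
ca_certfile="/root/$CADOMAIN-cert.pem"
# Credential copied over the enrolled admin's MSP so the client presents a
# certificate the server has to check against the published CRL.
hacker_admin_keyfile="/root/adminkey.pem"
hacker_admin_certfile="/root/admincert.pem"
CRLSIZELIMIT=10               # bytes; far smaller than the test CRL so the fetch must be refused
TIMEOUT=10                    # presumably consumed by the poll helpers in fabric-ca_utils
LOGFILE="/tmp/$TESTCASE/serverlog.txt"
AUTHFAIL="20"                 # client error code expected when the swapped cert is rejected
REVOKEFAIL="29"               # client error code expected when the CRL cannot be fetched
REVOKEREASON="failed to fetch CRL: Error reading CRL with max buffer size of $CRLSIZELIMIT: Size of requested data is too large"

# checkMsg PATTERN
# Copies stdin to stdout and returns 0 if any line matches PATTERN (an awk
# regular expression, not a fixed string), non-zero otherwise. Callers pipe a
# client command's combined output through it to assert on an error.
# NOTE(review): the error-code patterns used with it ("20", "29") match as
# bare substrings, so any line containing those digits (a timestamp, a port)
# satisfies the check. Anchoring them to the client's "Error Code: N" text
# would make the assertion stricter -- confirm the exact output format first.
checkMsg() {
   awk -v rc=1 -v m="$1" '
      $0~m { rc=0 }
      { print }
      END { exit rc }'
}

# certGen
# Builds the test PKI with utils/pki: a root CA certificate that carries a
# CDP extension, and an "admin" end-entity certificate signed by it. The two
# "Y" lines answer the interactive prompts of the newcert flow. The stale
# request config is removed afterwards regardless of outcome.
# Returns the first non-zero status of the two pki invocations (the original
# returned the status of the final rm, which hid pki failures).
function certGen {
   local rc=0
   "$SCRIPTDIR/utils/pki" -f newca -p cacert -t ec -l 256 -a "$CADOMAIN" \
      -n '/C=US/ST=North Carolina/O=Hyperledger/OU=Fabric/CN=fabric-ca-server/' \
      -S "IP:127.0.0.2,DNS:server.fabric.raleigh.ibm.com,email:fabric-ca-server@fab-client.raleigh.ibm.com" || rc=$?
   "$SCRIPTDIR/utils/pki" -f newcert -p admin -t ec -l 256 -a "$CADOMAIN" \
      -n '/C=US/ST=North Carolina/O=Hyperledger/OU=Fabric/CN=admin/' \
      -S "IP:127.0.0.2,DNS:admin.fabric.raleigh.ibm.com,email:admin@fab-client.raleigh.ibm.com" <<EOF || rc=$?
Y
Y
EOF
   rm -f "$FABRIC_CA/testdata/openssl.cnf.base.req"
   return "$rc"
}

# testDefault
# Leaves FABRIC_CA_SERVER_CRLSIZELIMIT empty so the server applies its built-in
# default (512000 bytes according to the original comment), starts a fresh
# server, enrolls the bootstrap admin, then overwrites that admin's key and
# certificate with the "hacker" pair. With the default limit the CRL fetch
# goes through, so the following register must fail with AUTHFAIL.
# Returns 0 if that error appears in the client output.
function testDefault {
   export FABRIC_CA_SERVER_CRLSIZELIMIT=""
   "$SCRIPTDIR/fabric-ca_setup.sh" -I -X -S -D -c "$ca_certfile" -k "$ca_keyfile"
   enroll
   admin_keyfile="$(find "/tmp/$TESTCASE/admin/msp/keystore" -type f)"
   admin_certfile="/tmp/$TESTCASE/admin/msp/signcerts/cert.pem"
   cp "$hacker_admin_keyfile" "$admin_keyfile"
   cp "$hacker_admin_certfile" "$admin_certfile"
   register admin user1 2>&1 | checkMsg "$AUTHFAIL"
}

# testLimit LIMIT
# Restarts the server with FABRIC_CA_SERVER_CRLSIZELIMIT=LIMIT (bytes) and
# repeats the credential swap. The published CRL is larger than LIMIT, so the
# server must refuse to read it: the client gets REVOKEFAIL and the server log
# (tee'd to LOGFILE) carries REVOKEREASON. Records an ErrorMsg if the client
# error is wrong; returns the result of the log check.
function testLimit {
   export FABRIC_CA_SERVER_CRLSIZELIMIT="$1"
   cd "$FABRIC_CA" || return 1
   "$SCRIPTDIR/fabric-ca_setup.sh" -K
   "$SCRIPTDIR/fabric-ca_setup.sh" -S -D -X -c "$ca_certfile" -k "$ca_keyfile" 2>&1 | tee "$LOGFILE" &
   pollLogForMsg "Listening on https*://0.0.0.0:$CA_DEFAULT_PORT" "$LOGFILE" || ErrorExit "Failed to log CA"
   enroll admin2 adminpw2
   admin_keyfile="$(find "/tmp/$TESTCASE/admin/msp/keystore" -type f)"
   admin_certfile="/tmp/$TESTCASE/admin/msp/signcerts/cert.pem"
   cp "$hacker_admin_keyfile" "$admin_keyfile"
   cp "$hacker_admin_certfile" "$admin_certfile"
   if ! register admin user2 client bank_a "" "/tmp/$TESTCASE/admin2" 2>&1 | checkMsg "$REVOKEFAIL"; then
      ErrorMsg "Failed to return correct error"
   fi
   # -F: REVOKEREASON is a literal message, not a regex.
   grep -qF -- "$REVOKEREASON" "$LOGFILE"
}

# --- Fixture: throw-away HTTP server that publishes the CRL -------------------
c_dir=$(pwd)
cp "$FABRIC_CA/testdata/crl.pem" "/$CADOMAIN/crl/crl.pem"
# SECURITY: SimpleHTTPServer serves its working directory -- "/" here -- on
# all interfaces with no authentication, which includes the private keys under
# /root. Presumably the CDP URL that utils/pki embeds resolves to
# /$CADOMAIN/crl/crl.pem and therefore needs this document root; verify that
# before narrowing it. Tolerable only in a disposable FVT environment, and the
# EXIT trap below guarantees the server does not outlive the test on any exit
# path (ErrorExit included).
cd /
python -m SimpleHTTPServer "$httpPort" &
HTTP_PID=$!
pollSimpleHttp
cd "$c_dir"

# stopHttp
# Terminates the CRL web server; silent if it is already gone.
stopHttp() {
   kill "$HTTP_PID" 2>/dev/null
}
trap stopHttp EXIT
trap 'stopHttp; rm -rf "/tmp/${TESTCASE:?}/" "/tmp/CAs/${CADOMAIN:?}" "/${CADOMAIN:?}/crl/crl.pem"; CleanUp 1; exit 1' INT

# --- Main ---------------------------------------------------------------------
certGen || ErrorExit "Failed to generate certificates and keys"
testDefault || ErrorMsg "Failed to return correct error"
testLimit "$CRLSIZELIMIT" || ErrorMsg "Client authentication failed for other reason than CRL size"
stopHttp
CleanUp "$RC"
exit "$RC"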