Instructions to send test certificates (#24)

phbnf · web-flow · commit f18d190ab265 · 2024-10-30T11:43:55.000Z
* Add testdata files

* add instructions to run the hammer

* add instructions to generate chains manually

* add hammer instrucitons to dump log

* typo

* fix comments

* typo

* typo2
diff --git a/deployment/live/gcp/test/README.md b/deployment/live/gcp/test/README.md
@@ -2,7 +2,7 @@
 
 ## Prerequisites
 You'll need to have a VM running in the same GCP project that you can SSH to,
-with Go installed.
+with Go installed, and your favourite terminal multiplexer.
 
 ## Overview
 
@@ -35,8 +35,89 @@ Terraforming the project can be done by:
  2. Run `terragrunt apply`
 
 ## Run the SCTFE
+### With fake chains
 
-On the VM, run the following command:
+On the VM, run the following command to bring up the SCTFE:
 ```bash
 go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db --private_key=./testdata/ct-http-server.privkey.pem  --password=dirk --roots_pem_file=./testdata/fake-ca.cert --origin=${TESSERA_BASE_NAME}
 ```
+
+In a different terminal you can either mint and submit certificates manually, or
+use the [ct_hammer
+tool](https://github.com/google/certificate-transparency-go/blob/master/trillian/integration/ct_hammer/main.go)
+to do this.
+
+#### Generate chains manually
+First, save the SCTFE repo's path:
+
+```bash
+export SCTFE_REPO=$(pwd)
+```
+
+Clone the [certificate-transparency-go](https://github.com/google/certificate-transparency-go) repo.
+Then, generate a chain manually. The password for the private key is `gently`:
+
+```bash
+mkdir -p /tmp/httpschain
+openssl genrsa -out /tmp/httpschain/cert.key 2048
+openssl req -new -key /tmp/httpschain/cert.key -out /tmp/httpschain/cert.csr -config=${SCTFE_REPO}/testdata/fake-ca.cfg
+openssl x509 -req -days 3650 -in /tmp/httpschain/cert.csr -CAkey ${SCTFE_REPO}/testdata/fake-ca.privkey.pem -CA  ${SCTFE_REPO}/testdata/fake-ca.cert -outform pem -out /tmp/httpschain/chain.pem -provider legacy -provider default
+cat ${SCTFE_REPO}/testdata/fake-ca.cert >> /tmp/httpschain/chain.pem
+```
+
+Finally, submit the chain to the SCTFE:
+
+```bash
+go run ./client/ctclient upload --cert_chain=/tmp/httpschain/chain.pem --skip_https_verify --log_uri=http://localhost:6962/${TESSERA_BASE_NAME}
+```
+
+#### Automatically generate chains
+Save the SCTFE repo's path:
+
+```bash
+export SCTFE_REPO=$(pwd)
+```
+
+Clone the [certificate-transparency-go](https://github.com/google/certificate-transparency-go) repo, and from there run:
+
+```bash
+go run ./trillian/integration/ct_hammer/ --ct_http_servers=localhost:6962/${TESSERA_BASE_NAME} --max_retry=2m --invalid_chance=0 --get_sth=0 --get_sth_consistency=0 --get_proof_by_hash=0 --get_entries=0 --get_roots=0 --get_entry_and_proof=0 --max_parallel_chains=4 --skip_https_verify=true --operations=10000 --rate_limit=150 --log_config=${SCTFE_REPO}/testdata/hammer.cfg --testdata_dir=./trillian/testdata/
+```
+
+### With real HTTPS certificates
+We'll run a SCTFE and copy certificates from an existing RFC6962 log to it.
+It uses the [ct_hammer tool from certificate-transparency-go](https://github.com/google/certificate-transparency-go/tree/aceb1d4481907b00c087020a3930c7bd691a0110/trillian/integration/ct_hammer).
+
+First, set a few environment variables:
+
+```bash
+export SCTFE_REPO=$(pwd)
+export SRC_LOG_URI=https://ct.googleapis.com/logs/xenon2022
+```
+
+Then, get fetch the roots the source logs accepts, and edit configs accordingly.
+To do so, clone the [certificate-transparency-go](https://github.com/google/certificate-transparency-go) repo, and from there run:
+
+```bash
+export CTGO_REPO=$(pwd)
+mkdir -p /tmp/hammercfg
+cp ${SCTFE_REPO}/testdata/hammer.cfg /tmp/hammercfg
+go run ./client/ctclient get-roots --log_uri=${SRC_LOG_URI} --text=false > /tmp/hammercfg/roots.pem
+sed -i 's-""-"/tmp/hammercfg/roots.pem"-g' /tmp/hammercfg/hammer.cfg
+```
+
+
+Run the SCTFE with the same roots:
+
+```bash
+cd ${SCTFE_REPO}
+go run ./cmd/gcp/ --project_id=${GOOGLE_PROJECT} --bucket=${GOOGLE_PROJECT}-${TESSERA_BASE_NAME}-bucket --spanner_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-db --private_key=./testdata/ct-http-server.privkey.pem  --password=dirk --roots_pem_file=/tmp/hammercfg/roots.pem --origin=${TESSERA_BASE_NAME} --spanner_dedup_db_path=projects/${GOOGLE_PROJECT}/instances/${TESSERA_BASE_NAME}/databases/${TESSERA_BASE_NAME}-dedup-db -v=3
+```
+
+Run `ct_hammer` in a different terminal:
+
+```bash
+cd ${CTGO_REPO}
+go run ./trillian/integration/ct_hammer/ --ct_http_servers=localhost:6962/${TESSERA_BASE_NAME} --max_retry=2m --invalid_chance=0 --get_sth=0 --get_sth_consistency=0  --get_proof_by_hash=0 --get_entries=0 --get_roots=0 --get_entry_and_proof=0 --max_parallel_chains=4 --skip_https_verify=true --operations=10000 --rate_limit=150 --log_config=/tmp/hammercfg/hammer.cfg --src_log_uri=${SRC_LOG_URI}
+```
+
diff --git a/testdata/fake-ca.cfg b/testdata/fake-ca.cfg
@@ -0,0 +1,52 @@
+# OpenSSL configuration file.
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+prompt              = no
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+# Try to force use of PrintableString throughout
+string_mask         = pkix
+
+[ req_distinguished_name ]
+C=GB
+ST=London
+L=London
+O=Google
+OU=Eng
+CN=FakeCertificateAuthority
+
+[ v3_ca ]
+subjectKeyIdentifier = 01020304
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:10
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
+
+[ v3_int_ca ]
+subjectKeyIdentifier = 05060708
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
+extendedKeyUsage = serverAuth,clientAuth
+
+[ v3_int_ca_pair ]
+subjectKeyIdentifier = 0a0b0c0d
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
+extendedKeyUsage = serverAuth,clientAuth
+
+[ v3_ca1 ]
+subjectKeyIdentifier = 11121314
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:10
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
+
+[ v3_user ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, encipherOnly, decipherOnly
diff --git a/testdata/fake-ca.privkey.pem b/testdata/fake-ca.privkey.pem
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-CBC,53C67AA311B73ED1
+
+UgdxD/ThmtBjRklM1aU8qxCM3yvVYrl4NzudKE4NCQjYR7u0OhE3OD6XShPghtRU
+RM8ekP81zIPEUS6H/V5ysbwDtwibQ4/kw85lOVEoNdqDCMV++M3aEFiV8RA0hj+q
+x8ANosBgtEVsbC1LwOk0/yrvUFucrp5FuHSxJ3//9iI=
+-----END EC PRIVATE KEY-----
diff --git a/testdata/hammer.cfg b/testdata/hammer.cfg
@@ -0,0 +1,6 @@
+config {
+  roots_pem_file: ""
+  public_key: {
+          der: "0Y0\x13\x06\x07*\x86H\xce=\x02\x01\x06\b*\x86H\xce=\x03\x01\x07\x03B\0\x04\x07\xf8Q\xaf\xaa\x8cV\x83\x901\xb7\x80\xe3\xd6\x1a\xf7/6\x06q\xec\xdd;\xbe~6o\r\x1c\x1c`\x0b\x7f\xf5\x9f\xff\xe5$I4V\xf2K\x10_\xbf\b\x1f\xf9\x0e\xcf5\xb5\x8a\x8a\x8b0\nT\xb7\xbf\x1dM\xb9"
+  }
+}
