Add enhanced X509 Certificate/Private RSA Key validation to Traffic Ops (AddSSLKeys Endpoint)

[ghost]

Which issue is fixed by this PR? If not related to an existing issue, what does this PR do?

Partially addresses #3267

All imported x509 certificates / private key pairs will be validated with the following criteria:

1. All PEM encoded strings contained in the CRT and KEY fields must be decodable to DER binary format via pem.Decode()
2. A single PEM encoded private RSA key must be decodable from KEY payload. KEY format must be PKCS update README.md - JIRA link #1 or PKCS experimental TOv2 UI - changes to handle ints (postgres) instead of strings.. #8
3. The import server X509 certificate in the CRT payload is checked for the appropriate Public Key Algorithm (x509.RSA is only supported currently)
4. Private RSA Key modulus (value N) is compared against the x509 cert RSA Public Key modulus value N. If both values do not match, x509 certificate and key are rejected with httpStatus 4XX.
5. Original certificate Chain validation functionality has been left in-place.
6. Ability to import x509v3 Certificates without SKI/AKI has been left in-place.

Which TC components are affected by this PR?

• Documentation
• Grove
• Traffic Analytics
• Traffic Monitor
• Traffic Ops
• Traffic Ops ORT
• Traffic Portal
• Traffic Router
• Traffic Stats
• Traffic Vault
• Other _________

What is the best way to verify this PR? Please include manual steps or automated tests.

(If no tests are part of this PR, please provide explanation as to why no tests are included.)

Tests to perform for validation:

1. Import x509 certificate with mismatched RSA Private Key

Expected Result: x509 certificate and key are rejected and not saved in traffic vault.

2. Import x509 certificate with encrypted RSA Private Key

Expected Result: x509 certificate and key are rejected and not saved in traffic vault.

3. Attempt to import ECC x509 certificate and ECDSA private key

Expected Result: x509 certificate and key are rejected and . not saved in traffic vault.

4. Import self-signed certificate for a delivery service with matching Private RSA key.

5. Optional: Startup CiaB with this commit cherry-picked in.

6. Run the unit tests in deliveryservice/keys_test.go

=== RUN   TestDecodePrivateKey_PKCS8_RSA_2048
--- PASS: TestDecodePrivateKey_PKCS8_RSA_2048 (0.00s)
=== RUN   TestDecodePrivateKey_PKCS1_RSA_2048
--- PASS: TestDecodePrivateKey_PKCS1_RSA_2048 (0.00s)
=== RUN   TestDecodePrivateKey_RSA_Encrypted_And_BadData
--- PASS: TestDecodePrivateKey_RSA_Encrypted_And_BadData (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_BadData
--- PASS: TestVerifyAndEncodeCertificate_BadData (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_SelfSigned_NO_SKIAKI_CertKeyPair
--- PASS: TestVerifyAndEncodeCertificate_SelfSigned_NO_SKIAKI_CertKeyPair (0.15s)
=== RUN   TestVerifyAndEncodeCertificate_SelfSignedCertKeyPair
--- PASS: TestVerifyAndEncodeCertificate_SelfSignedCertKeyPair (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_SelfSignedCertKeyPair_MisMatched_PrivateKey
--- PASS: TestVerifyAndEncodeCertificate_SelfSignedCertKeyPair_MisMatched_PrivateKey (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_CASignedCertKeyPair
--- PASS: TestVerifyAndEncodeCertificate_CASignedCertKeyPair (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_CASigned_NO_SKIAKI_CertKeyPair
--- PASS: TestVerifyAndEncodeCertificate_CASigned_NO_SKIAKI_CertKeyPair (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_CASigned_NO_SKIAKI_CertKeyPair_With_RootCA
--- PASS: TestVerifyAndEncodeCertificate_CASigned_NO_SKIAKI_CertKeyPair_With_RootCA (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_CASignedCertKeyPair_With_RootCA
--- PASS: TestVerifyAndEncodeCertificate_CASignedCertKeyPair_With_RootCA (0.00s)
=== RUN   TestVerifyAndEncodeCertificate_ECC_CertificateKeyPair
--- PASS: TestVerifyAndEncodeCertificate_ECC_CertificateKeyPair (0.00s)
PASS
ok  	command-line-arguments	(cached)

Check all that apply

• This PR includes tests
• This PR includes documentation updates
• This PR includes an update to CHANGELOG.md
• This PR includes all required license headers
• This PR includes a database migration (ensure that migration sequence is correct)
• This PR fixes a serious security flaw. Read more: www.apache.org/security

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3306/
Test PASSed.

[ocket8888]

If this PR only partially fixes that issue, you should change "Fixes" to e.g. "Addressed" - As-is, GitHub's going to auto-close the issue when this gets merged.

[ocket8888]

It'd be nice if you could add something to the deliveryservices/sslkeys/add API endpoint docs about supported algorithms/chains/whatever else you think is appropriate.

[rob05c]

Looks good, only things are making sure EC certs are still allowed, and language idioms.

Tested in a CiaB, works as expected, except that EC certs aren't allowed.

We do support EC and DSA certs in TC, this needs to check and allow those as well. Other than that, mostly just language idiom and format things, if you don't mind fixing those.

That said, most of our code in TC allows any cert the libraries we're using support (Go, Java, Perl, etc). It does seem like we might be making things harder for ourselves in the future, by whitelisting instead of blacklisting. If we just check for invalid things we know about, we'll support new cert types that our libraries add for free. If you could make this allow types that we don't know about, and just return errors for known bad things, I think that would be even better.

Once the idioms and EC support are added, I'll test EC certs in the CIAB again, and it should be good to merge.

EDIT: Hm, looks like I might be mistaken about EC support. It works on Edges, but it looks like TR might have trouble with them. Still, we should support them, they're smaller and more secure. How would you feel about adding a warning, but allowing them? So when TR is fixed, we don't have to also fix TO?

[ghost]

Thanks for reviewing this PR @ocket8888 @rob05c. I'm working on getting these requested changes in today.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3326/
Test FAILed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3328/
Test FAILed.

[ghost]

I'm adding some extra logic at the end of the certificate unit tests that check for correct number of certs that should be in the cert chain. Unit tests for non-SKIAKI certificates do not have the correct number of items in the returned certificate bundle.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3329/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3330/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3333/
Test FAILed.

[ghost]

I have forced pushed a branch that combines PR #3382 with PR #3417 and adds ECDSA support for DNS delivery services.
TODO:

1. Add in the SQL query that limits ECDSA certs to DNS delivery services only.
2. Fix the unit tests for the ECC certificate/key pair import use case.
3. Fix up the docs to be 'go doc' format.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3423/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3424/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3425/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3426/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3427/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3428/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3429/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3430/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3431/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3432/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3433/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3434/
Test PASSed.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3435/
Test PASSed.

[ghost]

Latest branch provides the following changes:

1. Merge in PR CLOSED - Fix add sslkeys endpoint to always use the input certificate #3417
2. Adds ECDSA support for only DNS* delivery service types.
3. Verification that both RSA and ECDSA private keys match the corresponding submitted x509 certificate. RSA verification ensures the public modulus N value matches the modulus N value in the x509 certificate. ECDSA verification ensures the curve set {name, public-X, public-Y} curve values are equal to those in the x509 certificate.
4. There are 27 unit tests that verify both x509v3 and x509v1 certificate/key combinations (look at keys_test.go). Yes I'm aware the documentation is lacking, but it doesn't make sense for me to write a ton of docs if this PR gets rejected. I can update the docs once this PR has been tested and the solution is accepted.
5. Verification that ECDSA keys are only permitted on DNS* delivery services explicitly.
6. Reject all x509 + DSA certificates because no modern HTTPS client supports it

[rawlinp]

Nice work on this PR!

For comments I've prefixed with nit: feel free to tell me you'd like to leave it how it is if you feel strongly about it. The other few comments I believe should be addressed before this is merged.

[ghost]

@rawlinp I pushed four commits that resolve all comments you raised from yesterday's review.

[asfgit]

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/trafficcontrol-PR/3444/
Test PASSed.