test: move all test keys/certs under test/fixtures/keys/
#27962
/ping @nodejs/testing
I'm not sure that a Makefile should go in
I'd be happy to make that change if desired, but it should be noted that I didn't touch fixtures that were already in the key Makefile, and some of those are probably not safely regenerate-able on build if that's what you're looking for. I also think it's useful for there to be a source of truth on the generation parameters of these fixtures nearby them.
Nice improvement, thanks. I made a couple small suggestions for change to consider.
const modSize = 1024; | ||
const certPem = fixtures.readKey('rsa_cert.crt'); | ||
const keyPem = fixtures.readKey('rsa_private.pem'); | ||
const keySize = 2048; |
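Review bot: `keySize = 2048` on the last line is a property of the `rsa_private.pem` fixture read on the line above, but nothing here ties the constant to that file; if the key is regenerated with a different size, the expectation goes stale with no pointer to the cause. Consider a short comment naming where the fixture's size is defined, or reading the size from the key itself. Since the value next to `modSize` is 1024, the change in size should also be called out in the commit message rather than folded into a file move.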
Thanks for pointing this out. @nodejs/crypto should we do this? It's not strictly a "move". I don't know if we really need to be testing keys so small. 1024 could be historical, or perhaps it's important that we don't accidentally break small-key support for existing users.
LGTM w/ @sam-github's comments addressed. Thanks for taking the time to do this.
@Trott The Makefile shouldn't be part of the main Makefile. It's like deps/openssl/config/Makefile --- it's not used to build Node.js, it's a script (that happens to be in Makefile syntax) that is used occasionally to maintain sets of files that are checked in to git. Cert regeneration is rarely needed, but we have had to do it on occasion if a cert's end-of-validity was being passed. It serves less as a Makefile, and more as documentation for how the certs were created. Also, regenerating the certs invalidates lots of tests, which have dependencies on serial numbers, SHA values, timestamps, etc. that are no longer correct afterwards. I've been tempted to add some scripting with OpenSSL at the end of the Makefile to generate some kind of JSON "manifest" for the certs, so that tests could depend on the meta info in the manifest instead of hardcoded values, but the certs are so seldom regenerated that it hasn't been worth the effort (yet).
@sam-github I'm working on your requests -- thanks for the review! FOAF+SSL (as described here) is a certificate based 'social' authentication protocol. Apparently node supports it, and it is very weakly tested in I'll add comments to describe linking to that page :)
0c9f225 to 61f2f16
Force push was to ensure
61f2f16 to 82b1f81
Force push to add detail to the last commit message.
You don't have to justify force pushing. It's your branch, rebase and force-push it as much as you want. 2a3809a would be better to have been committed as Having a PR, particularly a large (by lines) one like this, that has lots of well-defined individual commits is nice, but for a PR to have one commit that introduces a change, and then another that reverts it, isn't so good. Other than the "revert" commit, this looks good to me. I've kicked off a CI run. If it's green, this should be landable. Thanks for all your work on this.
@sam-github I guess the question should have been: Should the Makefile exist somewhere other than
I don't care that much where it's moved around to. It could get moved to And like I said, it's the same pattern as deps/openssl/config/Makefile. I've no idea where the scripts that import icu and some of the other vendored deps are. Maybe there is a pattern these should follow, too. So, if someone wants to move Makefile somewhere else and make the case it improves consistency, shrug, OK, but not into the top-level Makefile! :-)
And also, most importantly, moving the Makefile has nothing to do with this PR. It's at best a follow up.
Test failures on Windows....
Looks like the tests are failing on Windows due to Result from test/parallel/test-crypto-certificate.js: AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
+ actual - expected
+ '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9xYiIonscC3vz/A2ceR7KhZZlDu/5bye53nCVTcKnWd2seY6UAdKersX6njr83Dd5OVe1BW/wJvp5EjWTAGYbFswlNmeD44edEGM939B6Lq+/8iBkrTi8mGN4YCytivE24YI0D4XZMPfkLSpab2y/Hy4DjQKBq1ThZ0UBnK+9IhX37Ju/ZoGYSlTIGIhzyaiYBh7wrZBoPczIEu6et/kN2VnnbRUtkYTF97ggcv5h+hDpUQjQW0ZgOMcTc8n+RkGpIt0/iM/bTjI3Tz/gsFdi6hHcpZgbopPL630296iByyigQCPJVzdusFrQN5DeC+zT/nGypQkZanLb4ZspSx9QIDAQAB-----END PUBLIC KEY-----'
- '-----BEGIN PUBLIC KEY-----\rMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9xYiIonscC3vz/A2ceR\r7KhZZlDu/5bye53nCVTcKnWd2seY6UAdKersX6njr83Dd5OVe1BW/wJvp5EjWTAG\rYbFswlNmeD44edEGM939B6Lq+/8iBkrTi8mGN4YCytivE24YI0D4XZMPfkLSpab2\ry/Hy4DjQKBq1ThZ0UBnK+9IhX37Ju/ZoGYSlTIGIhzyaiYBh7wrZBoPczIEu6et/\rkN2VnnbRUtkYTF97ggcv5h+hDpUQjQW0ZgOMcTc8n+RkGpIt0/iM/bTjI3Tz/gsF\rdi6hHcpZgbopPL630296iByyigQCPJVzdusFrQN5DeC+zT/nGypQkZanLb4ZspSx\r9QIDAQAB\r-----END PUBLIC KEY-----\r'
at checkMethods (c:\workspace\node-test-binary-windows-2\test\parallel\test-crypto-certificate.js:43:10)
at Object.<anonymous> (c:\workspace\node-test-binary-windows-2\test\parallel\test-crypto-certificate.js:58:3)
at Module._compile (internal/modules/cjs/loader.js:781:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:792:10)
at Module.load (internal/modules/cjs/loader.js:641:32)
at Function.Module._load (internal/modules/cjs/loader.js:556:12)
at Function.Module.runMain (internal/modules/cjs/loader.js:844:10)
at internal/main/run_main_module.js:17:11 {
generatedMessage: true,
code: 'ERR_ASSERTION',
actual: '-----BEGIN PUBLIC ' +
'KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9xYiIonscC3vz/A2ceR7KhZZlDu/5bye53nCVTcKnWd2seY6UAdKersX6njr83Dd5OVe1BW/wJvp5EjWTAGYbFswlNmeD44edEGM939B6Lq+/8iBkrTi8mGN4YCytivE24YI0D4XZMPfkLSpab2y/Hy4DjQKBq1ThZ0UBnK+9IhX37Ju/ZoGYSlTIGIhzyaiYBh7wrZBoPczIEu6et/kN2VnnbRUtkYTF97ggcv5h+hDpUQjQW0ZgOMcTc8n+RkGpIt0/iM/bTjI3Tz/gsFdi6hHcpZgbopPL630296iByyigQCPJVzdusFrQN5DeC+zT/nGypQkZanLb4ZspSx9QIDAQAB-----END ' +
'PUBLIC KEY-----',
expected: '-----BEGIN PUBLIC KEY-----\r' +
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt9xYiIonscC3vz/A2ceR\r' +
'7KhZZlDu/5bye53nCVTcKnWd2seY6UAdKersX6njr83Dd5OVe1BW/wJvp5EjWTAG\r' +
'YbFswlNmeD44edEGM939B6Lq+/8iBkrTi8mGN4YCytivE24YI0D4XZMPfkLSpab2\r' +
'y/Hy4DjQKBq1ThZ0UBnK+9IhX37Ju/ZoGYSlTIGIhzyaiYBh7wrZBoPczIEu6et/\r' +
'kN2VnnbRUtkYTF97ggcv5h+hDpUQjQW0ZgOMcTc8n+RkGpIt0/iM/bTjI3Tz/gsF\r' +
'di6hHcpZgbopPL630296iByyigQCPJVzdusFrQN5DeC+zT/nGypQkZanLb4ZspSx\r' +
'9QIDAQAB\r' +
'-----END PUBLIC KEY-----\r',
operator: 'strictEqual'
} |
2a3809a to 6bffe65
If I'm reading Jenkins right, the offending tests are:
I've made changes to these in cd1a9b3 to avoid the \r\n issue, so the tests should now pass. I was able to check all but
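An added example, not code from this PR or from the Node.js test suite: the Windows failure above compares PEM text whose only difference is line separators, and the review thread also raises hard-coded key sizes and a "manifest" of fixture metadata. The sketch below compares PEM by decoded DER bytes and reads size and fingerprint from the key itself; all function names are hypothetical and the key is a throwaway generated at run time.

```javascript
const { createHash, createPublicKey, generateKeyPairSync } = require('crypto');

// Decode one PEM block to DER. Whitespace inside the block is ignored, so
// LF, CRLF, bare CR and "no separators at all" decode to the same bytes.
function pemToDer(pem, label = 'PUBLIC KEY') {
  const re = new RegExp(
    `-----BEGIN ${label}-----([\\s\\S]*?)-----END ${label}-----`);
  const match = re.exec(pem);
  if (!match) throw new Error(`no ${label} block found`);
  const b64 = match[1].replace(/\s+/g, '');
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64))
    throw new Error('PEM body is not valid base64');
  return Buffer.from(b64, 'base64');
}

// Compare two PEM strings by content rather than by text.
function samePem(a, b, label) {
  return pemToDer(a, label).equals(pemToDer(b, label));
}

// Manifest-style facts a test can assert on, read from the key itself.
function describeKey(pem) {
  const key = createPublicKey(pem);
  const der = key.export({ type: 'spki', format: 'der' });
  return {
    type: key.asymmetricKeyType,
    modulusLength: key.asymmetricKeyDetails.modulusLength,
    spkiSha256: createHash('sha256').update(der).digest('hex'),
  };
}

// Constructed sample input: a throwaway key generated at run time, then
// re-encoded with the line endings seen in the CI output.
function pemVariants() {
  const { publicKey: lf } = generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  return {
    lf,
    crlf: lf.replace(/\n/g, '\r\n'),
    cr: lf.replace(/\n/g, '\r'),
    flat: lf.replace(/\n/g, ''),
  };
}

const demo = pemVariants();
console.log(samePem(demo.flat, demo.cr), demo.flat === demo.cr, describeKey(demo.lf));
```

The `flat` and `cr` variants mirror the "actual" and "expected" strings in the assertion output: unequal as text, equal as DER.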
wrt. #27962 (comment), it's great that this all passes, but I'm confused as to why, the failures seem wholly unrelated to regenerating the certs. Were these tests failing before the certs were moved into test/fixtures, but being ignored, and you fixed them? Or did something about the rearranging of the certs cause the tests to start failing? It matters, because if a PR is a series of commits, the tests should pass between every single commit, so if one of these commits caused them to fail, and then the tests are only fixed by the last commit, We could squash the entire PR into one commit when it lands, but you've broken it into such nice individual commits, I'm reluctant to do that. Btw, if you have a Windows box, you can use @nodejs/releasers @nodejs/lts do you have an opinion on this?
PR-URL: #27962 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Lots of changes, but mostly just search/replace of fixtures.readSync(...) to fixtures.readKey([new key]...) Benchmarks modified to use fixtures.readKey(...): benchmark/tls/throughput.js benchmark/tls/tls-connect.js benchmark/tls/secure-pair.js Also be sure to review the change to L16 of test/parallel/test-crypto-sign-verify.js PR-URL: #27962 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Converts the whitespace to spaces in the all: ... target for consistency. The other whitespace has to remain tabs due to how Makefiles work. PR-URL: #27962 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: Rich Trott <[email protected]>
Also adds make'd signatures for use in tests of signing/verification. All of the moved keys can be regenerated at will without breaking tests now. PR-URL: #27962 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ujjwal Sharma <[email protected]> Reviewed-By: Rich Trott <[email protected]>
A bunch of pre-generated test keypairs/certs were kept under test/fixtures/ with no information on how they were generated. This PR removes those keypairs/certs and creates new definitions to replace them in the makefile under test/fixtures/keys/. Each was subsequently generated, and references in tests to the old files were updated.
All of the keypairs/certs I touched are now entirely re-generate-able, so long as certain parameters in the makefile aren't changed. Even if they are changed, it should now be simple to track down what tests fail and to rectify it.
With these changes, future work like #3759 and what's needed for #27862 should be a lot more manageable.
Many old references used fixture.readSync(...) which I've changed in most cases to fixture.readKey(...) which is set up to pull directly from the test/fixtures/keys/ directory.
I made changes in df43695 to the following benchmarks that use test fixtures. I'm not familiar with the benchmark system, so I would appreciate a check that what I've done is OK.
I'm really sorry for the size of this PR! Most of it is the newly generated certificates, and the changed references to those certificates. I would be happy to break up this work in whatever way is desired! Most of these commits are pretty atomic, so separating them shouldn't be too much trouble.
The makefile could also probably use some simplifying/cleaning up. If there's any advice or requests in that avenue, I would be happy to implement them.
Checklist
make -j4 test (UNIX), or vcbuild test (Windows) passes