-
Notifications
You must be signed in to change notification settings - Fork 74
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tests: rework vendored certificates/keys
The existing unit tests used vendored cert/key data in a strange way. The `end.cert` and `end.chain` files were the same, and neither was a chain. In both cases the certificate was self-signed, and that same certificate was also configured as a trust anchor in the client configurations. No code/script was included to regenerate the cert (and it was set to expire in Aug). This commit replaces the test files to better simulate a real-world deployment with a trust anchor configured OOB and an intermediate and end-entity chain served by the TLS server. The test certificates are switched to use ECDSA (the rcgen default) for private keys instead of RSA. RSA is for the 90s and ECDSA will be faster :) No tests presently require the root or intermediate private keys, or a serialization of just the end entity cert without the intermediate, so we don't persist this data. This could be added in the future as req'd. All of the key/cert generation is bundled into an ignored integration test `tests/certs/main.rs` using a new dev-only dep on `rcgen`. This felt like the best option on balance, but we could also create a second crate, or look at the unstable nightly Cargo script feature.
- Loading branch information
Showing
10 changed files
with
192 additions
and
152 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw | ||
JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw | ||
MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm | ||
IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X | ||
k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L | ||
Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr | ||
BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT | ||
MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp | ||
YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ | ||
ucFJ3PiC | ||
-----END CERTIFICATE----- | ||
-----BEGIN CERTIFICATE----- | ||
MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw | ||
HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY | ||
DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg | ||
LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3 | ||
1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm | ||
mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU | ||
JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl | ||
DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf | ||
UaorChZwaCiO3vT8 | ||
-----END CERTIFICATE----- |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
-----BEGIN PRIVATE KEY----- | ||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI | ||
uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge | ||
ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u | ||
-----END PRIVATE KEY----- |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
//! An ignored-by-default integration test that regenerates vendored certs. | ||
//! Run with `cargo test -- --ignored` when test certificates need updating. | ||
//! Suitable for test certificates only. Not a production CA ;-) | ||
use rcgen::{ | ||
BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa, | ||
KeyPair, KeyUsagePurpose, | ||
}; | ||
use std::fs::File; | ||
use std::io::Write; | ||
|
||
#[test] | ||
#[ignore] | ||
fn regenerate_certs() { | ||
let root_key = KeyPair::generate().unwrap(); | ||
let root_ca = issuer_params("Rustls Robust Root") | ||
.self_signed(&root_key) | ||
.unwrap(); | ||
|
||
let mut root_file = File::create("tests/certs/root.pem").unwrap(); | ||
root_file.write_all(root_ca.pem().as_bytes()).unwrap(); | ||
|
||
let intermediate_key = KeyPair::generate().unwrap(); | ||
let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2") | ||
.signed_by(&intermediate_key, &root_ca, &root_key) | ||
.unwrap(); | ||
|
||
let end_entity_key = KeyPair::generate().unwrap(); | ||
let mut end_entity_params = | ||
CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap(); | ||
end_entity_params.is_ca = IsCa::ExplicitNoCa; | ||
end_entity_params.extended_key_usages = vec![ | ||
ExtendedKeyUsagePurpose::ServerAuth, | ||
ExtendedKeyUsagePurpose::ClientAuth, | ||
]; | ||
let end_entity = end_entity_params | ||
.signed_by(&end_entity_key, &intermediate_ca, &intermediate_key) | ||
.unwrap(); | ||
|
||
let mut chain_file = File::create("tests/certs/chain.pem").unwrap(); | ||
chain_file.write_all(end_entity.pem().as_bytes()).unwrap(); | ||
chain_file | ||
.write_all(intermediate_ca.pem().as_bytes()) | ||
.unwrap(); | ||
|
||
let mut key_file = File::create("tests/certs/end.key").unwrap(); | ||
key_file | ||
.write_all(end_entity_key.serialize_pem().as_bytes()) | ||
.unwrap(); | ||
} | ||
|
||
fn issuer_params(common_name: &str) -> CertificateParams { | ||
let mut issuer_name = DistinguishedName::new(); | ||
issuer_name.push(DnType::CommonName, common_name); | ||
let mut issuer_params = CertificateParams::default(); | ||
issuer_params.distinguished_name = issuer_name; | ||
issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); | ||
issuer_params.key_usages = vec![ | ||
KeyUsagePurpose::KeyCertSign, | ||
KeyUsagePurpose::DigitalSignature, | ||
]; | ||
issuer_params | ||
} | ||
|
||
// For the server name constant. | ||
include!("../utils.rs"); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
-----BEGIN CERTIFICATE----- | ||
MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw | ||
HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY | ||
DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw | ||
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA | ||
oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO | ||
BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G | ||
A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG | ||
SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy | ||
4Z+WRw== | ||
-----END CERTIFICATE----- |
Oops, something went wrong.