
Commit 6f7373d

committed
tests: rework vendored certificates/keys
The existing unit tests used vendored cert/key data in a strange way. The `end.cert` and `end.chain` files were the same, and neither was a chain. In both cases the certificate was self-signed, and that same certificate was also configured as a trust anchor in the client configurations. No code/script was included to regenerate the cert (and it was set to expire in Aug). This commit replaces the test files to better simulate a real-world deployment with a trust anchor configured OOB and an intermediate and end-entity chain served by the TLS server. The test certificates are switched to use ECDSA (the rcgen default) for private keys instead of RSA. RSA is for the 90s and ECDSA will be faster :) No tests presently require the root or intermediate private keys, or a serialization of just the end entity cert without the intermediate, so we don't persist this data. This could be added in the future as req'd. All of the key/cert generation is bundled into an ignored integration test `tests/certs/main.rs` using a new dev-only dep on `rcgen`. This felt like the best option on balance, but we could also create a second crate, or look at the unstable nightly Cargo script feature.
1 parent 7fdd067 commit 6f7373d


10 files changed

+192
-152
lines changed


Cargo.lock

Lines changed: 73 additions & 0 deletions

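--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,6 +29,7 @@ tls12 = ["rustls/tls12"]
 
 [dev-dependencies]
 argh = "0.1.1"
+rcgen = { version = "0.13", features = ["pem"] }
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1.1"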

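--- /dev/null
+++ b/tests/certs/chain.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw
+JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw
+MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm
+IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X
+k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L
+Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT
+MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp
+YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ
+ucFJ3PiC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg
+LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3
+1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm
+mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU
+JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl
+DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf
+UaorChZwaCiO3vT8
+-----END CERTIFICATE-----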

tests/certs/end.cert

Lines changed: 0 additions & 31 deletions
This file was deleted.

tests/certs/end.chain

Lines changed: 0 additions & 62 deletions
This file was deleted.

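--- /dev/null
+++ b/tests/certs/end.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI
+uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge
+ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u
+-----END PRIVATE KEY-----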

tests/certs/end.rsa

Lines changed: 0 additions & 51 deletions
This file was deleted.

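--- /dev/null
+++ b/tests/certs/main.rs
@@ -0,0 +1,66 @@
+//! An ignored-by-default integration test that regenerates vendored certs.
+//! Run with `cargo test -- --ignored` when test certificates need updating.
+//! Suitable for test certificates only. Not a production CA ;-)
+
+use rcgen::{
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
+    KeyPair, KeyUsagePurpose,
+};
+use std::fs::File;
+use std::io::Write;
+
+#[test]
+#[ignore]
+fn regenerate_certs() {
+    let root_key = KeyPair::generate().unwrap();
+    let root_ca = issuer_params("Rustls Robust Root")
+        .self_signed(&root_key)
+        .unwrap();
+
+    let mut root_file = File::create("tests/certs/root.pem").unwrap();
+    root_file.write_all(root_ca.pem().as_bytes()).unwrap();
+
+    let intermediate_key = KeyPair::generate().unwrap();
+    let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2")
+        .signed_by(&intermediate_key, &root_ca, &root_key)
+        .unwrap();
+
+    let end_entity_key = KeyPair::generate().unwrap();
+    let mut end_entity_params =
+        CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap();
+    end_entity_params.is_ca = IsCa::ExplicitNoCa;
+    end_entity_params.extended_key_usages = vec![
+        ExtendedKeyUsagePurpose::ServerAuth,
+        ExtendedKeyUsagePurpose::ClientAuth,
+    ];
+    let end_entity = end_entity_params
+        .signed_by(&end_entity_key, &intermediate_ca, &intermediate_key)
+        .unwrap();
+
+    let mut chain_file = File::create("tests/certs/chain.pem").unwrap();
+    chain_file.write_all(end_entity.pem().as_bytes()).unwrap();
+    chain_file
+        .write_all(intermediate_ca.pem().as_bytes())
+        .unwrap();
+
+    let mut key_file = File::create("tests/certs/end.key").unwrap();
+    key_file
+        .write_all(end_entity_key.serialize_pem().as_bytes())
+        .unwrap();
+}
+
+fn issuer_params(common_name: &str) -> CertificateParams {
+    let mut issuer_name = DistinguishedName::new();
+    issuer_name.push(DnType::CommonName, common_name);
+    let mut issuer_params = CertificateParams::default();
+    issuer_params.distinguished_name = issuer_name;
+    issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    issuer_params.key_usages = vec![
+        KeyUsagePurpose::KeyCertSign,
+        KeyUsagePurpose::DigitalSignature,
+    ];
+    issuer_params
+}
+
+// For the server name constant.
+include!("../utils.rs");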
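Review bot: The end-entity certificate is issued with rcgen's default distinguished name because `end_entity_params` (lines 29–35) never sets one, so the leaf in chain.pem gets a subject unrelated to the two issuers' naming — the base64 of the first certificate in chain.pem appears to decode to the CN "rcgen self signed cert", which is misleading for a certificate that is in fact signed by the intermediate. Give it a subject the same way `issuer_params` does: `let mut leaf_name = DistinguishedName::new(); leaf_name.push(DnType::CommonName, utils::TEST_SERVER_DOMAIN); end_entity_params.distinguished_name = leaf_name;`. Since the stated goal is to simulate a real-world deployment, the rung-2 CA should also not be `BasicConstraints::Unconstrained` (line 57 applies it to both issuers); letting `issuer_params` take the constraint as a parameter so the root is `Constrained(1)` and the intermediate `Constrained(0)` keeps the fixture from being able to vouch for further sub-CAs, which is what a verifier ought to see from an issuing CA. The three `File::create` calls take paths relative to the process working directory; anchoring them on `env!("CARGO_MANIFEST_DIR")` stops the regenerate run from silently writing into the wrong tree when invoked from a workspace member or another directory.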

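--- /dev/null
+++ b/tests/certs/root.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA
+oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO
+BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G
+A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG
+SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy
+4Z+WRw==
+-----END CERTIFICATE-----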
