From 2edaf345d4f49de78d6699f12d664a634eea4b35 Mon Sep 17 00:00:00 2001
From: Tiago Queiroz
Date: Tue, 19 Dec 2023 17:55:11 +0100
Subject: [PATCH 1/2] Update TLS certificates in tests

Some TLS certificates used in tests expired, this commit fixes it by generating the certificates and, if needed, calculating the fingerprint on each test. This will prevent future CI failures and reduce the maintenance burden.
---
 transport/tlscommon/ca_pinning_test.go | 23 +-
 transport/tlscommon/testdata/cacert.crt | 24 ---
 transport/tlscommon/testdata/cacert.key | 27 ---
 transport/tlscommon/testdata/client1.crt | 48 -----
 transport/tlscommon/testdata/client1.key | 27 ---
 transport/tlscommon/testdata/es-leaf.crt | 32 ---
 .../tlscommon/testdata/es-root-ca-cert.crt | 31 ---
 transport/tlscommon/testdata/server.crt | 22 --
 transport/tlscommon/testdata/server.key | 15 --
 transport/tlscommon/testdata/tls.crt | 22 --
 transport/tlscommon/testdata/unsigned_tls.crt | 22 --
 transport/tlscommon/tls_config_test.go | 203 ++++++++++++------
 12 files changed, 157 insertions(+), 339 deletions(-)
 delete mode 100644 transport/tlscommon/testdata/cacert.crt
 delete mode 100644 transport/tlscommon/testdata/cacert.key
 delete mode 100644 transport/tlscommon/testdata/client1.crt
 delete mode 100644 transport/tlscommon/testdata/client1.key
 delete mode 100644 transport/tlscommon/testdata/es-leaf.crt
 delete mode 100644 transport/tlscommon/testdata/es-root-ca-cert.crt
 delete mode 100644 transport/tlscommon/testdata/server.crt
 delete mode 100644 transport/tlscommon/testdata/server.key
 delete mode 100644 transport/tlscommon/testdata/tls.crt
 delete mode 100644 transport/tlscommon/testdata/unsigned_tls.crt

diff --git a/transport/tlscommon/ca_pinning_test.go b/transport/tlscommon/ca_pinning_test.go
index 9a464cf7..fcb4d0da 100644
--- a/transport/tlscommon/ca_pinning_test.go
+++ b/transport/tlscommon/ca_pinning_test.go
@@ -94,7 +94,7 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -172,10 +172,10 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil)
+ intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -246,10 +246,10 @@ func TestCAPinning(t *testing.T) {
 ca, err := genCA()
 require.NoError(t, err)
 
- intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil)
+ intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
- serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil)
+ serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false)
 require.NoError(t, err)
 
 mux := http.NewServeMux()
@@ -360,10 +360,19 @@ func genSignedCert(
 commonName string,
 dnsNames []string,
 ips []net.IP,
+ expired bool,
 ) (tls.Certificate, error) {
 if commonName == "" {
 commonName = "You know, for search"
 }
+
+ notBefore := time.Now()
+ notAfter := notBefore.Add(time.Hour)
+
+ if expired {
+ notBefore = notBefore.Add(-42 * time.Hour)
+ notAfter = notAfter.Add(-42 * time.Hour)
+ }
 // Create another Cert/key
 cert := &x509.Certificate{
 SerialNumber: big.NewInt(2000),
@@ -382,8 +391,8 @@ func genSignedCert(
 PostalCode: []string{"HOH OHO"},
 },
 
- NotBefore: time.Now(),
- NotAfter: time.Now().Add(1 * time.Hour),
+ NotBefore: notBefore,
+ NotAfter: notAfter,
 IsCA: isCA,
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 KeyUsage: keyUsage,
diff --git a/transport/tlscommon/testdata/cacert.crt b/transport/tlscommon/testdata/cacert.crt
deleted file mode 100644
index debdf7e2..00000000
--- a/transport/tlscommon/testdata/cacert.crt
+++ /dev/null
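Review bot: The new `expired` parameter and the shift at `notBefore = notBefore.Add(-42 * time.Hour)` are undocumented, so a reader of the call sites in the preceding hunks (`..., nil, false)`) and of the later `test.ips, false)` and TestVerificationMode hunks cannot tell what the trailing `false` selects or why 42 hours was chosen. Suggest a comment on the parameter, `// expired moves the whole validity window into the past so that verification rejects the certificate on time alone.`, and a named constant such as `const expiredShift = 42 * time.Hour` in place of the literal repeated on two lines. The signature of genSignedCert begins before this hunk and its body continues after the second hunk.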
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW -ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/cacert.key b/transport/tlscommon/testdata/cacert.key deleted file mode 100644 index e864b93e..00000000 --- a/transport/tlscommon/testdata/cacert.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB -mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ -l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn -1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh -nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs -x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n -/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO -YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 -K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm -zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L -d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa -szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X -3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI -4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY -QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT -iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl -EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV -+Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t -f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv -l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt -kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo -VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 -zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv -UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 -Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/client1.crt b/transport/tlscommon/testdata/client1.crt deleted file mode 100644 index c3139a72..00000000 --- a/transport/tlscommon/testdata/client1.crt +++ /dev/null 
@@ -1,48 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV -BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 -hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n -26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 -5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z -zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU -mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud -EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME -gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP -MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh -dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB -/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N -Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 -myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w -En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN -2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J -u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW 
-ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/client1.key b/transport/tlscommon/testdata/client1.key deleted file mode 100644 index ce5274b7..00000000 --- a/transport/tlscommon/testdata/client1.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz -NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD -MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP -RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W -3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N -/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck -04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 -1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR -iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j -wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa -NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ -27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw -nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 -HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx -71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz -1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w -xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu -2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 -8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde -RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM -T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds -4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE -UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy -q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L -ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/es-leaf.crt b/transport/tlscommon/testdata/es-leaf.crt deleted file mode 100644 index 89d5087e..00000000 --- a/transport/tlscommon/testdata/es-leaf.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeDCCA2CgAwIBAgIUV7+XlHjcV++/ezqTkJrXSFc1dpAwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yMzExMzAxMDMzNTda -MBExDzANBgNVBAMTBngtd2luZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBALL045X6ywAHg9tWuViNyXu30rHhJa/AI45ZwLWzQMEwnCWnMvV0Cy3FgUd6 -VKw4Rg55/SfBKShhTRjC4PmDIHDIBgpm4NWpREIW2+cZfeEU8B34ucK/ZHycTFQ1 -Guh8HfvFy5J3OYT+8Wfz94ZxvVLMOGROTSiWdL2foVk98tbHgL1K3qyv1v0rgIjt -smZ7G4tbl3sBCuYceUL7X/+0kavJGls2T/rtxxEIfj5dNz4h65KmABrrAJfrEx35 -y2jCdY2XQsBxxMvbHEXXJKhrjQ8pajMcWAlDBKweiNIDdgBDYWpodpr4f3A6ZJkM -Nplw7KyLna4s3BO/g7fd5/FyQGFuLPraFtFnTXGqH+LjX0td74bdSP22/uhU3cKY -3y64I3/HEaEY5JITgUArExcMVpXuKJKqXEb+LtjGmUbAiO8Z7QKL+PqmU+3tJJ0p -kXnS07m3F/MgrDir/VCnYGQcXeteBwEgmcOwPmxz98eOSBhtb0PrimycF2tQuT8b -mCU+evTPC+KQ+8XY5vBwdPGpf6YAaHuVhNtKqBQnYOpsadS7zw5DJ0Y1Kp9z0ZPL -ch4DxE40xqAFmxWnAfpy2scD8LGJ1zDII90tAtYdu+3Wlzj6uMqUdqPuJED7XD41 -mlF2OjB5ipTs/1Jjl3pEnGG94sw5bQmnS1xFQp/DO3mjlgFBAgMBAAGjgZwwgZkw -HQYDVR0OBBYEFJKNxskBHE5xQ9S24puXSKm6/bLKMB8GA1UdIwQYMBaAFHEdsBBS -VCiK0fDIVe2vNN8JvHmcMEwGA1UdEQRFMEOHEP6AAAAAAAAAtw+3JU5DX8mCCWxv -Y2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAAAYcEfwAAAYcEwKgqtoIGeC13aW5nMAkG -A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAF5JAIQ9cu2xroh2F85fBr/F0s8D -aRV6AJpkjSVKInMm7omn+GLB80TwQZ6NsGuXrbaq0rcM85khsBs4rWn5MqescYG/ -8A7gZ4EtYE3LIyeqiqBByrtIqszZeXm7ITDSF/lwn7X2swe7orkhVD4tVEvKH6L6 -Ql0oNe5UBN1Rm9NskDltMDzE2A25slkm99CAdPERDEjBpvd3eDcfbQdHeuAOPfUV -T8P2DAdW4SC955bxnc0GPTla5TKXWWLde3egow5a4LeJv6KVWPTC9chEXZyQKp4p -jvWZW1fTO/kC3oj97tfqoH/r35/+qyXmg38HNAFbEoVM3bsO0vqrI5CbkWTkB1Xb -7CY6jJxemyEprl2gmkgfA/MXBHFc3RoIL7JcX7Sk8ZWpnEVK3KyoyK1RJ5kY1Cz4 -SRw4KLJA4Cu6DE7vXy9pTlIeeQARgQOUxnrlRGYHpKRIwgjrhwEjVqc0CPwj7rWr -0VY4MW80FPFIePpqy3DjoJmORQU632iu/5zeUS4dZ11Ms7NTakqqnFHi7XczqeZn -4HqPW8ebQTXrqRXMF/X30x6gkK1R1tXHSbve7cTQWJEwJd+MS2aA5Npt7hGznjPn -Y1p4k9jEz5BnbLtZ2RbAj2FuL4Ee6iJoyZpFbi/SW+h+1ZaPCeUTnxUkDLEiXpdk -tN8H6/6dudhy6btm ------END 
CERTIFICATE----- diff --git a/transport/tlscommon/testdata/es-root-ca-cert.crt b/transport/tlscommon/testdata/es-root-ca-cert.crt deleted file mode 100644 index 6234774a..00000000 --- a/transport/tlscommon/testdata/es-root-ca-cert.crt +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFWTCCA0GgAwIBAgIUAoPlJ3hVr921EyJfiT+9lVft3fcwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yNDExMjkxMDMzNTda -MDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25maWd1 -cmF0aW9uIEhUVFAgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2 -soq+heCJNHsMuyyyLndREhYmxYFav06XOLB5oC1bAt+0WMo3n7rxVB8dAhfvigof -DsTIytnCcK+Th8ll2k4Bs2weF16ZhvvC2FKbSkdUxNXnXfx7gdKDXZLbfref5FiL -ucwxa7CtVL28Lfws9J5dZTTAuxR2XxaX+TJbH6MbQgKUYR+DnK8T3jSfiDTQtiHs -+pd+C8hSdMgzKCynYP36VZbtz1ynWjvQ/0wxARO6q2OLZGBNh2ncoFEmosXgc0ir -Vh9NrVmozSI0H2f6W07imqL3oe1pe3bwW/OdfeahCBY3IvDLDn8q8wDl91gRta3n -EsMsiuBRSRRpT0grgoCFNy+wiIrETVLaI2HJ0UpVIpcoS7K5l2zN/wA+w+hAOdh0 -PoBt8AoC1aCCGM4osCTKqbgbOg957io2twuvWJ6ae3J2k5FFDMvIfMfL+5HhPSRp -nYiRDPOhapDhaXhHa4pEFONpdiJJgmqymLqjW4liZOGft28dSkISK3iiBL74p/gu -X/sBI7PZANycpyVjnLHK+FwPlRZPkrqCw2Gke4Oqm9uydwM08uRVZcNylVS7H0ip -9BEcxKlXJSaULnTqQXkiPGKGkCrrIIsNQTFjoaBIBP2o69NSZ0SozDf4aCnYy10v -U1dwI9yisOmMfDkakNcAPXfRfmuuJlstl1W1RraQswIDAQABo1MwUTAdBgNVHQ4E -FgQUcR2wEFJUKIrR8MhV7a803wm8eZwwHwYDVR0jBBgwFoAUcR2wEFJUKIrR8MhV -7a803wm8eZwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAiHrC -NxCNsyUYLFVivL9AsJ5Y3IrhAHUzYwofLBJiMYNFsaEi3P1VU3TNlo98kzi2QkdY -NPFtRYoOg6sEI0KPEBw54kLP/Q/FJK7jeJSyhJ9V/Z+NS081YHqrMP4YPK6mM4qa -XuM7hpx37vkLDdfrDPionbcLk7Zz+2t6bIThrwta0idMY6LKeFfW1EWeggK6inNc -Ub3n1qcTyOp1RfcLlHCdb17JhgY5hROmqVfhgLlbT0bx1NZS4pRWhw5CDKsflMUe -SyHbLE1BTH6yE0nNXbR6FgDKjQNUSSZBOBck0hdSaRArALavujjBojHmJYWt1jWO -bcBErzwKKwH/peUh7Wgnq1L/lqym9K9AniWUyhvKn8AbxGLnILDMYOSrvlPF2uU+ -uvp2EzhPUyOgYycC28H4fFUdDeoN5FVP+4sFFK+FIgfqLfVMTgDPmGAbkqA6WKlH -fgQ2fP4oB2ZkN0EPxivXkvZkhDVlIXeoisUkNCgAfVuwCjvOLnqz8u0tTnp/wXxq -XAXUPLcG71YFzABlkwuPdA5GhFAL1Rv8GQJEznhZ8mYz/yTtcg/z3pYEhDcM92Cb -161BormFYVRI1B80rSpzeQwJVfvgCwnWOTat+1joFHCzpl99nHu8tMxi6lkO1G9E -8vdk/J0zMMnhO52V2EMNdH2fTJUMZYixBm4BeEM= ------END CERTIFICATE----- 
diff --git a/transport/tlscommon/testdata/server.crt b/transport/tlscommon/testdata/server.crt deleted file mode 100644 index 50ca5ce8..00000000 --- a/transport/tlscommon/testdata/server.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDlTCCAX0CAQEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMxEzARBgNV -BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMM -DmNhQGV4YW1wbGUuY29tMB4XDTIxMDEyNTE2MzQ0OVoXDTMxMDEyMzE2MzQ0OVow -UjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh -biBGcmFuY2lzY28xFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBALFuNygrGLLSnD//JRfU6xMDqgizeVdQqDlLaP/HxQ84 -9RPWnjfbyx2M25JYcLvewPqKQ80lOYnMRhpvujmuKP7gQHNDWOsyXH5JljTX78Wb -I+nuVMeYjbUOh+6EgYNY59G5rH7xqgeu3y1YERfNdchEG8xjSxYeIZ7Ev6VMFF8r -AgMBAAEwDQYJKoZIhvcNAQELBQADggIBALyHDjVcY6Po1eHWTUCLLOW1ZzzkX4qu -gsfJM6qTIZIqh/O6tROGqH9kRw8SarIIZvtztfzuYtmQBE0qkBMzPzdN3x+3C4pz -jf2vsEKRqva9mf9y+JM0Mv0WUuPfusHxPKOCl1on71kP1GL1bYylKqazgVa2tAVa -78xs35YIuCM5apt0X+QO+Tnz/qfqJ7t3F7mP1aeCjYm8J20S8vKTYgkRkFX/8VJB -1zRPl0CAMyoHOMcrmb7wX8V1CIER7VBQ7h580B7/7okrw+Hr3xyMOA0w1DiRUQJE -biHBuDTRDmRg6W5nAwNLFLp/RfHttny0nEEcnzcjEStEKyDGbNg1W2ieWuIhgUza -L3W3ld9LDD9pMnQ8yYTMcL+J2Ir6ErhpGL3Hks42W2c/qYhvo3we6B2ADfsS7P+m -ku5W7/G2fDIlj6rtzaAeur+LSgsjU6kc1et2SJxjcJMPrS4xHxpAhJzD7h7f5N/B -RBc5cT2sE2vuUBRGkz0wC9AC2/kxmv4RwjsrYTY8rEOqHRkxDF18lfFocAoq7Hvr -lO6ft9/knzTQzKiizc6unXsLhUCvBzt50bA/gVLXmUmr1sncATKHWOLbvfRWat4I -0m52jlowgqnJPsXtl+wwNYHaw9gF71RTx/Ov2vZ8xm5SeBNkO8cpdAftETAEqpgp -fDlIVeywLvoN ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/server.key b/transport/tlscommon/testdata/server.key deleted file mode 100644 index 8bb153a9..00000000 --- a/transport/tlscommon/testdata/server.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCxbjcoKxiy0pw//yUX1OsTA6oIs3lXUKg5S2j/x8UPOPUT1p43 -28sdjNuSWHC73sD6ikPNJTmJzEYab7o5rij+4EBzQ1jrMlx+SZY01+/FmyPp7lTH -mI21DofuhIGDWOfRuax+8aoHrt8tWBEXzXXIRBvMY0sWHiGexL+lTBRfKwIDAQAB -AoGAaBKW5cfJl/JzVhJphn4MWL3YeXwUW4Pi+KBj+UwLKW+mSTmk2mzgyfd6P3AC -yB/Tn+GD/YutIUehgxYv7G9ceZC85EsPM6+1s887olgKNKbCiZZvrLBcBCzEhzkN -QpC2/cuOOVYdYYQJZp9RX7herAJ5aqxZHUUtCrudgfCiAckCQQDo37NhBBfUlLc4 -LW3ryxydsh7MrTMU63+5IVtXosV3TFdWN9LC6CCarkILcOG5tmEmM6v1UQRAgCkm -lb+/3SrXAkEAwwz9+mcAU1lTTiy+dCJkKepviT4Ex+BFl0yJPfSN5+/Wg15DjwsN -vdE0H5nAT65aECiYy8V9DKNwHNcTIaZXzQJBAMvoPOBhPiCVC410MgC6e9cVRWTA -766Muuy26Y1l6HQac4r6HGEv8oSeuxPbhrsfmBdkPVjz1L5Juj6f9yOgHEcCQHMH -pHkaaay+D00ZQjDHX38AzUqJEtS1xRTXhFDPeyj/3uiWnQ0tHauGR1EjobDcSC0j -ZAk4rOjZMnMvvA6qRTkCQQCT6B0edwnMc9q/4XcdF+LptWRiYNbSKkrisb304N+d -lqbB76fGQY22onWcZEvcOmifmzmgj56QXSUot+fkNlVK ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/tls.crt b/transport/tlscommon/testdata/tls.crt deleted file mode 100644 index d6528cce..00000000 --- a/transport/tlscommon/testdata/tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw -FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3 -MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl -bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p -yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH -hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c -jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30 -t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n -R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv -MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou -x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft -cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz -LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC -AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6 -JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC -l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg -3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT -itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC -zODbmFEr7N0FzCN6hU8PjcLLhg== ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/unsigned_tls.crt b/transport/tlscommon/testdata/unsigned_tls.crt deleted file mode 100644 index 710dda0a..00000000 --- a/transport/tlscommon/testdata/unsigned_tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN -BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA -MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG -A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz -NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE -AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL -4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao -2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u -mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc -bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp -IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G -A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6 -YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC -AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik -TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb -jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb -Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB -pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi -GQ6OHiviqMYraJMVFsc= ------END CERTIFICATE----- diff --git a/transport/tlscommon/tls_config_test.go b/transport/tlscommon/tls_config_test.go index 5804d5f3..71498cae 100644 --- a/transport/tlscommon/tls_config_test.go +++ b/transport/tlscommon/tls_config_test.go @@ -18,15 +18,14 @@ package tlscommon import ( + "crypto/sha256" "crypto/tls" "crypto/x509" - "encoding/pem" + "encoding/hex" "errors" - "io/ioutil" "net" "net/http" "net/url" - "path/filepath" "testing" "github.com/stretchr/testify/assert" 
@@ -34,15 +33,10 @@ import (
 )
 
 func TestMakeVerifyServerConnection(t *testing.T) {
- testCerts := openTestCerts(t)
-
- testCA, errs := LoadCertificateAuthorities([]string{
- filepath.Join("testdata", "ca.crt"),
- filepath.Join("testdata", "cacert.crt"),
- })
- if len(errs) > 0 {
- t.Fatalf("failed to load test certificate authorities: %+v", errs)
- }
+ testCerts := genTestCerts(t)
+
+ certPool := x509.NewCertPool()
+ certPool.AddCert(testCerts["ca"])
 
 testcases := map[string]struct {
 verificationMode TLSVerificationMode
@@ -64,7 +58,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with expired cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["expired"]},
 serverName: "",
 expectedCallback: true,
@@ -73,7 +67,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with incorrect server name in cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "bad.example.com",
 expectedCallback: true,
@@ -82,7 +76,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with correct cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -91,7 +85,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with correct wildcard cert": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["wildcard"]},
 serverName: "hello.example.com",
 expectedCallback: true,
@@ -100,7 +94,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with correct cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -109,7 +103,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with expired cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["expired"]},
 serverName: "localhost",
 expectedCallback: true,
@@ -118,7 +112,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "certificate verification with certificates when required with incorrect server name in cert": {
 verificationMode: VerifyCertificate,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "bad.example.com",
 expectedCallback: true,
@@ -127,7 +121,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "strict verification with certificates when required with correct cert": {
 verificationMode: VerifyStrict,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["correct"]},
 serverName: "localhost",
 expectedCallback: false,
@@ -136,7 +130,7 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 "default verification with certificates when required with cert signed by unknown authority": {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
- certAuthorities: testCA,
+ certAuthorities: certPool,
 peerCerts: []*x509.Certificate{testCerts["unknown authority"]},
 serverName: "",
 expectedCallback: true,
@@ -191,12 +185,14 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 }
 
 func TestTrustRootCA(t *testing.T) {
- certs := openTestCerts(t)
+ certs := genTestCerts(t)
 
 nonEmptyCertPool := x509.NewCertPool()
 nonEmptyCertPool.AddCert(certs["wildcard"])
 nonEmptyCertPool.AddCert(certs["unknown authority"])
 
+ fingerprint := getFingerprint(certs["ca"])
+
 testCases := []struct {
 name string
 rootCAs *x509.CertPool
@@ -207,21 +203,21 @@ func TestTrustRootCA(t *testing.T) {
 }{
 {
 name: "RootCA cert matches the fingerprint and is added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 1,
 },
 {
 name: "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs",
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 0,
 },
 {
 name: "non empty CertPool has the RootCA added",
 rootCAs: nonEmptyCertPool,
- caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]},
+ caTrustedFingerprint: fingerprint,
+ peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]},
 expectedRootCAsLen: 3,
 },
 {
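Review bot: `fingerprint := getFingerprint(certs["ca"])` introduces a test-only helper (defined in the final hunk of this file) for what looks like the same computation as the package's exported `Fingerprint`, which this file still calls on the new side (`CASHA256: []string{Fingerprint(testCerts["correct"])}`). I cannot see the body of `Fingerprint` from here, but if it is the hex SHA-256 of `cert.Raw` then the new helper and the added `crypto/sha256`/`encoding/hex` imports are redundant and this line can read `fingerprint := Fingerprint(certs["ca"])`; the same applies to the corresponding line in the TestMakeVerifyConnectionUsesCATrustedFingerprint hunk. Computing the expected value with the production function also keeps the test pinned to the exact encoding that CATrustedFingerprint is compared against, rather than to a parallel implementation that could drift.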
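Review bot: The case named "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs" now receives the same `caTrustedFingerprint: fingerprint` and the same `peerCerts` as the matching case directly above it, so unless a field outside this hunk distinguishes the two, it cannot exercise the mismatch path and `expectedRootCAsLen: 0` would only hold by accident. Give it a fingerprint that is known not to match the presented root, e.g. `caTrustedFingerprint: getFingerprint(certs["unknown authority"]),` with `peerCerts` left as is. The struct definition and the loop that evaluates these cases lie outside the hunk, so I cannot confirm whether another field already separates them.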
@@ -263,7 +259,8 @@ func TestTrustRootCA(t *testing.T) {
 }
 
 func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
- testCerts := openTestCerts(t)
+ testCerts := genTestCerts(t)
+ fingerprint := getFingerprint(testCerts["ca"])
 
 testcases := map[string]struct {
 verificationMode TLSVerificationMode
@@ -276,35 +273,35 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
 }{
 "CATrustedFingerprint and verification mode:VerifyFull": {
 verificationMode: VerifyFull,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
+ CATrustedFingerprint: fingerprint,
 },
 "CATrustedFingerprint and verification mode:VerifyCertificate": {
 verificationMode: VerifyCertificate,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
+ CATrustedFingerprint: fingerprint,
 },
 "CATrustedFingerprint and verification mode:VerifyStrict": {
 verificationMode: VerifyStrict,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
- CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b",
- CASHA256: []string{Fingerprint(testCerts["es-leaf"])},
+ CATrustedFingerprint: fingerprint,
+ CASHA256: []string{Fingerprint(testCerts["correct"])},
 },
 "CATrustedFingerprint and verification mode:VerifyNone": {
 verificationMode: VerifyNone,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: false,
 },
 "invalid CATrustedFingerprint and verification mode:VerifyFull returns error": {
 verificationMode: VerifyFull,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
 CATrustedFingerprint: "INVALID HEX ENCODING",
@@ -312,7 +309,7 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
 },
 "invalid CATrustedFingerprint and verification mode:VerifyCertificate returns error": {
 verificationMode: VerifyCertificate,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
 CATrustedFingerprint: "INVALID HEX ENCODING",
@@ -320,12 +317,12 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) {
 },
 "invalid CATrustedFingerprint and verification mode:VerifyStrict returns error": {
 verificationMode: VerifyStrict,
- peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]},
+ peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]},
 serverName: "localhost",
 expectedCallback: true,
 CATrustedFingerprint: "INVALID HEX ENCODING",
 expectingError: true,
- CASHA256: []string{Fingerprint(testCerts["es-leaf"])},
+ CASHA256: []string{Fingerprint(testCerts["correct"])},
 },
 }
 
@@ -410,7 +407,8 @@ func TestMakeVerifyServerConnectionForIPs(t *testing.T) {
 false,
 test.commonName,
 test.dnsNames,
- test.ips)
+ test.ips,
+ false)
 if err != nil {
 t.Fatalf("cannot generate peer certificate: %s", err)
 }
@@ -585,7 +583,7 @@ func TestVerificationMode(t *testing.T) {
 
 for name, test := range testcases {
 t.Run(name, func(t *testing.T) {
- certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips)
+ certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false)
 if err != nil {
 t.Fatalf("could not generate certificates: %s", err)
 }
@@ -678,30 +676,111 @@ func startTestServer(t *testing.T, serverAddr string, serverCerts []tls.Certific
 return *serverURL
 }
-func openTestCerts(t testing.TB) map[string]*x509.Certificate {
- t.Helper()
- certs := make(map[string]*x509.Certificate, 0)
+func getFingerprint(cert *x509.Certificate) string {
+ caSHA256 := sha256.Sum256(cert.Raw)
+ return hex.EncodeToString(caSHA256[:])
+}
- for testcase, certname := range map[string]string{
- "expired": "tls.crt",
- "unknown authority": "unsigned_tls.crt",
- "correct": "client1.crt",
- "wildcard": "server.crt",
- "es-leaf": "es-leaf.crt",
- "es-root-ca": "es-root-ca-cert.crt",
- } {
+func genTestCerts(t *testing.T) map[string]*x509.Certificate {
+ ca, err := genCA()
+ if err != nil {
+ t.Fatalf("cannot generate root CA: %s", err)
+ }
- certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname))
- if err != nil {
- t.Fatalf("reading file %q: %+v", certname, err)
- }
- block, _ := pem.Decode(certBytes)
- testCert, err := x509.ParseCertificate(block.Bytes)
+ unknownCA, err := genCA()
+ if err != nil {
+ t.Fatalf("cannot generate second root CA: %s", err)
+ }
+
+ certs := map[string]*x509.Certificate{
+ "ca": ca.Leaf,
+ }
+
+ certData := map[string]struct {
+ ca tls.Certificate
+ keyUsage x509.KeyUsage
+ isCA bool
+ dnsNames []string
+ ips []net.IP
+ expired bool
+ }{
+ "wildcard": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature,
+ isCA: false,
+ dnsNames: []string{"*.example.com"},
+ },
+ "correct": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ },
+ "unknown authority": {
+ ca: unknownCA,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ },
+ "expired": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ expired: true,
+ },
+ }
+
+ for certName, data := range certData {
+ cert, err := genSignedCert(
+ data.ca,
+ data.keyUsage,
+ data.isCA,
+ certName,
+ data.dnsNames,
+ data.ips,
+ data.expired,
+ )
 if err != nil {
- t.Fatalf("parsing certificate %q: %+v", certname, err)
+ t.Fatal(err)
 }
- certs[testcase] = testCert
+ certs[certName] = cert.Leaf
 }
+ // If for any reason there is a need to debug
+ // or inspect those certificates, just uncomment the
+ // following block. It will write all generated
+ // certificates to testdata/debug
+
+ // mapName := map[string]string{
+ // "ca": "ca.crt",
+ // "correct": "client1.crt",
+ // "expired": "tls.crt",
+ // "unknown authority": "unsigned_tls.crt",
+ // "wildcard": "server.crt",
+ // }
+
+ // for certName, cert := range certs {
+ // certPEM := new(bytes.Buffer)
+ // pem.Encode(certPEM, &pem.Block{
+ // Type: "CERTIFICATE",
+ // Bytes: cert.Raw,
+ // })
+
+ // serverCertFile, err := os.Create(filepath.Join("testdata", "debug", mapName[certName]))
+ // if err != nil {
+ // t.Fatalf("creating file to write server certificate: %v", err)
+ // }
+ // if _, err := serverCertFile.Write(certPEM.Bytes()); err != nil {
+ // t.Fatalf("writing server certificate: %v", err)
+ // }
+ // }
+
 return certs
 }
From 793de7e533f223162e7491e19547eb83bb658faf Mon Sep 17 00:00:00 2001
From: Tiago Queiroz
Date: Wed, 20 Dec 2023 12:00:03 +0100
Subject: [PATCH 2/2] PR improvements
---
 transport/tlscommon/ca_pinning_test.go | 2 +-
 transport/tlscommon/tls_config_test.go | 83 ++++++++++++++++----------
 2 files changed, 51 insertions(+), 34 deletions(-)
diff --git a/transport/tlscommon/ca_pinning_test.go b/transport/tlscommon/ca_pinning_test.go
index fcb4d0da..13d935ab 100644
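Review bot: The IPv6 SAN written into the "correct", "unknown authority" and "expired" entries is sixteen zero bytes, i.e. the unspecified address `::`, not the loopback `::1`; if the comment `// IPV4 and IPV6` means a loopback pair, `net.IPv6loopback` is the intended value, and either way the literal is repeated three times and deserves one named variable. `getFingerprint` appears to compute hex(SHA-256(cert.Raw)), which looks like what the package's existing `Fingerprint` (used a few lines earlier for `CASHA256`) returns; if they are the same, the new helper is redundant and the test should use one of them consistently. Neither new function has a doc comment; I would add `// genTestCerts builds a fresh root CA plus leaf certificates keyed by scenario ("ca", "wildcard", "correct", "unknown authority", "expired"); every call yields new keys, so fingerprints must be derived per test rather than hard-coded.`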
--- a/transport/tlscommon/ca_pinning_test.go
+++ b/transport/tlscommon/ca_pinning_test.go
@@ -367,7 +367,7 @@ func genSignedCert(
 }
 notBefore := time.Now()
- notAfter := notBefore.Add(time.Hour)
+ notAfter := notBefore.Add(5 * time.Hour)
 if expired {
 notBefore = notBefore.Add(-42 * time.Hour)
diff --git a/transport/tlscommon/tls_config_test.go b/transport/tlscommon/tls_config_test.go
index 71498cae..07bb6327 100644
--- a/transport/tlscommon/tls_config_test.go
+++ b/transport/tlscommon/tls_config_test.go
@@ -18,14 +18,21 @@ package tlscommon
 import (
+ "bytes"
 "crypto/sha256"
 "crypto/tls"
 "crypto/x509"
 "encoding/hex"
+ "encoding/pem"
 "errors"
+ "math/rand"
 "net"
 "net/http"
 "net/url"
+ "os"
+ "path/filepath"
+ "regexp"
+ "strconv"
 "testing"
 "github.com/stretchr/testify/assert"
@@ -131,10 +138,10 @@ func TestMakeVerifyServerConnection(t *testing.T) {
 verificationMode: VerifyFull,
 clientAuth: tls.RequireAndVerifyClientCert,
 certAuthorities: certPool,
- peerCerts: []*x509.Certificate{testCerts["unknown authority"]},
+ peerCerts: []*x509.Certificate{testCerts["unknown_authority"]},
 serverName: "",
 expectedCallback: true,
- expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]},
+ expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown_authority"]},
 },
 "default verification without certificates not required": {
 verificationMode: VerifyFull,
@@ -189,7 +196,7 @@ func TestTrustRootCA(t *testing.T) {
 nonEmptyCertPool := x509.NewCertPool()
 nonEmptyCertPool.AddCert(certs["wildcard"])
- nonEmptyCertPool.AddCert(certs["unknown authority"])
+ nonEmptyCertPool.AddCert(certs["unknown_authority"])
 fingerprint := getFingerprint(certs["ca"])
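Review bot: `notAfter := notBefore.Add(5 * time.Hour)` replaces one bare constant with another and gives no hint why five hours is the right window; the validity period is also the upper bound on how long a test binary may run between generating a certificate and using it in a handshake, so the number deserves a sentence. I would write it as `// 5h: comfortably longer than any CI run, short enough that a leaked test cert is useless` (adjusting the reason to the one you actually had), or hoist it to a named constant such as `testCertLifetime`. The rest of genSignedCert, including how `notAfter` is handled in the `expired` branch, is outside the hunk.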
@@ -718,7 +725,7 @@ func genTestCerts(t *testing.T) map[string]*x509.Certificate {
 // IPV4 and IPV6
 ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
 },
- "unknown authority": {
+ "unknown_authority": {
 ca: unknownCA,
 keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
 isCA: false,
@@ -737,6 +744,7 @@ func genTestCerts(t *testing.T) map[string]*x509.Certificate {
 },
 }
+ tmpDir := t.TempDir()
 for certName, data := range certData {
 cert, err := genSignedCert(
 data.ca,
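Review bot: `tmpDir := t.TempDir()` is created here, but the Cleanup that renames it aside on failure is registered only after the generation loop (in a later hunk), so a `t.Fatalf` inside the loop — exactly the case where inspecting the already-written certificates would help — ends the test before that Cleanup exists and `t.TempDir`'s own removal wins. Registering the persistence Cleanup immediately after this line keeps the LIFO order (it still runs before TempDir's RemoveAll) and covers generation failures as well. The for loop and genSignedCert call continue past the end of this hunk.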
@@ -748,39 +756,48 @@ func genTestCerts(t *testing.T) map[string]*x509.Certificate {
 data.expired,
 )
 if err != nil {
- t.Fatal(err)
+ t.Fatalf("could not generate certificate '%s': %s", certName, err)
 }
 certs[certName] = cert.Leaf
+
+ // We write the certificate to disk, so if the test fails the certs can
+ // be inspected/reused
+ certPEM := new(bytes.Buffer)
+ pem.Encode(certPEM, &pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: cert.Leaf.Raw,
+ })
+
+ serverCertFile, err := os.Create(filepath.Join(tmpDir, certName+".crt"))
+ if err != nil {
+ t.Fatalf("creating file to write server certificate: %v", err)
+ }
+ if _, err := serverCertFile.Write(certPEM.Bytes()); err != nil {
+ t.Fatalf("writing server certificate: %v", err)
+ }
+
+ if err := serverCertFile.Close(); err != nil {
+ t.Fatalf("could not close certificate file: %s", err)
+ }
 }
- // If for any reason there is a need to debug
- // or inspect those certificates, just uncomment the
- // following block. It will write all generated
- // certificates to testdata/debug
-
- // mapName := map[string]string{
- // "ca": "ca.crt",
- // "correct": "client1.crt",
- // "expired": "tls.crt",
- // "unknown authority": "unsigned_tls.crt",
- // "wildcard": "server.crt",
- // }
-
- // for certName, cert := range certs {
- // certPEM := new(bytes.Buffer)
- // pem.Encode(certPEM, &pem.Block{
- // Type: "CERTIFICATE",
- // Bytes: cert.Raw,
- // })
-
- // serverCertFile, err := os.Create(filepath.Join("testdata", "debug", mapName[certName]))
- // if err != nil {
- // t.Fatalf("creating file to write server certificate: %v", err)
- // }
- // if _, err := serverCertFile.Write(certPEM.Bytes()); err != nil {
- // t.Fatalf("writing server certificate: %v", err)
- // }
- // }
+ t.Cleanup(func() {
+ if t.Failed() {
+ finalDir := filepath.Join(os.TempDir(), cleanStr(t.Name())+strconv.Itoa(rand.Int()))
+ if err := os.Rename(tmpDir, finalDir); err != nil {
+ t.Fatalf("could not rename directory with certificates: %s", err)
+ }
+
+ t.Logf("certificates persisted on: '%s'", finalDir)
+ }
+ })
 return certs
 }
+
+var cleanRegExp = regexp.MustCompile(`[^a-zA-Z0-9]`)
+
+// cleanStr replaces all characters that do not match 'a-zA-Z0-9' by '_'
+func cleanStr(path string) string {
+ return cleanRegExp.ReplaceAllString(path, "_")
+}
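Review bot: The per-certificate write opens `serverCertFile` with os.Create and closes it by hand, so the `t.Fatalf` on a failed Write leaves the handle open, and the `pem.Encode` error is silently dropped; `pem.EncodeToMemory` plus `os.WriteFile` express the same thing in two calls with nothing to leak and also let the `bytes` import go. The name `serverCertFile` is now misleading, since the loop writes the CA, client and expired certificates too. In the Cleanup, the test has already failed when the rename runs, so `t.Errorf` is enough there and avoids the question of whether a `t.Fatalf` inside a cleanup lets the remaining cleanups run; `cleanStr`'s parameter is named `path` but receives a test name, so `name` would read better.

```go
		certs[certName] = cert.Leaf

		// Persist the certificate so it can be inspected if the test fails.
		certPEM := pem.EncodeToMemory(&pem.Block{
			Type:  "CERTIFICATE",
			Bytes: cert.Leaf.Raw,
		})
		certPath := filepath.Join(tmpDir, certName+".crt")
		if err := os.WriteFile(certPath, certPEM, 0o600); err != nil {
			t.Fatalf("writing certificate %q: %v", certPath, err)
		}
	}
	// … unchanged: t.Cleanup that persists tmpDir on failure, return certs …
```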