From 8b0e605e8dd1ac172fd7b42bf328f9af679a5b91 Mon Sep 17 00:00:00 2001
From: James Nugent
Date: Sat, 9 Nov 2019 18:00:23 +0100
Subject: [PATCH] Use `rustls` for interop tests (#125)

* Use rustls for interop tests

This commit changes the interop tests to use rustls instead of openssl. Apparently in the past there was some issue with this, but it seems to work OK to me.

* Use certificates with larger key sizes for interop

This commit switches out the certificates used for testing interop to be based on 4096-bit RSA keys, allowing rustls to be used for the interop testing instead of OpenSSL. The keys are generated using Terraform, although the state file is not committed. A README.md is added to the data directory that explains how to use Terraform to rotate the test certificates if this is ever desirable.

This is desirable in order that none of the crates which `cargo build --all` will build have the `openssl` feature, which should allow Tonic to build on Windows with no issues.
---
 tonic-interop/Cargo.toml | 2 +-
 tonic-interop/data/README.md | 17 ++++++++
 tonic-interop/data/ca.pem | 31 +++++++------
 tonic-interop/data/cert-generator/.gitignore | 3 ++
 tonic-interop/data/cert-generator/ca.tf | 27 ++++++++++++
 .../data/cert-generator/server_certs.tf | 40 +++++++++++++++++
 tonic-interop/data/server1.key | 43 ++++++++++++-------
 tonic-interop/data/server1.pem | 32 ++++++++------
 tonic-interop/src/bin/client.rs | 2 +-
 tonic-interop/src/bin/server.rs | 2 +-
 10 files changed, 153 insertions(+), 46 deletions(-)
 create mode 100644 tonic-interop/data/README.md
 create mode 100644 tonic-interop/data/cert-generator/.gitignore
 create mode 100644 tonic-interop/data/cert-generator/ca.tf
 create mode 100644 tonic-interop/data/cert-generator/server_certs.tf

diff --git a/tonic-interop/Cargo.toml b/tonic-interop/Cargo.toml
index 8fed51e74..b58a5e7a6 100644
--- a/tonic-interop/Cargo.toml
+++ b/tonic-interop/Cargo.toml
@@ -14,7 +14,7 @@ path = "src/bin/server.rs"
 
 [dependencies]
 tokio = "=0.2.0-alpha.6"
-tonic = { path = "../tonic", features = ["openssl"] }
+tonic = { path = "../tonic", features = ["rustls"] }
 prost = "0.5"
 prost-derive = "0.5"
 bytes = "0.4"
diff --git a/tonic-interop/data/README.md b/tonic-interop/data/README.md
new file mode 100644
index 000000000..a204a5c40
--- /dev/null
+++ b/tonic-interop/data/README.md
@@ -0,0 +1,17 @@
+# Tonic Testing Certificates
+
+This directory contains certificates used for testing interop between Tonic's
+implementation of gRPC and the Go implementation. Certificates are generated
+using [`terraform`][tf].
+
+To regenerate certificates for some reason, do the following:
+
+1. Install Terraform 0.12 (or higher)
+1. From the `cert-generator` directory, run:
+ 1. `terraform init`
+ 1. `terraform apply`
+
+This will generate certificates and write them to the filesystem. The effective
+version should be committed to git.
+
+[tf]: https://terraform.io
diff --git a/tonic-interop/data/ca.pem b/tonic-interop/data/ca.pem
index 6c8511a73..e2ba27e60 100644
--- a/tonic-interop/data/ca.pem
+++ b/tonic-interop/data/ca.pem
@@ -1,15 +1,20 @@ -----BEGIN CERTIFICATE----- -MIICSjCCAbOgAwIBAgIJAJHGGR4dGioHMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV -BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX -aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnRlc3RjYTAeFw0xNDExMTEyMjMxMjla -Fw0yNDExMDgyMjMxMjlaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 -YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMT -BnRlc3RjYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwEDfBV5MYdlHVHJ7 -+L4nxrZy7mBfAVXpOc5vMYztssUI7mL2/iYujiIXM+weZYNTEpLdjyJdu7R5gGUu -g1jSVK/EPHfc74O7AyZU34PNIP4Sh33N+/A5YexrNgJlPY+E3GdVYi4ldWJjgkAd -Qah2PH5ACLrIIC6tRka9hcaBlIECAwEAAaMgMB4wDAYDVR0TBAUwAwEB/zAOBgNV -HQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQELBQADgYEAHzC7jdYlzAVmddi/gdAeKPau -sPBG/C2HCWqHzpCUHcKuvMzDVkY/MP2o6JIW2DBbY64bO/FceExhjcykgaYtCH/m -oIU63+CFOTtR7otyQAWHqXa7q4SbCDlG7DyRFxqG0txPtGvy12lgldA2+RgcigQG -Dfcog5wrJytaQ6UA0wE= +MIIDRzCCAi+gAwIBAgIRAO7dzPqhReVW2U6D1V1DTYAwDQYJKoZIhvcNAQELBQAw +PTEOMAwGA1UEChMFVG9raW8xEDAOBgNVBAsTB1Rlc3RpbmcxGTAXBgNVBAMTEFRv +bmljIFRlc3RpbmcgQ0EwHhcNMTkxMTA5MTY0NzU0WhcNMjkxMTA2MTY0NzU0WjA9 +MQ4wDAYDVQQKEwVUb2tpbzEQMA4GA1UECxMHVGVzdGluZzEZMBcGA1UEAxMQVG9u +aWMgVGVzdGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+A +e+Y3wDdOm7yUi6xHINw1QE0k1D51U+DAMOLcUq17FYh3fp+OOaqq4znnEx8WkKVl +FuoW4xzIrv2ywn0hFADCxaVpjMuCxj313D7LMZExa98TuFF3Jg2GYScBRQKjfyRv +CV+cSHAvzEstd5ckdiz985Zqnepiy7R9k2CstO45ULG4UoVha+VgmYJ5qXqBXbso +LbDXzrjjQFSmbw1yh9lQvzsk0UyU5Hvi0Otka4LZJsNaNFWkltl8v37QWG6sH8+f +Ur7fELIDmbScGSiqvEm0EZLZHqLU669NvUoFtTKNfKghT83DW9kErzdg5EcVFQom +Ov8cIW9MkBwDJXe6D88CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgIEMA8GA1UdEwEB +/wQFMAMBAf8wHQYDVR0OBBYEFE5N36NK1qLWGDxSJP3IF9H2oLO/MA0GCSqGSIb3 +DQEBCwUAA4IBAQAm27Wdq6+0IxvattJW0j7lnh9AC7aMQEbUQPYM8iO6WVhXshaN +d7YbLDGwRtATzLeA/0laovEL5pc/1NnMsqG4DspD3glXcASUiu5TrzPvBrAWByQn +8C9tGUbyP1yJMo42Mzs0hIDsaUsucynZcdxAErjJjKB9Ps3KeaA6LUr/igN0649S +qQ6bHZdNEIhjyCY7TDJArjPTgdSYjx13XkVbZ1cN/ssZI7Ag8WByhVEHeoE13fqw +ue5oTNat0qNFP0Yo8XB0whPhN2wbCbHoc5khXJiBrMEjAAgJUiWRy3ITG88SIak+ 
+1dtqgxS2T0nmdRlXBYNNhYKdgWYJq1PwDp9a
 -----END CERTIFICATE-----
diff --git a/tonic-interop/data/cert-generator/.gitignore b/tonic-interop/data/cert-generator/.gitignore
new file mode 100644
index 000000000..f6a70f53c
--- /dev/null
+++ b/tonic-interop/data/cert-generator/.gitignore
@@ -0,0 +1,3 @@
+.terraform/
+*.tfstate
+*.tfstate.backup
diff --git a/tonic-interop/data/cert-generator/ca.tf b/tonic-interop/data/cert-generator/ca.tf
new file mode 100644
index 000000000..6a85bde56
--- /dev/null
+++ b/tonic-interop/data/cert-generator/ca.tf
@@ -0,0 +1,27 @@
+resource "tls_private_key" "root" {
+ algorithm = "RSA"
+ rsa_bits = "2048"
+}
+
+resource "tls_self_signed_cert" "root" {
+ key_algorithm = tls_private_key.root.algorithm
+ private_key_pem = tls_private_key.root.private_key_pem
+
+ validity_period_hours = 87600
+ early_renewal_hours = 8760
+
+ is_ca_certificate = true
+
+ allowed_uses = ["cert_signing"]
+
+ subject {
+ common_name = "Tonic Testing CA"
+ organization = "Tokio"
+ organizational_unit = "Testing"
+ }
+}
+
+resource "local_file" "ca_cert" {
+ filename = "../ca.pem"
+ content = tls_self_signed_cert.root.cert_pem
+}
\ No newline at end of file
diff --git a/tonic-interop/data/cert-generator/server_certs.tf b/tonic-interop/data/cert-generator/server_certs.tf
new file mode 100644
index 000000000..536248bde
--- /dev/null
+++ b/tonic-interop/data/cert-generator/server_certs.tf
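Review bot: The key size in this config does not match the commit message: `rsa_bits = "2048"` on `tls_private_key.root` (and the same value in server_certs.tf) produces 2048-bit keys, and the regenerated ca.pem in this patch also looks like a 2048-bit modulus, not the 4096 bits the description claims. 2048 bits is enough to clear the RSA minimum that rustls' webpki backend enforces (the 1024-bit fixtures being replaced are what it rejected), so the tests work either way, but the message and the config should agree; if 4096 really is intended, change the line to `rsa_bits = 4096` (a number, not a quoted string) in both files and re-run `terraform apply`. A comment on that attribute would stop a future "shrink the key to speed up tests" change from silently breaking the rustls path: `# rustls/webpki rejects RSA keys shorter than 2048 bits; do not lower this`. Note also that this config never writes the CA private key to disk — it exists only in the gitignored tfstate — so a later "rotation" of server1.pem regenerates the CA too and invalidates every copy of ca.pem; the README should say so.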
@@ -0,0 +1,40 @@
+resource "tls_private_key" "server" {
+ algorithm = "RSA"
+ rsa_bits = "2048"
+}
+
+resource "tls_cert_request" "server" {
+ key_algorithm = tls_private_key.server.algorithm
+ private_key_pem = tls_private_key.server.private_key_pem
+
+ subject {
+ common_name = "Tonic Test Server Cert"
+ }
+
+ dns_names = [
+ "*.test.google.fr",
+ ]
+}
+
+resource "tls_locally_signed_cert" "server" {
+ cert_request_pem = tls_cert_request.server.cert_request_pem
+
+ ca_key_algorithm = tls_private_key.root.algorithm
+ ca_private_key_pem = tls_private_key.root.private_key_pem
+ ca_cert_pem = tls_self_signed_cert.root.cert_pem
+
+ validity_period_hours = 43800
+ early_renewal_hours = 8760
+
+ allowed_uses = ["server_auth"]
+}
+
+resource "local_file" "server_cert" {
+ filename = "../server1.pem"
+ content = tls_locally_signed_cert.server.cert_pem
+}
+
+resource "local_file" "server_key" {
+ filename = "../server1.key"
+ content = tls_private_key.server.private_key_pem
+}
diff --git a/tonic-interop/data/server1.key b/tonic-interop/data/server1.key
index 143a5b876..ad45fbb7a 100644
--- a/tonic-interop/data/server1.key
+++ b/tonic-interop/data/server1.key
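Review bot: The `dns_names` list on `tls_cert_request.server` keeps only `*.test.google.fr`, whereas the server1.pem being replaced appears to have also carried `waterzooi.test.google.be`, `*.test.youtube.com` and an IP SAN; the in-repo client only asks for `foo.test.google.fr`, so it still passes, but any external interop client that overrides the target name to one of the dropped entries will now fail hostname verification. If that coverage matters, add the extra names to `dns_names` (and an `ip_addresses = [...]` entry for the IP) rather than relying on the CN, which rustls ignores entirely. `allowed_uses = ["server_auth"]` only yields an extendedKeyUsage; an absent keyUsage is unrestricted so TLS still works, but adding `"digital_signature"` and `"key_encipherment"` makes the fixture look like something a real CA would issue and catches loaders that insist on a keyUsage. Since `local_file.server_key` writes the private key straight into the tree to be committed, a comment on that resource such as `# Test-only key material: committed on purpose, never reuse outside the interop tests` would make the intent explicit to whoever greps for leaked keys.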
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAOHDFScoLCVJpYDD -M4HYtIdV6Ake/sMNaaKdODjDMsux/4tDydlumN+fm+AjPEK5GHhGn1BgzkWF+slf -3BxhrA/8dNsnunstVA7ZBgA/5qQxMfGAq4wHNVX77fBZOgp9VlSMVfyd9N8YwbBY -AckOeUQadTi2X1S6OgJXgQ0m3MWhAgMBAAECgYAn7qGnM2vbjJNBm0VZCkOkTIWm -V10okw7EPJrdL2mkre9NasghNXbE1y5zDshx5Nt3KsazKOxTT8d0Jwh/3KbaN+YY -tTCbKGW0pXDRBhwUHRcuRzScjli8Rih5UOCiZkhefUTcRb6xIhZJuQy71tjaSy0p -dHZRmYyBYO2YEQ8xoQJBAPrJPhMBkzmEYFtyIEqAxQ/o/A6E+E4w8i+KM7nQCK7q -K4JXzyXVAjLfyBZWHGM2uro/fjqPggGD6QH1qXCkI4MCQQDmdKeb2TrKRh5BY1LR -81aJGKcJ2XbcDu6wMZK4oqWbTX2KiYn9GB0woM6nSr/Y6iy1u145YzYxEV/iMwff -DJULAkB8B2MnyzOg0pNFJqBJuH29bKCcHa8gHJzqXhNO5lAlEbMK95p/P2Wi+4Hd -aiEIAF1BF326QJcvYKmwSmrORp85AkAlSNxRJ50OWrfMZnBgzVjDx3xG6KsFQVk2 -ol6VhqL6dFgKUORFUWBvnKSyhjJxurlPEahV6oo6+A+mPhFY8eUvAkAZQyTdupP3 -XEFQKctGz+9+gKkemDp7LBBMEMBXrGTLPhpEfcjv/7KPdnFHYmhYeBTBnuVmTVWe -F98XJ7tIFfJq ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAvSo8ttodDg4wwjwSPURcTgVPh7Iv9E+PsCTHW7b1Dov/tjxs +nhgLZkySicSLIhHv+/17DYHaMd7alx5AYb+Bxk/KvSuR/sqg0QJcuQ4prpzccQHY +mqJTeMWFCOvAUSSOZXwOxKHFNoLCVQsZMMs1JmUwAoun9ocyuoXuNFa/2GmNO+cN +tBSa1ZnEyhuW9R8lFdp41e9OG1c6dgdh3Gq6NEqDaRN/FbaBAQJO6u8jDClcqeB5 +uPfXKEENk8ed71zRRJ7u4Pjn+qCgy9daz6hRuP7MGKnrXt1j5f73JnZF5bFuM+Bg +6MqG6XVvrIVDdvod2qWpMTjCpINp45i0lkZpAQIDAQABAoIBAQCu50LD/uAmgtBq +h4iFxZNjQF3MpeDZEEdXImqCTqQ/EwsYwL3dX3YK3HoRj/zlP5iZckI4tvu8aMXM +PFhjCONBLb3TM1oGL+yJ1JlPMd0wajEY/A/+ymBLprXfDbwASsCu7QnqnXjvce+l +GmHsT7eRDLZbZC2lMFSjSfp5wkwYF8lBfg2tDswgBX2mT4lZ/nUIjpr1x1y34BQL +yPYHSsSnoTSC6dqWkpuiQyyTraeknCsE4lw03C2XWcpCFaNt6ZrzAmSeX7/MK+Xp +blQ4bQmeydCwfsXFBdE/lOWUIjc8mkBN0c9wbiBJwyAH09QzUVcXlgjH7IBwKSMc +mFpLvt3BAoGBAOGNHc1URPiSJaIc86nkWvmNiISxqHUVOrZPwOLJMciJz75XSmVs +QlydXIepunU5WZJJiIV2fL6FyZ7RnCGLCvFEymewobexAjL3ffN4oN5s2g2e8fs+ +vhu3xLxo3fmhcRLbxub0qOJUu//2lcBYRXHVu+lb4qvisnn4BDMxbAFNAoGBANaz +o5Zo6uL5WHcNjwKa4YtWA4/pzAzsXwNqPPUyWL9uvAP3YS7ikQvzLJXDUTCtopZ5 
+xTvuShRPfvrIUkvK9XOok3PNeyPeBoRQ8W9sP6n/5gSULy7sHALJxZscMf7GD81+ +yfH+R+67vwW1etwP3LHuC1NirCcpvLZfWyfUcqyFAoGBAKeqzXKrqDHYAp3GQ+QR +WweUDN4HayDOTTzlgI+V3KokuAfYv/cxSQur9vLqWy91GH7EpvX/pK/EqKKlUxkk +UVgVORlnlnAE54uXq0toar2t0VK6y0tn0s6sB1W/5vMA7huEwRFC4qCNOMwIND4t +4EHFDtFketYnyWEd25Fqtc0pAoGATpvJClnxnhbDMBuzv7VrXPOqLDfisNyeUQbF +uNStL7HgfudFGsBzcNeg/Fhd0p/QRp3g+/dcAiG1ESblEsEFq0oOarjSHCi/ZBSq +wSv2B00dL5H90IU8ID0173ucRnbH9Go2kDaUqbDt2K5AhG/+UtsgJHCdLV2XrYIu +QuAC+G0CgYBW2O4FjDLG16kivtEziCW+Z/iLeUM3r8lDzf8iz1Dg+72AnlmAFSzz +QaY2GxdatZHBCMeZ0eaMxxFyuT2IPKOiyIHQ6diJBX+CFNHxgPfCAQ8DTVi6aJtS +NiY/yUYTsQbh6Mey8QAC5wdoyuVUKQO2SwyNiHFWP+i9aFXr/rv98w== +-----END RSA PRIVATE KEY----- diff --git a/tonic-interop/data/server1.pem b/tonic-interop/data/server1.pem index f3d43fcc5..2a7148ded 100644 --- a/tonic-interop/data/server1.pem +++ b/tonic-interop/data/server1.pem 
@@ -1,16 +1,20 @@ -----BEGIN CERTIFICATE----- -MIICnDCCAgWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJBVTET -MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ -dHkgTHRkMQ8wDQYDVQQDEwZ0ZXN0Y2EwHhcNMTUxMTA0MDIyMDI0WhcNMjUxMTAx -MDIyMDI0WjBlMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNV -BAcTB0NoaWNhZ28xFTATBgNVBAoTDEV4YW1wbGUsIENvLjEaMBgGA1UEAxQRKi50 -ZXN0Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOHDFSco -LCVJpYDDM4HYtIdV6Ake/sMNaaKdODjDMsux/4tDydlumN+fm+AjPEK5GHhGn1Bg -zkWF+slf3BxhrA/8dNsnunstVA7ZBgA/5qQxMfGAq4wHNVX77fBZOgp9VlSMVfyd -9N8YwbBYAckOeUQadTi2X1S6OgJXgQ0m3MWhAgMBAAGjazBpMAkGA1UdEwQCMAAw -CwYDVR0PBAQDAgXgME8GA1UdEQRIMEaCECoudGVzdC5nb29nbGUuZnKCGHdhdGVy -em9vaS50ZXN0Lmdvb2dsZS5iZYISKi50ZXN0LnlvdXR1YmUuY29thwTAqAEDMA0G -CSqGSIb3DQEBCwUAA4GBAJFXVifQNub1LUP4JlnX5lXNlo8FxZ2a12AFQs+bzoJ6 -hM044EDjqyxUqSbVePK0ni3w1fHQB5rY9yYC5f8G7aqqTY1QOhoUk8ZTSTRpnkTh -y4jjdvTZeLDVBlueZUTDRmy2feY5aZIU18vFDK08dTG0A87pppuv1LNIR3loveU8 +MIIDSzCCAjOgAwIBAgIQQY5jNBnC4CbgToZB9CzLYzANBgkqhkiG9w0BAQsFADA9 +MQ4wDAYDVQQKEwVUb2tpbzEQMA4GA1UECxMHVGVzdGluZzEZMBcGA1UEAxMQVG9u +aWMgVGVzdGluZyBDQTAeFw0xOTExMDkxNjQ3NTRaFw0yNDExMDcxNjQ3NTRaMCEx +HzAdBgNVBAMTFlRvbmljIFRlc3QgU2VydmVyIENlcnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC9Kjy22h0ODjDCPBI9RFxOBU+Hsi/0T4+wJMdbtvUO +i/+2PGyeGAtmTJKJxIsiEe/7/XsNgdox3tqXHkBhv4HGT8q9K5H+yqDRAly5Dimu +nNxxAdiaolN4xYUI68BRJI5lfA7EocU2gsJVCxkwyzUmZTACi6f2hzK6he40Vr/Y +aY075w20FJrVmcTKG5b1HyUV2njV704bVzp2B2Hcaro0SoNpE38VtoEBAk7q7yMM +KVyp4Hm499coQQ2Tx53vXNFEnu7g+Of6oKDL11rPqFG4/swYqete3WPl/vcmdkXl +sW4z4GDoyobpdW+shUN2+h3apakxOMKkg2njmLSWRmkBAgMBAAGjYzBhMBMGA1Ud +JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUTk3fo0rW +otYYPFIk/cgX0fags78wGwYDVR0RBBQwEoIQKi50ZXN0Lmdvb2dsZS5mcjANBgkq +hkiG9w0BAQsFAAOCAQEATypihaP3RfHar9DZGeKwPz25BQBhGJE2lEwlehUuNBkG +M1+yQw0p3Yj2n5tR87Qp+G5rDN51e2OCWbEMTo0iAiGdic4N4FXnmA7R9QDcBcKw +YmKIXd48F+Ceh5XYGFuR14dTshu2Zajwcw4OW3dhvEbv9h5pMCJXplhAPHvhTKTM 
+TTl0fjDkBcOdKWswdQCtt2xOqcQhpYdVYClYym22WYDcMDr7CqiC/y3jLl6eVpsA
+hPDAVZqpZSpnV6isihoUyDeSVT830/E/n8e756l7gBNxpsYF+PqDBVPiAU7Gjp99
+EegYn7LiB+s4tgHeSMdNclffWQJ3PameoaLHdikGLA==
 -----END CERTIFICATE-----
diff --git a/tonic-interop/src/bin/client.rs b/tonic-interop/src/bin/client.rs
index 46ebb9ba9..3de203d0c 100644
--- a/tonic-interop/src/bin/client.rs
+++ b/tonic-interop/src/bin/client.rs
@@ -35,7 +35,7 @@ async fn main() -> Result<(), Box> {
 let ca = Certificate::from_pem(pem);
 
 endpoint.tls_config(
- ClientTlsConfig::with_openssl()
+ ClientTlsConfig::with_rustls()
 .ca_certificate(ca)
 .domain_name("foo.test.google.fr"),
 );
diff --git a/tonic-interop/src/bin/server.rs b/tonic-interop/src/bin/server.rs
index 2752d59f1..7c767fc5d 100644
--- a/tonic-interop/src/bin/server.rs
+++ b/tonic-interop/src/bin/server.rs
@@ -26,7 +26,7 @@ async fn main() -> std::result::Result<(), Box> {
 let key = tokio::fs::read("tonic-interop/data/server1.key").await?;
 let identity = Identity::from_pem(cert, key);
 
- builder.tls_config(ServerTlsConfig::with_openssl().identity(identity));
+ builder.tls_config(ServerTlsConfig::with_rustls().identity(identity));
 }
 
 builder.interceptor_fn(|svc, req| {
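Review bot: With `ClientTlsConfig::with_rustls()` the `.domain_name("foo.test.google.fr")` two lines below is matched by webpki strictly against the server certificate's subjectAltName entries and never against its CN, so this handshake only succeeds because the regenerated server1.pem carries `*.test.google.fr` as a DNS SAN (its CN is "Tonic Test Server Cert"). OpenSSL's hostname check can fall back to the CN in some configurations, so the coupling between this literal and the Terraform `dns_names` list was previously less visible; a comment here keeps it explicit: `// rustls/webpki matches this name against the SAN list only; keep it in sync with dns_names in data/cert-generator/server_certs.tf`. main() continues outside the hunk.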
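Review bot: `Identity::from_pem(cert, key)` on the line above the changed call now receives a PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` block (the `tls_private_key` output), whereas the file it replaces was a PKCS#8 `-----BEGIN PRIVATE KEY-----`, and the backend selected by `ServerTlsConfig::with_rustls()` parses it without OpenSSL's format sniffing. The interop run evidently passes with this key, but whether tonic's rustls identity loader also accepts PKCS#8 is not visible in this diff; if it does not, anyone regenerating the key with `openssl genpkey` (PKCS#8 by default) would get an opaque load failure, and the "issue in the past" the message alludes to may well have been exactly that. A comment on the `let key` line would flag it: `// server1.key is PKCS#1 ("RSA PRIVATE KEY"); confirm the rustls loader accepts PKCS#8 before regenerating with a different tool`. main() continues outside the hunk.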