tests: rework vendored certificates/keys

The existing unit tests used vendored cert/key data in a strange way.
The `end.cert` and `end.chain` files were the same, and neither was
a chain. In both cases the certificate was self-signed, and that same
certificate was also configured as a trust anchor in the client
configurations. No code/script was included to regenerate the cert (and
it was set to expire in Aug).

This commit replaces the test files to better simulate a real-world
deployment with a trust anchor configured OOB and an intermediate and
end-entity chain served by the TLS server.

The test certificates are switched to use ECDSA (the rcgen default) for
private keys instead of RSA. RSA is for the 90s and ECDSA will be faster
:)

No tests presently require the root or intermediate private keys, or
a serialization of just the end entity cert without the intermediate, so
we don't persist this data. This could be added in the future as req'd.

All of the key/cert generation is bundled into an ignored integration
test `tests/certs/main.rs` using a new dev-only dep on `rcgen`. This
felt like the best option on balance, but we could also create a second
crate, or look at the unstable nightly Cargo script feature.

Cargo.toml

@@ -29,6 +29,7 @@ tls12 = ["rustls/tls12"]
 
 [dev-dependencies]
 argh = "0.1.1"
+rcgen = { version = "0.13", features = ["pem"] }
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1.1"

tests/certs/chain.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw
+JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw
+MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm
+IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X
+k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L
+Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT
+MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp
+YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ
+ucFJ3PiC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg
+LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3
+1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm
+mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU
+JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl
+DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf
+UaorChZwaCiO3vT8
+-----END CERTIFICATE-----

tests/certs/end.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI
+uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge
+ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u
+-----END PRIVATE KEY-----

tests/certs/main.rs

@@ -0,0 +1,66 @@
+//! An ignored-by-default integration test that regenerates vendored certs.
+//! Run with `cargo test -- --ignored` when test certificates need updating.
+//! Suitable for test certificates only. Not a production CA ;-)
+
+use rcgen::{
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
+    KeyPair, KeyUsagePurpose,
+};
+use std::fs::File;
+use std::io::Write;
+
+#[test]
+#[ignore]
+fn regenerate_certs() {
+    let root_key = KeyPair::generate().unwrap();
+    let root_ca = issuer_params("Rustls Robust Root")
+        .self_signed(&root_key)
+        .unwrap();
+
+    let mut root_file = File::create("tests/certs/root.pem").unwrap();
+    root_file.write_all(root_ca.pem().as_bytes()).unwrap();
+
+    let intermediate_key = KeyPair::generate().unwrap();
+    let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2")
+        .signed_by(&intermediate_key, &root_ca, &root_key)
+        .unwrap();
+
+    let end_entity_key = KeyPair::generate().unwrap();
+    let mut end_entity_params =
+        CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap();
+    end_entity_params.is_ca = IsCa::ExplicitNoCa;
+    end_entity_params.extended_key_usages = vec![
+        ExtendedKeyUsagePurpose::ServerAuth,
+        ExtendedKeyUsagePurpose::ClientAuth,
+    ];
+    let end_entity = end_entity_params
+        .signed_by(&end_entity_key, &intermediate_ca, &intermediate_key)
+        .unwrap();
+
+    let mut chain_file = File::create("tests/certs/chain.pem").unwrap();
+    chain_file.write_all(end_entity.pem().as_bytes()).unwrap();
+    chain_file
+        .write_all(intermediate_ca.pem().as_bytes())
+        .unwrap();
+
+    let mut key_file = File::create("tests/certs/end.key").unwrap();
+    key_file
+        .write_all(end_entity_key.serialize_pem().as_bytes())
+        .unwrap();
+}
+
+fn issuer_params(common_name: &str) -> CertificateParams {
+    let mut issuer_name = DistinguishedName::new();
+    issuer_name.push(DnType::CommonName, common_name);
+    let mut issuer_params = CertificateParams::default();
+    issuer_params.distinguished_name = issuer_name;
+    issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    issuer_params.key_usages = vec![
+        KeyUsagePurpose::KeyCertSign,
+        KeyUsagePurpose::DigitalSignature,
+    ];
+    issuer_params
+}
+
+// For the server name constant.
+include!("../utils.rs");

tests/certs/root.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA
+oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO
+BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G
+A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG
+SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy
+4Z+WRw==
+-----END CERTIFICATE-----