From b7e45fa0ce8d4ec488e7b10b2578fe8b02b1a7d8 Mon Sep 17 00:00:00 2001 
From: Daniel McCarney Date: Fri, 12 Jul 2024 09:25:22 -0400 Subject: [PATCH] tests: rework vendored certificates/keys The existing unit tests used vendored cert/key data in a strange way. The `end.cert` and `end.chain` files were the same, and neither was a chain. In both cases the certificate was self-signed, and that same certificate was also configured as a trust anchor in the client configurations. No code/script was included to regenerate the cert (and it was set to expire in Aug). This commit replaces the test files to better simulate a real-world deployment with a trust anchor configured OOB and an intermediate and end-entity chain served by the TLS server. The test certificates are switched to use ECDSA (the rcgen default) for private keys instead of RSA. RSA is for the 90s and ECDSA will be faster :) No tests presently require the root or intermediate private keys, or a serialization of just the end entity cert without the intermediate, so we don't persist this data. This could be added in the future as req'd. All of the key/cert generation is bundled into an ignored integration test `tests/certs/main.rs` using a new dev-only dep on `rcgen`. This felt like the best option on balance, but we could also create a second crate, or look at the unstable nightly Cargo script feature. 
--- Cargo.lock | 73 +++++++++++++++++++++++++++++++++++++++++++ Cargo.toml | 1 + tests/certs/chain.pem | 23 ++++++++++++++ tests/certs/end.cert | 31 ------------------ tests/certs/end.chain | 62 ------------------------------------ tests/certs/end.key | 5 +++ tests/certs/end.rsa | 51 ------------------------------ tests/certs/main.rs | 66 ++++++++++++++++++++++++++++++++++++++ tests/certs/root.pem | 11 +++++++ tests/utils.rs | 21 ++++++++----- 10 files changed, 192 insertions(+), 152 deletions(-) create mode 100644 tests/certs/chain.pem delete mode 100644 tests/certs/end.cert delete mode 100644 tests/certs/end.chain create mode 100644 tests/certs/end.key delete mode 100644 tests/certs/end.rsa create mode 100644 tests/certs/main.rs create mode 100644 tests/certs/root.pem diff --git a/Cargo.lock b/Cargo.lock index 61a27793..cb96e34f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -207,6 +207,15 @@ dependencies = [ "cc", ] +[[package]] +name = "deranged" +version = "0.3.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b42b6fa04a440b495c8b04d0e71b707c585f83cb9cb28cf8cd0d976c315e31b4" +dependencies = [ + "powerfmt", +] + [[package]] name = "dunce" version = "1.0.4" @@ -426,6 +435,12 @@ dependencies = [ "minimal-lexical", ] +[[package]] +name = "num-conv" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" + [[package]] name = "num_cpus" version = "1.16.0" @@ -480,6 +495,16 @@ version = "1.0.15" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a" +[[package]] +name = "pem" +version = "3.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e459365e590736a54c3fa561947c84837534b8e9af6fc5bf781307e82658fae" +dependencies = [ + "base64", + "serde", +] + [[package]] name = "pin-project-lite" version = "0.2.14" 
@@ -492,6 +517,12 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184" +[[package]] +name = "powerfmt" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" + [[package]] name = "prettyplease" version = "0.2.20" @@ -520,6 +551,19 @@ dependencies = [ "proc-macro2", ] +[[package]] +name = "rcgen" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779" +dependencies = [ + "pem", + "ring", + "rustls-pki-types", + "time", + "yasna", +] + [[package]] name = "redox_syscall" version = "0.5.2" @@ -731,6 +775,25 @@ dependencies = [ "unicode-ident", ] +[[package]] +name = "time" +version = "0.3.36" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5dfd88e563464686c916c7e46e623e520ddc6d79fa6641390f2e3fa86e83e885" +dependencies = [ + "deranged", + "num-conv", + "powerfmt", + "serde", + "time-core", +] + +[[package]] +name = "time-core" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef927ca75afb808a4d64dd374f00a2adf8d0fcff8e7b184af886c3c87ec4a3f3" + [[package]] name = "tokio" version = "1.38.0" @@ -768,6 +831,7 @@ dependencies = [ "argh", "futures-util", "lazy_static", + "rcgen", "rustls", "rustls-pemfile", "rustls-pki-types", @@ -953,6 +1017,15 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" +[[package]] +name = "yasna" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd" +dependencies = [ + "time", +] + [[package]] name = "zeroize" version = "1.8.1" 
diff --git a/Cargo.toml b/Cargo.toml
index 84c356f4..50f35696 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,6 +29,7 @@ tls12 = ["rustls/tls12"]
 [dev-dependencies]
 argh = "0.1.1"
+rcgen = { version = "0.13", features = ["pem"] }
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1.1"
diff --git a/tests/certs/chain.pem b/tests/certs/chain.pem
new file mode 100644
index 00000000..4c36531e
--- /dev/null
+++ b/tests/certs/chain.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw
+JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw
+MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm
+IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X
+k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L
+Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT
+MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp
+YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ
+ucFJ3PiC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg
+LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3
+1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm
+mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU
+JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl
+DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf
+UaorChZwaCiO3vT8
+-----END CERTIFICATE-----
diff --git a/tests/certs/end.cert b/tests/certs/end.cert
deleted file mode 100644
index 8ac217ee..00000000
--- a/tests/certs/end.cert
+++ /dev/null
@@ -1,31 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFUDCCAzigAwIBAgIJAJaxEZDuHyedMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTUwWhcNMjQwODAzMDkwNTUwWjBa
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQDDApmb29iYXIuY29tMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP
-6m7zQumtEUXWNQ3nQ7f81GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6
-Ryd4kjWiphp0mSUAKbKaX5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6E
-OTGl/PaTKes1a+Nucbq3aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cN
-RUrq4e8uUN7LMW1HjQlY2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfz
-G2CLcSl0ncztSkqO08Bda6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojr
-DYwQChJzTBpjPbQzhWDNdxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zd
-LYNcFEX89luaE/gxcSwWpfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ8
-8K+zXCoiTOUxuni48T4q92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCc
-JE5FY1m6oJ2GIvsfFt+OsN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI
-48gx533NYQzItbgUII0aTIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7az
-R+1fIOamrngx1q8CAwEAAaMuMCwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYDVR0R
-BA4wDIIKZm9vYmFyLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEALySenJ0pGGjo0W1n
-2pwbzDxkZ6SsjHNDDZsfpA8NadJ6/CCtbNhT2pc87to+zssqocRZg71D46kbLBfC
-KtQlg7O1FtS3yLOwnKix96USc562t9kMewAPH2krRr2BLF+mV8DR9plmyVNiqRbo
-M6zt7ikUzoxojAcRDaVFNUCqRNKYGwcpvXQBgZ62u33mr0g2rfPq5KHfDtqyZvGm
-GhFQiii5qvPgpwbZ/8xuyDx9HM1IqejZ8QtHsDYq2da2pLjEsw6xanN2HpaDqIv8
-y6RkBPkpZa9q/maXYmu6iMdT3sKJ4fmCRltpIEFoYB6B3cUDUH8n/0WUV/WH/0Hk
-O9m7/zilJIJ6BRkgY48PTfh5rn/CD0BFrkLzGvAd2mJoAGSu//eUMYjt5O/ydZuk
-Dc0q50DTKzuN0EycFLK58yJmdmvEt2+Y2bGN4vLqljU4+wdqLvxGXR9iwarq0uWF
-5C7YeI4co2FDp0boOzge81gv/s0MBerQK82jUccJT47YgwbY5cyXK6AYiBdqdiZY
-4ye88mon2gSZkiptT+iqLFvguNLvo0vS7cGcT/fegRc9Kp9E5eOI9fvevfT4pK7O
-VVPX/NyOYTVucB3pnv33X50jsoecDDROdDicylj7T3jRykiHJRkCB7rUySmHcYo7
-HZCD6YHQc2aYKd2yGp0kXUn9C+E=
------END CERTIFICATE-----
diff --git a/tests/certs/end.chain b/tests/certs/end.chain
deleted file mode 100644
index f1a1ea9e..00000000
--- a/tests/certs/end.chain
+++ /dev/null
@@ -1,62 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFUDCCAzigAwIBAgIJAJaxEZDuHyedMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTUwWhcNMjQwODAzMDkwNTUwWjBa
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQDDApmb29iYXIuY29tMIICIjAN
-BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP
-6m7zQumtEUXWNQ3nQ7f81GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6
-Ryd4kjWiphp0mSUAKbKaX5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6E
-OTGl/PaTKes1a+Nucbq3aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cN
-RUrq4e8uUN7LMW1HjQlY2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfz
-G2CLcSl0ncztSkqO08Bda6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojr
-DYwQChJzTBpjPbQzhWDNdxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zd
-LYNcFEX89luaE/gxcSwWpfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ8
-8K+zXCoiTOUxuni48T4q92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCc
-JE5FY1m6oJ2GIvsfFt+OsN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI
-48gx533NYQzItbgUII0aTIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7az
-R+1fIOamrngx1q8CAwEAAaMuMCwwEwYDVR0lBAwwCgYIKwYBBQUHAwEwFQYDVR0R
-BA4wDIIKZm9vYmFyLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEALySenJ0pGGjo0W1n
-2pwbzDxkZ6SsjHNDDZsfpA8NadJ6/CCtbNhT2pc87to+zssqocRZg71D46kbLBfC
-KtQlg7O1FtS3yLOwnKix96USc562t9kMewAPH2krRr2BLF+mV8DR9plmyVNiqRbo
-M6zt7ikUzoxojAcRDaVFNUCqRNKYGwcpvXQBgZ62u33mr0g2rfPq5KHfDtqyZvGm
-GhFQiii5qvPgpwbZ/8xuyDx9HM1IqejZ8QtHsDYq2da2pLjEsw6xanN2HpaDqIv8
-y6RkBPkpZa9q/maXYmu6iMdT3sKJ4fmCRltpIEFoYB6B3cUDUH8n/0WUV/WH/0Hk
-O9m7/zilJIJ6BRkgY48PTfh5rn/CD0BFrkLzGvAd2mJoAGSu//eUMYjt5O/ydZuk
-Dc0q50DTKzuN0EycFLK58yJmdmvEt2+Y2bGN4vLqljU4+wdqLvxGXR9iwarq0uWF
-5C7YeI4co2FDp0boOzge81gv/s0MBerQK82jUccJT47YgwbY5cyXK6AYiBdqdiZY
-4ye88mon2gSZkiptT+iqLFvguNLvo0vS7cGcT/fegRc9Kp9E5eOI9fvevfT4pK7O
-VVPX/NyOYTVucB3pnv33X50jsoecDDROdDicylj7T3jRykiHJRkCB7rUySmHcYo7
-HZCD6YHQc2aYKd2yGp0kXUn9C+E=
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
-MIIFajCCA1KgAwIBAgIJAN9o7WeFfW8fMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
-aWRnaXRzIFB0eSBMdGQwHhcNMjMwODA0MDkwNTQ5WhcNMjQwODAzMDkwNTQ5WjBF
-MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEAyTfVP7gwXhZyYRxx2j8CGAHkzAWXLfzdmaJ/+1szvR18YxJISVG8XGAY
-l4wAJGkd5hTYYhrw9ja6KhS65K55aQ0bpNDUSZALmsKIR1vsfXMRZHdqguVLMY1r
-Wqw2uZkSxD2y7Qui86SHsgBCltYqPThxyQsdGyueHcl4HMCK4hJ+xbc+32Z/p5it
-j8GsygnYJBo9ZLeV69Ug3rTPJrWJIntuobMjcDg/JksHtagtgh5Ai89H57ELv4fM
-a0VBm1oeaXLp7QuLTnybrQIFvMg7Lxk2Fk5/AGIoniskqq3jcDp7b6Atm5VT1tVl
-+J4rxWjjHWb/tXIUBBREU4rAak/ezF3DjhLDwK/iUI3SZHv4XRc0FnhLGeIwJAAa
-5ECGtXa9IqIcYbBYnftGUcUhHPFRiYyam6W3ZrlFn/NXE3p4mMVup+cYE7aFOOy+
-q0ZcA+0JKnrWQVusnmnGJth5CiabttLZrmJ9DRluZeEv4O6eJAnTAQoxBGuAhnvO
-JKN8qjYXdnA38WnV0W0pOe6DiCQcC9tVISwmu78dfLN6qz+x1M9vkLqT7IOtsL9e
-4vG2gJY3xGxoraBEIMr01mHsuXxAG7Esk78lGz0+RVwXIs3OZaqJSJqGfBelZLwi
-8wPxXYlGaulz9LVH1lVEBivAgBMKvdResmgH7O2QmygpLTi/VG0CAwEAAaNdMFsw
-DAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAcYwHQYDVR0OBBYEFB8wxB4pPgS7M557
-r2uN7Joao5KxMB8GA1UdIwQYMBaAFB8wxB4pPgS7M557r2uN7Joao5KxMA0GCSqG
-SIb3DQEBCwUAA4ICAQByL1ztEnZfIkbkt51z13EZc5o5tw6OXiktzHgRXnOMdiYL
-kMQo+NDHqXNW+U4R/AOXzKUXH/nIY9cfC9P7duznpw+muQJfdwGFsATrjplKNLJK
-YOgPpVGzC6CwR6nvw3cRtQQWAc7nQ5zUFIIJOM0TRlqZ13OdRK50Tt9jysp0xoMB
-lzMzgmYQ/O+RASTKk0UQw9kpP7LMihDc96fdxBFJHE+LTM0RfYZuJ1qj2psnkYvM
-kmYRw8xCh8GxRX4b6ErrIeCr7rTc5A5FoL5MsQptsv71TW/FDGENlXZl7G4mXFQM
-KqDnIdouakbyc+sX2C+663Mr/lDBCxXFvljVg4IfOreih6WeMorjtRdxCrJlLI++
-UJIl1r0b73jUx9fFCf+PA9b5o7/Y/hMwEBVQztGiIgTFaWSVs2gxZfnsupnz1ura
-66GxYdB+5In6Y5Tsly4NB0RyWrljtWOMSciOrNb5czKfks3JjxPMJ9Mp9KSCEV9l
-jcB7wYV5XTs5S2IPde/R7ILb/BHvF79Hw7SDf46g7VX3IZcnH7Mq6RbBJ4MPgScf
-afVCX4Q1EqO6wPln5hwRNFELd5Utb1RDTRY+398SY+9QGJd0UUZ2xdK8wEmP8A2p
-r4K5vcf8QuqXVvz3Kdi855R8mBlqDEIjm+QbXUwgiR2RAUYNZVDsjH0bx0HN5A==
------END CERTIFICATE-----
diff --git a/tests/certs/end.key b/tests/certs/end.key
new file mode 100644
index 00000000..c3238930
--- /dev/null
+++ b/tests/certs/end.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI
+uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge
+ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u
+-----END PRIVATE KEY-----
diff --git a/tests/certs/end.rsa b/tests/certs/end.rsa
deleted file mode 100644
index f775da20..00000000
--- a/tests/certs/end.rsa
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKgIBAAKCAgEAq7NIGBTw7i/JY43Z53EwugTF6IKP6m7zQumtEUXWNQ3nQ7f8
-1GeA+VAz7LZzeMuChjtR1lGcOZmx1PlwEmTr/Drfsip6Ryd4kjWiphp0mSUAKbKa
-X5Y9CFXNLQRqE01P8SEWZWhAKrI2iWtfjGetIqX/mt6EOTGl/PaTKes1a+Nucbq3
-aUCffsQiRhHbwWlmrq3/Nxi8q5ekjEN9ls2djBzy/+cNRUrq4e8uUN7LMW1HjQlY
-2Sod7eO3yZnB+Myq2zzi6odaq4yCi5D6VuPVMYBSrlfzG2CLcSl0ncztSkqO08Bd
-a6WZQQKqXlX2NhldxHxSo4S9mQliv+LWCCIBcqWsXojrDYwQChJzTBpjPbQzhWDN
-dxokR9G9NzUcqYFNLPkxHa1ME+nGJYNX8wXXUL8q62zdLYNcFEX89luaE/gxcSwW
-pfVfeMgK0f9dDKCPgn7Db2dv8FPbBLhaUiKCaL8phwJ88K+zXCoiTOUxuni48T4q
-92DUToGw4uyQKd5s71gjZvaaoIsv+kTgF9J3wVzvmUCcJE5FY1m6oJ2GIvsfFt+O
-sN3+KV3riCf5+Ivae/1tuDU9FHhCdgg8UzW2EHe1iPZI48gx533NYQzItbgUII0a
-TIRtAbzOAvG1qiUBxgStR9H8duVKGQDE52MX7805E7azR+1fIOamrngx1q8CAwEA
-AQKCAgEAkiVUvSK9/I9yRKnOCwC+b+d2KTVQmEP+DTtnU2d1L814xpxJuOWs0wkg
-WWDnIq9elzDQtLLcXe7jfhse+JksgJIAK9+aGwyOxSygF/A2xM/ItrVOTwRLSNf3
-f1TdkTZiUCVQsdotm+n7H7bkKldo+DABQ+oY87G9znZ2xtxsqTt5m5ZJXW5jE/yQ
-C8JRoew8OXzi2hvVI908cyNTN9QmQMe3UnhxRETDbrIuYylwHM8ecv68wIPn27/T
-hOa6QzK6T0ghAW1akOBVkcRCQUlGAw9t0PYNeIURy610lIiEhZK2xahcHC9lJf/F
-0ewrWNr4hDEqCgMHesaRZjEG6v8+6Nj8Jx+uFQMrIPPJHOK6pzj+VZl4FlcqQGJN
-NSlXP2gt8t+6WzLEGy0sPiQNghwEqLO1cIt8lbWeFChDgRuiuipQFgD3bgBeEcSJ
-rQG520EtQbwysTPtD3MAa1BwYFNMbWQHi0++tPK2wosaYPfGI/L33c8EjTxgDJgw
-Z6GRx9P2PWSzcgKs0EQsSyh/9QI1cAmG7kr4D0BWj4Jn6tJITQOj6Ajy5irnQ2Yr
-qOtwV9cFznzy0M75WF5Jh4uli/Wpwh+62Auc9srK20oAdWS5lboV+KXD8Ftc6PzK
-X1EEY6EqMoLCx6mmtJip6Ufpd0EzgUh0bI8xyTwhVtHB7IDnm8ECggEBANYwPLmV
-N8PakybVPEiduK0SQBllA6fmpEF5oKoPdrV84m5ckejPXpXV0jlpVNCMPGV5jR6f
-G6PcnxpirngcZUh1pLWmAYwYpTWAm2CnQ/lGgrDWlVIqB3w8UmjPYJuRkghKaOF4
-g0bJEfk1p8V9ndpuDYvyXlAPMrPKUsi8y1r9wU7xcMnI39IQ8YIfkUiW75g0f/VK
-coANPABlsvwutpXIhWc0h0XiG6yY4qr1s+KH94uih7JRvwC2L/oMhRRH2uuB1iHT
-oEMwA/dAQpbJSFSUltziXA7QtnilPryDDUEk9oNf6BGlLwM45CQjgaKgcE+T1W9L
-zOvUO1uNF3gZr+ECggEBAM03wvFGslop2nAVsLacMaqb4Lwbx6XgORYxXxD2fyr4
-JMZKp32KhtVTOK8MPZkn1L8tkwD/Cmol6yqj9lxTXby3Hu44lczUgjGYaO39Rk5Q
-/CBYcbGtQu7LyLmehH0quVBSQmtMVk91ziU1X+Bj6qVaAeAX23jDyE/KAoH/vY6i
-4ViLGpJR2znT45IbGuXaZw5CZOk+/Of6vdfXMSVToHTFpHYAuQkVtuK/lbEbjEnE
-c42AgXrWQ2HxQWRYHAW2hIx34H2PsO/JQxnl8io+Zfze/ElpsxYk/u9tTkpydaeF
-EPrEpnlEIP4N8sqxQJ8986AmBWW7lJYwaCSIQerLmI8CggEBAJSzOoVxNhzwE3dD
-VS3o6fymDgBTY/1eH60hPsyyHa0UPbN26wmhZj5KC0A2g16h7ZBZmgKnXa4ejgro
-dc4HkL2Eh0xhKvPTbGc/mR+6IHPgYv1YjKRVb4rt6hy/1IdMwgClgDkAzMsI70R/
-3rE6a6vo+dit9JJKat3tWhnpEJlkUJ94+d/taI5TmwfG2Lt3pnGaCTgHboS+K2jv
-MhroZ3SHmS40hrGar7HdFoiwOinMUa0Msn63SA67bYWAyadx12fnZP1pCft7S1WN
-tG0w4tltq2tAb78NYZFSz8JajYormkVNATW243OuPJ1mVSrNjguBTA2Pp34Wgvsl
-ciS8WKECggEAVxd0Fvs+077xYiICZe0xsssGfC558y6Oa5m2U7eYzn6S9MhX/pJc
-mIoCA1/5gFcEFcJcoc6a9+Nxwx3kftgubtl0Ofsvr8b8HdolpeKYBMKfzYZbceEr
-B7baT9QzO/92t9zBLVIvSvee7fGR5+PfgB8LrrPRQ5YrG5mKqOsE4lTDt9UJCNHO
-bOM8sBPqvWOL2uRYeRhvMnAaQ1CjHck4znXWTvINlQpvHBnciFY9mkzSEVpZGO13
-mUhOzSwLcG0+IXL6ha8Gkyzh2krZFA55L/DeNrWx+BLpUmkcEcIzpk11oEb2s34z
-Vj5LLLQ+zZX4H54jKkKKU5bli6N7/g47hwKCAQEAhTwxs7xWQ7GEzR6svN1FpiwN
-hP2SlY3i5ed8PIsRSASWJ6rJpJJKgEccXdcnAO3MscleL/cO4s6FSHsGyHFyZ4/D
-EsXY/eo5q3Bjv5/hvQt7nnCp1LwNQ0durj2bKdpj7P6Kjli38OF1CDU1E31pVOWJ
-kKi/YUIFgJq/rN9Uyx2Y8Km6ubohjuVRVWmva2xOe1mX1ZEOGu8aFliW/1h/m8Ct
-B+ywtn4mUDDJqNJ6W5k54SyJXWceMrW8i5t8qOCN5Yd3NYHNFMMBg/XhpIsc+bDL
-0ekvo9w0gfJFnNH1V4uNinGaNBJp7xZSC0TK0I0hvMyRoQQ+M5iGpMBEVYZnAw==
------END RSA PRIVATE KEY-----
diff --git a/tests/certs/main.rs b/tests/certs/main.rs
new file mode 100644
index 00000000..1dbbc97f
--- /dev/null
+++ b/tests/certs/main.rs
@@ -0,0 +1,66 @@
+//! An ignored-by-default integration test that regenerates vendored certs.
+//! Run with `cargo test -- --ignored` when test certificates need updating.
+//! Suitable for test certificates only. Not a production CA ;-)
+
+use rcgen::{
+ BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
+ KeyPair, KeyUsagePurpose,
+};
+use std::fs::File;
+use std::io::Write;
+
+#[test]
+#[ignore]
+fn regenerate_certs() {
+ let root_key = KeyPair::generate().unwrap();
+ let root_ca = issuer_params("Rustls Robust Root")
+ .self_signed(&root_key)
+ .unwrap();
+
+ let mut root_file = File::create("tests/certs/root.pem").unwrap();
+ root_file.write_all(root_ca.pem().as_bytes()).unwrap();
+
+ let intermediate_key = KeyPair::generate().unwrap();
+ let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2")
+ .signed_by(&intermediate_key, &root_ca, &root_key)
+ .unwrap();
+
+ let end_entity_key = KeyPair::generate().unwrap();
+ let mut end_entity_params =
+ CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap();
+ end_entity_params.is_ca = IsCa::ExplicitNoCa;
+ end_entity_params.extended_key_usages = vec![
+ ExtendedKeyUsagePurpose::ServerAuth,
+ ExtendedKeyUsagePurpose::ClientAuth,
+ ];
+ let end_entity = end_entity_params
+ .signed_by(&end_entity_key, &intermediate_ca, &intermediate_key)
+ .unwrap();
+
+ let mut chain_file = File::create("tests/certs/chain.pem").unwrap();
+ chain_file.write_all(end_entity.pem().as_bytes()).unwrap();
+ chain_file
+ .write_all(intermediate_ca.pem().as_bytes())
+ .unwrap();
+
+ let mut key_file = File::create("tests/certs/end.key").unwrap();
+ key_file
+ .write_all(end_entity_key.serialize_pem().as_bytes())
+ .unwrap();
+}
+
+fn issuer_params(common_name: &str) -> CertificateParams {
+ let mut issuer_name = DistinguishedName::new();
+ issuer_name.push(DnType::CommonName, common_name);
+ let mut issuer_params = CertificateParams::default();
+ issuer_params.distinguished_name = issuer_name;
+ issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+ issuer_params.key_usages = vec![
+ KeyUsagePurpose::KeyCertSign,
+ KeyUsagePurpose::DigitalSignature,
+ ];
+ issuer_params
+}
+
+// For the server name constant.
+include!("../utils.rs");
diff --git a/tests/certs/root.pem b/tests/certs/root.pem
new file mode 100644
index 00000000..a906347e
--- /dev/null
+++ b/tests/certs/root.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA
+oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO
+BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G
+A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG
+SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy
+4Z+WRw==
+-----END CERTIFICATE-----
diff --git a/tests/utils.rs b/tests/utils.rs
index 04923f3c..e9641e97 100644
--- a/tests/utils.rs
+++ b/tests/utils.rs
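Review bot: The end-entity params never set a distinguished name, so the leaf keeps rcgen's default subject; the leaf in the committed chain.pem decodes to CN `rcgen self signed cert`, which misdescribes a certificate issued by the intermediate. Before the `signed_by` call add `let mut end_entity_name = DistinguishedName::new(); end_entity_name.push(DnType::CommonName, utils::TEST_SERVER_DOMAIN); end_entity_params.distinguished_name = end_entity_name;`. Neither `issuer_params` nor the leaf params set `not_before`/`not_after`, so validity is whatever rcgen defaults to (the committed PEMs decode to 1975-01-01 through 4096-01-01); since not expiring is the point of the rework, record it in `issuer_params` with `// Validity is left at rcgen's default so the fixtures never expire.`. The output paths are relative to the working directory, which holds under `cargo test` (integration tests run from the package root) but is easy to break when the test is invoked any other way; `concat!(env!("CARGO_MANIFEST_DIR"), "/tests/certs/root.pem")` and the two sibling paths would pin them. `include!("../utils.rs")` also compiles `utils::make_configs` and its rustls imports into this binary just for `TEST_SERVER_DOMAIN`, whose definition is outside this hunk.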
@@ -7,14 +7,19 @@ mod utils {
 #[allow(dead_code)]
 pub fn make_configs() -> (ServerConfig, ClientConfig) {
- const CERT: &str = include_str!("certs/end.cert");
- const CHAIN: &str = include_str!("certs/end.chain");
- const RSA: &str = include_str!("certs/end.rsa");
+ // A test root certificate that is the trust anchor for the CHAIN.
+ const ROOT: &str = include_str!("certs/root.pem");
+ // A server certificate chain that includes both an end-entity server certificate
+ // and the intermediate certificate that issued it. The ROOT is configured
+ // out-of-band.
+ const CHAIN: &str = include_str!("certs/chain.pem");
+ // A private key corresponding to the end-entity server certificate in CHAIN.
+ const EE_KEY: &str = include_str!("certs/end.key");
- let cert = certs(&mut BufReader::new(Cursor::new(CERT)))
+ let cert = certs(&mut BufReader::new(Cursor::new(CHAIN)))
 .map(|result| result.unwrap())
 .collect();
- let key = private_key(&mut BufReader::new(Cursor::new(RSA)))
+ let key = private_key(&mut BufReader::new(Cursor::new(EE_KEY)))
 .unwrap()
 .unwrap();
 let sconfig = ServerConfig::builder()
@@ -23,9 +28,9 @@ mod utils {
 .unwrap();
 let mut client_root_cert_store = RootCertStore::empty();
- let mut chain = BufReader::new(Cursor::new(CHAIN));
- for cert in certs(&mut chain) {
- client_root_cert_store.add(cert.unwrap()).unwrap();
+ let mut roots = BufReader::new(Cursor::new(ROOT));
+ for root in certs(&mut roots) {
+ client_root_cert_store.add(root.unwrap()).unwrap();
 }
 let cconfig = ClientConfig::builder()
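Review bot: `cert` is now every certificate in chain.pem, but nothing at the parse site says that rustls expects the end-entity certificate first in the served chain; that ordering is only guaranteed by the write order in tests/certs/main.rs, so add above the new `let cert` line `// CHAIN is leaf-first (end-entity, then intermediate), the order rustls expects.`. The CHAIN comment's "The ROOT is configured out-of-band" reads as a deployment remark rather than what this function does; `// The ROOT is not served by the server; the client trusts it directly via its root store below.` says it precisely. `make_configs` continues past this hunk (the ServerConfig builder that consumes `cert` and `key` is outside it), and the second hunk changes the same function. The retained `#[allow(dead_code)]` is what keeps `include!("../utils.rs")` in tests/certs/main.rs warning-free, since that binary only uses the domain constant — worth a one-line comment there so it is not removed as stale.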