Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: rework vendored certificates/keys #80

Merged
merged 7 commits into from
Jul 13, 2024
Merged

tests: rework vendored certificates/keys #80

merged 7 commits into from
Jul 13, 2024

Conversation

cpu
Copy link
Member

@cpu cpu commented Jul 12, 2024

I think there's more cleanup opportunity in these tests but here's a first pass:

  • Removes scripts/generate-certificate.sh - the script and its output were never used by tokio-rustls. As best I can tell it was copied into this repo by mistake.
  • Tidies up some duplication in constructing server/client configs.
  • Removes overfitting on RSA private keys (similar to examples: prefer pemfile::private_key #77)
  • Adds a new tests/certs/main.rs integration test that's ignored by default. When run, it uses rcgen to recreate the vendored certificate/key data used by unit tests.
  • Reworks unit tests for a more sensible test PKI. Previously we had one self-signed certificate being used as the end entity server certificate, the server's "chain", and the client's root. With the update we have a distinct end entity certificate and an intermediate that issued it as the chain. A separate self-signed root that issued the intermediate is used for the client trust store. We also cut over to ECDSA private keys instead of RSA.

cpu added 7 commits July 12, 2024 09:28
@cpu
rm unused cert generation script
a7d664c 
This was originally landed in the `tokio-tls` repo to support the
`tokio-native-tls` crate's smoke tests. It was never used by the Rustls
code in that repo, but was carried over anyway when we extracted that
code into this repo.

Let's remove it. We can come up with a better solution for the vendored
test certificates we are using.
@cpu
tests: move vendored certs to subdir
ce04f10 
This keeps the tests dir tidy and will make it easier to add an update
script that isn't itself an integration test.
@cpu
tests: return bare configs from make_configs()
bb07fb3 
Let the callers put the configs into an `Arc`. This will allow re-using
the setup logic from `utils::make_configs()` in contexts where
customization of the client or server config is required.
@cpu
tests: convert more tests to utils::make_configs()
91fb30e 
There's still some improvements left to be made, but this reduces
a great deal of duplication in the test code.
@cpu
tests: tidy up test server usage
d1f37bd 
* Remove the `CHAIN` const and tuple from `TEST_SERVER` - this is
  now encapsulated in the `ClientConfig` that's returned from
  `make_configs()` and no tests are constructing a config from scratch.
  Similarly the domain name is always `"foobar.com"` (this is baked into
  the vendored end-entity certificate). Let's just use a const for that.
* Remove `start_server()` - it's too small to be of much utility. Let's
  just ref the `lazy_static!` directly.
@cpu
tests: don't overfit on RSA private keys
d81328b 
Prefer `rustls_pemfile::private_key()` to `rsa_private_keys()`. The
former is more general, and also doesn't require the `next()` dance that
`rsa_private_keys()` does if you're only interested in one private key.
@cpu
tests: rework vendored certificates/keys
b7e45fa 
The existing unit tests used vendored cert/key data in a strange way.
The `end.cert` and `end.chain` files were the same, and neither was
a chain. In both cases the certificate was self-signed, and that same
certificate was also configured as a trust anchor in the client
configurations. No code/script was included to regenerate the cert (and
it was set to expire in Aug).

This commit replaces the test files to better simulate a real-world
deployment with a trust anchor configured OOB and an intermediate and
end-entity chain served by the TLS server.

The test certificates are switched to use ECDSA (the rcgen default) for
private keys instead of RSA. RSA is for the 90s and ECDSA will be faster
:)

No tests presently require the root or intermediate private keys, or
a serialization of just the end entity cert without the intermediate, so
we don't persist this data. This could be added in the future as req'd.

All of the key/cert generation is bundled into an ignored integration
test `tests/certs/main.rs` using a new dev-only dep on `rcgen`. This
felt like the best option on balance, but we could also create a second
crate, or look at the unstable nightly Cargo script feature.
@cpu cpu self-assigned this Jul 12, 2024
@cpu cpu mentioned this pull request Jul 12, 2024
Closed
djc
djc approved these changes Jul 13, 2024
View reviewed changes
Copy link
Member

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great!

quininer
quininer approved these changes Jul 13, 2024
View reviewed changes
Copy link
Member

@quininer quininer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@cpu cpu merged commit 6f7373d into rustls:main Jul 13, 2024
6 checks passed
@cpu cpu deleted the cpu-certgen-tidy_dev branch July 13, 2024 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@quininer quininer quininer approved these changes

@djc djc djc approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cpu @djc @quininer