export LoadCert helper, reuse for export-tests

Signed-off-by: William Woodruff <william@trailofbits.com>
Netflix · Dec 2, 2023 · c171289 · c171289
1 parent 859af10
commit c171289
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 72 deletions.
diff --git a/test-suites/certutil/cert_util.go b/test-suites/certutil/cert_util.go
@@ -7,9 +7,14 @@ import (
 	"crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"github.com/google/uuid"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
 	"math/big"
+	"os"
 	"time"
+
+	"github.com/google/uuid"
 )
 
 const SUBJECT_ORGANIZATION = "bettertls.com"
@@ -78,3 +83,69 @@ func GenerateSelfSignedCert(commonName string) (*x509.Certificate, crypto.Signer
 
 	return caCert, caKey, nil
 }
+
+func LoadCert(rootCa string) (*x509.Certificate, crypto.Signer, error) {
+	var rootCert *x509.Certificate
+	var rootKey crypto.Signer
+
+	if _, err := os.Stat(rootCa); os.IsNotExist(err) {
+		rootCert, rootKey, err = GenerateSelfSignedCert("bettertls_trust_root")
+		if err != nil {
+			return nil, nil, err
+		}
+		f, err := os.OpenFile(rootCa, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+		if err != nil {
+			return nil, nil, err
+		}
+		defer f.Close()
+		err = pem.Encode(f, &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: rootCert.Raw,
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		rootKeyBytes, err := x509.MarshalPKCS8PrivateKey(rootKey)
+		if err != nil {
+			return nil, nil, err
+		}
+		err = pem.Encode(f, &pem.Block{
+			Type:  "PRIVATE KEY",
+			Bytes: rootKeyBytes,
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		f.Close()
+	} else {
+		data, err := ioutil.ReadFile(rootCa)
+		if err != nil {
+			return nil, nil, err
+		}
+		for len(data) > 0 && (rootCert == nil || rootKey == nil) {
+			block, rest := pem.Decode(data)
+			if block == nil {
+				break
+			}
+			if block.Type == "CERTIFICATE" {
+				rootCert, err = x509.ParseCertificate(block.Bytes)
+				if err != nil {
+					return nil, nil, err
+				}
+			}
+			if block.Type == "PRIVATE KEY" {
+				rootKeyPV, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+				if err != nil {
+					return nil, nil, err
+				}
+				rootKey = rootKeyPV.(crypto.Signer)
+			}
+			data = rest
+		}
+		if rootCert == nil || rootKey == nil {
+			return nil, nil, fmt.Errorf("rootCa file did not include certificate and key")
+		}
+	}
+
+	return rootCert, rootKey, nil
+}
diff --git a/test-suites/cmd/bettertls/export_tests.go b/test-suites/cmd/bettertls/export_tests.go
@@ -1,15 +1,18 @@
 package main
 
 import (
+	"crypto"
+	"crypto/x509"
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io"
+	"os"
+
 	"github.com/Netflix/bettertls/test-suites/certutil"
 	int_set "github.com/Netflix/bettertls/test-suites/int-set"
 	test_case "github.com/Netflix/bettertls/test-suites/test-case"
 	test_executor "github.com/Netflix/bettertls/test-suites/test-executor"
-	"io"
-	"os"
 )
 
 type testExport struct {
@@ -43,24 +46,36 @@ func exportTests(args []string) error {
 	flagSet.Var(testCases, "testCase", "Export only the given test case(s) in the suite instead of all tests. Requires --suite to be specified as well. Use \"123,456-789\" syntax to include a range or set of cases.")
 	var outputPath string
 	flagSet.StringVar(&outputPath, "out", "", "Write to the given file instead of stdout.")
+	var rootCa string
+	flagSet.StringVar(&rootCa, "rootCa", "", "Use the given path as the root CA instead of generating an ephemeral root CA. If the file doesn't exist, a CA will generated and saved to the file.")
 
 	err := flagSet.Parse(args)
 	if err != nil {
 		return err
 	}
 
-	rootCa, rootKey, err := certutil.GenerateSelfSignedCert("bettertls_trust_root")
-	if err != nil {
-		return err
+	var rootCert *x509.Certificate
+	var rootKey crypto.Signer
+	if rootCa == "" {
+		rootCert, rootKey, err = certutil.GenerateSelfSignedCert("bettertls_trust_root")
+		if err != nil {
+			return err
+		}
+	} else {
+		rootCert, rootKey, err = certutil.LoadCert(rootCa)
+		if err != nil {
+			return err
+		}
 	}
-	suites, err := test_executor.BuildTestSuitesWithRootCa(rootCa, rootKey)
+
+	suites, err := test_executor.BuildTestSuitesWithRootCa(rootCert, rootKey)
 	if err != nil {
 		return err
 	}
 
 	output := new(testExport)
 	output.BetterTlsRevision = test_executor.GetBuildRevision()
-	output.TrustRoot = rootCa.Raw
+	output.TrustRoot = rootCert.Raw
 	output.Suites = make(map[string]*suiteExport)
 
 	for _, suiteName := range suites.GetProviderNames() {
@@ -97,7 +112,7 @@ func exportTests(args []string) error {
 			testCaseExport := new(testCaseExport)
 			testCaseExport.Id = i
 			testCaseExport.Suite = provider.Name()
-			certs, err := testCase.GetCertificates(rootCa, rootKey)
+			certs, err := testCase.GetCertificates(rootCert, rootKey)
 			if err != nil {
 				return err
 			}

diff --git a/test-suites/cmd/bettertls/run_server.go b/test-suites/cmd/bettertls/run_server.go
@@ -3,17 +3,15 @@ package main
 import (
 	"crypto"
 	"crypto/x509"
-	"encoding/pem"
 	"flag"
-	"fmt"
-	"github.com/Netflix/bettertls/test-suites/certutil"
-	test_executor "github.com/Netflix/bettertls/test-suites/test-executor"
-	"github.com/sirupsen/logrus"
-	"io/ioutil"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/Netflix/bettertls/test-suites/certutil"
+	test_executor "github.com/Netflix/bettertls/test-suites/test-executor"
+	"github.com/sirupsen/logrus"
 )
 
 func runServer(args []string) error {
@@ -34,63 +32,9 @@ func runServer(args []string) error {
 			return err
 		}
 	} else {
-		if _, err := os.Stat(rootCa); os.IsNotExist(err) {
-			rootCert, rootKey, err = certutil.GenerateSelfSignedCert("bettertls_trust_root")
-			if err != nil {
-				return err
-			}
-			f, err := os.OpenFile(rootCa, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
-			if err != nil {
-				return err
-			}
-			defer f.Close()
-			err = pem.Encode(f, &pem.Block{
-				Type:  "CERTIFICATE",
-				Bytes: rootCert.Raw,
-			})
-			if err != nil {
-				return err
-			}
-			rootKeyBytes, err := x509.MarshalPKCS8PrivateKey(rootKey)
-			if err != nil {
-				return err
-			}
-			err = pem.Encode(f, &pem.Block{
-				Type:  "PRIVATE KEY",
-				Bytes: rootKeyBytes,
-			})
-			if err != nil {
-				return err
-			}
-			f.Close()
-		} else {
-			data, err := ioutil.ReadFile(rootCa)
-			if err != nil {
-				return err
-			}
-			for len(data) > 0 && (rootCert == nil || rootKey == nil) {
-				block, rest := pem.Decode(data)
-				if block == nil {
-					break
-				}
-				if block.Type == "CERTIFICATE" {
-					rootCert, err = x509.ParseCertificate(block.Bytes)
-					if err != nil {
-						return err
-					}
-				}
-				if block.Type == "PRIVATE KEY" {
-					rootKeyPV, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-					if err != nil {
-						return err
-					}
-					rootKey = rootKeyPV.(crypto.Signer)
-				}
-				data = rest
-			}
-			if rootCert == nil || rootKey == nil {
-				return fmt.Errorf("rootCa file did not include certificate and key")
-			}
+		rootCert, rootKey, err = certutil.LoadCert(rootCa)
+		if err != nil {
+			return err
 		}
 	}