diff --git a/transport/tlscommon/ca_pinning_test.go b/transport/tlscommon/ca_pinning_test.go index 9a464cf7..13d935ab 100644 --- a/transport/tlscommon/ca_pinning_test.go +++ b/transport/tlscommon/ca_pinning_test.go @@ -94,7 +94,7 @@ func TestCAPinning(t *testing.T) { ca, err := genCA() require.NoError(t, err) - serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil) + serverCert, err := genSignedCert(ca, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false) require.NoError(t, err) mux := http.NewServeMux() @@ -172,10 +172,10 @@ func TestCAPinning(t *testing.T) { ca, err := genCA() require.NoError(t, err) - intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil) + intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false) require.NoError(t, err) - serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil) + serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false) require.NoError(t, err) mux := http.NewServeMux() 
@@ -246,10 +246,10 @@ func TestCAPinning(t *testing.T) { ca, err := genCA() require.NoError(t, err) - intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil) + intermediate, err := genSignedCert(ca, x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, true, "localhost", []string{"localhost"}, nil, false) require.NoError(t, err) - serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil) + serverCert, err := genSignedCert(intermediate, x509.KeyUsageDigitalSignature, false, "localhost", []string{"localhost"}, nil, false) require.NoError(t, err) mux := http.NewServeMux() @@ -360,10 +360,19 @@ func genSignedCert( commonName string, dnsNames []string, ips []net.IP, + expired bool, ) (tls.Certificate, error) { if commonName == "" { commonName = "You know, for search" } + + notBefore := time.Now() + notAfter := notBefore.Add(5 * time.Hour) + + if expired { + notBefore = notBefore.Add(-42 * time.Hour) + notAfter = notAfter.Add(-42 * time.Hour) + } // Create another Cert/key cert := &x509.Certificate{ SerialNumber: big.NewInt(2000), @@ -382,8 +391,8 @@ func genSignedCert( PostalCode: []string{"HOH OHO"}, }, - NotBefore: time.Now(), - NotAfter: time.Now().Add(1 * time.Hour), + NotBefore: notBefore, + NotAfter: notAfter, IsCA: isCA, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, KeyUsage: keyUsage, diff --git a/transport/tlscommon/testdata/cacert.crt b/transport/tlscommon/testdata/cacert.crt deleted file mode 100644 index debdf7e2..00000000 --- a/transport/tlscommon/testdata/cacert.crt +++ /dev/null 
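Review bot: The new `expired bool` parameter of genSignedCert is undocumented, and every call site in this diff now passes a bare `false` that tells the reader nothing; the 42-hour shift is likewise an unexplained constant. The function's parameter list starts before this hunk and its body continues after it, so the doc comment belongs above the signature, along the lines of `// genSignedCert issues a certificate signed by ca. When expired is set the validity window is moved 42h into the past (NotBefore now-42h, NotAfter now-37h) so verification rejects it regardless of clock skew; otherwise it is valid from now for 5h.` Naming the two magic values, `const validFor = 5 * time.Hour` and `const expiredShift = 42 * time.Hour`, would carry that intent into the code itself. Separately, the unchanged `SerialNumber: big.NewInt(2000)` now stamps every certificate the helper issues, including several from the same CA within one test, with the same serial; Go's verifier does not object, but a per-call counter would keep these fixtures from tripping any future uniqueness or revocation-by-serial check.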
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW -ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/cacert.key b/transport/tlscommon/testdata/cacert.key deleted file mode 100644 index e864b93e..00000000 --- a/transport/tlscommon/testdata/cacert.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArV7J/lQq1om7raAcjORHiCtvV2H3wcDe/BHjYw3WmWajBeMB -mWes9sUFx+phcfptYI53+UdqqMn3p7WB+VUWc+QBLQRj7DqjH31fbuT5B0qP9opQ -l+NHgVaebt6oemhT2eQyqnsVruY1DGKJU16bwLTC+WGzB/V71uqZ+VgKsBzyzXvn -1bj4OLSTdLv339MCqklASIVTj+xD4c98i35QAknII/iz18/+YLVF3vUUeUQfM8lh -nzS/dXqFVWgKXHaeJCFPgx5oCKfk+AqYHWFrGLjlh+PRe0Sci6aHFFOB/oXnguPs -x9CyFHBC2vp/zNg1A1t0RNdPWrb/ThCSkfP2BwIDAQABAoIBAQCQmLJYENL5xD5n -/VZSnEKc670dYHRHgRl5m2HPR8doghYN3tuCmtnDp2e+6VkEux1mnuypWEs5I9oO -YnBZCAKF/fCNH1BHwlAy/1oNH6Qj1Khls86sH7+PvDK/va0/CqyE2rL3RVk8Wnx8 -K+LlSc8V1q2XWUj8pl33TgvFzwx6/QpmGa1ofK84GaeWNskRt8xyf2HECiRl6ZFm -zZr2Ror3nRbgZK9FYWpcp6HUgxAH/8GQ3+8vMvftfTsDGD5TmmEq6CFgAFCVj92L -d7AZmNWR1483NzZF0HWOQ6ew9qrWkqVpER7kKKp/kkfoh2qXgvtQBTrw4IcCRwwa -szaSsIEBAoGBANiqXhBzPQJszm1Ajln07ZeyvgRB8PgzZXcAHS9AfGqh/mGQw5/X -3vqHdGiEynphoYtNqK1YT7RH7pkjkpqDzdunZGz1xog7i4ys8kVtivkDGlhn6cXI -4wmFcmyCaf76VPPr1RX8PNjsEKDK3jq1d86lBjSLPgcHT7J16WZgOcJnAoGBAMzY -QVNpjk1WNT7gid3MUXciIIZAovej4AiVyn97XxxLSyByXmNds65f3dM8NOJkJUvT -iV7pAjKl9pd1lE+WTNQSjCgSxw7G+4u9cQfNE7p6klAh/Rek76Mani9rAmQ2PdJl -EFaEgLom3wbR5eOkYURjw2jfqzFYQ8T1YZkWBithAoGAa3EYkknDIFe6ifzwWnWV -+Jr/lXbpuvspvrhEwLDWwb4xOkqiZ7qR7WSMemQXUFbn1/+bvNJFPB5LmI9GXO8t -f1Zj+5BpchctHYaJ4Znvx4odX2ewSo9S3t7ZHiwRygpzZD43fd6Ggf+WQ1Y2m6Bv -l/7Hs/i0uqGKiPHl2wmuutMCgYABZN9c7/T19cY6/VAy4DcVtne+MiZpxQW7STmt -kGtfR+vk9qJJztNwNlrOGzTI7aGLWI8wxCktqw94jGZL/FvdfZrSkv4jzZrcopdo -VC70L+1a+kA8rvSqiX3WGMZVZEEbc3CfBhvSKH2QEFGeMPowevVTe2Iw3cboSjs1 -zX6RQQKBgFV7gOstMfvixCSUCD2s5j/skhNJsB3Wd/tVYRbl/vgA6hHW8UOy2oWv -UTE45vJNVzRv030G5katjOYhlxHf9rpeSAbeIyty54I3X9/vDJZLXwe8WilQjUr7 -Dw8yNwH44j/0s8xcQXG8yE0h1Aa9GxHHtJtYrRYdx7sSwNHtwpnp ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/client1.crt b/transport/tlscommon/testdata/client1.crt deleted file mode 100644 index c3139a72..00000000 --- a/transport/tlscommon/testdata/client1.crt +++ /dev/null 
@@ -1,48 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEFzCCAv+gAwIBAgIUeaB7uk2DjAM2cuRl0kaE9ly7Lj4wDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBmMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDzANBgNV -BAsMBnNlcnZlcjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6 -hdpzNpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n -26nDMY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL5 -5qTPRJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Z -zd0W3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjU -mt+N/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABo4HQMIHNMAwGA1Ud -EwEB/wQCMAAwHQYDVR0OBBYEFAuDdHxE9/Zr7iVwfnUJ/lRtJnZkMIGNBgNVHSME -gYUwgYKAFH8hDdUHuxZVmvtkQZ5fFXeGQhZCoVSkUjBQMQswCQYDVQQGEwJDQTEP -MA0GA1UECAwGUXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVh -dHMxDTALBgNVBAsMBHJvb3SCFF8Gy28Bo1lpUDazFLHQ6Ss3hosRMA4GA1UdDwEB -/wQEAwIF4DANBgkqhkiG9w0BAQsFAAOCAQEACzuX6AiVHk5Igs/LdOW2sJ9lm95N -Su1PQCobM0Jo8wX3pDAEQlLmaWTDcr4bfrQPfI8pih1F89DQU9z0nzNCRfxiQaA7 -myF8ftvf8v5j3LpaPWlkdWgCRieCl58fgy5vtcKx73eTY4a6SRB4zbWpl0rX9H6w -En1kQbpCJDzh8W+xmr8AKvY77CSC1vt7TaKan6F+fGwbt8kIng6P6C7dvMGsDKQN -2Tiq/wtH16DB8mOeO+zfxJfa84TPWL4UcSbZJ8w5Fyz4GJormaymxJGtKv58RO7J -u63WF9vlEnKGyqY1FckTsp3P9ivGEb/Y75+NyRwmNq5VO5BPrRBMOF3VAg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEBDCCAuygAwIBAgIUXwbLbwGjWWlQNrMUsdDpKzeGixEwDQYJKoZIhvcNAQEL -BQAwUDELMAkGA1UEBhMCQ0ExDzANBgNVBAgMBlF1ZWJlYzERMA8GA1UEBwwITW9u -dHJlYWwxDjAMBgNVBAoMBWJlYXRzMQ0wCwYDVQQLDARyb290MCAXDTE5MDcyMjE5 -MjkwNVoYDzIxMTkwNjI4MTkyOTA1WjBQMQswCQYDVQQGEwJDQTEPMA0GA1UECAwG -UXVlYmVjMREwDwYDVQQHDAhNb250cmVhbDEOMAwGA1UECgwFYmVhdHMxDTALBgNV -BAsMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtXsn+VCrW 
-ibutoByM5EeIK29XYffBwN78EeNjDdaZZqMF4wGZZ6z2xQXH6mFx+m1gjnf5R2qo -yfentYH5VRZz5AEtBGPsOqMffV9u5PkHSo/2ilCX40eBVp5u3qh6aFPZ5DKqexWu -5jUMYolTXpvAtML5YbMH9XvW6pn5WAqwHPLNe+fVuPg4tJN0u/ff0wKqSUBIhVOP -7EPhz3yLflACScgj+LPXz/5gtUXe9RR5RB8zyWGfNL91eoVVaApcdp4kIU+DHmgI -p+T4CpgdYWsYuOWH49F7RJyLpocUU4H+heeC4+zH0LIUcELa+n/M2DUDW3RE109a -tv9OEJKR8/YHAgMBAAGjgdMwgdAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU -fyEN1Qe7FlWa+2RBnl8Vd4ZCFkIwgY0GA1UdIwSBhTCBgoAUfyEN1Qe7FlWa+2RB -nl8Vd4ZCFkKhVKRSMFAxCzAJBgNVBAYTAkNBMQ8wDQYDVQQIDAZRdWViZWMxETAP -BgNVBAcMCE1vbnRyZWFsMQ4wDAYDVQQKDAViZWF0czENMAsGA1UECwwEcm9vdIIU -XwbLbwGjWWlQNrMUsdDpKzeGixEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB -CwUAA4IBAQAANxJCfDMcNNnAVRlXLdh+loVx8Y5STf1gTgX2gtf9tHZGYE7/ix2P -dG1uQcEz/ETlcGSWRZcQSNR8dNeBi5YWK5dmDUD7reQr3FoyIDvPGHyIcF3clglg -blYhsQN0TVwx4G3kZDenjzKNSyVLR81opLq/PDIGW61ZCioJUQKs5q+IqsKj+okn -in6/b5YfQqyTDIWY3IPiXjvcysbKC0pYc0TkmwGUnidxDny7txrVCVJ1vwIedQug -B/UOjVxi0qsNwpWS08mwEOVvgvObi0mFoGQl8l427M0kM//86NM7vDc4Z0QYHOlq -A0ZjtnSbR3RqfhBGXV3BL+GHtXevn55Z ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/client1.key b/transport/tlscommon/testdata/client1.key deleted file mode 100644 index ce5274b7..00000000 --- a/transport/tlscommon/testdata/client1.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEA3jXEj7vN+BDlj6cYblKSml0FWpO4yi9C58cubXXDWXI6hdpz -NpDa0+n606Jg4eVZpFUZPTnnjQmFIcesO0+i85V4Etswr4T22uobDu1AWV7n26nD -MY/vlf+kDI8H/uFgxQg/Htuh12nHuYrjIS+ot/D6gThwIWVldu0TaBaFfvL55qTP -RJoteiBPo5y+VuWLhzPWg8cQYZ4KJ4XREk8H4d7PqFRHp+zATfn2YLBjUK7Zzd0W -3mxkdB2P7MnzZuH5n5zrgJ8OI9voopX8QadMYtUSeITP1INmNKhi4vLbpZjUmt+N -/u1G6xwbuyJiSlklBoXdRcWj5kSljpLtF1evvwIDAQABAoIBABdTza7JKHZCT9ck -04vBX2KVIVrA50VScNOkNVuIYVmihEJJDI9N5asZhRtykHkmeqKlzGCBE63asf85 -1vrjAVhQ+KoCGLpUWxXgPbbzcS3wqKaGy9cIJT65957Z5Rz8zAvjMb0rkXHryOvR -iMaTGkM1KRcntZ3L5zr06HSk6J7K8QCEexKHl7Q7Ki1498tvBWdJGeGWRiUtI89j -wOUdcf3pVSVqI7J8gmmqVwNrVMbVxhlen7nkckXofWAackYVQDBD+hU1n3doNKLa -NP6mZkI02BOB29WLDXLuHtKDZtgnXex4JUz6zw53uV42FCDoQf3DUiVsMEL8xRCJ -27H6bwECgYEA/w53zS00mNdYdXO7dGhAw3UYPc3PDyg6Z823BQzfdOzsn5Yw0BIw -nPgstzwzOL0kw2p/PgwkG/7LOsF5CWs2xvU3LhUdOhgmw4B5IbMOYvbkVoYGz+22 -HJf4qyexAr7tKCITB+LCzUwoAgXp8uju1XdLVpk6xmJ3u+kIhMYTxkUCgYEA3wgx -71/uIUsoW6bVL5K00yXPWTTFtTBWM768VJ8Y++k2igPgcvKaBVaElr4AbvX5iCGz -1Ycc9xsGAYAo7+q4D+4cuOki/m0PMKD3DgXWpTtN0kJ+npWUBdE98NyDlTJYsa/w -xjeMQoDvC8tE2bAiwtVIOPQL2C/3emqkJcsVcDMCgYB8NeOJ/DXdKSJfMJldu1eu -2FuR3aS00PaAjuJOh1JbcvZZUZ879V/PUd0U7zBStWot8LM+2FLNf2whlQ8I0zm9 -8rWIr6eoHxLhqrNTAgxDjdDtgh/XKwDBNBFZ6N5/Y9PC87Uo5fnQWQIy2gZw0Zde -RdZeugixjEqbLIWFg6ElsQKBgHRy6O+c3M6RWU8ROnoOVU9xjGN9REUoKbn2uopM -T1UoHQvOnmAl/vkOhUfXiI5m65SCVE0GsL7sYyRhb/5kRRo8Ls71GwpQkv/G63ds -4PeAkU9Y3JecbZ7j8z1RRXqewOR1gndcBWWrwCQeS6KFboDfr0fdVFnaIZLPH0mE -UXs1AoGBAM3zpcyl5o99dO6x9N/8SSnyLT9TzzbJ6pU6d0F0ELn3OxTUBH1oA1dy -q1fADcRgN5vNuJljY4es/scK2BMeX1isFitXoIzk01F4R61xoXr8T33731eXFG6L -ehoECH2Yj9H4qNbVW531iYKheuSyaMaxCxaDoK9jBzcKaxMGbTlc ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/es-leaf.crt b/transport/tlscommon/testdata/es-leaf.crt deleted file mode 100644 index 89d5087e..00000000 --- a/transport/tlscommon/testdata/es-leaf.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFeDCCA2CgAwIBAgIUV7+XlHjcV++/ezqTkJrXSFc1dpAwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yMzExMzAxMDMzNTda -MBExDzANBgNVBAMTBngtd2luZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBALL045X6ywAHg9tWuViNyXu30rHhJa/AI45ZwLWzQMEwnCWnMvV0Cy3FgUd6 -VKw4Rg55/SfBKShhTRjC4PmDIHDIBgpm4NWpREIW2+cZfeEU8B34ucK/ZHycTFQ1 -Guh8HfvFy5J3OYT+8Wfz94ZxvVLMOGROTSiWdL2foVk98tbHgL1K3qyv1v0rgIjt -smZ7G4tbl3sBCuYceUL7X/+0kavJGls2T/rtxxEIfj5dNz4h65KmABrrAJfrEx35 -y2jCdY2XQsBxxMvbHEXXJKhrjQ8pajMcWAlDBKweiNIDdgBDYWpodpr4f3A6ZJkM -Nplw7KyLna4s3BO/g7fd5/FyQGFuLPraFtFnTXGqH+LjX0td74bdSP22/uhU3cKY -3y64I3/HEaEY5JITgUArExcMVpXuKJKqXEb+LtjGmUbAiO8Z7QKL+PqmU+3tJJ0p -kXnS07m3F/MgrDir/VCnYGQcXeteBwEgmcOwPmxz98eOSBhtb0PrimycF2tQuT8b -mCU+evTPC+KQ+8XY5vBwdPGpf6YAaHuVhNtKqBQnYOpsadS7zw5DJ0Y1Kp9z0ZPL -ch4DxE40xqAFmxWnAfpy2scD8LGJ1zDII90tAtYdu+3Wlzj6uMqUdqPuJED7XD41 -mlF2OjB5ipTs/1Jjl3pEnGG94sw5bQmnS1xFQp/DO3mjlgFBAgMBAAGjgZwwgZkw -HQYDVR0OBBYEFJKNxskBHE5xQ9S24puXSKm6/bLKMB8GA1UdIwQYMBaAFHEdsBBS -VCiK0fDIVe2vNN8JvHmcMEwGA1UdEQRFMEOHEP6AAAAAAAAAtw+3JU5DX8mCCWxv -Y2FsaG9zdIcQAAAAAAAAAAAAAAAAAAAAAYcEfwAAAYcEwKgqtoIGeC13aW5nMAkG -A1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggIBAF5JAIQ9cu2xroh2F85fBr/F0s8D -aRV6AJpkjSVKInMm7omn+GLB80TwQZ6NsGuXrbaq0rcM85khsBs4rWn5MqescYG/ -8A7gZ4EtYE3LIyeqiqBByrtIqszZeXm7ITDSF/lwn7X2swe7orkhVD4tVEvKH6L6 -Ql0oNe5UBN1Rm9NskDltMDzE2A25slkm99CAdPERDEjBpvd3eDcfbQdHeuAOPfUV -T8P2DAdW4SC955bxnc0GPTla5TKXWWLde3egow5a4LeJv6KVWPTC9chEXZyQKp4p -jvWZW1fTO/kC3oj97tfqoH/r35/+qyXmg38HNAFbEoVM3bsO0vqrI5CbkWTkB1Xb -7CY6jJxemyEprl2gmkgfA/MXBHFc3RoIL7JcX7Sk8ZWpnEVK3KyoyK1RJ5kY1Cz4 -SRw4KLJA4Cu6DE7vXy9pTlIeeQARgQOUxnrlRGYHpKRIwgjrhwEjVqc0CPwj7rWr -0VY4MW80FPFIePpqy3DjoJmORQU632iu/5zeUS4dZ11Ms7NTakqqnFHi7XczqeZn -4HqPW8ebQTXrqRXMF/X30x6gkK1R1tXHSbve7cTQWJEwJd+MS2aA5Npt7hGznjPn -Y1p4k9jEz5BnbLtZ2RbAj2FuL4Ee6iJoyZpFbi/SW+h+1ZaPCeUTnxUkDLEiXpdk -tN8H6/6dudhy6btm ------END 
CERTIFICATE----- diff --git a/transport/tlscommon/testdata/es-root-ca-cert.crt b/transport/tlscommon/testdata/es-root-ca-cert.crt deleted file mode 100644 index 6234774a..00000000 --- a/transport/tlscommon/testdata/es-root-ca-cert.crt +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFWTCCA0GgAwIBAgIUAoPlJ3hVr921EyJfiT+9lVft3fcwDQYJKoZIhvcNAQEL -BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp -Z3VyYXRpb24gSFRUUCBDQTAeFw0yMTExMzAxMDMzNTdaFw0yNDExMjkxMDMzNTda -MDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25maWd1 -cmF0aW9uIEhUVFAgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC2 -soq+heCJNHsMuyyyLndREhYmxYFav06XOLB5oC1bAt+0WMo3n7rxVB8dAhfvigof -DsTIytnCcK+Th8ll2k4Bs2weF16ZhvvC2FKbSkdUxNXnXfx7gdKDXZLbfref5FiL -ucwxa7CtVL28Lfws9J5dZTTAuxR2XxaX+TJbH6MbQgKUYR+DnK8T3jSfiDTQtiHs -+pd+C8hSdMgzKCynYP36VZbtz1ynWjvQ/0wxARO6q2OLZGBNh2ncoFEmosXgc0ir -Vh9NrVmozSI0H2f6W07imqL3oe1pe3bwW/OdfeahCBY3IvDLDn8q8wDl91gRta3n -EsMsiuBRSRRpT0grgoCFNy+wiIrETVLaI2HJ0UpVIpcoS7K5l2zN/wA+w+hAOdh0 -PoBt8AoC1aCCGM4osCTKqbgbOg957io2twuvWJ6ae3J2k5FFDMvIfMfL+5HhPSRp -nYiRDPOhapDhaXhHa4pEFONpdiJJgmqymLqjW4liZOGft28dSkISK3iiBL74p/gu -X/sBI7PZANycpyVjnLHK+FwPlRZPkrqCw2Gke4Oqm9uydwM08uRVZcNylVS7H0ip -9BEcxKlXJSaULnTqQXkiPGKGkCrrIIsNQTFjoaBIBP2o69NSZ0SozDf4aCnYy10v -U1dwI9yisOmMfDkakNcAPXfRfmuuJlstl1W1RraQswIDAQABo1MwUTAdBgNVHQ4E -FgQUcR2wEFJUKIrR8MhV7a803wm8eZwwHwYDVR0jBBgwFoAUcR2wEFJUKIrR8MhV -7a803wm8eZwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAiHrC -NxCNsyUYLFVivL9AsJ5Y3IrhAHUzYwofLBJiMYNFsaEi3P1VU3TNlo98kzi2QkdY -NPFtRYoOg6sEI0KPEBw54kLP/Q/FJK7jeJSyhJ9V/Z+NS081YHqrMP4YPK6mM4qa -XuM7hpx37vkLDdfrDPionbcLk7Zz+2t6bIThrwta0idMY6LKeFfW1EWeggK6inNc -Ub3n1qcTyOp1RfcLlHCdb17JhgY5hROmqVfhgLlbT0bx1NZS4pRWhw5CDKsflMUe -SyHbLE1BTH6yE0nNXbR6FgDKjQNUSSZBOBck0hdSaRArALavujjBojHmJYWt1jWO -bcBErzwKKwH/peUh7Wgnq1L/lqym9K9AniWUyhvKn8AbxGLnILDMYOSrvlPF2uU+ -uvp2EzhPUyOgYycC28H4fFUdDeoN5FVP+4sFFK+FIgfqLfVMTgDPmGAbkqA6WKlH -fgQ2fP4oB2ZkN0EPxivXkvZkhDVlIXeoisUkNCgAfVuwCjvOLnqz8u0tTnp/wXxq -XAXUPLcG71YFzABlkwuPdA5GhFAL1Rv8GQJEznhZ8mYz/yTtcg/z3pYEhDcM92Cb -161BormFYVRI1B80rSpzeQwJVfvgCwnWOTat+1joFHCzpl99nHu8tMxi6lkO1G9E -8vdk/J0zMMnhO52V2EMNdH2fTJUMZYixBm4BeEM= ------END CERTIFICATE----- 
diff --git a/transport/tlscommon/testdata/server.crt b/transport/tlscommon/testdata/server.crt deleted file mode 100644 index 50ca5ce8..00000000 --- a/transport/tlscommon/testdata/server.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDlTCCAX0CAQEwDQYJKoZIhvcNAQELBQAwUzELMAkGA1UEBhMCVVMxEzARBgNV -BAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xFzAVBgNVBAMM -DmNhQGV4YW1wbGUuY29tMB4XDTIxMDEyNTE2MzQ0OVoXDTMxMDEyMzE2MzQ0OVow -UjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNh -biBGcmFuY2lzY28xFjAUBgNVBAMMDSouZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcN -AQEBBQADgY0AMIGJAoGBALFuNygrGLLSnD//JRfU6xMDqgizeVdQqDlLaP/HxQ84 -9RPWnjfbyx2M25JYcLvewPqKQ80lOYnMRhpvujmuKP7gQHNDWOsyXH5JljTX78Wb -I+nuVMeYjbUOh+6EgYNY59G5rH7xqgeu3y1YERfNdchEG8xjSxYeIZ7Ev6VMFF8r -AgMBAAEwDQYJKoZIhvcNAQELBQADggIBALyHDjVcY6Po1eHWTUCLLOW1ZzzkX4qu -gsfJM6qTIZIqh/O6tROGqH9kRw8SarIIZvtztfzuYtmQBE0qkBMzPzdN3x+3C4pz -jf2vsEKRqva9mf9y+JM0Mv0WUuPfusHxPKOCl1on71kP1GL1bYylKqazgVa2tAVa -78xs35YIuCM5apt0X+QO+Tnz/qfqJ7t3F7mP1aeCjYm8J20S8vKTYgkRkFX/8VJB -1zRPl0CAMyoHOMcrmb7wX8V1CIER7VBQ7h580B7/7okrw+Hr3xyMOA0w1DiRUQJE -biHBuDTRDmRg6W5nAwNLFLp/RfHttny0nEEcnzcjEStEKyDGbNg1W2ieWuIhgUza -L3W3ld9LDD9pMnQ8yYTMcL+J2Ir6ErhpGL3Hks42W2c/qYhvo3we6B2ADfsS7P+m -ku5W7/G2fDIlj6rtzaAeur+LSgsjU6kc1et2SJxjcJMPrS4xHxpAhJzD7h7f5N/B -RBc5cT2sE2vuUBRGkz0wC9AC2/kxmv4RwjsrYTY8rEOqHRkxDF18lfFocAoq7Hvr -lO6ft9/knzTQzKiizc6unXsLhUCvBzt50bA/gVLXmUmr1sncATKHWOLbvfRWat4I -0m52jlowgqnJPsXtl+wwNYHaw9gF71RTx/Ov2vZ8xm5SeBNkO8cpdAftETAEqpgp -fDlIVeywLvoN ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/server.key b/transport/tlscommon/testdata/server.key deleted file mode 100644 index 8bb153a9..00000000 --- a/transport/tlscommon/testdata/server.key +++ /dev/null 
@@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXQIBAAKBgQCxbjcoKxiy0pw//yUX1OsTA6oIs3lXUKg5S2j/x8UPOPUT1p43 -28sdjNuSWHC73sD6ikPNJTmJzEYab7o5rij+4EBzQ1jrMlx+SZY01+/FmyPp7lTH -mI21DofuhIGDWOfRuax+8aoHrt8tWBEXzXXIRBvMY0sWHiGexL+lTBRfKwIDAQAB -AoGAaBKW5cfJl/JzVhJphn4MWL3YeXwUW4Pi+KBj+UwLKW+mSTmk2mzgyfd6P3AC -yB/Tn+GD/YutIUehgxYv7G9ceZC85EsPM6+1s887olgKNKbCiZZvrLBcBCzEhzkN -QpC2/cuOOVYdYYQJZp9RX7herAJ5aqxZHUUtCrudgfCiAckCQQDo37NhBBfUlLc4 -LW3ryxydsh7MrTMU63+5IVtXosV3TFdWN9LC6CCarkILcOG5tmEmM6v1UQRAgCkm -lb+/3SrXAkEAwwz9+mcAU1lTTiy+dCJkKepviT4Ex+BFl0yJPfSN5+/Wg15DjwsN -vdE0H5nAT65aECiYy8V9DKNwHNcTIaZXzQJBAMvoPOBhPiCVC410MgC6e9cVRWTA -766Muuy26Y1l6HQac4r6HGEv8oSeuxPbhrsfmBdkPVjz1L5Juj6f9yOgHEcCQHMH -pHkaaay+D00ZQjDHX38AzUqJEtS1xRTXhFDPeyj/3uiWnQ0tHauGR1EjobDcSC0j -ZAk4rOjZMnMvvA6qRTkCQQCT6B0edwnMc9q/4XcdF+LptWRiYNbSKkrisb304N+d -lqbB76fGQY22onWcZEvcOmifmzmgj56QXSUot+fkNlVK ------END RSA PRIVATE KEY----- diff --git a/transport/tlscommon/testdata/tls.crt b/transport/tlscommon/testdata/tls.crt deleted file mode 100644 index d6528cce..00000000 --- a/transport/tlscommon/testdata/tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDnzCCAoegAwIBAgIRAKtKtQKtGFIUneRz5r1FnUMwDQYJKoZIhvcNAQELBQAw -FjEUMBIGA1UEAwwLbW9yZWxsby5vdmgwHhcNMTkwODA5MDkzOTIyWhcNMTkxMTA3 -MDkzOTIyWjBOMRkwFwYDVQQKExBFbGFzdGljc2VhcmNoIENBMTEwLwYDVQQDEyhl -bGFzdGljc2VhcmNoLXNhbXBsZS1lcy1odHRwLmRlZmF1bHQuc3ZjMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq6HRcrfV1kHnXv5Z+ImkgKDvxCezI3/p -yiR0jSv6L7+bblHzzsqkPnz3aaIPJJ2G4sdwaIhl5rJdOvCj48It8OtRidZjzuJH -hN2RpN2Ii5WX4D1u18CrjEQrRUzs/vuwpyP0zWx0yP3lp88fy8kfWHj8cE06KZ3c -jq1fTRjEDv/N6xofqBSIHPsnvOVIP0Sp9bJkw5yO0H3oBfrqP0N2mjnwQknclz30 -t/LoXHcRrZTOH42pgG5ODZslqLNgKLXQHzRcglzNQPwYKYHigBiy+xsHxbIIXe1n -R70PYKXisA0bhHTiV1Sa77dqQRdSkm0JzrNg58lHZYA1sVKTh0nRMQIDAQABo4Gv -MIGsMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDou -x6fQdsT7szqJX2vyfmtmtuXiMGsGA1UdEQRkMGKCKGVsYXN0aWNzZWFyY2gtc2Ft -cGxlLWVzLWh0dHAuZGVmYXVsdC5zdmOCNmVsYXN0aWNzZWFyY2gtc2FtcGxlLWVz -LWh0dHAuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbDANBgkqhkiG9w0BAQsFAAOC -AQEAL0EBOx2vPXJSIjv8t0S2HkbCSerdDvGSNtkOrTizBtL7EwRSec6nes6OaWo6 -JYVNCP0Y+a4jQQrD9MkFKniKxluvLgbsHHsCnQC5tI5iwaOIZe+33pVyNksTc3CC -l2s6Imqpvt6S3GyuWhcwWhwi3pK0ce9RqoO7GONHZmyuOaHGm1OxPeXJQYu7gTKg -3hMjnNAzLOF1oOIrPKnkxfP4jdOrQE1oKk9QR7ScIKLVHJTJoogCM50I7yD7HnMT -itkHwZhk5ptdA29P/OAcZheO5NOGlWJ6OeQl35A9SxgB3DSRTFORoEBfwPZB4ZLC -zODbmFEr7N0FzCN6hU8PjcLLhg== ------END CERTIFICATE----- diff --git a/transport/tlscommon/testdata/unsigned_tls.crt b/transport/tlscommon/testdata/unsigned_tls.crt deleted file mode 100644 index 710dda0a..00000000 --- a/transport/tlscommon/testdata/unsigned_tls.crt +++ /dev/null 
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDmjCCAoKgAwIBAgIfVNT1201IZeL6eZ5nBDNfdg7z5Rx3pSWKx48R5xEUMzAN -BgkqhkiG9w0BAQUFADBmMQkwBwYDVQQGEwAxCTAHBgNVBAoMADEJMAcGA1UECwwA -MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20xDzANBgkqhkiG9w0BCQEWADEYMBYG -A1UEAwwPd3d3LmV4YW1wbGUuY29tMB4XDTIwMDcyMzIzNTE1NloXDTMwMDcyNDIz -NTE1NlowTDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsMADEYMBYGA1UE -AwwPd3d3LmV4YW1wbGUuY29tMQ8wDQYJKoZIhvcNAQkBFgAwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDUM6FCJj36941WQVrIKVjHCNKf0bdGiinfxGgL -4SaUywGUo35mp70SFSpEcl3HE5B62Nab3axZ7N3oYeCD5iCJGPI0JWE3/gPdn5ao -2xsGr1sKS+453dkmpDBEnTHNo7HjmvZIDIEzKHDW1QnfeeSGef9TKtVsnoDhGp+u -mMndqBBUEXE/4tIrFuKZLQjxlchw6JQ6fpjmXxZKRCgXJq18/x9jfJnduYpb/DOc -bXfQKZCbJeQdlZO9yxwwmzetZ/7kRZ774qvYtcHs+RVH5tPob1J/xgEoVpE4XAgp -IrYrYCA159ejRJfb5Zs9Hx0AbatzFzTrHzod+jhfDpCh/NX3AgMBAAGjTzBNMB0G -A1UdDgQWBBSuVtBMQ/Q6YHXDi6FQxOGzp+U5pTAfBgNVHSMEGDAWgBSuVtBMQ/Q6 -YHXDi6FQxOGzp+U5pTALBgNVHREEBDACggAwDQYJKoZIhvcNAQEFBQADggEBADNC -AZZUgG4uXpDEIcWKT7gI8G+lbQJjIYciCNtqJsSpxOyN1Vs6tt8FXZBrVjxCa+Ik -TpBZ0OxhY7Ry3veqVoeh9o8ASM8mvFE7y/CjZHtqxh5Q/Q1O5/UuMVy4ilT4hzEb -jXvoH+gLCVxPcaV4cfqfWEWoW3RwfG+NtBq7ZnCl5o7ATDjDl1qe9sZ1rvIq7mLb -Lk7lvNjqZU1PBRj6riW84Tv+yZc2kytqu61l8+NmphKwrKUgVUcbY37knmNIF2tB -pl742yDqYtSu3ODWFtjNw2CZRGhTOcJMXasBFpjch0dz3uM++As0n9r63cNDssDi -GQ6OHiviqMYraJMVFsc= ------END CERTIFICATE----- diff --git a/transport/tlscommon/tls_config_test.go b/transport/tlscommon/tls_config_test.go index 5804d5f3..07bb6327 100644 --- a/transport/tlscommon/tls_config_test.go +++ b/transport/tlscommon/tls_config_test.go @@ -18,15 +18,21 @@ package tlscommon import ( + "bytes" + "crypto/sha256" "crypto/tls" "crypto/x509" + "encoding/hex" "encoding/pem" "errors" - "io/ioutil" + "math/rand" "net" "net/http" "net/url" + "os" "path/filepath" + "regexp" + "strconv" "testing" "github.com/stretchr/testify/assert" 
@@ -34,15 +40,10 @@ import ( ) func TestMakeVerifyServerConnection(t *testing.T) { - testCerts := openTestCerts(t) + testCerts := genTestCerts(t) - testCA, errs := LoadCertificateAuthorities([]string{ - filepath.Join("testdata", "ca.crt"), - filepath.Join("testdata", "cacert.crt"), - }) - if len(errs) > 0 { - t.Fatalf("failed to load test certificate authorities: %+v", errs) - } + certPool := x509.NewCertPool() + certPool.AddCert(testCerts["ca"]) testcases := map[string]struct { verificationMode TLSVerificationMode @@ -64,7 +65,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "default verification with certificates when required with expired cert": { verificationMode: VerifyFull, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["expired"]}, serverName: "", expectedCallback: true, @@ -73,7 +74,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "default verification with certificates when required with incorrect server name in cert": { verificationMode: VerifyFull, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["correct"]}, serverName: "bad.example.com", expectedCallback: true, @@ -82,7 +83,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "default verification with certificates when required with correct cert": { verificationMode: VerifyFull, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["correct"]}, serverName: "localhost", expectedCallback: true, 
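Review bot: `certPool.AddCert(testCerts["ca"])` panics with "adding nil Certificate to CertPool" instead of failing the test if the "ca" entry is nil; that entry is `ca.Leaf` as returned by genCA, which is outside this diff, so whether Leaf is always populated cannot be confirmed from here. A guard such as `require.NotNil(t, testCerts["ca"], "genCA must populate tls.Certificate.Leaf")` placed before AddCert turns a runtime panic into a readable failure. The rest of TestMakeVerifyServerConnection continues outside the hunk.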
@@ -91,7 +92,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "default verification with certificates when required with correct wildcard cert": { verificationMode: VerifyFull, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["wildcard"]}, serverName: "hello.example.com", expectedCallback: true, @@ -100,7 +101,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "certificate verification with certificates when required with correct cert": { verificationMode: VerifyCertificate, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["correct"]}, serverName: "localhost", expectedCallback: true, @@ -109,7 +110,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "certificate verification with certificates when required with expired cert": { verificationMode: VerifyCertificate, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["expired"]}, serverName: "localhost", expectedCallback: true, @@ -118,7 +119,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "certificate verification with certificates when required with incorrect server name in cert": { verificationMode: VerifyCertificate, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["correct"]}, serverName: "bad.example.com", expectedCallback: true, @@ -127,7 +128,7 @@ func TestMakeVerifyServerConnection(t *testing.T) { "strict verification with certificates when required with correct cert": { verificationMode: VerifyStrict, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, + certAuthorities: certPool, peerCerts: []*x509.Certificate{testCerts["correct"]}, serverName: "localhost", expectedCallback: false, 
@@ -136,11 +137,11 @@ func TestMakeVerifyServerConnection(t *testing.T) { "default verification with certificates when required with cert signed by unknown authority": { verificationMode: VerifyFull, clientAuth: tls.RequireAndVerifyClientCert, - certAuthorities: testCA, - peerCerts: []*x509.Certificate{testCerts["unknown authority"]}, + certAuthorities: certPool, + peerCerts: []*x509.Certificate{testCerts["unknown_authority"]}, serverName: "", expectedCallback: true, - expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown authority"]}, + expectedError: x509.UnknownAuthorityError{Cert: testCerts["unknown_authority"]}, }, "default verification without certificates not required": { verificationMode: VerifyFull, @@ -191,11 +192,13 @@ func TestMakeVerifyServerConnection(t *testing.T) { } func TestTrustRootCA(t *testing.T) { - certs := openTestCerts(t) + certs := genTestCerts(t) nonEmptyCertPool := x509.NewCertPool() nonEmptyCertPool.AddCert(certs["wildcard"]) - nonEmptyCertPool.AddCert(certs["unknown authority"]) + nonEmptyCertPool.AddCert(certs["unknown_authority"]) + + fingerprint := getFingerprint(certs["ca"]) testCases := []struct { name string 
@@ -207,21 +210,21 @@ func TestTrustRootCA(t *testing.T) { }{ { name: "RootCA cert matches the fingerprint and is added to cfg.RootCAs", - caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", - peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]}, + caTrustedFingerprint: fingerprint, + peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]}, expectedRootCAsLen: 1, }, { name: "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs", - caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", - peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]}, + caTrustedFingerprint: fingerprint, + peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]}, expectedRootCAsLen: 0, }, { name: "non empty CertPool has the RootCA added", rootCAs: nonEmptyCertPool, - caTrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", - peerCerts: []*x509.Certificate{certs["es-leaf"], certs["es-root-ca"]}, + caTrustedFingerprint: fingerprint, + peerCerts: []*x509.Certificate{certs["correct"], certs["ca"]}, expectedRootCAsLen: 3, }, { @@ -263,7 +266,8 @@ func TestTrustRootCA(t *testing.T) { } func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { - testCerts := openTestCerts(t) + testCerts := genTestCerts(t) + fingerprint := getFingerprint(testCerts["ca"]) testcases := map[string]struct { verificationMode TLSVerificationMode 
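Review bot: The second case, "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs", now passes `fingerprint`, the SHA-256 of `certs["ca"]`, while its peer chain ends in that very `certs["ca"]`, so the fingerprint does match and the case is identical to the first one apart from `expectedRootCAsLen: 0`. Unless the loop body (outside this hunk) skips the pool-size check when the expected length is 0, this case cannot pass; either way it no longer exercises the mismatch path, which is the one that keeps a peer-supplied root out of cfg.RootCAs. Use a digest that cannot match, e.g. `caTrustedFingerprint: getFingerprint(certs["unknown_authority"]),`, and have the loop assert that cfg.RootCAs stays nil for that case. The typos in the case name ("doesn not matche") could be fixed at the same time.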
@@ -276,35 +280,35 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }{ "CATrustedFingerprint and verification mode:VerifyFull": { verificationMode: VerifyFull, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", + CATrustedFingerprint: fingerprint, }, "CATrustedFingerprint and verification mode:VerifyCertificate": { verificationMode: VerifyCertificate, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", + CATrustedFingerprint: fingerprint, }, "CATrustedFingerprint and verification mode:VerifyStrict": { verificationMode: VerifyStrict, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, - CATrustedFingerprint: "e83171aa133b2b507e057fe091e296a7e58e9653c2b88d203b64a47eef6ec62b", - CASHA256: []string{Fingerprint(testCerts["es-leaf"])}, + CATrustedFingerprint: fingerprint, + CASHA256: []string{Fingerprint(testCerts["correct"])}, }, "CATrustedFingerprint and verification mode:VerifyNone": { verificationMode: VerifyNone, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: false, }, "invalid CATrustedFingerprint and verification mode:VerifyFull returns error": { verificationMode: VerifyFull, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: 
[]*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", @@ -312,7 +316,7 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }, "invalid CATrustedFingerprint and verification mode:VerifyCertificate returns error": { verificationMode: VerifyCertificate, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", @@ -320,12 +324,12 @@ func TestMakeVerifyConnectionUsesCATrustedFingerprint(t *testing.T) { }, "invalid CATrustedFingerprint and verification mode:VerifyStrict returns error": { verificationMode: VerifyStrict, - peerCerts: []*x509.Certificate{testCerts["es-leaf"], testCerts["es-root-ca"]}, + peerCerts: []*x509.Certificate{testCerts["correct"], testCerts["ca"]}, serverName: "localhost", expectedCallback: true, CATrustedFingerprint: "INVALID HEX ENCODING", expectingError: true, - CASHA256: []string{Fingerprint(testCerts["es-leaf"])}, + CASHA256: []string{Fingerprint(testCerts["correct"])}, }, } @@ -410,7 +414,8 @@ func TestMakeVerifyServerConnectionForIPs(t *testing.T) { false, test.commonName, test.dnsNames, - test.ips) + test.ips, + false) if err != nil { t.Fatalf("cannot generate peer certificate: %s", err) } @@ -585,7 +590,7 @@ func TestVerificationMode(t *testing.T) { for name, test := range testcases { t.Run(name, func(t *testing.T) { - certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips) + certs, err := genSignedCert(caCert, x509.KeyUsageCertSign, false, test.commonName, test.dnsNames, test.ips, false) if err != nil { t.Fatalf("could not generate certificates: %s", err) } 
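Review bot: The fixtures in this hunk mix two fingerprint helpers: `fingerprint` comes from the new test-local getFingerprint (hex of SHA-256 over cert.Raw), while CASHA256 is built with the package's own `Fingerprint(testCerts["correct"])`. If Fingerprint produces the same encoding, getFingerprint is a duplicate and the CATrustedFingerprint cases should use `Fingerprint(testCerts["ca"])` so the trusted-fingerprint path is checked against the production encoding rather than a copy; if it does not, the difference deserves a comment, because a case or encoding mismatch between the two would let these cases pass for the wrong reason. A short comment on the VerifyStrict case would also help, since it pins the leaf via CASHA256 and the root via CATrustedFingerprint and so only shows that both checks can coexist.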
@@ -678,30 +683,121 @@ func startTestServer(t *testing.T, serverAddr string, serverCerts []tls.Certific
 return *serverURL
 }
-func openTestCerts(t testing.TB) map[string]*x509.Certificate {
- t.Helper()
- certs := make(map[string]*x509.Certificate, 0)
+func getFingerprint(cert *x509.Certificate) string {
+ caSHA256 := sha256.Sum256(cert.Raw)
+ return hex.EncodeToString(caSHA256[:])
+}
+
+func genTestCerts(t *testing.T) map[string]*x509.Certificate {
+ ca, err := genCA()
+ if err != nil {
+ t.Fatalf("cannot generate root CA: %s", err)
+ }
+
+ unknownCA, err := genCA()
+ if err != nil {
+ t.Fatalf("cannot generate second root CA: %s", err)
+ }
- for testcase, certname := range map[string]string{
- "expired": "tls.crt",
- "unknown authority": "unsigned_tls.crt",
- "correct": "client1.crt",
- "wildcard": "server.crt",
- "es-leaf": "es-leaf.crt",
- "es-root-ca": "es-root-ca-cert.crt",
- } {
+ certs := map[string]*x509.Certificate{
+ "ca": ca.Leaf,
+ }
- certBytes, err := ioutil.ReadFile(filepath.Join("testdata", certname))
+ certData := map[string]struct {
+ ca tls.Certificate
+ keyUsage x509.KeyUsage
+ isCA bool
+ dnsNames []string
+ ips []net.IP
+ expired bool
+ }{
+ "wildcard": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature,
+ isCA: false,
+ dnsNames: []string{"*.example.com"},
+ },
+ "correct": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ },
+ "unknown_authority": {
+ ca: unknownCA,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ },
+ "expired": {
+ ca: ca,
+ keyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+ isCA: false,
+ dnsNames: []string{"localhost"},
+ // IPV4 and IPV6
+ ips: []net.IP{{127, 0, 0, 1}, {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+ expired: true,
+ },
+ }
+
+ tmpDir := t.TempDir()
+ for certName, data := range certData {
+ cert, err := genSignedCert(
+ data.ca,
+ data.keyUsage,
+ data.isCA,
+ certName,
+ data.dnsNames,
+ data.ips,
+ data.expired,
+ )
 if err != nil {
- t.Fatalf("reading file %q: %+v", certname, err)
+ t.Fatalf("could not generate certificate '%s': %s", certName, err)
 }
- block, _ := pem.Decode(certBytes)
- testCert, err := x509.ParseCertificate(block.Bytes)
+ certs[certName] = cert.Leaf
+
+ // We write the certificate to disk, so if the test fails the certs can
+ // be inspected/reused
+ certPEM := new(bytes.Buffer)
+ pem.Encode(certPEM, &pem.Block{
+ Type: "CERTIFICATE",
+ Bytes: cert.Leaf.Raw,
+ })
+
+ serverCertFile, err := os.Create(filepath.Join(tmpDir, certName+".crt"))
 if err != nil {
- t.Fatalf("parsing certificate %q: %+v", certname, err)
+ t.Fatalf("creating file to write server certificate: %v", err)
+ }
+ if _, err := serverCertFile.Write(certPEM.Bytes()); err != nil {
+ t.Fatalf("writing server certificate: %v", err)
+ }
+
+ if err := serverCertFile.Close(); err != nil {
+ t.Fatalf("could not close certificate file: %s", err)
 }
- certs[testcase] = testCert
 }
+ t.Cleanup(func() {
+ if t.Failed() {
+ finalDir := filepath.Join(os.TempDir(), cleanStr(t.Name())+strconv.Itoa(rand.Int()))
+ if err := os.Rename(tmpDir, finalDir); err != nil {
+ t.Fatalf("could not rename directory with certificates: %s", err)
+ }
+
+ t.Logf("certificates persisted on: '%s'", finalDir)
+ }
+ })
+
+ return certs
 }
+
+var cleanRegExp = regexp.MustCompile(`[^a-zA-Z0-9]`)
+
+// cleanStr replaces all characters that do not match 'a-zA-Z0-9' by '_'
+func cleanStr(path string) string {
+ return cleanRegExp.ReplaceAllString(path, "_")
+}
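Review bot: In genTestCerts's t.Cleanup the destination `filepath.Join(os.TempDir(), cleanStr(t.Name())+strconv.Itoa(rand.Int()))` is a computed name in the shared temp directory rather than one created atomically, so another local process can collide with or pre-create it before os.Rename runs, and math/rand (assuming that is the `rand` imported) is not a source the test should lean on for uniqueness; creating the target with `os.MkdirTemp("", cleanStr(t.Name()))` and renaming tmpDir beneath it gives a fresh 0700 directory with no race. The return value of `pem.Encode(certPEM, &pem.Block{...})` is discarded, so an encode failure would silently write an empty .crt file that the later Write and Close checks cannot catch. getFingerprint appears to duplicate the package's Fingerprint, which the -276 hunk already uses as `Fingerprint(testCerts["correct"])`; if both hex-encode the SHA-256 of cert.Raw, the new helper should go. The three `// IPV4 and IPV6` entries use sixteen zero bytes, which is the unspecified address `::` rather than loopback `::1`; if loopback was intended, `net.IPv6loopback` says so explicitly.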