-
Notifications
You must be signed in to change notification settings - Fork 56
/
Copy pathtls_for_test.go
181 lines (150 loc) · 5.04 KB
/
tls_for_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
package main_test
/*
* This file implements a certificate authority and certs for testing otel-cli's
* TLS settings.
*
* Do NOT copy this code for production systems. It makes a few compromises to
* optimize for testing and ephemeral certs that are totally inappropriate for
* use in settings where security matters.
*/
import (
"bytes"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"encoding/pem"
"math/big"
"net"
"os"
"testing"
"time"
)
type TlsSettings struct {
caFile string
caPrivKeyFile string
serverFile string
serverPrivKeyFile string
clientFile string
clientPrivKeyFile string
serverTLSConf *tls.Config
clientTLSConf *tls.Config
certpool *x509.CertPool
}
func generateTLSData(t *testing.T) TlsSettings {
var err error
var out TlsSettings
expire := time.Now().Add(time.Hour)
// ------------- CA -------------
ca := &x509.Certificate{
SerialNumber: big.NewInt(4317),
NotBefore: time.Now(),
NotAfter: expire,
IsCA: true,
BasicConstraintsValid: true,
}
// create a private key
caPrivKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating ca private key: %s", err)
}
// create a cert on the CA with the ^^ private key
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caPrivKey.PublicKey, caPrivKey)
if err != nil {
t.Fatalf("error generating ca cert: %s", err)
}
// get the PEM encoding that the tests will use
caPEM := new(bytes.Buffer)
pem.Encode(caPEM, &pem.Block{Type: "CERTIFICATE", Bytes: caBytes})
out.caFile = pemToTempFile(t, "ca-cert", caPEM)
caPrivKeyPEM := new(bytes.Buffer)
caPrivKeyBytes, err := x509.MarshalECPrivateKey(caPrivKey)
if err != nil {
t.Fatalf("error marshaling server cert: %s", err)
}
pem.Encode(caPrivKeyPEM, &pem.Block{Type: "EC PRIVATE KEY", Bytes: caPrivKeyBytes})
out.caPrivKeyFile = pemToTempFile(t, "ca-privkey", caPrivKeyPEM)
out.certpool = x509.NewCertPool()
out.certpool.AppendCertsFromPEM(caPEM.Bytes())
data := new(bytes.Buffer)
pem.Encode(data, &pem.Block{Type: "EC PRIVATE KEY", Bytes: caPrivKeyBytes})
// ------------- server -------------
serverCert := &x509.Certificate{
SerialNumber: big.NewInt(4318),
IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
NotBefore: time.Now(),
NotAfter: expire,
}
serverPrivKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating server private key: %s", err)
}
serverBytes, err := x509.CreateCertificate(rand.Reader, serverCert, ca, &serverPrivKey.PublicKey, caPrivKey)
if err != nil {
t.Fatalf("error generating server cert: %s", err)
}
serverPEM := new(bytes.Buffer)
pem.Encode(serverPEM, &pem.Block{Type: "CERTIFICATE", Bytes: serverBytes})
out.serverFile = pemToTempFile(t, "server-cert", serverPEM)
serverPrivKeyPEM := new(bytes.Buffer)
serverPrivKeyBytes, err := x509.MarshalECPrivateKey(serverPrivKey)
if err != nil {
t.Fatalf("error marshaling server cert: %s", err)
}
pem.Encode(serverPrivKeyPEM, &pem.Block{Type: "EC PRIVATE KEY", Bytes: serverPrivKeyBytes})
out.serverPrivKeyFile = pemToTempFile(t, "server-privkey", serverPrivKeyPEM)
serverCertPair, err := tls.X509KeyPair(serverPEM.Bytes(), serverPrivKeyPEM.Bytes())
if err != nil {
t.Fatalf("error generating server cert pair: %s", err)
}
out.serverTLSConf = &tls.Config{
ClientCAs: out.certpool,
Certificates: []tls.Certificate{serverCertPair},
}
// ------------- client -------------
clientCert := &x509.Certificate{
SerialNumber: big.NewInt(4319),
NotBefore: time.Now(),
NotAfter: expire,
}
clientPrivKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
if err != nil {
t.Fatalf("error generating client private key: %s", err)
}
clientBytes, err := x509.CreateCertificate(rand.Reader, clientCert, ca, &clientPrivKey.PublicKey, caPrivKey)
if err != nil {
t.Fatalf("error generating client cert: %s", err)
}
clientPEM := new(bytes.Buffer)
pem.Encode(clientPEM, &pem.Block{Type: "CERTIFICATE", Bytes: clientBytes})
out.clientFile = pemToTempFile(t, "client-cert", clientPEM)
clientPrivKeyPEM := new(bytes.Buffer)
clientPrivKeyBytes, err := x509.MarshalECPrivateKey(clientPrivKey)
if err != nil {
t.Fatalf("error marshaling client cert: %s", err)
}
pem.Encode(clientPrivKeyPEM, &pem.Block{Type: "EC PRIVATE KEY", Bytes: clientPrivKeyBytes})
out.clientPrivKeyFile = pemToTempFile(t, "client-privkey", clientPrivKeyPEM)
out.clientTLSConf = &tls.Config{
ServerName: "localhost",
}
return out
}
func (t TlsSettings) cleanup() {
os.Remove(t.caFile)
os.Remove(t.caPrivKeyFile)
os.Remove(t.clientFile)
os.Remove(t.clientPrivKeyFile)
os.Remove(t.serverFile)
os.Remove(t.serverPrivKeyFile)
}
func pemToTempFile(t *testing.T, tmpl string, buf *bytes.Buffer) string {
tmp, err := os.CreateTemp(os.TempDir(), "otel-cli-test-"+tmpl+"-pem")
if err != nil {
t.Fatalf("error creating temp file: %s", err)
}
tmp.Write(buf.Bytes())
tmp.Close()
return tmp.Name()
}