Use CA-signed TLS keys for testing

.gitignore

@@ -7,6 +7,7 @@
 /results.tap
 /server-*
 /synapse
+/test-server
 /var
 \#*
 .vscode

keys/ca.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDZDCCAkygAwIBAgIJAKccGMVr5gLXMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV
+BAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xEzARBgNVBAoMCm1hdHJpeC5vcmcxEjAQ
+BgNVBAMMCXN5dGVzdCBDQTAeFw0xOTA2MDUxNTI2MDlaFw0yOTA2MDIxNTI2MDla
+MEcxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xEzARBgNVBAoMCm1hdHJp
+eC5vcmcxEjAQBgNVBAMMCXN5dGVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALbZ+4WFsg4j/O+sFvL2vznFf6WvJEOd905KN9vwsz3Jp0d5BF6z
+WqzakQ2o2KXbfvF7ElkEQPH0GOvjCmsoyDOeRHj8nE5rms5bZimi76kakr0RrY2P
+OCg0+Oayan7RHb6QcFllbL9aJckJ9qD9UqRiIvUbd6ZT0x3CYObWGsiUWNsBiK72
+AkVtnlq6qseC90lFvx3YGOevetxJWyyCYPO5+hvYPNSa8TjjaQtVwAQumcTevS+K
+G6zvFdoxEhL1e+5RJyeNIN7hrG+Ht3G5qmn0cEId6E/CSEBe/m9o1hqd3jGY4Boh
+J8GPsEfdfK3r68u4cgna+0WjZQhlwxGwWYcCAwEAAaNTMFEwHQYDVR0OBBYEFEzx
+D0cBAWPq+0Lr0bbIDmThuR11MB8GA1UdIwQYMBaAFEzxD0cBAWPq+0Lr0bbIDmTh
+uR11MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHh1w9FRwLGE
+rqPd8IhEHaq5oZXXp08uhV6dhnsOcU3LoD8dZyllBIEFSSF5Lwi6tNcefS16QZzV
+phzJ595bnfNlIltss/LsWqVKoXPOmyD7u0fOYJGAAVII0U2nS/8nNlvyoPxCcorW
+xmUSQjB9RKdlm6TdcDj6FwRTRwmmGhBnTcC2PWrqslXFo9hslYKFDiL/4RL+NKIC
+V4mIhTALOnNxU0L3yxdUzUiQmepDjUffPPk7rYbMJe8q38jm1EWlERuMKz6bY4rf
+QK9vBctMWiEdwnG+RfO4VP73dSc7UFodKSzBBt7TwLgtqntOUzfbIPlKjlVmnK0X
+Kz5XuJVplBQ=
+-----END CERTIFICATE-----

keys/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAttn7hYWyDiP876wW8va/OcV/pa8kQ533Tko32/CzPcmnR3kE
+XrNarNqRDajYpdt+8XsSWQRA8fQY6+MKayjIM55EePycTmuazltmKaLvqRqSvRGt
+jY84KDT45rJqftEdvpBwWWVsv1olyQn2oP1SpGIi9Rt3plPTHcJg5tYayJRY2wGI
+rvYCRW2eWrqqx4L3SUW/HdgY56963ElbLIJg87n6G9g81JrxOONpC1XABC6ZxN69
+L4obrO8V2jESEvV77lEnJ40g3uGsb4e3cbmqafRwQh3oT8JIQF7+b2jWGp3eMZjg
+GiEnwY+wR918revry7hyCdr7RaNlCGXDEbBZhwIDAQABAoIBAGwdS0jRmkweH0of
+OJqEJuEj06vFeO26EyXpYEndcj3QY+YwudK8vZqCyU2ITkETHWXu3RRhHX1yVOH0
+po5h2K4coGPhCRKdMTVeeXOY8ZfNLII6V6Hh0tSDLcBKMgm1355zjNpuy/QAe2L5
+Tyg1YI3tsLm4efCQk71+1wjmA4QgotU/V7Cc8VrfqICiw3oXJcdmxw94NYxQJQVr
+oWpuLhqU1Mf3blryMg1X8J5TuFRnZCEf1nhRvryLa9XYPIGBtB/WUVVJroYNTIdx
+uBhA05ANkNDg4aByNg2xaQAt2Llri/rFaZXlDtifjtMIoNgmKfWCzAH+bHymo7D0
+hD0Rq6ECgYEA3WmiFWAJ68kDTdA2Y7YzNA7O7jIx+UB1E6lpyCyt8I+rrRHBEF2Q
+W5DIuwUtYro+A8X4wmJo0mPm5bso4ct1wnT2sxtkjjJEUlfSo6cJQq80cYwvCnYZ
+IDtidLp4JJv4IOA62Pxc3WwpQ0J82HSy2F0wQDHIscvb1Se9RB7QXikCgYEA02pG
+v9MS0KgyN3zLGRgjdeqCWRCLTtVDkGZBBu3PY18AmnY11rX1IipsUpNmwFu9Sjde
+2qB4D8fjVa1ZAnVpkaPh+8lIAffjxdolkzQ25oqHVRE5F+Yig3d0EgpNnRyvZvFn
+72P2cRAOXZI7DTVHYn/7M/dRLWDClBhcxy+4kC8CgYEAj/VlmEZITRD2X/qX0n8d
+jaRvMPpb+bbKKI2HJMrAEWAofC/F+pELEi3yBX9ZQg7b0XI/yotXoiuobgghjaXP
+HC8WU9/konvWZj+JyjQJ1ly6WXWPBFtC/Oz/l+vBv/PVAfMo7/otmx3/OicZq1c9
+DWaRv7texRNKDK545bivO/kCgYEApnS237HAzqifYTDQeCGZSe4qUxXDmX4whDD+
+YgY7k3Hpd7Q7D6KULyJXx2xnKm0QzK5r8JcH8OThCURDILxxMkpmU2hXWbVjkRQB
+IbWqxDmt9DxrR3XbFsemi82w7lL3h4Xq34FFOB/8L5BDDlM0sUky7+d58tCMYy4L
+XokkN+ECgYEA1n/bRkP5IDFKeK/bc6j4juCdgQR1+yXJb/C8t+KmPJ1H87w4aYOQ
+3RPkfBwWOHgJPlgoXOyS1ld2hyGqIurfSUrUpTU4aZnn1Uh22nGq7P7O8UKVNYGs
+OCOLYzSR5S2LimawXM8rYnihf9C4K9ev1vCQ418zR3iTk0M7X6tPLNY=
+-----END RSA PRIVATE KEY-----

lib/SyTest/Homeserver/Synapse.pm

@@ -20,6 +20,8 @@ use POSIX qw( strftime WIFEXITED WEXITSTATUS );
 
 use YAML ();
 
+use SyTest::SSL qw( ensure_ssl_cert );
+
 sub _init
 {
    my $self = shift;
@@ -145,17 +147,30 @@ sub start
    my $macaroon_secret_key = "secret_$port";
    my $registration_shared_secret = "reg_secret";
 
-   my $cert = $self->{paths}{cert_file} = "$cwd/keys/tls-selfsigned.crt";
-   my $key  = $self->{paths}{key_file} = "$cwd/keys/tls-selfsigned.key";
+   $self->{paths}{cert_file} = "$hs_dir/tls.crt";
+   $self->{paths}{key_file} = "$hs_dir/tls.key";
+
+   ensure_ssl_cert( $self->{paths}{cert_file}, $self->{paths}{key_file}, $bind_host );
 
    my $config_path = $self->{paths}{config} = $self->write_yaml_file( "config.yaml" => {
         server_name => $self->server_name,
         log_file => "$log",
         ( -f $log_config_file ) ? ( log_config => $log_config_file ) : (),
-        tls_certificate_path => "$cwd/keys/tls-selfsigned.crt",
-        tls_private_key_path => "$cwd/keys/tls-selfsigned.key",
-        tls_dh_params_path => "$cwd/keys/tls.dh",
+
+        # We configure synapse to use a TLS cert which is signed by our dummy CA...
+        tls_certificate_path => $self->{paths}{cert_file},
+        tls_private_key_path => $self->{paths}{key_file},
+
+        # ... and configure it to trust that CA for federation connections...
+        federation_custom_ca_list => [
+           "$cwd/keys/ca.crt",
+        ],
+
+        # ... but synapse currently lacks such an option for non-federation
+        # connections. Instead we just turn of cert checking for them like
+        # this:
         use_insecure_ssl_client_just_for_testing_do_not_use => 1,
+
         rc_messages_per_second => 1000,
         rc_message_burst_count => 1000,
         rc_registration => {

lib/SyTest/SSL.pm

@@ -0,0 +1,58 @@
+# -*- coding: utf-8 -*-
+# Copyright 2019 The Matrix.org Foundation C.I.C.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package SyTest::SSL;
+
+use Exporter 'import';
+our @EXPORT_OK = qw(
+   ensure_ssl_cert
+);
+
+=head2 ensure_ssl_cert
+
+    ensure_ssl_cert( $cert_file, $key_file, $server_name );
+
+Ensure that an SSL certificate file and key file exist. If they do not,
+generate a key and/or certificate. The certificate will be signed by the test CA.
+
+=cut
+
+sub ensure_ssl_cert
+{
+   my ( $cert_file, $key_file, $server_name ) = @_;
+
+   if ( ! -e $key_file ) {
+      # todo: we can do this in pure perl
+      system("openssl", "genrsa", "-out", $key_file, "2048") == 0
+         or die "openssl genrsa failed $?";
+   }
+
+   if ( ! -e $cert_file ) {
+      # generate a CSR
+      my $csr_file = "$cert_file.csr";
+      system(
+         "openssl", "req", "-new", "-key", $key_file, "-out", $csr_file,
+         "-subj", "/CN=$server_name",
+      ) == 0 or die "openssl req failed $?";
+
+      # sign it with the CA
+      system(
+         "openssl", "x509", "-req", "-in", $csr_file,
+         "-CA", "keys/ca.crt", "-CAkey", "keys/ca.key", "-set_serial", 1,
+         "-out", $cert_file,
+      ) == 0 or die "openssl x509 failed $?";
+   }
+}
+

tests/01http-server.pl

@@ -1,18 +1,51 @@
+use Cwd qw( abs_path );
 use File::Basename qw( dirname );
+use File::Path qw( make_path );
 use Net::Async::HTTP::Server 0.09;  # request_class with bugfix
 use IO::Async::SSL;
 
 use SyTest::HTTPClient;
 use SyTest::HTTPServer::Request;
+use SyTest::SSL qw( ensure_ssl_cert );
 
 my $DIR = dirname( __FILE__ );
 
 struct Awaiter => [qw( pathmatch filter future )];
 
-push our @EXPORT, qw( ServerInfo await_http_request TEST_SERVER_INFO );
+push our @EXPORT, qw(
+   ServerInfo await_http_request TEST_SERVER_INFO
+   start_test_server_ssl
+);
 
 struct ServerInfo => [qw( server_name client_location federation_host federation_port )];
 
+=head2 start_test_server_ssl
+
+   my $listener = start_test_server_ssl( $server ) -> get;
+
+Creates a TLS cert signed by the CA, and configures an IO::Async::Listener to start listening with it.
+
+=cut
+
+sub start_test_server_ssl {
+   my ( $server ) = @_;
+
+   my $test_server_dir = abs_path( "test-server" );
+   -d $test_server_dir or make_path( $test_server_dir );
+
+   my $ssl_cert = "$test_server_dir/server.crt";
+   my $ssl_key = "$test_server_dir/server.key";
+   ensure_ssl_cert( $ssl_cert, $ssl_key, $BIND_HOST );
+
+   return $server->listen(
+      host          => $BIND_HOST,
+      service       => 0,
+      extensions    => [qw( SSL )],
+      SSL_key_file  => $ssl_key,
+      SSL_cert_file => $ssl_cert,
+   );
+}
+
 our $TEST_SERVER_INFO = fixture(
    requires => [],
 
@@ -25,13 +58,7 @@
       my $http_client;
       my $server_info;
 
-      $http_server->listen(
-         host => $BIND_HOST,
-         service => 0,
-         extensions => ["SSL"],
-         SSL_cert_file => "$DIR/../keys/tls-selfsigned.crt",
-         SSL_key_file => "$DIR/../keys/tls-selfsigned.key",
-      )->then( sub {
+      start_test_server_ssl( $http_server )->then( sub {
          my ( $listener ) = @_;
          my $sockport = $listener->read_handle->sockport;
 

tests/50federation/00prepare.pl

@@ -11,27 +11,14 @@
 use SyTest::Federation::Client;
 use SyTest::Federation::Server;
 
-
-
-my $DIR = dirname( __FILE__ );
-
 push our @EXPORT, qw( INBOUND_SERVER OUTBOUND_CLIENT create_federation_server );
 
 sub create_federation_server
 {
    my $server = SyTest::Federation::Server->new;
    $loop->add( $server );
 
-   $server->listen(
-      host          => $BIND_HOST,
-      service       => "",
-      extensions    => [qw( SSL )],
-      # Synapse currently only talks IPv4
-      family        => "inet",
-
-      SSL_key_file  => "$DIR/server.key",
-      SSL_cert_file => "$DIR/server.crt",
-   )->on_done( sub {
+   start_test_server_ssl( $server )->on_done( sub {
       my ( $server ) = @_;
       my $sock = $server->read_handle;