From 9d9c03df02e30a0069c9e0b3fe743ac5f3fd9245 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Tue, 26 Oct 2021 15:03:12 +0000 Subject: [PATCH] tls: Avoid circular dependencies The `linkerd-tls` crate has a test dependency on `linkerd-tls-rustls`, which itself depends on `linkerd-tls`. This is an avoidable circular dependency. This change moves all of the TLS testdata from the `linkerd-tls-rustls` crate to the new `linkerd-tls-test-util` crate. The `tls_accept` test is moved from `linkerd-tls` to `linkerd-tls-rustls` so that `linkerd-tls` no longer depends on `linkerd-tls-rustls`. --- Cargo.lock | 12 +++- Cargo.toml | 1 + linkerd/proxy/identity/Cargo.toml | 3 +- linkerd/proxy/identity/src/certify.rs | 11 ++-- linkerd/stack/src/lib.rs | 1 + linkerd/tls/Cargo.toml | 3 - linkerd/tls/rustls/Cargo.toml | 10 ++- linkerd/tls/rustls/src/lib.rs | 25 ++++++-- linkerd/tls/rustls/src/test_util.rs | 60 ------------------ linkerd/tls/{ => rustls}/tests/tls_accept.rs | 48 +++++++++----- linkerd/tls/test-util/Cargo.toml | 6 ++ linkerd/tls/test-util/src/lib.rs | 27 ++++++++ .../src/testdata/bar-ns1-ca1/crt.der | Bin .../src/testdata/bar-ns1-ca1/csr.pem | 0 .../src/testdata/bar-ns1-ca1/key.p8 | Bin .../src/testdata/ca-config.json | 0 .../src/testdata/ca1-key.pem | 0 .../src/testdata/ca1.pem | 0 .../src/testdata/ca2-key.pem | 0 .../src/testdata/ca2.pem | 0 .../testdata/controller-linkerd-ca1/crt.der | Bin .../testdata/controller-linkerd-ca1/csr.pem | 0 .../testdata/controller-linkerd-ca1/key.p8 | Bin .../src/testdata/default-default-ca1/crt.der | Bin .../src/testdata/default-default-ca1/csr.pem | 0 .../src/testdata/default-default-ca1/key.p8 | Bin .../src/testdata/foo-ns1-ca1/crt.der | Bin .../src/testdata/foo-ns1-ca1/csr.pem | 0 .../src/testdata/foo-ns1-ca1/key.p8 | Bin .../src/testdata/foo-ns1-ca2/crt.der | Bin .../src/testdata/foo-ns1-ca2/csr.pem | 0 .../src/testdata/foo-ns1-ca2/key.p8 | Bin .../src/testdata/gen-certs.sh | 0 33 files changed, 115 insertions(+), 92 deletions(-) delete mode 100644 linkerd/tls/rustls/src/test_util.rs rename 
linkerd/tls/{ => rustls}/tests/tls_accept.rs (89%) create mode 100644 linkerd/tls/test-util/Cargo.toml create mode 100644 linkerd/tls/test-util/src/lib.rs rename linkerd/tls/{rustls => test-util}/src/testdata/bar-ns1-ca1/crt.der (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/bar-ns1-ca1/csr.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/bar-ns1-ca1/key.p8 (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/ca-config.json (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/ca1-key.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/ca1.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/ca2-key.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/ca2.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/controller-linkerd-ca1/crt.der (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/controller-linkerd-ca1/csr.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/controller-linkerd-ca1/key.p8 (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/default-default-ca1/crt.der (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/default-default-ca1/csr.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/default-default-ca1/key.p8 (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca1/crt.der (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca1/csr.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca1/key.p8 (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca2/crt.der (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca2/csr.pem (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/foo-ns1-ca2/key.p8 (100%) rename linkerd/tls/{rustls => test-util}/src/testdata/gen-certs.sh (100%) diff --git a/Cargo.lock b/Cargo.lock index d5a22bbaf9..cca5714a42 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -1165,6 +1165,7 @@ dependencies = [ "linkerd-stack", "linkerd-tls", "linkerd-tls-rustls", + "linkerd-tls-test-util", "linkerd2-proxy-api", "pin-project", "thiserror", @@ -1376,9 +1377,7 @@ dependencies = [ "linkerd-error", "linkerd-identity", "linkerd-io", - "linkerd-proxy-transport", "linkerd-stack", - "linkerd-tls-rustls", "linkerd-tracing", "pin-project", "thiserror", @@ -1393,17 +1392,26 @@ name = "linkerd-tls-rustls" version = "0.1.0" dependencies = [ "futures", + "linkerd-conditional", "linkerd-identity", "linkerd-io", + "linkerd-proxy-transport", "linkerd-stack", "linkerd-tls", + "linkerd-tls-test-util", + "linkerd-tracing", "ring", "thiserror", + "tokio", "tokio-rustls", "tracing", "webpki", ] +[[package]] +name = "linkerd-tls-test-util" +version = "0.1.0" + [[package]] name = "linkerd-tonic-watch" version = "0.1.0" diff --git a/Cargo.toml b/Cargo.toml index 3599140009..5d968659e0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -54,6 +54,7 @@ members = [ "linkerd/tonic-watch", "linkerd/tls", "linkerd/tls/rustls", + "linkerd/tls/test-util", "linkerd/tracing", "linkerd/transport-header", "linkerd/transport-metrics", diff --git a/linkerd/proxy/identity/Cargo.toml b/linkerd/proxy/identity/Cargo.toml index 703360c992..69538cfef6 100644 --- a/linkerd/proxy/identity/Cargo.toml +++ b/linkerd/proxy/identity/Cargo.toml @@ -8,7 +8,7 @@ publish = false [features] rustfmt = ["linkerd2-proxy-api/rustfmt"] -test-util = ["linkerd-tls-rustls/test-util"] +test-util = ["linkerd-tls-test-util", "linkerd-tls-rustls/test-util"] [dependencies] futures = { version = "0.3", default-features = false } 
@@ -19,6 +19,7 @@ linkerd-metrics = { path = "../../metrics" } linkerd-stack = { path = "../../stack" } linkerd-tls = { path = "../../tls" } linkerd-tls-rustls = { path = "../../tls/rustls" } +linkerd-tls-test-util = { path = "../../tls/test-util", optional = true } thiserror = "1" tokio = { version = "1", features = ["time", "sync"] } tonic = { version = "0.5", default-features = false } diff --git a/linkerd/proxy/identity/src/certify.rs b/linkerd/proxy/identity/src/certify.rs index fea85bd0bc..ce42e4eec9 100644 --- a/linkerd/proxy/identity/src/certify.rs +++ b/linkerd/proxy/identity/src/certify.rs @@ -196,16 +196,17 @@ impl LocalCrtKey { } #[cfg(feature = "test-util")] - pub fn for_test(id: &rustls::test_util::Identity) -> Self { - let crt_key = id.validate().expect("Identity must be valid"); + pub fn for_test(id: &linkerd_tls_test_util::Entity) -> Self { + let (trust_anchors, crt_key) = CrtKey::for_test(id); + let id = crt_key.id().clone(); let (tx, rx) = watch::channel(Some(crt_key)); // Prevent the receiver stream from ending. tokio::spawn(async move { tx.closed().await; }); Self { - id: id.id(), - trust_anchors: id.trust_anchors(), + id, + trust_anchors, crt_key: rx, refreshes: Arc::new(Counter::new()), } @@ -213,7 +214,7 @@ impl LocalCrtKey { #[cfg(feature = "test-util")] pub fn default_for_test() -> Self { - Self::for_test(&rustls::test_util::DEFAULT_DEFAULT) + Self::for_test(&linkerd_tls_test_util::DEFAULT_DEFAULT) } pub async fn await_crt(mut self) -> Result { diff --git a/linkerd/stack/src/lib.rs b/linkerd/stack/src/lib.rs index 08d7ffe419..ba939d6678 100644 --- a/linkerd/stack/src/lib.rs +++ b/linkerd/stack/src/lib.rs @@ -48,6 +48,7 @@ pub use self::{ unwrap_or::UnwrapOr, }; pub use tower::{ + service_fn, util::{future_service, FutureService, Oneshot, ServiceExt}, Service, }; diff --git a/linkerd/tls/Cargo.toml b/linkerd/tls/Cargo.toml index e7ade011c8..b8ace17c73 100644 --- a/linkerd/tls/Cargo.toml +++ b/linkerd/tls/Cargo.toml 
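Review bot: `LocalCrtKey::for_test` in the first certify.rs hunk has no doc comment, and its contract is not obvious from the signature. It calls `tokio::spawn` to hold the watch sender open, so it must run inside a Tokio runtime, and it now goes through `CrtKey::for_test`, which panics via `expect` on a bad fixture. I would add `/// Builds a LocalCrtKey from a static test fixture. Must be called within a Tokio runtime; panics if the fixture is invalid.` above it. The enclosing `impl LocalCrtKey` starts and ends outside the hunk.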
@@ -24,8 +24,5 @@ tracing = "0.1.29" untrusted = "0.7" [dev-dependencies] -linkerd-tls-rustls = { path = "rustls", features = ["test-util"] } -linkerd-proxy-transport = { path = "../proxy/transport" } linkerd-tracing = { path = "../tracing", features = ["ansi"] } tokio = { version = "1", features = ["rt-multi-thread"] } -tower = { version = "0.4.10", default-features = false, features = ["util"] } diff --git a/linkerd/tls/rustls/Cargo.toml b/linkerd/tls/rustls/Cargo.toml index 5655aa7540..c38a74f864 100644 --- a/linkerd/tls/rustls/Cargo.toml +++ b/linkerd/tls/rustls/Cargo.toml @@ -8,7 +8,7 @@ publish = false [features] default = [] -test-util = [] +test-util = ["linkerd-tls-test-util"] [dependencies] futures = { version = "0.3", default-features = false } @@ -16,8 +16,16 @@ linkerd-identity = { path = "../../identity" } linkerd-io = { path = "../../io" } linkerd-stack = { path = "../../stack" } linkerd-tls = { path = ".." } +linkerd-tls-test-util = { path = "../test-util", optional = true } ring = "0.16.19" thiserror = "1" tokio-rustls = "0.22" tracing = "0.1" webpki = "0.21" + +[dev-dependencies] +linkerd-conditional = { path = "../../conditional" } +linkerd-tls-test-util = { path = "../test-util" } +linkerd-proxy-transport = { path = "../../proxy/transport" } +linkerd-tracing = { path = "../../tracing", features = ["ansi"] } +tokio = { version = "1", features = ["rt-multi-thread"] } diff --git a/linkerd/tls/rustls/src/lib.rs b/linkerd/tls/rustls/src/lib.rs index 93e2eac166..11fa2692eb 100644 --- a/linkerd/tls/rustls/src/lib.rs +++ b/linkerd/tls/rustls/src/lib.rs @@ -3,8 +3,6 @@ mod client; mod server; -#[cfg(feature = "test-util")] -pub mod test_util; pub use self::{ client::{ClientIo, Connect, ConnectFuture}, @@ -96,8 +94,7 @@ impl sign::Signer for Signer { // === impl TrustAnchors === impl TrustAnchors { - #[cfg(feature = "test-util")] - fn empty() -> Self { + pub fn empty() -> Self { TrustAnchors(Arc::new(ClientConfig::new())) } 
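Review bot: Dropping `#[cfg(feature = "test-util")]` and adding `pub` in the last lib.rs hunk makes `TrustAnchors::empty()` part of the crate's unconditional public API. The only callers visible in this patch are the test fallbacks `unwrap_or_else(TrustAnchors::empty)`. A store built from a bare `ClientConfig::new()` presumably trusts no roots, so misuse should fail closed, but nothing on the function says so. If it has to stay public for the integration test, document it, e.g. `/// Returns a store with no trust anchors; intended for tests only.`; otherwise keep it gated. The enclosing `impl TrustAnchors` continues outside the hunk.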
@@ -224,6 +221,26 @@ impl From<&'_ Crt> for id::LocalId { // === CrtKey === impl CrtKey { + #[cfg(feature = "test-util")] + pub fn for_test(id: &linkerd_tls_test_util::Entity) -> (TrustAnchors, Self) { + let key = Key::from_pkcs8(id.key).expect("key must be valid"); + + let crt = { + let n = id.name.parse::().expect("name must be valid"); + let der = id.crt.iter().copied().collect(); + let expiry = std::time::SystemTime::now() + std::time::Duration::from_secs(60 * 60); + Crt::new(id::LocalId(n), der, vec![], expiry) + }; + + let anchors = { + let pem = std::str::from_utf8(id.trust_anchors).expect("utf-8"); + TrustAnchors::from_pem(pem).unwrap_or_else(TrustAnchors::empty) + }; + + let ck = anchors.certify(key, crt).expect("Identity must be valid"); + (anchors, ck) + } + pub fn name(&self) -> &id::Name { &self.id.0 } diff --git a/linkerd/tls/rustls/src/test_util.rs b/linkerd/tls/rustls/src/test_util.rs deleted file mode 100644 index eb8e23c4fc..0000000000 --- a/linkerd/tls/rustls/src/test_util.rs +++ /dev/null 
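Review bot: In `CrtKey::for_test`, `TrustAnchors::from_pem(pem).unwrap_or_else(TrustAnchors::empty)` hides a trust-anchor fixture that fails to parse. The helper carries on with an empty store, and the failure only surfaces later at `certify(key, crt).expect("Identity must be valid")`, which points at the wrong cause. Fail at the parse instead with `TrustAnchors::from_pem(pem).expect("trust anchors must be valid")`; the same line appears in `load` in linkerd/tls/rustls/tests/tls_accept.rs. With both fallbacks gone, `TrustAnchors::empty` would have no caller visible in this patch. A one-line doc comment noting that the `Crt` expiry is set to one hour from now, not read from the certificate, would also help.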
@@ -1,60 +0,0 @@ -use super::*; -use linkerd_identity::{LocalId, Name}; -use std::time::{Duration, SystemTime}; - -pub struct Identity { - pub name: &'static str, - pub trust_anchors: &'static [u8], - pub crt: &'static [u8], - pub key: &'static [u8], -} - -pub static DEFAULT_DEFAULT: Identity = Identity { - name: "default.default.serviceaccount.identity.linkerd.cluster.local", - trust_anchors: include_bytes!("testdata/ca1.pem"), - crt: include_bytes!("testdata/default-default-ca1/crt.der"), - key: include_bytes!("testdata/default-default-ca1/key.p8"), -}; - -pub static FOO_NS1: Identity = Identity { - name: "foo.ns1.serviceaccount.identity.linkerd.cluster.local", - trust_anchors: include_bytes!("testdata/ca1.pem"), - crt: include_bytes!("testdata/foo-ns1-ca1/crt.der"), - key: include_bytes!("testdata/foo-ns1-ca1/key.p8"), -}; - -pub static BAR_NS1: Identity = Identity { - name: "bar.ns1.serviceaccount.identity.linkerd.cluster.local", - trust_anchors: include_bytes!("testdata/ca1.pem"), - crt: include_bytes!("testdata/bar-ns1-ca1/crt.der"), - key: include_bytes!("testdata/bar-ns1-ca1/key.p8"), -}; - -impl Identity { - pub fn id(&self) -> LocalId { - LocalId(self.name.parse().expect("Invalid identity string")) - } - - pub fn trust_anchors(&self) -> TrustAnchors { - let pem = ::std::str::from_utf8(self.trust_anchors).expect("utf-8"); - TrustAnchors::from_pem(pem).unwrap_or_else(TrustAnchors::empty) - } - - pub fn key(&self) -> Key { - Key::from_pkcs8(self.key).expect("key must be valid") - } - - pub fn crt(&self) -> Crt { - const HOUR: Duration = Duration::from_secs(60 * 60); - - let n = self.name.parse::().expect("name must be valid"); - let der = self.crt.iter().copied().collect(); - Crt::new(LocalId(n), der, vec![], SystemTime::now() + HOUR) - } - - pub fn validate(&self) -> Result { - let k = self.key(); - let c = self.crt(); - self.trust_anchors().certify(k, c) - } -} 
diff --git a/linkerd/tls/tests/tls_accept.rs b/linkerd/tls/rustls/tests/tls_accept.rs similarity index 89% rename from linkerd/tls/tests/tls_accept.rs rename to linkerd/tls/rustls/tests/tls_accept.rs index e93aa098ae..21eafc3ce1 100644 --- a/linkerd/tls/tests/tls_accept.rs +++ b/linkerd/tls/rustls/tests/tls_accept.rs @@ -7,22 +7,21 @@ use futures::prelude::*; use linkerd_conditional::Conditional; -use linkerd_error::Infallible; +use linkerd_identity as id; use linkerd_io::{self as io, AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt}; use linkerd_proxy_transport::{ addrs::*, listen::{Addrs, Bind, BindTcp}, ConnectTcp, Keepalive, ListenAddr, }; -use linkerd_stack::{ExtractParam, InsertParam, NewService, Param, Service}; +use linkerd_stack::{ + layer::Layer, service_fn, ExtractParam, InsertParam, NewService, Param, Service, ServiceExt, +}; use linkerd_tls as tls; use linkerd_tls_rustls as rustls; -use std::{future::Future, net::SocketAddr, sync::mpsc, task, time::Duration}; +use linkerd_tls_test_util as test_util; +use std::{convert::Infallible, future::Future, net::SocketAddr, sync::mpsc, task, time::Duration}; use tokio::net::TcpStream; -use tower::{ - layer::Layer, - util::{service_fn, ServiceExt}, -}; use tracing::instrument::Instrument; type ServerConn = ( 
@@ -30,10 +29,29 @@ type ServerConn = ( io::EitherIo>, tls::server::DetectIo>, ); +fn load(id: &linkerd_tls_test_util::Entity) -> (rustls::TrustAnchors, rustls::CrtKey) { + let key = rustls::Key::from_pkcs8(id.key).expect("key must be valid"); + + let crt = { + let n = id.name.parse::().expect("name must be valid"); + let der = id.crt.iter().copied().collect(); + let expiry = std::time::SystemTime::now() + std::time::Duration::from_secs(60 * 60); + rustls::Crt::new(id::LocalId(n), der, vec![], expiry) + }; + + let anchors = { + let pem = std::str::from_utf8(id.trust_anchors).expect("utf-8"); + rustls::TrustAnchors::from_pem(pem).unwrap_or_else(rustls::TrustAnchors::empty) + }; + + let ck = anchors.certify(key, crt).expect("Identity must be valid"); + (anchors, ck) +} + #[tokio::test(flavor = "current_thread")] async fn plaintext() { - let server_tls = rustls::test_util::FOO_NS1.validate().unwrap(); - let client_tls = rustls::test_util::BAR_NS1.validate().unwrap(); + let (_, server_tls) = load(&test_util::FOO_NS1); + let (_, client_tls) = load(&test_util::BAR_NS1); let (client_result, server_result) = run_test( client_tls, Conditional::None(tls::NoClientTls::NotProvidedByServiceDiscovery), @@ -58,8 +76,8 @@ async fn plaintext() { #[tokio::test(flavor = "current_thread")] async fn proxy_to_proxy_tls_works() { - let server_tls = rustls::test_util::FOO_NS1.validate().unwrap(); - let client_tls = rustls::test_util::BAR_NS1.validate().unwrap(); + let (_, server_tls) = load(&test_util::FOO_NS1); + let (_, client_tls) = load(&test_util::BAR_NS1); let server_id = tls::ServerId(server_tls.name().clone()); let (client_result, server_result) = run_test( client_tls.clone(), 
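Review bot: `load` is a line-for-line copy of `CrtKey::for_test` from linkerd/tls/rustls/src/lib.rs, so the two fixture loaders can drift apart without any test noticing. Presumably the copy exists because this integration test is built without the `test-util` feature; if so, say that above the function, `// Mirrors CrtKey::for_test, which is only compiled with the test-util feature.`. The signature can also use the alias imported at the top of the file, `fn load(id: &test_util::Entity) -> (rustls::TrustAnchors, rustls::CrtKey)`, to match the `test_util::FOO_NS1` call sites.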
@@ -89,14 +107,12 @@ async fn proxy_to_proxy_tls_works() { #[tokio::test(flavor = "current_thread")] async fn proxy_to_proxy_tls_pass_through_when_identity_does_not_match() { - let server_tls = rustls::test_util::FOO_NS1.validate().unwrap(); + let (_, server_tls) = load(&test_util::FOO_NS1); // Misuse the client's identity instead of the server's identity. Any // identity other than `server_tls.server_identity` would work. - let client_tls = rustls::test_util::BAR_NS1 - .validate() - .expect("valid client cert"); - let sni = rustls::test_util::BAR_NS1.crt().name().clone(); + let (_, client_tls) = load(&test_util::BAR_NS1); + let sni = (**client_tls.id()).clone(); let (client_result, server_result) = run_test( client_tls, diff --git a/linkerd/tls/test-util/Cargo.toml b/linkerd/tls/test-util/Cargo.toml new file mode 100644 index 0000000000..0cc98c09a4 --- /dev/null +++ b/linkerd/tls/test-util/Cargo.toml @@ -0,0 +1,6 @@ +[package] +name = "linkerd-tls-test-util" +version = "0.1.0" +license = "Apache-2.0" +edition = "2018" +publish = false diff --git a/linkerd/tls/test-util/src/lib.rs b/linkerd/tls/test-util/src/lib.rs new file mode 100644 index 0000000000..d62b43c5f9 --- /dev/null +++ b/linkerd/tls/test-util/src/lib.rs 
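Review bot: `let sni = (**client_tls.id()).clone();` relies on two implicit derefs to get from the local id to the name. That is hard to read in a test whose whole point is which identity ends up in the SNI. `CrtKey::name()` returns `&id::Name` and the sibling test already uses `server_tls.name().clone()`, so `let sni = client_tls.name().clone();` should be equivalent and states the intent. The test function continues outside the hunk.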
@@ -0,0 +1,27 @@ +pub struct Entity { + pub name: &'static str, + pub trust_anchors: &'static [u8], + pub crt: &'static [u8], + pub key: &'static [u8], +} + +pub static DEFAULT_DEFAULT: Entity = Entity { + name: "default.default.serviceaccount.identity.linkerd.cluster.local", + trust_anchors: include_bytes!("testdata/ca1.pem"), + crt: include_bytes!("testdata/default-default-ca1/crt.der"), + key: include_bytes!("testdata/default-default-ca1/key.p8"), +}; + +pub static FOO_NS1: Entity = Entity { + name: "foo.ns1.serviceaccount.identity.linkerd.cluster.local", + trust_anchors: include_bytes!("testdata/ca1.pem"), + crt: include_bytes!("testdata/foo-ns1-ca1/crt.der"), + key: include_bytes!("testdata/foo-ns1-ca1/key.p8"), +}; + +pub static BAR_NS1: Entity = Entity { + name: "bar.ns1.serviceaccount.identity.linkerd.cluster.local", + trust_anchors: include_bytes!("testdata/ca1.pem"), + crt: include_bytes!("testdata/bar-ns1-ca1/crt.der"), + key: include_bytes!("testdata/bar-ns1-ca1/key.p8"), +}; diff --git a/linkerd/tls/rustls/src/testdata/bar-ns1-ca1/crt.der b/linkerd/tls/test-util/src/testdata/bar-ns1-ca1/crt.der similarity index 100% rename from linkerd/tls/rustls/src/testdata/bar-ns1-ca1/crt.der rename to linkerd/tls/test-util/src/testdata/bar-ns1-ca1/crt.der diff --git a/linkerd/tls/rustls/src/testdata/bar-ns1-ca1/csr.pem b/linkerd/tls/test-util/src/testdata/bar-ns1-ca1/csr.pem similarity index 100% rename from linkerd/tls/rustls/src/testdata/bar-ns1-ca1/csr.pem rename to linkerd/tls/test-util/src/testdata/bar-ns1-ca1/csr.pem diff --git a/linkerd/tls/rustls/src/testdata/bar-ns1-ca1/key.p8 b/linkerd/tls/test-util/src/testdata/bar-ns1-ca1/key.p8 similarity index 100% rename from linkerd/tls/rustls/src/testdata/bar-ns1-ca1/key.p8 rename to linkerd/tls/test-util/src/testdata/bar-ns1-ca1/key.p8 
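Review bot: The new linkerd/tls/test-util/src/lib.rs exposes private-key bytes through `pub` statics without any crate or item documentation saying they are fixtures. The keys, and the CA keys beside them in testdata, are checked into the repository. The crate also becomes an optional normal dependency through the `test-util` features of linkerd-tls-rustls and linkerd-proxy-identity, so any build that enables that feature compiles them in. Add a crate-level comment such as `//! Static TLS identities for tests. The embedded keys are public; never trust them outside tests.`. A short `///` on `Entity` should name the encoding of each field (PEM trust anchors, DER certificate, PKCS#8 key, as the file names and `Key::from_pkcs8` suggest).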
diff --git a/linkerd/tls/rustls/src/testdata/ca-config.json b/linkerd/tls/test-util/src/testdata/ca-config.json
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/ca-config.json
rename to linkerd/tls/test-util/src/testdata/ca-config.json
diff --git a/linkerd/tls/rustls/src/testdata/ca1-key.pem b/linkerd/tls/test-util/src/testdata/ca1-key.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/ca1-key.pem
rename to linkerd/tls/test-util/src/testdata/ca1-key.pem
diff --git a/linkerd/tls/rustls/src/testdata/ca1.pem b/linkerd/tls/test-util/src/testdata/ca1.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/ca1.pem
rename to linkerd/tls/test-util/src/testdata/ca1.pem
diff --git a/linkerd/tls/rustls/src/testdata/ca2-key.pem b/linkerd/tls/test-util/src/testdata/ca2-key.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/ca2-key.pem
rename to linkerd/tls/test-util/src/testdata/ca2-key.pem
diff --git a/linkerd/tls/rustls/src/testdata/ca2.pem b/linkerd/tls/test-util/src/testdata/ca2.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/ca2.pem
rename to linkerd/tls/test-util/src/testdata/ca2.pem
diff --git a/linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/crt.der b/linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/crt.der
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/crt.der
rename to linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/crt.der
diff --git a/linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/csr.pem b/linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/csr.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/csr.pem
rename to linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/csr.pem
diff --git a/linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/key.p8 b/linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/key.p8
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/controller-linkerd-ca1/key.p8
rename to linkerd/tls/test-util/src/testdata/controller-linkerd-ca1/key.p8
diff --git a/linkerd/tls/rustls/src/testdata/default-default-ca1/crt.der b/linkerd/tls/test-util/src/testdata/default-default-ca1/crt.der
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/default-default-ca1/crt.der
rename to linkerd/tls/test-util/src/testdata/default-default-ca1/crt.der
diff --git a/linkerd/tls/rustls/src/testdata/default-default-ca1/csr.pem b/linkerd/tls/test-util/src/testdata/default-default-ca1/csr.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/default-default-ca1/csr.pem
rename to linkerd/tls/test-util/src/testdata/default-default-ca1/csr.pem
diff --git a/linkerd/tls/rustls/src/testdata/default-default-ca1/key.p8 b/linkerd/tls/test-util/src/testdata/default-default-ca1/key.p8
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/default-default-ca1/key.p8
rename to linkerd/tls/test-util/src/testdata/default-default-ca1/key.p8
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca1/crt.der b/linkerd/tls/test-util/src/testdata/foo-ns1-ca1/crt.der
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca1/crt.der
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca1/crt.der
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca1/csr.pem b/linkerd/tls/test-util/src/testdata/foo-ns1-ca1/csr.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca1/csr.pem
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca1/csr.pem
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca1/key.p8 b/linkerd/tls/test-util/src/testdata/foo-ns1-ca1/key.p8
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca1/key.p8
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca1/key.p8
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca2/crt.der b/linkerd/tls/test-util/src/testdata/foo-ns1-ca2/crt.der
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca2/crt.der
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca2/crt.der
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca2/csr.pem b/linkerd/tls/test-util/src/testdata/foo-ns1-ca2/csr.pem
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca2/csr.pem
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca2/csr.pem
diff --git a/linkerd/tls/rustls/src/testdata/foo-ns1-ca2/key.p8 b/linkerd/tls/test-util/src/testdata/foo-ns1-ca2/key.p8
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/foo-ns1-ca2/key.p8
rename to linkerd/tls/test-util/src/testdata/foo-ns1-ca2/key.p8
diff --git a/linkerd/tls/rustls/src/testdata/gen-certs.sh b/linkerd/tls/test-util/src/testdata/gen-certs.sh
similarity index 100%
rename from linkerd/tls/rustls/src/testdata/gen-certs.sh
rename to linkerd/tls/test-util/src/testdata/gen-certs.sh