tests: rework vendored certificates/keys

Cargo.toml

@@ -29,6 +29,7 @@ tls12 = ["rustls/tls12"]
 
 [dev-dependencies]
 argh = "0.1.1"
+rcgen = { version = "0.13", features = ["pem"] }
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1.1"

src/common/test_stream.rs

@@ -1,5 +1,6 @@
 use std::io::{self, Cursor, Read, Write};
 use std::pin::Pin;
+use std::sync::Arc;
 use std::task::{Context, Poll};
 
 use futures_util::future::poll_fn;
@@ -291,10 +292,10 @@ async fn stream_eof() -> io::Result<()> {
 
 fn make_pair() -> (ServerConnection, ClientConnection) {
     let (sconfig, cconfig) = utils::make_configs();
-    let server = ServerConnection::new(sconfig).unwrap();
+    let server = ServerConnection::new(Arc::new(sconfig)).unwrap();
 
     let domain = pki_types::ServerName::try_from("foobar.com").unwrap();
-    let client = ClientConnection::new(cconfig, domain).unwrap();
+    let client = ClientConnection::new(Arc::new(cconfig), domain).unwrap();
 
     (server, client)
 }

tests/certs/chain.pem

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIBsjCCAVmgAwIBAgIUB4Geg6rz4UzdIkSmPjAxGgVhu4MwCgYIKoZIzj0EAwIw
+JjEkMCIGA1UEAwwbUnVzdGxzIFJvYnVzdCBSb290IC0gUnVuZyAyMCAXDTc1MDEw
+MTAwMDAwMFoYDzQwOTYwMTAxMDAwMDAwWjAhMR8wHQYDVQQDDBZyY2dlbiBzZWxm
+IHNpZ25lZCBjZXJ0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEV2z0vS2Nvj1X
+k2ZkZNimz/tpEyFIHqHBAMu1ok1q6rioZm0wfKgaVfo2E+/PccibK6AuiK1ZnQ5L
+Wr3avkB+bqNoMGYwFQYDVR0RBA4wDIIKZm9vYmFyLmNvbTAdBgNVHSUEFjAUBggr
+BgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFJ8xoDmF470si+tMAE2wYQMHHdOT
+MA8GA1UdEwEB/wQFMAMBAQAwCgYIKoZIzj0EAwIDRwAwRAIgCEDfPgdEtKoUYtOp
+YUd7uSDv2VJd749Avwls04C1MaUCIGTikBJzN3dnQbRARkzdOY4gFp4nczCiYaZZ
+ucFJ3PiC
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIBiDCCAS+gAwIBAgIUIKoi4tHahiNaO6Vuw5V97xyOVXQwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAmMSQwIgYDVQQDDBtSdXN0bHMgUm9idXN0IFJvb3Qg
+LSBSdW5nIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASJs6dcYkh6yXeD72J3
+1JJWfiNkNL4DGhWj5LZhwtq5NxrE2sK/TnQdUHYMhVxKXN0RaRcBZRxoUFD4UFkm
+mdIKo0IwQDAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFOhbF/Vi9OjAC+bv6NTU
+JMLLV621MA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDRwAwRAIgWtRDzAcl
+DpVplxAT6/ZmSmYtjttIFs2fM65z6H+LpOQCIB/PcAK3NZ+Mjs3rtVMV5UmXW3Jf
+UaorChZwaCiO3vT8
+-----END CERTIFICATE-----

tests/certs/end.key

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1UjNBQsUBVfNWWtI
+uwNhUpyPeV1e3IjRm41VQauX1XOhRANCAARXbPS9LY2+PVeTZmRk2KbP+2kTIUge
+ocEAy7WiTWrquKhmbTB8qBpV+jYT789xyJsroC6IrVmdDktavdq+QH5u
+-----END PRIVATE KEY-----

tests/certs/main.rs

@@ -0,0 +1,66 @@
+//! An ignored-by-default integration test that regenerates vendored certs.
+//! Run with `cargo test -- --ignored` when test certificates need updating.
+//! Suitable for test certificates only. Not a production CA ;-)
+
+use rcgen::{
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, ExtendedKeyUsagePurpose, IsCa,
+    KeyPair, KeyUsagePurpose,
+};
+use std::fs::File;
+use std::io::Write;
+
+#[test]
+#[ignore]
+fn regenerate_certs() {
+    let root_key = KeyPair::generate().unwrap();
+    let root_ca = issuer_params("Rustls Robust Root")
+        .self_signed(&root_key)
+        .unwrap();
+
+    let mut root_file = File::create("tests/certs/root.pem").unwrap();
+    root_file.write_all(root_ca.pem().as_bytes()).unwrap();
+
+    let intermediate_key = KeyPair::generate().unwrap();
+    let intermediate_ca = issuer_params("Rustls Robust Root - Rung 2")
+        .signed_by(&intermediate_key, &root_ca, &root_key)
+        .unwrap();
+
+    let end_entity_key = KeyPair::generate().unwrap();
+    let mut end_entity_params =
+        CertificateParams::new(vec![utils::TEST_SERVER_DOMAIN.to_string()]).unwrap();
+    end_entity_params.is_ca = IsCa::ExplicitNoCa;
+    end_entity_params.extended_key_usages = vec![
+        ExtendedKeyUsagePurpose::ServerAuth,
+        ExtendedKeyUsagePurpose::ClientAuth,
+    ];
+    let end_entity = end_entity_params
+        .signed_by(&end_entity_key, &intermediate_ca, &intermediate_key)
+        .unwrap();
+
+    let mut chain_file = File::create("tests/certs/chain.pem").unwrap();
+    chain_file.write_all(end_entity.pem().as_bytes()).unwrap();
+    chain_file
+        .write_all(intermediate_ca.pem().as_bytes())
+        .unwrap();
+
+    let mut key_file = File::create("tests/certs/end.key").unwrap();
+    key_file
+        .write_all(end_entity_key.serialize_pem().as_bytes())
+        .unwrap();
+}
+
+fn issuer_params(common_name: &str) -> CertificateParams {
+    let mut issuer_name = DistinguishedName::new();
+    issuer_name.push(DnType::CommonName, common_name);
+    let mut issuer_params = CertificateParams::default();
+    issuer_params.distinguished_name = issuer_name;
+    issuer_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    issuer_params.key_usages = vec![
+        KeyUsagePurpose::KeyCertSign,
+        KeyUsagePurpose::DigitalSignature,
+    ];
+    issuer_params
+}
+
+// For the server name constant.
+include!("../utils.rs");

tests/certs/root.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBgDCCASagAwIBAgIUDKVcG8WKAVxMrpkvWBsSKu6G9swwCgYIKoZIzj0EAwIw
+HTEbMBkGA1UEAwwSUnVzdGxzIFJvYnVzdCBSb290MCAXDTc1MDEwMTAwMDAwMFoY
+DzQwOTYwMTAxMDAwMDAwWjAdMRswGQYDVQQDDBJSdXN0bHMgUm9idXN0IFJvb3Qw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjrQmsnBwZUT8iraiF5EAJFMZE3rgA
+oqDL6clNl7YtjKqH/E/BiVs+k+70Dz74Ibrm/z80f51fK/Ug2h5pSOp5o0IwQDAO
+BgNVHQ8BAf8EBAMCAoQwHQYDVR0OBBYEFMwwAap72bFsxZxK0ThGymdrjBfYMA8G
+A1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAJR/PB88zHsy0iotwCcG
+SPPOowWXb0Uzj6CPHBks25woAiB5Bg4+395Lr2K4UIh3zv0BFuSyXrFqvj+WMhUy
+4Z+WRw==
+-----END CERTIFICATE-----

tests/early-data.rs

@@ -1,14 +1,14 @@
 #![cfg(feature = "early-data")]
 
-use std::io::{self, BufReader, Cursor, Read, Write};
+use std::io::{self, Read, Write};
 use std::net::{SocketAddr, TcpListener};
 use std::pin::Pin;
 use std::sync::Arc;
 use std::task::{Context, Poll};
 use std::thread;
 
 use futures_util::{future::Future, ready};
-use rustls::{self, ClientConfig, RootCertStore, ServerConfig, ServerConnection, Stream};
+use rustls::{self, ClientConfig, ServerConnection, Stream};
 use tokio::io::{AsyncRead, AsyncReadExt, AsyncWriteExt, ReadBuf};
 use tokio::net::TcpStream;
 use tokio_rustls::{client::TlsStream, TlsConnector};
@@ -65,14 +65,7 @@ async fn test_0rtt_vectored() -> io::Result<()> {
 }
 
 async fn test_0rtt_impl(vectored: bool) -> io::Result<()> {
-    let cert_chain = rustls_pemfile::certs(&mut Cursor::new(include_bytes!("end.cert")))
-        .collect::<io::Result<Vec<_>>>()?;
-    let key_der =
-        rustls_pemfile::private_key(&mut Cursor::new(include_bytes!("end.rsa")))?.unwrap();
-    let mut server = ServerConfig::builder()
-        .with_no_client_auth()
-        .with_single_cert(cert_chain, key_der)
-        .unwrap();
+    let (mut server, mut client) = utils::make_configs();
     server.max_early_data_size = 8192;
     let server = Arc::new(server);
 
@@ -109,25 +102,15 @@ async fn test_0rtt_impl(vectored: bool) -> io::Result<()> {
         });
     });
 
-    let mut chain = BufReader::new(Cursor::new(include_str!("end.chain")));
-    let mut root_store = RootCertStore::empty();
-    for cert in rustls_pemfile::certs(&mut chain) {
-        root_store.add(cert.unwrap()).unwrap();
-    }
-
-    let mut config =
-        rustls::ClientConfig::builder_with_protocol_versions(&[&rustls::version::TLS13])
-            .with_root_certificates(root_store)
-            .with_no_client_auth();
-    config.enable_early_data = true;
-    let config = Arc::new(config);
+    client.enable_early_data = true;
+    let client = Arc::new(client);
     let addr = SocketAddr::from(([127, 0, 0, 1], server_port));
 
-    let (io, buf) = send(config.clone(), addr, b"hello", vectored).await?;
+    let (io, buf) = send(client.clone(), addr, b"hello", vectored).await?;
     assert!(!io.get_ref().1.is_early_data_accepted());
     assert_eq!("LATE:hello", String::from_utf8_lossy(&buf));
 
-    let (io, buf) = send(config, addr, b"world!", vectored).await?;
+    let (io, buf) = send(client, addr, b"world!", vectored).await?;
     assert!(io.get_ref().1.is_early_data_accepted());
     assert_eq!("EARLY:world!LATE:", String::from_utf8_lossy(&buf));