From 2f64c6ef552bd6b9c3e5eba64dbcc00eebf0f35f Mon Sep 17 00:00:00 2001
From: Guillaume Smaha
Date: Wed, 11 Jan 2023 17:02:39 +0100
Subject: [PATCH] Fix #390: Use code to generate certificates for client & server
---
 test/e2e/cert_utils_test.go | 263 +++++++++++++++++++++++++++++
 test/e2e/setup_test.go | 2 +-
 test/e2e/tls/client-ca/server.crt | 16 --
 test/e2e/tls/client-crt/client.crt | 16 --
 test/e2e/tls/client-crt/client.key | 15 --
 test/e2e/tls/server-ca/client.crt | 16 --
 test/e2e/tls/server-crt/server.crt | 16 --
 test/e2e/tls/server-crt/server.key | 15 --
 test/e2e/tls_test.go | 100 ++++++-----
 9 files changed, 312 insertions(+), 147 deletions(-)
 create mode 100644 test/e2e/cert_utils_test.go
 delete mode 100644 test/e2e/tls/client-ca/server.crt
 delete mode 100644 test/e2e/tls/client-crt/client.crt
 delete mode 100644 test/e2e/tls/client-crt/client.key
 delete mode 100644 test/e2e/tls/server-ca/client.crt
 delete mode 100644 test/e2e/tls/server-crt/server.crt
 delete mode 100644 test/e2e/tls/server-crt/server.key
diff --git a/test/e2e/cert_utils_test.go b/test/e2e/cert_utils_test.go
new file mode 100644
index 00000000..079ec07c
--- /dev/null
+++ b/test/e2e/cert_utils_test.go
@@ -0,0 +1,263 @@
+package e2e_test
+
+import (
+ "bytes"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/elliptic"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/tls"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "fmt"
+ "io/ioutil"
+ "math/big"
+ "net"
+ "os"
+ "path"
+ "time"
+
+ chclient "github.com/jpillora/chisel/client"
+ chserver "github.com/jpillora/chisel/server"
+)
+
+type tlsConfig struct {
+ serverTLS *chserver.TLSConfig
+ clientTLS *chclient.TLSConfig
+ tmpDir string
+}
+
+func (t *tlsConfig) Close() {
+ if t.tmpDir != "" {
+ os.RemoveAll(t.tmpDir)
+ }
+}
+
+func newTestTLSConfig() (*tlsConfig, error) {
+ tlsConfig := &tlsConfig{}
+ _, _, serverCertPEM, serverKeyPEM, err := certGetCertificate(&certConfig{
+ hosts: []string{
+ "0.0.0.0",
+ "localhost",
+ },
+ extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ })
+ if err != nil {
+ return nil, err
+ }
+ _, _, clientCertPEM, clientKeyPEM, err := certGetCertificate(&certConfig{
+ extKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ tlsConfig.tmpDir, err = ioutil.TempDir("", "")
+ if err != nil {
+ return nil, err
+ }
+
+ dirServerCA := path.Join(tlsConfig.tmpDir, "server-ca")
+ if err := os.Mkdir(dirServerCA, 0777); err != nil {
+ return nil, err
+ }
+ pathServerCACrt := path.Join(dirServerCA, "client.crt")
+ if err := ioutil.WriteFile(pathServerCACrt, clientCertPEM, 0666); err != nil {
+ return nil, err
+ }
+
+ dirClientCA := path.Join(tlsConfig.tmpDir, "client-ca")
+ if err := os.Mkdir(dirClientCA, 0777); err != nil {
+ return nil, err
+ }
+ pathClientCACrt := path.Join(dirClientCA, "server.crt")
+ if err := ioutil.WriteFile(pathClientCACrt, serverCertPEM, 0666); err != nil {
+ return nil, err
+ }
+
+ dirServerCrt := path.Join(tlsConfig.tmpDir, "server-crt")
+ if err := os.Mkdir(dirServerCrt, 0777); err != nil {
+ return nil, err
+ }
+ pathServerCrtCrt := path.Join(dirServerCrt, "server.crt")
+ if err := ioutil.WriteFile(pathServerCrtCrt, serverCertPEM, 0666); err != nil {
+ return nil, err
+ }
+ pathServerCrtKey := path.Join(dirServerCrt, "server.key")
+ if err := ioutil.WriteFile(pathServerCrtKey, serverKeyPEM, 0666); err != nil {
+ return nil, err
+ }
+
+ dirClientCrt := path.Join(tlsConfig.tmpDir, "client-crt")
+ if err := os.Mkdir(dirClientCrt, 0777); err != nil {
+ return nil, err
+ }
+ pathClientCrtCrt := path.Join(dirClientCrt, "client.crt")
+ if err := ioutil.WriteFile(pathClientCrtCrt, clientCertPEM, 0666); err != nil {
+ return nil, err
+ }
+ pathClientCrtKey := path.Join(dirClientCrt, "client.key")
+ if err := ioutil.WriteFile(pathClientCrtKey, clientKeyPEM, 0666); err != nil {
+ return nil, err
+ }
+
+ // for self signed cert, it needs the server cert, for real cert, this need to be the trusted CA cert
+ tlsConfig.serverTLS = &chserver.TLSConfig{
+ CA: pathServerCACrt,
+ Cert: pathServerCrtCrt,
+ Key: pathServerCrtKey,
+ }
+ tlsConfig.clientTLS = &chclient.TLSConfig{
+ CA: pathClientCACrt,
+ Cert: pathClientCrtCrt,
+ Key: pathClientCrtKey,
+ }
+ return tlsConfig, nil
+}
+
+type certConfig struct {
+ signCa *x509.Certificate
+ isCA bool
+ hosts []string
+ validFrom *time.Time
+ validFor *time.Time
+ extKeyUsage []x509.ExtKeyUsage
+ rsaBits int
+ ecdsaCurve string
+ ed25519Key bool
+}
+
+func certGetCertificate(c *certConfig) (*x509.Certificate, *tls.Certificate, []byte, []byte, error) {
+ var err error
+ var priv interface{}
+ switch c.ecdsaCurve {
+ case "":
+ if c.ed25519Key {
+ _, priv, err = ed25519.GenerateKey(rand.Reader)
+ } else {
+ rsaBits := c.rsaBits
+ if rsaBits == 0 {
+ rsaBits = 2048
+ }
+ priv, err = rsa.GenerateKey(rand.Reader, rsaBits)
+ }
+ case "P224":
+ priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+ case "P256":
+ priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+ case "P384":
+ priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+ case "P521":
+ priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+ default:
+ return nil, nil, nil, nil, fmt.Errorf("Unrecognized elliptic curve: %q", c.ecdsaCurve)
+ }
+ if err != nil {
+ return nil, nil, nil, nil, fmt.Errorf("Failed to generate private key: %v", err)
+ }
+
+ // ECDSA, ED25519 and RSA subject keys should have the DigitalSignature
+ // KeyUsage bits set in the x509.Certificate template
+ keyUsage := x509.KeyUsageDigitalSignature
+ // Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In
+ // the context of TLS this KeyUsage is particular to RSA key exchange and
+ // authentication.
+ if _, isRSA := priv.(*rsa.PrivateKey); isRSA {
+ keyUsage |= x509.KeyUsageKeyEncipherment
+ }
+
+ notBefore := time.Now()
+ if c.validFrom != nil {
+ notBefore = *c.validFrom
+ }
+
+ notAfter := time.Now().Add(24 * time.Hour)
+ if c.validFor != nil {
+ notAfter = *c.validFor
+ }
+
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ return nil, nil, nil, nil, fmt.Errorf("Failed to generate serial number: %v", err)
+ }
+
+ cert := &x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ OrganizationalUnit: []string{"test"},
+ Organization: []string{"Chisel"},
+ Country: []string{"us"},
+ Province: []string{"ma"},
+ Locality: []string{"Boston"},
+ CommonName: "localhost",
+ },
+ NotBefore: notBefore,
+ NotAfter: notAfter,
+
+ KeyUsage: keyUsage,
+ ExtKeyUsage: c.extKeyUsage,
+ BasicConstraintsValid: true,
+ }
+
+ for _, h := range c.hosts {
+ if ip := net.ParseIP(h); ip != nil {
+ cert.IPAddresses = append(cert.IPAddresses, ip)
+ } else {
+ cert.DNSNames = append(cert.DNSNames, h)
+ }
+ }
+
+ if c.isCA {
+ cert.IsCA = true
+ cert.KeyUsage |= x509.KeyUsageCertSign
+ }
+
+ ca := cert
+ if c.signCa != nil {
+ ca = c.signCa
+ }
+
+ certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, certGetPublicKey(priv), priv)
+ if err != nil {
+ return nil, nil, nil, nil, fmt.Errorf("Failed to create 
certificate: %v", err) + } + + certPEM := new(bytes.Buffer) + pem.Encode(certPEM, &pem.Block{ + Type: "CERTIFICATE", + Bytes: certBytes, + }) + + privBytes, err := x509.MarshalPKCS8PrivateKey(priv) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Unable to marshal private key: %v", err) + } + certPrivKeyPEM := new(bytes.Buffer) + pem.Encode(certPrivKeyPEM, &pem.Block{ + Type: "PRIVATE KEY", + Bytes: privBytes, + }) + + tlsCert, err := tls.X509KeyPair(certPEM.Bytes(), certPrivKeyPEM.Bytes()) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Unable to create x590 key pair: %v", err) + } + + return cert, &tlsCert, certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil +} + +func certGetPublicKey(priv interface{}) interface{} { + switch k := priv.(type) { + case *rsa.PrivateKey: + return &k.PublicKey + case *ecdsa.PrivateKey: + return &k.PublicKey + case ed25519.PrivateKey: + return k.Public().(ed25519.PublicKey) + default: + return nil + } +} diff --git a/test/e2e/setup_test.go b/test/e2e/setup_test.go index a01e119c..c6228757 100644 --- a/test/e2e/setup_test.go +++ b/test/e2e/setup_test.go @@ -16,7 +16,7 @@ import ( const debug = true -//test layout configuration +// test layout configuration type testLayout struct { server *chserver.Config client *chclient.Config diff --git a/test/e2e/tls/client-ca/server.crt b/test/e2e/tls/client-ca/server.crt deleted file mode 100644 index 395b2a1a..00000000 --- a/test/e2e/tls/client-ca/server.crt +++ /dev/null 
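Review bot: The `signCa` branch of `certGetCertificate` cannot yield a valid certificate: when `c.signCa` is set, `x509.CreateCertificate(rand.Reader, cert, ca, certGetPublicKey(priv), priv)` still passes `priv`, the new leaf's own key, as the signing key, but the signer must be the parent's private key (Go 1.16 and later refuse a signing key that does not match the parent's public key; older releases emit a signature that will not verify), and `certConfig` has no field to carry it. A `signKey` field and a signer chosen together with the parent fix this (below); nothing in the hunk sets `signCa` yet, so it only bites the first test that builds a real chain. In `newTestTLSConfig`, every `return nil, err` after the `ioutil.TempDir` call leaves the temp directory behind, since `Close` is only reachable through a returned config; a named error result, `func newTestTLSConfig() (_ *tlsConfig, err error)`, plus `defer func() { if err != nil { tlsConfig.Close() } }()` right after the `TempDir` check covers those exits, including the ones that shadow `err` with `:=`. The key files are written with `0666` and their directories created with `0777`; `0600`/`0700` costs nothing here and keeps private keys from ever being world-readable, and `filepath.Join` rather than `path.Join` keeps the paths correct on Windows. The two `pem.Encode` results are also discarded.
```go
type certConfig struct {
	signCa  *x509.Certificate
	signKey interface{} // private key matching signCa; required when signCa is set
	// … unchanged: remaining fields …
}

// … unchanged: key generation, template construction …

	// A self-signed certificate is signed with its own key; when an issuing CA
	// is supplied the signature must come from the CA's key, not the leaf's.
	ca, signer := cert, priv
	if c.signCa != nil {
		if c.signKey == nil {
			return nil, nil, nil, nil, fmt.Errorf("signCa set without signKey")
		}
		ca, signer = c.signCa, c.signKey
	}
	certBytes, err := x509.CreateCertificate(rand.Reader, cert, ca, certGetPublicKey(priv), signer)
	// … unchanged: PEM encoding and key pair assembly …
```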
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICezCCAeQCCQDwdWskfbwmzzANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMC
-dXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZCb3N0b24xDzANBgNVBAoMBkNoaXNl
-bDENMAsGA1UECwwEdGVzdDESMBAGA1UEAwwJbG9jYWxob3N0MSAwHgYJKoZIhvcN
-AQkBFhF3aWxseGlhQGdtYWlsLmNvbTAeFw0yMDA4MjQxOTQ4MTdaFw0zMDA4MjIx
-OTQ4MTdaMIGBMQswCQYDVQQGEwJ1czELMAkGA1UECAwCbWExDzANBgNVBAcMBkJv
-c3RvbjEPMA0GA1UECgwGQ2hpc2VsMQ0wCwYDVQQLDAR0ZXN0MRIwEAYDVQQDDAls
-b2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXdpbGx4aWFAZ21haWwuY29tMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC128s6L6YN0eNSNbI40URFHd9xzfnPlUcH
-n9n7D6YkJL7LsTAtUfjubNAX0Q1gclDnDZCfYi9UZVzzID4s1gZJZAEZGnce8loO
-a+WcPUgIOJngk2bwUHfrWPl+R5mvE9p60rfYNdo86wLMaLAJu+VagNmaoilSU7OS
-uZ/AgTUMFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEzq2qsH5VfmjUcvlhS4a7X5
-zOAtEIVB1+oef/1NcyT3PaMX0ry0Ddbo3NJs3G9KTF0k+TCGtT7nAG2jRQvs6omZ
-3+9C3x+6TQq+95KMBWXuZLZEPNa4iCGFbGrHq4wcWDehBAPSjdctqnmowd8yIgov
-gNSN2xEMPNKYIhHt0lyc
------END CERTIFICATE-----
diff --git a/test/e2e/tls/client-crt/client.crt b/test/e2e/tls/client-crt/client.crt
deleted file mode 100644
index d1f70592..00000000
--- a/test/e2e/tls/client-crt/client.crt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfTCCAeYCCQDIXTlEp6na1zANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
-dXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZCb3N0b24xDzANBgNVBAoMBkNoaXNl
-bDENMAsGA1UECwwEdGVzdDETMBEGA1UEAwwKbVRMU0NsaWVudDEgMB4GCSqGSIb3
-DQEJARYRd2lsbHhpYUBnbWFpbC5jb20wHhcNMjAwODI0MTk0ODQxWhcNMzAwODIy
-MTk0ODQxWjCBgjELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZC
-b3N0b24xDzANBgNVBAoMBkNoaXNlbDENMAsGA1UECwwEdGVzdDETMBEGA1UEAwwK
-bVRMU0NsaWVudDEgMB4GCSqGSIb3DQEJARYRd2lsbHhpYUBnbWFpbC5jb20wgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM4jt9TxHsCNegij34we4yzOykAuMVuz
-DzW++Jh4/xWeOoU3xb7I2ETIzmusIM70o2lm+e+gy9VfAAXaNgZg63QV54jRn2nk
-BWoXJYvYOJwt5YzOsLkbh6epSlrqYI0H34Sy5rEkacXCkcpcEvom/tvJ+SpHyIL1
-PYNN1CCx/eg5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAJysuLKCgVqMW628SFcpu
-ojtBSNy2KETDwmMTaLg/XTaAPOvxAO3W9F7KJ1JxVFf2oIW7ROL9sP862lSMQLZ5
-R45pBlPZycb1CQplD50wMqknaaMJ1qnld9Jkv802cJa2riqzdHb5rnjrewmuLOOB
-V0cZ9PJA3KdXbJW1o+WjQz4=
------END CERTIFICATE-----
diff --git a/test/e2e/tls/client-crt/client.key b/test/e2e/tls/client-crt/client.key
deleted file mode 100644
index a8afa33e..00000000
--- a/test/e2e/tls/client-crt/client.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICWwIBAAKBgQDOI7fU8R7AjXoIo9+MHuMszspALjFbsw81vviYeP8VnjqFN8W+
-yNhEyM5rrCDO9KNpZvnvoMvVXwAF2jYGYOt0FeeI0Z9p5AVqFyWL2DicLeWMzrC5
-G4enqUpa6mCNB9+EsuaxJGnFwpHKXBL6Jv7byfkqR8iC9T2DTdQgsf3oOQIDAQAB
-AoGAArLhAz6s4mR3xokusgzteHa0myZ/qu2rM07uvkBHRqctqPTT9+11N2FRooM8
-Yrk9MnIQr5xxTrfRrkHvFyJJstNX809ve9Klu1vbT+S19se/m+jLKTOtOoYoPRaK
-w7ekvjhLct00zQevphEX30xqA2S3HSjWD3HmjVwdadAUgQECQQDz+LShNRkJ97+n
-hiRgShHupW7CmAb67hrenbbzkCaY8Kf9cAFiscEmjH+lZsbufCgzVvHKDNKi9/JN
-dPTSQvURAkEA2E2D0BqTDOiqjwyueSr2V5m63mzWR0Jd1TAl0dxB6SBumYQQ1FFP
-DmQ/J3lcT2RTS+PmKAkuPpSOalw1kqggqQJAbotPVQgZG1IdjguS6epF68sbv6Jg
-70v58sqlfgDf7EaG56fbiNuf+BaLM+e41ZB+Kp0Hm5Rp0JvmN0B6OddK8QJAcZbD
-UdWiw3SrnNOcDCVzmC0y5Ptiy6kefYX7VmnEcxiE/DlOXTEVwwkB4UjqIQcedwwH
-IZ8wmcyJvXEO8SU5gQJAfHxBcFdX2vrDNNjm5GG11zrT86Ii+ieXa0Ty5vapRSsz
-FQH3KnM2t7nNDMlFOaHuvVXHmPasudtxBDc5xDoHNA==
------END RSA PRIVATE KEY-----
diff --git a/test/e2e/tls/server-ca/client.crt b/test/e2e/tls/server-ca/client.crt
deleted file mode 100644
index d1f70592..00000000
--- a/test/e2e/tls/server-ca/client.crt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICfTCCAeYCCQDIXTlEp6na1zANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMC
-dXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZCb3N0b24xDzANBgNVBAoMBkNoaXNl
-bDENMAsGA1UECwwEdGVzdDETMBEGA1UEAwwKbVRMU0NsaWVudDEgMB4GCSqGSIb3
-DQEJARYRd2lsbHhpYUBnbWFpbC5jb20wHhcNMjAwODI0MTk0ODQxWhcNMzAwODIy
-MTk0ODQxWjCBgjELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZC
-b3N0b24xDzANBgNVBAoMBkNoaXNlbDENMAsGA1UECwwEdGVzdDETMBEGA1UEAwwK
-bVRMU0NsaWVudDEgMB4GCSqGSIb3DQEJARYRd2lsbHhpYUBnbWFpbC5jb20wgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM4jt9TxHsCNegij34we4yzOykAuMVuz
-DzW++Jh4/xWeOoU3xb7I2ETIzmusIM70o2lm+e+gy9VfAAXaNgZg63QV54jRn2nk
-BWoXJYvYOJwt5YzOsLkbh6epSlrqYI0H34Sy5rEkacXCkcpcEvom/tvJ+SpHyIL1
-PYNN1CCx/eg5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAJysuLKCgVqMW628SFcpu
-ojtBSNy2KETDwmMTaLg/XTaAPOvxAO3W9F7KJ1JxVFf2oIW7ROL9sP862lSMQLZ5
-R45pBlPZycb1CQplD50wMqknaaMJ1qnld9Jkv802cJa2riqzdHb5rnjrewmuLOOB
-V0cZ9PJA3KdXbJW1o+WjQz4=
------END CERTIFICATE-----
diff --git a/test/e2e/tls/server-crt/server.crt b/test/e2e/tls/server-crt/server.crt
deleted file mode 100644
index 395b2a1a..00000000
--- a/test/e2e/tls/server-crt/server.crt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICezCCAeQCCQDwdWskfbwmzzANBgkqhkiG9w0BAQUFADCBgTELMAkGA1UEBhMC
-dXMxCzAJBgNVBAgMAm1hMQ8wDQYDVQQHDAZCb3N0b24xDzANBgNVBAoMBkNoaXNl
-bDENMAsGA1UECwwEdGVzdDESMBAGA1UEAwwJbG9jYWxob3N0MSAwHgYJKoZIhvcN
-AQkBFhF3aWxseGlhQGdtYWlsLmNvbTAeFw0yMDA4MjQxOTQ4MTdaFw0zMDA4MjIx
-OTQ4MTdaMIGBMQswCQYDVQQGEwJ1czELMAkGA1UECAwCbWExDzANBgNVBAcMBkJv
-c3RvbjEPMA0GA1UECgwGQ2hpc2VsMQ0wCwYDVQQLDAR0ZXN0MRIwEAYDVQQDDAls
-b2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXdpbGx4aWFAZ21haWwuY29tMIGfMA0G
-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC128s6L6YN0eNSNbI40URFHd9xzfnPlUcH
-n9n7D6YkJL7LsTAtUfjubNAX0Q1gclDnDZCfYi9UZVzzID4s1gZJZAEZGnce8loO
-a+WcPUgIOJngk2bwUHfrWPl+R5mvE9p60rfYNdo86wLMaLAJu+VagNmaoilSU7OS
-uZ/AgTUMFQIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAEzq2qsH5VfmjUcvlhS4a7X5
-zOAtEIVB1+oef/1NcyT3PaMX0ry0Ddbo3NJs3G9KTF0k+TCGtT7nAG2jRQvs6omZ
-3+9C3x+6TQq+95KMBWXuZLZEPNa4iCGFbGrHq4wcWDehBAPSjdctqnmowd8yIgov
-gNSN2xEMPNKYIhHt0lyc
------END CERTIFICATE-----
diff --git a/test/e2e/tls/server-crt/server.key b/test/e2e/tls/server-crt/server.key
deleted file mode 100644
index 2225ca98..00000000
--- a/test/e2e/tls/server-crt/server.key
+++ /dev/null
@@ -1,15 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC128s6L6YN0eNSNbI40URFHd9xzfnPlUcHn9n7D6YkJL7LsTAt
-UfjubNAX0Q1gclDnDZCfYi9UZVzzID4s1gZJZAEZGnce8loOa+WcPUgIOJngk2bw
-UHfrWPl+R5mvE9p60rfYNdo86wLMaLAJu+VagNmaoilSU7OSuZ/AgTUMFQIDAQAB
-AoGBAJva4JLfXyqc5HsCNdlnz2CEt4irBBsZTiSEpKX7xWFYdIPROP6+L972NmkS
-6qnrjtZV08oktXdY344l5eM7EWrFnqKH1pyTRUPnyKGY53jY4yZMad1GYMXLo8Mj
-gkEOsfIhuieEBKGXAX54moDLTFzn14q+V+7g3OrLmMYXFN7JAkEA54S00eeuy0Eg
-6+qx9dO4iDBp3qut5PShjda4M11MWobRQH71gO0g25qSrnw0x7BXJQl1hhgYtSUy
-zbaF+5ZORwJBAMkWxt55YDpXdP4vudugmzP7F8aSB6rUysowlv1uStFhARNYwgs+
-Tl9EGhFPF0ganNv4di1iYLarIKoWas8nNMMCQEex4ekKzSdmUNKeCGQvH3sVOwPY
-uG4pj4oED2DgqI90JoLJji9Rv5YiBQCBuDqKkkIG7t0Kw0P9dAEeX9lsT2sCQD5x
-iznEmSQkyliwe1d/LRLcMwrfh+/9eieFJS33lNYl+E6IrmENbQraO/oKBGHImdMY
-+aGoPf4bb95BbdN8Cj8CQECXWVHkFFVQ2B78r7ENWnmbVG5XJW/iwfaZtmbsPPrI
-KqGlB8leQcLLlCC48SCLlc64VtWOaJVxBDyvO4NuD/U=
------END RSA PRIVATE KEY-----
diff --git a/test/e2e/tls_test.go b/test/e2e/tls_test.go
index 593476e8..304fd937 100644
--- a/test/e2e/tls_test.go
+++ b/test/e2e/tls_test.go
@@ -1,6 +1,7 @@ package e2e_test import ( + "path" "testing" chclient "github.com/jpillora/chisel/client"
@@ -8,25 +9,22 @@ import ( ) func TestTLS(t *testing.T) { + tlsConfig, err := newTestTLSConfig() + if err != nil { + t.Fatal(err) + } + defer tlsConfig.Close() + tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ - TLS: chserver.TLSConfig{ - Cert: "tls/server-crt/server.crt", - Key: "tls/server-crt/server.key", - CA: "tls/server-ca/client.crt", - }, + TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, - TLS: chclient.TLSConfig{ - //for self signed cert, it needs the server cert, for real cert, this need to be the trusted CA cert - CA: "tls/client-ca/server.crt", - Cert: "tls/client-crt/client.crt", - Key: "tls/client-crt/client.key", - }, - Server: "https://localhost:" + tmpPort, + TLS: *tlsConfig.clientTLS, + Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote @@ -40,25 +38,24 @@ func TestTLS(t *testing.T) { } func TestMTLS(t *testing.T) { + tlsConfig, err := newTestTLSConfig() + if err != nil { + t.Fatal(err) + } + defer tlsConfig.Close() + //provide no client cert, server should reject the client request + tlsConfig.serverTLS.CA = path.Dir(tlsConfig.serverTLS.CA) + tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ - TLS: chserver.TLSConfig{ - CA: "tls/server-ca", - Cert: "tls/server-crt/server.crt", - Key: "tls/server-crt/server.key", - }, + TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, - TLS: chclient.TLSConfig{ - //for self signed cert, it needs the server cert, for real cert, this need to be the trusted CA cert - CA: "tls/client-ca/server.crt", - Cert: "tls/client-crt/client.crt", - Key: "tls/client-crt/client.key", - }, - Server: "https://localhost:" + tmpPort, + TLS: *tlsConfig.clientTLS, + Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote 
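Review bot: The comment above `tlsConfig.serverTLS.CA = path.Dir(tlsConfig.serverTLS.CA)` in TestMTLS, `//provide no client cert, server should reject the client request`, describes neither the line nor the test: the client still presents its cert and the request that follows is expected to succeed. What the line does is hand the server the `server-ca` directory instead of the `client.crt` file inside it, mirroring the removed `CA: "tls/server-ca"` setting, so the comment should say that, e.g. `//point the server at the CA directory rather than a single file; the client cert inside it must still verify`. The wording appears to have been copied from TestTLSMissingClientCert. TestMTLS continues past the end of this hunk.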
@@ -72,60 +69,59 @@ func TestMTLS(t *testing.T) { } func TestTLSMissingClientCert(t *testing.T) { + tlsConfig, err := newTestTLSConfig() + if err != nil { + t.Fatal(err) + } + defer tlsConfig.Close() + //provide no client cert, server should reject the client request + tlsConfig.clientTLS.Cert = "" + tlsConfig.clientTLS.Key = "" + tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ - TLS: chserver.TLSConfig{ - CA: "tls/server-ca/client.crt", - Cert: "tls/server-crt/server.crt", - Key: "tls/server-crt/server.key", - }, + TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, - TLS: chclient.TLSConfig{ - CA: "tls/client-ca/server.crt", - //provide no client cert, server should reject the client request - //Cert: "tls/client-crt/client.crt", - //Key: "tls/client-crt/client.key", - }, - Server: "https://localhost:" + tmpPort, + TLS: *tlsConfig.clientTLS, + Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote - _, err := post("http://localhost:"+tmpPort, "foo") + _, err = post("http://localhost:"+tmpPort, "foo") if err == nil { t.Fatal(err) } } func TestTLSMissingClientCA(t *testing.T) { + tlsConfig, err := newTestTLSConfig() + if err != nil { + t.Fatal(err) + } + defer tlsConfig.Close() + //specify a CA which does not match the client cert + //server should reject the client request + //provide no client cert, server should reject the client request + tlsConfig.serverTLS.CA = tlsConfig.clientTLS.CA + tmpPort := availablePort() //setup server, client, fileserver teardown := simpleSetup(t, &chserver.Config{ - TLS: chserver.TLSConfig{ - //specify a CA which does not match the client cert - //server should reject the client request - CA: "tls/server-crt/server.crt", - Cert: "tls/server-crt/server.crt", - Key: "tls/server-crt/server.key", - }, + TLS: *tlsConfig.serverTLS, }, &chclient.Config{ Remotes: []string{tmpPort + ":$FILEPORT"}, - TLS: chclient.TLSConfig{ - 
//for self signed cert, it needs the server cert, for real cert, this need to be the trusted CA cert - CA: "tls/client-ca/server.crt", - Cert: "tls/client-crt/client.crt", - Key: "tls/client-crt/client.key", - }, - Server: "https://localhost:" + tmpPort, + TLS: *tlsConfig.clientTLS, + Server: "https://localhost:" + tmpPort, }) defer teardown() //test remote - _, err := post("http://localhost:"+tmpPort, "foo") + _, err = post("http://localhost:"+tmpPort, "foo") if err == nil { t.Fatal(err) }
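Review bot: In TestTLSMissingClientCA the three stacked comments contradict each other: `//provide no client cert, server should reject the client request` is copied from TestTLSMissingClientCert, but here the client does send its cert; the expected rejection comes from `tlsConfig.serverTLS.CA = tlsConfig.clientTLS.CA`, which makes the server trust only the server's own certificate (that path is written from `serverCertPEM` in `newTestTLSConfig`), so the self-signed client cert cannot chain to it. Dropping that third comment line and keeping the two above it is enough. Both negative tests still accept any error from `post` (`if err == nil { t.Fatal(err) }`, which would also print `<nil>` when it fires), so a server that failed to start for an unrelated reason passes them; that check predates this commit, but asserting on the client's handshake failure rather than on a bare non-nil error would make the rejection meaningful. TestTLSMissingClientCA closes after the end of this hunk.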