Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tests: further cleanup/generalization. #65

Merged
merged 6 commits into from
May 26, 2023
Merged

tests: further cleanup/generalization. #65

merged 6 commits into from
May 26, 2023

Conversation

cpu
Copy link
Member

@cpu cpu commented May 17, 2023

This branch follows #64 and introduces a few more helpful generalizations/cleanups that I made while writing CRL focused test cases.

Some highlights:

  • Lifts out common helper functions for generating end entity and CA certificates that can be shared by several of the more specific test case generators.
  • Tidies up some duplicated path manipulation/strings.
  • Adds simple command line flags to allow control over which test cases are generated and whether the cargo fmt and cargo test invocations are run post-generation.
  • Generalizes the CA certificate generation to allow generating intermediate certificates in addition to self-signed roots, and to allow optionally specifying key usage.

These changes do not affect the generated test cases so I haven't committed updated test files. We know the generator script + the test cases it spits out still work thanks to the CI improvements that landed in #64 :-)

cpu added 6 commits May 17, 2023 09:27
@cpu
tests: lift helpers for cert gen.
82086fa 
Also switch to using named arguments and sensible defaults when omitted.
@cpu
tests: tidy up path manip. and duplication.
a3abe10 
Previously there was a lot of duplicated path constants (e.g.
"name_constraints/"). We were also doing path manipulation in both
Python and Rust code.

This commit removes the duplication by introducing more variables. It
also lifts all of the path manipulation to the Python code and switches
to `os.path.join` instead of raw string bashing.
@cpu
tests: add simple CLI flags to generate.py
40e3717 
This allows choosing which test cases are generated, whether to run
cargo fmt, and whether to run cargo test. By default all tests are
generated and both cargo commands are run, matching pre-existing
behaviour.

These flags are helpful when developing new test cases as it allows
iterating on a subset without as much churn in the tree.
@cpu
tests: fixup stale comment
b357935 
The top header comment for generate.py was overly specific to the name
constraint test generation. This commit updates it to reflect the
current state of the script.
@cpu
tests: rename ISSUER_PRIVATE_KEY/PUBLIC_KEY.
fc246bf 
In future tests we will be generating intermediate issuers and so it's
helpful to differentiate the root trust anchor's private/public key from
other issuers in a certificate chain.
@cpu
tests: generalize ca_cert, allow optional KU.
d0ae722 
This commit adds two optional arguments to `ca_cert` to allow specifying
an issuer name and private key as opposed to always generating an issuer
certificate that is self-issued. This will allow the `ca_cert` helper to
be used to make longer certificate chains.

Similarly, a new argument to optionally provide an `x509.KeyUsage` is
added. This will allow generating issuer certificates that assert
different usage bits (e.g. including/excluding cRLSign).
@cpu cpu self-assigned this May 17, 2023
@cpu cpu mentioned this pull request May 17, 2023
Merged
djc
djc approved these changes May 26, 2023
View reviewed changes
Copy link
Member

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems okay.

The continued proliferation of Python code makes me wish we'd converted to Rust code sooner though. Also for some of these refactoring steps, making smaller commits that change one thing at a time would have helped make review easier.

@djc djc merged commit e282ccb into rustls:main May 26, 2023
@cpu cpu deleted the cpu-further-test-gen-cleanup branch May 26, 2023 11:51
@cpu
Copy link
Member Author

cpu commented May 26, 2023
edited
Loading

The continued proliferation of Python code makes me wish we'd converted to Rust code sooner though

It might be doable using rust-openssl but for cases like generating RSA keys, or making certain edge-case certs with invalid data, I'm not sure pure Rust alternatives like rcgen will get us what we need.

Also for some of these refactoring steps, making smaller commits that change one thing at a time would have helped make review easier.

Noted. Will try to break things up even further in the future.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@djc djc djc approved these changes

Assignees

@cpu cpu

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cpu @djc