Skip to content

Commit e8b8e7b

Browse files
khushijain21khushijain21
authored
[tlscommon] Add test helper methods (#269)
1 parent 46fafcc commit e8b8e7b

File tree

3 files changed

+305
-279
lines changed

3 files changed

+305
-279
lines changed

transport/tlscommon/ca_pinning_test.go

Lines changed: 0 additions & 148 deletions
Original file line numberDiff line numberDiff line change
@@ -20,19 +20,12 @@ package tlscommon
2020
import (
2121
"bytes"
2222
"context"
23-
"crypto/rand"
24-
"crypto/rsa"
25-
"crypto/sha256"
2623
"crypto/tls"
2724
"crypto/x509"
28-
"crypto/x509/pkix"
29-
"fmt"
30-
"math/big"
3125
"net"
3226
"net/http"
3327
"strings"
3428
"testing"
35-
"time"
3629

3730
"github.com/stretchr/testify/assert"
3831
"github.com/stretchr/testify/require"
@@ -41,8 +34,6 @@ import (
4134
"github.com/elastic/elastic-agent-libs/iobuf"
4235
)
4336

44-
var ser int64 = 1
45-
4637
func TestCAPinning(t *testing.T) {
4738
const (
4839
host = "127.0.0.1"
@@ -310,142 +301,3 @@ func TestCAPinning(t *testing.T) {
310301
require.Error(t, err)
311302
})
312303
}
313-
314-
func genCA() (tls.Certificate, error) {
315-
ca := &x509.Certificate{
316-
SerialNumber: serial(),
317-
Subject: pkix.Name{
318-
CommonName: "localhost",
319-
Organization: []string{"TESTING"},
320-
Country: []string{"CANADA"},
321-
Province: []string{"QUEBEC"},
322-
Locality: []string{"MONTREAL"},
323-
StreetAddress: []string{"testing road"},
324-
PostalCode: []string{"HOH OHO"},
325-
},
326-
NotBefore: time.Now(),
327-
NotAfter: time.Now().Add(1 * time.Hour),
328-
IsCA: true,
329-
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
330-
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
331-
BasicConstraintsValid: true,
332-
}
333-
334-
caKey, err := rsa.GenerateKey(rand.Reader, 2048) // less secure key for quicker testing.
335-
if err != nil {
336-
return tls.Certificate{}, fmt.Errorf("fail to generate RSA key: %w", err)
337-
}
338-
339-
ca.SubjectKeyId = generateSubjectKeyID(&caKey.PublicKey)
340-
341-
caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
342-
if err != nil {
343-
return tls.Certificate{}, fmt.Errorf("fail to create certificate: %w", err)
344-
}
345-
346-
leaf, err := x509.ParseCertificate(caBytes)
347-
if err != nil {
348-
return tls.Certificate{}, fmt.Errorf("fail to parse certificate: %w", err)
349-
}
350-
351-
return tls.Certificate{
352-
Certificate: [][]byte{caBytes},
353-
PrivateKey: caKey,
354-
Leaf: leaf,
355-
}, nil
356-
}
357-
358-
// genSignedCert generates a CA and KeyPair and remove the need to depends on code of agent.
359-
func genSignedCert(
360-
ca tls.Certificate,
361-
keyUsage x509.KeyUsage,
362-
isCA bool,
363-
commonName string,
364-
dnsNames []string,
365-
ips []net.IP,
366-
expired bool,
367-
) (tls.Certificate, error) {
368-
if commonName == "" {
369-
commonName = "You know, for search"
370-
}
371-
372-
notBefore := time.Now()
373-
notAfter := notBefore.Add(5 * time.Hour)
374-
375-
if expired {
376-
notBefore = notBefore.Add(-42 * time.Hour)
377-
notAfter = notAfter.Add(-42 * time.Hour)
378-
}
379-
// Create another Cert/key
380-
cert := &x509.Certificate{
381-
SerialNumber: big.NewInt(2000),
382-
383-
// SNA - Subject Alternative Name fields
384-
IPAddresses: ips,
385-
DNSNames: dnsNames,
386-
387-
Subject: pkix.Name{
388-
CommonName: commonName,
389-
Organization: []string{"TESTING"},
390-
Country: []string{"CANADA"},
391-
Province: []string{"QUEBEC"},
392-
Locality: []string{"MONTREAL"},
393-
StreetAddress: []string{"testing road"},
394-
PostalCode: []string{"HOH OHO"},
395-
},
396-
397-
NotBefore: notBefore,
398-
NotAfter: notAfter,
399-
IsCA: isCA,
400-
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
401-
KeyUsage: keyUsage,
402-
BasicConstraintsValid: true,
403-
}
404-
405-
certKey, err := rsa.GenerateKey(rand.Reader, 2048)
406-
if err != nil {
407-
return tls.Certificate{}, fmt.Errorf("fail to generate RSA key: %w", err)
408-
}
409-
410-
if isCA {
411-
cert.SubjectKeyId = generateSubjectKeyID(&certKey.PublicKey)
412-
}
413-
414-
certBytes, err := x509.CreateCertificate(
415-
rand.Reader,
416-
cert,
417-
ca.Leaf,
418-
&certKey.PublicKey,
419-
ca.PrivateKey,
420-
)
421-
422-
if err != nil {
423-
return tls.Certificate{}, fmt.Errorf("fail to create signed certificate: %w", err)
424-
}
425-
426-
leaf, err := x509.ParseCertificate(certBytes)
427-
if err != nil {
428-
return tls.Certificate{}, fmt.Errorf("fail to parse the certificate: %w", err)
429-
}
430-
431-
return tls.Certificate{
432-
Certificate: [][]byte{certBytes},
433-
PrivateKey: certKey,
434-
Leaf: leaf,
435-
}, nil
436-
}
437-
438-
func serial() *big.Int {
439-
ser = ser + 1
440-
return big.NewInt(ser)
441-
}
442-
443-
func generateSubjectKeyID(publicKey *rsa.PublicKey) []byte {
444-
// SubjectKeyId generated using method 1 in RFC 7093, Section 2:
445-
// 1) The keyIdentifier is composed of the leftmost 160-bits of the
446-
// SHA-256 hash of the value of the BIT STRING subjectPublicKey
447-
// (excluding the tag, length, and number of unused bits).
448-
publicKeyBytes := x509.MarshalPKCS1PublicKey(publicKey)
449-
h := sha256.Sum256(publicKeyBytes)
450-
return h[:20]
451-
}

0 commit comments

Comments
 (0)