added expired and untrusted certs

jrobertboos · jrobertboos · commit 7f1a345f6a74 · 2026-03-30T09:51:30.000-04:00
diff --git a/tests/e2e/features/tls.feature b/tests/e2e/features/tls.feature
@@ -29,8 +29,19 @@ Feature: TLS configuration for remote inference providers
     """
      Then The status code of the response is 200
 
-  Scenario: Inference fails with an invalid CA certificate
-    Given Llama Stack is configured with CA certificate path "/certs/client.crt"
+  Scenario: Inference fails with an untrusted CA certificate
+    Given Llama Stack is configured with CA certificate path "/certs/untrusted-ca.crt"
+      And Llama Stack is restarted
+      And Lightspeed Stack is restarted
+     When I use "query" to ask question
+    """
+    {"query": "Say hello", "model": "mock-tls-model", "provider": "tls-openai"}
+    """
+     Then The status code of the response is 500
+      And The body of the response does not contain Hello from the TLS mock inference server
+
+  Scenario: Inference fails with an expired CA certificate
+    Given Llama Stack is configured with CA certificate path "/certs/expired-ca.crt"
       And Llama Stack is restarted
       And Lightspeed Stack is restarted
      When I use "query" to ask question
diff --git a/tests/e2e/mock_tls_inference_server/server.py b/tests/e2e/mock_tls_inference_server/server.py
@@ -11,6 +11,7 @@
 Certificates are generated on-the-fly using trustme at server startup.
 """
 
+import datetime
 import json
 import ssl
 import sys
@@ -21,6 +22,8 @@
 from typing import Any
 
 import trustme
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.x509 import CertificateBuilder, random_serial_number
 
 MODEL_ID = "mock-tls-model"
 
@@ -105,6 +108,31 @@ def _send_json(self, data: dict | list) -> None:
         self.wfile.write(payload)
 
 
+def _export_expired_ca_cert(ca: trustme.CA, path: Path) -> None:
+    """Re-sign a trustme CA certificate with expired validity dates.
+
+    Creates a copy of the CA's self-signed certificate but with validity
+    dates set in the past, making it an expired certificate.
+
+    Parameters:
+        ca: The trustme CA whose certificate and key to use.
+        path: File path to write the expired CA certificate PEM.
+    """
+    original = ca._certificate  # noqa: SLF001
+    now = datetime.datetime.now(datetime.timezone.utc)
+    builder = CertificateBuilder()
+    builder = builder.subject_name(original.subject)
+    builder = builder.issuer_name(original.issuer)
+    builder = builder.public_key(original.public_key())
+    builder = builder.serial_number(random_serial_number())
+    builder = builder.not_valid_before(now - datetime.timedelta(days=365))
+    builder = builder.not_valid_after(now - datetime.timedelta(days=1))
+    for ext in original.extensions:
+        builder = builder.add_extension(ext.value, ext.critical)
+    expired_cert = builder.sign(ca._private_key, hashes.SHA256())  # noqa: SLF001
+    path.write_bytes(expired_cert.public_bytes(serialization.Encoding.PEM))
+
+
 def _make_tls_context(
     ca: trustme.CA,
     server_cert: trustme.LeafCert,
@@ -174,6 +202,15 @@ def main() -> None:
     print(f"  Client cert: {certs_dir / 'client.crt'}")
     print(f"  Client key: {certs_dir / 'client.key'}")
 
+    # Export untrusted CA certificate (from a separate CA that did not sign the server cert)
+    untrusted_ca = trustme.CA()
+    untrusted_ca.cert_pem.write_to_path(str(certs_dir / "untrusted-ca.crt"))
+    print(f"  Untrusted CA cert: {certs_dir / 'untrusted-ca.crt'}")
+
+    # Export expired CA certificate (re-signed with past validity dates)
+    _export_expired_ca_cert(ca, certs_dir / "expired-ca.crt")
+    print(f"  Expired CA cert: {certs_dir / 'expired-ca.crt'}")
+
     print("=" * 60)
     print("Starting servers...")
     print("=" * 60)
diff --git a/tests/e2e/test_list.txt b/tests/e2e/test_list.txt
@@ -1,23 +1 @@
-features/faiss.feature
-features/inline_rag.feature
-features/smoketests.feature
-features/authorized_noop.feature
-features/authorized_noop_token.feature
-features/authorized_rh_identity.feature
-features/rbac.feature
-features/conversations.feature
-features/conversation_cache_v2.feature
-features/feedback.feature
-features/health.feature
-features/info.feature
-features/responses.feature
-features/responses_streaming.feature
-features/query.feature
-features/rlsapi_v1.feature
-features/rlsapi_v1_errors.feature
-features/streaming_query.feature
-features/rest_api.feature
-features/mcp.feature
-features/models.feature
-features/proxy.feature
 features/tls.feature
