Generate mock certificates

tchap · tchap · commit 83708b22bb27 · 2025-09-23T15:31:51.000+02:00
diff --git a/pkg/operator/staticpod/certsyncpod/certsync_controller_linux_test.go b/pkg/operator/staticpod/certsyncpod/certsync_controller_linux_test.go
@@ -5,6 +5,13 @@ package certsyncpod
 import (
 	"bytes"
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
 	"os"
 	"path/filepath"
 	"sync"
@@ -28,6 +35,10 @@ func TestDynamicCertificates(t *testing.T) {
 		Name:      "s1",
 	}
 
+	// Generate all necessary keypairs.
+	tlsCert, tlsKey := generateKeypair(t)
+	tlsCertUpdated, tlsKeyUpdated := generateKeypair(t)
+
 	// Write the keypair into a secret directory.
 	secretDir := filepath.Join(t.TempDir(), "secrets", om.Name)
 	certFile := filepath.Join(secretDir, "tls.crt")
@@ -36,10 +47,10 @@ func TestDynamicCertificates(t *testing.T) {
 	if err := os.MkdirAll(secretDir, 0700); err != nil {
 		t.Fatalf("Failed to create secret directory %q: %v", secretDir, err)
 	}
-	if err := os.WriteFile(certFile, []byte(tlsCert), 0600); err != nil {
+	if err := os.WriteFile(certFile, tlsCert, 0600); err != nil {
 		t.Fatalf("Failed to write TLS certificate into %q: %v", certFile, err)
 	}
-	if err := os.WriteFile(keyFile, []byte(tlsKey), 0600); err != nil {
+	if err := os.WriteFile(keyFile, tlsKey, 0600); err != nil {
 		t.Fatalf("Failed to write TLS key into %q: %v", keyFile, err)
 	}
 
@@ -52,7 +63,7 @@ func TestDynamicCertificates(t *testing.T) {
 
 	// Check the initial keypair is loaded.
 	cert, key := dc.CurrentCertKeyContent()
-	if !bytes.Equal(cert, []byte(tlsCert)) || !bytes.Equal(key, []byte(tlsKey)) {
+	if !bytes.Equal(cert, tlsCert) || !bytes.Equal(key, tlsKey) {
 		t.Fatal("Unexpected initial keypair loaded")
 	}
 
@@ -68,7 +79,7 @@ func TestDynamicCertificates(t *testing.T) {
 
 	// Poll until update detected.
 	recorder := eventstesting.NewTestingEventRecorder(t)
-	files := map[string]string{
+	files := map[string][]byte{
 		"tls.crt": tlsCertUpdated,
 		"tls.key": tlsKeyUpdated,
 	}
@@ -82,110 +93,63 @@ func TestDynamicCertificates(t *testing.T) {
 		// Check the loaded content matches.
 		// This is most probably updated based on write in a previous Poll invocation.
 		cert, key := dc.CurrentCertKeyContent()
-		return bytes.Equal(cert, []byte(tlsCertUpdated)) && bytes.Equal(key, []byte(tlsKeyUpdated)), nil
+		return bytes.Equal(cert, tlsCertUpdated) && bytes.Equal(key, tlsKeyUpdated), nil
 	})
 	if err != nil {
 		t.Fatalf("Failed to wait for dynamic certificate: %v", err)
 	}
 }
 
-const (
-	tlsCert = `-----BEGIN CERTIFICATE-----
-MIIDDzCCAfegAwIBAgIUNizZp8wiNCSTBiwtNLz2uS/UxJYwDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDkxODEyMDI1NFoXDTI1MTAx
-ODEyMDI1NFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAwCFBu6vi5JqeCEHJvE97xdhlXX2BEgWS16ikEa6oGOBi
-Q0P1TdW+0GgQYRviuWq0/3Ql2GnrWlulVMZfVGDnwVJNjRvNbPUCOXieP8JIj79x
-Hua6tdwvin69kB6yvhMKPi6h5tmPDgxmcOAU/IZzSkm62kJ8ygJ7nlpD3VcBowj1
-2nGQf3KVXG50YU+/2IFP8iaEj/KsCs1yd0oXlqHHELIWq+9scHYdA1pH+CqZC+u0
-CKJKG2Umgj4cgby9ltOqOsmr2rMXVq5tle381tu9QGqEeJJ3TpnmCb9z5+TLdUAB
-jdBHQKiKXhhVpIKbDScsZ1rmVZ34t1jFFJlHFflqCQIDAQABo1kwVzAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB
-MB0GA1UdDgQWBBSzdSuyIKFJtdCOA3nPtV/WJMhuNDANBgkqhkiG9w0BAQsFAAOC
-AQEAWhg6qUZ5l6qHx6OdhlekkVtmgAIplxtpMHbmCjMFcTA+qc1W56a6X/9fPRyy
-Wb/8B2biu2cQ9uoLiiZo+2VhnsmvbqeSWhAVPkTWf1ojDq3VmfK+y12rwX5t4VOv
-NdOJabSufjjmTGzjuNqD+6n43JRu42TCAgbMccdGQzHk9xIBRD7Ik886PYYe3E+G
-4Wha7/jMFaUF0z0FBqIKJbDPB51R2w8g5D5mR4Ylm9tRidxz39qfNHNEWPpp/pVH
-l5h1v53gThzzktCzKQKjgUTzUi4qvqnxRPxHgixfAbvvSYlC3+HizVSuK6j53t+k
-qdEbfjD2fIjpTY91oFX78tVdoA==
------END CERTIFICATE-----
-`
-	tlsKey = `-----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDAIUG7q+Lkmp4I
-Qcm8T3vF2GVdfYESBZLXqKQRrqgY4GJDQ/VN1b7QaBBhG+K5arT/dCXYaetaW6VU
-xl9UYOfBUk2NG81s9QI5eJ4/wkiPv3Ee5rq13C+Kfr2QHrK+Ewo+LqHm2Y8ODGZw
-4BT8hnNKSbraQnzKAnueWkPdVwGjCPXacZB/cpVcbnRhT7/YgU/yJoSP8qwKzXJ3
-SheWoccQshar72xwdh0DWkf4KpkL67QIokobZSaCPhyBvL2W06o6yavasxdWrm2V
-7fzW271AaoR4kndOmeYJv3Pn5Mt1QAGN0EdAqIpeGFWkgpsNJyxnWuZVnfi3WMUU
-mUcV+WoJAgMBAAECggEAEMuXdHFtLzC4+d3OZdDI8B2fltGe09V65bFPTmBnP212
-CY1KR1iVCqDeNa77XdwPIHmlyUpREaALTuLceILUH5kzQE+a4Jh2blG1+7rfHvnM
-SLhAwB8UZNX5ejzEwUrmzVLEQmroT4ET/3AHRZ/3OhpB5EyFnh8jcU9QuWuesAK0
-biAfn67Vxc3AOUuzvQMqltgJSzc6MBUETyBmxUEXsGxpSw3Ma/ieMPs8hTS60aU3
-TrzkgHD9mBTdpLpSYHmAXYJJOTylVcYYuTWzEoEjNJDTaZf/HiQTC93NZ/M2Kl6s
-kSwT+HaRDfU0BaBbjfPNSXwEUhSvd0JuEie7cpdAxQKBgQD7ivVizx9QUbQkJfkb
-OokCXo/Tjz5uqGq7gMvDdnl34PMju/tG/e+DHphEpetd5cDPg5nEpwhDe7ztbepn
-8UrDTV5RPkwNs9u9eskW8cmELsKjpoodMCXOeEaT3QeYA2fwe5A1X3ILSAPPZAOK
-0YKzr3S/7JSMCiD8+OlxrkPVywKBgQDDiMqFugvMUcDhgByj9aVitkfn3VXB/tGE
-D3DLLoHnt8MpehIbzkMeoDEqqz+K8ItHuOdPSA7dhqP2CG2zDBeWlVxlfZ7S1WMW
-YEwp2frdnLbCXwo93zc5Cje2XMnkU44GzPW1LdLTbY/PodkNAHa0F4LeayMBKsmH
-d7Oxu2rk+wKBgFWhOmPGqpxHFBHyM1kHljiORFv6uYAmKR9nevYxUKx0kZCqn6HN
-NEnokmFcMkGmwvphjGkbi36dkvUoo9F6nL7bia4SjQVlIvrf37DF4pny6SOYwA+r
-olMlMrGHXtxq3GlLRw5ETah1fYaOP350UBAnPJFRUkhR8mTrv1yJvGH9AoGAUPTL
-1P4ocFnQ4Axoz0GfTfVmZAtxvDZCjMjPzG/e/Q9KUFvoL3cAtydf8+ifEGlzYSif
-LGYLMZDTRcRLlvwEsCX68VJHdcc/lT4dip5jjWmbCXLMDL3kYUtnsatNM6mcfhhS
-CseEKGGOT0sVUJrGit3JI0l8XrlWYy4eShHsug0CgYBDTFYrnc8pSZn5SQwHVRkc
-hEW+WWdaTjmuaUx0I/ce4rocLHiO+bTM2hjYNL52xn62L2N7p+1wQBfChcI1wFbU
-w6An158oz0ldvlmxQk7CIyEoQNY+snSxOmZFXILDdp7mPbHhtavJj5vruY5VIHYs
-n4dXmvaEIZfo5M7UBlYW1A==
------END PRIVATE KEY-----
-`
-	tlsCertUpdated = `-----BEGIN CERTIFICATE-----
-MIIDDzCCAfegAwIBAgIUIcqFTfK2NxKU2YAyPdt/IL2TGl0wDQYJKoZIhvcNAQEL
-BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDkxODEyNDI1NloXDTI1MTAx
-ODEyNDI1NlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAlwJe+8tKBE/Q+epUKl7UI+R/8es0U11BuaQIF6iT0FvE
-DbEyFLAxvNPoE9m+Bu/wXivzkfEcXaxpHcDE6jA/A51TX/cDKwZAD6aMOovmG4b+
-SJDTtbtRzZcEwyWqwK43cbK12O/D+TTV2/0lZYisA/EoAoWjGb6uY053xcBn6+Cf
-+6+cZ5slBizrIcY87U2a039hRBaAb/1Wss+Ogj22eYJotYxFeuptWhqKP4cvn6nZ
-r+HPaio/Eq2LRVb0tAzSuIATleo9k9443EnNB63TkgeW2RTTsFvSK6R7EWN4Kcdk
-ubxhPMuUyWgCsSEwYTu19BVrwBIlZjZpNETsqtbDbQIDAQABo1kwVzAUBgNVHREE
-DTALgglsb2NhbGhvc3QwCwYDVR0PBAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMB
-MB0GA1UdDgQWBBSkjhnvdVmMb+9DKQ4lQNmnwM1IHjANBgkqhkiG9w0BAQsFAAOC
-AQEAU0YlNhE0iaNJk/rvlXqkD/1O4b7pM8+aOHN54crVAgaA3fNZOcNelMuxPhFj
-mHpvM8L09wwlueVHudFier5g41mhgbkN7jsHZJlKG7ZjW5GJVggshn+bFmAYK/VS
-JSvJe+QcUMJeWANjbV3pMgg3Is/edhOMeJawvqHjSQMNT6qln4/9MgBTuSiEnpOh
-3MzmMXaFQLfFIDeuQY0dTM6Sx2Yn8EAmMuhjClLUdlPMskOk4vasqnbZuARp6bUe
-ZofmJ2YNG4PsXZQak7p6WSkt9HqGll7a9UBFSAI2O4a3D3MahdRNMcwi8LDzZr/y
-Vj72VewkK8yf+sPJ/nmkY/2j/w==
------END CERTIFICATE-----
-`
-	tlsKeyUpdated = `-----BEGIN PRIVATE KEY-----
-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCXAl77y0oET9D5
-6lQqXtQj5H/x6zRTXUG5pAgXqJPQW8QNsTIUsDG80+gT2b4G7/BeK/OR8RxdrGkd
-wMTqMD8DnVNf9wMrBkAPpow6i+Ybhv5IkNO1u1HNlwTDJarArjdxsrXY78P5NNXb
-/SVliKwD8SgChaMZvq5jTnfFwGfr4J/7r5xnmyUGLOshxjztTZrTf2FEFoBv/Vay
-z46CPbZ5gmi1jEV66m1aGoo/hy+fqdmv4c9qKj8SrYtFVvS0DNK4gBOV6j2T3jjc
-Sc0HrdOSB5bZFNOwW9IrpHsRY3gpx2S5vGE8y5TJaAKxITBhO7X0FWvAEiVmNmk0
-ROyq1sNtAgMBAAECggEADbGaWW0C5kcypScZwMnepO6Yp6Bzm0euqR312edgmBlq
-Ou+hofykVgJFXl91ev2RJ4kGymo570iuM5OCh9YeML64i9BDikhD0OeCeeCr2j0w
-m/X+LNGyxlj2hpfI1zY1MutI0EZV2ChxaESZeo6dQrJAtZHWy4PeHoVEGTuscNhH
-FZSUjqnJxxYUIH5ypHF13yYE++BtTfUW0lKVoYjV1w8a/qKiJTLukZy452wFkJ6a
-pwOmZF0F5oxrhe8hdG6WP3CeGnr4Bv6OKSmBG3N/fNbEXfk7zMLiZo74hUYgrKfy
-YfwHI5pbwURl+Ust69uyn8EDRfBhqQCNqdB4iNOA4QKBgQDOnx3MrluSDSb+kJ86
-CwwN6MCWLn20Rq36afmTW8iUvSmbKO/KyYbrVY/+qsoSQ89L3doE5O2YHsu08OJ7
-BGJMxfFZ71+OTcvCl5iirkg/2g530cf1/QcYhtqc6+WDvluZUxt4ZpE+jyERQaG3
-EzaJLPoIbMT+DyCwfXcKWjndCQKBgQC7GPRzA4oTj0csxLuH8y4yIT2wbMPHiSML
-f96OHroUhBeVbruL4y5cu9EJyYKIM9Q1yi13Ce+T+YLlFvUgUpPK/zpF5sPICz+Z
-TRs055t3tG4QOLm6gfrGlyka6n5CLlANT1mSDghlfh1zXZ1m/vME6cFxwgVzGBlE
-ptxBoQiwRQKBgEB+GecRZTOpN0quCYUsfY6536MAz+u9RACto2EDfRAwGxR7Kp25
-WYuLIW70EC6zS7j6flqYujCJLDxGE+sh6yzbfAH+XW0lizwp5VKh45tKjMmJiUiW
-uehF72abmwAMIrsw3ZovKZbFRiUEv11NefBHQaPvj21de26bOtTYZMdBAoGAMMt9
-VVGi/R7s7RwR3I7riV9p+00icjOt1B3xKReSaC9bBznt57nEKaNCDU9kn6kEu1KT
-MOyCcxErthuaqmde7B5MUFay0MU+PPkDE3Uj8sA3xDtHFQE5KfnaWo61hwUVE6OS
-NKk8P1v4ylGr72SmdK2SKdz0FuQ+Es2BvAwHfBECgYAPVRckudv8Yx4/dXVkhBkM
-b5V7VUwWYq2Dmwzf83p2C3gqoXbO8d91pkIQhcc+LhC4umYisNFx5cuEfkzJXTBT
-zQWIuZVz5eekCOb+Egi/kBrheenpc+/7NXCx2km1zegN4dn2Njusb0XgLVFMvCkQ
-a3PRfBcOqez6+lxuQkb+NQ==
------END PRIVATE KEY-----
-`
-)
+// generateKeypair returns (cert, key).
+func generateKeypair(t *testing.T) ([]byte, []byte) {
+	t.Helper()
+
+	privateKey, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+	if err != nil {
+		t.Fatalf("Failed to generate TLS key: %v", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(1 * time.Hour)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		t.Fatalf("Failed to generate serial number for TLS keypair: %v", err)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Example Org"},
+		},
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"example.com"},
+	}
+
+	publicKeyBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		t.Fatalf("Failed to create TLS certificate: %v", err)
+	}
+
+	var certOut bytes.Buffer
+	if err := pem.Encode(&certOut, &pem.Block{Type: "CERTIFICATE", Bytes: publicKeyBytes}); err != nil {
+		t.Fatalf("Failed to write certificate PEM: %v", err)
+	}
+
+	privateKeyBytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		t.Fatalf("Unable to marshal private key: %v", err)
+	}
+
+	var keyOut bytes.Buffer
+	if err := pem.Encode(&keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privateKeyBytes}); err != nil {
+		t.Fatalf("Failed to write certificate PEM: %v", err)
+	}
+
+	return certOut.Bytes(), keyOut.Bytes()
+}
