Add metrics for certificates in the verified chains (#48)

2026-05-20 07:12:45 +00:00 · 2020-09-11 18:20:41 +01:00
parent ddedd5f1b5
commit 17aa4e2d2d
6 changed files with 483 additions and 68 deletions
--- a/test/https.go
+++ b/test/https.go
@@ -14,32 +14,41 @@ import (
 // SetupHTTPSServer sets up a server for testing with a generated cert and key
 // pair
 func SetupHTTPSServer() (*httptest.Server, []byte, []byte, string, func(), error) {
-	var teardown func()
-
 	testcertPEM, testkeyPEM := GenerateTestCertificate(time.Now().AddDate(0, 0, 1))

-	caFile, err := WriteFile("certfile.pem", testcertPEM)
+	server, caFile, teardown, err := SetupHTTPSServerWithCertAndKey(testcertPEM, testcertPEM, testkeyPEM)
 	if err != nil {
 		return nil, testcertPEM, testkeyPEM, caFile, teardown, err
 	}

+	return server, testcertPEM, testkeyPEM, caFile, teardown, nil
+}
+
+// SetupHTTPSServerWithCertAndKey sets up a server with a provided certs and key
+func SetupHTTPSServerWithCertAndKey(caPEM, certPEM, keyPEM []byte) (*httptest.Server, string, func(), error) {
+	var teardown func()
+
+	caFile, err := WriteFile("certfile.pem", caPEM)
+	if err != nil {
+		return nil, caFile, teardown, err
+	}
+
 	teardown = func() {
 		os.Remove(caFile)
 	}

-	// Create server
-	testcert, err := tls.X509KeyPair(testcertPEM, testkeyPEM)
+	testCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
-		return nil, testcertPEM, testkeyPEM, caFile, teardown, err
+		return nil, caFile, teardown, err
 	}
 	server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprintln(w, "Hello world")
 	}))
 	server.TLS = &tls.Config{
-		Certificates: []tls.Certificate{testcert},
+		Certificates: []tls.Certificate{testCert},
 	}

-	return server, testcertPEM, testkeyPEM, caFile, teardown, nil
+	return server, caFile, teardown, nil
 }

 // SetupHTTPProxyServer sets up a proxy server
--- a/test/tcp.go
+++ b/test/tcp.go
@@ -145,35 +145,44 @@ func (t *TCPServer) Close() {
 // SetupTCPServer sets up a server for testing with a generated cert and key
 // pair
 func SetupTCPServer() (*TCPServer, []byte, []byte, string, func(), error) {
-	var teardown func()
-
 	testcertPEM, testkeyPEM := GenerateTestCertificate(time.Now().AddDate(0, 0, 1))

-	caFile, err := WriteFile("certfile.pem", testcertPEM)
+	server, caFile, teardown, err := SetupTCPServerWithCertAndKey(testcertPEM, testcertPEM, testkeyPEM)
 	if err != nil {
 		return nil, testcertPEM, testkeyPEM, caFile, teardown, err
 	}

+	return server, testcertPEM, testkeyPEM, caFile, teardown, nil
+}
+
+// SetupTCPServerWithCertAndKey sets up a server with the provided certs and key
+func SetupTCPServerWithCertAndKey(caPEM, certPEM, keyPEM []byte) (*TCPServer, string, func(), error) {
+	var teardown func()
+
+	caFile, err := WriteFile("certfile.pem", caPEM)
+	if err != nil {
+		return nil, caFile, teardown, err
+	}
+
 	teardown = func() {
 		os.Remove(caFile)
 	}

-	testcert, err := tls.X509KeyPair(testcertPEM, testkeyPEM)
+	testCert, err := tls.X509KeyPair(certPEM, keyPEM)
 	if err != nil {
-		panic(fmt.Sprintf("Failed to decode TLS testing keypair: %s\n", err))
+		return nil, caFile, teardown, err
 	}

 	tlsConfig := &tls.Config{
 		ServerName:   "127.0.0.1",
-		Certificates: []tls.Certificate{testcert},
+		Certificates: []tls.Certificate{testCert},
 		MinVersion:   tls.VersionTLS13,
 		MaxVersion:   tls.VersionTLS13,
 	}

-	// Create server
 	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
-		return nil, testcertPEM, testkeyPEM, caFile, teardown, err
+		return nil, caFile, teardown, err
 	}

 	server := &TCPServer{
@@ -182,5 +191,5 @@ func SetupTCPServer() (*TCPServer, []byte, []byte, string, func(), error) {
 		stopCh:   make(chan (struct{})),
 	}

-	return server, testcertPEM, testkeyPEM, caFile, teardown, nil
+	return server, caFile, teardown, err
 }
--- a/test/test.go
+++ b/test/test.go
@@ -15,38 +15,72 @@ import (

 // GenerateTestCertificate generates a test certificate with the given expiry date
 func GenerateTestCertificate(expiry time.Time) ([]byte, []byte) {
-	privatekey, err := rsa.GenerateKey(rand.Reader, 2048)
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	if err != nil {
 		panic(fmt.Sprintf("Error creating rsa key: %s", err))
 	}
-	publickey := &privatekey.PublicKey
+	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})

-	cert := x509.Certificate{
-		IsCA:                  true,
+	cert := GenerateCertificateTemplate(expiry)
+	cert.IsCA = true
+
+	_, pemCert := GenerateSelfSignedCertificateWithPrivateKey(cert, privateKey)
+
+	return pemCert, pemKey
+}
+
+func GenerateSignedCertificate(cert, parentCert *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, []byte, []byte) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		panic(fmt.Sprintf("Error creating rsa key: %s", err))
+	}
+
+	derCert, err := x509.CreateCertificate(rand.Reader, cert, parentCert, &privateKey.PublicKey, parentKey)
+	if err != nil {
+		panic(fmt.Sprintf("Error signing test-certificate: %s", err))
+	}
+
+	genCert, err := x509.ParseCertificate(derCert)
+	if err != nil {
+		panic(fmt.Sprintf("Error parsing test-certificate: %s", err))
+	}
+
+	return genCert,
+		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derCert}),
+		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)})
+}
+func GenerateSelfSignedCertificateWithPrivateKey(cert *x509.Certificate, privateKey *rsa.PrivateKey) (*x509.Certificate, []byte) {
+	derCert, err := x509.CreateCertificate(rand.Reader, cert, cert, &privateKey.PublicKey, privateKey)
+	if err != nil {
+		panic(fmt.Sprintf("Error signing test-certificate: %s", err))
+	}
+
+	genCert, err := x509.ParseCertificate(derCert)
+	if err != nil {
+		panic(fmt.Sprintf("Error parsing test-certificate: %s", err))
+	}
+
+	return genCert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derCert})
+}
+
+func GenerateCertificateTemplate(expiry time.Time) *x509.Certificate {
+	return &x509.Certificate{
 		BasicConstraintsValid: true,
 		SubjectKeyId:          []byte{1},
 		SerialNumber:          big.NewInt(100),
+		NotBefore:             time.Now(),
+		NotAfter:              expiry,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
 		Subject: pkix.Name{
 			CommonName:         "example.ribbybibby.me",
 			Organization:       []string{"ribbybibby"},
 			OrganizationalUnit: []string{"ribbybibbys org"},
 		},
 		EmailAddresses: []string{"me@ribbybibby.me", "example@ribbybibby.me"},
-		IPAddresses:    []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
 		DNSNames:       []string{"example.ribbybibby.me", "example-2.ribbybibby.me", "example-3.ribbybibby.me"},
-		NotBefore:      time.Now(),
-		NotAfter:       expiry,
-		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 	}
-
-	derCert, err := x509.CreateCertificate(rand.Reader, &cert, &cert, publickey, privatekey)
-	if err != nil {
-		panic(fmt.Sprintf("Error signing test-certificate: %s", err))
-	}
-	pemCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derCert})
-	pemKey := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privatekey)})
-	return pemCert, pemKey
 }

 // WriteFile writes some content to a temporary file