diff --git a/retry/transport_wrapper_test.go b/retry/transport_wrapper_test.go index 300c29f7..bf52114a 100644 --- a/retry/transport_wrapper_test.go +++ b/retry/transport_wrapper_test.go @@ -823,7 +823,7 @@ func Listen() (listener net.Listener, address string) { // simulating an HTTP/2 server: listener, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ Certificates: []tls.Certificate{ - LocalhostKeyPair(), + LocalhostCertificate(), }, NextProtos: []string{ http2.NextProtoTLS, diff --git a/testing/servers.go b/testing/servers.go index 34ddb49c..fa56e80d 100644 --- a/testing/servers.go +++ b/testing/servers.go @@ -17,14 +17,20 @@ limitations under the License. package testing import ( + "crypto/rand" + "crypto/rsa" "crypto/tls" + "crypto/x509" + "crypto/x509/pkix" "encoding/pem" "io/ioutil" "log" + "math/big" "net" "net/http" "net/url" "path/filepath" + "time" "github.com/onsi/gomega/ghttp" "golang.org/x/net/http2" @@ -264,9 +270,10 @@ func VerifyCookie(name, value string) http.HandlerFunc { } } -// LocalhostKeyPair returns a TLS key pair valid for the name `localhost` DNS -// name, for the `127.0.0.1` IPv4 address and for the `::1` IPv6 address. The -// key pair has been generated with the following command: +// LocalhostCertificate returns a self signed TLS certificate valid for the name `localhost` DNS +// name, for the `127.0.0.1` IPv4 address and for the `::1` IPv6 address. +// +// A similar certificate can be generated with the following command: // // openssl req \ // -x509 \ 
@@ -276,97 +283,40 @@ func VerifyCookie(name, value string) http.HandlerFunc { // -out tls.crt \ // -subj '/CN=localhost' \ // -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1,IP:::1' \ -// -days 3650 -func LocalhostKeyPair() tls.Certificate { - pair, err := tls.X509KeyPair(localhostCrt, localhostKey) - Expect(err).ToNot(HaveOccurred()) - return pair +// -days 1 +func LocalhostCertificate() tls.Certificate { + if localhostCertificate == nil { + key, err := rsa.GenerateKey(rand.Reader, 4096) + Expect(err).ToNot(HaveOccurred()) + now := time.Now() + spec := x509.Certificate{ + SerialNumber: big.NewInt(0), + Subject: pkix.Name{ + CommonName: "localhost", + }, + DNSNames: []string{ + "localhost", + }, + IPAddresses: []net.IP{ + net.ParseIP("127.0.0.1"), + net.ParseIP("::1"), + }, + NotBefore: now, + NotAfter: now.Add(24 * time.Hour), + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{ + x509.ExtKeyUsageServerAuth, + }, + } + data, err := x509.CreateCertificate(rand.Reader, &spec, &spec, &key.PublicKey, key) + Expect(err).ToNot(HaveOccurred()) + localhostCertificate = &tls.Certificate{ + Certificate: [][]byte{data}, + PrivateKey: key, + } + } + return *localhostCertificate } -var localhostCrt = []byte(` ------BEGIN CERTIFICATE----- -MIIFODCCAyCgAwIBAgIUdhdcmZ5JmTWpGQiuLnTMT6UxZb0wDQYJKoZIhvcNAQEL -BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDgxMjEwMjQyM1oXDTMxMDgx -MDEwMjQyM1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF -AAOCAg8AMIICCgKCAgEAs4I2qpFnkss60FIxKTboLv6QpBt8QnR4l2xT1egCBr3x -kqOkobZjrfZ61JbDyz9ZPcrwzksB+6/Xp8VNmbCvYx8hKAv0EMBTl3Lczv7jIrg8 -wXXncjSguRolXkeuQAHqk37CkVhEjfZuvd4ZCoumQXzmw61AZlxDOHDMDM3Um95m -ZYNtVwDn/eZRFIPQbmCcDKC2v2/nlpuviUOuMwnPU/ev4eLaDFUqAO0llTVpJKdb -E0KIyWX7fGFTtibfw5azEGxPEb/7FAUtaa3Rms70I7fwZU/FBy8iXuSzW/g7Ms3a -zZo+rTQFCbNHdU22w4bhZtBvZkXyyDEtxypx77UZZIrKOVflu/VU2lNQS98LnaXF -GtV0qVQ7hFdDRw/XmxDZPsG8xDORgx7PADPTqj0Hylg2oawPZdidqkqP5hgERuWk 
-vBTMeJ6RjoKLV70FSnIzlOh0fFnln6iZB4dDXE2bLtHtB3oRDrN/VA+N1bCPZmWY
-7/s9OqlQ5xRsT9sz+iqyzaOk0XCRV3z+QgohmkOd0GCoZ+QDpogMaaXy0hQlFpaX
-hTBO/0FPXzg2ipop7ItgDZYQgl5wuva40R6j1KRqBZLNMuZhosIQ4qf9geeVbZfu
-A+QNUSJPrtXXNaCCstiIGJgHWGl1KWBHnmhLSb7yajEFfmQM+yVb/T/TEacjOYMC
-AwEAAaOBgTB/MB0GA1UdDgQWBBRK6ctms4WQmh8Qy+VKSHLgc74z3jAfBgNVHSME
-GDAWgBRK6ctms4WQmh8Qy+VKSHLgc74z3jAPBgNVHRMBAf8EBTADAQH/MCwGA1Ud
-EQQlMCOCCWxvY2FsaG9zdIcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG
-9w0BAQsFAAOCAgEAQhcYqXuWIK0/4oJfJBabbtUUEN1As98gaomcQKMTk30K+aZD
-KejPeBZnOJSWpZRl4ypm4Z3u/jIHptLHKSSoSIyEIikV1MsZy9c8E/aetRbrJ4G/
-Y+TM/jCKZ9Rz6zxZznN52fME7Gh9de75QsUrmDl8wmgZ9Y09UYX6hG4+rCR0R+lX
-GQv3LAVCHXGtCqHS8zXXyymRQghqE8Tz7dzWtpo0AIVA0k8GL4bGxlAAuQL7TXHE
-jfLNh35RjULxM6JONYj/uQnaret5kE5ZuzQp+L4HHs/5qIE2wvTyFKyAtJP0E6AP
-hI754OEvOVMXfBOYWDalOcyka9kKUCTkDztW5VY/bpapqfTLN6McRqzEijLatg2c
-ADHabdIbhKhKKfH1ZmZFXthrPiPfc+Y7oTsf7gmIzR3actjfI6ZWaUhhaipFil3c
-7sedG68X7W7I4F5cdPTbZb3fnUb7Xk2mReivDgY2Cz1rMVBYI7wT+m82oPTRwsRU
-YZrbnOIXoWmTo6hVtvi7XXNVFj2vDgVQTSqJBUWl2DKqUQ+EALj9AVnDD4TS9Af1
-v7215I4iIaeVbmilS7GCoayiPczJfKDpMUf4OEV5r4EomJwWzgqxx5qioRpRvU9k
-9kFc5TTcHQENjK3Og/Ii5jpQegAo01sduDnCN05YfAZ2En6M/rqjWG/WiyY=
------END CERTIFICATE-----
-`)
-
-var localhostKey = []byte(`
------BEGIN PRIVATE KEY-----
-MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCzgjaqkWeSyzrQ
-UjEpNugu/pCkG3xCdHiXbFPV6AIGvfGSo6ShtmOt9nrUlsPLP1k9yvDOSwH7r9en
-xU2ZsK9jHyEoC/QQwFOXctzO/uMiuDzBdedyNKC5GiVeR65AAeqTfsKRWESN9m69
-3hkKi6ZBfObDrUBmXEM4cMwMzdSb3mZlg21XAOf95lEUg9BuYJwMoLa/b+eWm6+J
-Q64zCc9T96/h4toMVSoA7SWVNWkkp1sTQojJZft8YVO2Jt/DlrMQbE8Rv/sUBS1p
-rdGazvQjt/BlT8UHLyJe5LNb+DsyzdrNmj6tNAUJs0d1TbbDhuFm0G9mRfLIMS3H
-KnHvtRlkiso5V+W79VTaU1BL3wudpcUa1XSpVDuEV0NHD9ebENk+wbzEM5GDHs8A
-M9OqPQfKWDahrA9l2J2qSo/mGARG5aS8FMx4npGOgotXvQVKcjOU6HR8WeWfqJkH
-h0NcTZsu0e0HehEOs39UD43VsI9mZZjv+z06qVDnFGxP2zP6KrLNo6TRcJFXfP5C
-CiGaQ53QYKhn5AOmiAxppfLSFCUWlpeFME7/QU9fODaKminsi2ANlhCCXnC69rjR
-HqPUpGoFks0y5mGiwhDip/2B55Vtl+4D5A1RIk+u1dc1oIKy2IgYmAdYaXUpYEee
-aEtJvvJqMQV+ZAz7JVv9P9MRpyM5gwIDAQABAoICACx3MudpgUiBgx4bXgYhjb4m
-XNnp3QvxIfYQZWv1PptA7dgvJRbRwTtUdPS4K+Pq20ZNQP0441LfKgJrA1/wvmFF
-UsdCvsBvg8VeNIgp50WwcYxSknRdyPpRGbSS+Pzt/JdwrO2n+cNYqfHqVDWihhpu
-wBL0laFFdXlDp6f8TJAXtTGsLqeAl/by2F7GkBjnYYBXRy2AoNNT2VWdKEeIRI0+
-K5k+wliPuAnmtIqTYmor8omAz7Vjx7n1ufDDDGa8q7qDucphzeYVqjwlTGiWny9B
-3xCZg+rVqCPtbuh3QuLAz1RiwufQnPbcK/VIvN8OSENZml6xMQSZ+gb94p9IMvOk
-JKfHH6jIPV9ou9y9k1htxHcozrZcr1/Ua63kQEPkzpQCL8orZJgfAqhsH0ZnM6zz
-WAwoCasdSQEbn9s5eMYWHN5cHj32gXEze1b0S/iv/72nEWyid2A9nqhu8tyIC6/l
-wxqYEInS3Sj0PvVJRrulkRn/ESxoY3Nl3TUmHlWduE077yVUT75BkArWvWpMblhz
-/6Z/LyjmZfTZmItkzLoOkT1y5oVqOLi4qGBipXwKTFjTs2dReX7q+HqVoP03lREA
-g1Flnx6wUWURTY+MGzJ8LBgJISm9uOpltpEtClO1mOGzim5Z/lxQ+edjZ/Ir3zVi
-NmllX1gV4NMXh/VBeMZBAoIBAQDr7G3BH6+RQliFA2YPMfQ+X1eompu4u7pM4aRY
-EVrOEUCq5XVLpRuCWQeHL+iPMMiP4IW2nZmsF6fUiGYsNXsdVvkOalxQuZNnrsZT
-6H1GQv3JeB1ToFU6psCfMVuHlimPNanm3rfPm1vTJNHORTCHj80nRF3Fn6oKi1OL
-LLu2LzjDaTwb2Ag5p0/8da712aogE/E1B2rp1gs53bjkMyYdJoODblZWFeG/B127
-SMh+sgmWzjINM9thdifrI3sI0uw/E0pJGjy27Q3yUj75ePs6gxtQwytcGqf3j2GM
-ci4m6fX8qeoRnpmsVBrO5LJTBX6WQNfwnPCyxC+JiuZ1bqATAoIBAQDCyMqthZ3B
-LBcr803uIEbkDlqaq/Tj+rgZJjYxs2N5BTpZAzRc+7Vsaj93cEbsOOack434UTs9
-BDCftVPvZzrQ/k7qTeSYSNTFUeqz2ECSh1HJPxyjHNjPq7lV1hZtI9W1eFBflNYw
-o+rXZJtshh6WRfMbc7bsdlvk7/tomumdc9w2fDfDmOD7pbkVBB3c4P5Rm/ZGsStZ
-2rqmB1T2qzdKPTApRFE6u0nq1SWx+GfUaJTCWqVE1Il5lDIT3+49qdLgShLciZfy
-WWS0XbG7Ifz81jtIPXSLSEuMvNrNZN9mg7+RjehkMKmjY9FaZZbDG7xOOhM7QWdP
-WY/0HOKZ2I7RAoIBAFVmOPh+asQPGxHTAB+h+oKVapq6lIHTWoW37BCA/7i2IA18
-j+/47TNK3OG/otQqWX9TS7Ol6tmTmonhcfKwzUb6k573O0FxW31dk6cN8kL7vvgt
-xZfe4tsfP3ygljxHS/Xt+/l5R1ocJ6oPmu6qtv1rPVzob3U47Ylxk6U+ZRh2kXqS
-3lJJ6fhMqzR8uP9/cgi4j0idzcKlW1zv+JyKM1K7/UEXMKNqulO26+P+Xa0W70eq
-jg2fZtsptRt1tXSlPSU761j46V9iAflkci1F8NLmYH3kmA54C7MeMLZxImmtqQBz
-1SnZmlD6BNY9jJtm0sK66C/N74cWYwrLv85kZAcCggEBAKF80vv1sQp8QWHAv7VS
-sTNV6ywcsFVqgcLn+TpPXYLyIKO3kmwcixctJx0gyswBiL/7XVKoFhLKLH3cWZA7
-53lpvYdnuMPAbhaBibI88ZwJ8HaGinl46w+RcYCGk+U8NmvTKd90h/efjo2w7WKV -9znjGGCEGP4GSr2NcMQS2ugdLE9HwPu6/Zvkk4Om/BMpve9u/EkzjZtbSi9oGLrA -zIASJqGv8CBfMjMtL6lTJtHlOp+/gxGDm85eXP45Q02AREKLZwPMV1snXeRjYXyh -+xqrik6kFMF82JX/5O8wWD6nr+U+35Jg/eNmWCU34Dw1/HJml5ci7EHPIRfj8sJV -1mECggEBAIoIzyJVxTQaOFm87ssM6JWg6E+OgXuYceZdAoLgusOOqWL/cI0J3uhS -aIH7r2oc4i4G4bl8GCwTp1Rk3yTDz9/8k4YNklR+UwBdpmjRUwTOiq6WGyiqJYTN -vQIDq0qReQVKz96HcsY3uDVCyRtQp3CcSgXWD6zuf/uKmLf/oQRa4bie+zmdRwm5 -Rkj6gTqym3L9EWc3ouk/DgeclGirm2YOx0O0YGD6dRK7Qe2rFBliAZ+9A6CO48DG -z5vQ40nwaH0oMMEXCkFbSDP0GRr0t1fCDVTBv3DLc+OL+tQDPZtSUuBWQhlD+/Kp -kQa+wVDL7TzyYOgTVJ1YtorASxSqJBg= ------END PRIVATE KEY----- -`) +// localhostCertificate contains the TLS certificate returned by the LocalhostCertificate function. +var localhostCertificate *tls.Certificate diff --git a/testing/tokens.go b/testing/tokens.go index 161fafaf..97418e9e 100644 --- a/testing/tokens.go +++ b/testing/tokens.go @@ -17,6 +17,7 @@ limitations under the License. package testing import ( + "crypto/rand" "crypto/rsa" "encoding/base64" "fmt" 
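Review bot: The lazy initialization in `LocalhostCertificate` reads and writes the package-level `localhostCertificate` with no synchronization, so concurrent callers (tests using `t.Parallel()`, or several servers started at once) race on the `== nil` check and can each generate a separate key and certificate; wrapping the generation in a `sync.Once` removes the race and guarantees the 4096-bit RSA generation runs once, as sketched below (the `sync` import belongs in the import block changed earlier in this file). Separately, `SerialNumber: big.NewInt(0)` does not meet RFC 5280 §4.1.2.2, which requires a positive serial number, so a stricter parser on the client side may reject the certificate; a random serial such as `rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))` avoids that. The removed certificate carried a `CA:TRUE` basic-constraints extension while the generated one has none, which is fine for a leaf presented directly but is worth confirming against how the clients in `retry/transport_wrapper_test.go` trust it.
```go
// localhostCertificateOnce guards the one-time generation in LocalhostCertificate.
var localhostCertificateOnce sync.Once

func LocalhostCertificate() tls.Certificate {
	localhostCertificateOnce.Do(func() {
		key, err := rsa.GenerateKey(rand.Reader, 4096)
		Expect(err).ToNot(HaveOccurred())
		// … unchanged: certificate template and CreateCertificate call …
		localhostCertificate = &tls.Certificate{
			Certificate: [][]byte{data},
			PrivateKey:  key,
		}
	})
	return *localhostCertificate
}
```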
@@ -138,57 +139,10 @@ var ( func init() { var err error - // Load the keys used to sign and verify tokens: - jwtPublicKey, err = jwt.ParseRSAPublicKeyFromPEM([]byte(jwtPublicKeyPEM)) - if err != nil { - panic(err) - } - jwtPrivateKey, err = jwt.ParseRSAPrivateKeyFromPEM([]byte(jwtPrivateKeyPEM)) + // Generate the keys used to sign and verify tokens: + jwtPrivateKey, err = rsa.GenerateKey(rand.Reader, 4096) if err != nil { panic(err) } + jwtPublicKey = &jwtPrivateKey.PublicKey } - -// Public key in PEM format: -const jwtPublicKeyPEM = ` ------BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7bKPFZi7LJ5Oc/XefBDe -byQ1i38Sc3f7Jq0vh8aZC2W6SyqIlv3uUDWFozw0bdkS4MGN6eFjql0JIMIIoq/C -A3aNDCJXKFyVOepe7kgWQ5WY2HH03D/gzUM773TPIkeLCUDJhWi+KMcoMtyxgwr+ -X4UVRz/o73fKMrv1bKq7ajAu2Wq1Cjp7zeoirnVz2uplpEtholrySyuhKFmjlRvg -eaLzlc/krB24+IPdJrklGyuwyr8jHDjYBJIsNuqtOzMibdhKPtAhswgZ/lyCFWt+ -xAvLsVAJtfNwuED/Cac2KdY60tZzeWsknSuZKL76OARHxlPOWrMsw4jrqpkXM7Ns -LQIDAQAB ------END PUBLIC KEY----- -` - -// Private key in PEM format: -const jwtPrivateKeyPEM = ` ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA7bKPFZi7LJ5Oc/XefBDebyQ1i38Sc3f7Jq0vh8aZC2W6SyqI -lv3uUDWFozw0bdkS4MGN6eFjql0JIMIIoq/CA3aNDCJXKFyVOepe7kgWQ5WY2HH0 -3D/gzUM773TPIkeLCUDJhWi+KMcoMtyxgwr+X4UVRz/o73fKMrv1bKq7ajAu2Wq1 -Cjp7zeoirnVz2uplpEtholrySyuhKFmjlRvgeaLzlc/krB24+IPdJrklGyuwyr8j -HDjYBJIsNuqtOzMibdhKPtAhswgZ/lyCFWt+xAvLsVAJtfNwuED/Cac2KdY60tZz -eWsknSuZKL76OARHxlPOWrMsw4jrqpkXM7NsLQIDAQABAoIBAQCqZXenTr7XZIDv -JhGhNOKQIA/2eVi7yAYWGs7Y8aijAAEFg285dr3RaBzuAOnA2X1r+7UFNZsh9OHn -RtGz9nUJ0IGacj+y4nPjeb0l6i1zs5lHiKG1BmHcI9eieEVI2Kq2LmiIp6ayStrp -Y0Ypn8bsqNWxJwKQMHqV1iJBDT+fBZuk2kEouRiWCBazIlUgd110v0veWul9eHgy -kqrrhogq2/RdY9+EiKzPSr0A8zdFJHfRGSuk3rK9sUQ9HbvL6ZG+q+O3IUKfO33O -lYniHG+/FmY2ESHqRBSd93/zKqubIhbj0Ha/JiSm66ranGDtqeBqdUZxIVt9TH8U -qltTsKmtAoGBAP61QMouox/AIgLPZ4GUVYc8EtQz3SNioQ24Bn+c4idL30vwewrR -Togz7WDF1EUiL2ljE7Dxxo0FJbEasETZojoXHt7ZCpaSEK+GcvKmV/NdCrprrYhO 
-GPwuttaEMlOXNtFsjWGhhg+d18aCZTWpIUmsQS8823nwWiGDuYbxlYzXAoGBAO7n
-N5P5McAMRi2NdJJXbVvBbC2xwrvOt/qZZnAvFAX4NI088CBj1EGW1b9Mq+uuOfkM
-8DP3EkGZ/YixTAIub5xL55CpyU38+aIoKgfLJuk+DHGBJD24qYYTzsXPEFuDvjyU
-+0VnbCMInyga6iW2ux3FCYLnowv7yI8GFCmw90qbAoGBAKPgjn0HIKEvBzLzqs7u
-V1EZT6wEaoV30dN30YaNs9xArry3TxMYtARiFJqs7fRFGGgf/O1dwbe91hBq8Xp6
-5Cun8I7E6lESTXYBdTe12uSTunFTEmWeiejHTZAboh2yLuzzgMuOFyk5DzmDcAbk
-eKxkDdSMvVFpWTQzAk1WZjglAoGAQie8+Dj1Ud0UQeD9+thC7DmvnyeuaRthTv/T
-ohUnUk/dHY9WX2HFkTQXlJXCtczVOOYgTgOJBqmBz6xpA+Gf/oP2Z9TcbcAz0HeW
-y/mxmL0Z7QR56K2OJBawF46zVOQydcw7mIh/JWRpzk1FsZPcVO4PKDTErbjXXOOu
-Ca17jSkCgYBRwxm+l3gCduco5byxzMftqyMBm+JUDtFdkQseSzF2YYHW7cPylmi+
-Br3bhh0/sYVONO3a0EGr37J6d8pESpVIHsmVKPNsaLb5vMOwE0hAP5Aj83MkFlo5
-fD77PZoNGoJiJ9PCF3f7fZSwcAsA1hbulzR/hl5MuRxhybAYbfx6xg==
------END RSA PRIVATE KEY-----
-`
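Review bot: `init()` now pays for a 4096-bit RSA key generation in every test binary that imports this package, whether or not that binary ever signs a token; generating a key of that size can take a second or more (longer on slow CI runners), and `init()` is the one place where the cost can neither be skipped nor attributed to a specific test. A 2048-bit key is ample for test-only tokens, `jwtPrivateKey, err = rsa.GenerateKey(rand.Reader, 2048)`, and generating it lazily under a `sync.Once` from wherever `jwtPrivateKey`/`jwtPublicKey` are first used would match the lazy pattern `LocalhostCertificate` adopts in `testing/servers.go` in this same commit. The `var (` block that declares the two key variables sits above this hunk, so its contents are not visible here.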