internal/testutils/tls_creds.go - external/github.com/grpc/grpc-go - Git at Google

 /*
  *
  * Copyright 2024 gRPC authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package testutils

 import (
 	"crypto/tls"
 	"crypto/x509"
 	"os"
 	"testing"

 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/testdata"
 )

 // CreateClientTLSCredentials creates client-side TLS transport credentials
 // using certificate and key files from testdata/x509 directory.
 func CreateClientTLSCredentials(t *testing.T) credentials.TransportCredentials {
 	t.Helper()

 	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/client1_cert.pem"), testdata.Path("x509/client1_key.pem"))
 	if err != nil {
 		t.Fatalf("tls.LoadX509KeyPair(x509/client1_cert.pem, x509/client1_key.pem) failed: %v", err)
 	}
 	b, err := os.ReadFile(testdata.Path("x509/server_ca_cert.pem"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(x509/server_ca_cert.pem) failed: %v", err)
 	}
 	roots := x509.NewCertPool()
 	if !roots.AppendCertsFromPEM(b) {
 		t.Fatal("Failed to append certificates")
 	}
 	return credentials.NewTLS(&tls.Config{
 		Certificates: []tls.Certificate{cert},
 		RootCAs:      roots,
 		ServerName:   "x.test.example.com",
 	})
 }

 // CreateServerTLSCredentials creates server-side TLS transport credentials
 // using certificate and key files from testdata/x509 directory.
 func CreateServerTLSCredentials(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
 	t.Helper()

 	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/server1_cert.pem"), testdata.Path("x509/server1_key.pem"))
 	if err != nil {
 		t.Fatalf("tls.LoadX509KeyPair(x509/server1_cert.pem, x509/server1_key.pem) failed: %v", err)
 	}
 	b, err := os.ReadFile(testdata.Path("x509/client_ca_cert.pem"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(x509/client_ca_cert.pem) failed: %v", err)
 	}
 	ca := x509.NewCertPool()
 	if !ca.AppendCertsFromPEM(b) {
 		t.Fatal("Failed to append certificates")
 	}
 	return credentials.NewTLS(&tls.Config{
 		ClientAuth:   clientAuth,
 		Certificates: []tls.Certificate{cert},
 		ClientCAs:    ca,
 	})
 }

 // CreateServerTLSCredentialsCompatibleWithSPIFFE creates server-side TLS
 // transport credentials using certificate and key files from the
 // testdata/spiffe_end2end directory. These credentials are compatible with the
 // SPIFFE trust bundles used on the client side.
 func CreateServerTLSCredentialsCompatibleWithSPIFFE(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
 	t.Helper()

 	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/server_spiffe.pem"), testdata.Path("spiffe_end2end/server.key"))
 	if err != nil {
 		t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/server_spiffe.pem, spiffe_end2end/server.key) failed: %v", err)
 	}
 	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
 	}
 	ca := x509.NewCertPool()
 	if !ca.AppendCertsFromPEM(b) {
 		t.Fatal("Failed to append certificates")
 	}
 	return credentials.NewTLS(&tls.Config{
 		ClientAuth:   clientAuth,
 		Certificates: []tls.Certificate{cert},
 		ClientCAs:    ca,
 	})
 }

 // CreateServerTLSCredentialsCompatibleWithSPIFFEChain creates server-side TLS
 // transport credentials using a certificate chain and key files from the
 // testdata/spiffe_end2end directory. These credentials are compatible with the
 // SPIFFE trust bundles used on the client side.
 func CreateServerTLSCredentialsCompatibleWithSPIFFEChain(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
 	t.Helper()

 	certs, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/leaf_and_intermediate_chain.pem"), testdata.Path("spiffe_end2end/leaf_signed_by_intermediate.key"))
 	if err != nil {
 		t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/leaf_and_intermediate_chain.pem, spiffe_end2end/leaf_signed_by_intermediate.key) failed: %v", err)
 	}
 	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
 	}
 	ca := x509.NewCertPool()
 	if !ca.AppendCertsFromPEM(b) {
 		t.Fatal("Failed to append certificates")
 	}
 	return credentials.NewTLS(&tls.Config{
 		ClientAuth:   clientAuth,
 		Certificates: []tls.Certificate{certs},
 		ClientCAs:    ca,
 	})
 }

 // CreateServerTLSCredentialsValidSPIFFEButWrongCA creates server-side TLS
 // transport credentials using certificate and key files from the
 // testdata/spiffe directory rather than the testdata/spiffe_end2end directory.
 // These credentials have the expected trust domains and SPIFFE IDs that are
 // compatible with testdata/spiffe_end2end client files, but they are signed by
 // a different CA and will thus fail the connection.
 func CreateServerTLSCredentialsValidSPIFFEButWrongCA(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
 	t.Helper()

 	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe/server1_spiffe.pem"), testdata.Path("server1.key"))
 	if err != nil {
 		t.Fatalf("tls.LoadX509KeyPair(spiffe/server1_spiffe.pem, spiffe/server.key) failed: %v", err)
 	}
 	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
 	if err != nil {
 		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
 	}
 	ca := x509.NewCertPool()
 	if !ca.AppendCertsFromPEM(b) {
 		t.Fatal("Failed to append certificates")
 	}
 	return credentials.NewTLS(&tls.Config{
 		ClientAuth:   clientAuth,
 		Certificates: []tls.Certificate{cert},
 		ClientCAs:    ca,
 	})
 }
	/*
	*
	* Copyright 2024 gRPC authors.
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package testutils

	import (
	"crypto/tls"
	"crypto/x509"
	"os"
	"testing"

	"google.golang.org/grpc/credentials"
	"google.golang.org/grpc/testdata"
	)

	// CreateClientTLSCredentials creates client-side TLS transport credentials
	// using certificate and key files from testdata/x509 directory.
	func CreateClientTLSCredentials(t *testing.T) credentials.TransportCredentials {
	t.Helper()

	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/client1_cert.pem"), testdata.Path("x509/client1_key.pem"))
	if err != nil {
	t.Fatalf("tls.LoadX509KeyPair(x509/client1_cert.pem, x509/client1_key.pem) failed: %v", err)
	}
	b, err := os.ReadFile(testdata.Path("x509/server_ca_cert.pem"))
	if err != nil {
	t.Fatalf("os.ReadFile(x509/server_ca_cert.pem) failed: %v", err)
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(b) {
	t.Fatal("Failed to append certificates")
	}
	return credentials.NewTLS(&tls.Config{
	Certificates: []tls.Certificate{cert},
	RootCAs: roots,
	ServerName: "x.test.example.com",
	})
	}

	// CreateServerTLSCredentials creates server-side TLS transport credentials
	// using certificate and key files from testdata/x509 directory.
	func CreateServerTLSCredentials(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
	t.Helper()

	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/server1_cert.pem"), testdata.Path("x509/server1_key.pem"))
	if err != nil {
	t.Fatalf("tls.LoadX509KeyPair(x509/server1_cert.pem, x509/server1_key.pem) failed: %v", err)
	}
	b, err := os.ReadFile(testdata.Path("x509/client_ca_cert.pem"))
	if err != nil {
	t.Fatalf("os.ReadFile(x509/client_ca_cert.pem) failed: %v", err)
	}
	ca := x509.NewCertPool()
	if !ca.AppendCertsFromPEM(b) {
	t.Fatal("Failed to append certificates")
	}
	return credentials.NewTLS(&tls.Config{
	ClientAuth: clientAuth,
	Certificates: []tls.Certificate{cert},
	ClientCAs: ca,
	})
	}

	// CreateServerTLSCredentialsCompatibleWithSPIFFE creates server-side TLS
	// transport credentials using certificate and key files from the
	// testdata/spiffe_end2end directory. These credentials are compatible with the
	// SPIFFE trust bundles used on the client side.
	func CreateServerTLSCredentialsCompatibleWithSPIFFE(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
	t.Helper()

	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/server_spiffe.pem"), testdata.Path("spiffe_end2end/server.key"))
	if err != nil {
	t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/server_spiffe.pem, spiffe_end2end/server.key) failed: %v", err)
	}
	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
	if err != nil {
	t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
	}
	ca := x509.NewCertPool()
	if !ca.AppendCertsFromPEM(b) {
	t.Fatal("Failed to append certificates")
	}
	return credentials.NewTLS(&tls.Config{
	ClientAuth: clientAuth,
	Certificates: []tls.Certificate{cert},
	ClientCAs: ca,
	})
	}

	// CreateServerTLSCredentialsCompatibleWithSPIFFEChain creates server-side TLS
	// transport credentials using a certificate chain and key files from the
	// testdata/spiffe_end2end directory. These credentials are compatible with the
	// SPIFFE trust bundles used on the client side.
	func CreateServerTLSCredentialsCompatibleWithSPIFFEChain(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
	t.Helper()

	certs, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/leaf_and_intermediate_chain.pem"), testdata.Path("spiffe_end2end/leaf_signed_by_intermediate.key"))
	if err != nil {
	t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/leaf_and_intermediate_chain.pem, spiffe_end2end/leaf_signed_by_intermediate.key) failed: %v", err)
	}
	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
	if err != nil {
	t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
	}
	ca := x509.NewCertPool()
	if !ca.AppendCertsFromPEM(b) {
	t.Fatal("Failed to append certificates")
	}
	return credentials.NewTLS(&tls.Config{
	ClientAuth: clientAuth,
	Certificates: []tls.Certificate{certs},
	ClientCAs: ca,
	})
	}

	// CreateServerTLSCredentialsValidSPIFFEButWrongCA creates server-side TLS
	// transport credentials using certificate and key files from the
	// testdata/spiffe directory rather than the testdata/spiffe_end2end directory.
	// These credentials have the expected trust domains and SPIFFE IDs that are
	// compatible with testdata/spiffe_end2end client files, but they are signed by
	// a different CA and will thus fail the connection.
	func CreateServerTLSCredentialsValidSPIFFEButWrongCA(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
	t.Helper()

	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe/server1_spiffe.pem"), testdata.Path("server1.key"))
	if err != nil {
	t.Fatalf("tls.LoadX509KeyPair(spiffe/server1_spiffe.pem, spiffe/server.key) failed: %v", err)
	}
	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
	if err != nil {
	t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
	}
	ca := x509.NewCertPool()
	if !ca.AppendCertsFromPEM(b) {
	t.Fatal("Failed to append certificates")
	}
	return credentials.NewTLS(&tls.Config{
	ClientAuth: clientAuth,
	Certificates: []tls.Certificate{cert},
	ClientCAs: ca,
	})
	}