google.golang.org/grpc@v1.74.2/internal/testutils/tls_creds.go

google.golang.org/grpc@v1.74.2/internal/testutils/tls_creds.go (about)

     1  /*
     2   *
     3   * Copyright 2024 gRPC authors.
     4   *
     5   * Licensed under the Apache License, Version 2.0 (the "License");
     6   * you may not use this file except in compliance with the License.
     7   * You may obtain a copy of the License at
     8   *
     9   *     http://www.apache.org/licenses/LICENSE-2.0
    10   *
    11   * Unless required by applicable law or agreed to in writing, software
    12   * distributed under the License is distributed on an "AS IS" BASIS,
    13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14   * See the License for the specific language governing permissions and
    15   * limitations under the License.
    16   */
    17  
    18  package testutils
    19  
    20  import (
    21  	"crypto/tls"
    22  	"crypto/x509"
    23  	"os"
    24  	"testing"
    25  
    26  	"google.golang.org/grpc/credentials"
    27  	"google.golang.org/grpc/testdata"
    28  )
    29  
    30  // CreateClientTLSCredentials creates client-side TLS transport credentials
    31  // using certificate and key files from testdata/x509 directory.
    32  func CreateClientTLSCredentials(t *testing.T) credentials.TransportCredentials {
    33  	t.Helper()
    34  
    35  	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/client1_cert.pem"), testdata.Path("x509/client1_key.pem"))
    36  	if err != nil {
    37  		t.Fatalf("tls.LoadX509KeyPair(x509/client1_cert.pem, x509/client1_key.pem) failed: %v", err)
    38  	}
    39  	b, err := os.ReadFile(testdata.Path("x509/server_ca_cert.pem"))
    40  	if err != nil {
    41  		t.Fatalf("os.ReadFile(x509/server_ca_cert.pem) failed: %v", err)
    42  	}
    43  	roots := x509.NewCertPool()
    44  	if !roots.AppendCertsFromPEM(b) {
    45  		t.Fatal("Failed to append certificates")
    46  	}
    47  	return credentials.NewTLS(&tls.Config{
    48  		Certificates: []tls.Certificate{cert},
    49  		RootCAs:      roots,
    50  		ServerName:   "x.test.example.com",
    51  	})
    52  }
    53  
    54  // CreateServerTLSCredentials creates server-side TLS transport credentials
    55  // using certificate and key files from testdata/x509 directory.
    56  func CreateServerTLSCredentials(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
    57  	t.Helper()
    58  
    59  	cert, err := tls.LoadX509KeyPair(testdata.Path("x509/server1_cert.pem"), testdata.Path("x509/server1_key.pem"))
    60  	if err != nil {
    61  		t.Fatalf("tls.LoadX509KeyPair(x509/server1_cert.pem, x509/server1_key.pem) failed: %v", err)
    62  	}
    63  	b, err := os.ReadFile(testdata.Path("x509/client_ca_cert.pem"))
    64  	if err != nil {
    65  		t.Fatalf("os.ReadFile(x509/client_ca_cert.pem) failed: %v", err)
    66  	}
    67  	ca := x509.NewCertPool()
    68  	if !ca.AppendCertsFromPEM(b) {
    69  		t.Fatal("Failed to append certificates")
    70  	}
    71  	return credentials.NewTLS(&tls.Config{
    72  		ClientAuth:   clientAuth,
    73  		Certificates: []tls.Certificate{cert},
    74  		ClientCAs:    ca,
    75  	})
    76  }
    77  
    78  // CreateServerTLSCredentialsCompatibleWithSPIFFE creates server-side TLS
    79  // transport credentials using certificate and key files from the
    80  // testdata/spiffe_end2end directory. These credentials are compatible with the
    81  // SPIFFE trust bundles used on the client side.
    82  func CreateServerTLSCredentialsCompatibleWithSPIFFE(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
    83  	t.Helper()
    84  
    85  	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/server_spiffe.pem"), testdata.Path("spiffe_end2end/server.key"))
    86  	if err != nil {
    87  		t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/server_spiffe.pem, spiffe_end2end/server.key) failed: %v", err)
    88  	}
    89  	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
    90  	if err != nil {
    91  		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
    92  	}
    93  	ca := x509.NewCertPool()
    94  	if !ca.AppendCertsFromPEM(b) {
    95  		t.Fatal("Failed to append certificates")
    96  	}
    97  	return credentials.NewTLS(&tls.Config{
    98  		ClientAuth:   clientAuth,
    99  		Certificates: []tls.Certificate{cert},
   100  		ClientCAs:    ca,
   101  	})
   102  }
   103  
   104  // CreateServerTLSCredentialsCompatibleWithSPIFFEChain creates server-side TLS
   105  // transport credentials using a certificate chain and key files from the
   106  // testdata/spiffe_end2end directory. These credentials are compatible with the
   107  // SPIFFE trust bundles used on the client side.
   108  func CreateServerTLSCredentialsCompatibleWithSPIFFEChain(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
   109  	t.Helper()
   110  
   111  	certs, err := tls.LoadX509KeyPair(testdata.Path("spiffe_end2end/leaf_and_intermediate_chain.pem"), testdata.Path("spiffe_end2end/leaf_signed_by_intermediate.key"))
   112  	if err != nil {
   113  		t.Fatalf("tls.LoadX509KeyPair(spiffe_end2end/leaf_and_intermediate_chain.pem, spiffe_end2end/leaf_signed_by_intermediate.key) failed: %v", err)
   114  	}
   115  	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
   116  	if err != nil {
   117  		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
   118  	}
   119  	ca := x509.NewCertPool()
   120  	if !ca.AppendCertsFromPEM(b) {
   121  		t.Fatal("Failed to append certificates")
   122  	}
   123  	return credentials.NewTLS(&tls.Config{
   124  		ClientAuth:   clientAuth,
   125  		Certificates: []tls.Certificate{certs},
   126  		ClientCAs:    ca,
   127  	})
   128  }
   129  
   130  // CreateServerTLSCredentialsValidSPIFFEButWrongCA creates server-side TLS
   131  // transport credentials using certificate and key files from the
   132  // testdata/spiffe directory rather than the testdata/spiffe_end2end directory.
   133  // These credentials have the expected trust domains and SPIFFE IDs that are
   134  // compatible with testdata/spiffe_end2end client files, but they are signed by
   135  // a different CA and will thus fail the connection.
   136  func CreateServerTLSCredentialsValidSPIFFEButWrongCA(t *testing.T, clientAuth tls.ClientAuthType) credentials.TransportCredentials {
   137  	t.Helper()
   138  
   139  	cert, err := tls.LoadX509KeyPair(testdata.Path("spiffe/server1_spiffe.pem"), testdata.Path("server1.key"))
   140  	if err != nil {
   141  		t.Fatalf("tls.LoadX509KeyPair(spiffe/server1_spiffe.pem, spiffe/server.key) failed: %v", err)
   142  	}
   143  	b, err := os.ReadFile(testdata.Path("spiffe_end2end/ca.pem"))
   144  	if err != nil {
   145  		t.Fatalf("os.ReadFile(spiffe_end2end/ca.pem) failed: %v", err)
   146  	}
   147  	ca := x509.NewCertPool()
   148  	if !ca.AppendCertsFromPEM(b) {
   149  		t.Fatal("Failed to append certificates")
   150  	}
   151  	return credentials.NewTLS(&tls.Config{
   152  		ClientAuth:   clientAuth,
   153  		Certificates: []tls.Certificate{cert},
   154  		ClientCAs:    ca,
   155  	})
   156  }