google.golang.org/grpc@v1.74.2/testdata/spiffe_end2end/README.md

All of the files in this directory except `server_spiffebundle.json` and
`client_spiffebundle.json` are generated with the `generate.sh` and
`generate_intermediate.sh` scripts in this directory.

These comprise a root trust certificate authority (CA) that signs two
certificates, `client_spiffe.pem` and `server_spiffe.pem`. These are valid
SPIFFE certificates (via the configuration in `spiffe-openssl.cnf`), and the
`*_spiffebundle.json` files are SPIFFE Bundle Maps for the client and server
respectively.

The SPIFFE trust bundle map files (`*_spiffebundle.json`) are manually created
for end-to-end testing. `server_spiffebundle.json` contains the `foo.bar.com`
trust domain (only this entry is used in the e2e tests), matching the URI SAN of
`client_spiffe.pem`; its CA certificate is `ca.pem`. `client_spiffebundle.json`
contains the `example.com` trust domain, matching the URI SAN of
`server_spiffe.pem`; the CA certificate there is also `ca.pem`.

`leaf_and_intermediate_chain.pem` is a certificate chain whose leaf is a valid
SPIFFE cert signed by an intermediate CA (`intermediate_ca.pem`). The
intermediate CA is signed by the root CA (`ca.pem`). Thus, this setup yields a
valid chain to the root of trust `ca.pem`.

If updating these files, the `x5c` field in the JSON is the raw PEM CA
certificate and can be copy-pasted from the certificate file `ca.pem`. `n` and
`e` are values from the public key attached to this certificate. `e` should
*probably* be `AQAB` as it is the exponent. `n` can be fetched from the
certificate by getting the RSA key from the cert and extracting the modulus.
This can be done in Go with the following code:

```go
package main

import (
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"os"
)

// GetBase64ModulusFromPublicKey returns the JWK `n` value: the big-endian modulus bytes, base64url-encoded without padding.
func GetBase64ModulusFromPublicKey(key *rsa.PublicKey) string {
	return base64.RawURLEncoding.EncodeToString(key.N.Bytes())
}

func main() {
	rawPemCert, _ := os.ReadFile("ca.pem") // the CA certificate the bundle's x5c refers to
	block, _ := pem.Decode(rawPemCert)
	cert, _ := x509.ParseCertificate(block.Bytes)
	fmt.Println(GetBase64ModulusFromPublicKey(cert.PublicKey.(*rsa.PublicKey)))
}
```
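Since the bundle files are hand-maintained, it is worth deriving all three fields from the certificate and checking that an edited entry still agrees with its own `x5c`. The following is an added example, not code from the gRPC repository; the function names and the in-memory test CA (a stand-in for `ca.pem`) are assumptions. It computes `e` from the key instead of assuming `AQAB`, and encodes `x5c` as standard base64 of the DER, which is exactly the body of `ca.pem` between its PEM header and footer lines.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)
// JWKFromCert derives n and e (base64url, unpadded) and x5c (standard base64 DER, i.e. the PEM body) from an RSA CA cert.
func JWKFromCert(cert *x509.Certificate) (n, e, x5c string, err error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", "", "", fmt.Errorf("not an RSA certificate")
	}
	n = base64.RawURLEncoding.EncodeToString(pub.N.Bytes())
	e = base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()) // 65537 encodes as "AQAB"
	return n, e, base64.StdEncoding.EncodeToString(cert.Raw), nil
}

// CheckJWK re-derives n and e from the entry's own x5c, rejecting a hand-edited bundle whose fields drifted from its CA.
func CheckJWK(n, e, x5c string) error {
	der, err := base64.StdEncoding.DecodeString(x5c)
	if err != nil {
		return fmt.Errorf("x5c: %w", err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("x5c: %w", err)
	}
	wantN, wantE, _, err := JWKFromCert(cert)
	if err != nil || wantN != n || wantE != e {
		return fmt.Errorf("n/e do not match the x5c certificate (%v)", err)
	}
	return nil
}

// NewTestCA builds a constructed, in-memory self-signed RSA CA standing in for ca.pem (a fixture, so errors are ignored).
func NewTestCA() *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	n, e, x5c, _ := JWKFromCert(NewTestCA())
	fmt.Println(e, CheckJWK(n, e, x5c)) // prints: AQAB <nil>
}
```

To check a real bundle entry, pass its `n`, `e` and first `x5c` element to `CheckJWK`; a non-nil error means the JSON no longer matches the certificate it claims to describe.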