finagle: Regenerate expired certificates used in tests

Problem We had 2 expired certificates which were causing tests to fail. Solution Regenerate these (good for 5 years), add instructions for regenerating, and remove the KTF from the build file. JIRA Issues: CSL-12418 Differential Revision: https://phabricator.twitter.biz/D1170786
twitter · Sep 17, 2024 · 8b74e72 · 8b74e72
1 parent aff1568
commit 8b74e72
Show file tree

Hide file tree

Showing 7 changed files with 100 additions and 26 deletions.
diff --git a/finagle-core/src/test/resources/ssl/README b/finagle-core/src/test/resources/ssl/README
@@ -1 +1,11 @@
-The certificates and keys located in these directories have been generated by Twitter engineers for example purposes and are intended for testing only. They have nothing to do with Twitter production or development systems.
+The certificates and keys located in these directories have been generated by X engineers for example purposes and are intended for testing only. They have nothing to do with X production or development systems.
+
+To generate a new certificate, from this (ssl) directory, run:
+
+For test-ec-with-sans.crt:
+$ openssl req -new -key keys/test-ec-key.pem -out request.csr -config conf/test-ec-with-sans.cnf
+$ openssl x509 -req -days 1825 -in request.csr -signkey keys/test-ec-key.pem --out certs/test-ec-with-sans.crt -extensions v3_ca -extfile conf/test-ec-with-sans.cnf
+
+For test-ecclient-with-sans.crt:
+$ openssl req -new -key keys/test-ec-key.pem -out request.csr -config conf/test-ecclient-with-sans.cnf
+$ openssl x509 -req -days 1825 -in request.csr -signkey keys/test-ec-key.pem --out certs/test-ecclient-with-sans.crt -extensions v3_ca -extfile conf/test-ecclient-with-sans.cnf
diff --git a/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt b/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt
@@ -1,14 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICGzCCAcGgAwIBAgIJAO2zMrMg5/CSMAoGCCqGSM49BAMCMGQxCzAJBgNVBAYT
-AlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UE
-CgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMB4XDTIy
-MDkxNTE4NDI0MVoXDTI0MDkxNDE4NDI0MVowZDELMAkGA1UEBhMCVVMxCzAJBgNV
-BAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdUd2l0dGVy
-MR4wHAYDVQQLDBVDb3JlIFN5c3RlbSBMaWJyYXJpZXMwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAASjqFWeGdar7f4B2zsczAGSnlnhFPREq6q30wPc1FIfhYYBPnfk
-Obc7eBSPT7ti/i8/s36vKkvdaM6iD+tlmigjo1wwWjALBgNVHQ8EBAMCBDAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0RBC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6
-dGVzdC1lY3NlcnZlcjpkZXZlbDpsb2NhbDAKBggqhkjOPQQDAgNIADBFAiBZ7NCP
-tcH92VbSjNTIABU47lDYRwd2or4AM6CBeui1EwIhANhoTJ20Gb7E2iypkYiFD8fy
-3xTqsPCkl7xcFR4DDAl4
+MIICsjCCAligAwIBAgIUEU7qdnOXCW7p9S6SwOw/tUIBEtkwCgYIKoZIzj0EAwIw
+gZgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzEQMA4GA1UECgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGli
+cmFyaWVzMTIwMAYDVQQDDClUd2l0dGVyIENvcmUgU3lzdGVtIExpYnJhcmllcyBD
+ZXJ0aWZpY2F0ZTAeFw0yNDA5MTcxMDAyMzNaFw0yOTA5MTYxMDAyMzNaMIGYMQsw
+CQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
+EDAOBgNVBAoMB1R3aXR0ZXIxHjAcBgNVBAsMFUNvcmUgU3lzdGVtIExpYnJhcmll
+czEyMDAGA1UEAwwpVHdpdHRlciBDb3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2VydGlm
+aWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFfMrz0mhgTUqVUwN+GXGP
+7gxa2iA9rIAa0IDSYta9GJBgsfJZU4UwGfcUiJetkGl5YkueeHxahKMcOMP7L7zq
+o34wfDAOBgNVHQ8BAf8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0R
+BC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6dGVzdC1lY3NlcnZlcjpkZXZlbDpsb2Nh
+bDAdBgNVHQ4EFgQUpW7jgu5CL8I/eJp8vbsXEOIF4H0wCgYIKoZIzj0EAwIDSAAw
+RQIgeSeLfQW7acX695k1hAMA5MrVHeH7di70alhykmTIjWwCIQDDOjQhtypBW6Ox
+uw3PORgOs5Pxd56ZSbnyBU8fs2rQWA==
 -----END CERTIFICATE-----
diff --git a/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt b/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt
@@ -1,14 +1,17 @@
 -----BEGIN CERTIFICATE-----
-MIICGzCCAcGgAwIBAgIJAJFtdyp/q4rHMAoGCCqGSM49BAMCMGQxCzAJBgNVBAYT
-AlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UE
-CgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMB4XDTIy
-MDkxNTE4MjU0MloXDTI0MDkxNDE4MjU0MlowZDELMAkGA1UEBhMCVVMxCzAJBgNV
-BAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdUd2l0dGVy
-MR4wHAYDVQQLDBVDb3JlIFN5c3RlbSBMaWJyYXJpZXMwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAARGSaK+Nh0eKZLGSfZoeAZ0y0eogtFdHUdOWZWteCxKgI/8iyuT
-23vXKN5WJcegJB4PGA3sj5jdZvYzzgwi+zHco1wwWjALBgNVHQ8EBAMCBDAwEwYD
-VR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0RBC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6
-dGVzdC1lY2NsaWVudDpkZXZlbDpsb2NhbDAKBggqhkjOPQQDAgNIADBFAiAY3J+U
-+WOpyIA11KknEOkRmdMkMSEJuCCvsitPy57kMQIhAIfqbFFKAtgdbUPRhIfUMf0r
-Lz9NmiJ25XPw+BDRuA9B
+MIICozCCAkqgAwIBAgIUOcBaED2Eh6u77gea6z767RLn7sowCgYIKoZIzj0EAwIw
+gYsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j
+aXNjbzEQMA4GA1UECgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGli
+cmFyaWVzMSUwIwYDVQQDDBxDb3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2xpZW50MB4X
+DTI0MDkxNzEwMDcwNFoXDTI5MDkxNjEwMDcwNFowgYsxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UECgwHVHdp
+dHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMSUwIwYDVQQDDBxD
+b3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0D
+AQcDQgAEBXzK89JoYE1KlVMDfhlxj+4MWtogPayAGtCA0mLWvRiQYLHyWVOFMBn3
+FIiXrZBpeWJLnnh8WoSjHDjD+y+86qOBiTCBhjAdBgNVHQ4EFgQUpW7jgu5CL8I/
+eJp8vbsXEOIF4H0wHwYDVR0jBBgwFoAUpW7jgu5CL8I/eJp8vbsXEOIF4H0wDAYD
+VR0TAQH/BAIwADA2BgNVHREELzAthit0d3RyOnN2Yzpjc2wtdGVzdDp0ZXN0LWVj
+Y2xpZW50OmRldmVsOmxvY2FsMAoGCCqGSM49BAMCA0cAMEQCICyTazdx7PwpLOtU
++tjQNl8z73JbUs6oIAO7knk04zicAiAomS6rW9Uf4nVXaWaRVjL5HbQVhwA4ZJp0
+owLQ/3d39Q==
 -----END CERTIFICATE-----
diff --git a/finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf b/finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf
@@ -0,0 +1,27 @@
+[ req ]
+default_bits       = 256
+default_md         = sha256
+distinguished_name = req_distinguished_name
+req_extensions     = req_ext
+prompt             = no
+
+[ req_distinguished_name ]
+C  = US
+ST = CA
+L  = San Francisco
+O  = Twitter
+OU = Core System Libraries
+CN = Twitter Core System Libraries Certificate
+
+[ req_ext ]
+subjectAltName = @alt_names
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth
+
+[ alt_names ]
+URI.1 = twtr:svc:csl-test:test-ecserver:devel:local
+
+[ v3_ca ]
+keyUsage = critical, keyEncipherment, dataEncipherment
+extendedKeyUsage = TLS Web Client Authentication
+subjectAltName = @alt_names
diff --git a/finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf b/finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf
@@ -0,0 +1,27 @@
+[ req ]
+distinguished_name  = req_distinguished_name
+x509_extensions     = v3_req
+prompt              = no
+
+[ req_distinguished_name ]
+C  = US
+ST = CA
+L  = San Francisco
+O  = Twitter
+OU = Core System Libraries
+CN = Core System Libraries Client
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = critical, KeyEncipherment, DataEncipherment
+extendedKeyUsage = TLS Web Client Authentication
+subjectAltName = @alt_names
+
+[ alt_names ]
+URI.1 = twtr:svc:csl-test:test-ecclient:devel:local
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:FALSE
+subjectAltName = @alt_names
diff --git a/finagle-core/src/test/resources/ssl/keys/test-ec-key.pem b/finagle-core/src/test/resources/ssl/keys/test-ec-key.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIAYh4d/7S1NkOYmhLe0EIajAP+pnQ4icN0cqOkfkZjFXoAoGCCqGSM49
+AwEHoUQDQgAEBXzK89JoYE1KlVMDfhlxj+4MWtogPayAGtCA0mLWvRiQYLHyWVOF
+MBn3FIiXrZBpeWJLnnh8WoSjHDjD+y+86g==
+-----END EC PRIVATE KEY-----
diff --git a/finagle-core/src/test/scala/BUILD b/finagle-core/src/test/scala/BUILD
@@ -60,7 +60,6 @@ junit_tests(
     # env_local is tag for bazel only, added due to DPB-14188
     tags = [
         "bazel-compatible",
-        "known-to-fail-jira:CSL-12418",
     ],
     dependencies = [
         ":pushsession-utils",