test: add additional test certs #4353
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maddeleine
reviewed
Jan 22, 2024
- remove unused artifacts (server cert, intermediate cert and key) - also add more pss examples and a better readme
maddeleine
reviewed
Jan 23, 2024
| @@ -121,25 +138,45 @@ cert-gen () { | |||
| echo "verifying client certificates" | |||
| openssl verify -CAfile ca-cert.pem client-cert.pem | |||
|
|
|||
| echo "cleaning up temporary files" | |||
There was a problem hiding this comment.
One thing I just noticed is that the ca-cert gets added to the server-chain.pem (line 132). It probably shouldn't be in there, root certs aren't actually sent over the wire since the verifier should already have it.
There was a problem hiding this comment.
At least for AWS services, it seems to be common practice to include the root CA in the chain sent by the server. E.g. S3 returns the leaf, intermediate, root CA, and old CA that cross-signed the Amazon Root
- forgot to remove printf statement :'(
maddeleine
approved these changes
Jan 23, 2024
dougch
approved these changes
Jan 24, 2024
| cert-gen rsa 2048 rsa2048 | ||
| cert-gen rsa 3072 rsa3072 | ||
| cert-gen rsa 4096 rsa4096 | ||
| # key signature key_size digest directory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
generate-certs.shscript to also generate certs with different digestsgenerate-certs.shscript to thetest/pemsfoldertestlib.hCall-outs:
We could this certs to remove some of the free-floating, non reproducible certs that we currently rely on. However the PR seems large enough as is, so I think it's better to wait for the future on that.
Testing:
This is currently being used for test certs in my cert-key-restriction branch.
Existing tests should continue to pass, including the benchmark harness tests which rely on these.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.