Skip to content

Update ct_helper #7821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 4, 2023
Merged

Update ct_helper #7821

merged 2 commits into from
Apr 4, 2023

Conversation

@lhoguin
Copy link
Contributor

@lhoguin lhoguin commented Apr 4, 2023

Since ct_helper removes erl_make_certs some tests needed to be updated to use public_key:pkix_test_data/1 instead.

Special care must be taken during review around the long chain test since we expect the trusted and untrusted certificates to be using the same chain (they are issued by the same intermediary certificate).

@lhoguin lhoguin requested a review from the-mikedavis April 4, 2023 10:45
@mergify mergify bot added the bazel label Apr 4, 2023
Update ct_helper
53c6d19 
Since ct_helper removes erl_make_certs some tests needed
to be updated to use public_key:pkix_test_data/1 instead.
@essen essen force-pushed the lh-update-ct-helper branch from 924ce52 to 53c6d19 Compare April 4, 2023 11:01
@lhoguin lhoguin marked this pull request as ready for review April 4, 2023 11:19
lhoguin
lhoguin commented Apr 4, 2023
View reviewed changes
the-mikedavis
the-mikedavis reviewed Apr 4, 2023
View reviewed changes
deps/rabbitmq_trust_store/test/system_SUITE.erl Outdated

TestDataTrusted = public_key:pkix_test_data(#{
root => [],
intermediaries => [[{key, KeyInter}]],
Copy link
Collaborator

@the-mikedavis the-mikedavis Apr 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at public_key:chain_opts() I think this should be intermediates. It looks like it's also expecting the dec key:

Suggested change
intermediaries => [[{key, KeyInter}]],
intermediates => [[{key, KeyInterDec}]],

This will also add a new cert to the cacerts list on L340

Copy link
Contributor Author

@lhoguin lhoguin Apr 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hah, this explains a few things I didn't understand.

deps/rabbitmq_trust_store/test/system_SUITE.erl Outdated
[CertInter, RootCA] = proplists:get_value(cacerts, TestDataTrusted),

TestDataUntrusted = public_key:pkix_test_data(#{
root => [#{cert => CertInter, key => KeyInter}],
Copy link
Collaborator

@the-mikedavis the-mikedavis Apr 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this is expecting a proplist or a map: https://github.com/erlang/otp/blob/e599897f91ca5f05b4d868c6776efad7e6c1ad8d/lib/public_key/src/pubkey_cert.erl#L505-L523. (pubkey_cert:root_cert/2 tries to get the key out of this with proplists:get/3.)

It also looks like this one expects the dec key:

Suggested change
root => [#{cert => CertInter, key => KeyInter}],
root => [{cert, CertInter}, {key, KeyInterDec}],

Or alternatively I think this should work:

Suggested change
root => [#{cert => CertInter, key => KeyInter}],
root => #{cert => CertInter, key => KeyInterDec},

Copy link
Contributor Author

@lhoguin lhoguin Apr 4, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The map is correct, just not fully documented. It's how you can pass the root certificate from pkix_test_root_cert. Interesting I didn't get a crash because of the list though.

@lhoguin
Copy link
Contributor Author

lhoguin commented Apr 4, 2023

Pushed a commit with the fixes. Noticed the root CA is returned twice in cacerts (first and last) and fixed that as well. We now get the correct intermediate certificate I think.

@lhoguin lhoguin requested a review from the-mikedavis April 4, 2023 15:18
the-mikedavis
the-mikedavis approved these changes Apr 4, 2023
View reviewed changes
Copy link
Collaborator

@the-mikedavis the-mikedavis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, thanks for updating this!

@michaelklishin michaelklishin merged commit b26b371 into main Apr 4, 2023
@michaelklishin michaelklishin deleted the lh-update-ct-helper branch April 4, 2023 17:52
@mergify mergify bot mentioned this pull request Apr 4, 2023
Merged
michaelklishin added a commit that referenced this pull request Apr 4, 2023
@michaelklishin
Merge pull request #7837 from rabbitmq/mergify/bp/v3.12.x/pr-7821
033319e 
Update ct_helper (backport #7821)
michaelklishin added a commit that referenced this pull request Apr 4, 2023
@michaelklishin
Merge pull request #7838 from rabbitmq/mergify/bp/v3.11.x/pr-7837
a3312e0 
Update ct_helper (backport #7821) (backport #7837)
michaelklishin added a commit that referenced this pull request Apr 5, 2023
@michaelklishin
Merge pull request #7839 from rabbitmq/mergify/bp/v3.10.x/pr-7838
4527d9e 
Update ct_helper (backport #7821) (backport #7837) (backport #7838)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@the-mikedavis the-mikedavis the-mikedavis approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@lhoguin @the-mikedavis @michaelklishin