starknet_transaction_prover: add TLS integration tests

avi-starkware · avi-starkware · commit b062874a8d06 · 2026-05-17T18:41:23.000+03:00
Adds end-to-end HTTPS tests against a self-signed test certificate
checked into resources/test_tls/: a successful HTTPS JSON-RPC roundtrip
on starknet_specVersion, a plain-HTTP-against-TLS-server negative test,
and unit tests around load_tls_acceptor covering missing cert/key
paths, invalid PEM contents, and the happy path.

To allow co-located tests in tls_test.rs to call it, load_tls_acceptor
is bumped from private to pub(crate); no API surface is exposed
outside the crate.
diff --git a/crates/starknet_transaction_prover/resources/test_tls/README.md b/crates/starknet_transaction_prover/resources/test_tls/README.md
@@ -0,0 +1,25 @@
+# Test TLS Material
+
+**This directory contains a self-signed certificate and its private key used
+exclusively by the unit tests in `src/server/tls_test.rs`.**
+
+The key is intentionally checked into the repository — it is a test fixture,
+not a secret. Do not reuse this material outside of test code.
+
+## Properties
+
+- Subject: `CN=localhost`
+- SAN: `DNS:localhost,IP:127.0.0.1`
+- Validity: 100 years from generation
+- Key: 2048-bit RSA, unencrypted
+
+## Regenerating
+
+```bash
+openssl req -x509 -newkey rsa:2048 \
+  -keyout crates/starknet_transaction_prover/resources/test_tls/key.pem \
+  -out   crates/starknet_transaction_prover/resources/test_tls/cert.pem \
+  -sha256 -days 36500 -nodes \
+  -subj "/CN=localhost" \
+  -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+```
diff --git a/crates/starknet_transaction_prover/resources/test_tls/cert.pem b/crates/starknet_transaction_prover/resources/test_tls/cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDJzCCAg+gAwIBAgIUCfCD8/3lfYaThN2hDz8c4CIbTDowDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MCAXDTI2MDUxNzE1Mjk0N1oYDzIxMjYw
+NDIzMTUyOTQ3WjAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQCcDEcAhUbdyBnUkIGykVCvNtXVg+sHYlvTTYnpasxM
+iUyY9jyoLYJlBPZjmNPipDd67REL2fGa7q3hkkkHAy4BxdYIqE2l9fPkX2unY/nS
+OWDemwPgOXEorcDWJC/kIVwNtVdqfLKG22d88QUvMe4rqUCA6J32dQv1/UAQ9OKw
+9kVQ3NAwGTMG2e61A3Ueur0DBmtap5YSn7IlT3HKQXSkTX08V7MCf8W9N3/Bg01h
+a7yAtNiQX66Gs4y/8CsM7eTBnLt4e0MVyhSJ9Zj2Ibpatr/YyWAhaW8p7y4sGo50
+3ovQ6isrOO8ayi6d7fYVCI27NDoiSmJ67okfQk0rf3DJAgMBAAGjbzBtMB0GA1Ud
+DgQWBBQdz7tV14UJxD6RchjKEDz61wgN/zAfBgNVHSMEGDAWgBQdz7tV14UJxD6R
+chjKEDz61wgN/zAPBgNVHRMBAf8EBTADAQH/MBoGA1UdEQQTMBGCCWxvY2FsaG9z
+dIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAIiAb1/7gA/NXMck/k3WGnYCp3Aut
+rYDbfq1fwG/GJZ572qd9XREtuC198QPpQ04yjv7v2sspeWFqAS8e+Gr67h1cQ7q/
+mEnGPXQBKQ9r4TSamsFHnrh5x/J9Ec/hBXU9xd8OemZ+o00Itxn1FWwDBvudzfOA
+1IJ/7RNxmhUK2/dOOS9Jo5zGhRX/f6s8qmW6ZX2dRpvio3YqV30LpVSBZMsfQiWv
+dRHcl5xVoxxtvSkKt1Ou8VE2SEl61c7+Gb3zPBxOdT59QDFGZvX9PC8fPsOq2dNh
+ZhYJ4UJfWP5lMa372GATdPjVlZSf575xDpagUgSEKxEyCd7XC2k/p00u+w==
+-----END CERTIFICATE-----
diff --git a/crates/starknet_transaction_prover/resources/test_tls/key.pem b/crates/starknet_transaction_prover/resources/test_tls/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCcDEcAhUbdyBnU
+kIGykVCvNtXVg+sHYlvTTYnpasxMiUyY9jyoLYJlBPZjmNPipDd67REL2fGa7q3h
+kkkHAy4BxdYIqE2l9fPkX2unY/nSOWDemwPgOXEorcDWJC/kIVwNtVdqfLKG22d8
+8QUvMe4rqUCA6J32dQv1/UAQ9OKw9kVQ3NAwGTMG2e61A3Ueur0DBmtap5YSn7Il
+T3HKQXSkTX08V7MCf8W9N3/Bg01ha7yAtNiQX66Gs4y/8CsM7eTBnLt4e0MVyhSJ
+9Zj2Ibpatr/YyWAhaW8p7y4sGo503ovQ6isrOO8ayi6d7fYVCI27NDoiSmJ67okf
+Qk0rf3DJAgMBAAECggEAQmpDSehvifMhc0Pxv4NzmK85AX/85w6o0F0fBlZrD2Qc
+UrnyhQ2hgsdC6o7gF4UXC92cNLQUzYEqRmhRZoem7CA8gUDIk4sDu74U/pBhgmTj
+YrsNQkCQdeTFvx51t52vJTJ6OxtJjHYTLK0ULMsOeEy35GWc3Ylhhte7jbv8Q55S
+wSwmCqxnEj6+5HlAeOIC2LJnrerDEejlTpXH1HCEsTH0dd4EQ/sHixzNVt2MSHDU
+fjhsmTl6kTO+RcIPoohuUSMrtrN9j/T4GxcrZqqwdzws/KMg1GYWvRxBJQHuO1yl
+5ivhA4sjE8cmN2SbcgrYa3R7aK3XzrCmxx4DKHNYlQKBgQDWeS4BIVEIKwzjjQOC
+RPhPg4Zo+0xYzceq4Q7ERn6mBojsLxNF91Z0Yx32rDpQziV1FESe0xmWneRCIjP8
+Ua31MU5FeH1GI7q0RyWD7XoUTI8io8cFdMiQEbRrYqARVrHun6NpBHIUG5Z5az8L
+JWRP/P0QN90cgkgLnqwxFicHywKBgQC6Qx7ej5cPBBf/m8Aijmd8cUDqrmk6A4Zc
+df8IjsfMdkv7H29qBip4KgNuThREaTq5fuCqgKvVKUgmudEFousfuWjzJsICBE9h
+4DGFDUxPBYyUFf70PmlQ8e4avvNg1Cx5VgIt4M2IAsUmiAC/52y14R67u7MfQP7q
+UWU3YitPOwKBgQCkq/A9n+YGnn9L68aI7Am3i2XVDzXEbWNj+V8MJpAxS40vwslK
+jCjOPhgQgJZZ2p358fDp/W2FLn/Go1pE3jXxr8TIJEYTZ3V/26ybSefU1B+GWjeC
+IfOoYl+jn9sE1QrTC7E8/dPVSoVTfpuuJCyMGdP38tyLeiB1A4R0P+0B1wKBgAtZ
+79Wsdo5Jt5SyT0FL4G6rEEO9IViRwmx8HHDPEsoZI4RIZCfX/FqaZN8iDwYkS5nm
+a5a4hMBW5bjGdkCbryydxhGbeRNaY+QZH6t2JgJi2jBkLsd/zjdKpzImFPr/sz4p
+ybQ2ERCK6qzweOs5FVz4PUE/rSjocyCgmUSIzQ7lAoGAE+Vc2EeHPxFRZgVSFS6m
+SEl5p5h8Wfr39+HKBSVd1P7QMHAFN11yXrGhIrRnAkI37chSvNtwLbTLicHuY127
+zEVAVXATvTZosErLp8WuNCxnb/1PxBVv1RMxJHm0ibjfRuWpDF+Gstn6ESQYKyPU
+Z84XK248kL9fShkmRNRujGI=
+-----END PRIVATE KEY-----
diff --git a/crates/starknet_transaction_prover/src/server.rs b/crates/starknet_transaction_prover/src/server.rs
@@ -39,6 +39,8 @@ pub mod tls;
 mod cors_test;
 #[cfg(test)]
 mod rpc_spec_test;
+#[cfg(test)]
+mod tls_test;
 
 #[cfg(test)]
 #[path = "server/ohttp_integration_test.rs"]
diff --git a/crates/starknet_transaction_prover/src/server/tls.rs b/crates/starknet_transaction_prover/src/server/tls.rs
@@ -138,7 +138,7 @@ pub async fn start_tls_server(
 }
 
 /// Loads a certificate chain and private key from PEM files and builds a TLS acceptor.
-fn load_tls_acceptor(cert_path: &Path, key_path: &Path) -> anyhow::Result<TlsAcceptor> {
+pub(crate) fn load_tls_acceptor(cert_path: &Path, key_path: &Path) -> anyhow::Result<TlsAcceptor> {
     let cert_pem = std::fs::read(cert_path)
         .with_context(|| format!("Failed to read TLS certificate file: {}", cert_path.display()))?;
     let cert_chain: Vec<CertificateDer<'static>> =
diff --git a/crates/starknet_transaction_prover/src/server/tls_test.rs b/crates/starknet_transaction_prover/src/server/tls_test.rs
@@ -0,0 +1,155 @@
+//! Integration tests for the TLS server bootstrap.
+//!
+//! Uses a self-signed certificate checked into `resources/test_tls/`. The cert covers
+//! `CN=localhost` (+ SAN `DNS:localhost`) and is valid for 100 years; regenerate with:
+//!
+//! ```bash
+//! openssl req -x509 -newkey rsa:2048 \
+//!   -keyout crates/starknet_transaction_prover/resources/test_tls/key.pem \
+//!   -out   crates/starknet_transaction_prover/resources/test_tls/cert.pem \
+//!   -sha256 -days 36500 -nodes \
+//!   -subj "/CN=localhost" \
+//!   -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+//! ```
+
+use std::io::Write;
+use std::net::SocketAddr;
+use std::path::{Path, PathBuf};
+
+use serde_json::Value;
+use tempfile::NamedTempFile;
+
+use crate::server::mock_rpc::MockProvingRpc;
+use crate::server::rpc_api::ProvingRpcServer;
+use crate::server::rpc_impl::SPEC_VERSION;
+use crate::server::tls::{load_tls_acceptor, start_tls_server};
+
+/// Installs the default rustls crypto provider (aws-lc-rs) if not already installed.
+/// Required by reqwest when using rustls-based TLS.
+fn ensure_crypto_provider() {
+    let _ = tokio_rustls::rustls::crypto::aws_lc_rs::default_provider().install_default();
+}
+
+fn test_cert_path() -> PathBuf {
+    Path::new(env!("CARGO_MANIFEST_DIR")).join("resources/test_tls/cert.pem")
+}
+
+fn test_key_path() -> PathBuf {
+    Path::new(env!("CARGO_MANIFEST_DIR")).join("resources/test_tls/key.pem")
+}
+
+/// Reads the checked-in self-signed test certificate as PEM bytes.
+fn read_test_cert_pem() -> Vec<u8> {
+    std::fs::read(test_cert_path()).expect("Failed to read test cert.pem")
+}
+
+/// Writes PEM bytes to a temporary file and returns the handle.
+fn write_pem_to_tempfile(pem_bytes: &[u8]) -> NamedTempFile {
+    let mut file = NamedTempFile::new().expect("Failed to create temp file");
+    file.write_all(pem_bytes).expect("Failed to write PEM");
+    file.flush().expect("Failed to flush PEM file");
+    file
+}
+
+/// Starts a TLS server with mock RPC methods, returns (addr, server_handle, cert_pem).
+async fn start_test_tls_server() -> (SocketAddr, jsonrpsee::server::ServerHandle, Vec<u8>) {
+    let methods = MockProvingRpc::from_expected_json().into_rpc();
+    let addr: SocketAddr = "127.0.0.1:0".parse().unwrap();
+
+    let (local_addr, handle) = start_tls_server(
+        addr,
+        &test_cert_path(),
+        &test_key_path(),
+        methods,
+        10,              // max_connections
+        5 * 1024 * 1024, // max_request_body_size
+        None,            // cors_layer
+        None,            // ohttp_layer
+    )
+    .await
+    .expect("Failed to start TLS server");
+
+    (local_addr, handle, read_test_cert_pem())
+}
+
+#[tokio::test]
+async fn test_https_spec_version_succeeds() {
+    ensure_crypto_provider();
+    let (addr, handle, cert_pem) = start_test_tls_server().await;
+
+    let cert = reqwest::tls::Certificate::from_pem(&cert_pem)
+        .expect("Failed to parse certificate for reqwest");
+    let client = reqwest::Client::builder()
+        .add_root_certificate(cert)
+        .build()
+        .expect("Failed to build HTTPS client");
+
+    let body = serde_json::json!({
+        "jsonrpc": "2.0",
+        "id": "1",
+        "method": "starknet_specVersion"
+    });
+
+    let response = client
+        .post(format!("https://localhost:{}", addr.port()))
+        .json(&body)
+        .send()
+        .await
+        .expect("HTTPS request failed");
+
+    assert_eq!(response.status(), 200);
+
+    let json: Value = response.json().await.expect("Failed to parse response JSON");
+    assert_eq!(json["result"].as_str().unwrap(), SPEC_VERSION);
+
+    handle.stop().expect("Failed to stop server");
+}
+
+#[tokio::test]
+async fn test_http_to_tls_server_fails() {
+    ensure_crypto_provider();
+    let (addr, handle, _cert_pem) = start_test_tls_server().await;
+
+    let client = reqwest::Client::new();
+    let body = serde_json::json!({
+        "jsonrpc": "2.0",
+        "id": "1",
+        "method": "starknet_specVersion"
+    });
+
+    // Plain HTTP to a TLS server should fail (connection or protocol error).
+    let result = client.post(format!("http://localhost:{}", addr.port())).json(&body).send().await;
+
+    assert!(result.is_err(), "Expected HTTP to TLS server to fail, but got: {result:?}");
+
+    handle.stop().expect("Failed to stop server");
+}
+
+#[test]
+fn test_load_tls_acceptor_missing_cert_file() {
+    let key_file = write_pem_to_tempfile(b"dummy key content");
+    let result = load_tls_acceptor("/nonexistent/cert.pem".as_ref(), key_file.path());
+    assert!(result.is_err(), "Expected error for missing cert file");
+}
+
+#[test]
+fn test_load_tls_acceptor_missing_key_file() {
+    let cert_file = write_pem_to_tempfile(b"dummy cert content");
+    let result = load_tls_acceptor(cert_file.path(), "/nonexistent/key.pem".as_ref());
+    assert!(result.is_err(), "Expected error for missing key file");
+}
+
+#[test]
+fn test_load_tls_acceptor_invalid_pem() {
+    let cert_file = write_pem_to_tempfile(b"not a valid PEM certificate");
+    let key_file = write_pem_to_tempfile(b"not a valid PEM key");
+    let result = load_tls_acceptor(cert_file.path(), key_file.path());
+    assert!(result.is_err(), "Expected error for invalid PEM content");
+}
+
+#[test]
+fn test_load_tls_acceptor_succeeds_for_valid_files() {
+    // Sanity check that the checked-in test cert/key actually load as a TLS acceptor.
+    load_tls_acceptor(&test_cert_path(), &test_key_path())
+        .expect("Expected test cert/key to load successfully");
+}

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ pub async fn start_tls_server(`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`/// Loads a certificate chain and private key from PEM files and builds a TLS acceptor.`
`141`		`-fn load_tls_acceptor(cert_path: &Path, key_path: &Path) -> anyhow::Result<TlsAcceptor> {`
	`141`	`+pub(crate) fn load_tls_acceptor(cert_path: &Path, key_path: &Path) -> anyhow::Result<TlsAcceptor> {`
`142`	`142`	`let cert_pem = std::fs::read(cert_path)`
`143`	`143`	`.with_context(\|\| format!("Failed to read TLS certificate file: {}", cert_path.display()))?;`
`144`	`144`	`let cert_chain: Vec<CertificateDer<'static>> =`