Generate ephemeral certificates for TLS tests (#3611)

Signed-off-by: guptapratykshh <[email protected]>

Author: guptapratykshh

io/js/src/test/scala/fs2/io/JsCertificateProvider.scala

@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2013 Functional Streams for Scala
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package fs2.io
+
+import cats.effect.IO
+import fs2.io.file.Files
+import scodec.bits.ByteVector
+import scala.concurrent.duration._
+
+/** Platform-specific implementation for JS platform using OpenSSL.
+  */
+private[io] object PlatformSpecificCertificateProvider {
+
+  def create: IO[TestCertificateProvider] = IO.pure(new JsCertificateProvider)
+
+  private class JsCertificateProvider extends TestCertificateProvider {
+
+    def getCertificatePair: IO[TestCertificateProvider.CertificatePair] =
+      Files[IO].tempDirectory.use { tempDir =>
+        val certPath = tempDir / "cert.pem"
+        val keyPath = tempDir / "key.pem"
+
+        val cmd = List(
+          "openssl",
+          "req",
+          "-x509",
+          "-newkey",
+          "rsa:2048",
+          "-keyout",
+          keyPath.toString,
+          "-out",
+          certPath.toString,
+          "-days",
+          "365",
+          "-nodes",
+          "-subj",
+          "/CN=localhost/O=FS2 Tests",
+          "-addext",
+          "subjectAltName=DNS:localhost,IP:127.0.0.1",
+          "-sha256"
+        )
+
+        def run(cmd: List[String]): IO[Unit] =
+          fs2.io.process.ProcessBuilder(cmd.head, cmd.tail: _*).spawn[IO].use { p =>
+            p.exitValue.flatMap {
+              case 0 => IO.unit
+              case n =>
+                IO.raiseError(new RuntimeException(s"Command ${cmd.head} failed with exit code $n"))
+            }
+          }
+
+        for {
+          _ <- run(cmd)
+          _ <- IO.sleep(1.second)
+          cert <- Files[IO].readAll(certPath).compile.to(ByteVector)
+          key <- Files[IO].readAll(keyPath).compile.to(ByteVector)
+          certString <- Files[IO].readAll(certPath).through(fs2.text.utf8.decode).compile.string
+          keyString <- Files[IO].readAll(keyPath).through(fs2.text.utf8.decode).compile.string
+        } yield TestCertificateProvider.CertificatePair(
+          certificate = cert,
+          privateKey = key,
+          certificateString = certString,
+          privateKeyString = keyString
+        )
+      }
+  }
+}

io/js/src/test/scala/fs2/io/net/tls/TLSSuite.scala

@@ -26,43 +26,30 @@ package tls
 
 import cats.effect.IO
 import cats.syntax.all._
-import fs2.io.file.Files
-import fs2.io.file.Path
-
-import scala.scalajs.js
 
 abstract class TLSSuite extends Fs2Suite {
 
   def testTlsContext(
       privateKey: Boolean,
       version: Option[SecureContext.SecureVersion] = None
-  ): IO[TLSContext[IO]] = Files[IO]
-    .readAll(Path("io/shared/src/test/resources/keystore.json"))
-    .through(text.utf8.decode)
-    .compile
-    .string
-    .flatMap(s => IO(js.JSON.parse(s).asInstanceOf[js.Dictionary[CertKey]]("server")))
-    .map { certKey =>
+  ): IO[TLSContext[IO]] = TestCertificateProvider.getCachedProvider.flatMap { provider =>
+    provider.getCertificatePair.map { certPair =>
       Network[IO].tlsContext.fromSecureContext(
         SecureContext(
           minVersion = version,
           maxVersion = version,
-          ca = List(certKey.cert.asRight).some,
-          cert = List(certKey.cert.asRight).some,
+          ca = List(certPair.certificateString.asRight).some,
+          cert = List(certPair.certificateString.asRight).some,
           key =
-            if (privateKey) List(SecureContext.Key(certKey.key.asRight, "password".some)).some
+            if (privateKey)
+              List(SecureContext.Key(certPair.privateKeyString.asRight, "password".some)).some
             else None
         )
       )
     }
+  }
 
   val logger = TLSLogger.Disabled
   // val logger = TLSLogger.Enabled(msg => IO(println(s"\u001b[33m${msg}\u001b[0m")))
 
 }
-
-@js.native
-trait CertKey extends js.Object {
-  def cert: String = js.native
-  def key: String = js.native
-}

io/jvm/src/test/scala/fs2/io/JvmJsCertificateProvider.scala

@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2013 Functional Streams for Scala
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package fs2.io
+
+import cats.effect.IO
+import scodec.bits.ByteVector
+
+import java.math.BigInteger
+import java.security.KeyPairGenerator
+import java.security.SecureRandom
+import java.util.Date
+import sun.security.x509.AlgorithmId
+import sun.security.x509.CertificateAlgorithmId
+import sun.security.x509.CertificateIssuerName
+import sun.security.x509.CertificateSerialNumber
+import sun.security.x509.CertificateSubjectName
+import sun.security.x509.CertificateValidity
+import sun.security.x509.CertificateVersion
+import sun.security.x509.CertificateX509Key
+import sun.security.x509.X500Name
+import sun.security.x509.X509CertImpl
+import sun.security.x509.X509CertInfo
+
+/** Platform-specific implementation for JVM and JS platforms that can generate certificates.
+  */
+private[io] object PlatformSpecificCertificateProvider {
+
+  def create: IO[TestCertificateProvider] = IO.pure(new JvmJsCertificateProvider)
+
+  private class JvmJsCertificateProvider extends TestCertificateProvider {
+
+    def getCertificatePair: IO[TestCertificateProvider.CertificatePair] =
+      IO(KeyPairGenerator.getInstance("RSA")).flatMap { keyPairGen =>
+        for {
+          _ <- IO(keyPairGen.initialize(2048, new SecureRandom()))
+          keyPair <- IO(keyPairGen.generateKeyPair())
+
+          // Create certificate info
+          certInfo = new X509CertInfo()
+
+          // Set validity period (1 year from now)
+          now = new Date()
+          expiration = new Date(now.getTime + 365L * 24 * 60 * 60 * 1000)
+          validity = new CertificateValidity(now, expiration)
+          _ <- IO(certInfo.set(CertificateValidity.NAME, validity))
+
+          // Set serial number
+          serial = new BigInteger(64, new SecureRandom())
+          _ <- IO(certInfo.set(CertificateSerialNumber.NAME, new CertificateSerialNumber(serial)))
+
+          // Set subject and issuer names
+          subject = new X500Name("CN=Unknown,O=Unknown,OU=FS2 Tests,L=Unknown,ST=Unknown,C=Unknown")
+          _ <- IO(certInfo.set(CertificateSubjectName.NAME, new CertificateSubjectName(subject)))
+          _ <- IO(certInfo.set(CertificateIssuerName.NAME, new CertificateIssuerName(subject)))
+
+          // Set public key
+          publicKey = keyPair.getPublic()
+          _ <- IO(certInfo.set(CertificateX509Key.NAME, new CertificateX509Key(publicKey)))
+
+          // Set version
+          _ <- IO(
+            certInfo.set(CertificateVersion.NAME, new CertificateVersion(CertificateVersion.V3))
+          )
+
+          // Set algorithm
+          algorithm = AlgorithmId.get("SHA256WithRSA")
+          _ <- IO(certInfo.set(CertificateAlgorithmId.NAME, new CertificateAlgorithmId(algorithm)))
+
+          // Sign the certificate
+          cert = new X509CertImpl(certInfo)
+          _ <- IO(cert.sign(keyPair.getPrivate(), "SHA256WithRSA"))
+
+          // Convert to PEM format
+          certBytes = cert.getEncoded
+          certPem = pemEncode("CERTIFICATE", certBytes)
+
+          // Convert private key to PEM format
+          privateKeyBytes = keyPair.getPrivate().getEncoded()
+          keyPem = pemEncode("PRIVATE KEY", privateKeyBytes)
+
+        } yield TestCertificateProvider.CertificatePair(
+          certificate = ByteVector.view(certBytes),
+          privateKey = ByteVector.view(privateKeyBytes),
+          certificateString = certPem,
+          privateKeyString = keyPem
+        )
+      }
+
+    /** Encodes binary data in PEM format
+      */
+    private def pemEncode(header: String, data: Array[Byte]): String = {
+      val base64 = java.util.Base64.getEncoder.encodeToString(data)
+      val lines = base64.grouped(64).toList
+      s"""-----BEGIN $header-----
+         |${lines.mkString("\n")}
+         |-----END $header-----""".stripMargin
+    }
+  }
+}