test/common/ssl: check-in expired SSL certs to avoid OS X generation failure

test/common/ssl/context_impl_test.cc

@@ -109,8 +109,8 @@ TEST_F(SslContextImplTest, TestExpiringCert) {
 TEST_F(SslContextImplTest, TestExpiredCert) {
   std::string json = R"EOF(
   {
-      "cert_chain_file": "{{ test_tmpdir }}/unittestcert_expired.pem",
-      "private_key_file": "{{ test_tmpdir }}/unittestkey_expired.pem"
+      "cert_chain_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_cert.pem",
+      "private_key_file": "{{ test_rundir }}/test/common/ssl/test_data/unittest_expired_key.pem"
   }
   )EOF";
 

test/common/ssl/gen_unittest_certs.sh

@@ -1,11 +1,14 @@
 #!/bin/bash
 #
-# Create a test certificate with a 15-day expiration for SSL tests
+# Create a test certificate with a 15-day expiration for SSL tests.
 
 set -e
 
-TEST_CERT_DIR=$TEST_TMPDIR
-export OPENSSL_CONF="$TEST_CERT_DIR"/openssl.cnf
+TEST_CERT_DIR="${TEST_TMPDIR}"
+
+mkdir -p "${TEST_CERT_DIR}"
+
+export OPENSSL_CONF="${TEST_CERT_DIR}"/openssl.cnf
 (cat << EOF
 [ req ]
 default_bits            = 2048
@@ -33,24 +36,10 @@ commonName_max                  = 64
 emailAddress                    = Email Address
 emailAddress_max                = 64
 EOF
-) > "$OPENSSL_CONF"
+) > "${OPENSSL_CONF}"
 
-mkdir -p $TEST_CERT_DIR
-openssl genrsa -out $TEST_CERT_DIR/unittestkey.pem 1024
-openssl genrsa -out $TEST_CERT_DIR/unittestkey_expired.pem 1024
-openssl req -new -key $TEST_CERT_DIR/unittestkey.pem -out $TEST_CERT_DIR/unittestcert.csr \
-    -sha256 <<EOF
-US
-California
-San Francisco
-Lyft
-Test
-Unit Test CA
-unittest@lyft.com
-
-
-EOF
-openssl req -new -key $TEST_CERT_DIR/unittestkey_expired.pem -out $TEST_CERT_DIR/unittestcert_expired.csr \
+openssl genrsa -out "${TEST_CERT_DIR}/unittestkey.pem" 1024
+openssl req -new -key "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.csr" \
     -sha256 <<EOF
 US
 California
@@ -62,7 +51,5 @@ unittest@lyft.com
 
 
 EOF
-openssl x509 -req -days 15 -in $TEST_CERT_DIR/unittestcert.csr -sha256 -signkey \
-    $TEST_CERT_DIR/unittestkey.pem -out $TEST_CERT_DIR/unittestcert.pem
-openssl x509 -req -days -365 -in $TEST_CERT_DIR/unittestcert_expired.csr -sha256 -signkey \
-    $TEST_CERT_DIR/unittestkey_expired.pem -out $TEST_CERT_DIR/unittestcert_expired.pem
+openssl x509 -req -days 15 -in "${TEST_CERT_DIR}/unittestcert.csr" -sha256 \
+    -signkey "${TEST_CERT_DIR}/unittestkey.pem" -out "${TEST_CERT_DIR}/unittestcert.pem"

test/common/ssl/test_data/README.md

@@ -1,11 +1,11 @@
 # What are the identities, certificates and keys
-There are 6 identities:
+There are 8 identities:
 - **CA**: Certificate Authority for **No SAN**, **SAN With URI** and **SAN With
   DNS**. It has the self-signed certificate *ca_cert.pem*. *ca_key.pem* is its
   private key.
--- **Fake CA**: Fake Certificate Authority used to validate verification logic.
--  It has the self-signed certificate *fake_ca_cert.pem"*. *fake_ca_key.pem" is
--  its private key.
+- **Fake CA**: Fake Certificate Authority used to validate verification logic.
+  It has the self-signed certificate *fake_ca_cert.pem"*. *fake_ca_key.pem" is
+  its private key.
 - **No SAN**: It has the certificate *no_san_cert.pem*, signed by the **CA**.
   The certificate does not have SAN field. *no_san_key.pem* is its private key.
 - **SAN With URI**: It has the certificate *san_uri_cert.pem*, which is signed
@@ -21,11 +21,18 @@ There are 6 identities:
 - **SAN only**: Same as *SAN With DNS* except that the certificate doesn't have the
   CommonName set. It has certificate *san_only_dns_cert.pem*, *san_only_dns_key.pem*
   is its private key.
-- **Self-signed**: The self-signed certificate *selfsigned_cert.pem", using the
+- **Self-signed**: The self-signed certificate *selfsigned_cert.pem*, using the
   config *selfsigned_cert.cfg*. *selfsigned_key.pem* is its private key.
+- **Unit Test Expired**: A self-signed, expired certificate *unittest_expired_cert.pem*,
+  using the config *unittest_expired_cert.cnf*. *unitest_expired_key.pem* is its private
+  key.
+
 
 # How to update certificates
 **certs.sh** has the commands to generate all files except the private key
 files. Running certs.sh directly will cause the certificate files to be
 regenerated. So if you want to regenerate a particular file, please copy the
 corresponding commands from certs.sh and execute them in command line.
+
+Note that Mac OS is unable to generate the expired unit test cert starting
+with its switch from OpenSSL to LibreSSL in High Sierra (10.13).

test/common/ssl/test_data/certs.sh

@@ -11,6 +11,7 @@ set -e
 # openssl genrsa -out san_multiple_dns_key.pem 1024
 # openssl genrsa -out san_uri_key.pem 1024
 # openssl genrsa -out selfsigned_key.pem 1024
+# openssl genrsa -out unittest_expired_key.pem 1024
 
 # Generate ca_cert.pem.
 openssl req -new -key ca_key.pem -out ca_cert.csr -config ca_cert.cfg -batch -sha256
@@ -55,5 +56,9 @@ openssl rand 80 > ticket_key_a
 openssl rand 80 > ticket_key_b
 openssl rand 79 > ticket_key_wrong_len
 
+# Generate unittest_expired_cert.pem (will fail on Mac OS 10.13+, see README.md).
+openssl req -new -key unittest_expired_key.pem -out unittest_expired_cert.csr -config unittest_expired_cert.cfg -batch -sha256
+openssl x509 -req -days -365 -in unittest_expired_cert.csr -signkey unittest_expired_key.pem -out unittest_expired_cert.pem
+
 rm *csr
 rm *srl

test/common/ssl/test_data/unittest_expired_cert.cfg

@@ -0,0 +1,27 @@
+[ req ]
+default_bits            = 2048
+distinguished_name      = req_distinguished_name
+
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = US
+countryName_min                 = 2
+countryName_max                 = 2
+
+stateOrProvinceName             = State or Province Name (full name)
+stateOrProvinceName_default     = California
+
+localityName                    = Locality Name (eg, city)
+localityName_default            = San Francisco
+0.organizationName              = Organization Name (eg, company)
+0.organizationName_default      = Lyft
+
+organizationalUnitName          = Organizational Unit Name (eg, section)
+organizationalUnitName_default  = Test
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
+commonName_max                  = 64
+commonName_default              = Unit Test CA
+
+emailAddress                    = Email Address
+emailAddress_max                = 64
+emailAddress_default            = unittest@lyft.com

test/common/ssl/test_data/unittest_expired_cert.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICmzCCAgQCCQChJeVNFMOzyDANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMC
+VVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x
+DTALBgNVBAoMBEx5ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVz
+dCBDQTEgMB4GCSqGSIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wHhcNMTgwMTE4
+MDEwMDE5WhcNMTcwMTE4MDEwMDE5WjCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgM
+CkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNVBAoMBEx5
+ZnQxDTALBgNVBAsMBFRlc3QxFTATBgNVBAMMDFVuaXQgVGVzdCBDQTEgMB4GCSqG
+SIb3DQEJARYRdW5pdHRlc3RAbHlmdC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAL9RYeyNkS3mXJwsmRJgl2M6hMeAP1O11uSwbru9sWitb1brdhCRQGIc
+4OopVXoyg97mm0DjuC61+OJwpFrMlIxu56i1Lf5n7CEL1WDncO5SEf6ihsK+fUcA
+eX9kBw1Puuj9bYlYFHFu1O8r+N1R2mHI/zrwh5oPk81erZ279dxLAgMBAAEwDQYJ
+KoZIhvcNAQELBQADgYEAAoDpwg3mH37Rf/EK0VGnV31Obwls6F34Xd0+AcfCQQA/
+h9vWox2AXWQqZ0ypCdPSsR5G47E3s8JY51NVamKcwMoy4kMsgn/DFY/t7wV85o2Y
+Z48tMPR86GbhwPEYrYH7yM56FGi0X+MoekRPG7TCMTpJUJDnSJyBKo2r4nSq2oU=
+-----END CERTIFICATE-----

test/common/ssl/test_data/unittest_expired_key.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC/UWHsjZEt5lycLJkSYJdjOoTHgD9TtdbksG67vbForW9W63YQ
+kUBiHODqKVV6MoPe5ptA47gutfjicKRazJSMbueotS3+Z+whC9Vg53DuUhH+oobC
+vn1HAHl/ZAcNT7ro/W2JWBRxbtTvK/jdUdphyP868IeaD5PNXq2du/XcSwIDAQAB
+AoGAcVkaFzhYh0UwIScbGZQ4nQWSnVASNNpLEvqk4H4mmcoHaQvfyzkDWB2b85/B
+kMBU+L7PxMYl3Sba6e2qslD6wKEZRmxbGpssgLHWlWr/h8CXEVEmEh60I2VrDIcx
+3h4Fdb4Rhx6d3EPnYaK2Zj+7m+LP1ipeAbLPMwABsPdIKcECQQD31ruLp+ido/cR
+2fTTptGEo2LJ4xvySkB1LofL+9bzz5I0hCoMMGEXJ0egezAT8T+vTbweonbyny65
+YKXzAhxpAkEAxZ4ujkirfjqVOAq5J4KSUYpyH4h+ErSAdHbdatn+AFRiE1BZkpb1
+Fny/0gLnxnTU/zeKns9aVQteEGwOEEGskwJAFymle4bk0Z7aX3u8Su+jUz8l43Jr
+UTipT4pavLC7xSuYIXpcp6j52f0cz53Tv3ljl1GvjDlo3oIMDt0+hTikSQJBALYU
+aRDwJBLKJ3Lbbn3Y8Lfwt/YV7ROO/ExSuPAaqs3i8fqZre5C6M8vYg4+Xw+b1iTR
+KAfrRW/WaXT4Gn0gBcECQQDK6bFpQuoEZTFqThfmvfurnNZDnfWaK6As9DW0F6lA
+FMr1bcuJqVxW85hWwnf7is8sEHXUNUV3z56GFTW4S5PC
+-----END RSA PRIVATE KEY-----