diff --git a/Cargo.lock b/Cargo.lock index 6437e426be..14e77f9e89 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3298,12 +3298,13 @@ checksum = "f60fcc7d6849342eff22c4350c8b9a989ee8ceabc4b481253e8946b9fe83d684" [[package]] name = "rcgen" -version = "0.12.1" +version = "0.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1" +checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2" dependencies = [ "pem", "ring", + "rustls-pki-types", "time", "yasna", ] diff --git a/linkerd/meshtls/Cargo.toml b/linkerd/meshtls/Cargo.toml index 7e67a36ac3..1373c0fc13 100644 --- a/linkerd/meshtls/Cargo.toml +++ b/linkerd/meshtls/Cargo.toml @@ -29,7 +29,7 @@ linkerd-tls = { path = "../tls" } [dev-dependencies] tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] } tracing = "0.1" -rcgen = "0.12.0" +rcgen = "0.13.2" linkerd-conditional = { path = "../conditional" } linkerd-proxy-transport = { path = "../proxy/transport" } diff --git a/linkerd/meshtls/tests/util.rs b/linkerd/meshtls/tests/util.rs index 7b7d6592fa..2060cc4a34 100644 --- a/linkerd/meshtls/tests/util.rs +++ b/linkerd/meshtls/tests/util.rs @@ -18,7 +18,7 @@ use linkerd_stack::{ }; use linkerd_tls as tls; use linkerd_tls_test_util as test_util; -use rcgen::{BasicConstraints, Certificate, CertificateParams, IsCa, SanType}; +use rcgen::{BasicConstraints, CertificateParams, IsCa, KeyPair, SanType}; use std::str::FromStr; use std::{ net::SocketAddr, @@ -29,20 +29,25 @@ use tokio::net::TcpStream; use tracing::Instrument; fn generate_cert_with_name(subject_alt_names: Vec) -> (Vec, Vec, String) { + let root_key = KeyPair::generate().unwrap(); let mut root_params = CertificateParams::default(); root_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained); - let root_cert = Certificate::from_params(root_params).expect("should generate root"); + let root_cert = root_params + .self_signed(&root_key) + .expect("should generate root"); + + let issuer_key = KeyPair::generate().unwrap(); let mut params = CertificateParams::default(); params.subject_alt_names = subject_alt_names; - - let cert = Certificate::from_params(params).expect("should generate cert"); + let cert = params + .signed_by(&issuer_key, &root_cert, &root_key) + .expect("should generate cert"); ( - cert.serialize_der_with_signer(&root_cert) - .expect("should serialize"), - cert.serialize_private_key_der(), - root_cert.serialize_pem().expect("should serialize"), + cert.der().to_vec(), + issuer_key.serialize_der(), + root_cert.pem(), ) } @@ -51,7 +56,7 @@ pub fn fails_processing_cert_when_wrong_id_configured(mode: meshtls::Mode) { let id = Id::Dns(server_name.clone()); let (cert, key, roots) = - generate_cert_with_name(vec![SanType::URI("spiffe://system/local".into())]); + generate_cert_with_name(vec![SanType::URI("spiffe://system/local".parse().unwrap())]); let (mut store, _) = mode .watch(id, server_name.clone(), &roots) .expect("should construct"); diff --git a/linkerd/meshtls/verifier/Cargo.toml b/linkerd/meshtls/verifier/Cargo.toml index f476eaf0c3..0a23d22f08 100644 --- a/linkerd/meshtls/verifier/Cargo.toml +++ b/linkerd/meshtls/verifier/Cargo.toml @@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" } [dev-dependencies] -rcgen = "0.12.0" +rcgen = "0.13.2" diff --git a/linkerd/meshtls/verifier/src/lib.rs b/linkerd/meshtls/verifier/src/lib.rs index e2d55392ab..c7fce564e4 100644 --- a/linkerd/meshtls/verifier/src/lib.rs +++ b/linkerd/meshtls/verifier/src/lib.rs @@ -61,22 +61,24 @@ mod tests { use crate::client_identity; use crate::verify_id; use linkerd_identity::Id; - use rcgen::{Certificate, CertificateParams, SanType}; + use rcgen::{CertificateParams, KeyPair, SanType}; fn generate_cert_with_names(subject_alt_names: Vec) -> Vec { + let key = KeyPair::generate().expect("should generate key"); let mut params = CertificateParams::default(); params.subject_alt_names = subject_alt_names; - Certificate::from_params(params) + params + .self_signed(&key) .expect("should generate cert") - .serialize_der() - .expect("should serialize") + .der() + .to_vec() } #[test] pub fn cert_with_dns_san_matches_dns_id() { let dns_name = "foo.ns1.serviceaccount.identity.linkerd.cluster.local"; - let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.into())]); + let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.parse().unwrap())]); let id = Id::parse_dns_name(dns_name).expect("should parse DNS id"); assert!(verify_id(&cert, &id).is_ok()); } @@ -84,7 +86,7 @@ mod tests { #[test] fn cert_with_spiffe_san_matches_spiffe_id() { let spiffe_uri = "spiffe://identity.linkerd.cluster.local/ns/ns1/sa/foo"; - let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.into())]); + let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.parse().unwrap())]); let id = Id::parse_uri(spiffe_uri).expect("should parse SPIFFE id"); assert!(verify_id(&cert, &id).is_ok()); } @@ -92,7 +94,9 @@ mod tests { #[test] pub fn cert_with_dns_san_does_not_match_dns_id() { let dns_name_cert = vec![SanType::DnsName( - "foo.ns1.serviceaccount.identity.linkerd.cluster.local".into(), + "foo.ns1.serviceaccount.identity.linkerd.cluster.local" + .parse() + .unwrap(), )]; let dns_name = "bar.ns1.serviceaccount.identity.linkerd.cluster.local"; @@ -104,7 +108,9 @@ mod tests { #[test] fn cert_with_dns_san_does_not_match_spiffe_id() { let dns_name_cert = vec![SanType::DnsName( - "bar.ns1.serviceaccount.identity.linkerd.cluster.local".into(), + "bar.ns1.serviceaccount.identity.linkerd.cluster.local" + .parse() + .unwrap(), )]; let spiffe_uri = "spiffe://some-trust-comain/some-system/some-component"; @@ -136,9 +142,9 @@ mod tests { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(foo_dns_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::URI(spiffe_id.into()), + SanType::DnsName(foo_dns_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::URI(spiffe_id.parse().unwrap()), ]); let id = Id::parse_dns_name(foo_dns_id).expect("should parse DNS id"); assert!(verify_id(&cert, &id).is_ok()); @@ -151,9 +157,9 @@ mod tests { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(foo_dns_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::URI(spiffe_id.into()), + SanType::DnsName(foo_dns_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::URI(spiffe_id.parse().unwrap()), ]); let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id"); assert!(verify_id(&cert, &id).is_ok()); @@ -167,9 +173,9 @@ mod tests { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(foo_dns_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::URI(spiffe_id.into()), + SanType::DnsName(foo_dns_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::URI(spiffe_id.parse().unwrap()), ]); let id = Id::parse_dns_name(nar_dns_id).expect("should parse DNS id"); assert!(verify_id(&cert, &id).is_err()); @@ -183,9 +189,9 @@ mod tests { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(foo_dns_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::DnsName(nar_dns_id.into()), + SanType::DnsName(foo_dns_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::DnsName(nar_dns_id.parse().unwrap()), ]); let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id"); assert!(verify_id(&cert, &id).is_err()); @@ -195,7 +201,7 @@ mod tests { fn can_extract_spiffe_client_identity_one_san() { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; - let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.into())]); + let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.parse().unwrap())]); let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id"); let client_id = client_identity(&cert); assert_eq!(client_id, Some(id)); @@ -208,9 +214,9 @@ mod tests { let nar_dns_id = "nar.ns1.serviceaccount.identity.linkerd.cluster.local"; let cert = generate_cert_with_names(vec![ - SanType::URI(spiffe_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::DnsName(nar_dns_id.into()), + SanType::URI(spiffe_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::DnsName(nar_dns_id.parse().unwrap()), ]); let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id"); let client_id = client_identity(&cert); @@ -221,7 +227,7 @@ mod tests { fn can_extract_dns_client_identity_one_san() { let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local"; - let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]); + let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]); let id = Id::parse_dns_name(dns_id).expect("should parse DNS id"); let client_id = client_identity(&cert); assert_eq!(client_id, Some(id)); @@ -235,10 +241,10 @@ mod tests { let spiffe_id = "spiffe://some-trust-comain/some-system/some-component"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(dns_id.into()), - SanType::DnsName(bar_dns_id.into()), - SanType::DnsName(nar_dns_id.into()), - SanType::URI(spiffe_id.into()), + SanType::DnsName(dns_id.parse().unwrap()), + SanType::DnsName(bar_dns_id.parse().unwrap()), + SanType::DnsName(nar_dns_id.parse().unwrap()), + SanType::URI(spiffe_id.parse().unwrap()), ]); let id = Id::parse_dns_name(dns_id).expect("should parse DNS id"); let client_id = client_identity(&cert); @@ -252,9 +258,9 @@ mod tests { let email_san_2 = "bar@bar.com"; let cert = generate_cert_with_names(vec![ - SanType::DnsName(dns_id.into()), - SanType::Rfc822Name(email_san_1.into()), - SanType::Rfc822Name(email_san_2.into()), + SanType::DnsName(dns_id.parse().unwrap()), + SanType::Rfc822Name(email_san_1.parse().unwrap()), + SanType::Rfc822Name(email_san_2.parse().unwrap()), ]); let id = Id::parse_dns_name(dns_id).expect("should parse DNS id"); let client_id = client_identity(&cert); @@ -268,9 +274,9 @@ mod tests { let email_san_2 = "bar@bar.com"; let cert = generate_cert_with_names(vec![ - SanType::URI(spiffe_id.into()), - SanType::Rfc822Name(email_san_1.into()), - SanType::Rfc822Name(email_san_2.into()), + SanType::URI(spiffe_id.parse().unwrap()), + SanType::Rfc822Name(email_san_1.parse().unwrap()), + SanType::Rfc822Name(email_san_2.parse().unwrap()), ]); let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id"); let client_id = client_identity(&cert); @@ -281,7 +287,7 @@ mod tests { fn skips_dns_san_with_trailing_dot() { let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local."; - let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]); + let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]); let client_id = client_identity(&cert); assert_eq!(client_id, None); } diff --git a/linkerd/proxy/spire-client/Cargo.toml b/linkerd/proxy/spire-client/Cargo.toml index 9fbfa20e9a..df8af4a93b 100644 --- a/linkerd/proxy/spire-client/Cargo.toml +++ b/linkerd/proxy/spire-client/Cargo.toml @@ -24,5 +24,5 @@ asn1 = { version = "0.6", package = "simple_asn1" } thiserror = "2" [dev-dependencies] -rcgen = "0.12.0" +rcgen = "0.13.2" tokio-test = "0.4" diff --git a/linkerd/proxy/spire-client/src/api.rs b/linkerd/proxy/spire-client/src/api.rs index f4745e7fa0..143c13705f 100644 --- a/linkerd/proxy/spire-client/src/api.rs +++ b/linkerd/proxy/spire-client/src/api.rs @@ -220,18 +220,19 @@ where #[cfg(test)] mod tests { use crate::api::Svid; - use rcgen::{Certificate, CertificateParams, SanType}; + use rcgen::{CertificateParams, KeyPair, SanType}; use spiffe_proto::client as api; fn gen_svid_pb(id: String, subject_alt_names: Vec) -> api::X509svid { let mut params = CertificateParams::default(); params.subject_alt_names = subject_alt_names; - let cert = Certificate::from_params(params).expect("should generate cert"); + let key = KeyPair::generate().expect("should generate key"); + let cert = params.self_signed(&key).expect("should generate cert"); api::X509svid { spiffe_id: id, - x509_svid: cert.serialize_der().expect("should serialize"), - x509_svid_key: cert.serialize_private_key_der(), + x509_svid: cert.der().to_vec(), + x509_svid_key: key.serialize_der(), bundle: Vec::default(), } } @@ -239,21 +240,21 @@ mod tests { #[test] fn can_parse_valid_proto() { let id = "spiffe://some-domain/some-workload"; - let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]); + let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]); assert!(Svid::try_from(svid_pb).is_ok()); } #[test] fn cannot_parse_non_spiffe_id() { let id = "some-domain.some-workload"; - let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.into())]); + let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.parse().unwrap())]); assert!(Svid::try_from(svid_pb).is_err()); } #[test] fn cannot_parse_empty_cert() { let id = "spiffe://some-domain/some-workload"; - let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]); + let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]); svid_pb.x509_svid = Vec::default(); assert!(Svid::try_from(svid_pb).is_err()); } @@ -261,7 +262,7 @@ mod tests { #[test] fn cannot_parse_empty_key() { let id = "spiffe://some-domain/some-workload"; - let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]); + let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]); svid_pb.x509_svid_key = Vec::default(); assert!(Svid::try_from(svid_pb).is_err()); } diff --git a/linkerd/proxy/spire-client/src/lib.rs b/linkerd/proxy/spire-client/src/lib.rs index 992e0e1a21..bcc0dab46b 100644 --- a/linkerd/proxy/spire-client/src/lib.rs +++ b/linkerd/proxy/spire-client/src/lib.rs @@ -62,10 +62,11 @@ mod tests { use crate::api::Svid; use linkerd_error::Result; use linkerd_identity::DerX509; - use rcgen::{Certificate, CertificateParams, SanType, SerialNumber}; + use rcgen::{CertificateParams, KeyPair, SanType, SerialNumber}; use std::time::SystemTime; fn gen_svid(id: Id, subject_alt_names: Vec, serial: SerialNumber) -> Svid { + let key = KeyPair::generate().expect("should generate key"); let mut params = CertificateParams::default(); params.subject_alt_names = subject_alt_names; params.serial_number = Some(serial); @@ -73,10 +74,11 @@ mod tests { Svid::new( id, DerX509( - Certificate::from_params(params) + params + .self_signed(&key) .expect("should generate cert") - .serialize_der() - .expect("should serialize"), + .der() + .to_vec(), ), Vec::default(), Vec::default(), @@ -151,7 +153,7 @@ mod tests { let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes()); let update_1 = SvidUpdate::new(vec![gen_svid( spiffe_id.clone(), - vec![SanType::URI(spiffe_san.into())], + vec![SanType::URI(spiffe_san.parse().unwrap())], serial_1.clone(), )]); @@ -164,7 +166,7 @@ mod tests { let serial_2 = SerialNumber::from_slice("some-serial-2".as_bytes()); let update_2 = SvidUpdate::new(vec![gen_svid( spiffe_id.clone(), - vec![SanType::URI(spiffe_san.into())], + vec![SanType::URI(spiffe_san.parse().unwrap())], serial_2.clone(), )]); @@ -186,7 +188,7 @@ mod tests { let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes()); let update_1 = SvidUpdate::new(vec![gen_svid( spiffe_id.clone(), - vec![SanType::URI(spiffe_san.into())], + vec![SanType::URI(spiffe_san.parse().unwrap())], serial_1.clone(), )]); @@ -228,7 +230,7 @@ mod tests { let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes()); let update_1 = SvidUpdate::new(vec![gen_svid( spiffe_id.clone(), - vec![SanType::URI(spiffe_san.into())], + vec![SanType::URI(spiffe_san.parse().unwrap())], serial_1.clone(), )]); @@ -242,7 +244,7 @@ mod tests { let mut update_sent = svid_tx.subscribe(); let update_2 = SvidUpdate::new(vec![gen_svid( spiffe_id_wrong, - vec![SanType::URI(spiffe_san_wrong.into())], + vec![SanType::URI(spiffe_san_wrong.parse().unwrap())], serial_2.clone(), )]);