From 8b74e72e38dc2a32d2a54693480671c9d3abc899 Mon Sep 17 00:00:00 2001 From: Jillian Crossley Date: Tue, 17 Sep 2024 11:38:18 +0000 Subject: [PATCH] finagle: Regenerate expired certificates used in tests Problem We had 2 expired certificates which were causing tests to fail. Solution Regenerate these (good for 5 years), add instructions for regenerating, and remove the KTF from the build file. JIRA Issues: CSL-12418 Differential Revision: https://phabricator.twitter.biz/D1170786
---
finagle-core/src/test/resources/ssl/README | 12 ++++++++- .../resources/ssl/certs/test-ec-with-sans.crt | 27 ++++++++++--------- .../ssl/certs/test-ecclient-with-sans.crt | 27 ++++++++++--------- .../resources/ssl/conf/test-ec-with-sans.cnf | 27 +++++++++++++++++++ .../ssl/conf/test-ecclient-with-sans.cnf | 27 +++++++++++++++++++ .../test/resources/ssl/keys/test-ec-key.pem | 5 ++++ finagle-core/src/test/scala/BUILD | 1 - 7 files changed, 100 insertions(+), 26 deletions(-) create mode 100644 finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf create mode 100644 finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf create mode 100644 finagle-core/src/test/resources/ssl/keys/test-ec-key.pem
diff --git a/finagle-core/src/test/resources/ssl/README b/finagle-core/src/test/resources/ssl/README
index c07a8c8de49..fe6f87a97ab 100644
--- a/finagle-core/src/test/resources/ssl/README
+++ b/finagle-core/src/test/resources/ssl/README
@@ -1 +1,11 @@
-The certificates and keys located in these directories have been generated by Twitter engineers for example purposes and are intended for testing only. They have nothing to do with Twitter production or development systems.
+The certificates and keys located in these directories have been generated by X engineers for example purposes and are intended for testing only. They have nothing to do with X production or development systems.
+
+To generate a new certificate, from this (ssl) directory, run:
+
+For test-ec-with-sans.crt:
+$ openssl req -new -key keys/test-ec-key.pem -out request.csr -config conf/test-ec-with-sans.cnf
+$ openssl x509 -req -days 1825 -in request.csr -signkey keys/test-ec-key.pem --out certs/test-ec-with-sans.crt -extensions v3_ca -extfile conf/test-ec-with-sans.cnf
+
+For test-ecclient-with-sans.crt:
+$ openssl req -new -key keys/test-ec-key.pem -out request.csr -config conf/test-ecclient-with-sans.cnf
+$ openssl x509 -req -days 1825 -in request.csr -signkey keys/test-ec-key.pem --out certs/test-ecclient-with-sans.crt -extensions v3_ca -extfile conf/test-ecclient-with-sans.cnf
diff --git a/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt b/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt
index 32fd7bbb554..298bfac7669 100644
--- a/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt
+++ b/finagle-core/src/test/resources/ssl/certs/test-ec-with-sans.crt
@@ -1,14 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICGzCCAcGgAwIBAgIJAO2zMrMg5/CSMAoGCCqGSM49BAMCMGQxCzAJBgNVBAYT -AlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UE -CgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMB4XDTIy -MDkxNTE4NDI0MVoXDTI0MDkxNDE4NDI0MVowZDELMAkGA1UEBhMCVVMxCzAJBgNV -BAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdUd2l0dGVy -MR4wHAYDVQQLDBVDb3JlIFN5c3RlbSBMaWJyYXJpZXMwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAASjqFWeGdar7f4B2zsczAGSnlnhFPREq6q30wPc1FIfhYYBPnfk -Obc7eBSPT7ti/i8/s36vKkvdaM6iD+tlmigjo1wwWjALBgNVHQ8EBAMCBDAwEwYD -VR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0RBC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6 -dGVzdC1lY3NlcnZlcjpkZXZlbDpsb2NhbDAKBggqhkjOPQQDAgNIADBFAiBZ7NCP -tcH92VbSjNTIABU47lDYRwd2or4AM6CBeui1EwIhANhoTJ20Gb7E2iypkYiFD8fy -3xTqsPCkl7xcFR4DDAl4 +MIICsjCCAligAwIBAgIUEU7qdnOXCW7p9S6SwOw/tUIBEtkwCgYIKoZIzj0EAwIw +gZgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j +aXNjbzEQMA4GA1UECgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGli +cmFyaWVzMTIwMAYDVQQDDClUd2l0dGVyIENvcmUgU3lzdGVtIExpYnJhcmllcyBD +ZXJ0aWZpY2F0ZTAeFw0yNDA5MTcxMDAyMzNaFw0yOTA5MTYxMDAyMzNaMIGYMQsw +CQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28x +EDAOBgNVBAoMB1R3aXR0ZXIxHjAcBgNVBAsMFUNvcmUgU3lzdGVtIExpYnJhcmll +czEyMDAGA1UEAwwpVHdpdHRlciBDb3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2VydGlm +aWNhdGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQFfMrz0mhgTUqVUwN+GXGP +7gxa2iA9rIAa0IDSYta9GJBgsfJZU4UwGfcUiJetkGl5YkueeHxahKMcOMP7L7zq +o34wfDAOBgNVHQ8BAf8EBAMCBDAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0R +BC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6dGVzdC1lY3NlcnZlcjpkZXZlbDpsb2Nh +bDAdBgNVHQ4EFgQUpW7jgu5CL8I/eJp8vbsXEOIF4H0wCgYIKoZIzj0EAwIDSAAw +RQIgeSeLfQW7acX695k1hAMA5MrVHeH7di70alhykmTIjWwCIQDDOjQhtypBW6Ox +uw3PORgOs5Pxd56ZSbnyBU8fs2rQWA== -----END CERTIFICATE----- diff --git a/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt b/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt index 7b82850b493..0a67ab42e9b 100644 
--- a/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt +++ b/finagle-core/src/test/resources/ssl/certs/test-ecclient-with-sans.crt @@ -1,14 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICGzCCAcGgAwIBAgIJAJFtdyp/q4rHMAoGCCqGSM49BAMCMGQxCzAJBgNVBAYT -AlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UE -CgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMB4XDTIy -MDkxNTE4MjU0MloXDTI0MDkxNDE4MjU0MlowZDELMAkGA1UEBhMCVVMxCzAJBgNV -BAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRAwDgYDVQQKDAdUd2l0dGVy -MR4wHAYDVQQLDBVDb3JlIFN5c3RlbSBMaWJyYXJpZXMwWTATBgcqhkjOPQIBBggq -hkjOPQMBBwNCAARGSaK+Nh0eKZLGSfZoeAZ0y0eogtFdHUdOWZWteCxKgI/8iyuT -23vXKN5WJcegJB4PGA3sj5jdZvYzzgwi+zHco1wwWjALBgNVHQ8EBAMCBDAwEwYD -VR0lBAwwCgYIKwYBBQUHAwIwNgYDVR0RBC8wLYYrdHd0cjpzdmM6Y3NsLXRlc3Q6 -dGVzdC1lY2NsaWVudDpkZXZlbDpsb2NhbDAKBggqhkjOPQQDAgNIADBFAiAY3J+U -+WOpyIA11KknEOkRmdMkMSEJuCCvsitPy57kMQIhAIfqbFFKAtgdbUPRhIfUMf0r -Lz9NmiJ25XPw+BDRuA9B +MIICozCCAkqgAwIBAgIUOcBaED2Eh6u77gea6z767RLn7sowCgYIKoZIzj0EAwIw +gYsxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5j +aXNjbzEQMA4GA1UECgwHVHdpdHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGli +cmFyaWVzMSUwIwYDVQQDDBxDb3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2xpZW50MB4X +DTI0MDkxNzEwMDcwNFoXDTI5MDkxNjEwMDcwNFowgYsxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEQMA4GA1UECgwHVHdp +dHRlcjEeMBwGA1UECwwVQ29yZSBTeXN0ZW0gTGlicmFyaWVzMSUwIwYDVQQDDBxD +b3JlIFN5c3RlbSBMaWJyYXJpZXMgQ2xpZW50MFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEBXzK89JoYE1KlVMDfhlxj+4MWtogPayAGtCA0mLWvRiQYLHyWVOFMBn3 +FIiXrZBpeWJLnnh8WoSjHDjD+y+86qOBiTCBhjAdBgNVHQ4EFgQUpW7jgu5CL8I/ +eJp8vbsXEOIF4H0wHwYDVR0jBBgwFoAUpW7jgu5CL8I/eJp8vbsXEOIF4H0wDAYD +VR0TAQH/BAIwADA2BgNVHREELzAthit0d3RyOnN2Yzpjc2wtdGVzdDp0ZXN0LWVj +Y2xpZW50OmRldmVsOmxvY2FsMAoGCCqGSM49BAMCA0cAMEQCICyTazdx7PwpLOtU ++tjQNl8z73JbUs6oIAO7knk04zicAiAomS6rW9Uf4nVXaWaRVjL5HbQVhwA4ZJp0 +owLQ/3d39Q== -----END CERTIFICATE----- 
diff --git a/finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf b/finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf
new file mode 100644
index 00000000000..558ea78ad19
--- /dev/null
+++ b/finagle-core/src/test/resources/ssl/conf/test-ec-with-sans.cnf
@@ -0,0 +1,27 @@
+[ req ]
+default_bits = 256
+default_md = sha256
+distinguished_name = req_distinguished_name
+req_extensions = req_ext
+prompt = no
+
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = San Francisco
+O = Twitter
+OU = Core System Libraries
+CN = Twitter Core System Libraries Certificate
+
+[ req_ext ]
+subjectAltName = @alt_names
+keyUsage = keyEncipherment, dataEncipherment
+extendedKeyUsage = clientAuth
+
+[ alt_names ]
+URI.1 = twtr:svc:csl-test:test-ecserver:devel:local
+
+[ v3_ca ]
+keyUsage = critical, keyEncipherment, dataEncipherment
+extendedKeyUsage = TLS Web Client Authentication
+subjectAltName = @alt_names
diff --git a/finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf b/finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf
new file mode 100644
index 00000000000..9b3db45e47e
--- /dev/null
+++ b/finagle-core/src/test/resources/ssl/conf/test-ecclient-with-sans.cnf
@@ -0,0 +1,27 @@
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+C = US
+ST = CA
+L = San Francisco
+O = Twitter
+OU = Core System Libraries
+CN = Core System Libraries Client
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = critical, KeyEncipherment, DataEncipherment
+extendedKeyUsage = TLS Web Client Authentication
+subjectAltName = @alt_names
+
+[ alt_names ]
+URI.1 = twtr:svc:csl-test:test-ecclient:devel:local
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:FALSE
+subjectAltName = @alt_names
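Review bot: In `conf/test-ec-with-sans.cnf`, the `[ v3_ca ]` section that the README's `-extensions v3_ca` step applies gives the server-identity certificate (SAN `twtr:svc:csl-test:test-ecserver:devel:local`) only a client-auth EKU and the RSA-style `keyEncipherment, dataEncipherment` key usage, although the key is an EC key that signs in the handshake. This appears to mirror the extensions of the expired certificate, so it may be deliberate for the tests, but a peer that enforces key usage or EKU would not accept it as a server certificate; if that is unintended, the conventional values would be `keyUsage = critical, digitalSignature` and `extendedKeyUsage = serverAuth, clientAuth`. I would also add a comment above `[ req_ext ]` such as `# CSR only: openssl x509 -req takes certificate extensions from -extfile ([ v3_ca ]), not from the request`, and rename `v3_ca`, since nothing in this file describes a CA.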
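Review bot: In `conf/test-ecclient-with-sans.cnf`, the `keyUsage` and `extendedKeyUsage` lines under `[ v3_req ]` never reach the certificate: `x509_extensions` in `[ req ]` is only read by `openssl req -x509`, while the README flow runs `openssl x509 -req ... -extensions v3_ca`, and `[ v3_ca ]` here carries neither setting. The regenerated client certificate therefore appears to have no key-usage or client-auth restriction, which the previous one did as far as its encoded extensions show. If the restriction is wanted, add `keyUsage = critical, digitalSignature` and `extendedKeyUsage = clientAuth` under `[ v3_ca ]` and delete the unused `[ v3_req ]` section. The capitalised `KeyEncipherment` and `DataEncipherment` spellings in `[ v3_req ]` are, I believe, not accepted by OpenSSL's case-sensitive bit-name lookup, which would only surface once that section is actually used.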
diff --git a/finagle-core/src/test/resources/ssl/keys/test-ec-key.pem b/finagle-core/src/test/resources/ssl/keys/test-ec-key.pem new file mode 100644 index 00000000000..bb733f18cfc --- /dev/null +++ b/finagle-core/src/test/resources/ssl/keys/test-ec-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIAYh4d/7S1NkOYmhLe0EIajAP+pnQ4icN0cqOkfkZjFXoAoGCCqGSM49 +AwEHoUQDQgAEBXzK89JoYE1KlVMDfhlxj+4MWtogPayAGtCA0mLWvRiQYLHyWVOF +MBn3FIiXrZBpeWJLnnh8WoSjHDjD+y+86g== +-----END EC PRIVATE KEY----- diff --git a/finagle-core/src/test/scala/BUILD b/finagle-core/src/test/scala/BUILD index 022a90d1669..70c89581b22 100644 --- a/finagle-core/src/test/scala/BUILD +++ b/finagle-core/src/test/scala/BUILD @@ -60,7 +60,6 @@ junit_tests( # env_local is tag for bazel only, added due to DPB-14188 tags = [ "bazel-compatible", - "known-to-fail-jira:CSL-12418", ], dependencies = [ ":pushsession-utils",
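Review bot: Both regenerated certificates are self-signed with this one key in `keys/test-ec-key.pem` (their public key and subject key identifier are identical), so the server and client test identities now differ only by SAN, where the expired pair had distinct public keys. A test meant to show a peer presenting the wrong identity can still pass proof-of-possession with either certificate, and any existing per-identity key files that fixtures pair with these certificates would no longer match; both are worth confirming against the test fixtures, which are outside this patch. Generating a separate key per identity would restore the earlier separation. Because this is an unencrypted private key in the repository, the README should name it explicitly, for example `keys/test-ec-key.pem is a throwaway key for unit tests; nothing outside this test tree may trust certificates issued from it.`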