diff --git a/pkg/getter/httpgetter_test.go b/pkg/getter/httpgetter_test.go
index 9a0cf6864..469e42048 100644
--- a/pkg/getter/httpgetter_test.go
+++ b/pkg/getter/httpgetter_test.go
@@ -337,7 +337,7 @@ func TestDownloadTLSWithRedirect(t *testing.T) {
 	insecureSkipTLSverify := false
 
 	// Server 2 that will actually fulfil the request.
-	ca, pub, priv := filepath.Join(cd, "rootca.crt"), filepath.Join(cd, "localhost-cert.pem"), filepath.Join(cd, "key.pem")
+	ca, pub, priv := filepath.Join(cd, "rootca.crt"), filepath.Join(cd, "localhost-crt.pem"), filepath.Join(cd, "key.pem")
 	tlsConf, err := tlsutil.NewClientTLS(pub, priv, ca, insecureSkipTLSverify)
 	if err != nil {
 		t.Fatal(errors.Wrap(err, "can't create TLS config for client"))
diff --git a/testdata/generate.sh b/testdata/generate.sh
index 9751ef304..8f98a6083 100755
--- a/testdata/generate.sh
+++ b/testdata/generate.sh
@@ -1,4 +1,9 @@
 #!/bin/sh
-openssl req -new -config openssl.conf -key key.pem -out key.csr
-openssl ca -config openssl.conf -create_serial -batch -in key.csr -out crt.pem -key rootca.key -cert rootca.crt
+# generate
+openssl req -new -config openssl.conf -key key.pem -out key.csr -addext "subjectAltName = DNS:helm.sh, IP Address:127.0.0.1"
+openssl ca -config openssl.conf -rand_serial -batch -in key.csr -out crt.pem -keyfile rootca.key -cert rootca.crt
+
+# generate localhost certificate (mainly used for http redirect tests)
+openssl req -new -config openssl.conf -key key.pem -out localhost-key.csr -addext "subjectAltName = DNS:localhost"
+openssl ca -config openssl.conf -rand_serial -batch -in localhost-key.csr -out localhost-crt.pem -keyfile rootca.key -cert rootca.crt
 
diff --git a/testdata/localhost-cert.pem b/testdata/localhost-cert.pem
deleted file mode 100644
index 919037cd5..000000000
--- a/testdata/localhost-cert.pem
+++ /dev/null
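Review bot: generate.sh still runs without `set -e`, so if either `openssl req` line fails (for example on an OpenSSL older than 1.1.1, which does not know `-addext`) the following `openssl ca` still runs and quietly signs whatever stale CSR is left on disk from an earlier run; adding `set -eu` directly after the shebang makes each step fail-stop. The name `localhost-key.csr` suggests a separate key, but both CSRs are built from the same `key.pem`, which is also why the test hunk in httpgetter_test.go can pair `localhost-crt.pem` with `key.pem`; a comment such as `# both certificates intentionally share key.pem so the tests need only one client key` would make that explicit. The bare `# generate` comment should say what is produced, e.g. `# generate the helm.sh certificate (crt.pem) with SANs helm.sh and 127.0.0.1`.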
@@ -1,73 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 21:73:9a:e7:be:ce:22:31:b5:21:c9:0c:ee:b6:08:1f:37:df:25:bb - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=CO, L=Boulder, O=Helm, CN=helm.sh - Validity - Not Before: Mar 25 00:42:21 2021 GMT - Not After : Mar 23 00:42:21 2031 GMT - Subject: C=CA, ST=ON, L=Kitchener, O=Helm, CN=localhost - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - RSA Public-Key: (2048 bit) - Modulus: - 00:c8:89:55:0d:0b:f1:da:e6:c0:70:7d:d3:27:cd: - b8:a8:81:8b:7c:a4:89:e5:d1:b1:78:01:1d:df:44: - 88:0b:fc:d6:81:35:3d:d1:3b:5e:8f:bb:93:b3:7e: - 28:db:ed:ff:a0:13:3a:70:a3:fe:94:6b:0b:fe:fb: - 63:00:b0:cb:dc:81:cd:80:dc:d0:2f:bf:b2:4f:9a: - 81:d4:22:dc:97:c8:8f:27:86:59:91:fa:92:05:75: - c4:cc:6b:f5:a9:6b:74:1e:f5:db:a9:f8:bf:8c:a2: - 25:fd:a0:cc:79:f4:25:57:74:a9:23:9b:e2:b7:22: - 7a:14:7a:3d:ea:f1:7e:32:6b:57:6c:2e:c6:4f:75: - 54:f9:6b:54:d2:ca:eb:54:1c:af:39:15:9b:d0:7c: - 0f:f8:55:51:04:ea:da:fa:7b:8b:63:0f:ac:39:b1: - f6:4b:8e:4e:f6:ea:e9:7b:e6:ba:5e:5a:8e:91:ef: - dc:b1:7d:52:3f:73:83:52:46:83:48:49:ff:f2:2d: - ca:54:f2:36:bb:49:cc:59:99:c0:9e:cf:8e:78:55: - 6c:ed:7d:7e:83:b8:59:2c:7d:f8:1a:81:f0:7d:f5: - 27:f2:db:ae:d4:31:54:38:fe:47:b2:ee:16:20:0f: - f1:db:2d:28:bf:6f:38:eb:11:bb:9a:d4:b2:5a:3a: - 4a:7f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:localhost - Signature Algorithm: sha256WithRSAEncryption - bd:f8:df:36:d9:9e:14:3b:4f:68:b6:d4:40:e0:89:51:e1:a1: - f1:4d:ec:9f:f2:78:e8:f1:4c:45:aa:4b:4a:7c:39:db:b1:9f: - 76:56:5b:d1:7e:46:67:9a:7a:52:f3:f8:3d:26:92:d8:c9:06: - 6e:00:a9:ce:4d:98:24:0a:5a:4b:cc:49:91:9a:ef:ce:77:67: - df:50:d3:66:d1:34:32:aa:17:c8:71:d5:b4:97:b0:a3:a0:9c: - 3b:c4:c2:d6:b6:91:77:4d:68:89:d3:84:c9:6d:42:db:55:96: - 2c:25:40:60:1d:38:41:76:0b:3f:b7:e1:7e:05:82:db:7a:56: - e0:25:ad:34:62:1f:fa:49:18:3e:62:6a:ef:5b:8f:0d:3f:06: - 8a:9b:f7:a7:5f:b3:8e:26:62:5f:92:ab:43:e7:dd:79:90:c8: - 
01:09:c3:42:cd:d8:e0:16:17:4f:71:20:18:07:51:b8:60:c1: - 61:3f:76:f1:3e:1e:ad:d5:52:33:27:c3:ef:0f:78:ab:c1:95: - 0e:34:b4:5f:92:54:33:fd:e0:7d:34:27:80:e5:94:a9:2d:db: - 7e:d9:c8:e2:ec:8e:cf:ec:dd:41:6e:d4:c9:2c:2d:a4:eb:63: - a7:4e:62:a7:44:a8:19:e6:7c:47:4f:d2:aa:7f:21:fd:90:a6: - 4c:b4:b3:7a ------BEGIN CERTIFICATE----- -MIIDRDCCAiygAwIBAgIUIXOa577OIjG1IckM7rYIHzffJbswDQYJKoZIhvcNAQEL -BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMRAwDgYDVQQHDAdCb3VsZGVy -MQ0wCwYDVQQKDARIZWxtMRAwDgYDVQQDDAdoZWxtLnNoMB4XDTIxMDMyNTAwNDIy -MVoXDTMxMDMyMzAwNDIyMVowUTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRIw -EAYDVQQHDAlLaXRjaGVuZXIxDTALBgNVBAoMBEhlbG0xEjAQBgNVBAMMCWxvY2Fs -aG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMiJVQ0L8drmwHB9 -0yfNuKiBi3ykieXRsXgBHd9EiAv81oE1PdE7Xo+7k7N+KNvt/6ATOnCj/pRrC/77 -YwCwy9yBzYDc0C+/sk+agdQi3JfIjyeGWZH6kgV1xMxr9alrdB7126n4v4yiJf2g -zHn0JVd0qSOb4rciehR6PerxfjJrV2wuxk91VPlrVNLK61QcrzkVm9B8D/hVUQTq -2vp7i2MPrDmx9kuOTvbq6Xvmul5ajpHv3LF9Uj9zg1JGg0hJ//ItylTyNrtJzFmZ -wJ7PjnhVbO19foO4WSx9+BqB8H31J/LbrtQxVDj+R7LuFiAP8dstKL9vOOsRu5rU -slo6Sn8CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEB -CwUAA4IBAQC9+N822Z4UO09ottRA4IlR4aHxTeyf8njo8UxFqktKfDnbsZ92VlvR -fkZnmnpS8/g9JpLYyQZuAKnOTZgkClpLzEmRmu/Od2ffUNNm0TQyqhfIcdW0l7Cj -oJw7xMLWtpF3TWiJ04TJbULbVZYsJUBgHThBdgs/t+F+BYLbelbgJa00Yh/6SRg+ -YmrvW48NPwaKm/enX7OOJmJfkqtD5915kMgBCcNCzdjgFhdPcSAYB1G4YMFhP3bx -Ph6t1VIzJ8PvD3irwZUONLRfklQz/eB9NCeA5ZSpLdt+2cji7I7P7N1BbtTJLC2k -62OnTmKnRKgZ5nxHT9KqfyH9kKZMtLN6 ------END CERTIFICATE----- diff --git a/testdata/localhost-crt.pem b/testdata/localhost-crt.pem new file mode 100644 index 000000000..566792ccf --- /dev/null +++ b/testdata/localhost-crt.pem 
@@ -0,0 +1,79 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 67:fc:01:9f:43:a7:bb:cc:41:8e:bf:41:95:a9:e9:fb:3e:a0:89:f3 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CO, L=Boulder, O=Helm, CN=helm.sh + Validity + Not Before: Nov 6 10:45:30 2023 GMT + Not After : Nov 3 10:45:30 2033 GMT + Subject: C=US, ST=CO, L=Boulder, O=Helm, CN=helm.sh + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c8:89:55:0d:0b:f1:da:e6:c0:70:7d:d3:27:cd: + b8:a8:81:8b:7c:a4:89:e5:d1:b1:78:01:1d:df:44: + 88:0b:fc:d6:81:35:3d:d1:3b:5e:8f:bb:93:b3:7e: + 28:db:ed:ff:a0:13:3a:70:a3:fe:94:6b:0b:fe:fb: + 63:00:b0:cb:dc:81:cd:80:dc:d0:2f:bf:b2:4f:9a: + 81:d4:22:dc:97:c8:8f:27:86:59:91:fa:92:05:75: + c4:cc:6b:f5:a9:6b:74:1e:f5:db:a9:f8:bf:8c:a2: + 25:fd:a0:cc:79:f4:25:57:74:a9:23:9b:e2:b7:22: + 7a:14:7a:3d:ea:f1:7e:32:6b:57:6c:2e:c6:4f:75: + 54:f9:6b:54:d2:ca:eb:54:1c:af:39:15:9b:d0:7c: + 0f:f8:55:51:04:ea:da:fa:7b:8b:63:0f:ac:39:b1: + f6:4b:8e:4e:f6:ea:e9:7b:e6:ba:5e:5a:8e:91:ef: + dc:b1:7d:52:3f:73:83:52:46:83:48:49:ff:f2:2d: + ca:54:f2:36:bb:49:cc:59:99:c0:9e:cf:8e:78:55: + 6c:ed:7d:7e:83:b8:59:2c:7d:f8:1a:81:f0:7d:f5: + 27:f2:db:ae:d4:31:54:38:fe:47:b2:ee:16:20:0f: + f1:db:2d:28:bf:6f:38:eb:11:bb:9a:d4:b2:5a:3a: + 4a:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:localhost + X509v3 Subject Key Identifier: + 62:48:0B:D0:F1:4E:A4:45:69:08:1A:DB:78:E7:6C:19:C4:52:88:B6 + X509v3 Authority Key Identifier: + 89:C0:05:C4:32:17:69:9B:91:76:97:37:0F:6E:B9:CC:E7:1E:04:34 + Signature Algorithm: sha256WithRSAEncryption + Signature Value: + 41:fe:c0:41:97:34:55:61:bf:64:92:10:9b:77:66:df:5a:b7: + bd:ff:8e:83:15:07:9b:7a:90:31:86:2c:ae:64:68:a4:c0:7b: + 65:39:9b:4a:60:aa:85:f3:55:e4:7d:04:0c:9f:71:91:ee:fb: + 9c:c2:36:74:68:ce:76:b0:bb:22:c0:c3:57:76:4a:69:fb:90: + b3:a9:be:97:73:4d:07:20:34:e3:36:94:ba:c3:be:a0:f5:e3: + 
48:00:57:3c:11:0d:80:cc:8d:a7:fc:a6:5b:44:80:30:f5:46: + b1:ea:ff:2f:1e:cf:88:57:3f:8a:fa:16:f2:2d:b6:9d:d1:23: + ba:df:2a:05:e5:09:d3:a9:de:47:31:0b:32:95:99:fa:6d:32: + d9:26:60:87:01:87:f5:24:85:9a:04:f2:55:15:96:d2:59:8e: + 76:be:c7:18:6d:53:52:bf:e6:23:35:9e:43:2f:59:21:ca:4d: + 67:e6:b8:f4:82:2e:e9:85:7d:fd:47:31:94:5e:ff:2c:5a:1a: + 09:da:3d:00:df:63:37:ec:ad:2e:c5:a7:bc:0c:28:d3:ca:19: + e6:b6:e2:99:a3:c8:da:53:4a:1b:da:19:a6:74:b9:26:65:f6: + d6:16:cf:a4:7b:cd:60:80:af:24:3a:7d:d1:0b:7b:de:bc:33: + 67:69:5c:d2 +-----BEGIN CERTIFICATE----- +MIIDgDCCAmigAwIBAgIUZ/wBn0Onu8xBjr9Blanp+z6gifMwDQYJKoZIhvcNAQEL +BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMRAwDgYDVQQHDAdCb3VsZGVy +MQ0wCwYDVQQKDARIZWxtMRAwDgYDVQQDDAdoZWxtLnNoMB4XDTIzMTEwNjEwNDUz +MFoXDTMzMTEwMzEwNDUzMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMRAw +DgYDVQQHDAdCb3VsZGVyMQ0wCwYDVQQKDARIZWxtMRAwDgYDVQQDDAdoZWxtLnNo +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyIlVDQvx2ubAcH3TJ824 +qIGLfKSJ5dGxeAEd30SIC/zWgTU90Ttej7uTs34o2+3/oBM6cKP+lGsL/vtjALDL +3IHNgNzQL7+yT5qB1CLcl8iPJ4ZZkfqSBXXEzGv1qWt0HvXbqfi/jKIl/aDMefQl +V3SpI5vityJ6FHo96vF+MmtXbC7GT3VU+WtU0srrVByvORWb0HwP+FVRBOra+nuL +Yw+sObH2S45O9urpe+a6XlqOke/csX1SP3ODUkaDSEn/8i3KVPI2u0nMWZnAns+O +eFVs7X1+g7hZLH34GoHwffUn8tuu1DFUOP5Hsu4WIA/x2y0ov2846xG7mtSyWjpK +fwIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0OBBYEFGJIC9Dx +TqRFaQga23jnbBnEUoi2MB8GA1UdIwQYMBaAFInABcQyF2mbkXaXNw9uucznHgQ0 +MA0GCSqGSIb3DQEBCwUAA4IBAQBB/sBBlzRVYb9kkhCbd2bfWre9/46DFQebepAx +hiyuZGikwHtlOZtKYKqF81XkfQQMn3GR7vucwjZ0aM52sLsiwMNXdkpp+5Czqb6X +c00HIDTjNpS6w76g9eNIAFc8EQ2AzI2n/KZbRIAw9Uax6v8vHs+IVz+K+hbyLbad +0SO63yoF5QnTqd5HMQsylZn6bTLZJmCHAYf1JIWaBPJVFZbSWY52vscYbVNSv+Yj +NZ5DL1khyk1n5rj0gi7phX39RzGUXv8sWhoJ2j0A32M37K0uxae8DCjTyhnmtuKZ +o8jaU0ob2hmmdLkmZfbWFs+ke81ggK8kOn3RC3vevDNnaVzS +-----END CERTIFICATE----- diff --git a/testdata/openssl.conf b/testdata/openssl.conf index be5ff04b7..2382bda75 100644 --- a/testdata/openssl.conf +++ b/testdata/openssl.conf 
@@ -11,7 +11,9 @@ certificate = ./rootca.crt
 default_days = 3650
 default_md = sha256
 policy = policy_anything
-copy_extensions = copyall
+copy_extensions = copy
+# don't make subjects unique, as we generate two certificates using the same subject line
+unique_subject = no
 
 [policy_anything]
 countryName = optional
@@ -28,19 +30,19 @@ distinguished_name = req_distinguished_name
 req_extensions = v3_req
 
 [ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-stateOrProvinceName = State or Province Name (full name)
-localityName = Locality Name (eg, city)
-organizationName = Organization Name (eg, company)
-commonName = Common Name (e.g. server FQDN or YOUR name)
+countryName = Country Name (2 letter code)
+countryName_default = US
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = CO
+localityName = Locality Name (eg, city)
+localityName_default = Boulder
+organizationName = Organization Name (eg, company)
+organizationName_default = Helm
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_default = helm.sh
 
 [ v3_req ]
-subjectAltName = @alternate_names
-[alternate_names]
-DNS.1 = helm.sh
-IP.1 = 127.0.0.1
-
-#
 # Used to generate localhost-crt.pem
 # [alternate_names]
-# DNS.1 = localhost
+# This is now set in generate.sh as we want to generate two certs from this config
+# using different alternate_names
\ No newline at end of file
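Review bot: The tail of `[ v3_req ]` in the second hunk is left inconsistent: `subjectAltName` was removed so the section now holds nothing but comments while `req_extensions = v3_req` still points at it, and the surviving lines `# Used to generate localhost-crt.pem` and `# [alternate_names]` are remnants of the deleted block that no longer describe anything. Either drop those two lines and keep only the new note, or reword the block as `# subjectAltName is passed with -addext in generate.sh, so each cert gets its own SAN from this one config`. The new last line also lacks a trailing newline. In the first hunk, `copy_extensions = copy` is what carries the SAN from the CSR into the issued certificate (CSR extensions that the CA's own extension section does not already define); a comment such as `# copy SAN from the CSR; acceptable only because every CSR here is produced by generate.sh` would record why this test CA honours CSR-supplied extensions.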