use ed25519 instead of RSA in tests and examples (#5050)

Also adds a golangci-lint depguard rules that forbids importing crypto/rsa.
2025-04-20 11:55:08 +08:00
parent 03e9359e38
commit d35b5ac187
6 changed files with 127 additions and 31 deletions
--- a/integrationtests/tools/crypto.go
+++ b/integrationtests/tools/crypto.go
@@ -4,7 +4,6 @@ import (
 	"crypto"
 	"crypto/ed25519"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -69,7 +68,7 @@ func GenerateLeafCert(ca *x509.Certificate, caPriv crypto.PrivateKey) (*x509.Cer
 // GenerateTLSConfigWithLongCertChain generates a tls.Config that uses a long certificate chain.
 // The Root CA used is the same as for the config returned from getTLSConfig().
 func GenerateTLSConfigWithLongCertChain(ca *x509.Certificate, caPrivateKey crypto.PrivateKey) (*tls.Config, error) {
-	const chainLen = 7
+	const chainLen = 16
 	certTempl := &x509.Certificate{
 		SerialNumber:          big.NewInt(2019),
 		Subject:               pkix.Name{},
@@ -83,13 +82,13 @@ func GenerateTLSConfigWithLongCertChain(ca *x509.Certificate, caPrivateKey crypt

 	lastCA := ca
 	lastCAPrivKey := caPrivateKey
-	privKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
 		return nil, err
 	}
 	certs := make([]*x509.Certificate, chainLen)
-	for i := 0; i < chainLen; i++ {
-		caBytes, err := x509.CreateCertificate(rand.Reader, certTempl, lastCA, &privKey.PublicKey, lastCAPrivKey)
+	for i := range chainLen {
+		caBytes, err := x509.CreateCertificate(rand.Reader, certTempl, lastCA, priv.Public(), lastCAPrivKey)
 		if err != nil {
 			return nil, err
 		}
@@ -99,7 +98,7 @@ func GenerateTLSConfigWithLongCertChain(ca *x509.Certificate, caPrivateKey crypt
 		}
 		certs[i] = ca
 		lastCA = ca
-		lastCAPrivKey = privKey
+		lastCAPrivKey = priv
 	}
 	leafCert, leafPrivateKey, err := GenerateLeafCert(lastCA, lastCAPrivKey)
 	if err != nil {
--- a/integrationtests/tools/crypto_test.go
+++ b/integrationtests/tools/crypto_test.go
@@ -0,0 +1,99 @@
+package tools
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io"
+	"net"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+type countingConn struct {
+	net.Conn
+	BytesReceived int
+}
+
+func (c *countingConn) Read(b []byte) (int, error) {
+	n, err := c.Conn.Read(b)
+	c.BytesReceived += n
+	return n, err
+}
+
+func TestGenerateTLSConfig(t *testing.T) {
+	ca, caPriv, err := GenerateCA()
+	require.NoError(t, err)
+	certPool := x509.NewCertPool()
+	certPool.AddCert(ca)
+	clientConf := &tls.Config{
+		ServerName: "localhost",
+		RootCAs:    certPool,
+	}
+
+	t.Run("short chain", func(t *testing.T) {
+		leaf, leafPriv, err := GenerateLeafCert(ca, caPriv)
+		require.NoError(t, err)
+
+		serverConf := &tls.Config{
+			Certificates: []tls.Certificate{{
+				Certificate: [][]byte{leaf.Raw},
+				PrivateKey:  leafPriv,
+			}},
+		}
+
+		bytesReceived := testGenerateTLSConfig(t, serverConf, clientConf)
+		t.Logf("bytes received: %d", bytesReceived)
+		require.Less(t, bytesReceived, 2000)
+	})
+
+	t.Run("long chain", func(t *testing.T) {
+		serverConf, err := GenerateTLSConfigWithLongCertChain(ca, caPriv)
+		require.NoError(t, err)
+
+		bytesReceived := testGenerateTLSConfig(t, serverConf, clientConf)
+		t.Logf("bytes received: %d", bytesReceived)
+		require.Greater(t, bytesReceived, 5000)
+	})
+}
+
+func testGenerateTLSConfig(t *testing.T, serverConf, clientConf *tls.Config) int {
+	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConf)
+	require.NoError(t, err)
+	defer ln.Close()
+
+	type result struct {
+		err error
+		msg string
+	}
+
+	resultChan := make(chan result, 1)
+	go func() {
+		conn, err := ln.Accept()
+		if err != nil {
+			resultChan <- result{err: err}
+			return
+		}
+		defer conn.Close()
+		msg, err := io.ReadAll(conn)
+		resultChan <- result{err: err, msg: string(msg)}
+	}()
+
+	tcpConn, err := net.Dial("tcp", ln.Addr().String())
+	require.NoError(t, err)
+	defer tcpConn.Close()
+	countingConn := &countingConn{Conn: tcpConn}
+
+	tlsConn := tls.Client(countingConn, clientConf)
+	require.NoError(t, tlsConn.Handshake())
+
+	_, err = tlsConn.Write([]byte("foobar"))
+	require.NoError(t, err)
+	require.NoError(t, tlsConn.Close())
+
+	res := <-resultChan
+	require.NoError(t, res.err)
+	require.Equal(t, "foobar", res.msg)
+
+	return countingConn.BytesReceived
+}