test: Make authentication tests work again on macOS
At some point, the macOS security framework changed enough such that it
apparently cannot be convinced to accept a TLS cert without a password.
That meant that some tests involving TLS were failing on macs because
our test cert had no password on it.  This update creates a new cert
with password "password", and updates the tests that use it.

Furthermore, OpenSSL 3 dropped compatibility with certain encryption
ciphers by default, meaning that pkcs12 certs created with it couldn't
be verified by the macOS security framework.  The web-recommended
solution is to run `openssl pkcs12` with the `-legacy` option.
Unfortunately, while solving the problem for macOS, this produced a cert
that was too out-of-date for OpenSSL3 on linux.  More specific cipher
selection per the Magic Incantations(tm) below generates a cert that
will pass tests on both macOS *and* Linux...  but may not be safe for
any other purpose.  Apply only to affected area.  In case of hemorrhage,
seek emergency medical help immediately.

For reference, the commands below were used to create this cert on macOS
using OpenSSL 3.3.1 installed with `homebrew`:
```
# Make a new private key
openssl genrsa -out private.key 2048
# Generate a signing request.
openssl req -new -key private.key -out cert.csr
# Generate an x509 cert from the signing request (good for 10 years)
openssl x509 -req -days 3650 -in cert.csr -signkey private.key \
   -out certificate.crt
# Export the pkcs12 file with password "password"
openssl pkcs12 -export -out certificate.p12 -inkey private.key \
   -in certificate.crt -passout pass:password \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
```

Change-Id: Ib6d25034f29690a94b41e4ebc1ad88add27bf777
Reviewed-on: https://gerrit.readyset.name/c/readyset/+/7640
Tested-by: Buildkite CI
Reviewed-by: Sidney Cammeresi <[email protected]>
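The commit message describes a recipe but not how to confirm what it produced. The script below is an added example, not part of this commit or the readyset code base: it rebuilds both exports the message contrasts (OpenSSL 3 defaults versus the SHA1/3DES flags) and asks OpenSSL 3's own parser, default provider only and no `-legacy`, which MAC and PBE algorithms each `.p12` actually carries. It assumes an OpenSSL 3 `openssl` binary on `PATH` with a usable default config (so `openssl req` runs); the `-subj`, the temporary working directory, and the `legacy.p12`/`default.p12` file names are additions, while the "password" passphrase and the other commands follow the commit message.

```shell
#!/bin/sh
# Added example, not part of this commit or the project: rebuild the two
# PKCS#12 exports the commit message contrasts (OpenSSL 3 defaults versus the
# SHA1/3DES "Magic Incantations") and ask OpenSSL 3's own parser, with the
# default provider only (no -legacy), which MAC and PBE algorithms each file
# carries. The "password" passphrase follows the commit message; -subj, the
# working directory and the legacy/default file names are additions so the
# whole thing runs unattended.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="password"

# Key, CSR and self-signed cert as in the commit message (10-year validity).
make_key_and_cert() {
  openssl genrsa -out "$WORKDIR/private.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/private.key" -subj "/CN=localhost" \
    -out "$WORKDIR/cert.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORKDIR/cert.csr" \
    -signkey "$WORKDIR/private.key" -out "$WORKDIR/certificate.crt" 2>/dev/null
}

# The commit's recipe: SHA1/3DES PBE for key and cert bags, SHA-1 MAC.
export_legacy_p12() {
  openssl pkcs12 -export -out "$1" -inkey "$WORKDIR/private.key" \
    -in "$WORKDIR/certificate.crt" -passout "pass:$PASS" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# OpenSSL 3 defaults (PBES2/PBKDF2 with AES-256-CBC, SHA-256 MAC): the form
# the commit says the macOS security framework would not accept.
export_default_p12() {
  openssl pkcs12 -export -out "$1" -inkey "$WORKDIR/private.key" \
    -in "$WORKDIR/certificate.crt" -passout "pass:$PASS"
}

# Print "<mac alg>|<key bag pbe>" for a .p12, taken from `openssl pkcs12 -info`.
# The MAC is verified and the outer encrypted-data layer is decrypted with the
# default provider, so a store that needs -legacy fails here (non-zero exit).
# -nokeys only suppresses private-key output; bag algorithms are still listed.
p12_summary() {
  info=$(openssl pkcs12 -info -in "$1" -passin "pass:$PASS" -nokeys -noout 2>&1) \
    || return 1
  mac=$(printf '%s\n' "$info" | sed -n 's/^MAC: \([^,]*\),.*/\1/p' | head -n 1)
  pbe=$(printf '%s\n' "$info" | sed -n 's/^Shrouded Keybag: \([^,]*\),.*/\1/p' | head -n 1)
  printf '%s|%s\n' "$mac" "$pbe"
}

# OpenSSL 3 is the point of the exercise; older builds print different -info text.
have_openssl3() {
  openssl version 2>/dev/null | grep -q '^OpenSSL 3'
}

if have_openssl3; then
  make_key_and_cert
  export_legacy_p12 "$WORKDIR/legacy.p12"
  export_default_p12 "$WORKDIR/default.p12"
  echo "legacy : $(p12_summary "$WORKDIR/legacy.p12")"    # sha1|pbeWithSHA1And3-KeyTripleDES-CBC
  echo "default: $(p12_summary "$WORKDIR/default.p12")"   # sha256|PBES2
else
  echo "skipping: this check needs OpenSSL 3" >&2
fi
```

Run it on the Linux side of the build matrix as well as on a Mac: if `p12_summary` on the legacy store exits non-zero, the default provider cannot open it and `native_tls::Identity::from_pkcs12` will fail the same way; if it prints anything other than `sha1|pbeWithSHA1And3-KeyTripleDES-CBC`, the `-keypbe`/`-certpbe`/`-macalg` flags were not applied when `keyStore.p12` was regenerated.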
ronh-rs committed Jun 28, 2024
1 parent f0da387 commit b9a0ff8
Showing 3 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion psql-srv/tests/authentication.rs
@@ -88,7 +88,7 @@ impl PsqlBackend for ScramSha256Backend {

async fn run_server(backend: ScramSha256Backend) -> u16 {
let identity_file = include_bytes!("tls_certs/keyStore.p12");
let identity = native_tls::Identity::from_pkcs12(identity_file, "").unwrap();
let identity = native_tls::Identity::from_pkcs12(identity_file, "password").unwrap();
let tls_acceptor = Some(Arc::new(TlsAcceptor::from(
native_tls::TlsAcceptor::new(identity).unwrap(),
)));
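Review bot: the PKCS#12 passphrase is now a bare "password" literal in this test and again in psql-srv/tests/tls.rs, both loading the same tls_certs/keyStore.p12; pull it into one shared constant next to the include_bytes! (for example `const TEST_P12_PASSWORD: &str = "password";`) so the next regeneration of the store changes one place, and add a one-line comment pointing at the commit message's cipher caveat so nobody reuses this SHA1/3DES store or its export recipe outside the tests.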
2 changes: 1 addition & 1 deletion psql-srv/tests/tls.rs
@@ -88,7 +88,7 @@ async fn connect() {
// Load the identity file as bytes (using relative path)
let identity_file = include_bytes!("tls_certs/keyStore.p12");
// Test identify file does not require password
let identity = native_tls::Identity::from_pkcs12(identity_file, "").unwrap();
let identity = native_tls::Identity::from_pkcs12(identity_file, "password").unwrap();
let tls_acceptor = Some(Arc::new(TlsAcceptor::from(
native_tls::TlsAcceptor::new(identity).unwrap(),
)));
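Review bot: the unchanged context comment `// Test identify file does not require password` at the top of this hunk is now wrong as well as misspelled, because the line directly below it passes "password" to Identity::from_pkcs12; update it (for example `// Test identity file is protected with the password "password"`) so the comment and the call agree, otherwise the next person to regenerate keyStore.p12 will trust the comment and drop the passphrase again.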
Binary file modified psql-srv/tests/tls_certs/keyStore.p12
