grpc-go/testdata/spiffe_end2end

All of the following files in this directory except server_spiffebundle.json and client_spiffebundle.json are generated with the generate.sh and generate_intermediate.sh script in this directory.

These comprise a root trust certificate authority (CA) that signs two certificates - client_spiffe.pem and server_spiffe.pem. These are valid SPIFFE certificates (via the configuration in spiffe-openssl.cnf), and the *_spiffebundle.json files are SPIFFE Bundle Maps for the client and server respectively.

The SPIFFE trust bundle map files (*_spiffebundle.json) are manually created for end to end testing. The server_spiffebundle.json contains the foo.bar.com trust domain (only this entry is used in e2e tests) matching URI SAN of client_spiffe.pem, and the CA certificate is ca.pem. The client spiffebundle.json file contains example.com trust domain matching the URI SAN of server_spiffe.pem, and the CA certificate there is also ca.pem.

leaf_and_intermediate_chain.pem is a certificate chain whose leaf is a valid SPIFFE cert that is signed by an intermediate CA (intermediate_ca.pem). The intermediate CA is signed by the root CA (ca.pem). Thus, this setup yields a valid chain to the root of trust ca.pem.

If updating these files, the x5c field in the json is the raw PEM CA certificate and can be copy pasted from the certificate file ca.pem. n and e are values from the public key attached to this certificate. e should probably be AQAB as it is the exponent. n can be fetched from the certificate by getting the RSA key from the cert and extracting the value. This can be done in golang with the following codeblock:

func(GetBase64ModulusFromPublicKey(key *rsa.PublicKey) string {
    return base64.RawURLEncoding.EncodeToString(key.N.Bytes())
}

block, _ := pem.Decode(rawPemCert) cert, _ := x509.ParseCertificate(block.Bytes)
publicKey := cert.PublicKey.(*rsa.PublicKey)
fmt.Println(GetBase64ModulusFromPublicKey(publicKey))