linkerd
/
linkerd2-proxy
mirror of https://github.com/linkerd/linkerd2-proxy.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

build(deps): bump rcgen from 0.12.1 to 0.13.2 (#3485) 

* build(deps): bump rcgen from 0.12.1 to 0.13.2

Bumps [rcgen](https://github.com/rustls/rcgen) from 0.12.1 to 0.13.2.
- [Release notes](https://github.com/rustls/rcgen/releases)
- [Commits](https://github.com/rustls/rcgen/compare/v0.12.1...v0.13.2)

---
updated-dependencies:
- dependency-name: rcgen
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* use new api

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Zahari Dichev <zaharidichev@gmail.com>
This commit is contained in:
dependabot[bot] 2025-01-07 14:54:47 +02:00 committed by GitHub
parent b07b0d88e3
commit c869d2c16a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 82 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Cargo.lock
View File

@ -3298,12 +3298,13 @@ checksum = "f60fcc7d6849342eff22c4350c8b9a989ee8ceabc4b481253e8946b9fe83d684"
[[package]]
name = "rcgen"
version = "0.12.1"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48406db8ac1f3cbc7dcdb56ec355343817958a356ff430259bb07baf7607e1e1"
checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2"
dependencies = [
"pem",
"ring",
"rustls-pki-types",
"time",
"yasna",
]

2
linkerd/meshtls/Cargo.toml
View File

@ -29,7 +29,7 @@ linkerd-tls = { path = "../tls" }
[dev-dependencies]
tokio = { version = "1", features = ["macros", "net", "rt-multi-thread"] }
tracing = "0.1"
rcgen = "0.12.0"
rcgen = "0.13.2"
linkerd-conditional = { path = "../conditional" }
linkerd-proxy-transport = { path = "../proxy/transport" }

23
linkerd/meshtls/tests/util.rs
View File

@ -18,7 +18,7 @@ use linkerd_stack::{
};
use linkerd_tls as tls;
use linkerd_tls_test_util as test_util;
use rcgen::{BasicConstraints, Certificate, CertificateParams, IsCa, SanType};
use rcgen::{BasicConstraints, CertificateParams, IsCa, KeyPair, SanType};
use std::str::FromStr;
use std::{
net::SocketAddr,
@ -29,20 +29,25 @@ use tokio::net::TcpStream;
use tracing::Instrument;
fn generate_cert_with_name(subject_alt_names: Vec<SanType>) -> (Vec<u8>, Vec<u8>, String) {
let root_key = KeyPair::generate().unwrap();
let mut root_params = CertificateParams::default();
root_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
let root_cert = Certificate::from_params(root_params).expect("should generate root");
let root_cert = root_params
.self_signed(&root_key)
.expect("should generate root");
let issuer_key = KeyPair::generate().unwrap();
let mut params = CertificateParams::default();
params.subject_alt_names = subject_alt_names;
let cert = Certificate::from_params(params).expect("should generate cert");
let cert = params
.signed_by(&issuer_key, &root_cert, &root_key)
.expect("should generate cert");
(
cert.serialize_der_with_signer(&root_cert)
.expect("should serialize"),
cert.serialize_private_key_der(),
root_cert.serialize_pem().expect("should serialize"),
cert.der().to_vec(),
issuer_key.serialize_der(),
root_cert.pem(),
)
}
@ -51,7 +56,7 @@ pub fn fails_processing_cert_when_wrong_id_configured(mode: meshtls::Mode) {
let id = Id::Dns(server_name.clone());
let (cert, key, roots) =
generate_cert_with_name(vec![SanType::URI("spiffe://system/local".into())]);
generate_cert_with_name(vec![SanType::URI("spiffe://system/local".parse().unwrap())]);
let (mut store, _) = mode
.watch(id, server_name.clone(), &roots)
.expect("should construct");

2
linkerd/meshtls/verifier/Cargo.toml
View File

@ -15,4 +15,4 @@ linkerd-identity = { path = "../../identity" }
[dev-dependencies]
rcgen = "0.12.0"
rcgen = "0.13.2"

78
linkerd/meshtls/verifier/src/lib.rs
View File

@ -61,22 +61,24 @@ mod tests {
use crate::client_identity;
use crate::verify_id;
use linkerd_identity::Id;
use rcgen::{Certificate, CertificateParams, SanType};
use rcgen::{CertificateParams, KeyPair, SanType};
fn generate_cert_with_names(subject_alt_names: Vec<SanType>) -> Vec<u8> {
let key = KeyPair::generate().expect("should generate key");
let mut params = CertificateParams::default();
params.subject_alt_names = subject_alt_names;
Certificate::from_params(params)
params
.self_signed(&key)
.expect("should generate cert")
.serialize_der()
.expect("should serialize")
.der()
.to_vec()
}
#[test]
pub fn cert_with_dns_san_matches_dns_id() {
let dns_name = "foo.ns1.serviceaccount.identity.linkerd.cluster.local";
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.into())]);
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_name.parse().unwrap())]);
let id = Id::parse_dns_name(dns_name).expect("should parse DNS id");
assert!(verify_id(&cert, &id).is_ok());
}
@ -84,7 +86,7 @@ mod tests {
#[test]
fn cert_with_spiffe_san_matches_spiffe_id() {
let spiffe_uri = "spiffe://identity.linkerd.cluster.local/ns/ns1/sa/foo";
let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.into())]);
let cert = generate_cert_with_names(vec![SanType::URI(spiffe_uri.parse().unwrap())]);
let id = Id::parse_uri(spiffe_uri).expect("should parse SPIFFE id");
assert!(verify_id(&cert, &id).is_ok());
}
@ -92,7 +94,9 @@ mod tests {
#[test]
pub fn cert_with_dns_san_does_not_match_dns_id() {
let dns_name_cert = vec![SanType::DnsName(
"foo.ns1.serviceaccount.identity.linkerd.cluster.local".into(),
"foo.ns1.serviceaccount.identity.linkerd.cluster.local"
.parse()
.unwrap(),
)];
let dns_name = "bar.ns1.serviceaccount.identity.linkerd.cluster.local";
@ -104,7 +108,9 @@ mod tests {
#[test]
fn cert_with_dns_san_does_not_match_spiffe_id() {
let dns_name_cert = vec![SanType::DnsName(
"bar.ns1.serviceaccount.identity.linkerd.cluster.local".into(),
"bar.ns1.serviceaccount.identity.linkerd.cluster.local"
.parse()
.unwrap(),
)];
let spiffe_uri = "spiffe://some-trust-comain/some-system/some-component";
@ -136,9 +142,9 @@ mod tests {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![
SanType::DnsName(foo_dns_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::URI(spiffe_id.into()),
SanType::DnsName(foo_dns_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::URI(spiffe_id.parse().unwrap()),
]);
let id = Id::parse_dns_name(foo_dns_id).expect("should parse DNS id");
assert!(verify_id(&cert, &id).is_ok());
@ -151,9 +157,9 @@ mod tests {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![
SanType::DnsName(foo_dns_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::URI(spiffe_id.into()),
SanType::DnsName(foo_dns_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::URI(spiffe_id.parse().unwrap()),
]);
let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
assert!(verify_id(&cert, &id).is_ok());
@ -167,9 +173,9 @@ mod tests {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![
SanType::DnsName(foo_dns_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::URI(spiffe_id.into()),
SanType::DnsName(foo_dns_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::URI(spiffe_id.parse().unwrap()),
]);
let id = Id::parse_dns_name(nar_dns_id).expect("should parse DNS id");
assert!(verify_id(&cert, &id).is_err());
@ -183,9 +189,9 @@ mod tests {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![
SanType::DnsName(foo_dns_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::DnsName(nar_dns_id.into()),
SanType::DnsName(foo_dns_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::DnsName(nar_dns_id.parse().unwrap()),
]);
let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
assert!(verify_id(&cert, &id).is_err());
@ -195,7 +201,7 @@ mod tests {
fn can_extract_spiffe_client_identity_one_san() {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.into())]);
let cert = generate_cert_with_names(vec![SanType::URI(spiffe_id.parse().unwrap())]);
let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
let client_id = client_identity(&cert);
assert_eq!(client_id, Some(id));
@ -208,9 +214,9 @@ mod tests {
let nar_dns_id = "nar.ns1.serviceaccount.identity.linkerd.cluster.local";
let cert = generate_cert_with_names(vec![
SanType::URI(spiffe_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::DnsName(nar_dns_id.into()),
SanType::URI(spiffe_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::DnsName(nar_dns_id.parse().unwrap()),
]);
let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
let client_id = client_identity(&cert);
@ -221,7 +227,7 @@ mod tests {
fn can_extract_dns_client_identity_one_san() {
let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local";
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]);
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]);
let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
let client_id = client_identity(&cert);
assert_eq!(client_id, Some(id));
@ -235,10 +241,10 @@ mod tests {
let spiffe_id = "spiffe://some-trust-comain/some-system/some-component";
let cert = generate_cert_with_names(vec![
SanType::DnsName(dns_id.into()),
SanType::DnsName(bar_dns_id.into()),
SanType::DnsName(nar_dns_id.into()),
SanType::URI(spiffe_id.into()),
SanType::DnsName(dns_id.parse().unwrap()),
SanType::DnsName(bar_dns_id.parse().unwrap()),
SanType::DnsName(nar_dns_id.parse().unwrap()),
SanType::URI(spiffe_id.parse().unwrap()),
]);
let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
let client_id = client_identity(&cert);
@ -252,9 +258,9 @@ mod tests {
let email_san_2 = "bar@bar.com";
let cert = generate_cert_with_names(vec![
SanType::DnsName(dns_id.into()),
SanType::Rfc822Name(email_san_1.into()),
SanType::Rfc822Name(email_san_2.into()),
SanType::DnsName(dns_id.parse().unwrap()),
SanType::Rfc822Name(email_san_1.parse().unwrap()),
SanType::Rfc822Name(email_san_2.parse().unwrap()),
]);
let id = Id::parse_dns_name(dns_id).expect("should parse DNS id");
let client_id = client_identity(&cert);
@ -268,9 +274,9 @@ mod tests {
let email_san_2 = "bar@bar.com";
let cert = generate_cert_with_names(vec![
SanType::URI(spiffe_id.into()),
SanType::Rfc822Name(email_san_1.into()),
SanType::Rfc822Name(email_san_2.into()),
SanType::URI(spiffe_id.parse().unwrap()),
SanType::Rfc822Name(email_san_1.parse().unwrap()),
SanType::Rfc822Name(email_san_2.parse().unwrap()),
]);
let id = Id::parse_uri(spiffe_id).expect("should parse SPIFFE id");
let client_id = client_identity(&cert);
@ -281,7 +287,7 @@ mod tests {
fn skips_dns_san_with_trailing_dot() {
let dns_id = "foo.ns1.serviceaccount.identity.linkerd.cluster.local.";
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.into())]);
let cert = generate_cert_with_names(vec![SanType::DnsName(dns_id.parse().unwrap())]);
let client_id = client_identity(&cert);
assert_eq!(client_id, None);
}

2
linkerd/proxy/spire-client/Cargo.toml
View File

@ -24,5 +24,5 @@ asn1 = { version = "0.6", package = "simple_asn1" }
thiserror = "2"
[dev-dependencies]
rcgen = "0.12.0"
rcgen = "0.13.2"
tokio-test = "0.4"

17
linkerd/proxy/spire-client/src/api.rs
View File

@ -220,18 +220,19 @@ where
#[cfg(test)]
mod tests {
use crate::api::Svid;
use rcgen::{Certificate, CertificateParams, SanType};
use rcgen::{CertificateParams, KeyPair, SanType};
use spiffe_proto::client as api;
fn gen_svid_pb(id: String, subject_alt_names: Vec<SanType>) -> api::X509svid {
let mut params = CertificateParams::default();
params.subject_alt_names = subject_alt_names;
let cert = Certificate::from_params(params).expect("should generate cert");
let key = KeyPair::generate().expect("should generate key");
let cert = params.self_signed(&key).expect("should generate cert");
api::X509svid {
spiffe_id: id,
x509_svid: cert.serialize_der().expect("should serialize"),
x509_svid_key: cert.serialize_private_key_der(),
x509_svid: cert.der().to_vec(),
x509_svid_key: key.serialize_der(),
bundle: Vec::default(),
}
}
@ -239,21 +240,21 @@ mod tests {
#[test]
fn can_parse_valid_proto() {
let id = "spiffe://some-domain/some-workload";
let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
let svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
assert!(Svid::try_from(svid_pb).is_ok());
}
#[test]
fn cannot_parse_non_spiffe_id() {
let id = "some-domain.some-workload";
let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.into())]);
let svid_pb = gen_svid_pb(id.into(), vec![SanType::DnsName(id.parse().unwrap())]);
assert!(Svid::try_from(svid_pb).is_err());
}
#[test]
fn cannot_parse_empty_cert() {
let id = "spiffe://some-domain/some-workload";
let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
svid_pb.x509_svid = Vec::default();
assert!(Svid::try_from(svid_pb).is_err());
}
@ -261,7 +262,7 @@ mod tests {
#[test]
fn cannot_parse_empty_key() {
let id = "spiffe://some-domain/some-workload";
let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.into())]);
let mut svid_pb = gen_svid_pb(id.into(), vec![SanType::URI(id.parse().unwrap())]);
svid_pb.x509_svid_key = Vec::default();
assert!(Svid::try_from(svid_pb).is_err());
}

20
linkerd/proxy/spire-client/src/lib.rs
View File

@ -62,10 +62,11 @@ mod tests {
use crate::api::Svid;
use linkerd_error::Result;
use linkerd_identity::DerX509;
use rcgen::{Certificate, CertificateParams, SanType, SerialNumber};
use rcgen::{CertificateParams, KeyPair, SanType, SerialNumber};
use std::time::SystemTime;
fn gen_svid(id: Id, subject_alt_names: Vec<SanType>, serial: SerialNumber) -> Svid {
let key = KeyPair::generate().expect("should generate key");
let mut params = CertificateParams::default();
params.subject_alt_names = subject_alt_names;
params.serial_number = Some(serial);
@ -73,10 +74,11 @@ mod tests {
Svid::new(
id,
DerX509(
Certificate::from_params(params)
params
.self_signed(&key)
.expect("should generate cert")
.serialize_der()
.expect("should serialize"),
.der()
.to_vec(),
),
Vec::default(),
Vec::default(),
@ -151,7 +153,7 @@ mod tests {
let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes());
let update_1 = SvidUpdate::new(vec![gen_svid(
spiffe_id.clone(),
vec![SanType::URI(spiffe_san.into())],
vec![SanType::URI(spiffe_san.parse().unwrap())],
serial_1.clone(),
)]);
@ -164,7 +166,7 @@ mod tests {
let serial_2 = SerialNumber::from_slice("some-serial-2".as_bytes());
let update_2 = SvidUpdate::new(vec![gen_svid(
spiffe_id.clone(),
vec![SanType::URI(spiffe_san.into())],
vec![SanType::URI(spiffe_san.parse().unwrap())],
serial_2.clone(),
)]);
@ -186,7 +188,7 @@ mod tests {
let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes());
let update_1 = SvidUpdate::new(vec![gen_svid(
spiffe_id.clone(),
vec![SanType::URI(spiffe_san.into())],
vec![SanType::URI(spiffe_san.parse().unwrap())],
serial_1.clone(),
)]);
@ -228,7 +230,7 @@ mod tests {
let serial_1 = SerialNumber::from_slice("some-serial-1".as_bytes());
let update_1 = SvidUpdate::new(vec![gen_svid(
spiffe_id.clone(),
vec![SanType::URI(spiffe_san.into())],
vec![SanType::URI(spiffe_san.parse().unwrap())],
serial_1.clone(),
)]);
@ -242,7 +244,7 @@ mod tests {
let mut update_sent = svid_tx.subscribe();
let update_2 = SvidUpdate::new(vec![gen_svid(
spiffe_id_wrong,
vec![SanType::URI(spiffe_san_wrong.into())],
vec![SanType::URI(spiffe_san_wrong.parse().unwrap())],
serial_2.clone(),
)]);