Use separate certificates for client,server (#3336)

Use same script to generate as core

Fixes open-telemetry#3334

Signed-off-by: Bogdan Drutu <[email protected]>

Makefile

@@ -258,3 +258,21 @@ build-examples:
 .PHONY: checkdoc
 checkdoc:
 	checkdoc --project-path $(CURDIR) --component-rel-path $(COMP_REL_PATH) --module-name $(MOD_NAME)
+
+# Function to execute a command. Note the empty line before endef to make sure each command
+# gets executed separately instead of concatenated with previous one.
+# Accepts command to execute as first parameter.
+define exec-command
+$(1)
+
+endef
+
+# List of directories where certificates are stored for unit tests.
+CERT_DIRS := receiver/sapmreceiver/testdata \
+             receiver/signalfxreceiver/testdata \
+             receiver/splunkhecreceiver/testdata
+
+# Generate certificates for unit tests relying on certificates.
+.PHONY: certs
+certs:
+	$(foreach dir, $(CERT_DIRS), $(call exec-command, @internal/buildscripts/gen-certs.sh -o $(dir)))

internal/buildscripts/gen-certs.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+
+# This script is used to create the CA, server and client's certificates and keys required by unit tests.
+# These certificates use the Subject Alternative Name extension rather than the Common Name, which will be unsupported from Go 1.15.
+
+usage() {
+  echo "Usage: $0 [-d]"
+  echo
+  echo "-d  Dry-run mode. No project files will not be modified. Default: 'false'"
+  echo "-m  Domain name to use in the certificate. Default: 'localhost'"
+  echo "-o  Output directory where certificates will be written to. Default: '.'; the current directory"
+  exit 1
+}
+
+dry_run=false
+domain="localhost"
+output_dir="."
+
+while getopts "dm:o:" o; do
+    case "${o}" in
+        d)
+            dry_run=true
+            ;;
+        m)
+            domain=$OPTARG
+            ;;
+        o)
+            output_dir=$OPTARG
+            ;;
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+set -ex
+
+# Create temp dir for generated files.
+tmp_dir=$(mktemp -d -t certificates)
+clean_up() {
+    ARG=$?
+    if [ $dry_run = true ]; then
+      echo "Dry-run complete. Generated files can be found in $tmp_dir"
+    else
+      rm -rf "$tmp_dir"
+    fi
+    exit $ARG
+}
+trap clean_up EXIT
+
+gen_ssl_conf() {
+  domain_name=$1
+  output_file=$2
+
+  cat << EOF > "$output_file"
+[ req ]
+prompt              = no
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+req_extensions      = req_ext
+
+[ req_distinguished_name ]
+countryName         = AU
+stateOrProvinceName = Australia
+localityName        = Sydney
+organizationName    = MyOrgName
+commonName          = MyCommonName
+
+[ req_ext ]
+subjectAltName      = @alt_names
+
+[alt_names]
+DNS.1               = $domain_name
+EOF
+}
+
+# Generate config files.
+gen_ssl_conf "$domain" "$tmp_dir/ssl.conf"
+
+# Create CA (accept defaults from prompts).
+openssl genrsa -out "$tmp_dir/ca.key"  2048
+openssl req -new -key "$tmp_dir/ca.key" -x509 -days 3650 -out "$tmp_dir/ca.crt" -config "$tmp_dir/ssl.conf"
+
+# Create client and server keys.
+openssl genrsa -out "$tmp_dir/server.key" 2048
+openssl genrsa -out "$tmp_dir/client.key" 2048
+
+# Create certificate sign request using the above created keys.
+openssl req -new -nodes -key "$tmp_dir/server.key" -out "$tmp_dir/server.csr" -config "$tmp_dir/ssl.conf"
+openssl req -new -nodes -key "$tmp_dir/client.key" -out "$tmp_dir/client.csr" -config "$tmp_dir/ssl.conf"
+
+# Creating the client and server certificates.
+openssl x509 -req \
+             -sha256 \
+             -days 3650 \
+             -in "$tmp_dir/server.csr" \
+             -signkey "$tmp_dir/server.key" \
+             -out "$tmp_dir/server.crt" \
+             -extensions req_ext \
+             -CA "$tmp_dir/ca.crt" \
+             -CAkey "$tmp_dir/ca.key" \
+             -CAcreateserial \
+             -extfile "$tmp_dir/ssl.conf"
+openssl x509 -req \
+             -sha256 \
+             -days 3650 \
+             -in "$tmp_dir/client.csr" \
+             -signkey "$tmp_dir/client.key" \
+             -out "$tmp_dir/client.crt" \
+             -extensions req_ext \
+             -CA "$tmp_dir/ca.crt" \
+             -CAkey "$tmp_dir/ca.key" \
+             -CAcreateserial \
+             -extfile "$tmp_dir/ssl.conf"
+
+# Copy files if not in dry-run mode.
+if [ $dry_run = false ]; then
+  cp "$tmp_dir/ca.crt" \
+     "$tmp_dir/client.crt" \
+     "$tmp_dir/client.key" \
+     "$tmp_dir/server.crt" \
+     "$tmp_dir/server.key" \
+     "$output_dir"
+fi

receiver/sapmreceiver/testdata/ca.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNjCCAh4CCQDAtHQ9svPM4TANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJB
+VTESMBAGA1UECAwJQXVzdHJhbGlhMQ8wDQYDVQQHDAZTeWRuZXkxEjAQBgNVBAoM
+CU15T3JnTmFtZTEVMBMGA1UEAwwMTXlDb21tb25OYW1lMB4XDTIxMDUwNjAzMTYz
+MFoXDTMxMDUwNDAzMTYzMFowXTELMAkGA1UEBhMCQVUxEjAQBgNVBAgMCUF1c3Ry
+YWxpYTEPMA0GA1UEBwwGU3lkbmV5MRIwEAYDVQQKDAlNeU9yZ05hbWUxFTATBgNV
+BAMMDE15Q29tbW9uTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AMqR3+6s+Iirta769tDlA0N0OAF9hyY6Y3OHshtBFCUiDgZSrTEcNlyHQLJN9J+L
+W5lPJm5nIAUZZphc1fPLEsF3pH8tNM21X0wrefjfb3FV/0V6ZXpxkZMCREx9B+Qo
+HKOwax6jsxXM03o1bRAxTFGVwDjPop1VZKmQT/z3qo4D1xpgpvkSGWW5zqeaZXje
+lEJ71TKF2diMshUooHADkDpTFznFwBGPQJvm0Kpkir08VDdIOxbkPIb+SLsM3zlN
+NUjOW9xN25RR1rSfWIpEJqUIpXrN+0PES9lU9k09YbP24QE2V1dnrRl9mE8AW5jn
+f1Ye4Dj/aFDaA9ByXD5F+g8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEArIi+Vu8q
+dKcPT74kbBGBsw9G6No17plPrQ3fVky8/B+HhOLGU2pHjyMyYd3G3DWjCV1JA4PO
+B15raWWsWqTV3+zutQ6zgbSCo8c/KiN6CKJdptiDV242Sx64gvswjDm5YIRaIoZr
+Y8hiy64DrqN5eG1g/VO7w4xnskgEyQW67qX7ccrxBFaq3nUbgfBoMvFaaEMVAiz6
+9Rmc+p4qA2hfdfY29n5iA9m6cTQ91WKXXN5qLIqfKzsRlb7neHCk/z1BhF/dEJi1
+T+BpwaMhGFCcTl2E7fIJmzEMeQkaAUpGyOgrJ+Of7Srmw4uRwC1QOsgaxdEfj/Am
+wS/wXW0j+fNzfQ==
+-----END CERTIFICATE-----

receiver/sapmreceiver/testdata/client.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIJAJ04Tjxr61SEMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkFVMRIwEAYDVQQIDAlBdXN0cmFsaWExDzANBgNVBAcMBlN5ZG5leTESMBAG
+A1UECgwJTXlPcmdOYW1lMRUwEwYDVQQDDAxNeUNvbW1vbk5hbWUwHhcNMjEwNTA2
+MDMxNjMxWhcNMzEwNTA0MDMxNjMxWjBdMQswCQYDVQQGEwJBVTESMBAGA1UECAwJ
+QXVzdHJhbGlhMQ8wDQYDVQQHDAZTeWRuZXkxEjAQBgNVBAoMCU15T3JnTmFtZTEV
+MBMGA1UEAwwMTXlDb21tb25OYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9YS6A2aFmaGVSbe4c5XAFR+7A2pzS+pD8fs+J6AxafkONhCN3/mW5cxp
+vucDTQBnq/gxz2nLaUAEL7YrW5C0k0Wt8XKu6cM0WbtMEv3im87N8jOVWxHEBlAe
+0uaR+CKNdJaxg1OH03XHfuM1FW1fALEPJVmIKHvJRMPyx0d2H9ACJ7wx0X490IeS
+NtFmGLyawXNkV0EnVkCa1S+bdAUHUWoE1OlIfYZ9haRygEwlkK5wiQ/ngTZaS27b
+96P01KnnMg3GSHxExk86PkoYizrE8MN3luheFKGkgtJBEUR9iC1NZT9WPkl/dLw3
+0FsZBMqipwNmFpeXfK0MiM+Ii4p/qQIDAQABoy4wLDAUBgNVHREEDTALgglsb2Nh
+bGhvc3QwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQB8
+83osKF1Up3jdR7gV9XkdhYWigA8G1hum6W10mMyphOMnPtcER0VKJFdVxVS80VlX
+H0CqPJ2DOczeuxNdgAot1X3vFGD+20+EDMVwL6G5pED1Cl5Pz5qj+aO96jOeLT35
+OEQCTDLSSm75wsf16J501tOF2z99U1cFXv9j6cX/LJc0NdeqaG2TE8o7PvkpbKXV
+QjUmYv9VfvAJoUa4Tr0I5I3bi/K0xaiVPugyv5oCHW/I3B9QqC/mv7lDa4LPTK4Y
+jujWZW+Fbk31JX2yq81QQ89vhSJXo/pnut8JPNJW295gkFAjFCUtjqBuW9QdMJlG
+z+buUqr8lpMCK8570aRE
+-----END CERTIFICATE-----

receiver/sapmreceiver/testdata/client.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9YS6A2aFmaGVSbe4c5XAFR+7A2pzS+pD8fs+J6AxafkONhCN
+3/mW5cxpvucDTQBnq/gxz2nLaUAEL7YrW5C0k0Wt8XKu6cM0WbtMEv3im87N8jOV
+WxHEBlAe0uaR+CKNdJaxg1OH03XHfuM1FW1fALEPJVmIKHvJRMPyx0d2H9ACJ7wx
+0X490IeSNtFmGLyawXNkV0EnVkCa1S+bdAUHUWoE1OlIfYZ9haRygEwlkK5wiQ/n
+gTZaS27b96P01KnnMg3GSHxExk86PkoYizrE8MN3luheFKGkgtJBEUR9iC1NZT9W
+Pkl/dLw30FsZBMqipwNmFpeXfK0MiM+Ii4p/qQIDAQABAoIBAQCRqIG2/L7sS2nH
+R2D96e0AW0fXGfN3KW/QAw938NkAFwswVhfltiyo/uIJqQJTT5cx9liOxiQwuBMD
+v17vvuTyrpcotLJC61WGmtDiP4+Ogl26gJHuapbSa/wtgS8+eDlV3wVHdWoSsUB+
+7gsTQETpoyHqNbjK082vp1TEl4fkDJmG0x//R8bQBl4VcTxeqJYqrW6KuF0Mx3bY
+8UeOS7OTkajzHO+KYFEoHN25IT3Onmqe6orljgkRXdOEpi1a2T0nQFw+2YesqP+K
+sK8cyVQMyCqPg8YoiHNvetx6n1TxVHRQCZGtoSDljWzZMP2hXrjMeApr3PhcX7as
+IJJQwwgBAoGBAP7lZLj1zJDz7UJb7czRF8IMSXaWinR8dIdcZDvnFfXFuSGzlcVa
+WTsamhsfV1Up7vFqzcV9N1ZDKWm8kQfRHnShBYsCRujMUK/wVrAJEc7SNo5oVwdm
+52jiXyJYkt1cMSaMPNG91FUXAwsrLKOcKGTN6I1aPBP6TlOWc5eHfB0BAoGBAPaU
+76P7Yp/zkTfsOR8/xq8Pl/7HTGlZuYLXPmwR4wODUiaDqXHg0M6qSbp6OgcLZBEe
+198vdydGXGSUHtzqUscBbXJyyp6Wash2GYgx72+3KfzZ2nHttxlbQtNBwGxX4REV
+bVrFFgOMPRD5cnEMMHqSpFNGWl3YbMeGcU+TaVqpAoGBAMGUnYYKxq1fU1UOU+80
+7QImKrSxZ71Ht4gFluoXegoJe6wooxoan6HPdjIa/0xiaGFYZ6YQjrIol48B8nMp
+UiPpFjiYJhou8ShtMqjGeovEAkLs4wtwD1cMdIu1EPSkS3+nCZmQvW1R6LHWvDQV
+KGhGKNMRMIdLlajNnkP6VTwBAoGBAJBoZvPlLDw6m8hheo6XfhdWDZDzTQfBuUgs
+IG2QCCAtjzXpE5oSrJbr2aPxIvyvKhpwssINfT2uEjwBFxYP0QylBGDrY0h/FOhz
+ab5+aBhH77oaJ7ljG0EpVjh8oGGTEcc8gj+PfrXzMmw3elNEbTvLl5sBb7jYH9S2
+IrQUw7WJAoGAJneoFPKRrPYxV5mjjfaz2bMJYTgGE8WepgJiFBLpZCXQK5wIlnuN
+9W43dC0+9GrCdhVoYm5UmkN8xuBRMzDdm0Of5fJqdsxIvzOsaUt34tPoH7LOgikj
+ENL4WCXHgtNqFH1XCL/0/Ftb5fVGMw9jhXtT4hsqN4xXnkGPrgYMglA=
+-----END RSA PRIVATE KEY-----

receiver/sapmreceiver/testdata/server.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDazCCAlOgAwIBAgIJAJ04Tjxr61SDMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkFVMRIwEAYDVQQIDAlBdXN0cmFsaWExDzANBgNVBAcMBlN5ZG5leTESMBAG
+A1UECgwJTXlPcmdOYW1lMRUwEwYDVQQDDAxNeUNvbW1vbk5hbWUwHhcNMjEwNTA2
+MDMxNjMxWhcNMzEwNTA0MDMxNjMxWjBdMQswCQYDVQQGEwJBVTESMBAGA1UECAwJ
+QXVzdHJhbGlhMQ8wDQYDVQQHDAZTeWRuZXkxEjAQBgNVBAoMCU15T3JnTmFtZTEV
+MBMGA1UEAwwMTXlDb21tb25OYW1lMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA4JRQCdODFJCucb3WAq6ojysyl/6GpYy0YaaBgpby57agtnt8E7NGlfrP
+UhCnT0tKStagkh+yNbHFP63D/YD2Yys23BuDHZb5gbG5GwHF+qpIO6klweErDfgy
+p+z8q/t6oLTS6FQzIiIN1vzIutGTiuixU+hz8P6Eo7dXWEBdrf9h+Vpe76OaLGp9
+36jYDKjkY8ZR9SV3WwqGcMw/Hj3nJ/99PUQxiaSSrULrEaj+6PDKAKyEyQ/y0nX9
+mrx758LyFfhEOYrbmKW5vz5NLKpHpDF7BiIqTiqNkunGbKVMh9VMwkR25z5G+Aya
+xLK9961f7tW0nBNkANGrEl70Xii96QIDAQABoy4wLDAUBgNVHREEDTALgglsb2Nh
+bGhvc3QwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAX
+rgDGCNj4ypE+sTVUDEYuyRU9U1CeFNThDtirSWp5sLkcxi9sKZibfq1gtYvOZqEu
+a6FmW3NENV+9fxjx2SqOCMmRbyRylRnOKOrciw0TCqnsO2HVHLgnIOFkBxsRbPK5
+K348T0OAcpp+4S5JfAHWyVHDkr+ME8F+X/iJt44Gl3LMLsmfUXIfjsn4isjNuuDu
+YTuUIudAc8QXn8nqUUkCgaaLMdI0Jv8vos52InXLdZQN3BZEQvh9IV/rlq6u+sDN
+SdQySnhCRfDxHtFNF1fWSzsH+W3EDj6773EDRnbtJ5khnS4bjcf1xIBHrq2KG+ZB
+IuvI1IjQR7mOOcBOAv++
+-----END CERTIFICATE-----

receiver/sapmreceiver/testdata/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4JRQCdODFJCucb3WAq6ojysyl/6GpYy0YaaBgpby57agtnt8
+E7NGlfrPUhCnT0tKStagkh+yNbHFP63D/YD2Yys23BuDHZb5gbG5GwHF+qpIO6kl
+weErDfgyp+z8q/t6oLTS6FQzIiIN1vzIutGTiuixU+hz8P6Eo7dXWEBdrf9h+Vpe
+76OaLGp936jYDKjkY8ZR9SV3WwqGcMw/Hj3nJ/99PUQxiaSSrULrEaj+6PDKAKyE
+yQ/y0nX9mrx758LyFfhEOYrbmKW5vz5NLKpHpDF7BiIqTiqNkunGbKVMh9VMwkR2
+5z5G+AyaxLK9961f7tW0nBNkANGrEl70Xii96QIDAQABAoIBABvZaH9/ci7Xrjo+
+n05f2FlAsxp0HsBizW+alU7bZy3i0NUwRPewcJ1ip9j2ZbkIjiLvsKPOOGw+Kka2
+RqqmFme/0SLEaqL9uN0ja9/0fVeTTDfRxvPe91bZI3b9hWvSWKebJNhYsKqX7H1v
+hXjdSl2cc3kDR3VoKoyezL8N5FASMs06IWvCBtDYCehj+A3GkvGbOMLdTEj2j1nF
+F287xfO5iqPwFxd0gcfnBCitfng/4+Hr4NQNCTyKF9SVtB975gBTGjD/8CJ5Lcr3
+TW8Q+OTox3goR1gQDFf4Z8G0jsHUJfPjjhE4BCdhdxMUQqT3H9v1jIRMpXYO5qL6
+Zo7R+30CgYEA+wVm7/Bn0UFHnW8pPI/TbidRNK+gMr2J5aDCOl3RfM7R9BwhTb5L
+6Nyx5ChBD+VFznBpjonEENGawG+43sSek5+Kr3Tm2PAHs0zWDP5suzJeatZnVgMT
+rQcYgQfvuwz+lmOJqGSit5lLd/6su2L7O2XNR9GH1ae4bQIlSLOVJpsCgYEA5Qim
+BI/uHpInS2ZT7zj2k7703dP2IKpkDD+hJhmP0MU9FcsGISOXHsrnJVmuxbnaKljM
+Nwt7uOC3UT5eqGiJJ0yXxliHX2m7yMP1IyhWTw4TDyYhWITxQN9U6vwuu+Xo9S4D
+yx2Fj7RB3JskOivO8G6HUr7agJ+VhPEqSB6a88sCgYEAlKC6Nk9N6SSR1rG+5ND0
+C0DUYDGs1N5NC92Hoy9xnkiHH9aYEYQfRh2GZuU+wL6r+nOszGzd3md9DXwZJi2d
+ByNr5j99f+1/YbaY9tCeaKiGJxQT02W2/Lg61gtw8nvbMgh1tXMAtVzaxo3QkJMm
+1iCMz31MxECufjzK/qT2JwkCgYEAjIQR1xq27OqeURQmys4X+e1eLfqtNr1TRHCF
+Xeqw4VUhdQ1qZUqAnNO/nJq5L3Ym83QnVl4lOfgkgCPTz17TRtknBPmrlE46d6JB
+85/70+S+rLyoGLb3jOV4I/M0ePNFSadBjIxANTpSbhaA02+tNrWZMJsHU4KVKUsM
+tdKRHqECgYBsqvFtcI2A3zogJP6X22ZuGBtolkt0toU1pXV4zDO4Gn5RujgDqS4U
+7o9ET1meCXZ9olGqWUrgqxfN0cUbNu38nUqzfnjZH0LeA3yTbvbMLnkpTXSJ6/J1
+Mt2mxIA5eiarcvAc83g0eIcCji3d4aZgqS8XqBBUSk22mO3Q3IZ9xw==
+-----END RSA PRIVATE KEY-----

receiver/sapmreceiver/trace_receiver_test.go

@@ -18,11 +18,8 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/binary"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"testing"
 	"time"
@@ -191,16 +188,20 @@ func sendSapm(endpoint string, sapm *splunksapm.PostSpansRequest, zipped bool, t
 	client := &http.Client{}
 
 	if tlsEnabled {
-		caCert, errCert := ioutil.ReadFile("./testdata/testcert.crt")
-		if errCert != nil {
-			return nil, fmt.Errorf("failed to load certificate: %s", errCert.Error())
+		tlscs := configtls.TLSClientSetting{
+			TLSSetting: configtls.TLSSetting{
+				CAFile:   "./testdata/ca.crt",
+				CertFile: "./testdata/client.crt",
+				KeyFile:  "./testdata/client.key",
+			},
+			ServerName: "localhost",
+		}
+		tls, errTLS := tlscs.LoadTLSConfig()
+		if errTLS != nil {
+			return nil, fmt.Errorf("failed to send request to receiver %w", err)
 		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(caCert)
 		client.Transport = &http.Transport{
-			TLSClientConfig: &tls.Config{
-				RootCAs: caCertPool,
-			},
+			TLSClientConfig: tls,
 		}
 	}
 
@@ -281,8 +282,9 @@ func TestReception(t *testing.T) {
 						Endpoint: tlsAddress,
 						TLSSetting: &configtls.TLSServerSetting{
 							TLSSetting: configtls.TLSSetting{
-								CertFile: "./testdata/testcert.crt",
-								KeyFile:  "./testdata/testkey.key",
+								CAFile:   "./testdata/ca.crt",
+								CertFile: "./testdata/server.crt",
+								KeyFile:  "./testdata/server.key",
 							},
 						},
 					},
@@ -304,7 +306,7 @@ func TestReception(t *testing.T) {
 			t.Log("Sending Sapm Request")
 			var resp *http.Response
 			resp, err := sendSapm(tt.args.config.Endpoint, tt.args.sapm, tt.args.zipped, tt.args.useTLS, "")
-			require.NoErrorf(t, err, "should not have failed when sending sapm %v", err)
+			require.NoError(t, err)
 			assert.Equal(t, 200, resp.StatusCode)
 			t.Log("SAPM Request Received")