From ddb7a20c5352f3cd9faf988a007a9f081e87d63a Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Fri, 28 Aug 2020 11:19:52 -0400
Subject: [PATCH] Use EC crypto (instead of RSA) to workaround weird test timeout

When we use RSA private keys to sign our test certificates, we run into strange test timeouts. The internal/controller/apicerts package was timing out on my machine more than once every 3 runs. When I changed the RSA crypto to EC crypto, this timeout goes away. I'm not gonna try to figure out what the deal is here because I think it would take longer than it would be worth (although I am sure it is some fun story involving prime numbers; the goroutine traces for timed out tests would always include some big.Int operations involving prime numbers...).

Signed-off-by: Andrew Keesler
---
 internal/controller/apicerts/certs_expirer_test.go | 8 +++++---
 internal/testutil/certs.go | 5 +++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/internal/controller/apicerts/certs_expirer_test.go b/internal/controller/apicerts/certs_expirer_test.go
index da1dd1ca..49ad3beb 100644
--- a/internal/controller/apicerts/certs_expirer_test.go
+++ b/internal/controller/apicerts/certs_expirer_test.go
@@ -7,8 +7,9 @@ package apicerts
 import (
 "context"
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/x509"
 "errors"
 "testing"
@@ -197,11 +198,12 @@ func TestExpirerControllerSync(t *testing.T) {
 {
 name: "parse cert failure",
 fillSecretData: func(t *testing.T, m map[string][]byte) {
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 require.NoError(t, err)
 // See certs_manager.go for this constant.
- m["tlsCertificateChain"] = x509.MarshalPKCS1PrivateKey(privateKey)
+ m["tlsCertificateChain"], err = x509.MarshalPKCS8PrivateKey(privateKey)
+ require.NoError(t, err)
 },
 wantDelete: false,
 },
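Review bot: In the "parse cert failure" case the freshly generated key is used only as bytes that are not a certificate, so `ecdsa.GenerateKey` plus the second `require.NoError(t, err)` is setup the assertion does not need. A constant payload, e.g. `m["tlsCertificateChain"] = []byte("not a certificate")`, would presumably reach the same parse-failure branch with no key generation or randomness in the test at all. If the point is that well-formed DER which is not a certificate must be rejected, a comment above the assignment should say so, such as `// PKCS #8 key bytes are valid DER but not a certificate, so parsing must fail.` The table entry and TestExpirerControllerSync start and end outside this hunk, so the controller's actual parse path is not visible here.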
diff --git a/internal/testutil/certs.go b/internal/testutil/certs.go
index f404969f..67e1c0c5 100644
--- a/internal/testutil/certs.go
+++ b/internal/testutil/certs.go
@@ -6,8 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 package testutil
 import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/tls"
 "crypto/x509"
 "crypto/x509/pkix"
@@ -82,7 +83,7 @@ func (v *ValidCert) RequireMatchesPrivateKey(keyPEM string) {
 // There is nothing very special about the certificate that it creates, just
 // that it is a valid certificate that can be used for testing.
 func CreateCertificate(notBefore, notAfter time.Time) ([]byte, error) {
- privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 if err != nil {
 return nil, err
 }
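Review bot: The doc comment above CreateCertificate still describes the certificate as nothing special, but after this change every fixture it produces carries an ECDSA P-256 key, which the comment should state: `// The key pair is ECDSA P-256; tests that need an RSA certificate must create their own.` With both files switched, no test touched by this patch exercises an RSA-keyed certificate any more, so if the code under test can be handed RSA certificates that path loses coverage while the timeout the commit message describes stays undiagnosed. Generating one RSA key per test binary and reusing it would be an alternative that keeps RSA coverage without repeated prime generation. CreateCertificate's body continues past the hunk, so whether its template pins an RSA `SignatureAlgorithm` cannot be checked from here.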