Use EC crypto (instead of RSA) to workaround weird test timeout

When we use RSA private keys to sign our test certificates, we run
into strange test timeouts. The internal/controller/apicerts package
was timing out on my machine more than once every 3 runs. When I
changed the RSA crypto to EC crypto, this timeout went away. I'm not
gonna try to figure out what the deal is here because I think it would
take longer than it would be worth (although I am sure it is some fun
story involving prime numbers; the goroutine traces for timed out
tests would always include some big.Int operations involving prime
numbers...).

Signed-off-by: Andrew Keesler <akeesler@vmware.com>
Andrew Keesler 2020-08-28 11:19:52 -04:00
parent a4fe76f6a9
commit ddb7a20c53
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
2 changed files with 8 additions and 5 deletions


@ -7,8 +7,9 @@ package apicerts
import ( import (
"context" "context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/rsa"
"crypto/x509" "crypto/x509"
"errors" "errors"
"testing" "testing"
@ -197,11 +198,12 @@ func TestExpirerControllerSync(t *testing.T) {
{ {
name: "parse cert failure", name: "parse cert failure",
fillSecretData: func(t *testing.T, m map[string][]byte) { fillSecretData: func(t *testing.T, m map[string][]byte) {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048) privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
require.NoError(t, err) require.NoError(t, err)
// See certs_manager.go for this constant. // See certs_manager.go for this constant.
m["tlsCertificateChain"] = x509.MarshalPKCS1PrivateKey(privateKey) m["tlsCertificateChain"], err = x509.MarshalPKCS8PrivateKey(privateKey)
require.NoError(t, err)
}, },
wantDelete: false, wantDelete: false,
}, },
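Review bot: The `parse cert failure` case stores a marshalled private key under `tlsCertificateChain` without saying that this is deliberate, so a reader can mistake it for a wrong-field bug. A comment above the `ecdsa.GenerateKey` call, such as `// Store a private key where a certificate is expected so that certificate parsing fails.`, would make the intent explicit. Since the case only needs bytes that are not a certificate, a fixed byte slice would probably exercise the same path with no key generation at all, though that depends on how the controller decodes the value, which is not visible here. The enclosing TestExpirerControllerSync table starts and ends outside the hunk.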


@ -6,8 +6,9 @@ SPDX-License-Identifier: Apache-2.0
package testutil package testutil
import ( import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand" "crypto/rand"
"crypto/rsa"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"crypto/x509/pkix" "crypto/x509/pkix"
@ -82,7 +83,7 @@ func (v *ValidCert) RequireMatchesPrivateKey(keyPEM string) {
// There is nothing very special about the certificate that it creates, just // There is nothing very special about the certificate that it creates, just
// that it is a valid certificate that can be used for testing. // that it is a valid certificate that can be used for testing.
func CreateCertificate(notBefore, notAfter time.Time) ([]byte, error) { func CreateCertificate(notBefore, notAfter time.Time) ([]byte, error) {
privateKey, err := rsa.GenerateKey(rand.Reader, 2048) privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil { if err != nil {
return nil, err return nil, err
} }
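Review bot: The doc comment on CreateCertificate still says there is nothing very special about the certificate, but with `ecdsa.GenerateKey(elliptic.P256(), rand.Reader)` every certificate from this helper is now ECDSA P-256, and the comment should record that and why: `// The key is ECDSA P-256; RSA key generation was dropped because it made tests time out.` If the certificates issued by the production code are still RSA, tests built on this helper no longer exercise that key type, which is worth stating next to the helper. The function body continues past the end of the hunk, so the template's key usage and signature settings could not be checked against an EC key from here.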