]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8d11b1d)
net/http: remove test-only private key from production binaries
authorDamien Neil <dneil@google.com>
Thu, 10 Jun 2021 17:50:37 +0000 (10:50 -0700)
committerDamien Neil <dneil@google.com>
Thu, 10 Jun 2021 20:20:58 +0000 (20:20 +0000)
The net/http/internal package contains a PEM-encoded private key used in
tests. This key is initialized at init time, which prevents it from
being stripped by the linker in non-test binaries.

Move the certificate and key to a new net/http/internal/testcert
package to ensure it is only included in binaries that reference it.

Fixes #46677.

Change-Id: Ie98bda529169314cc791063e7ce4d99ef99113c8
Reviewed-on: https://go-review.googlesource.com/c/go/+/326771
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
src/go/build/deps_test.go patch | blob | history
src/net/http/httptest/server.go patch | blob | history
src/net/http/internal/testcert/testcert.go [moved from src/net/http/internal/testcert.go with 94% similarity] patch | blob | history
src/net/http/serve_test.go patch | blob | history
src/net/http/transport_internal_test.go patch | blob | history
src/net/http/transport_test.go patch | blob | history

diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index 5d1cf7f4c97cfd7a3755a7801921321908b81406..45e2f25df74da3444f3256f52ea8ab6cdf23b616 100644 (file)
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -440,7 +440,8 @@ var depsRules = `
        # HTTP, King of Dependencies.
 
        FMT
-       < golang.org/x/net/http2/hpack, net/http/internal, net/http/internal/ascii;
+       < golang.org/x/net/http2/hpack
+       < net/http/internal, net/http/internal/ascii, net/http/internal/testcert;
 
        FMT, NET, container/list, encoding/binary, log
        < golang.org/x/text/transform
@@ -459,6 +460,7 @@ var depsRules = `
        golang.org/x/net/http2/hpack,
        net/http/internal,
        net/http/internal/ascii,
+       net/http/internal/testcert,
        net/http/httptrace,
        mime/multipart,
        log
diff --git a/src/net/http/httptest/server.go b/src/net/http/httptest/server.go
index a02a6d64c39882c1a32508ba581211f646b6a82f..4f85ff55d89397e59f96cb7631ffa01cffe7ac13 100644 (file)
--- a/src/net/http/httptest/server.go
+++ b/src/net/http/httptest/server.go
@@ -14,7 +14,7 @@ import (
        "log"
        "net"
        "net/http"
-       "net/http/internal"
+       "net/http/internal/testcert"
        "os"
        "strings"
        "sync"
@@ -144,7 +144,7 @@ func (s *Server) StartTLS() {
        if s.client == nil {
                s.client = &http.Client{Transport: &http.Transport{}}
        }
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                panic(fmt.Sprintf("httptest: NewTLSServer: %v", err))
        }
diff --git a/src/net/http/internal/testcert.go b/src/net/http/internal/testcert/testcert.go
similarity index 94%
rename from src/net/http/internal/testcert.go
rename to src/net/http/internal/testcert/testcert.go
index 2284a836fb7015d2a41f43cc555c2259e82a93ba..5f94704ef590d6ca5ef9433e67d5d66990a2042a 100644 (file)
--- a/src/net/http/internal/testcert.go
+++ b/src/net/http/internal/testcert/testcert.go
@@ -2,7 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package internal
+// Package testcert contains a test-only localhost certificate.
+package testcert
 
 import "strings"
 
@@ -25,7 +26,7 @@ h1fIw3cSS2OolhloGw/XM6RWPWtPAlGykKLciQrBru5NAPvCMsb/I1DAceTiotQM
 fblo6RBxUQ==
 -----END CERTIFICATE-----`)
 
-// LocalhostKey is the private key for localhostCert.
+// LocalhostKey is the private key for LocalhostCert.
 var LocalhostKey = []byte(testingKey(`-----BEGIN RSA TESTING KEY-----
 MIICXgIBAAKBgQDuLnQAI3mDgey3VBzWnB2L39JUU4txjeVE6myuDqkM/uGlfjb9
 SjY1bIw4iA5sBBZzHi3z0h1YV8QPuxEbi4nW91IJm2gsvvZhIrCHS3l6afab4pZB
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index c2f881146975f61bafb8c3c4ee74a2f5776120d5..6394da3bb7cf60d0263e723bb611967f64d43820 100644 (file)
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -25,6 +25,7 @@ import (
        "net/http/httptest"
        "net/http/httputil"
        "net/http/internal"
+       "net/http/internal/testcert"
        "net/url"
        "os"
        "os/exec"
@@ -1475,7 +1476,7 @@ func TestServeTLS(t *testing.T) {
        defer afterTest(t)
        defer SetTestHookServerServe(nil)
 
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                t.Fatal(err)
        }
@@ -1599,7 +1600,7 @@ func TestAutomaticHTTP2_Serve_WithTLSConfig(t *testing.T) {
 }
 
 func TestAutomaticHTTP2_ListenAndServe(t *testing.T) {
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                t.Fatal(err)
        }
@@ -1609,7 +1610,7 @@ func TestAutomaticHTTP2_ListenAndServe(t *testing.T) {
 }
 
 func TestAutomaticHTTP2_ListenAndServe_GetCertificate(t *testing.T) {
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                t.Fatal(err)
        }
diff --git a/src/net/http/transport_internal_test.go b/src/net/http/transport_internal_test.go
index 1097ffd1739cc375143533c2ac7be3d7fdb272f3..1cce27235dfdc3ce73c7188c609187d61ebb6bb2 100644 (file)
--- a/src/net/http/transport_internal_test.go
+++ b/src/net/http/transport_internal_test.go
@@ -12,7 +12,7 @@ import (
        "errors"
        "io"
        "net"
-       "net/http/internal"
+       "net/http/internal/testcert"
        "strings"
        "testing"
 )
@@ -191,7 +191,7 @@ func (f roundTripFunc) RoundTrip(r *Request) (*Response, error) {
 
 // Issue 25009
 func TestTransportBodyAltRewind(t *testing.T) {
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                t.Fatal(err)
        }
diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
index dcaacece617504b8f7e6b195c43cc121e9daec47..690e0c299d2b353489dc63c4eaeff58b3f817dbe 100644 (file)
--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
@@ -30,7 +30,7 @@ import (
        "net/http/httptest"
        "net/http/httptrace"
        "net/http/httputil"
-       "net/http/internal"
+       "net/http/internal/testcert"
        "net/textproto"
        "net/url"
        "os"
@@ -4299,7 +4299,7 @@ func TestTransportReuseConnEmptyResponseBody(t *testing.T) {
 
 // Issue 13839
 func TestNoCrashReturningTransportAltConn(t *testing.T) {
-       cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
+       cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
        if err != nil {
                t.Fatal(err)
        }
Go GOST TLS 1.3