prober: speed up TestCRL ~450x by baking in some test keys

Fixes #16290 Updates tailscale/corp#28679 Change-Id: Ic90129b686779d0ed1cb40acf187cfcbdd39eb83 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-07-12 16:48:40 +00:00 · 2025-06-16 18:18:36 -07:00 · 2025-06-16 18:18:36 -07:00 · 42f71e959d
commit 42f71e959d
parent d7770d2b81
1 changed files with 53 additions and 12 deletions
--- a/prober/tls_test.go
+++ b/prober/tls_test.go
@ -6,6 +6,7 @@ package prober
 import (
 	"bytes"
 	"context"
 	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
@ -140,16 +141,60 @@ func (s *CRLServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Write(s.crlBytes)
 }
 // someECDSAKey{1,2,3} are different EC private keys in PEM format
 // as generated by:
 //
 //	openssl ecparam -name prime256v1 -genkey -noout -out -
 //
 // They're used in tests to avoid burning CPU at test time to just
 // to make some arbitrary test keys.
 const (
 	someECDSAKey1 = `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIDKggO47Si0/JgqF0q9m0HfQ92lbERWsBaKS5YihtuheoAoGCCqGSM49
 AwEHoUQDQgAE/JtNZkfFmAGQJHW5Xgz0Eoyi9MKVxl77sXjIFDMX233QDIWPEM/B
 vmNMvdFkuYBjwbq6H+SNf1NXRNladEGU/Q==
 -----END EC PRIVATE KEY-----
 `
 	someECDSAKey2 = `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIPIJhRf4MpzLil1ZKcRqMx+jPeJXw96KtYYzV2AcgBzgoAoGCCqGSM49
 AwEHoUQDQgAEhA9CSWFmUvdvXMzyt+as+6f+0luydHU1x/gEksVByYIgYxahaGts
 xbSKj6F2WgAN/ok1gFLqhH3UWMNVthM1wA==
 -----END EC PRIVATE KEY-----
 `
 	someECDSAKey3 = `
 -----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIKgZ1OJjK2St9O0i52N1K+IgSiu2/NSMk9Yt2+kDMHd7oAoGCCqGSM49
 AwEHoUQDQgAExFp80etkjy/AEUtSgJjXRA39jTU7eiEmCGRREewFQhwcEscBEfrg
 6NN31r9YlEs+hZ8gXE1L3Deu6jn5jW3pig==
 -----END EC PRIVATE KEY-----
 `
 )
 // parseECKey parses an EC private key from a PEM-encoded string.
 func parseECKey(t *testing.T, pemPriv string) *ecdsa.PrivateKey {
 	t.Helper()
 	block, _ := pem.Decode([]byte(pemPriv))
 	if block == nil {
 		t.Fatal("failed to decode PEM")
 	}
 	key, err := x509.ParseECPrivateKey(block.Bytes)
 	if err != nil {
 		t.Fatalf("failed to parse EC key: %v", err)
 	}
 	return key
 }
 func TestCRL(t *testing.T) {
 	// Generate CA key and self-signed CA cert
-	caKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	caKey := parseECKey(t, someECDSAKey1)
-	if err != nil {
+
 		t.Fatal(err)
 	}
 	caTpl := issuerCertTpl
 	caTpl.BasicConstraintsValid = true
 	caTpl.IsCA = true
 	caTpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
 	caTpl.SignatureAlgorithm = x509.ECDSAWithSHA256
 	caBytes, err := x509.CreateCertificate(rand.Reader, &caTpl, &caTpl, &caKey.PublicKey, caKey)
 	if err != nil {
 		t.Fatal(err)
@ -162,11 +207,9 @@ func TestCRL(t *testing.T) {
 	// Issue a leaf cert signed by the CA
 	leaf := leafCert
 	leaf.SerialNumber = big.NewInt(20001)
 	leaf.SignatureAlgorithm = x509.ECDSAWithSHA256
 	leaf.Issuer = caCert.Subject
-	leafKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	leafKey := parseECKey(t, someECDSAKey2)
 	if err != nil {
 		t.Fatal(err)
 	}
 	leafBytes, err := x509.CreateCertificate(rand.Reader, &leaf, caCert, &leafKey.PublicKey, caKey)
 	if err != nil {
 		t.Fatal(err)
@ -182,10 +225,8 @@ func TestCRL(t *testing.T) {
 	noCRLCert.CRLDistributionPoints = []string{}
 	noCRLCert.NotBefore = time.Unix(letsEncryptStartedStaplingCRL, 0).Add(-48 * time.Hour)
 	noCRLCert.Issuer = caCert.Subject
-	noCRLCertKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	noCRLCert.SignatureAlgorithm = x509.ECDSAWithSHA256
-	if err != nil {
+	noCRLCertKey := parseECKey(t, someECDSAKey3)
 		t.Fatal(err)
 	}
 	noCRLStapledBytes, err := x509.CreateCertificate(rand.Reader, &noCRLCert, caCert, &noCRLCertKey.PublicKey, caKey)
 	if err != nil {
 		t.Fatal(err)