Generate TLS certs programmatically

Cargo.lock

@@ -488,6 +488,7 @@ dependencies = [
  "env_logger",
  "libsky",
  "log",
+ "openssl",
  "powershell_script",
  "zip",
 ]

ci/ssl.sh

@@ -1,9 +0,0 @@
-function gen_sub() {
-    local result="${1}"
-    case $OSTYPE in
-        msys|win32) result="//XX=x${result}"
-    esac
-    echo "$result"
-}
-SUB=`gen_sub "/C=US/CN=foo"`
-openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj $SUB -keyout key.pem -out cert.pem

harness/Cargo.toml

@@ -11,3 +11,4 @@ env_logger = "0.9.0"
 log = "0.4.14"
 zip = { version = "0.5.13", features = ["deflate"] }
 powershell_script = "0.3.2"
+openssl = { version = "*", features = ["vendored"] }

harness/src/test.rs

@@ -25,7 +25,20 @@
 */
 
 use crate::{util, HarnessError, HarnessResult};
+use openssl::{
+    asn1::Asn1Time,
+    bn::{BigNum, MsbOption},
+    error::ErrorStack,
+    hash::MessageDigest,
+    pkey::{PKey, Private},
+    rsa::Rsa,
+    x509::{
+        extension::{BasicConstraints, KeyUsage, SubjectKeyIdentifier},
+        X509NameBuilder, X509,
+    },
+};
 use std::fs;
+use std::io::Write;
 use std::process::Child;
 use std::process::Command;
 
@@ -85,14 +98,68 @@ pub fn run_test() -> HarnessResult<()> {
     ret
 }
 
+fn mk_ca_cert() -> Result<(X509, PKey<Private>), ErrorStack> {
+    let rsa = Rsa::generate(2048)?;
+    let key_pair = PKey::from_rsa(rsa)?;
+
+    let mut x509_name = X509NameBuilder::new()?;
+    x509_name.append_entry_by_text("C", "US")?;
+    x509_name.append_entry_by_text("ST", "CA")?;
+    x509_name.append_entry_by_text("O", "Skytable")?;
+    x509_name.append_entry_by_text("CN", "sky-harness")?;
+    let x509_name = x509_name.build();
+
+    let mut cert_builder = X509::builder()?;
+    cert_builder.set_version(2)?;
+    let serial_number = {
+        let mut serial = BigNum::new()?;
+        serial.rand(159, MsbOption::MAYBE_ZERO, false)?;
+        serial.to_asn1_integer()?
+    };
+    cert_builder.set_serial_number(&serial_number)?;
+    cert_builder.set_subject_name(&x509_name)?;
+    cert_builder.set_issuer_name(&x509_name)?;
+    cert_builder.set_pubkey(&key_pair)?;
+    let not_before = Asn1Time::days_from_now(0)?;
+    cert_builder.set_not_before(&not_before)?;
+    let not_after = Asn1Time::days_from_now(365)?;
+    cert_builder.set_not_after(&not_after)?;
+
+    cert_builder.append_extension(BasicConstraints::new().critical().ca().build()?)?;
+    cert_builder.append_extension(
+        KeyUsage::new()
+            .critical()
+            .key_cert_sign()
+            .crl_sign()
+            .build()?,
+    )?;
+
+    let subject_key_identifier =
+        SubjectKeyIdentifier::new().build(&cert_builder.x509v3_context(None, None))?;
+    cert_builder.append_extension(subject_key_identifier)?;
+
+    cert_builder.sign(&key_pair, MessageDigest::sha256())?;
+    let cert = cert_builder.build();
+
+    Ok((cert, key_pair))
+}
+
 pub fn run_test_inner() -> HarnessResult<()> {
     // first create the TLS keys
     info!("Creating TLS key+cert");
-    util::handle_child("generate TLS key+cert", cmd!("bash", "ci/ssl.sh"))?;
-    util::handle_child(
-        "create server1 directory",
-        cmd!("mkdir", "-p", "server1", "server2"),
-    )?;
+    let (cert, pkey) = mk_ca_cert().expect("Failed to create cert");
+    let mut certfile = fs::File::create("cert.pem").expect("failed to create cert.pem");
+    certfile.write_all(&cert.to_pem().unwrap()).unwrap();
+    let mut pkeyfile = fs::File::create("key.pem").expect("failed to create key.pem");
+    pkeyfile
+        .write_all(&pkey.private_key_to_pem_pkcs8().unwrap())
+        .unwrap();
+    fs::create_dir_all("server1").map_err(|e| {
+        HarnessError::Other(format!("Failed to create `server1` dir with error: {e}"))
+    })?;
+    fs::create_dir_all("server2").map_err(|e| {
+        HarnessError::Other(format!("Failed to create `server2` dir with error: {e}"))
+    })?;
 
     // assemble commands
     let mut cmd: Vec<String> = vec!["run".to_string(), "-p".to_string(), "skyd".to_string()];