Fix testbench mTLS tests.

- Update `gen_certs.sh` - Generate client cert as well by default - Set expiration to 10 years to match other certs - Set subject to match expected values in testbench test - Update testbench `mtls` to ignore key hash value, and only check issuer and subject.
2026-02-06 10:48:05 +00:00 · 2025-05-04 03:05:17 -05:00 · 2025-05-04 03:05:17 -05:00 · 86ae40d61b
commit 86ae40d61b
parent a607ede4df
3 changed files with 60 additions and 59 deletions
--- a/examples/tls/private/client.pem
+++ b/examples/tls/private/client.pem
@ -1,58 +1,58 @@
 -----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjle13u/R/0+zw
-eycXhdF7ZNYQfqXfkMpw9GlerbqRrxSLEc/YXXBuIO5AZKkXYeP8iM9KbSBD4p8F
-wZD7LL47601c5WwWpNfOravCaSjYgvaYyhnoNzmG8NYaVYKB9kup6lOyQmesNXEK
-NGNSrKpsoaQ7jBk+l+VV1jNBjMhNVWuz4AdFMsVD09QyL1GvQ0OvT/BbUKypaFFw
-YcHruYvHuKGnrlXkvw05aZmKtKiSE6UQoDKtZWfV8yV2M6Sr75i9GKaGMyUZIl88
-MxVLGcGwO6To2wNFKfLkHLOGIWrKA7m/Bb2n1k2OT+6iOnDzU62BoAzG/j8dhNPL
-mZ6a7cZfAgMBAAECggEANwiZe06gUuDZNY44+JDsiLbDzYjOBQiREq8nQ9LukVR1
-dNPpOME2sdYiUUeMG3GzYaIlGsTbtfrnxOf5/oZu+XmP7VDBrFyIvd9viVgXhb+J
-dp2HWbg6gktDvFhIL7DMg71xqubsOeNAxE4bnBS6wREgT2gylfxECzykwci7Gki4
-AkeihvaxqdHk9WP8dtFOuCYhX5pyKd9veS1/L01dVMpoFrq72PHupplKYb3HIo+v
-ga02DhNVcH3fomEbXzazC64k2h5Vz+8mgpu5/V1thKiB2izOwt/hv4tkf2iDNz43
-xdSYUEFsk80M97VI1dM1+TBe/JO0auZvKLkuOWUjAQKBgQDlBMr+d+guajgQ863I
-uEFK4veEXrD51L6AKT+cqFUi894fhOodnnmK8l3JBKzO0zjgsaez8exKZPRN8An8
-4MejM+hMYciJsP7uDpPkhlI5zHd9CR7EFPWXXpt4PecQLvBbnJ/lDnWCrE4m5Zhs
-9OR7izLMBAmaiPlTNAaXj22iqwKBgQC226wzXGr//lnTggZX+u9UdkZKewAYlgnB
-Ywj3+JB6Q/kDDS8C6fdlAvWyHShxtO3gx2pJSI3hk7J8fZu/kbojlLF16ayO+tgg
-t3EoTZxN5zncygPaULstdKHhnMp8a4AO8lLrHtackFbbX7fuUJft0w457FpARvM8
-DONjWI8LHQKBgBBY5TyAxpv5jQL4weDf9hkoVk6mi69plieDyjyeb2VNTv+k9yki
-FL7sSfF9WfBxd0/innvjuuAckKu3hJ7+VIG7xMse97eMYMYRWFEpnVju1WChdAa/
-EEC7yhEtKf8nupRve6JYA99N+U4heV3dpSmEaB3T8/OJ73IW9pl+7W59AoGADxM/
-OCDHZYF3sFtI4Jn8fy8dDmjjkiNUfJAInkDs0FeoQNsmZAwb7ET5Moz615z9+4kV
-NyN3JwDBN0g3vexqtyI8Gyd/pW4CwXe+KX90gmustoolFSuQsueprOr7OpS2QwUx
-Vtb9BH1V29IhXNFiJSZARwA4VJJE3U+Gs5sKd/UCgYEAoCPE3gVaa89nOqQtalhT
-9SISOGQxxMknjNFrEuF3UaGuR0cxDRLX6lSEneAATEpho0QB2Fj4vO8PiyYOGvH+
-5ouJD97rcU77OOixlLFt4+TAWI9AvT0mN7y+SHJ22RkwWGQyF4TIfkg0tQvu36D+
-35W26Li1WteB2O4wV9qVReA=
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCu68//dEJZTfUb
+g6lKo0AkcjWevKMtZVpO6YnBCQ+7J0d1U0p7OCN+bisCx0nXvzDO6VxDgWEcnG44
+IR03qYVihq+C1r/96I+6chKIqK0LI2WhXvJ/sXnzz1feFyBYoz/oSM6QndcjUV83
+R8nzp1+eefuTDjuhcCddAk8fU5fJ9OLd7B2sKit8ZLHdHwqlZSWU32sS12xEjP//
+TjazNzP137KVa/KKVvRu2xYlRWHRmR1zY8trSy1795GIdv7198nF2i+0oS4k0PrF
+LzIUYgr1fCZr3QYjLK7mErSpkXUk5FoEhApmWo9iGLOOWv3HUSC8yCgdcIcauK8N
+zTqz2iORAgMBAAECggEAEeG3d1+U3M5Jt/tYq3GkQAA7l7OkYXf9UxiFZZTIj+hZ
+t2vBWcwJDNwJoj9p6W1OebMveb3YhfU+lexaBp5aLWf5ZJW8NiJidxFBmx4rOnqZ
+jB/0XbYbR8pdgC27DR9QjC134x7PpyOivo2kiTewtbcLTyLjA64/HT9RhAamphWA
+aGNex/imFfrWObHg9BNTtfMDekfsOwHOIgbWS/TvdJaVbUzOphZZLmM3mOG/VROG
+BIlDS7mfIO1/YHCE88vfRD3iuiGe3H86Tb6qZL+3xNNAzXIu/UqpLz+FGc9TMJRK
+FZ/u0beD1U6Ij9/BZ6XO3UF7tN84UqhudZ2rnlG35QKBgQDeg4f6lNpTOKRgrVYx
+sLZN5HANWe9I5n8z+TZcv2/pPtQY1A9ZDPM7s0b+Zys089k4f5qXNew0u/JTpin8
+h2MYNvNxXt/fCMxw7PBTkXB1JW+Qofz9k04NRXvMXEtGA3VR+vQcUwdEa9t9dWjD
+rM1k5vp2tSIgqJujZmqtqQdpJwKBgQDJPr9qlVCbWGNXn70HPl5G2MVPvRT6aHVo
+Hx9XUTU4spyCIfmsckh0S2BODJZAHlTZctOKPz7KfnPC6T8V9Vgwzwnv18X71+9w
+4Z8D4OznWL3FNP5RaXSkR7JkpyE79drjVS5MCWC1k7Rr5T9dMPLu6GyjjH6nLfrr
+MsKuNa7QhwKBgBoP1dFntdqhe79HDh1r0S52XxlxOzGSrbtsqQ1b7sOm9DikPdf0
+SFjpupr5gnoFRZ/0cirbyfqzOMLLZ4eIY/bmGMVik14QLcHcPpnLIxzVcafDEVqx
+8iZjyQg6lyZwKUGc3xKiNuuwplifc9HXX4c99oAI3yJsHS6aRExqy89pAoGACbTe
+FKz5A1UjDYHl4yiN8YrZEXyEO4O4TfpaT6LaF07+H4S1/yxP9FQCZCFVSehsnURd
+kah1Rd0NhlQrt8pqo4gI6amVog0LPn2TZuN9abctCAsDTTfx6U6P+yzYfITiNt7P
+6dj18iwaoq2e/cazoPRS8RyAq12bYabEHxT1xpcCgYAIEOqYHdawRk7nexDRiHcc
+8kDIofYXJRXzdjfWH+j1j5/Dk3Ssuiz+/mIZU3PeLwC/p8PS0MmuPe10fC7bHM43
+kI6rdzMEyM586eIEQGJoZmHanK6Ox27qTXoOtX0mpc7DfRVainH70Jseaz7WddNU
+wOWmTtGwe4WcO7Ky1RB/oQ==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
-MIIEwDCCAqigAwIBAgIUay5Z8sVQUkSTFpacn6o4iq2ElGowDQYJKoZIhvcNAQEL
+MIIEwDCCAqigAwIBAgIUedqTn+lWoKa2Ns1KDFXAG15/uYYwDQYJKoZIhvcNAQEL
 BQAwRzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRIwEAYDVQQKDAlSb2NrZXQg
-Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI0MDQxNDA4MTU0MVoXDTI1
-MDQxNDA4MTU0MVowgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
+Q0ExFzAVBgNVBAMMDlJvY2tldCBSb290IENBMB4XDTI1MDUwNDA4MDQwNFoXDTM1
+MDUwMjA4MDQwNFowgY4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
 MRcwFQYDVQQHDA5TaWxpY29uIFZhbGxleTEPMA0GA1UECgwGUm9ja2V0MRswGQYD
 VQQDDBJSb2NrZXQgVExTIEV4YW1wbGUxIzAhBgkqhkiG9w0BCQEWFGV4YW1wbGVA
-cm9ja2V0LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo5Xt
-d7v0f9Ps8HsnF4XRe2TWEH6l35DKcPRpXq26ka8UixHP2F1wbiDuQGSpF2Hj/IjP
-Sm0gQ+KfBcGQ+yy+O+tNXOVsFqTXzq2rwmko2IL2mMoZ6Dc5hvDWGlWCgfZLqepT
-skJnrDVxCjRjUqyqbKGkO4wZPpflVdYzQYzITVVrs+AHRTLFQ9PUMi9Rr0NDr0/w
-W1CsqWhRcGHB67mLx7ihp65V5L8NOWmZirSokhOlEKAyrWVn1fMldjOkq++YvRim
-hjMlGSJfPDMVSxnBsDuk6NsDRSny5ByzhiFqygO5vwW9p9ZNjk/uojpw81OtgaAM
-xv4/HYTTy5memu3GXwIDAQABo1wwWjAYBgNVHREEETAPgg1ETlM6bG9jYWxob3N0
-MB0GA1UdDgQWBBSowDBXM26C7VogwXNB1F0vLpYO7DAfBgNVHSMEGDAWgBREAyUj
-0lTwopZ2B1VmnvMPfUtCkzANBgkqhkiG9w0BAQsFAAOCAgEAbjF11+t8qVEF72ey
-19p1sRkG9ygb0gE2UpLzVpPilucioIOwQuT4rvsVYZQxK+smQZURDI4uNXODIeoS
-r3maL82VryLSYbkQADyShYjF0uCX8AfCI0YtOKOschNZDcZEJ5mUpHjJE0lEZnkO
-x8ZVXwWf4pv1/8DZoCkMN3gDHwhQGPtrls4q7O38rI7zK9DNrzu7R1ZdGjQSDasL
-6DqHee90O2ejpELUxO6lRl2EUosfklRvjV7hfrDHlpN9EuweXt0JiaKw3WZzHSLa
-dKS8wtTMq5aWzOWrew1ZEhRr+B3KS6BSC5o9xSQMfcDyS0KJcIJI9bNh3nElWFhM
-IBVtGxM/EYAwNJ++jLD10WHvaqW0epMV2cUu+dGJX+TPuI0c/wNehisS4ahvR64m
-UpjAwNUBlYpR/Gb15/i2fVk2BbUyU3AcpZfWFDopQ8UqC8ALVcNjbNHq+yVkuTpj
-gn5iiTTcTqb6qNfie4oDX4KR6ZgpNiTl/PWZo58qxSwdGiJwrINACkPJ6Qg6Qrpd
-hp3CanTWjioHfvTSdiubqw5/XRnqa2Iav0Sttc6TPnTimodmtWkaYA8mvjS+jq8N
-f9l2UYQz8yLabMkn98BM+gRJYwrVt6sCbVuEaHgPwq/qX9mQFhUrfw3iEPKlmezt
-T3AhgPhybUpMFpu+4Tp8JE2JlKQ=
+cm9ja2V0LmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAruvP
+/3RCWU31G4OpSqNAJHI1nryjLWVaTumJwQkPuydHdVNKezgjfm4rAsdJ178wzulc
+Q4FhHJxuOCEdN6mFYoavgta//eiPunISiKitCyNloV7yf7F5889X3hcgWKM/6EjO
+kJ3XI1FfN0fJ86dfnnn7kw47oXAnXQJPH1OXyfTi3ewdrCorfGSx3R8KpWUllN9r
+EtdsRIz//042szcz9d+ylWvyilb0btsWJUVh0Zkdc2PLa0ste/eRiHb+9ffJxdov
+tKEuJND6xS8yFGIK9Xwma90GIyyu5hK0qZF1JORaBIQKZlqPYhizjlr9x1EgvMgo
+HXCHGrivDc06s9ojkQIDAQABo1wwWjAYBgNVHREEETAPgg1ETlM6bG9jYWxob3N0
+MB0GA1UdDgQWBBRfHH7YEW3/jj2tvNsdcEU7hB3SlDAfBgNVHSMEGDAWgBREAyUj
+0lTwopZ2B1VmnvMPfUtCkzANBgkqhkiG9w0BAQsFAAOCAgEAOTOF2u58WDp1kPKP
+mTcjeVBunpu1qWmditSlu9+YNPmKwv22Lcwg9dMPh1o8bH80wdtmrGH0Yi857M9D
+eosieaKHNN7WUU9DRqENJutknFxZ2hd1L3GOqADJujL43BDgOWL8b3ffmfP0f7b1
+5OsFmQALNWMlI5ThpK6naor7aWjXshCVVfjrDFfAouEyr6gLgKVpYyi4cQX7MCH2
+RfDgbksKy5OmqhI2374DEQgxlqadnnc+HTx2zKmLErUSvuE1K1CmKgwrZDyueTPh
+aDKBNZrWh7t7okrcbyWFMmqaZtpMWMSvldvihIXv10v9LuRuHMd+QoNvfigrJofd
+zEtk0+ZXx9DMSN5djhfyvxhapGGel68Kjt/XPamcx4pTzzxyKvoNLooEfV/WZnp7
+2n6MlNBcjmi0EBX8Xr7cbviBSXADAAGxnwFoLMUB/hK6oWdv5lkWPojzM7/E0cyW
+cjIkF54wM/mXsxoHRqNFKo5pdjZYvoonguYADTU9+EsfM7Amp06Xqm/YR79L5yCa
+GbRW0b4sUaYXGusTOuXpVqBfRxO7NG8J4r1OP9l3RP8tqwP+1JuDfyKyhD5yNmYl
+OJFfHxS8udBM3ZbrzrfaT4/1T66prRC4QeufkjP6Zhj+l88rxgdg3KEN3VOjJ1IB
+J3ig0HbpD/ETWVT21vrqhHXJXWg=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIFbzCCA1egAwIBAgIURX345HUrWikAysSTFd8xoV5GSIYwDQYJKoZIhvcNAQEL
--- a/examples/tls/private/gen_certs.sh
+++ b/examples/tls/private/gen_certs.sh
@ -138,8 +138,8 @@ function gen_ecdsa_nistp521_sha512() {
 }

 function gen_client_cert() {
-    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
-    openssl x509 -req -extfile <(printf "subjectAltName=DNS:${ALT}") -days 365 \
+  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/C=US/ST=California/L=Silicon Valley/O=Rocket/CN=Rocket TLS Example/emailAddress=example@rocket.local"
+  openssl x509 -req -extfile <(printf "subjectAltName=DNS:${ALT}") -days 3650 \
    -in client.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
    -out client.crt

@ -160,5 +160,6 @@ case $1 in
    gen_ecdsa_nistp256_sha256
    gen_ecdsa_nistp384_sha384
    gen_ecdsa_nistp521_sha512
+    gen_client_cert
    ;;
 esac
--- a/testbench/src/servers/mtls.rs
+++ b/testbench/src/servers/mtls.rs
@ -28,10 +28,10 @@ fn test_mtls(mandatory: bool) -> Result<()> {
        .identity(reqwest::Identity::from_pem(&pem)?)
        .try_into()?;

-    let response = client.get(&server, "/")?.send()?;
-    assert_eq!(response.text()?,
-        "611895682361338926795452113263857440769284805738:2\
-            [C=US, ST=CA, O=Rocket CA, CN=Rocket Root CA] \
+    let response = client.get(&server, "/")?.send()?.text()?;
+    let (_key_hash, subject) = response.split_once(":2").unwrap();
+    assert_eq!(subject,
+        "[C=US, ST=CA, O=Rocket CA, CN=Rocket Root CA] \
            C=US, ST=California, L=Silicon Valley, O=Rocket, \
            CN=Rocket TLS Example, Email=example@rocket.local");