Move crypto helper functions to internal package.

etcd_client_test.go

@@ -46,6 +46,7 @@ import (
 	"go.uber.org/zap"
 	"go.uber.org/zap/zaptest"
 
+	"github.com/strukturag/nextcloud-spreed-signaling/internal"
 	"github.com/strukturag/nextcloud-spreed-signaling/log"
 )
 
@@ -95,13 +96,13 @@ func NewEtcdForTestWithTls(t *testing.T, withTLS bool) (*embed.Etcd, string, str
 		key, err := rsa.GenerateKey(rand.Reader, 1024)
 		require.NoError(err)
 		keyfile = path.Join(tmpdir, "etcd.key")
-		require.NoError(WritePrivateKey(key, keyfile))
+		require.NoError(internal.WritePrivateKey(key, keyfile))
 		cfg.ClientTLSInfo.KeyFile = keyfile
 		cfg.PeerTLSInfo.KeyFile = keyfile
 
-		cert := GenerateSelfSignedCertificateForTesting(t, 1024, "etcd", key)
+		cert := internal.GenerateSelfSignedCertificateForTesting(t, "etcd", key)
 		certfile = path.Join(tmpdir, "etcd.pem")
-		require.NoError(os.WriteFile(certfile, cert, 0755))
+		require.NoError(internal.WriteCertificate(cert, certfile))
 		cfg.ClientTLSInfo.CertFile = certfile
 		cfg.ClientTLSInfo.TrustedCAFile = certfile
 		cfg.PeerTLSInfo.CertFile = certfile

grpc_client_test.go

@@ -27,7 +27,6 @@ import (
 	"crypto/rsa"
 	"fmt"
 	"net"
-	"os"
 	"path"
 	"testing"
 	"time"
@@ -37,6 +36,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.etcd.io/etcd/server/v3/embed"
 
+	"github.com/strukturag/nextcloud-spreed-signaling/internal"
 	"github.com/strukturag/nextcloud-spreed-signaling/log"
 	"github.com/strukturag/nextcloud-spreed-signaling/test"
 )
@@ -315,22 +315,22 @@ func Test_GrpcClients_Encryption(t *testing.T) { // nolint:paralleltest
 		clientKey, err := rsa.GenerateKey(rand.Reader, 1024)
 		require.NoError(err)
 
-		serverCert := GenerateSelfSignedCertificateForTesting(t, 1024, "Server cert", serverKey)
-		clientCert := GenerateSelfSignedCertificateForTesting(t, 1024, "Testing client", clientKey)
+		serverCert := internal.GenerateSelfSignedCertificateForTesting(t, "Server cert", serverKey)
+		clientCert := internal.GenerateSelfSignedCertificateForTesting(t, "Testing client", clientKey)
 
 		dir := t.TempDir()
 		serverPrivkeyFile := path.Join(dir, "server-privkey.pem")
 		serverPubkeyFile := path.Join(dir, "server-pubkey.pem")
 		serverCertFile := path.Join(dir, "server-cert.pem")
-		WritePrivateKey(serverKey, serverPrivkeyFile)          // nolint
-		WritePublicKey(&serverKey.PublicKey, serverPubkeyFile) // nolint
-		os.WriteFile(serverCertFile, serverCert, 0755)         // nolint
+		require.NoError(internal.WritePrivateKey(serverKey, serverPrivkeyFile))
+		require.NoError(internal.WritePublicKey(&serverKey.PublicKey, serverPubkeyFile))
+		require.NoError(internal.WriteCertificate(serverCert, serverCertFile))
 		clientPrivkeyFile := path.Join(dir, "client-privkey.pem")
 		clientPubkeyFile := path.Join(dir, "client-pubkey.pem")
 		clientCertFile := path.Join(dir, "client-cert.pem")
-		WritePrivateKey(clientKey, clientPrivkeyFile)          // nolint
-		WritePublicKey(&clientKey.PublicKey, clientPubkeyFile) // nolint
-		os.WriteFile(clientCertFile, clientCert, 0755)         // nolint
+		require.NoError(internal.WritePrivateKey(clientKey, clientPrivkeyFile))
+		require.NoError(internal.WritePublicKey(&clientKey.PublicKey, clientPubkeyFile))
+		require.NoError(internal.WriteCertificate(clientCert, clientCertFile))
 
 		serverConfig := goconf.NewConfigFile()
 		serverConfig.AddOption("grpc", "servercertificate", serverCertFile)

grpc_common_test.go

@@ -23,20 +23,7 @@ package signaling
 
 import (
 	"context"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"errors"
-	"io/fs"
-	"math/big"
-	"net"
-	"os"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/require"
 )
 
 func (c *reloadableCredentials) WaitForCertificateReload(ctx context.Context, counter uint64) error {
@@ -54,76 +41,3 @@ func (c *reloadableCredentials) WaitForCertPoolReload(ctx context.Context, count
 
 	return c.pool.WaitForReload(ctx, counter)
 }
-
-func GenerateSelfSignedCertificateForTesting(t *testing.T, bits int, organization string, key *rsa.PrivateKey) []byte {
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{organization},
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
-
-		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageClientAuth,
-			x509.ExtKeyUsageServerAuth,
-		},
-		BasicConstraintsValid: true,
-		DNSNames:              []string{"localhost"},
-		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
-	}
-
-	data, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
-	require.NoError(t, err)
-
-	data = pem.EncodeToMemory(&pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: data,
-	})
-	return data
-}
-
-func WritePrivateKey(key *rsa.PrivateKey, filename string) error {
-	data := pem.EncodeToMemory(&pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
-	})
-
-	return os.WriteFile(filename, data, 0600)
-}
-
-func WritePublicKey(key *rsa.PublicKey, filename string) error {
-	data, err := x509.MarshalPKIXPublicKey(key)
-	if err != nil {
-		return err
-	}
-
-	data = pem.EncodeToMemory(&pem.Block{
-		Type:  "RSA PUBLIC KEY",
-		Bytes: data,
-	})
-
-	return os.WriteFile(filename, data, 0755)
-}
-
-func replaceFile(t *testing.T, filename string, data []byte, perm fs.FileMode) {
-	t.Helper()
-	require := require.New(t)
-	oldStat, err := os.Stat(filename)
-	require.NoError(err, "can't stat old file %s", filename)
-
-	for {
-		require.NoError(os.WriteFile(filename, data, perm), "can't write file %s", filename)
-
-		newStat, err := os.Stat(filename)
-		require.NoError(err, "can't stat new file %s", filename)
-
-		// We need different modification times.
-		if !newStat.ModTime().Equal(oldStat.ModTime()) {
-			break
-		}
-
-		time.Sleep(time.Millisecond)
-	}
-}

grpc_server_test.go

@@ -30,7 +30,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"net"
-	"os"
 	"path"
 	"strconv"
 	"testing"
@@ -42,6 +41,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 
+	"github.com/strukturag/nextcloud-spreed-signaling/internal"
 	"github.com/strukturag/nextcloud-spreed-signaling/log"
 )
 
@@ -107,15 +107,15 @@ func Test_GrpcServer_ReloadCerts(t *testing.T) {
 	require.NoError(err)
 
 	org1 := "Testing certificate"
-	cert1 := GenerateSelfSignedCertificateForTesting(t, 1024, org1, key)
+	cert1 := internal.GenerateSelfSignedCertificateForTesting(t, org1, key)
 
 	dir := t.TempDir()
 	privkeyFile := path.Join(dir, "privkey.pem")
 	pubkeyFile := path.Join(dir, "pubkey.pem")
 	certFile := path.Join(dir, "cert.pem")
-	WritePrivateKey(key, privkeyFile)          // nolint
-	WritePublicKey(&key.PublicKey, pubkeyFile) // nolint
-	os.WriteFile(certFile, cert1, 0755)        // nolint
+	require.NoError(internal.WritePrivateKey(key, privkeyFile))
+	require.NoError(internal.WritePublicKey(&key.PublicKey, pubkeyFile))
+	require.NoError(internal.WriteCertificate(cert1, certFile))
 
 	config := goconf.NewConfigFile()
 	config.AddOption("grpc", "servercertificate", certFile)
@@ -124,9 +124,7 @@ func Test_GrpcServer_ReloadCerts(t *testing.T) {
 	server, addr := NewGrpcServerForTestWithConfig(t, config)
 
 	cp1 := x509.NewCertPool()
-	if !cp1.AppendCertsFromPEM(cert1) {
-		require.Fail("could not add certificate")
-	}
+	cp1.AddCert(cert1)
 
 	cfg1 := &tls.Config{
 		RootCAs: cp1,
@@ -142,8 +140,8 @@ func Test_GrpcServer_ReloadCerts(t *testing.T) {
 	}
 
 	org2 := "Updated certificate"
-	cert2 := GenerateSelfSignedCertificateForTesting(t, 1024, org2, key)
-	replaceFile(t, certFile, cert2, 0755)
+	cert2 := internal.GenerateSelfSignedCertificateForTesting(t, org2, key)
+	internal.ReplaceCertificate(t, certFile, cert2)
 
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
 	defer cancel()
@@ -151,9 +149,7 @@ func Test_GrpcServer_ReloadCerts(t *testing.T) {
 	require.NoError(server.WaitForCertificateReload(ctx, 0))
 
 	cp2 := x509.NewCertPool()
-	if !cp2.AppendCertsFromPEM(cert2) {
-		require.Fail("could not add certificate")
-	}
+	cp2.AddCert(cert2)
 
 	cfg2 := &tls.Config{
 		RootCAs: cp2,
@@ -178,19 +174,19 @@ func Test_GrpcServer_ReloadCA(t *testing.T) {
 	clientKey, err := rsa.GenerateKey(rand.Reader, 1024)
 	require.NoError(err)
 
-	serverCert := GenerateSelfSignedCertificateForTesting(t, 1024, "Server cert", serverKey)
+	serverCert := internal.GenerateSelfSignedCertificateForTesting(t, "Server cert", serverKey)
 	org1 := "Testing client"
-	clientCert1 := GenerateSelfSignedCertificateForTesting(t, 1024, org1, clientKey)
+	clientCert1 := internal.GenerateSelfSignedCertificateForTesting(t, org1, clientKey)
 
 	dir := t.TempDir()
 	privkeyFile := path.Join(dir, "privkey.pem")
 	pubkeyFile := path.Join(dir, "pubkey.pem")
 	certFile := path.Join(dir, "cert.pem")
 	caFile := path.Join(dir, "ca.pem")
-	WritePrivateKey(serverKey, privkeyFile)          // nolint
-	WritePublicKey(&serverKey.PublicKey, pubkeyFile) // nolint
-	os.WriteFile(certFile, serverCert, 0755)         // nolint
-	os.WriteFile(caFile, clientCert1, 0755)          // nolint
+	require.NoError(internal.WritePrivateKey(serverKey, privkeyFile))
+	require.NoError(internal.WritePublicKey(&serverKey.PublicKey, pubkeyFile))
+	require.NoError(internal.WriteCertificate(serverCert, certFile))
+	require.NoError(internal.WriteCertificate(clientCert1, caFile))
 
 	config := goconf.NewConfigFile()
 	config.AddOption("grpc", "servercertificate", certFile)
@@ -200,11 +196,12 @@ func Test_GrpcServer_ReloadCA(t *testing.T) {
 	server, addr := NewGrpcServerForTestWithConfig(t, config)
 
 	pool := x509.NewCertPool()
-	if !pool.AppendCertsFromPEM(serverCert) {
-		require.Fail("could not add certificate")
-	}
+	pool.AddCert(serverCert)
 
-	pair1, err := tls.X509KeyPair(clientCert1, pem.EncodeToMemory(&pem.Block{
+	pair1, err := tls.X509KeyPair(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientCert1.Raw,
+	}), pem.EncodeToMemory(&pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(clientKey),
 	}))
@@ -225,12 +222,15 @@ func Test_GrpcServer_ReloadCA(t *testing.T) {
 	require.NoError(err)
 
 	org2 := "Updated client"
-	clientCert2 := GenerateSelfSignedCertificateForTesting(t, 1024, org2, clientKey)
-	replaceFile(t, caFile, clientCert2, 0755)
+	clientCert2 := internal.GenerateSelfSignedCertificateForTesting(t, org2, clientKey)
+	internal.ReplaceCertificate(t, caFile, clientCert2)
 
 	require.NoError(server.WaitForCertPoolReload(ctx1, 0))
 
-	pair2, err := tls.X509KeyPair(clientCert2, pem.EncodeToMemory(&pem.Block{
+	pair2, err := tls.X509KeyPair(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: clientCert2.Raw,
+	}), pem.EncodeToMemory(&pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(clientKey),
 	}))

internal/crypto_helpers.go

@@ -0,0 +1,124 @@
+/**
+ * Standalone signaling server for the Nextcloud Spreed app.
+ * Copyright (C) 2025 struktur AG
+ *
+ * @author Joachim Bauch <bauch@struktur.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package internal
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func GenerateSelfSignedCertificateForTesting(t *testing.T, organization string, key *rsa.PrivateKey) *x509.Certificate {
+	t.Helper()
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{organization},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 180),
+
+		KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		BasicConstraintsValid: true,
+		DNSNames:              []string{"localhost"},
+		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
+	}
+
+	data, err := x509.CreateCertificate(rand.Reader, &template, &template, &key.PublicKey, key)
+	require.NoError(t, err)
+
+	cert, err := x509.ParseCertificate(data)
+	require.NoError(t, err)
+
+	return cert
+}
+
+func WritePrivateKey(key *rsa.PrivateKey, filename string) error {
+	data := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
+
+	return os.WriteFile(filename, data, 0600)
+}
+
+func WritePublicKey(key *rsa.PublicKey, filename string) error {
+	data, err := x509.MarshalPKIXPublicKey(key)
+	if err != nil {
+		return err
+	}
+
+	data = pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PUBLIC KEY",
+		Bytes: data,
+	})
+
+	return os.WriteFile(filename, data, 0755)
+}
+
+func WriteCertificate(cert *x509.Certificate, filename string) error {
+	data := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	})
+
+	return os.WriteFile(filename, data, 0755)
+}
+
+func ReplaceCertificate(t *testing.T, filename string, cert *x509.Certificate) {
+	t.Helper()
+	require := require.New(t)
+	oldStat, err := os.Stat(filename)
+	require.NoError(err, "can't stat old file %s", filename)
+
+	data := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	})
+
+	for {
+		require.NoError(os.WriteFile(filename, data, 0755), "can't write file %s", filename)
+
+		newStat, err := os.Stat(filename)
+		require.NoError(err, "can't stat new file %s", filename)
+
+		// We need different modification times.
+		if !newStat.ModTime().Equal(oldStat.ModTime()) {
+			break
+		}
+
+		time.Sleep(time.Millisecond)
+	}
+}

internal/crypto_helpers_test.go

@@ -0,0 +1,119 @@
+/**
+ * Standalone signaling server for the Nextcloud Spreed app.
+ * Copyright (C) 2025 struktur AG
+ *
+ * @author Joachim Bauch <bauch@struktur.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package internal
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGenerateSelfSignedCertificateForTesting(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+	assert := assert.New(t)
+
+	bits := 1024
+	key, err := rsa.GenerateKey(rand.Reader, bits)
+	require.NoError(err)
+	cert := GenerateSelfSignedCertificateForTesting(t, "Testing", key)
+	require.NotNil(cert)
+
+	if assert.Len(cert.Subject.Organization, 1) {
+		assert.Equal("Testing", cert.Subject.Organization[0])
+	}
+	if assert.Len(cert.DNSNames, 1) {
+		assert.Equal("localhost", cert.DNSNames[0])
+	}
+	if assert.Len(cert.IPAddresses, 1) {
+		assert.Equal("127.0.0.1", cert.IPAddresses[0].String())
+	}
+	if assert.IsType(&rsa.PublicKey{}, cert.PublicKey) {
+		pkey := cert.PublicKey.(*rsa.PublicKey)
+		assert.Equal(bits/8, pkey.Size())
+	}
+}
+
+func TestWriteKeys(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+	assert := assert.New(t)
+
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
+	require.NoError(err)
+
+	dir := t.TempDir()
+	privateFilename := path.Join(dir, "testing.key")
+	if assert.NoError(WritePrivateKey(key, privateFilename)) {
+		if data, err := os.ReadFile(privateFilename); assert.NoError(err) {
+			if block, rest := pem.Decode(data); assert.Equal("RSA PRIVATE KEY", block.Type) && assert.Empty(rest) {
+				if parsed, err := x509.ParsePKCS1PrivateKey(block.Bytes); assert.NoError(err) {
+					assert.True(key.Equal(parsed), "keys should be equal")
+				}
+			}
+		}
+	}
+
+	publicFilename := path.Join(dir, "testing.pem")
+	if assert.NoError(WritePublicKey(&key.PublicKey, publicFilename)) {
+		if data, err := os.ReadFile(publicFilename); assert.NoError(err) {
+			if block, rest := pem.Decode(data); assert.Equal("RSA PUBLIC KEY", block.Type) && assert.Empty(rest) {
+				if parsed, err := x509.ParsePKIXPublicKey(block.Bytes); assert.NoError(err) {
+					assert.True(key.PublicKey.Equal(parsed), "keys should be equal")
+				}
+			}
+		}
+	}
+}
+
+func TestReplaceCertificate(t *testing.T) {
+	t.Parallel()
+	require := require.New(t)
+	assert := assert.New(t)
+
+	bits := 1024
+	key, err := rsa.GenerateKey(rand.Reader, bits)
+	require.NoError(err)
+	cert1 := GenerateSelfSignedCertificateForTesting(t, "Testing", key)
+	require.NotNil(cert1)
+
+	dir := t.TempDir()
+	filename := path.Join(dir, "testing.crt")
+	require.NoError(WriteCertificate(cert1, filename))
+	stat1, err := os.Stat(filename)
+	require.NoError(err)
+
+	cert2 := GenerateSelfSignedCertificateForTesting(t, "Testing", key)
+	require.NotNil(cert2)
+	ReplaceCertificate(t, filename, cert2)
+	stat2, err := os.Stat(filename)
+	require.NoError(err)
+
+	assert.NotEqual(stat1.ModTime(), stat2.ModTime())
+}

mcu_proxy_test.go

@@ -49,6 +49,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.etcd.io/etcd/server/v3/embed"
 
+	"github.com/strukturag/nextcloud-spreed-signaling/internal"
 	"github.com/strukturag/nextcloud-spreed-signaling/log"
 )
 
@@ -860,8 +861,8 @@ func newMcuProxyForTestWithOptions(t *testing.T, options proxyTestOptions, idx i
 	dir := t.TempDir()
 	privkeyFile := path.Join(dir, "privkey.pem")
 	pubkeyFile := path.Join(dir, "pubkey.pem")
-	WritePrivateKey(tokenKey, privkeyFile)          // nolint
-	WritePublicKey(&tokenKey.PublicKey, pubkeyFile) // nolint
+	require.NoError(internal.WritePrivateKey(tokenKey, privkeyFile))
+	require.NoError(internal.WritePublicKey(&tokenKey.PublicKey, pubkeyFile))
 
 	cfg := goconf.NewConfigFile()
 	cfg.AddOption("mcu", "urltype", "static")