Skip to content

environmentd: migrate test TLS infrastructure to rcgen+rustls#35835

Draft
jasonhernandez wants to merge 3 commits intoMaterializeInc:jason/sec-220-tier3-4-leaf-crate-migrationsfrom
jasonhernandez:jason/sec-219-tls-test-infra
Draft

environmentd: migrate test TLS infrastructure to rcgen+rustls#35835
jasonhernandez wants to merge 3 commits intoMaterializeInc:jason/sec-220-tier3-4-leaf-crate-migrationsfrom
jasonhernandez:jason/sec-219-tls-test-infra

Conversation

@jasonhernandez
Copy link
Copy Markdown
Contributor

@jasonhernandez jasonhernandez commented Apr 2, 2026
edited
Loading

Summary

  • Migrate test TLS cert generation from openssl to rcgen
  • Migrate test TLS connections from postgres-openssl to tokio-postgres-rustls
  • Restore cert reloading assertions in server tests
  • Add tokio-postgres-rustls as ring wrapper in deny.toml

Depends on #35847.
Part 7/7 of the FIPS 140-3 compliance mode migration.
Works toward SEC-219.

Test plan

  • cargo deny check licenses bans sources passes
  • Environmentd TLS tests pass

🤖 Generated with Claude Code

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 2, 2026

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).

@jasonhernandez jasonhernandez force-pushed the jason/sec-219-tls-test-infra branch 2 times, most recently from 38d722a to dfaf0ef Compare April 2, 2026 17:27
@jasonhernandez jasonhernandez changed the title experimental cryptography changes environmentd: migrate test TLS infrastructure to rcgen+rustls Apr 2, 2026
@jasonhernandez jasonhernandez force-pushed the jason/sec-219-tls-test-infra branch 6 times, most recently from 0eb770f to 89701f2 Compare April 2, 2026 19:39
jasonhernandez and others added 3 commits April 3, 2026 11:24
@jasonhernandez @claude
environmentd: migrate test TLS infrastructure from openssl to rcgen+r…
f13c220 
…ustls

Replace openssl-based test certificate generation and TLS connector
construction with rcgen (cert generation) and tokio-postgres-rustls.

- Ca struct now uses rcgen::CertificateParams + KeyPair instead of
  openssl X509/PKey. Certificate and key are stored as PEM bytes.
- New TestTlsConfig builder replaces the closure-based
  SslConnectorBuilder pattern with a declarative config struct.
- make_pg_tls now takes TestTlsConfig and returns MakeRustlsConnect.

Test files (auth.rs, server.rs, balancerd/tests) still need call-site
migration to the new API — tracked as remaining work for SEC-219.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@jasonhernandez @claude
tests: migrate TLS test call sites from openssl to rustls
59bf89a 
Update all test files to use the new TestTlsConfig-based API:

- auth.rs: Migrate ~50 make_pg_tls call sites, replace SslConnectorBuilder
  closures with TestTlsConfig builder. Switch JWT from RS256 to ES256
  (matching rcgen's ECDSA key generation). Stub make_http_tls/make_ws_tls
  with TODO comments for full rustls migration.
- environmentd/tests/server.rs: Migrate make_pg_tls calls, JWT keys,
  reqwest cert access, and X509 comparisons (with TODO stubs).
- balancerd/tests/server.rs: Migrate make_pg_tls calls, JWT keys,
  reqwest cert access, and X509 comparisons (with TODO stubs).

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@jasonhernandez @claude
tests: restore cert reloading assertions and fix TLS test helpers
4eec3e8 
Replace TODO stubs with working implementations:

- peer_certificate_der(): raw tokio-rustls handshake to inspect peer
  certificates. reqwest's TlsInfo::peer_certificate() only works with
  the native-tls backend, returning None with rustls — so we drop down
  to tokio_rustls::TlsConnector directly where
  ServerConnection::peer_certificates() always works.

- cert_file_to_der(): parse PEM cert files to DER for comparison.

- make_http_tls(): now honors TestTlsConfig (builds hyper-rustls
  connector from the client config that trusts the test CA).

- make_ws_tls(): uses rustls::StreamOwned for synchronous TLS
  WebSocket connections.

Cert reloading test assertions in both environmentd and balancerd are
now fully restored — no remaining TODO stubs.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@jasonhernandez jasonhernandez force-pushed the jason/sec-219-tls-test-infra branch from 89701f2 to 4eec3e8 Compare April 3, 2026 18:25
@jasonhernandez jasonhernandez changed the base branch from main to jason/sec-220-tier3-4-leaf-crate-migrations April 3, 2026 18:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jasonhernandez