Merge branch 'master' into SNOW-1825790-token-cache

Author: sfc-gh-pfus

.github/workflows/build-test.yml

@@ -138,3 +138,29 @@ jobs:
               uses: codecov/codecov-action@v5
               with:
                 token: ${{ secrets.CODE_COV_UPLOAD_TOKEN }}
+    ecc:
+      runs-on: ubuntu-latest
+      strategy:
+        fail-fast: false
+      name: Ecliptic curves check
+      steps:
+        - uses: actions/checkout@v4
+        - uses: actions/setup-java@v4 # for wiremock
+          with:
+            java-version: 17
+            distribution: 'temurin'
+        - name: Setup go
+          uses: actions/setup-go@v5
+          with:
+            go-version: ${{ matrix.go }}
+        - name: Test
+          shell: bash
+          env:
+            PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
+            CLOUD_PROVIDER: ${{ matrix.cloud }}
+            GORACE: history_size=7
+            GO_TEST_PARAMS: ${{ inputs.goTestParams }} -run TestQueryViaHttps
+            WIREMOCK_PORT: 14335
+            WIREMOCK_HTTPS_PORT: 13567
+            WIREMOCK_ENABLE_ECDSA: true
+          run: ./ci/test.sh

ci/scripts/README.md

@@ -4,4 +4,14 @@ Password for CA is `password`.
 
 ```bash
 openssl x509 -req -in wiremock.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wiremock.crt -days 365 -sha256 -extfile wiremock.v3.ext
+openssl pkcs12 -export -out wiremock.p12 -inkey wiremock.key -in wiremock.crt
+```
+
+# Refreshing ECDSA cert
+
+When asked for Common Name, use `localhost`.
+
+```bash
+openssl req -new -x509 -key wiremock-ecdsa.key -out wiremock-ecdsa.crt -days 365
+openssl pkcs12 -export -inkey wiremock-ecdsa.key -in wiremock-ecdsa.crt -out wiremock-ecdsa.p12
 ```

ci/scripts/ca.srl

@@ -1 +1 @@
-54587BDD05D4BE6A6D8852CA7FDB421189EA1C67
+54587BDD05D4BE6A6D8852CA7FDB421189EA1C69

ci/scripts/run_wiremock.sh

@@ -4,8 +4,16 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 cd $SCRIPT_DIR
 
+if [[ "$1" == "--ecdsa" || "$WIREMOCK_ENABLE_ECDSA" == "true" ]] ; then
+  echo "Using ecliptic curves"
+  pfxFile="$SCRIPT_DIR/wiremock-ecdsa.p12"
+else
+  echo "Using RSA"
+  pfxFile="$SCRIPT_DIR/wiremock.p12"
+fi
+
 if [ ! -f "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" ]; then
   curl -O https://repo1.maven.org/maven2/org/wiremock/wiremock-standalone/3.11.0/wiremock-standalone-3.11.0.jar
 fi
 
-java -jar "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" --verbose --port ${WIREMOCK_PORT:=14355} --https-port ${WIREMOCK_HTTPS_PORT:=13567} --https-keystore "$SCRIPT_DIR/wiremock.p12" --keystore-type PKCS12 --keystore-password password
+java -jar "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" --verbose --port ${WIREMOCK_PORT:=14355} --https-port ${WIREMOCK_HTTPS_PORT:=13567} --https-keystore "$pfxFile" --keystore-type PKCS12 --keystore-password password

ci/scripts/wiremock-ecdsa-pub.key

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX3j37DbAKoO6Cwn0TsoMcsVXEF52
+lDa2tEHX2kMoxLExE4cgBipPyHgwNEblfAbaA1eC03fytJZw0wd08GvA+Q==
+-----END PUBLIC KEY-----

ci/scripts/wiremock-ecdsa.crt

@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAf+gAwIBAgIUVFh73QXUvmptiFLKf9tCEYnqHGkwDQYJKoZIhvcNAQEL
+BQAwezELMAkGA1UEBhMCUEwxFDASBgNVBAgMC01hem93aWVja2llMQ8wDQYDVQQH
+DAZXYXJzYXcxEjAQBgNVBAoMCVNub3dmbGFrZTEQMA4GA1UECwwHRHJpdmVyczEf
+MB0GA1UEAwwWU25vd2ZsYWtlIHRlc3QgUm9vdCBDQTAeFw0yNTAzMDYxMjM1MjJa
+Fw0yNjAzMDYxMjM1MjJaMG4xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpvd2ll
+Y2tpZTEPMA0GA1UEBwwGV2Fyc2F3MRIwEAYDVQQKDAlTbm93Zmxha2UxEDAOBgNV
+BAsMB0RyaXZlcnMxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABF949+w2wCqDugsJ9E7KDHLFVxBedpQ2trRB19pDKMSxMROHIAYq
+T8h4MDRG5XwG2gNXgtN38rSWcNMHdPBrwPmjazBpMB8GA1UdIwQYMBaAFNBlcqId
+rN8OSmvMp5ZbwKR7RYegMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMA8GA1UdEQQI
+MAaHBH8AAAEwHQYDVR0OBBYEFAW3l1QNa8LwvTdTAx9NuD03gHZPMA0GCSqGSIb3
+DQEBCwUAA4ICAQAbH3Wbh9GHfb0DEKXvgzNrLExh5l4qo/1RGio7+WqdE3LMBGbH
+SF/Y7+Kz+m8PxkuxUKNtRT7JxQjRLwGWHjXpowtuc/JoTOw/1pzMmpJaDsMzhjiw
+JhGqGwBy9yqX0524ek/IuMxmZT1rvTjCtFndlQmp5W3nHLt0cwHJC4mUzBI0vyDR
+29RKch+q01APLwZQBp+HwL95K+e1iXBs/kViYLXvtC2Vhw/caZwYNzZKM/HEjHdM
+5XUkklX9UA08G1xbt4uRjugnXBWMYkQyoivTl+DmOIeEQAzymLZzQUZr0fwMoeBK
+mYMjBjzxCZFqJyx3I2e+0hxBXURviGJZhYN53TzEIbaXD/XC8c/FulQ9+EEhw6mZ
+BhRJ5jTWV1i4puPZDAnDaR9VtftF0KdIFDG4kQpP3VG/oMYGXrRpA3LYLCy80oCr
+kbIOPFMeVLUooeRMG7mgNmAYLWuWxPPSxpB8f3ID0n+wvdeMgAacNYuCRU0NV2CN
+XhVpH7jKP7q6th63ICwKpUI5wCl8fqoqwK35NqqZdbyfK1RAL/MlNLlmP1WvEesb
+K8x0PDpHxWA3AVf+DPlByBPKLfbnQmZ7siLmfwQyyNWw012ECzP4tmdCP5I+uih4
+YeAMw2hQ4C53XjoDEp50gq0WHBcvgWagKP+oRD9oTtwHs1NEWU4EAst5Zg==
+-----END CERTIFICATE-----

ci/scripts/wiremock-ecdsa.csr

@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBJzCB0AIBADBuMQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUx
+DzANBgNVBAcMBldhcnNhdzESMBAGA1UECgwJU25vd2ZsYWtlMRAwDgYDVQQLDAdE
+cml2ZXJzMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAARfePfsNsAqg7oLCfROygxyxVcQXnaUNra0QdfaQyjEsTEThyAGKk/IeDA0
+RuV8BtoDV4LTd/K0lnDTB3Twa8D5oAAwCgYIKoZIzj0EAwIDRgAwQwIfRCKhyzAm
+JTJjDCHPT+MYDwnPDuxvSnuJ3MRspW18ZAIgQDEOowXcfkoB4flhxnwxY+UMLn4h
+MDCOjAbVcJQFGVE=
+-----END CERTIFICATE REQUEST-----

ci/scripts/wiremock-ecdsa.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOSKn4RQ5lJbhkMaZpofTq+8T3U1F4JlNAOJDom4fbAFoAoGCCqGSM49
+AwEHoUQDQgAEX3j37DbAKoO6Cwn0TsoMcsVXEF52lDa2tEHX2kMoxLExE4cgBipP
+yHgwNEblfAbaA1eC03fytJZw0wd08GvA+Q==
+-----END EC PRIVATE KEY-----

ci/scripts/wiremock-ecdsa.p12

@@ -172,7 +172,8 @@ func TestQueryViaHttps(t *testing.T) {
 	testCertPool.AddCert(certificate)
 	cfg.Transporter = &http.Transport{
 		TLSClientConfig: &tls.Config{
-			RootCAs: testCertPool,
+			RootCAs:               testCertPool,
+			VerifyPeerCertificate: verifyPeerCertificateSerial,
 		},
 	}
 	connector := NewConnector(SnowflakeDriver{}, *cfg)