Merged
55 changes: 55 additions & 0 deletions xds/src/test/resources/certs/sni-test-certs/README
@@ -0,0 +1,55 @@
Bad Wildcard DNS Certificate (bad_wildcard_dns_certificate.pem)
This certificate is used for testing SNI with invalid wildcard DNS SANs. It is issued by a custom, self-signed Certificate Authority (CA).

1. Create the Certificate Authority (CA)
Create the CA's private key:
$ openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
Create the CA's self-signed certificate:
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.pem -subj "/CN=My Internal CA"

2. Generate the Server Certificate
Next, generate the server's private key and a Certificate Signing Request (CSR).
Create the server's private key:
$ openssl genpkey -algorithm RSA -out bad_wildcard_dns.key -pkeyopt rsa_keygen_bits:2048
Create a configuration file named san.cnf with the following content. This file specifies the Subject Alternative Names (SANs) for the certificate.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = Illinois
L = Chicago
O = "Example, Co."
CN = *.test.google.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.test.google.fr
DNS.2 = *.test.youtube.com
DNS.3 = waterzooi.test.google.be
DNS.4 = 192.168.1.3
DNS.5 = *.TEST.YOUTUBE.com
DNS.6 = w*i.test.google.be
DNS.7 = w*a.test.google.be
DNS.8 = *.test.google.com.au
DNS.9 = *waterzooi
DNS.10 = *.lyft.com
DNS.11 = ly**ft.com
DNS.12 = *yft.c*m
DNS.13 = xn--*.lyft.com

Create the Certificate Signing Request (CSR):
$ openssl req -new -key bad_wildcard_dns.key -out bad_wildcard_dns.csr -config san.cnf

3. Sign the Server Certificate
Finally, use the CA to sign the CSR, which will create the server certificate.
$ openssl x509 -req -in bad_wildcard_dns.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out bad_wildcard_dns_certificate.pem -days 365 -sha256 -extensions v3_req -extfile san.cnf

4. Clean Up
$ rm bad_wildcard_dns.key san.cnf bad_wildcard_dns.csr ca.key ca.pem ca.srl
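Review bot: the clean-up in step 4 deletes ca.key and ca.pem together with the server key, so the fixture can never be re-issued from the same CA and, if any test validates the chain or performs a handshake with it, that test has nothing to validate against; combined with `-days 365` in steps 1 and 3, the certificate also expires one year after generation, which will silently break any test that checks validity dates. Suggest either keeping ca.pem next to bad_wildcard_dns_certificate.pem, or stating explicitly at the top of the README that the test only parses the subjectAltName extension and never verifies the chain or uses the key (which is why the key material is removed), and in both cases using a much longer validity period so the fixture does not need to be regenerated annually. A short note that DNS.4 (an IP literal) and the `*`-containing entries are intentionally invalid would also help a future maintainer who is tempted to "fix" the config.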