load intermediate cert (#496)

kayozaki · web-flow · commit 4215ec757efd · 2026-03-31T23:20:07.000-07:00
* load intermediate cert
* using rcgen to sign with intermediate cert, update unit test
diff --git a/crates/integration-tests/src/test/tls_client_certificate.rs b/crates/integration-tests/src/test/tls_client_certificate.rs
@@ -1,7 +1,10 @@
 use crate::kumod::{DaemonWithMaildir, DeliverySummary, MailGenParams};
 use k9::assert_equal;
 use kumo_log_types::RecordType;
-use rustls_cert_gen::{Ca, CertificateBuilder, EndEntity};
+use rcgen::{
+    BasicConstraints, CertificateParams, CertifiedIssuer, DistinguishedName, DnType,
+    ExtendedKeyUsagePurpose, IsCa, KeyPair, KeyUsagePurpose,
+};
 use std::collections::BTreeMap;
 use std::time::Duration;
 
@@ -39,17 +42,15 @@ async fn tls_client_certificate_openssl_no_client_cert() -> anyhow::Result<()> {
 /// Use rustls as TLS library and confirm delivery is successful
 #[tokio::test]
 async fn tls_client_certificate_rustls_success() -> anyhow::Result<()> {
-    let (ca, entity) = generate_certs()?;
-    let ca_pem = ca.serialize_pem().cert_pem;
-    let cert_pem = entity.serialize_pem().cert_pem;
-    let key_pem = entity.serialize_pem().private_key_pem;
+    let (ca_pem, intermediate_pem, entity_pem, key_pem) = generate_certs()?;
+    let cert_pem = format!("{entity_pem}\n{intermediate_pem}");
     let ex = DeliverySummary {
         source_counts: BTreeMap::from([(RecordType::Reception, 1), (RecordType::Delivery, 1)]),
         sink_counts: BTreeMap::from([(RecordType::Reception, 1), (RecordType::Delivery, 1)]),
     };
     let env = vec![
         ("KUMOD_ENABLE_TLS", "OpportunisticInsecure"),
-        ("KUMOD_PREFER_OPENSSL", "true"),
+        ("KUMOD_PREFER_OPENSSL", "false"),
         ("KUMOD_CLIENT_CERTIFICATE", &cert_pem),
         ("KUMOD_CLIENT_PRIVATE_KEY", &key_pem),
         ("KUMOD_CLIENT_REQUIRED_CA", &ca_pem),
@@ -60,8 +61,7 @@ async fn tls_client_certificate_rustls_success() -> anyhow::Result<()> {
 /// Adding fake private key to confirm rustls injection succeeds
 #[tokio::test]
 async fn tls_client_certificate_rustls_fail() -> anyhow::Result<()> {
-    let (_ca, entity) = generate_certs()?;
-    let cert_pem = entity.serialize_pem().cert_pem;
+    let (_ca_pem, _intermediate_pem, cert_pem, _key_pem) = generate_certs()?;
     let ex = DeliverySummary {
         source_counts: BTreeMap::from([
             (RecordType::Reception, 1),
@@ -79,33 +79,72 @@ async fn tls_client_certificate_rustls_fail() -> anyhow::Result<()> {
 
 const COMMON_NAME: &str = "Testing Common Name";
 
-fn generate_certs() -> anyhow::Result<(Ca, EndEntity)> {
-    let ca = CertificateBuilder::new()
-        .certificate_authority()
-        .country_name("GB")?
-        .organization_name("kumo-testing")
-        .build()?;
+fn generate_certs() -> anyhow::Result<(String, String, String, String)> {
+    // Root CA
+    let mut root_params = CertificateParams::default();
+    root_params.distinguished_name = DistinguishedName::new();
+    root_params
+        .distinguished_name
+        .push(DnType::CountryName, "GB");
+    root_params
+        .distinguished_name
+        .push(DnType::OrganizationName, "kumo-testing");
+    root_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    root_params.key_usages = vec![
+        KeyUsagePurpose::DigitalSignature,
+        KeyUsagePurpose::KeyCertSign,
+        KeyUsagePurpose::CrlSign,
+    ];
+    let root_key = KeyPair::generate()?;
+    let root_ca = CertifiedIssuer::self_signed(root_params, root_key)?;
+
+    // Intermediate CA (signed by root)
+    let mut intermediate_params = CertificateParams::default();
+    intermediate_params.distinguished_name = DistinguishedName::new();
+    intermediate_params
+        .distinguished_name
+        .push(DnType::CountryName, "GB");
+    intermediate_params
+        .distinguished_name
+        .push(DnType::OrganizationName, "kumo-intermediate-testing");
+    intermediate_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+    intermediate_params.key_usages = vec![
+        KeyUsagePurpose::DigitalSignature,
+        KeyUsagePurpose::KeyCertSign,
+        KeyUsagePurpose::CrlSign,
+    ];
+    intermediate_params.use_authority_key_identifier_extension = true;
+    let intermediate_key = KeyPair::generate()?;
+    let intermediate_ca =
+        CertifiedIssuer::signed_by(intermediate_params, intermediate_key, &root_ca)?;
 
-    let mut entity = CertificateBuilder::new()
-        .end_entity()
-        .common_name(COMMON_NAME)
-        .subject_alternative_names(vec![rcgen::SanType::DnsName(
-            "smtp.example.com".try_into().unwrap(),
-        )]);
-    entity.client_auth();
+    // End entity certificate for client authentication (signed by intermediate)
+    let mut entity_params = CertificateParams::new(vec!["smtp.example.com".to_string()])?;
+    entity_params.distinguished_name = DistinguishedName::new();
+    entity_params
+        .distinguished_name
+        .push(DnType::CommonName, COMMON_NAME);
+    entity_params.is_ca = IsCa::NoCa;
+    entity_params.key_usages = vec![KeyUsagePurpose::DigitalSignature];
+    entity_params.extended_key_usages = vec![ExtendedKeyUsagePurpose::ClientAuth];
+    entity_params.use_authority_key_identifier_extension = true;
 
-    let entity = entity.build(&ca)?;
+    let entity_key = KeyPair::generate()?;
+    let entity = entity_params.signed_by(&entity_key, &intermediate_ca)?;
 
-    Ok((ca, entity))
+    Ok((
+        root_ca.pem(),
+        intermediate_ca.pem(),
+        entity.pem(),
+        entity_key.serialize_pem(),
+    ))
 }
 
 /// Use openssl as TLS library, confirm delivery succeeds
 #[tokio::test]
 async fn tls_client_certificate_rustls_openssl_success() -> anyhow::Result<()> {
-    let (ca, entity) = generate_certs()?;
-    let ca_pem = ca.serialize_pem().cert_pem;
-    let cert_pem = entity.serialize_pem().cert_pem;
-    let key_pem = entity.serialize_pem().private_key_pem;
+    let (ca_pem, intermediate_pem, entity_pem, key_pem) = generate_certs()?;
+    let cert_pem = format!("{entity_pem}\n{intermediate_pem}");
 
     let ex = DeliverySummary {
         source_counts: BTreeMap::from([(RecordType::Reception, 1), (RecordType::Delivery, 1)]),
@@ -122,11 +161,56 @@ async fn tls_client_certificate_rustls_openssl_success() -> anyhow::Result<()> {
     tls_client_certificate(env, ex).await
 }
 
+/// Use openssl as TLS library, confirm we're failing to deliver due to missing intermediate certificate in the chain.
+#[tokio::test]
+async fn tls_client_certificate_rustls_openssl_missing_intermediate() -> anyhow::Result<()> {
+    let (ca_pem, _intermediate_pem, entity_pem, key_pem) = generate_certs()?;
+
+    let ex = DeliverySummary {
+        source_counts: BTreeMap::from([
+            (RecordType::Reception, 1),
+            (RecordType::TransientFailure, 1),
+        ]),
+        sink_counts: BTreeMap::new(),
+    };
+
+    let env = vec![
+        ("KUMOD_ENABLE_TLS", "OpportunisticInsecure"),
+        ("KUMOD_PREFER_OPENSSL", "true"),
+        ("KUMOD_CLIENT_CERTIFICATE", &entity_pem),
+        ("KUMOD_CLIENT_PRIVATE_KEY", &key_pem),
+        ("KUMOD_CLIENT_REQUIRED_CA", &ca_pem),
+    ];
+    tls_client_certificate(env, ex).await
+}
+
+/// Use rustls as TLS library, confirm we're failing to deliver due to missing intermediate certificate in the chain.
+#[tokio::test]
+async fn tls_client_certificate_rustls_missing_intermediate() -> anyhow::Result<()> {
+    let (ca_pem, _intermediate_pem, entity_pem, key_pem) = generate_certs()?;
+
+    let ex = DeliverySummary {
+        source_counts: BTreeMap::from([
+            (RecordType::Reception, 1),
+            (RecordType::TransientFailure, 1),
+        ]),
+        sink_counts: BTreeMap::new(),
+    };
+
+    let env = vec![
+        ("KUMOD_ENABLE_TLS", "OpportunisticInsecure"),
+        ("KUMOD_PREFER_OPENSSL", "false"),
+        ("KUMOD_CLIENT_CERTIFICATE", &entity_pem),
+        ("KUMOD_CLIENT_PRIVATE_KEY", &key_pem),
+        ("KUMOD_CLIENT_REQUIRED_CA", &ca_pem),
+    ];
+    tls_client_certificate(env, ex).await
+}
+
 /// Adding fake private key to confirm openssl injection would temp fail
 #[tokio::test]
 async fn tls_client_certificate_rustls_openssl_fail() -> anyhow::Result<()> {
-    let (_ca, entity) = generate_certs()?;
-    let cert_pem = entity.serialize_pem().cert_pem;
+    let (_ca_pem, _intermediate_pem, cert_pem, _key_pem) = generate_certs()?;
     let ex = DeliverySummary {
         source_counts: BTreeMap::from([
             (RecordType::Reception, 1),
diff --git a/crates/kumo-tls-helper/src/lib.rs b/crates/kumo-tls-helper/src/lib.rs
@@ -261,8 +261,18 @@ impl TlsOptions {
         if let (Some(cert_data), Some(key_data)) =
             (&self.certificate_from_pem, &self.private_key_from_pem)
         {
-            let cert = X509::from_pem(cert_data)?;
-            builder.set_certificate(&cert)?;
+            let certs = X509::stack_from_pem(cert_data)?;
+            let Some(leaf) = certs.get(0).map(Clone::clone) else {
+                return Err(OpensslConnectorError::SslErrorStack(
+                    "certificate PEM data is empty".to_string(),
+                ));
+            };
+            builder.set_certificate(&leaf)?;
+
+            // Add intermediates
+            for cert in certs.iter().skip(1) {
+                builder.add_extra_chain_cert(cert.clone())?;
+            }
 
             let key = PKey::private_key_from_pem(key_data)?;
             builder.set_private_key(&key)?;
