From 1c0e15bbb71a99c8f5dccd0c19802f93963ff499 Mon Sep 17 00:00:00 2001
From: Tshepang Mbambo
Date: Wed, 27 Dec 2023 18:37:56 +0100
Subject: [PATCH] RiiR cert updater (#44)
* RiiR cert updater
Part of #39
---
 .../update_valid_ee_certs.bash | 21 ---------
 .../update_valid_ee_certs.rs | 43 +++++++++++++++++++
 2 files changed, 43 insertions(+), 21 deletions(-)
 delete mode 100755 src/tests/verification_real_world/update_valid_ee_certs.bash
 create mode 100755 src/tests/verification_real_world/update_valid_ee_certs.rs
diff --git a/src/tests/verification_real_world/update_valid_ee_certs.bash b/src/tests/verification_real_world/update_valid_ee_certs.bash
deleted file mode 100755
index 0eb95beb..00000000
--- a/src/tests/verification_real_world/update_valid_ee_certs.bash
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-fetch_ee_cert() {
- local domain="$1"
- local out_file="$2"
-
- echo -n |
- openssl s_client \
- -connect "$domain:443" \
- -servername "$domain" |
- openssl x509 \
- -outform DER > "$DIR/$out_file"
-}
-
-fetch_ee_cert "my.1password.com" "1password_com_valid_1.crt"
-fetch_ee_cert "agilebits.com" "agilebits_com_valid_1.crt"
-fetch_ee_cert "lencr.org" "letsencrypt_org_valid_1.crt"
diff --git a/src/tests/verification_real_world/update_valid_ee_certs.rs b/src/tests/verification_real_world/update_valid_ee_certs.rs
new file mode 100755
index 00000000..58914a5e
--- /dev/null
+++ b/src/tests/verification_real_world/update_valid_ee_certs.rs
@@ -0,0 +1,43 @@
+#!/usr/bin/env -S cargo +nightly -Z script
+```cargo
+package.edition = "2021"
+dependencies.anyhow = "1"
+dependencies.reqwest.version = "0.11"
+dependencies.reqwest.default-features = false
+dependencies.reqwest.features = ["blocking", "rustls-tls-webpki-roots"]
+```
+
+use std::{fs, path::Path};
+
+fn main() -> anyhow::Result<()> {
+ for (domain, output_path) in [
+ ("my.1password.com", "1password_com_valid_1.crt"),
+ ("agilebits.com", "agilebits_com_valid_1.crt"),
+ ("lencr.org", "letsencrypt_org_valid_1.crt"),
+ ] {
+ query(domain, output_path)?;
+ }
+ Ok(())
+}
+
+fn query(domain: &str, path: &str) -> anyhow::Result<()> {
+ let url = format!("https://{domain}");
+ let response = reqwest::blocking::Client::builder()
+ .tls_info(true)
+ // avoids agilebits.com redirect, which will result in the wrong cert...
+ // we want the cert of agilebits.com, not of 1password.com
+ .redirect(reqwest::redirect::Policy::none())
+ .build()?
+ .get(url)
+ .send()?;
+ let Some(tls_info): Option<&reqwest::tls::TlsInfo> = response.extensions().get() else {
+ anyhow::bail!("no TLS info found");
+ };
+ let Some(der) = tls_info.peer_certificate() else {
+ anyhow::bail!("no TLS certificate found");
+ };
+ let path = Path::new(env!("CARGO_MANIFEST_DIR")).join(path);
+ eprintln!("writing DER of {domain} to {}", path.display());
+ fs::write(path, der)?;
+ Ok(())
+}
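Review bot: The bytes returned by `peer_certificate()` are written straight over the test fixture at `fs::write(path, der)?` with no sanity check, so a handshake that hands back an empty DER would silently replace a good test vector; a guard such as `anyhow::ensure!(!der.is_empty(), "empty certificate from {domain}");` before the write is cheap insurance, and the `rustls-tls-webpki-roots` feature at least means the leaf has passed chain and name validation for `domain` before it is saved (something the deleted `openssl s_client` pipeline did not enforce). The output path is now anchored on `env!("CARGO_MANIFEST_DIR")` where the bash version used the script's own directory; under `cargo -Z script` that presumably resolves to the script's parent, but it is worth confirming so the `.crt` files land next to the tests that read them. Since only the certificate is needed, `.head(url)` in place of `.get(url)` would avoid downloading each site's response body. A `//!` header comment stating that this script refreshes the real-world end-entity certificate fixtures used by the verification tests, and that it needs nightly cargo, would help the next maintainer.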