From da7841bf434bc5dc9d5bd1fc3ec8bea7d704bbc4 Mon Sep 17 00:00:00 2001
From: Piotr Fus
Date: Thu, 6 Mar 2025 13:56:18 +0100
Subject: [PATCH] SNOW-921006 Add ECDSA tests on wiremock
---
.github/workflows/build-test.yml | 26 ++++++++++++++++++++++++++
ci/scripts/README.md | 10 ++++++++++
ci/scripts/ca.srl | 2 +-
ci/scripts/run_wiremock.sh | 10 +++++++++-
ci/scripts/wiremock-ecdsa-pub.key | 4 ++++
ci/scripts/wiremock-ecdsa.crt | 24 ++++++++++++++++++++++++
ci/scripts/wiremock-ecdsa.csr | 9 +++++++++
ci/scripts/wiremock-ecdsa.key | 5 +++++
ci/scripts/wiremock-ecdsa.p12 | Bin 0 -> 1728 bytes
wiremock_test.go | 3 ++-
10 files changed, 90 insertions(+), 3 deletions(-)
create mode 100644 ci/scripts/wiremock-ecdsa-pub.key
create mode 100644 ci/scripts/wiremock-ecdsa.crt
create mode 100644 ci/scripts/wiremock-ecdsa.csr
create mode 100644 ci/scripts/wiremock-ecdsa.key
create mode 100644 ci/scripts/wiremock-ecdsa.p12
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 2e3802796..1afc8f277 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -138,3 +138,29 @@ jobs:
 uses: codecov/codecov-action@v5
 with:
 token: ${{ secrets.CODE_COV_UPLOAD_TOKEN }}
+ ecc:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ name: Ecliptic curves check
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-java@v4 # for wiremock
+ with:
+ java-version: 17
+ distribution: 'temurin'
+ - name: Setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ matrix.go }}
+ - name: Test
+ shell: bash
+ env:
+ PARAMETERS_SECRET: ${{ secrets.PARAMETERS_SECRET }}
+ CLOUD_PROVIDER: ${{ matrix.cloud }}
+ GORACE: history_size=7
+ GO_TEST_PARAMS: ${{ inputs.goTestParams }} -run TestQueryViaHttps
+ WIREMOCK_PORT: 14335
+ WIREMOCK_HTTPS_PORT: 13567
+ WIREMOCK_ENABLE_ECDSA: true
+ run: ./ci/test.sh
\ No newline at end of file
diff --git a/ci/scripts/README.md b/ci/scripts/README.md
index 23c96ad2a..57210e254 100644
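Review bot: The new `ecc` job reads `${{ matrix.go }}` for `go-version` and `${{ matrix.cloud }}` for `CLOUD_PROVIDER`, but its `strategy` block declares only `fail-fast: false` and no `matrix`, so both expressions evaluate to empty strings. The Go toolchain for this job is then whatever `actions/setup-go` falls back to rather than a version the project chose, and `ci/test.sh` sees an empty `CLOUD_PROVIDER`. Either add a `matrix:` with the intended values or pin them directly, e.g. `go-version: '<GO_VERSION>'` and `CLOUD_PROVIDER: <PROVIDER>` (placeholders). The job also exports `secrets.PARAMETERS_SECRET` although it only runs `TestQueryViaHttps` against a local WireMock; if `ci/test.sh` does not need the secret on that path, leave it out of this job's `env`. The job name says "Ecliptic curves check" where "Elliptic" is meant, and the same spelling is in the `echo` added to `ci/scripts/run_wiremock.sh`.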
--- a/ci/scripts/README.md +++ b/ci/scripts/README.md @@ -4,4 +4,14 @@ Password for CA is `password`. ```bash openssl x509 -req -in wiremock.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wiremock.crt -days 365 -sha256 -extfile wiremock.v3.ext +openssl pkcs12 -export -out wiremock.p12 -inkey wiremock.key -in wiremock.crt +``` + +# Refreshing ECDSA cert + +When asked for Common Name, use `localhost`. + +```bash +openssl req -new -x509 -key wiremock-ecdsa.key -out wiremock-ecdsa.crt -days 365 +openssl pkcs12 -export -inkey wiremock-ecdsa.key -in wiremock-ecdsa.crt -out wiremock-ecdsa.p12 ``` \ No newline at end of file diff --git a/ci/scripts/ca.srl b/ci/scripts/ca.srl index 0436f7027..27d2a13f3 100644 --- a/ci/scripts/ca.srl +++ b/ci/scripts/ca.srl @@ -1 +1 @@ -54587BDD05D4BE6A6D8852CA7FDB421189EA1C67 +54587BDD05D4BE6A6D8852CA7FDB421189EA1C69 diff --git a/ci/scripts/run_wiremock.sh b/ci/scripts/run_wiremock.sh index a02e3c76e..d08b26d28 100755 --- a/ci/scripts/run_wiremock.sh +++ b/ci/scripts/run_wiremock.sh @@ -4,8 +4,16 @@ SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" cd $SCRIPT_DIR +if [[ "$1" == "--ecdsa" || "$WIREMOCK_ENABLE_ECDSA" == "true" ]] ; then + echo "Using ecliptic curves" + pfxFile="$SCRIPT_DIR/wiremock-ecdsa.p12" +else + echo "Using RSA" + pfxFile="$SCRIPT_DIR/wiremock.p12" +fi + if [ ! -f "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" ]; then curl -O https://repo1.maven.org/maven2/org/wiremock/wiremock-standalone/3.11.0/wiremock-standalone-3.11.0.jar fi -java -jar "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" --verbose --port ${WIREMOCK_PORT:=14355} --https-port ${WIREMOCK_HTTPS_PORT:=13567} --https-keystore "$SCRIPT_DIR/wiremock.p12" --keystore-type PKCS12 --keystore-password password +java -jar "$SCRIPT_DIR/wiremock-standalone-3.11.0.jar" --verbose --port ${WIREMOCK_PORT:=14355} --https-port ${WIREMOCK_HTTPS_PORT:=13567} --https-keystore "$pfxFile" --keystore-type PKCS12 --keystore-password password 
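Review bot: The keystore selected in the new `if` block of `run_wiremock.sh` is passed to `java` without checking that the file exists, so a missing or renamed `wiremock-ecdsa.p12` surfaces only as a WireMock start-up error, or possibly as a test timeout depending on how `ci/test.sh` waits for the server. A guard directly after the added `fi`, `[[ -f "$pfxFile" ]] || { echo "keystore not found: $pfxFile" >&2; exit 1; }`, would fail fast with a clear message. Any first argument other than `--ecdsa` silently selects RSA; a comment above the block such as `# usage: run_wiremock.sh [--ecdsa]; WIREMOCK_ENABLE_ECDSA=true has the same effect` would document both switches.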
diff --git a/ci/scripts/wiremock-ecdsa-pub.key b/ci/scripts/wiremock-ecdsa-pub.key new file mode 100644 index 000000000..dff20a876 --- /dev/null +++ b/ci/scripts/wiremock-ecdsa-pub.key @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX3j37DbAKoO6Cwn0TsoMcsVXEF52 +lDa2tEHX2kMoxLExE4cgBipPyHgwNEblfAbaA1eC03fytJZw0wd08GvA+Q== +-----END PUBLIC KEY----- diff --git a/ci/scripts/wiremock-ecdsa.crt b/ci/scripts/wiremock-ecdsa.crt new file mode 100644 index 000000000..8b2b17acd --- /dev/null +++ b/ci/scripts/wiremock-ecdsa.crt 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFzCCAf+gAwIBAgIUVFh73QXUvmptiFLKf9tCEYnqHGkwDQYJKoZIhvcNAQEL +BQAwezELMAkGA1UEBhMCUEwxFDASBgNVBAgMC01hem93aWVja2llMQ8wDQYDVQQH +DAZXYXJzYXcxEjAQBgNVBAoMCVNub3dmbGFrZTEQMA4GA1UECwwHRHJpdmVyczEf +MB0GA1UEAwwWU25vd2ZsYWtlIHRlc3QgUm9vdCBDQTAeFw0yNTAzMDYxMjM1MjJa +Fw0yNjAzMDYxMjM1MjJaMG4xCzAJBgNVBAYTAlBMMRQwEgYDVQQIDAtNYXpvd2ll +Y2tpZTEPMA0GA1UEBwwGV2Fyc2F3MRIwEAYDVQQKDAlTbm93Zmxha2UxEDAOBgNV +BAsMB0RyaXZlcnMxEjAQBgNVBAMMCWxvY2FsaG9zdDBZMBMGByqGSM49AgEGCCqG +SM49AwEHA0IABF949+w2wCqDugsJ9E7KDHLFVxBedpQ2trRB19pDKMSxMROHIAYq +T8h4MDRG5XwG2gNXgtN38rSWcNMHdPBrwPmjazBpMB8GA1UdIwQYMBaAFNBlcqId +rN8OSmvMp5ZbwKR7RYegMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMA8GA1UdEQQI +MAaHBH8AAAEwHQYDVR0OBBYEFAW3l1QNa8LwvTdTAx9NuD03gHZPMA0GCSqGSIb3 +DQEBCwUAA4ICAQAbH3Wbh9GHfb0DEKXvgzNrLExh5l4qo/1RGio7+WqdE3LMBGbH +SF/Y7+Kz+m8PxkuxUKNtRT7JxQjRLwGWHjXpowtuc/JoTOw/1pzMmpJaDsMzhjiw +JhGqGwBy9yqX0524ek/IuMxmZT1rvTjCtFndlQmp5W3nHLt0cwHJC4mUzBI0vyDR +29RKch+q01APLwZQBp+HwL95K+e1iXBs/kViYLXvtC2Vhw/caZwYNzZKM/HEjHdM +5XUkklX9UA08G1xbt4uRjugnXBWMYkQyoivTl+DmOIeEQAzymLZzQUZr0fwMoeBK +mYMjBjzxCZFqJyx3I2e+0hxBXURviGJZhYN53TzEIbaXD/XC8c/FulQ9+EEhw6mZ +BhRJ5jTWV1i4puPZDAnDaR9VtftF0KdIFDG4kQpP3VG/oMYGXrRpA3LYLCy80oCr +kbIOPFMeVLUooeRMG7mgNmAYLWuWxPPSxpB8f3ID0n+wvdeMgAacNYuCRU0NV2CN +XhVpH7jKP7q6th63ICwKpUI5wCl8fqoqwK35NqqZdbyfK1RAL/MlNLlmP1WvEesb +K8x0PDpHxWA3AVf+DPlByBPKLfbnQmZ7siLmfwQyyNWw012ECzP4tmdCP5I+uih4 +YeAMw2hQ4C53XjoDEp50gq0WHBcvgWagKP+oRD9oTtwHs1NEWU4EAst5Zg== +-----END CERTIFICATE----- diff --git a/ci/scripts/wiremock-ecdsa.csr b/ci/scripts/wiremock-ecdsa.csr new file mode 100644 index 000000000..d18c00d80 --- /dev/null +++ b/ci/scripts/wiremock-ecdsa.csr 
@@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBJzCB0AIBADBuMQswCQYDVQQGEwJQTDEUMBIGA1UECAwLTWF6b3dpZWNraWUx +DzANBgNVBAcMBldhcnNhdzESMBAGA1UECgwJU25vd2ZsYWtlMRAwDgYDVQQLDAdE +cml2ZXJzMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMB +BwNCAARfePfsNsAqg7oLCfROygxyxVcQXnaUNra0QdfaQyjEsTEThyAGKk/IeDA0 +RuV8BtoDV4LTd/K0lnDTB3Twa8D5oAAwCgYIKoZIzj0EAwIDRgAwQwIfRCKhyzAm +JTJjDCHPT+MYDwnPDuxvSnuJ3MRspW18ZAIgQDEOowXcfkoB4flhxnwxY+UMLn4h +MDCOjAbVcJQFGVE= +-----END CERTIFICATE REQUEST----- diff --git a/ci/scripts/wiremock-ecdsa.key b/ci/scripts/wiremock-ecdsa.key new file mode 100644 index 000000000..731d048fe --- /dev/null +++ b/ci/scripts/wiremock-ecdsa.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOSKn4RQ5lJbhkMaZpofTq+8T3U1F4JlNAOJDom4fbAFoAoGCCqGSM49 +AwEHoUQDQgAEX3j37DbAKoO6Cwn0TsoMcsVXEF52lDa2tEHX2kMoxLExE4cgBipP +yHgwNEblfAbaA1eC03fytJZw0wd08GvA+Q== +-----END EC PRIVATE KEY----- 
diff --git a/ci/scripts/wiremock-ecdsa.p12 b/ci/scripts/wiremock-ecdsa.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b3bd4ea9ea4973eaf06338a92c773c3bc491320a GIT binary patch literal 1728 zcmai!dpOgJAIG=ZmNAPAbzDMQ$@RN*q$P}8Dne0`YbLp0VoJGeZdq<&x#eycg(R_7 z?PNGi#fX%n9US7gO|)WkI?wO-)Su^%&+~rX@An^{=Xw9}0w{161S|$n;NftDX0mm% zPzt;aTtPcRM5!MoOIK1udGrjA= zCPQz;C+%TOt!P;}#3{PWHoJ-y{3xiyh9X`$ed>8{gr?rBQ$_*GUYVCw;9hl%cJ%Jf zCxP1ZhsJp`Y`jCB3DI4#C~`M<{s7}q@_rd^k$nF0Zg$|RewBegXS6?*x^LZ^!V+0t zV`NlX69goOOoV;Tjhl6IeUI4ndaS-p?IHWqn?2YqyZE*0>a{wy#QTvGGjr7L2;8S> zTuMn%CxJ+3=kI@t$Sv>=c9~E(d$R0rJGa@27}^BT!z7M>O)`#pIrPoIlOKP~Kkw#? zh8fO#-N;t&!HikzLo;)fy4_tmgK8eCizXVB(~E|S8N&v3Bz_jZzQP>lx5Ci9Dg)u0 z{%U!TNAqpYWo|#D82N>l4)q{gN?n8a1n$sCy;b9OHE}Pp!RcsKp8(z`1;!aPR)Oxc z1V_imuGCL~)Sz zCT0oPgK@hW(IL_6sMHxV>&t@uFD1>N<12YqU{}{Xy?wOfbkldcxVrupPI!;@mvt|b4o1oO z$J5h2L-4jB>)hn|2J}O0@{Hh&S=392|QV2ScW{dK}tHjZC=Uz`_Km z$;u#9R%6CO_<_u0*8?pE9_N_Y22^iGFjH*akR{=%Ss4@cFk?Bb;{|p10QzX#nvdCs zn95K1^zyz%*FtTnJWhYdY+*%2K!;&&uHqGqtTD$W>)>P4{=ZC;x{)b(`Igh=`MElm ztd%TEw*u6Am4-|m>uFCoA8?iK`e&9C(#DBb)b7;s+)g!gDilCOV@?buIpgs0#a=&= zvEP7jhFH|Ld@a#RNtq2$z{h`Z?O#xW@lXob;Cp=F`{}|Z|IbjQ1Q=3A76Rne|H7hW z%UhB9!2SKU;@P$ulL7kwiNy(U__mG1YXk4-WWbILKhwlZpeQL&7J| z>0=T+yz%5%)G6x;v+ literal 0 HcmV?d00001 diff --git a/wiremock_test.go b/wiremock_test.go index 9122b8f4c..e12d4d67f 100644 --- a/wiremock_test.go +++ b/wiremock_test.go @@ -172,7 +172,8 @@ func TestQueryViaHttps(t *testing.T) { testCertPool.AddCert(certificate) cfg.Transporter = &http.Transport{ TLSClientConfig: &tls.Config{ - RootCAs: testCertPool, + RootCAs: testCertPool, + VerifyPeerCertificate: verifyPeerCertificateSerial, }, } connector := NewConnector(SnowflakeDriver{}, *cfg)
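Review bot: Nothing in the visible lines of `wiremock_test.go` makes `TestQueryViaHttps` fail if WireMock is serving the RSA keystore during the `ecc` job, because the same `tls.Config` is built for both keystores. `verifyPeerCertificateSerial` is defined outside this hunk, so it may already tell the two certificates apart; if it does not, have it check the leaf key type when `WIREMOCK_ENABLE_ECDSA` is `true`, e.g. `if verifiedChains[0][0].PublicKeyAlgorithm != x509.ECDSA { return errors.New("expected ECDSA leaf") }`. Keeping `RootCAs` set is right, since `VerifyPeerCertificate` runs in addition to normal chain verification; a comment such as `// extra check on top of chain verification against testCertPool` would keep a later edit from pairing the callback with `InsecureSkipVerify`. The body of `TestQueryViaHttps` starts and ends outside the hunk.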