
generate test tls key at runtime instead of embedding#88

Merged
fabracht merged 1 commit into main from remove-embedded-test-key, Jun 15, 2026

Conversation

@fabracht

Contributor

Resolves the secret-scanning alert for crates/mqtt5/src/transport/tls.rs (RSA Private Key, commit dea578ac).

The TLS PEM-loading unit test embedded a hardcoded RSA private key blob, which secret scanning flags. It was a throwaway test fixture guarding nothing, but its presence in source keeps triggering detection.

Change

  • Generate the key at test runtime via rcgen::KeyPair::generate().serialize_pem() instead of embedding a private-key literal.
  • Add rcgen as a dev-dependency.

load_client_key_pem_bytes uses rustls pem_slice_iter, which accepts the PKCS#8 PEM that rcgen emits. Test passes; clippy clean.

Not addressed here (no code in current tree)

The other two alerts are history-only test fixtures already removed from tracking in 65eb0c5 and gitignored (test_certs/*.key):

  • test_certs/ca.key (commit e340249)
  • test_certs/client.key (commit e340249)

Per decision, git history will not be rewritten — those alerts should be dismissed as "used in tests". After this merges, the tls.rs alert can likewise be dismissed (the key still exists in history, only removed from HEAD).
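As an added example (not code from the mqtt5 project or from this PR), the following Python script reproduces the detection side of what the description reacts to: a working-tree gate that reports armored private-key blocks in source, skips the `test_certs/*.key` paths the description says are gitignored, and deliberately does not fire on a PEM loader's own label constants. The Rust sources it scans are constructed here with base64 filler in place of key bytes; `load_client_key_pem_bytes` is the PR's function name used only inside that sample text, and the `pem.rs` and `client.pem` paths are hypothetical.

```python
"""Working-tree gate for embedded PEM private keys (added example, not project code).
Sample inputs are constructed below and contain no real key material."""
import base64
import fnmatch
import re
import sys
from pathlib import Path
from typing import NamedTuple

# Paths the repository ignores per the PR description (test_certs/*.key).
IGNORED_GLOBS = ("test_certs/*.key",)

# Any label ending in PRIVATE KEY: "RSA PRIVATE KEY" (PKCS#1), "EC PRIVATE KEY"
# (SEC1), "PRIVATE KEY" (PKCS#8, what rcgen emits), "ENCRYPTED PRIVATE KEY", ...
_BEGIN = re.compile(r"-----BEGIN (?P<label>(?:[A-Z]+ )*PRIVATE KEY)-----")
# A PEM body line may be separated by a real newline or, inside a one-line
# string literal such as a Rust &str, by the two-character escape "\n".
_SPLIT = re.compile(r"\r?\n|\\n")
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


class Finding(NamedTuple):
    path: str
    line: int        # 1-based line of the BEGIN marker in the original text
    label: str
    body_lines: int  # base64 lines seen between BEGIN and END


def find_private_key_blocks(text: str, path: str = "<memory>") -> list[Finding]:
    """Report each BEGIN marker that is followed by base64 key material.

    A bare marker with no body (for example a label constant inside the PEM
    loader itself) is not reported, so the gate does not flag the parsing code."""
    findings = []
    for m in _BEGIN.finditer(text):
        body = 0
        for chunk in _SPLIT.split(text[m.end():]):
            token = chunk.strip()
            if not token:
                if body:
                    break        # blank line after the body ends the block
                continue         # marker ended its line; body starts next
            if "-----END" in token:
                break
            if _B64_TOKEN.match(token):
                body += 1
            else:
                break            # code or prose follows, not a PEM body
        if body:
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, m.group("label"), body))
    return findings


def check_sources(sources: dict[str, str], ignore_globs=IGNORED_GLOBS) -> list[Finding]:
    """Scan a mapping of repo-relative path -> file text, honouring ignore globs."""
    findings = []
    for path, text in sorted(sources.items()):
        if any(fnmatch.fnmatch(path, g) for g in ignore_globs):
            continue
        findings.extend(find_private_key_blocks(text, path))
    return findings


def scan_tree(root: Path, ignore_globs=IGNORED_GLOBS) -> list[Finding]:
    """Read every file under root (except .git) and run check_sources over it."""
    sources = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            sources[p.relative_to(root).as_posix()] = p.read_text(encoding="utf-8", errors="replace")
    return check_sources(sources, ignore_globs)


# Constructed samples. FILLER is base64 of a sentence, not key bytes.
FILLER = base64.b64encode(b"CONSTRUCTED FILLER, NOT A KEY").decode()

BEFORE_RS = f'''\
#[test]
fn loads_client_key_pem() {{
    // Embedded fixture: the pattern the PR removed, with filler in place of key bytes.
    const KEY_PEM: &str = "-----BEGIN RSA PRIVATE KEY-----\\n{FILLER}\\n{FILLER}\\n-----END RSA PRIVATE KEY-----";
    assert!(load_client_key_pem_bytes(KEY_PEM.as_bytes()).is_ok());
}}
'''

AFTER_RS = '''\
#[test]
fn loads_client_key_pem() {
    // Key generated at test time (PKCS#8 PEM); nothing embedded in source.
    let pem = rcgen::KeyPair::generate().unwrap().serialize_pem();
    assert!(load_client_key_pem_bytes(pem.as_bytes()).is_ok());
}
'''

# A loader that names the PEM label but carries no body must not trigger the gate.
LOADER_RS = '''\
const PEM_LABEL: &str = "-----BEGIN PRIVATE KEY-----";
fn looks_like_pkcs8(pem: &str) -> bool { pem.starts_with(PEM_LABEL) }
'''

RAW_KEY_PEM = f"-----BEGIN PRIVATE KEY-----\n{FILLER}\n{FILLER}\n{FILLER}\n-----END PRIVATE KEY-----\n"

# Constructed repository snapshot: tls.rs as it was before the PR, a hypothetical
# pem.rs loader, the gitignored fixture, and a .pem copy the glob does not cover.
SAMPLE_REPO = {
    "crates/mqtt5/src/transport/tls.rs": BEFORE_RS,
    "crates/mqtt5/src/transport/pem.rs": LOADER_RS,
    "test_certs/client.key": RAW_KEY_PEM,
    "test_certs/client.pem": RAW_KEY_PEM,
}

if __name__ == "__main__":
    hits = scan_tree(Path(sys.argv[1]) if len(sys.argv) > 1 else Path("."))
    for f in hits:
        print(f"{f.path}:{f.line}: {f.label} block ({f.body_lines} body lines)")
    sys.exit(1 if hits else 0)
```

Run as `python pem_gate.py .` (hypothetical file name) from the repository root; it exits 1 on any finding, so it fits a pre-commit hook or a CI step. It only sees the working tree, which is exactly the limitation the description points at: the blobs in dea578ac and e340249 remain reachable from history, and `git rev-list --all | xargs git grep -l -e 'BEGIN RSA PRIVATE KEY'` will keep listing them, which is why those alerts are dismissed rather than closed.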

@fabracht fabracht merged commit 4f7a9d3 into main Jun 15, 2026
15 checks passed
@fabracht fabracht deleted the remove-embedded-test-key branch June 15, 2026 22:34