
Re-enable OIDC wiremock tests once a new certificate chain is available #44761

Closed
sberyozkin opened this issue Nov 26, 2024 · 6 comments · Fixed by #44808
Assignees
Labels: area/housekeeping, area/oidc
Milestone

Comments

@sberyozkin
Member

sberyozkin commented Nov 26, 2024

Description

In #44760, I had to disable a good number of OIDC wiremock tests because they now use expired certificates.

The question is how to re-create the certificates. The difficulty is that it is a full chain, with the leaf, intermediate and root certificates - I think Clement @cescoffier made it possible to auto-generate such 3-certificate chains.
But one of the tests has a truststore p12 file which has the leaf certificate from this chain imported - to test a case where a token is signed with this leaf certificate, with the whole chain being inlined in the token, to verify that such a leaf cert is trusted by the server.
Clement, can your certificate extension do some magic such that a 3-cert chain is generated and the leaf cert is also inserted into a truststore?
I may have to just regenerate the whole chain manually...

Implementation ideas

No response

@sberyozkin sberyozkin added the area/housekeeping label Nov 26, 2024

quarkus-bot bot commented Nov 26, 2024

/cc @pedroigor (oidc)

@sberyozkin sberyozkin self-assigned this Nov 26, 2024
@sberyozkin
Member Author

Hi @gsmet

could we fix the issue in a way that it doesn't happen again? Because if we don't, that means that it will be impossible to run the tests in old branches at some point, which is not really acceptable.

Unfortunately, I'm not sure we have tooling support yet; it is nearly there, @cescoffier has https://github.com/cescoffier/certificate-generator (thanks @gastaldi for sharing the link), which is very good, but the impacted OIDC tests:

  • Do not use TLS - it is probably not really a blocker, as long as the certificate generator can create certificates as files, which I believe it can
  • Need exactly a 3-certificate chain: leaf one signed by the intermediate one, intermediate one - by the root
  • I need to be able to get List<X509Certificate> on the test side to have it inlined in the token, so if all certificates in the chain are available as files then it would be easy
  • On the server, currently, I have the root and leaf certificates imported, which is a bare required minimum, the 3 certificate chain can be imported as well (as far as I recall it was not possible in the real prod)

Clement, is that already possible with your cert generator?

If not, I can regenerate them manually and make them last long enough not to be worried about the expiry for a few years, and get rid of the certificate resources later, once it becomes possible.
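The manual regeneration described in this thread (a root -> intermediate -> leaf chain, every certificate available as a file so the test can inline the chain in the token, and a PKCS#12 truststore holding the root and leaf), written out as an added example. This is not code from the issue, from Quarkus or from the certificate-generator project; it uses the openssl CLI only, and the file names, subject names, the 10-year default validity and the "changeit" truststore password are assumptions of the example:

```shell
#!/bin/sh
# Added example (not Quarkus code): regenerate a root -> intermediate -> leaf
# chain with openssl and build a PKCS#12 truststore holding root + leaf.
# File names, subjects, validity and the "changeit" password are assumptions.

# One config file drives both the CSRs ([req]) and the v3 extensions that
# make an issuer a valid CA ([ca_ext]) versus an end-entity ([leaf_ext]).
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Issue one certificate: create a key + CSR for $name, then sign the CSR with
# $issuer's key (self-signed when issuer == name), applying $ext_section.
issue_cert() {
  dir=$1; name=$2; subj=$3; issuer=$4; ext_section=$5; days=$6
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/chain.cnf" \
    -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = "$name" ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days "$days" -sha256 \
      -extfile "$dir/chain.cnf" -extensions "$ext_section" -out "$dir/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
      -CAcreateserial -days "$days" -sha256 \
      -extfile "$dir/chain.cnf" -extensions "$ext_section" -out "$dir/$name.pem" 2>/dev/null
  fi
}

# Build the 3-certificate chain plus the truststore in $1.
# Default validity is ~10 years so the tests do not expire again soon.
gen_chain() {
  out=$1; days=${2:-3650}
  mkdir -p "$out" && write_config "$out/chain.cnf" || return 1
  issue_cert "$out" root         "/CN=Test Root CA"         root         ca_ext   "$days" || return 1
  issue_cert "$out" intermediate "/CN=Test Intermediate CA" root         ca_ext   "$days" || return 1
  issue_cert "$out" leaf         "/CN=test-token-signer"    intermediate leaf_ext "$days" || return 1
  # Chain file in the order a token's x5c carries it: leaf, intermediate, root.
  cat "$out/leaf.pem" "$out/intermediate.pem" "$out/root.pem" > "$out/chain.pem"
  # Truststore with root + leaf only (the bare minimum mentioned in the thread).
  # On OpenSSL >= 3.2 add '-jdktrust anyExtendedKeyUsage' so the JDK PKCS12
  # KeyStore flags these key-less entries as trusted certificates.
  cat "$out/root.pem" "$out/leaf.pem" > "$out/trusted.pem"
  openssl pkcs12 -export -nokeys -in "$out/trusted.pem" \
    -out "$out/truststore.p12" -passout pass:changeit 2>/dev/null
}

# Validate the chain the way a relying party would: the root is the only trust
# anchor, the intermediate is supplied untrusted, and the leaf must verify.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Number of certificates stored in the truststore (expected: 2, root + leaf).
truststore_cert_count() {
  openssl pkcs12 -in "$1/truststore.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh gen-chain.sh <output-dir> [days]
if [ $# -gt 0 ]; then
  gen_chain "$1" "${2:-3650}" && verify_chain "$1" \
    && echo "chain OK: $1/chain.pem, truststore: $1/truststore.p12"
fi
```

After `gen_chain out`, `out/leaf.key` is the key a test would sign tokens with, `out/chain.pem` holds the three certificates in the order they would be inlined, and `out/truststore.p12` is the server-side truststore. `verify_chain` fails as soon as the intermediate is missing, mis-issued (no `CA:TRUE`) or expired, which surfaces a broken chain at generation time rather than as a failing OIDC test later.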

@cescoffier
Member

You can use the API to do that. Check in the code repository there is an example.

@sberyozkin
Member Author

@cescoffier Looking very good

@sberyozkin
Member Author

@cescoffier Sorry, missed your message, yeah, I successfully copied it :-)

@quarkus-bot quarkus-bot bot added this to the 3.18 - main milestone Dec 1, 2024
@gsmet gsmet modified the milestones: 3.18 - main, 3.17.3 Dec 3, 2024
@gsmet gsmet modified the milestones: 3.17.3, 3.15.3 Dec 12, 2024