fixed Private key and certificates on repo

[guptapratykshh]

Fixes #3611

Removed the static key.pem and cert.pem files from io/shared/src/test/resources to verify we are no longer relying on committed private keys , implemented ephemeral certificate generation for Scala Native using the openssl CLI. This generates a proper Root CA and signs a Server Certificate with strict RFC 5280 extensions (SKI, AKI, KeyUsage) to satisfy s2n-tls validation requirements and implemented ephemeral certificate generation for Scala.js using openssl (via fs2.io.process), ensuring we can run TLS tests on Node.js without the deleted static files.

[guptapratykshh]

@mpilquist can you have a look at this PR , Thanks.

[mpilquist]

Note this file is JVM specific but name still has Js in it.

[mpilquist]

If the implementations all shell out to openssl, why do they need to be platform specific? If instead we used, e.g., JCA on the JVM, node-forge on JS, and libopenssl on native, then I could see doing the platform independent approach.

[mpilquist]

This will create a new Ref for each use of cachedProvider, defeating the attempt at caching.

[mpilquist]

Leftover from debugging?

[mpilquist]

No need to create a CA key/certificate. The generated certificate can be self signed. That will simplify this whole function. The self-signed cert + private key should be used as a client/server identity and the self-signed cert should be used in trust stores.

[mpilquist]

Only need to return a single self-signed certificate and private key. Should also document the format that's returned (e.g. PEM, etc)

[mpilquist]

I'd also rename this to be CertificateAndPrivateKey

[mpilquist]

I'd remove this provider concept and just do this:

object TestCertificateProvider {
  private val cachedValue: AtomicCell[IO, Option[CertificateAndPrivateKey]] = AtomicCell.of(None).unsafeRunSync()

  def getCertificateAndPrivateKey: IO[CertificateAndPrivateKey] = {
    cachedValue.evalUpdate {
      case Some(cached) => IO.pure(cached)
      case None => generateCertificateAndPrivateKey
    }
  }

  private def generateCertificateAndPrivateKey: IO[CertificateAndPrivateKey] = ???
}

[mpilquist]

See my other comment about using cats.effect.std.AtomicCell which simplifies this caching logic.

[guptapratykshh]

i have tested locally all these tests are passing , but cli si failing

[mpilquist]

Looks like the -addext switch was causing openssl to segfault sometimes.

[mpilquist]

@guptapratykshh Take a look at the 2 commits from today for some further simplifications. AtomicCell is missing both an unsafe constructor (like Ref has) and an in constructor (like Mutex has) so I replaced it with a Ref+Mutex to avoid the complicated initialization. I also added an API to S2nConfig to allow specifying a cert+key with a PEM string instead of only via binary, which removed the need for carrying both formats in the value returned from TestCertificateProvider.