diff options
| author |   Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-05-29 13:35:11 +0200 |
|---|---|---|
| committer | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-08-01 09:48:32 +0200 |
| commit | a4becf29f32de7467793867c3be1d5ab5876477e (patch) | |
| tree | 1e32d3e71188b36e712c8a8ac35c774da70537e1 /ssl | |
| parent | a150bc08ad326699717e09903e42d462e5e9c935 (diff) | |
Use SSL for encrypting the connection
Netty's OpenSSL bindings are used
Closes ONAP-179
Change-Id: I8249fbaaed1dd869b733db04a27cebf53962c80c
Issue-ID: DCAEGEN2-601
Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/.gitignore | 4 | ||||
| -rw-r--r-- | ssl/Makefile | 33 | ||||
| -rw-r--r-- | ssl/README.md | 28 | ||||
| -rwxr-xr-x | ssl/connect.sh | 26 |
4 files changed, 91 insertions, 0 deletions
diff --git a/ssl/.gitignore b/ssl/.gitignore new file mode 100644 index 00000000..598dc753 --- /dev/null +++ b/ssl/.gitignore @@ -0,0 +1,4 @@ +*.crt +*.key +*.srl +*.csr diff --git a/ssl/Makefile b/ssl/Makefile new file mode 100644 index 00000000..d9d1027f --- /dev/null +++ b/ssl/Makefile @@ -0,0 +1,33 @@ +FILE=sample +CA_PASSWD=onap +SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO +CA=onap + +sign: $(FILE).crt + +clean: + rm -f *.crt *.key *.srl *.csr + +generate-ca-certificate: $(CA).crt + +generate-private-key: $(FILE).key + +create-public-key: $(FILE).pub + +create-sign-request: $(FILE).csr + +$(CA).crt: + openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)" + +$(FILE).key: + openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048 + +$(FILE).pub: $(FILE).key + openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt + +$(FILE).csr: $(FILE).key + openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)" + +$(FILE).crt: $(CA).crt $(FILE).csr + openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD) + diff --git a/ssl/README.md b/ssl/README.md new file mode 100644 index 00000000..efba6107 --- /dev/null +++ b/ssl/README.md @@ -0,0 +1,28 @@ +# Generating SSL certificates + +Typical usage: + +```shell +make FILE=client +make FILE=server +``` + +Will generate CA certificate and signed client and server certificates. + +More "low-level" usage: + +```shell +make generate-ca-certificate +make generate-private-key FILE=client +make sign FILE=client +``` + +# Connecting to a server + +First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority. + +After that you can: + +```shell +./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat +``` diff --git a/ssl/connect.sh b/ssl/connect.sh new file mode 100755 index 00000000..16524c3e --- /dev/null +++ b/ssl/connect.sh @@ -0,0 +1,26 @@ +#!/bin/bash +set -eou pipefail + +if [[ $# < 2 ]]; then + echo "Please provide a key file prefix and a target host:port" + exit 1 +fi + +key_prefix=$1 +host_and_port=$2 + +cert_file="$key_prefix.crt" +key_file="$key_prefix.key" + +if [[ ! -r "$cert_file" ]]; then + echo "$cert_file is not readable" + exit 2 +fi + +if [[ ! -r "$key_file" ]]; then + echo "$key_file is not readable" + exit 2 +fi + +openssl s_client -connect $host_and_port -cert "$cert_file" -key "$key_file" -CAfile onap.crt + |