aboutsummaryrefslogtreecommitdiffstats
path: root/ssl
diff options
context:
space:
mode:
authorPiotr Jaszczyk <piotr.jaszczyk@nokia.com>2018-09-20 12:04:03 +0200
committerPiotr Jaszczyk <piotr.jaszczyk@nokia.com>2018-09-24 14:25:32 +0200
commit069dcc194fd049e1c52e60d03ce2a9c0553289a7 (patch)
tree7916a4fa6b15734301c1e78bb8a20adf22532b4f /ssl
parent7b269674526a267f14895df8b825f3b59b30b98a (diff)
Use JDK security provider
Replace netty-tcnative bindings for OpenSSL with JDK provided implementation by default. Change-Id: I59a4797ce43d15a791eab00bfd25cb730a271207 Issue-ID: DCAEGEN2-816 Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Diffstat (limited to 'ssl')
-rw-r--r--ssl/.gitignore3
-rw-r--r--ssl/Makefile-openssl (renamed from ssl/Makefile)12
-rw-r--r--ssl/README.md26
-rwxr-xr-xssl/gen-certs.sh58
4 files changed, 97 insertions, 2 deletions
diff --git a/ssl/.gitignore b/ssl/.gitignore
index 598dc753..23888eb0 100644
--- a/ssl/.gitignore
+++ b/ssl/.gitignore
@@ -2,3 +2,6 @@
*.key
*.srl
*.csr
+*.pkcs12
+*.p12
+
diff --git a/ssl/Makefile b/ssl/Makefile-openssl
index 28326505..09802ce4 100644
--- a/ssl/Makefile
+++ b/ssl/Makefile-openssl
@@ -1,12 +1,13 @@
FILE=sample
-CA_PASSWD=onap
+PASSWD=onaponap
+CA_PASSWD=onaponap
SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO
CA=trust
sign: $(FILE).crt
clean:
- rm -f *.crt *.key *.srl *.csr
+ rm -f *.crt *.key *.srl *.csr *.pkcs12
generate-ca-certificate: $(CA).crt
@@ -16,6 +17,11 @@ create-public-key: $(FILE).pub
create-sign-request: $(FILE).csr
+create-key-store: $(FILE).ks.pkcs12
+
+create-trust-store: $(CA).crt
+ openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD)
+
$(CA).crt:
openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)"
@@ -31,3 +37,5 @@ $(FILE).csr: $(FILE).key
$(FILE).crt: $(CA).crt $(FILE).csr
openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD)
+$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt
+ openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD)
diff --git a/ssl/README.md b/ssl/README.md
index efba6107..c2819d24 100644
--- a/ssl/README.md
+++ b/ssl/README.md
@@ -1,5 +1,23 @@
# Generating SSL certificates
+## Java keytool way (recommended)
+
+To generate:
+
+```shell
+./gen-certs.sh
+```
+
+To clean (remove generated files):
+
+```shell
+./gen-certs.sh clean
+```
+
+## OpenSSL way (currently might not work)
+
+> Add `-f Makefile-openssl` to each command
+
Typical usage:
```shell
@@ -7,6 +25,14 @@ make FILE=client
make FILE=server
```
+or (to generate PKCS12 key and trust stores):
+
+```shell
+make create-key-store FILE=client
+make create-key-store FILE=server
+make create-trust-store
+```
+
Will generate CA certificate and signed client and server certificates.
More "low-level" usage:
diff --git a/ssl/gen-certs.sh b/ssl/gen-certs.sh
new file mode 100755
index 00000000..b4f78227
--- /dev/null
+++ b/ssl/gen-certs.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail -o xtrace
+
+STORE_PASS=onaponap
+CN_PREFIX=dcaegen2-hvves
+DNAME_PREFIX="C=PL,ST=DL,L=Wroclaw,O=Nokia,OU=MANO,CN=${CN_PREFIX}"
+TRUST=trust
+
+store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt"
+
+function gen_key() {
+ local key_name="$1"
+ local ca="$2"
+ local keystore="-keystore ${key_name}.p12 ${store_opts}"
+ keytool -genkey -alias ${key_name} \
+ ${keystore} \
+ -keyalg RSA \
+ -validity 730 \
+ -keysize 2048 \
+ -dname "${DNAME_PREFIX}-${key_name}"
+ keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore}
+
+ keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \
+ keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \
+ keytool -alias ${key_name} -importcert ${keystore}
+}
+
+
+function gen_ca() {
+ local ca="$1"
+ keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12
+ keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12
+}
+
+function gen_truststore() {
+ local trusted_ca="$1"
+ keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${TRUST}.p12
+}
+
+function clean() {
+ rm -f *.crt *.p12
+}
+
+if [[ $# -eq 0 ]]; then
+ gen_ca ca
+ gen_ca untrustedca
+ gen_truststore ca
+ gen_key client ca
+ gen_key server ca
+ gen_key untrustedclient untrustedca
+elif [[ $1 == "clean" ]]; then
+ clean
+else
+ echo "usage: $0 [clean]"
+ exit 1
+fi
+