diff options
| author |   Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-09-20 12:04:03 +0200 |
|---|---|---|
| committer | Piotr Jaszczyk <piotr.jaszczyk@nokia.com> | 2018-09-24 14:25:32 +0200 |
| commit | 069dcc194fd049e1c52e60d03ce2a9c0553289a7 (patch) | |
| tree | 7916a4fa6b15734301c1e78bb8a20adf22532b4f /ssl | |
| parent | 7b269674526a267f14895df8b825f3b59b30b98a (diff) | |
Use JDK security provider
Replace netty-tcnative bindings for OpenSSL with JDK provided
implementation by default.
Change-Id: I59a4797ce43d15a791eab00bfd25cb730a271207
Issue-ID: DCAEGEN2-816
Signed-off-by: Piotr Jaszczyk <piotr.jaszczyk@nokia.com>
Diffstat (limited to 'ssl')
| -rw-r--r-- | ssl/.gitignore | 3 | ||||
| -rw-r--r-- | ssl/Makefile-openssl (renamed from ssl/Makefile) | 12 | ||||
| -rw-r--r-- | ssl/README.md | 26 | ||||
| -rwxr-xr-x | ssl/gen-certs.sh | 58 |
4 files changed, 97 insertions, 2 deletions
diff --git a/ssl/.gitignore b/ssl/.gitignore index 598dc753..23888eb0 100644 --- a/ssl/.gitignore +++ b/ssl/.gitignore @@ -2,3 +2,6 @@ *.key *.srl *.csr +*.pkcs12 +*.p12 + diff --git a/ssl/Makefile b/ssl/Makefile-openssl index 28326505..09802ce4 100644 --- a/ssl/Makefile +++ b/ssl/Makefile-openssl @@ -1,12 +1,13 @@ FILE=sample -CA_PASSWD=onap +PASSWD=onaponap +CA_PASSWD=onaponap SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO CA=trust sign: $(FILE).crt clean: - rm -f *.crt *.key *.srl *.csr + rm -f *.crt *.key *.srl *.csr *.pkcs12 generate-ca-certificate: $(CA).crt @@ -16,6 +17,11 @@ create-public-key: $(FILE).pub create-sign-request: $(FILE).csr +create-key-store: $(FILE).ks.pkcs12 + +create-trust-store: $(CA).crt + openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD) + $(CA).crt: openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)" @@ -31,3 +37,5 @@ $(FILE).csr: $(FILE).key $(FILE).crt: $(CA).crt $(FILE).csr openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD) +$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt + openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD) diff --git a/ssl/README.md b/ssl/README.md index efba6107..c2819d24 100644 --- a/ssl/README.md +++ b/ssl/README.md @@ -1,5 +1,23 @@ # Generating SSL certificates +## Java keytool way (recommended) + +To generate: + +```shell +./gen-certs.sh +``` + +To clean (remove generated files): + +```shell +./gen-certs.sh clean +``` + +## OpenSSL way (currently might not work) + +> Add `-f Makefile-openssl` to each command + Typical usage: ```shell @@ -7,6 +25,14 @@ make FILE=client make FILE=server ``` +or (to generate PKCS12 key and trust stores): + +```shell +make create-key-store FILE=client +make create-key-store FILE=server +make create-trust-store +``` + Will generate CA certificate and signed client and server certificates. More "low-level" usage: diff --git a/ssl/gen-certs.sh b/ssl/gen-certs.sh new file mode 100755 index 00000000..b4f78227 --- /dev/null +++ b/ssl/gen-certs.sh @@ -0,0 +1,58 @@ +#!/usr/bin/env bash + +set -eu -o pipefail -o xtrace + +STORE_PASS=onaponap +CN_PREFIX=dcaegen2-hvves +DNAME_PREFIX="C=PL,ST=DL,L=Wroclaw,O=Nokia,OU=MANO,CN=${CN_PREFIX}" +TRUST=trust + +store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt" + +function gen_key() { + local key_name="$1" + local ca="$2" + local keystore="-keystore ${key_name}.p12 ${store_opts}" + keytool -genkey -alias ${key_name} \ + ${keystore} \ + -keyalg RSA \ + -validity 730 \ + -keysize 2048 \ + -dname "${DNAME_PREFIX}-${key_name}" + keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore} + + keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \ + keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \ + keytool -alias ${key_name} -importcert ${keystore} +} + + +function gen_ca() { + local ca="$1" + keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12 + keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12 +} + +function gen_truststore() { + local trusted_ca="$1" + keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${TRUST}.p12 +} + +function clean() { + rm -f *.crt *.p12 +} + +if [[ $# -eq 0 ]]; then + gen_ca ca + gen_ca untrustedca + gen_truststore ca + gen_key client ca + gen_key server ca + gen_key untrustedclient untrustedca +elif [[ $1 == "clean" ]]; then + clean +else + echo "usage: $0 [clean]" + exit 1 +fi + |