author | 2019-11-25 11:05:39 +0100 | |
committer | 2019-12-03 07:48:13 +0000 | |
commit | c310382470d5e499bb933b051bf3434c83a0ddbe (patch) | |
tree | a6ff2a8130251ee317263d6c1412b7f6ffb70e4e /test/mocks/pnfsimulator/netconfsimulator/netconf | |
parent | be1df2cdc3e8f2b16cd007dcdb59c8093024a0a3 (diff) |
Configure netopeer to support mTLS
Issue-ID: INT-1372
Signed-off-by: wsliwka <wojciech.sliwka@nokia.com>
Change-Id: I11281c2a0703b97e1075d01bba9ec076766daf0d
Diffstat (limited to 'test/mocks/pnfsimulator/netconfsimulator/netconf')
4 files changed, 29 insertions, 15 deletions
diff --git a/test/mocks/pnfsimulator/netconfsimulator/netconf/initialize_netopeer.sh b/test/mocks/pnfsimulator/netconfsimulator/netconf/initialize_netopeer.sh
index 550a64ff4..3ce53d510 100755
--- a/test/mocks/pnfsimulator/netconfsimulator/netconf/initialize_netopeer.sh
+++ b/test/mocks/pnfsimulator/netconfsimulator/netconf/initialize_netopeer.sh
@@ -34,7 +34,7 @@ cp /tls/* /usr/local/etc/keystored/keys/
 cp /netconf/*.xml /tmp/
 chmod +x /netconf/set-up-xmls.py
-/netconf/set-up-xmls.py /tls ca.crt server_cert.crt server_key.pem /tmp/load_server_certs.xml /tmp/tls_listen.xml
+/netconf/set-up-xmls.py /tls ca.crt server_cert.crt server_key.pem /tmp/load_server_certs.xml /tmp/tls_listen.xml client.crt
 /usr/bin/supervisord -c /etc/supervisord.conf &
 sysrepoctl --install --yang=/netconf/pnf-simulator.yang --owner=netconf:nogroup --permissions=777
diff --git a/test/mocks/pnfsimulator/netconfsimulator/netconf/load_server_certs.xml b/test/mocks/pnfsimulator/netconfsimulator/netconf/load_server_certs.xml
index 2524e08b0..b52f911c9 100644
--- a/test/mocks/pnfsimulator/netconfsimulator/netconf/load_server_certs.xml
+++ b/test/mocks/pnfsimulator/netconfsimulator/netconf/load_server_certs.xml
@@ -36,5 +36,9 @@
 <name>CA_CERT_NAME</name>
 <certificate>CA_CERTIFICATE_HERE</certificate>
 </trusted-certificate>
+ <trusted-certificate>
+ <name>CLIENT_CERT_NAME</name>
+ <certificate>CLIENT_CERTIFICATE_HERE</certificate>
+ </trusted-certificate>
 </trusted-certificates>
 </keystore>
diff --git a/test/mocks/pnfsimulator/netconfsimulator/netconf/set-up-xmls.py b/test/mocks/pnfsimulator/netconfsimulator/netconf/set-up-xmls.py
index d46ff91f9..cdc4e4f3d 100755
--- a/test/mocks/pnfsimulator/netconfsimulator/netconf/set-up-xmls.py
+++ b/test/mocks/pnfsimulator/netconfsimulator/netconf/set-up-xmls.py
@@ -35,9 +35,10 @@ SERVER_KEY_NAME = "SERVER_KEY_NAME"
 SERVER_CERT_NAME = "SERVER_CERT_NAME"
 SERVER_CERTIFICATE_HERE = "SERVER_CERTIFICATE_HERE"
 CA_CERT_NAME = "CA_CERT_NAME"
+CLIENT_CERT_NAME = "CLIENT_CERT_NAME"
+CLIENT_CERTIFICATE_HERE="CLIENT_CERTIFICATE_HERE"
 CA_CERTIFICATE_HERE = "CA_CERTIFICATE_HERE"
-CA_FINGERPRINT_HERE = "CA_FINGERPRINT_HERE"
-CA_FINGERPRINT_ENV = "CA_FINGERPRINT"
+CLIENT_FINGERPRINT_HERE = "CLIENT_FINGERPRINT_HERE"
 SERVER_CERTIFICATE_ENV = "SERVER_CERTIFICATE_ENV"
 CA_CERTIFICATE_ENV = "CA_CERTIFICATE_ENV"
@@ -64,7 +65,7 @@ class CertHelper(object):
 @classmethod
 def get_cert_fingerprint(cls, directory, cert_filename):
 cmd = "openssl x509 -fingerprint -noout -in {}/{} | sed -e " \
- "'s/SHA1 Fingerprint//; s/=//; s/=//p'" \
+ "'s/SHA1 Fingerprint//; s/=//; s/=//p'" \
 .format(directory, cert_filename)
 fingerprint = CertHelper.system(cmd)
 return fingerprint
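Review bot: `CLIENT_CERTIFICATE_HERE="CLIENT_CERTIFICATE_HERE"` drops the spaces around `=` that every neighbouring constant in this block uses; write it as `CLIENT_CERTIFICATE_HERE = "CLIENT_CERTIFICATE_HERE"` so the group stays uniform and passes the usual linters. None of these constants says what they are for, and the later hunks show them being fed to `str.replace` on the XML template contents, so a single leading comment such as `# Placeholder tokens that set-up-xmls.py substitutes into load_server_certs.xml / tls_listen.xml` would make the block self-explanatory. `CA_FINGERPRINT_ENV` is removed here; whether anything outside these hunks still reads it is not visible in this diff, so a grep for it before merging would be prudent.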
@@ -84,19 +85,21 @@ class App(object):
 @classmethod
 def patch_server_certs(cls, data, server_key_filename_noext,
 server_cert_filename_noext, ca_cert_filename_noext,
- server_cert, ca_cert):
+ server_cert, ca_cert, client_cert_filename_noext, client_cert):
 data = data.replace(SERVER_KEY_NAME, server_key_filename_noext)
 data = data.replace(SERVER_CERT_NAME, server_cert_filename_noext)
 data = data.replace(CA_CERT_NAME, ca_cert_filename_noext)
+ data = data.replace(CLIENT_CERT_NAME, client_cert_filename_noext)
+ data = data.replace(CLIENT_CERTIFICATE_HERE, client_cert)
 data = data.replace(SERVER_CERTIFICATE_HERE, server_cert)
 data = data.replace(CA_CERTIFICATE_HERE, ca_cert)
 return data
 @classmethod
- def patch_tls_listen(cls, data, server_cert_filename_noext, ca_fingerprint,
+ def patch_tls_listen(cls, data, server_cert_filename_noext, client_fingerprint,
 server_cert, ca_cert):
 data = data.replace(SERVER_CERT_NAME, server_cert_filename_noext)
- data = data.replace(CA_FINGERPRINT_HERE, ca_fingerprint)
+ data = data.replace(CLIENT_FINGERPRINT_HERE, client_fingerprint)
 data = data.replace(SERVER_CERTIFICATE_HERE, server_cert)
 data = data.replace(CA_CERTIFICATE_HERE, ca_cert)
 return data
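Review bot: `patch_server_certs` now takes six positional template values and no docstring, and the two new ones (`client_cert_filename_noext`, `client_cert`) are appended after `server_cert, ca_cert`, which breaks the grouping the other parameters follow (all `*_noext` names first, then the certificate bodies); placing `client_cert_filename_noext` after `ca_cert_filename_noext` and `client_cert` after `ca_cert`, or making the two new parameters keyword-only, would protect the single positional caller in `App.run` from silent argument mix-ups. Both methods deserve a docstring stating that each `*_NAME`/`*_HERE` token is replaced textually with `str.replace`, so an empty value erases the placeholder instead of failing; a one-line `"""Return *data* with the keystore placeholders replaced by the given key/cert names and PEM bodies."""` on `patch_server_certs` and the analogous line on `patch_tls_listen` would do. `patch_tls_listen` still receives `ca_cert` and substitutes `CA_CERTIFICATE_HERE`; whether tls_listen.xml still contains that token is not visible here, so the argument may be dead after this change.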
@@ -110,40 +113,46 @@ class App(object):
 server_key_filename = sys.argv[4]
 load_server_certs_xml_file = sys.argv[5]
 tls_listen_xml_file = sys.argv[6]
+ client_cert_filename = sys.argv[7]
+ # strip extensions
 ca_cert_filename_noext = ca_cert_filename.replace(".crt", "")
 server_cert_filename_noext = server_cert_filename.replace(".crt", "")
 server_key_filename_noext = server_key_filename.replace(".pem", "")
+ client_cert_filename_noext = client_cert_filename.replace(".crt", "")
 # get certificates from files
 server_cert = CertHelper.get_pem_content_stripped(cert_dir, server_cert_filename)
 ca_cert = CertHelper.get_pem_content_stripped(cert_dir, ca_cert_filename)
- ca_fingerprint = CertHelper.get_cert_fingerprint(cert_dir,
- ca_cert_filename)
- CertHelper.print_certs_info(ca_cert, ca_fingerprint, server_cert)
+ client_fingerprint = CertHelper.get_cert_fingerprint(cert_dir,
+ client_cert_filename)
+ CertHelper.print_certs_info(ca_cert, client_fingerprint, server_cert)
+ client_cert = CertHelper.get_pem_content_stripped(cert_dir,
+ client_cert_filename)
 # patch TLS configuration files
 data_srv = FileHelper.get_file_contents(load_server_certs_xml_file)
 patched_srv = App.patch_server_certs(data_srv, server_key_filename_noext, server_cert_filename_noext, ca_cert_filename_noext,
- server_cert, ca_cert)
+ server_cert, ca_cert,
+ client_cert_filename_noext, client_cert)
 FileHelper.write_file_contents(load_server_certs_xml_file, patched_srv)
 data_tls = FileHelper.get_file_contents(tls_listen_xml_file)
 patched_tls = App.patch_tls_listen(data_tls, server_cert_filename_noext,
- ca_fingerprint, server_cert, ca_cert)
+ client_fingerprint, server_cert, ca_cert)
 FileHelper.write_file_contents(tls_listen_xml_file, patched_tls)
 def main():
- if len(sys.argv) is not 7:
+ if len(sys.argv) is not 8:
 print("Usage: {1} <cert_dir> <ca_cert_filename> <server_cert_filename> " "<server_key_filename> <load_server_certs_xml_full_path> "
- "<tls_listen_full_path>", sys.argv[0])
+ "<tls_listen_full_path> <client_cert_filename>", sys.argv[0])
 return 1
 App.run()
 logger.info("XML files patched successfully")
diff --git a/test/mocks/pnfsimulator/netconfsimulator/netconf/tls_listen.xml b/test/mocks/pnfsimulator/netconfsimulator/netconf/tls_listen.xml
index 4f45b28a2..4f610b580 100644
--- a/test/mocks/pnfsimulator/netconfsimulator/netconf/tls_listen.xml
+++ b/test/mocks/pnfsimulator/netconfsimulator/netconf/tls_listen.xml
@@ -32,11 +32,12 @@
 </certificates>
 <client-auth>
 <trusted-ca-certs>test_trusted_ca_list</trusted-ca-certs>
+ <trusted-client-certs>test_trusted_ca_list</trusted-client-certs>
 <cert-maps>
 <cert-to-name>
 <id>1</id>
 <!-- This is not a typo - 0x02 should stay there -->
- <fingerprint>02:CA_FINGERPRINT_HERE</fingerprint>
+ <fingerprint>02:CLIENT_FINGERPRINT_HERE</fingerprint>
 <map-type xmlns:x509c2n="urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name">x509c2n:specified</map-type>
 <name>test</name>
 </cert-to-name>