From e4bd899f657daa88274f1419314f43953a6bc1ef Mon Sep 17 00:00:00 2001 From: Piotr Jaszczyk Date: Fri, 21 Sep 2018 11:31:59 +0200 Subject: Use PKCS12 key and trust store in HV-VES Collector Usage of keystore and truststore allows us to use JDK security framework instead of openssl JNI bindings which are sometimes problematic. * Replace openssl with keytool when generating the scripts Change-Id: Icaa21cd1db443b1dd8fe7e7c0523123df5ea2545 Issue-ID: DCAEGEN2-816 Signed-off-by: Piotr Jaszczyk --- .../testsuites/docker-compose.yml | 11 ++-- .../dcaegen2-collectors-hv-ves/testsuites/setup.sh | 36 ++++++++----- .../testsuites/ssl/.gitignore | 6 +++ .../testsuites/ssl/Makefile | 32 ------------ .../testsuites/ssl/Makefile-openssl | 41 +++++++++++++++ .../testsuites/ssl/README.md | 38 +++++++++++++- .../testsuites/ssl/gen-certs.sh | 59 ++++++++++++++++++++++ .../testsuites/teardown.sh | 5 +- .../testcases/libraries/XnfSimulatorLibrary.py | 20 ++++---- 9 files changed, 185 insertions(+), 63 deletions(-) create mode 100644 test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore delete mode 100644 test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile create mode 100644 test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl create mode 100755 test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh (limited to 'test/csit') diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml index 1673715cb..2a928217d 100644 --- a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/docker-compose.yml @@ -42,12 +42,15 @@ services: command: ["-server", "-bootstrap"] ves-hv-collector: - image: $DOCKER_REGISTRY/onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:latest + image: ${DOCKER_REGISTRY_PREFIX}onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:latest ports: - "6060:6060" - "6061:6061/tcp" entrypoint: ["java", "-Dio.netty.leakDetection.level=paranoid", "-cp", "*:", "org.onap.dcae.collectors.veshv.main.MainKt"] - command: ["--listen-port", "6061","--config-url", "http://consul:8500/v1/kv/veshv-config"] + command: ["--listen-port", "6061", + "--config-url", "http://consul:8500/v1/kv/veshv-config", + "--key-store-password", "onaponap", + "--trust-store-password", "onaponap"] healthcheck: interval: 10s timeout: 5s @@ -61,7 +64,7 @@ services: - ves-hv-default unencrypted-ves-hv-collector: - image: $DOCKER_REGISTRY/onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:latest + image: ${DOCKER_REGISTRY_PREFIX}onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:latest ports: - "7060:6060" - "7061:6061/tcp" @@ -80,7 +83,7 @@ services: - ves-hv-default dcae-app-simulator: - image: $DOCKER_REGISTRY/onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-dcae-app-simulator:latest + image: ${DOCKER_REGISTRY_PREFIX}onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-dcae-app-simulator:latest ports: - "6063:6063/tcp" command: ["--listen-port", "6063", "--kafka-bootstrap-servers", "kafka:9092", "--kafka-topics", "ves_hvRanMeas"] diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh index 6b527fc22..6f72521af 100755 --- a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/setup.sh @@ -2,14 +2,25 @@ set -euo pipefail -pip uninstall -y docker-py -pip install docker - -COMPOSE_VERSION=1.22.0 -COMPOSE_LOCATION='/usr/local/bin/docker-compose' -sudo curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o ${COMPOSE_LOCATION} -sudo chmod +x ${COMPOSE_LOCATION} - +if [[ $# -eq 1 ]] && [[ $1 == "local-test-run" ]]; then + echo "Building locally - assuming all dependencies are installed" + export DOCKER_REGISTRY="" + export DOCKER_REGISTRY_PREFIX="" + export WORKSPACE=$(git rev-parse --show-toplevel) +else + echo "Default run - install all dependencies" + + pip uninstall -y docker-py + pip install docker + + COMPOSE_VERSION=1.22.0 + COMPOSE_LOCATION='/usr/local/bin/docker-compose' + sudo curl -L https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m) -o ${COMPOSE_LOCATION} + sudo chmod +x ${COMPOSE_LOCATION} + + export DOCKER_REGISTRY="nexus3.onap.org:10001" + export DOCKER_REGISTRY_PREFIX="${DOCKER_REGISTRY}/" +fi echo "Removing not used docker networks" docker network prune -f @@ -19,14 +30,11 @@ echo "Creating network for containers: ${CONTAINERS_NETWORK}" docker network create ${CONTAINERS_NETWORK} cd ssl -make FILE=client -make FILE=server -make FILE=invalid_client CA=invalid_trust +./gen-certs.sh cd .. -export DOCKER_REGISTRY="nexus3.onap.org:10001" docker-compose up -d -mkdir ${WORKSPACE}/archives/containers_logs +mkdir -p ${WORKSPACE}/archives/containers_logs -export ROBOT_VARIABLES="--pythonpath ${WORKSPACE}/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries" \ No newline at end of file +export ROBOT_VARIABLES="--pythonpath ${WORKSPACE}/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries" diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore new file mode 100644 index 000000000..0729569ce --- /dev/null +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/.gitignore @@ -0,0 +1,6 @@ +*.crt +*.key +*.srl +*.csr +*.pkcs12 +*.p12 diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile deleted file mode 100644 index 5fddc6b1d..000000000 --- a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -FILE=sample -CA_PASSWD=onap -SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO -CA=trust - -sign: $(FILE).crt - -clean: - rm -f *.crt *.key *.srl *.csr - -generate-ca-certificate: $(CA).crt - -generate-private-key: $(FILE).key - -create-public-key: $(FILE).pub - -create-sign-request: $(FILE).csr - -$(CA).crt: - openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)" - -$(FILE).key: - openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048 - -$(FILE).pub: $(FILE).key - openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt - -$(FILE).csr: $(FILE).key - openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)" - -$(FILE).crt: $(CA).crt $(FILE).csr - openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD) \ No newline at end of file diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl new file mode 100644 index 000000000..a32d30dd0 --- /dev/null +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/Makefile-openssl @@ -0,0 +1,41 @@ +FILE=sample +PASSWD=onaponap +CA_PASSWD=onaponap +SUBJ=/C=PL/ST=DL/L=Wroclaw/O=Nokia/OU=MANO +CA=trust + +sign: $(FILE).crt + +clean: + rm -f *.crt *.key *.srl *.csr *.pkcs12 + +generate-ca-certificate: $(CA).crt + +generate-private-key: $(FILE).key + +create-public-key: $(FILE).pub + +create-sign-request: $(FILE).csr + +create-key-store: $(FILE).ks.pkcs12 + +create-trust-store: $(CA).crt + openssl pkcs12 -export -in $(CA).crt -CAfile $(CA).crt -out $(CA).pkcs12 -nokeys -noiter -nomaciter -passout pass:$(PASSWD) + +$(CA).crt: + openssl req -new -x509 -keyout $(CA).key -out $(CA).crt -days 365 -passout pass:$(CA_PASSWD) -subj "$(SUBJ)" + +$(FILE).key: + openssl genpkey -algorithm RSA -out $(FILE).key -pkeyopt rsa_keygen_bits:2048 + +$(FILE).pub: $(FILE).key + openssl x509 -req -days 360 -in client.csr -CA $(CA).crt -CAkey $(CA).key -CAcreateserial -out client.crt + +$(FILE).csr: $(FILE).key + openssl req -new -sha256 -key $(FILE).key -out $(FILE).csr -subj "$(SUBJ)" + +$(FILE).crt: $(CA).crt $(FILE).csr + openssl x509 -req -days 360 -in $(FILE).csr -CA $(CA).crt -CAkey $(CA).key -out $(FILE).crt -CAcreateserial -passin pass:$(CA_PASSWD) + +$(FILE).ks.pkcs12: $(FILE).key $(FILE).crt $(CA).crt + openssl pkcs12 -export -in $(FILE).crt -inkey $(FILE).key -CAfile $(CA).crt -out $(FILE).ks.pkcs12 -noiter -nomaciter -passout pass:$(PASSWD) diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md index 174c16641..c2819d249 100644 --- a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/README.md @@ -1,5 +1,23 @@ # Generating SSL certificates +## Java keytool way (recommended) + +To generate: + +```shell +./gen-certs.sh +``` + +To clean (remove generated files): + +```shell +./gen-certs.sh clean +``` + +## OpenSSL way (currently might not work) + +> Add `-f Makefile-openssl` to each command + Typical usage: ```shell @@ -7,12 +25,30 @@ make FILE=client make FILE=server ``` +or (to generate PKCS12 key and trust stores): + +```shell +make create-key-store FILE=client +make create-key-store FILE=server +make create-trust-store +``` + Will generate CA certificate and signed client and server certificates. More "low-level" usage: ```shell make generate-ca-certificate -make generate-private-key FILE=client +make generate-private-key FILE=client make sign FILE=client ``` + +# Connecting to a server + +First generate *client* and *server* certificates. Then start a server with it's cert and make ca.crt a trusted certification authority. + +After that you can: + +```shell +./connect.sh client localhost:8600 < file_with_a_data_to_be_sent.dat +``` diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh new file mode 100755 index 000000000..34572f7a7 --- /dev/null +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/gen-certs.sh @@ -0,0 +1,59 @@ +#!/usr/bin/env bash + +set -eu -o pipefail -o xtrace + +STORE_PASS=onaponap +CN_PREFIX=dcaegen2-hvves +DNAME_PREFIX="C=PL,ST=DL,L=Wroclaw,O=Nokia,OU=MANO,CN=${CN_PREFIX}" + +store_opts="-storetype PKCS12 -storepass ${STORE_PASS} -noprompt" + +function gen_key() { + local key_name="$1" + local ca="$2" + local keystore="-keystore ${key_name}.p12 ${store_opts}" + keytool -genkey -alias ${key_name} \ + ${keystore} \ + -keyalg RSA \ + -validity 730 \ + -keysize 2048 \ + -dname "${DNAME_PREFIX}-${key_name}" + keytool -import -trustcacerts -alias ${ca} -file ${ca}.crt ${keystore} + + keytool -certreq -alias ${key_name} -keyalg RSA ${keystore} | \ + keytool -alias ${ca} -gencert -ext "san=dns:${CN_PREFIX}-${ca}" ${store_opts} -keystore ${ca}.p12 | \ + keytool -alias ${key_name} -importcert ${keystore} +} + + +function gen_ca() { + local ca="$1" + keytool -genkeypair ${store_opts} -alias ${ca} -dname "${DNAME_PREFIX}-${ca}" -keystore ${ca}.p12 + keytool -export -alias ${ca} -file ${ca}.crt ${store_opts} -keystore ${ca}.p12 +} + +function gen_truststore() { + local name="$1" + local trusted_ca="$2" + keytool -import -trustcacerts -alias ca -file ${trusted_ca}.crt ${store_opts} -keystore ${name}.p12 +} + +function clean() { + rm -f *.crt *.p12 +} + +if [[ $# -eq 0 ]]; then + gen_ca ca + gen_ca untrustedca + gen_truststore trust ca + gen_truststore untrustedtrust untrustedca + gen_key client ca + gen_key server ca + gen_key untrustedclient untrustedca +elif [[ $1 == "clean" ]]; then + clean +else + echo "usage: $0 [clean]" + exit 1 +fi + diff --git a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh index 246fb8363..fe922ed09 100755 --- a/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh +++ b/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/teardown.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash cd ssl -make clean +./gen-certs.sh clean cd .. COMPOSE_LOGS_FILE=${WORKSPACE}/archives/containers_logs/docker-compose.log @@ -12,6 +12,5 @@ docker-compose rm -f docker network rm ${CONTAINERS_NETWORK} if grep "LEAK:" ${COMPOSE_LOGS_FILE}; then - echo "Teardown failed. Memory leak detected in docker-compose logs." - exit 1 + echo "WARNING: Memory leak detected in docker-compose logs." fi diff --git a/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries/XnfSimulatorLibrary.py b/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries/XnfSimulatorLibrary.py index 26d5a91c2..f6a978754 100644 --- a/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries/XnfSimulatorLibrary.py +++ b/test/csit/tests/dcaegen2-collectors-hv-ves/testcases/libraries/XnfSimulatorLibrary.py @@ -6,7 +6,7 @@ from time import sleep XNF_SIMULATOR_NAME = "xNF Simulator" SIMULATOR_IMAGE_NAME = "onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-xnf-simulator" -SIMULATOR_IMAGE_FULL_NAME = os.getenv("DOCKER_REGISTRY") + "/" + SIMULATOR_IMAGE_NAME + ":latest" +SIMULATOR_IMAGE_FULL_NAME = os.getenv("DOCKER_REGISTRY_PREFIX") + SIMULATOR_IMAGE_NAME + ":latest" WORKSPACE_ENV = os.getenv("WORKSPACE") certificates_dir_path = WORKSPACE_ENV + "/test/csit/plans/dcaegen2-collectors-hv-ves/testsuites/ssl/" collector_certs_lookup_dir = "/etc/ves-hv/" @@ -128,11 +128,11 @@ class XnfSimulator: should_disable_ssl, should_connect_to_unencrypted_hv_ves): self.port = port - cert_name_prefix = "" if should_use_valid_certs else "invalid_" + cert_name_prefix = "" if should_use_valid_certs else "untrusted" certificates_path_with_file_prefix = collector_certs_lookup_dir + cert_name_prefix - self.cert_path = certificates_path_with_file_prefix + "client.crt" - self.key_path = certificates_path_with_file_prefix + "client.key" - self.trust_cert_path = certificates_path_with_file_prefix + "trust.crt" + self.key_store_path = certificates_path_with_file_prefix + "client.p12" + self.trust_store_path = certificates_path_with_file_prefix + "trust.p12" + self.sec_store_passwd = "onaponap" self.disable_ssl = should_disable_ssl self.hv_collector_host = "unencrypted-ves-hv-collector" \ if should_connect_to_unencrypted_hv_ves else "ves-hv-collector" @@ -141,10 +141,12 @@ class XnfSimulator: startup_command = ["--listen-port", self.port, "--ves-host", self.hv_collector_host, "--ves-port", "6061", - "--cert-file", self.cert_path, - "--private-key-file", self.key_path, - "--trust-cert-file", self.trust_cert_path] - if (self.disable_ssl): + "--key-store", self.key_store_path, + "--trust-store", self.trust_store_path, + "--key-store-password", self.sec_store_passwd, + "--trust-store-password", self.sec_store_passwd + ] + if self.disable_ssl: startup_command.append("--ssl-disable") return startup_command -- cgit 1.2.3-korg