#!/usr/bin/env bash
set -euo pipefail
# Repository root: two directory levels above the directory holding this script.
TEST_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")"/../.. && pwd)"
# Shared test helpers; presumably the source of `info` used by the setup_* functions below.
# shellcheck source=../../scripts/lib.sh
source "$TEST_ROOT/scripts/lib.sh"
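#######################################
# Generate a three-tier test PKI (root CA -> intermediate CA -> leaf) in a
# directory, plus a PKCS#12 keystore holding the leaf key and full chain.
# Arguments:
#   $1 - target directory (created if missing; always chmod 0700 because
#        unencrypted private keys are written into it)
#   $2 - CN of the leaf certificate; also used verbatim as its DNS SAN
#   $3 - CA name suffix, default "Test CA" (subjects become
#        "Root <name>" and "Intermediate <name>")
# Outputs (in $1):
#   ca.key/ca.crt (root, pathlen:1), intermediate.key/intermediate.crt
#   (pathlen:0, may only sign leaves), leaf.key/leaf.crt, tls.crt (leaf +
#   intermediate + root concatenated), tls.key (copy of leaf.key), and
#   keystore.p12 exported with an EMPTY password (test fixture only).
# Returns:
#   Exits the current shell with 1 when no CN is given (note: when this file
#   is sourced, that exits the caller too). Any openssl failure aborts via
#   set -e / pipefail.
#######################################
setup_certs() {
  # Everything is local so a sourcing test shell does not inherit these names.
  local target_dir="$1"
  # ${2:-} so a missing CN produces the explicit message below instead of an
  # "unbound variable" error from set -u.
  local cn="${2:-}"
  [[ -n "$cn" ]] || {
    printf '%s\n' "No CN specified!" >&2
    exit 1
  }
  local ca_name="${3:-Test CA}"
  [[ -d "$target_dir" ]] || mkdir -- "$target_dir"
  chmod 0700 -- "$target_dir"
  pushd "$target_dir"
  # Extensions for the intermediate CA: a CA that can only issue end-entity certs.
  local intermediate_ca_exts='
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
'
  # Minimal req config for the self-signed root; pathlen:1 allows exactly one
  # intermediate below it.
  local root_ca_exts="
[req]
distinguished_name=dn
x509_extensions=ext
[ dn ]
[ ext ]
basicConstraints=CA:TRUE,pathlen:1
"
  # Root CA (-nodes: key is written unencrypted).
  openssl req -quiet -nodes -config <(echo "$root_ca_exts") -new -x509 -keyout ca.key -out ca.crt -subj "/CN=Root ${ca_name}"
  # Intermediate CA, signed by the root.
  openssl genrsa -out intermediate.key 4096
  openssl req -new -key intermediate.key -subj "/CN=Intermediate ${ca_name}" |
    openssl x509 -sha256 -extfile <(echo "$intermediate_ca_exts") -req -CA ca.crt -CAkey ca.key -CAcreateserial -out intermediate.crt
  # NOTE(review): the SAN is always of type DNS, even when the CN is not a
  # hostname (setup_client_TLS_certs passes "Client Certificate User") — confirm
  # the installed openssl accepts that value.
  local leaf_ca_exts="subjectAltName=DNS:${cn}"
  # Leaf cert, signed by the intermediate.
  openssl genrsa -out leaf.key 4096
  openssl req -new -key leaf.key -subj "/CN=${cn}" |
    openssl x509 -sha256 -extfile <(echo "$leaf_ca_exts") -req -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out leaf.crt
  # Chain file for servers/clients: leaf first, then issuers up to the root.
  cat leaf.crt intermediate.crt ca.crt >tls.crt
  cp leaf.key tls.key
  # Keystore for Java-style consumers; empty export password by design (tests only).
  openssl pkcs12 -export -inkey tls.key -in tls.crt -out keystore.p12 -passout pass:
  popd
}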
#######################################
# Create the default server-side test certs (CN custom-tls-cert.central.stackrox.local,
# CA name "Server CA") and export their paths via export_default_TLS_certs.
# Arguments:
#   $1 - optional target directory; a fresh mktemp -d directory when omitted
#######################################
# shellcheck disable=SC2120
setup_default_TLS_certs() {
  info "Setting up default certs for tests"
  local cert_dir="${1:-}"
  [[ -n "$cert_dir" ]] || cert_dir="$(mktemp -d)"
  setup_certs "$cert_dir" custom-tls-cert.central.stackrox.local "Server CA"
  export_default_TLS_certs "${cert_dir}"
}
#######################################
# Publish the server-side cert material from a setup_certs directory as the
# environment variables the tests read.
# Arguments:
#   $1 - directory produced by setup_certs
# Globals (exported):
#   ROX_DEFAULT_TLS_CERT_FILE, ROX_DEFAULT_TLS_KEY_FILE, DEFAULT_CA_FILE,
#   ROX_TEST_CA_PEM (root CA contents), ROX_TEST_CENTRAL_CN, TRUSTSTORE_PATH
# Outputs:
#   Directory listing on stdout, for troubleshooting.
#######################################
export_default_TLS_certs() {
  local cert_dir="$1"
  export ROX_DEFAULT_TLS_CERT_FILE="${cert_dir}/tls.crt" \
    ROX_DEFAULT_TLS_KEY_FILE="${cert_dir}/tls.key" \
    DEFAULT_CA_FILE="${cert_dir}/ca.crt"
  # Assign separately from export so a read failure is not masked.
  ROX_TEST_CA_PEM="$(<"${cert_dir}/ca.crt")"
  export ROX_TEST_CA_PEM
  export ROX_TEST_CENTRAL_CN="custom-tls-cert.central.stackrox.local" \
    TRUSTSTORE_PATH="${cert_dir}/keystore.p12"
  printf 'Contents of %s:\n' "${cert_dir}"
  ls -al "${cert_dir}"
}
#######################################
# Create the client-auth test certs (CN "Client Certificate User", CA name
# "Client CA") and export their paths via export_client_TLS_certs.
# Arguments:
#   $1 - optional target directory; a fresh mktemp -d directory when omitted
#######################################
# shellcheck disable=SC2120
setup_client_TLS_certs() {
  info "Setting up client certs for tests"
  local cert_dir="${1:-}"
  [[ -n "$cert_dir" ]] || cert_dir="$(mktemp -d)"
  setup_certs "$cert_dir" "Client Certificate User" "Client CA"
  export_client_TLS_certs "${cert_dir}"
}
#######################################
# Publish the client-auth cert material from a setup_certs directory as the
# environment variables the tests read.
# Arguments:
#   $1 - directory produced by setup_certs
# Globals (exported):
#   KEYSTORE_PATH, CLIENT_CA_PATH, CLIENT_CERT_PATH, CLIENT_KEY_PATH
# Outputs:
#   Directory listing on stdout, for troubleshooting.
#######################################
export_client_TLS_certs() {
  local cert_dir="$1"
  export KEYSTORE_PATH="$cert_dir/keystore.p12" \
    CLIENT_CA_PATH="$cert_dir/ca.crt" \
    CLIENT_CERT_PATH="$cert_dir/tls.crt" \
    CLIENT_KEY_PATH="$cert_dir/tls.key"
  printf 'Contents of %s:\n' "${cert_dir}"
  ls -al "${cert_dir}"
}
# Executed directly: run setup_certs with the command-line arguments.
# Sourced by a test harness: only define the functions above.
[[ "${BASH_SOURCE[0]}" != "$0" ]] || setup_certs "$@"