keystone/examples/pki/gen_pki.sh
Guang Yee fddacf7bce bug 1069945: generate certs for the tests in one place
and doc how to install signing certificate from an external CA

Change-Id: I92feb8eaeea617211ee7132480ac7a63bf0a1bf1
2012-11-05 12:27:14 -08:00

223 lines
5.7 KiB
Bash
Executable File

#!/bin/bash
# Copyright 2012 OpenStack LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# This script generates the crypto necessary for the SSL tests.
DIR=`dirname "$0"`
CURRENT_DIR=`cd "$DIR" && pwd`
CERTS_DIR=$CURRENT_DIR/certs
PRIVATE_DIR=$CURRENT_DIR/private
CMS_DIR=$CURRENT_DIR/cms
function rm_old {
rm -rf $CERTS_DIR/*.pem
rm -rf $PRIVATE_DIR/*.pem
}
function cleanup {
rm -rf *.conf > /dev/null 2>&1
rm -rf index* > /dev/null 2>&1
rm -rf *.crt > /dev/null 2>&1
rm -rf newcerts > /dev/null 2>&1
rm -rf *.pem > /dev/null 2>&1
rm -rf serial* > /dev/null 2>&1
}
function generate_ca_conf {
echo '
[ req ]
default_bits = 1024
default_keyfile = cakey.pem
default_md = sha1
prompt = no
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
[ ca_distinguished_name ]
serialNumber = 5
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = OpenStack
organizationalUnitName = Keystone
emailAddress = keystone@openstack.org
commonName = Self Signed
[ ca_extensions ]
basicConstraints = critical,CA:true
' > ca.conf
}
function generate_ssl_req_conf {
echo '
[ req ]
default_bits = 1024
default_keyfile = keystonekey.pem
default_md = sha1
prompt = no
distinguished_name = distinguished_name
[ distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = OpenStack
organizationalUnitName = Keystone
commonName = localhost
emailAddress = keystone@openstack.org
' > ssl_req.conf
}
function generate_cms_signing_req_conf {
echo '
[ req ]
default_bits = 1024
default_keyfile = keystonekey.pem
default_md = sha1
prompt = no
distinguished_name = distinguished_name
[ distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Sunnyvale
organizationName = OpenStack
organizationalUnitName = Keystone
commonName = Keystone
emailAddress = keystone@openstack.org
' > cms_signing_req.conf
}
function generate_signing_conf {
echo '
[ ca ]
default_ca = signing_ca
[ signing_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/certs/cacert.pem
serial = $dir/serial
private_key = $dir/private/cakey.pem
default_days = 21360
default_crl_days = 30
default_md = sha1
policy = policy_any
[ policy_any ]
countryName = supplied
stateOrProvinceName = supplied
localityName = optional
organizationName = supplied
organizationalUnitName = supplied
emailAddress = supplied
commonName = supplied
' > signing.conf
}
function setup {
touch index.txt
echo '10' > serial
generate_ca_conf
mkdir newcerts
}
function check_error {
if [ $1 != 0 ] ; then
echo "Failed! rc=${1}"
echo 'Bailing ...'
cleanup
exit $1
else
echo 'Done'
fi
}
function generate_ca {
echo 'Generating New CA Certificate ...'
openssl req -x509 -newkey rsa:1024 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
check_error $?
}
function ssl_cert_req {
echo 'Generating SSL Certificate Request ...'
generate_ssl_req_conf
openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
check_error $?
#openssl req -in req.pem -text -noout
}
function cms_signing_cert_req {
echo 'Generating CMS Signing Certificate Request ...'
generate_cms_signing_req_conf
openssl req -newkey rsa:1024 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
check_error $?
#openssl req -in req.pem -text -noout
}
function issue_certs {
generate_signing_conf
echo 'Issuing SSL Certificate ...'
openssl ca -in ssl_req.pem -config signing.conf -batch
check_error $?
openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
check_error $?
echo 'Issuing CMS Signing Certificate ...'
openssl ca -in cms_signing_req.pem -config signing.conf -batch
check_error $?
openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
check_error $?
}
function create_middleware_cert {
cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
}
function check_openssl {
echo 'Checking openssl availability ...'
which openssl
check_error $?
}
function gen_sample_cms {
for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"
do
openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
done
}
check_openssl
rm_old
cleanup
setup
generate_ca
ssl_cert_req
cms_signing_cert_req
issue_certs
create_middleware_cert
gen_sample_cms
cleanup