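#!/bin/bash
#
# Generate all X.509 certificates used by the tests.
#
# Usage: gen-certs.sh <openssl-config> <certdir> <cadir>
#
# Everything is produced inside <cadir> (the CA working directory) and only
# the final keys/certificates are placed into <certdir>, where the tests
# expect to find them.

if (( $# != 3 )); then
    echo "Usage: $0 <openssl-config> <certdir> <cadir>"
    echo
    echo "Positional arguments"
    echo "  <openssl-config>  OpenSSL configuration file"
    echo "  <certdir>         Destination directory for the generated files"
    echo "  <cadir>           Working directory for the generation process"
    exit 1
fi

set -euxo pipefail

# The whole generation is done in $CADIR to better represent how osbuild-ca
# is expected to use it.
OPENSSL_CONFIG="$1"
CERTDIR="$2"
CADIR="$3"

# The $CADIR might exist from a previous test (current Schutzbot's imperfection).
# ${CADIR:?} aborts instead of running `rm -rf ""` should the argument be empty.
rm -rf -- "${CADIR:?}" || true
mkdir -p -- "$CADIR" "$CERTDIR"

# Convert the arguments to real paths so we can safely change working directory
OPENSSL_CONFIG="$(realpath "${OPENSSL_CONFIG}")"
CERTDIR="$(realpath "${CERTDIR}")"
CADIR="$(realpath "${CADIR}")"

#######################################
# Create a key pair and a CA-signed certificate for one test identity.
# Globals:   OPENSSL_CONFIG, CERTDIR, CADIR (all read)
# Arguments: $1 - base name of the output files (<name>-key.pem, <name>-crt.pem)
#            $2 - certificate subject (OpenSSL -subj syntax)
#            $3 - subjectAltName value (e.g. "DNS:localhost")
#            $4 - x509 extension section from $OPENSSL_CONFIG used by `openssl ca`
# Outputs:   "$CERTDIR/<name>-key.pem" and "$CERTDIR/<name>-crt.pem";
#            the intermediate CSR is kept in "$CADIR/<name>-csr.pem"
# Returns:   non-zero if either openssl invocation fails (script aborts via set -e)
#######################################
gen_signed_cert() {
    local name=$1 subject=$2 san=$3 ext=$4
    # The CSR stays inside $CADIR (private to this run) instead of a fixed
    # name in /tmp, which is shared between users and between runs.
    local csr="$CADIR/$name-csr.pem"

    openssl req -config "$OPENSSL_CONFIG" \
        -keyout "$CERTDIR/$name-key.pem" \
        -new -nodes \
        -out "$csr" \
        -subj "$subject" \
        -addext "subjectAltName=$san"

    openssl ca -batch -config "$OPENSSL_CONFIG" \
        -extensions "$ext" \
        -in "$csr" \
        -out "$CERTDIR/$name-crt.pem"
}

pushd "$CADIR"
    # Layout required by the `openssl ca` section of $OPENSSL_CONFIG.
    mkdir certs private
    touch index.txt

    # Generate a CA.
    openssl req -config "$OPENSSL_CONFIG" \
        -keyout private/ca.key.pem \
        -new -nodes -x509 -extensions osbuild_ca_ext \
        -out ca.cert.pem -subj "/CN=osbuild.org"

    # Copy the CA certificate (not its key) to the location expected by the tests
    cp ca.cert.pem "$CERTDIR"/ca-crt.pem

    # Generate a composer (server) certificate.
    gen_signed_cert composer \
        "/CN=localhost/emailAddress=osbuild@example.com" \
        "DNS:localhost, DNS:composer" \
        osbuild_server_ext

    # Generate a worker (client) certificate.
    gen_signed_cert worker \
        "/CN=localhost/emailAddress=osbuild@example.com" \
        "DNS:localhost, DNS:worker" \
        osbuild_client_ext

    # Generate a client certificate.
    gen_signed_cert client \
        "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
        "DNS:client.osbuild.org" \
        osbuild_client_ext

    # Client keys are used by tests to access the composer APIs. Allow all users access.
    chmod 644 "$CERTDIR"/client-key.pem

    # Generate a kojihub (server) certificate.
    gen_signed_cert kojihub \
        "/CN=localhost/emailAddress=osbuild@example.com" \
        "DNS:localhost" \
        osbuild_server_ext
popd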