scottk/wlan-cloud-loadsim
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-cloud-loadsim.git synced 2025-11-01 11:08:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding v4/v5 encoding decoding

Browse Source
This commit is contained in:
Stephane Bourque
2020-10-20 16:03:11 -07:00
parent 77c44174d1
commit 8cc16c1c6f
40 changed files with 431 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
certs/scripts/clean_all.sh Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/sh
rm -rf testCA
rm ./*.pem
rm ./*.csr
rm ./*.jks
rm ./*.pkcs12
rm ./*.p12

50
certs/scripts/copy-certs-to-helm.sh Executable file
View File

@@ -0,0 +1,50 @@
#!/bin/bash
# Script to copy certs to the respective folders in wlan-cloud-helm folders.
# Make sure you are in wlan-pki-folder with generated
# Usage: ./copy-certs.sh ${wlan-cloud-helm-dir}
# ./copy-certs.sh $HOME/Tip-Repo/wlan-cloud-helm
if [[ $# -eq 0 ]] ;
then
echo "*** No Arguments supplied!! Expecting Absolute path of wlan-cloud-helm dir as an argument to the script ***"
echo "*** Usage: ./copy-certs.sh absolute-path-of-wlan-cloud-helm-dir ***"
exit 0
fi
echo "==============================================="
echo "Copying certs to opensync-gw-cloud certs folder"
cp cacert.pem clientcert.pem clientkey.pem client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/opensync-gw-cloud/resources/config/certs
echo "================================================"
echo "Copying certs to opensync-gw-static certs folder"
cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/opensync-gw-static/resources/config/certs
echo "=================================================="
echo "Copying certs to opensync-mqtt-broker certs folder"
cp cacert.pem mqttservercert.pem mqttserverkey_dec.pem "$1"/tip-wlan/charts/opensync-mqtt-broker/resources/config/certs/
echo "====================================================================="
echo "Copying certs to wlan-integrated-cloud-component-service certs folder"
cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-integrated-cloud-component-service/resources/config/certs/
echo "================================================="
echo "Copying certs to wlan-portal-service certs folder"
cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-portal-service/resources/config/certs/
echo "==============================================="
echo "Copying certs to wlan-prov-service certs folder"
cp client_keystore.jks server.pkcs12 truststore.jks cacert.pem postgresclientcert.pem postgresclientkey_dec.pem postgresclient.p12 "$1"/tip-wlan/charts/wlan-prov-service/resources/config/certs/
echo "=============================================="
echo "Copying certs to wlan-ssc-service certs folder"
cp client_keystore.jks server.pkcs12 kafka-server.pkcs12 truststore.jks cacert.pem cassandraserverkey_dec.pem cassandraservercert.pem cassandra_server_keystore.jks "$1"/tip-wlan/charts/wlan-ssc-service/resources/config/certs/
echo "=============================================="
echo "Copying certs to wlan-spc-service certs folder"
cp client_keystore.jks server.pkcs12 kafka-server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-spc-service/resources/config/certs/
echo "================================================="
echo "Copying certs to wlan-port-forwarding-gateway-service certs folder"
cp client_keystore.jks server.pkcs12 truststore.jks "$1"/tip-wlan/charts/wlan-port-forwarding-gateway-service/resources/config/certs/
echo "==================================="
echo "Copying certs to kafka certs folder"
cp kafka-server.pkcs12 truststore.jks "$1"/tip-wlan/charts/kafka/resources/config/certs/
echo "======================================="
echo "Copying certs to cassandra certs folder"
cp cassandra_server_keystore.jks truststore.jks cacert.pem cassandraserverkey_dec.pem cassandraservercert.pem "$1"/tip-wlan/charts/cassandra/resources/config/certs/
echo "======================================"
echo "Copying certs to postgres certs folder"
cp cacert.pem postgresclientcert.pem postgresclientkey_dec.pem servercert.pem serverkey_dec.pem "$1"/tip-wlan/charts/postgresql/resources/config/certs/
echo "========= All Certs Copied =========="
echo "NOTE: Additional changes are expected in Kafka, Postgres and Cassandra charts before you start deployment. Refer https://telecominfraproject.atlassian.net/wiki/spaces/WIFI/pages/262176803/Pre-requisites+before+deploying+Tip-Wlan+solution"

20
certs/scripts/create-ca.sh Executable file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
BASE_DIR=./testCA
#create target directories, set permissions
mkdir -p $BASE_DIR/private
chmod go-rx $BASE_DIR/private
#generate the CA certificate
openssl req -batch -x509 -days 3000 -config openssl-ca.cnf -newkey rsa:4096 -sha256 -out cacert.pem -outform PEM
#move generated certificates into their proper places
mv cacert.pem $BASE_DIR
mv cakey.pem $BASE_DIR/private
#init the certificate database files
touch $BASE_DIR/index.txt
echo '01' > $BASE_DIR/serial.txt
mkdir -p $BASE_DIR/newcerts

2
certs/scripts/create-cassandra-server-cert-request.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl req -batch -config openssl-cassandra-server.cnf -newkey rsa:2048 -sha256 -out cassandraservercert.csr -outform PEM

3
certs/scripts/create-client-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl req -batch -config openssl-client.cnf -newkey rsa:2048 -sha256 -out clientcert.csr -outform PEM -nodes

2
certs/scripts/create-kafka-server-cert-request.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl req -batch -config openssl-kafka-server.cnf -newkey rsa:2048 -sha256 -out kafkaservercert.csr -outform PEM

2
certs/scripts/create-mqtt-server-cert-request.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl req -batch -config mqtt-server.cnf -newkey rsa:2048 -sha256 -out mqttservercert.csr -outform PEM

4
certs/scripts/create-postgres-client-cert-request.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
openssl req -batch -config postgres-client.cnf -newkey rsa:2048 -sha256 -out postgresclientcert.csr -outform PEM -nodes

2
certs/scripts/create-server-cert-request.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl req -batch -config openssl-server.cnf -newkey rsa:2048 -sha256 -out servercert.csr -outform PEM

4
certs/scripts/decrypt-cassandra-server-key.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
echo Generating decrypted version of the cassandra client/server key
openssl rsa -passin pass:mypassword -in cassandraserverkey.pem -out cassandraserverkey_dec.pem

4
certs/scripts/decrypt-client-key.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
echo Generating decrypted version of the client key
openssl rsa -passin pass:mypassword -in clientkey.pem -out clientkey_dec.pem

4
certs/scripts/decrypt-mqtt-server-key.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
echo Generating decrypted version of the mqtt server key
openssl rsa -passin pass:mypassword -in mqttserverkey.pem -out mqttserverkey_dec.pem

4
certs/scripts/decrypt-postgres-client-key.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
echo Generating decrypted version of the client key
openssl rsa -passin pass:mypassword -in postgresclientkey.pem -out postgresclientkey_dec.pem

4
certs/scripts/decrypt-server-key.sh Executable file
View File

@@ -0,0 +1,4 @@
#!/bin/sh
echo Generating decrypted version of the server key
openssl rsa -passin pass:mypassword -in serverkey.pem -out serverkey_dec.pem

72
certs/scripts/generate_all.sh Executable file
View File

@@ -0,0 +1,72 @@
#!/bin/sh
echo ====================================================
echo Cleaning up old files
./clean_all.sh
echo ====================================================
echo Creating Certificate Authority
./create-ca.sh
cp testCA/cacert.pem cacert.pem
echo ====================================================
echo Creating Generic Server Certificate
./create-server-cert-request.sh
./sign-server-cert-request.sh
./decrypt-server-key.sh
echo ====================================================
echo Creating MQTT Server Certificate
./create-mqtt-server-cert-request.sh
./sign-mqtt-server-cert-request.sh
./decrypt-mqtt-server-key.sh
echo ====================================================
echo Creating Kafka Server Certificate
./create-kafka-server-cert-request.sh
./sign-kafka-server-cert-request.sh
echo ====================================================
echo Creating Cassandra Server Certificate
./create-cassandra-server-cert-request.sh
./sign-cassandra-server-cert-request.sh
./decrypt-cassandra-server-key.sh
echo ====================================================
echo Creating Client Certificate
./create-client-cert-request.sh
./sign-client-cert-request.sh
./decrypt-client-key.sh
echo ====================================================
echo Creating Postgres Client Certificates
./create-postgres-client-cert-request.sh
./sign-postgres-client-cert-request.sh
./decrypt-postgres-client-key.sh
echo ====================================================
echo Verifying Server Certificate
./verify-server.sh servercert.pem
echo ====================================================
echo Verifying Client Certificate
./verify-client.sh clientcert.pem
echo ====================================================
echo Packaging Server Certificates
./package-server-cert.sh
./package-kafka-server-cert.sh
./package-cassandra-server-cert.sh
echo ====================================================
echo Packaging Client Certificates
./package-client-cert.sh
./package-postgres-client-cert.sh
echo ====================================================
echo Packaging CA Certificate
./package-ca-cert.sh
echo ====================================================
echo All Done

114
certs/scripts/openssl-ca.cnf Normal file
View File

@@ -0,0 +1,114 @@
HOME = .
RANDFILE = $ENV::HOME/.rnd
input_password = mypassword
output_password = mypassword
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = ./testCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial.txt # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
default_days = 1000 # How long to certify for
default_crl_days = 30 # How long before next CRL
default_md = sha256 # Use public key default MD
preserve = no # Keep passed DN ordering
x509_extensions = ca_extensions # The extensions to add to the cert
email_in_dn = no # Don't concat the email in the DN
copy_extensions = copy # Required to copy SANs from CSR to cert
crl_extensions = crl_ext
####################################################################
[ req ]
default_bits = 4096
default_keyfile = cakey.pem
distinguished_name = ca_distinguished_name
x509_extensions = ca_extensions
string_mask = utf8only
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
####################################################################
[ ca_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ontario
localityName = Locality Name (eg, city)
localityName_default = Ottawa
organizationName = Organization Name (eg, company)
organizationName_default = ConnectUs Technologies
organizationalUnitName = Organizational Unit (eg, division)
organizationalUnitName_default = Testing Department
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = Test CA Not For Deployment
emailAddress = Email Address
emailAddress_default = test@example.com
####################################################################
[ ca_extensions ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
####################################################################
[ signing_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ signing_req_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[ signing_req_client ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature
[ policy_match ]
organizationName = match

3
certs/scripts/package-ca-cert.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
keytool -import -noprompt -file testCA/cacert.pem -alias my_ca -keystore truststore.jks -storepass mypassword

5
certs/scripts/package-cassandra-server-cert.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
openssl pkcs12 -export -in cassandraservercert.pem -inkey cassandraserverkey.pem -passin pass:mypassword -passout pass:mypassword -out cassandra-server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
keytool -importkeystore -destkeystore cassandra_server_keystore.jks -srckeystore cassandra-server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1

5
certs/scripts/package-client-cert.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
openssl pkcs12 -export -in clientcert.pem -inkey clientkey.pem -passin pass:mypassword -passout pass:mypassword -out client.pkcs12 -name clientqrcode -CAfile testCA/cacert.pem -caname root -chain
keytool -importkeystore -destkeystore client_keystore.jks -srckeystore client.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias clientqrcode

5
certs/scripts/package-kafka-server-cert.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
openssl pkcs12 -export -in kafkaservercert.pem -inkey kafkaserverkey.pem -passin pass:mypassword -passout pass:mypassword -out kafka-server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
keytool -importkeystore -destkeystore kafka_server_keystore.jks -srckeystore kafka-server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1

2
certs/scripts/package-postgres-client-cert.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl pkcs12 -export -in postgresclientcert.pem -inkey postgresclientkey.pem -passin pass:mypassword -passout pass:mypassword -out postgresclient.p12 -name user -CAfile testCA/cacert.pem -caname root -chain

6
certs/scripts/package-server-cert.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/bin/sh
openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -passin pass:mypassword -passout pass:mypassword -out server.pkcs12 -name 1 -CAfile testCA/cacert.pem -caname root -chain
keytool -importkeystore -destkeystore server_keystore.jks -srckeystore server.pkcs12 -srcstoretype pkcs12 -srcstorepass mypassword -deststorepass mypassword -deststoretype JKS -alias 1

3
certs/scripts/show-ca-purpose.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl x509 -purpose -in ./testCA/cacert.pem -inform PEM -noout

2
certs/scripts/show-ca.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl x509 -in ./testCA/cacert.pem -text -noout

36
certs/scripts/show-cert-chain.sh Executable file
View File

@@ -0,0 +1,36 @@
#!/bin/bash
chain_pem="${1}"
if [[ ! -f "${chain_pem}" ]]; then
echo "Usage: $0 BASE64_CERTIFICATE_CHAIN_FILE" >&2
exit 1
fi
if ! openssl x509 -in "${chain_pem}" -noout 2>/dev/null ; then
echo "${chain_pem} is not a certificate" >&2
exit 1
fi
awk -F'\n' '
BEGIN {
showcert = "openssl x509 -noout -subject -issuer"
}
/-----BEGIN CERTIFICATE-----/ {
printf "%2d: ", ind
}
{
printf $0"\n" | showcert
}
/-----END CERTIFICATE-----/ {
close(showcert)
ind ++
}
' "${chain_pem}"
echo
openssl verify -untrusted "${chain_pem}" "${chain_pem}"

3
certs/scripts/show-client-csr.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl req -text -noout -verify -in clientcert.csr

3
certs/scripts/show-client-purpose.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl x509 -purpose -in clientcert.pem -inform PEM -noout

3
certs/scripts/show-server-cert.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl x509 -in servercert.pem -text -noout

3
certs/scripts/show-server-csr.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl req -text -noout -verify -in servercert.csr

3
certs/scripts/show-server-purpose.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl x509 -purpose -in servercert.pem -inform PEM -noout

3
certs/scripts/sign-cassandra-server-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out cassandraservercert.pem -infiles cassandraservercert.csr

3
certs/scripts/sign-client-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_client -out clientcert.pem -infiles clientcert.csr

3
certs/scripts/sign-kafka-server-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out kafkaservercert.pem -infiles kafkaservercert.csr

3
certs/scripts/sign-mqtt-server-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out mqttservercert.pem -infiles mqttservercert.csr

5
certs/scripts/sign-postgres-client-cert-request.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_client -out postgresclientcert.pem -infiles postgresclientcert.csr
rm postgresclientcert.csr

3
certs/scripts/sign-server-cert-request.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/sh
openssl ca -batch -key mypassword -config openssl-ca.cnf -policy signing_policy -extensions signing_req_server -out servercert.pem -infiles servercert.csr

2
certs/scripts/start-test-client.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl s_client -CAfile ./testCA/cacert.pem -cert clientcert.pem -key clientkey.pem -connect 127.0.0.1:4242

2
certs/scripts/start-test-server.sh Executable file
View File

@@ -0,0 +1,2 @@
#!/bin/sh
openssl s_server -CAfile ./testCA/cacert.pem -cert servercert.pem -key serverkey.pem -port 4242

13
certs/scripts/verify-client.sh Executable file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
target_pem="${1}"
if [[ ! -f "${target_pem}" ]]; then
echo "Usage: $0 BASE64_CERTIFICATE_FILE" >&2
exit 1
fi
openssl x509 -subject -issuer -noout -dates -in "$target_pem"
openssl verify -purpose sslclient -CAfile ./testCA/cacert.pem "$target_pem"

13
certs/scripts/verify-server.sh Executable file
View File

@@ -0,0 +1,13 @@
#!/bin/bash
target_pem="${1}"
if [[ ! -f "${target_pem}" ]]; then
echo "Usage: $0 BASE64_CERTIFICATE_FILE" >&2
exit 1
fi
openssl x509 -subject -issuer -noout -dates -in "$target_pem"
openssl verify -purpose sslserver -CAfile ./testCA/cacert.pem "$target_pem"