From 849587a9f74a3c1bf43d9118de7d32032954fc91 Mon Sep 17 00:00:00 2001 From: albertteoh Date: Thu, 10 Sep 2020 15:35:42 +1000 Subject: [PATCH 1/2] Add Makefile and README. Add dry-run option Signed-off-by: albertteoh --- pkg/config/tlscfg/testdata/Makefile | 7 ++ pkg/config/tlscfg/testdata/README.md | 14 +++ pkg/config/tlscfg/testdata/gen-certs.sh | 97 ++++++++++++++------- pkg/config/tlscfg/testdata/gen-ssl-conf.sh | 2 +- pkg/config/tlscfg/testdata/wrong-CA-key.pem | 27 ------ 5 files changed, 89 insertions(+), 58 deletions(-) create mode 100644 pkg/config/tlscfg/testdata/Makefile create mode 100644 pkg/config/tlscfg/testdata/README.md delete mode 100644 pkg/config/tlscfg/testdata/wrong-CA-key.pem diff --git a/pkg/config/tlscfg/testdata/Makefile b/pkg/config/tlscfg/testdata/Makefile new file mode 100644 index 000000000000..648e17ea9e3f --- /dev/null +++ b/pkg/config/tlscfg/testdata/Makefile @@ -0,0 +1,7 @@ +.PHONY: certs +certs: + ./gen-certs.sh + +.PHONY: certs-dryrun +certs-dryrun: + ./gen-certs.sh -d diff --git a/pkg/config/tlscfg/testdata/README.md b/pkg/config/tlscfg/testdata/README.md new file mode 100644 index 000000000000..78868e48ce61 --- /dev/null +++ b/pkg/config/tlscfg/testdata/README.md @@ -0,0 +1,14 @@ +# Example Certificate Authority and Certificate creation for testing + +The PEM files located in this directory are used by unit tests in this package. + +To generate and update the PEM files in this directory: + + make certs + +To only generate the PEM files without copying them to this directory: + + make certs-dryrun + + # The location of the generated PEM files will be printed to STDOUT like so: + # Dry-run complete. Generated files can be found in /var/folders/3p/yms48z2s6v7c8fy2m_1481g00000gn/T/certificates.p7pFHXpy \ No newline at end of file diff --git a/pkg/config/tlscfg/testdata/gen-certs.sh b/pkg/config/tlscfg/testdata/gen-certs.sh index 28541cf9499a..5757d1020daa 100755 --- a/pkg/config/tlscfg/testdata/gen-certs.sh 
+++ b/pkg/config/tlscfg/testdata/gen-certs.sh 
@@ -3,56 +3,93 @@ # The following commands were used to create the CA, server and client's certificates and keys in this directory used by unit tests. # These certificates use the Subject Alternative Name extension rather than the Common Name, which will be unsupported in Go 1.15. +usage() { + echo "Usage: $0 [-d]" + echo + echo "-d Dry-run mode. PEM files will not be modified." + exit 1 +} + +dry_run=false + +while getopts "d" o; do + case "${o}" in + d) + dry_run=true + ;; + *) + usage + ;; + esac +done +shift $((OPTIND-1)) + +set -ex + +# Create temp dir for generated files. +tmp_dir=$(mktemp -d -t certificates) +clean_up() { + ARG=$? + if [ $dry_run = true ]; then + echo "Dry-run complete. Generated files can be found in $tmp_dir" + else + rm -rf "$tmp_dir" + fi + exit $ARG +} +trap clean_up EXIT + # Generate config files. # The server name (under alt_names in the ssl.conf) is `example.com`. (in accordance to [RFC 2006](https://tools.ietf.org/html/rfc2606)) -source gen-ssl-conf.sh example.com ssl.conf -source gen-ssl-conf.sh wrong.com wrong-ssl.conf +source gen-ssl-conf.sh example.com "$tmp_dir/ssl.conf" +source gen-ssl-conf.sh wrong.com "$tmp_dir/wrong-ssl.conf" # Create CA (accept defaults from prompts). -openssl genrsa -out example-CA-key.pem 2048 -openssl req -new -key example-CA-key.pem -x509 -days 3650 -out example-CA-cert.pem -config ssl.conf +openssl genrsa -out "$tmp_dir/example-CA-key.pem" 2048 +openssl req -new -key "$tmp_dir/example-CA-key.pem" -x509 -days 3650 -out "$tmp_dir/example-CA-cert.pem" -config "$tmp_dir/ssl.conf" # Create Wrong CA (a dummy CA which doesn't provide any certificate; accept defaults from prompts). 
-openssl genrsa -out wrong-CA-key.pem 2048 -openssl req -new -key wrong-CA-key.pem -x509 -days 3650 -out wrong-CA-cert.pem -config wrong-ssl.conf +openssl genrsa -out "$tmp_dir/wrong-CA-key.pem" 2048 +openssl req -new -key "$tmp_dir/wrong-CA-key.pem" -x509 -days 3650 -out "$tmp_dir/wrong-CA-cert.pem" -config "$tmp_dir/wrong-ssl.conf" # Create client and server keys. -openssl genrsa -out example-server-key.pem 2048 -openssl genrsa -out example-client-key.pem 2048 +openssl genrsa -out "$tmp_dir/example-server-key.pem" 2048 +openssl genrsa -out "$tmp_dir/example-client-key.pem" 2048 # Create certificate sign request using the above created keys and configuration given and commandline arguments. -openssl req -new -nodes -key example-server-key.pem -out example-server.csr -config ssl.conf -openssl req -new -nodes -key example-client-key.pem -out example-client.csr -config ssl.conf +openssl req -new -nodes -key "$tmp_dir/example-server-key.pem" -out "$tmp_dir/example-server.csr" -config "$tmp_dir/ssl.conf" +openssl req -new -nodes -key "$tmp_dir/example-client-key.pem" -out "$tmp_dir/example-client.csr" -config "$tmp_dir/ssl.conf" # Creating the client and server certificate. 
openssl x509 -req \ -sha256 \ -days 3650 \ - -in example-server.csr \ - -signkey example-server-key.pem \ - -out example-server-cert.pem \ + -in "$tmp_dir/example-server.csr" \ + -signkey "$tmp_dir/example-server-key.pem" \ + -out "$tmp_dir/example-server-cert.pem" \ -extensions req_ext \ - -CA example-CA-cert.pem \ - -CAkey example-CA-key.pem \ + -CA "$tmp_dir/example-CA-cert.pem" \ + -CAkey "$tmp_dir/example-CA-key.pem" \ -CAcreateserial \ - -extfile ssl.conf + -extfile "$tmp_dir/ssl.conf" openssl x509 -req \ -sha256 \ -days 3650 \ - -in example-client.csr \ - -signkey example-client-key.pem \ - -out example-client-cert.pem \ + -in "$tmp_dir/example-client.csr" \ + -signkey "$tmp_dir/example-client-key.pem" \ + -out "$tmp_dir/example-client-cert.pem" \ -extensions req_ext \ - -CA example-CA-cert.pem \ - -CAkey example-CA-key.pem \ + -CA "$tmp_dir/example-CA-cert.pem" \ + -CAkey "$tmp_dir/example-CA-key.pem" \ -CAcreateserial \ - -extfile ssl.conf - -# Cleanup. -rm example-CA-key.pem -rm example-CA-cert.srl -rm example-client.csr -rm example-server.csr -rm ssl.conf -rm wrong-ssl.conf + -extfile "$tmp_dir/ssl.conf" +# Copy PEM files. +if [ $dry_run = false ]; then + cp "$tmp_dir/example-CA-cert.pem" \ + "$tmp_dir/example-client-cert.pem" \ + "$tmp_dir/example-client-key.pem" \ + "$tmp_dir/example-server-cert.pem" \ + "$tmp_dir/example-server-key.pem" \ + "$tmp_dir/wrong-CA-cert.pem" . +fi \ No newline at end of file diff --git a/pkg/config/tlscfg/testdata/gen-ssl-conf.sh b/pkg/config/tlscfg/testdata/gen-ssl-conf.sh index c87c56f80612..c706e3d42be8 100644 --- a/pkg/config/tlscfg/testdata/gen-ssl-conf.sh +++ b/pkg/config/tlscfg/testdata/gen-ssl-conf.sh @@ -9,7 +9,7 @@ if [[ -z "$domain_name" || -z "$output_file" ]]; then printf "A script to generate SSL configuration files for testing purposes.\n\n" printf "Usage: ssl-conf-gen.sh DOMAIN_NAME OUTPUT_FILE\n\n" printf "Example: ssl-conf-gen.sh example.com ssl.conf\n" - return + return 1 fi cat << EOF > "$output_file" 
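Review bot: `tmp_dir=$(mktemp -d -t certificates)` only works with the BSD/macOS mktemp; GNU coreutils mktemp, as far as I recall, rejects a template with fewer than three trailing X's, so on Linux the assignment fails and `set -e` aborts the script before the cleanup trap is installed (the sample path in the README suggests it was only exercised on macOS). A form both implementations accept is `tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/certificates.XXXXXXXX")`. Separately, `source gen-ssl-conf.sh` and the final `cp ... .` resolve against the caller's working directory rather than the script's, so the new `make certs` targets only work when invoked from this directory; a `cd "$(dirname "$0")"` before the `source` lines would remove that dependency. Lastly, `clean_up` prints `Dry-run complete.` regardless of `$ARG`, so a failed dry run reports success; guarding the message with `[ "$ARG" -eq 0 ]` (or printing the exit status alongside it) would avoid misleading the reader of the README.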
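Review bot: `return 1` makes the argument guard abort a `set -e` caller that sources this file, which gen-certs.sh now relies on, but when the script is executed directly rather than sourced, bash reports `return` as invalid outside a function or sourced script and, as far as I can tell, continues past the guard; `return 1 2>/dev/null || exit 1` covers both invocation styles. The usage text in the surrounding context lines still names the script `ssl-conf-gen.sh` although the file is `gen-ssl-conf.sh`, which is worth correcting while this hunk is being touched.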
diff --git a/pkg/config/tlscfg/testdata/wrong-CA-key.pem b/pkg/config/tlscfg/testdata/wrong-CA-key.pem deleted file mode 100644 index 0200b08c5c9a..000000000000 --- a/pkg/config/tlscfg/testdata/wrong-CA-key.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAs72r4dAH4lb08E4RT82/uKbGJaje/wckQae4rrUIR8VDnlnO -oTbPNHl7x7+5B3oRuFCkWYV/Ny5Tec8ABwu1e5Z+5ZtSySi1OjnqAHH7xdUFVdeD -Ln7JrA6AVs9Hd26T5YhQMFu24JxmxjN2CA8Dr4vBeUjuATDbHZtvjmvZ3HxlG9G3 -mjcldkwPh2LjWQBOQYOHwqyJqJHzsRDuUJBMslazOdq3vAfCZammzwEI/OAdUNN0 -aQBtePIzMyZ9Oa+7d2xEcniwyFfpLc3AdcpqjemU83BDVBKmSuj8sqnzcG0b5c4J -8zifkK6bzVWO6e/3BV5uUEanzJqD6D1PNg3uXwIDAQABAoIBAA1Tg7njTaJXZiOm -9hufmpZbLxe9tILeCa8ge03guDNyCbhk2jATuzsdwrKloVdPkp7Cw9yrTCpQMfo3 -Ab6D/LmkB9aINJQbg4xEnPfZe5xIVfPuXZiF5/fsv1EwXxEYzrhW6fMb6awvjGMn -j5m7Wz+ZsgeHA7Zs4+IHEzdRAb8aDhKTpwCSmtlx50+zi834KTRsZluDuijFrQT5 -YRQvsM+IPijbfDXbhjeSe+hmJSKpf2mDk2P02rrjBRLgwGFGmk/ga+Y/mZgtYxpg -HnQed39dv5XbIZvVJImQFB/a5oNl+rZzKwKy3r3Q/UrikfOlURt6vPy5GRCNOmGF -BT/xkFkCgYEA53LLhIMG9qGntMe9lzHmwxDBAUZS1I6uEVzY5l3o0dk53ZHlfq6A -r8ybO9U1GiM8zMYkeRZpCqH9oM/HLQIW33L3dbApSmsts1glEchP54YdkNX6KyZQ -j4Yllx0px/Xt+41LG89LAHAlRyk9E5r/4bcVpTWMnU6AVCZE1xcPmeUCgYEAxs61 -gdgJ6S1uNNXwdA+1iXlGubNnDdmsySnkJw4rFslAXGvBvs3Kt5rCDQsTIs72Sm34 -bkE+rgktlHLECO6TWWJbNtSr0aTRhoJMYswy06X/zwdZJT8oVRyBWGqB/pMTKtw7 -aVOddqDXJEg4DI0yvmKTkyFBWWGwcyfy8wnt0vMCgYAybzBsEsVMrxNFcJUewk// -x8HXDkT0bpb9z5awNFyMheJ3Jti0j0AZjuNw2Vf19yHDmZXPERQYrg3/oedMJn1n -ebz010tYHRzbTOTfCCBpWi9NJWObTYEWlWvRjxhQq4WNYE+yoqw8TzPAWvslL4x8 -2hGMa6vVh4qtS52KpUrQBQKBgF/mywvtqSpAbg8yvKFgCpRcWk+uSSIXRRBtEs/8 -N7DwOAndOULPhuB22PDtzLdX2tsgnVyiQJg3eTNJAWPFonLVzWZvxMqGlUQriqmG -E2ahhvrZcplTFCOqcoKyLi8dx3s/bbFrUmQtRlsMM21ql3Xbm5C31AxH4ZRLSxkO -SxkdAoGBAOQLwznBLgqHE3Pf+rXEUGHtjMfXTaSmwptKJLsybpl1A2/rQPbRFME3 -LjEaD4ICPaBlVWOoqExqKnHAgaB5H75EPuiAT96/5ZOS1FhnuprOW9wKz/p4oJAe -3SJW0YDbnePVIzpOZlR7WfNfuF5Kx8pbK3qCZPrVU5tOz/EjbjpR ------END RSA PRIVATE KEY----- 
From 12652ffe8a68d3aa7fea4f121c0492b5626a99ba Mon Sep 17 00:00:00 2001 From: Albert <26584478+albertteoh@users.noreply.github.com> Date: Fri, 11 Sep 2020 09:44:17 +1000 Subject: [PATCH 2/2] Update pkg/config/tlscfg/testdata/README.md Co-authored-by: Yuri Shkuro --- pkg/config/tlscfg/testdata/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/config/tlscfg/testdata/README.md b/pkg/config/tlscfg/testdata/README.md index 78868e48ce61..26c14335307d 100644 --- a/pkg/config/tlscfg/testdata/README.md +++ b/pkg/config/tlscfg/testdata/README.md @@ -10,5 +10,6 @@ To only generate the PEM files without copying them to this directory: make certs-dryrun - # The location of the generated PEM files will be printed to STDOUT like so: - # Dry-run complete. Generated files can be found in /var/folders/3p/yms48z2s6v7c8fy2m_1481g00000gn/T/certificates.p7pFHXpy \ No newline at end of file +The location of the generated PEM files will be printed to STDOUT like so: + + # Dry-run complete. Generated files can be found in /var/folders/3p/yms48z2s6v7c8fy2m_1481g00000gn/T/certificates.p7pFHXpy