blob: bf9467826cd4b576622f7747796f91e2b451b7e4 [file] [log] [blame]
Instrumental7a1817b2018-11-05 11:11:15 -06001#!/bin/bash
2#########
3# ============LICENSE_START====================================================
4# org.onap.aaf
5# ===========================================================================
6# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
7# ===========================================================================
8# Licensed under the Apache License, Version 2.0 (the "License");
9# you may not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS,
16# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19# ============LICENSE_END====================================================
Instrumentalcc596dd2018-08-23 09:52:14 -050020#
21# Streamlined AAF Bootstrap initial Cert
22# Removed Variables so it can be run for AutoDeployments
23#
24echo "Bootstrap AAF Certificate"
Instrumentalb8a81292018-08-23 16:32:45 -050025mkdir -p private certs newcerts
26chmod 700 private
27chmod 755 certs newcerts
28touch index.txt
29echo "unique_subject = no" > index.txt.attr
Instrumental0d4ec122018-08-30 14:33:08 -050030if [ ! -e ./serial ]; then
Instrumental93871ff2018-10-15 07:37:28 -050031 echo $(date +%s)_$(shuf -i 0-1000000 -n 1) > ./serial
Instrumental0d4ec122018-08-30 14:33:08 -050032fi
Instrumentalb8a81292018-08-23 16:32:45 -050033
Instrumentalcc596dd2018-08-23 09:52:14 -050034NAME=aaf.bootstrap
Instrumental54883b42018-09-25 07:56:54 -050035FQDN="${HOSTNAME:=$(hostname -f)}"
Instrumentalcc596dd2018-08-23 09:52:14 -050036FQI=aaf@aaf.osaaf.org
37SUBJECT="/CN=$FQDN/OU=$FQI`cat subject.aaf`"
38SIGNER_P12=$1
39SIGNER_KEY=/tmp/aaf_signer.key
40SIGNER_CRT=/tmp/aaf_signer.crt
41PASSPHRASE=$2
42if [ "PASSPHRASE" = "" ]; then
43 PASSPHRASE="something easy"
44fi
45BOOTSTRAP_SAN=/tmp/$NAME.san
46BOOTSTRAP_KEY=/tmp/$NAME.key
47BOOTSTRAP_CSR=/tmp/$NAME.csr
48BOOTSTRAP_CRT=/tmp/$NAME.crt
Instrumentalb8a81292018-08-23 16:32:45 -050049BOOTSTRAP_CHAIN=/tmp/$NAME.chain
Instrumentalcc596dd2018-08-23 09:52:14 -050050BOOTSTRAP_P12=$NAME.p12
Instrumentalbc299c02018-09-25 06:42:31 -050051BOOTSTRAP_ISSUER=$NAME.issuer
Instrumentalcc596dd2018-08-23 09:52:14 -050052
53
54# If Signer doesn't exist, create Self-Signed CA
55if [ ! -e "$SIGNER_P12" ]; then
56 # Creating Signer CA
57 openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
Instrumentalb8a81292018-08-23 16:32:45 -050058 -newkey rsa:4096 -subj /CN="Signer$(cat subject.aaf)" \
59 -keyout $SIGNER_KEY -out $SIGNER_CRT -days 365 -passout stdin << EOF
60$PASSPHRASE
61EOF
Instrumentalcc596dd2018-08-23 09:52:14 -050062
63 # Move to P12 (Signer)
64 openssl pkcs12 -name RootCA -export -in $SIGNER_CRT -inkey $SIGNER_KEY -out $SIGNER_P12 -passin stdin -passout stdin << EOF
65$PASSPHRASE
66$PASSPHRASE
67$PASSPHRASE
68EOF
69
70else
71 # Get Private key from P12
72 openssl pkcs12 -in $SIGNER_P12 -nocerts -nodes -passin stdin -passout stdin -out $SIGNER_KEY << EOF
73$PASSPHRASE
74$PASSPHRASE
75EOF
76
77 # Get Cert from P12
78 openssl pkcs12 -in $SIGNER_P12 -clcerts -nokeys -passin stdin -out $SIGNER_CRT << EOF
79$PASSPHRASE
80EOF
81
82fi
83
84# SANS
85cp san.conf $BOOTSTRAP_SAN
Instrumental1e3be602018-10-03 19:40:44 -050086SANS=$FQDN
87if [ "$FQDN" -ne "$HOSTNAME" ]; then
88 SANS="$SANS $HOSTNAME"
89fi
90
91for ROOT in $(cat san_root.aaf); do
92 SANS="$SANS $ROOT"
Instrumental12414fe2019-01-22 10:27:32 -060093 for C in service locate oauth token introspect gui cm hello; do
Instrumental1e3be602018-10-03 19:40:44 -050094 SANS="$SANS $C.$ROOT"
95 done
96done
Instrumental65cdc092018-10-15 12:34:59 -050097
Instrumental12414fe2019-01-22 10:27:32 -060098for C in service locate oauth token introspect gui cm hello; do
Instrumental65cdc092018-10-15 12:34:59 -050099 SANS="$SANS aaf-$C"
100 SANS="$SANS aaf-$C.onap"
101done
102
Instrumentalcc596dd2018-08-23 09:52:14 -0500103NUM=1
Instrumental1e3be602018-10-03 19:40:44 -0500104for D in $SANS; do
Instrumentalcc596dd2018-08-23 09:52:14 -0500105 echo "DNS.$NUM = $D" >> $BOOTSTRAP_SAN
106 NUM=$((NUM+1))
107done
108
109# Create CSR
Instrumentalb8a81292018-08-23 16:32:45 -0500110openssl req -new -newkey rsa:2048 -nodes -keyout $BOOTSTRAP_KEY \
111 -out $BOOTSTRAP_CSR -outform PEM -subj "$SUBJECT" \
112 -passout stdin << EOF
113$PASSPHRASE
114EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500115
Instrumentalb8a81292018-08-23 16:32:45 -0500116echo Sign it
117openssl ca -batch -config openssl.conf -extensions server_cert \
Instrumentalcc596dd2018-08-23 09:52:14 -0500118 -cert $SIGNER_CRT -keyfile $SIGNER_KEY \
119 -policy policy_loose \
Instrumental08e93402018-10-03 08:38:52 -0500120 -days 365 \
Instrumentalb8a81292018-08-23 16:32:45 -0500121 -passin stdin \
122 -out $BOOTSTRAP_CRT \
Instrumentalcc596dd2018-08-23 09:52:14 -0500123 -extfile $BOOTSTRAP_SAN \
Instrumentalb8a81292018-08-23 16:32:45 -0500124 -infiles $BOOTSTRAP_CSR << EOF
125$PASSPHRASE
126EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500127
128# Make a P12
129# Add THIS Intermediate CA into chain
Instrumentalb8a81292018-08-23 16:32:45 -0500130cat $BOOTSTRAP_CRT
131cp $BOOTSTRAP_CRT $BOOTSTRAP_CHAIN
132cat $SIGNER_CRT >> $BOOTSTRAP_CHAIN
Instrumental08e93402018-10-03 08:38:52 -0500133cat $BOOTSTRAP_CHAIN
Instrumentalcc596dd2018-08-23 09:52:14 -0500134
135# Note: Openssl will pickup and load all Certs in the Chain file
Instrumental08e93402018-10-03 08:38:52 -0500136#openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -CAfile $SIGNER_CRT -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalb8a81292018-08-23 16:32:45 -0500137openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CHAIN -inkey $BOOTSTRAP_KEY -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500138$PASSPHRASE
139$PASSPHRASE
140$PASSPHRASE
141EOF
142
Instrumentalbc299c02018-09-25 06:42:31 -0500143# Make Issuer name
144ISSUER=$(openssl x509 -subject -noout -in $SIGNER_CRT | cut -c 10-)
145for I in ${ISSUER//\// }; do
146 if [ -n "$CADI_X509_ISSUER" ]; then
147 CADI_X509_ISSUER=", $CADI_X509_ISSUER"
148 fi
149 CADI_X509_ISSUER="$I$CADI_X509_ISSUER"
150done
151echo $CADI_X509_ISSUER > $BOOTSTRAP_ISSUER
152
Instrumentalcc596dd2018-08-23 09:52:14 -0500153# Cleanup
Instrumental08e93402018-10-03 08:38:52 -0500154rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $SIGNER_KEY $SIGNER_CRT $BOOTSTRAP_CHAIN