Gitiles
Code Review Sign In
gerrit.nordix.org / onap / aaf / authz / 8d3350fb03ebcf902416d4ae984234f041668ffc / . / conf / CA / bootstrap.sh
blob: 8454a3a9f7a49c11f11f223900e489ec7278f3f2 [file] [log] [blame]
Instrumental7a1817b2018-11-05 11:11:15 -0600[diff] [blame]1#!/bin/bash
2#########
3# ============LICENSE_START====================================================
4# org.onap.aaf
5# ===========================================================================
6# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
7# ===========================================================================
8# Licensed under the Apache License, Version 2.0 (the "License");
9# you may not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS,
16# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19# ============LICENSE_END====================================================
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]20#
21# Streamlined AAF Bootstrap initial Cert
22# Removed Variables so it can be run for AutoDeployments
23#
24echo "Bootstrap AAF Certificate"
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]25mkdir -p private certs newcerts
26chmod 700 private
27chmod 755 certs newcerts
28touch index.txt
29echo "unique_subject = no" > index.txt.attr
Instrumental0d4ec122018-08-30 14:33:08 -0500[diff] [blame]30if [ ! -e ./serial ]; then
Instrumental93871ff2018-10-15 07:37:28 -0500[diff] [blame]31 echo $(date +%s)_$(shuf -i 0-1000000 -n 1) > ./serial
Instrumental0d4ec122018-08-30 14:33:08 -0500[diff] [blame]32fi
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]33
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]34NAME=aaf.bootstrap
Instrumental27afb022019-02-07 16:36:56 -0600[diff] [blame]35HOSTNAME="${HOSTNAME:=$(hostname -)}"
Instrumentalfea400a2019-04-17 14:30:28 -0500[diff] [blame]36PUBLIC_FQDN="${aaf_locator_public_fqdn:=$HOSTNAME}"
37FQDN="${aaf_locator_fqdn:=$PUBLIC_FQDN}"
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]38FQI=aaf@aaf.osaaf.org
39SUBJECT="/CN=$FQDN/OU=$FQI`cat subject.aaf`"
40SIGNER_P12=$1
41SIGNER_KEY=/tmp/aaf_signer.key
42SIGNER_CRT=/tmp/aaf_signer.crt
43PASSPHRASE=$2
44if [ "PASSPHRASE" = "" ]; then
45 PASSPHRASE="something easy"
46fi
47BOOTSTRAP_SAN=/tmp/$NAME.san
48BOOTSTRAP_KEY=/tmp/$NAME.key
49BOOTSTRAP_CSR=/tmp/$NAME.csr
50BOOTSTRAP_CRT=/tmp/$NAME.crt
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]51BOOTSTRAP_CHAIN=/tmp/$NAME.chain
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]52BOOTSTRAP_P12=$NAME.p12
Instrumentalbc299c02018-09-25 06:42:31 -0500[diff] [blame]53BOOTSTRAP_ISSUER=$NAME.issuer
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]54
55
56# If Signer doesn't exist, create Self-Signed CA
57if [ ! -e "$SIGNER_P12" ]; then
58 # Creating Signer CA
59 openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]60 -newkey rsa:4096 -subj /CN="Signer$(cat subject.aaf)" \
61 -keyout $SIGNER_KEY -out $SIGNER_CRT -days 365 -passout stdin << EOF
62$PASSPHRASE
63EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]64
65 # Move to P12 (Signer)
66 openssl pkcs12 -name RootCA -export -in $SIGNER_CRT -inkey $SIGNER_KEY -out $SIGNER_P12 -passin stdin -passout stdin << EOF
67$PASSPHRASE
68$PASSPHRASE
69$PASSPHRASE
70EOF
71
72else
73 # Get Private key from P12
74 openssl pkcs12 -in $SIGNER_P12 -nocerts -nodes -passin stdin -passout stdin -out $SIGNER_KEY << EOF
75$PASSPHRASE
76$PASSPHRASE
77EOF
78
79 # Get Cert from P12
80 openssl pkcs12 -in $SIGNER_P12 -clcerts -nokeys -passin stdin -out $SIGNER_CRT << EOF
81$PASSPHRASE
82EOF
83
84fi
85
86# SANS
87cp san.conf $BOOTSTRAP_SAN
Instrumental1e3be602018-10-03 19:40:44 -0500[diff] [blame]88SANS=$FQDN
89if [ "$FQDN" -ne "$HOSTNAME" ]; then
90 SANS="$SANS $HOSTNAME"
91fi
92
93for ROOT in $(cat san_root.aaf); do
94 SANS="$SANS $ROOT"
Instrumental12414fe2019-01-22 10:27:32 -0600[diff] [blame]95 for C in service locate oauth token introspect gui cm hello; do
Instrumental1e3be602018-10-03 19:40:44 -0500[diff] [blame]96 SANS="$SANS $C.$ROOT"
97 done
98done
Instrumental65cdc092018-10-15 12:34:59 -0500[diff] [blame]99
Instrumental12414fe2019-01-22 10:27:32 -0600[diff] [blame]100for C in service locate oauth token introspect gui cm hello; do
Instrumental65cdc092018-10-15 12:34:59 -0500[diff] [blame]101 SANS="$SANS aaf-$C"
102 SANS="$SANS aaf-$C.onap"
103done
104
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]105NUM=1
Instrumental1e3be602018-10-03 19:40:44 -0500[diff] [blame]106for D in $SANS; do
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]107 echo "DNS.$NUM = $D" >> $BOOTSTRAP_SAN
108 NUM=$((NUM+1))
109done
110
111# Create CSR
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]112openssl req -new -newkey rsa:2048 -nodes -keyout $BOOTSTRAP_KEY \
113 -out $BOOTSTRAP_CSR -outform PEM -subj "$SUBJECT" \
114 -passout stdin << EOF
115$PASSPHRASE
116EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]117
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]118echo Sign it
119openssl ca -batch -config openssl.conf -extensions server_cert \
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]120 -cert $SIGNER_CRT -keyfile $SIGNER_KEY \
121 -policy policy_loose \
Instrumental08e93402018-10-03 08:38:52 -0500[diff] [blame]122 -days 365 \
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]123 -passin stdin \
124 -out $BOOTSTRAP_CRT \
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]125 -extfile $BOOTSTRAP_SAN \
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]126 -infiles $BOOTSTRAP_CSR << EOF
127$PASSPHRASE
128EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]129
130# Make a P12
131# Add THIS Intermediate CA into chain
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]132cat $BOOTSTRAP_CRT
133cp $BOOTSTRAP_CRT $BOOTSTRAP_CHAIN
134cat $SIGNER_CRT >> $BOOTSTRAP_CHAIN
Instrumental08e93402018-10-03 08:38:52 -0500[diff] [blame]135cat $BOOTSTRAP_CHAIN
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]136
137# Note: Openssl will pickup and load all Certs in the Chain file
Instrumental08e93402018-10-03 08:38:52 -0500[diff] [blame]138#openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -CAfile $SIGNER_CRT -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalb8a81292018-08-23 16:32:45 -0500[diff] [blame]139openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CHAIN -inkey $BOOTSTRAP_KEY -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]140$PASSPHRASE
141$PASSPHRASE
142$PASSPHRASE
143EOF
144
Instrumentalbc299c02018-09-25 06:42:31 -0500[diff] [blame]145# Make Issuer name
Instrumentaldd097a42019-02-20 17:14:20 -0600[diff] [blame]146ISSUER=$(openssl x509 -subject -noout -in $SIGNER_CRT | cut -c 9- | sed -e 's/ = /=/g' -e 's/\//, /g')
Instrumental2b46f762019-02-20 11:14:41 -0600[diff] [blame]147for I in $ISSUER; do
148 if [ -z "$REVERSE" ]; then
149 REVERSE="${I%,}"
150 else
151 REVERSE="${I%,}, ${REVERSE}"
Instrumentalbc299c02018-09-25 06:42:31 -0500[diff] [blame]152 fi
Instrumentalbc299c02018-09-25 06:42:31 -0500[diff] [blame]153done
Instrumental2b46f762019-02-20 11:14:41 -0600[diff] [blame]154echo "$REVERSE" > $BOOTSTRAP_ISSUER
Instrumentalbc299c02018-09-25 06:42:31 -0500[diff] [blame]155
Instrumentalcc596dd2018-08-23 09:52:14 -0500[diff] [blame]156# Cleanup
Instrumental08e93402018-10-03 08:38:52 -0500[diff] [blame]157rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $SIGNER_KEY $SIGNER_CRT $BOOTSTRAP_CHAIN