blob: 6ccc6bfa425a68b7009a69c2dda059dd2d30aa35 [file] [log] [blame]
Instrumental7a1817b2018-11-05 11:11:15 -06001#!/bin/bash
2#########
3# ============LICENSE_START====================================================
4# org.onap.aaf
5# ===========================================================================
6# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
7# ===========================================================================
8# Licensed under the Apache License, Version 2.0 (the "License");
9# you may not use this file except in compliance with the License.
10# You may obtain a copy of the License at
11#
12# http://www.apache.org/licenses/LICENSE-2.0
13#
14# Unless required by applicable law or agreed to in writing, software
15# distributed under the License is distributed on an "AS IS" BASIS,
16# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17# See the License for the specific language governing permissions and
18# limitations under the License.
19# ============LICENSE_END====================================================
Instrumentalcc596dd2018-08-23 09:52:14 -050020#
21# Streamlined AAF Bootstrap initial Cert
22# Removed Variables so it can be run for AutoDeployments
23#
24echo "Bootstrap AAF Certificate"
Instrumentalb8a81292018-08-23 16:32:45 -050025mkdir -p private certs newcerts
26chmod 700 private
27chmod 755 certs newcerts
28touch index.txt
29echo "unique_subject = no" > index.txt.attr
Instrumental0d4ec122018-08-30 14:33:08 -050030if [ ! -e ./serial ]; then
Instrumental93871ff2018-10-15 07:37:28 -050031 echo $(date +%s)_$(shuf -i 0-1000000 -n 1) > ./serial
Instrumental0d4ec122018-08-30 14:33:08 -050032fi
Instrumentalb8a81292018-08-23 16:32:45 -050033
Instrumentalcc596dd2018-08-23 09:52:14 -050034NAME=aaf.bootstrap
Instrumental27afb022019-02-07 16:36:56 -060035HOSTNAME="${HOSTNAME:=$(hostname -)}"
36FQDN="${aaf_locator_fqdn:=$HOSTNAME}"
Instrumentalcc596dd2018-08-23 09:52:14 -050037FQI=aaf@aaf.osaaf.org
38SUBJECT="/CN=$FQDN/OU=$FQI`cat subject.aaf`"
39SIGNER_P12=$1
40SIGNER_KEY=/tmp/aaf_signer.key
41SIGNER_CRT=/tmp/aaf_signer.crt
42PASSPHRASE=$2
43if [ "PASSPHRASE" = "" ]; then
44 PASSPHRASE="something easy"
45fi
46BOOTSTRAP_SAN=/tmp/$NAME.san
47BOOTSTRAP_KEY=/tmp/$NAME.key
48BOOTSTRAP_CSR=/tmp/$NAME.csr
49BOOTSTRAP_CRT=/tmp/$NAME.crt
Instrumentalb8a81292018-08-23 16:32:45 -050050BOOTSTRAP_CHAIN=/tmp/$NAME.chain
Instrumentalcc596dd2018-08-23 09:52:14 -050051BOOTSTRAP_P12=$NAME.p12
Instrumentalbc299c02018-09-25 06:42:31 -050052BOOTSTRAP_ISSUER=$NAME.issuer
Instrumentalcc596dd2018-08-23 09:52:14 -050053
54
55# If Signer doesn't exist, create Self-Signed CA
56if [ ! -e "$SIGNER_P12" ]; then
57 # Creating Signer CA
58 openssl req -config openssl.conf -x509 -sha256 -extensions v3_ca \
Instrumentalb8a81292018-08-23 16:32:45 -050059 -newkey rsa:4096 -subj /CN="Signer$(cat subject.aaf)" \
60 -keyout $SIGNER_KEY -out $SIGNER_CRT -days 365 -passout stdin << EOF
61$PASSPHRASE
62EOF
Instrumentalcc596dd2018-08-23 09:52:14 -050063
64 # Move to P12 (Signer)
65 openssl pkcs12 -name RootCA -export -in $SIGNER_CRT -inkey $SIGNER_KEY -out $SIGNER_P12 -passin stdin -passout stdin << EOF
66$PASSPHRASE
67$PASSPHRASE
68$PASSPHRASE
69EOF
70
71else
72 # Get Private key from P12
73 openssl pkcs12 -in $SIGNER_P12 -nocerts -nodes -passin stdin -passout stdin -out $SIGNER_KEY << EOF
74$PASSPHRASE
75$PASSPHRASE
76EOF
77
78 # Get Cert from P12
79 openssl pkcs12 -in $SIGNER_P12 -clcerts -nokeys -passin stdin -out $SIGNER_CRT << EOF
80$PASSPHRASE
81EOF
82
83fi
84
85# SANS
86cp san.conf $BOOTSTRAP_SAN
Instrumental1e3be602018-10-03 19:40:44 -050087SANS=$FQDN
88if [ "$FQDN" -ne "$HOSTNAME" ]; then
89 SANS="$SANS $HOSTNAME"
90fi
91
92for ROOT in $(cat san_root.aaf); do
93 SANS="$SANS $ROOT"
Instrumental12414fe2019-01-22 10:27:32 -060094 for C in service locate oauth token introspect gui cm hello; do
Instrumental1e3be602018-10-03 19:40:44 -050095 SANS="$SANS $C.$ROOT"
96 done
97done
Instrumental65cdc092018-10-15 12:34:59 -050098
Instrumental12414fe2019-01-22 10:27:32 -060099for C in service locate oauth token introspect gui cm hello; do
Instrumental65cdc092018-10-15 12:34:59 -0500100 SANS="$SANS aaf-$C"
101 SANS="$SANS aaf-$C.onap"
102done
103
Instrumentalcc596dd2018-08-23 09:52:14 -0500104NUM=1
Instrumental1e3be602018-10-03 19:40:44 -0500105for D in $SANS; do
Instrumentalcc596dd2018-08-23 09:52:14 -0500106 echo "DNS.$NUM = $D" >> $BOOTSTRAP_SAN
107 NUM=$((NUM+1))
108done
109
110# Create CSR
Instrumentalb8a81292018-08-23 16:32:45 -0500111openssl req -new -newkey rsa:2048 -nodes -keyout $BOOTSTRAP_KEY \
112 -out $BOOTSTRAP_CSR -outform PEM -subj "$SUBJECT" \
113 -passout stdin << EOF
114$PASSPHRASE
115EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500116
Instrumentalb8a81292018-08-23 16:32:45 -0500117echo Sign it
118openssl ca -batch -config openssl.conf -extensions server_cert \
Instrumentalcc596dd2018-08-23 09:52:14 -0500119 -cert $SIGNER_CRT -keyfile $SIGNER_KEY \
120 -policy policy_loose \
Instrumental08e93402018-10-03 08:38:52 -0500121 -days 365 \
Instrumentalb8a81292018-08-23 16:32:45 -0500122 -passin stdin \
123 -out $BOOTSTRAP_CRT \
Instrumentalcc596dd2018-08-23 09:52:14 -0500124 -extfile $BOOTSTRAP_SAN \
Instrumentalb8a81292018-08-23 16:32:45 -0500125 -infiles $BOOTSTRAP_CSR << EOF
126$PASSPHRASE
127EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500128
129# Make a P12
130# Add THIS Intermediate CA into chain
Instrumentalb8a81292018-08-23 16:32:45 -0500131cat $BOOTSTRAP_CRT
132cp $BOOTSTRAP_CRT $BOOTSTRAP_CHAIN
133cat $SIGNER_CRT >> $BOOTSTRAP_CHAIN
Instrumental08e93402018-10-03 08:38:52 -0500134cat $BOOTSTRAP_CHAIN
Instrumentalcc596dd2018-08-23 09:52:14 -0500135
136# Note: Openssl will pickup and load all Certs in the Chain file
Instrumental08e93402018-10-03 08:38:52 -0500137#openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CRT -inkey $BOOTSTRAP_KEY -CAfile $SIGNER_CRT -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalb8a81292018-08-23 16:32:45 -0500138openssl pkcs12 -name $FQI -export -in $BOOTSTRAP_CHAIN -inkey $BOOTSTRAP_KEY -out $BOOTSTRAP_P12 -passin stdin -passout stdin << EOF
Instrumentalcc596dd2018-08-23 09:52:14 -0500139$PASSPHRASE
140$PASSPHRASE
141$PASSPHRASE
142EOF
143
Instrumentalbc299c02018-09-25 06:42:31 -0500144# Make Issuer name
Instrumentaldd097a42019-02-20 17:14:20 -0600145ISSUER=$(openssl x509 -subject -noout -in $SIGNER_CRT | cut -c 9- | sed -e 's/ = /=/g' -e 's/\//, /g')
Instrumental2b46f762019-02-20 11:14:41 -0600146for I in $ISSUER; do
147 if [ -z "$REVERSE" ]; then
148 REVERSE="${I%,}"
149 else
150 REVERSE="${I%,}, ${REVERSE}"
Instrumentalbc299c02018-09-25 06:42:31 -0500151 fi
Instrumentalbc299c02018-09-25 06:42:31 -0500152done
Instrumental2b46f762019-02-20 11:14:41 -0600153echo "$REVERSE" > $BOOTSTRAP_ISSUER
Instrumentalbc299c02018-09-25 06:42:31 -0500154
Instrumentalcc596dd2018-08-23 09:52:14 -0500155# Cleanup
Instrumental08e93402018-10-03 08:38:52 -0500156rm -f $BOOTSTRAP_SAN $BOOTSTRAP_KEY $BOOTSTRAP_CSR $BOOTSTRAP_CRT $SIGNER_KEY $SIGNER_CRT $BOOTSTRAP_CHAIN