From e69a7d344e315357081e3d1d729f8004c18ecd9c Mon Sep 17 00:00:00 2001
From: Ojasva Jain
Date: Wed, 26 Nov 2025 18:33:40 +0530
Subject: [PATCH 1/3] hardcoded provider config and added -ve test case for fips testing

---
 src/rdkafka.c | 17 +++++++++++++++++
 tests/CMakeLists.txt | 1 +
 tests/test.c | 2 ++
 3 files changed, 20 insertions(+)

diff --git a/src/rdkafka.c b/src/rdkafka.c
index c6f89ad46..9444bbf55 100644
--- a/src/rdkafka.c
+++ b/src/rdkafka.c
@@ -2337,6 +2337,23 @@ rd_kafka_t *rd_kafka_new(rd_kafka_type_t type,
 else
 conf = app_conf;
+ /* Set default FIPS and debug configuration */
+ if (rd_kafka_conf_set(conf, "ssl.providers", "fips,base", errstr,
+ errstr_size) != RD_KAFKA_CONF_OK) {
+ if (!app_conf)
+ rd_kafka_conf_destroy(conf);
+ rd_kafka_set_last_error(RD_KAFKA_RESP_ERR__INVALID_ARG, EINVAL);
+ return NULL;
+ }
+ if (rd_kafka_conf_set(conf, "debug", "security", errstr,
+ errstr_size) != RD_KAFKA_CONF_OK) {
+ if (!app_conf)
+ rd_kafka_conf_destroy(conf);
+ rd_kafka_set_last_error(RD_KAFKA_RESP_ERR__INVALID_ARG, EINVAL);
+ return NULL;
+ }
+
+ /* Verify and finalize configuration */
 if ((conf_err = rd_kafka_conf_finalize(type, conf))) {
 /* Incompatible configuration settings */
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 324281bd9..592949e36 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -144,6 +144,7 @@ set(
 0151-purge-brokers.c
 0152-rebootstrap.c
 0153-memberid.c
+ 0154-ssl_keys_3des_fips.c
 8000-idle.cpp
 8001-fetch_from_follower_mock_manual.c
 test.c
diff --git a/tests/test.c b/tests/test.c
index 42e525a9c..bbd669351 100644
--- a/tests/test.c
+++ b/tests/test.c
@@ -272,6 +272,7 @@ _TEST_DECL(0150_telemetry_mock);
 _TEST_DECL(0151_purge_brokers_mock);
 _TEST_DECL(0152_rebootstrap_local);
 _TEST_DECL(0153_memberid);
+_TEST_DECL(0154_ssl_keys_3des_fips);
 /* Manual tests */
 _TEST_DECL(8000_idle);
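Review bot: The two new `rd_kafka_conf_set()` calls overwrite whatever the application configured for `ssl.providers` and `debug`, for every client including plaintext ones: on a host whose OpenSSL has no fips provider every `rd_kafka_new()` now fails, and `debug=security` forces verbose security logging on all users. The commit title itself calls this hardcoded, so it should not merge as-is: gate it (for example apply the provider default only when the application has not set `ssl.providers`, or put it behind a test-only switch), and drop the `debug` override entirely since the test can call `test_conf_set(conf, "debug", "security");` itself. If a library-wide default for `ssl.providers` is really intended, it belongs with the property's declared default in the configuration table rather than in rd_kafka_new(). rd_kafka_new() begins and ends outside the hunk.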
@@ -540,6 +541,7 @@ struct test tests[] = {
 _TEST(0151_purge_brokers_mock, TEST_F_LOCAL),
 _TEST(0152_rebootstrap_local, TEST_F_LOCAL),
 _TEST(0153_memberid, 0, TEST_BRKVER(0, 4, 0, 0)),
+ _TEST(0154_ssl_keys_3des_fips, TEST_F_LOCAL),
 /* Manual tests */
 _TEST(8000_idle, TEST_F_MANUAL),

From 4770d7a858173dadd757fb0012225c653470498d Mon Sep 17 00:00:00 2001
From: Ojasva Jain
Date: Fri, 5 Dec 2025 13:16:49 +0530
Subject: [PATCH 2/3] implement test case

---
 tests/0154-ssl_keys_3des_fips.c | 126 ++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 tests/0154-ssl_keys_3des_fips.c

diff --git a/tests/0154-ssl_keys_3des_fips.c b/tests/0154-ssl_keys_3des_fips.c
new file mode 100644
index 000000000..b5feebc8f
--- /dev/null
+++ b/tests/0154-ssl_keys_3des_fips.c
@@ -0,0 +1,126 @@
+/*
+ * librdkafka - Apache Kafka C library
+ *
+ * Copyright (c) 2025, Magnus Edenhill
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "test.h"
+#include "rdstring.h"
+
+/**
+ * @brief Tests that 3DES encrypted SSL keys/keystores are rejected when
+ * FIPS mode is enabled.
+ *
+ * Uses keys from fixtures/ssl/fips_testing that are encrypted with 3DES,
+ * which is not FIPS 140-3 compliant and should fail to load.
+ */
+static void do_test_3des_keys_fail(const char *type) {
+#define TEST_FIPS_FIXTURES_FOLDER "./fixtures/ssl/fips_testing/"
+#define TEST_FIPS_KEYSTORE_PASSWORD "use_strong_password_keystore_client"
+#define TEST_FIPS_KEY_PASSWORD "use_strong_password_keystore_client2"
+#define TEST_FIPS_KEYSTORE_LOCATION TEST_FIPS_FIXTURES_FOLDER "client.keystore.p12"
+#define TEST_FIPS_CERTIFICATE_LOCATION \
+ TEST_FIPS_FIXTURES_FOLDER "client2.certificate.pem"
+#define TEST_FIPS_KEY_LOCATION TEST_FIPS_FIXTURES_FOLDER "client2.key"
+
+ rd_kafka_conf_t *conf;
+ rd_kafka_t *rk;
+ char errstr[512];
+
+ SUB_TEST_QUICK("3DES keystore type = %s, expect failure in FIPS mode",
+ type);
+
+ /* Don't use test_conf_init otherwise
+ * key file configuration value conflicts
+ * with PEM string configuration,
+ * when running in --ssl mode. */
+ conf = rd_kafka_conf_new();
+ test_conf_set(conf, "security.protocol", "SSL");
+
+ if (!strcmp(type, "PKCS12")) {
+ test_conf_set(conf, "ssl.keystore.location",
+ TEST_FIPS_KEYSTORE_LOCATION);
+ test_conf_set(conf, "ssl.keystore.password",
+ TEST_FIPS_KEYSTORE_PASSWORD);
+ } else if (!strcmp(type, "PEM")) {
+ test_conf_set(conf, "ssl.certificate.location",
+ TEST_FIPS_CERTIFICATE_LOCATION);
+ test_conf_set(conf, "ssl.key.location",
+ TEST_FIPS_KEY_LOCATION);
+ test_conf_set(conf, "ssl.key.password",
+ TEST_FIPS_KEY_PASSWORD);
+ } else if (!strcmp(type, "PEM_STRING")) {
+ char buf[1024 * 50];
+ if (!test_read_file(TEST_FIPS_CERTIFICATE_LOCATION, buf,
+ sizeof(buf)))
+ TEST_FAIL("Failed to read certificate file\n");
+ test_conf_set(conf, "ssl.certificate.pem", buf);
+
+ if (!test_read_file(TEST_FIPS_KEY_LOCATION, buf, sizeof(buf)))
+ TEST_FAIL("Failed to read key file\n");
+ test_conf_set(conf, "ssl.key.pem", buf);
+
+ test_conf_set(conf, "ssl.key.password",
+ TEST_FIPS_KEY_PASSWORD);
+ } else {
+ TEST_FAIL("Unexpected key type\n");
+ }
+
+ /* Attempt to create Kafka client - should FAIL due to 3DES in FIPS
+ * mode */
+ rk = rd_kafka_new(RD_KAFKA_PRODUCER, conf, errstr, sizeof(errstr));
+ if (rk != NULL) {
+ TEST_FAIL(
+ "Expected rd_kafka creation to fail with 3DES encrypted "
+ "keys in FIPS mode, but it succeeded\n");
+ rd_kafka_destroy(rk);
+ } else {
+ TEST_SAY(
+ "rd_kafka_new() correctly failed with 3DES keys in FIPS "
+ "mode: %s\n",
+ errstr);
+ /* Configuration is destroyed by rd_kafka_new on failure */
+ }
+
+ SUB_TEST_PASS();
+
+#undef TEST_FIPS_KEYSTORE_PASSWORD
+#undef TEST_FIPS_KEY_PASSWORD
+#undef TEST_FIPS_KEYSTORE_LOCATION
+#undef TEST_FIPS_CERTIFICATE_LOCATION
+#undef TEST_FIPS_KEY_LOCATION
+#undef TEST_FIPS_FIXTURES_FOLDER
+}
+
+
+int main_0154_ssl_keys_3des_fips(int argc, char **argv) {
+ /* Test all three key format types with 3DES encryption
+ * All should fail when FIPS mode is enabled */
+ do_test_3des_keys_fail("PKCS12");
+ do_test_3des_keys_fail("PEM");
+ do_test_3des_keys_fail("PEM_STRING");
+
+ return 0;
+}
\ No newline at end of file

From 668f945de298690a30e25a63f39bf6df8c43f293 Mon Sep 17 00:00:00 2001
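Review bot: do_test_3des_keys_fail() never sets `ssl.providers` itself, so the FIPS condition it claims to test comes entirely from the hard-coded override in src/rdkafka.c from the first patch, and the `rk == NULL` branch only logs `errstr` without checking why creation failed — once that override is gated or removed, this negative test keeps passing on any unrelated `rd_kafka_new()` failure (missing fips provider, wrong fixture path, bad password). Set the provider explicitly next to the `security.protocol` line with `test_conf_set(conf, "ssl.providers", "fips,base");` and assert on the cause, at minimum that `errstr` is non-empty and refers to the key/keystore load rather than provider setup. main_0154_ssl_keys_3des_fips() should also skip on builds without SSL, as the other ssl tests do with `if (!test_check_builtin("ssl")) { TEST_SKIP("Test requires SSL support\n"); return 0; }`. The `rd_kafka_destroy(rk)` after `TEST_FAIL(...)` appears unreachable if TEST_FAIL aborts the test as elsewhere in the suite, and the file is missing its trailing newline.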
From: Ojasva Jain
Date: Fri, 5 Dec 2025 13:19:06 +0530
Subject: [PATCH 3/3] add fixtures for negative test case

---
 tests/fixtures/ssl/fips_testing/Makefile | 8 +
 .../client.keystore.intermediate.p12 | Bin 0 -> 4098 bytes
 .../ssl/fips_testing/client.keystore.p12 | Bin 0 -> 3282 bytes
 .../client2.certificate.intermediate.pem | 67 +++++++
 .../ssl/fips_testing/client2.certificate.pem | 46 +++++
 .../ssl/fips_testing/client2.intermediate.key | 34 ++++
 tests/fixtures/ssl/fips_testing/client2.key | 34 ++++
 .../fixtures/ssl/fips_testing/create_keys.sh | 189 ++++++++++++++++++
 8 files changed, 378 insertions(+)
 create mode 100644 tests/fixtures/ssl/fips_testing/Makefile
 create mode 100644 tests/fixtures/ssl/fips_testing/client.keystore.intermediate.p12
 create mode 100644 tests/fixtures/ssl/fips_testing/client.keystore.p12
 create mode 100644 tests/fixtures/ssl/fips_testing/client2.certificate.intermediate.pem
 create mode 100644 tests/fixtures/ssl/fips_testing/client2.certificate.pem
 create mode 100644 tests/fixtures/ssl/fips_testing/client2.intermediate.key
 create mode 100644 tests/fixtures/ssl/fips_testing/client2.key
 create mode 100755 tests/fixtures/ssl/fips_testing/create_keys.sh

diff --git a/tests/fixtures/ssl/fips_testing/Makefile b/tests/fixtures/ssl/fips_testing/Makefile
new file mode 100644
index 000000000..d12bbda9f
--- /dev/null
+++ b/tests/fixtures/ssl/fips_testing/Makefile
@@ -0,0 +1,8 @@
+ssl_keys: clear_keys
+ @./create_keys.sh client client2
+
+clear_keys:
+ @rm -f *.key *.crt *.jks \
+ *.csr *.pem *.p12 *.srl extfile
+
+.PHONY: ssl_keys
diff --git a/tests/fixtures/ssl/fips_testing/client.keystore.intermediate.p12 b/tests/fixtures/ssl/fips_testing/client.keystore.intermediate.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2e9411e2fa8f632baf9c050ce0ddf0ec9b7917b6 GIT binary patch literal 4098 zcmZXWcQhM}zs8A#n5iH}?OiiQYL6mTqBUB3)ZVIS2}MQ4-qfsJwWHLgO3hj|!;6}w zp;~)X>Fw{Fd+&SCxqp1m_nhZ*&hzJUK5#7L8bC@0$3i;EDMfI)xHDQ(3eqAhq!x&U zRQ`=$!?9Fq|041tEEW83BnBWQ`TGR^C8Th6a;pDsp!wTK2Lz)IbKUhSvXub&b5tTBV`kI>Ted5>LF*bwa->Cz0diXIk(z0c8tHBaA>5@YY@6xnbqyRk}|v96)q!Z4;6FVDPdrBkALT4y(B#$T8RPOePvBi z7(kR%13Gp)xED+;OE6aotouEV$s04{w@{YBHYMAPmjUQ=wR!E*Ze!aXmJds z;x4#%wzKJUITJ<;;uhg`R}2h0xhJXWCBv+Cr4W-YUYdfd=E=#{)x}e*A3)76glQ%8 zK(E3$Q%yuO6gCQqaZ5iC- zi*}O512~EP86f9rFrEJ4@5X9iqpLJ8i30QKDq2;{IU%GSjBq-C$nVqp zVNU=bT}1KCdhn1`T^@#fvV{s&&I(4!IqV( z^nue&bH6XPA=UAvjmtymdtXV*H{S?W%s@sf2!jmX%d}Rofb9FMX~MiS_Z`=M+8nyv>a*0Sg2RcYb9$F!6T3_ zQ}rpk(1oHo@yiVb>L@h1K}awQi*l>%z{U45wSJAk4o)#zp~+(m8?Z#-5aR?YW$x4% zi5NtstDv_PW~6KHcBhkcjXpJ!y8Lb}I}_4_$x9#Jx{?9I{43qM_|lOJU9XdyD-AU{ zb3yDA{c9sr7Vs;|G{!J?)>)&CqmB6y8rvjhp2`|_=$q6awBSFaRH#wH(>B&I%u#4e z08kz8zqIYg*7f#4_sKiMAyxe_6MCL?QP}w6c5R!309%#ZFC9qgx$z0V@VYvwsZjO8m`IC3 zg@c3cTIsaBxe{20c-0++k{DH@ip3TP$BnKTmDX+T=OxQN{jlY28~c+ElH4H z(Bbmq@bg`vq{iM2X(y&O;XP)N%K)wLk%cU=YpYgE?lP87f?|WV@or?=1b;`@j;Sm2 zaYa&LzS6Adfb})7kPngMcI=$t=wv$$kQ$k}@%e!&vwnw?MYF@{^%6Z-MhlN$?6v9D zI(>D+rtWr2l?LcpJRbnMLYp0sz7+&4x3@S?rKuND&b?`*M)NFY;dz37E=4P0|vQ`1nuu=^=K*L$d6s#99 zCscS_Q&=(5o{Wn2VHUKyXI|a5650UbuvGYB$5FuN_r~(ZSSeJ(dmGOGc!$V_bXIzw z7r6kSZ0p{nY3KqU#}Q>=mve$~dI{YT<$h`D%dBoHXZ31)(V)4ad%xIB*i40ZL*@m7 z+f=_&3-zO3THNea71z9}<2^gT%I_ZmwHOn;!AzfeLxD>v^>xeSXVoTDgB}y!BJ)@# z;R7di#i2GAhuCS0dFQzBAVBKf; zd(O`g59HEj5z3Lmua12eH}mMe$45=em`r(<$wscMQ&bqp>-VTetg=`@ZfY0(T%`4% zY7Ek$e@qGXc^2F%7xPD_>7!Xy6(CV&>JIfg83eid#{~3@&E{&ne^-`G{?(@0dnfwVQcc7f|q;GLy;%APHT|0 ztk*0cLw0(T5Rss8@<;kRiSLISMGUpG81;~F;+Y2Crw~zB#kSdRYvu7DJFnb?JXV8BNG*6 zD>*2cb99wjVn-Wm_tor_v9KM`S~`7cx_`v4X}6Ap(jOm9a_oyLd1 
zoebDBs_A%cX)8_>lyY`;U}j?u_UvOUuzGTPpTQw}<;A=A&OoAX=atz-G51o#qa<6N zC>3-P(=}9UY2AFB!>vHWmR31Uk1+iEWoC`WL&J=D*-Ih1Ig&3S=|m5jA5qv09Ckvie5pOC7d-I@%aY7}(@@Rl@;)A9JV=K{qS z)ys9S{ST&E_9S-}_f*_fV1{!Vk3~1L_NyqV^?aLp#OsJdqpgP7RDF3- zP0yJp_P-UdniA7NNLP#Hl?V)haDh>(qbR&#kk-d)ZRrBi5rX@x1S;#Zugu+wO{BB_AjhlFYF9qHh>A-60xG zj1(QPZ{9VL7bdzg@d}R6pt87LKZ!FD`EB7-(&2A;q1hC59He*yYkc9{CZDt!pyP?3 zLefF+Wx=r^+y5hqMOe^1AQpuB8|(Z%O>*l0(MBp#KoJ)B1C9mm{C}Io%Pu4y6f_0= z$0mVT;1Iu4zODaQ%R2wo9O5ADts(!@Q3;@P9zA`kqUpX}@i@ZChT<2@is1GPIZ~xZNYsdBA!+wU8NBjQl+MP}a?@+a-S9LO&bvVeFqKac^J&tZ;=KCvc zHRdMqWK+YIFkuyygJy1yz?SK=98JYYxodLd#Hq1$&Ss*`PmDYCF8F78Hc7vB+CBUH zguuFSk>24K>H!!f=2}>Ci+>1&J?H6UZ$LXm5qZ2U;1U4 zMoxr)yeQ>h@56s~QZ2se(YLH1gKc{kQk(%M=}mD;Q{G>6j_n4dQ8D^gAB2s(A#x8^ zwhiPxLl2!uiZuDx_%+I}!J`P{f;ZhxeW_g%M$S2R|4}KK9UdcjBInXP*PC8jz#{ry zuztu0_i9ci=kxO_!bdlg&BJ(zFvV*9H)LJYn150=n%usnUT(gTg=b=mXE$Dl0F#(s z>!JP}@`HvIr+;+-@Naqh^lK#;)#tgf7BIaY^aVPwwe1uhX!DVJOHlRTjGQ@geCM- zIL}nPL%_5RPt#U$9E@wUnE`{Qd75ZqURj}pTr-gg8cka8f;~@}t(OsCn?Ak$i$o=} zpBxNoYUGuDyB61lNb|R6{lU^Zl=9UUo^?MnU_4h`t$FK;&F}#{{zsGkFG|~ffhC%n z7Hyxyp^sy0$^yF#8=XF;%`d3Q_tVZP@v?%7i(FSIcP?g7p7;u!?a@0g z6Z(1Iw>j63FER2HkvVbYo!!WcH`t7MvdIh@&EPf6jA`?yh%rvdH?v+r4h__kUJR)t z&mQ++?Yecy5f$O!N^pnT1I%p@=frRf%RE&=88z18B-%AZ9p!MprJfL9zL17x@sJpR zz0cb2Zj1LDPX>8LEG_tE*|qqc^B%KM;1eO5w+)hKXJoozd>QoQ=gxbuwW z$xfKi$2K1F_gDCS&Z^%q7au8{K?3Yjgv}ZZZ7@d_=Jkta1u83A?t!hlW2txIKMofe zZ{QA10a;wQYFaB(cU|Kr78}}AZ!i4wX~c595_jWKv`IWVx|s~SF*vdKb?tORKYo*X zmnaSHdzjRqfF~o|vyP)*LZnJOR2E~BAKi_8;)zEPr8M9-|92fJ8KvkrX-FJNyhz+h zoJo900^ofALMAB~kWr$9DoGW(F1CFBB7pSmXWSaZ2L@Mw^S~*|L85eI05%W_ka1-* rY|vYl_Vbq5p=B literal 0 HcmV?d00001 
diff --git a/tests/fixtures/ssl/fips_testing/client.keystore.p12 b/tests/fixtures/ssl/fips_testing/client.keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..b69707a52d798eac927755f8367661915c19a778 GIT binary patch literal 3282 zcmZXVcQhM}8pab6F=GZ*D=iwcK^3(}jiOdaiBWr%)?OuT)Q;LkNs(H$O0Cvt&1%e2 zv&5)XqbRMdx!-rrz4yE4+&|v)p7Z?9dH#HUNF3u36_6TTQ4oRX@?z8QJxU0C)zR`*Zd~59aF? z2lDC^iybreRX0TjS~>G3x4)kEWN0mhpd~~1#X()LG0Uw5k{jxLn4m?)E`P2y%O;*) zev3RgbYaD$F}^Deo>w^TfX0?`HC3}!e&9vd+I z9pBeDCK=pYrVx;Kqqv15IGG?xkdqKXPTMXCHf z31%k?q@O(qin#AJNfbB{zE_f}4 zb$v0MJWVi;+PbBmy)Xo;ZgELEJPlq85f{8p$M(Hk-u)EqtBfiQvSFjv@~{cV3iAt} zZ&>&H`>Ui@#Uz=ksif_&dhf-Jj>v@gq(t*B3Ubq!K23-_Skbj`E|wvee(z5Db3?6K zk>vd);Zh@x3z6pUd3$CCse8il?LrUqO)F6n{i6#it(SrAsR*|$Tr=>C)R~re5Hayn z9oQRoSDS~UJT~Z(-=U#K33=Dt;rT*eyOS~vXaaX_^IUJT!t)NMlEPbs!g^N98Hri&~65^@X+$=%g}R_7rO?l)BGXoq0Zy)9n7u{_K3(>)f~ zyPdbne4z!~i#b~Ts%*J!bWTA>;Bdl_B5_M6K{4v(tl_)){yBdj!K{=8?!chzlBp zr80tQ6*%tWGjVka?562Jxdj{FLNI(O)W(|H`;l?Im)mH}{-1K&HImt4zj}P#nMwLV zn|CA$D~DyH==PG$FnwZD@uhnP#SbQ}NR6f3`F!u$f?jIt-|4NKRz2pEj@M58=CU7B-TNc7a~i>M1fvIssX?*+ za^<(tF4x7JtE=fNpK&?^MN&3&+r?#HSAQ<(CM}O&;hu1A-WNrv9%DAq1>e?#?P)BpZdlL`g)f_&gWcoKP z*vH!g;zpvj!)xZlzA5K8&g0l$jRCIX9n?!Mt6>bM3&c)UjLk|n_JsfoJ=IfaD!8a`-1aDeQ~x;NrYz3@8J0Vp zo^nlvd{f0r`xc$79Wy???Asu$X(8TY%Va;;Rrn?=9@uTkH@GXI;PWn7X-$lkr_8*V@Eb|GiPP7Zc58!@kb$K*x-(^`1qHe))+=ei8TGG%#1G=oDu64MFC|SxU{z zpB`ya^?RK}fOzs%p)qP`gLKtIdqhS@OU&TFV1 z>)513XzPcDxmd-LaN@3q>(PM>YA3$?aG>o@+lzD85D(BO;cy{r7R1}8n(+Gq>W2MR zsYgKSrm88!4)Mb64fZy4Gq2md0(?ls)0{-rh0ly_wW5P;(>}o=IrMct+Ah^?`0DMG zR>(r$pscc7xXV)?NCdE>^A6(RVzN^_Zs>i7vH*14=w8?;vk#TqsPz3Un=a`UN?X}wPtphS*9?BGV zA{5QKQPq|ApT#95Q<9rYWKBn?Tu$RRqECX#=7Pij}@Yflwbam{L{ zhRBLyj2;eDu2SJYB#UZI402%-VsYDieAN_@>F)%R9%eYd z^r}E*mAw~~Ms(DGo>6I}HrFaHaCwi{!8#Uqp7APf2{Q?gG!IHR3sFv(}mcUE&_5%7rSyh?+APBBKiYdFQR>V@+ko5cOu;5Bmf51F_8w<2w6~pAyZKS!FL_ zBXovTGL?TZ*7P|(@VvCdp{v0r(8>~qyEYV;Notao>JFa+k=h-5pE%mqjwYI<_0oHt 
z82ep@7HVIlpzf4{m}`2WkOMJ1#@+qhtHxn62X3pwwP+Nj$zlF-i300tt-wf4Dns$c>!!CsUX9c^QMGXQKNt;+^Vw)xS6np zC;nt{nhEh5Z11@OE6GbpOv%w%@$IYZ&suS1<1QRxR?U7_YiYXNuaD$nI+xZ&Ui|Mm z(s4*b`56IDfO`NBfD6C}5P-b=4}?i`f;dRvZMbY44erMEeuP=0oKf +subject=CN=caintermediate +issuer=CN=caroot +-----BEGIN CERTIFICATE----- +MIIC+jCCAeKgAwIBAgIUEb7JmmOH1eAXu8q/HZBQe1kwA/QwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2Fyb290MB4XDTI1MTEyNTE3NTQ1OFoXDTM1MTEyMzE3 +NTQ1OFowGTEXMBUGA1UEAwwOY2FpbnRlcm1lZGlhdGUwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQC0KdfACN5Y3b88l50Vu+3MXT/vVnZBv2CWgxXWFZtD +oPklE5g71zAdFf+grNDDIRyWO2oU93VVK/cNtxKE+PMr4D3gvBZnYDSiBwvuVNIo ++WnEEsIWVoewAlFSv3NAMynrmJ+ign6pDTCBanvYSu8/e7ZwLD6YiqNghlRfGGia +/g2K7kzlEsVb34ABJqKbxuTzImHIzqy98TVqnJj5+4OohWSMV8MIBbdkOJOxtLm0 +GLZ6puUAVHrpZZ/ie2l2w3y3CSjYEmfxZ4nwIvnkimXxBKqS5WG7NLNa8zlNsZFr +W6ADH60DNSBAjq/lARD8y8eJUS/PtuTPJucM/QNXMcoRAgMBAAGjQjBAMB0GA1Ud +DgQWBBQvBngTMqt1iYY1XMoF2IOUdlMImjAfBgNVHSMEGDAWgBRT0wgXL6D9sWYZ +tI4TrEv1V1sQ6jANBgkqhkiG9w0BAQsFAAOCAQEAiMbK67NhimMdCJVeQt9Ucwkd +UODxn6KH2WRCNA3Zp4hsofYcnqT/kHU4QFGs+JQyUzv8hlEz7YKA5qaSG+V85urQ +vORTmlY5R2AmPp23hB+cXyMIZh2pbcMhL4hWAAmjKAkLhvSCWxdkhwr3aid61qN1 +4aDt2xgaRmtaNfqglTeEbgz6oWfpWL7JtiyZbf4CRXCIn0h8WtrrpKtniAcPnwA7 +FMnho5q6gLrAHmESMaJR1fkBw0hIMjT3/S/CBQkPqZAe/ZDBK0SsjHuk3HVuv7WU +uh8BLXePCNi2EoJLT6tEJe0bfRxLjAzUBuv1aPXSGKziXf420nHQWhwLnnldlQ== +-----END CERTIFICATE----- +Bag Attributes: +subject=CN=caroot +issuer=CN=caroot +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZuT3ZRi/rg5tp/nJdJfMX7LqFswDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2Fyb290MB4XDTI1MTEyNTE3NTQ1OFoXDTI1MTIyNTE3 +NTQ1OFowETEPMA0GA1UEAwwGY2Fyb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEArvN1tXJiIvX6EOcOdHsKbsec3vg1u18JrvWkLV5ApF6I230x+vp3 +HP/4C4yxCjhR/1QrZVaYeaMPpm2T1Q21XxZBacl4SStQRbfho0vhZTNrQPN1SQKD +ICU8xjRe3+Nwtt1CEdbOP3NaEAZt7nUf4qViX/xUJzTj0POZ+dwImWf3WaDkmzL9 +94G7beei2OjWsLPZgXaVglNRAT8cyY5zXgY1gltSrjD1M/qJ7qGCufpCo3WbGIgN +nfROpDMqNUrjTJxWSpEE/xvFOwWa4yOwP8hy+7ZooTUy3UFds4HG7PVjgPF9Hg3N 
+4cDKFhg79ddyx/so6b80QiptxWoaPvcQ4QIDAQABoyEwHzAdBgNVHQ4EFgQUU9MI +Fy+g/bFmGbSOE6xL9VdbEOowDQYJKoZIhvcNAQELBQADggEBAJk4i0pcLTxBrInr +NVdDMwYK0ssIJ4TTicMosdsKYzT77UluJ23MklSMmv7Spl1rbC3zw252oH/hf0hS +FHN1z4Xfpi1DMPGLhWfMGQsPkYj+hIiXJoygfsUWjEpu1oR/kbycpjQDUaWMYvbs +mQYK6mBWa29qseXu5fvc9Q3PAJU3ZQrFjdk4QoJrJ3kw4Qskt+zGIx70iN7RyTQZ +WjAtEvLZlB+ZSNt54v3udcIsVm2yVEcHRB+1rnpufqVAZqIOmLmRQEUdPMFmmbTC +G/P/LmYrmWNUBblFpDNbgwAst1cpUQl+OrL11jOMCJvN94xaO/7p+nGgcNUswXU3 +ACnLv1g= +-----END CERTIFICATE----- diff --git a/tests/fixtures/ssl/fips_testing/client2.certificate.pem b/tests/fixtures/ssl/fips_testing/client2.certificate.pem new file mode 100644 index 000000000..538ffdc32 --- /dev/null +++ b/tests/fixtures/ssl/fips_testing/client2.certificate.pem 
@@ -0,0 +1,46 @@ +Bag Attributes + friendlyName: client2 + localKeyID: 03 D1 53 C3 1C C5 9C 05 C8 62 44 FF F8 CA A4 20 00 95 DE B5 +subject=C=, ST=, L=, O=, OU=, CN=client2 +issuer=CN=caroot +-----BEGIN CERTIFICATE----- +MIIDSzCCAjOgAwIBAgIUVhvehT8q1VP+m37T/qOQiTEYDukwDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2Fyb290MCAXDTI1MTEyNTE3NTUwNFoYDzIwNTMwNDEx +MTc1NTA0WjBJMQkwBwYDVQQGEwAxCTAHBgNVBAgTADEJMAcGA1UEBxMAMQkwBwYD +VQQKEwAxCTAHBgNVBAsTADEQMA4GA1UEAxMHY2xpZW50MjCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAKf9BTW43p3ii/W4mNEfSGq1inIyxgnCom99NrW0 +3QW1tWdzOmbXlxYPV/fKCPuNlponJyPekaD0nk8lHHd0XTaf+22HZoIlhM3bj/fR +Nv3ltJdxARHeBMXbT2y5sHV9xE5xvzoLjefOG6BZ+r/hf5+lLYsc5b+2yTY3tlkf +QgqXOO3zvMxMN5QyHKqjgtE4GvCQwcIZBZ09rNRxTdZ+CtCtrJF34ZwH0y/KytB+ +1HBxh6Y5pmSGS2tlT4zhpwjALTbo4/iZ39zl+phxOdNHDmSs0RE3PbqPXTk8DHAS +faWOqNsi5Oh/bliN5mMyHq+m5v2dAAfO+PF1wYmWBoxcZlUCAwEAAaNhMF8wHQYD +VR0RBBYwFIIHY2xpZW50MoIJbG9jYWxob3N0MB0GA1UdDgQWBBQK4ppiu5jPt14n +pXwjnt5Nbp/x4zAfBgNVHSMEGDAWgBRT0wgXL6D9sWYZtI4TrEv1V1sQ6jANBgkq +hkiG9w0BAQsFAAOCAQEAibGMDw1MP0plC4d3B7S5Auj7T1vx3pCX46v/R1mCzg1X +0aC/LuWIcxxLegBYhqF4m/4onBkeGt1tZuuVqWBEAJ/RUTaTuVjvPR3dYeOAteE6 +jVPfWNh2smNJ2CKTsM3/sIzt7jqujVZt1rCZs5M88qvHzorKv+BCzXb8onbcj/P3 +qVibud9Bl5t3aKQKviA7sepVdIdLIFnqcm80uhvhJau7fLhL4r+wvRo1wBRHz5IY +4KL4fKpPetUyLJexDXuK60NGBByWtO9WxKOZOgDK+qtvmwqK7C467dSBHT3QOKLc +hb0mhiATcDiQ+d9+OIbJvQ2bJHEAIMfXPWIAEdgEfA== +-----END CERTIFICATE----- +Bag Attributes: +subject=CN=caroot +issuer=CN=caroot +-----BEGIN CERTIFICATE----- +MIIC0TCCAbmgAwIBAgIUIZuT3ZRi/rg5tp/nJdJfMX7LqFswDQYJKoZIhvcNAQEL +BQAwETEPMA0GA1UEAwwGY2Fyb290MB4XDTI1MTEyNTE3NTQ1OFoXDTI1MTIyNTE3 +NTQ1OFowETEPMA0GA1UEAwwGY2Fyb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEArvN1tXJiIvX6EOcOdHsKbsec3vg1u18JrvWkLV5ApF6I230x+vp3 +HP/4C4yxCjhR/1QrZVaYeaMPpm2T1Q21XxZBacl4SStQRbfho0vhZTNrQPN1SQKD +ICU8xjRe3+Nwtt1CEdbOP3NaEAZt7nUf4qViX/xUJzTj0POZ+dwImWf3WaDkmzL9 +94G7beei2OjWsLPZgXaVglNRAT8cyY5zXgY1gltSrjD1M/qJ7qGCufpCo3WbGIgN 
+nfROpDMqNUrjTJxWSpEE/xvFOwWa4yOwP8hy+7ZooTUy3UFds4HG7PVjgPF9Hg3N +4cDKFhg79ddyx/so6b80QiptxWoaPvcQ4QIDAQABoyEwHzAdBgNVHQ4EFgQUU9MI +Fy+g/bFmGbSOE6xL9VdbEOowDQYJKoZIhvcNAQELBQADggEBAJk4i0pcLTxBrInr +NVdDMwYK0ssIJ4TTicMosdsKYzT77UluJ23MklSMmv7Spl1rbC3zw252oH/hf0hS +FHN1z4Xfpi1DMPGLhWfMGQsPkYj+hIiXJoygfsUWjEpu1oR/kbycpjQDUaWMYvbs +mQYK6mBWa29qseXu5fvc9Q3PAJU3ZQrFjdk4QoJrJ3kw4Qskt+zGIx70iN7RyTQZ +WjAtEvLZlB+ZSNt54v3udcIsVm2yVEcHRB+1rnpufqVAZqIOmLmRQEUdPMFmmbTC +G/P/LmYrmWNUBblFpDNbgwAst1cpUQl+OrL11jOMCJvN94xaO/7p+nGgcNUswXU3 +ACnLv1g= +-----END CERTIFICATE----- diff --git a/tests/fixtures/ssl/fips_testing/client2.intermediate.key b/tests/fixtures/ssl/fips_testing/client2.intermediate.key new file mode 100644 index 000000000..c5a9b830c --- /dev/null +++ b/tests/fixtures/ssl/fips_testing/client2.intermediate.key 
@@ -0,0 +1,34 @@ +Bag Attributes + friendlyName: client2 + localKeyID: 26 88 82 5A 6E 8F 23 CB 4A 44 A6 28 DB BD 9C B8 9F 0C 8E EF +Key Attributes: +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQKX8XhLoOOxCA7lYK +JdbxUQICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI2UYkSOMbRasEggTI +8lqX14Issa6pl4VetvSYUeL4a8KnyXHSV6g12qlw/ojL4yh9lKF6qmMlpHO4Glrz +mYGUIaLAqChmxbwuQpUY77y32dN1/rcNmY1bG0qggsWwOgCale1SG59aCUbvX9BJ +fbm/OrrGj6pusI/1umryQckhheiB65aiLngFLYf+1oEKOgGMNf17Qei2QDErBoq+ +Opt6yXnp2oavlo7SPRX0uYishfoQSqpnLYpzcWlfGZAVY81lsEKSQjRECp42Cpah +A4IhhdteaeMNhqiz0rW5dK8LCwZZmaGBKxYUroOjbEnRslWA2F480DibLCl7V4Dn +B9+AAkkJjpTCuMQTeoxwWcQMxzHHktGmb6/YGoOr90SRLnt5Hnl4LjGVdLTFhsF9 +vSC481SFSjS3QaoLxnv9dRSyzhDDhO78w+4+TGAMfIUI10HnE0XCsp3twV35XdFR +l7pIuKLJ7oCQ/BUaoHJHFuw6vVlrEbgu/DAQZ66fAMo8u/oHDd4mBSv0Zh+2mjH6 +/sOo+lPVCKYKBj7JHhFW0AnuCRTrF7WF4foEZwZ3xabR55gD4hcHwuBpY1S5mrg2 +Cu8okYv33fPoOktAkM9IHkD4vUnZnfi1rm8pGVHCI3mcbzSpSBQHOaK9PLCfXKZq +Of5ajglJyWtk4+1gBhUX6anLepcCmGdnbdfKtROCBvcm4g87IdP9tQLLx2zHfQSf ++Z5feBrvrV/mB3DFUCkMIKxe6gKyXsCIA1bFKJsBitY2Zk9Wwe54bXmPGE5SviJh +tPRrOAia6wMe1hiYp80islvkL08Gml5Wqu52IgtMn5NjCNk6S/eWRqpYMKBZ02rA +3vIK/JsgUhZsZZV9YGZlrZ6fgwSnYFZjA8yH0yc9d8TlqmRqtEb2fJdg4sANLxCo +abJo6FfNX+kPO/6fp5MORjNhzpClmK8WXeJ133w/UFZquZkS8kemaQvHfw/z9eeS +kbJYPdKLijEtLIT0UTdmCwjli54GF398t7qpGud84bYAQe/naDifyuRYutC/R5wr +JKBoXJwQIJZg39xTDby/ObIXCibYUqzxFVt0nZLhKBouAEk362J7IOxmWIacXTaD +qAm4V/cU4R1hg5oXYn5x8Hxdk3pIW58PqBQZO7wxg1zGw4pSTzIkqKgU1eH6sPdM +Zu7T9zS5cNRntLy+A8NplR2tvft16MXArQQAyvVLvBQ/U/sHcO9BjsgV5BopYl7B +powXSKSvb+NsGSjHNUgj+Frr5DB7ifapJUNMhQI5AZadEx6cL5jHnhiHb2qP+4rH +eOxNFlM/EbeOtCsy6uSojuRbSycTwWvJ6Y0uhmSSj19i3Lp3KLaG0PkWoSK7IKlr +Mhr31vA4jl71hFKdPQQHrNQa4hOhk+otPj1+1t8tUU6gSDuK8imsSGoJESajTf1Q +Cf6gVJMCyZFW298O8zNrof8/2mGW8wG1Gm+xUAyNkktR/HZeu4Lhrx8sfxIUl5D1 +iT88onoND57MB+/fHBgnwpuqvmFZy6hlJfFc+nNnII6eV+hRJdz6ddJJ0h1fc/+c +lbJewG/EyhdGD+Kom6nAnaP0JTgKHr092iZFNx9UsuPnBK5mZiiD/pCZ0hmkq1kF 
+tdl5UUXLa0PDpBhn6WnopdRnQch8osJC
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/fixtures/ssl/fips_testing/client2.key b/tests/fixtures/ssl/fips_testing/client2.key
new file mode 100644
index 000000000..ff025ae7d
--- /dev/null
+++ b/tests/fixtures/ssl/fips_testing/client2.key
@@ -0,0 +1,34 @@ +Bag Attributes + friendlyName: client2 + localKeyID: 03 D1 53 C3 1C C5 9C 05 C8 62 44 FF F8 CA A4 20 00 95 DE B5 +Key Attributes: +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQGESZU3kCj6hqn0uu +v66y2QICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQId+Jfp7qDjWEEggTI +QohK5ooTxQv2mO2IHbnJhGkuQqkObhAwAwXZCLgd74exzm9SJ6lN8LbdPutFxTnu +CCbxyfYRc8VzNBP41Ey+Zt/G8AAf8+eL5NXWS7+6kMatpnann489Je43N3DB3U6g +CBdOwU/lUwH9g7pDqyQbX3lSrqJLv62izv1zo9om1i9cYnK8hxgrl55gkQxuWnwk +yEkUkTIcpLZ9uqbmRKdu6xgTqqESODbImDaoFA8OYHIzdEk7Y3Yr0YUGB0zOgRn3 +99cxbsXFLJk+vsbhcF9SEDUUPR2I6YtfI5AQ7oq97x53rdVplaCk6g+4qTAjpAT5 +S+PFSgVvxTQRUkm7DtU4SC5mnCqAqPMX4zAObQe9CUBddkAo5CRPo0CH+xxRo051 +ZuIFn1mqsHRYy3pVFopgq46yCOkhO24X/TFtUiHcb4apgQE4hTrKQe75A/tJLcGv +VoZ5QnLK10eOcFoA5MS3ycX0bEsDPO3hNlgrnBUMwdftAcv8qdz8NJ8ZeFAYyy34 +F7ethL8Wuqrf/AWaM4gtZGHXt+KU56j7YFnF86VClytRQktzL5f3EkU2H3F3Vg3L +KP4f1Xp+fr+Tt4xzdTgk9JnbZWr5OeXoFK9GoNt6kTtUqwb32012RWVr7c04JUCt ++DcyADFr/jaQLsOQAnr0P7pIwOTNwHOewi8O5+KHgpvGRmL8+AuYlSpHNe4/UTPo +2JbX5Md298kfTG8XIQcPgwabiuAI0M5fB19r9tEeIpq7hFFA/lmnE8VbfnvUR99r +xD2PDtEPOzt79iWJzFFxRdYNyIo8qwjQNFEhwNoPBUt3+N0PCFuFBnz5BxGAI7V8 +Rlr6aXuMqj/i4jvgUYjb48kwCvWSfoz6Wq96Uq0S3fKzUXhft+6BwU8MH7zGSMxx +aqr/ddLTtJTOQR0AedPE9NcVC3FM+US/7fpH4KHg4+XbIIliIT6QPnKkhLq1vTyj +0fmeF68qsjGHiKHQdK58mFngM0DgNjh36MONfHrhxsXW1BYj6IPixjQgQKaHCqLL +0rMyZAxiG64wCaX3yeSvK/5L9JzW+fR2ikVipMDgWMho8sIEsey+nFQuggUYW+fk +L8XAS+t/HyyC7/iFdDRIbJ/G8PjM7ML0EGnTxxTXpXaglHRYI0xIL3he8j4ZolRz +gI1v0/EHdNcZr3A5TTvalHBGCVhtLoA4Jj64uCe8ti6wIUDdb6dd7p+2GfROmsb7 +6djzGdkqg2ittkinF4lCF95APMNdfNpEi2UzjL3jtplxyxC5ZD3+A4QEn1jKz6bQ +X3pHWChpaPH5UsxJouLUvQI4X7SO0Vp7Siejjlqe7jlSZIswGGzqSz3YBmI6r8O0 +3t6/ZjzeweGWsSd6lECmCrN7b26vdtFRBLoSm5QJCk+bbb/+DLiYnGu0DG272oE+ +Ay6Ewsnn988TDwqjHI65jfaxlBkNjJV+luQnwPR/Q3Yejun3ZboH5Gjf3BRM0/mT +iJcp2xF/lYWHrM1OneV1amz0vkpoFb907CCSr+/mWnTjmjWSp6nFrkY06nhq2o/X +/jDqDZ+IECj4xmlD3u7JmTLaGwLbIGU9BE5w5q7MOHziXcZwmiCbdEyqiCfNhMn5 
+2QGkrZV1fnql08m87vCHYNjkDnGT5h//
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/tests/fixtures/ssl/fips_testing/create_keys.sh b/tests/fixtures/ssl/fips_testing/create_keys.sh
new file mode 100755
index 000000000..e8d8ac752
--- /dev/null
+++ b/tests/fixtures/ssl/fips_testing/create_keys.sh
@@ -0,0 +1,189 @@
+#!/bin/sh
+set -e
+CA_PASSWORD="${CA_PASSWORD:-use_strong_password_ca}"
+CA_INTERMEDIATE_PASSWORD="${CA_INTERMEDIATE_PASSWORD:-use_strong_password_intermediate_ca}"
+KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-use_strong_password_keystore}"
+TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-use_strong_password_truststore}"
+OUTPUT_FOLDER=${OUTPUT_FOLDER:-$( dirname "$0" )}
+CNS=${@:-client}
+
+cd ${OUTPUT_FOLDER}
+CA_ROOT_KEY=${CA_ROOT_KEY:-caroot.key}
+CA_ROOT_CRT=${CA_ROOT_CRT:-caroot.crt}
+CA_INTERMEDIATE_KEY=intermediate.key
+CA_INTERMEDIATE_CSR=intermediate.csr
+CA_INTERMEDIATE_CRT=intermediate.crt
+
+generate_ca_extfile() {
+echo "# $1: Generate extfile"
+cat << EOF > extfile
+[req]
+distinguished_name=dn
+[ dn ]
+CN=$1
+[ ext ]
+basicConstraints=CA:TRUE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+keyUsage = critical, cRLSign, digitalSignature, keyCertSign
+extendedKeyUsage = clientAuth
+EOF
+}
+
+generate_client_certificate_extfile() {
+local CN=$1
+echo "# $CN: Generate extfile"
+cat << EOF > extfile
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+[req_distinguished_name]
+CN = $CN
+[v3_req]
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $CN
+DNS.2 = localhost
+EOF
+}
+
+if [ ! -f $CA_ROOT_KEY -o ! -f $CA_ROOT_CRT ]; then
+ echo "# Generate CA"
+ generate_ca_extfile caroot
+ openssl req -new -x509 -config extfile -keyout $CA_ROOT_KEY \
+ -out $CA_ROOT_CRT -subj \
+ '/CN=caroot/OU=/O=/L=/ST=/C=' -passin "pass:${CA_PASSWORD}" \
+ -passout "pass:${CA_PASSWORD}"
+fi
+
+echo "# caintermediate: Generate CSR"
+openssl req -new -keyout $CA_INTERMEDIATE_KEY \
+ -out $CA_INTERMEDIATE_CSR -subj \
+ '/CN=caintermediate/OU=/O=/L=/ST=/C=' \
+ -passin "pass:${CA_INTERMEDIATE_PASSWORD}" \
+ -passout "pass:${CA_INTERMEDIATE_PASSWORD}"
+
+generate_ca_extfile caintermediate
+
+echo "# caintermediate: Sign request"
+openssl x509 -req -extfile extfile \
+-passin "pass:${CA_PASSWORD}" \
+-in "${CA_INTERMEDIATE_CSR}" \
+-CA "${CA_ROOT_CRT}" \
+-CAkey "${CA_ROOT_KEY}" \
+-days 3650 \
+-out "${CA_INTERMEDIATE_CRT}"
+
+for CN in $CNS; do
+for INTERMEDIATE in true false; do
+ INTERMEDIATE_PREFIX=""
+ if [ $INTERMEDIATE = "true" ]; then
+ INTERMEDIATE_PREFIX=".intermediate"
+ fi
+
+ KEYSTORE=${CN}.keystore${INTERMEDIATE_PREFIX}.p12
+ TRUSTSTORE=${CN}.truststore${INTERMEDIATE_PREFIX}.p12
+ CSR=${CN}${INTERMEDIATE_PREFIX}.csr
+ SIGNED_CRT=${CN}-ca-signed${INTERMEDIATE_PREFIX}.crt
+ CERTIFICATE=${CN}.certificate${INTERMEDIATE_PREFIX}.pem
+ KEY=${CN}${INTERMEDIATE_PREFIX}.key
+ # Get specific password for this CN
+ CN_KEYSTORE_PASSWORD="$(eval echo \$${CN}_KEYSTORE_PASSWORD)"
+ if [ -z "$CN_KEYSTORE_PASSWORD" ]; then
+ CN_KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}_$CN
+ fi
+
+ echo "# $CN: Generate Keystore"
+ keytool -genkey -noprompt \
+ -alias $CN \
+ -dname "CN=$CN,OU=,O=,L=,S=,C=" \
+ -ext "SAN=dns:$CN,dns:localhost" \
+ -keystore $KEYSTORE \
+ -keyalg RSA \
+ -storepass "${CN_KEYSTORE_PASSWORD}" \
+ -storetype pkcs12
+
+ echo "# $CN: Generate Truststore"
+ keytool -noprompt -keystore \
+ $TRUSTSTORE -alias caroot -import \
+ -file $CA_ROOT_CRT -storepass "${TRUSTSTORE_PASSWORD}"
+
+ echo "# $CN: Generate CSR"
+ keytool -keystore $KEYSTORE -alias $CN \
+ -certreq -file $CSR -storepass "${CN_KEYSTORE_PASSWORD}" \
+ -keypass "${CN_KEYSTORE_PASSWORD}" \
+ -ext "SAN=dns:$CN,dns:localhost"
+
+ generate_client_certificate_extfile $CN
+
+ echo "# $CN: Import root certificate"
+ keytool -noprompt -keystore $KEYSTORE \
+ -alias caroot -import -file $CA_ROOT_CRT -storepass "${CN_KEYSTORE_PASSWORD}"
+
+ if [ $INTERMEDIATE = "true" ]; then
+ echo "# $CN: Sign the certificate with the intermediate CA"
+ openssl x509 -req -CA $CA_INTERMEDIATE_CRT -CAkey $CA_INTERMEDIATE_KEY \
+ -in $CSR \
+ -out $SIGNED_CRT -days 9999 \
+ -CAcreateserial -passin "pass:${CA_INTERMEDIATE_PASSWORD}" \
+ -extensions v3_req -extfile extfile
+
+ echo "# $CN: Import intermediate CA certificate"
+ keytool -noprompt -keystore $KEYSTORE \
+ -alias caintermediate -import -file $CA_INTERMEDIATE_CRT \
+ -storepass "${CN_KEYSTORE_PASSWORD}"
+ else
+ echo "# $CN: Sign the certificate with the CA"
+ openssl x509 -req -CA $CA_ROOT_CRT -CAkey $CA_ROOT_KEY \
+ -in $CSR \
+ -out $SIGNED_CRT -days 9999 \
+ -CAcreateserial -passin "pass:${CA_PASSWORD}" \
+ -extensions v3_req -extfile extfile
+ fi
+
+ echo "# $CN: Import signed certificate"
+ keytool -noprompt -keystore $KEYSTORE -alias $CN \
+ -import -file $SIGNED_CRT -storepass "${CN_KEYSTORE_PASSWORD}" \
+ -ext "SAN=dns:$CN,dns:localhost"
+
+ # Delete imported certificates as they were only used to import the
+ # signed certificate.
+ keytool -delete -alias caroot -keystore $KEYSTORE \
+ -storepass "${CN_KEYSTORE_PASSWORD}"
+ if [ $INTERMEDIATE = "true" ]; then
+ keytool -delete -alias caintermediate -keystore $KEYSTORE \
+ -storepass "${CN_KEYSTORE_PASSWORD}"
+ fi
+
+ # Re-export keystore with 3DES encryption
+ echo "# $CN: Re-export keystore with 3DES encryption"
+ TEMP_KEYSTORE="${KEYSTORE}.tmp"
+ TEMP_PEM="${KEYSTORE}.pem"
+ mv "$KEYSTORE" "$TEMP_KEYSTORE"
+
+ # Extract certificate and key to PEM format
+ openssl pkcs12 -in "$TEMP_KEYSTORE" -out "$TEMP_PEM" \
+ -passin "pass:${CN_KEYSTORE_PASSWORD}" \
+ -passout "pass:${CN_KEYSTORE_PASSWORD}"
+
+ # Re-export to PKCS12 with 3DES encryption
+ openssl pkcs12 -export -in "$TEMP_PEM" -out "$KEYSTORE" \
+ -passin "pass:${CN_KEYSTORE_PASSWORD}" \
+ -passout "pass:${CN_KEYSTORE_PASSWORD}" \
+ -name "$CN" \
+ -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
+
+ rm "$TEMP_KEYSTORE" "$TEMP_PEM"
+
+ echo "# $CN: Export PEM certificate"
+ openssl pkcs12 -in "$KEYSTORE" -out "$CERTIFICATE" \
+ -nokeys -passin "pass:${CN_KEYSTORE_PASSWORD}"
+
+ echo "# $CN: Export PEM key with 3DES encryption"
+ openssl pkcs12 -in "$KEYSTORE" -out "$KEY" \
+ -nocerts -passin "pass:${CN_KEYSTORE_PASSWORD}" \
+ -passout "pass:${CN_KEYSTORE_PASSWORD}" \
+ -des3
+done
+done
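Review bot: The root CA is created by `openssl req -new -x509 -config extfile -keyout $CA_ROOT_KEY ...` with no `-days` argument, so it receives OpenSSL's 30-day default while the intermediate is signed for 3650 days and the leaf certificates for 9999; the committed caroot certificate (second bag in client2.certificate.pem) decodes to a validity of 2025-11-25 through 2025-12-25, so the fixture chain is already expired and can never back a positive test or a "fails for the right reason" check. Add `-days 3650 \` to that command and regenerate the fixtures. Because this script deliberately produces non-FIPS material (`-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` and `-des3`), state that at the top so the output is not reused elsewhere, e.g. `# Generates 3DES/SHA1-protected keys and keystores for NEGATIVE FIPS tests only; do not reuse for positive SSL tests.` Minor portability: `local CN=$1` is not POSIX sh, and `cd ${OUTPUT_FOLDER}` and `CNS=${@:-client}` are unquoted, so an output path containing spaces breaks the script.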