Merge pull request #1215 from t-woerner/fix_ca_less_to_use_X.509_v3

Fix ca-less test to use X.509 v3 certificates
freeipa · Mar 11, 2024 · 216a5d4 · 216a5d4
2 parents ce05b5e + b92da82
commit 216a5d4
Show file tree

Hide file tree

Showing 5 changed files with 151 additions and 124 deletions.
diff --git a/tests/ca-less/certificates/extensions.conf b/tests/ca-less/certificates/extensions.conf
@@ -0,0 +1,7 @@
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+authorityKeyIdentifier = keyid,issuer
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${ENV::HOST_FQDN}
diff --git a/tests/ca-less/certificates/pkinit-extensions.conf b/tests/ca-less/certificates/pkinit-extensions.conf
@@ -0,0 +1,19 @@
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage = 1.3.6.1.5.2.3.5
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+issuerAltName = issuer:copy
+subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm = EXP:0,GeneralString:${ENV::REALM_NAME}
+principal_name = EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type = EXP:0,INTEGER:1
+name_string = EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1 = GeneralString:krbtgt
+princ2 = GeneralString:${ENV::REALM_NAME}
diff --git a/tests/ca-less/certificates/pkinit/extensions.conf b/tests/ca-less/certificates/pkinit/extensions.conf
diff --git a/tests/ca-less/clean_up_certificates.yml b/tests/ca-less/clean_up_certificates.yml
@@ -7,9 +7,6 @@
   - name: Run generate-certificates.sh
     ansible.builtin.command: >
       /bin/bash
-      generate-certificates.sh delete "{{ item }}"
+      generate-certificates.sh cleanup
     args:
       chdir: "{{ playbook_dir }}"
-    with_items:
-      - "{{ groups.ipaserver[0] }}"
-      - "{{ groups.ipareplicas[0] }}"
diff --git a/tests/ca-less/generate-certificates.sh b/tests/ca-less/generate-certificates.sh
@@ -1,153 +1,177 @@
 #!/usr/bin/env bash
 
-ROOT_CA_DIR="certificates/root-ca"
-DIRSRV_CERTS_DIR="certificates/dirsrv"
-HTTPD_CERTS_DIR="certificates/httpd"
-PKINIT_CERTS_DIR="certificates/pkinit"
+CERTIFICATES="certificates"
+ROOT_CA_DIR="${CERTIFICATES}/root-ca"
+DIRSRV_CERTS_DIR="${CERTIFICATES}/dirsrv"
+HTTPD_CERTS_DIR="${CERTIFICATES}/httpd"
+PKINIT_CERTS_DIR="${CERTIFICATES}/pkinit"
+EXTENSIONS_CONF="${CERTIFICATES}/extensions.conf"
+PKINIT_EXTENSIONS_CONF="${CERTIFICATES}/pkinit-extensions.conf"
 PKCS12_PASSWORD="SomePKCS12password"
 
-# generate_ipa_pkcs12_certificate \
-#    $cert_name $ipa_fqdn $certs_dir $root_ca_cert $root_ca_private_key extensions_file extensions_name
-function generate_ipa_pkcs12_certificate {
+# create_ca \
+#    $domain_name
+function create_ca {
 
-    cert_name=$1
-    ipa_fqdn=$2
-    certs_dir=$3
-    root_ca_cert=$4
-    root_ca_private_key=$5
-    extensions_file=$6
-    extensions_name=$7
-
-    # Generate CSR and private key
-    openssl req -new -newkey rsa:4096 -nodes \
-        -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${ipa_fqdn}" \
-        -keyout "${certs_dir}/private.key" \
-        -out "${certs_dir}/request.csr"
-
-    # Sign CSR to generate PEM certificate
-    if [ -z "${extensions_file}" ]; then
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${root_ca_cert}" \
-            -CAkey "${root_ca_private_key}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
-    else
-        openssl x509 -req -days 365 -sha256 \
-            -CAcreateserial \
-            -CA "${ROOT_CA_DIR}/cert.pem" \
-            -CAkey "${ROOT_CA_DIR}/private.key" \
-            -extfile "${extensions_file}" \
-            -extensions "${extensions_name}" \
-            -in "${certs_dir}/request.csr" \
-            -out "${certs_dir}/cert.pem"
+    domain_name=$1
+    if [ -z "${domain_name}" ]; then
+        echo "ERROR: domain is not set"
+        echo
+        echo "usage: $0 ca <domain>"
+        exit 0;
     fi
+    realm=${domain_name^^}
+
+    export REALM_NAME=${realm}
+
+    # Create certificates folder structure
+    mkdir -p "${ROOT_CA_DIR}"
+
+    # Create root CA
+    if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
+        # create aes encrypted private key
+        openssl genrsa -out "${ROOT_CA_DIR}/private.key" 4096
+
+        # create certificate, 1826 days = 5 years
+        openssl req -x509 -new -nodes -sha256 -days 1826 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=Test Root CA" \
+                -key "${ROOT_CA_DIR}/private.key" \
+                -out "${ROOT_CA_DIR}/cert.pem"
+    fi
+}
+
+# create_host_pkcs12_certificate \
+#    $cert_name $certs_dir $root_ca_cert $extensions_file
+function create_host_pkcs12_certificate {
+
+    cert_name=$1
+    certs_dir=$2
+    root_ca_cert=$3
+    extensions_file=$4
+
+    # Create CSR and private key
+    openssl req -new -nodes -newkey rsa:4096 \
+                -subj "/C=US/ST=Test/L=Testing/O=Default/CN=${cert_name}" \
+                -keyout "${certs_dir}/private.key" \
+                -out "${certs_dir}/request.csr"
+
+    # Sign CSR to create PEM certificate
+    openssl x509 -req -days 1460 -sha256 -CAcreateserial \
+                -CAkey "${ROOT_CA_DIR}/private.key" \
+                -CA "${root_ca_cert}" \
+                -in "${certs_dir}/request.csr" \
+                -out "${certs_dir}/cert.pem" \
+                -extfile "${extensions_file}"
 
     # Convert certificate to PKCS12 format
     openssl pkcs12 -export \
-        -name "${cert_name}" \
-        -certfile "${root_ca_cert}" \
-        -in "${certs_dir}/cert.pem" \
-        -inkey "${certs_dir}/private.key" \
-        -passout "pass:${PKCS12_PASSWORD}" \
-        -out "${certs_dir}/cert.p12"
+            -name "${cert_name}" \
+            -certfile "${root_ca_cert}" \
+            -passout "pass:${PKCS12_PASSWORD}" \
+            -inkey "${certs_dir}/private.key" \
+            -in "${certs_dir}/cert.pem" \
+            -out "${certs_dir}/cert.p12"
 }
 
-# generate_ipa_pkcs12_certificates $ipa_fqdn $ipa_domain
-function generate_ipa_pkcs12_certificates {
+# create_ipa_pkcs12_certificates \
+#    $host_fqdn $domain_name
+function create_host_certificates {
 
-    host=$1
-    if [ -z "$host" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
+    host_fqdn=$1
+    if [ -z "${host_fqdn}" ]; then
+        echo "ERROR: host-fqdn is not set"
         echo
-        echo "usage: $0 create ipa-host-fqdn domain"
+        echo "usage: $0 create <host-fqdn> [<domain>]"
         exit 0;
     fi
 
-    domain=$2
-    if [ -z "$domain" ]; then
-        echo "ERROR: domain is not set"
+    domain_name=$2
+    [ -z "${domain_name}" ] && domain_name=${host_fqdn#*.*}
+    if [ -z "${domain_name}" ]; then
+        echo "ERROR: domain is not set and can not be created from host fqdn"
         echo
-        echo "usage: $0 create ipa-host-fqdn domain"
+        echo "usage: $0 create <host-fqdn> [<domain>]"
         exit 0;
     fi
+    realm=${domain_name^^}
 
-    # Generate certificates folder structure
-    mkdir -p "${ROOT_CA_DIR}"
-    mkdir -p "${DIRSRV_CERTS_DIR}/$host"
-    mkdir -p "${HTTPD_CERTS_DIR}/$host"
-    mkdir -p "${PKINIT_CERTS_DIR}/$host"
+    export HOST_FQDN=${host_fqdn}
+    export REALM_NAME=${realm}
 
-    # Generate root CA
     if [ ! -f "${ROOT_CA_DIR}/private.key" ]; then
-        openssl genrsa \
-                -out "${ROOT_CA_DIR}/private.key" 4096
-
-        openssl req -new -x509 -sha256 -nodes -days 3650 \
-                -subj "/C=US/ST=Test/L=Testing/O=Default" \
-                -key "${ROOT_CA_DIR}/private.key" \
-                -out "${ROOT_CA_DIR}/cert.pem"
+        create_ca "${domain_name}"
     fi
 
-    # Generate a certificate for the Directory Server
-    if [ ! -f "${DIRSRV_CERTS_DIR}/$host/cert.pem" ]; then
-        generate_ipa_pkcs12_certificate \
+    # Create certificates folder structure
+    mkdir -p "${DIRSRV_CERTS_DIR}/${host_fqdn}"
+    mkdir -p "${HTTPD_CERTS_DIR}/${host_fqdn}"
+    mkdir -p "${PKINIT_CERTS_DIR}/${host_fqdn}"
+
+    # Create a certificate for the Directory Server
+    if [ ! -f "${DIRSRV_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
             "dirsrv-cert" \
-            "$host" \
-            "${DIRSRV_CERTS_DIR}/$host" \
+            "${DIRSRV_CERTS_DIR}/${host_fqdn}" \
             "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
+            "${EXTENSIONS_CONF}"
     fi
 
-    # Generate a certificate for the Apache server
-    if [ ! -f "${HTTPD_CERTS_DIR}/$host/cert.pem" ]; then
-        generate_ipa_pkcs12_certificate \
+    # Create a certificate for the Apache server
+    if [ ! -f "${HTTPD_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
             "httpd-cert" \
-            "$host" \
-            "${HTTPD_CERTS_DIR}/$host" \
+            "${HTTPD_CERTS_DIR}/${host_fqdn}" \
             "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key"
+            "${EXTENSIONS_CONF}"
     fi
 
-    # Generate a certificate for the KDC PKINIT
-    if [ ! -f "${PKINIT_CERTS_DIR}/$host/cert.pem" ]; then
-        export REALM=${domain^^}
-
-        generate_ipa_pkcs12_certificate \
+    # Create a certificate for the KDC PKINIT
+    if [ ! -f "${PKINIT_CERTS_DIR}/${host_fqdn}/cert.pem" ]; then
+        create_host_pkcs12_certificate \
             "pkinit-cert" \
-            "$host" \
-            "${PKINIT_CERTS_DIR}/$host" \
+            "${PKINIT_CERTS_DIR}/${host_fqdn}" \
             "${ROOT_CA_DIR}/cert.pem" \
-            "${ROOT_CA_DIR}/private.key" \
-            "${PKINIT_CERTS_DIR}/extensions.conf" \
-            "kdc_cert"
+            "${PKINIT_EXTENSIONS_CONF}"
     fi
 }
 
-# delete_ipa_pkcs12_certificates $ipa_fqdn
-function delete_ipa_pkcs12_certificates {
+# delete_host_certificates \
+#     $host_fqdn
+function delete_host_certificates {
 
-    host=$1
-    if [ -z "$host" ]; then
-        echo "ERROR: ipa-host-fqdn is not set"
+    host_fqdn=$1
+    if [ -z "${host_fqdn}" ]; then
+        echo "ERROR: host-fqdn is not set"
         echo
-        echo "usage: $0 delete ipa-host-fqdn"
+        echo "usage: $0 delete <host-fqdn>"
         exit 0;
     fi
 
-    rm -f certificates/*/"$host"/*
-    rm -f "${ROOT_CA_DIR}"/*
+    rm -rf certificates/*/"${host_fqdn}"/
+}
+
+# cleanup \
+#     $host_fqdn
+function cleanup {
+
+    rm -rf certificates/*/
 }
 
 # Entrypoint
 case "$1" in
+  ca)
+    create_ca "$2"
+    ;;
   create)
-    generate_ipa_pkcs12_certificates "$2" "$3"
+    create_host_certificates "$2" "$3"
     ;;
   delete)
-    delete_ipa_pkcs12_certificates "$2"
+    delete_host_certificates "$2"
+    ;;
+  cleanup)
+    cleanup
     ;;
   *)
-    echo $"Usage: $0 {create|delete}"
+    echo $"Usage: $0 {create|delete|ca|cleanup}"
     ;;
 esac