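# Common Certificate Attributes
# These feed both the openssl.cnf template (via generate_openssl_conf) and the
# -subj strings used when the root and intermediate CAs are created.
TRUST_DOMAIN_FQDN := example.com
DEFAULT_BITS := 2048
DEFAULT_MD := sha512
ORGANIZATIONAL_UNIT := example
ORGANIZATION := example
ROOT_DAYS := 3650
INTERMEDIATE_DAYS := 3650
# Leaf certs only have to outlive one test run, so they are deliberately short-lived.
LEAF_DAYS := 1

# Target platform for the build.  GOOS/GOARCH from the environment or the
# command line win; otherwise ask the toolchain.  `?=` stores the $(shell ...)
# call unexpanded (recursive flavour), which would re-run `go env` on every
# reference, so the `:=` re-assignment below pins the value after a single run.
GOOS ?= $(shell go env GOOS)
GOARCH ?= $(shell go env GOARCH)
GOOS := $(GOOS)
GOARCH := $(GOARCH)

# Template Locations
OPENSSL_TMPL := ./certs/openssl.cnf.tmpl
LAYOUT_TMPL := ./certs/layout.tmpl

# None of these targets creates a file of the same name, so mark them phony;
# otherwise a stray file, or the existing ./test directory, can make a target
# look up to date and silently skip its recipe.
.PHONY: build modules clean clean-certs clean-test-files test go-test test-sign test-record

## build: Build the in-toto CLI into ./bin/in-toto with CGO disabled
build: modules
	@mkdir -p bin
	GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=0 go build \
		-o ./bin/in-toto main.go

## modules: Tidy go.mod and go.sum before building
modules:
	@go mod tidy

## clean: Remove the binary, generated certs, test scratch files and the SPIFFE test infra
clean: clean-certs clean-test-files spiffe-infra-down
	@rm -rf ./bin

## clean-certs: Remove generated keys, certs, CA serial files and rendered openssl configs
clean-certs:
	@rm -rf ./certs/*.pem ./certs/*.srl ./certs/*.cnf

## clean-test-files: Remove scratch files left behind by the test targets
clean-test-files:
	@rm -rf ./test/tmp
	@rm -rf ./untar.link
	@rm -rf ./.srl

## test: Run the Go unit tests plus both end-to-end sign/run/verify flows
test: go-test test-verify test-spiffe-verify

## go-test: Run the Go unit tests
go-test:
	@go test ./...

## lint: Run all the linters
.PHONY: lint
lint:
	golangci-lint run ./...

# The `cd` and the command must be chained with `&&`: each recipe line runs in
# its own shell, and with `;` a failed cd would run in-toto in the repo root.
## test-sign: Sign the rendered test layout with the layout leaf key
test-sign: build generate_layout
	# Running test-sign
	cd ./test/tmp && ../../bin/in-toto sign -f ./test.layout -k ../../certs/example.com.layout.key.pem -o ./signed.layout

## test-record: Exercise record start and record stop around a fake code change
test-record: build generate_layout
	# Running record start
	cd ./test/tmp && ../../bin/in-toto record start -n write-code -c ../../certs/example.com.write-code.cert.pem -k ../../certs/example.com.write-code.key.pem -d .
	# Record running step
	cd ./test/tmp && echo goodbye > foo.py
	# Running record stop
	cd ./test/tmp && ../../bin/in-toto record stop -n write-code -c ../../certs/example.com.write-code.cert.pem -p foo.py -k ../../certs/example.com.write-code.key.pem -d .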
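# End-to-end flows.  None of these targets produce a file, so they are phony.
.PHONY: test-run test-verify test-spiffe-run test-spiffe-verify

## test-run: Run the write-code and package steps on the host with the leaf certs
test-run: build generate_layout
	# Running write code step
	@./bin/in-toto run -n write-code -c ./certs/example.com.write-code.cert.pem -k ./certs/example.com.write-code.key.pem -p ./test/tmp/foo.py -d ./test/tmp -l ./test/tmp/ -- /bin/sh -c "echo hello > ./test/tmp/foo.py"
	# Running package step
	@./bin/in-toto run -n package -c ./certs/example.com.package.cert.pem -k ./certs/example.com.package.key.pem -m ./test/tmp/foo.py -p ./test/tmp/foo.tar.gz -d ./test/tmp -l ./test/tmp/ -- tar zcvf ./test/tmp/foo.tar.gz ./test/tmp/foo.py

# `cd` and the verify call are chained with `&&` so a failed cd cannot run the
# verification against the wrong directory.
## test-verify: Verify the signed layout against the recorded link metadata
test-verify: test-sign test-run
	# Running test verify
	cd ./test/tmp && ../../bin/in-toto verify -l ./signed.layout -k ../../certs/example.com.layout.cert.pem -i ../../certs/example.com.intermediate.cert.pem -d .

# The two steps run as different uids (1000 and 1001) inside the runner
# container, presumably so the SPIRE agent issues a distinct SVID per step
# (confirm against test-infra).  `docker exec -it` allocates a TTY; on a CI
# runner without one the `-t` flag fails and has to be dropped.
## test-spiffe-run: Run the write-code and package steps inside the SPIFFE runner container
test-spiffe-run: test-spiffe-sign
	# Running write code step
	docker exec -u 1000 -w /test/tmp -it intoto-runner in-toto run --spiffe-workload-api-path unix:///run/spire/sockets/agent.sock -n write-code -p foo.py -d . -- sh -c "echo hello > foo.py"
	# Running package step
	docker exec -u 1001 -w /test/tmp -it intoto-runner in-toto run --spiffe-workload-api-path unix:///run/spire/sockets/agent.sock -n package -m foo.py -p foo.tar.gz -d . -- tar zcvf foo.tar.gz foo.py

## test-spiffe-verify: Verify the SPIFFE-signed layout inside the runner container
test-spiffe-verify: test-spiffe-sign test-spiffe-run
	# Running test verify
	docker exec -it -w /test/tmp intoto-runner /bin/in-toto verify -l ./spiffe.signed.layout -k ./layout-svid.pem -d .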
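# Layout generation, test infrastructure and the local test CA.  None of these
# targets produce a file of their own name, so they are phony.
.PHONY: test-spiffe-sign spiffe-test-generate-layout spiffe-infra-up spiffe-infra-down generate_layout root-cert intermediate_cert leaf_certs all

## test-spiffe-sign: Sign the SPIFFE test layout inside the runner container
test-spiffe-sign: build spiffe-test-generate-layout
	docker exec -it -w /test/tmp intoto-runner /bin/in-toto sign -f ./spiffe.test.layout -k ./layout-key.pem -o ./spiffe.signed.layout

# The eval/shell line below runs when the recipe is expanded, i.e. only after the
# prerequisites have produced ./bin/in-toto and the bundle; it cannot be a plain
# top-level assignment.  The inner sed doubles the backslash of every literal
# "\n" so the sequence survives the sed substitution into the template.
# The fixed `sleep 5` is a race with the runner's start-up; if this flakes,
# poll for the agent socket instead of sleeping.
## spiffe-test-generate-layout: Render the layout template with the SPIFFE root key and start the runner
spiffe-test-generate-layout: spiffe-infra-up
	# Get key layout from the root cert
	$(eval rootca := $(shell ./bin/in-toto key layout ./test/tmp/layout-bundle.pem | sed -e 's/\\n/\\\\n/g'))
	sed -e 's#{{ROOTCA}}#$(rootca)#' $(LAYOUT_TMPL) > ./test/tmp/spiffe.test.layout
	docker-compose -f ./test-infra/docker-compose.yaml up -d intoto-runner
	sleep 5 # sleep to ensure the intoto-runner is fully up and connected to spire

# ./test/tmp is made world-writable because the container steps run as uid
# 1000/1001 (see test-spiffe-run) and must write their link metadata there.
## spiffe-infra-up: Start the SPIRE test infrastructure and mint the layout cert
spiffe-infra-up: build
	@mkdir -p ./test/tmp
	@chmod 777 ./test/tmp
	./test-infra/infra-up.sh
	./test-infra/mint-cert.sh layout

## spiffe-infra-down: Tear down the SPIRE test infrastructure
spiffe-infra-down:
	./test-infra/infra-down.sh

# Same eval/shell pattern as spiffe-test-generate-layout, keyed on the local
# root cert instead of the SPIFFE bundle.
## generate_layout: Render the layout template with the local root cert key
generate_layout: build leaf_certs
	@mkdir -p ./test/tmp
	# get key layout from the root cert
	$(eval rootca := $(shell ./bin/in-toto key layout ./certs/root.cert.pem | sed -e 's/\\n/\\\\n/g'))
	sed -e 's#{{ROOTCA}}#$(rootca)#' $(LAYOUT_TMPL) > ./test/tmp/test.layout

# Local test CA.  The -subj strings separate every attribute with "/" so that
# OU and CN are distinct fields (previously "OU=<unit>CN=root" collapsed them
# into one OU and left the cert without a CN).  Key sizes are passed explicitly
# from DEFAULT_BITS instead of relying on the openssl default, which varies by
# version.  NOTE(review): keys are written with the default umask; they are
# throwaway test credentials for the example.com trust domain only.
## root-cert: Generate the self-signed root CA key and certificate
root-cert:
	# Generate root cert openssl conf file
	$(call generate_openssl_conf,root)

	# Create Root Key
	@openssl genrsa -out ./certs/root.key.pem $(DEFAULT_BITS)

	# Create Root Cert
	@openssl req -subj "/C=/ST=/L=/O=$(ORGANIZATION)/OU=$(ORGANIZATIONAL_UNIT)/CN=root" -days $(ROOT_DAYS) -x509 -new \
		-key "./certs/root.key.pem" -out "./certs/root.cert.pem" \
		-config ./certs/$(TRUST_DOMAIN_FQDN).root.openssl.cnf \
		-extensions v3-root

# -CAcreateserial writes the CA's serial file (certs/*.srl), which clean-certs removes.
## intermediate_cert: Generate the intermediate CA key and a certificate signed by the root
intermediate_cert: root-cert
	# Generate intermediate cert openssl conf file
	$(call generate_openssl_conf,intermediate)

	# Create intermediate key
	@openssl genrsa -out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem $(DEFAULT_BITS)

	# Generate intermediate CSR
	@openssl req -subj "/C=/ST=/L=/O=$(ORGANIZATION)/OU=$(ORGANIZATIONAL_UNIT)/CN=$(TRUST_DOMAIN_FQDN)" -new \
		-key ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem \
		-out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.csr.pem \
		-config ./certs/$(TRUST_DOMAIN_FQDN).intermediate.openssl.cnf \
		-extensions v3-intermediate

	# Sign Intermediate CSR Using Root Certificate
	@openssl x509 -days $(INTERMEDIATE_DAYS) -req \
		-CAcreateserial \
		-CA ./certs/root.cert.pem \
		-CAkey ./certs/root.key.pem \
		-in ./certs/$(TRUST_DOMAIN_FQDN).intermediate.csr.pem \
		-out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem \
		-extfile ./certs/$(TRUST_DOMAIN_FQDN).intermediate.openssl.cnf \
		-extensions v3-intermediate

	# Verify intermediate cert was signed by root cert
	@openssl verify -CAfile ./certs/root.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem

## leaf_certs: Generate the layout, write-code and package leaf keys and certs
leaf_certs: intermediate_cert
	$(call generate_leaf_cert,layout)
	$(call generate_leaf_cert,write-code)
	$(call generate_leaf_cert,package)

# Canned recipe: create one leaf key/cert pair named after the first argument,
# sign it with the intermediate, and check the chain against the root+intermediate
# bundle.  Used from a recipe, so every line runs in its own shell.
define generate_leaf_cert
	# Generate leaf cert openssl conf file
	$(call generate_openssl_conf,$(1))

	# Generate leaf signing key
	@openssl genrsa -out ./certs/$(TRUST_DOMAIN_FQDN).$(1).key.pem $(DEFAULT_BITS)

	# Generate leaf CSR (subject comes from the rendered openssl config)
	openssl req -new \
		-key ./certs/$(TRUST_DOMAIN_FQDN).$(1).key.pem \
		-out ./certs/$(TRUST_DOMAIN_FQDN).$(1).csr.pem \
		-config ./certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf \
		-extensions v3-leaf

	# Sign leaf CSR Using intermediate Certificate
	@openssl x509 -days $(LEAF_DAYS) -req \
		-CAcreateserial \
		-CA ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem \
		-CAkey ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem \
		-in ./certs/$(TRUST_DOMAIN_FQDN).$(1).csr.pem \
		-out ./certs/$(TRUST_DOMAIN_FQDN).$(1).cert.pem \
		-extfile ./certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf \
		-extensions v3-leaf

	# Create cert bundle for trust domain (root + intermediate, rewritten per leaf)
	cat ./certs/root.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem > ./certs/$(TRUST_DOMAIN_FQDN).bundle.cert.pem

	# Verify leaf cert chain
	@openssl verify -CAfile ./certs/$(TRUST_DOMAIN_FQDN).bundle.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).$(1).cert.pem
endef

# Canned recipe: render OPENSSL_TMPL into certs/<fqdn>.<arg>.openssl.cnf by
# substituting the {{...}} placeholders.  The misspelled {{DEFUALT_BITS}} is
# kept on purpose: it has to match the placeholder spelled in the template
# (not visible here); rename both together or the key size is never substituted.
define generate_openssl_conf
	@sed -e 's/{{TRUST_DOMAIN_FQDN}}/$(TRUST_DOMAIN_FQDN)/' \
		-e 's/{{ORGANIZATIONAL_UNIT}}/$(ORGANIZATIONAL_UNIT)/' \
		-e 's/{{ORGANIZATION}}/$(ORGANIZATION)/' \
		-e 's/{{DEFUALT_BITS}}/$(DEFAULT_BITS)/' \
		-e 's/{{DEFAULT_MD}}/$(DEFAULT_MD)/' \
		-e 's/{{SPIFFE_PATH}}/$(1)/' $(OPENSSL_TMPL) > certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf
endef

# `help` lists every "## target: description" line in this file; keep the
# descriptions free of ":" since column splits on it.
.PHONY: help
all: help
## help: Show this help
help: Makefile
	@echo
	@echo " Choose a command run in in-toto-golang:"
	@echo
	@sed -n 's/^##//p' $< | column -t -s ':' | sed -e 's/^/ /'
	@echo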