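#!/bin/sh

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Generates the TLS fixtures used by the SDS ingress integration tests:
# two independent self-signed roots (rootA, rootB), one client and one
# server leaf certificate signed by each, and two CRLs issued by rootA:
#   rootA.crl  - revokes clientA.crt
#   dummyA.crl - revokes clientA1.crt, a certificate no test presents
# All files are written next to this script.

# Stop at the first failed step (and on any unset variable): without this,
# a failed key or CSR generation is silently followed by signing a missing
# CSR and issuing a CRL that does not match the certificates on disk.
set -eu

WD=$(dirname "$0")
WD=$(cd "$WD" && pwd)
# openssl ca keeps its certificate database here; it must exist before
# the first -revoke call below.
touch "${WD}/index.txt"

#######################################
# Write the openssl req/x509 config shared by all leaf certificates:
# a non-CA cert with client+server EKU and a wildcard SAN.
# Arguments: $1 - path of the config file to create
#######################################
write_leaf_conf() {
  cat > "$1" <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = *.example.com
EOF
}

# client.conf and server.conf are intentionally identical; both names are
# kept because the fixtures are referenced by file name elsewhere.
write_leaf_conf "${WD}/client.conf"
write_leaf_conf "${WD}/server.conf"

# CA config used only for issuing CRLs from rootA.
cat > "${WD}/crlA.conf" <<EOF
[ ca ]
default_ca = CA_default            # The default ca section

[ CA_default ]
dir = "${WD}"                      # Where everything is kept
database = "${WD}/index.txt"       # database index file.
certificate = "${WD}/rootA.crt"    # The CA certificate
private_key = "${WD}/rootA.key"    # The private key

# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext

default_md = sha256                # use SHA-256 by default
default_crl_days= 3650             # how long before next CRL

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
authorityKeyIdentifier=keyid:always
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS = *.example.com
EOF

#######################################
# Create a self-signed root (RSA-4096, SHA-256, 10 years, unencrypted key).
# Arguments: $1 - name prefix; writes ${WD}/$1.crt and ${WD}/$1.key
#######################################
new_root() {
  openssl req -new -newkey rsa:4096 -x509 -sha256 \
    -days 3650 -nodes -out "${WD}/$1.crt" -keyout "${WD}/$1.key" \
    -subj "/C=US/ST=Denial/L=Ether/O=Dis/CN=*.example.com" \
    -addext "subjectAltName = DNS:*.example.com"
}

#######################################
# Issue a leaf certificate (RSA-2048, 10 years) signed by one of the roots.
# Arguments: $1 - name prefix; writes ${WD}/$1.key, $1.csr and $1.crt
#            $2 - root name prefix; reads ${WD}/$2.crt and $2.key
#            $3 - serial number. Must be unique per issuing root: a CRL
#                 identifies revoked certificates by serial only, so two
#                 certificates sharing a serial are revoked together.
#            $4 - req config supplying the v3_req extensions
#######################################
issue_leaf() {
  openssl genrsa -out "${WD}/$1.key" 2048
  openssl req -new -key "${WD}/$1.key" -out "${WD}/$1.csr" \
    -subj "/CN=*.example.com" -config "$4"
  openssl x509 -req -days 3650 -CA "${WD}/$2.crt" -CAkey "${WD}/$2.key" \
    -set_serial "$3" -in "${WD}/$1.csr" -out "${WD}/$1.crt" \
    -extensions v3_req -extfile "$4"
}

# Root A: serial 0 is revoked in rootA.crl and serial 1 in dummyA.crl
# (see below), so the server certificate gets a serial of its own instead
# of sharing 0 with clientA.crt, which would list it as revoked too.
new_root rootA
issue_leaf clientA rootA 0 "${WD}/client.conf"
issue_leaf serverA rootA 2 "${WD}/server.conf"

# Root B: no CRL is issued, but serials are still kept distinct.
new_root rootB
issue_leaf clientB rootB 0 "${WD}/client.conf"
issue_leaf serverB rootB 2 "${WD}/server.conf"

# revoke one of the client certificates for CRL testing purpose
openssl ca -config "${WD}/crlA.conf" -revoke "${WD}/clientA.crt"
openssl ca -gencrl -out "${WD}/rootA.crl" -config "${WD}/crlA.conf"

# remove the database entry for the previous revoked certificate, so that
# we can generate a new dummy CRL entry for an unused client cert, to be
# used for integration tests
: > "${WD}/index.txt"
issue_leaf clientA1 rootA 1 "${WD}/client.conf"

openssl ca -config "${WD}/crlA.conf" -revoke "${WD}/clientA1.crt"
openssl ca -gencrl -out "${WD}/dummyA.crl" -config "${WD}/crlA.conf"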