From 3583399f4e7ad6e66d5e210f049d01bda85f605c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Budai?=
Date: Mon, 2 Nov 2020 13:37:22 +0100
Subject: [PATCH] test/koji: use the same X.509 generation logic as for other purposes

There's no reason to have 2 CAs and 2 places where we generate certificates, this commit merges them together.
---
 test/cases/koji.sh | 8 ++++----
 tools/provision.sh | 13 +++++++++++++
 tools/run-koji-container.sh | 8 +++-----
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/test/cases/koji.sh b/test/cases/koji.sh
index d53127d25..60b1527ed 100755
--- a/test/cases/koji.sh
+++ b/test/cases/koji.sh
@@ -46,10 +46,10 @@ sudo cp \
 "${OSBUILD_COMPOSER_TEST_DATA}"/kerberos/krb5-local.conf \
 /etc/krb5.conf.d/local
-greenprint "Adding generated CA cert for Koji"
+greenprint "Adding the testsuite's CA cert to the system trust store"
 sudo cp \
- /tmp/osbuild-composer-koji-test/ca-crt.pem \
- /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+ /etc/osbuild-composer/ca-crt.pem \
+ /etc/pki/ca-trust/source/anchors/osbuild-composer-tests-ca-crt.pem
 sudo update-ca-trust
 greenprint "Restarting composer to pick up new config"
@@ -77,5 +77,5 @@ sudo /usr/libexec/osbuild-composer-test/run-koji-container.sh stop
 greenprint "Removing generated CA cert"
 sudo rm \
- /etc/pki/ca-trust/source/anchors/koji-ca-crt.pem
+ /etc/pki/ca-trust/source/anchors/osbuild-composer-tests-ca-crt.pem
 sudo update-ca-trust
diff --git a/tools/provision.sh b/tools/provision.sh
index d5d273849..e0c4cfd1e 100755
--- a/tools/provision.sh
+++ b/tools/provision.sh
@@ -80,6 +80,19 @@ pushd $CADIR
 # Client keys are used by tests to access the composer APIs. Allow all users access.
 sudo chmod 644 "$CERTDIR"/client-key.pem
+ # Generate a kojihub certificate.
+ sudo openssl req -config $OPENSSL_CONFIG \
+ -keyout "$CERTDIR"/kojihub-key.pem \
+ -new -nodes \
+ -out /tmp/kojihub-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ sudo openssl ca -batch -config $OPENSSL_CONFIG \
+ -extensions osbuild_server_ext \
+ -in /tmp/kojihub-csr.pem \
+ -out "$CERTDIR"/kojihub-crt.pem
+
 popd
 sudo systemctl start osbuild-remote-worker.socket
diff --git a/tools/run-koji-container.sh b/tools/run-koji-container.sh
index 99407f3db..d98836bb2 100755
--- a/tools/run-koji-container.sh
+++ b/tools/run-koji-container.sh
@@ -47,11 +47,9 @@ koji_start() {
 # create a share directory which is used to share files between the host and containers
 mkdir "${SHARE_DIR}"
- # generate self-signed certificates in the share directory
- openssl req -new -nodes -x509 -days 365 -keyout "${SHARE_DIR}/ca-key.pem" -out "${SHARE_DIR}/ca-crt.pem" -subj "/CN=osbuild.org"
- openssl genrsa -out "${SHARE_DIR}/key.pem" 2048
- openssl req -new -sha256 -key "${SHARE_DIR}/key.pem" -out "${SHARE_DIR}/csr.pem" -subj "/CN=localhost"
- openssl x509 -req -in "${SHARE_DIR}/csr.pem" -CA "${SHARE_DIR}/ca-crt.pem" -CAkey "${SHARE_DIR}/ca-key.pem" -CAcreateserial -out "${SHARE_DIR}/crt.pem"
+ cp /etc/osbuild-composer/kojihub-key.pem "${SHARE_DIR}/key.pem"
+ cp /etc/osbuild-composer/kojihub-crt.pem "${SHARE_DIR}/crt.pem"
+ cp /etc/osbuild-composer/ca-crt.pem "${SHARE_DIR}/ca-crt.pem"
 ${CONTAINER_RUNTIME} network create org.osbuild.koji
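Review bot: The CSR is written by root to the fixed path `/tmp/kojihub-csr.pem` in both added `openssl` calls of the tools/provision.sh hunk, so a predictable name in a world-writable directory is opened under sudo, and the file is never removed afterwards. Keeping it next to the other CA material avoids that, e.g. `-out "$CADIR"/kojihub-csr.pem \` in the `req` call and `-in "$CADIR"/kojihub-csr.pem \` in the `ca` call, assuming `$CADIR` is not writable by other users (its setup is outside the hunk). `$OPENSSL_CONFIG` is also expanded unquoted in both calls; `-config "$OPENSSL_CONFIG"` keeps a path containing spaces intact. Because `kojihub-key.pem` is written with `-nodes`, its file mode is the only protection, and the hunk does not set one explicitly.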
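Review bot: The first added `cp` in the tools/run-koji-container.sh hunk places the kojihub private key in `${SHARE_DIR}` with whatever mode the umask yields, which is typically world-readable; judging by the path removed from test/cases/koji.sh in this patch, the share directory appears to live under `/tmp`. An explicit mode makes the intent visible, e.g. `install -m 0600 /etc/osbuild-composer/kojihub-key.pem "${SHARE_DIR}/key.pem"`, with ownership adjusted if the container user has to read the file. A short comment above the three copies, such as `# certificates are generated by tools/provision.sh; run it first`, would also help, since `cp` now fails where the old code generated its own certificates. The body of `koji_start` continues outside the hunk.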