test: generate certificates on fly instead of shipping them in the test RPM
The certificate generation is based on work by Lars Karlitski in our osbuild
CA. The server and client certs now contains Subject Alternative Name making
Python's request module and Go 1.15 happy (they deprecated certificates
without SAN).
Several reasons why we want to switch to the certificate generation:
1) The pre-generated certificates are not documented. If someone wants
to inspect them, he must know the right openssl incantation. This way,
you are able to see what's inside the certificates in a plain text.
2) The pre-generated certificates are going to expire at one point and
someone will be surprised.
3) Shipping private keys in RPMs is iffy. I know, it's just for testing but
still...
4) Auth tests are generating their own certificates. To achieve consistency,
we have two options:
a) Ship also all certificates for auth tests. That's extra 8 ones or
something like that.
b) Generate all certificates on fly. This commit does that.
5) The setup introduced by this commit is very similar to the one in our CA
making the test environment very similar to what's running in production.
tl;dr: I think this is a good step forward.
This commit is contained in:
Ondřej Budai
parent
073f9dc79a
commit
765f599753
11 changed files with 163 additions and 196 deletions
|
|
@ -191,18 +191,6 @@ install -m 0644 -vp test/data/ansible/* %{buildroot}%{_d
|
|||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/azure
|
||||
install -m 0644 -vp test/data/azure/* %{buildroot}%{_datadir}/tests/osbuild-composer/azure/
|
||||
|
||||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/ca
|
||||
install -m 0644 -vp test/data/ca/ca-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0600 -vp test/data/ca/ca-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0644 -vp test/data/ca/composer-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0600 -vp test/data/ca/composer-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0644 -vp test/data/ca/worker-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0600 -vp test/data/ca/worker-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
|
||||
# Client keys are used by tests to access the composer APIs. Allow all users access.
|
||||
install -m 0644 -vp test/data/ca/client-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
install -m 0644 -vp test/data/ca/client-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
|
||||
|
||||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/manifests
|
||||
install -m 0644 -vp test/data/manifests/* %{buildroot}%{_datadir}/tests/osbuild-composer/manifests/
|
||||
|
||||
|
|
@ -225,6 +213,9 @@ install -m 0600 -vp test/data/keyring/id_rsa %{buildroot}%{_d
|
|||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/koji
|
||||
install -m 0644 -vp test/data/koji/* %{buildroot}%{_datadir}/tests/osbuild-composer/koji/
|
||||
|
||||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/x509
|
||||
install -m 0644 -vp test/data/x509/* %{buildroot}%{_datadir}/tests/osbuild-composer/x509/
|
||||
|
||||
%if 0%{?rhel}
|
||||
install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/vendor
|
||||
install -m 0644 -vp test/data/vendor/87-podman-bridge.conflist %{buildroot}%{_datadir}/tests/osbuild-composer/vendor/
|
||||
|
|
|
|||
|
|
@ -1,19 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDDTCCAfWgAwIBAgIUVrgJCBlYNv2uMIP04BH2fOTCPr4wDQYJKoZIhvcNAQEL
|
||||
BQAwFjEUMBIGA1UEAwwLb3NidWlsZC5vcmcwHhcNMjAxMDA1MDgzODUzWhcNMjEx
|
||||
MDA1MDgzODUzWjAWMRQwEgYDVQQDDAtvc2J1aWxkLm9yZzCCASIwDQYJKoZIhvcN
|
||||
AQEBBQADggEPADCCAQoCggEBAMCii5Z8O+P3HfrYZmUVJAvQFSyxCvarpjSjopUD
|
||||
J3VCFBa601swg5vDBSnDg0CRiW8r5LHi4seaOULD3OhttabeLZ5a4ESR98Q/XjcE
|
||||
RWWOx9FdQkx1BXlpFDwbWHPTaKXhFfii35fjjmCoprCX6OVVGLfq95yfU7jj2wme
|
||||
BfQoN/Xv+yXzYr6vCVOgTdG8Hc2G639xBf0zaZsDoJH5gtfxpD7s3HRLwN/XWy1e
|
||||
800pHqdBji0Nt1Gz97K3x2HgqzmtX/cUfZN71AHEIt2DzhRjOQbfG0r/W2YztDJb
|
||||
aZ3CultmJOCwXl5dGkSSmVYjB/y104XzbVMl0Mm0arq714kCAwEAAaNTMFEwHQYD
|
||||
VR0OBBYEFFNDFT1jOr4HlFrICey0ukYdzq27MB8GA1UdIwQYMBaAFFNDFT1jOr4H
|
||||
lFrICey0ukYdzq27MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB
|
||||
AAey3ciGtbfpzRwHL+KR5SqfVfxKI/LtVU74VFxFfMnVzAuFteV/k9CEHGxbCjmZ
|
||||
nt4Z2vncLzGxJ3wnjm4GfzCCPKCfPdqD6bAwJ5tpDJyFWs0xOe2f9U5i1Yx5UHG+
|
||||
lIR1t/vlmPRkcC1lQlV+xhM/8MPJYl+0Bsjt2vjAvEbHEGifb2voJy2k1AabYwks
|
||||
sDzkfC/0EU1MeHj8tjt98xVsGezdmduZMOee/OyhQ3Z5nuqKvQoiRCUBYVxPbxLV
|
||||
bwwtECtHqs1DDMZSbc095BPMm4TuSMi1YqSiAcDQm776hff26mbeyEg0NROQ30M8
|
||||
8vu25FPz/AlY+0tb2/P7SGI=
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAoouWfDvj9x36
|
||||
2GZlFSQL0BUssQr2q6Y0o6KVAyd1QhQWutNbMIObwwUpw4NAkYlvK+Sx4uLHmjlC
|
||||
w9zobbWm3i2eWuBEkffEP143BEVljsfRXUJMdQV5aRQ8G1hz02il4RX4ot+X445g
|
||||
qKawl+jlVRi36vecn1O449sJngX0KDf17/sl82K+rwlToE3RvB3Nhut/cQX9M2mb
|
||||
A6CR+YLX8aQ+7Nx0S8Df11stXvNNKR6nQY4tDbdRs/eyt8dh4Ks5rV/3FH2Te9QB
|
||||
xCLdg84UYzkG3xtK/1tmM7QyW2mdwrpbZiTgsF5eXRpEkplWIwf8tdOF821TJdDJ
|
||||
tGq6u9eJAgMBAAECggEBAJBA6NEPRXYoFu5C4SLvGugxsbme9rvTvIoMw/Jcw06e
|
||||
5hZDX4UZJmUdPJ+SxpYypj13HDJN2k9o4Vpq++GeTnqgRH8iRHF08ZqnbXE7pJAx
|
||||
xNa2xLAmravGkZ2VSL6r4ODfVqmzpkbC5Frj0LfLel9KQ1FvBm/mLDb3go6IJKM5
|
||||
sg78bfzKWPsDqCD4Wy37xtm53av63Tvqp7K54SWQ/tlGPZDLb0uUGgc5XMilp58o
|
||||
FaUK4JY6+aH/q5SlhLkKR5TPClZZqUOqB3ccsIQUmx77MNogVi0tZJ9CPs6wGxHt
|
||||
0/9bW+zaGsnaWaAQz9UVGOndC7MwKGN09wrEky/kiRECgYEA59kvyYZEzt0t6dm3
|
||||
0t+71vMMZpqz883WkT4hWIpQdMGSTM68lFBH5EoQhryegMxZ2/9iUAl1IS7+K0CT
|
||||
57hV4JjNaHgux+sbAb2Kcr0H6GbZ05suksPrM7p9TXfCRizKSJUX8PxIaUOnIkcT
|
||||
Ek7w4uwkB8k9Ar4LbI/L+bclf3UCgYEA1LOie2LeYDDUl+Qb/DK0RrhsQssfrxZH
|
||||
McCgeSjsho5ncXumF1+dR7SE/ArgESm0Sw2mTbmKaMex13YFQeB+69RkmHE/C7w8
|
||||
L8iRLXcVkBn+AzI7K5zD3eiyZmk6zZS34Ka0DKIfW+RAgs3VqM8zCBVNCB/9Yt6a
|
||||
oaeXzD1D6UUCgYEA0PEkZeOBY0RlOlihl4NWT1LenCFTh6a7dk2d06Ni+rXwWRP/
|
||||
U1I+V/h/iE24Mq73VJKFUUgUrQEiwmwCX1P64NwUUc/tqPGydxEQEnNVCxaVvGQf
|
||||
xtiVwRqSDhydkoyPCHaFCwLxZxw3JWcUQu2tnXPezL2JJE2NEhtNYhCx1HkCgYA+
|
||||
kgV3RJNkOpkfgZQV8ZiEwVXfpD9S0zvoT+ElIzvJLXUStiwa7h6nbFw+hLh7dAg8
|
||||
l+xXKwCjaDNRzb8oLPFJULay/YVtX1dZOygx9rkaJftKV2l+n+QikISCiewpc9lP
|
||||
tdp7aOnOr2umzwROX32EoDeD710ry44zhciq5U7n/QKBgCCLEU2UMUcGSgqP4gAF
|
||||
5bg+W6vg5ivuajRPc7Kio4+DVWuppd8KZOtR8LaOUzYtCFjT90s5MEduDEbAq6bF
|
||||
CdlALFkOlF/hJU2XzmSQEy4+UysT0jwEgMGTTaFnWoIJZZsUPzLUjZUrWrsFfnpc
|
||||
WCxhsvYiBZIsGBgbKqjhfs+e
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICujCCAaICFC4RtelruuDmzcZBjnKYe8QCuenxMA0GCSqGSIb3DQEBCwUAMBYx
|
||||
FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNzIxMDUzNloXDTIwMTEwNjIx
|
||||
MDUzNlowHTEbMBkGA1UEAwwSY2xpZW50Lm9zYnVpbGQub3JnMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmIpbWfEt5soZNPUJ3FXZgeJQNvA/i4aCOP0/
|
||||
FSWD36dWqYNyeZBrTdxYBSO44158Tzo4L0ETkdoBxXww3tZhN2t79r6KMdBRCHNG
|
||||
hUY0C5uNmi+cfUvsh6jRg4VDmwk8DOiqVbLQ2rI36GyNfJy7MvDMjD3RbLfhFW7v
|
||||
SUQQnqMRDi/uu107HrCD/O/YN288yul/2EhFTds0rFYKojybKFQxz9o1eWqW31ca
|
||||
83NU5WqQUTSZ+NwnBXC/TrpNNIC6kzVgelDElL9NJU/dK++9vPkGZY5YGc44OiaG
|
||||
wA21hypC2xJpL9FLiQ9jBaN/i935oKyLsQdcqsm4DOllT4TiDwIDAQABMA0GCSqG
|
||||
SIb3DQEBCwUAA4IBAQBfJStg9ofmJJYWfgZHntkhCftwXlBVQKQKz7UTN9ZM+6Uc
|
||||
NlAg9nmkFpK8e9u1HknL4JcdyjYdKzURHMPquvaaRAeUaXeg7LmJmO62VK0HIVHe
|
||||
RtN9XdkJ3YmOC8htMBiIuObq+DMQ20mSEtMpkah812F2gno+lc60G2jYlqi9/oac
|
||||
frVWGulHjufFdkEpTcLB6tleEKgH0Qj9BZdkk4fCfXTSdWKRXx2j3yRKFjUy2bG3
|
||||
jY1Vrbc9lbQhtbvDwnQwVAdNjmdw0TPSBzDiN48vliG3WVAybhMYaxWHkmPz/SS7
|
||||
Quq7hcFfV1LPJWzC0H1GTynkT8kJyjmi81XeS7/z
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIIEogIBAAKCAQEAmIpbWfEt5soZNPUJ3FXZgeJQNvA/i4aCOP0/FSWD36dWqYNy
|
||||
eZBrTdxYBSO44158Tzo4L0ETkdoBxXww3tZhN2t79r6KMdBRCHNGhUY0C5uNmi+c
|
||||
fUvsh6jRg4VDmwk8DOiqVbLQ2rI36GyNfJy7MvDMjD3RbLfhFW7vSUQQnqMRDi/u
|
||||
u107HrCD/O/YN288yul/2EhFTds0rFYKojybKFQxz9o1eWqW31ca83NU5WqQUTSZ
|
||||
+NwnBXC/TrpNNIC6kzVgelDElL9NJU/dK++9vPkGZY5YGc44OiaGwA21hypC2xJp
|
||||
L9FLiQ9jBaN/i935oKyLsQdcqsm4DOllT4TiDwIDAQABAoIBAAgL3E+9Qh+Xb4b0
|
||||
mgWOXb/VMUgEmkWA3eOlsCssZG1qxU6ByYsSDCb6RYZX4QvVUxdWydnsQ90As/E3
|
||||
4NgQVOZ4e/yDBoUkKPIaKpEjJ+Go3epRMp8FXz+0rwCSCgPmk81WhI2qtgujNQHE
|
||||
oB3/onxIaXHIXQCwHmZkCKlDtuC3Qnh5kimTrEOeSZQYBX28UTyIScBDEH7c6FfY
|
||||
P49FnW1kEsCdEb6kr2eAbjoET8jXrNYWE8Zr9B/QDmf22mPUEJB3mYmcKUOTQabR
|
||||
WBq3vBL0xw47Jpt5U/CQfNrwe3AyyqN6aP33GnuVTd4I2RaCaK/YwRs0HEIzaLCI
|
||||
iXPLVXkCgYEAyGVTr9wvET6zrL7whvc5nOSzxDCvb58bvr3HPPlF1onPQkXSIfRY
|
||||
BtNnv+7giAzOjktO7uGQYHkiZfmSxQvKbVbZuJZ/09L3O9EPLRgqBchlceyyWWym
|
||||
z2LXQBdrNYA/8OZ+qxfuPNPklTYDsnbRi2y7AXpwe8RtduIcS03Xgo0CgYEAwt27
|
||||
GMw8K9pRndK5hDePOvoEZJoiEnw20XqyGLX7+Vgh17epQygtvInWMqBEK8UsbzG+
|
||||
Im1KjODcXaBMdTmi8eO0cdDhiZ8DJRh+FU14pSs9AvVApPPOEkgPaVuYU7FxCLKE
|
||||
v8TK9QjcywvGq2+UAZ9vbtEfBvCasGYGyic83gsCgYAOdQDslv3uSI+9zqiblApb
|
||||
/0PYy4pciyX9RMOy6mjXaWnCZjcaq/4NwAKkHh+ksQfVzCkNosg/rX2FzdOA07Du
|
||||
4m0im/js1zNu5U4q+qtNb3+iEGlteiEupPrSbN4XJgF256oLvdY6HS9IdHUf0uKb
|
||||
JGT5XlPvGeSrxvQzmpIJoQKBgFi8BV2mauQBN1cpxOarMiLGBMgW09sdCw1a1Myh
|
||||
2grSEh8b+AynuCP5lDtbdY+E6tX7jbw5jlAWeOJ9gzOCOmvxp5KIbptveEwlGgzz
|
||||
STPVO6QkL/qtNrJmc/YjCntZ+sHeIMr+fvkTvw8K3r3kQj527pREz98mIxqeawsU
|
||||
0Qe/AoGAU0XRhm/yzsKxHauksqgx+p5qDgoUpiS+KEKU1gCzYkbjI3cg4SNopaCb
|
||||
DfcRwcblwuLnq7BY4n44F08n94u09s0InJdO2xmGrjY5cw7QqiI50B4FSb/KCXB7
|
||||
CnkT7DznceY2guHFT9Rm8j+1Q6EsSwy2BO4/iX6xIaNcKcw5JZk=
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICsTCCAZkCFElB9131Tg40vCU0/10eVenAgwa/MA0GCSqGSIb3DQEBCwUAMBYx
|
||||
FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNTA4Mzg1M1oXDTIwMTEwNDA4
|
||||
Mzg1M1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
|
||||
AQ8AMIIBCgKCAQEAxqmrytbO2mOd3x43nIyvX/G5+S5VpDITPs3KeeJEBUbB1nZa
|
||||
GI7cC36c6bqGV6bnJGv3BdCL9z8L7BPPbSzy3NCvtQ5Q0bGsJgwX0Lkm/H1DzIbP
|
||||
vmktBBrQJrn9L6h4x2e+wxLTOo7oM5NIROBdIDXzAXiJFR3J5TY0bYQH1WD4+xmX
|
||||
vHHIIJignsrNl08ODruG0UGn/I9wMKu7pS3wlWbyHvzuPsUUi1cCxZowUp52l1GU
|
||||
Y7b54R1zMX7yTkiY4rshKfDqkKLQwk0RphXF4SLVjfPM38gA2zTcXecAahn/Si2b
|
||||
7VNmUD0NTMxf5UtCv0iqdUFLekgFOb8q1J+osQIDAQABMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQCaOtOFXGfjAQRMOrSiy62wigw+D26jml01krRDCch/8MiDtG9agX0qIQnP
|
||||
hK/lkY4AbRqwMe9MugJmCBEgHDwgOgPX7GH+J8l/DbjOp1NUzD4rxy/bfTXLP+5j
|
||||
dkUzD7GIedygTm4jGTxFE9P6iYo/Un0GffSIsjIWaXyGf2T6kn1oE8sygXwhNaqm
|
||||
F1duIXbseNo4brXBwWncw/C0gw8dXZDzlozIKhUzH/Ff6Q3h1Axu/5uNV7Svmkb1
|
||||
pHg9faWkZHhLasm40LTGG2B83z3f38R2AwcRRkH5Wque1FwfT886XnF//E9dfGi8
|
||||
cr1i2trLhweFMp1w5qbbqojMYs3h
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGqavK1s7aY53f
|
||||
HjecjK9f8bn5LlWkMhM+zcp54kQFRsHWdloYjtwLfpzpuoZXpucka/cF0Iv3Pwvs
|
||||
E89tLPLc0K+1DlDRsawmDBfQuSb8fUPMhs++aS0EGtAmuf0vqHjHZ77DEtM6jugz
|
||||
k0hE4F0gNfMBeIkVHcnlNjRthAfVYPj7GZe8ccggmKCeys2XTw4Ou4bRQaf8j3Aw
|
||||
q7ulLfCVZvIe/O4+xRSLVwLFmjBSnnaXUZRjtvnhHXMxfvJOSJjiuyEp8OqQotDC
|
||||
TRGmFcXhItWN88zfyADbNNxd5wBqGf9KLZvtU2ZQPQ1MzF/lS0K/SKp1QUt6SAU5
|
||||
vyrUn6ixAgMBAAECggEARR3o4ARGKWL5HRQ1QukLZvUBv/jn4N1vJq2QYUFgavmI
|
||||
HOZGSD8DvZgKXaMAdGRkDJ7nbYV1/MpZioQF6bT2te6BAxv88EfBXeddLcgNEVE/
|
||||
klvg0R1khQYTHzYcKUWS58VncBUPmlL35GG8hgINRFSgvAVEpC0d/foS2XtTAmBC
|
||||
IxJUr6C9TewK4R1psFMqUOhUJUwoAAN1HVN/zRQttOK9P5JYc4nl4UuaeQ0AYIro
|
||||
OSvseKBCgD9fGFpeT0lM/rB5qBh+/25faUs3hhF6kQZcvVqDVfUi2FbkSeoqV5BB
|
||||
Gr1LKzxK3TBsKzZIsJt/ZTcVlfXNho2F+WqWDADHQQKBgQD1ezi+8ItR8SE0j/1q
|
||||
5jpevjFQWipzwCBjZFtJBYutlw76MbGV0YAPgNNXzTFi35N5b5FB0cvfQlD0bG1c
|
||||
25xZw16hSiBh8uVpEpWcB2FQbtMg3N81T5TD/gVoZZpOSW9G0zdeRkQYPf+aNgaA
|
||||
/bCI60Bnz7oqMCfAp9m1plplSQKBgQDPLOD5HCOS+gqyS7hHpb4aDetgKErHuxki
|
||||
l9/jzWLt6QR3q7rVwvc91tbvJejQh+aL+vw5xfjyN8DnjHQ7qjV0pPyW86bpd1Cf
|
||||
b2AlBnKc9kI2ghcWirod6lu3Xwm+LYboh6++cCyYuq8lsKzslMPluzbEZzi+r1p0
|
||||
WAuo9KnwKQKBgQCiZe5YgxHoF7l76HYiLkUXQIOnQL8s7EGA/3dUi5KoOHL0GcP9
|
||||
9SbfGr62K00st/P8Nk7GWGCjRmAAE2sWL0L0L0d/NGbP5bzXEjBflJJQf8C00Onp
|
||||
fshQENDLC8xVVkeDd1/9wkZyMzHRd0Q+OZZ8PgXRp57lIg5qaaChh3ft4QKBgBKL
|
||||
J8/kTuLW8qIm2OXA1hUq7ch7ksXx3zwTb/zJ43L8CmRTwLNlcg/c7PwW3pHbuC0L
|
||||
WAwrxi6YAvI2xiiZAZPhOKKiSGxZO6QpqedmflfCSwbp+fsQi7wlv/PX091r4clq
|
||||
a7aV/8fj3c131OKQJkCn0y0dOB0JQQVs5A5JZ/SRAoGBAO4JCRa7OGNYEd+C2XkK
|
||||
JbZ7HFgnvFcdPVnH4AikrtJ2tujvz9npVpLHAgfbxxxqo3GTw/5hlY4MWftXrorf
|
||||
FWwuO/dBeVWWN9P0tIp2IGuw+lXgUqgr3UPSJmxurlKNtQvggjxM55WT/mV6cYYi
|
||||
dHkErd2bkiUF0KjuNz5VZD94
|
||||
-----END PRIVATE KEY-----
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICsTCCAZkCFElB9131Tg40vCU0/10eVenAgwbAMA0GCSqGSIb3DQEBCwUAMBYx
|
||||
FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNTA4Mzg1N1oXDTIwMTEwNDA4
|
||||
Mzg1N1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC
|
||||
AQ8AMIIBCgKCAQEAwJ0dIkgyH0Vq82Xnuez6Y30AAUg8BmVdWhEXW07XBUYdjnqG
|
||||
XoDDk2hyqSKlCo4wtOgajS9j08eZG09b/JuQOIzoOP39HkmMFYW2ocJFcNM07h5Z
|
||||
X248ANyG4XorIQPk6HiJJd+hCKm6Pta5HgRC6MBy9RRl+DOxJRfyMxSmI3LaH52d
|
||||
GvsjhSGWAp57ksappadLAcYhnMQDwqgUcG9mtRXcewo5r6ypDDDnv0DL8qs9H9uN
|
||||
Bw46LeE8zrfS6fVOOMly0GWPjcTCk2AWKRnSFJo5eoVue1NYm1lwAtVXMeZ21IQp
|
||||
tEVi/vl1CSo3j/wyp95cApCoTQkqt0zjng/uEQIDAQABMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQBV1IhkPMGhYVvomI/rvb+wXjUNnEZyg6VTfOxjVWdZfCisfTqk3uw4ar0t
|
||||
43b4QExm2dl1IFFtrfnRlx3uN1MQ4biH2A1p8go6mWILRjo3zLA78RzA//BG05UZ
|
||||
DN98VP6VdCjFDMpwvhfUXFZzWfenUIjACnqY/VaURI+iT92M9jG1qFS9s50dmDn3
|
||||
lK3prS+HSKNdHc3KDfYoFzPoTfpuwJv10tkQd4jSt2FJevlQpcuXyytW5UGJrTgN
|
||||
UVHVevYJhOjMuLMZ77QvDJvF4XEkap1FPP/tGwbhMEIPnD3qWCjD3+HA/PXcHMRq
|
||||
hk4DBD+WNpxL6zMgMqUwRdfsBzec
|
||||
-----END CERTIFICATE-----
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAnR0iSDIfRWrz
|
||||
Zee57PpjfQABSDwGZV1aERdbTtcFRh2OeoZegMOTaHKpIqUKjjC06BqNL2PTx5kb
|
||||
T1v8m5A4jOg4/f0eSYwVhbahwkVw0zTuHllfbjwA3IbheishA+ToeIkl36EIqbo+
|
||||
1rkeBELowHL1FGX4M7ElF/IzFKYjctofnZ0a+yOFIZYCnnuSxqmlp0sBxiGcxAPC
|
||||
qBRwb2a1Fdx7CjmvrKkMMOe/QMvyqz0f240HDjot4TzOt9Lp9U44yXLQZY+NxMKT
|
||||
YBYpGdIUmjl6hW57U1ibWXAC1Vcx5nbUhCm0RWL++XUJKjeP/DKn3lwCkKhNCSq3
|
||||
TOOeD+4RAgMBAAECggEBAI6J9oxvJwBzS7Fx4Wl7ENTdJUrNnPYSv2Gusj00+/SA
|
||||
LdFJpPR8j78flXLLG53TGgJWnYeL4XFRDWHjeaxXpwPiatv6Qf3O6abnu/67GM5k
|
||||
zo/Ez9jKaAcvK3XjBdW53wWWZdAsTSxvBlAIcRfgiW9bM/dgMBHclyRfMzJP/p7N
|
||||
z+l2yKrizImojL/CXEG6BjkjpcS5l5hr8/DGCMCEes9CcQamFb281wPXdktICOHG
|
||||
tkyR8+E571rr+nzDYdaTLFa5jLiFDbNdCk378c8T5eOWCGQayEwBUfd06h7Fqn95
|
||||
Jt6TdFbWz1bXykUyKAkmniqgRNDol/wR6WjlnBEejV0CgYEA5vhX0IEwLoqIJww8
|
||||
sttGDkVJXjwAHOb9FQy5uWcz0b7QeLS8pJaGbact0nveMM3HXl3A/uVWvMtpnrEk
|
||||
vEfE2ZktxwFIiYbrqjTbDp2s0yvjDde/FHJD2UkP0mGnzLas/NwV+pljZ7iAev4q
|
||||
GlpcSBrxaeFabxENWfx6NY75QwsCgYEA1XysqOzmUXiPCxTwOnz+k9/4E9d8cg79
|
||||
nuQo8vJ8lEAzKAxic434GX4ijsu7OE5SqMotrpUtwtruNOVliDnpyxRz4TdTwo+A
|
||||
4MgZG3BkG2OZNGsg3VaTpMtdkLWnd3Zato2AwQrUhUGMDW+kf/vRGsCJOmVsVWg/
|
||||
1hlWxgekhNMCgYAxG3AgRrdlzdJw6usk4/YbJqQYww0LGBmLFi+OueCModNVNqg9
|
||||
HjvqqHbXn7p4CehvqeNUzpIIhf8o3GUBGwlBco4HF8DCbMtCXwaMLv4Fz/jwgoR/
|
||||
5mOCmUQh6N1yawyQnoKVy3MVJGc8vzlYbQnd0sytRFqj7q42CbY6GPHqTQKBgHoF
|
||||
1956Aa8hfIk1/5U+qng1NOOKcEv1O4udF7a9WO2XwGWspn0r8VoI2ZHK6wjk46Qs
|
||||
Y239QHm2jx7W23DAwVvdJdrdt9dmFKDmXktrsxxgkkn+zXsVqDAyORmkasMCeBkN
|
||||
ykEMgqpj67wmSt0IPt3OnOEu5XvvqUUjmJB5/9QXAoGBALLyTFgqiJdQwhlDCmMD
|
||||
eUpd4OW6NAmsOke+udhjcXMF+WNieDI6z4TWhwpoFjtdRsrMHmB5VXZFwkvh7L53
|
||||
hEis0a9DX+ltNdHysMyrDBww7DyAC3gesf+N9iblPERn1G7lukNU2JcvpeCrwgtf
|
||||
gM0xvSJPc+eNOmM3aKQsA/l9
|
||||
-----END PRIVATE KEY-----
|
||||
85
test/data/x509/openssl.cnf
Normal file
85
test/data/x509/openssl.cnf
Normal file
|
|
@ -0,0 +1,85 @@
|
|||
#
|
||||
# ca options
|
||||
#
|
||||
|
||||
[ca]
|
||||
default_ca = osbuild_ca
|
||||
|
||||
[osbuild_ca]
|
||||
database = ./index.txt
|
||||
new_certs_dir = ./certs
|
||||
rand_serial = yes
|
||||
|
||||
certificate = ca.cert.pem
|
||||
private_key = private/ca.key.pem
|
||||
|
||||
default_days = 3650
|
||||
default_md = sha256
|
||||
|
||||
x509_extensions = osbuild_ca_ext
|
||||
|
||||
# See WARNINGS in `man openssl ca`. This is ok, becasue it only copies
|
||||
# extensions that are not already specified in `osbuild_ca_ext`.
|
||||
copy_extensions = copy
|
||||
|
||||
preserve = no
|
||||
policy = osbuild_ca_policy
|
||||
|
||||
# We want to issue multiple certificates with the same subject in the
|
||||
# testing environment.
|
||||
unique_subject = no
|
||||
|
||||
|
||||
[osbuild_ca_ext]
|
||||
basicConstraints = critical, CA:TRUE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid:always, issuer:always
|
||||
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
|
||||
|
||||
|
||||
[osbuild_ca_policy]
|
||||
commonName = supplied
|
||||
emailAddress = supplied
|
||||
|
||||
|
||||
#
|
||||
# Extensions for server certificates
|
||||
#
|
||||
|
||||
[osbuild_server_ext]
|
||||
basicConstraints = critical, CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid, issuer:always
|
||||
keyUsage = critical, digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = serverAuth
|
||||
|
||||
|
||||
#
|
||||
# Extensions for client certificates
|
||||
#
|
||||
|
||||
[osbuild_client_ext]
|
||||
basicConstraints = CA:FALSE
|
||||
subjectKeyIdentifier = hash
|
||||
authorityKeyIdentifier = keyid,issuer
|
||||
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
|
||||
extendedKeyUsage = clientAuth
|
||||
|
||||
|
||||
#
|
||||
# req options
|
||||
#
|
||||
|
||||
[req]
|
||||
default_md = sha256
|
||||
default_bits = 2048
|
||||
distinguished_name = osbuild_distinguished_name
|
||||
|
||||
|
||||
#
|
||||
# Only prompt for CN
|
||||
#
|
||||
|
||||
[osbuild_distinguished_name]
|
||||
CN = Common Name
|
||||
emailAddress = E-Mail Address
|
||||
|
|
@ -12,14 +12,86 @@ sudo mkdir -p /etc/osbuild-composer/repositories
|
|||
sudo cp -a /usr/share/tests/osbuild-composer/repositories/fedora-*.json \
|
||||
/etc/osbuild-composer/repositories/
|
||||
|
||||
sudo cp -a /usr/share/tests/osbuild-composer/ca/* \
|
||||
/etc/osbuild-composer/
|
||||
sudo chown _osbuild-composer /etc/osbuild-composer/composer-*.pem
|
||||
# Generate all X.509 certificates for the tests
|
||||
# The whole generation is done in a $CADIR to better represent how osbuild-ca
|
||||
# it.
|
||||
CERTDIR=/etc/osbuild-composer
|
||||
OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
|
||||
CADIR=/etc/osbuild-composer-test/ca
|
||||
|
||||
# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
|
||||
sudo rm -rf $CADIR || true
|
||||
sudo mkdir -p $CADIR
|
||||
|
||||
pushd $CADIR
|
||||
sudo mkdir certs private
|
||||
sudo touch index.txt
|
||||
|
||||
# Generate a CA.
|
||||
sudo openssl req -config $OPENSSL_CONFIG \
|
||||
-keyout private/ca.key.pem \
|
||||
-new -nodes -x509 -extensions osbuild_ca_ext \
|
||||
-out ca.cert.pem -subj "/CN=osbuild.org"
|
||||
|
||||
# Copy the private key to the location expected by the tests
|
||||
sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem
|
||||
|
||||
# Generate a composer certificate.
|
||||
sudo openssl req -config $OPENSSL_CONFIG \
|
||||
-keyout "$CERTDIR"/composer-key.pem \
|
||||
-new -nodes \
|
||||
-out /tmp/composer-csr.pem \
|
||||
-subj "/CN=localhost/emailAddress=osbuild@example.com" \
|
||||
-addext "subjectAltName=DNS:localhost"
|
||||
|
||||
sudo openssl ca -batch -config $OPENSSL_CONFIG \
|
||||
-extensions osbuild_server_ext \
|
||||
-in /tmp/composer-csr.pem \
|
||||
-out "$CERTDIR"/composer-crt.pem
|
||||
|
||||
sudo chown _osbuild-composer "$CERTDIR"/composer-*.pem
|
||||
|
||||
# Generate a worker certificate.
|
||||
sudo openssl req -config $OPENSSL_CONFIG \
|
||||
-keyout "$CERTDIR"/worker-key.pem \
|
||||
-new -nodes \
|
||||
-out /tmp/worker-csr.pem \
|
||||
-subj "/CN=localhost/emailAddress=osbuild@example.com" \
|
||||
-addext "subjectAltName=DNS:localhost"
|
||||
|
||||
sudo openssl ca -batch -config $OPENSSL_CONFIG \
|
||||
-extensions osbuild_client_ext \
|
||||
-in /tmp/worker-csr.pem \
|
||||
-out "$CERTDIR"/worker-crt.pem
|
||||
|
||||
# Generate a client certificate.
|
||||
sudo openssl req -config $OPENSSL_CONFIG \
|
||||
-keyout "$CERTDIR"/client-key.pem \
|
||||
-new -nodes \
|
||||
-out /tmp/client-csr.pem \
|
||||
-subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
|
||||
-addext "subjectAltName=DNS:client.osbuild.org"
|
||||
|
||||
sudo openssl ca -batch -config $OPENSSL_CONFIG \
|
||||
-extensions osbuild_client_ext \
|
||||
-in /tmp/client-csr.pem \
|
||||
-out "$CERTDIR"/client-crt.pem
|
||||
|
||||
# Client keys are used by tests to access the composer APIs. Allow all users access.
|
||||
sudo chmod 644 "$CERTDIR"/client-key.pem
|
||||
|
||||
popd
|
||||
|
||||
sudo systemctl start osbuild-remote-worker.socket
|
||||
sudo systemctl start osbuild-composer.socket
|
||||
sudo systemctl start osbuild-composer-api.socket
|
||||
|
||||
# The keys were regenerated but osbuild-composer might be already running.
|
||||
# Let's try to restart it. In ideal world, this shouldn't be needed as every
|
||||
# test case is supposed to run on a pristine machine. However, this is
|
||||
# currently not true on Schutzbot
|
||||
sudo systemctl try-restart osbuild-composer
|
||||
|
||||
# Basic verification
|
||||
sudo composer-cli status show
|
||||
sudo composer-cli sources list
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue