diff --git a/tools/gen-certs.sh b/tools/gen-certs.sh
new file mode 100755
index 000000000..2eb86cf12
--- /dev/null
+++ b/tools/gen-certs.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+if (( $# != 3 )); then
+ echo "Usage: $0 "
+ echo
+ echo "Positional arguments"
+ echo " OpenSSL configuration file"
+ echo " Destination directory for the generated files"
+ echo " Working directory for the generation process"
+ exit 1
+fi
+
+set -euxo pipefail
+# Generate all X.509 certificates for the tests
+# The whole generation is done in a $CADIR to better represent how osbuild-ca
+# it.
+OPENSSL_CONFIG="$1"
+CERTDIR="$2"
+CADIR="$3"
+
+# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
+rm -rf "$CADIR" || true
+mkdir -p "$CADIR" "$CERTDIR"
+
+# Convert the arguments to real paths so we can safely change working directory
+OPENSSL_CONFIG="$(realpath "${OPENSSL_CONFIG}")"
+CERTDIR="$(realpath "${CERTDIR}")"
+CADIR="$(realpath "${CADIR}")"
+
+pushd "$CADIR"
+ mkdir certs private
+ touch index.txt
+
+ # Generate a CA.
+ openssl req -config "$OPENSSL_CONFIG" \
+ -keyout private/ca.key.pem \
+ -new -nodes -x509 -extensions osbuild_ca_ext \
+ -out ca.cert.pem -subj "/CN=osbuild.org"
+
+ # Copy the private key to the location expected by the tests
+ cp ca.cert.pem "$CERTDIR"/ca-crt.pem
+
+ # Generate a composer certificate.
+ openssl req -config "$OPENSSL_CONFIG" \
+ -keyout "$CERTDIR"/composer-key.pem \
+ -new -nodes \
+ -out /tmp/composer-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ openssl ca -batch -config "$OPENSSL_CONFIG" \
+ -extensions osbuild_server_ext \
+ -in /tmp/composer-csr.pem \
+ -out "$CERTDIR"/composer-crt.pem
+
+ # Generate a worker certificate.
+ openssl req -config "$OPENSSL_CONFIG" \
+ -keyout "$CERTDIR"/worker-key.pem \
+ -new -nodes \
+ -out /tmp/worker-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ openssl ca -batch -config "$OPENSSL_CONFIG" \
+ -extensions osbuild_client_ext \
+ -in /tmp/worker-csr.pem \
+ -out "$CERTDIR"/worker-crt.pem
+
+ # Generate a client certificate.
+ openssl req -config "$OPENSSL_CONFIG" \
+ -keyout "$CERTDIR"/client-key.pem \
+ -new -nodes \
+ -out /tmp/client-csr.pem \
+ -subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:client.osbuild.org"
+
+ openssl ca -batch -config "$OPENSSL_CONFIG" \
+ -extensions osbuild_client_ext \
+ -in /tmp/client-csr.pem \
+ -out "$CERTDIR"/client-crt.pem
+
+ # Client keys are used by tests to access the composer APIs. Allow all users access.
+ chmod 644 "$CERTDIR"/client-key.pem
+
+ # Generate a kojihub certificate.
+ openssl req -config "$OPENSSL_CONFIG" \
+ -keyout "$CERTDIR"/kojihub-key.pem \
+ -new -nodes \
+ -out /tmp/kojihub-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ openssl ca -batch -config "$OPENSSL_CONFIG" \
+ -extensions osbuild_server_ext \
+ -in /tmp/kojihub-csr.pem \
+ -out "$CERTDIR"/kojihub-crt.pem
+
+popd
diff --git a/tools/provision.sh b/tools/provision.sh
index f90f2419e..1ed1e4478 100755
--- a/tools/provision.sh
+++ b/tools/provision.sh
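Review bot: The CSRs are written to and read back from fixed, predictable paths under /tmp (`-out /tmp/composer-csr.pem` … `-in /tmp/composer-csr.pem`, and likewise for worker, client and kojihub); since provision.sh invokes this script under sudo, a file or symlink that already exists at one of those names can redirect the write or substitute the request that `openssl ca` signs. The script already owns a private working directory, so the simplest fix is to keep the requests there — `-out "$CADIR"/composer-csr.pem` and `-in "$CADIR"/composer-csr.pem`, repeated for the other three certificates — or to create one with `mktemp -d` and remove it from an EXIT trap. Separately, the comment `# Copy the private key to the location expected by the tests` sits above `cp ca.cert.pem "$CERTDIR"/ca-crt.pem`, which copies the CA certificate, not the key; `# Copy the CA certificate to the location expected by the tests` would match the code. The usage text `echo "Usage: $0 "` and the three "Positional arguments" lines appear to have lost their placeholder names (possibly stripped as angle-bracketed text when the diff was rendered), so it is worth confirming the committed file still names the arguments it describes.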
@@ -37,81 +37,9 @@ CERTDIR=/etc/osbuild-composer
 OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
 CADIR=/etc/osbuild-composer-test/ca
-# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
-sudo rm -rf $CADIR || true
-sudo mkdir -p $CADIR
-
-pushd $CADIR
- sudo mkdir certs private
- sudo touch index.txt
-
- # Generate a CA.
- sudo openssl req -config $OPENSSL_CONFIG \
- -keyout private/ca.key.pem \
- -new -nodes -x509 -extensions osbuild_ca_ext \
- -out ca.cert.pem -subj "/CN=osbuild.org"
-
- # Copy the private key to the location expected by the tests
- sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem
-
- # Generate a composer certificate.
- sudo openssl req -config $OPENSSL_CONFIG \
- -keyout "$CERTDIR"/composer-key.pem \
- -new -nodes \
- -out /tmp/composer-csr.pem \
- -subj "/CN=localhost/emailAddress=osbuild@example.com" \
- -addext "subjectAltName=DNS:localhost"
-
- sudo openssl ca -batch -config $OPENSSL_CONFIG \
- -extensions osbuild_server_ext \
- -in /tmp/composer-csr.pem \
- -out "$CERTDIR"/composer-crt.pem
-
- sudo chown _osbuild-composer "$CERTDIR"/composer-*.pem
-
- # Generate a worker certificate.
- sudo openssl req -config $OPENSSL_CONFIG \
- -keyout "$CERTDIR"/worker-key.pem \
- -new -nodes \
- -out /tmp/worker-csr.pem \
- -subj "/CN=localhost/emailAddress=osbuild@example.com" \
- -addext "subjectAltName=DNS:localhost"
-
- sudo openssl ca -batch -config $OPENSSL_CONFIG \
- -extensions osbuild_client_ext \
- -in /tmp/worker-csr.pem \
- -out "$CERTDIR"/worker-crt.pem
-
- # Generate a client certificate.
- sudo openssl req -config $OPENSSL_CONFIG \
- -keyout "$CERTDIR"/client-key.pem \
- -new -nodes \
- -out /tmp/client-csr.pem \
- -subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
- -addext "subjectAltName=DNS:client.osbuild.org"
-
- sudo openssl ca -batch -config $OPENSSL_CONFIG \
- -extensions osbuild_client_ext \
- -in /tmp/client-csr.pem \
- -out "$CERTDIR"/client-crt.pem
-
- # Client keys are used by tests to access the composer APIs. Allow all users access.
- sudo chmod 644 "$CERTDIR"/client-key.pem
-
- # Generate a kojihub certificate.
- sudo openssl req -config $OPENSSL_CONFIG \
- -keyout "$CERTDIR"/kojihub-key.pem \
- -new -nodes \
- -out /tmp/kojihub-csr.pem \
- -subj "/CN=localhost/emailAddress=osbuild@example.com" \
- -addext "subjectAltName=DNS:localhost"
-
- sudo openssl ca -batch -config $OPENSSL_CONFIG \
- -extensions osbuild_server_ext \
- -in /tmp/kojihub-csr.pem \
- -out "$CERTDIR"/kojihub-crt.pem
-
-popd
+scriptloc=$(dirname "$0")
+sudo "${scriptloc}/gen-certs.sh" "${OPENSSL_CONFIG}" "${CERTDIR}" "${CADIR}"
+sudo chown _osbuild-composer "${CERTDIR}"/composer-*.pem
 sudo systemctl start osbuild-remote-worker.socket
 sudo systemctl start osbuild-composer.socket
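Review bot: `scriptloc=$(dirname "$0")` locates gen-certs.sh relative to however provision.sh was invoked, so running it through PATH or from another directory yields a path the sudo'd call cannot resolve; `scriptloc=$(dirname "$(realpath "$0")")` pins it to the script's real location, and gen-certs.sh already assumes realpath is available. The top of provision.sh is outside this hunk, so it is not visible whether the file runs under `set -e`; if it does not, a failed `sudo "${scriptloc}/gen-certs.sh" …` is silently followed by the chown and the socket starts, and an explicit `|| exit 1` on that line would make the failure stop provisioning. Note also that the new script traces every command with `set -x`, so its whole certificate-generation sequence will now appear in the provisioning log; that is acceptable here since only paths and subject names are passed on the command line, but worth keeping in mind if secrets are ever added as arguments.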