test: add make-certs script to generate SSL certs

This will create the a certificate authority (CA) and then create a cert for composer and another one for the worker. The worker one can also be used by the koji plugin. The configuration file is needed to get subjectAltName working.
2020-09-16 14:09:49 +02:00 · 2020-09-16 14:09:49 +02:00 · 481243e628
commit 481243e628
parent db82105eb0
2 changed files with 71 additions and 0 deletions
--- a/test/data/composer.ssl.conf
+++ b/test/data/composer.ssl.conf
@ -0,0 +1,17 @@
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = localhost
+
+[v3_req]
+keyUsage = critical,keyEncipherment, dataEncipherment, digitalSignature
+extendedKeyUsage = critical,serverAuth,clientAuth,emailProtection
+basicConstraints = critical,CA:FALSE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = composer
--- a/test/make-certs.sh
+++ b/test/make-certs.sh
@ -0,0 +1,54 @@
+#!/bin/bash
+set -euo pipefail
+
+# this script must be run as root
+if [ $UID != 0 ]; then
+  echo This script must be run as root.
+  exit 1
+fi
+
+TEST_DATA=${TEST_DATA:-test/data}
+
+CA_DIR="/etc/osbuild-composer"
+echo "Generating certificates"
+mkdir -p ${CA_DIR}
+
+# The CA
+openssl req -new -nodes -x509 -days 365 \
+        -keyout "${CA_DIR}/ca-key.pem" \
+        -out "${CA_DIR}/ca-crt.pem" \
+        -subj "/CN=osbuild.org"
+openssl genrsa -out "${CA_DIR}/key.pem" 2048
+
+# composer
+ALT_NAMES="DNS:localhost,DNS:org.osbuild.koji.composer,DNS:composer"
+openssl genrsa -out ${CA_DIR}/composer-key.pem 2048
+openssl req -new -sha256 \
+        -key ${CA_DIR}/composer-key.pem	\
+        -out ${CA_DIR}/composer-csr.pem \
+        -config ${TEST_DATA}/composer.ssl.conf
+openssl x509 -req \
+        -in ${CA_DIR}/composer-csr.pem \
+        -CA ${CA_DIR}/ca-crt.pem \
+        -CAkey ${CA_DIR}/ca-key.pem \
+        -CAcreateserial \
+        -out ${CA_DIR}/composer-crt.pem \
+        -extfile ${TEST_DATA}/composer.ssl.conf \
+        -extensions v3_req
+
+# worker
+openssl genrsa -out ${CA_DIR}/worker-key.pem 2048
+openssl req -new -sha256 \
+        -key ${CA_DIR}/worker-key.pem	\
+        -out ${CA_DIR}/worker-csr.pem \
+        -subj "/CN=localhost"
+
+openssl x509 -req \
+        -in ${CA_DIR}/worker-csr.pem \
+        -CA ${CA_DIR}/ca-crt.pem \
+        -CAkey ${CA_DIR}/ca-key.pem \
+        -CAcreateserial \
+        -out ${CA_DIR}/worker-crt.pem
+
+# fix permissions for composer
+chown _osbuild-composer:_osbuild-composer ${CA_DIR}/composer-*