Adding JKS creation along with the certificates (#17)

Author: JohnPreston

docs/certificates.rst

@@ -0,0 +1,68 @@
+
+.. meta::
+    :description: Files Composer features
+    :keywords: AWS, Kubernetes, SSL, certificates
+
+
+.. _certificates
+
+===================
+SSL Certificates
+===================
+
+Self signed certificates
+============================
+
+When deploying services, it is best practice where possible to enable TLS termination. Even when the certificates are
+self-signed, this improves security dramatically. With the files composer, you can request to generate certificates on
+the fly to later use with your application. This will create a private key and public certificate.
+
+Below are optional properties and there default values that you can set so that the certificate information reflects
+your needs.
+
++----------------------+---------------------------------------------+
+| Property Name        | Default Value                               |
++======================+=============================================+
+| emailAddress         | [email protected]                |
++----------------------+---------------------------------------------+
+| commonName           | the hostname retrieved from the os.hostname |
++----------------------+---------------------------------------------+
+| countryName          | ZZ                                          |
++----------------------+---------------------------------------------+
+| localityName         | Anywhere                                    |
++----------------------+---------------------------------------------+
+| stateOrProvinceName  | Shire                                       |
++----------------------+---------------------------------------------+
+| organizationName     | NoOne                                       |
++----------------------+---------------------------------------------+
+| organizationUnitName | Automation                                  |
++----------------------+---------------------------------------------+
+| validityEndInSeconds | 3*31*24*60*60=3Months                       |
++----------------------+---------------------------------------------+
+
+.. note::
+
+    The certificates are created once, and not automatically renewed after ``validityEndInSeconds`` expires.
+    This is meant to be a solution to provision temporary certificates.
+
+    There is no CA created and retrievable in this process.
+
+jksConfig
+------------
+
+This is a configuration option that allows you to create a java key store (JKS) in the JKS format from the generated
+certificate files. You can specify the fileName which will be created in the same folder, alongside the key and certificate.
+You must specify a passphrase, which is used for both the private key and the jks encryption.
+
+
+.. code-block::
+
+    certificates:
+      x509:
+        /tmp/testing:
+          keyFileName: nginx.key
+          certFileName: nginx.crt
+          commonName: test.net
+          jksConfig:
+            fileName: test.jks
+            passphrase: somesecretpassword

docs/features.rst

@@ -52,7 +52,7 @@ AWS Secrets Manager Source
 .. attention::
 
     This should only be used for very edgy use-cases, such as retrieving certificates stored as flat content in AWS SSM.
-    You should absolutely use the `AWS ECS Task Definition Secrets`_ definitions
+    Alternatively you can use the `AWS ECS Task Definition Secrets`_ definitions
 
     .. seealso::
 
@@ -70,6 +70,23 @@ accessible.
     We do not recommend to put the basic auth credentials in plain text in the configuration, unless the source
     of the configuration for ECS Files Composer comes from AWS Secrets manager.
 
+Self-signed certificates rendering
+====================================
+
+.. code-block::
+
+    certificates:
+      x509:
+        /tmp/testinggg:
+          keyFileName: nginx.key
+          certFileName: nginx.crt
+          commonName: test.net
+
+.. seealso::
+
+    More details on all the available options for :ref:`certificates`
+
+
 Files Rendering
 ====================
 

docs/index.rst

@@ -88,6 +88,7 @@ docker-compose
     input
     features
     jinja2_functions_filters
+    certificates
     examples
     modules
     contributing

ecs-files-input.json

@@ -320,23 +320,23 @@
         "countryName": {
           "type": "string",
           "pattern": "^[A-Z]+$",
-          "default": "AW"
+          "default": "ZZ"
         },
         "localityName": {
           "type": "string",
-          "default": "AWS"
+          "default": "Anywhere"
         },
         "stateOrProvinceName": {
           "type": "string",
-          "default": "AWS"
+          "default": "Shire"
         },
         "organizationName": {
           "type": "string",
-          "default": "AWS"
+          "default": "NoOne"
         },
         "organizationUnitName": {
           "type": "string",
-          "default": "AWS"
+          "default": "Automation"
         },
         "validityEndInSeconds": {
           "type": "number",
@@ -358,6 +358,25 @@
           "type": "string",
           "description": "UNIX user or UID owner of the file. Default to root(0)",
           "default": "root"
+        },
+        "jksConfig": {
+          "description": "Configuration that will allow to transform the certificate into a JKS for java applications",
+          "type": "object",
+          "additionalProperties": false,
+          "required": [
+            "fileName",
+            "passphrase"
+          ],
+          "properties": {
+            "fileName": {
+              "type": "string",
+              "description": "Name of the JKS file to create"
+            },
+            "passphrase": {
+              "type": "string",
+              "description": "The passphrase to use to secure the jks and certificate"
+            }
+          }
         }
       }
     },

ecs_files_composer/certificates_mgmt.py

@@ -6,6 +6,7 @@
 from os import path
 from typing import Any
 
+import jks as pyjks
 from OpenSSL import crypto
 
 from ecs_files_composer.files_mgmt import File
@@ -27,6 +28,7 @@ def __init__(self, **data: Any):
         self.key_file = None
         self.cert_file_path = None
         self.key_file_path = None
+        self.keystore = None
 
     def init_cert_paths(self):
         self.cert_file_path = path.abspath(f"{self.dir_path}/{self.cert_file_name}")
@@ -95,6 +97,22 @@ def set_cert_files(self):
             }
         )
 
+    def generate_jks(self):
+        """
+        Creates a JKS from the private key and certificate
+        :return:
+        """
+        jks_path = path.abspath(f"{self.dir_path}/{self.jks_config.file_name}")
+        pkey = pyjks.jks.PrivateKeyEntry.new(
+            self.key_file_name,
+            certs=[crypto.dump_certificate(crypto.FILETYPE_ASN1, self.cert)],
+            key=self.key_content,
+            key_format="rsa_raw",
+        )
+        pkey.encrypt(self.jks_config.passphrase)
+        self.keystore = pyjks.KeyStore.new("jks", [pkey])
+        self.keystore.save(jks_path, self.jks_config.passphrase)
+
 
 def process_x509_certs(job):
     """
@@ -111,6 +129,10 @@ def process_x509_certs(job):
         cert_obj.dir_path = cert_path
         cert_obj.init_cert_paths()
         cert_obj.set_cert_files()
+        if cert_obj.jks_config:
+            cert_obj.generate_jks()
         job.certificates.x509[cert_path] = cert_obj
+        if not job.files:
+            job.files = {}
         job.files[cert_obj.cert_file.path] = cert_obj.cert_file
         job.files[cert_obj.key_file_path] = cert_obj.key_file

ecs_files_composer/input.py

@@ -1,6 +1,6 @@
 # generated by datamodel-codegen:
 #   filename:  ecs-files-input.json
-#   timestamp: 2022-11-23T17:19:16+00:00
+#   timestamp: 2023-02-22T16:56:14+00:00
 
 from __future__ import annotations
 
@@ -87,6 +87,18 @@ class CommandsDef(BaseModel):
     __root__: List[str] = Field(..., description="List of commands to run")
 
 
+class JksConfig(BaseModel):
+    class Config:
+        extra = Extra.forbid
+
+    file_name: str = Field(
+        ..., alias="fileName", description="Name of the JKS file to create"
+    )
+    passphrase: str = Field(
+        ..., description="The passphrase to use to secure the jks and certificate"
+    )
+
+
 class X509CertDef(BaseModel):
     class Config:
         extra = Extra.allow
@@ -100,11 +112,13 @@ class Config:
             regex=r"^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9])\Z"
         )
     ] = Field(None, alias="commonName")
-    country_name: Optional[str] = Field("AW", alias="countryName", regex="^[A-Z]+$")
-    locality_name: Optional[str] = Field("AWS", alias="localityName")
-    state_or_province_name: Optional[str] = Field("AWS", alias="stateOrProvinceName")
-    organization_name: Optional[str] = Field("AWS", alias="organizationName")
-    organization_unit_name: Optional[str] = Field("AWS", alias="organizationUnitName")
+    country_name: Optional[str] = Field("ZZ", alias="countryName", regex="^[A-Z]+$")
+    locality_name: Optional[str] = Field("Anywhere", alias="localityName")
+    state_or_province_name: Optional[str] = Field("Shire", alias="stateOrProvinceName")
+    organization_name: Optional[str] = Field("NoOne", alias="organizationName")
+    organization_unit_name: Optional[str] = Field(
+        "Automation", alias="organizationUnitName"
+    )
     validity_end_in_seconds: Optional[float] = Field(
         8035200,
         alias="validityEndInSeconds",
@@ -119,6 +133,11 @@ class Config:
     owner: Optional[str] = Field(
         "root", description="UNIX user or UID owner of the file. Default to root(0)"
     )
+    jks_config: Optional[JksConfig] = Field(
+        None,
+        alias="jksConfig",
+        description="Configuration that will allow to transform the certificate into a JKS for java applications",
+    )
 
 
 class CertbotAwsStoreCertificate(BaseModel):