Replace self_signed certs with ssl/proper and delete self_signed

Author: Thanos Ploumis

core/src/main/groovy/noe/server/Httpd.groovy

@@ -50,7 +50,6 @@ abstract class Httpd extends ServerAbstract {
   String cachePath // directory for mod_cache caching
   File postInstallErrFile
   File postInstallOutFile
-  File sslCertDir
 
   Httpd(String basedir, version) {
     super(basedir, version)
@@ -67,11 +66,10 @@ abstract class Httpd extends ServerAbstract {
     this.cachePath = this.basedir + platform.sep + 'cache'
     postInstallErrFile = new File(getHttpdServerRootFull(), 'httpdPostInstallErr.log')
     postInstallOutFile = new File(getHttpdServerRootFull(), 'httpdPostInstallOut.log')
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
-    this.sslCertDir = new File(sslStringDir)
-    this.sslCertificate = new File(sslCertDir, "server.crt").absolutePath
-    this.sslKey = new File(sslCertDir, "server.key").absolutePath
-    this.keystorePath = new File(sslCertDir, "server.jks").absolutePath
+    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "proper", "generated", "ca", "intermediate")
+    this.sslCertificate = new File(sslStringDir, "localhost.server.cert.pem").absolutePath
+    this.sslKey = new File(sslStringDir, "localhost.server.key.pem").absolutePath
+    this.keystorePath = new File(sslStringDir,"localhost.server.keystore.jks").absolutePath
   }
 
   static ServerAbstract getInstance(String basedir, version, String httpdDir = '', NoeContext context = NoeContext.forCurrentContext()) {

core/src/main/groovy/noe/server/ServerAbstract.groovy

@@ -98,11 +98,11 @@ abstract class ServerAbstract implements IApp {
     this.serverRoot = basedir
     this.host = (host) ?: DefaultProperties.HOST
     this.ignoreShutdownPort = true
-    this.sslCertificate = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.crt"
-    this.sslKey = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.key"
-    this.keystorePath = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}self_signed${platform.sep}server.jks"
-    this.truststorePassword = 'changeit'
-    this.sslKeystorePassword = 'changeit'
+    this.sslCertificate = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}proper${platform.sep}generated${platform.sep}ca${platform.sep}intermediate${platform.sep}localhost.server.cert.pem"
+    this.sslKey = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}proper${platform.sep}generated${platform.sep}ca${platform.sep}intermediate${platform.sep}localhost.server.key.pem"
+    this.keystorePath = getDeplSrcPath() + "${platform.sep}ssl${platform.sep}proper${platform.sep}generated${platform.sep}ca${platform.sep}intermediate${platform.sep}localhost.server.keystore.jks"
+    this.truststorePassword = 'testpass'
+    this.sslKeystorePassword = 'testpass'
     this.pid = null
     setRunAs(loadRunAs())
     this.processCode = String.valueOf(Math.abs(this.hashCode()))

core/src/main/groovy/noe/server/Tomcat.groovy

@@ -42,7 +42,6 @@ class Tomcat extends ServerAbstract implements WorkerServer {
   def rootBasedir
   File postInstallErrFile
   File postInstallOutFile
-  File sslCertDir //Path to directory holding ssl certificates
 
   Tomcat(String basedir, version) {
     super(basedir, version)
@@ -62,11 +61,10 @@ class Tomcat extends ServerAbstract implements WorkerServer {
     this.cfgHost = (cfgHost) ?: ''
     postInstallErrFile = new File(basedir,  'tomcatPostInstallErr.log')
     postInstallOutFile = new File(basedir,  'tomcatPostInstallOut.log')
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
-    this.sslCertDir = new File(sslStringDir)
-    this.sslCertificate = new File(sslCertDir, "server.crt").absolutePath
-    this.sslKey = new File(sslCertDir, "server.key").absolutePath
-    this.keystorePath = new File(sslCertDir, "server.jks").absolutePath
+    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "proper", "generated", "ca", "intermediate")
+    this.sslCertificate = new File(sslStringDir, "localhost.server.cert.pem").absolutePath
+    this.sslKey = new File(sslStringDir, "localhost.server.key.pem").absolutePath
+    this.keystorePath = new File(sslStringDir,"localhost.server.keystore.jks").absolutePath
 
   }
 

core/src/main/groovy/noe/workspace/WorkspaceAbstract.groovy

@@ -120,25 +120,22 @@ abstract class WorkspaceAbstract implements IWorkspace {
   }
 
   /**
-   * Copies self-signed, pre-generated certificates from noe core to ${tmpdir}/ssl/self_signed directory.
+   * Copies intermediate certs, pre-generated certificates from noe core to ${tmpdir}/ssl/proper/generated/ca/intermediate directory.
    *
    */
   void copyCertificates() {
-    List<String> certificates = ["server.crt", "server.jks", "server.key", "server.p12"]
-    String sslStringDir = PathHelper.join(platform.tmpDir, "ssl", "self_signed")
-    File sslDir = new File(sslStringDir)
-    String resourcesPath = "ssl/self_signed/"  //resources jar path is always separated by /
+    String sslIntermediateDir = PathHelper.join(platform.tmpDir, "ssl", "proper", "generated", "ca", "intermediate")
+    File intermediateTmpDir = new File(sslIntermediateDir)
+    String intermediatePath = "ssl/proper/generated/ca/intermediate/"
 
-    if (!sslDir.exists()) {
-      JBFile.mkdir(sslDir)
+    if (!intermediateTmpDir.exists()) {
+      JBFile.mkdir(intermediateTmpDir)
     }
 
-    JBFile.makeAccessible(sslDir)
+    JBFile.makeAccessible(intermediateTmpDir)
 
-    for (String certName : certificates) {
-      File certFile = Library.retrieveResourceAsFile("${resourcesPath}${certName}")
-      JBFile.move(certFile, sslDir)
-    }
+    File sslIntermediateFile = Library.retrieveResourceAsFile("${intermediatePath}")
+    JBFile.move(sslIntermediateFile, intermediateTmpDir)
   }
 
   void downloadClusterBench() {

core/src/main/resources/ssl/proper/generated/Dockerfile

@@ -0,0 +1,18 @@
+# Small docker image specification to generate certificates on system that does include docker but not Java or OpenSSL
+# docker build . -t "mydockerimage"
+# docker run --rm -v $PWD/ca:/ca:z mydockerimage bash generate-trustchain.sh
+
+FROM alpine
+
+MAINTAINER Honza Kasik (https://github.com/honza-kasik)
+
+RUN apk update && \
+    apk add --no-cache openssl && \
+    apk add --no-cache bash && \
+    apk add --no-cache openjdk8-jre-base && \
+    rm -rf /var/cache/apk/*
+
+VOLUME /ca
+
+COPY conf /conf
+COPY generate-trustchain.sh /generate-trustchain.sh

core/src/main/resources/ssl/proper/generated/README.md

@@ -0,0 +1,21 @@
+This directory contains script to generate whole trustchain for testing purposes.
+Complete description of generated structere may be found in [generate-trustchain.sh](generate-trustchain.sh).
+
+## How to run
+
+For quick, OS-independent generation, run following commands to perform build using docker: 
+
+```bash
+IMAGE_NAME="my_cool_docker_image"
+docker build . -t ${IMAGE_NAME}
+docker run --rm -v $PWD/ca:/trustchain/ca:z ${IMAGE_NAME} bash generate-trustchain.sh
+
+```
+
+See [Dockerfile](Dockerfile) for further information on which version of Java (keytool) and OpenSSL is being used.
+
+You can also run the script manually, if you have all dependencies installed (see [Dockerfile](Dockerfile)):
+
+```bash
+./generate-trustchain.sh
+```

core/src/main/resources/ssl/proper/generated/ca/certs/ca.cert.pem

@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----
+MIIGTDCCBDSgAwIBAgIJANQ0pcZU/eCxMA0GCSqGSIb3DQEBCwUAMIGyMQswCQYD
+VQQGEwJDWjEXMBUGA1UECAwOQ3plY2ggUmVwdWJsaWMxDTALBgNVBAcMBEJybm8x
+HjAcBgNVBAoMFVJlZCBIYXQgQ3plY2gsIHMuci5vLjEPMA0GA1UECwwGRUFQIFFF
+MSAwHgYJKoZIhvcNAQkBFhFqa2FzaWtAcmVkaGF0LmNvbTEoMCYGA1UEAwwfY2Ff
+bW9kX2NsdXN0ZXJfdGVzdF9jZXJ0aWZpY2F0ZTAeFw0xOTAzMTgxMTM2MzlaFw0y
+OTAzMTUxMTM2MzlaMIGyMQswCQYDVQQGEwJDWjEXMBUGA1UECAwOQ3plY2ggUmVw
+dWJsaWMxDTALBgNVBAcMBEJybm8xHjAcBgNVBAoMFVJlZCBIYXQgQ3plY2gsIHMu
+ci5vLjEPMA0GA1UECwwGRUFQIFFFMSAwHgYJKoZIhvcNAQkBFhFqa2FzaWtAcmVk
+aGF0LmNvbTEoMCYGA1UEAwwfY2FfbW9kX2NsdXN0ZXJfdGVzdF9jZXJ0aWZpY2F0
+ZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJlW7owbp/KioDejaCmX
+mjh+Zqg15qpQC26nck9sV1eFcwB7GDUwueSH6LEpy7L2Dd8DC9f/n9E9jQIZDabJ
+JDUXXPrynZtmGbUXiUFG5kKohmVHbdE8v5KQ323oA/ic/DwbraDdkIWbq+6k4nqK
+IJBdBuoSxZLSgVXGR6rJjB0Mvdu3ky6F9zx4P6i26Qnz9lPNimxv2EhS9XyfSW5q
+0KUNKGq9pVD2EOZ+OZqlANcYiamESbLl72JOlNKeYVIPQzkBffTVLUkN4IcBFbyd
+8FprBlVbn+BHB7kKLwlv60lkaTMHQycqq82NZi8RqbUHoOszqFbUOKHSarnA0P1h
+Rlnif8CceNbIrK5foDPrNwgtQNueY8MhTghtuJ0MqARK+Cn2jADVKUrr5ZHpH7BI
+VKsgiXxX/kdLmhyjb9i3tEcRCo/qRQPyRsxbJNBspyb/qdJN9c38ru5aM0zJSmsG
+H/ldkl9VCm+y6BdPEXxK00LZbIqYXX6msmzHyJMFUVIV6Z8uMlPv3H1S4CcmEIXr
+7bVm8mUnou41ZtBkpaMZriwPq8V/bQOn4Zjs3n3K1QmLfOJKL02LMNXi0NF1pByG
+1YHWP0pltYgSO9cRzvSuiN81cdT86viJu/ZEHwBuQPnTXiZyR+LNZgA/AkDQ4Y13
+zmYKcZIVQIKpdxISKylylt+jAgMBAAGjYzBhMB0GA1UdDgQWBBTheIJoFEQJomtl
+r1YW8dyg/qYYZDAfBgNVHSMEGDAWgBTheIJoFEQJomtlr1YW8dyg/qYYZDAPBgNV
+HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEA
+FzCSF1IRtcs2rypyfZ9JjpR0sRgjhmnWOihFuNRaCmym8vwtuOqQ4ILrUye6vqf9
+lR/ActS7+YPX7mPm8/shPe65Fcj7XVUqeAkgaCAaz14a45ltwMK4d9cawK6ClXl6
+aOLYXWndGiYM/pxHLU9dhLtzfX6wnXJI1uLWs37p1lqZgMmFEu7ZwWG9Rgos7VyA
+7gxdHBAnrxZFp185VI0UQO6DSd8LiJ6Pw94fu4kut/SvlL+aqmMA2HxmUzMX/yGx
+5YQIBrhSzGp5wuSJVlqK0Nvmzj1fJlwek1JZCGcIKVBhSYbs90sN/kx2GNbPbMbJ
+0nI/dDKcKIMvtENK0o0h/xdhok0UiNi29EhnSwloQkogqXDfVoB7867051owrq/x
+fIKf82YStSYWlcrBNdmLgQbUog2rIJFHeHsRv2FLph4wvmR+jblgdJ3gJyUewUPw
+v8C/EGIuw5Lia4dkP2sPg93s70Lxy3o/jVw+TqzL/sLpiJDuWMfQTaOZXlHLciYv
+Mbdpt/TADdLg+ZhhpEbb+bsvJDBSFl8aAH/AASt8U7iTjAJHRW5HzXhao3RlliBW
++tZGZs0fFC3s2g0asuQoJ7mG7H3DOadefshVYyX/5+PlCQ8o/lGrpJ876qsWUnW8
+TpuBuVjHCn13zW9bIoXCR0tRX1CUjSsAqzx/cv6P2JI=
+-----END CERTIFICATE-----

core/src/main/resources/ssl/proper/generated/ca/crlnumber

@@ -0,0 +1 @@
+1000

core/src/main/resources/ssl/proper/generated/ca/index.txt

@@ -0,0 +1 @@
+V	290315113640Z		1000	unknown	/C=CZ/ST=Czech Republic/O=Red Hat Czech, s.r.o./OU=EAP QE/CN=intermediate_mod_cluster_test_certificate/[email protected]

core/src/main/resources/ssl/proper/generated/ca/index.txt.attr

@@ -0,0 +1 @@
+unique_subject = yes