From: Remigiusz Janeczek Date: Wed, 16 Jun 2021 17:16:30 +0000 (+0200) Subject: [OOM-CERT-SERVICE] Add curl requests to Makefile X-Git-Tag: 2.4.0~24 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=27611bc9a6f855d439dbf68a2955e4651e83dd14;p=oom%2Fplatform%2Fcert-service.git [OOM-CERT-SERVICE] Add curl requests to Makefile Increase max header size (default was too low for update requests) Issue-ID: OOM-2753 Change-Id: I3614d8d34ed18ae52cec8fb4f9349e170c2ac3af Signed-off-by: Remigiusz Janeczek --- diff --git a/.gitignore b/.gitignore index 8a3ca168..452eeebe 100644 --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ target/ !**/src/test/** **/var compose-resources/client-volume +compose-resources/certs-from-curl ### STS ### .apt_generated diff --git a/Makefile b/Makefile index d48fd994..5827199b 100644 --- a/Makefile +++ b/Makefile 
@@ -32,3 +32,55 @@ stop-backend:
 @echo "##### Stop Cert Service #####"
 docker-compose down
 @echo "##### DONE #####"
+
+send-initialization-request:
+ @echo "##### Create folder for certificates from curl: `pwd`/compose-resources/certs-from-curl/ #####"
+ mkdir -p `pwd`/compose-resources/certs-from-curl/
+ @echo "##### Generate CSR and Key #####"
+ openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/ir.key \
+ -out `pwd`/compose-resources/certs-from-curl/ir.csr \
+ -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
+ -addext "subjectAltName = DNS:test.onap.org"
+ @echo "##### Send Initialization Request #####"
+ curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
+ -H "CSR: $$(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \
+ --cert `pwd`/certs/cmpv2Issuer-cert.pem \
+ --key `pwd`/certs/cmpv2Issuer-key.pem \
+ --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir"
+
+send-key-update-request: verify-initialization-request-files-exist
+ @echo "##### Generate CSR and Key #####"
+ openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/kur.key \
+ -out `pwd`/compose-resources/certs-from-curl/kur.csr \
+ -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \
+ -addext "subjectAltName = DNS:test.onap.org"
+ @echo "##### Send Key Update Request #####"
+ curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \
+ -H "CSR: $$(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \
+ -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
+ -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
+ --cert `pwd`/certs/cmpv2Issuer-cert.pem \
+ --key `pwd`/certs/cmpv2Issuer-key.pem \
+ --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur"
+
+send-certification-request: verify-initialization-request-files-exist
+ @echo "##### Generate CSR and Key #####"
+ openssl req -new -newkey rsa:2048 -nodes -keyout `pwd`/compose-resources/certs-from-curl/cr.key \
+ -out `pwd`/compose-resources/certs-from-curl/cr.csr \
+ -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \
+ -addext "subjectAltName = DNS:test.onap.org"
+ @echo "##### Send Key Update Request #####"
+ curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \
+ -H "CSR: $$(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \
+ -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \
+ -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \
+ --cert `pwd`/certs/cmpv2Issuer-cert.pem \
+ --key `pwd`/certs/cmpv2Issuer-key.pem \
+ --cacert `pwd`/certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr"
+
+verify-initialization-request-files-exist:
+ ifeq (,$(wildcard compose-resources/certs-from-curl/ir.key))
+ ifeq (,$(wildcard compose-resources/certs-from-curl/ir-cert.pem))
+ $(error Execute send-initialization-request first)
+ endif
+ endif
diff --git a/README.md b/README.md
index 2d91ee8f..ddbdfff7 100644
--- a/README.md
+++ b/README.md
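Review bot: The `ifeq`/`$(error …)` block under `verify-initialization-request-files-exist` cannot work as a recipe-time guard: if those lines are tab-indented the shell receives `ifeq (,)` and fails with a syntax error, and if they are space-indented make evaluates them while parsing, so every goal — including `send-initialization-request`, the one that creates the files — aborts whenever the files are absent. The nesting also only errors when both files are missing, so a half-finished run that left `ir.key` without `ir-cert.pem` passes. A shell test in the recipe does what was intended: `@test -f compose-resources/certs-from-curl/ir.key -a -f compose-resources/certs-from-curl/ir-cert.pem || { echo "Execute send-initialization-request first"; exit 1; }`. The three `curl -sN … | parseCertServiceResponse.sh` pipelines use neither `--fail` nor `pipefail`, so a connection failure (empty response) or an HTTP error body still runs the parser, which leaves empty `*-cert.pem` files that then satisfy the existence check above; `-fsS` makes the failure visible. Also note that the `PK`/`OLD_PK` headers put the private key PEM in curl's argument list, where other local users can read it via `ps` for the duration of the request (curl's `-H @file` form would keep it in a mode-0600 file), that the `@echo` in `send-certification-request` still says "Send Key Update Request", and that `OLD_PK`/`OLD_CERT` here differ from the `OLDPK`/`OLDCERT` spelled in the README's KUR example in this same commit.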
@@ -54,6 +54,90 @@ make run-client make stop-backend ``` +### Generating certificates via REST Api +#### Requirements +* OpenSSL +* cURL +* jq (for parseCertServiceResponse.sh script) +#### Initialization Request +1. Create Certificate Signing Request and Private Key +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/ir.key \ + -out ./compose-resources/certs-from-curl/ir.csr \ + -subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ + -addext "subjectAltName = DNS:test.onap.org" +``` +2. Send Initialization Request +``` +curl -s https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem +``` +to parse the response pipe the output to `parseCertserviceResponse.sh` script, providing prefix as argument +``` +curl -sN https://localhost:8443/v1/certificate/RA -H "PK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/ir.csr | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "ir" +``` + +#### Update Request +1. Create Certificate Signing Request and Private Key - same as for Initialization Request. +When CSR data (like Subject and SANS) is unchanged, Key Update Request will be performed. +Otherwise Certification Request will be performed. 
+Example for KUR: +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/kur.key \ +-out ./compose-resources/certs-from-curl/kur.csr \ +-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=onap.org" \ +-addext "subjectAltName = DNS:test.onap.org" +``` +Example for CR: +``` +openssl req -new -newkey rsa:2048 -nodes -keyout ./compose-resources/certs-from-curl/cr.key \ +-out ./compose-resources/certs-from-curl/cr.csr \ +-subj "/C=US/ST=California/L=San-Francisco/O=ONAP/OU=Linux-Foundation/CN=new-onap.org" \ +-addext "subjectAltName = DNS:test.onap.org" +``` +2. Send Update Request. +Example for KUR: +``` +curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $(cat ./compose-resources/certs-from-curl/kur.key | base64 | tr -d \\n)" \ + -H "CSR: $(cat ./compose-resources/certs-from-curl/kur.csr | base64 | tr -d \\n)" \ + -H "OLDPK: $(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLDCERT: $(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "kur" +``` +Example CR: +``` +curl -sN https://localhost:8443/v1/certificate-update/RA -H "PK: $$(cat ./compose-resources/certs-from-curl/cr.key | base64 | tr -d \\n)" \ + -H "CSR: $$(cat ./compose-resources/certs-from-curl/cr.csr | base64 | tr -d \\n)" \ + -H "OLD_PK: $$(cat ./compose-resources/certs-from-curl/ir.key | base64 | tr -d \\n)" \ + -H "OLD_CERT: $$(cat ./compose-resources/certs-from-curl/ir-cert.pem | base64 | tr -d \\n)" \ + --cert ./certs/cmpv2Issuer-cert.pem \ + --key ./certs/cmpv2Issuer-key.pem \ + --cacert ./certs/cacert.pem | `pwd`/parseCertServiceResponse.sh "cr" +``` + +#### Using makefile +1. Perform Initialization Request: +``` +make send-initialization-request +``` +2. 
Perform Update Request: +``` +make send-key-update-request +``` +or: +``` +make send-certification-request +``` + ### OOM CertService CSITs #### CSIT repository ``` diff --git a/certService/src/main/resources/application.properties b/certService/src/main/resources/application.properties index a7f5eea8..8698a314 100644 --- a/certService/src/main/resources/application.properties +++ b/certService/src/main/resources/application.properties @@ -10,6 +10,9 @@ springdoc.swagger-ui.path=/docs # OOM CertService app specific configuration app.config.path=/etc/onap/oom/certservice +# HTTP Configuration +server.max-http-header-size=16384 + # Mutual TLS configuration server.ssl.enabled=true server.ssl.client-auth=need diff --git a/parseCertServiceResponse.sh b/parseCertServiceResponse.sh new file mode 100755 index 00000000..dff867fa --- /dev/null +++ b/parseCertServiceResponse.sh @@ -0,0 +1,4 @@ +#!/bin/bash +read -r RESPONSE +echo "$RESPONSE" | jq -r '.certificateChain[]' > ./compose-resources/certs-from-curl/$1-cert.pem +echo "$RESPONSE" | jq -r '.trustedCertificates[]' > ./compose-resources/certs-from-curl/$1-cacert.pem
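Review bot: The new `server.max-http-header-size=16384` line carries no comment saying why it is raised, and the value is tight for the requests this commit adds: a base64-encoded 2048-bit RSA PEM key alone is roughly 2.3 KB and an update request sends `PK`, `CSR`, `OLD_PK` and `OLD_CERT` in one request, so a 4096-bit key or a longer old certificate chain will most likely exceed the limit and be rejected by the embedded server with a generic header-too-large response that points nowhere near this property. Suggest `# Raised from the default: certificate requests carry base64 PEM key/CSR/cert material in HTTP headers (see the curl targets in Makefile)` above the property, and either sizing it from a measured worst case or, in a follow-up, moving the large values into the request body where no header limit applies.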
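Review bot: `parseCertServiceResponse.sh` creates its output files before it knows the response is usable, and `$1` is unquoted and unchecked: `read -r RESPONSE` takes one line, an empty or error response makes `jq` emit nothing (or fail) after the `>` redirection has already truncated `$1-cert.pem`, and a missing argument yields files literally named `-cert.pem`. Because the Makefile in this commit uses the existence of `ir-cert.pem` as proof that the initialization request succeeded, a failed request here becomes a false positive for the update targets. Writing to a temporary name and renaming only after both `jq` calls succeed, under `set -euo pipefail` with the prefix and response validated, fixes this without changing the interface; `read -r` also relies on the service returning single-line JSON, which deserves a comment.
```shell
#!/bin/bash
set -euo pipefail
# Without a prefix the outputs would be named "-cert.pem" / "-cacert.pem".
[ -n "${1:-}" ] || { echo "usage: $0 <file-prefix>" >&2; exit 1; }
OUT_DIR=./compose-resources/certs-from-curl
# Assumes the service answers with a single-line JSON object; tolerate a
# missing trailing newline (read returns 1 but still fills RESPONSE).
IFS= read -r RESPONSE || [ -n "$RESPONSE" ]
[ -n "$RESPONSE" ] || { echo "empty response from CertService" >&2; exit 1; }
# Write to temporary names first: the Makefile treats the existence of
# "$1-cert.pem" as proof of a successful request, so a failed jq run must not
# leave a truncated file behind.
jq -r '.certificateChain[]' <<<"$RESPONSE" > "$OUT_DIR/$1-cert.pem.tmp"
jq -r '.trustedCertificates[]' <<<"$RESPONSE" > "$OUT_DIR/$1-cacert.pem.tmp"
mv -f "$OUT_DIR/$1-cert.pem.tmp" "$OUT_DIR/$1-cert.pem"
mv -f "$OUT_DIR/$1-cacert.pem.tmp" "$OUT_DIR/$1-cacert.pem"
```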