AT&T 2.0.19 Code drop, stage 6 91/38691/1
authorInstrumental <jcgmisc@stl.gathman.org>
Mon, 26 Mar 2018 21:17:19 +0000 (14:17 -0700)
committerInstrumental <jcgmisc@stl.gathman.org>
Mon, 26 Mar 2018 21:17:24 +0000 (14:17 -0700)
Issue-ID: AAF-197
Change-Id: I77f26db1f34bea217888faaa28d4dc79f6edb804
Signed-off-by: Instrumental <jcgmisc@stl.gathman.org>
.gitignore [new file with mode: 0644]
conf/CA/README.txt [new file with mode: 0644]
conf/CA/clean.sh [new file with mode: 0644]
conf/CA/intermediate.sh [new file with mode: 0644]
conf/CA/manual.sh [new file with mode: 0644]
conf/CA/newca.sh [new file with mode: 0644]
conf/CA/openssl.conf [new file with mode: 0644]
conf/CA/p12.sh [new file with mode: 0644]
conf/CA/subject.aaf [new file with mode: 0644]

diff --git a/.gitignore b/.gitignore
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/conf/CA/README.txt b/conf/CA/README.txt
new file mode 100644 (file)
index 0000000..0fd261f
--- /dev/null
@@ -0,0 +1,38 @@
+#
+# NOTE: This README is "bash" capable.  bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+echo '01' > serial
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+#read PASSPHRASE
+PASSPHRASE=HunkyDoryDickoryDock
+`stty echo`
+
+# Create a regaular rsa encrypted key
+openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+
+# Move to a Java readable time, not this one is NOT Encrypted.
+openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+chmod 400 private/ca.key private/ca.ekey
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+      -key private/ca.key \
+      -new -x509 -days 7300 -sha256 -extensions v3_ca \
+      -out certs/ca.crt << EOF
+$PASSPHRASE
+EOF
+
+# All done, print result
+openssl x509 -text -noout -in certs/ca.crt
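Review bot: The passphrase is hard-coded at `PASSPHRASE=HunkyDoryDickoryDock` with the `read PASSPHRASE` line commented out, so the AES-encrypted `private/ca.ekey` this file produces is protected by a value that ships in the repository and gives no protection at all; restore the prompt as `read -rs PASSPHRASE` (which also makes the backticked `stty -echo`/`stty echo` lines unnecessary) and drop the literal. The backtick form at L39 and L42 runs `stty` in a subshell and then tries to execute its empty output, which works by accident; write `stty -echo` plainly if it is kept. The final `openssl req` at L56-L61 uses the unencrypted `private/ca.key`, so the heredoc passphrase there presumably ends up answering the interactive DN prompts rather than unlocking a key — worth confirming, since `newca.sh` in the same commit passes `-subj` for this step.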
diff --git a/conf/CA/clean.sh b/conf/CA/clean.sh
new file mode 100644 (file)
index 0000000..3df6108
--- /dev/null
@@ -0,0 +1 @@
+rm -Rf private certs newcerts index* serial* intermediateCAs
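Review bot: This one-liner deletes `private`, `certs` and the serial/index files relative to whatever directory it is run from, with no check that it is actually inside a CA directory. A cheap guard such as `[ -e openssl.conf ] || { echo "not a CA directory" >&2; exit 1; }` before the `rm -Rf --` keeps a mis-run from removing unrelated `private`/`certs` trees.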
diff --git a/conf/CA/intermediate.sh b/conf/CA/intermediate.sh
new file mode 100644 (file)
index 0000000..b207150
--- /dev/null
@@ -0,0 +1,57 @@
+#
+# Initialize a manual Cert.  This is NOT entered in Certman Records
+#
+  if [ -e intermediate.serial ]; then
+    ((SERIAL=`cat intermediate.serial` + 1))
+  else
+    SERIAL=1
+  fi
+  echo $SERIAL > intermediate.serial
+DIR=intermediate_$SERIAL
+
+mkdir -p $DIR/private $DIR/certs $DIR/newcerts
+chmod 700 $DIR/private
+chmod 755 $DIR/certs $DIR/newcerts
+touch $DIR/index.txt
+if [ ! -e $DIR/serial ]; then
+  echo '01' > $DIR/serial
+fi
+cp manual.sh p12.sh subject.aaf $DIR
+
+if [  "$1" == "" ]; then
+  CN=intermediateCA_$SERIAL
+else
+  CN=$1
+fi
+
+SUBJECT="/CN=$CN`cat subject.aaf`"
+echo $SUBJECT
+  echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+  echo "Enter the PassPhrase for the Key for $CN: "
+  `stty -echo`
+  read PASSPHRASE
+  `stty echo`
+  # Create a regaular rsa encrypted key
+  openssl req -new -newkey rsa:4096 -sha256 -keyout $DIR/private/ca.key \
+          -out $DIR/$CN.csr -outform PEM -subj "$SUBJECT" \
+          -passout stdin  << EOF
+$PASSPHRASE
+EOF
+
+  chmod 400 $DIR/private/$CN.key 
+  openssl req -verify -text -noout -in $DIR/$CN.csr
+
+  # Sign it
+  openssl ca -config openssl.conf -extensions v3_intermediate_ca \
+     -cert certs/ca.crt -keyfile private/ca.key -out $DIR/certs/ca.crt \
+       -infiles $DIR/$CN.csr
+
+    openssl x509 -text -noout -in $DIR/certs/ca.crt
+
+
+     openssl verify -CAfile certs/ca.crt $DIR/certs/ca.crt
+
+
+
+
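Review bot: The key is written to `$DIR/private/ca.key` by `-keyout` at L110, but L116 runs `chmod 400 $DIR/private/$CN.key`, a file that does not exist, so the chmod fails and the new intermediate CA key stays at whatever mode openssl created it with; the later `openssl ca -keyfile private/ca.key` in the copied `manual.sh` expects `ca.key`, so change L116 to `chmod 400 "$DIR/private/ca.key"`. The serial bump at L80 and the `stty` calls at L106/L108 use backticks; `SERIAL=$(( $(cat intermediate.serial) + 1 ))` and `read -rs PASSPHRASE` express the same thing without executing `stty`'s output. `$DIR`, `$CN` and `$SUBJECT` are expanded unquoted throughout; quoting them (`"$DIR/$CN.csr"`) avoids surprises when a CN carries spaces.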
diff --git a/conf/CA/manual.sh b/conf/CA/manual.sh
new file mode 100644 (file)
index 0000000..bb89175
--- /dev/null
@@ -0,0 +1,55 @@
+#
+# Initialize a manual Cert.  This is NOT entered in Certman Records
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+if [ "$1" = "" -o "$1" = "-local" ]; then 
+  echo "Personal Certificate"
+  SUBJECT="/CN=$FQI/OU=V1`cat subject.aaf`"
+else 
+  echo "Application Certificate"
+  SUBJECT="/CN=$1/OU=$FQI`cat subject.aaf`"
+  FQI=$1
+  shift
+fi
+echo $SUBJECT
+
+if [ -e $FQI.csr ]; then
+  SIGN_IT=true
+else 
+  if [ "$1" = "-local" ]; then
+       echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+       echo "Enter the PassPhrase for the Key for $FQI: "
+       `stty -echo`
+       read PASSPHRASE
+       `stty echo`
+       # remove any previous Private key
+       rm private/$FQI.key
+       # Create j regaular rsa encrypted key
+       openssl req -new -newkey rsa:2048 -sha256 -keyout private/$FQI.key \
+         -out $FQI.csr -outform PEM -subj "$SUBJECT" \
+         -passout stdin  << EOF
+$PASSPHRASE
+EOF
+       chmod 400 private/$FQI.key 
+       SIGN_IT=true
+  else 
+       echo openssl req -newkey rsa:4096 -sha256 -keyout $FQI.key -out $FQI.csr -outform PEM -subj '"'$SUBJECT'"'
+       echo chmod 400 $FQI.key
+       echo "# All done, print result"
+       echo openssl req -verify -text -noout -in $FQI.csr
+  fi
+fi
+
+if [ "$SIGN_IT" = "true" ]; then
+  # Sign it
+  openssl ca -config ../openssl.conf -extensions server_cert -out $FQI.crt \
+       -cert certs/ca.crt -keyfile private/ca.key \
+        -policy policy_loose \
+       -infiles $FQI.csr
+fi
+
+
+
+
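Review bot: `rm private/$FQI.key` at L163 has no `-f`, so on the common first-run case where no previous key exists it prints an error before continuing; use `rm -f -- "private/$FQI.key"`. The test at L142 relies on the deprecated `-o` inside `[ ]` and should be written as `[ "$1" = "" ] || [ "$1" = "-local" ]`. `read FQI` at L141 (and `read PASSPHRASE` at L160) should be `read -r` so backslashes in the identity are not interpreted; the passphrase read can additionally use `-s` in place of the backticked `stty` pair.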
diff --git a/conf/CA/newca.sh b/conf/CA/newca.sh
new file mode 100644 (file)
index 0000000..5f49f38
--- /dev/null
@@ -0,0 +1,57 @@
+#
+# NOTE: This README is "bash" capable.  bash README.txt
+#
+# create simple but reasonable directory structure
+mkdir -p private certs newcerts 
+chmod 700 private
+chmod 755 certs newcerts
+touch index.txt
+if [ ! -e serial ]; then
+  echo '01' > serial
+fi
+
+if [  "$1" == "" ]; then
+  CN=$1
+else
+  CN=RootCA
+fi
+
+echo "IMPORTANT: If for any reason, you kill this process, type 'stty sane'"
+echo "Enter the PassPhrase for your Key: "
+`stty -echo`
+read PASSPHRASE
+`stty echo`
+
+if [ ! -e /private/ca.ekey ]; then
+  # Create a regaular rsa encrypted key
+  openssl genrsa -aes256 -out private/ca.ekey -passout stdin 4096 << EOF
+$PASSPHRASE
+EOF
+fi
+
+if [ ! -e /private/ca.key ]; then
+  # Move to a Java/Filesystem readable key. Note that this one is NOT Encrypted.
+  openssl pkcs8 -in private/ca.ekey -topk8 -nocrypt -out private/ca.key -passin stdin << EOF
+$PASSPHRASE
+EOF
+fi
+chmod 400 private/ca.key private/ca.ekey
+
+
+if [ -e subject.aaf ]; then
+  SUBJECT="-subj /CN=$CN`cat subject.aaf`"
+else
+  SUBJECT=""
+fi
+
+# Generate a CA Certificate
+openssl req -config openssl.conf \
+      -key private/ca.key \
+      -new -x509 -days 7300 -sha256 -extensions v3_ca \
+      $SUBJECT \
+      -out certs/ca.crt 
+
+if [ -e certs/ca.crt ]; then
+  # All done, print result
+  openssl x509 -text -noout -in certs/ca.crt
+fi
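Review bot: The branches at L208-L212 are inverted: with no argument `CN` is set to the empty `$1`, and with an argument it is overridden to `RootCA`, so the caller's name is never used; swap them to `if [ "$1" == "" ]; then CN=RootCA; else CN=$1; fi`. The existence checks at L220 and L227 test `/private/ca.ekey` and `/private/ca.key` — absolute paths at the filesystem root — instead of `private/...`, so the guards are effectively always true and an existing root CA key is regenerated and overwritten on every run; change both to the relative form, e.g. `if [ ! -e private/ca.ekey ]; then`. `$SUBJECT` at L246 is deliberately unquoted so that `-subj` and its value split into two arguments; that works only while `subject.aaf` contains no whitespace, and an array (`SUBJECT=(-subj "/CN=$CN$(cat subject.aaf)")` then `"${SUBJECT[@]}"`) would make that intent explicit.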
diff --git a/conf/CA/openssl.conf b/conf/CA/openssl.conf
new file mode 100644 (file)
index 0000000..528c14d
--- /dev/null
@@ -0,0 +1,131 @@
+# OpenSSL root CA configuration file.
+# Copy to `/opt/app/osaaf/CA/openssl.cnf`.
+
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir               = .
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.rand
+
+# The root key and root certificate.
+private_key       = $dir/private/ca.key
+certificate       = $dir/certs/ca.crt
+
+# For certificate revocation lists.
+crlnumber         = $dir/crlnumber
+crl               = $dir/crl/ca.crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md        = sha256
+
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = 60
+preserve          = no
+policy            = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName             = match
+stateOrProvinceName     = optional
+organizationName        = match
+organizationalUnitName  = supplied
+commonName              = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits        = 2048
+distinguished_name  = req_distinguished_name
+string_mask         = utf8only
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md          = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions     = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Optionally, specify some defaults.
+countryName_default             = 
+stateOrProvinceName_default     = 
+localityName_default            =
+0.organizationName_default      = 
+organizationalUnitName_default  =
+emailAddress_default            =
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server, client
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment, nonRepudiation
+extendedKeyUsage = serverAuth, clientAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
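Review bot: `crl_dir = $dir/crl` and `crlnumber = $dir/crlnumber` are referenced here, but none of the setup scripts in this commit (README.txt, newca.sh, intermediate.sh) create the `crl` directory or seed `crlnumber`, so CRL generation with this config will presumably fail until they do; adding `mkdir -p crl` and an initial `crlnumber` alongside the `serial` setup would close that gap. `default_days = 60` is unusually short for certificates signed with `policy_loose` by `manual.sh`, and a one-line comment stating that this is intentional would save the next reader from "fixing" it. The `server_cert` profile also grants `clientAuth` and `nsCertType = server, client`; if that dual use is deliberate, a comment saying so is worthwhile.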
diff --git a/conf/CA/p12.sh b/conf/CA/p12.sh
new file mode 100644 (file)
index 0000000..f490b18
--- /dev/null
@@ -0,0 +1,23 @@
+#
+# Create a p12 file from local certs
+#
+echo "FQI (Fully Qualified Identity): "
+read FQI
+
+if [ "$1" = "" ]; then
+  MACH=$FQI  
+else 
+  MACH=$1
+fi
+
+# Add Cert AND Intermediate CAs (Clients will have Root CAs (or not))
+  cat $MACH.crt  > $MACH.chain
+  for CA in `ls intermediateCAs`; do
+        cat "intermediateCAs/$CA" >> $MACH.chain
+  done
+
+  # Make a pkcs12 keystore, a jks keystore and a pem keystore
+  rm -f $MACH.p12
+  # Note: Openssl will pickup and load all Certs in the Chain file
+  openssl pkcs12 -name $FQI -export -in $MACH.chain -inkey private/$MACH.key -out $MACH.p12 
+
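Review bot: The loop at L408 parses `ls intermediateCAs`, which word-splits on whitespace and fails if the directory is absent; iterate a glob instead, `for CA in intermediateCAs/*; do [ -e "$CA" ] || continue; cat "$CA" >> "$MACH.chain"; done`. Every file in that directory is appended to the chain unconditionally, so anything dropped there ends up in the exported PKCS#12 — a short comment stating that the directory must contain only trusted intermediate certificates would make the assumption visible. `$MACH` and `$FQI` are unquoted in the `cat`, `rm` and `openssl pkcs12` lines; quote them for consistency with `"intermediateCAs/$CA"` at L409.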
diff --git a/conf/CA/subject.aaf b/conf/CA/subject.aaf
new file mode 100644 (file)
index 0000000..b7227e1
--- /dev/null
@@ -0,0 +1 @@
+/OU=OSAAF/O=ONAP/C=US