REQUEST_TIMEOUT=30000
OUTPUT_PATH=/var/certs
CA_NAME=RA
-OUTPUT_TYPE=JKS
+OUTPUT_TYPE=PEM
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=secret
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/truststore.jks
import subprocess
import docker
-import jks
from OpenSSL import crypto
from docker.types import Mount
def __init__(self, mount_path, truststore_path):
self.mount_path = mount_path
self.truststore_path = truststore_path
+ self.keyPem = mount_path + '/key.pem'
self.caCertPem = mount_path + '/ca.pem'
self.serverKeyPem = mount_path + '/server_key.pem'
self.serverCertPem = mount_path + '/server_cert.pem'
- self.keystoreJksPath = mount_path + '/keystore.jks'
+ self.keystorePemPath = mount_path + '/keystore.pem'
self.keystoreP12Path = mount_path + '/keystore.p12'
self.keystorePassPath = mount_path + '/keystore.pass'
- self.truststoreJksPath = mount_path + '/truststore.jks'
+ self.truststorePemPath = mount_path + '/truststore.pem'
self.truststoreP12Path = mount_path + '/truststore.p12'
self.truststorePassPath = mount_path + '/truststore.pass'
# Function to validate keystore/truststore can be opened with generated pass-phrase.
def can_open_keystore_and_truststore_with_pass(self, container_name):
if container_name != NETCONF_PNP_SIM_CONTAINER_NAME:
- return self.can_open_keystore_and_truststore_jks_files()
+ return self.can_open_keystore_and_truststore_pem_files()
else:
return self.can_open_keystore_and_truststore_p12_files()
- # Function to validate keystore.jks/truststore.jks can be opened with generated pass-phrase.
- def can_open_keystore_and_truststore_jks_files(self):
+ # Function to validate keystore.pem/truststore.pem exist and are not empty.
+ def can_open_keystore_and_truststore_pem_files(self):
try:
- jks.KeyStore.load(self.keystoreJksPath, open(self.keystorePassPath, 'rb').read())
- jks.KeyStore.load(self.truststoreJksPath, open(self.truststorePassPath, 'rb').read())
- return True
+ private_key = self.file_exist_and_not_empty(self.keyPem)
+ keystore_pem = self.file_exist_and_not_empty(self.keystorePemPath)
+ truststore_pem = self.file_exist_and_not_empty(self.truststorePemPath)
+ return private_key and keystore_pem and truststore_pem
except Exception as e:
- print("UnExpected Error in validating keystore.jks/truststore.jks: {0}".format(e))
+ print("UnExpected Error in validating keystore.pem/truststore.pem: {0}".format(e))
return False
# Function to validate keystore.p12/truststore.p12 can be opened with generated pass-phrase.
# Method for Uploading Certificate in SDNC-Container.
# Creating/Uploading Server-key, Server-cert, Ca-cert PEM files in Netconf-Pnp-Simulator.
- def can_install_keystore_and_truststore_certs(self, cmd, container_name):
+ def can_install_keystore_and_truststore_certs(self, cmd, cmd_tls, container_name):
continue_exec = True
if container_name == NETCONF_PNP_SIM_CONTAINER_NAME:
print("Generating PEM files for {0} from P12 files".format(container_name))
continue_exec = self.create_pem(self.keystorePassPath, self.keystoreP12Path, self.truststorePassPath,
self.truststoreP12Path)
+ else:
+ cmd = cmd_tls
if continue_exec:
print("Initiate Configuration Push for : {0}".format(container_name))
resp_code = self.execute_bash_config(cmd, container_name)
def remove_mount_dir(self):
shutil.rmtree(self.mount_path)
+ def file_exist_and_not_empty(self, path_to_file):
+ return os.path.isfile(path_to_file) and os.path.getsize(path_to_file) > 0
+
@staticmethod
def get_pkcs12(pass_file_path, p12_file_path):
# Load PKCS12 Object
--- /dev/null
+#!/bin/bash
+
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 Nordix Foundation.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o pipefail
+set -o nounset
+[ "${SHELL_XTRACE:-false}" = "true" ] && set -o xtrace
+
+CONFIG=${CONFIG:-"${WORKSPACE}"/tests/sdnc/sdnc_netconf_tls_post_deploy/cert-data}
+CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.Gateway}}{{end}}' sdnc)
+ODL_URL=${ODL_URL:-http://"${CONTAINER_IP}":8282}
+PROC_NAME=${0##*/}
+PROC_NAME=${PROC_NAME%.sh}
+
+function now_ms() {
+ # Requires coreutils package
+ date +"%Y-%m-%d %H:%M:%S.%3N"
+}
+
+function log() {
+ local level=$1
+ shift
+ local message="$*"
+ printf "%s %-5s [%s] %s\n" "$(now_ms)" $level $PROC_NAME "$message"
+}
+
+# Extracts the body of a PEM file by removing the dashed header and footer
+pem_body() {
+ grep -Fv -- ----- $1
+}
+
+CA_CERT_ID=xNF_CA_certificate_0_0
+CA_CERT=$(pem_body $CONFIG/truststore.pem)
+
+SERVER_PRIV_KEY_ID=ODL_private_key_0
+SERVER_KEY=$(pem_body $CONFIG/key.pem)
+SERVER_CERT=$(pem_body $CONFIG/keystore.pem)
+
+RESTCONF_URL=$ODL_URL/restconf
+NETCONF_KEYSTORE_PATH=$RESTCONF_URL/config/netconf-keystore:keystore
+
+xcurl() {
+ curl -s -o /dev/null -H "Authorization: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==" -w %{http_code} "$@"
+}
+
+log INFO Delete Keystore
+sc=$(xcurl -X DELETE $NETCONF_KEYSTORE_PATH)
+
+if [ "$sc" != "200" -a "$sc" != "404" ]; then
+ log ERROR "Keystore deletion failed with SC=$sc"
+ exit 1
+fi
+
+log INFO Load CA certificate
+sc=$(xcurl -X POST $NETCONF_KEYSTORE_PATH --header "Content-Type: application/json" --data "
+{
+ \"trusted-certificate\": [
+ {
+ \"name\": \"$CA_CERT_ID\",
+ \"certificate\": \"$CA_CERT\"
+ }
+ ]
+}
+")
+
+if [ "$sc" != "200" -a "$sc" != "204" ]; then
+ log ERROR Trusted-certificate update failed with SC=$sc
+ exit 1
+fi
+
+log INFO Load server private key and certificate
+sc=$(xcurl -X POST $NETCONF_KEYSTORE_PATH --header "Content-Type: application/json" --data "
+{
+ \"private-key\": {
+ \"name\": \"$SERVER_PRIV_KEY_ID\",
+ \"certificate-chain\": [
+ \"$SERVER_CERT\"
+ ],
+ \"data\": \"$SERVER_KEY\"
+ }
+}
+")
+
+if [ "$sc" != "200" -a "$sc" != "204" ]; then
+ log ERROR Private-key update failed with SC=$sc
+ exit 1
+fi
\ No newline at end of file
[Arguments] ${env_file} ${CONTAINER_NAME} ${expected_exit_code}
${exit_code}= Run Client Container ${DOCKER_CLIENT_IMAGE} ${CLIENT_CONTAINER_NAME} ${env_file} ${CERT_SERVICE_ADDRESS}${CERT_SERVICE_ENDPOINT} ${CERT_SERVICE_NETWORK}
${can_open}= Can Open Keystore And Truststore With Pass ${CONTAINER_NAME}
- ${install_certs}= Can Install Keystore And Truststore Certs ${CONF_SCRIPT} ${CONTAINER_NAME}
+ ${install_certs}= Can Install Keystore And Truststore Certs ${CONF_SCRIPT} ${CONF_TLS_SCRIPT} ${CONTAINER_NAME}
Remove Client Container And Save Logs ${CLIENT_CONTAINER_NAME} positive_path
Should Be Equal As Strings ${exit_code} ${expected_exit_code} Client return: ${exitcode} exit code, but expected: ${expected_exit_code}
Should Be True ${can_open} Cannot Open Keystore/TrustStore by Passphrase
Code Review / integration / csit.git / commitdiff