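# test-common: build a throw-away PKI for the ktls-utils autopkgtests and
# point tlshd at it. Sourced by the individual tests (hence no shebang);
# error handling is left to the caller's shell options — NOTE(review): the
# sourcing test should run with `set -e`, otherwise a failed openssl step
# here goes unnoticed until tlshd fails to load the missing file.
#
# Reads:   AUTOPKGTEST_TMP — writable scratch directory
# Writes:  $AUTOPKGTEST_TMP/{ca,server,client}.{key.priv,x509}.pem,
#          $AUTOPKGTEST_TMP/*.openssl.cnf, /etc/tlshd/config, /etc/hosts
# Effects: restarts tlshd so it picks up the rewritten config

# --- CA: private key and self-signed certificate -----------------------------
openssl genrsa -out "$AUTOPKGTEST_TMP/ca.key.priv.pem" 2048
# Private keys are owner-only. tlshd runs as root and can still open them;
# nothing else on the test host needs to.
chmod 0600 "$AUTOPKGTEST_TMP/ca.key.priv.pem"
cat >"$AUTOPKGTEST_TMP/ca.openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
string_mask = utf8only
prompt = no
x509_extensions = req_ext

[ req_dn ]
commonName = ktls-utils test CA

[ req_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
EOF
# `req -x509` emits a self-signed certificate directly, so x509_extensions
# (CA:true) is the section that applies here.
openssl req -new -key "$AUTOPKGTEST_TMP/ca.key.priv.pem" \
    -utf8 -nodes -batch -x509 \
    -outform PEM -out "$AUTOPKGTEST_TMP/ca.x509.pem" \
    -config "$AUTOPKGTEST_TMP/ca.openssl.cnf"

for role in server client; do
    cnf="$AUTOPKGTEST_TMP/$role.openssl.cnf"
    key="$AUTOPKGTEST_TMP/$role.key.priv.pem"
    csr="$AUTOPKGTEST_TMP/$role.req.pem"
    crt="$AUTOPKGTEST_TMP/$role.x509.pem"

    # --- end-entity key, CSR and CA-signed certificate for $role -------------
    openssl genrsa -out "$key" 2048
    chmod 0600 "$key"
    # req_extensions is what puts the extensions into the CSR; x509_extensions
    # is only consulted when `req -x509` itself generates a certificate. Both
    # point at req_ext so the CSR carries them and the signing step below (run
    # with this same -config) applies them as well. The leaf must not be a CA
    # and must carry the EKU the peer expects; the SAN mirrors the CN because
    # CN-only hostname matching is deprecated.
    cat >"$cnf" <<EOF
[ req ]
distinguished_name = req_dn
string_mask = utf8only
prompt = no
req_extensions = req_ext
x509_extensions = req_ext

[ req_dn ]
commonName = $role.internal

[ req_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:false
extendedKeyUsage = critical, ${role}Auth
subjectAltName = DNS:$role.internal
EOF
    openssl req -new -key "$key" -out "$csr" -config "$cnf"
    # Without -config, req falls back to the system openssl.cnf and applies
    # whatever x509_extensions that file names — not the CA:false/EKU profile
    # defined above. Passing our config makes the leaf's extensions explicit.
    openssl req -in "$csr" \
        -copy_extensions copy \
        -CA "$AUTOPKGTEST_TMP/ca.x509.pem" \
        -CAkey "$AUTOPKGTEST_TMP/ca.key.priv.pem" \
        -utf8 -nodes -batch -x509 \
        -config "$cnf" \
        -outform PEM -out "$crt"

    # --- tlshd config: replace the x509.* keys of [authenticate.$role] --------
    # Clear key=value lines from this role's header up to the next `[` line
    # (or EOF), so the result does not depend on the order of the sections.
    sed -i '/^\[authenticate\.'"$role"'\]/,/^\[/ { /=/d }' /etc/tlshd/config
    sed -i '/^\[authenticate\.'"$role"'\]/a\
x509.truststore='"$AUTOPKGTEST_TMP/ca.x509.pem"'\
x509.certificate='"$crt"'\
x509.private_key='"$key" \
        /etc/tlshd/config
done

# Make server.internal resolve locally (idempotent across repeated runs).
if ! grep -qw 'server\.internal' /etc/hosts; then
    printf '::1\tserver.internal\n' >>/etc/hosts
fi

# Restart tlshd so it reads the rewritten config.
systemctl restart tlshd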