1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
#!/usr/bin/perl -w
# Simple script that uses openssl and c_rehash to set up a ca to generate certs
# for test-mongoc-stream-tls
use strict;
use File::Copy;
my $subj = "/C=US/ST=NY/L=New York/O=MongoDB Inc./OU=C Driver/SAN=foo.com/CN=";
my ($ca_dir, $conf) = @ARGV;
my @dirs = (
$ca_dir,
"$ca_dir/build",
"$ca_dir/verify",
"$ca_dir/ca.db.certs",
"$ca_dir/keys",
"$ca_dir/crl",
);
system("rm", "-rf", "$ca_dir");
# Create the relevant directory structure and files for a CA
{
for my $dir (@dirs) {
mkdir $dir or die "Couldn't create dir: $!";
}
set_file("$ca_dir/ca.db.index", "");
set_file("$ca_dir/ca.db.serial", "01\n");
set_file("$ca_dir/ca.db.rand", "151\n");
}
# generate the root key and cert
{
openssl ("genrsa", "-out", "$ca_dir/signing-ca.key", "1024");
openssl ("req", "-new", "-x509", "-days", 365, "-key",
"$ca_dir/signing-ca.key", "-out", "$ca_dir/signing-ca.crt",
"-config", $conf, "-subj", "${subj}mongo_root");
copy ("$ca_dir/signing-ca.crt", "$ca_dir/verify/mongo_root.pem");
}
# generate a simple password less cert
{
openssl("req", "-nodes", "-newkey", "rsa:1024", req_args("mongodb.com"));
openssl("ca", ca_args("mongodb.com"));
dist_files("mongodb.com");
}
# generate a simple passworded cert
{
openssl ("req", "-passout", "pass:testpass", "-newkey", "rsa:1024",
req_args ("pass.mongodb.com"));
openssl ("ca", ca_args ("pass.mongodb.com"));
dist_files ("pass.mongodb.com");
}
# generate a cert and revoke it to test crls
{
openssl ("req", "-nodes", "-newkey", "rsa:1024",
req_args ("rev.mongodb.com"));
openssl ("ca", ca_args ("rev.mongodb.com"));
dist_files ("rev.mongodb.com");
openssl ("ca", "-config", $conf, "-revoke",
"$ca_dir/verify/rev.mongodb.com.pem");
openssl ("ca", "-config", $conf, "-gencrl", "-out",
"$ca_dir/crl/root.crl.pem");
}
# generate a cert with some alt names including a wild card
{
openssl ("req", "-nodes", "-newkey", "rsa:1024",
req_args ("alt.mongodb.com"));
openssl ("ca", "-extensions", "v3_req", ca_args ("alt.mongodb.com"));
dist_files ("alt.mongodb.com");
}
# generate a cert for localhost
{
openssl ("req", "-nodes", "-newkey", "rsa:1024",
req_args ("127.0.0.1"));
openssl ("ca", ca_args ("127.0.0.1"));
dist_files ("127.0.0.1");
}
# generate the hash directory structure ssl needs
system("c_rehash", "$ca_dir/verify") and die "failed: $?";
sub dist_files {
my ($name) = @_;
system("cat '$ca_dir/build/$name.key' '$ca_dir/build/$name.crt' > '$ca_dir/keys/$name.pem'") and die "terribly: $?";
copy("$ca_dir/build/$name.crt", "$ca_dir/verify/$name.pem");
}
sub ca_args {
my $name = $_[0];
return
"-batch", "-config", $conf, "-out", "$ca_dir/build/$name.crt", "-in",
"$ca_dir/build/$name.req",
;
}
sub req_args {
my $name = $_[0];
return (
"-keyout", "$ca_dir/build/$name.key", "-out", "$ca_dir/build/$name.req",
"-config", $conf, "-subj", "$subj$name",
);
}
sub openssl {
my @args = @_;
system("openssl", @args) and die "failed: $?"
}
sub set_file {
my ($name, $contents) = @_;
open my $file, "> $name" or die "Couldn't open $name: $!";
print $file $contents;
close $file;
}
|
