fix certs for non mainnet acc tests (#5432)

Signed-off-by: Stefan <stefan.pingel@consensys.net>
pull/5438/head
Stefan Pingel 2 years ago committed by GitHub
parent 4f5dcaa571
commit 969202790c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/ca_certs/inter_ca.p12
  2. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/ca_certs/partner1_ca.p12
  3. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/ca_certs/partner2_ca.p12
  4. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/ca_certs/root_ca.p12
  5. 176
      acceptance-tests/tests/src/test/resources/pki-certs/create.sh
  6. 46
      acceptance-tests/tests/src/test/resources/pki-certs/crl/crl.pem
  7. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner1/miner1.jks
  8. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner1/miner1.p12
  9. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner1/nssdb/cert9.db
  10. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner1/nssdb/key4.db
  11. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner1/truststore.p12
  12. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner2/miner2.jks
  13. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner2/miner2.p12
  14. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner2/nssdb/cert9.db
  15. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner2/nssdb/key4.db
  16. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner2/truststore.p12
  17. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner3/miner3.jks
  18. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner3/miner3.p12
  19. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner3/nssdb/cert9.db
  20. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner3/nssdb/key4.db
  21. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner3/truststore.p12
  22. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner4/miner4.jks
  23. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner4/miner4.p12
  24. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner4/nssdb/cert9.db
  25. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner4/nssdb/key4.db
  26. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner4/truststore.p12
  27. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner5/miner5.jks
  28. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner5/miner5.p12
  29. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner5/nssdb/cert9.db
  30. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner5/nssdb/key4.db
  31. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner5/truststore.p12
  32. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner6/miner6.jks
  33. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner6/miner6.p12
  34. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner6/nssdb/cert9.db
  35. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner6/nssdb/key4.db
  36. BIN
      acceptance-tests/tests/src/test/resources/pki-certs/miner6/truststore.p12

@ -0,0 +1,176 @@
#! /bin/sh
set -e
names=("partner1:miner1" "partner1:miner2" "partner1:miner3" "partner1:miner4" "partner1:miner5" "partner2:miner6")
crls=("partner1:miner5" "partner2:miner6")
KEY_ALG="EC -groupname secp256r1"
#KEY_ALG="RSA -keysize 2048"
##########
CA_CERTS_PATH=./ca_certs
ROOT_CA_KS=$CA_CERTS_PATH/root_ca.p12
INTER_CA_KS=$CA_CERTS_PATH/inter_ca.p12
PARTNER1_CA_KS=$CA_CERTS_PATH/partner1_ca.p12
PARTNER2_CA_KS=$CA_CERTS_PATH/partner2_ca.p12
CRL_DIR=./crl
mkdir $CA_CERTS_PATH
keytool -genkeypair -alias root_ca -dname "CN=root.ca.besu.com" -ext bc:c -keyalg RSA -keysize 2048 \
-sigalg SHA256WithRSA -validity 36500 \
-storepass test123 \
-keystore $ROOT_CA_KS
keytool -exportcert -keystore $ROOT_CA_KS -storepass test123 -alias root_ca -rfc -file $CA_CERTS_PATH/root_ca.pem
keytool -genkeypair -alias inter_ca -dname "CN=inter.ca.besu.com" \
-ext bc:c=ca:true,pathlen:1 -ext ku:c=dS,kCS,cRLs \
-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
-storepass test123 \
-keystore $INTER_CA_KS
keytool -exportcert -keystore $INTER_CA_KS -storepass test123 -alias inter_ca -rfc -file $CA_CERTS_PATH/inter_ca.pem
keytool -genkeypair -alias partner1_ca -dname "CN=partner1.ca.besu.com" \
-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs \
-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
-storepass test123 \
-keystore $PARTNER1_CA_KS
keytool -exportcert -keystore $PARTNER1_CA_KS -storepass test123 -alias partner1_ca -rfc -file $CA_CERTS_PATH/partner1_ca.pem
keytool -genkeypair -alias partner2_ca -dname "CN=partner2.ca.besu.com" \
-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs \
-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
-storepass test123 \
-keystore $PARTNER2_CA_KS
keytool -exportcert -keystore $PARTNER2_CA_KS -storepass test123 -alias partner2_ca -rfc -file $CA_CERTS_PATH/partner2_ca.pem
keytool -storepass test123 -keystore $INTER_CA_KS -certreq -alias inter_ca \
| keytool -storepass test123 -keystore $ROOT_CA_KS -gencert -validity 36500 -alias root_ca \
-ext bc:c=ca:true,pathlen:1 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/inter_ca.pem
cat $CA_CERTS_PATH/root_ca.pem >> $CA_CERTS_PATH/inter_ca.pem
keytool -keystore $INTER_CA_KS -importcert -alias inter_ca \
-storepass test123 -noprompt -file $CA_CERTS_PATH/inter_ca.pem
keytool -storepass test123 -keystore $PARTNER1_CA_KS -certreq -alias partner1_ca \
| keytool -storepass test123 -keystore $INTER_CA_KS -gencert -validity 36500 -alias inter_ca \
-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/partner1_ca.pem
keytool -storepass test123 -keystore $PARTNER2_CA_KS -certreq -alias partner2_ca \
| keytool -storepass test123 -keystore $INTER_CA_KS -gencert -validity 36500 -alias inter_ca \
-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/partner2_ca.pem
cat $CA_CERTS_PATH/inter_ca.pem >> $CA_CERTS_PATH/partner1_ca.pem
cat $CA_CERTS_PATH/inter_ca.pem >> $CA_CERTS_PATH/partner2_ca.pem
keytool -keystore $PARTNER1_CA_KS -importcert -alias partner1_ca \
-storepass test123 -noprompt -file $CA_CERTS_PATH/partner1_ca.pem
keytool -keystore $PARTNER2_CA_KS -importcert -alias partner2_ca \
-storepass test123 -noprompt -file $CA_CERTS_PATH/partner2_ca.pem
echo "Generating miner keystores..."
### Generate client keystores
for name in "${names[@]}"
do
IFS=':' read -r -a array <<< "$name"
partner=${array[0]}
client=${array[1]}
PARTNER_CA_KEYSTORE="$CA_CERTS_PATH/${partner}_ca.p12"
CLIENT_PATH="./${client}"
KEYSTORE_PATH="./$CLIENT_PATH/${client}.p12"
NSSDB_PATH="${CLIENT_PATH}/nssdb"
echo "$PARTNER_CA_KEYSTORE"
mkdir -p $NSSDB_PATH
echo "Generating keystore for Partner $partner Client $client"
keytool -genkeypair -keystore $KEYSTORE_PATH -storepass test123 -alias ${client} \
-keyalg $KEY_ALG -validity 36500 \
-dname "CN=localhost, OU=${partner}" \
-ext san=dns:localhost,ip:127.0.0.1
echo "Creating CSR for $client and signing it with ${partner}_ca"
keytool -storepass test123 -keystore $KEYSTORE_PATH -certreq -alias ${client} \
| keytool -storepass test123 -keystore $PARTNER_CA_KEYSTORE -gencert -validity 36500 -alias "${partner}_ca" -ext ku:c=digitalSignature,nonRepudiation,keyEncipherment -ext eku=sA,cA \
-rfc > "${CLIENT_PATH}/${client}.pem"
echo "Concat root_ca.pem to ${client}.pem"
cat "${CA_CERTS_PATH}/root_ca.pem" >> "${CLIENT_PATH}/${client}.pem"
echo "Importing signed $client.pem CSR into $KEYSTORE_PATH"
keytool -keystore $KEYSTORE_PATH -importcert -alias $client \
-storepass test123 -noprompt -file "${CLIENT_PATH}/${client}.pem"
echo "Converting p12 to jks"
keytool -importkeystore -srckeystore $KEYSTORE_PATH -srcstoretype PKCS12 -destkeystore "$CLIENT_PATH/${client}.jks" -deststoretype JKS -srcstorepass test123 -deststorepass test123 -srcalias $client -destalias $client -srckeypass test123 -destkeypass test123 -noprompt
echo "Initialize nss"
echo "test123" > ${CLIENT_PATH}/nsspin.txt
certutil -N -d sql:${NSSDB_PATH} -f "${CLIENT_PATH}/nsspin.txt"
# hack to make Java SunPKCS11 work with new sql version of nssdb
touch ${NSSDB_PATH}/secmod.db
pk12util -i $KEYSTORE_PATH -d sql:${NSSDB_PATH} -k ${CLIENT_PATH}/nsspin.txt -W test123
echo "Fixing truststores in sql:${NSSDB_PATH}"
certutil -M -n "CN=root.ca.besu.com" -t CT,C,C -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
certutil -M -n "CN=inter.ca.besu.com" -t u,u,u -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
certutil -M -n "CN=${partner}.ca.besu.com" -t u,u,u -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
certutil -d sql:"$NSSDB_PATH" -f nsspin.txt -L
echo "Creating pkcs11 nss config file"
cat <<EOF >${CLIENT_PATH}/nss.cfg
name = NSScrypto-${partner}-${client}
nssSecmodDirectory = ./src/test/resources/pki-certs/${client}/nssdb
nssDbMode = readOnly
nssModule = keystore
showInfo = true
EOF
# remove pem files
rm "${CLIENT_PATH}/${client}.pem"
# create truststore
echo "Creating truststore ..."
keytool -exportcert -keystore $ROOT_CA_KS -storepass test123 -alias root_ca -rfc | keytool -import -trustcacerts -alias root_ca -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
## keytool -exportcert -keystore $INTER_CA_KS -storepass test123 -alias inter_ca -rfc | keytool -import -trustcacerts -alias inter_ca -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
## keytool -exportcert -keystore $PARTNER_CA_KEYSTORE -storepass test123 -alias "${partner}_ca" -rfc | keytool -import -trustcacerts -alias "${partner}_ca" -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
done
rm $CA_CERTS_PATH/root_ca.pem
echo "Keystores and nss database created"
## create crl list
mkdir -p $CRL_DIR
## rm $CRL_DIR/crl.pem
for crl in "${crls[@]}"
do
IFS=':' read -r -a array <<< "$crl"
partner=${array[0]}
client=${array[1]}
echo "Exporting CA certificate and private key"
openssl pkcs12 -nodes -in "$CA_CERTS_PATH/${partner}_ca.p12" -out "$CRL_DIR/${partner}_ca_key.pem" -passin pass:test123 -nocerts
openssl pkcs12 -nodes -in "$CA_CERTS_PATH/${partner}_ca.p12" -out "$CRL_DIR/${partner}_ca.pem" -passin pass:test123 -nokeys
echo "Export $client certificate"
openssl pkcs12 -nodes -in "./${client}/${client}.p12" -out "$CRL_DIR/${client}.pem" -passin pass:test123 -nokeys
## On Mac, use gnutls-certtool, on Linux use certtool
echo "Creating crl"
printf '365\n\n' | gnutls-certtool --generate-crl --load-ca-privkey "$CRL_DIR/${partner}_ca_key.pem" --load-ca-certificate "$CRL_DIR/${partner}_ca.pem" \
--load-certificate "$CRL_DIR/${client}.pem" >> $CRL_DIR/crl.pem
rm "$CRL_DIR/${partner}_ca_key.pem"
rm "$CRL_DIR/${partner}_ca.pem"
rm "$CRL_DIR/${client}.pem"
done
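Review bot: The shebang `#! /bin/sh` does not match the script body, which relies on bash-only features (the `names=(...)` and `crls=(...)` arrays, `"${names[@]}"`, `read -r -a array <<< "$name"`), so where /bin/sh is a POSIX shell such as dash the script stops at the first array assignment; the first line should be `#!/usr/bin/env bash`, and `set -e` could become `set -euo pipefail` so that a failing `keytool -certreq` on the left side of a pipe is not masked. In the miner loop, `certutil -d sql:"$NSSDB_PATH" -f nsspin.txt -L` names the PIN file relative to the working directory while every other call uses `${CLIENT_PATH}/nsspin.txt`; it should read `-f "${CLIENT_PATH}/nsspin.txt"`. The script also cannot be re-run cleanly: `mkdir $CA_CERTS_PATH` fails once the directory exists, and `>> $CRL_DIR/crl.pem` appends to the previous CRL because the `rm` above it is commented out. Since every keystore uses the fixed password `test123` and the partner CA keys are exported with `-nodes`, a header comment such as `# Test fixtures only: these keys and passwords are public and must never be trusted outside the acceptance tests` would make the intent explicit.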

@ -1,26 +1,28 @@
-----BEGIN X509 CRL-----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-----END X509 CRL-----
-----BEGIN X509 CRL-----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-----END X509 CRL-----
