fix certs for non mainnet acc tests (#5432)
Signed-off-by: Stefan <stefan.pingel@consensys.net>pull/5438/head
parent
4f5dcaa571
commit
969202790c
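--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,176 @@
+#! /bin/sh
+
+set -e
+
+names=("partner1:miner1" "partner1:miner2" "partner1:miner3" "partner1:miner4" "partner1:miner5" "partner2:miner6")
+crls=("partner1:miner5" "partner2:miner6")
+KEY_ALG="EC -groupname secp256r1"
+#KEY_ALG="RSA -keysize 2048"
+
+##########
+CA_CERTS_PATH=./ca_certs
+ROOT_CA_KS=$CA_CERTS_PATH/root_ca.p12
+INTER_CA_KS=$CA_CERTS_PATH/inter_ca.p12
+PARTNER1_CA_KS=$CA_CERTS_PATH/partner1_ca.p12
+PARTNER2_CA_KS=$CA_CERTS_PATH/partner2_ca.p12
+CRL_DIR=./crl
+
+mkdir $CA_CERTS_PATH
+
+keytool -genkeypair -alias root_ca -dname "CN=root.ca.besu.com" -ext bc:c -keyalg RSA -keysize 2048 \
+-sigalg SHA256WithRSA -validity 36500 \
+-storepass test123 \
+-keystore $ROOT_CA_KS
+
+keytool -exportcert -keystore $ROOT_CA_KS -storepass test123 -alias root_ca -rfc -file $CA_CERTS_PATH/root_ca.pem
+
+keytool -genkeypair -alias inter_ca -dname "CN=inter.ca.besu.com" \
+-ext bc:c=ca:true,pathlen:1 -ext ku:c=dS,kCS,cRLs \
+-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
+-storepass test123 \
+-keystore $INTER_CA_KS
+
+keytool -exportcert -keystore $INTER_CA_KS -storepass test123 -alias inter_ca -rfc -file $CA_CERTS_PATH/inter_ca.pem
+
+keytool -genkeypair -alias partner1_ca -dname "CN=partner1.ca.besu.com" \
+-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs \
+-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
+-storepass test123 \
+-keystore $PARTNER1_CA_KS
+
+keytool -exportcert -keystore $PARTNER1_CA_KS -storepass test123 -alias partner1_ca -rfc -file $CA_CERTS_PATH/partner1_ca.pem
+
+keytool -genkeypair -alias partner2_ca -dname "CN=partner2.ca.besu.com" \
+-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs \
+-keyalg RSA -sigalg SHA256WithRSA -validity 36500 \
+-storepass test123 \
+-keystore $PARTNER2_CA_KS
+
+keytool -exportcert -keystore $PARTNER2_CA_KS -storepass test123 -alias partner2_ca -rfc -file $CA_CERTS_PATH/partner2_ca.pem
+
+keytool -storepass test123 -keystore $INTER_CA_KS -certreq -alias inter_ca \
+| keytool -storepass test123 -keystore $ROOT_CA_KS -gencert -validity 36500 -alias root_ca \
+-ext bc:c=ca:true,pathlen:1 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/inter_ca.pem
+
+cat $CA_CERTS_PATH/root_ca.pem >> $CA_CERTS_PATH/inter_ca.pem
+
+keytool -keystore $INTER_CA_KS -importcert -alias inter_ca \
+-storepass test123 -noprompt -file $CA_CERTS_PATH/inter_ca.pem
+
+keytool -storepass test123 -keystore $PARTNER1_CA_KS -certreq -alias partner1_ca \
+| keytool -storepass test123 -keystore $INTER_CA_KS -gencert -validity 36500 -alias inter_ca \
+-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/partner1_ca.pem
+
+keytool -storepass test123 -keystore $PARTNER2_CA_KS -certreq -alias partner2_ca \
+| keytool -storepass test123 -keystore $INTER_CA_KS -gencert -validity 36500 -alias inter_ca \
+-ext bc:c=ca:true,pathlen:0 -ext ku:c=dS,kCS,cRLs -rfc > $CA_CERTS_PATH/partner2_ca.pem
+
+cat $CA_CERTS_PATH/inter_ca.pem >> $CA_CERTS_PATH/partner1_ca.pem
+cat $CA_CERTS_PATH/inter_ca.pem >> $CA_CERTS_PATH/partner2_ca.pem
+
+keytool -keystore $PARTNER1_CA_KS -importcert -alias partner1_ca \
+-storepass test123 -noprompt -file $CA_CERTS_PATH/partner1_ca.pem
+
+keytool -keystore $PARTNER2_CA_KS -importcert -alias partner2_ca \
+-storepass test123 -noprompt -file $CA_CERTS_PATH/partner2_ca.pem
+
+echo "Generating miner keystores..."
+### Generate client keystores
+for name in "${names[@]}"
+do
+IFS=':' read -r -a array <<< "$name"
+partner=${array[0]}
+client=${array[1]}
+
+PARTNER_CA_KEYSTORE="$CA_CERTS_PATH/${partner}_ca.p12"
+CLIENT_PATH="./${client}"
+KEYSTORE_PATH="./$CLIENT_PATH/${client}.p12"
+NSSDB_PATH="${CLIENT_PATH}/nssdb"
+
+echo "$PARTNER_CA_KEYSTORE"
+
+mkdir -p $NSSDB_PATH
+
+echo "Generating keystore for Partner $partner Client $client"
+keytool -genkeypair -keystore $KEYSTORE_PATH -storepass test123 -alias ${client} \
+-keyalg $KEY_ALG -validity 36500 \
+-dname "CN=localhost, OU=${partner}" \
+-ext san=dns:localhost,ip:127.0.0.1
+
+echo "Creating CSR for $client and signing it with ${partner}_ca"
+keytool -storepass test123 -keystore $KEYSTORE_PATH -certreq -alias ${client} \
+| keytool -storepass test123 -keystore $PARTNER_CA_KEYSTORE -gencert -validity 36500 -alias "${partner}_ca" -ext ku:c=digitalSignature,nonRepudiation,keyEncipherment -ext eku=sA,cA \
+-rfc > "${CLIENT_PATH}/${client}.pem"
+
+echo "Concat root_ca.pem to ${client}.pem"
+cat "${CA_CERTS_PATH}/root_ca.pem" >> "${CLIENT_PATH}/${client}.pem"
+
+echo "Importing signed $client.pem CSR into $KEYSTORE_PATH"
+keytool -keystore $KEYSTORE_PATH -importcert -alias $client \
+-storepass test123 -noprompt -file "${CLIENT_PATH}/${client}.pem"
+
+echo "Converting p12 to jks"
+keytool -importkeystore -srckeystore $KEYSTORE_PATH -srcstoretype PKCS12 -destkeystore "$CLIENT_PATH/${client}.jks" -deststoretype JKS -srcstorepass test123 -deststorepass test123 -srcalias $client -destalias $client -srckeypass test123 -destkeypass test123 -noprompt
+
+echo "Initialize nss"
+echo "test123" > ${CLIENT_PATH}/nsspin.txt
+certutil -N -d sql:${NSSDB_PATH} -f "${CLIENT_PATH}/nsspin.txt"
+# hack to make Java SunPKCS11 work with new sql version of nssdb
+touch ${NSSDB_PATH}/secmod.db
+
+pk12util -i $KEYSTORE_PATH -d sql:${NSSDB_PATH} -k ${CLIENT_PATH}/nsspin.txt -W test123
+echo "Fixing truststores in sql:${NSSDB_PATH}"
+certutil -M -n "CN=root.ca.besu.com" -t CT,C,C -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
+certutil -M -n "CN=inter.ca.besu.com" -t u,u,u -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
+certutil -M -n "CN=${partner}.ca.besu.com" -t u,u,u -d sql:"$NSSDB_PATH" -f ${CLIENT_PATH}/nsspin.txt
+
+certutil -d sql:"$NSSDB_PATH" -f nsspin.txt -L
+
+echo "Creating pkcs11 nss config file"
+cat <<EOF >${CLIENT_PATH}/nss.cfg
+name = NSScrypto-${partner}-${client}
+nssSecmodDirectory = ./src/test/resources/pki-certs/${client}/nssdb
+nssDbMode = readOnly
+nssModule = keystore
+showInfo = true
+EOF
+
+# remove pem files
+rm "${CLIENT_PATH}/${client}.pem"
+
+# create truststore
+echo "Creating truststore ..."
+keytool -exportcert -keystore $ROOT_CA_KS -storepass test123 -alias root_ca -rfc | keytool -import -trustcacerts -alias root_ca -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
+## keytool -exportcert -keystore $INTER_CA_KS -storepass test123 -alias inter_ca -rfc | keytool -import -trustcacerts -alias inter_ca -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
+## keytool -exportcert -keystore $PARTNER_CA_KEYSTORE -storepass test123 -alias "${partner}_ca" -rfc | keytool -import -trustcacerts -alias "${partner}_ca" -keystore "${CLIENT_PATH}/truststore.p12" -storepass test123 -noprompt
+
+done
+rm $CA_CERTS_PATH/root_ca.pem
+echo "Keystores and nss database created"
+
+## create crl list
+mkdir -p $CRL_DIR
+## rm $CRL_DIR/crl.pem
+
+for crl in "${crls[@]}"
+do
+IFS=':' read -r -a array <<< "$crl"
+partner=${array[0]}
+client=${array[1]}
+
+echo "Exporting CA certificate and private key"
+openssl pkcs12 -nodes -in "$CA_CERTS_PATH/${partner}_ca.p12" -out "$CRL_DIR/${partner}_ca_key.pem" -passin pass:test123 -nocerts
+openssl pkcs12 -nodes -in "$CA_CERTS_PATH/${partner}_ca.p12" -out "$CRL_DIR/${partner}_ca.pem" -passin pass:test123 -nokeys
+
+echo "Export $client certificate"
+openssl pkcs12 -nodes -in "./${client}/${client}.p12" -out "$CRL_DIR/${client}.pem" -passin pass:test123 -nokeys
+
+## On Mac, use gnutls-certtool, on Linux use certtool
+echo "Creating crl"
+printf '365\n\n' | gnutls-certtool --generate-crl --load-ca-privkey "$CRL_DIR/${partner}_ca_key.pem" --load-ca-certificate "$CRL_DIR/${partner}_ca.pem" \
+--load-certificate "$CRL_DIR/${client}.pem" >> $CRL_DIR/crl.pem
+
+rm "$CRL_DIR/${partner}_ca_key.pem"
+rm "$CRL_DIR/${partner}_ca.pem"
+rm "$CRL_DIR/${client}.pem"
+done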
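Review bot: The CRL produced by `printf '365\n\n' | gnutls-certtool --generate-crl ...` is valid for 365 days while every certificate in the script is issued with `-validity 36500`, so the committed crl.pem goes stale after a year and the non-mainnet acceptance tests break again; the regenerated CRL in the next file section appears to be exactly that case, so either feed a matching lifetime, e.g. `printf '36500\n\n'`, or document the yearly regeneration in a header comment. `certutil -d sql:"$NSSDB_PATH" -f nsspin.txt -L` reads the PIN file from the current directory while every other certutil call uses `${CLIENT_PATH}/nsspin.txt`; under `set -e` a failure there aborts the whole run, so change it to `-f "${CLIENT_PATH}/nsspin.txt"`. The shebang is `#! /bin/sh` but the script relies on bash arrays, `read -a` and `<<<`, which fail on a POSIX sh such as dash; use `#!/usr/bin/env bash`. `openssl pkcs12 -nodes ... -nocerts` writes the partner CA private key unencrypted to `$CRL_DIR/${partner}_ca_key.pem` and removes it only when the following commands succeed, so a `trap 'rm -f -- "$CRL_DIR"/*_ca_key.pem' EXIT` near the top would clear it on any exit path. Because `## rm $CRL_DIR/crl.pem` is commented out, `>> $CRL_DIR/crl.pem` also appends to whatever crl.pem already exists on a re-run, so stale CRLs accumulate unless the directory is cleaned first.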
@ -1,26 +1,28 @@ |
||||
-----BEGIN X509 CRL----- |
||||
MIICCTCB8gIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDExRwYXJ0bmVyMS5j |
||||
YS5iZXN1LmNvbRcNMjMwMjAyMDcyODAyWhcNMjQwMjAyMDcyODAyWjBcMBUCBGPB |
||||
QSgXDTIzMDIwMjA3MjgwMlowFQIEEevs6RcNMjMwMjAyMDcyODAyWjAVAgQsaU0G |
||||
Fw0yMzAyMDIwNzI4MDJaMBUCBG2UiBoXDTIzMDIwMjA3MjgwMlqgQTA/MB8GA1Ud |
||||
IwQYMBaAFBIuwtMGbq3lv8zRoPbkRVU3C7+cMBwGA1UdFAQVAhNj22YCCfR6KAr3 |
||||
Jz9Wf/uqHx6QMA0GCSqGSIb3DQEBCwUAA4IBAQBfprxahWbxzS/+Wl7E9u8TSn1s |
||||
Wu2bigQb7iN5zeL6t/8JQ514Y3MR88AZ3O3Wk4QyLOl+0iwxvg7cp7CJQtGYbU3X |
||||
wsYGESYwQZmTxRqsTj6+ZdmHRCeYzKz/GyM+L0SJfvQrZhlOPI45xrnKgMq5PFfD |
||||
UMhZOX/QS8XZB0z0RHiGICcYZo0MAB6MLy3svTzWfulCR23BA+V1R15iHFCWqdyV |
||||
newrb6LFqz2ZEj0j6NsBdoqLzsFnkfyyPRYNbhfO4zTrsgzO5vA0894St9Rob6K8 |
||||
rYo8NzXVPe/GCcLDpczdNsYdyrlVIJVIyPhwX6sqs+MiM5Tv1YOR08n9QMCC |
||||
MIICGzCCAQMCAQEwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAxMUcGFydG5lcjEu |
||||
Y2EuYmVzdS5jb20XDTIzMDUwNDEwMTUzNVoXDTI0MDUwMzEwMTUzNVowbTAZAghF |
||||
KUAnwQI0rxcNMjMwNTA0MTAxNTM1WjAZAggBqEW2S0yD7hcNMjMwNTA0MTAxNTM1 |
||||
WjAZAghxoeavxdMy8xcNMjMwNTA0MTAxNTM1WjAaAgkAgWKzx/tKZWkXDTIzMDUw |
||||
NDEwMTUzNVqgQTA/MB8GA1UdIwQYMBaAFJcP76nbNK50KG5jmh6CvsxlAhJjMBwG |
||||
A1UdFAQVAhNkU4XHFwNbgBqsTIFexJjuzEvyMA0GCSqGSIb3DQEBCwUAA4IBAQB2 |
||||
fhAhVwRBtHdwqhGjRlgbz4i6E0CtoL/02Vazib1OiRAXCkyFJL04U3FGcrPa89Dt |
||||
ClZE0G38+Jw0Be0tEpn9A8doSbLr73w1GqW3BqNTw/qjbc6R2x28A1VIVPwV6bZH |
||||
5P59YtDV+SjSPNxqkwRMyXqGZ2WIMwUS3u47Es9vMsjChXUJWU6W+jf3LYO/dt+V |
||||
7xSchRpljhBtMB8MIoXILBq9uOSFalLmy94YzK2Rw1ZG2SVy2QZ6ZXHvZ/omLbPL |
||||
kd4oAiN7L0OLOkFVHyb9bVP6DUWfXxSxBdszbQzHCy74NEsFUC0xqq0xpxwQRRfD |
||||
codJtbEVJraSsSBkB78n |
||||
-----END X509 CRL----- |
||||
-----BEGIN X509 CRL----- |
||||
MIICCTCB8gIBATANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDExRwYXJ0bmVyMi5j |
||||
YS5iZXN1LmNvbRcNMjMwMjAyMDcyODAyWhcNMjQwMjAyMDcyODAyWjBcMBUCBCHr |
||||
jx0XDTIzMDIwMjA3MjgwMlowFQIEet0CHBcNMjMwMjAyMDcyODAyWjAVAgQsaU0G |
||||
Fw0yMzAyMDIwNzI4MDJaMBUCBG2UiBoXDTIzMDIwMjA3MjgwMlqgQTA/MB8GA1Ud |
||||
IwQYMBaAFD9/xcIxAL/W332b3jmJ/oCeelKZMBwGA1UdFAQVAhNj22YCDSFMMJWc |
||||
DYJaDxyk5/lTMA0GCSqGSIb3DQEBCwUAA4IBAQA4fpbGGXVx8UZH4X41MQfbsQj3 |
||||
IsTO6KRpHEKTgQwZmyVy8+Ot6qJ3j9NOOgDyUzh8J/4F8dwlhtCrtfQuaVJdS3ny |
||||
hZNiMmWUqfGZmMasEk9pmzjvgh4tW9osls1HuirAavxxrSLVHWeJjbQQ11/Mrv1a |
||||
xA60gf7I+qM9naO4SjB+wQR8F6wzudtrmQ0EvxzxL68wXSSYN7P7zPcd2mGjwKvs |
||||
tr3YacPMRmTi3IDLNhx0aIWmKYuyoKIYzm1gv0jlDwembPKp9c2Ps6RK0ahPut7s |
||||
cgpWnsNN88zPeLmrPhUcb4/T45bTZ80d028Ix3U36Gh0TaOgrERkvVE3ViqP |
||||
MIICGzCCAQMCAQEwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAxMUcGFydG5lcjIu |
||||
Y2EuYmVzdS5jb20XDTIzMDUwNDEwMTUzNVoXDTI0MDUwMzEwMTUzNVowbTAZAggF |
||||
p9b0zZl1RxcNMjMwNTA0MTAxNTM1WjAZAgh7MQ7e4x/GbRcNMjMwNTA0MTAxNTM1 |
||||
WjAZAghxoeavxdMy8xcNMjMwNTA0MTAxNTM1WjAaAgkAgWKzx/tKZWkXDTIzMDUw |
||||
NDEwMTUzNVqgQTA/MB8GA1UdIwQYMBaAFJuQMv8IsgbJS8FfPZZx+hSgj7PBMBwG |
||||
A1UdFAQVAhNkU4XHGmnm4OkmS4KBFW1nS4csMA0GCSqGSIb3DQEBCwUAA4IBAQB2 |
||||
43mCjuMmB+MXpl+Axn3b/4V2f0HmbUFhF/andWKUwzC47HoQ+WzXoTV0xisHGCgH |
||||
SYlrLdWd+pFh24H7TrKgqvmwtVmUFwm6DphXW3AHvaePWIrAy7L5ZrdOQB9TZPC1 |
||||
Ly+6x0oKoueiHodWivLQx+CJVbPAzxFEVh0JjecoFw8Tf9FGTqy8jJRdno9HgKDg |
||||
BB7w7kPGF7xoaAbukwTXFz7f1nep44oqge+leEc398tdFDxmwralXAUB0A2v/vDG |
||||
cSZTr+fyTri+zHjQzeq6//y2GF7S56KSyBXDXTJrvqtuijiVHTzQku+pbVNNrid5 |
||||
LgCJI7Phj2Q8k26z0+JJ |
||||
-----END X509 CRL----- |
||||
|