From: Mathieu Baudier Date: Wed, 5 Jan 2022 08:11:00 +0000 (+0100) Subject: Merge demo into sdk X-Git-Tag: argeo-commons-2.3.5~99 X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=406efdadf16d13ee40e1ce75177dcda775dd7abd Merge demo into sdk --- diff --git a/demo/.gitignore b/demo/.gitignore deleted file mode 100644 index 45dfa56f4..000000000 --- a/demo/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/exec/ diff --git a/demo/all.policy b/demo/all.policy deleted file mode 100644 index facb61327..000000000 --- a/demo/all.policy +++ /dev/null @@ -1,3 +0,0 @@ -grant { - permission java.security.AllPermission; -}; \ No newline at end of file diff --git a/demo/argeo-init.properties b/demo/argeo-init.properties deleted file mode 100644 index 08df826be..000000000 --- a/demo/argeo-init.properties +++ /dev/null @@ -1,24 +0,0 @@ -#argeo.osgi.baseUrl=http://forge.argeo.org/data/java/argeo-2.1/ -#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.65/org.argeo.dep.cms.sdk-2.1.65.jar -#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.67/org.argeo.dep.cms.sdk-2.1.67.jar -#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.68-SNAPSHOT/org.argeo.dep.cms.sdk-2.1.68-SNAPSHOT.jar - -#argeo.osgi.boot.debug=true - -argeo.osgi.start.1.osgiboot=org.argeo.init -#argeo.osgi.start.2.node=org.eclipse.equinox.http.servlet,org.eclipse.equinox.http.jetty,org.eclipse.equinox.cm,org.eclipse.rap.rwt.osgi -#argeo.osgi.start.3.node=org.argeo.cms,org.eclipse.gemini.blueprint.extender,org.eclipse.equinox.http.registry - -#java.security.manager= -#java.security.policy=file:../../all.policy - -argeo.node.repo.type=localfs -org.osgi.service.http.port=7070 -log4j.configuration=file:../../log4j.properties - -#java.util.logging.config.file=../../logging.properties - - -# DON'T CHANGE BELOW -org.eclipse.rap.workbenchAutostart=false -org.eclipse.equinox.http.jetty.autostart=false \ No newline at end of file 
diff --git a/demo/cms-cluster_0.properties b/demo/cms-cluster_0.properties deleted file mode 100644 index d0c3fb2f8..000000000 --- a/demo/cms-cluster_0.properties +++ /dev/null @@ -1,33 +0,0 @@ -argeo.osgi.start.2.node=\ -org.eclipse.equinox.http.servlet,\ -org.eclipse.equinox.metatype,\ -org.eclipse.equinox.cm,\ -org.eclipse.equinox.ds,\ -org.eclipse.rap.rwt.osgi - -argeo.osgi.start.3.node=\ -org.argeo.cms - -argeo.osgi.start.5.node=\ -org.argeo.cms.e4.rap - -# Local -org.osgi.service.http.port=7070 -argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com -argeo.node.repo.type=postgresql_cluster_ds -argeo.node.repo.clusterId=03233754-16c3-49a1-8a00-58bf89a65182 -argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster -argeo.node.repo.dbuser=argeo -argeo.node.repo.dbpassword=argeo - -# Logging -log4j.configuration=file:../../log4j.properties - -# DON'T CHANGE BELOW -org.eclipse.equinox.http.jetty.autostart=false -org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\ -com.sun.jndi.ldap.sasl,\ -com.sun.security.jgss,\ -com.sun.jndi.dns,\ -com.sun.nio.file,\ -com.sun.nio.sctp diff --git a/demo/cms-cluster_1.properties b/demo/cms-cluster_1.properties deleted file mode 100644 index b5e60f85b..000000000 --- a/demo/cms-cluster_1.properties +++ /dev/null 
@@ -1,33 +0,0 @@ -argeo.osgi.start.2.node=\ -org.eclipse.equinox.http.servlet,\ -org.eclipse.equinox.metatype,\ -org.eclipse.equinox.cm,\ -org.eclipse.equinox.ds,\ -org.eclipse.rap.rwt.osgi - -argeo.osgi.start.3.node=\ -org.argeo.cms - -argeo.osgi.start.5.node=\ -org.argeo.cms.e4.rap - -# Local -org.osgi.service.http.port=7071 -argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com -argeo.node.repo.type=postgresql_cluster_ds -argeo.node.repo.clusterId=52463fa3-2917-4814-9ff7-685c41cbc7c7 -argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster -argeo.node.repo.dbuser=argeo -argeo.node.repo.dbpassword=argeo - -# Logging -log4j.configuration=file:../../log4j.properties - -# DON'T CHANGE BELOW -org.eclipse.equinox.http.jetty.autostart=false -org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\ -com.sun.jndi.ldap.sasl,\ -com.sun.security.jgss,\ -com.sun.jndi.dns,\ -com.sun.nio.file,\ -com.sun.nio.sctp diff --git a/demo/cms-e4-rap.properties b/demo/cms-e4-rap.properties deleted file mode 100644 index 5e1e6545d..000000000 --- a/demo/cms-e4-rap.properties +++ /dev/null 
@@ -1,67 +0,0 @@ -argeo.osgi.start.2.node=\ -org.eclipse.equinox.http.servlet,\ -org.eclipse.equinox.metatype,\ -org.eclipse.equinox.cm,\ -org.eclipse.equinox.ds,\ -org.eclipse.rap.rwt.osgi,\ -org.argeo.init - -argeo.osgi.start.3.node=\ -org.argeo.cms - -argeo.osgi.start.4.node=\ -org.argeo.cms.jcr - -argeo.osgi.start.5.node=\ -org.argeo.cms.e4.rap - -# Local -argeo.node.repo.type=h2 -org.osgi.service.http.port=7070 -#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to] -#org.osgi.service.http.port.secure=7073 -#org.eclipse.equinox.http.jetty.websocket.enabled=true - -# Logging -log4j.configuration=file:../../log4j.properties - -# SSL -#org.osgi.service.http.port.secure=7073 -#org.eclipse.equinox.http.jetty.https.enabled=true -#org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12 -#org.eclipse.equinox.http.jetty.ssl.keystoretype=PKCS12 -#org.eclipse.equinox.http.jetty.ssl.password=changeit -#org.eclipse.equinox.http.jetty.ssl.wantclientauth=true - -# Hardened -#org.osgi.framework.security=osgi -#java.security.policy=file:../../all.policy - -# Internationalisation -#argeo.i18n.locales=en,fr,ru -#eclipse.registry.MultiLanguage=true -#argeo.i18n.defaultLocale=en - -# Tuning -# Number of DB connections -#argeo.node.repo.maxPoolSize=10 -# Max amount of memory available to Jackrabbit caches -#argeo.node.repo.maxCacheMB=16 -# Persistence level cache -#argeo.node.repo.bundleCacheMB=8 -# Search, see http://wiki.apache.org/jackrabbit/Search -#argeo.node.repo.extractorPoolSize=0 -#argeo.node.repo.searchCacheSize=1000 -#argeo.node.repo.maxVolatileIndexSize=1048576 - -# Legacy -#argeo.node.transaction.manager=bitronix - -# DON'T CHANGE BELOW -org.eclipse.equinox.http.jetty.autostart=false -org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\ -com.sun.jndi.ldap.sasl,\ -com.sun.security.jgss,\ -com.sun.jndi.dns,\ -com.sun.nio.file,\ -com.sun.nio.sctp 
diff --git a/demo/cms-local.properties b/demo/cms-local.properties deleted file mode 100644 index e8ae49457..000000000 --- a/demo/cms-local.properties +++ /dev/null @@ -1,29 +0,0 @@ -argeo.osgi.start.2.node=\ -org.eclipse.equinox.http.servlet,\ -org.eclipse.equinox.metatype,\ -org.eclipse.equinox.cm,\ -org.eclipse.equinox.ds,\ -org.eclipse.rap.rwt.osgi - -argeo.osgi.start.3.node=\ -org.argeo.cms - -argeo.osgi.start.5.node=\ -org.argeo.cms.e4.rap - -# Local -argeo.node.repo.type=h2 -org.osgi.service.http.port=7070 -argeo.node.useradmin.uris=os:/// - -# Logging -log4j.configuration=file:../../log4j.properties - -# DON'T CHANGE BELOW -org.eclipse.equinox.http.jetty.autostart=false -org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\ -com.sun.jndi.ldap.sasl,\ -com.sun.security.jgss,\ -com.sun.jndi.dns,\ -com.sun.nio.file,\ -com.sun.nio.sctp diff --git a/demo/cms-pgsql-ldap.properties b/demo/cms-pgsql-ldap.properties deleted file mode 100644 index 3f9aaff9f..000000000 --- a/demo/cms-pgsql-ldap.properties +++ /dev/null @@ -1,32 +0,0 @@ -argeo.osgi.start.2.node=\ -org.eclipse.equinox.http.servlet,\ -org.eclipse.equinox.metatype,\ -org.eclipse.equinox.cm,\ -org.eclipse.equinox.ds,\ -org.eclipse.rap.rwt.osgi - -argeo.osgi.start.3.node=\ -org.argeo.cms - -argeo.osgi.start.5.node=\ -org.argeo.cms.e4.rap - -# Local -org.osgi.service.http.port=7070 -argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com -argeo.node.repo.type=postgresql_ds -argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo -argeo.node.repo.dbuser=argeo -argeo.node.repo.dbpassword=argeo - -# Logging -log4j.configuration=file:../../log4j.properties - -# DON'T CHANGE BELOW -org.eclipse.equinox.http.jetty.autostart=false -org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\ -com.sun.jndi.ldap.sasl,\ -com.sun.security.jgss,\ -com.sun.jndi.dns,\ -com.sun.nio.file,\ -com.sun.nio.sctp 
diff --git a/demo/init/node/.gitignore b/demo/init/node/.gitignore deleted file mode 100644 index f61974476..000000000 --- a/demo/init/node/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -/krb5.keytab -/krb5.keytab.old -/*.p12 -/*.jks \ No newline at end of file diff --git a/demo/init/node/ou=roles,ou=node.ldif b/demo/init/node/ou=roles,ou=node.ldif deleted file mode 100644 index ffa9073ef..000000000 --- a/demo/init/node/ou=roles,ou=node.ldif +++ /dev/null @@ -1,12 +0,0 @@ -dn: cn=admin,ou=roles,ou=node -objectClass: groupOfNames -objectClass: top -cn: admin -member: uid=root,ou=People,dc=example,dc=com - -dn: cn=userAdmin,ou=roles,ou=node -objectClass: groupOfNames -objectClass: top -member: cn=admin,ou=roles,ou=node -cn: userAdmin - diff --git a/demo/log4j.properties b/demo/log4j.properties deleted file mode 100644 index bf3f291a5..000000000 --- a/demo/log4j.properties +++ /dev/null @@ -1,12 +0,0 @@ -log4j.rootLogger=WARN, development - -log4j.logger.org.argeo=DEBUG - -## Appenders -log4j.appender.console=org.apache.log4j.ConsoleAppender -log4j.appender.console.layout=org.apache.log4j.PatternLayout -log4j.appender.console.layout.ConversionPattern= %-5p %d{ISO8601} %m %n - -log4j.appender.development=org.apache.log4j.ConsoleAppender -log4j.appender.development.layout=org.apache.log4j.PatternLayout -log4j.appender.development.layout.ConversionPattern=%d{ABSOLUTE} %m (%F:%L) [%t] %p %n diff --git a/demo/logging.properties b/demo/logging.properties deleted file mode 100644 index bf86d0947..000000000 --- a/demo/logging.properties +++ /dev/null 
@@ -1,65 +0,0 @@ -############################################################ -# Default Logging Configuration File -# -# You can use a different file by specifying a filename -# with the java.util.logging.config.file system property. -# For example java -Djava.util.logging.config.file=myfile -############################################################ - -############################################################ -# Global properties -############################################################ - -# "handlers" specifies a comma separated list of log Handler -# classes. These handlers will be installed during VM startup. -# Note that these classes must be on the system classpath. -# By default we only configure a ConsoleHandler, which will only -# show messages at the INFO and above levels. -#handlers= java.util.logging.ConsoleHandler -#handlers=org.argeo.init.logging.jse.ThinHandler -handlers= - -# To also add the FileHandler, use the following line instead. -#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler - -# Default global logging level. -# This specifies which kinds of events are logged across -# all loggers. For any given facility this global level -# can be overriden by a facility specific level -# Note that the ConsoleHandler also has a separate level -# setting to limit messages printed to the console. -.level= INFO - -############################################################ -# Handler specific properties. -# Describes specific configuration info for Handlers. -############################################################ - -# default file output is in user's home directory. -java.util.logging.FileHandler.pattern = %h/java%u.log -java.util.logging.FileHandler.limit = 50000 -java.util.logging.FileHandler.count = 1 -# Default number of locks FileHandler can obtain synchronously. 
-# This specifies maximum number of attempts to obtain lock file by FileHandler -# implemented by incrementing the unique field %u as per FileHandler API documentation. -java.util.logging.FileHandler.maxLocks = 100 -java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter - -# Limit the message that are printed on the console to INFO and above. -java.util.logging.ConsoleHandler.level = INFO -java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter - -# Example to customize the SimpleFormatter output format -# to print one-line log message like this: -# : [] -# -# java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n - -############################################################ -# Facility specific properties. -# Provides extra control for each logger. -############################################################ - -# For example, set the com.xyz.foo logger to only log SEVERE -# messages: -com.xyz.foo.level = SEVERE diff --git a/demo/ssl/.gitignore b/demo/ssl/.gitignore deleted file mode 100644 index bc77402d0..000000000 --- a/demo/ssl/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -/CA/ -/*.p12 -/*.jks -/nssdb/ -/*.pem -/old/ -/rootCA/ diff --git a/demo/ssl/openssl.cnf b/demo/ssl/openssl.cnf deleted file mode 100644 index 05bb6f77f..000000000 --- a/demo/ssl/openssl.cnf +++ /dev/null 
@@ -1,120 +0,0 @@ -dir = ./CA # Where everything is kept - -[ ca ] -default_ca = CA_default # The default ca section - -[ CA_default ] -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/newcerts # default place for new certs. -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key -x509_extensions = usr_cert # The extentions to add to the cert -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options -crl_extensions = crl_ext -default_days = 365 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering -policy = policy_match - -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -[ req ] -default_bits = 4096 -default_md = sha1 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -input_password = demo -output_password = demo - -string_mask = utf8only -req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_min = 2 -countryName_max = 2 -#stateOrProvinceName = State or 
Province Name (full name) -#localityName = Locality Name (eg, city) -0.organizationName = Organization Name (eg, company) -organizationalUnitName = Organizational Unit Name (eg, section) -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 -emailAddress = Email Address -emailAddress_max = 64 -# SET-ex3 = SET extension number 3 - -## -## DEFAULT VALUES -## -countryName_default = DE -#stateOrProvinceName_default = Berlin -#localityName_default = Berlin -0.organizationName_default = Example -organizationalUnitName_default = Certificate Authorities -commonName_default = Intermediate CA - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 -#unstructuredName = An optional company name - -[ usr_cert ] -basicConstraints=CA:FALSE -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -subjectAltName=email:move -issuerAltName=issuer:copy - -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = critical, CA:true -keyUsage = critical, digitalSignature, cRLSign, keyCertSign - -[ v3_intermediate_ca ] -# Extensions for a typical intermediate CA (`man x509v3_config`). -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical, CA:true, pathlen:0 -keyUsage = critical, digitalSignature, cRLSign, keyCertSign - -[ crl_ext ] -issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ server_ext ] -extendedKeyUsage=serverAuth - -[ user_ext ] -extendedKeyUsage=clientAuth,emailProtection diff --git a/demo/ssl/openssl_root.cnf b/demo/ssl/openssl_root.cnf deleted file mode 100644 index c68945955..000000000 --- a/demo/ssl/openssl_root.cnf +++ /dev/null 
@@ -1,120 +0,0 @@ -dir = ./rootCA # Where everything is kept - -[ ca ] -default_ca = CA_default # The default ca section - -[ CA_default ] -certs = $dir/certs # Where the issued certs are kept -crl_dir = $dir/crl # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/newcerts # default place for new certs. -certificate = $dir/cacert.pem # The CA certificate -serial = $dir/serial # The current serial number -crlnumber = $dir/crlnumber # the current crl number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/cakey.pem # The private key -x509_extensions = usr_cert # The extentions to add to the cert -name_opt = ca_default # Subject Name options -cert_opt = ca_default # Certificate field options -crl_extensions = crl_ext -default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL -default_md = default # use public key default MD -preserve = no # keep passed DN ordering -policy = policy_match - -[ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = optional -emailAddress = optional - -[ req ] -default_bits = 4096 -default_md = sha1 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca # The extensions to add to the self signed cert - -# Passwords for private keys if not present they will be prompted for -input_password = demo -output_password = demo - -string_mask = utf8only -req_extensions = v3_req # The extensions to add to a certificate request - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_min = 2 -countryName_max = 2 -#stateOrProvinceName = 
State or Province Name (full name) -#localityName = Locality Name (eg, city) -0.organizationName = Organization Name (eg, company) -organizationalUnitName = Organizational Unit Name (eg, section) -commonName = Common Name (eg, your name or your server\'s hostname) -commonName_max = 64 -emailAddress = Email Address -emailAddress_max = 64 -# SET-ex3 = SET extension number 3 - -## -## DEFAULT VALUES -## -countryName_default = DE -#stateOrProvinceName_default = Berlin -#localityName_default = Berlin -0.organizationName_default = Example -organizationalUnitName_default = Certificate Authorities -commonName_default = Root CA - -[ req_attributes ] -#challengePassword = A challenge password -#challengePassword_min = 4 -#challengePassword_max = 20 -#unstructuredName = An optional company name - -[ usr_cert ] -basicConstraints=CA:FALSE -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -subjectAltName=email:move -issuerAltName=issuer:copy - -[ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment - -[ v3_ca ] -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer -basicConstraints = critical, CA:true -keyUsage = critical, digitalSignature, cRLSign, keyCertSign - -[ v3_intermediate_ca ] -# Extensions for a typical intermediate CA (`man x509v3_config`). -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical, CA:true, pathlen:0 -keyUsage = critical, digitalSignature, cRLSign, keyCertSign - -[ crl_ext ] -issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always - -[ server_ext ] -extendedKeyUsage=serverAuth - -[ user_ext ] -extendedKeyUsage=clientAuth,emailProtection diff --git a/demo/ssl/ssl.sh b/demo/ssl/ssl.sh deleted file mode 100644 index 1caa4b3b0..000000000 --- a/demo/ssl/ssl.sh +++ /dev/null 
@@ -1,115 +0,0 @@ -#!/bin/sh - -# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY -# Run this script from its directory -# all *.p12 passwords are 'demo' -# all *.jks passwords are 'changeit' - -# Fail if any error -set -e - -ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/" -INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/" -SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/ -USERS_BASE_DN=/DC=com/DC=example/OU=People - -echo -- Init directory structures -mkdir -p ./rootCA/{certs,crl,csr,newcerts,private} -mkdir -p ./CA/{certs,crl,csr,newcerts,private} - -# -# Root CA -# -export OPENSSL_CONF=./openssl_root.cnf -export CATOP=./rootCA -echo -- Create root CA in $CATOP -touch $CATOP/index.txt -openssl req -new -newkey rsa:4096 -extensions v3_ca \ - -subj "$ROOT_CA_DN" \ - -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \ - 2>/dev/null # quiet -openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \ - 2>/dev/null # quiet - -echo -- Create intermediate CA in ./CA -openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \ - -subj "$INTERMEDIATE_CA_DN" \ - -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \ - 2>/dev/null # quiet -openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \ - 2>/dev/null # quiet - -# -# Intermediate CA -# -export OPENSSL_CONF=./openssl.cnf -export CATOP=./CA - -# create index and serial -touch $CATOP/index.txt -openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \ - 2>/dev/null # quiet - -echo -- Create server key and certificate -openssl req -new -newkey rsa:4096 -extensions server_ext \ - -subj $SERVER_DN \ - -keyout node_key.pem -passout pass:demo -out node_csr.pem \ - 2>/dev/null # quiet -openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \ - 2>/dev/null # quiet - -# create CA chain -cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > 
chain.pem - -# convert to p12 -openssl pkcs12 -export -passin pass:demo -passout pass:changeit \ - -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \ - -out node.p12 \ - 2>/dev/null # quiet - -echo -- Import Certificate Authority into keystore -keytool -importcert -noprompt -keystore node.p12 -storepass changeit \ - -alias "rootCA" -file ./rootCA/cacert.pem -keytool -importcert -noprompt -keystore node.p12 -storepass changeit \ - -alias "CA" -file ./CA/cacert.pem - -echo -- Copy node.p12 to ../init/node -cp node.p12 ../init/node/ - -echo -- Create 'root' user client certificate root.p12 -openssl req -new -newkey rsa:4096 -extensions user_ext \ - -subj $USERS_BASE_DN/UID=root/ \ - -keyout newkey.pem -passout pass:demo -out newcsr.pem \ - 2>/dev/null # quiet - -openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \ - 2>/dev/null # quiet - -# create new CA chain -#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem -openssl pkcs12 -export -passin pass:demo -passout pass:demo \ - -name "root" -inkey newkey.pem -in chain.pem \ - -out root.p12 \ - 2>/dev/null # quiet - -# demo user -#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \ -# -subj $USERS_BASE_DN/UID=demo/ \ -# -keyout newkey.pem -passout pass:demo -out newcsr.pem -#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem -#openssl pkcs12 -export -passin pass:demo -passout pass:demo \ -# -name "demo" -inkey newkey.pem -in newcrt.pem \ -# -out demo.p12 - -# Self-signed -#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \ -# -subj $SERVER_DN \ -# -keyout newkey.pem -passout pass:demo -out newcrt.pem -# Self-signed server certificate -#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \ -# -name "jetty" -inkey newkey.pem -in newcrt.pem \ -# -certfile ./CA/cacert.pem \ -# -out server.p12 - -echo ## Clean up -rm -vf *.pem 
diff --git a/sdk/.gitignore b/sdk/.gitignore
new file mode 100644
index 000000000..45dfa56f4
--- /dev/null
+++ b/sdk/.gitignore
@@ -0,0 +1 @@
+/exec/
diff --git a/sdk/all.policy b/sdk/all.policy
new file mode 100644
index 000000000..facb61327
--- /dev/null
+++ b/sdk/all.policy
@@ -0,0 +1,3 @@
+grant {
+ permission java.security.AllPermission;
+};
\ No newline at end of file
diff --git a/sdk/argeo-init.properties b/sdk/argeo-init.properties
new file mode 100644
index 000000000..08df826be
--- /dev/null
+++ b/sdk/argeo-init.properties
@@ -0,0 +1,24 @@
+#argeo.osgi.baseUrl=http://forge.argeo.org/data/java/argeo-2.1/
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.65/org.argeo.dep.cms.sdk-2.1.65.jar
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.67/org.argeo.dep.cms.sdk-2.1.67.jar
+#argeo.osgi.distributionUrl=org/argeo/commons/org.argeo.dep.cms.sdk/2.1.68-SNAPSHOT/org.argeo.dep.cms.sdk-2.1.68-SNAPSHOT.jar
+
+#argeo.osgi.boot.debug=true
+
+argeo.osgi.start.1.osgiboot=org.argeo.init
+#argeo.osgi.start.2.node=org.eclipse.equinox.http.servlet,org.eclipse.equinox.http.jetty,org.eclipse.equinox.cm,org.eclipse.rap.rwt.osgi
+#argeo.osgi.start.3.node=org.argeo.cms,org.eclipse.gemini.blueprint.extender,org.eclipse.equinox.http.registry
+
+#java.security.manager=
+#java.security.policy=file:../../all.policy
+
+argeo.node.repo.type=localfs
+org.osgi.service.http.port=7070
+log4j.configuration=file:../../log4j.properties
+
+#java.util.logging.config.file=../../logging.properties
+
+
+# DON'T CHANGE BELOW
+org.eclipse.rap.workbenchAutostart=false
+org.eclipse.equinox.http.jetty.autostart=false
\ No newline at end of file
diff --git a/sdk/cms-cluster_0.properties b/sdk/cms-cluster_0.properties
new file mode 100644
index 000000000..d0c3fb2f8
--- /dev/null
+++ b/sdk/cms-cluster_0.properties
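Review bot: `sdk/all.policy` grants `java.security.AllPermission` to every code source with no comment stating what it is for, and the only references to it visible in this commit are commented-out `java.security.policy=file:../../all.policy` lines in `sdk/argeo-init.properties` and, under `# Hardened`, in `sdk/cms-e4-rap.properties`. Someone enabling that `# Hardened` block would therefore turn on a security manager backed by an allow-everything policy; that may be intended if bundle permissions are governed elsewhere once `org.osgi.framework.security=osgi` is set, but nothing on the page confirms it. The index hashes show the file is moved unchanged from `demo/`, so this is pre-existing rather than introduced here. I would add a header to the policy file, e.g. `// Grants every permission to all code. Development use only unless OSGi conditional permissions restrict bundles separately (confirm before relying on it).`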
@@ -0,0 +1,33 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_cluster_ds
+argeo.node.repo.clusterId=03233754-16c3-49a1-8a00-58bf89a65182
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/sdk/cms-cluster_1.properties b/sdk/cms-cluster_1.properties
new file mode 100644
index 000000000..b5e60f85b
--- /dev/null
+++ b/sdk/cms-cluster_1.properties
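Review bot: `sdk/cms-cluster_0.properties` carries a directory-manager bind password inside `argeo.node.useradmin.uris` and a database password in `argeo.node.repo.dbpassword`, in a tracked file (the new `sdk/.gitignore` only excludes `/exec/`), and the bind URI is plain `ldap://`, so the credential also travels unencrypted to the `test-pgsql-ldap` host. The same applies to `sdk/cms-cluster_1.properties` and `sdk/cms-pgsql-ldap.properties` later in this commit. The index hashes match the deleted `demo/` copies, so nothing is newly exposed, and the `test-` hostname suggests a throwaway environment; the files just do not say so. Please add, above the `# Local` block, a comment such as `# Test-only credentials for the disposable test-pgsql-ldap container; never reuse these values or this cleartext ldap:// bind outside that environment.`, or move the secret-bearing values out of the tracked file.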
@@ -0,0 +1,33 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7071
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_cluster_ds
+argeo.node.repo.clusterId=52463fa3-2917-4814-9ff7-685c41cbc7c7
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo_cluster
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/sdk/cms-e4-rap.properties b/sdk/cms-e4-rap.properties
new file mode 100644
index 000000000..5e1e6545d
--- /dev/null
+++ b/sdk/cms-e4-rap.properties
@@ -0,0 +1,67 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi,\
+org.argeo.init
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.4.node=\
+org.argeo.cms.jcr
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+argeo.node.repo.type=h2
+org.osgi.service.http.port=7070
+#org.eclipse.equinox.http.jetty.http.host=[IP address to listen to]
+#org.osgi.service.http.port.secure=7073
+#org.eclipse.equinox.http.jetty.websocket.enabled=true
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# SSL
+#org.osgi.service.http.port.secure=7073
+#org.eclipse.equinox.http.jetty.https.enabled=true
+#org.eclipse.equinox.http.jetty.ssl.keystore=data/node.p12
+#org.eclipse.equinox.http.jetty.ssl.keystoretype=PKCS12
+#org.eclipse.equinox.http.jetty.ssl.password=changeit
+#org.eclipse.equinox.http.jetty.ssl.wantclientauth=true
+
+# Hardened
+#org.osgi.framework.security=osgi
+#java.security.policy=file:../../all.policy
+
+# Internationalisation
+#argeo.i18n.locales=en,fr,ru
+#eclipse.registry.MultiLanguage=true
+#argeo.i18n.defaultLocale=en
+
+# Tuning
+# Number of DB connections
+#argeo.node.repo.maxPoolSize=10
+# Max amount of memory available to Jackrabbit caches
+#argeo.node.repo.maxCacheMB=16
+# Persistence level cache
+#argeo.node.repo.bundleCacheMB=8
+# Search, see http://wiki.apache.org/jackrabbit/Search
+#argeo.node.repo.extractorPoolSize=0
+#argeo.node.repo.searchCacheSize=1000
+#argeo.node.repo.maxVolatileIndexSize=1048576
+
+# Legacy
+#argeo.node.transaction.manager=bitronix
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/sdk/cms-local.properties b/sdk/cms-local.properties
new file mode 100644
index 000000000..e8ae49457
--- /dev/null
+++ b/sdk/cms-local.properties
@@ -0,0 +1,29 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+argeo.node.repo.type=h2
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=os:///
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/sdk/cms-pgsql-ldap.properties b/sdk/cms-pgsql-ldap.properties
new file mode 100644
index 000000000..3f9aaff9f
--- /dev/null
+++ b/sdk/cms-pgsql-ldap.properties
@@ -0,0 +1,32 @@
+argeo.osgi.start.2.node=\
+org.eclipse.equinox.http.servlet,\
+org.eclipse.equinox.metatype,\
+org.eclipse.equinox.cm,\
+org.eclipse.equinox.ds,\
+org.eclipse.rap.rwt.osgi
+
+argeo.osgi.start.3.node=\
+org.argeo.cms
+
+argeo.osgi.start.5.node=\
+org.argeo.cms.e4.rap
+
+# Local
+org.osgi.service.http.port=7070
+argeo.node.useradmin.uris=ldap://cn=Directory%20Manager:argeoargeo@test-pgsql-ldap/dc=example,dc=com
+argeo.node.repo.type=postgresql_ds
+argeo.node.repo.dburl=jdbc:postgresql://test-pgsql-ldap/argeo
+argeo.node.repo.dbuser=argeo
+argeo.node.repo.dbpassword=argeo
+
+# Logging
+log4j.configuration=file:../../log4j.properties
+
+# DON'T CHANGE BELOW
+org.eclipse.equinox.http.jetty.autostart=false
+org.osgi.framework.bootdelegation=com.sun.jndi.ldap,\
+com.sun.jndi.ldap.sasl,\
+com.sun.security.jgss,\
+com.sun.jndi.dns,\
+com.sun.nio.file,\
+com.sun.nio.sctp
diff --git a/sdk/init/node/.gitignore b/sdk/init/node/.gitignore
new file mode 100644
index 000000000..f61974476
--- /dev/null
+++ b/sdk/init/node/.gitignore
@@ -0,0 +1,4 @@
+/krb5.keytab
+/krb5.keytab.old
+/*.p12
+/*.jks
\ No newline at end of file
diff --git a/sdk/init/node/ou=roles,ou=node.ldif b/sdk/init/node/ou=roles,ou=node.ldif
new file mode 100644
index 000000000..ffa9073ef
--- /dev/null
+++ b/sdk/init/node/ou=roles,ou=node.ldif
@@ -0,0 +1,12 @@
+dn: cn=admin,ou=roles,ou=node
+objectClass: groupOfNames
+objectClass: top
+cn: admin
+member: uid=root,ou=People,dc=example,dc=com
+
+dn: cn=userAdmin,ou=roles,ou=node
+objectClass: groupOfNames
+objectClass: top
+member: cn=admin,ou=roles,ou=node
+cn: userAdmin
+
diff --git a/sdk/log4j.properties b/sdk/log4j.properties
new file mode 100644
index 000000000..bf3f291a5
--- /dev/null
+++ b/sdk/log4j.properties
@@ -0,0 +1,12 @@
+log4j.rootLogger=WARN, development
+
+log4j.logger.org.argeo=DEBUG
+
+## Appenders
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern= %-5p %d{ISO8601} %m %n
+
+log4j.appender.development=org.apache.log4j.ConsoleAppender
+log4j.appender.development.layout=org.apache.log4j.PatternLayout
+log4j.appender.development.layout.ConversionPattern=%d{ABSOLUTE} %m (%F:%L) [%t] %p %n
diff --git a/sdk/ssl/.gitignore b/sdk/ssl/.gitignore
new file mode 100644
index 000000000..bc77402d0
--- /dev/null
+++ b/sdk/ssl/.gitignore
@@ -0,0 +1,7 @@
+/CA/
+/*.p12
+/*.jks
+/nssdb/
+/*.pem
+/old/
+/rootCA/
diff --git a/sdk/ssl/openssl.cnf b/sdk/ssl/openssl.cnf
new file mode 100644
index 000000000..05bb6f77f
--- /dev/null
+++ b/sdk/ssl/openssl.cnf
@@ -0,0 +1,120 @@
+dir = ./CA # Where everything is kept
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+crl_extensions = crl_ext
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+default_md = sha1
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+input_password = demo
+output_password = demo
+
+string_mask = utf8only
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+#stateOrProvinceName = State or Province Name (full name)
+#localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+# SET-ex3 = SET extension number 3
+
+##
+## DEFAULT VALUES
+##
+countryName_default = DE
+#stateOrProvinceName_default = Berlin
+#localityName_default = Berlin
+0.organizationName_default = Example
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Intermediate CA
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName=email:move
+issuerAltName=issuer:copy
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ server_ext ]
+extendedKeyUsage=serverAuth
+
+[ user_ext ]
+extendedKeyUsage=clientAuth,emailProtection
diff --git a/sdk/ssl/openssl_root.cnf b/sdk/ssl/openssl_root.cnf
new file mode 100644
index 000000000..c68945955
--- /dev/null
+++ b/sdk/ssl/openssl_root.cnf
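Review bot: `default_md = sha1` in the `[ req ]` section of sdk/ssl/openssl.cnf makes every CSR and self-signed certificate produced from this config carry a SHA-1 signature, which current TLS stacks and Java runtimes reject or warn about; `default_md = sha256` is the drop-in replacement, and the same line appears in sdk/ssl/openssl_root.cnf. The `[ CA_default ]` `default_md = default` line is unaffected, since on current OpenSSL that should resolve to the key's default digest rather than SHA-1. Separately, `[ usr_cert ]` only sets `subjectAltName=email:move`, so a server certificate issued with the default extensions carries no DNS SAN and will not match its hostname in SAN-only validators; `[ server_ext ]` would need a `subjectAltName = DNS:<hostname>` entry (hostname to be supplied by the caller) before this config can issue usable server certificates.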
@@ -0,0 +1,120 @@
+dir = ./rootCA # Where everything is kept
+
+[ ca ]
+default_ca = CA_default # The default ca section
+
+[ CA_default ]
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/newcerts # default place for new certs.
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+x509_extensions = usr_cert # The extentions to add to the cert
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+crl_extensions = crl_ext
+default_days = 3650 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+policy = policy_match
+
+[ policy_match ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = optional
+emailAddress = optional
+
+[ req ]
+default_bits = 4096
+default_md = sha1
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+input_password = demo
+output_password = demo
+
+string_mask = utf8only
+req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+#stateOrProvinceName = State or Province Name (full name)
+#localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+# SET-ex3 = SET extension number 3
+
+##
+## DEFAULT VALUES
+##
+countryName_default = DE
+#stateOrProvinceName_default = Berlin
+#localityName_default = Berlin
+0.organizationName_default = Example
+organizationalUnitName_default = Certificate Authorities
+commonName_default = Root CA
+
+[ req_attributes ]
+#challengePassword = A challenge password
+#challengePassword_min = 4
+#challengePassword_max = 20
+#unstructuredName = An optional company name
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+subjectAltName=email:move
+issuerAltName=issuer:copy
+
+[ v3_req ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ server_ext ]
+extendedKeyUsage=serverAuth
+
+[ user_ext ]
+extendedKeyUsage=clientAuth,emailProtection
diff --git a/sdk/ssl/ssl.sh b/sdk/ssl/ssl.sh
new file mode 100644
index 000000000..1caa4b3b0
--- /dev/null
+++ b/sdk/ssl/ssl.sh
@@ -0,0 +1,115 @@
+#!/bin/sh
+
+# COMPLETELY UNSAFE - FOR DEVELOPMENT ONLY
+# Run this script from its directory
+# all *.p12 passwords are 'demo'
+# all *.jks passwords are 'changeit'
+
+# Fail if any error
+set -e
+
+ROOT_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Root CA/"
+INTERMEDIATE_CA_DN="/C=DE/O=Example/OU=Certificate Authorities/CN=Intermediate CA/"
+SERVER_DN=/C=DE/O=Example/OU=Systems/CN=$HOSTNAME/
+USERS_BASE_DN=/DC=com/DC=example/OU=People
+
+echo -- Init directory structures
+mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}
+mkdir -p ./CA/{certs,crl,csr,newcerts,private}
+
+#
+# Root CA
+#
+export OPENSSL_CONF=./openssl_root.cnf
+export CATOP=./rootCA
+echo -- Create root CA in $CATOP
+touch $CATOP/index.txt
+openssl req -new -newkey rsa:4096 -extensions v3_ca \
+ -subj "$ROOT_CA_DN" \
+ -keyout $CATOP/private/cakey.pem -passout pass:demo -out ca_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -create_serial -selfsign -batch -passin pass:demo -in ca_csr.pem -out $CATOP/cacert.pem \
+ 2>/dev/null # quiet
+
+echo -- Create intermediate CA in ./CA
+openssl req -new -newkey rsa:4096 -extensions v3_intermediate_ca \
+ -subj "$INTERMEDIATE_CA_DN" \
+ -keyout ./CA/private/cakey.pem -passout pass:demo -out ica_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in ica_csr.pem -out ./CA/cacert.pem \
+ 2>/dev/null # quiet
+
+#
+# Intermediate CA
+#
+export OPENSSL_CONF=./openssl.cnf
+export CATOP=./CA
+
+# create index and serial
+touch $CATOP/index.txt
+openssl x509 -in $CATOP/cacert.pem -noout -next_serial -out $CATOP/serial \
+ 2>/dev/null # quiet
+
+echo -- Create server key and certificate
+openssl req -new -newkey rsa:4096 -extensions server_ext \
+ -subj $SERVER_DN \
+ -keyout node_key.pem -passout pass:demo -out node_csr.pem \
+ 2>/dev/null # quiet
+openssl ca -batch -passin pass:demo -in node_csr.pem -out node_crt.pem \
+ 2>/dev/null # quiet
+
+# create CA chain
+cat node_crt.pem ./CA/cacert.pem ./rootCA/cacert.pem > chain.pem
+
+# convert to p12
+openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+ -name "$HOSTNAME" -inkey node_key.pem -in chain.pem \
+ -out node.p12 \
+ 2>/dev/null # quiet
+
+echo -- Import Certificate Authority into keystore
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "rootCA" -file ./rootCA/cacert.pem
+keytool -importcert -noprompt -keystore node.p12 -storepass changeit \
+ -alias "CA" -file ./CA/cacert.pem
+
+echo -- Copy node.p12 to ../init/node
+cp node.p12 ../init/node/
+
+echo -- Create 'root' user client certificate root.p12
+openssl req -new -newkey rsa:4096 -extensions user_ext \
+ -subj $USERS_BASE_DN/UID=root/ \
+ -keyout newkey.pem -passout pass:demo -out newcsr.pem \
+ 2>/dev/null # quiet
+
+openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem \
+ 2>/dev/null # quiet
+
+# create new CA chain
+#cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem
+openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+ -name "root" -inkey newkey.pem -in chain.pem \
+ -out root.p12 \
+ 2>/dev/null # quiet
+
+# demo user
+#openssl req -new -newkey rsa:4096 -extensions user_ext -days 365 \
+# -subj $USERS_BASE_DN/UID=demo/ \
+# -keyout newkey.pem -passout pass:demo -out newcsr.pem
+#openssl ca -preserveDN -batch -passin pass:demo -in newcsr.pem -out newcrt.pem
+#openssl pkcs12 -export -passin pass:demo -passout pass:demo \
+# -name "demo" -inkey newkey.pem -in newcrt.pem \
+# -out demo.p12
+
+# Self-signed
+#openssl req -x509 -new -newkey rsa:4096 -extensions server_ext -days 365 \
+# -subj $SERVER_DN \
+# -keyout newkey.pem -passout pass:demo -out newcrt.pem
+# Self-signed server certificate
+#openssl pkcs12 -export -passin pass:demo -passout pass:changeit \
+# -name "jetty" -inkey newkey.pem -in newcrt.pem \
+# -certfile ./CA/cacert.pem \
+# -out server.p12
+
+echo ## Clean up
+rm -vf *.pem
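Review bot: The `root.p12` export near the end of sdk/ssl/ssl.sh pairs `-inkey newkey.pem` (the user's key) with `-in chain.pem` (the server chain); `openssl pkcs12 -export` requires a certificate in `-in` that matches the key, so with `set -e` this step should abort, and the `2>/dev/null` hides the reason. The intended input is the commented-out line just above it: uncomment `cat newcrt.pem ./CA/cacert.pem ./rootCA/cacert.pem > newchain.pem` and change the export to `-in newchain.pem`. The shebang is `#!/bin/sh`, but `mkdir -p ./rootCA/{certs,crl,csr,newcerts,private}` relies on brace expansion and `SERVER_DN` on a shell-provided `$HOSTNAME`, so under a POSIX sh such as dash the tree is created as one directory literally named `{certs,...}` and the first `-keyout $CATOP/private/cakey.pem` fails; `#!/bin/bash` or one `mkdir -p` per directory fixes that. As far as I can tell none of the `openssl ca` invocations passes `-extensions`, so every issued certificate, the two CA certificates included, is stamped from the config's `x509_extensions = usr_cert` (`basicConstraints=CA:FALSE`), while the `-extensions v3_ca`/`v3_intermediate_ca`/`server_ext`/`user_ext` arguments given to `openssl req` only affect the CSR and are not copied by `openssl ca`; those selectors probably need to move to the corresponding `openssl ca` lines for the chain to validate.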