test-profiles/test_resources/ssl/generate-java-keystores.sh - qpid-broker-j - Git at Google

 #!/usr/bin/env bash
 #
 # Licensed to the Apache Software Foundation (ASF) under one
 # or more contributor license agreements.  See the NOTICE file
 # distributed with this work for additional information
 # regarding copyright ownership.  The ASF licenses this file
 # to you under the Apache License, Version 2.0 (the
 # "License"); you may not use this file except in compliance
 # with the License.  You may obtain a copy of the License at
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing,
 # software distributed under the License is distributed on an
 # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 # KIND, either express or implied.  See the License for the
 # specific language governing permissions and limitations
 # under the License.
 #

 echo "Remove existing keystore for Apache Qpid Broker-J "
 rm java_broker_keystore.jks
 echo "Re-create keystore for Apache Qpid Broker-J  by importing RootCA certificate"
 keytool -importcert -v -keystore java_broker_keystore.jks -keysize 2048 -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
 echo "Generate certificate key 'java-broker'"
 keytool -genkey -alias java-broker -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_broker_keystore.jks -storepass password -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"  -storetype pkcs12
 echo "Export certificate signing request"
 keytool -certreq -alias java-broker -sigalg SHA512withRSA -keystore java_broker_keystore.jks -storepass password -v -file java_broker.req  -storetype pkcs12
 echo "Sign certificate by entering:"
 echo "  n for 'Is this a CA certificate [y/N]?'"
 echo "  [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
 echo "  n for 'Is this a critical extension [y/N]?'"
 echo "  password which was specified on creation root CA database."
 certutil -C -d CA_db -c "MyRootCA" -a -i java_broker.req -o java_broker.crt -2 -6 --extKeyUsage serverAuth -v 60 -g 4096
 echo "Import signed certificate"
 keytool -importcert -v -alias java-broker -keystore java_broker_keystore.jks -storepass password -file java_broker.crt  -storetype pkcs12 -noprompt
 echo "List keystore entries"
 keytool --list --keystore java_broker_keystore.jks -storepass password  -storetype pkcs12

 read -p "Press [Enter] key to continue..."
 echo "Remove existing client keystore"
 rm java_client_keystore.jks
 echo "Re-create client keystore by importing RootCA certificate"
 keytool -importcert -v -keystore java_client_keystore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt

 echo "Generate key for certificate 'app2'"
 keytool -genkey -alias app2 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password  -dname "CN=app2@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA"  -storetype pkcs12
 echo "Export certificate signing request for 'app2'"
 keytool -certreq -alias app2 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app2.req  -storetype pkcs12
 echo "Sign certificate 'app2' by entering:"
 echo "  n for 'Is this a CA certificate [y/N]?'"
 echo "  '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
 echo "  n for 'Is this a critical extension [y/N]?'"
 echo "  password which was specified on creation root CA database."
 certutil -C -d CA_db -c "MyRootCA" -a -i app2.req -o app2.crt -2 -6  --extKeyUsage clientAuth -v 60 -Z SHA512
 echo "Import signed certificate 'app2'"
 keytool -importcert -v -alias app2 -keystore java_client_keystore.jks -storepass password -file app2.crt  -storetype pkcs12 -noprompt

 echo "Generate key for certificate 'app1'"
 keytool -genkey -alias app1 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password  -dname "CN=app1@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA"  -storetype pkcs12
 echo "Export certificate signing request for 'app1'"
 keytool -certreq -alias app1 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app1.req
 echo "Sign certificate 'app1' by entering:"
 echo "  n for 'Is this a CA certificate [y/N]?'"
 echo "  '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
 echo "  n for 'Is this a critical extension [y/N]?'"
 echo "  password which was specified on creation of root CA database."
 certutil -C -d CA_db -c "MyRootCA" -a -i app1.req -o app1.crt -2 -6  --extKeyUsage clientAuth -v 60 -Z SHA512
 echo "Import signed certificate 'app1'"
 keytool -importcert -v -alias app1 -keystore java_client_keystore.jks -storepass password -file app1.crt  -storetype pkcs12 -noprompt
 echo "List entries in client keystore"
 keytool --list --keystore java_client_keystore.jks  -storepass password

 read -p "Press [Enter] key to continue..."
 echo "Remove existing client truststore"
 rm java_client_truststore.jks
 echo "Re-create client truststore by importing RootCA certificate"
 keytool -importcert -v -keystore java_client_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt
 echo "List entries in client trusttore"
 keytool --list --keystore java_client_truststore.jks  -storepass password  -storetype pkcs12

 read -p "Press [Enter] key to continue..."
 echo "Remove existing broker truststore"
 rm java_broker_truststore.jks
 echo "Re-create broker truststore by importing RootCA certificate"
 keytool -importcert -v -keystore java_broker_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt  -storetype pkcs12 -noprompt
 echo "List entries in broker truststore"
 keytool --list --keystore java_broker_truststore.jks  -storepass password  -storetype pkcs12

 read -p "Press [Enter] key to continue..."
 echo "Remove existing broker peerstore"
 rm java_broker_peerstore.jks
 echo "Re-create broker peerstore by importing app1 certificate"
 keytool -importcert -v -keystore java_broker_peerstore.jks -storepass password -alias app1 -file app1.crt  -storetype pkcs12 -noprompt
 echo "List entries in broker peerstore"
 keytool --list --keystore java_broker_peerstore.jks  -storepass password  -storetype pkcs12

 cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_keystore.jks
 keytool -importcert -v -alias app1 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app1.crt  -storetype pkcs12 -noprompt
 keytool -importcert -v -alias app2 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app2.crt  -storetype pkcs12 -noprompt

 cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
 keytool -delete -v -alias rootca  -keystore ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -storepass password

 cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
 keytool -delete -v -alias java-broker  -keystore ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -storepass password

 cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
 keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype pkcs12 -keystore ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -storepass password

 cp java_broker.req ../../../broker-core/src/test/resources/ssl/java_broker.req
 cp java_broker.crt ../../../broker-core/src/test/resources/ssl/java_broker.crt

 cp expired.crt ../../../broker-core/src/test/resources/ssl/expired.crt
 cp java_client_expired_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
 cp java_broker_expired_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12

 cp java_broker_peerstore.jks ../../../broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
 cp java_broker_truststore.jks  ../../../broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
 cp java_broker_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
 cp java_broker_keystore.jks  ../../../systests/qpid-systests-http-management/src/main/resources/java_broker_keystore.jks
 cp java_client_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
 cp java_client_truststore.jks  ../../../broker-core/src/test/resources/ssl/java_client_truststore.pkcs12

 rm java_client_untrusted_keystore.jks
 keytool -genkey -keystore java_client_untrusted_keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -alias untrusted_client -storepass password  -storetype pkcs12 -dname "CN=untrusted_client"
 cp java_client_untrusted_keystore.jks  ../../../broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12
	#!/usr/bin/env bash
	#
	# Licensed to the Apache Software Foundation (ASF) under one
	# or more contributor license agreements. See the NOTICE file
	# distributed with this work for additional information
	# regarding copyright ownership. The ASF licenses this file
	# to you under the Apache License, Version 2.0 (the
	# "License"); you may not use this file except in compliance
	# with the License. You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing,
	# software distributed under the License is distributed on an
	# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	# KIND, either express or implied. See the License for the
	# specific language governing permissions and limitations
	# under the License.
	#

	echo "Remove existing keystore for Apache Qpid Broker-J "
	rm java_broker_keystore.jks
	echo "Re-create keystore for Apache Qpid Broker-J by importing RootCA certificate"
	keytool -importcert -v -keystore java_broker_keystore.jks -keysize 2048 -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
	echo "Generate certificate key 'java-broker'"
	keytool -genkey -alias java-broker -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_broker_keystore.jks -storepass password -dname "CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -storetype pkcs12
	echo "Export certificate signing request"
	keytool -certreq -alias java-broker -sigalg SHA512withRSA -keystore java_broker_keystore.jks -storepass password -v -file java_broker.req -storetype pkcs12
	echo "Sign certificate by entering:"
	echo " n for 'Is this a CA certificate [y/N]?'"
	echo " [Enter] for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
	echo " n for 'Is this a critical extension [y/N]?'"
	echo " password which was specified on creation root CA database."
	certutil -C -d CA_db -c "MyRootCA" -a -i java_broker.req -o java_broker.crt -2 -6 --extKeyUsage serverAuth -v 60 -g 4096
	echo "Import signed certificate"
	keytool -importcert -v -alias java-broker -keystore java_broker_keystore.jks -storepass password -file java_broker.crt -storetype pkcs12 -noprompt
	echo "List keystore entries"
	keytool --list --keystore java_broker_keystore.jks -storepass password -storetype pkcs12

	read -p "Press [Enter] key to continue..."
	echo "Remove existing client keystore"
	rm java_client_keystore.jks
	echo "Re-create client keystore by importing RootCA certificate"
	keytool -importcert -v -keystore java_client_keystore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt

	echo "Generate key for certificate 'app2'"
	keytool -genkey -alias app2 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app2@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12
	echo "Export certificate signing request for 'app2'"
	keytool -certreq -alias app2 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app2.req -storetype pkcs12
	echo "Sign certificate 'app2' by entering:"
	echo " n for 'Is this a CA certificate [y/N]?'"
	echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
	echo " n for 'Is this a critical extension [y/N]?'"
	echo " password which was specified on creation root CA database."
	certutil -C -d CA_db -c "MyRootCA" -a -i app2.req -o app2.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512
	echo "Import signed certificate 'app2'"
	keytool -importcert -v -alias app2 -keystore java_client_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt

	echo "Generate key for certificate 'app1'"
	keytool -genkey -alias app1 -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -validity 720 -keystore java_client_keystore.jks -storepass password -dname "CN=app1@acme.org, OU=art, O=acme, L=Toronto, ST=ON, C=CA" -storetype pkcs12
	echo "Export certificate signing request for 'app1'"
	keytool -certreq -alias app1 -sigalg SHA512withRSA -keystore java_client_keystore.jks -storepass password -v -file app1.req
	echo "Sign certificate 'app1' by entering:"
	echo " n for 'Is this a CA certificate [y/N]?'"
	echo " '-1' for 'Enter the path length constraint, enter to skip [<0 for unlimited path]: >'"
	echo " n for 'Is this a critical extension [y/N]?'"
	echo " password which was specified on creation of root CA database."
	certutil -C -d CA_db -c "MyRootCA" -a -i app1.req -o app1.crt -2 -6 --extKeyUsage clientAuth -v 60 -Z SHA512
	echo "Import signed certificate 'app1'"
	keytool -importcert -v -alias app1 -keystore java_client_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt
	echo "List entries in client keystore"
	keytool --list --keystore java_client_keystore.jks -storepass password

	read -p "Press [Enter] key to continue..."
	echo "Remove existing client truststore"
	rm java_client_truststore.jks
	echo "Re-create client truststore by importing RootCA certificate"
	keytool -importcert -v -keystore java_client_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
	echo "List entries in client trusttore"
	keytool --list --keystore java_client_truststore.jks -storepass password -storetype pkcs12

	read -p "Press [Enter] key to continue..."
	echo "Remove existing broker truststore"
	rm java_broker_truststore.jks
	echo "Re-create broker truststore by importing RootCA certificate"
	keytool -importcert -v -keystore java_broker_truststore.jks -storepass password -alias RootCA -file CA_db/rootca.crt -storetype pkcs12 -noprompt
	echo "List entries in broker truststore"
	keytool --list --keystore java_broker_truststore.jks -storepass password -storetype pkcs12

	read -p "Press [Enter] key to continue..."
	echo "Remove existing broker peerstore"
	rm java_broker_peerstore.jks
	echo "Re-create broker peerstore by importing app1 certificate"
	keytool -importcert -v -keystore java_broker_peerstore.jks -storepass password -alias app1 -file app1.crt -storetype pkcs12 -noprompt
	echo "List entries in broker peerstore"
	keytool --list --keystore java_broker_peerstore.jks -storepass password -storetype pkcs12

	cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_keystore.jks
	keytool -importcert -v -alias app1 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app1.crt -storetype pkcs12 -noprompt
	keytool -importcert -v -alias app2 -keystore ../../../broker-core/src/test/resources/ssl/test_keystore.jks -storepass password -file app2.crt -storetype pkcs12 -noprompt

	cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12
	keytool -delete -v -alias rootca -keystore ../../../broker-core/src/test/resources/ssl/test_pk_only_keystore.pkcs12 -storepass password

	cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12
	keytool -delete -v -alias java-broker -keystore ../../../broker-core/src/test/resources/ssl/test_cert_only_keystore.pkcs12 -storepass password

	cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12
	keytool -genseckey -alias testalias -keyalg AES -keysize 256 -storetype pkcs12 -keystore ../../../broker-core/src/test/resources/ssl/test_symmetric_key_keystore.pkcs12 -storepass password

	cp java_broker.req ../../../broker-core/src/test/resources/ssl/java_broker.req
	cp java_broker.crt ../../../broker-core/src/test/resources/ssl/java_broker.crt

	cp expired.crt ../../../broker-core/src/test/resources/ssl/expired.crt
	cp java_client_expired_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_expired_keystore.pkcs12
	cp java_broker_expired_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_expired_truststore.pkcs12

	cp java_broker_peerstore.jks ../../../broker-core/src/test/resources/ssl/java_broker_peerstore.pkcs12
	cp java_broker_truststore.jks ../../../broker-core/src/test/resources/ssl/java_broker_truststore.pkcs12
	cp java_broker_keystore.jks ../../../broker-core/src/test/resources/ssl/java_broker_keystore.pkcs12
	cp java_broker_keystore.jks ../../../systests/qpid-systests-http-management/src/main/resources/java_broker_keystore.jks
	cp java_client_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_keystore.pkcs12
	cp java_client_truststore.jks ../../../broker-core/src/test/resources/ssl/java_client_truststore.pkcs12

	rm java_client_untrusted_keystore.jks
	keytool -genkey -keystore java_client_untrusted_keystore.jks -keyalg RSA -keysize 2048 -sigalg SHA512withRSA -alias untrusted_client -storepass password -storetype pkcs12 -dname "CN=untrusted_client"
	cp java_client_untrusted_keystore.jks ../../../broker-core/src/test/resources/ssl/java_client_untrusted_keystore.pkcs12