tolbertam commented on code in PR #1805:
URL: https://github.com/apache/cassandra-gocql-driver/pull/1805#discussion_r1736568345


##########
testdata/pki/generate_certs.sh:
##########
@@ -0,0 +1,93 @@
+#! /bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This script generates the various certificates used for integration
+# tests.  All certificates are created with a validity of 3650 days,
+# or 10 years.  Therefore, this only needs to be used sparingly,
+# although could eventually be repurposed to regenerate certificates
+# as part of setting up the integration test harness. 
+
+set -eux
+
+# How long certificates should be considered valid, 10 years
+VALIDITY=3650
+
+# Generate 4096-bit unencrypted RSA private key using aes256
+function generatePrivateKey() {
+    base=$1
+    rm -fv ${base}.key
+    echo "Generating private key ${base}.key"
+    # Generate Private Key
+    openssl genrsa -aes256 -out ${base}.key -passout pass:cassandra 4096
+    echo "Decrypting ${base}.key"
+    # Decrypt Private Key
+    openssl rsa -in ${base}.key -out ${base}.key -passin pass:cassandra
+}
+
+# Generate a X509 Certificate signed by the generated CA
+function generateCASignedCert() {
+    base=$1
+    rm -fv ${base}.csr ${base}.crt
+    # Generate Certificate Signing Request
+    echo "Generating certificate signing request ${base}.csr"
+    openssl req -new -key ${base}.key -out ${base}.csr -config ${base}.cnf
+    # Generate Certificate using CA
+    echo "Generating certificate ${base}.crt"
+    openssl x509 -req -in ${base}.csr -CA ca.crt -CAkey ca.key \
+                 -CAcreateserial -out ${base}.crt -days $VALIDITY \
+                 -extensions req_ext -extfile ${base}.cnf
+    rm -fv ${base}.csr
+}
+
+# CA
+# Generate CA that signs both gocql and cassandra certs
+generatePrivateKey ca
+# Generate CA Certificate
+echo "Generating CA certificate ca.crt"
+rm -fv ca.crt
+openssl req -x509 -new -nodes -key ca.key -days $VALIDITY -out ca.crt -config 
ca.cnf -reqexts v3_req -extensions req_ext
+
+# Import CA certificate into PKCS12 truststore so it can be used by Cassandra.
+# Note that keytool is used here because java's PKCS12 keystore implementation
+# requires additional bag attributes that openssl doesn't provide.
+echo "Generating truststore .truststore for Cassandra"
+rm -fv .truststore
+keytool -import -keystore .truststore -trustcacerts \
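Review bot: generatePrivateKey encrypts the key with -aes256 under a fixed passphrase and then immediately decrypts it in place, reading and writing the same ${base}.key, so the encryption step protects nothing and the function comment ("unencrypted RSA private key using aes256") contradicts itself. Consider writing the unencrypted key in one step by dropping -aes256 and -passout from the genrsa call and removing the openssl rsa decrypt call. That also keeps the passphrase off the command line and avoids using one file as both -in and -out. Separately, ${base} and $VALIDITY are unquoted throughout; quoting them ("${base}.key") keeps rm -fv and the openssl calls safe if a name ever contains whitespace or glob characters.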

Review Comment:
   It's probably for the best as I encountered compatibility problems even 
while testing.  I've pushed an update to use JKS instead.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
