From 22e55d0b4fb2d51d09bb845622f12c74e2968e63 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:37:24 +0000
Subject: [PATCH 1/7] Dockerfile config to include the necessary files for certificate management

---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 95748f3..e3b575d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,3 +45,10 @@ ADD docker/web/index.html /var/www/html/
 #smartdata/Config.php
 #RUN mkdir /usr/local/tmp/ && touch /usr/local/tmp/log && chmod 777 /usr/local/tmp/log
+
+# Certificate management
+RUN mkdir /certmanager
+ADD docker/certmanager/config /certmanager/
+ADD docker/certmanager/genclient.sh /certmanager/
+ADD docker/certmanager/create-ca.sh /certmanager/
+
-- 
GitLab

From 3fdba10aa2f64f0644c50912eaa9c1e57ab3cf34 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:38:00 +0000
Subject: [PATCH 2/7] Config in docker-compose to map certificates directories to local folder, for persistence

---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 8351ac6..4a33759 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,6 +12,7 @@ services:
 #TODO Fix this in the code
 - ./tmp:/var/www/html/tmp
 - ./tmp:/smartdata/tmp
+ - ./docker/certmanager/certificates:/certmanager/certificates
 #TODO Custom certificates
 #- ./crt:/etc/apache2/ssl/server.crt
 #- ./key:/etc/apache2/ssl/server.key
-- 
GitLab

From 1cf51c538e7e5a857ce5077633b78c244ed120b5 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:41:02 +0000
Subject: [PATCH 3/7] Correcting .gitignore

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index da9bbec..1ce60fa 100644
--- a/.gitignore
+++ b/.gitignore
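Review bot: The three `ADD docker/certmanager/... /certmanager/` lines should be `COPY`; `ADD` also unpacks archives and fetches URLs, which none of these local files need, and `COPY` states the intent precisely. The preceding `RUN mkdir /certmanager` is redundant because the copy creates the destination, yet both scripts later `cd certificates` inside it and, as far as this hunk shows, nothing in the image creates that subdirectory — it only exists through the compose bind mount added in the next patch. Replacing the mkdir with `RUN mkdir -p /certmanager/certificates` gives a container started without the mount the directory the scripts expect, so they do not fall through to writing keys into `/certmanager` itself.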
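Review bot: The new `./docker/certmanager/certificates:/certmanager/certificates` mount is where create-ca.sh and genclient.sh write the CA private key and every client key in clear, so that host directory becomes the most sensitive part of the deployment and the hunk says nothing about it. Files in it are created by the container process (root unless the service sets a `user`), and nothing here restricts who on the host can read them; a comment next to the mount, `# holds the CA key and client keys unencrypted - keep this directory private`, plus a note on expected permissions in the README would make the requirement explicit. The `docker/certmanager/.gitignore` added later in this series keeps the directory out of git, which is the right complement but does not address host-side access.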
@@ -8,7 +8,7 @@ bin/workflow/tutorial/
 cassandra
 certmanager
 log
-.*
+/.*
 bin/workflow
 new/
 prometheus/
-- 
GitLab

From c8cec2320c629c0c2c8fe0b2b8dbfb34dad455fd Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:42:36 +0000
Subject: [PATCH 4/7] Scripts and config for client certificate management

---
 docker/certmanager/.gitignore | 1 +
 docker/certmanager/config | 12 +++++++
 docker/certmanager/create-ca.sh | 7 ++++
 docker/certmanager/genclient.sh | 59 +++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 docker/certmanager/.gitignore
 create mode 100644 docker/certmanager/config
 create mode 100755 docker/certmanager/create-ca.sh
 create mode 100755 docker/certmanager/genclient.sh

diff --git a/docker/certmanager/.gitignore b/docker/certmanager/.gitignore
new file mode 100644
index 0000000..195e616
--- /dev/null
+++ b/docker/certmanager/.gitignore
@@ -0,0 +1 @@
+/certificates/
\ No newline at end of file
diff --git a/docker/certmanager/config b/docker/certmanager/config
new file mode 100644
index 0000000..d265935
--- /dev/null
+++ b/docker/certmanager/config
@@ -0,0 +1,12 @@
+export CERTNAME=rootCA
+export KEYSIZE=2048
+export CLIENTEXP=1491
+export ROOTEXP=2992
+
+export NUMCLIENTS=1
+
+export STATE="SC"
+export CITY="Florianopolis"
+export ORG="UFSC"
+export UNIT="Lisha"
+export HOST="localhost"
diff --git a/docker/certmanager/create-ca.sh b/docker/certmanager/create-ca.sh
new file mode 100755
index 0000000..91fe315
--- /dev/null
+++ b/docker/certmanager/create-ca.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+cd /certmanager
+
+. config
+openssl genpkey -algorithm RSA -out certificates/rootCA.key -pkeyopt rsa_keygen_bits:2048
+openssl req -x509 -new -nodes -key certificates/rootCA.key -sha256 -days 3650 -out certificates/rootCA.pem -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -set_serial "0x$(openssl rand -hex 8)"
\ No newline at end of file
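Review bot: The new `config` file has no header saying what consumes it, and because both scripts load it with `. config` it is executed as shell rather than parsed as data, so a maintainer needs to know the values must stay shell-safe and that `HOST` becomes the subject CN of every client certificate genclient.sh issues, not only a server name. A top comment such as `# Sourced (. config) by create-ca.sh and genclient.sh: CERTNAME is the CA file basename, KEYSIZE applies to CA and client keys, CLIENTEXP/ROOTEXP are validity in days, HOST is the CN of every generated client cert` would cover it. `CLIENTEXP=1491` and `ROOTEXP=2992` are passed straight to `-days`, so naming the unit in the comment avoids guessing.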
diff --git a/docker/certmanager/genclient.sh b/docker/certmanager/genclient.sh
new file mode 100755
index 0000000..6c5dccb
--- /dev/null
+++ b/docker/certmanager/genclient.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Caciano Machado/Juliano Zatta - 16/10/2017
+
+cd /certmanager
+
+. config
+
+cd certificates
+
+# Initilize if not available the certificate list
+NUMPREVCERT=`tail -n 1 certificate_list | cut -d " " -f 1`
+ISNUM='^[0-9]+$'
+
+# Update - 30-10-2020 - Roberto M. Scheffel - Added receiver and purpose description, for documentation
+
+receiver=$1
+descr=$2
+if [ -z "$receiver" ]
+then
+ echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.'
+ exit
+fi
+if [ -z "$descr" ]
+then
+ echo 'Usage: ' $0 '<receiver name>' '<purpose short description>.'
+ exit
+fi
+
+if [[ -a certificate_list ]]; then
+ if ! [[ $NUMPREVCERT =~ $ISNUM ]]; then
+ echo "ERROR: File certificate_list corrupted. This file stores the list of generated certificates and respective serial numbers."
+ exit -1
+ fi
+ CURRCLIENT=$((NUMPREVCERT + 1))
+ LASTCLIENT=$((NUMCLIENTS + NUMPREVCERT))
+else
+ CURRCLIENT=1
+ LASTCLIENT=$NUMCLIENTS
+fi
+
+for i in `seq $CURRCLIENT $LASTCLIENT`; do
+ # Generate RSA key
+
+ echo "openssl genrsa -out client-$i.key $KEYSIZE"
+ openssl genrsa -out client-$i.key $KEYSIZE
+
+ # Generate certificate request
+ echo "openssl req -subj \"/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST\" -new -key client-$i.key -out client-$i.req"
+ openssl req -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -new -key client-$i.key -out client-$i.req
+ # Generate certificate
+ echo "openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256"
+ openssl x509 -req -in client-$i.req -CA ${CERTNAME}.pem -CAkey ${CERTNAME}.key -CAcreateserial -out client-$i.pem -days $CLIENTEXP -sha256
+ serial=`openssl x509 -in client-$i.pem -serial -noout | cut -d "=" -f 2`
+ echo $i $serial
+ echo $i $serial `date "+%F-%T"` `whoami` ' | ' $receiver ' | ' $descr >> certificate_list
+ mv client-$i.key client-$i-$serial.key
+ mv client-$i.pem client-$i-$serial.pem
+ rm -f client-$i.req
+done
\ No newline at end of file
-- 
GitLab

From c2b3d382a8b42a37dbd6cef94d9ef4bc429839f6 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 13:45:02 +0000
Subject: [PATCH 5/7] Included usage documentation

---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/README.md b/README.md
index 8346e75..d0ad945 100644
--- a/README.md
+++ b/README.md
@@ -4,3 +4,15 @@ cp bin/smartdata/Config.php.template bin/smartdata/Config.php
 ```
 * Edit `bin/smartdata/Config.php` to customize your environment.
+
+# Initial setup
+Execute the following command to create the CA certificate in the environment:
+```
+docker compose exec -it web /certmanager/create-ca.sh
+```
+
+# Create client certificates
+Execute the following command to create client certificates:
+```
+docker compose exec -it web /certmanager/genclient.sh clientId clientDescription
+```
-- 
GitLab

From 3c2980eebc90cfec91b902c968a6158ea1766916 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 14:21:26 +0000
Subject: [PATCH 6/7] Fix for correct certificate serial size creation

---
 docker/certmanager/create-ca.sh | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/docker/certmanager/create-ca.sh b/docker/certmanager/create-ca.sh
index 91fe315..929a585 100755
--- a/docker/certmanager/create-ca.sh
+++ b/docker/certmanager/create-ca.sh
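Review bot: The signing line `openssl x509 -req ... -CAcreateserial ... -days $CLIENTEXP -sha256` passes no `-extfile`, so the client certificates are issued with no extensions at all — no `basicConstraints=CA:FALSE` and no `extendedKeyUsage=clientAuth` — and every one of them gets the identical subject `CN=$HOST` (`localhost` with the shipped config), so a relying party can only distinguish clients by serial number. Writing a small extension file once before the loop, `printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext`, and appending `-extfile client.ext` to that command restricts what a leaked client key is good for, and carrying a sanitised `$receiver` in the CN or a SAN would make each certificate self-describing instead of depending on `certificate_list`; whether the consuming service identifies clients by CN or serial is not visible here, so check that before changing the subject. Separately, the two usage branches `exit` with status 0 and the corrupted-list branch uses `exit -1` (reported as 255) — all three should be `exit 1` — and the unchecked `cd /certmanager` / `cd certificates` at the top, with no `set -e`, mean a missing certificates directory silently puts the keys in `/certmanager` itself; `cd /certmanager/certificates || exit 1` closes that. The `tail -n 1 certificate_list` on the `NUMPREVCERT` line also runs before the `[[ -a certificate_list ]]` check, so the first run prints a spurious "No such file" error; moving that assignment inside the `if` removes it.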
@@ -1,7 +1,18 @@
 #!/bin/bash
+# Caciano Machado/Juliano Zatta - 16/10/2017
 
 cd /certmanager
 
 . config
-openssl genpkey -algorithm RSA -out certificates/rootCA.key -pkeyopt rsa_keygen_bits:2048
-openssl req -x509 -new -nodes -key certificates/rootCA.key -sha256 -days 3650 -out certificates/rootCA.pem -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$HOST" -set_serial "0x$(openssl rand -hex 8)"
\ No newline at end of file
+
+cd certificates
+
+if [ -a ${CERTNAME}.pem ]; then
+ echo "WARNING: Certificate with name $CERTNAME already exists."
+ echo "WARNING: If you really want to delete it then do it manually."
+else
+ ROOTCA_SERIAL=`openssl rand -hex 8`
+ openssl genrsa -out ${CERTNAME}.key $KEYSIZE
+ openssl req -subj "/C=BR/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=Root\ Certificate" -x509 -new -nodes -key ${CERTNAME}.key -sha256 -days $ROOTEXP -out ${CERTNAME}.pem -set_serial "0x$ROOTCA_SERIAL"
+ echo $ROOTCA_SERIAL > rootCA.srl
+fi
\ No newline at end of file
-- 
GitLab

From 56299dfa3ce0b4ce01d56eac9c3564e16c883479 Mon Sep 17 00:00:00 2001
From: Rodrigo Goncalves <rodrigo.g@ufsc.br>
Date: Mon, 5 Aug 2024 14:25:11 +0000
Subject: [PATCH 7/7] Fix root .gitignore to allow certmanager

---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 1ce60fa..6244ba5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,7 @@ tmp/*
 bin/smartdata/importers/
 bin/workflow/tutorial/
 cassandra
-certmanager
+/certmanager
 log
 /.*
 bin/workflow
-- 
GitLab
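Review bot: `echo $ROOTCA_SERIAL > rootCA.srl` hardcodes the file name while every other path in the `else` branch is built from `${CERTNAME}`, and genclient.sh's `-CA ${CERTNAME}.pem -CAcreateserial` looks for `${CERTNAME}.srl`, so the seeded serial file is only picked up when `CERTNAME` is left at `rootCA`; it should read `echo "$ROOTCA_SERIAL" > "${CERTNAME}.srl"`. The `cd /certmanager` and `cd certificates` lines are unchecked and the script has no `set -e`, so if the certificates directory is missing the existence guard on `${CERTNAME}.pem` passes trivially and the CA key and certificate are created wherever the shell happens to be; `cd /certmanager/certificates || exit 1` keeps the guard meaningful. `[ -a ${CERTNAME}.pem ]` is the non-POSIX spelling of `[ -e "${CERTNAME}.pem" ]`. The CA key from `genrsa` is written unencrypted into the bind-mounted directory; if unattended signing is the intent, a comment above that line saying so, and that the directory must stay private, documents the trade-off for whoever inherits this. This hunk covers the whole file, so no other code path guards these steps.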