pax_global_header00006660000000000000000000000064147735105470014527gustar00rootroot0000000000000052 comment=ad3951fd2b485f7d818068f44033e6f1a528e8f7 helper-scripts-master/000077500000000000000000000000001477351054700153305ustar00rootroot00000000000000helper-scripts-master/README.md000066400000000000000000000010711477351054700166060ustar00rootroot00000000000000# helper-scripts This repository holds a set of helper-scripts used in CNAF SD CI/CD infrastructure The [x509-scripts](x509-scripts) directory contains a collection of scripts to manage a Certification Authority for testing purposes. The recommended way to use this repository is to clone when needed and add the `scripts` and/or the `x509-scripts/scripts` directories to the `PATH`, for example: ```shell git clone --depth 1 https://baltig.infn.it/mw-devel/helper-scripts.git PATH=$(pwd)/helper-scripts/scripts:$(pwd)/helper-scripts/x509-scripts/scripts:$PATH ``` helper-scripts-master/scripts/000077500000000000000000000000001477351054700170175ustar00rootroot00000000000000helper-scripts-master/scripts/build-docker-image.sh000077500000000000000000000030501477351054700230000ustar00rootroot00000000000000#!/bin/bash # Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2019 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # set -ex # Check for env file in current dir if [ -r .env ]; then set -a source ./.env set +a fi if [ -n "${DOCKER_VERBOSE}" ]; then set -x else set +x fi if [ -z "${DOCKER_IMAGE}" ]; then echo "Please set the DOCKER_IMAGE env variable" exit 1 fi DOCKER_FILE=${DOCKER_FILE:-Dockerfile} DOCKER_OPTS=${DOCKER_OPTS:-"--rm=true --no-cache=true"} DOCKER_TAG=${DOCKER_TAG:-"latest"} docker build -f ${DOCKER_FILE} \ ${DOCKER_OPTS} \ -t ${DOCKER_IMAGE}:${DOCKER_TAG} . if [ -n "${DOCKER_GIT_TAG_ENABLED}" ]; then GIT_COMMIT_SHA=${CI_COMMIT_SHORT_SHA:-$(git rev-parse --short HEAD)} GIT_BRANCH_NAME=${CI_COMMIT_REF_SLUG:-$(echo ${BRANCH_NAME-$(git rev-parse --abbrev-ref HEAD)}|sed 's#/#_#g')} docker tag ${DOCKER_IMAGE} ${DOCKER_IMAGE}:${GIT_COMMIT_SHA} if [[ -n ${GIT_BRANCH_NAME} ]] && [[ "${GIT_BRANCH_NAME}" != "HEAD" ]]; then docker tag ${DOCKER_IMAGE} ${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest fi fi helper-scripts-master/scripts/docker-prune.sh000077500000000000000000000001641477351054700217550ustar00rootroot00000000000000#!/bin/bash set -x docker container prune -f docker volume prune -f docker image prune -f docker network prune -f helper-scripts-master/scripts/kaniko-build.sh000077500000000000000000000023431477351054700217310ustar00rootroot00000000000000#!/busybox/sh set -e # Check for env file in current dir if [ -r "$(pwd)/.env" ]; then set -a source "$(pwd)/.env" set +a fi if [ -n "${DOCKER_VERBOSE}" ]; then set -x fi if [ -z "${DOCKER_IMAGE}" ]; then echo "Please set the DOCKER_IMAGE env variable" exit 1 fi DOCKER_TAG=${DOCKER_TAG:-"latest"} KANIKO_OPTS=${KANIKO_OPTS:-"--skip-tls-verify --cleanup"} KANIKO_EXECUTOR=${KANIKO_EXECUTOR:-"/kaniko/executor"} dest_opts="--destination ${DOCKER_IMAGE}:${DOCKER_TAG}" echo "Building image ${DOCKER_IMAGE}:${DOCKER_TAG}" GIT_BRANCH_NAME=$(echo ${GIT_BRANCH}|sed 's#/#_#g') if [[ -n "${DOCKER_GIT_TAG_ENABLED}" ]] && [[ -n "${GIT_COMMIT}" ]]; then COMMIT_IMG_NAME="${DOCKER_IMAGE}:${GIT_COMMIT:0:8}" dest_opts="${dest_opts} --destination ${COMMIT_IMG_NAME}" echo "Commit tag: ${COMMIT_IMG_NAME}" if [[ -n ${GIT_BRANCH_NAME} ]] && [[ "${GIT_BRANCH_NAME}" != "HEAD" ]]; then BRANCH_IMG_NAME="${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest" echo "Branch tag: ${BRANCH_IMG_NAME}" dest_opts="${dest_opts} --destination ${BRANCH_IMG_NAME}" fi fi if [ -z "${DOCKER_PUSH_TO_DOCKERHUB}" ]; then dest_opts="${dest_opts} --no-push" fi ${KANIKO_EXECUTOR} -f "$(pwd)/Dockerfile" -c "$(pwd)" ${KANIKO_OPTS} ${dest_opts} helper-scripts-master/scripts/nexus-assets-flat-upload000077500000000000000000000036061477351054700236220ustar00rootroot00000000000000#!/bin/bash set -e if [ -n "$NX_VERBOSE" ]; then set -x fi usage(){ echo "Usage: $0 [option]" >&2 echo echo " -h, --help show this help" echo " -u, --username username for basic authentication" echo " -p, --password password for basic authentication" echo " -H, --baseurl URL of Nexus instance " echo " -r, --reponame name of the repository where to put artifacts " echo " -d, --directory name of the source directory containing the artifacts " echo " -f, --form use form content-type" echo } while getopts ":hu:p:H:r:d:f" opt; do case $opt in h | --help) usage; exit 0 >&2;; u | --username) username=$OPTARG;; p | --password) password=$OPTARG;; H | --baseurl) baseurl=$OPTARG;; r | --reponame) reponame=$OPTARG;; d | --directory) directory=$OPTARG;; f | --form) use_form='y';; \?) echo "Invalid option: -$OPTARG" >&2 exit 1 ;; :) echo "Option -$OPTARG requires an argument." >&2 exit 1 ;; esac done dirname=`basename ${directory}` parentdir=`dirname ${directory}` curl_opts=${NX_CURL_OPTS:-"-s"} cd ${parentdir} for file in `find ${dirname} -type f`; do xfer_opts="${curl_opts} -w %{http_code} --user ${username}:${password}" if [ -n "${use_form}" ]; then target="${baseurl}/repository/${reponame}/" echo -n "${file} -> ${target}: ..." output=$(curl ${xfer_opts} -X POST -H 'Content-Type: multipart/form-data' --data-binary "@${file}" ${target} || : ) else target="${baseurl}/repository/${reponame}/$(basename ${file})" echo -n "${file} -> ${target}: ..." output=$(curl ${xfer_opts} --upload-file ${file} ${target} | tail -1 || : ) fi result=$(echo ${output} | tail -1) if [[ ! ${result} == 20* ]]; then echo -n "Transfer error!" echo ${output} exit 1 fi echo "${result}" done helper-scripts-master/scripts/nexus-assets-list000077500000000000000000000023071477351054700223620ustar00rootroot00000000000000#!/bin/bash #set -xe usage(){ echo "Usage: $0 [option]" >&2 echo echo " -h, --help show this help" echo " -u, --username username for basic authentication" echo " -p, --password password for basic authentication" echo " -H, --baseurl URL of Nexus instance " echo " -r, --reponame name of the repository to list " echo " -q, --query string to search to filter the results " echo } while getopts ":hu:p:H:r:q:" opt; do case $opt in h | --help) usage; exit 0 >&2;; u | --username) username=$OPTARG;; p | --password) password=$OPTARG;; H | --baseurl) baseurl=$OPTARG;; r | --reponame) reponame=$OPTARG;; q | --query) filter=$OPTARG;; \?) echo "Invalid option: -$OPTARG" >&2 exit 1 ;; :) echo "Option -$OPTARG requires an argument." >&2 exit 1 ;; esac done url=${baseurl}/service/rest/v1/script/repoassetslister/run curl -s -XPOST -u ${username}:${password} ${url} \ -H "Content-Type: text/plain" \ -d "{\"repoName\":\"${reponame}\", \"startDate\":\"1970-01-01\"}" \ | jq .result | tr ',' '\n' | grep ${filter} | tr -d '\\\"[]{}' | sed s#assets:##g helper-scripts-master/scripts/nexus-assets-remove000077500000000000000000000025341477351054700227060ustar00rootroot00000000000000#!/bin/bash #set -xe usage(){ echo "Usage: $0 [option]" >&2 echo echo " -h, --help show this help" echo " -u, --username username for basic authentication" echo " -p, --password password for basic authentication" echo " -H, --baseurl URL of Nexus instance " echo " -r, --reponame name of the repository " echo " -q, --query string to search to filter the results " echo } while getopts ":hu:p:H:r:q:" opt; do case $opt in h | --help) usage; exit 0 >&2;; u | --username) username=$OPTARG;; p | --password) password=$OPTARG;; H | --baseurl) baseurl=$OPTARG;; r | --reponame) reponame=$OPTARG;; q | --query) filter=$OPTARG;; \?) echo "Invalid option: -$OPTARG" >&2 exit 1 ;; :) echo "Option -$OPTARG requires an argument." >&2 exit 1 ;; esac done url=${baseurl}/service/rest/v1/script/repoassetslister/run list=`curl -s -XPOST -u ${username}:${password} ${url} \ -H "Content-Type: text/plain" \ -d "{\"repoName\":\"${reponame}\", \"startDate\":\"1970-01-01\"}" \ | jq .result | tr ',' '\n' | grep ${filter} | tr -d '\\\"[]{}' | sed s#assets:##g` for elem in $list; do result=`curl -s -I -XDELETE -u ${username}:${password} ${baseurl}${elem} | head -n1` echo "${elem} -> ${result}" done helper-scripts-master/scripts/nexus-assets-upload000077500000000000000000000023331477351054700226720ustar00rootroot00000000000000#!/bin/bash set -xe usage(){ echo "Usage: $0 [option]" >&2 echo echo " -h, --help show this help" echo " -u, --username username for basic authentication" echo " -p, --password password for basic authentication" echo " -H, --baseurl URL of Nexus instance " echo " -r, --reponame name of the repository where to put artifacts " echo " -d, --directory name of the source directorty containing the artifacts " echo } while getopts ":hu:p:H:r:d:" opt; do case $opt in h | --help) usage; exit 0 >&2;; u | --username) username=$OPTARG;; p | --password) password=$OPTARG;; H | --baseurl) baseurl=$OPTARG;; r | --reponame) reponame=$OPTARG;; d | --directory) directory=$OPTARG;; \?) echo "Invalid option: -$OPTARG" >&2 exit 1 ;; :) echo "Option -$OPTARG requires an argument." >&2 exit 1 ;; esac done dirname=`basename ${directory}` parentdir=`dirname ${directory}` cd ${parentdir} for file in `find ${dirname} -type f`; do result=`curl -s -I --user ${username}:${password} --upload-file ${file} ${baseurl}/repository/${reponame}/${file} | head -n1` echo "${file} -> ${result}" done helper-scripts-master/scripts/pkg-build.sh000077500000000000000000000046511477351054700212420ustar00rootroot00000000000000#!/bin/bash set -ex set -a source ./build-env set +a if [ -z "${PLATFORM}" ]; then echo "PLATFORM is not defined" exit 1 fi p_comp_var_name="COMPONENTS_${PLATFORM}" # Allow to define components that are built only on specific platforms if [ -n "${!p_comp_var_name}" ]; then if [ -z "${COMPONENTS}" ]; then COMPONENTS=${!p_comp_var_name} else COMPONENTS="${COMPONENTS} ${!p_comp_var_name}" fi fi if [ -z "${COMPONENTS}" ]; then echo "COMPONENTS is not defined" exit 1 fi pkg_base_image_name="italiangrid/pkg.base:${PLATFORM}" volumes_conf=${PKG_VOLUMES_CONF:-""} if [ -n "${USE_DOCKER_REGISTRY}" ]; then pkg_base_image_name="${DOCKER_REGISTRY_HOST}/${pkg_base_image_name}" fi if [ -z "${PKG_VOLUMES_CONF}" ]; then if [ -n "${MVN_REPO_VOLUME}" ]; then volumes_conf="${volumes_conf} -v ${MVN_REPO_VOLUME}:/m2-repository" fi if [ -n "${STAGE_AREA_VOLUME}" ]; then volumes_conf="${volumes_conf} -v ${STAGE_AREA_VOLUME}:/stage-area" fi if [ -n "${PACKAGES_VOLUME}" ]; then volumes_conf="${volumes_conf} -v ${PACKAGES_VOLUME}:/packages" fi fi # Run packaging for c in ${COMPONENTS}; do build_env_file="$c/build-env" comp_name=$(echo ${c} | tr '[:lower:]' '[:upper:]' | tr '-' '_') var_names="BUILD_REPO PKG_PACKAGES_DIR PKG_STAGE_DIR PKG_TAG PKG_REPO PKG_STAGE_RPMS PKG_STAGE_SRPMS PKG_PUBLISH_PACKAGES PKG_NEXUS_USERNAME PKG_NEXUS_PASSWORD PKG_NEXUS_REPONAME PKG_NEXUS_HOST PKG_SIGN_PACKAGES PKG_SIGN_KEY_PASSWORD PKG_SIGN_PUB_KEY PKG_SIGN_PRI_KEY GPG_IMPORT_OPTS" ## Add component variable overrides for v in ${var_names}; do c_var_name="${v}_${comp_name}" if [ -n "${!c_var_name}" ]; then build_env="${build_env} -e ${v}=${!c_var_name}" elif [ -n "${!v}" ]; then build_env="${build_env} -e ${v}=${!v}" fi done ## Add platform variable overrides for v in ${var_names}; do p_var_name="${v}_${PLATFORM}" if [ -n "${!p_var_name}" ]; then build_env="${build_env} -e ${v}=${!p_var_name}" elif [ -n "${!v}" ]; then build_env="${build_env} -e ${v}=${!v}" fi done if [ "${INCLUDE_BUILD_NUMBER}" == "1" ]; then build_env="${build_env} -e BUILD_NUMBER=${PKG_BUILD_NUMBER:-test}" fi if [ -z "${PKG_SKIP_PULL}" ]; then docker pull ${pkg_base_image_name} fi docker run -i \ ${volumes_conf} \ ${DOCKER_ARGS} \ --env-file ${build_env_file} \ ${build_env} \ ${pkg_base_image_name} \ ${PKG_TARGET} done helper-scripts-master/scripts/pkg-copy-artifacts.sh000077500000000000000000000007301477351054700230650ustar00rootroot00000000000000#!/bin/bash set -ex docker run -i --rm \ -e U_ID=$(id -u) \ -e U_GID=$(id -g) \ -v ${PACKAGES_VOLUME}:/packages \ -v ${STAGE_AREA_VOLUME}:/stage-area \ -v ${COPY_ARTIFACTS_DIR:-$(pwd)/artifacts}:/artifacts \ centos:7 \ /bin/bash -ex -c 'ls -lR /packages /stage-area && mkdir artifacts/packages artifacts/stage-area && mv /packages/* /artifacts/packages && mv /stage-area/* /artifacts/stage-area && chown -R ${U_ID}:${U_GID} /artifacts && ls -lR /artifacts' helper-scripts-master/scripts/pull-docker-image.sh000077500000000000000000000040021477351054700226530ustar00rootroot00000000000000#!/bin/bash # Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2019 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # set -e # Check for env file in current dir if [ -r .env ]; then set -a source .env set +a fi if [ -n "${DOCKER_VERBOSE}" ]; then set -x fi if [ -z "${DOCKER_IMAGE}" ]; then echo "Please set the DOCKER_IMAGE env variable" exit 1 fi DOCKER_TAG=${DOCKER_TAG:-"latest"} DOCKER_REGISTRY_NAMESPACE=${DOCKER_REGISTRY_NAMESPACE:-} if [ -n "${DOCKER_REGISTRY_HOST}" ]; then if [ -n "${DOCKER_REGISTRY_NAMESPACE}" ]; then IMG_NAME="${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_NAMESPACE}/$(echo ${DOCKER_IMAGE} | cut -d '/' -f2)" else IMG_NAME=${DOCKER_REGISTRY_HOST}/${DOCKER_IMAGE} fi if [ -n "${DOCKER_GIT_TAG_ENABLED}" ]; then GIT_COMMIT_SHA=${CI_COMMIT_SHORT_SHA:-$(git rev-parse --short HEAD)} GIT_BRANCH_NAME=${CI_COMMIT_REF_SLUG:-$(echo ${BRANCH_NAME-$(git rev-parse --abbrev-ref HEAD)}|sed 's#/#_#g')} docker pull ${IMG_NAME}:${GIT_COMMIT_SHA} docker tag ${IMG_NAME}:${GIT_COMMIT_SHA} ${DOCKER_IMAGE}:${GIT_COMMIT_SHA} docker tag ${IMG_NAME}:${GIT_COMMIT_SHA} ${DOCKER_IMAGE}:${DOCKER_TAG} if [[ -n ${GIT_BRANCH_NAME} ]] && [[ "${GIT_BRANCH_NAME}" != "HEAD" ]]; then docker pull ${IMG_NAME}:${GIT_BRANCH_NAME}-latest docker tag ${IMG_NAME}:${GIT_BRANCH_NAME}-latest ${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest fi else docker pull ${IMG_NAME}:${DOCKER_TAG} docker tag ${IMG_NAME}:${DOCKER_TAG} ${DOCKER_IMAGE}:${DOCKER_TAG} fi fi helper-scripts-master/scripts/push-docker-image.sh000077500000000000000000000051771477351054700226740ustar00rootroot00000000000000#!/bin/bash # Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2019 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # set -ex # Check for env file in current dir if [ -r .env ]; then set -a source .env set +a fi if [ -n "${DOCKER_VERBOSE}" ]; then set -x else set +x fi if [ -z "${DOCKER_IMAGE}" ]; then echo "Please set the DOCKER_IMAGE env variable" exit 1 fi DOCKER_TAG=${DOCKER_TAG:-"latest"} DOCKER_REGISTRY_NAMESPACE=${DOCKER_REGISTRY_NAMESPACE:-} if [ -n "${DOCKER_GIT_TAG_ENABLED}" ]; then GIT_COMMIT_SHA=${CI_COMMIT_SHORT_SHA:-$(git rev-parse --short HEAD)} GIT_BRANCH_NAME=${CI_COMMIT_REF_SLUG:-$(echo ${BRANCH_NAME-$(git rev-parse --abbrev-ref HEAD)}|sed 's#/#_#g')} fi if [ -n "${DOCKER_REGISTRY_HOST}" ]; then if [ -n "${DOCKER_REGISTRY_NAMESPACE}" ]; then IMG_NAME="${DOCKER_REGISTRY_HOST}/${DOCKER_REGISTRY_NAMESPACE}/$(echo ${DOCKER_IMAGE} | cut -d '/' -f2)" else IMG_NAME=${DOCKER_REGISTRY_HOST}/${DOCKER_IMAGE} fi docker tag ${DOCKER_IMAGE}:${DOCKER_TAG} ${IMG_NAME}:${DOCKER_TAG} echo "Pushing ${IMG_NAME}:${DOCKER_TAG}" docker push ${IMG_NAME}:${DOCKER_TAG} if [ -n "${DOCKER_GIT_TAG_ENABLED}" ]; then docker tag ${DOCKER_IMAGE}:${GIT_COMMIT_SHA} ${IMG_NAME}:${GIT_COMMIT_SHA} echo "Pushing ${IMG_NAME}:${GIT_COMMIT_SHA}" docker push ${IMG_NAME}:${GIT_COMMIT_SHA} if [[ -n ${GIT_BRANCH_NAME} ]] && [[ "${GIT_BRANCH_NAME}" != "HEAD" ]]; then docker tag ${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest ${IMG_NAME}:${GIT_BRANCH_NAME}-latest echo "Pushing ${IMG_NAME}:${GIT_BRANCH_NAME}-latest" docker push ${IMG_NAME}:${GIT_BRANCH_NAME}-latest fi fi fi if [ -n "${DOCKER_PUSH_TO_DOCKERHUB}" ]; then echo "Pushing ${DOCKER_IMAGE}:${DOCKER_TAG}" docker push ${DOCKER_IMAGE}:${DOCKER_TAG} if [ -n "${DOCKER_GIT_TAG_ENABLED}" ]; then echo "Pushing ${DOCKER_IMAGE}:${GIT_COMMIT_SHA}" docker push ${DOCKER_IMAGE}:${GIT_COMMIT_SHA} if [[ -n ${GIT_BRANCH_NAME} ]] && [[ "${GIT_BRANCH_NAME}" != "HEAD" ]]; then echo "Pushing ${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest" docker push ${DOCKER_IMAGE}:${GIT_BRANCH_NAME}-latest fi fi fi helper-scripts-master/x509-scripts/000077500000000000000000000000001477351054700175225ustar00rootroot00000000000000helper-scripts-master/x509-scripts/.gitignore000066400000000000000000000001631477351054700215120ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 /*_ca helper-scripts-master/x509-scripts/LICENSES/000077500000000000000000000000001477351054700207275ustar00rootroot00000000000000helper-scripts-master/x509-scripts/LICENSES/EUPL-1.2.txt000066400000000000000000000327401477351054700225410ustar00rootroot00000000000000EUROPEAN UNION PUBLIC LICENCE v. 1.2 EUPL © the European Union 2007, 2016 This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such use is covered by a right of the copyright holder of the Work). The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following notice immediately following the copyright notice for the Work: Licensed under the EUPL or has expressed by any other means his willingness to license under the EUPL. 1.Definitions In this Licence, the following terms have the following meaning: — ‘The Licence’:this Licence. — ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available as Source Code and also as Executable Code as the case may be. — ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15. — ‘The Work’:the Original Work or its Derivative Works. — ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and modify. — ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by a computer as a program. — ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence. — ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to the creation of a Derivative Work. — ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the Licence. — ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating, transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential functionalities at the disposal of any other natural or legal person. 2.Scope of the rights granted by the Licence The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for the duration of copyright vested in the Original Work: — use the Work in any circumstance and for all usage, — reproduce the Work, — modify the Work, and make Derivative Works based upon the Work, — communicate to the public, including the right to make available or display the Work or copies thereof to the public and perform publicly, as the case may be, the Work, — distribute the Work or copies thereof, — lend and rent the Work or copies thereof, — sublicense rights in the Work or copies thereof. Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the applicable law permits so. In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed by law in order to make effective the licence of the economic rights here above listed. The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the extent necessary to make use of the rights granted on the Work under this Licence. 3.Communication of the Source Code The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to distribute or communicate the Work. 4.Limitations on copyright Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations thereto. 5.Obligations of the Licensee The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those obligations are the following: Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work to carry prominent notices stating that the Work has been modified and the date of modification. Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless the Original Work is expressly distributed only under this version of the Licence — for example by communicating ‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the Work or Derivative Work that alter or restrict the terms of the Licence. Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available for as long as the Licensee continues to distribute or communicate the Work. Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the copyright notice. 6.Chain of Authorship The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions to the Work, under the terms of this Licence. 7.Disclaimer of Warranty The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work and may therefore contain defects or ‘bugs’ inherent to this type of development. For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this Licence. This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. 8.Disclaimer of Liability Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, the Licensor will be liable under statutory product liability laws as far such laws apply to the Work. 9.Additional agreements While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by the fact You have accepted any warranty or additional liability. 10.Acceptance of the Licence The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms and conditions. Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution or Communication by You of the Work or copies thereof. 11.Information to the public In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, by offering to download the Work from a remote location) the distribution channel or media (for example, a website) must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence and the way it may be accessible, concluded, stored and reproduced by the Licensee. 12.Termination of the Licence The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms of the Licence. Such a termination will not terminate the licences of any person who has received the Work from the Licensee under the Licence, provided such persons remain in full compliance with the Licence. 13.Miscellaneous Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the Work. If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid and enforceable. The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. New versions of the Licence will be published with a unique version number. All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take advantage of the linguistic version of their choice. 14.Jurisdiction Without prejudice to specific agreement between parties, — any litigation resulting from the interpretation of this License, arising between the European Union institutions, bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, — any litigation arising between other parties and resulting from the interpretation of this License, will be subject to the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. 15.Applicable Law Without prejudice to specific agreement between parties, — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, resides or has his registered office, — this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside a European Union Member State. Appendix ‘Compatible Licences’ according to Article 5 EUPL are: — GNU General Public License (GPL) v. 2, v. 3 — GNU Affero General Public License (AGPL) v. 3 — Open Software License (OSL) v. 2.1, v. 3.0 — Eclipse Public License (EPL) v. 1.0 — CeCILL v. 2.0, v. 2.1 — Mozilla Public Licence (MPL) v. 2 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software — European Union Public Licence (EUPL) v. 1.1, v. 1.2 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). The European Commission may update this Appendix to later versions of the above licences without producing a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the covered Source Code from exclusive appropriation. All other changes or additions to this Appendix require the production of a new EUPL version. helper-scripts-master/x509-scripts/README.md000066400000000000000000000123301477351054700210000ustar00rootroot00000000000000 # X.509 Scripts Collection of scripts to manage a Certification Authority for testing purposes. ## Manage Certificate Authorities and end-entity certificates Certificates are generated based on information kept as much as possible in a modular OpenSSL configuration file: for every certificate to generate a new module is first created in the `conf.d` directory. The modules are then collected by a top-level `openssl.conf` file. ### Boot a Certification Authority `Usage: make_ca.sh` Setup a minimal directory tree to keep CA information: - certificates and private key - namespace files - symbolic links to certificate and namespace files from subject hashes (new and old) A _namespace file_ is a file specifying the name space of Distinguished Names for whom the CA will issue a certificate. Two formats are available, each characterized by a filename extension: `.namespaces` or `.signing_policy`. In the same directory the CRL and EE certificates will be created by `make_crl.sh` and `make_cert.sh`. The name of the CA (which corresponds to a section in the configuration file and to the CA directory) is taken from the env variable `CA_NAME`, which must exist. See `conf.d/ephemeral_ca.conf` for a tipical configuration section. Example usage: ```shell $ env CA_NAME=ephemeral_ca make_ca.sh .+......+... ----- Created CA under 'ephemeral_ca' ``` ### Remove a CA `Usage: remove_ca.sh ca-name` Remove recursively all files and directories, including the top directory, created by `make_ca.sh` and following commands. Example usage: ```shell $ remove_ca.sh ephemeral_ca Removed CA under ephemeral_ca ``` ### Create an EE certificate `Usage: make_cert.sh cert-name` Generate a certificate based on the information specified in an OpenSSL configuration file named correspondingly, included in the `conf.d` directory. The configuration file contains a section with the same name. The name of the CA, which must have already been created with `make_ca.sh`, is taken from the env variable CA_NAME. See `conf.d/test0.conf` for a tipical configuration section. The certificate and the corresponding private key are in PEM format and they are named _cert-name_`.cert.pem` and _cert-name_`.key.pem` respectively. The certificate and private key are also wrapped in a PKCS#12 file, named _cert-name_`.p12`. The private key and the PKCS#12 file are protected by the same password, if set in the configuration. All the files are put in the subdirectory `certs` of the CA directory. Example usage: ```shell $ cat conf.d/test0.conf [ test0 ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/test0.key.pem distinguished_name = test0_dn ... $ env CA_NAME=ephemeral_ca make_cert.sh test0 ..+...+.... ... ----- New certificate in ephemeral_ca/certs/test0.cert.pem ``` To create an expired certificate you can use the `faketime` utility. For example: ```shell $ date Thu Dec 5 16:54:43 UTC 2024 $ faketime -f -1y env CA_NAME=ephemeral_ca make_cert.sh expired .+....+... ... ----- New certificate in ephemeral_ca/certs/expired.cert.pem $ openssl x509 -in ephemeral_ca/certs/expired.cert.pem -noout -dates notBefore=Dec 6 16:54:45 2023 GMT notAfter=Jan 5 16:54:45 2024 GMT ``` ### Revoke a certificate `Usage: revoke_cert.sh cert-name` Revokes an already issued certificate. Example usage: ```shell $ env CA_NAME=ephemeral_ca make_cert.sh revoked ... $ env CA_NAME=ephemeral_ca revoke_cert.sh revoked Using configuration from openssl.conf Adding Entry with serial number 52002AFE925899453E1AA29C00FF31F80E8B16F6 to DB for /C=IT/O=IGI/CN=Revoked Revoking Certificate 52002AFE925899453E1AA29C00FF31F80E8B16F6. Data Base Updated Certificate ephemeral_ca/certs/revoked.cert.pem is revoked ``` ### Generate a Certificate Revocation List `Usage: make_crl.sh` Produces a CRL file based on the certificates revoked so far for a given CA. The name of the CA is taken from the env variable CA_NAME. The file is called `ca.crl`; two symbolic links, with extension `.r0`, are created using the subject hash (new and old). Example usage: ```shell $ env CA_NAME=ephemeral_ca make_crl.sh Using configuration from openssl.conf New CRL for CA ephemeral_ca in ephemeral_ca/ca.crl ``` ### Install a CA `Usage: install_ca.sh ca-name [directory]` Installs the certificate, CRL, namespace files and corresponding symbolic links from subject hashes (new and old) for the specified CA in the given directory, which must exist. By default the directory is `/etc/grid-security/certificates`. Example usage: ```shell $ mkdir /tmp/trust $ install_ca.sh ephemeral_ca /tmp/trust $ ls /tmp/trust a4c9e7bb.0 a4c9e7bb.r0 a5de37b0.0 a5de37b0.r0 ephemeral_ca.crl ephemeral_ca.pem a4c9e7bb.namespaces a4c9e7bb.signing_policy a5de37b0.namespaces a5de37b0.signing_policy ephemeral_ca.namespaces ephemeral_ca.signing_policy ``` ### Uninstall a CA `Usage: uninstall_ca.sh ca-name [directory]` Removes all files for the specified CA, which was previously installed in the given directory. By default the directory is `/etc/grid-security/certificates`. Example usage: ```shell $ uninstall_ca.sh ephemeral_ca /tmp/trust $ ls /tmp/trust $ ``` helper-scripts-master/x509-scripts/conf.d/000077500000000000000000000000001477351054700206715ustar00rootroot00000000000000helper-scripts-master/x509-scripts/conf.d/ephemeral_ca.conf000066400000000000000000000020251477351054700241440ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ ephemeral_ca ] dir = ${ENV::CA_NAME} certs = $dir/certs database = $dir/index.txt serial = $dir/serial certificate = $dir/ca.crt private_key = $dir/private/ca.key default_crl_days = 30 default_md = sha512 [ ephemeral_ca_cert ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/private/ca.key distinguished_name = ${ENV::CA_NAME}_dn prompt = no encrypt_key = no default_md = sha512 x509_extensions = ${ENV::CA_NAME}_extensions [ ephemeral_ca_dn ] C = IT O = IGI CN = Ephemeral CA [ ephemeral_ca_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always basicConstraints = critical, CA:true keyUsage = critical, cRLSign, keyCertSign helper-scripts-master/x509-scripts/conf.d/expired.conf000066400000000000000000000013771477351054700232100ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ expired ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/expired.key.pem distinguished_name = expired_dn prompt = no output_password = pass default_md = sha512 x509_extensions = expired_extensions [ expired_dn ] C = IT O = IGI CN = Expired [ expired_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment authorityKeyIdentifier = keyid, issuer subjectAltName = email:expired@cnaf.infn.it helper-scripts-master/x509-scripts/conf.d/igi_test_ca.conf000066400000000000000000000020141477351054700240070ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ igi_test_ca ] dir = ${ENV::CA_NAME} certs = $dir/certs database = $dir/index.txt serial = $dir/serial certificate = $dir/ca.crt private_key = $dir/private/ca.key default_crl_days = 30 default_md = sha512 [ igi_test_ca_cert ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/private/ca.key distinguished_name = ${ENV::CA_NAME}_dn prompt = no encrypt_key = no default_md = sha512 x509_extensions = ${ENV::CA_NAME}_extensions [ igi_test_ca_dn ] C = IT O = IGI CN = Test CA [ igi_test_ca_extensions ] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always basicConstraints = critical, CA:true keyUsage = critical, cRLSign, keyCertSign helper-scripts-master/x509-scripts/conf.d/revoked.conf000066400000000000000000000013771477351054700232070ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ revoked ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/revoked.key.pem distinguished_name = revoked_dn prompt = no output_password = pass default_md = sha512 x509_extensions = revoked_extensions [ revoked_dn ] C = IT O = IGI CN = Revoked [ revoked_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment authorityKeyIdentifier = keyid, issuer subjectAltName = email:revoked@cnaf.infn.it helper-scripts-master/x509-scripts/conf.d/star_cnaf.conf000066400000000000000000000014251477351054700235020ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ star_cnaf ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/star_cnaf.key.pem distinguished_name = star_cnaf_dn prompt = no encrypt_key = no default_md = sha512 x509_extensions = star_cnaf_extensions [ star_cnaf_dn ] C = IT O = IGI CN = *.cnaf.infn.it [ star_cnaf_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, digitalSignature extendedKeyUsage = serverAuth, clientAuth authorityKeyIdentifier = keyid, issuer subjectAltName = DNS:*.cnaf.infn.it helper-scripts-master/x509-scripts/conf.d/test0.conf000066400000000000000000000013571477351054700226050ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ test0 ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/test0.key.pem distinguished_name = test0_dn prompt = no output_password = pass default_md = sha512 x509_extensions = test0_extensions [ test0_dn ] C = IT O = IGI CN = Test0 [ test0_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment authorityKeyIdentifier = keyid, issuer subjectAltName = email:test0@cnaf.infn.it helper-scripts-master/x509-scripts/conf.d/test1.conf000066400000000000000000000013551477351054700226040ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ test1 ] default_bits = 2048 default_keyfile = ${ENV::CA_NAME}/certs/test1.key.pem distinguished_name = test1_dn prompt = no encrypt_key = no default_md = sha512 x509_extensions = test1_extensions [ test1_dn ] C = IT O = IGI CN = Test1 [ test1_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment authorityKeyIdentifier = keyid, issuer subjectAltName = email:test1@cnaf.infn.it helper-scripts-master/x509-scripts/conf.d/test2.conf000066400000000000000000000015631477351054700226060ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 [ test2 ] # emulate support for private key options; extract the information from # make_cert.sh and act accordingly # default_keyfile = ${ENV::CA_NAME}/certs/test2.key.pem # pkeyopt = ec_paramgen_curve:secp384r1 distinguished_name = test2_dn prompt = no output_password = pass default_md = sha512 x509_extensions = test2_extensions [ test2_dn ] C = IT O = IGI CN = Test2 [ test2_extensions ] basicConstraints = critical,CA:FALSE subjectKeyIdentifier = hash keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment authorityKeyIdentifier = keyid, issuer subjectAltName = email:test2@cnaf.infn.it helper-scripts-master/x509-scripts/openssl.conf000066400000000000000000000003121477351054700220500ustar00rootroot00000000000000# SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 config_diagnostics = 1 [ ca ] default_ca = ${ENV::CA_NAME} .include conf.d helper-scripts-master/x509-scripts/scripts/000077500000000000000000000000001477351054700212115ustar00rootroot00000000000000helper-scripts-master/x509-scripts/scripts/install_ca.sh000077500000000000000000000030521477351054700236610ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 if [ $# -ne 1 -a $# -ne 2 ]; then >&2 echo "Usage: $(basename $0) ca-name [directory]" exit 1 fi ca_name="${1%/}" install_dir="/etc/grid-security/certificates" if [ $# -eq 2 ]; then install_dir="$2" fi if [ ! -d "${ca_name}" ]; then >&2 echo "Directory '${ca_name}' does not exist" exit 1 fi if [ ! -d "${ca_name}/private" ]; then >&2 echo "Directory '${ca_name}' does not look like a CA" exit 1 fi if [ ! -d "${install_dir}" ]; then >&2 echo "Directory '${install_dir}' does not exist" exit 1 fi cp "${ca_name}/ca.crt" "${install_dir}/${ca_name}.pem" cp "${ca_name}/ca.crl" "${install_dir}/${ca_name}.crl" cp "${ca_name}/ca.namespaces" "${install_dir}/${ca_name}.namespaces" cp "${ca_name}/ca.signing_policy" "${install_dir}/${ca_name}.signing_policy" subject_hash=$(openssl x509 -in "${ca_name}/ca.crt" -noout -subject_hash) subject_hash_old=$(openssl x509 -in "${ca_name}/ca.crt" -noout -subject_hash_old) pushd "${install_dir}" > /dev/null ln -s "${ca_name}.pem" "${subject_hash}.0" ln -s "${ca_name}.pem" "${subject_hash_old}.0" ln -s "${ca_name}.crl" "${subject_hash}.r0" ln -s "${ca_name}.crl" "${subject_hash_old}.r0" ln -s "${ca_name}.namespaces" "${subject_hash}.namespaces" ln -s "${ca_name}.namespaces" "${subject_hash_old}.namespaces" ln -s "${ca_name}.signing_policy" "${subject_hash}.signing_policy" ln -s "${ca_name}.signing_policy" "${subject_hash_old}.signing_policy" popd > /dev/null helper-scripts-master/x509-scripts/scripts/make_ca.sh000077500000000000000000000040141477351054700231270ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 # take the CA_NAME from the env as an additional check for the existence # of the env var, which is then used in other scripts if [ $# -ne 0 ]; then >&2 echo "Usage: $(basename $0) (the CA is taken from the CA_NAME env var)" exit 1 fi if [ -z "${CA_NAME}" ]; then >&2 echo "Env var CA_NAME is not set" exit 1 fi if [ -e "${CA_NAME}" ]; then >&2 echo "File or directory '${CA_NAME}' already exists" exit 1 fi if [ ! -e "conf.d/${CA_NAME}.conf" ]; then >&2 echo "The configuration file 'conf.d/${CA_NAME}.conf' doesn't exist" exit 1 fi if [ ! -e "openssl.conf" ]; then >&2 echo "The configuration file 'openssl.conf' doesn't exist in this directory" exit 1 fi mkdir -p "${CA_NAME}" "${CA_NAME}"/private "${CA_NAME}"/certs touch "${CA_NAME}"/index.txt "${CA_NAME}"/serial cert_file=ca.crt openssl req -batch -x509 -new -out "${CA_NAME}/${cert_file}" -config openssl.conf -section ${CA_NAME}_cert subject="$(openssl x509 -in ${CA_NAME}/${cert_file} -noout -subject -nameopt compat | sed 's/^subject=//')" namespace="$(echo ${subject} | sed 's:/CN=.*$::')" cat > "${CA_NAME}/ca.signing_policy" < "${CA_NAME}/ca.namespaces" <&2 echo "Usage: $(basename $0) cert-name" exit 1 fi cert_name="$1" if [ -z "${CA_NAME}" ]; then >&2 echo "Env var CA_NAME is not set" exit 1 fi if [ ! -d "${CA_NAME}" ]; then >&2 echo "Directory '${CA_NAME}' does not exist" exit 1 fi cert_file="${CA_NAME}/certs/${cert_name}.cert.pem" if [ -e "${cert_file}" ]; then >&2 echo "A certificate for ${cert_name} in ${CA_NAME} already exists ('${cert_file}')" exit 1 fi conf_file="conf.d/${cert_name}.conf" if [ ! -e "${conf_file}" ]; then >&2 echo "The configuration file '${conf_file}' doesn't exist" exit 1 fi if [ ! -e "openssl.conf" ]; then >&2 echo "The configuration file 'openssl.conf' doesn't exist in this directory" exit 1 fi key_file="$(eval echo $(awk -F= '/default_keyfile/ {gsub(/^ +| +$|ENV::/, "", $2); print $2}' ${conf_file}))" if [[ -z "${key_file}" ]]; then key_file=${cert_file%cert.pem}key.pem fi pkeyopt="$(awk -F= '/pkeyopt/ {gsub(/^ +| +$/, "", $2); print $2}' ${conf_file})" if [[ "${pkeyopt}" == ec_paramgen_curve:* ]]; then openssl genpkey -algorithm EC -pkeyopt "${pkeyopt}" > "${key_file}" minus_key="-key ${key_file}" fi openssl req -batch -CA "${CA_NAME}/ca.crt" -CAkey "${CA_NAME}/private/ca.key" -out "${cert_file}" ${minus_key[@]} -text -config openssl.conf -section "${cert_name}" password="$(awk -F= '/output_password/ {gsub(/^ +| +$/, "", $2); print $2}' ${conf_file})" openssl pkcs12 -export -out "${cert_file%cert.pem}p12" -in "${cert_file}" -inkey "${key_file}" -passin pass:"$password" -passout pass:"$password" echo "New certificate in ${cert_file}" helper-scripts-master/x509-scripts/scripts/make_crl.sh000077500000000000000000000014711477351054700233300ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 if [ -z "${CA_NAME}" ]; then >&2 echo "Env var CA_NAME is not set" exit 1 fi if [ ! -d "${CA_NAME}" ]; then >&2 echo "Directory '${CA_NAME}' does not exist" exit 1 fi if [ ! -e "openssl.conf" ]; then >&2 echo "The configuration file 'openssl.conf' doesn't exist in this directory" exit 1 fi openssl ca -gencrl -out "${CA_NAME}/ca.crl" -config openssl.conf -section "${CA_NAME}" subject_hash=$(openssl x509 -in "${CA_NAME}/ca.crt" -noout -subject_hash) subject_hash_old=$(openssl x509 -in "${CA_NAME}/ca.crt" -noout -subject_hash_old) ln -sf ca.crl "${CA_NAME}/${subject_hash}.r0" ln -sf ca.crl "${CA_NAME}/${subject_hash_old}.r0" echo "New CRL for CA ${CA_NAME} in ${CA_NAME}/ca.crl" helper-scripts-master/x509-scripts/scripts/remove_ca.sh000077500000000000000000000010551477351054700235110ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 # don't rely on the CA_NAME env var, but prefer an explicit command line argument if [ $# -ne 1 ]; then >&2 echo "Usage: remove_ca.sh ca-name" exit 1 fi ca_name="$1" if [ ! -d "${ca_name}" ]; then >&2 echo "Directory '${ca_name}' does not exist" exit 1 fi if [ ! -d "${ca_name}/private" ]; then >&2 echo "Directory '${ca_name}' does not look like a CA" exit 1 fi rm -r ${ca_name} echo "Removed CA under ${ca_name}" helper-scripts-master/x509-scripts/scripts/revoke_cert.sh000077500000000000000000000015131477351054700240600ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 if [ $# -ne 1 ]; then >&2 echo "Usage: revoke_cert.sh cert-name" exit 1 fi cert_name="$1" if [ -z "${CA_NAME}" ]; then >&2 echo "Env var CA_NAME is not set" exit 1 fi if [ ! -d "${CA_NAME}" ]; then >&2 echo "Directory '${CA_NAME}' does not exist" exit 1 fi if [ ! -e "${CA_NAME}/certs/${cert_name}.cert.pem" ]; then >&2 echo "A certificate for ${cert_name} in ${CA_NAME} doesn't exist" exit 1 fi if [ ! -e "openssl.conf" ]; then >&2 echo "The configuration file 'openssl.conf' doesn't exist in this directory" exit 1 fi openssl ca -revoke "${CA_NAME}/certs/${cert_name}.cert.pem" -config openssl.conf -section "${CA_NAME}" echo "Certificate ${CA_NAME}/certs/${cert_name}.cert.pem is revoked" helper-scripts-master/x509-scripts/scripts/uninstall_ca.sh000077500000000000000000000022421477351054700242240ustar00rootroot00000000000000#!/bin/bash -e # SPDX-FileCopyrightText: 2024 Istituto Nazionale di Fisica Nucleare # # SPDX-License-Identifier: EUPL-1.2 if [ $# -ne 1 -a $# -ne 2 ]; then >&2 echo "Usage: $(basename $0) ca-name [directory]" exit 1 fi ca_name="${1%/}" install_dir="/etc/grid-security/certificates" if [ $# -eq 2 ]; then install_dir="$2" fi if [ ! -d "${install_dir}" ]; then >&2 echo "Directory '${install_dir}' does not exist" exit 1 fi pushd "${install_dir}" > /dev/null if [ ! -e "${ca_name}.pem" ]; then >&2 echo "${ca_name} is not installed in ${install_dir}" exit 1 fi subject_hash=$(openssl x509 -in "${ca_name}.pem" -noout -subject_hash) subject_hash_old=$(openssl x509 -in "${ca_name}.pem" -noout -subject_hash_old) rm \ "${ca_name}.pem" "${ca_name}.crl" "${ca_name}.namespaces" "${ca_name}.signing_policy" \ "${subject_hash}.0" "${subject_hash_old}.0" \ "${subject_hash}.r0" "${subject_hash_old}.r0" \ "${subject_hash}.namespaces" "${subject_hash_old}.namespaces" \ "${subject_hash}.signing_policy" "${subject_hash_old}.signing_policy" popd > /dev/null