| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 |
- /*
- certs.me -- Test certificate generation
-
- This file provides targets to generate SSL test certificates using OpenSSL.
- WARNING: All these certificates are for internal use only.
- To generate a certificate request to send to a certificate authority like Verisign, do:
- This will create a certificate request file in "server.csr" and a private key in "server.key"
- me cert-request
-
- To use appweb with HTTP, you need a server certificate.
- This command will generate a self-signed test certificate called "self.crt" with a private key "self.key".
-
- me self-signed-cert
-
- To create a CA and then a server cert based on this CA.
- This command will generate a CA certificate in ca.crt with a CA private key in ca.key. The last minted certificate
- serial number is in ca.srl.
-
- me ca-cert
- To generate a certificate signed by the test CA.
- This will generate a certificate in "test.crt" with a private key in "test.key".
- me test-cert
- To generate an Elliptic Curve certificate signed by the test CA.
- This will generate a certificate in "ec.crt" with a private key in "ec.key".
- me ec-cert
- For all cert targets:
- me generate-certs
- */
- Me.load({
- settings: {
- certs: {
- days: 3650,
- bits: 2048,
- gendh: false,
- }
- },
- mixin: `
- function ossl(command, input) {
- trace('Run', 'openssl ' + command)
- let cmd = Cmd()
- cmd.env = {BIN: me.dir.bin}
- let result = cmd.start('openssl ' + command, {detach: true})
- if (input) {
- cmd.write(Path(input).readString())
- }
- cmd.finalize()
- cmd.wait()
- if (cmd.status != 0) {
- throw new IOError('Command failed, status ' + cmd.status + '\n' + cmd.error)
- }
- return cmd.response
- }
- `,
- targets: {
- 'install-certs': {
- type: 'file',
- path: '${BIN}/',
- files: [ 'samples/**' ],
- },
- 'generate-certs': {
- depends: [ 'ca-cert', 'self-signed-cert', 'test-cert', 'ec-cert' ],
- },
- 'generate-samples': {
- depends: [ 'generate-certs', 'get-roots' ]
- action: `
- for each (f in Path('samples').files('**')) {
- trace('Generate', f)
- f.remove()
- Path(f.basename).rename(f)
- }
- rm(['*.old', '*.csr', 'ca.db', 'ca.db.attr', '*.pem'])
- `
- },
- 'get-roots': {
- action: `
- let http = Http()
- http.verify = false
- // http.get('https://pki.google.com/roots.pem')
- http.get('https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt')
- let dest = Path('${BIN}/roots.crt')
- trace('Create', dest)
- dest.write(http.response)
- `
- },
- /*
- WARNING: Self-signed server certificate for testing ONLY.
- Use a self-signed certificate when you just want quick and dirty testing.
- The browser will say it doesn't recognize this certificate, but that is ok for testing only.
- Creates a private key in self.key.
- See: http://www.sslshopper.com/article-most-common-openssl-commands.html
- */
- 'self-signed-cert': {
- message: 'Make: Self-signed Certificate: self.crt',
- action: `
- ossl('genrsa -out ${BIN}/self.key ${settings.certs.bits}')
- ossl('req -new -x509 -days ${settings.certs.days} -key ${BIN}/self.key -out ${BIN}/self.crt', 'self.ans')
- `,
- },
- /*
- Setup a test certificate authority. Use this if you will be generating multiple certificates for clients and
- servers. NOTE: this is only for test. The certificate authority is not a real entity!
- */
- 'ca-cert': {
- message: 'Make: CA Certificate: ca.crt',
- action: `
- ossl('genrsa -out ${BIN}/ca.key ${settings.certs.bits}')
- ossl('req -config openssl.conf -new -x509 -days ${settings.certs.days} -key ${BIN}/ca.key -out ${BIN}/ca.crt -extensions caExtensions')
- me.dir.bin.join('ca.srl').write('9999991000\n')
- me.dir.bin.join('ca.db').write('')
- `,
- },
- /*
- Test cert signed by the test CA above. This is used for test as the server cert and on the client side
- when validating client certs.
- */
- 'test-cert': {
- message: 'Make: Test Certificate: test.crt',
- action: `
- ossl('genrsa -out ${BIN}/test.key ${settings.certs.bits}')
- ossl('req -new -key ${BIN}/test.key -out ${BIN}/test.csr', 'test.ans')
- ossl('ca -batch -config openssl.conf -notext -in ${BIN}/test.csr -out ${BIN}/test.crt -extensions server')
- `,
- },
- 'ec-cert': {
- message: 'Make: EC Test Certificate: ec.crt',
- action: `
- ossl('ecparam -genkey -name prime256v1 -out ${BIN}/ec.key')
- ossl('req -new -key ${BIN}/ec.key -out ${BIN}/ec.csr', 'ec.ans')
- ossl('req -x509 -days 365 -key ${BIN}/ec.key -in ${BIN}/ec.csr -out ${BIN}/ec.crt')
- `
- },
- 'dhparams': {
- message: 'Generate: Local DH parameters for OpenSSL ... may take a few minutes',
- action: `
- me.dir.bin.join('dh.c').write(Cmd.run('openssl dhparam -C ${settings.certs.bits} -out ${BIN}/dh.pem') + '\n')
- `
- }
- /*
- Generate a certificate request to send to a certificate authority like Verisign
- Generates a server key in "server.key"
- */
- 'cert-request': {
- action: `
- ossl('genrsa -out ${BIN}/server.key ${settings.certs.bits}')
- ossl('req -new -key ${BIN}/server.key -out ${BIN}/server.csr', 'test.ans')
- `,
- },
- 'show-certs': {
- action: `
- print(ossl('x509 -in ${BIN}/ca.crt -noout -text'))
- print(ossl('x509 -in ${BIN}/test.crt -noout -text'))
- print(ossl('x509 -in ${BIN}/self.crt -noout -text'))
- `
- }
- }
- })
|
