#!/bin/bash -eu
# Copyright 2024 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
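# Keep the strict options in the body too, so they survive `bash script.sh`
# (a shebang's flags are lost in that case). pipefail makes a failing
# `head | base64` below fatal instead of yielding an empty passphrase.
set -euo pipefail

# Usage: <script> OUT_DIR
#
# Creates a throw-away local CA plus a leaf certificate valid for
# localhost / 127.0.0.1 / ::1, and a private copy of the system Java truststore
# with that CA added. Everything is written into OUT_DIR, which is wiped first.
#
# Refuse to run with an empty output path rather than `rm -rf ""`.
OUT_DIR="${1:?usage: $0 OUT_DIR}"

# The CA private key is encrypted with a random passphrase that is never
# written anywhere, so once this script exits nobody (including us) can use the
# CA to sign anything else. The passphrase is handed to openssl through the
# environment (-passout env:/-passin env:) instead of on the command line so it
# does not show up in `ps` or shell tracing.
# NB: genrsa only honours -passout when a cipher is requested (-aes256 below);
# without one the key would be written to disk in the clear.
CA_PASS="$(head -c 50 /dev/urandom | base64)"
export CA_PASS

CANAME="BazelContentMirrorLocalCA"
MYCERT="BazelContentMirrorServer"
CA_SUBJ="/CN=${CANAME}"
# Give the leaf its own subject: a certificate whose subject equals its issuer
# looks self-signed to some chain builders even though it is not. Hostname
# matching uses the SANs in the extension file, not the CN.
SERVER_SUBJ="/CN=${MYCERT}"

rm -rf -- "${OUT_DIR}"
mkdir -p -- "${OUT_DIR}"
cd "${OUT_DIR}"

echo "Generating CA private key"
openssl genrsa -aes256 -passout env:CA_PASS -out "${CANAME}.key" 4096

echo "Generating CA certificate"
# Deliberately short-lived (7 days): the CA only has to outlive one build.
openssl req -x509 -new -key "${CANAME}.key" -passin env:CA_PASS -sha256 -days 7 \
  -out "${CANAME}.crt" -subj "${CA_SUBJ}"

echo "Generating server key and CSR"
# The server key stays unencrypted (-nodes) because the mirror has to load it
# without a passphrase; it is protected by file permissions instead.
openssl req -new -nodes -newkey rsa:4096 -keyout "${MYCERT}.key" \
  -out "${MYCERT}.csr" -subj "${SERVER_SUBJ}"
# openssl normally creates private keys 0600 already; enforce it regardless of
# umask or openssl version.
chmod 600 "${CANAME}.key" "${MYCERT}.key"

# v3 extensions for the leaf: not a CA, TLS-server key usage, SANs for the
# loopback names the mirror is reached on. Quoted delimiter: nothing to expand.
cat > "${MYCERT}.v3.ext" << 'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
EOF

echo "Signing server certificate"
openssl x509 -req -in "${MYCERT}.csr" -CA "${CANAME}.crt" -CAkey "${CANAME}.key" \
  -passin env:CA_PASS -CAcreateserial -out "${MYCERT}.crt" -days 7 -sha256 \
  -extfile "${MYCERT}.v3.ext"
# Forget the CA passphrase: the encrypted CA key left on disk is now unusable.
unset CA_PASS

echo "Importing CA certificate into a private truststore"
# We never touch the system truststore (no sudo, no machine-wide trust change);
# we copy it and add our CA to the copy only.
cp /etc/ssl/certs/java/cacerts .
# The system cacerts ships with the well-known password "changeit". Re-key our
# copy with a random password that is forgotten when this script exits, again
# passed via the environment (-storepass:env / -new:env) to keep it out of `ps`.
STORE_PASS="$(head -c 50 /dev/urandom | base64)"
export STORE_PASS
keytool -storepasswd -new:env STORE_PASS -storepass changeit -keystore cacerts
keytool -importcert -file "${CANAME}.crt" -keystore cacerts \
  -alias "Bazel content mirror" -storepass:env STORE_PASS -noprompt
unset STORE_PASS
# Read-only for the owner. The previous 700 still granted write (and,
# pointlessly, execute); a truststore only ever needs to be read. The next run's
# `rm -rf` only needs write permission on the directory, not on this file.
chmod 0400 cacerts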