lukasz-antoniak commented on code in PR #1805:
URL: https://github.com/apache/cassandra-gocql-driver/pull/1805#discussion_r1735691301


##########
testdata/pki/generate_certs.sh:
##########
@@ -0,0 +1,93 @@
+#! /bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This script generates the various certificates used for integration
+# tests.  All certificates are created with a validity of 3650 days,
+# or 10 years.  Therefore, this only needs to be used sparingly,
+# although could eventually be repurposed to regenerate certificates
+# as part of setting up the integration test harness. 
+
+set -eux
+
+# How long certificates should be considered valid, 10 years
+VALIDITY=3650
+
+# Generate 4096-bit unencrypted RSA private key using aes256
+function generatePrivateKey() {
+    base=$1
+    rm -fv ${base}.key
+    echo "Generating private key ${base}.key"
+    # Generate Private Key
+    openssl genrsa -aes256 -out ${base}.key -passout pass:cassandra 4096
+    echo "Decrypting ${base}.key"
+    # Decrypt Private Key
+    openssl rsa -in ${base}.key -out ${base}.key -passin pass:cassandra
+}
+
+# Generate a X509 Certificate signed by the generated CA
+function generateCASignedCert() {
+    base=$1
+    rm -fv ${base}.csr ${base}.crt
+    # Generate Certificate Signing Request
+    echo "Generating certificate signing request ${base}.csr"
+    openssl req -new -key ${base}.key -out ${base}.csr -config ${base}.cnf
+    # Generate Certificate using CA
+    echo "Generating certificate ${base}.crt"
+    openssl x509 -req -in ${base}.csr -CA ca.crt -CAkey ca.key \
+                 -CAcreateserial -out ${base}.crt -days $VALIDITY \
+                 -extensions req_ext -extfile ${base}.cnf
+    rm -fv ${base}.csr
+}
+
+# CA
+# Generate CA that signs both gocql and cassandra certs
+generatePrivateKey ca
+# Generate CA Certificate
+echo "Generating CA certificate ca.crt"
+rm -fv ca.crt
+openssl req -x509 -new -nodes -key ca.key -days $VALIDITY -out ca.crt -config 
ca.cnf -reqexts v3_req -extensions req_ext
+
+# Import CA certificate into PKCS12 truststore so it can be used by Cassandra.
+# Note that keytool is used here because java's PKCS12 keystore implementation
+# requires additional bag attributes that openssl doesn't provide.
+echo "Generating truststore .truststore for Cassandra"
+rm -fv .truststore
+keytool -import -keystore .truststore -trustcacerts \
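
Review bot: In generatePrivateKey the key is written encrypted with -aes256 under the hard-coded passphrase pass:cassandra and then immediately decrypted in place by the following openssl rsa call, so the passphrase protects nothing, and with set -eux it is also echoed into the trace output. The function's comment ("4096-bit unencrypted RSA private key using aes256") contradicts itself for the same reason. Consider generating the key unencrypted in a single step, for example `openssl genrsa -out "${base}.key" 4096`, and rewording the comment, unless the encrypt-then-decrypt round trip is needed for a reason not visible in this hunk. The ${base} expansions passed to rm and openssl are unquoted throughout; writing them as "${base}.key" and so on keeps the helpers correct if a name containing spaces or glob characters is ever passed. Because ca.key ends up unencrypted on disk next to the certificates, a short comment stating that these keys are test-only fixtures and must not be reused elsewhere would be worth adding near the top of the script.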

Review Comment:
   I am thinking whether we should run GoCQL tests with the same JVM / C* 
matrix as for Java driver. We do run tests with JVM 8 and there we need also 
JKS format. On the other hand, would it make sense to test Golang driver with 
C* on JVM 8? JVM version will of course not impact the driver itself, but only 
server-side component.
   
   Just pointing this out, but I am fine leaving the PKCS12 format only.



##########
testdata/pki/generate_certs.sh:
##########
@@ -0,0 +1,93 @@
+#! /bin/bash
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# This script generates the various certificates used for integration

Review Comment:
   I would also try not to introduce more moving parts in integration tests. 
What do you think about increasing validity to 100 years?



##########
testdata/pki/cassandra.crt:
##########
@@ -1,83 +1,31 @@
-Certificate:

Review Comment:
   I think it is useful to immediately see expiration date :). Did not know 
that this was possible before.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.