author | Nobuaki Sukegawa <nsuke@apache.org> | 2016-02-04 15:09:41 +0900 |
---|---|---|
committer | Nobuaki Sukegawa <nsuke@apache.org> | 2016-02-04 22:20:00 +0900 |
commit | f39f7dbd26fe090f0fc6566c100ca7adc9ace714 (patch) | |
tree | 1c9d7094eeb14b226c8b33027543dd3f4c43aaa3 /test/keys | |
parent | 25536ad83a85cfda6d5388278e4e378f2d4df73e (diff) | |
download | thrift-f39f7dbd26fe090f0fc6566c100ca7adc9ace714.tar.gz |
THRIFT-3599 Validate client IP address against cert's SubjectAltName
Diffstat (limited to 'test/keys')
-rwxr-xr-x | test/keys/README.md | 20 | ||||
-rw-r--r-- | test/keys/client_v3.crt | 24 | ||||
-rw-r--r-- | test/keys/client_v3.key | 27 |
3 files changed, 70 insertions, 1 deletions
diff --git a/test/keys/README.md b/test/keys/README.md index 15faa5106..eb67fd810 100755 --- a/test/keys/README.md +++ b/test/keys/README.md @@ -50,6 +50,24 @@ export certificate in PEM format for OpenSSL usage openssl pkcs12 -in client.p12 -out client.pem -clcerts +### create client key and certificate with altnames + +copy openssl.cnf from your system e.g. /etc/ssl/openssl.cnf and append following to the end of [ v3_req ] + + subjectAltName=@alternate_names + + [ alternate_names ] + IP.1=127.0.0.1 + IP.2=::1 + +create a signing request: + + openssl req -new -key client_v3.key -out client_v3.csr -config openssl.cnf \ + -subj "/C=US/ST=Maryland/L=Forest Hill/O=The Apache Software Foundation/OU=Apache Thrift/CN=localhost" -extensions v3_req + +sign the client certificate with the server.key + + openssl x509 -req -days 3000 -in client_v3.csr -CA CA.pem -CAkey server.key -set_serial 01 -out client_v3.crt -extensions v3_req -extfile openssl.cnf ## Java key and certificate import Java Test Environment uses key and trust store password "thrift" without the quotes @@ -65,7 +83,7 @@ list truststore entries delete an entry - keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest + keytool -delete -storepass thrift -keystore ../../lib/java/test/.truststore -alias ssltest import certificate into truststore diff --git a/test/keys/client_v3.crt b/test/keys/client_v3.crt new file mode 100644 index 000000000..6703c7a98 --- /dev/null +++ b/test/keys/client_v3.crt 
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9jCCAt6gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBsTELMAkGA1UEBhMCVVMx
+ETAPBgNVBAgMCE1hcnlsYW5kMRQwEgYDVQQHDAtGb3Jlc3QgSGlsbDEnMCUGA1UE
+CgweVGhlIEFwYWNoZSBTb2Z0d2FyZSBGb3VuZGF0aW9uMRYwFAYDVQQLDA1BcGFj
+aGUgVGhyaWZ0MRIwEAYDVQQDDAlsb2NhbGhvc3QxJDAiBgkqhkiG9w0BCQEWFWRl
+dkB0aHJpZnQuYXBhY2hlLm9yZzAeFw0xNjAyMDMxOTAwMDlaFw0yNDA0MjExOTAw
+MDlaMIGLMQswCQYDVQQGEwJVUzERMA8GA1UECAwITWFyeWxhbmQxFDASBgNVBAcM
+C0ZvcmVzdCBIaWxsMScwJQYDVQQKDB5UaGUgQXBhY2hlIFNvZnR3YXJlIEZvdW5k
+YXRpb24xFjAUBgNVBAsMDUFwYWNoZSBUaHJpZnQxEjAQBgNVBAMMCWxvY2FsaG9z
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZ0wiQnXg5QMZZWugd/
+O3woatyHuczJuFSmYiRGWLr3PugB+xtvjy0rTcE2MNx/bdsVxrapCKA+tMFORbEl
+sF6jk0H+B7BzGoIwHr6N8GP1VOoA2esrhsNEz22aJI00VaFTFE8G/qgFcihyaVWH
+ZsLa3MakOzFUmOBaV2tLBjCjaznqXw3eo3XwUI0BkgS9b9vqXjScmfWXDw5+1is4
+bCgumG2zj9EpLypc9qCGNKFBO2YIg0XsIIJ8RprlianjL6P4MfC6GPOyW4NbZaLd
+ESv/bumpVyuV/C/xqkPahvOwBuPE1loxZZPx6Qv368qn7SVNVZOLyX722spooA5G
+6csCAwEAAaM9MDswCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwIQYDVR0RBBowGIcE
+fwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAMigk3sHI
+nDY9E0V5zaZpN4Y8NoxaSSPN/hJ1abae2cp5v/dpsVAn9KgRLt4YEcaxmShblx7j
+g3/8Bk18H9UXNKimfw27oWGFLgqv72rJrF4KfLQLR0PH3d44qmgbX8K204YtVQu2
+rp/3uMTnptkuAkSyA8hsFG7Y1p/wR3I57SENt2xB1f2nxyQ5vrdqbEXdKbORasM5
+hn0irWempVVd28RfXQAmJXhhHDrtIbYrSYUw7TKcG9Kl+VeGf+A+sk4ewB4wB5yU
+Pgg57hzq0DW5BwMCl5UroY+umzB3FSngWxiEzEdLn6PkzZavnRndwXD/ZcCN4qSm
+4jry8siM9ttT2g==
+-----END CERTIFICATE-----
diff --git a/test/keys/client_v3.key b/test/keys/client_v3.key
new file mode 100644
index 000000000..b989f738e
--- /dev/null
+++ b/test/keys/client_v3.key
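Review bot: client_v3.crt has a fixed validity window with nothing on the page recording it: the two UTCTime fields on the fifth and sixth base64 lines decode, if I read them right, to a notAfter of 2024-04-21, which matches `-days 3000` from the README step and the 2016-02-03 issue date. After that date every test presenting this fixture fails with an expired-certificate error rather than the SAN mismatch it is meant to exercise, so the README should state the expiry next to the signing command, e.g. `client_v3.crt expires 2024-04-21; regenerate it with the commands above before then`. The certificate also carries serial 1 (from `-set_serial 01`); if CA.pem has already issued the existing client certificate with the same serial, the two collide on (issuer, serial), which some X.509 verifiers reject, so that is worth confirming and, if so, documenting a distinct serial per certificate.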
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtnTCJCdeDlAxlla6B387fChq3Ie5zMm4VKZiJEZYuvc+6AH7
+G2+PLStNwTYw3H9t2xXGtqkIoD60wU5FsSWwXqOTQf4HsHMagjAevo3wY/VU6gDZ
+6yuGw0TPbZokjTRVoVMUTwb+qAVyKHJpVYdmwtrcxqQ7MVSY4FpXa0sGMKNrOepf
+Dd6jdfBQjQGSBL1v2+peNJyZ9ZcPDn7WKzhsKC6YbbOP0SkvKlz2oIY0oUE7ZgiD
+RewggnxGmuWJqeMvo/gx8LoY87Jbg1tlot0RK/9u6alXK5X8L/GqQ9qG87AG48TW
+WjFlk/HpC/fryqftJU1Vk4vJfvbaymigDkbpywIDAQABAoIBAQCJpyUhaaIIYnBG
+4D+RkGgsj8Gvh6ah3j53ft/kRj6DMC4BlB0C4fO/PEB5WI0cjfcvpwo4nOapHyX4
+ATmLIMgjXn2m+CSM9wo01mEbmrKWd20M7n96cWhGwg9MvVJ+RdGk2K0lwj02PoWW
+Blt576GTuNN/+j++Q/jiqsXxaLTO0/Wj+4b2gQh3n8I0u6bkolDLoERKIdrLGHH+
+FU3sk8bpUhHmeiUTfwwci+juhtOY9e30AEst6xakCHbq1lRRyEYPtWL7oLds6yv0
+UAKP7wS9Yl6dcekXSF1RZpB+fovTW+qPYn8aEuksaMz0wK96FCOjVNGYxMp+Xnvl
+sKx63UZBAoGBAOCbCbJtO0HsgIauvCvGZ50aZ1vDvQReCwri4ioutEg4JCAXHEsX
++axz2J5j3UEQhGKr0EX9BG6YbxGW0Mmjf3QxeRB+0WLpMMY2SFt93oC2R1AX9l0I
+h50O6tYv5SXm96pKxwRz01d84mCJgwn/G+cZ/EJj4rfZsNbQst6JQFvzAoGBAM/1
+gLVQt5l+IK+6s68EnADI66i7cKe6sj3rFRTahZJxL2vY28J9EB2mF/XEgARSNJQV
+X/H9zDrwKm9MX87/eCH2nEbc+5qSGpDPQm482C9DqsMitxCKD8bble1BlpjFb8hr
+R0Q3v5q8u5uomLBds5eUBeRKMtu9tOMA9KRSDGjJAoGAF44K2Ux9T2+XFwjSMSEQ
+krhHKKeBdijKrayXnWbif0Rr/XWPAQ0VoRFRIWNFu+IYkCSGpiBfy51u4IBZixv7
+bNsXYDR8jwv3koH02qt7nzH+jpbEvoL7fewnkqjZNj1fsds/vebLvjwZnZguRukb
+KwRdoTTKfQ92bUDb0VzBhCMCgYB7H+3ObDXoCQctRCsyilYbGNp+EkxG4oC5rD/V
+EvRWmfDrt3+VjRpHk5lIB8mLxWgf7O/bhNqwYpWdQ+jN0++6nBo20oudHrff2PaJ
+8jhE85lc42bjwfpJUKVZzaVuWicu0GVnfGJTKT8ikBWnBjNYoWlDmrK164H3jQ9L
+YtC6EQKBgQCabFXXHx5cIJ2XOm4K/nTOG7ClvD80xapqyGroQd9E/cJUHHPp/wQ4
+c1dMO5EViM7JRsKfxkl9vM5o9IM7swlYh4EMFSLJNjzgOY9XVkvQh0uGbiJOBO4f
+inUuWn1YWUj/HFtrT+0No+cYvZVcMKrFAy3K/AwpTbfKCk6roullNA==
+-----END RSA PRIVATE KEY-----