Add generate-cert script, modify configure-ccm to work with aarch64 L…

…inux

.github/scripts/configure-ccm.sh

@@ -25,9 +25,9 @@ function set_java_home() {
     else
         export CASSANDRA_USE_JDK11=false
     fi
-    for jdk in /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/${major_version}*/; 
+    for jdk in /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/${major_version}*/*/;
     do 
-        export JAVA_HOME="${jdk/}"x64/
+        export JAVA_HOME="${jdk/}"
         echo "JAVA_HOME is set to $JAVA_HOME"
         export JAVA_TOOL_OPTIONS="-Dcom.sun.jndi.rmiURLParsing=legacy"
     done
@@ -71,10 +71,10 @@ case "${TEST_TYPE}" in
         mkdir -p ~/.local
         cp ./.github/files/jmxremote.password ~/.local/jmxremote.password
         chmod 400 ~/.local/jmxremote.password
-        for jdk in /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/8*/; 
-        do 
-          sudo chmod 777 "${jdk/}"x64/jre/lib/management/jmxremote.access
-          echo "cassandra     readwrite" >> "${jdk/}"x64/jre/lib/management/jmxremote.access
+        for jdk in /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/8*/*/;
+        do
+          sudo chmod 777 "${jdk/}"jre/lib/management/jmxremote.access
+          echo "cassandra     readwrite" >> "${jdk/}"jre/lib/management/jmxremote.access
         done
         if [[ ! -z $ELASSANDRA_VERSION ]]; then
           ccm create test -v file:elassandra-${ELASSANDRA_VERSION}.tar.gz

src/server/src/test/resources/generate-certs.sh

@@ -13,31 +13,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Copied from management-api, modified for reaper to create JKS files also
-
 # Generate a new, self-signed root CA
+echo "--- Generating self-signed root CA and key"
 openssl req -extensions v3_ca -new -x509 -days 36500 -nodes -subj "/CN=NettyTestRoot" -newkey rsa:2048 -sha512 -out mutual_auth_ca.pem -keyout mutual_auth_ca.key
 
-# Generate a certificate/key for the server
-openssl req -new -keyout mutual_auth_server.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestServer" | \
-openssl x509 -req -CAkey mutual_auth_ca.key -CA mutual_auth_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_server.crt
-
-# Generate a valid intermediate CA which will be used to sign the client certificate
-openssl req -new -keyout mutual_auth_intermediate_ca.key -nodes -newkey rsa:2048 -out mutual_auth_intermediate_ca.key
-openssl req -new -sha512 -key mutual_auth_intermediate_ca.key -subj "/CN=NettyTestIntermediate" -out intermediate.csr
-openssl x509 -req -days 1825 -in intermediate.csr -extfile openssl.cnf -extensions v3_ca -CA mutual_auth_ca.pem -CAkey mutual_auth_ca.key -set_serial $RANDOM -out mutual_auth_intermediate_ca.pem
-
-# Generate a client certificate signed by the intermediate CA
-openssl req -new -keyout mutual_auth_client.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestClient/UID=Client" | \
-openssl x509 -req -CAkey mutual_auth_intermediate_ca.key -CA mutual_auth_intermediate_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_client.crt
-
-# Append
-cat mutual_auth_intermediate_ca.pem mutual_auth_ca.pem > mutual_auth_client_cert_chain.pem
-
-# Modify to PKCS12 and JKS for Reaper (use password changeit)
-openssl pkcs12 -export -out mutual_auth_client_cert_chain.pkcs12 -inkey mutual_auth_intermediate_ca.key -in mutual_auth_client_cert_chain.pem
-openssl pkcs12 -export -out mutual_auth_client.pkcs12 -inkey mutual_auth_client.key -in mutual_auth_client.crt
-
-# Use password changeit
-keytool -importkeystore -srckeystore mutual_auth_client_cert_chain.pkcs12 -srcstoretype pkcs12 -destkeystore truststore.jks -deststoretype JKS
-keytool -importkeystore -srckeystore mutual_auth_client.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
+# Generate request certificate file
+echo "--- Generating server certificate/key"
+openssl req -new -keyout mutual_auth_server.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestServer"
+openssl req -new -sha256 -key mutual_auth_server.key --subj "/CN=NettyTestServer" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,IP:127.0.0.2")) -out mutual_auth_server.csr
+openssl x509 -req -days 1825 -CAkey mutual_auth_ca.key -CA mutual_auth_ca.pem -CAcreateserial -extensions SAN -extfile <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,IP:127.0.0.2")) -in mutual_auth_server.csr -out mutual_auth_server.crt
+
+# Generate a client certificate/key
+echo "--- Generating client certificate/key"
+openssl req -new -config openssl.cnf -keyout mutual_auth_client.key -nodes -newkey rsa:2048 -subj "/CN=NettyTestClient/UID=Client"  | \
+openssl x509 -req -extfile openssl.cnf -extensions v3_ca -CAkey mutual_auth_ca.key -CA mutual_auth_ca.pem -days 36500 -set_serial $RANDOM -sha512 -out mutual_auth_client.crt
+
+# Create truststore from the CA
+echo "--- Creating truststore"
+rm -f truststore.jks
+keytool -importcert -storetype jks -alias server_auth -keystore truststore.jks -file mutual_auth_server.crt -storepass changeit -noprompt
+
+# Create the keystore from private key
+echo "--- Create client keystore"
+rm -f keystore.jks
+cat mutual_auth_client.key mutual_auth_ca.pem mutual_auth_client.crt > mutual_auth_client_chain.crt
+openssl pkcs12 -export -in mutual_auth_client_chain.crt -out mutual_auth_client_chain.p12 -password pass:"changeit" -name mutual_auth_client -noiter -nomaciter
+keytool -importkeystore -srckeystore mutual_auth_client_chain.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS -storepass changeit -srcstorepass changeit

src/server/src/test/resources/openssl.cnf

@@ -63,6 +63,16 @@ string_mask = utf8only
 
 # req_extensions = v3_req # The extensions to add to a certificate request
 
+req_extensions = req_ext
+
+[ req_ext ]
+subjectAltName          = @alt_names
+
+[alt_names]
+DNS.1   = localhost
+IP.1 = 127.0.0.1
+IP.2 = 127.0.0.2
+
 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
 countryName_default		= AU