Commit
Secure Examples Validation
Signed-off-by: Maxim Nesen <[email protected]>
senivam committed Dec 11, 2023
1 parent 48c0197 commit 098fbe7
Showing 8 changed files with 62 additions and 44 deletions.
@@ -52,7 +52,7 @@ public static void main(String[] args) {

// Obtain the user name and password from the program arguments
String user = args.length >= 2 ? args[0] : "Ted";
String password = args.length >= 2 ? args[1] : "secret";
String password = args.length >= 2 ? args[1] : "changeit";

Config config = Config.create();

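Review bot: the fallback in `String password = args.length >= 2 ? args[1] : "changeit";` is applied silently whenever fewer than two arguments are given, so a run with a single argument ignores it and uses the built-in `Ted`/`changeit` pair without saying so; print a short line when the defaults are in use, so nobody mistakes the sample placeholder for a configured credential. Replacing `secret` with `changeit` is the right placeholder choice, since it matches the store password used by the keytool commands elsewhere in this commit.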
@@ -53,7 +53,7 @@ public static void main(String[] args) {

// Obtain the user name and password from the program arguments
String user = args.length >= 2 ? args[0] : "Ted";
String password = args.length >= 2 ? args[1] : "secret";
String password = args.length >= 2 ? args[1] : "changeit";

Config config = Config.create();

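Review bot: same fallback as in the previous hunk, duplicated verbatim in a second main class; the same request applies (announce when the default `Ted`/`changeit` pair is used), and since the two blocks are identical, a shared helper for argument handling would keep the two samples from drifting apart again.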
10 changes: 10 additions & 0 deletions examples/microprofile/tls/README.md
@@ -4,6 +4,16 @@ This examples shows how to configure server TLS using Helidon MP.

Note: This example uses self-signed server certificate!

### How to generate self-signed certificate (optional)
In this example the certificate is bundled so no special certificate is required.
Required tools: keytool
```bash
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=localhost" -validity 21650 -keystore server.jks -storepass changeit -keypass changeit -deststoretype pkcs12
keytool -exportcert -keystore server.jks -storepass changeit -alias server -rfc -file server.cer
keytool -certreq -keystore server.jks -alias server -keypass changeit -storepass changeit -keyalg rsa -file server.csr
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit
```

## Build and run

```bash
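Review bot: the `keytool -certreq ... -file server.csr` line produces a certificate signing request that no later command in this block consumes, so for a self-signed certificate it should either be dropped or the README should say what to do with `server.csr`. The section also never states that the example's TLS configuration expects the store password `changeit`, which anyone regenerating `server.jks`/`server.p12` with a different `-storepass` needs to know, and `-validity 21650` (roughly 59 years) deserves a one-line remark that it is a sample setting, not a recommendation.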
@@ -35,9 +35,9 @@ static void startAndPrintEndpoints(Supplier<WebServer> startMethod) {
System.out.printf("Started server on localhost:%d%n", webServer.port());
System.out.println();
System.out.println("Users:");
System.out.println("Jack/changeit in roles: user, admin");
System.out.println("Jill/changeit in roles: user");
System.out.println("John/changeit in no roles");
System.out.println("jack/changeit in roles: user, admin");
System.out.println("jill/changeit in roles: user");
System.out.println("john/changeit in no roles");
System.out.println();
System.out.println("***********************");
System.out.println("** Endpoints: **");
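Review bot: this hunk only changes the printed banner, lowercasing `Jack`/`Jill`/`John` to `jack`/`jill`/`john`; whether those are the names the example actually accepts depends on the security configuration that defines the users, which is not among the eight changed files in this commit. Please confirm the configured names are lowercase, otherwise the banner now advertises users that do not exist.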
@@ -43,9 +43,9 @@ static WebServer startServer(Routing routing) {
System.out.printf("Started server on localhost:%d%n", webServer.port());
System.out.println();
System.out.println("Users:");
System.out.println("Jack/password in roles: user, admin");
System.out.println("Jill/password in roles: user");
System.out.println("John/password in no roles");
System.out.println("jack/changeit in roles: user, admin");
System.out.println("jill/changeit in roles: user");
System.out.println("john/changeit in no roles");
System.out.println();
System.out.println("***********************");
System.out.println("** Endpoints: **");
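Review bot: the banner now prints `changeit` instead of `password`, but none of the eight changed files in this commit is the configuration that defines these users' passwords; either the configuration already used `changeit` (in which case the old banner was wrong) or it still says `password` (in which case the new banner is wrong). Please point to where the password is defined, or include that change here, so the banner and the configuration cannot disagree.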
6 changes: 3 additions & 3 deletions examples/security/webserver-signatures/README.md
@@ -23,7 +23,7 @@ java -jar target/helidon-examples-security-webserver-signatures.jar

Try the endpoints:
```bash
curl -u "jack:changeit" http://localhost:8080/service1
curl -u "jill:changeit" http://localhost:8080/service1-rsa
curl -v -u "john:changeit" http://localhost:8080/service1
curl -u "jack:password" http://localhost:8080/service1
curl -u "jill:password" http://localhost:8080/service1-rsa
curl -v -u "john:password" http://localhost:8080/service1
```
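Review bot: the curl examples now match the banner in the previous hunk (lowercase names, `changeit`), but the README gives no hint of what each call should return; since `john` is listed as having no roles and is the only call run with `-v`, one sentence stating the expected outcome for each of the three users would let readers verify the signatures setup rather than guess.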
10 changes: 9 additions & 1 deletion examples/webserver/mutual-tls/README.md
@@ -23,4 +23,12 @@ to invoke the endpoint using client certificate.

Alternative approach is to install the private key and certificate
to your browser and invoke the endpoint manually.


### Howto regenerate certificates (optional)
In order to regenerate bundled certificates: client.p12 and server.p12 use
bundled script with given parameters:
```bash
./automatic-store-generator.sh --name Helidon --type P12 --single true
```
and then copy generated certificates from ``out/client.p12`` and ``out/server.p12``
to `src/main/resources` other generated files can be deleted.
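Review bot: the new section has a few wording and markup issues: `Howto` should be `How to`, the code spans mix double backticks (``out/client.p12``) with single backticks (`src/main/resources`), and the final sentence runs two statements together; split it after `src/main/resources`. More importantly, it should say that the script needs both `keytool` and `openssl` on the PATH and that the regenerated stores are protected with the password `changeit`, which the example's configuration must match; and since the intermediate files the script leaves behind include unencrypted private keys (`client-private.key` and `server-private.key`, written with `openssl pkcs12 -nodes`), "can be deleted" should read "should be deleted".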
64 changes: 32 additions & 32 deletions examples/webserver/mutual-tls/automatic-store-generator.sh
100644 → 100755
@@ -25,54 +25,54 @@ SINGLE=true
createCertificatesAndStores() {
mkdir out
echo 'Generating new key stores...'
keytool -genkeypair -keyalg RSA -keysize 2048 -alias root-ca -dname "CN=$NAME-CA" -validity 21650 -keystore ca.jks -storepass password -keypass password -deststoretype pkcs12 -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true,PathLen:3
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=localhost" -validity 21650 -keystore server.jks -storepass password -keypass password -deststoretype pkcs12
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -dname "C=CZ,CN=$NAME-client,OU=Prague,O=Oracle" -validity 21650 -keystore client.jks -storepass password -keypass password -deststoretype pkcs12
keytool -genkeypair -keyalg RSA -keysize 2048 -alias root-ca -dname "CN=$NAME-CA" -validity 21650 -keystore ca.jks -storepass changeit -keypass changeit -deststoretype pkcs12 -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true,PathLen:3
keytool -genkeypair -keyalg RSA -keysize 2048 -alias server -dname "CN=localhost" -validity 21650 -keystore server.jks -storepass changeit -keypass changeit -deststoretype pkcs12
keytool -genkeypair -keyalg RSA -keysize 2048 -alias client -dname "C=CZ,CN=$NAME-client,OU=Prague,O=Oracle" -validity 21650 -keystore client.jks -storepass changeit -keypass changeit -deststoretype pkcs12
echo 'Obtaining client and server certificates...'
keytool -exportcert -keystore client.jks -storepass password -alias client -rfc -file client.cer
keytool -exportcert -keystore server.jks -storepass password -alias server -rfc -file server.cer
keytool -exportcert -keystore client.jks -storepass changeit -alias client -rfc -file client.cer
keytool -exportcert -keystore server.jks -storepass changeit -alias server -rfc -file server.cer
echo 'Generating CSR for client and server...'
keytool -certreq -keystore server.jks -alias server -keypass password -storepass password -keyalg rsa -file server.csr
keytool -certreq -keystore client.jks -alias client -keypass password -storepass password -keyalg rsa -file client.csr
keytool -certreq -keystore server.jks -alias server -keypass changeit -storepass changeit -keyalg rsa -file server.csr
keytool -certreq -keystore client.jks -alias client -keypass changeit -storepass changeit -keyalg rsa -file client.csr
echo 'Obtaining CA pem and key...'
keytool -importkeystore -srckeystore ca.jks -destkeystore ca.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass password -deststorepass password
openssl pkcs12 -in ca.p12 -out ca.key -nocerts -passin pass:password -passout pass:password
openssl pkcs12 -in ca.p12 -out ca.pem -nokeys -passin pass:password -passout pass:password
keytool -importkeystore -srckeystore ca.jks -destkeystore ca.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit
openssl pkcs12 -in ca.p12 -out ca.key -nocerts -passin pass:changeit -passout pass:changeit
openssl pkcs12 -in ca.p12 -out ca.pem -nokeys -passin pass:changeit -passout pass:changeit
echo 'Signing client and server certificates...'
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client-signed.cer -days 21650 -passin pass:password
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server-signed.cer -sha256 -days 21650 -passin pass:password
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client-signed.cer -days 21650 -passin pass:changeit
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server-signed.cer -sha256 -days 21650 -passin pass:changeit
echo 'Replacing server and client certificates with the signed ones...'
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass password -deststorepass password
openssl pkcs12 -in client.p12 -nodes -out client-private.key -nocerts -passin pass:password
openssl pkcs12 -export -in client-signed.cer -inkey client-private.key -out client-signed.p12 -name client -passout pass:password
keytool -delete -alias client -keystore client.jks -storepass password
keytool -importkeystore -srckeystore client-signed.p12 -srcstoretype PKCS12 -destkeystore client.jks -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass password -deststorepass password
openssl pkcs12 -in server.p12 -nodes -out server-private.key -nocerts -passin pass:password
openssl pkcs12 -export -in server-signed.cer -inkey server-private.key -out server-signed.p12 -name server -passout pass:password
keytool -delete -alias server -keystore server.jks -storepass password
keytool -importkeystore -srckeystore server-signed.p12 -srcstoretype PKCS12 -destkeystore server.jks -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit
openssl pkcs12 -in client.p12 -nodes -out client-private.key -nocerts -passin pass:changeit
openssl pkcs12 -export -in client-signed.cer -inkey client-private.key -out client-signed.p12 -name client -passout pass:changeit
keytool -delete -alias client -keystore client.jks -storepass changeit
keytool -importkeystore -srckeystore client-signed.p12 -srcstoretype PKCS12 -destkeystore client.jks -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore server.jks -destkeystore server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass changeit -deststorepass changeit
openssl pkcs12 -in server.p12 -nodes -out server-private.key -nocerts -passin pass:changeit
openssl pkcs12 -export -in server-signed.cer -inkey server-private.key -out server-signed.p12 -name server -passout pass:changeit
keytool -delete -alias server -keystore server.jks -storepass changeit
keytool -importkeystore -srckeystore server-signed.p12 -srcstoretype PKCS12 -destkeystore server.jks -srcstorepass changeit -deststorepass changeit

echo "Importing CA cert to the client and server stores..."
if [ "$SINGLE" = true ] ; then
keytool -v -trustcacerts -keystore client.jks -importcert -file ca.pem -alias root-ca -storepass password -noprompt
keytool -v -trustcacerts -keystore server.jks -importcert -file ca.pem -alias root-ca -storepass password -noprompt
keytool -v -trustcacerts -keystore client.jks -importcert -file ca.pem -alias root-ca -storepass changeit -noprompt
keytool -v -trustcacerts -keystore server.jks -importcert -file ca.pem -alias root-ca -storepass changeit -noprompt
else
keytool -v -trustcacerts -keystore client-truststore.jks -importcert -file ca.pem -alias root-ca -storepass password -noprompt
keytool -v -trustcacerts -keystore server-truststore.jks -importcert -file ca.pem -alias root-ca -storepass password -noprompt
keytool -v -trustcacerts -keystore client-truststore.jks -importcert -file ca.pem -alias root-ca -storepass changeit -noprompt
keytool -v -trustcacerts -keystore server-truststore.jks -importcert -file ca.pem -alias root-ca -storepass changeit -noprompt
fi

echo "Changing aliases to 1..."
keytool -changealias -alias server -destalias 1 -keypass password -keystore server.jks -storepass password
keytool -changealias -alias client -destalias 1 -keypass password -keystore client.jks -storepass password
keytool -changealias -alias server -destalias 1 -keypass changeit -keystore server.jks -storepass changeit
keytool -changealias -alias client -destalias 1 -keypass changeit -keystore client.jks -storepass changeit

echo "Generating requested type of stores..."
if [ "$TYPE" = PKCS12 ] || [ "$TYPE" = P12 ] ; then
keytool -importkeystore -srckeystore client.jks -destkeystore out/client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore server.jks -destkeystore out/server.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore client.jks -destkeystore out/client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore server.jks -destkeystore out/server.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit
if [ "$SINGLE" = false ] ; then
keytool -importkeystore -srckeystore server-truststore.jks -destkeystore out/server-truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore client-truststore.jks -destkeystore out/client-truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password
keytool -importkeystore -srckeystore server-truststore.jks -destkeystore out/server-truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore client-truststore.jks -destkeystore out/client-truststore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit
fi
else
mv client.jks out/client.jks
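Review bot: `mkdir out` (unchanged context at the top of the function) has no `-p`, so a second run of the script in the same directory fails on its first command; use `mkdir -p out` or remove the old directory first so reruns are reliable. Two further points in the changed lines: the client certificate is signed without `-sha256` while the server line passes it (`openssl x509 -req -in client.csr ...` versus `... -in server.csr ... -sha256 ...`), so make the two signing commands consistent; and `openssl pkcs12 -in client.p12 -nodes -out client-private.key` (and its server equivalent) writes the private key unencrypted into the working directory, and the visible part of the script never removes these files, so add a cleanup step at the end. The mode change to 100755 is correct given that the README invokes the script as `./automatic-store-generator.sh`.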
