From 04b63bf8c1c211fc8d3acc7a584ec2443da829a7 Mon Sep 17 00:00:00 2001 From: Hakky54 Date: Thu, 9 May 2024 13:36:27 +0200 Subject: [PATCH] Integrated keystore configuration in the main server resources --- README.MD | 22 +++++++------- pom.xml | 1 - script/configure-one-way-authentication.sh | 16 +++++----- ...y-authentication-by-trusting-each-other.sh | 18 +++++------ ...-way-authentication-by-trusting-root-ca.sh | 26 ++++++++-------- server/pom.xml | 6 ---- shared-server-resources/pom.xml | 30 ------------------- .../src/main/resources/placeholder.txt | 0 8 files changed, 41 insertions(+), 78 deletions(-) delete mode 100644 shared-server-resources/pom.xml delete mode 100644 shared-server-resources/src/main/resources/placeholder.txt diff --git a/README.MD b/README.MD index a5f0f9ca..b1511842 100644 --- a/README.MD +++ b/README.MD 
@@ -135,7 +135,7 @@ To solve this issue, you are going to create a keystore with a public and privat To create a keystore with a public and private key, execute the following command in your terminal: ```bash -keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 +keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore server/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 ``` Now, you need to tell your server where the location of the keystore is and provide the passwords. Paste the following in your `application.yml` file: 
@@ -170,12 +170,12 @@ Therefor you also need to create a truststore. A truststore is a suitcase contai **Export certificate of the server** ```bash -keytool -v -exportcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -rfc +keytool -v -exportcert -file server/src/main/resources/server.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret -rfc ``` Now, you can create the truststore for the client and import the certificate of the server with the following command: ```bash -keytool -v -importcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt +keytool -v -importcert -file server/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt ``` You created the truststore for the client. Unfortunately, the client is not aware of this. Now, you need to tell that it needs to use the truststore with the correct location and password. You also need to tell the client that authentication is enabled. Provide the following property in the `application.yml` file of the client: 
@@ -213,7 +213,7 @@ keytool -v -exportcert -file client/src/test/resources/client.cer -alias client ``` **Create the server truststore with the certificate of the client** ```bash -keytool -v -importcert -file client/src/test/resources/client.cer -alias client -keystore shared-server-resources/src/main/resources/truststore.jks -storepass secret -noprompt +keytool -v -importcert -file client/src/test/resources/client.cer -alias client -keystore server/src/main/resources/truststore.jks -storepass secret -noprompt ``` You created the extra keystore for the client. Unfortunately, the client is not aware of this. Now, you need to tell that it also needs to use the keystore with the correct location and password. You also need to tell the client that two-way-authentication is enabled. Provide the following property in the `application.yml` file of the client: @@ -277,7 +277,7 @@ To get your certificate signed you need to provide a Certificate Signing Request ##### Certificate Signing Request for the server ```bash -keytool -v -certreq -file shared-server-resources/src/main/resources/server.csr -keystore shared-server-resources/src/main/resources/identity.jks -alias server -keypass secret -storepass secret -keyalg rsa +keytool -v -certreq -file server/src/main/resources/server.csr -keystore server/src/main/resources/identity.jks -alias server -keypass secret -storepass secret -keyalg rsa ``` ##### Certificate Signing Request for the client 
@@ -295,7 +295,7 @@ keytool -v -gencert -infile client/src/test/resources/client.csr -outfile client ##### Signing the server certificate ```bash -keytool -v -gencert -infile shared-server-resources/src/main/resources/server.csr -outfile shared-server-resources/src/main/resources/server-signed.cer -keystore root-ca/identity.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 -rfc +keytool -v -gencert -infile server/src/main/resources/server.csr -outfile server/src/main/resources/server-signed.cer -keystore root-ca/identity.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 -rfc ``` #### Replace the unsigned certificate with a signed one 
@@ -315,9 +315,9 @@ keytool -v -delete -alias root-ca -keystore client/src/test/resources/identity.j **Server** ```bash -keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -noprompt -keytool -v -importcert -file shared-server-resources/src/main/resources/server-signed.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -keytool -v -delete -alias root-ca -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret +keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore server/src/main/resources/identity.jks -storepass secret -noprompt +keytool -v -importcert -file server/src/main/resources/server-signed.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret +keytool -v -delete -alias root-ca -keystore server/src/main/resources/identity.jks -storepass secret ``` #### Trusting the Certificate Authority only @@ -330,7 +330,7 @@ keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore client **Server** ```bash -keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore shared-server-resources/src/main/resources/truststore.jks -storepass secret -noprompt +keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore server/src/main/resources/truststore.jks -storepass secret -noprompt ``` The truststores still contains the client and server specific certificates and that needs to be removed. You can do that with the following command: 
@@ -342,7 +342,7 @@ keytool -v -delete -alias server -keystore client/src/test/resources/truststore. **Server** ```bash -keytool -v -delete -alias client -keystore shared-server-resources/src/main/resources/truststore.jks -storepass secret +keytool -v -delete -alias client -keystore server/src/main/resources/truststore.jks -storepass secret ``` If you run the client again, you will see that the test passed and that the client received the hello message from the server while based on a certificate which is signed by the Certificate Authority. diff --git a/pom.xml b/pom.xml index dc3d757a..bcf63673 100644 --- a/pom.xml +++ b/pom.xml @@ -10,7 +10,6 @@ 1.0-SNAPSHOT - shared-server-resources server client diff --git a/script/configure-one-way-authentication.sh b/script/configure-one-way-authentication.sh index 4e37c26a..3e4e69ff 100755 --- a/script/configure-one-way-authentication.sh +++ b/script/configure-one-way-authentication.sh @@ -9,11 +9,11 @@ cleanUpExistingCertificatesAndKeystores() { rm -fv client/src/test/resources/identity.jks rm -fv client/src/test/resources/truststore.jks rm -fv root-ca/root-ca.pem - rm -fv shared-server-resources/src/main/resources/identity.jks - rm -fv shared-server-resources/src/main/resources/server.cer - rm -fv shared-server-resources/src/main/resources/server.csr - rm -fv shared-server-resources/src/main/resources/server-signed.cer - rm -fv shared-server-resources/src/main/resources/truststore.jks + rm -fv server/src/main/resources/identity.jks + rm -fv server/src/main/resources/server.cer + rm -fv server/src/main/resources/server.csr + rm -fv server/src/main/resources/server-signed.cer + rm -fv server/src/main/resources/truststore.jks echo 'Finished cleanup' } 
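Review bot: The cleanup in configure-one-way-authentication.sh now deletes `server/src/main/resources/*.jks` through paths relative to the current working directory, so it only does its job when the script is started from the repository root; run from `script/`, `rm -fv` silently removes nothing and the later keytool calls would then fail on a non-existent `server/src/main/resources`. Unless the script already changes directory before this function (its header is outside the hunk), add `cd "$(dirname "$0")/.." || exit 1` near the top of the script. The same applies to the matching cleanup hunks of configure-two-way-authentication-by-trusting-each-other.sh and configure-two-way-authentication-by-trusting-root-ca.sh. cleanUpExistingCertificatesAndKeystores starts before this hunk.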
@@ -21,9 +21,9 @@ cleanUpExistingCertificatesAndKeystores() { createCertificates() { echo 'Starting to create certificates...' - keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 - keytool -v -exportcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -rfc - keytool -v -importcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt + keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore server/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 + keytool -v -exportcert -file server/src/main/resources/server.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret -rfc + keytool -v -importcert -file server/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt } configureApplicationProperties() { diff --git a/script/configure-two-way-authentication-by-trusting-each-other.sh b/script/configure-two-way-authentication-by-trusting-each-other.sh index ce5c5966..2c0d7df3 100755 --- a/script/configure-two-way-authentication-by-trusting-each-other.sh 
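Review bot: None of the three keytool invocations in createCertificates checks its exit status, so if `-genkeypair` fails (for instance because `server/src/main/resources` does not exist, or a leftover `identity.jks` already contains the `server` alias) the following `-exportcert` and `-importcert` still run and the script moves on to configureApplicationProperties with an incomplete client truststore. If `set -e` is not already enabled above this hunk (the script header is outside the view), either add `set -euo pipefail` at the top of the script or chain each step, e.g. `keytool -v -genkeypair ... || return 1`. The store and key passwords are passed on the command line (`-storepass secret -keypass secret`), which is acceptable for this demo fixture but deserves a comment such as `# demo-only credentials; visible in process listings and shell history`. The same two points apply to the createCertificates hunks of configure-two-way-authentication-by-trusting-each-other.sh and configure-two-way-authentication-by-trusting-root-ca.sh.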
+++ b/script/configure-two-way-authentication-by-trusting-each-other.sh @@ -9,11 +9,11 @@ cleanUpExistingCertificatesAndKeystores() { rm -fv client/src/test/resources/identity.jks rm -fv client/src/test/resources/truststore.jks rm -fv root-ca/root-ca.pem - rm -fv shared-server-resources/src/main/resources/identity.jks - rm -fv shared-server-resources/src/main/resources/server.cer - rm -fv shared-server-resources/src/main/resources/server.csr - rm -fv shared-server-resources/src/main/resources/server-signed.cer - rm -fv shared-server-resources/src/main/resources/truststore.jks + rm -fv server/src/main/resources/identity.jks + rm -fv server/src/main/resources/server.cer + rm -fv server/src/main/resources/server.csr + rm -fv server/src/main/resources/server-signed.cer + rm -fv server/src/main/resources/truststore.jks echo 'Finished cleanup' } 
@@ -21,12 +21,12 @@ cleanUpExistingCertificatesAndKeystores() { createCertificates() { echo 'Starting to create certificates...' - keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 + keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore server/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 keytool -v -genkeypair -dname "CN=$1,OU=Altindag,O=Altindag,C=NL" -keystore client/src/test/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias client -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth keytool -v -exportcert -file client/src/test/resources/client.cer -alias client -keystore client/src/test/resources/identity.jks -storepass secret -rfc - keytool -v -exportcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -rfc - keytool -v -importcert -file shared-server-resources/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt - keytool -v -importcert -file client/src/test/resources/client.cer -alias client -keystore 
shared-server-resources/src/main/resources/truststore.jks -storepass secret -noprompt + keytool -v -exportcert -file server/src/main/resources/server.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret -rfc + keytool -v -importcert -file server/src/main/resources/server.cer -alias server -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt + keytool -v -importcert -file client/src/test/resources/client.cer -alias client -keystore server/src/main/resources/truststore.jks -storepass secret -noprompt } configureApplicationProperties() { diff --git a/script/configure-two-way-authentication-by-trusting-root-ca.sh b/script/configure-two-way-authentication-by-trusting-root-ca.sh index fd944b92..9fa7658b 100755 --- a/script/configure-two-way-authentication-by-trusting-root-ca.sh +++ b/script/configure-two-way-authentication-by-trusting-root-ca.sh @@ -10,11 +10,11 @@ cleanUpExistingCertificatesAndKeystores() { rm -fv client/src/test/resources/truststore.jks rm -fv root-ca/identity.jks rm -fv root-ca/root-ca.pem - rm -fv shared-server-resources/src/main/resources/identity.jks - rm -fv shared-server-resources/src/main/resources/server.cer - rm -fv shared-server-resources/src/main/resources/server.csr - rm -fv shared-server-resources/src/main/resources/server-signed.cer - rm -fv shared-server-resources/src/main/resources/truststore.jks + rm -fv server/src/main/resources/identity.jks + rm -fv server/src/main/resources/server.cer + rm -fv server/src/main/resources/server.csr + rm -fv server/src/main/resources/server-signed.cer + rm -fv server/src/main/resources/truststore.jks echo 'Finished cleanup' } 
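Review bot: createCertificates in configure-two-way-authentication-by-trusting-each-other.sh builds the client DN from `$1` (`-dname "CN=$1,OU=Altindag,O=Altindag,C=NL"`) without checking that an argument was supplied, so invoking the script with no argument yields a certificate with an empty CN or a keytool error part-way through the sequence. That line is unchanged context, but since the function is being reworked here, add `: "${1:?client CN is required}"` as its first statement. The createCertificates hunk of configure-two-way-authentication-by-trusting-root-ca.sh uses `$1` the same way and needs the same guard.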
@@ -22,23 +22,23 @@ cleanUpExistingCertificatesAndKeystores() { createCertificates() { echo 'Starting to create certificates...' keytool -v -genkeypair -dname "CN=Root-CA,OU=Certificate Authority,O=Thunderberry,C=NL" -keystore root-ca/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias root-ca -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,keyCertSign -ext BasicConstraints=ca:true,PathLen:3 - keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 + keytool -v -genkeypair -dname "CN=Hakan,OU=Amsterdam,O=Thunderberry,C=NL" -keystore server/src/main/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 keytool -v -genkeypair -dname "CN=$1,OU=Altindag,O=Altindag,C=NL" -keystore client/src/test/resources/identity.jks -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias client -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth keytool -v -exportcert -file root-ca/root-ca.pem -alias root-ca -keystore root-ca/identity.jks -storepass secret -rfc keytool -v -exportcert -file client/src/test/resources/client.cer -alias client -keystore client/src/test/resources/identity.jks -storepass secret -rfc - keytool -v -exportcert -file 
shared-server-resources/src/main/resources/server.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -rfc - keytool -v -certreq -file shared-server-resources/src/main/resources/server.csr -keystore shared-server-resources/src/main/resources/identity.jks -alias server -keypass secret -storepass secret -keyalg rsa + keytool -v -exportcert -file server/src/main/resources/server.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret -rfc + keytool -v -certreq -file server/src/main/resources/server.csr -keystore server/src/main/resources/identity.jks -alias server -keypass secret -storepass secret -keyalg rsa keytool -v -certreq -file client/src/test/resources/client.csr -keystore client/src/test/resources/identity.jks -alias client -keypass secret -storepass secret -keyalg rsa keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore client/src/test/resources/identity.jks -storepass secret -noprompt - keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret -noprompt + keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore server/src/main/resources/identity.jks -storepass secret -noprompt keytool -v -gencert -infile client/src/test/resources/client.csr -outfile client/src/test/resources/client-signed.cer -keystore root-ca/identity.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -rfc - keytool -v -gencert -infile shared-server-resources/src/main/resources/server.csr -outfile shared-server-resources/src/main/resources/server-signed.cer -keystore root-ca/identity.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext 
SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 -rfc + keytool -v -gencert -infile server/src/main/resources/server.csr -outfile server/src/main/resources/server-signed.cer -keystore root-ca/identity.jks -storepass secret -alias root-ca -validity 3650 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,DNS:raspberrypi.local,IP:127.0.0.1 -rfc keytool -v -importcert -file client/src/test/resources/client-signed.cer -alias client -keystore client/src/test/resources/identity.jks -storepass secret - keytool -v -importcert -file shared-server-resources/src/main/resources/server-signed.cer -alias server -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret + keytool -v -importcert -file server/src/main/resources/server-signed.cer -alias server -keystore server/src/main/resources/identity.jks -storepass secret keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore client/src/test/resources/truststore.jks -storepass secret -noprompt - keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore shared-server-resources/src/main/resources/truststore.jks -storepass secret -noprompt + keytool -v -importcert -file root-ca/root-ca.pem -alias root-ca -keystore server/src/main/resources/truststore.jks -storepass secret -noprompt keytool -v -delete -alias root-ca -keystore client/src/test/resources/identity.jks -storepass secret - keytool -v -delete -alias root-ca -keystore shared-server-resources/src/main/resources/identity.jks -storepass secret + keytool -v -delete -alias root-ca -keystore server/src/main/resources/identity.jks -storepass secret } configureApplicationProperties() { diff --git a/server/pom.xml b/server/pom.xml index be872fff..3d951a24 100644 --- a/server/pom.xml +++ b/server/pom.xml 
@@ -17,12 +17,6 @@ - - nl.altindag - shared-server-resources - ${project.version} - - org.springframework.boot spring-boot-starter-web diff --git a/shared-server-resources/pom.xml b/shared-server-resources/pom.xml deleted file mode 100644 index 4b0e1133..00000000 --- a/shared-server-resources/pom.xml +++ /dev/null @@ -1,30 +0,0 @@ - - - - - mutual-tls-ssl - nl.altindag - 1.0-SNAPSHOT - - - 4.0.0 - shared-server-resources - jar - - - - - - src/main/resources - - identity.jks - truststore.jks - - false - - - - - diff --git a/shared-server-resources/src/main/resources/placeholder.txt b/shared-server-resources/src/main/resources/placeholder.txt deleted file mode 100644 index e69de29b..00000000
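Review bot: The deleted shared-server-resources/pom.xml (later in this patch) carried an explicit resource declaration for `src/main/resources` naming `identity.jks` and `truststore.jks` together with a `false` value that looks like filtering being disabled (element names are stripped in this view), whereas this hunk only removes the dependency and adds no equivalent configuration to server/pom.xml. If the server build applies resource filtering to `src/main/resources`, the binary keystores would be corrupted when copied into the jar, so confirm that filtering there is either off or restricted to text files. Relocating `identity.jks` under `server/src/main/resources` also means the server's private key is now packaged inside the server artifact; for a demo with throwaway keys that is acceptable, but a README sentence or a `.gitignore` entry for the generated `.jks` files would make that explicit.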