tigergraph · YipingXiongTG · Dec 7, 2022 · Dec 27, 2022 · Dec 27, 2022 · Jan 3, 2023
diff --git a/tools/kafka_ssl/README.md b/tools/kafka_ssl/README.md
@@ -0,0 +1,59 @@
+# SSL - certificates/keystore/truststore generate
+# SSL - import key/certificate pairs into an existing keystore
+# SSL - import certificate into an existing truststore
+
+# help commands
+1. bash ssl_generate.sh -h
+2. bash ssl_import.sh -h
+
+# help options
+1. bash ssl_generate.sh -gen_keystore -h
+2. bash ssl_import.sh -import_to_keystore -h
+
+# Example
+1. Only generate a Certificate Authority (CA) key and certificate
+  - `bash ssl_generate.sh -gen_CARoot -c kafka-0.tigergraph.com -p 123456`
+    - 'kafka-0.tigergraph.com' is the CN of Certificate Authority (CA)
+    - '123456' is the passphrase of CA private_key
+
+
+2. Only generate a keystore
+  - `bash ssl_generate.sh -gen_keystore -c kafka-0.tigergraph.com -storepass 123456`
+    - 'kafka-0.tigergraph.com' is the Subject CN of keystore
+    - '123456' is the storepass of keystore
+
+
+3. Only generate an empty truststore
+  - `bash ssl_generate.sh -gen_truststore -storepass 123456`
+    - '123456' is the storepass of truststore
+
+
+4. At the same time, generate CARoot/CARoot private_key, keystore, and an empty truststore
+  - `bash ssl_generate.sh -c kafka-0.tigergraph.com`
+    - 'kafka-0.tigergraph.com' is the CN
+    - The default passphrase of CA private_key is 'tiger123'
+    - The default storepass of keystore and truststore is 'tiger123'
+
+
+5. Sign sub-certificates with an existing certificate (CARoot or other Superior certificate)
+  - `bash ssl_generate.sh -gen_subCA -cer ./SSL_OUTPUT/ca-root.crt -cerKey ./SSL_OUTPUT/ca-root.key -p 123456` -c tigergraph
+    - './SSL_OUTPUT/ca-root.crt' is the path of higher-level CA
+    - './SSL_OUTPUT/ca-root.key' is the path of higher-level CA private_key
+    - '123456' is the passphrase of higher-level CA private_key
+    - 'tigergraph' is the CN of your sub-certificate
+
+
+6. Import key/certificate pairs into an existing keystore
+  - `bash ssl_import.sh -import_to_keystore -keystore ./SSL_OUTPUT/server.keystore -cer ./SSL_OUTPUT/ca-root.crt -cerKey ./SSL_OUTPUT/ca-root.key -storepass 123456 -p tiger123`
+    - './SSL_OUTPUT/server.keystore' is the path of your keystore
+    - './SSL_OUTPUT/ca-root.crt' is the certificate path to be imported
+    - './SSL_OUTPUT/ca-root.key' is the certificate private_key path to be imported
+    - '123456' is the storepass of keystore
+    - 'tiger123' is the passphrase of the certificate private_key
+
+
+7. Import certificate into an existing truststore
+  - `bash ssl_import.sh -import_to_truststore -truststore ./SSL_OUTPUT/server.truststore -cer ./SSL_OUTPUT/ca-root.crt -storepass 123456`
+    - './SSL_OUTPUT/server.truststore' is the path of your truststore
+    - './SSL_OUTPUT/ca-root.crt' is the certificate path to be imported
+    - '123456' is the storepass of the truststore
diff --git a/tools/kafka_ssl/generate_ssl_CA/ssl_example.sh b/tools/kafka_ssl/generate_ssl_CA/ssl_example.sh
@@ -0,0 +1,35 @@
+#! /bin/bash
+
+cd $(dirname $0)
+BASE_DIR=$(pwd)
+
+broker_hostname=${1:-kafka-0.tigergraph.com}
+client_hostname=${2:-tigergraph}
+output_path=./SSL_OUTPUT
+
+cleanup() {
+if [ ! -z "${output_path}" -a -d ${output_path} ]; then
+   rm -fr ${output_path}
+fi
+}
+
+# cleanup
+cleanup
+
+## step1: Generate a Certificate Authority (CA) private_key/certificate, keystore and truststore
+bash ssl_generate.sh
+
+## step2: generate and sign Kafka broker private_key/certificate
+bash ssl_generate.sh -gen_subCA -cer ${output_path}/ca-root.crt -cerKey ${output_path}/ca-root.key -c ${broker_hostname}
+
+## step3: import CA key/certificate pairs to keystore
+bash ssl_import.sh -import_to_keystore -keystore ${output_path}/server.keystore -cer ${output_path}/ca-root.crt -cerKey ${output_path}/ca-root.key
+
+## step4: import Kafka broker private_key/certificate in keystore
+bash ssl_import.sh -import_to_keystore -keystore ${output_path}/server.keystore -cer ${output_path}/${broker_hostname}.crt -cerKey ${output_path}/${broker_hostname}.key
+
+## step5: generate and sign client private_key/certificate
+bash ssl_generate.sh -gen_subCA -cer ${output_path}/ca-root.crt -cerKey ${output_path}/ca-root.key -c ${client_hostname}
+
+## step6: import CA certificate in trustStore
+bash ssl_import.sh -import_to_truststore -truststore ${output_path}/server.truststore -cer ${output_path}/ca-root.crt
diff --git a/tools/kafka_ssl/generate_ssl_CA/ssl_generate.sh b/tools/kafka_ssl/generate_ssl_CA/ssl_generate.sh
@@ -0,0 +1,223 @@
+#!/bin/bash
+
+cd $(dirname $0)
+BASE_DIR=$(pwd)
+
+source_file() {
+  file=$1
+  msg="$2"
+  src_flag=$3
+  if [ -f "$file" ]; then
+    if [ "$src_flag" != "false" ]; then
+      source $file
+    fi
+  else
+    echo $(tput setaf 1) "[ERROR   ]: $msg" $(tput sgr0)
+    exit 1
+  fi
+}
+
+# source all functions
+source_file utils/pretty_print "File utils/pretty_print NOT found, exit" true
+source_file utils/env_utils "File utils/env_utils NOT found, exit" true
+source_file utils/ssl_utils "File utils/ssl_utils NOT found, exit" true
+
+OSG=$(get_os)
+OS=$(echo "$OSG" | cut -d' ' -f1)
+version=$(echo "$OSG" | cut -d' ' -f2)
+OSV="$OS$(echo "$version" | cut -d'.' -f1)"
+
+generate_root=${BASE_DIR}/SSL_OUTPUT
+CN=kafka-0.tigergraph.com
+storetype=jks
+pass=tiger123
+storepass=tiger123
+storeName=""
+CA=""
+CAkey=""
+
+CARoot_flag=""
+subCA_flag=""
+genKeystore_flag=""
+genTruststore_flag=""
+help_flag=""
+
+opt_string="hip:c:s:o:n:"
+opt_long_string="help,gen_CARoot,gen_subCA,gen_keystore,gen_truststore,passphrase:,output:,storepass:,storetype:,cer:,cerKey:,CN:,name:"
+ARGS=`getopt -a -o $opt_string --long $opt_long_string -- "$@"`
+
+if [ $? != 0 ] ; then exit 1 ; fi
+eval set -- "${ARGS}"
+while :
+do
+    case $1 in
+        -h|--help)
+            help_flag=true
+            ;;
+        --gen_CARoot)
+            CARoot_flag=true
+            ;;
+        --gen_subCA)
+            subCA_flag=true
+            ;;
+        --gen_keystore)
+            genKeystore_flag=true
+            ;;
+        --gen_truststore)
+            genTruststore_flag=true
+            ;;
+        --cer)
+            CA=`path_conver $2`
+            shift
+            ;;
+        --cerKey)
+            CAkey=`path_conver $2`
+            shift
+            ;;
+        -o|--output)
+            generate_root=$2
+            if [ ! -d ${generate_root} ]; then
+              warn "The path '$generate_root' does not exist"
+              prog "start creating output directory..."
+              mkdir -p $generate_root
+            fi
+            generate_root=`path_conver $generate_root`
+            shift
+            ;;
+        -p|--passphrase)
+            pass=$2
+            if [ ${#pass} -lt 6 ];then
+              error "Password is too short - must be at least 6 characters."
+              exit 1
+            fi
+            shift
+            ;;
+        --storepass)
+            storepass=$2
+            shift
+            ;;
+        -c|--CN)
+            CN=$2
+            shift
+            ;;
+        -s|--storetype)
+            storetype=$2
+            shift
+            ;;
+        -n|--name)
+            storeName=$2
+            shift
+            ;;
+        -i|--install)
+            SETUP_JDK=true
+            SETUP_OPENSSL=true
+            ;;
+        --)
+            shift
+            break
+            ;;
+        *)
+            error "${bldred}Invalid option, the correct usage is described below: $txtrst"
+            generate_help
+            ;;
+    esac
+shift
+done
+
+if [[ ! -z $help_flag ]]; then
+  if [[ ! -z $CARoot_flag ]]; then
+    general_usage gen_CARoot
+  elif [[ ! -z $subCA_flag ]]; then
+    general_usage gen_subCA
+  elif [[ ! -z $genKeystore_flag ]]; then
+    general_usage gen_keystore
+  elif [[ ! -z $genTruststore_flag ]]; then
+    general_usage gen_truststore
+  else
+    generate_help
+  fi
+  exit 0
+else
+  # this script only support rhel/centos
+  prog "Checking operation system (OS) version ..."
+  check_os $OS $version
+
+  prog "Checking root/sudo ..."
+  check_root
+
+  # Using option '-i/--install' will install openjdk-1.8.0 and openssl,
+  # otherwise openjdk-1.8.0 and openssl will not be installed
+  # install openJDK
+  install_openJDK
+  # install openssl
+  install_openssl
+
+  # If the command is empty, --gen_CARoot, --gen_keystore, and --gen_truststore are executed by default
+  total_flag=($CARoot_flag $genKeystore_flag $subCA_flag $genTruststore_flag)
+  if [[ -z $(IFS=,; echo "${total_flag[*]}") ]]; then
+    CARoot_flag=true
+    genKeystore_flag=true
+    genTruststore_flag=true
+    note "The input command is empty."
+    note "'--gen_CARoot', '--gen_keystore', and '--gen_truststore' are executed by default."
+  fi
+
+  # generate root CA
+  if [[ ! -z $CARoot_flag ]]; then
+    prog "root-CA output directory: $generate_root"
+    prog "root-CA CN: $CN"
+    CA=${generate_root}/ca-root.crt
+    CAkey=${generate_root}/ca-root.key
+
+    check_file ${CA} 0
+    check_file ${CAkey} 0
+    generate_CARoot $generate_root $CN $pass
+  fi
+
+  # generate keystore
+  if [[ ! -z $genKeystore_flag ]]; then
+    if [[ -z $storeName ]]; then
+      keystoreName=server.keystore
+    else
+      keystoreName=${storeName}.keystore
+    fi
+    prog "keystore output directory: $generate_root"
+    prog "Keystore -Dname CN: $CN"
+    prog "keystore name: $keystoreName"
+    generate_keystore ${generate_root} ${storepass} ${CN} ${storetype} ${keystoreName}
+    keystore=${generate_root}/${keystoreName}
+    prog "Generate keystore: $keystore"
+    note "View keystore: keytool -list -v -keystore $keystore -storepass $pass"
+  fi
+
+  # generate a sub-certificate using the keytool
+  if [[ ! -z $subCA_flag ]]; then
+    prog "Subordinate-CA output directory: $generate_root"
+    if [[ -z "$CA" || -z "$CAkey" ]]; then
+      error "Missing options: '-cer' or '-cerKey', exiting..."
+      general_usage gen_subCA
+      exit 1
+    fi
+
+    check_cert $CA $CAkey $pass
+    generate_sub_cert $generate_root $CA $CAkey $pass $CN
+    prog "Generate subordinate-CA: ${CN}.crt successfully"
+  fi
+
+  # generate truststore
+  if [[ ! -z ${genTruststore_flag:-} ]]; then
+    if [[ -z $storeName ]]; then
+      truststoreName=server.truststore
+    else
+      truststoreName=${storeName}.truststore
+    fi
+    truststore="${generate_root}/${truststoreName}"
+    if [ ! -f "${truststore}" ]; then
+      prog "Generate truststore: ${truststore}"
+      generate_truststore "${generate_root}" "${truststoreName}" "${storepass}" "${storetype}"
+    else
+      warn "${truststore} already exists, skipping generation!"
+    fi
+    note "View truststore: keytool -list -v -keystore ${truststore} -storepass ${storepass}"
+  fi
+fi