From 4c52f0d264f9142e2970d2ba66dbc792866ccdd9 Mon Sep 17 00:00:00 2001 From: Erik Jaegervall Date: Fri, 1 Mar 2024 16:10:39 +0100 Subject: [PATCH] Remove token/certificate scripts from kuksa.val And instead refer to kuksa-common --- doc/KUKSA.val_server/jwt.md | 12 ++-- jwt/README.md | 16 ++--- kuksa_certificates/README.md | 37 ++-------- kuksa_certificates/genCerts.sh | 67 ------------------ kuksa_certificates/jwt/README.md | 9 +-- kuksa_certificates/jwt/createToken.py | 74 -------------------- kuksa_certificates/jwt/recreateJWTkeyPair.sh | 23 ------ 7 files changed, 23 insertions(+), 215 deletions(-) delete mode 100755 kuksa_certificates/genCerts.sh delete mode 100755 kuksa_certificates/jwt/createToken.py delete mode 100755 kuksa_certificates/jwt/recreateJWTkeyPair.sh diff --git a/doc/KUKSA.val_server/jwt.md b/doc/KUKSA.val_server/jwt.md index 5e4b1cc5b..d08511966 100644 --- a/doc/KUKSA.val_server/jwt.md +++ b/doc/KUKSA.val_server/jwt.md @@ -19,7 +19,7 @@ How does this work? First the access rights are describe in JSON, an example tok "*": "rw" } } -``` +``` This are the rules to create a valid KUKSA.val token @@ -44,13 +44,13 @@ This are the rules to create a valid KUKSA.val token "Vehicle.OBD.*": "r" } } - ``` + ``` The tokens are protected using public key cryptography using the RS256 mechanism. This is basically an RSA encrypted SHA256 hash of the token contents. The private key is used to create the signature and the public key needs to be provided to the KUKSA.val server so it can validate tokens. It will only accept tokens that are signed by the corresponding private key. -In [kuksa_certificates/jwt](../../kuksa_certificates/jwt) is a helper script to create a valid token out of the json input like so +In [kuksa-common/jwt](https://github.com/eclipse-kuksa/kuksa-common/blob/main/jwt/) is a helper script to create a valid token out of the json input like so ``` -$ ./createToken.py sometoken.json +$ ./createToken.py sometoken.json Reading private key from jwt.key Reading JWT payload from sometoken.json Writing signed key to sometoken.json.token @@ -58,9 +58,9 @@ Writing signed key to sometoken.json.token This uses `jwt.key` in the same folder as private key. The corresponding public key `jwt.key.pub` will be copied to the `build/src` folder during a cmake build. -If you wish to create a new key pair, [kuksa_certificates/jwt](../../kuksa_certificates/jwt) contains a script for that +If you wish to create a new key pair, [kuksa-common/jwt](https://github.com/eclipse-kuksa/kuksa-common/blob/main/jwt/) contains a script for that ``` -$ ./recreateJWTkeyPair.sh +$ ./recreateJWTkeyPair.sh Recreating KUKSA.val key pair used for JWT verification ------------------------------------------------------- diff --git a/jwt/README.md b/jwt/README.md index f84f0030d..1663983c2 100644 --- a/jwt/README.md +++ b/jwt/README.md @@ -1,5 +1,8 @@ # Databroker Example Tokens +*NOTE: The tokens here are copies of the tokens stored in [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt)!* + + This directory contains example tokens for demo and test purposes for KUKSA.val Databroker. For more information on token format see [documentation](../doc/KUKSA.val_data_broker/authorization.md). @@ -15,14 +18,5 @@ For more information on token format see [documentation](../doc/KUKSA.val_data_b ## Create new tokens -Tokens can be generated as described in [documentation](../kuksa_certificates/README.md). -Note that token generation must take place from the directory containing `createToken.py` - -An example is shown below: - -``` -~/kuksa.val/kuksa_certificates/jwt$ python -m createToken ../../jwt/actuate-provide-all.json -Reading private key from jwt.key -Reading JWT payload from ../../jwt/actuate-provide-all.json -Writing signed access token to ../../jwt/actuate-provide-all.token -``` +Helper scripts and documentation on how to generate new keys and tokens exist in +[kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt). diff --git a/kuksa_certificates/README.md b/kuksa_certificates/README.md index b431dcc78..291a02978 100644 --- a/kuksa_certificates/README.md +++ b/kuksa_certificates/README.md @@ -3,12 +3,15 @@ This directory contains example keys, tokens and certificates that can be used for testing clients and servers in this repository. Many of the clients and servers in this repository use keys, tokens and certificates from this directory by default. +*Note that the primary storage location for keys, tokens and certificates usable for KUKSA Databroker* +*is [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main).* +*Files that also exist here should be considered as copies.* ## Keys and Certificates for TLS connections This directory contain a set of example certificates, used by the KUKSA-project during development and testing. They may or may not be useful for your test environment. -If needed you can customize `genCerts.sh` and generate keys and certificates that fits your environment. +If needed you can customize the [genCerts.sh](https://github.com/eclipse-kuksa/kuksa-common/blob/main/tls/genCerts.sh) script and generate keys and certificates that fits your environment. See the [KUKSA.val TLS documentation](../doc/tls.md) for general information on the KUKSA.val TLS concept. @@ -24,23 +27,7 @@ This directory contains the following files with cryptographical information. | `Server.pem` | Client certificate chain, valid for 365 days, currently not needed as mutual authentication is not supported. | If the certificates have expired or you by any other reason need to regenerate keys or certificates you can use -the `genCerts.sh` cript as described below. - -### Generating Keys and Certificates for TLS Connections - -Execute the script - -``` -> ./genCerts.sh -``` - -This creates `Client.pem` and `Server.pem` valid for 365 days since the day of generation. -If you want to also generate new keys, then delete the keys you want to regenerate before running the script. -This will trigger the script to generate new keys before generating the corresponding certificate. -If you want to regenerate `CA.pem` you must first delete it. - -**NOTE: The script genCerts.sh may not be suitable to use for generating keys and certificates for your production environment! ** -**NOTE: Please consult with your Project Security Manager (or similar) on how your keys and certificates shall be generated! ** +the [genCerts.sh](https://github.com/eclipse-kuksa/kuksa-common/blob/main/tls/genCerts.sh) as described in kuksa-common [documentation](https://github.com/eclipse-kuksa/kuksa-common/blob/main/tls/README.md). ## Java Web Tokens (JWT) @@ -57,15 +44,5 @@ The following example tokens exist: Note that the tokens have limited validity, if expired the `*.json` files need to be updated and the `*.json.token` files regenerated. -Two helper scripts exist for generating keys and tokens - -* [recreateJWTkeyPair.sh](jwt/recreateJWTkeyPair.sh) to regenerate the JWT keys used for signing -* [createToken.py](jwt/createToken.py) to create signed tokens, requires `*.json` files as parameters - -Example use: - - -```bash -$ pip3 install -r requirements.txt -$ ./createToken.py all-read-write.json -``` +Two helper scripts exist for generating keys and tokens, please see +[kuksa-common documentation](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt) diff --git a/kuksa_certificates/genCerts.sh b/kuksa_certificates/genCerts.sh deleted file mode 100755 index 4058975d2..000000000 --- a/kuksa_certificates/genCerts.sh +++ /dev/null @@ -1,67 +0,0 @@ -#!/bin/sh - - -genCAKey() { - openssl genrsa -out CA.key 2048 -} - - -genCACert() { - openssl req -key CA.key -new -out CA.csr -subj "/C=CA/ST=Ontario/L=Ottawa/O=Eclipse.org Foundation, Inc./CN=localhost-ca/emailAddress=kuksa-dev@eclipse.org" - openssl x509 -signkey CA.key -in CA.csr -req -days 3650 -out CA.pem -} - -genKey() { - openssl genrsa -out $1.key 2048 -} - -# This method (and how it is called) contains some hacks to pass name verification -# CN is called as per argument -# We also include that as subjectAltName -# We add localhost and 127.0.0.1 as subjectAltName as they are common host names used in test -# Also Server/Client as that can be a work-around (by setting tls-server-name in e.g. kuksa-client) -# as some TLS client integrations cannot handle name verification towards IP-addresses -# (Only client for now in KUKSA.val that has problem with IP host validation is the kuksa-client gRPC integration) -genCert() { - tmp="$(mktemp)" - printf "subjectAltName=DNS:%s, DNS:localhost, IP:127.0.0.1" "$1" > "$tmp" - openssl req -new -key $1.key -out $1.csr -passin pass:"temp" -subj "/C=CA/ST=Ontario/L=Ottawa/O=Eclipse.org Foundation, Inc./CN=$1/emailAddress=kuksa-dev@eclipse.org" - openssl x509 -req -in $1.csr -extfile "$tmp" -CA CA.pem -CAkey CA.key -CAcreateserial -days 365 -out $1.pem - openssl verify -CAfile CA.pem $1.pem - rm "$tmp" -} - -set -e -# Check if the CA is available, else make CA certificates -if [ -f "CA.key" ]; then - echo "Existing CA.key will be used" -else - echo "No CA.key found, will generate new key" - genCAKey - rm -f CA.pem - echo "" -fi - -# Check if the CA.pem is available, else generate a new CA.pem -if [ -f "CA.pem" ]; then - echo "CA.pem will not be regenerated" -else - echo "No CA.pem found, will generate new CA.pem" - genCACert - echo "" -fi - - -for i in Server Client; -do - if [ -f $i.key ]; then - echo "Existing $i.key will be used" - else - echo "No $i.key found, will generate new key" - genKey $i - fi - echo "" - echo "Generating $i.pem" - genCert $i - echo "" -done diff --git a/kuksa_certificates/jwt/README.md b/kuksa_certificates/jwt/README.md index 418bd2813..088f41160 100644 --- a/kuksa_certificates/jwt/README.md +++ b/kuksa_certificates/jwt/README.md @@ -1,12 +1,13 @@ # KUKSA Server JWT Tokens This directory contains example tokens for communication with the KUKSA Server. -Corresponding tokens for Databroker can be found [here](../../jwt). +Corresponding tokens for Databroker can be found in +[kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt) and local copies [here](../../jwt). -The script [createToken.py](createToken.py) can be used to generate new tokens if needed. +The script [createToken.py](https://github.com/eclipse-kuksa/kuksa-common/blob/main/jwt/createToken.py) can be used to generate new tokens if needed. For historical reasons KUKSA Server tokens use a different pattern for token names. -If you generate new tokens for KUKSA Server you must first run the script and then rename the generated token. +If you generate new tokens for KUKSA Server you must first run the script and then rename the generated token, or specify output name with the `--output` parameter. ## Example: Re-generate token with new expiry date @@ -14,7 +15,7 @@ The current example tokens expire at 2025-12-31. To generate new ones you must f the corresponding `*.json files. Then do: ``` -./createToken.py single-read.json +createToken.py single-read.json mv single-read.token single-read.json.token ``` diff --git a/kuksa_certificates/jwt/createToken.py b/kuksa_certificates/jwt/createToken.py deleted file mode 100755 index e5342e702..000000000 --- a/kuksa_certificates/jwt/createToken.py +++ /dev/null @@ -1,74 +0,0 @@ -#!/usr/bin/env python3 - -######################################################################## -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -######################################################################## - - -import argparse -import sys -from os import path - -import json -import jwt - - -def error_exit(msg): - print(msg, file=sys.stderr) - sys.exit(1) - - -def createJWTToken(input_filename, priv_key, output_filename=None): - print("Reading JWT payload from {}".format(input_filename)) - with open(input_filename, "r") as file: - payload = json.load(file) - - encoded = jwt.encode(payload, priv_key, algorithm="RS256") - - if output_filename is None: - output_filename = input_filename[:-5] if input_filename.endswith(".json") else input_filename - output_filename += ".token" - - print("Writing signed access token to {}".format(output_filename)) - with open(output_filename, "w") as output: - output.write(encoded) - - -def main(): - parser = argparse.ArgumentParser() - parser.add_argument("files", help="Read JWT payload from these files", nargs="+") - script_dir = path.abspath(path.dirname(__file__)) - default_key_filename = path.join(script_dir, "jwt.key") - - parser.add_argument("--key", help="Private key location", dest="priv_key_filename", default=default_key_filename) - parser.add_argument("--output", help="Name of the output file to store token to", dest="output") - args = parser.parse_args() - - if args.output is not None and len(args.files) > 1: - error_exit(""" - Both --output option and multiple files have been specified. - Output filename can be specified for single input file only! - """) - - print("Reading private key from {}".format("jwt.key")) - with open(args.priv_key_filename, "r") as file: - priv_key = file.read() - - for input_file in args.files: - createJWTToken(input_file, priv_key, args.output) - - -if __name__ == "__main__": - main() diff --git a/kuksa_certificates/jwt/recreateJWTkeyPair.sh b/kuksa_certificates/jwt/recreateJWTkeyPair.sh deleted file mode 100755 index 874be28a6..000000000 --- a/kuksa_certificates/jwt/recreateJWTkeyPair.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -# Copyright Robert Bosch GmbH, 2020. Part of the Eclipse Kuksa Project. -# -# All rights reserved. This configuration file is provided to you under the -# terms and conditions of the Eclipse Distribution License v1.0 which -# accompanies this distribution, and is available at -# http://www.eclipse.org/org/documents/edl-v10.php - - - -echo "Recreating kuksa.val key pair used for JWT verification" -echo "-------------------------------------------------------" - - -printf "\nCreating private key\n" -ssh-keygen -t rsa -b 4096 -m PEM -f jwt.key -q -N "" - -printf "\nCreating public key\n" -openssl rsa -in jwt.key -pubout -outform PEM -out jwt.key.pub - -printf '\nYou can use the PRIVATE key "jwt.key" to generate new tokens using https://jwt.io or the "createToken.py" script.\n' -echo 'You need to give the PUBLIC key "jwt.key.pub" to the kuksa.val server, so it can verify correctly signed JWT tokens.'