From 1d4a06e610aa247396240d748773d550a0691d98 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Sun, 26 Jul 2020 17:28:19 +0200
Subject: [PATCH] hack: add script to regenerate certificates

Certificates were originally added in c000cb64712349141596318dea2a8de2462c8f81,
but did not include a script to generate them. Current versions of Go expect
certificates to use SANs instead of the Common Name field, so the script was
updated to include those:

    x509: certificate relies on legacy Common Name field, use SANs or temporarily
    enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2fea30f14603613b40d8ce37c8ea7951f87abd1b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 hack/generate-test-certs.sh | 87 +++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100755 hack/generate-test-certs.sh

diff --git a/hack/generate-test-certs.sh b/hack/generate-test-certs.sh
new file mode 100755
index 0000000000..2a53479039
--- /dev/null
+++ b/hack/generate-test-certs.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+# integration/testdata/https (and integration-cli/fixtures/https, which has symlinks to these files)
+OUT_DIR="${SCRIPT_DIR}/../integration/testdata/https"
+
+# generate CA
+echo 01 > "${OUT_DIR}/ca.srl"
+openssl genrsa -out "${OUT_DIR}/ca-key.pem"
+
+openssl req \
+	-new \
+	-x509 \
+	-days 3652 \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=moby-ci/name=moby/emailAddress=moby@example.org" \
+	-nameopt compat \
+	-text \
+	-key "${OUT_DIR}/ca-key.pem" \
+	-out "${OUT_DIR}/ca.pem"
+
+# Now that we have a CA, create a server key and certificate signing request.
+# Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use
+# to connect or just use '*' for a certificate valid for any hostname:
+
+openssl genrsa -out server-key.pem
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=server/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/server-key.pem" \
+	-out "${OUT_DIR}/server.csr"
+
+# Options for server certificate
+cat > "${OUT_DIR}/server-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/server-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/server.csr" \
+	-out "${OUT_DIR}/server-cert.pem"
+
+# For client authentication, create a client key and certificate signing request
+openssl genrsa -out "${OUT_DIR}/client-key.pem"
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=client/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/client-key.pem" \
+	-out "${OUT_DIR}/client.csr"
+
+# Options for client certificate
+cat > "${OUT_DIR}/client-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=clientAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA:
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/client-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/client.csr" \
+	-out "${OUT_DIR}/client-cert.pem"
+
+rm "${OUT_DIR}/ca.srl"
+rm "${OUT_DIR}/ca-key.pem"
+rm "${OUT_DIR}"/*.cfg
+rm "${OUT_DIR}"/*.csr
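Review bot: The server key step, `openssl genrsa -out server-key.pem`, writes into the current working directory rather than `${OUT_DIR}`, while the CSR step two lines below reads `${OUT_DIR}/server-key.pem`; the server certificate is therefore signed for whatever key already sits in OUT_DIR (or the step fails under `set -e` when none exists), and a stray server-key.pem is left wherever the script was run. It should be `openssl genrsa -out "${OUT_DIR}/server-key.pem"`, matching the ca and client steps. The trailing `rm "${OUT_DIR}"/*.cfg` and `rm "${OUT_DIR}"/*.csr` should pass `--` before the glob so an expansion beginning with `-` cannot be parsed as an option. Since `subjectAltName=DNS:*` makes both leaf certificates valid for any hostname, a short comment above the two cfg heredocs stating that these are CI-only fixtures and must not be reused elsewhere would document the intent; removing ca-key.pem at the end also means the server and client certificates cannot be re-issued without regenerating the CA, which appears deliberate but is worth stating in the header comment.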