From 5c463c23da4f2821bd5eda6195aba7b8c8ee46db Mon Sep 17 00:00:00 2001 From: Ignatious Johnson Christopher Date: Tue, 14 Feb 2017 00:50:23 -0800 Subject: [PATCH] Added subject alternative names with list of physical ip's and vip's in the certificates, so that the same certificate can be used to secure all the ip's of keystone nodes and their vips, similarly for all api-servers ip's and their vip's. Change-Id: I964763ae73ce46e2f8f7459ec69640851a480887 Closes-Bug: 1663076 --- .../common/scripts/create-ssl-certs.sh | 30 +++++++++++++++---- .../config/scripts/create-api-ssl-certs.sh | 5 ++-- .../scripts/create-keystone-ssl-certs.sh | 5 ++-- 3 files changed, 30 insertions(+), 10 deletions(-) diff --git a/contrail_provisioning/common/scripts/create-ssl-certs.sh b/contrail_provisioning/common/scripts/create-ssl-certs.sh index b8b35e26..7d817c55 100755 --- a/contrail_provisioning/common/scripts/create-ssl-certs.sh +++ b/contrail_provisioning/common/scripts/create-ssl-certs.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # Copyright (c) 2016 Juniper Networks, Inc. All rights reserved. # @@ -19,7 +19,7 @@ fi TOUCH="/bin/touch" RM="/bin/rm" CP="/bin/cp" - ECHO="/bin/echo" + ECHO="/bin/echo -e" CAT="/bin/cat" CHOWN="/bin/chown" } @@ -28,6 +28,14 @@ argc=$# NODE_IP=$1 SSL_PATH=$2 CERT_FILE_PREFIX=$3 +SAN=$4 + +SANS=$SAN,$NODE_IP +IFS=',' read -ra SAN_LIST <<< "$SANS" +for i in "${!SAN_LIST[@]}"; do + SAN_IPS=$(echo "$SAN_IPS\nIP.$(($i+2)) = ${SAN_LIST[$i]}") +done + main() { if [ "$argc" -lt 3 ]; then 
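Review bot: The SAN loop in the `@@ -28,6 +28,14 @@` hunk produces an entry with no value whenever `$4` is absent: `SANS=$SAN,$NODE_IP` becomes `,<node ip>`, `IFS=',' read -ra` yields an empty first field, and `[alt_names]` receives `IP.2 = ` with nothing after it, which openssl rejects — while both callers' `argc` checks and usage text still treat the SAN list as optional. The loop also relies on bash's builtin `echo`, which does not interpret `\n` now that the shebang is `#!/bin/bash`, so `$SAN_IPS` holds a literal `\n` and only renders as separate lines if it is later written through the new `ECHO="/bin/echo -e"` (the `@@ -19,7 +19,7 @@` hunk) — a coupling that is not visible here and that also changes every other `$ECHO` call in the script. Skipping empty fields and joining with a real newline (`$'\n'`) removes both dependencies; the reason for numbering from `IP.2` is not visible in the hunk and deserves a comment, and since every entry is emitted as `IP.N`, a hostname in the list would also make openssl fail, so the IP-only contract should be stated. `main()` starts in this hunk and ends outside it.
```shell
SAN=${4:-}

# Entries for [alt_names]: the comma-separated IPs/VIPs in $4 plus this
# node's own IP. Empty fields (no $4, trailing comma) are skipped.
# Numbering starts at IP.2 as in the original — reason not visible here.
SAN_IPS=""
n=2
IFS=',' read -ra SAN_LIST <<< "$SAN,$NODE_IP"
for entry in "${SAN_LIST[@]}"; do
  [ -n "$entry" ] || continue
  SAN_IPS="${SAN_IPS}IP.${n} = ${entry}"$'\n'
  n=$((n + 1))
done
```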
@@ -63,18 +71,18 @@ main() { $MKDIR certs $TOUCH database.txt database.txt.attr serial.txt $ECHO 01 > serial.txt - $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/client.csr -keyfile key/privatep8.key -days 3650 -out certs/client.crt -batch + $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/client.csr -keyfile key/privatep8.key -days 3650 -extensions v3_req -out certs/client.crt -batch $RM -f database.* $TOUCH database.txt database.txt.attr - $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/server.csr -keyfile key/privatep8.key -days 3650 -out certs/server.crt -batch + $OPENSSL ca -policy policy_anything -config cfg/openssl.cfg -cert cacert/ca.cer -in req/server.csr -keyfile key/privatep8.key -days 3650 -extensions v3_req -out certs/server.crt -batch $RM -f database.* $RM -f serial.txt #Convert from PEM to DER both Ca cert and Ca signed Cert - $OPENSSL x509 -in certs/client.crt -inform PEM -outform DER -out client.der + $OPENSSL x509 -in certs/client.crt -inform PEM -outform DER -out client.der -extensions v3_req - $OPENSSL x509 -in cacert/ca.cer -inform PEM -outform DER -out ca.der + $OPENSSL x509 -in cacert/ca.cer -inform PEM -outform DER -out ca.der -extensions v3_req #Create Root and server pem files @@ -149,6 +157,7 @@ default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert +req_extensions = v3_req [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_min = 2 
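Review bot: `-extensions v3_req` appended to the two `openssl x509 ... -outform DER` conversions (the `client.der` and `ca.der` lines) has no effect: `openssl x509` consults `-extensions` only when it issues a certificate (`-req`/`-signkey`/`-CA`), not on a PEM-to-DER re-encoding, so the DER files carry exactly what the `ca` step already put into the PEM — and the CA certificate should never be given `v3_req`'s `CA:FALSE` in any case. Suggest restoring `$OPENSSL x509 -in certs/client.crt -inform PEM -outform DER -out client.der` and `$OPENSSL x509 -in cacert/ca.cer -inform PEM -outform DER -out ca.der` so the flag does not suggest the SAN is added at conversion time. The `openssl ca ... -extensions v3_req` additions are the ones that actually place the subjectAltName into the issued certificates; a comment above them such as `# SAN/keyUsage come from [v3_req] in cfg/openssl.cfg; openssl ca does not copy CSR extensions` would make that explicit. `main()` starts and ends outside this hunk.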
@@ -170,6 +179,15 @@ emailAddress = Email Address emailAddress_default = admin@juniper.com emailAddress_max = 40 +[ v3_req ] +# Extensions to add to a certificate request +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = @alt_names + +[alt_names] +$SAN_IPS + # SET-ex3 = SET extension number 3 [ req_attributes ] challengePassword = A challenge password diff --git a/contrail_provisioning/config/scripts/create-api-ssl-certs.sh b/contrail_provisioning/config/scripts/create-api-ssl-certs.sh index d37c99e9..78f5cb06 100755 --- a/contrail_provisioning/config/scripts/create-api-ssl-certs.sh +++ b/contrail_provisioning/config/scripts/create-api-ssl-certs.sh @@ -6,14 +6,15 @@ argc=$# API_VIP=$1 +SANS=$2 SSL_PATH=/etc/contrail/ssl/ CERT_FILE_PREFIX=contrail if [ "$argc" -eq 0 ]; then echo "Usage: $0 API_VIP"; - echo "Example: $0 10.1.1.100"; + echo "Example: $0 10.1.1.100 20.1.1.100,10.1.1.1,20.1.1.1"; exit 1; fi #Generate Certs -create-ssl-certs.sh $API_VIP $SSL_PATH $CERT_FILE_PREFIX +create-ssl-certs.sh $API_VIP $SSL_PATH $CERT_FILE_PREFIX $SANS diff --git a/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh b/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh index 1afe2206..9fcaff2d 100755 --- a/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh +++ b/contrail_provisioning/openstack/scripts/create-keystone-ssl-certs.sh @@ -5,14 +5,15 @@ # Script to generate Self Signed Certificates for keystone argc=$# KEYSTONE_VIP=$1 +SANS=$2 SSL_PATH=/etc/keystone/ssl/ CERT_FILE_PREFIX=keystone if [ "$argc" -eq 0 ]; then echo "Usage: $0 KEYSTONE_VIP"; - echo "Example: $0 10.1.1.100"; + echo "Example: $0 10.1.1.100 20.1.1.100,10.1.1.1,20.1.1.1"; exit 1; fi #Generate Certs -create-ssl-certs.sh $KEYSTONE_VIP $SSL_PATH $CERT_FILE_PREFIX +create-ssl-certs.sh $KEYSTONE_VIP $SSL_PATH $CERT_FILE_PREFIX $SANS
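Review bot: The new `[alt_names]` section in the `@@ -170,6 +179,15 @@` hunk is filled entirely from `$SAN_IPS`, so its validity depends on the loop at the top of the script and on how the cfg text is emitted; with that loop as written the section begins with a `\n` (literal or expanded depending on the writer) and can contain an `IP.N =` entry with no value when no SAN list is supplied. A comment above the section would help the next maintainer, e.g. `# IP.N lines are generated from $4 (extra IPs/VIPs) plus $NODE_IP; IP addresses only`. It is also worth noting beside `[ v3_req ]` that the same section serves both as `req_extensions` for the CSRs and as the `-extensions` section for `openssl ca`, since `openssl ca` does not carry over CSR extensions unless `copy_extensions` is configured. The surrounding cfg text starts and ends outside this hunk.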
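Review bot: The usage line in `create-api-ssl-certs.sh` still reads `Usage: $0 API_VIP` while the example beneath it now shows a second comma-separated SAN argument; the `create-keystone-ssl-certs.sh` hunk has the same mismatch. Suggest `echo "Usage: $0 API_VIP [SAN_IP,SAN_IP,...]";` (and the keystone equivalent) so the new argument is documented, together with a note that the list must contain IP addresses only, since `create-ssl-certs.sh` emits every entry as `IP.N`. `$SANS` is also passed unquoted to `create-ssl-certs.sh` in both scripts; `"$SANS"` keeps the list a single argument should it ever contain whitespace.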