1# Common Certificate Attributes
2TRUST_DOMAIN_FQDN := example.com
3DEFAULT_BITS := 2048
4DEFAULT_MD := sha512
5ORGANIZATIONAL_UNIT := example
6ORGANIZATION := example
7ROOT_DAYS := 3650
8INTERMEDIATE_DAYS := 3650
9LEAF_DAYS := 1
10GOOS ?= $(shell go env GOOS)
11GOARCH ?= $(shell go env GOARCH)
12
13
14# Template Locations
15OPENSSL_TMPL := ./certs/openssl.cnf.tmpl
16LAYOUT_TMPL := ./certs/layout.tmpl
17
18build: modules
19 @mkdir -p bin
20 GOOS=$(GOOS) GOARCH=$(GOARCH) CGO_ENABLED=0 go build \
21 -o ./bin/in-toto main.go
22
23modules:
24 @go mod tidy
25
26clean: clean-certs clean-test-files spiffe-infra-down
27 @rm -rf ./bin
28
29clean-certs:
30 @rm -rf ./certs/*.pem ./certs/*.srl ./certs/*.cnf
31
32clean-test-files:
33 @rm -rf ./test/tmp
34 @rm -rf ./untar.link
35 @rm -rf ./.srl
36
37test: go-test test-verify test-spiffe-verify
38
39go-test:
40 @go test ./...
41
42test-sign: build generate_layout
43 # Running test-sign
44 cd ./test/tmp; ../../bin/in-toto sign -f ./test.layout -k ../../certs/example.com.layout.key.pem -o ./signed.layout
45
46test-record: build generate_layout
47 # Running record start
48 cd ./test/tmp; ../../bin/in-toto record start -n write-code -c ../../certs/example.com.write-code.cert.pem -k ../../certs/example.com.write-code.key.pem -d .
49 # Record running step
50 cd ./test/tmp; echo goodbye > foo.py
51 # Running record stop
52 cd ./test/tmp; ../../bin/in-toto record stop -n write-code -c ../../certs/example.com.write-code.cert.pem -p foo.py -k ../../certs/example.com.write-code.key.pem -d .
53
54test-run: build generate_layout
55 # Running write code step
56 @./bin/in-toto run -n write-code -c ./certs/example.com.write-code.cert.pem -k ./certs/example.com.write-code.key.pem -p ./test/tmp/foo.py -d ./test/tmp -l ./test/tmp/ -- /bin/sh -c "echo hello > ./test/tmp/foo.py"
57 # Running package step
58 @./bin/in-toto run -n package -c ./certs/example.com.package.cert.pem -k ./certs/example.com.package.key.pem -m ./test/tmp/foo.py -p ./test/tmp/foo.tar.gz -d ./test/tmp -l ./test/tmp/ -- tar zcvf ./test/tmp/foo.tar.gz ./test/tmp/foo.py
59
60test-verify: test-sign test-run
61 # Running test verify
62 cd ./test/tmp; ../../bin/in-toto verify -l ./signed.layout -k ../../certs/example.com.layout.cert.pem -i ../../certs/example.com.intermediate.cert.pem -d .
63
64test-spiffe-run: test-spiffe-sign
65 # Running write code step
66 docker exec -u 1000 -w /test/tmp -it intoto-runner in-toto run --spiffe-workload-api-path unix:///run/spire/sockets/agent.sock -n write-code -p foo.py -d . -- sh -c "echo hello > foo.py"
67 # Running package step
68 docker exec -u 1001 -w /test/tmp -it intoto-runner in-toto run --spiffe-workload-api-path unix:///run/spire/sockets/agent.sock -n package -m foo.py -p foo.tar.gz -d . -- tar zcvf foo.tar.gz foo.py
69
70test-spiffe-verify: test-spiffe-sign test-spiffe-run
71 # Running test verify
72 docker exec -it -w /test/tmp intoto-runner /bin/in-toto verify -l ./spiffe.signed.layout -k ./layout-svid.pem -d .
73
74test-spiffe-sign: build spiffe-test-generate-layout
75 docker exec -it -w /test/tmp intoto-runner /bin/in-toto sign -f ./spiffe.test.layout -k ./layout-key.pem -o ./spiffe.signed.layout
76
77spiffe-test-generate-layout: spiffe-infra-up
78 # Get key layout from the root cert
79 $(eval rootca := $(shell ./bin/in-toto key layout ./test/tmp/layout-bundle.pem | sed -e 's/\\n/\\\\n/g'))
80 cat $(LAYOUT_TMPL) | sed -e 's#{{ROOTCA}}#$(rootca)#' > ./test/tmp/spiffe.test.layout
81 docker-compose -f ./test-infra/docker-compose.yaml up -d intoto-runner
82 sleep 5 # sleep to ensure the intoto-runner is fully up and connected to spire
83
84spiffe-infra-up: build
85 @mkdir -p ./test/tmp
86 @chmod 777 ./test/tmp
87 ./test-infra/infra-up.sh
88 ./test-infra/mint-cert.sh layout
89
90spiffe-infra-down:
91 ./test-infra/infra-down.sh
92
93generate_layout: build leaf_certs
94 @mkdir -p ./test/tmp
95 # get key layout from the root cert
96 $(eval rootca := $(shell ./bin/in-toto key layout ./certs/root.cert.pem | sed -e 's/\\n/\\\\n/g'))
97 cat $(LAYOUT_TMPL) | sed -e 's#{{ROOTCA}}#$(rootca)#' > ./test/tmp/test.layout
98
99root-cert:
100 # Generate root cert openssl conf file
101 $(call generate_openssl_conf,root)
102
103 # Create Root Key
104 @openssl genrsa -out ./certs/root.key.pem
105
106 # Create Root Cert
107 @openssl req -subj "/C=/ST=/L=/O=$(ORGANIZATION)/OU=$(ORGANIZATIONAL_UNIT)CN=root/" -days $(ROOT_DAYS) -x509 -new \
108 -key "./certs/root.key.pem" -out "./certs/root.cert.pem" \
109 -config ./certs/$(TRUST_DOMAIN_FQDN).root.openssl.cnf \
110 -extensions v3-root
111
112intermediate_cert: root-cert
113 # Generate intermediate cert openssl conf file
114 $(call generate_openssl_conf,intermediate)
115
116 # Create intermediate key
117 @openssl genrsa -out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem
118
119 # Generate intermediate CSR
120 @openssl req -subj "/C=/ST=/L=/O=$(ORGANIZATION)/OU=$(ORGANIZATIONAL_UNIT)CN=$(TRUST_DOMAIN_FQDN)" -new \
121 -key ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem \
122 -out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.csr.pem \
123 -config ./certs/$(TRUST_DOMAIN_FQDN).intermediate.openssl.cnf \
124 -extensions v3-intermediate
125
126 # Sign Intermediate CSR Using Root Certificate
127 @openssl x509 -days $(INTERMEDIATE_DAYS) -req \
128 -CAcreateserial \
129 -CA ./certs/root.cert.pem \
130 -CAkey ./certs/root.key.pem \
131 -in ./certs/$(TRUST_DOMAIN_FQDN).intermediate.csr.pem \
132 -out ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem \
133 -extfile ./certs/$(TRUST_DOMAIN_FQDN).intermediate.openssl.cnf \
134 -extensions v3-intermediate
135
136 # Verify intermediate cert was signed by root cert
137 @openssl verify -CAfile ./certs/root.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem
138
139leaf_certs: intermediate_cert
140 $(call generate_leaf_cert,layout)
141 $(call generate_leaf_cert,write-code)
142 $(call generate_leaf_cert,package)
143
144define generate_leaf_cert
145 # Generate leaf cert openssl conf file
146 $(call generate_openssl_conf,$(1))
147
148 # Generate leaf signing key
149 @openssl genrsa -out ./certs/$(TRUST_DOMAIN_FQDN).$(1).key.pem
150
151 # Generate leaf CSR
152 openssl req -new \
153 -key ./certs/$(TRUST_DOMAIN_FQDN).$(1).key.pem \
154 -out ./certs/$(TRUST_DOMAIN_FQDN).$(1).csr.pem \
155 -config ./certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf \
156 -extensions v3-leaf
157
158 # Sign leaf CSR Using intermediate Certificate
159 @openssl x509 -days $(LEAF_DAYS) -req \
160 -CAcreateserial \
161 -CA ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem \
162 -CAkey ./certs/$(TRUST_DOMAIN_FQDN).intermediate.key.pem \
163 -in ./certs/$(TRUST_DOMAIN_FQDN).$(1).csr.pem \
164 -out ./certs/$(TRUST_DOMAIN_FQDN).$(1).cert.pem \
165 -extfile ./certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf \
166 -extensions v3-leaf
167
168 # Create cert bundle for trust domain
169 cat ./certs/root.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).intermediate.cert.pem > ./certs/$(TRUST_DOMAIN_FQDN).bundle.cert.pem
170
171 # Verify leaf cert chain
172 @openssl verify -CAfile ./certs/$(TRUST_DOMAIN_FQDN).bundle.cert.pem ./certs/$(TRUST_DOMAIN_FQDN).$(1).cert.pem
173endef
174
175define generate_openssl_conf
176 @cat $(OPENSSL_TMPL) | sed -e 's/{{TRUST_DOMAIN_FQDN}}/$(TRUST_DOMAIN_FQDN)/' | \
177 sed -e 's/{{ORGANIZATIONAL_UNIT}}/$(ORGANIZATIONAL_UNIT)/' | \
178 sed -e 's/{{ORGANIZATION}}/$(ORGANIZATION)/' | \
179 sed -e 's/{{DEFUALT_BITS}}/$(DEFAULT_BITS)/' | \
180 sed -e 's/{{DEFAULT_MD}}/$(DEFAULT_MD)/' | \
181 sed -e 's/{{SPIFFE_PATH}}/$(1)/' > certs/$(TRUST_DOMAIN_FQDN).$(1).openssl.cnf
182endef
183
184.PHONY: help
185all: help
186help: Makefile
187 @echo
188 @echo " Choose a command run in in-toto-golang:"
189 @echo
190 @sed -n 's/^##//p' $< | column -t -s ':' | sed -e 's/^/ /'
191 @echo
View as plain text