SOURCE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

export MY_BOOTSTRAP_SERVER_ENV=localhost:29092

export MY_SCHEMA_REGISTRY_URL_ENV="http://ckp_tester:test_secret@localhost:8081"

export MY_SCHEMA_REGISTRY_SSL_URL_ENV="https://ckp_tester:test_secret@$(hostname -f):8082"

export MY_SCHEMA_REGISTRY_SSL_CA_LOCATION_ENV=$TLS/ca-cert

export MY_SCHEMA_REGISTRY_SSL_CERTIFICATE_LOCATION_ENV=$TLS/client.pem

export MY_SCHEMA_REGISTRY_SSL_KEY_LOCATION_ENV=$TLS/client.key

source $SOURCE/../.env

export SOURCE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"

export TLS=$SOURCE/../conf/tls

for file in $(ls $TLS);do

rm $TLS/$file

echo "Creating ca-cert..."

$SOURCE/gen-ssl-certs.sh ca $TLS/ca-cert $(hostname -f)

echo "Creating server cert..."

$SOURCE/gen-ssl-certs.sh -k server $TLS/ca-cert $TLS/ $(hostname -f) $(hostname -f)

echo "Creating client cert..."

$SOURCE/gen-ssl-certs.sh client $TLS/ca-cert $TLS/ $(hostname -f) $(hostname -f)

echo "Creating key ..."

openssl rsa -in $TLS/client.key -out $TLS/client.key -passin pass:abcdefgh

if [[ "$1" == "-k" ]]; then

USE_KEYTOOL=1

shift

USE_KEYTOOL=0

OP="$1"

CA_CERT="$2"

PFX="$3"

HOST="$4"

C=NN

ST=NN

L=NN

O=NN

OU=NN

CN="$HOST"

PASS="abcdefgh"

VALIDITY=10000

set -e

export LC_ALL=C

if [[ $OP == "ca" && ! -z "$CA_CERT" && ! -z "$3" ]]; then

CN="$3"

openssl req -new -x509 -newkey rsa:2048 -sha256 -keyout ${CA_CERT}.key -out $CA_CERT -days $VALIDITY -passin "pass:$PASS" -passout "pass:$PASS" <<EOF

elif [[ $OP == "server" && ! -z "$CA_CERT" && ! -z "$PFX" && ! -z "$CN" ]]; then

#Step 1

echo "############ Generating key"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -validity $VALIDITY -genkey -keyalg RSA <<EOF

#Step 2

echo "############ Adding CA"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.truststore.jks -alias CARoot -import -file $CA_CERT <<EOF

#Step 3

echo "############ Export certificate"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -certreq -file ${PFX}cert-file -ext san=ip:127.0.0.1

echo "############ Sign certificate"

openssl x509 -req -CA $CA_CERT -CAkey ${CA_CERT}.key -in ${PFX}cert-file -out ${PFX}cert-signed -days $VALIDITY -CAcreateserial -passin "pass:$PASS"

mv $SOURCE/.srl $TLS/ca-cert.srl

echo "############ Import CA"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias CARoot -import -file $CA_CERT <<EOF

echo "############ Import signed CA"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}server.keystore.jks -alias localhost -import -file ${PFX}cert-signed

elif [[ $OP == "client" && ! -z "$CA_CERT" && ! -z "$PFX" && ! -z "$CN" ]]; then

if [[ $USE_KEYTOOL == 1 ]]; then

echo "############ Creating client truststore"

[[ -f ${PFX}client.truststore.jks ]] || keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.truststore.jks -alias CARoot -import -file $CA_CERT <<EOF

echo "############ Generating key"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -validity $VALIDITY -genkey -keyalg RSA <<EOF

echo "########### Export certificate"

keytool -storepass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -certreq -file ${PFX}cert-file -ext san=ip:127.0.0.1

echo "########### Sign certificate"

openssl x509 -req -CA ${CA_CERT} -CAkey ${CA_CERT}.key -in ${PFX}cert-file -out ${PFX}cert-signed -days $VALIDITY -CAcreateserial -passin pass:$PASS

mv $SOURCE/.srl $TLS/ca-cert.srl

echo "########### Import CA"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias CARoot -import -file ${CA_CERT} <<EOF

echo "########### Import signed CA"

keytool -storepass "$PASS" -keypass "$PASS" -keystore ${PFX}client.keystore.jks -alias localhost -import -file ${PFX}cert-signed

else

# Standard OpenSSL keys

echo "############ Generating key"

openssl genrsa -des3 -passout "pass:$PASS" -out ${PFX}client.key 2048

echo "############ Generating request"

openssl req -passin "pass:$PASS" -passout "pass:$PASS" -key ${PFX}client.key -new -out ${PFX}client.req \

<<EOF

echo "########### Signing key"

openssl x509 -req -passin "pass:$PASS" -in ${PFX}client.req -CA $CA_CERT -CAkey ${CA_CERT}.key -CAserial ${CA_CERT}.srl -out ${PFX}client.pem -days $VALIDITY

fi

echo "Usage: $0 ca <ca-cert-file> <CN>"

echo " $0 [-k] server|client <ca-cert-file> <file_prefix> <hostname>"

echo ""

echo " -k = Use keytool/Java Keystore, else standard SSL keys"

exit 1

ckp_tester: test_secret, Testers

disallowed: no_access

SchemaRegistry {

org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required

file="/conf/schema-registry/login.properties";

};

{

"topic": "test-topic",

"bootstrap.servers": "$MY_BOOTSTRAP_SERVER_ENV",

"schema.registry.url": "$MY_SCHEMA_REGISTRY_URL_ENV",

"avro-https": {

"schema.registry.url": "$MY_SCHEMA_REGISTRY_SSL_URL_ENV",

"schema.registry.ssl.ca.location": "$MY_SCHEMA_REGISTRY_SSL_CA_LOCATION_ENV",

"schema.registry.ssl.certificate.location": "$MY_SCHEMA_REGISTRY_SSL_CERTIFICATE_LOCATION_ENV",

"schema.registry.ssl.key.location": "$MY_SCHEMA_REGISTRY_SSL_KEY_LOCATION_ENV"

},

"avro-basic-auth": {

"schema.registry.basic.auth.user.info": "ckp_tester:test_secret",

"sasl.username": "ckp_tester",

"sasl.password": "test_secret"

}

}

-----BEGIN CERTIFICATE-----

MIIDpjCCAo4CCQDsov561tiF8zANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMC

Tk4xCzAJBgNVBAgMAk5OMQswCQYDVQQHDAJOTjELMAkGA1UECgwCTk4xCzAJBgNV

BAsMAk5OMSIwIAYDVQQDDBlSeWFucy1NYWNCb29rLVByby0zLmxvY2FsMS0wKwYJ

KoZIhvcNAQkBFh5yeWFuQFJ5YW5zLU1hY0Jvb2stUHJvLTMubG9jYWwwHhcNMTgw

ODMwMTMwNjUxWhcNNDYwMTE1MTMwNjUxWjCBlDELMAkGA1UEBhMCTk4xCzAJBgNV

BAgMAk5OMQswCQYDVQQHDAJOTjELMAkGA1UECgwCTk4xCzAJBgNVBAsMAk5OMSIw

IAYDVQQDDBlSeWFucy1NYWNCb29rLVByby0zLmxvY2FsMS0wKwYJKoZIhvcNAQkB

Fh5yeWFuQFJ5YW5zLU1hY0Jvb2stUHJvLTMubG9jYWwwggEiMA0GCSqGSIb3DQEB

AQUAA4IBDwAwggEKAoIBAQDcfci/SCZl9PlBCB1bY9gn8pJjhyuzIXHnqMYxyRTF

UGF1fvzDYfdaOrI8CCghgHgz8A9yPylwRxUWguchiZwpeHinvnAlLIgjPb0WiUW+

W6TCD7ZsATN5iULcKTYJQrcVD/rcdZwFz7IPgce1nN3vPApkpiK4bvHMABsSq5D/

T7ADhCFnTsjaY7eXuh3aYdVz1AYgNClM8TrQTLtp5YnfbGbBPCSGMv2LoVEPEarc

Xv8bEEmsLejiX84Ka6avRiUilsVTttUjKA8SLR5WnVmVcuORuWKfmU3vi61geaud

EyIdg9Lv1cLhxvf7Ajx4ytaYJ/ZH0IqHpfgUA+DnFdvNAgMBAAEwDQYJKoZIhvcN

AQELBQADggEBAJ82qUDhr8GPfz23k7CK43jKv9V43zz3yoHurc1ax1fChundowDb

1DxS/tRJ+XZlgKZ2uQpZLlE4zowKVyMyP1TMIhDwR7HAe82yY4lF2066n5R68KnC

CS9xC/iUfzI7jI/o9SYg/Zu1y6iJevme2ScgrtCW2XMdBTtXsBixe6PrqYrWQ5xJ

qIg+Nn6i1fUFfI4r6yQZbqOU9MvrijK8yVBorydCX3FkEt2FPTMWAmPeRHsfzinp

oXmCa7/hu/tP0EGTtDnOW1C7/NcqU/DICc42VTWwwFcpkX9YX95P9DhfxLk3SsYQ

AuPO7LwYK/0r9nC6M+oKFIR6PWkXAuJyzEU=

-----END CERTIFICATE-----

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI2xYiShHEDL0CAggA

MB0GCWCGSAFlAwQBKgQQu5GZ0dORuGTb+t/iX9QkcASCBNAP8zuYKSvS6peueTkb

vW/LIw8yQk8jjlUT9RAvCKHVKdNMDn27dJn1jO4IHyQEMSs2/zUdN1oqcpLBiqH5

WUI2vSE9r+dxHDM4EosfH/yvxH60aGdjZsQyXYbIHdq7ZUh4jf+d15muLEUUlpuv

8MOnzzql8TZgqN0mHMHaOXpff4ga4yFR276HW3o4bbQxI4E9/ywPeaXhJDuQdDtD

qB4+zf2wYjeBqpg4eQxu8QZsDU9FTETcCa1grX3WDnd+h8FrrG7/zToPqBToFlow

A4+PmHGt+zOn52iPnhAotiF4ynAbZwQoZ0W1aWUwCrZKmaov7djVO0PfnkL4GQ9k

0SEZHgM4tS4qT4wRYrmDTlAH/3/M9vBUAdqHQnY9Ln75++efTNB0t1bTRIebBr65

rTigyuJgLXtxbBeX1DyC2S4C6oKp7T4dlWX0f1Ie6ZVHxe8KlUS96fTXpPDqCk60

Lox7F+WCz73txc2w8yoSz18KJ/ukpD2KzcV5UqfRGfoXvFMGT2o0FAlKYMeoZwD8

d50KLqPXCimD/TIL5mpj9cfwj9GADIi676SxuY78MbfI6oaZR8fKuHws552s5Zvn

wVqrfifF6IuqpimqOtigLfd63c+5xJ5GDV8TavkzgO69J4nqSHPImQDxfsXtRfdo

XUAf3X9vCAzlhNYKnf57QWjLp7IRSDxmpzs7kpOCGPtjwSCYBH27+h60qTbZaTpR

Tnhy4D/3329mFg70SRqOU+9Nui7rbFwbyasJgDeKEidHVNA9WrV6Z+mKjTcimt4N

JnjToYYtbxh/99Cu+yu46vrQdtQ4+A49lFOksEe4NUJdRU7FKC+e1Ro1je4tQqX/

l6rtZcRrLa1Yt9s7GVf0mX7p74zAYObAh5s67+upwsvgpqk/V2EdpAGeFZ3mq3fA

MuAYnzlp4PC9RFBzI8B3YAdzP4iVwY+bsrdiywR93vR6nSwRwIQwsXn5PyDxoyVZ

U0e4DL8Ow+pEMHTlOOORRk2frIr1QJ5dYlbC8mnGFZ8NXpA/1/Wqa0/plWij07Rq

zXgwjTbJTruD/z7Ew3QzkfT88fZkyZ3LvOwFsNgiPrdwxPFOu/EHKQhDZytOFRdn

ybBYufehj79VLttp7jKXK30GOICjPBZs0IvdG08Kd0SU0wPMA4QRN3zOwngpfc/6

2iUa3KKk/s7Qc4aZT94c4xj4m7cPk1DHSHrBla9JIyGb0UX//ZDDT3ESZhkazi/F

TrgDqHGbtakP0ha1fA0O5HASDzLHbbgnDE+qQH0UlyoLiYKomuoQ8RBpaJN0bve9

7uWQV7qFZroMi34nrogRJKVXU0z56r8rueJ/OIE+bWHKF9b5ZEEFXcnfLnRplcyr

kcySoMuGwPoN41gj9lks5gIk3Q2600zHG92y2Q8ZmTpm5TpLkS+E2srLxdA+tXBn

Jje0xrLI9APPXMD0nj5hxd1zrH+cvFNR/ikUcZ4nAB69EixDvvPVFmvSLa9cGd4h

N+F73nEL15gHI0j14A1FmjM67ZuEg9uELy4gfap+tTf9FNpx3qgqTzE5UqM4tnTm

dHLG35+Rtb2XTdO0WLds/PTbdWBdhv1aOoVlrLlEGS4UwAu8rOnEykpIrlDs5lIR

e2Ym44ra7s6QxuGP/2pVHXDq1Q==

-----END ENCRYPTED PRIVATE KEY-----

96DDBE878BD1CB9C

-----BEGIN NEW CERTIFICATE REQUEST-----

MIIC6zCCAdMCAQAwZTELMAkGA1UEBhMCTk4xCzAJBgNVBAgTAk5OMQswCQYDVQQH

EwJOTjELMAkGA1UEChMCTk4xCzAJBgNVBAsTAk5OMSIwIAYDVQQDExlSeWFucy1N

YWNCb29rLVByby0zLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

AQEAm2mT+5qhtsxHdA1ot8G54WK8/Bzkqt9IKLT+j0Zy/MyTqS6U+hrD9mSXIFLs

xRD88/EwYe7uUQXLm2C8o/eJNJkMcpDj40tPhbI6uAdDRdcMr/Uf7h7PxJxBwl36

rmAzYN2hg+UTSCvCkpBioxN093xpGeWBxrCSVYaNAtYj/GgnPsI4QW4hUeHtH1Xl

gMqB8+DtJKU9E/CF2RPGEYMLbcoi0uvXOStnLVVx7ZJSaLVT1klcTof04wPyQ8x4

LXvAjDbhSYgGZIf2FOueCs/0QJtiUAzXhOkrcVn38sn6opVeeVlpde5WnDRFZ5b6

cOYGJ/7wzitdJqxZ2rMGlaitUQIDAQABoEEwPwYJKoZIhvcNAQkOMTIwMDAPBgNV

HREECDAGhwR/AAABMB0GA1UdDgQWBBTnQ5+RysrPg144asYVxAeQc49aRTANBgkq

hkiG9w0BAQsFAAOCAQEACtOKH/f9SiH7PUAimCF/16Wm7AaaFt3bV8kJPkALi9jx

btWFKChhiz/3WLFlRGpzxbtJEuAJspjm7EuY/WcgJMg+opT7DXtKzWEGz79L8G9T

VM9tI2UmWFJK0Zvv53rBCGzmbAWCE2Rn0efLHJtwzdld9+soYZd8mgVJQhn9Hzef

g1B6DH23vvp2i9f18oqxuxDdFxjIhkWdnRAYJV5h6ede85Dyugh6Slw3cx8TMRcM

pIwhjRMTzaslXmEGs44TCEfc7+lsjWnLqRKpErdD4MXEeUGYtkULCvMVrKqVLSm4

a0PJU+6xG1fvPJW6e9SxLt8jmycdRNUkg8Sebq9Pog==

-----END NEW CERTIFICATE REQUEST-----