From 3b9c295a35a8951802997c29abfcebc83f238e8b Mon Sep 17 00:00:00 2001 From: Slawomir Koszewski Date: Tue, 3 Mar 2026 11:54:47 +0100 Subject: [PATCH] feat: enhance certificate generation functions and add make_account_cert for streamlined server cert creation --- cert-functions.sh | 138 +++++++++++++++++++++++++++++++++++++++++----- entrypoint.sh | 28 ++++++++-- 2 files changed, 148 insertions(+), 18 deletions(-) diff --git a/cert-functions.sh b/cert-functions.sh index cc30dbd..45dafcc 100644 --- a/cert-functions.sh +++ b/cert-functions.sh @@ -1,8 +1,8 @@ function make_ca() { # Use the provided directory argument or default to AZURITE_DIR if not provided - local CERT_DIR="${1:-$AZURITE_DIR}" + local CERT_DIR="$1" - if [[ ! -d "$CERT_DIR" ]]; then + if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then echo "ERROR: Certificate directory $CERT_DIR does not exist." return 1 fi @@ -20,33 +20,94 @@ function make_ca() { -subj "/CN=Azurite CA" \ -text \ -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then - echo "Error: Failed to generate CA certificate and key." >&2 + echo "ERROR: Failed to generate CA certificate and key." >&2 return 1 fi fi + + return 0 +} + +function _is_ip() { + if [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then + return 0 + else + return 1 + fi +} + +function _is_dns() { + if [[ "$1" =~ ^[a-z0-9-]+(\.[a-z0-9-]+)*$ ]]; then + return 0 + else + return 1 + fi } function make_server_cert() { - local ACCOUNT_NAME="${1:-devstoreaccount1}" - local CERT_DIR="${2:-$AZURITE_DIR}" + local CERT_DIR="$1" + local CERT_SUBJECT_NAME="$2" + shift 2 - if [[ ! -d "$CERT_DIR" ]]; then + if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then echo "ERROR: Certificate directory $CERT_DIR does not exist." return 1 fi + if [[ -z "$CERT_SUBJECT_NAME" ]]; then + echo "ERROR: Subject name is required." >&2 + return 1 + fi + + if ! _is_dns "$CERT_SUBJECT_NAME"; then + echo "ERROR: Invalid subject name '$CERT_SUBJECT_NAME'. Must be a valid DNS name." >&2 + return 1 + fi + + if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then + echo "ERROR: CA certificate and key not found in $CERT_DIR. Please call make_ca first." >&2 + return 1 + fi + + # Calculate the "account" name from the subject name, the hostname part before the first dot + local CERT_NAME="${CERT_SUBJECT_NAME%%.*}" + + # Start with the subjectAltName extension containing the main DNS name + local SANS=("DNS:${CERT_SUBJECT_NAME}") + + # Combine the remaining arguments into a single string for the subjectAltName extension + while [[ $# -gt 0 ]]; do + if _is_ip "$1"; then + SANS+=("IP:$1") + elif _is_dns "$1"; then + SANS+=("DNS:$1") + else + echo "ERROR: Invalid SAN entry '$1'" >&2 + return 1 + fi + shift + done + + # Join the SAN entries with commas for the OpenSSL command + local SANS_EXT="subjectAltName=$(IFS=,; echo "${SANS[*]}")" + + echo "Generating server certificate for '$CERT_SUBJECT_NAME' with SANs:" + for san in "${SANS[@]}"; do + echo " - $san" + done + # Generate server certificate and key if they don't exist - if [[ ! -f "$CERT_DIR/${ACCOUNT_NAME}_cert.pem" || ! -f "$CERT_DIR/${ACCOUNT_NAME}_key.pem" ]]; then + if [[ ! -f "$CERT_DIR/${CERT_NAME}_cert.pem" || ! -f "$CERT_DIR/${CERT_NAME}_key.pem" ]]; then echo "Generating server certificate and key..." if ! openssl req \ -newkey rsa:4096 \ - -keyout "$CERT_DIR/${ACCOUNT_NAME}_key.pem" \ + -keyout "$CERT_DIR/${CERT_NAME}_key.pem" \ -nodes \ - -subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \ + -subj "/CN=${CERT_NAME}.blob.core.windows.net" \ -addext "basicConstraints=critical,CA:FALSE" \ -addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "extendedKeyUsage=serverAuth,clientAuth" \ - -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:${ACCOUNT_NAME}.blob.localhost,DNS:${ACCOUNT_NAME}.queue.localhost,DNS:${ACCOUNT_NAME}.table.localhost,DNS:localhost,IP:127.0.0.1" \ + -addext "$SANS_EXT" \ | openssl x509 \ -req \ -CA "$CERT_DIR/ca_cert.pem" \ @@ -55,9 +116,60 @@ function make_server_cert() { -copy_extensions copyall \ -days 365 \ -text \ - -out "$CERT_DIR/${ACCOUNT_NAME}_cert.pem"; then - echo "Error: Failed to generate server certificate and key." >&2 - exit 1 + -out "$CERT_DIR/${CERT_NAME}_cert.pem"; then + echo "ERROR: Failed to generate server certificate and key." >&2 + return 1 fi fi + + return 0 +} + +function make_pfx() { + local CERT_DIR="$1" + local CERT_NAME="$2" + local PFX_PASSWORD="${3:-}" + + if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then + echo "ERROR: Certificate directory $CERT_DIR does not exist." + return 1 + fi + + if [[ -z "$CERT_NAME" ]]; then + echo "ERROR: Certificate name is required." >&2 + return 1 + fi + + if [[ ! -f "$CERT_DIR/${CERT_NAME}_cert.pem" || ! -f "$CERT_DIR/${CERT_NAME}_key.pem" ]]; then + echo "ERROR: Server certificate and key not found in $CERT_DIR. Please call make_server_cert first." >&2 + return 1 + fi + + if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then + echo "ERROR: CA certificate and key not found in $CERT_DIR. Please call make_ca first." >&2 + return 1 + fi + + if [[ -z "$PFX_PASSWORD" ]]; then + PFX_PASSWORD="changeit" + fi + + if [[ ! -f "$CERT_DIR/${CERT_NAME}.pfx" ]]; then + echo "Generating PKCS#12 (PFX) file..." + # Avoid exposing the password in the command line by passing it via stdin to openssl + if ! printf "%s\n" "$PFX_PASSWORD" | openssl pkcs12 \ + -export -out "$CERT_DIR/${CERT_NAME}.pfx" \ + -inkey "$CERT_DIR/${CERT_NAME}_key.pem" \ + -in "$CERT_DIR/${CERT_NAME}_cert.pem" \ + -certfile "$CERT_DIR/ca_cert.pem" \ + -passout pass:stdin; then + echo "ERROR: Failed to generate PKCS#12 (PFX) file." >&2 + return 1 + fi + else + echo "PKCS#12 (PFX) file already exists, aborting generation." + return 1 + fi + + return 0 } diff --git a/entrypoint.sh b/entrypoint.sh index 2810542..4995bca 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,6 +5,23 @@ set -e # Include certificate generation functions. . /app/cert-functions.sh +function make_account_cert() { + local CERT_DIR="$1" + local ACCOUNT_NAME="${2:-devstoreaccount1}" + # -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:${ACCOUNT_NAME}.blob.localhost,DNS:${ACCOUNT_NAME}.queue.localhost,DNS:${ACCOUNT_NAME}.table.localhost,DNS:localhost,IP:127.0.0.1" + + make_server_cert "$CERT_DIR" "${ACCOUNT_NAME}.blob.core.windows.net" \ + "${ACCOUNT_NAME}.queue.core.windows.net" \ + "${ACCOUNT_NAME}.table.core.windows.net" \ + "${ACCOUNT_NAME}.blob.localhost" \ + "${ACCOUNT_NAME}.queue.localhost" \ + "${ACCOUNT_NAME}.table.localhost" \ + "localhost" \ + "127.0.0.1" + + return $? +} + # Setup default storage location, account name and accounts file path. AZURITE_STORAGE="${AZURITE_STORAGE:-/storage}" @@ -61,20 +78,21 @@ if ! make_ca "$AZURITE_STORAGE"; then exit 1 fi -if ! make_server_cert "$ACCOUNT_NAME" "$AZURITE_STORAGE"; then +if ! make_account_cert "$AZURITE_STORAGE" "$ACCOUNT_NAME"; then echo "Error: Failed to create server certificate and key." >&2 exit 1 fi -# Generate a Caddyfile configuration based on the account name and storage directory. -sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_STORAGE__|${AZURITE_STORAGE}|g" /app/Caddyfile.example > "$AZURITE_STORAGE/Caddyfile" - if [[ -z "$NO_CADDY" ]]; then + # Generate a Caddyfile configuration based on the account name and storage directory. + sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_STORAGE__|${AZURITE_STORAGE}|g" /app/Caddyfile.example > "$AZURITE_STORAGE/Caddyfile" # Start Caddy in the background to handle HTTPS requests and route them to Azurite. caddy start --config "$AZURITE_STORAGE/Caddyfile" # Use start not run, start does not block the shell process. + HOST_ARGS=("--blobHost" "127.0.0.1" "--queueHost" "127.0.0.1" "--tableHost" "127.0.0.1") +else + HOST_ARGS=("--blobHost" "0.0.0.0" "--queueHost" "0.0.0.0" "--tableHost" "0.0.0.0") fi -HOST_ARGS=("--blobHost" "127.0.0.1" "--queueHost" "127.0.0.1" "--tableHost" "127.0.0.1") PORT_ARGS=("--blobPort" "10000" "--queuePort" "10001" "--tablePort" "10002") # Start Azurite with the appropriate arguments based on the configuration.