slawek/azure-storage-emulator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: enhance certificate generation functions and add make_account_cert for streamlined server cert creation

Browse Source
This commit is contained in:
Sławek Koszewski
2026-03-03 11:54:47 +01:00
parent 3a068149a7
commit 3b9c295a35
2 changed files with 148 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

138
cert-functions.sh
View File

@@ -1,8 +1,8 @@
function make_ca() { function make_ca() {
# Use the provided directory argument or default to AZURITE_DIR if not provided # Use the provided directory argument or default to AZURITE_DIR if not provided
local CERT_DIR="${1:-$AZURITE_DIR}" local CERT_DIR="$1"
if [[ ! -d "$CERT_DIR" ]]; then if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then
echo "ERROR: Certificate directory $CERT_DIR does not exist." echo "ERROR: Certificate directory $CERT_DIR does not exist."
return 1 return 1
fi fi
@@ -20,33 +20,94 @@ function make_ca() {
-subj "/CN=Azurite CA" \ -subj "/CN=Azurite CA" \
-text \ -text \
-addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then -addext "basicConstraints=critical,CA:TRUE,pathlen:0"; then
echo "Error: Failed to generate CA certificate and key." >&2 echo "ERROR: Failed to generate CA certificate and key." >&2
return 1 return 1
fi fi
fi fi
return 0
}
function _is_ip() {
if [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
return 0
else
return 1
fi
}
function _is_dns() {
if [[ "$1" =~ ^[a-z0-9-]+(\.[a-z0-9-]+)*$ ]]; then
return 0
else
return 1
fi
} }
function make_server_cert() { function make_server_cert() {
local ACCOUNT_NAME="${1:-devstoreaccount1}" local CERT_DIR="$1"
local CERT_DIR="${2:-$AZURITE_DIR}" local CERT_SUBJECT_NAME="$2"
shift 2
if [[ ! -d "$CERT_DIR" ]]; then if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then
echo "ERROR: Certificate directory $CERT_DIR does not exist." echo "ERROR: Certificate directory $CERT_DIR does not exist."
return 1 return 1
fi fi
if [[ -z "$CERT_SUBJECT_NAME" ]]; then
echo "ERROR: Subject name is required." >&2
return 1
fi
if ! _is_dns "$CERT_SUBJECT_NAME"; then
echo "ERROR: Invalid subject name '$CERT_SUBJECT_NAME'. Must be a valid DNS name." >&2
return 1
fi
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
echo "ERROR: CA certificate and key not found in $CERT_DIR. Please call make_ca first." >&2
return 1
fi
# Calculate the "account" name from the subject name, the hostname part before the first dot
local CERT_NAME="${CERT_SUBJECT_NAME%%.*}"
# Start with the subjectAltName extension containing the main DNS name
local SANS=("DNS:${CERT_SUBJECT_NAME}")
# Combine the remaining arguments into a single string for the subjectAltName extension
while [[ $# -gt 0 ]]; do
if _is_ip "$1"; then
SANS+=("IP:$1")
elif _is_dns "$1"; then
SANS+=("DNS:$1")
else
echo "ERROR: Invalid SAN entry '$1'" >&2
return 1
fi
shift
done
# Join the SAN entries with commas for the OpenSSL command
local SANS_EXT="subjectAltName=$(IFS=,; echo "${SANS[*]}")"
echo "Generating server certificate for '$CERT_SUBJECT_NAME' with SANs:"
for san in "${SANS[@]}"; do
echo " - $san"
done
# Generate server certificate and key if they don't exist # Generate server certificate and key if they don't exist
if [[ ! -f "$CERT_DIR/${ACCOUNT_NAME}_cert.pem" || ! -f "$CERT_DIR/${ACCOUNT_NAME}_key.pem" ]]; then if [[ ! -f "$CERT_DIR/${CERT_NAME}_cert.pem" || ! -f "$CERT_DIR/${CERT_NAME}_key.pem" ]]; then
echo "Generating server certificate and key..." echo "Generating server certificate and key..."
if ! openssl req \ if ! openssl req \
-newkey rsa:4096 \ -newkey rsa:4096 \
-keyout "$CERT_DIR/${ACCOUNT_NAME}_key.pem" \ -keyout "$CERT_DIR/${CERT_NAME}_key.pem" \
-nodes \ -nodes \
-subj "/CN=${ACCOUNT_NAME}.blob.core.windows.net" \ -subj "/CN=${CERT_NAME}.blob.core.windows.net" \
-addext "basicConstraints=critical,CA:FALSE" \ -addext "basicConstraints=critical,CA:FALSE" \
-addext "keyUsage=digitalSignature,keyEncipherment" \ -addext "keyUsage=digitalSignature,keyEncipherment" \
-addext "extendedKeyUsage=serverAuth,clientAuth" \ -addext "extendedKeyUsage=serverAuth,clientAuth" \
-addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:${ACCOUNT_NAME}.blob.localhost,DNS:${ACCOUNT_NAME}.queue.localhost,DNS:${ACCOUNT_NAME}.table.localhost,DNS:localhost,IP:127.0.0.1" \ -addext "$SANS_EXT" \
| openssl x509 \ | openssl x509 \
-req \ -req \
-CA "$CERT_DIR/ca_cert.pem" \ -CA "$CERT_DIR/ca_cert.pem" \
@@ -55,9 +116,60 @@ function make_server_cert() {
-copy_extensions copyall \ -copy_extensions copyall \
-days 365 \ -days 365 \
-text \ -text \
-out "$CERT_DIR/${ACCOUNT_NAME}_cert.pem"; then -out "$CERT_DIR/${CERT_NAME}_cert.pem"; then
echo "Error: Failed to generate server certificate and key." >&2 echo "ERROR: Failed to generate server certificate and key." >&2
exit 1 return 1
fi fi
fi fi
return 0
}
function make_pfx() {
local CERT_DIR="$1"
local CERT_NAME="$2"
local PFX_PASSWORD="${3:-}"
if [[ -z "$CERT_DIR" || ! -d "$CERT_DIR" ]]; then
echo "ERROR: Certificate directory $CERT_DIR does not exist."
return 1
fi
if [[ -z "$CERT_NAME" ]]; then
echo "ERROR: Certificate name is required." >&2
return 1
fi
if [[ ! -f "$CERT_DIR/${CERT_NAME}_cert.pem" || ! -f "$CERT_DIR/${CERT_NAME}_key.pem" ]]; then
echo "ERROR: Server certificate and key not found in $CERT_DIR. Please call make_server_cert first." >&2
return 1
fi
if [[ ! -f "$CERT_DIR/ca_cert.pem" || ! -f "$CERT_DIR/ca_key.pem" ]]; then
echo "ERROR: CA certificate and key not found in $CERT_DIR. Please call make_ca first." >&2
return 1
fi
if [[ -z "$PFX_PASSWORD" ]]; then
PFX_PASSWORD="changeit"
fi
if [[ ! -f "$CERT_DIR/${CERT_NAME}.pfx" ]]; then
echo "Generating PKCS#12 (PFX) file..."
# Avoid exposing the password in the command line by passing it via stdin to openssl
if ! printf "%s\n" "$PFX_PASSWORD" | openssl pkcs12 \
-export -out "$CERT_DIR/${CERT_NAME}.pfx" \
-inkey "$CERT_DIR/${CERT_NAME}_key.pem" \
-in "$CERT_DIR/${CERT_NAME}_cert.pem" \
-certfile "$CERT_DIR/ca_cert.pem" \
-passout pass:stdin; then
echo "ERROR: Failed to generate PKCS#12 (PFX) file." >&2
return 1
fi
else
echo "PKCS#12 (PFX) file already exists, aborting generation."
return 1
fi
return 0
} }

26
entrypoint.sh
View File

@@ -5,6 +5,23 @@ set -e
# Include certificate generation functions. # Include certificate generation functions.
. /app/cert-functions.sh . /app/cert-functions.sh
function make_account_cert() {
local CERT_DIR="$1"
local ACCOUNT_NAME="${2:-devstoreaccount1}"
# -addext "subjectAltName=DNS:${ACCOUNT_NAME}.blob.core.windows.net,DNS:${ACCOUNT_NAME}.queue.core.windows.net,DNS:${ACCOUNT_NAME}.table.core.windows.net,DNS:${ACCOUNT_NAME}.blob.localhost,DNS:${ACCOUNT_NAME}.queue.localhost,DNS:${ACCOUNT_NAME}.table.localhost,DNS:localhost,IP:127.0.0.1"
make_server_cert "$CERT_DIR" "${ACCOUNT_NAME}.blob.core.windows.net" \
"${ACCOUNT_NAME}.queue.core.windows.net" \
"${ACCOUNT_NAME}.table.core.windows.net" \
"${ACCOUNT_NAME}.blob.localhost" \
"${ACCOUNT_NAME}.queue.localhost" \
"${ACCOUNT_NAME}.table.localhost" \
"localhost" \
"127.0.0.1"
return $?
}
# Setup default storage location, account name and accounts file path. # Setup default storage location, account name and accounts file path.
AZURITE_STORAGE="${AZURITE_STORAGE:-/storage}" AZURITE_STORAGE="${AZURITE_STORAGE:-/storage}"
@@ -61,20 +78,21 @@ if ! make_ca "$AZURITE_STORAGE"; then
exit 1 exit 1
fi fi
if ! make_server_cert "$ACCOUNT_NAME" "$AZURITE_STORAGE"; then if ! make_account_cert "$AZURITE_STORAGE" "$ACCOUNT_NAME"; then
echo "Error: Failed to create server certificate and key." >&2 echo "Error: Failed to create server certificate and key." >&2
exit 1 exit 1
fi fi
if [[ -z "$NO_CADDY" ]]; then
# Generate a Caddyfile configuration based on the account name and storage directory. # Generate a Caddyfile configuration based on the account name and storage directory.
sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_STORAGE__|${AZURITE_STORAGE}|g" /app/Caddyfile.example > "$AZURITE_STORAGE/Caddyfile" sed -E "s/__ACCOUNT_NAME__/${ACCOUNT_NAME}/g; s|__AZURITE_STORAGE__|${AZURITE_STORAGE}|g" /app/Caddyfile.example > "$AZURITE_STORAGE/Caddyfile"
if [[ -z "$NO_CADDY" ]]; then
# Start Caddy in the background to handle HTTPS requests and route them to Azurite. # Start Caddy in the background to handle HTTPS requests and route them to Azurite.
caddy start --config "$AZURITE_STORAGE/Caddyfile" # Use start not run, start does not block the shell process. caddy start --config "$AZURITE_STORAGE/Caddyfile" # Use start not run, start does not block the shell process.
HOST_ARGS=("--blobHost" "127.0.0.1" "--queueHost" "127.0.0.1" "--tableHost" "127.0.0.1")
else
HOST_ARGS=("--blobHost" "0.0.0.0" "--queueHost" "0.0.0.0" "--tableHost" "0.0.0.0")
fi fi
HOST_ARGS=("--blobHost" "127.0.0.1" "--queueHost" "127.0.0.1" "--tableHost" "127.0.0.1")
PORT_ARGS=("--blobPort" "10000" "--queuePort" "10001" "--tablePort" "10002") PORT_ARGS=("--blobPort" "10000" "--queuePort" "10001" "--tablePort" "10002")
# Start Azurite with the appropriate arguments based on the configuration. # Start Azurite with the appropriate arguments based on the configuration.