Usage
This is an example playbook:
```yaml
---
- hosts: all
  roles:
    - weareinteractive.openssl
  vars:
    openssl_keys:
      - name: foobar.com.key
        key: "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDhSsYh36iAShzd\nNM0dSxiVXFe3WCZbePTQSNQ0hnFyBF1AfQKzpo9kFP3h+/IxzUNcPREAqOjmIfl4\ndVTXicyqVrqwt1su90+DitRmvYU0e4PDAA9pwQAxdT1qGBnzBFMgs/JpwQNQetCz\nzISDYn0QbaBGLXs6+UkDGyKu8LCX/T0vOLQ/LecDleZrXf6ubqK7H9SGtGsPLlDw\nonAe+KKieDYJlfHX9omaC953fp8aKDA7V5g/3KbkhsERDl6b/++fNjlestgnZMms\nYdDsM6MzBlt+3f0YQQXzVsmO8LGJxLMSMEmmg76e1VegPq+FyjMQp8r+8i2y/Tvz\nadL0bnivAgMBAAECggEBAKhbp4rCx/nu6HkKL0n3x4w+cLJrpmZvEovgEOybl4V7\n62/4u58jFj7VTRCmpcw/t1njrKQQldL8iqBRFjDoIlEc9PCAZRzI5dvIUIfikvuw\nXbvIfLwr5YgQM+/nyOSJU9G5h6st+NsYnIPwjwpb/FfdhItNC6z7g2tVyOpwpZc9\n2WwJadASIew3GOSd3gLoZLiO+r6XdPc//VcAxaNhu1B5RMHpQxeKa7KQ9T3CzCj4\nTBvIxV5LKAiGMlE26WZR7X2xkLzWswCsk8SAv9ulqbuKlSoPMh86BadM5H6SeGuP\ncsTcTGgoAmhbNmUN/j3lOjHJed7oUKEQGVgGIh4W1OkCgYEA+ECUtXl/sQzUiAYz\nKy556wb31v31D+tVftYU5BzwB/YO7T1ApY1/Bzs/KbnXiKu3eb3IyfEVe/CTcyE9\nhTrJJr5b6Nesa4n0PMpxHfZbWloGoewyfVl7Dgu6/KFctKFm17QcFSG7NsGraE6L\nBQ80gWo94Fyt1nXN9+myUeKga5sCgYEA6FLAgUFS7ykFA0bh5MLV1Q9IZav86Hky\nOmgM1ysd/B9ObRAxKaQezvK+4uyaUW55d8pQZJE2YQo84KPX1wFiAPkR5dwm/C1J\nuH9fz5OycXTUS0LJYGFLmeyKSQ4N+V+8Ex5laFqhHXE8Rzpi/QbYuf4V2EDPlY4g\n6kQgtzS/qn0CgYAQfDlj062nFDMI1WCQfYWbFdtfa33akMYcphq9Cy7lWHGlT2v7\nkmndERIgszac3MpSS0gKIPhMQq2H960eK8kvyXRRAgFxIrgVUVwxoSpv1YqbNhQk\nPsztIdpI7G47kHxD1rIGtTa5bCL1ykFxFJFoBqYVQBJLK4eB7wLobSQ6AQKBgEiB\n+z7cCmxGGyBosPvaqy4x9OB2ixprKPf9nXRSKquTgcCcOxvJ8yuXq2fbfFZJ6nMu\nm2SnxZcHwPRDbovWDKZNFf7tdOVjpQyGBHsel6S9V7ydfYgtFZFWt9oRHt9jt6kn\n5XJqRrqPqsZ4PIjH6EA0QtEZeTAuCavT03oaZm9pAoGBAPVuxRWNqfF7fWbLZiHG\nq3ykwooYtbSfixRe2y/h7IHrQyCbAEG/V2FBPKTNhh0zwHpRTS4PFRL3h+ZQNYrr\n/n+zN/OJl/75P53NDlZ5n1m1eYPMbVjDvvTDDdWqkESLUvTRT7JnyiXApRY0EWTA\nArNAJBxDBD66sa5BM9hZV9fG\n-----END PRIVATE KEY-----\n"
    openssl_certs:
      - name: foobar.com.crt
        cert: "-----BEGIN CERTIFICATE-----\nMIIDuTCCAqGgAwIBAgIJAO7EaRwLzPYyMA0GCSqGSIb3DQEBCwUAMHMxCzAJBgNV\nBAYTAkRFMRAwDgYDVQQIDAdCYXZhcmlhMQ8wDQYDVQQHDAZNdW5pY2gxEDAOBgNV\nBAoMB0ZvbyBCYXIxEzARBgNVBAMMCmZvb2Jhci5jb20xGjAYBgkqhkiG9w0BCQEW\nC2Zvb0BiYXIuY29tMB4XDTE0MDgwMjE1NTMxNloXDTI0MDczMDE1NTMxNlowczEL\nMAkGA1UEBhMCREUxEDAOBgNVBAgMB0JhdmFyaWExDzANBgNVBAcMBk11bmljaDEQ\nMA4GA1UECgwHRm9vIEJhcjETMBEGA1UEAwwKZm9vYmFyLmNvbTEaMBgGCSqGSIb3\nDQEJARYLZm9vQGJhci5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB\nAQDhSsYh36iAShzdNM0dSxiVXFe3WCZbePTQSNQ0hnFyBF1AfQKzpo9kFP3h+/Ix\nzUNcPREAqOjmIfl4dVTXicyqVrqwt1su90+DitRmvYU0e4PDAA9pwQAxdT1qGBnz\nBFMgs/JpwQNQetCzzISDYn0QbaBGLXs6+UkDGyKu8LCX/T0vOLQ/LecDleZrXf6u\nbqK7H9SGtGsPLlDwonAe+KKieDYJlfHX9omaC953fp8aKDA7V5g/3KbkhsERDl6b\n/++fNjlestgnZMmsYdDsM6MzBlt+3f0YQQXzVsmO8LGJxLMSMEmmg76e1VegPq+F\nyjMQp8r+8i2y/TvzadL0bnivAgMBAAGjUDBOMB0GA1UdDgQWBBTMI1BoL1dh9tov\nQxJHM6GnZfBhMTAfBgNVHSMEGDAWgBTMI1BoL1dh9tovQxJHM6GnZfBhMTAMBgNV\nHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQALezxaXABZEQE6RDmtfBE7jdGy\nxWJVLxSoH0+YNNVXDYNCwNdDMBbjcH6B//aaGLc6Zqif7+HlRfmr4SVfjIP8UQZR\nSQ2s/tcftR6Wp2aadIdUZZkIvmaWvyFfBrrm8F6Ot22Y8EIgjSl/y4kewM6qD1MY\nxC7qAwze2k0yPqVdAXFYJh/+thRTV4YA9R8OCVVRO4xoEOGsTOsHQYH7+/lR3U+o\nbmBu+k1pPK+LYCoQyIrIB6xHqRYf4nHirxlbu4+aAY1Rc57Okbk68g6ThA27r8Ay\n/14Fu1Ry6NAq/1zeSzX4JrFQOlZDNtqF0UXgph2RehMZjtQG2b4B8gLpwPRe\n-----END CERTIFICATE-----\n"
    openssl_self_signed:
      - name: foobar.org
        subject:
          C: DE
          ST: Bavaria
          L: Munich
          O: Foo Bar Inc
          CN: foobar.org
          emailAddress: null@foobar.org
    openssl_keys_path: /etc/my-ssl/private
    openssl_certs_path: /etc/my-ssl/certs
    openssl_default_key_owner: root
    openssl_default_key_group: root
    openssl_default_cert_owner: root
    openssl_default_cert_group: root
    openssl_config:
      default_bits: 2048
      countryName_default: DE
      stateOrProvinceName_default: Bavaria
      localityName_default: Munich
      organizationName_default: 'My Organization'
      organizationalUnitName_default: 'My Organization Unit'
      commonName_default: 'foobar.com'
    openssl_cacert_import: yes
    openssl_generate_csr: yes
```
Using the provider
After the provider has been registered, all that is necessary to use it is to get the SSLContext:
The SSLContext can then be used as normal, and should provide a drop-in replacement for JSSE.
Building
The Java side of the project uses Maven and can be built as normal (). The native code should be built
as part of the standard build process.
Windows
To do the Windows build you need to run the build from a Visual Studio native tools command prompt. If you want to build
the 32-bit natives you must use the 32-bit prompt (and have JAVA_HOME pointed to a 32-bit JVM); otherwise both the prompt
and the JVM must be 64-bit.
Configuring Your Environment
- Install OpenSSL, ideally both 32- and 64-bit versions.
- Optional: Configure a and permanent environment variable.
Next ensure you have both a 32-bit and a 64-bit JDK installed.
- It seems to be easiest to download the zips.
Make sure you install the native tools for the command prompt too.
Building 32-bit Natives
Navigate to the executable. Generally you can navigate to this through
the start menu. For Visual Studio 2019 Community the location is
.
Once the command prompt is open, make sure you set your JAVA_HOME to the 32-bit JDK. Then update the
environment variable to include the OpenSSL headers.
Example:
Building 64-bit Natives
Navigate to the executable. Generally you can navigate to this through
the start menu. For Visual Studio 2019 Community the location is
.
Once the command prompt is open, make sure you set your JAVA_HOME to the 64-bit JDK. Then update the
environment variable to include the OpenSSL headers.
Example:
Maven artifact
There are two Maven artifacts to choose between; which one you use will depend on your use case:
The artifact does not contain any native code. To use it you will need to either place the native library
somewhere that it can be found by , or include a Maven artifact that has the library packaged (such as one of
the platform-specific artifacts built by this project).
The artifact contains binaries for Mac, Linux and Windows (all for x86_64). If no other version of these
native libraries is found, these will be extracted to a temporary directory and loaded. This should allow it to run without
having to worry about how to deal with the native code.
Installing the native library
If you are running on x86_64 Mac, Windows or Linux then you can use the out-of-the-box support provided by the
artifact.
There are two different native libraries that must be loaded: the binary provided by this project, and OpenSSL
itself. The project's binary is loaded through a standard java.lang.System.loadLibrary() invocation, so it should be located somewhere
where it can be discovered by the JVM. Alternatively you can set the system property
to specify the full path to the library.
OpenSSL is loaded dynamically, and its location can be specified by the system property. If
this property is not present, the standard system library search path will be used instead. Because the library is loaded
dynamically, it should be possible to use different versions of OpenSSL without needing to recompile.
Variables
Here is a list of all the default variables for this role, which are also available in .
```yaml
---
# openssl_keys:
#   - name: mykey.key
#     key: "mykeycontents"
#   - name: myotherkey.key
#     key: "myotherkeycontents"
#     mode: "0664"
#     owner: "www-data"
#     group: "www-data"
# openssl_certs:
#   - name: mycert.crt
#     cert: "mycertcontents"
#   - name: myothercert.crt
#     cert: "myothercertcontents"
#     mode: "0664"
#     owner: "www-data"
#     group: "www-data"
# openssl_self_signed:
#   - name: foobar.com
#     subject:
#       C: DE
#       ST: Bavaria
#       L: Munich
#       O: Foo Bar Inc
#       CN: foobar.org
#       emailAddress: null@foobar.org
# openssl_config:
#   default_bits: 2048
#   countryName_default: DE
#   stateOrProvinceName_default: Bavaria
#   localityName_default: Munich
#   organizationName_default: 'My Organization'
#   organizationalUnitName_default: 'My Organization Unit'
#   commonName_default: 'foobar.com'
# openssl_config_template: templates/openssl.cnf.j2

# keys to import
openssl_keys: []
# certificates to import
openssl_certs: []
# path to certificates
openssl_certs_path: /etc/ssl/certs
# path to keys
openssl_keys_path: /etc/ssl/private
# default key owner
openssl_default_key_owner: ssl-cert
# default key group
openssl_default_key_group: root
# default cert owner
openssl_default_cert_owner: root
# default cert group
openssl_default_cert_group: root
# self signed certificates
openssl_self_signed: []
# config variables
openssl_config: {}
# config template to install, relative to the ansible repository root
openssl_config_template:
# generate a CSR for each self signed certificate
openssl_generate_csr: no
# path to certificate signing requests
openssl_csrs_path: /etc/ssl/csrs
# should CAcert certificates be downloaded and added to the keyring?
openssl_cacert_import: no
# overrides for the file checksum when the CACert root certificates are downloaded.
# must be the output of 'sha256sum <name of certificate>'
openssl_cacert_class_one_key_sha256: 'c0e0773a79dceb622ef6410577c19c1e177fb2eb9c623a49340de3c9f1de2560'
openssl_cacert_class_three_key_sha256: 'f5badaa5da1cc05b110a9492455a2c2790d00c7175dcf3a7bcb5441af71bf84f'
```
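Two of the variables above carry security weight: a per-item `mode` on an `openssl_keys` entry that lets group or world read a private key, and the `openssl_cacert_*_sha256` overrides that pin the downloaded CAcert roots. The following pre-flight check is an added example, not part of the role; it applies the documented owner/group/mode fallback to the `openssl_default_*` variables and flags both problems. The implicit mode used for entries that set none is an assumption, since the role's own value is not stated here.

```python
"""Audit weareinteractive.openssl variables before the play runs (added
example, not part of the role): apply the documented owner/group/mode
fallback to openssl_default_*, flag private keys readable beyond their
owner, and flag CAcert checksum overrides that are not sha256sum output."""
import re

# Assumption: the role's implicit mode for items that set none is not on the
# page; 0600 for keys and 0644 for certs is assumed here.
IMPLICIT_MODE = {"key": "0600", "cert": "0644"}

def effective_perms(item, kind, role_vars):
    """Resolve owner/group/mode for one openssl_keys or openssl_certs entry."""
    return {
        "name": item["name"],
        "owner": item.get("owner", role_vars[f"openssl_default_{kind}_owner"]),
        "group": item.get("group", role_vars[f"openssl_default_{kind}_group"]),
        "mode": int(str(item.get("mode", IMPLICIT_MODE[kind])), 8),
    }

def audit(role_vars):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for item in role_vars.get("openssl_keys", []):
        p = effective_perms(item, "key", role_vars)
        if p["mode"] & 0o077:  # any group/other bit set on a private key
            findings.append(f"{p['name']}: mode {p['mode']:04o} exposes the "
                            f"private key beyond owner {p['owner']}")
    if role_vars.get("openssl_cacert_import"):
        for var in ("openssl_cacert_class_one_key_sha256",
                    "openssl_cacert_class_three_key_sha256"):
            if not re.fullmatch(r"[0-9a-f]{64}", role_vars.get(var, "")):
                findings.append(f"{var}: expected 64 hex digits from sha256sum")
    return findings

# Constructed sample variables (not from the page) exercising both checks.
SAMPLE_VARS = {
    "openssl_default_key_owner": "ssl-cert", "openssl_default_key_group": "root",
    "openssl_keys": [
        {"name": "mykey.key", "key": "mykeycontents"},
        {"name": "myotherkey.key", "key": "myotherkeycontents",
         "mode": "0664", "owner": "www-data", "group": "www-data"},
    ],
    "openssl_cacert_import": True,
    "openssl_cacert_class_one_key_sha256": "0" * 64,
    "openssl_cacert_class_three_key_sha256": "not-a-digest (truncated paste)",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VARS):
        print(finding)
```

Run it against the vars you intend to pass to the role; the world-readable key in the constructed sample and the malformed class-three checksum are both reported, while the first key (owner ssl-cert, group root, mode 0600) is not.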