diff options
author | Jonathan Gathman <jonathan.gathman@att.com> | 2018-04-04 02:43:25 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2018-04-04 02:43:25 +0000 |
commit | c36423577d5b8501af78cc2f8a7db1e43eacdf0d (patch) | |
tree | fc00bf6c20424b51c2c5d115254944c484ebd86a | |
parent | abf7c0e407c97250c07d408c314c5aa1c757263e (diff) | |
parent | 54944fe6c6371e73fb01d3a5a0131d5fb5d6ee36 (diff) |
Merge "pkcs11 key/cert import for CA use"
-rw-r--r-- | auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java | 14 | ||||
-rw-r--r-- | conf/CA/cfg.pkcs11 | 3 | ||||
-rwxr-xr-x | conf/CA/p11.sh | 39 |
3 files changed, 53 insertions, 3 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java index 70f67940..cd8886da 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java @@ -126,19 +126,21 @@ public class LocalCA extends CA { try { Provider p; KeyStore keyStore; + FileInputStream fis = null; if(fileName.endsWith(".pkcs11")) { String ksType; p = Factory.getSecurityProvider(ksType="PKCS11",params); keyStore = KeyStore.getInstance(ksType,p); } else if(fileName.endsWith(".jks")) { keyStore = KeyStore.getInstance("JKS"); + fis = new FileInputStream(f); } else if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) { keyStore = KeyStore.getInstance("PKCS12"); + fis = new FileInputStream(f); } else { throw new CertException("Unknown Keystore type from filename " + fileName); } - FileInputStream fis = new FileInputStream(f); KeyStore.ProtectionParameter keyPass; try { @@ -152,9 +154,15 @@ public class LocalCA extends CA { keyStore.load(fis,ksPass); } finally { - fis.close(); + if (fis != null) + fis.close(); + } + Entry entry; + if(fileName.endsWith(".pkcs11")) { + entry = keyStore.getEntry(params[0][1]/*alias*/, null); + } else { + entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass); } - Entry entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass); if(entry==null) { throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\''); } diff --git a/conf/CA/cfg.pkcs11 b/conf/CA/cfg.pkcs11 new file mode 100644 index 00000000..0c12c6bf --- /dev/null +++ b/conf/CA/cfg.pkcs11 @@ -0,0 +1,3 @@ +name = shsm +library = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so +slot = 0 diff --git a/conf/CA/p11.sh b/conf/CA/p11.sh new file mode 100755 index 00000000..fdc0a3f9 --- /dev/null +++ b/conf/CA/p11.sh @@ -0,0 +1,39 @@ +# +# Import the keys and certs to pkcs11 based softhsm +# + +if [ "$#" -ne 3 ]; then + echo "Usage: p11.sh <user pin> <so pin> <id>" + exit 1 +fi + +LIB_PATH=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so + +mkdir -p p11key p11crt cacerts +# Conver the keys and certs to DER format +# key to der +openssl rsa -in private/ca.key -outform DER -out p11key/cakey.der +# cert to der +cp certs/ca.crt cacerts +DLIST=`ls -d intermediate_*` +for DIR in $DLIST; do + cp $DIR/certs/ca.crt cacerts/$DIR.crt +done +for CA in `ls cacerts`; do + openssl x509 -in cacerts/$CA -outform DER -out p11crt/$CA +done + +# create token directory +mkdir /var/lib/softhsm/tokens +# create slot +softhsm2-util --init-token --slot 0 --label "ca token" --pin $1 --so-pin $2 +# import key into softhsm +pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11key/cakey.der --type privkey --id $3 +# import certs into softhsm +for CRT in `ls cacerts`; do + pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11crt/$CRT --type cert --id $3 +done + +rm -r p11key +rm -r p11crt +rm -r cacerts |