author | Kiran Kamineni <kiran.k.kamineni@intel.com> | 2018-05-14 14:40:03 -0700 |
---|---|---|
committer | Girish Havaldar <hg0071052@techmahindra.com> | 2018-05-15 04:25:49 +0000 |
commit | 30cd384dd2ea48ad3be9c6595cc1b43fe2318e4a (patch) | |
tree | 23d2f7f99a39b90d1e7d7274ef1007ff6c89ad3c | |
parent | 9f98749e160474ce06214530a4c05dbf3468f5cc (diff) |
Adding updated certs and encryption
Adding new SAN certificates from AAF
Adding encrypted storage for certificates
Moving certificates to different folder during
deployment. certs vs auth
Issue-ID: AAF-284
Change-Id: Ic0c3972556b36f773c7a653059eccd077624e4b6
Signed-off-by: Kiran Kamineni <kiran.k.kamineni@intel.com>
-rwxr-xr-x | sms-service/bin/build_quorum_image.sh | 2 | ||||
-rwxr-xr-x | sms-service/bin/build_sms_image.sh | 12 | ||||
-rw-r--r-- | sms-service/bin/deploy/quorumconfig.json | 5 | ||||
-rwxr-xr-x | sms-service/bin/deploy/sms.sh | 13 | ||||
-rw-r--r-- | sms-service/bin/deploy/smsconfig.json | 7 | ||||
-rw-r--r-- | sms-service/bin/quorumdockerfile | 2 | ||||
-rw-r--r-- | sms-service/bin/smsdockerfile | 6 | ||||
-rw-r--r-- | sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pr | 32 | ||||
-rw-r--r-- | sms-service/src/sms/auth/auth.go | 57 | ||||
-rw-r--r-- | sms-service/src/sms/certs/aaf-sms.pr | 30 | ||||
-rw-r--r-- | sms-service/src/sms/certs/aaf-sms.pub (renamed from sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pem) | 47 | ||||
-rw-r--r-- | sms-service/src/sms/certs/aaf_root_ca.cer (renamed from sms-service/src/sms/auth/aaf_root_ca.cer) | 0 | ||||
-rw-r--r-- | sms-service/src/sms/config/config.go | 1 | ||||
-rw-r--r-- | sms-service/src/sms/sms.go | 10 | ||||
-rw-r--r-- | sms-service/src/sms/smsconfig.json.template | 7 | ||||
-rw-r--r-- | sms-service/src/sms/test/loop_test.sh | 26 |
16 files changed, 157 insertions, 100 deletions
diff --git a/sms-service/bin/build_quorum_image.sh b/sms-service/bin/build_quorum_image.sh
index b26accf..72932e5 100755
--- a/sms-service/bin/build_quorum_image.sh
+++ b/sms-service/bin/build_quorum_image.sh
@@ -28,7 +28,7 @@ function generate_binary {
 }
 function copy_certificates {
- cp ../src/sms/auth/aaf_root_ca.cer .
+ cp ../src/sms/certs/aaf_root_ca.cer .
 }
 function cleanup {
diff --git a/sms-service/bin/build_sms_image.sh b/sms-service/bin/build_sms_image.sh
index 46685b6..2a98709 100755
--- a/sms-service/bin/build_sms_image.sh
+++ b/sms-service/bin/build_sms_image.sh
@@ -28,16 +28,16 @@ function generate_binary {
 }
 function copy_certificates {
- cp ../src/sms/auth/aaf_root_ca.cer .
- cp ../src/sms/auth/aaf-sms.api.simpledemo.onap.org.pem .
- cp ../src/sms/auth/aaf-sms.api.simpledemo.onap.org.pr .
+ cp ../src/sms/certs/aaf_root_ca.cer .
+ cp ../src/sms/certs/aaf-sms.pub .
+ cp ../src/sms/certs/aaf-sms.pr .
 }
 function cleanup {
 rm sms
- rm aaf-sms.api.simpledemo.onap.org.pem
- rm aaf-sms.api.simpledemo.onap.org.pr
- rm aaf_root_ca.cer
+ rm aaf-sms.pub
+ rm aaf-sms.pr
+ rm aaf_root_ca.cer
 }
 function build_image {
diff --git a/sms-service/bin/deploy/quorumconfig.json b/sms-service/bin/deploy/quorumconfig.json
index d2f647f..696fec6 100644
--- a/sms-service/bin/deploy/quorumconfig.json
+++ b/sms-service/bin/deploy/quorumconfig.json
@@ -1,7 +1,6 @@
 {
- "url":"https://sms-service:10443",
- "servername":"aaf-sms.api.simpledemo.onap.org",
- "cafile":"cert/aaf_root_ca.cer",
+ "url":"https://aaf-sms.onap:10443",
+ "cafile":"certs/aaf_root_ca.cer",
 "clientcert":"client.cert",
 "clientkey":"client.key",
 "timeout":"10s"
diff --git a/sms-service/bin/deploy/sms.sh b/sms-service/bin/deploy/sms.sh
index 3a6153c..a7eca69 100755
--- a/sms-service/bin/deploy/sms.sh
+++ b/sms-service/bin/deploy/sms.sh
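Review bot: copy_certificates now stages the server's private key aaf-sms.pr in the image build directory, and cleanup removes it with a bare `rm` that only runs if the build reaches that function, so an aborted build leaves the key sitting next to the Dockerfile. Make the removal unconditional and tolerant of a missing file, `rm -f -- aaf-sms.pub aaf-sms.pr aaf_root_ca.cer`, and run cleanup from an EXIT trap; the script preamble where `trap cleanup EXIT` would go is outside the hunk. A comment on copy_certificates such as `# aaf-sms.pr is the demo TLS key; it is baked into the image, so never point this at a production key` would also warn whoever next swaps the certificate, since smsdockerfile ADDs the staged file into a layer.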
@@ -69,13 +69,14 @@ docker cp vault.json sms-vault:/vault/config/config.json;
 docker start sms-vault;
 # Start SMS
-docker create --rm --name sms-service --network sms-net \
---hostname sms-service -p "10443:10443" \
+# Matching hostname with cert name
+docker create --rm --name aaf-sms.onap --network sms-net \
+--hostname aaf-sms.onap -p "10443:10443" \
 -v sms-service:/sms/auth \
 ${SMS_IMG};
-docker cp smsconfig.json sms-service:/sms/smsconfig.json
-docker start sms-service
+docker cp smsconfig.json aaf-sms.onap:/sms/smsconfig.json
+docker start aaf-sms.onap
 # Start 3 Quorum Clients
 for i in {0..2}
@@ -96,7 +97,7 @@ fi
 # Shutdown and clean up.
 if [ "$1" = "stop" ]; then
-docker stop sms-vault sms-consul sms-service;
+docker stop sms-vault sms-consul aaf-sms.onap;
 for i in {0..2}; do
 docker stop sms-quorum-$i
 done
@@ -110,4 +111,4 @@ fi
 if [ $SS = 0 ]; then
 echo "Please type ${0} start or ${0} stop"
-fi
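Review bot: `docker cp smsconfig.json aaf-sms.onap:/sms/smsconfig.json` copies the service configuration, which in this same commit gains the PEM passphrase, into the container beside the key the image already carries, so the two secrets meant to protect each other are co-located in every running container. If the demo knowingly accepts that, record it above the cp with `# smsconfig.json carries the key passphrase; demo deployment only`; keeping the passphrase out of the copied file (an environment variable on the `docker create` line, or a mounted file) would need the config loader to read it from there, which is a change outside this script. The named volume in `-v sms-service:/sms/auth` keeps the old service name while the container was renamed, which is harmless but easy to misread as a typo.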
\ No newline at end of file
+fi
diff --git a/sms-service/bin/deploy/smsconfig.json b/sms-service/bin/deploy/smsconfig.json
index 4c3cf3c..df446eb 100644
--- a/sms-service/bin/deploy/smsconfig.json
+++ b/sms-service/bin/deploy/smsconfig.json
@@ -1,7 +1,8 @@
 {
- "cafile": "cert/aaf_root_ca.cer",
- "servercert": "cert/aaf-sms.api.simpledemo.onap.org.pem",
- "serverkey": "cert/aaf-sms.api.simpledemo.onap.org.pr",
+ "cafile": "certs/aaf_root_ca.cer",
+ "servercert": "certs/aaf-sms.pub",
+ "serverkey": "certs/aaf-sms.pr",
+ "password": "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZA==",
 "smsdbaddress": "http://sms-vault:8200"
 }
diff --git a/sms-service/bin/quorumdockerfile b/sms-service/bin/quorumdockerfile
index 3b787d7..2874b7a 100644
--- a/sms-service/bin/quorumdockerfile
+++ b/sms-service/bin/quorumdockerfile
@@ -5,7 +5,7 @@ LABEL version=2.0.0
 LABEL maintainer="Girish Havaldar <hg0071052@techmahindra.com>"
 RUN mkdir -p /quorumclient/auth
-ADD aaf_root_ca.cer /quorumclient/cert/aaf_root_ca.cer
+ADD aaf_root_ca.cer /quorumclient/certs/aaf_root_ca.cer
 ADD quorumclient /quorumclient/bin/quorumclient
 RUN chmod +x /quorumclient/bin/quorumclient
diff --git a/sms-service/bin/smsdockerfile b/sms-service/bin/smsdockerfile
index 14327dc..19ce84f 100644
--- a/sms-service/bin/smsdockerfile
+++ b/sms-service/bin/smsdockerfile
@@ -7,9 +7,9 @@ LABEL maintainer="vamshi krishna <vn00480215@techmahindra.com>"
 EXPOSE 10443
 RUN mkdir -p /sms/auth
-ADD aaf_root_ca.cer /sms/cert/aaf_root_ca.cer
-ADD aaf-sms.api.simpledemo.onap.org.pem /sms/cert/aaf-sms.api.simpledemo.onap.org.pem
-ADD aaf-sms.api.simpledemo.onap.org.pr /sms/cert/aaf-sms.api.simpledemo.onap.org.pr
+ADD aaf_root_ca.cer /sms/certs/aaf_root_ca.cer
+ADD aaf-sms.pub /sms/certs/aaf-sms.pub
+ADD aaf-sms.pr /sms/certs/aaf-sms.pr
 ADD sms /sms/bin/sms
 RUN chmod +x /sms/bin/sms
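Review bot: The new "password" value is base64 of a plaintext passphrase (it decodes to a readable English phrase ending in "password"), so this is an encoding step rather than protection, and it lives in the same deploy directory as the encrypted key it opens; anyone who can read this file can read the key. If the aim is only to keep the passphrase out of casual view, say so where a deployer will see it, for example a sibling field `"_comment": "password is base64 of the key passphrase, not encrypted; replace both key and passphrase outside the demo"` (encoding/json ignores unknown keys unless the loader opts into strict decoding, so the extra field should be harmless) or a line in the deploy README. Note also that this value ends in `ZA==` while the copy in smsconfig.json.template ends in `ZAo=`, i.e. the template's passphrase carries a trailing newline and the two files are not interchangeable.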
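Review bot: `ADD aaf-sms.pr /sms/certs/aaf-sms.pr` bakes the server's private key into an image layer with the mode it has in the build context (the diffstat lists the source file as 0644), so every pull of the image carries the key and any process in the container can read it. If the key must ship in the image for the demo, use `COPY aaf-sms.pr /sms/certs/aaf-sms.pr` (ADD's archive-extraction and URL behaviour are not wanted for a key file) followed by `RUN chmod 600 /sms/certs/aaf-sms.pr`; the cleaner option is to mount the key at run time, as sms.sh already mounts a volume at /sms/auth, and leave it out of the image entirely.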
diff --git a/sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pr b/sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pr
deleted file mode 100644
index e2204ae..0000000
--- a/sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pr
+++ /dev/null
@@ -1,32 +0,0 @@
-Bag Attributes
- localKeyID: F5 51 07 8F 6A B5 88 A5 C1 63 25 5E B8 0B 85 EB 6C BD 36 08
- friendlyName: aaf-sms@aaf-sms.onap.org
-Key Attributes: <No Attributes>
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwOaxW5b6v24bY
-j+5/UlsxvoZr6FQ98y8jKZ9i61oRr1AQWTVNUS+7TwFPvh0Kbn+5JZqwQCAFWZ4i
-ghih3LTsF78vhpm3zgmYUiwkd9b5ofJUuiZntE4oCm+rC7atcmoRzWlnVl7/EX4i
-dlmrrAr/B1LhkjlqY/1pbZ6OG73LWfpGaMkq6/EI0VEYsgycXt/ibWlItBnwolXP
-tchVmVPWnrRFQYKLsGiznuMP4C9Vz4p75hrHhGE2wOxulNEPW92a3aZhFr0B0S+J
-ObOupr7vGplt9WlElOCJRd3yg6+sa/wEtI96rCZRAIInf1bnllOmclcOnNwUaMLX
-B+Aio9P/AgMBAAECggEAVHvhxmswRujMtegS49FczPVVRkhEksqST541vluse4v7
-q0rJRf7lDjxrGYrAK28cJmwDw/mKIGZ9bHfITVkdF46u5p719Ot/KBpE9VrKojTk
-k4AGx3LmgUW3kV31PyP5+/zpSlRbCJefS/BHPwkk4GznbCMJCZtUMwYNnH1qOSFn
-MbHH5TRzfsFsF1OALYnXcq+zaUYXVM25hCiQ0pPtsnPcnVO+mV0mWRBQNbPMmV8A
-Yy2XqB4fTxIjJ+k28ppmf2Eq9AuISJvwG/T2p+FHkXjNAYrJqUQw5S780499RqXI
-6BhIjrjx9Pyb8zUle+3ZN+FbBcs4RHgrgL05ueWe4QKBgQDXLypqRuIRKAXrtAwo
-fSCc/pKY9+rHvKQbqqY0eVSb8tZMMLDA0ElQuF3LoWIRJGYnb9PcQN/C+qtyY82Z
-bG+iWmdHtrm361H8ry2Mjdo7T65qypHS++RhaUhEHgPQaqXNLcmyruI+EWG6cC7n
-hNO3VY1G2xhaSaDF5sja4cjtMQKBgQDRpsDhJuXQb6L7yjDf3lYq3ZqjyY0P66Wo
-DaBwnH0I3GFE+jyOfSFNAalLErbXZwD/XSS1dKE3iVrzy9tYCLp4n7TSLVI4n1bz
-O8gH9qqbYEG8VhEYfuQF1wKxeqQ4q9fuzDe3dlAQyw80tFCiFvtPls67B5cRR6Di
-5f15iBLILwKBgGKWX251r1mA5sWIphFe0rRbBjtDSrPcP6vVUXS1KgiRB5G8tR6B
-zzVGYuLKu61y6cKjv4Mnzdz9D9PG2gmy3qqZlLwMgaY8EEIe2FWPIC8QYK7YxFrP
-wWDH5a4fukugsPoCQmi1Kz6YpBfREgxMlNtoPOP7uXqURS6mf9uYmn/hAoGBAKuA
-6lBFbcKxUHcB1DGOxJaUaiiKfKcFcqKjYxg8K9zPy5KN0nQN0OwZ68/KI2DalmpQ
-W/NE0Y2JA6pkna7KlSCQJW+6O4SudIbN5Lj/BFnOyHe1QI71XruYRE/DsAvcJ+zl
-ir6+Pok+U9Ydm8i9XCCjkcJWVzJ/khGLa2u78QFpAoGAKwlTP1rQGLMz0uUW8bx9
-EAHUf0IkXgs+qVCvg6gWE96q7l+UncLf4842Rl77uZfJr76yBhwo3ezCA+DQDqmg
-JhktLPnaeHJcuTiYI/bXXlNCf56SsY88TxP1UGkbSmYryLAO/fM9nAHH7qj7DWqW
-Ng8ecGGlcYcjmKxtWYolR+U=
------END PRIVATE KEY-----
\ No newline at end of file
diff --git a/sms-service/src/sms/auth/auth.go b/sms-service/src/sms/auth/auth.go
index 038e31d..9f6abde 100644
--- a/sms-service/src/sms/auth/auth.go
+++ b/sms-service/src/sms/auth/auth.go
@@ -22,21 +22,23 @@ import (
 "crypto/tls"
 "crypto/x509"
 "encoding/base64"
+ "encoding/pem"
 "golang.org/x/crypto/openpgp"
 "golang.org/x/crypto/openpgp/packet"
 "io/ioutil"
+ smsconfig "sms/config"
 smslogger "sms/log"
 )
 // GetTLSConfig initializes a tlsConfig using the CA's certificate
 // This config is then used to enable the server for mutual TLS
-func GetTLSConfig(caCertFile string) (*tls.Config, error) {
+func GetTLSConfig(caCertFile string, certFile string, keyFile string) (*tls.Config, error) {
 // Initialize tlsConfig once
 caCert, err := ioutil.ReadFile(caCertFile)
- if err != nil {
+ if smslogger.CheckError(err, "Read CA Cert file") != nil {
 return nil, err
 }
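Review bot: The comment above GetTLSConfig still describes it as initializing the config "using the CA's certificate", but the new signature takes certFile and keyFile and the function now also loads the serving certificate and key (and, per readPEMBlock in the following hunk, decrypts the key with the configured password). Replace the two comment lines with `// GetTLSConfig builds the server tls.Config: the client CA pool from caCertFile and the serving certificate/key from certFile and keyFile (the key may be a password-encrypted PEM; see readPEMBlock).` so callers know the password must be loaded before this runs. The body of GetTLSConfig continues beyond this hunk.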
@@ -49,10 +51,61 @@ func GetTLSConfig(caCertFile string) (*tls.Config, error) {
 ClientCAs: caCertPool,
 MinVersion: tls.VersionTLS12,
 }
+
+ certPEMBlk, err := readPEMBlock(certFile)
+ if smslogger.CheckError(err, "Read Cert File") != nil {
+ return nil, err
+ }
+
+ keyPEMBlk, err := readPEMBlock(keyFile)
+ if smslogger.CheckError(err, "Read Key File") != nil {
+ return nil, err
+ }
+
+ tlsConfig.Certificates = make([]tls.Certificate, 1)
+ tlsConfig.Certificates[0], err = tls.X509KeyPair(certPEMBlk, keyPEMBlk)
+ if smslogger.CheckError(err, "Load x509 cert and key") != nil {
+ return nil, err
+ }
+ tlsConfig.BuildNameToCertificate()
 return tlsConfig, nil
 }
+func readPEMBlock(filename string) ([]byte, error) {
+
+ pemData, err := ioutil.ReadFile(filename)
+
+ if smslogger.CheckError(err, "Read PEM File") != nil {
+ return nil, err
+ }
+
+ pemBlock, rest := pem.Decode(pemData)
+ if len(rest) > 0 {
+ smslogger.WriteWarn("Pemfile has extra data")
+ }
+
+ if x509.IsEncryptedPEMBlock(pemBlock) {
+ pByte, err := base64.StdEncoding.DecodeString(smsconfig.SMSConfig.Password)
+ if smslogger.CheckError(err, "Decode PEM Password") != nil {
+ return nil, err
+ }
+
+ pemData, err = x509.DecryptPEMBlock(pemBlock, pByte)
+ if smslogger.CheckError(err, "Decrypt PEM Data") != nil {
+ return nil, err
+ }
+ var newPEMBlock pem.Block
+ newPEMBlock.Type = pemBlock.Type
+ newPEMBlock.Bytes = pemData
+ // Converting back to PEM from DER data you get from
+ // DecryptPEMBlock
+ pemData = pem.EncodeToMemory(&newPEMBlock)
+ }
+
+ return pemData, nil
+}
+
 // GeneratePGPKeyPair produces a PGP key pair and returns
 // two things:
 // A base64 encoded form of the public part of the entity
diff --git a/sms-service/src/sms/certs/aaf-sms.pr b/sms-service/src/sms/certs/aaf-sms.pr
new file mode 100644
index 0000000..21e1eed
--- /dev/null
+++ b/sms-service/src/sms/certs/aaf-sms.pr
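Review bot: readPEMBlock hands the result of pem.Decode to x509.IsEncryptedPEMBlock without checking it, and pem.Decode returns a nil *pem.Block when the file holds no PEM armour, so a wrong path or a truncated certs/aaf-sms.pr becomes a nil-pointer panic instead of the logged error the rest of the function produces. Add `if pemBlock == nil { return nil, errors.New("no PEM block in " + filename) }` directly after the Decode call, with "errors" added to the import list in the preceding hunk. Separately, IsEncryptedPEMBlock/DecryptPEMBlock implement OpenSSL's legacy PEM encryption (the committed key's DEK-Info header names DES-EDE3-CBC), whose passphrase-to-key derivation is one MD5 pass salted with the IV, and the passphrase is read from the same config that points at the key, so this guards against casual reading only; a comment such as `// NOTE: legacy PEM encryption with a passphrase from smsconfig.json; obfuscation, not a secret store` would stop a later reader from relying on it. Minor: on the encrypted path only the first block is re-encoded and rest is dropped, while the unencrypted path returns the whole file including trailing blocks (which is what lets the certificate chain through), and that asymmetry deserves a one-line comment.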
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,092DAD75B21417FF
+
+1g81WUZ9gS39NIMr++2E7nLJ5WBZkKjIl0F7rINsaiiLzBHRo5yhlSECwLugFOTi
+/X5jHweymAJny7gxxCZykfwwIWixtqyWCXsSfJpOX2VSUcsWWxIfFZQG6Os1HgU4
+XtPn6TgegX1BXgiQDN92tOBcspvVTyMRN+EOaYGj7J4NsJShAsWD7KSotpH63WDD
+pBp67ieBaVm4544u66pty76DT5AmZ/Lq7fXsAwTbwZXEVSFCjhoiIKq2d31USmEs
+I73+GU1IODFIftKLfTWnU94BWYtvGjmyv0p89LahvhhpuieJAL7883lIE1mXHw9m
+1y3VURxSW/OqjUv6cyJWVxLKzplhAfp9VI8lbkQe3n1N++ZC0+brz7ynpBGdElts
+DvajPs/doXdPsJMO2DHKLNHLjLnnp0wlJf0MXhwbr2wggveG9izUcmw3cBjumEJz
+q0wNODxGS7pPesjbOmAVHjpVORaaTyZS4nkD0iFHA+bZ2Us2M90lfYLBkafx19vA
+REBmxjwOWJAAAxn5f2mb6ji48L5nZGpETDnwH91uwS1EVBIvsoDSc2YXVDDYJhkA
+lSGT/U6Zi/WZ8oRyFN9vnGMB8yLo3lU2STelNMvE7ou0P5Vo/TnXHZPEh0SBZf/o
+tSa7cbKX0TlAd5oGcdq0yMcaXvU/CxVBKsZ4T+RJMChzQ5e1Jl46mi6ZrX7B3S5e
+xml9RKHZ0G84c1paEp1GjnUO4z2wFBX/BdSeQ7QNd9J2owRzqE5X0ATeI/p/iSSc
+y1AmX8pfakRKxY/Z2PcpSbq/K0TxVzpJMSkUCEQnFrlQJu6Clj2MQH4dq/PfS0r0
+8q28f3DymrvfBqtJp3FDRO2AE02PTILRXMJMQetsosRjfaQ9RUYEZo4EnoPQvjPl
+u/UZ//afIr2AX4C5xXEUKSxtaaxcwMqTwf1+r1Ljnv8iq9hq3yZkMWUG3/ttCdcy
+SU4fpOrBfwujq3NAKE+JVXr4MmRunjDqLuHrEk2MXebZfs1XgBF0wIka3xrO1iMl
+DDKK3KYFmAVlsiC0YaVLldSKpqBKbauPMQAvGnSMmFsQnxGg484z5bf6/OcB0hSB
+bxgGzFG/hTAfKsKIYDl/kezUEZZnTnY4DQH1gk5W2QFgi6df9RhO9ZagD2ZQym1M
+xkKF+JmpqwSDO7NawXKsVPtXXaPZsT4ZUGeMeeQSGm7EoNQiV/Kih0Qn6zhCwlk4
+hyKD0Ctlelaz+eORATPH/sqaPNkV6bxJ25h+xFTIPSKc/+upsIygkaPFb6v6ypwd
+ePFTiZ0ZL8zM+fcmwCTriAXmCiF/SA9WPR5i5yy96sKvjQ69fe4ADVShPEDwWtGH
+4j/tVx3nVTeGVYMTZksmu2KfXgQ0lg5K971eVjXzAwf5D27PdQzrV2Lw/ss+ACuR
+sJP0Ef5JImboiIN3noYIYInqffsNpXgFTPeukljRkh+GQgghEruXH4CCXKtQg5Ql
+DXRSS4mEIDfT+9y5J3ysKqVQSwE3cz1ZCkTRCdXKEzeU5eJZW1r2Bs7V6v0eSJNN
+p9qFqEGmW/MebytvEJso9ZzeI7OSyNWUNjUUdQvlZo3Z+eIcSVNUNag02lyYCaXL
+-----END RSA PRIVATE KEY-----
diff --git a/sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pem b/sms-service/src/sms/certs/aaf-sms.pub
index a8ae076..ac8ec6f 100644
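Review bot: This adds a TLS private key to the repository; its DES-EDE3-CBC PEM encryption is opened by a passphrase that the same commit writes into smsconfig.json, so the repo holds both pieces, and the previous key for this service was committed unencrypted (it is the file deleted earlier in this diff), so that one has to be treated as disclosed whatever happens to the new one. The new certificate's serial and localKeyID differ from the old ones, which suggests the pair was regenerated rather than re-wrapped, but that is inferred from the hunks, not stated anywhere. State in the deploy README what this key is, e.g. `aaf-sms.pr / aaf-sms.pub are demo credentials checked into git; generate your own pair for any non-demo deployment`, and consider a pre-commit check for PEM private keys so the next one is caught before review.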
--- a/sms-service/src/sms/auth/aaf-sms.api.simpledemo.onap.org.pem
+++ b/sms-service/src/sms/certs/aaf-sms.pub
@@ -1,32 +1,33 @@
 Bag Attributes
- localKeyID: F5 51 07 8F 6A B5 88 A5 C1 63 25 5E B8 0B 85 EB 6C BD 36 08
+ localKeyID: 70 BC 84 27 26 2F A9 A1 42 24 D6 1A 3B BA B8 84 A2 6A 69 56
 friendlyName: aaf-sms@aaf-sms.onap.org
-subject=/C=US/O=ONAP/OU=aaf-sms@aaf-sms.onap.org/OU=OSAAF/CN=aaf-sms.api.simpledemo.onap.org
+subject=/C=US/O=ONAP/OU=aaf-sms@aaf-sms.onap.org/OU=OSAAF/CN=aaf-sms
 issuer=/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_1
 -----BEGIN CERTIFICATE-----
-MIIENjCCAx6gAwIBAgIBHDANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN
+MIIEZzCCA0+gAwIBAgIBJTANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN
 MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk
-aWF0ZUNBXzEwHhcNMTgwNDI1MTEwOTI1WhcNMTkwNDIwMTEwOTI1WjB5MQswCQYD
+aWF0ZUNBXzEwHhcNMTgwNTA4MTIyNTMxWhcNMTkwNTAzMTIyNTMxWjBhMQswCQYD
 VQQGEwJVUzENMAsGA1UECgwET05BUDEhMB8GA1UECwwYYWFmLXNtc0BhYWYtc21z
-Lm9uYXAub3JnMQ4wDAYDVQQLDAVPU0FBRjEoMCYGA1UEAwwfYWFmLXNtcy5hcGku
-c2ltcGxlZGVtby5vbmFwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALA5rFblvq/bhtiP7n9SWzG+hmvoVD3zLyMpn2LrWhGvUBBZNU1RL7tPAU++
-HQpuf7klmrBAIAVZniKCGKHctOwXvy+GmbfOCZhSLCR31vmh8lS6Jme0TigKb6sL
-tq1yahHNaWdWXv8RfiJ2WausCv8HUuGSOWpj/Wltno4bvctZ+kZoySrr8QjRURiy
-DJxe3+JtaUi0GfCiVc+1yFWZU9aetEVBgouwaLOe4w/gL1XPinvmGseEYTbA7G6U
-0Q9b3ZrdpmEWvQHRL4k5s66mvu8amW31aUSU4IlF3fKDr6xr/AS0j3qsJlEAgid/
-VueWU6ZyVw6c3BRowtcH4CKj0/8CAwEAAaOB+jCB9zAJBgNVHRMEAjAAMBEGCWCG
-SAGG+EIBAQQEAwIGwDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQg
-U2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTaf9ELsETQX2tK/ilkzkFwlNx+
-OzBUBgNVHSMETTBLgBQd5lldG54KOKRipsGF8/PP1vGX6qEwpC4wLDEOMAwGA1UE
-CwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTggEBMA4GA1UdDwEB
-/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcN
-AQELBQADggEBACJFD0XRb6YmL5n0+coxb6y/reG/aCgspiilIgS+DcDNSmUzU7gb
-Yn43ZWQtgIepUk3vbv+lO15u7wbaHGWhJ7SAlFXzHgthjvi1wcLZilKdKTRktZa+
-q+v/3VrU8gZkf9sydbOseCA0vGdnO5UHQqMfIo3kpJsNxb2lT6FmdU5GKGellHvi
-fkczO1UZnSYGgkpyBV+gU6peDLNDludiq1iD1gLHdSpn3U1pcaFaBg3lFQamEOVH
-0vyxl6naD8C8K7wFFbFOJ9LV2dvTB04DmofUNaO9kuqRrLndHcR2b4htCLRHK4O2
-wap2ThiXgiy86zvTZKWt2YTghZUNjaPOpMQ=
+Lm9uYXAub3JnMQ4wDAYDVQQLDAVPU0FBRjEQMA4GA1UEAwwHYWFmLXNtczCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOfY6LRP7EuYINoFoROTuuLZMbpD
+rX6GxKIsa7Zu+gHC6SC07FrtwxSC7/PRhN+/RFbpmVxZTAyn0NL+lljF3zsSIuNK
+Xz26YvKYp9A7hJUBZ0BoKFBEa7NC8Gb9OKLRJiCQucJ7OR/PXY1BDCXxXHJAt56u
+JI6YLaGenk0nqqIpW8rIQjh0t89vBBJbkfSGGT4FFj9u1TGJ0hXI8QY5a9aTkXyt
+BLxROArUPatw9mal3ZJX4l06OacpDGFSLRKtssG5fjk0dnTs4eox/3OilFs6x1Wn
+f6oduIsuaROed7uhX+Do6UROnYr7LA4xXI1Gs9ONNBSE1/ySmiUXJXxB14kCAwEA
+AaOCAUIwggE+MAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgbAMDMGCWCGSAGG
++EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYD
+VR0OBBYEFHXg1N9VCaxvC/44iUnRuKWrUrdAMFQGA1UdIwRNMEuAFB3mWV0bngo4
+pGKmwYXz88/W8ZfqoTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05B
+UDELMAkGA1UEBhMCVVOCAQEwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsG
+AQUFBwMBBggrBgEFBQcDAjBFBgNVHREEPjA8ghthYWYtc21zLnNpbXBsZWRlbW8u
+b25hcC5vcmeCD2FhZi1zbXMtZGIub25hcIIMYWFmLXNtcy5vbmFwMA0GCSqGSIb3
+DQEBCwUAA4IBAQA+KKgn7Q0svrdalZ574nhgibWGYnSzkL23RAUv4lkH3HEKAN9d
+E961Dp112XFihKg0OFK/toENikj0iPHq09XgU9L/Ni3eaOWw1DP7r86JsQzSvtGa
+J3r3T65D5rL+1ejpT6flMY6DG78/wh7OGQaPcSEpypWTi2lXhIrydfH3BQ5cCqvm
+adNZS/BgbudIC4T0nOs7PbmzGuJmo7s06vkAhUt/HpGbjTC0xjoqPZWQVfaNzGqR
+9YSKyRFvV6EAb7s9i6h15KRRIEItQCWZtKgCJDqYcUma1WJDNuZ2WQwfrUEupioV
+BUs+joZT1unGYGhv6l+NPOw9tuPDi47Z8HzP
 -----END CERTIFICATE-----
 Bag Attributes: <No Attributes>
 subject=/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_1
diff --git a/sms-service/src/sms/auth/aaf_root_ca.cer b/sms-service/src/sms/certs/aaf_root_ca.cer
index e9a50d7..e9a50d7 100644
--- a/sms-service/src/sms/auth/aaf_root_ca.cer
+++ b/sms-service/src/sms/certs/aaf_root_ca.cer
diff --git a/sms-service/src/sms/config/config.go b/sms-service/src/sms/config/config.go
index 3901817..30caf82 100644
--- a/sms-service/src/sms/config/config.go
+++ b/sms-service/src/sms/config/config.go
@@ -29,6 +29,7 @@ type SMSConfiguration struct {
 CAFile string `json:"cafile"`
 ServerCert string `json:"servercert"`
 ServerKey string `json:"serverkey"`
+ Password string `json:"password"`
 BackendAddress string `json:"smsdbaddress"`
 VaultToken string `json:"vaulttoken"`
diff --git a/sms-service/src/sms/sms.go b/sms-service/src/sms/sms.go
index fea6b10..9fc60bb 100644
--- a/sms-service/src/sms/sms.go
+++ b/sms-service/src/sms/sms.go
@@ -67,14 +67,16 @@ func main() {
 smslogger.WriteWarn("TLS is Disabled")
 err = httpServer.ListenAndServe()
 } else {
- // TODO: Use CA certificate from AAF
- tlsConfig, err := smsauth.GetTLSConfig(smsConf.CAFile)
- if err != nil {
+ // Populate TLSConfig with the certificates and privatekey
+ // information
+ tlsConfig, err := smsauth.GetTLSConfig(smsConf.CAFile, smsConf.ServerCert, smsConf.ServerKey)
+ if smslogger.CheckError(err, "Get TLS Configuration") != nil {
 log.Fatal(err)
 }
 httpServer.TLSConfig = tlsConfig
- err = httpServer.ListenAndServeTLS(smsConf.ServerCert, smsConf.ServerKey)
+ // empty strings because tlsconfig already has this information
+ err = httpServer.ListenAndServeTLS("", "")
 }
 if err != nil && err != http.ErrServerClosed {
diff --git a/sms-service/src/sms/smsconfig.json.template b/sms-service/src/sms/smsconfig.json.template
index b74bdff..1779342 100644
--- a/sms-service/src/sms/smsconfig.json.template
+++ b/sms-service/src/sms/smsconfig.json.template
@@ -1,7 +1,8 @@
 {
- "cafile": "auth/aaf_root_ca.cer",
- "servercert": "auth/aaf-sms.api.simpledemo.onap.org.pem",
- "serverkey": "auth/aaf-sms.api.simpledemo.onap.org.pr",
+ "cafile": "certs/aaf_root_ca.cer",
+ "servercert": "certs/aaf-sms.pub",
+ "serverkey": "certs/aaf-sms.pr",
+ "password": "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZAo=",
 "smsdbaddress": "http://localhost:8200",
 "vaulttoken": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
diff --git a/sms-service/src/sms/test/loop_test.sh b/sms-service/src/sms/test/loop_test.sh
index a48c9b1..5fed4d2 100644
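Review bot: The added Password field carries no comment, and nothing in the struct says the value is base64 rather than the raw passphrase (auth.go runs it through base64.StdEncoding before handing it to DecryptPEMBlock), which is exactly the detail a deployer gets wrong. Suggest `Password string `json:"password"` // base64 of the passphrase for the encrypted ServerKey PEM; decoded in auth.readPEMBlock`. Since auth.go reads it as the package-level smsconfig.SMSConfig, make sure no startup path logs or marshals the whole struct, or the passphrase goes with it; the struct and its loader continue outside the hunk.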
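Review bot: `tlsConfig, err := ...` inside the else block declares a new err that shadows the outer one, so the later `err = httpServer.ListenAndServeTLS("", "")` assigns the inner variable and the `if err != nil && err != http.ErrServerClosed` check after the block never sees a TLS listener failure (the plain-HTTP branch assigns the outer err and is unaffected). The removed line used the same `:=`, so the shadowing predates this commit, but the hunk rewrites those lines anyway: use `tlsConfig, tlsErr := smsauth.GetTLSConfig(smsConf.CAFile, smsConf.ServerCert, smsConf.ServerKey)`, `if smslogger.CheckError(tlsErr, "Get TLS Configuration") != nil {` and `log.Fatal(tlsErr)`, leaving `err = httpServer.ListenAndServeTLS("", "")` to assign the outer variable. The shadow analyzer from golang.org/x/tools flags this pattern. main() begins before and ends after the hunk.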
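Review bot: The template's "password" ends in `ZAo=` whereas the deploy copy in bin/deploy/smsconfig.json ends in `ZA==`, so this value decodes to the same passphrase with a trailing newline appended (the signature of `echo ... | base64` rather than `printf '%s'`), and DecryptPEMBlock will derive a different key from it, meaning a service configured from this template cannot open certs/aaf-sms.pr although the deploy config can. Regenerate it with `printf '%s' "$passphrase" | base64` so the two agree, or drop the literal and leave a placeholder that documents the format: `"password": "<base64 of the key passphrase, no trailing newline>"`. Either way the field should be described as an encoding, not a protection, since anyone who can read this file can recover the passphrase.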
--- a/sms-service/src/sms/test/loop_test.sh
+++ b/sms-service/src/sms/test/loop_test.sh
@@ -6,54 +6,54 @@ PORT=$2
 for i in `seq 1 2`; do
 echo -e "${RED}----------------BEGIN GET STATUS----------------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X GET \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X GET \
 https://${URL}:${PORT}/v1/sms/quorum/status
 echo -e "${RED}----------------BEGIN CREATE SECRET DOMAIN------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X POST \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X POST \
 -d @test/test_create_domain.json https://${URL}:${PORT}/v1/sms/domain
 echo -e "${RED}----------------BEGIN CREATE SECRET 1-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X POST \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X POST \
 -d @test/test_create_secret1.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 echo -e "${RED}----------------BEGIN CREATE SECRET 2-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X POST \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X POST \
 -d @test/test_create_secret2.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 echo -e "${RED}----------------BEGIN CREATE SECRET 3-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X POST \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X POST \
 -d @test/test_create_secret3.json https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 echo -e "${RED}----------------BEGIN LIST SECRET---------------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X GET \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X GET \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret
 echo -e 
"${RED}----------------BEGIN GET SECRET 1--------------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X GET \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X GET \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
 echo -e "${RED}----------------BEGIN GET SECRET 2--------------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X GET \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X GET \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
 echo -e "${RED}----------------BEGIN GET SECRET 3--------------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X GET \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X GET \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
 echo -e "${RED}----------------BEGIN DELETE SECRET 1-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X DELETE \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X DELETE \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret1
 echo -e "${RED}----------------BEGIN DELETE SECRET 2-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X DELETE \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X DELETE \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret2
 echo -e "${RED}----------------BEGIN DELETE SECRET 3-----------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X DELETE \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X DELETE \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain/secret/curltestsecret3
 echo -e "${RED}----------------BEGIN DELETE SECRET DOMAIN------${NC}"
- curl -i -w "\n" -H "Accept: application/json" --cacert auth/aaf_root_ca.cer -X DELETE \
+ curl -i -w "\n" -H "Accept: application/json" --cacert certs/aaf_root_ca.cer -X DELETE \
 https://${URL}:${PORT}/v1/sms/domain/curltestdomain
 done |