Merge "Adding the CA service container"

3 files changed, 183 insertions, 0 deletions

diff --git a/bin/caservicecontainer/README b/bin/caservicecontainer/README
new file mode 100755
index 0000000..c4c73e8
--- /dev/null
+++ b/bin/caservicecontainer/README
@@ -0,0 +1,20 @@
+
+### Copy the ~/sshsm/test/integration/samplecaservicecontainer to /tmp/samplecaservicecontainer on host machine where the
+### containers will be running
+### "samplecaservicecontainer" directory is considered as the sample shared volume for now
+### The files directory will be mounted on the container
+### the bash script test.sh ~/sshsm/test/integration/samplecaservicecontainer/scripts has the steps which are executed by this container as per design. It can be run by the user with sudo rights
+
+### Build docker image with a base image
+
+````
+$ docker build -t <image name> -f dockerfile .
+````
+
+### Running the CA service container
+
+````
+$ docker run -d -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/samplecaservicecontainer:/tmp/files:rw --name CAServicecontainer <image name>
+````
+
+#### Make sure the TABRMD container is running on the same dbus mountpoint on the host as the CA service container
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
new file mode 100755
index 0000000..8557181
--- /dev/null
+++ b/bin/caservicecontainer/dockerfile
@@ -0,0 +1,54 @@
+
+# Base Image for the build
+FROM rmannfv/aaf-base:xenial
+
+RUN apt-get update
+RUN apt-get install -y softhsm2
+RUN apt-get install -y opensc
+
+# Files required for the Java application
+RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcpkix-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcmail-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcpg-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bctls-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bctest-jdk15on-159.jar
+RUN cp ./bcpkix-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcprov-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcpg-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bctls-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext
+
+# Clone the sshsm repo
+RUN git clone https://gerrit.onap.org/r/aaf/sshsm
+
+# Build SoftHSMv2
+RUN cd sshsm && \
+  cd SoftHSMv2 && \
+  sh autogen.sh && \
+  ./configure --disable-gost && \
+  make && \
+  make install
+
+# Create the directory for mounting the shared voulme
+RUN mkdir -p /tmp/files
+
+# Build TPM-Plugin
+RUN cd sshsm && \
+  chmod 755 TPM2-Plugin/ && \
+  cd TPM2-Plugin && \
+  chmod 755 bootstrap && \
+  sleep 2 && \
+  ./bootstrap && \
+  ./configure && \
+  make && \
+  make install && \
+  ldconfig && \
+  export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
+
+RUN cd sshsm && \
+  cd tpm-util && \
+  cd import && \
+  make -f sampleMakefile
+
+COPY ./test.sh /
diff --git a/bin/caservicecontainer/test.sh b/bin/caservicecontainer/test.sh
new file mode 100755
index 0000000..9ef4cf9
--- /dev/null
+++ b/bin/caservicecontainer/test.sh
@@ -0,0 +1,109 @@
+
+#NOTE - This scripts expects the Init and the Duplicate tools to be already run and the output files to be present at the
+# shared volume (input for Import tool)
+
+#!/bin/bash
+set -e
+
+#Placeholder of Input files to the Import tool which is the output of duplicate tool
+duplicatetooldir="/tmp/files/duplicatetoolfiles"
+#Pluginlibrary
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+#key_id is the parameter expected by SoftHSM
+key_id="8738"
+#TPM handle
+tpm_handle="0x81000011"
+#Key_label is the  parameter expected by SoftHSM
+key_label="ABC"
+#UserPin for the SoftHSM operations
+upin="123456789"
+#SoPin for the SoftHSM operations
+sopin="123456789"
+#Slot number for the SoftHSM operations. Initially it should be started with 0
+slot_no="0"
+#Name for creating the slot used by SoftHSM
+token_no="Token1"
+#Location for the application to fecth SoftHSM library
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+
+#Plugin directory for the SoftHSM to load plugin and for further operations
+if [ ! "$SSHSM_HW_PLUGINS_PARENT_DIR" ]
+then
+    echo "There is no Plugin directory assigned. Hence creating the directory required by SoftHSM"
+    SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+fi
+    mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+mkdir -p /var/run/dbus
+
+# Initialize the token
+softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" --pin ${upin} --so-pin ${sopin}
+softhsm2-util --show-slots | grep 'Slot ' | cut -d\           -f2 | head -1 >> slotinfo.txt
+SoftHSMv2SlotID="$(cat slotinfo.txt)"
+echo "${SoftHSMv2SlotID}"
+
+# 1. Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 2. Generate the pkcs11.cfg file required for the SoftHSM opeations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "${key_id}"
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "${key_label}"
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin is ${sopin}"
+echo "slot:${SoftHSMv2SlotID}" >>  ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 3.a Copy the required input files for the Import tool
+cp ${duplicatetooldir}/* /sshsm/tpm-util/initandverify
+
+# 3.b Run the Import Utility
+cd /sshsm/tpm-util/initandverify
+./ImportTpmKey.sh
+
+# 3.c Copy the output of the Import utility to the directory that SoftHSMv2 expects
+cp /sshsm/tpm-util/initandverify/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp /sshsm/tpm-util/initandverify/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
+
+# Setting up the java application and running the application
+# 4. Create the configuration pkcs11.cfg for the application
+touch /tmp/pkcs11.cfg
+chmod 755 /tmp/pkcs11.cfg
+echo "name = ${key_label}" >> /tmp/pkcs11.cfg
+echo "${applicationlibrary}"
+echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
+echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
+
+# 5. Compile the Application
+cd /tmp/files/applicationfiles
+cp test.csr /tmp/test.csr
+javac CaSign.java
+
+# 6. Convert the crt to der format
+openssl x509 -in ca.cert -outform der -out ca.der
+
+# 7. Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} --write-object ./ca.der --type cert --id ${cert_id}
+
+# 8. Run the Application
+java CaSign ${upin} 0x${cert_id}
+
+# 9. Verify the generated certificate
+openssl verify -verbose -CAfile ca.cert /tmp/test.cert
+
+# 10. CleanUp
+cd /
+rm -rf slotinfo.txt