authorKiran Kamineni <kiran.k.kamineni@intel.com>2018-09-05 20:28:54 +0000
committerGerrit Code Review <gerrit@onap.org>2018-09-05 20:28:54 +0000
commit8420cc7411f57c6df9d25ca48f0dd942b3cbe64a (patch)
tree1fbd0bfaadf83c497f95d080a93c511272985b1a
parent92ebe6a7a1f50ce49bf7839f6f80f37a6ee8732a (diff)
parenta0865eeaad17733a2d21cc141fba168663c9f539 (diff)
Merge "Script for SoftHSMv2 fallback mechanism"
-rwxr-xr-xbin/caservicecontainer/README27
-rwxr-xr-xbin/caservicecontainer/application.sh30
-rwxr-xr-xbin/caservicecontainer/dockerfile36
-rwxr-xr-xbin/caservicecontainer/import.sh88
-rwxr-xr-xbin/caservicecontainer/softhsmconfig.sh41
-rwxr-xr-xbin/caservicecontainer/test.sh109
6 files changed, 183 insertions, 148 deletions
diff --git a/bin/caservicecontainer/README b/bin/caservicecontainer/README
index c4c73e8..930d510 100755
--- a/bin/caservicecontainer/README
+++ b/bin/caservicecontainer/README
@@ -1,9 +1,6 @@
-### Copy the ~/sshsm/test/integration/samplecaservicecontainer to /tmp/samplecaservicecontainer on host machine where the
-### containers will be running
-### "samplecaservicecontainer" directory is considered as the sample shared volume for now
-### The files directory will be mounted on the container
-### the bash script test.sh ~/sshsm/test/integration/samplecaservicecontainer/scripts has the steps which are executed by this container as per design. It can be run by the user with sudo rights
+### Create a directory /tmp/volume (mkdir -p /tmp/volume) on host.
+### This is used as shared volume and mounted inside container
### Build docker image with a base image
@@ -11,10 +8,26 @@
$ docker build -t <image name> -f dockerfile .
````
-### Running the CA service container
+### Running the CA service container - Below command will run and log you into the container
````
-$ docker run -d -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/samplecaservicecontainer:/tmp/files:rw --name CAServicecontainer <image name>
+$ docker run -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/volume:/tmp/files:rw --name <container name> -i -t --entrypoint=/bin/bash <image name>
````
+### Running the Import utility
+````
+$ import.sh
+````
#### Make sure the TABRMD container is running on the same dbus mountpoint on the host as the CA service container
+
+### Expected Input files for SoftHSM operations
+### 1. passphrase 2. privkey.pem.gpg 3. ca.cert
+### Output - None
+
+### Expected Input files for TPM Hardware opeartion
+### 1. ca.cert 2. duPEncKey 3. dupPriv 4. dupPub 5. dupSymseed 6. tpm_handle (srkhandle)
+### Output - None
+
+### Expected Input for Application's operations
+### 1. test.csr 2. CaSign.java(Application file) 3. ca.cert
+### Output - test.cert (in /tmp Directory)
diff --git a/bin/caservicecontainer/application.sh b/bin/caservicecontainer/application.sh
new file mode 100755
index 0000000..1a723ea
--- /dev/null
+++ b/bin/caservicecontainer/application.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# This script takes 4 arguments
+key_label=$1
+SoftHSMv2SlotID=$2
+upin=$3
+cert_id=$4
+
+# Location to fecth SoftHSM library required by application
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+
+# Setting up the java application and running the application
+# 1. Create the configuration pkcs11.cfg for the application
+touch /tmp/pkcs11.cfg
+chmod 755 /tmp/pkcs11.cfg
+echo "name = ${key_label}" >> /tmp/pkcs11.cfg
+echo "The location of applicationms library is ${applicationlibrary}"
+echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
+echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
+
+# 2. Compile the Application
+cd /tmp/files
+cp test.csr /tmp/test.csr
+javac CaSign.java
+
+# 3. Run the Application
+java CaSign ${upin} 0x${cert_id}
+
+# 4. Verify the generated certificate
+openssl verify -verbose -CAfile ca.cert /tmp/test.cert \ No newline at end of file
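Review bot: The three `echo ... >> /tmp/pkcs11.cfg` writes append to whatever is already in the file, and because `touch` never truncates, a second run of this script leaves duplicate `name =`/`library =`/`slot =` entries for the PKCS#11 provider to parse; writing the file in one truncating step, `printf 'name = %s\nlibrary = %s\nslot = %s\n' "${key_label}" "${applicationlibrary}" "${SoftHSMv2SlotID}" > /tmp/pkcs11.cfg`, avoids that and drops the need for `touch`. The `cd /tmp/files` is unchecked and the script has no `set -e`, so a missing volume mount makes `javac`/`java` run in the wrong directory and the script still reports success; `cd /tmp/files || exit 1` is the minimal guard. The user PIN is also handed to the application as an argv value (`java CaSign ${upin} 0x${cert_id}`), where it is visible to any process listing inside the container; reading it from the environment or a file would keep it off the command line. `chmod 755` on a configuration file grants an executable bit nothing needs; 644 is sufficient.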
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
index bad49d1..7a70dc9 100755
--- a/bin/caservicecontainer/dockerfile
+++ b/bin/caservicecontainer/dockerfile
@@ -1,6 +1,5 @@
-
# Base Image for the build
-FROM rmannfv/aaf-base:xenial
+FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest
# Files required for the Java application
RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
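Review bot: The new `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest` line pins the base image to the mutable `latest` tag, so two builds of this dockerfile can start from different images and the resulting container is not reproducible or auditable; pin a specific tag or a digest, e.g. `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial@sha256:<digest-placeholder>`. The unchanged `wget` of the BouncyCastle jars in the same hunk has the same gap: nothing verifies what was downloaded before it is copied into the JRE `ext` directory, so a `sha256sum -c` against a recorded checksum after the download (or a `COPY` of vendored, checked-in jars) would close it.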
@@ -14,36 +13,9 @@ RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
RUN cp ./bcpg-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
RUN cp ./bctls-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext
-# Clone the sshsm repo
-RUN git clone https://gerrit.onap.org/r/aaf/sshsm
-
-# Build SoftHSMv2
-RUN cd sshsm && \
- cd SoftHSMv2 && \
- sh autogen.sh && \
- ./configure --disable-gost && \
- make && \
- make install
-
# Create the directory for mounting the shared voulme
RUN mkdir -p /tmp/files
-# Build TPM-Plugin
-RUN cd sshsm && \
- chmod 755 TPM2-Plugin/ && \
- cd TPM2-Plugin && \
- chmod 755 bootstrap && \
- sleep 2 && \
- ./bootstrap && \
- ./configure && \
- make && \
- make install && \
- ldconfig && \
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
-
-RUN cd sshsm && \
- cd tpm-util && \
- cd import && \
- make -f sampleMakefile
-
-COPY ./test.sh /
+COPY ./import.sh /
+COPY ./softhsmconfig.sh /
+COPY ./application.sh /
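Review bot: With the SoftHSMv2, TPM2-Plugin and tpm-util build steps removed, nothing in this dockerfile produces `/usr/local/lib/libtpm2-plugin.so`, `softhsm2-util` or `/tpm-util/bin/ossl_tpm_import`, all of which the copied `softhsmconfig.sh` and `import.sh` rely on; presumably the new base image ships them, but that dependency is not recorded anywhere in the file. A comment above the `COPY` lines, such as `# softhsm2-util, libtpm2-plugin.so and /tpm-util/bin are expected to be provided by the base image`, would make the assumption visible so a base-image change does not silently break `import.sh` at runtime.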
diff --git a/bin/caservicecontainer/import.sh b/bin/caservicecontainer/import.sh
new file mode 100755
index 0000000..f7aaca8
--- /dev/null
+++ b/bin/caservicecontainer/import.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# NOTE - This scripts expects the Init and the Duplicate tools to be already
+# run and the output files(listedb in README) to be present at the
+# shared volume (input for Import tool)
+
+set -e
+
+#Placeholder of Input files to the Import tool which is the output of duplicate tool
+sharedvolume="/tmp/files"
+#key_id is the parameter expected by SoftHSM
+key_id="8738"
+#TPM handle
+tpm_handle="0x81000011"
+#Key_label is the parameter expected by SoftHSM
+key_label="ABC"
+#UserPin for the SoftHSM operations
+upin="123456789"
+#SoPin for the SoftHSM operations
+sopin="123456789"
+#Slot number for the SoftHSM operations. Initially it should be started with 0
+slot_no="0"
+#Name for creating the slot used by SoftHSM
+token_no="Token1"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+
+# 1.Initialize the token/
+ softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \
+ --pin ${upin} --so-pin ${sopin}
+ softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+ SoftHSMv2SlotID="$(cat slotinfo.txt)"
+ echo "The slot ID used is ${SoftHSMv2SlotID}"
+
+# 2.Plugin directory for the SoftHSM to load plugin and for further operations
+if [ -f ${sharedvolume}/out_parent_public ]; then
+
+ # 2.a Copy the required input files for the Import tool
+ cp ${sharedvolume}/dup* /tpm-util/bin/
+
+ # 2.b Run the Import Utility
+ cd /tpm-util/bin
+ ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
+-dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+
+ cd /
+ chmod 755 softhsmconfig.sh
+ ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID
+else
+
+# 3 SoftHSM mode implementation
+
+ echo "TPM hardware unavailable. Using SoftHSM implementation"
+
+ cd ${sharedvolume}
+
+ # 3.a Extract the Private key using passphrase
+ passphrase="$(cat passphrase)"
+ echo "${passphrase}"
+ echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg
+
+ # 3.b Convert the Private key pem into der format
+ openssl rsa -in ./privkey.pem -outform DER -out privatekey.der
+
+ # 3.c Load the Private key into SoftHSM
+ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+ --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label}
+
+fi
+
+# 3.a Application operation
+cd ${sharedvolume}
+
+# 3.b Convert the crt to der format
+openssl x509 -in ca.cert -outform der -out ca.der
+
+# 3.c Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+--write-object ./ca.der --type cert --id ${cert_id}
+
+# 4. Calling the functionalities of the sample application
+cd /
+chmod 755 application.sh
+./application.sh $key_label $SoftHSMv2SlotID $upin $cert_id
+
+# 5. Cleanup
+cd /
+rm -rf slotinfo.txt
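Review bot: The `softhsm2-util --init-token` call reads `${token_name}`, but the variable defined above is `token_no`, so the token is initialised with an empty label; either change the definition to `token_name="Token1"` or the argument to `--label "${token_no}"`, and adding `set -u` next to `set -e` would have caught this. The `echo "${passphrase}"` before the gpg call prints the private-key passphrase to stdout, where it lands in the container log; that line should be removed. The user and SO PINs are fixed in the script and handed to `softhsmconfig.sh` and `application.sh` as positional arguments, which makes them visible in process listings; reading them from the shared volume or the environment, as the passphrase already is, would be more consistent. The slot lookup appends with `>> slotinfo.txt`, so a stale file left by an aborted earlier run changes what `cat slotinfo.txt` returns; a plain `>` redirect (or capturing the pipeline directly into `SoftHSMv2SlotID`) avoids the temp file entirely.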
diff --git a/bin/caservicecontainer/softhsmconfig.sh b/bin/caservicecontainer/softhsmconfig.sh
new file mode 100755
index 0000000..5464263
--- /dev/null
+++ b/bin/caservicecontainer/softhsmconfig.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# This script will take six parameters as input
+tpm_handle=$1
+key_id=$2
+key_label=$3
+upin=$4
+sopin=$5
+SoftHSMv2SlotID=$6
+
+# export Pluginlibrary's location
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+
+SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+# Configuration generation for SoftHSM
+# 1.a Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+# 1.b Copy the Plugin library and create the required Configuration
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 1.d Copy the output of Import utility into the directory where SoftHSMv2 expects
+cp /tpm-util/bin/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp /tpm-util/bin/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
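Review bot: The `key01/pkcs11.cfg` file receives `upin:` and `sopin:` lines but is created with `chmod 755`, leaving both PINs world-readable (and needlessly executable); `chmod 600` is the appropriate mode for that file, and `Afile1.id1` likewise does not need 755. Every `echo >> ...pkcs11.cfg` appends, so a second invocation with a different slot or PIN leaves both sets of lines in the file; truncating first with `: > "${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg"` or writing the whole file with one `printf ... >` keeps it single-valued. The script has no `set -e`, so a failed `cp ${pluginlibrary} ...` or a missing `/tpm-util/bin/outPriv` continues silently and the caller `import.sh`, which does run under `-e`, never sees the failure; `set -e` at the top is the minimal fix. The six positional parameters are also unquoted and unchecked, so a short argument list shifts every later value; guards of the form `: "${6:?SoftHSMv2 slot id required}"` would reject that up front.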
diff --git a/bin/caservicecontainer/test.sh b/bin/caservicecontainer/test.sh
deleted file mode 100755
index 9ef4cf9..0000000
--- a/bin/caservicecontainer/test.sh
+++ /dev/null
@@ -1,109 +0,0 @@
-
-#NOTE - This scripts expects the Init and the Duplicate tools to be already run and the output files to be present at the
-# shared volume (input for Import tool)
-
-#!/bin/bash
-set -e
-
-#Placeholder of Input files to the Import tool which is the output of duplicate tool
-duplicatetooldir="/tmp/files/duplicatetoolfiles"
-#Pluginlibrary
-pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
-#key_id is the parameter expected by SoftHSM
-key_id="8738"
-#TPM handle
-tpm_handle="0x81000011"
-#Key_label is the parameter expected by SoftHSM
-key_label="ABC"
-#UserPin for the SoftHSM operations
-upin="123456789"
-#SoPin for the SoftHSM operations
-sopin="123456789"
-#Slot number for the SoftHSM operations. Initially it should be started with 0
-slot_no="0"
-#Name for creating the slot used by SoftHSM
-token_no="Token1"
-#Location for the application to fecth SoftHSM library
-applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
-#cert_id is the input for the application which is hexadecimal equivalent of key_id
-cert_id=$(printf '%x' ${key_id})
-
-#Plugin directory for the SoftHSM to load plugin and for further operations
-if [ ! "$SSHSM_HW_PLUGINS_PARENT_DIR" ]
-then
- echo "There is no Plugin directory assigned. Hence creating the directory required by SoftHSM"
- SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
-fi
- mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
-echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
-
-mkdir -p /var/run/dbus
-
-# Initialize the token
-softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" --pin ${upin} --so-pin ${sopin}
-softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
-SoftHSMv2SlotID="$(cat slotinfo.txt)"
-echo "${SoftHSMv2SlotID}"
-
-# 1. Create the directory as expected by the SoftHSM to read the files
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
-
-cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
-touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-
-# 2. Generate the pkcs11.cfg file required for the SoftHSM opeations
-touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "${key_id}"
-echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "${key_label}"
-echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "sopin is ${sopin}"
-echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-
-# 3.a Copy the required input files for the Import tool
-cp ${duplicatetooldir}/* /sshsm/tpm-util/initandverify
-
-# 3.b Run the Import Utility
-cd /sshsm/tpm-util/initandverify
-./ImportTpmKey.sh
-
-# 3.c Copy the output of the Import utility to the directory that SoftHSMv2 expects
-cp /sshsm/tpm-util/initandverify/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
-cp /sshsm/tpm-util/initandverify/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
-
-# Setting up the java application and running the application
-# 4. Create the configuration pkcs11.cfg for the application
-touch /tmp/pkcs11.cfg
-chmod 755 /tmp/pkcs11.cfg
-echo "name = ${key_label}" >> /tmp/pkcs11.cfg
-echo "${applicationlibrary}"
-echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
-echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
-
-# 5. Compile the Application
-cd /tmp/files/applicationfiles
-cp test.csr /tmp/test.csr
-javac CaSign.java
-
-# 6. Convert the crt to der format
-openssl x509 -in ca.cert -outform der -out ca.der
-
-# 7. Add the ca certificate
-pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} --write-object ./ca.der --type cert --id ${cert_id}
-
-# 8. Run the Application
-java CaSign ${upin} 0x${cert_id}
-
-# 9. Verify the generated certificate
-openssl verify -verbose -CAfile ca.cert /tmp/test.cert
-
-# 10. CleanUp
-cd /
-rm -rf slotinfo.txt