-rwxr-xr-xbin/base/application.sh10
-rwxr-xr-xbin/base/import.sh117
-rwxr-xr-xbin/base/softhsmconfig.sh43
-rw-r--r--bin/base/xenialdockerfile6
4 files changed, 176 insertions, 0 deletions
diff --git a/bin/base/application.sh b/bin/base/application.sh
new file mode 100755
index 0000000..cb7db08
--- /dev/null
+++ b/bin/base/application.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+# This script receives 2 arguments
+applicationlibrary=$1
+SoftHSMv2SlotID=$2
+
+# Setting up the pkcs11 config file
+echo "library = ${applicationlibrary}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
+echo "slot = ${SoftHSMv2SlotID}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
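Review bot: Both writes to org.osaaf.aaf.cm.pkcs11 use `>>`, so every run of the script (each container start that goes through import.sh) appends another `library =` / `slot =` pair and the consumer sees an ever-growing file with conflicting values. Since the two lines are the whole file, write it atomically in one go, e.g. `printf 'library = %s\nslot = %s\n' "$applicationlibrary" "$SoftHSMv2SlotID" > /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11`. The comment says the script receives two arguments but nothing enforces it; an empty slot silently produces `slot = `, so add `[ $# -eq 2 ] || { echo "usage: $0 <library> <slot>" >&2; exit 1; }` before the assignments. Missing documentation: a one-line header stating what the generated file is consumed by would help the next maintainer.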
diff --git a/bin/base/import.sh b/bin/base/import.sh
new file mode 100755
index 0000000..96a2489
--- /dev/null
+++ b/bin/base/import.sh
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# CA key import script for both tpm and softhsm case
+# required inputs are passed in through mount volume by oom
+
+set -e
+
+#if pkcs11 is not configured exit gracefully
+str=$(awk '/org.osaaf.aaf.cm.pkcs11/{print $0}' /opt/app/osaaf/local/org.osaaf.cm.ca.props)
+if [ ! -z $str ];then
+ echo "Using pkcs11 configuration"
+else
+ echo "Not using pkcs11 configuration"
+ exit 0
+fi
+
+
+#mount path for input files
+mountvolume="/tmp/files"
+#key_id in decimal
+key_id="8738"
+#Key_label used for key import
+key_label="localca"
+#Initial slot number
+slot_no="0"
+#Token name
+token_name="CAToken"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+#SoftHSM2 lib location
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+#User pin for the SoftHSM operations
+cd /
+phrase="$(cat ${mountvolume}/passphrase-pin)"
+cp ${mountvolume}/upin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 upin.txt.gpg
+upin="$(cat upin.txt)"
+rm -f upin.txt
+rm -f upin.txt.gpg
+#SoPin for the SoftHSM operations
+cp ${mountvolume}/sopin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 sopin.txt.gpg
+sopin="$(cat sopin.txt)"
+rm -f sopin.txt
+rm -f sopin.txt.gpg
+
+# Initialize the token and set the perms on the .sh files
+softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \
+ --pin ${upin} --so-pin ${sopin}
+softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+SoftHSMv2SlotID="$(cat slotinfo.txt)"
+rm -rf slotinfo.txt
+
+chmod 755 /sshsm/bin/softhsmconfig.sh
+chmod 755 /sshsm/bin/application.sh
+
+# import the key either to tpm or softhsm
+if [ -f ${mountvolume}/out_parent_public ]; then
+
+ #tpm import password
+ phrase="$(cat ${mountvolume}/passphrase-ipass)"
+ cp ${mountvolume}/ipass.txt.gpg .
+ echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 ipass.txt.gpg
+ ipass="$(cat ipass.txt)"
+ rm -f ipass.txt
+ #TPM handle
+ tpm_handle="$(cat ${mountvolume}/tpm-handle.txt)"
+ # Copy the required input files for the Import tool
+ cp ${mountvolume}/dup* /tpm-util/bin/
+
+ # Run the Import Utility
+ cd /tpm-util/bin
+ ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
+ -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \
+ -password $ipass
+
+ # setup tpm-softhsm specific config
+ cd /sshsm/bin
+ ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID \
+ "/tpm-util/bin/outPriv" "/tpm-util/bin/outPub"
+else
+
+# SoftHSM mode implementation
+
+ echo "TPM hardware unavailable, using SoftHSM implementation"
+
+ # Extract the Private key using passphrase
+ passphrase="$(cat ${mountvolume}/passphrase)"
+ cp ${mountvolume}/privkey.pem.gpg .
+ echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg
+
+ # Convert the Private key pem into der format
+ openssl rsa -in ./privkey.pem -outform DER -out privatekey.der
+
+ # Load the Private key into SoftHSM
+ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+ --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label}
+
+ # Clenup the files
+ rm -f privkey.pem
+ rm -f privatekey.der
+ rm -f privkey.pem.gpg
+
+fi
+
+cd /
+# Convert the crt to der format
+openssl x509 -in ${mountvolume}/ca.cert -outform der -out ca.der
+
+# Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+--write-object ./ca.der --type cert --id ${cert_id}
+
+rm -f ca.der
+
+# Call app specific script
+/sshsm/bin/application.sh $applicationlibrary $SoftHSMv2SlotID
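Review bot: The decrypted PINs and the TPM import password are handed to child processes on argv (`--pin ${upin} --so-pin ${sopin}` to softhsm2-util, `-password $ipass` to ossl_tpm_import, and `$upin $sopin` to softhsmconfig.sh), which makes them readable in `ps`/`/proc/*/cmdline` by any process in the container for the lifetime of each call, even though the script already takes care to pass the gpg passphrase over a pipe; where the tool supports it, prefer stdin, an environment variable or a prompt, and pass the PINs to softhsmconfig.sh via the environment rather than positional parameters. Separately, the pkcs11 check at the top, `if [ ! -z $str ];then`, leaves `$str` unquoted: a line containing spaces makes `[` fail with "too many arguments", which lands in the else branch and exits 0 as "not configured"; use `if [ -n "$str" ]; then`. The script sets `-e` but not `pipefail`, so a failing `softhsm2-util --show-slots` in the `| grep | cut | head` pipeline yields an empty SoftHSMv2SlotID instead of stopping; `set -eo pipefail` plus a `[ -n "$SoftHSMv2SlotID" ]` check would catch that, and `slotinfo.txt` is written with `>>` so a leftover file from a previous run would also be picked up.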
diff --git a/bin/base/softhsmconfig.sh b/bin/base/softhsmconfig.sh
new file mode 100755
index 0000000..91c76d5
--- /dev/null
+++ b/bin/base/softhsmconfig.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# This script will take six parameters as input
+tpm_handle=$1
+key_id=$2
+key_label=$3
+upin=$4
+sopin=$5
+SoftHSMv2SlotID=$6
+outprivfile=$7
+outpubfile=$8
+
+# export Pluginlibrary's location
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+
+SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+# Configuration generation for SoftHSM
+# 1.a Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+# 1.b Copy the Plugin library and create the required Configuration
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 1.d Copy the output of Import utility into the directory where SoftHSMv2 expects
+cp $outprivfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp $outpubfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
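Review bot: pkcs11.cfg is created with `chmod 755` and then has `upin:` and `sopin:` written into it, so the HSM user and SO PINs end up in a world-readable file under /tmp/hwparent; the file only needs to be readable by the SoftHSM process, so `chmod 600` (or a `umask 077` at the top of the script) is the right mode, and the same applies to Afile1.id1 unless something needs it executable. The `>>` writes also mean a re-run appends a second set of `key_id:`/`upin:`/`slot:` lines rather than replacing the file; a single `>` redirect (or a heredoc) producing the whole file is safer. Minor: the header comment says "six parameters" while the script reads eight (`$7` and `$8` are the key file paths), and `$outprivfile`/`$outpubfile` are unquoted in the `cp` lines.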
diff --git a/bin/base/xenialdockerfile b/bin/base/xenialdockerfile
index f28ed0f..b786541 100644
--- a/bin/base/xenialdockerfile
+++ b/bin/base/xenialdockerfile
@@ -96,7 +96,13 @@ RUN mkdir tpm-util
RUN cd tpm-util && \
mkdir bin
RUN cp /sshsm/tpm-util/import/ossl_tpm_import /tpm-util/bin/
+
RUN rm -rf tpm2-tss
RUN rm -rf tpm2-abrmd
RUN rm -rf tpm2-tools
RUN rm -rf sshsm
+
+RUN mkdir -p /sshsm/bin
+COPY ./import.sh /sshsm/bin
+COPY ./softhsmconfig.sh /sshsm/bin
+COPY ./application.sh /sshsm/bin
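Review bot: The three scripts are copied into /sshsm/bin without setting their mode, and import.sh then runs `chmod 755` on softhsmconfig.sh and application.sh at container start; fixing the mode at build time keeps the runtime script from needing write access to its own install directory, e.g. a single `RUN chmod 755 /sshsm/bin/*.sh` after the COPY lines (or a `COPY --chmod=755` if the build uses BuildKit). The three COPY instructions could also be folded into one layer, `COPY ./import.sh ./softhsmconfig.sh ./application.sh /sshsm/bin/`, with a trailing slash so the destination is unambiguously a directory.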