Diffstat (limited to 'bin')
-rwxr-xr-xbin/base/build_base_images.sh48
-rw-r--r--bin/base/openssldockerfile69
-rw-r--r--bin/base/xenialdockerfile102
-rwxr-xr-xbin/caservicecontainer/dockerfile5
-rw-r--r--bin/distcenter/Dockerfile7
-rw-r--r--bin/distcenter/README.md17
-rw-r--r--bin/distcenter/README.txt33
-rwxr-xr-xbin/distcenter/entrypoint.sh36
8 files changed, 280 insertions, 37 deletions
diff --git a/bin/base/build_base_images.sh b/bin/base/build_base_images.sh
new file mode 100755
index 0000000..b6f8783
--- /dev/null
+++ b/bin/base/build_base_images.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+DIRNAME=`dirname $0`
+DOCKER_BUILD_DIR=`cd $DIRNAME/; pwd`
+echo "DOCKER_BUILD_DIR=${DOCKER_BUILD_DIR}"
+cd ${DOCKER_BUILD_DIR}
+
+BUILD_ARGS="--no-cache"
+ORG="onap"
+VERSION="3.0.0"
+PROJECT="aaf"
+IMAGE="aaf-base"
+DOCKER_REPOSITORY="nexus3.onap.org:10003"
+IMAGE_NAME_XENIAL="${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/${IMAGE}-xenial"
+IMAGE_NAME_OPENSSL_110="${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/${IMAGE}-openssl_1.1.0"
+TIMESTAMP=$(date +"%Y%m%dT%H%M%S")
+
+if [ $HTTP_PROXY ]; then
+ BUILD_ARGS+=" --build-arg HTTP_PROXY=${HTTP_PROXY}"
+fi
+if [ $HTTPS_PROXY ]; then
+ BUILD_ARGS+=" --build-arg HTTPS_PROXY=${HTTPS_PROXY}"
+fi
+echo $BUILD_ARGS
+
+function build_image {
+ echo "Start build docker image: ${IMAGE_NAME_XENIAL}:latest"
+ docker build ${BUILD_ARGS} -t ${IMAGE_NAME_XENIAL}:latest -f xenialdockerfile .
+ echo "Start build docker image: ${IMAGE_NAME_OPENSSL_110}:latest"
+ docker build ${BUILD_ARGS} -t ${IMAGE_NAME_OPENSSL_110}:latest -f openssldockerfile .
+}
+
+function push_image {
+ echo "Start push ${IMAGE_NAME_XENIAL}:latest"
+ docker push ${IMAGE_NAME_XENIAL}:latest
+ echo "Start push ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest"
+ docker tag ${IMAGE_NAME_XENIAL}:latest ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest
+ docker push ${IMAGE_NAME_XENIAL}:${VERSION}-SNAPSHOT-latest
+ echo "Start push ${IMAGE_NAME_OPENSSL_110}:latest"
+ docker push ${IMAGE_NAME_OPENSSL_110}:latest
+ echo "Start push ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest"
+ docker tag ${IMAGE_NAME_OPENSSL_110}:latest ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest
+ docker push ${IMAGE_NAME_OPENSSL_110}:${VERSION}-SNAPSHOT-latest
+
+}
+
+build_image
+push_image
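Review bot: `echo $BUILD_ARGS` on L46 prints the full HTTP_PROXY/HTTPS_PROXY values into the build log, and proxy URLs often carry embedded credentials (`http://user:pass@proxy:port`), so a CI run of this script can leak them; drop the line or print only which flags were set, e.g. `echo "proxy args set: ${HTTP_PROXY:+HTTP_PROXY} ${HTTPS_PROXY:+HTTPS_PROXY}"`. The tests `[ $HTTP_PROXY ]` on L40/L43 are unquoted and break if the value contains whitespace; `[ -n "${HTTP_PROXY}" ]` is the usual form, and `${BUILD_ARGS}` on L50/L52 is word-split deliberately, which a comment should say. Finally, `push_image` runs unconditionally after `build_image`, so any invocation of this script re-publishes `:latest` and `${VERSION}-SNAPSHOT-latest` to the registry; a `--push` argument or an environment guard would keep a local test build from overwriting the published base images.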
diff --git a/bin/base/openssldockerfile b/bin/base/openssldockerfile
new file mode 100644
index 0000000..2607473
--- /dev/null
+++ b/bin/base/openssldockerfile
@@ -0,0 +1,69 @@
+FROM ubuntu:xenial
+
+RUN apt-get -y update && \
+ apt-get -y install \
+ autoconf \
+ autoconf-archive \
+ libglib2.0-dev \
+ libdbus-1-dev \
+ automake \
+ libtool \
+ autotools-dev \
+ libcppunit-dev \
+ p11-kit \
+ libcurl4-gnutls-dev \
+ libcmocka0 \
+ libcmocka-dev \
+ build-essential \
+ git \
+ pkg-config \
+ vim \
+ gcc \
+ g++ \
+ m4 \
+ curl \
+ wget \
+ liburiparser-dev \
+ libssl-dev \
+ pandoc \
+ opensc \
+ default-jdk
+
+RUN apt-get -y install libgcrypt20-dev
+
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git
+RUN git clone https://github.com/tpm2-software/tpm2-tools.git
+
+RUN cd tpm2-tss && \
+ git checkout 1.2.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+RUN rm -rf tpm2-tss
+
+RUN cd tpm2-tools && \
+ git checkout 2.1.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+RUN rm -rf tpm2-tools
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
+ ldconfig
+
+RUN wget https://www.openssl.org/source/openssl-1.1.0.tar.gz
+RUN gzip -d openssl-1.1.0.tar.gz
+RUN tar -xvf openssl-1.1.0.tar
+RUN cd openssl-1.1.0 && \
+ ./config && \
+ make && \
+ make install
+RUN rm -rf openssl-1.1.0
+RUN rm -rf openssl-1.1.0.tar
+RUN rm -rf openssl-1.1.0.tar.gz
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/openssl.conf && \
+ ldconfig
+RUN openssl version -v
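Review bot: The OpenSSL tarball downloaded on L132 is built and installed without any integrity check, and because L143-L144 put /usr/local/lib into ld.so.conf it becomes the libssl used by everything in the derived images; compare it against the digest published on openssl.org before unpacking, e.g. `echo "<sha256 from openssl.org>  openssl-1.1.0.tar.gz" | sha256sum -c -`, or verify the `.asc` signature. The version is the initial 1.1.0 release; the 1.1.0 branch received a long series of letter releases with security fixes afterwards, and since this build shadows the distro's libssl it will never receive apt security updates, so the pinned version should be a current point release and the choice to replace the system library should be stated in a comment. The `git checkout 1.2.0` / `git checkout 2.1.0` steps on L114 and L122 check out mutable tags with no verification; pinning to a commit hash (or adding `git verify-tag`) makes the base image reproducible.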
diff --git a/bin/base/xenialdockerfile b/bin/base/xenialdockerfile
new file mode 100644
index 0000000..f28ed0f
--- /dev/null
+++ b/bin/base/xenialdockerfile
@@ -0,0 +1,102 @@
+FROM ubuntu:xenial
+
+RUN apt-get -y update && \
+ apt-get -y install \
+ autoconf \
+ autoconf-archive \
+ libglib2.0-dev \
+ libdbus-1-dev \
+ automake \
+ libtool \
+ autotools-dev \
+ libcppunit-dev \
+ p11-kit \
+ libcurl4-gnutls-dev \
+ libcmocka0 \
+ libcmocka-dev \
+ build-essential \
+ git \
+ pkg-config \
+ vim \
+ gcc \
+ g++ \
+ m4 \
+ curl \
+ wget \
+ liburiparser-dev \
+ libssl-dev \
+ pandoc \
+ softhsm2 \
+ opensc \
+ default-jdk
+
+RUN apt-get -y install libgcrypt20-dev
+
+RUN git clone https://github.com/tpm2-software/tpm2-tss.git
+RUN git clone https://github.com/tpm2-software/tpm2-abrmd.git
+RUN git clone https://github.com/tpm2-software/tpm2-tools.git
+
+RUN cd tpm2-tss && \
+ git checkout 1.2.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+
+RUN cd tpm2-abrmd && \
+ git checkout 1.1.1 && \
+ useradd --system --user-group tss && \
+ ./bootstrap && \
+ ./configure --with-dbuspolicydir=/etc/dbus-1/system.d \
+ --with-udevrulesdir=/etc/udev/rules.d/ \
+ --with-systemdsystemunitdir=/lib/systemd/system && \
+ make && \
+ make install
+
+RUN cd tpm2-tools && \
+ git checkout 2.1.0 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install
+
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/tpm2.conf && \
+ ldconfig
+
+# Clone the sshsm repo
+RUN git clone https://gerrit.onap.org/r/aaf/sshsm
+
+# Build SoftHSMv2
+RUN cd sshsm && \
+ cd SoftHSMv2 && \
+ sh autogen.sh && \
+ ./configure --disable-gost && \
+ make && \
+ make install
+
+# Build TPM-Plugin
+RUN cd sshsm && \
+ chmod 755 TPM2-Plugin/ && \
+ cd TPM2-Plugin && \
+ chmod 755 bootstrap && \
+ sleep 2 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install && \
+ ldconfig && \
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
+
+RUN cd sshsm && \
+ cd tpm-util && \
+ cd import && \
+ make -f sampleMakefile
+
+RUN mkdir tpm-util
+RUN cd tpm-util && \
+ mkdir bin
+RUN cp /sshsm/tpm-util/import/ossl_tpm_import /tpm-util/bin/
+RUN rm -rf tpm2-tss
+RUN rm -rf tpm2-abrmd
+RUN rm -rf tpm2-tools
+RUN rm -rf sshsm
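Review bot: The `git clone https://gerrit.onap.org/r/aaf/sshsm` on L218 has no `git checkout <tag or commit>` after it, unlike the tpm2-* clones above, so SoftHSMv2, the TPM2 plugin and the `ossl_tpm_import` binary baked into this base image come from whatever the branch head happens to be at build time, and with `--no-cache` in build_base_images.sh each rebuild may silently pick up different code; pin it with `cd sshsm && git checkout <reviewed commit>` so the published aaf-base-xenial image is reproducible. The `export LD_LIBRARY_PATH=...` on L239 has no effect once that RUN layer ends; L238 already runs `ldconfig` with /usr/local/lib configured on L214, so the export can be dropped (or become an `ENV` instruction if it is really needed). The `chmod 755` and `sleep 2` steps on L230-L233 look like workarounds for a missing exec bit in the cloned repo; a comment stating why they are there would save the next maintainer from removing them.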
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
index 8557181..bad49d1 100755
--- a/bin/caservicecontainer/dockerfile
+++ b/bin/caservicecontainer/dockerfile
@@ -2,17 +2,12 @@
# Base Image for the build
FROM rmannfv/aaf-base:xenial
-RUN apt-get update
-RUN apt-get install -y softhsm2
-RUN apt-get install -y opensc
-
# Files required for the Java application
RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
RUN wget https://www.bouncycastle.org/download/bcpkix-jdk15on-159.jar
RUN wget https://www.bouncycastle.org/download/bcmail-jdk15on-159.jar
RUN wget https://www.bouncycastle.org/download/bcpg-jdk15on-159.jar
RUN wget https://www.bouncycastle.org/download/bctls-jdk15on-159.jar
-RUN wget https://www.bouncycastle.org/download/bctest-jdk15on-159.jar
RUN cp ./bcpkix-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
RUN cp ./bcprov-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
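Review bot: The base image is still `rmannfv/aaf-base:xenial` (L260), an unpinned personal-namespace Docker Hub image, even though this same commit adds bin/base/build_base_images.sh publishing the base as `nexus3.onap.org:10003/onap/aaf/aaf-base-xenial`; the service container therefore builds on an image the project does not control or reproduce. Switch to the project image and pin it by digest, e.g. `FROM nexus3.onap.org:10003/onap/aaf/aaf-base-xenial@sha256:<digest>`. The Bouncy Castle jars fetched on L266-L270 are copied into `jre/lib/ext`, where they load as trusted extension classes for every JVM in the image, yet nothing verifies them; compare each against its published SHA-256 (or check the `.jar.asc` signature) before the `cp` lines. The remaining `cp` lines of this file continue past the end of the hunk.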
diff --git a/bin/distcenter/Dockerfile b/bin/distcenter/Dockerfile
index f79c7ef..cb6f000 100644
--- a/bin/distcenter/Dockerfile
+++ b/bin/distcenter/Dockerfile
@@ -6,15 +6,12 @@ RUN cd sshsm && \
cd duplicate && \
make -f sampleMakefile
-RUN mkdir /createca
-COPY ./create_ca.sh /createca/
+RUN mkdir -p /distcenter/bin
+COPY ./create_ca.sh /distcenter/bin
RUN mkdir /dup
-RUN mkdir /dup/database
-RUN mkdir /dup/database/host_sample
RUN mkdir /dup/bin
RUN cp sshsm/tpm-util/duplicate/ossl_tpm_duplicate /dup/bin
-RUN cp sshsm/test/integration/samplecaservicecontainer/inittoolfiles/out_parent_public /dup/database/host_sample
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT [ "/entrypoint.sh" ]
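Review bot: Nothing in this Dockerfile creates `/distcenter/data` or `/distcenter/passphrase`, which the new entrypoint.sh `cd`s into and reads under `set -e`, so running the container without volumes mounted at exactly those paths fails at the first `cd`; add `RUN mkdir -p /distcenter/data /distcenter/passphrase` and declare them with `VOLUME ["/distcenter/data", "/distcenter/passphrase"]` so the expected mount points are visible from the image itself. `ADD entrypoint.sh /entrypoint.sh` should be `COPY entrypoint.sh /entrypoint.sh` — ADD's archive-extraction and URL handling are not wanted for a plain script, and `COPY` is already used for create_ca.sh two lines above. The `RUN cd sshsm` step that opens this hunk starts before its first visible line.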
diff --git a/bin/distcenter/README.md b/bin/distcenter/README.md
deleted file mode 100644
index 973cbf9..0000000
--- a/bin/distcenter/README.md
+++ /dev/null
@@ -1,17 +0,0 @@
-Create folder under /tmp/volume/host_sample on host. This will be mounted into the container as shared volume for now.
-
-Build the container using
-
- docker build --no-cache -t dist-center .
-
-Run it mounting the volume
-
- docker run -v /tmp/volume:/volume dist-center
-
-This will output the following files in /tmp/volume/host_sample
-
- ca.cert
- dupEncKey
- dupPriv
- dupPub
- dupSymseed
diff --git a/bin/distcenter/README.txt b/bin/distcenter/README.txt
new file mode 100644
index 0000000..fe39395
--- /dev/null
+++ b/bin/distcenter/README.txt
@@ -0,0 +1,33 @@
+Create folder under /tmp/volume/host_<host name> for each host (example
+host_sample where sample is the name of the tpm capable host).
+This folder will be mounted into the container as shared volume for now.
+
+Expects the input SRK pulic key "out_parent_public" for each host under
+the corresponding host directory and file "passphrase" under /tmp/volume/
+containing the passphrase to encrypt the key.
+
+example
+
+ /tmp/volume/host_sample/out_parent_public
+ /tmp/volume/passphrase
+
+Build the container using
+
+ docker build --no-cache -t dist-center .
+
+Run it mounting the volume
+
+ docker run -v /tmp/volume:/volume dist-center
+
+This will output the following files in /tmp/volume/host_<host name>
+
+ ca.cert
+ dupEncKey
+ dupPriv
+ dupPub
+ dupSymseed
+
+Encrypted private key and certificate under /tmp/volume
+
+ ca.cert
+ privkey.pem.gpg
diff --git a/bin/distcenter/entrypoint.sh b/bin/distcenter/entrypoint.sh
index 85cdf52..6aac3ca 100755
--- a/bin/distcenter/entrypoint.sh
+++ b/bin/distcenter/entrypoint.sh
@@ -1,12 +1,28 @@
#!/bin/sh
set -e
-cd /createca
-/createca/create_ca.sh
-cd /volume
-DLIST=`ls -d host_*`
-for DIR in $DLIST; do
- echo $DIR
- cp /createca/ca/ca.cert /volume/$DIR
- cd /volume/$DIR
- /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub /dup/database/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
-done
+cd /distcenter
+/distcenter/bin/create_ca.sh
+
+cd /distcenter/data
+DCOUNT=$(ls -d host_* 2> /dev/null | wc -l)
+if [ "$DCOUNT" != "0" ]
+then
+ DLIST=`ls -d host_*`
+ #Iterate over all hosts (host in k8s corresponds node)
+ for DIR in $DLIST; do
+ echo $DIR
+ cp /distcenter/ca/ca.cert /distcenter/data/$DIR
+ cd /distcenter/data/$DIR
+ /dup/bin/ossl_tpm_duplicate -pemfile /distcenter/ca/privkey.pem -parentPub \
+ /distcenter/data/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
+ dupSymseed -dupEncKey dupEncKey
+ done
+else
+ cd /distcenter/ca
+ cat /distcenter/passphrase/passphrase | gpg --no-tty --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 privkey.pem
+ cp /distcenter/ca/privkey.pem.gpg /distcenter/data
+ cp /distcenter/ca/ca.cert /distcenter/data
+fi
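Review bot: The README.txt added in this commit tells users to `docker run -v /tmp/volume:/volume`, but the rewritten script reads hosts from `/distcenter/data` (L376) and the passphrase from `/distcenter/passphrase/passphrase` (L392), so following the README leaves both paths empty and the script fails at `cd /distcenter/data` under `set -e` (unless something outside this diff links `/volume` there); the README and the script need to agree on one mount layout. In the no-host branch the plaintext CA key `/distcenter/ca/privkey.pem` stays on the container's writable layer after the encrypted copy is exported; `shred -u privkey.pem` (or at least `rm -f`) after the `cp` on L396, and again after the host loop finishes, keeps the unencrypted key from surviving in a stopped container or a `docker commit`. `DCOUNT=$(ls -d host_* 2> /dev/null | wc -l)` and the second `ls -d host_*` parse ls output; a glob loop `for DIR in host_*; do [ -d "$DIR" ] || continue; ...; done` handles the empty case and odd directory names without the count step.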