diff options
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/caservicecontainer/CaSignMultiThread.java | 308 | ||||
-rwxr-xr-x | bin/caservicecontainer/README | 14 | ||||
-rwxr-xr-x | bin/caservicecontainer/dockerfile | 9 | ||||
-rwxr-xr-x | bin/caservicecontainer/gencsr.sh | 4 | ||||
-rwxr-xr-x | bin/caservicecontainer/multithreadapplication.sh | 28 | ||||
-rwxr-xr-x | bin/caservicecontainer/multithreadimport.sh | 93 |
6 files changed, 454 insertions, 2 deletions
diff --git a/bin/caservicecontainer/CaSignMultiThread.java b/bin/caservicecontainer/CaSignMultiThread.java new file mode 100755 index 0000000..93be446 --- /dev/null +++ b/bin/caservicecontainer/CaSignMultiThread.java @@ -0,0 +1,308 @@ +/* + * Copyright 2018 Intel Corporation, Inc + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import java.security.*; +import sun.security.pkcs11.*; +import javax.crypto.spec.SecretKeySpec; +import java.util.*; +import sun.security.pkcs11.*; +import java.security.interfaces.*; +import javax.net.ssl.*; +import javax.crypto.spec.*; +import java.io.*; +import java.security.cert.*; +import java.security.spec.*; +import sun.security.x509.*; +import java.security.KeyStore.PrivateKeyEntry; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.math.BigInteger; +import java.security.InvalidKeyException; +import java.security.Key; +import java.security.KeyManagementException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.security.Security; +import java.security.SignatureException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Date; +import java.util.Random; + +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1InputStream; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.DERSequence; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x500.X500NameBuilder; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x509.BasicConstraints; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.KeyPurposeId; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cert.CertIOException; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.cert.bc.BcX509ExtensionUtils; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.util.io.pem.PemReader; +import org.bouncycastle.util.io.pem.PemObject; +import org.bouncycastle.asn1.pkcs.CertificationRequest; +import org.bouncycastle.asn1.x509.ExtendedKeyUsage; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; + +import javax.xml.bind.DatatypeConverter; +import java.security.cert.X509Certificate; +import java.io.StringWriter; + +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import static java.nio.file.StandardCopyOption.*; + +class ThreadDemo extends Thread { + private String threadName; + private PrivateKey key; + private X509Certificate caCert; + + ThreadDemo( String name, PrivateKey privateKey, X509Certificate cacert) { + threadName = name; + key = privateKey; + caCert = cacert; + } + + public static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] { + KeyPurposeId.id_kp_serverAuth, + KeyPurposeId.id_kp_clientAuth}; + + public void run() { + + System.out.println("Running " + threadName); + try { + String threadname = threadName+".csr"; + System.out.println(threadName); + File csrf = new File(threadname); + Reader pemcsr = new FileReader(csrf); + PemReader reader = new PemReader(pemcsr); + PemObject pem = reader.readPemObject(); + PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pem.getContent()); + + X500NameBuilder x500NameBld = new X500NameBuilder(BCStyle.INSTANCE); + x500NameBld.addRDN(BCStyle.C, "US"); + x500NameBld.addRDN(BCStyle.ST, "CA"); + x500NameBld.addRDN(BCStyle.L, "local"); + x500NameBld.addRDN(BCStyle.O, "onap"); + x500NameBld.addRDN(BCStyle.CN, "test.onap.ca"); + X500Name issuer = x500NameBld.build(); + + GregorianCalendar gc = new GregorianCalendar(); + Date start = gc.getTime(); + gc.add(GregorianCalendar.DAY_OF_MONTH, 1000); + Date end = gc.getTime(); + + X509Certificate x509; + byte[] serialish = new byte[24]; + SecureRandom random = new SecureRandom(); + BigInteger bi; + bi = new BigInteger(serialish); + X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(issuer, bi, + start, end, csr.getSubject(), csr.getSubjectPublicKeyInfo()); + + JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); + xcb.addExtension(Extension.basicConstraints, + false, new BasicConstraints(false)) + .addExtension(Extension.keyUsage, + true, new KeyUsage(KeyUsage.digitalSignature + | KeyUsage.keyEncipherment)) + .addExtension(Extension.extendedKeyUsage, + true, new ExtendedKeyUsage(ASN_WebUsage)) + + .addExtension(Extension.authorityKeyIdentifier, + false, extUtils.createAuthorityKeyIdentifier(caCert)) + .addExtension(Extension.subjectKeyIdentifier, + false, extUtils.createSubjectKeyIdentifier(caCert.getPublicKey())); + + ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSA").build(key); + + x509 = new JcaX509CertificateConverter().getCertificate(xcb.build(sigGen)); + StringWriter sw = new StringWriter(); + sw.write("-----BEGIN CERTIFICATE-----\n"); + sw.write(DatatypeConverter.printBase64Binary(x509.getEncoded()).replaceAll("(.{64})", "$1\n")); + sw.write("\n-----END CERTIFICATE-----\n"); + FileWriter fw = new FileWriter(threadName +".cert"); + fw.write(sw.toString()); + fw.close(); + + System.out.println("Done - Signed certificate is "+ threadName +".cert"); + System.out.println("Thread: " + threadName); + } + catch (Exception e) { + System.out.println("Thread " + threadName + " interrupted."); + e.printStackTrace(); + System.exit(-1); + } + System.out.println("Thread " + threadName + " exiting." + " upon Successful completion"); + } +} + +public class CaSignMultiThread { + + public static void main(String[] args) throws Exception { + + if ( args.length < 2 ) + System.out.println("Arguments mismatch, Usage: CaSign <pin> <alias>"); + for(int i = 0; i < args.length; i++) { + System.out.println(args[i]); + } + // Set up the Sun PKCS 11 provider + String configName = "pkcs11.cfg"; + Provider p = new SunPKCS11(configName); + //Provider p = Security.getProvider("SunPKCS11-pkcs11Test"); + if (p==null) { + throw new RuntimeException("could not get security provider for"); + } + Security.addProvider(p); + // Load the key store + char[] pin = args[0].toCharArray(); + KeyStore keyStore = KeyStore.getInstance("PKCS11", p); + keyStore.load(null, pin); + + Enumeration<String> aliases = keyStore.aliases(); + while(aliases.hasMoreElements()){ + String alias = aliases.nextElement(); + System.out.println(alias + ": " + keyStore.getKey(alias,args[0].toCharArray())); + } + PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry) keyStore.getEntry(args[1], null); + PrivateKey privateKey = privateKeyEntry.getPrivateKey(); + + X509Certificate caCert = (X509Certificate) privateKeyEntry.getCertificate(); + RSAPublicKey publicKey = (RSAPublicKey) caCert.getPublicKey(); + + Security.addProvider(new BouncyCastleProvider()); + + // Set the number of thread that application need to create + int threadCount = 9; + ThreadDemo[] T = new ThreadDemo[threadCount]; + + for (int i = 0; i<threadCount; i++) { + + String command0 = "./gencsr.sh "+ i; + System.out.println(command0); + try { + Process p0 = Runtime.getRuntime().exec(command0); + BufferedReader stdInput = new BufferedReader(new + InputStreamReader(p0.getInputStream())); + BufferedReader stdError = new BufferedReader(new + InputStreamReader(p0.getErrorStream())); + } catch (IOException e) { + System.out.println("The Error is : "); + e.printStackTrace(); + } + } + + String command1 = "chmod 777 *.csr"; + System.out.println(command1); + try { + Process p1 = Runtime.getRuntime().exec(command1); + BufferedReader stdInput = new BufferedReader(new + InputStreamReader(p1.getInputStream())); + BufferedReader stdError = new BufferedReader(new + InputStreamReader(p1.getErrorStream())); + } catch (IOException e) { + System.out.println("The Error is : "); + e.printStackTrace(); + } + + for (int i = 0; i<threadCount; i++) { + + T[i] = new ThreadDemo("Thread" + Integer.toString(i), privateKey, caCert); + T[i].start(); + System.out.println("THe threads are started with execution"); + } + + int count = Thread.activeCount(); + System.out.println("-------------currently active threads = " + count); + + for (int i = 0; i<threadCount; i++) { + T[i].join(); + System.out.println("The Threads are being joined"); + } + + String command2 = "chmod 777 *.cert"; + System.out.println(command2); + try { + + Process p2 = Runtime.getRuntime().exec(command2); + BufferedReader stdInput = new BufferedReader(new + InputStreamReader(p2.getInputStream())); + BufferedReader stdError = new BufferedReader(new + InputStreamReader(p2.getErrorStream())); + } + catch (IOException e) { + System.out.println("The Error is : "); + e.printStackTrace(); + } + + for (int i = 0; i<threadCount; i++) { + + String command3 = "openssl verify -verbose -CAfile ca.cert " + "Thread" + Integer.toString(i) + ".cert"; + try { + Process p3 = Runtime.getRuntime().exec(command3); + + BufferedReader stdInput = new BufferedReader(new + InputStreamReader(p3.getInputStream())); + + BufferedReader stdError = new BufferedReader(new + InputStreamReader(p3.getErrorStream())); + + // read the output from the command + while ((command3 = stdInput.readLine()) != null) { + System.out.println(command3); + } + // read any errors from the attempted command + while ((command3 = stdError.readLine()) != null) { + System.out.println(command3); + System.out.println("Here is the standard error of the command (if any):\n"); + } + } catch (IOException e) { + System.out.println("The exception is "); + e.printStackTrace(); + } + } + } +} + diff --git a/bin/caservicecontainer/README b/bin/caservicecontainer/README index 930d510..0d874c7 100755 --- a/bin/caservicecontainer/README +++ b/bin/caservicecontainer/README @@ -5,19 +5,29 @@ ### Build docker image with a base image ```` -$ docker build -t <image name> -f dockerfile . +$ docker build -t <imagename> -f dockerfile . ```` ### Running the CA service container - Below command will run and log you into the container ```` -$ docker run -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/volume:/tmp/files:rw --name <container name> -i -t --entrypoint=/bin/bash <image name> +$ docker run -d -e DATA_FOLDER=<Location of shared directory> -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/volume:/tmp/files:rw --name <containername> -i -t --entrypoint=/bin/bash <imagename> +```` + +### Login to the container +```` +$ docker exec -it <containername> /bin/bash ```` ### Running the Import utility ```` $ import.sh ```` + +### Running the Import utility with stress test with multithreading +```` +$ ./testca/test/multithreadimport.sh +```` #### Make sure the TABRMD container is running on the same dbus mountpoint on the host as the CA service container ### Expected Input files for SoftHSM operations diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile index 9fdbc30..89f7fef 100755 --- a/bin/caservicecontainer/dockerfile +++ b/bin/caservicecontainer/dockerfile @@ -15,9 +15,18 @@ RUN cp ./bctls-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext # Create the directory for running things in this container RUN mkdir -p /testca/bin +RUN mkdir -p /testca/tests/multithread COPY import.sh /testca/bin COPY softhsmconfig.sh /testca/bin COPY application.sh /testca/bin COPY CaSign.java /testca/bin COPY test.csr /testca/bin + +# Files for Stress testing operations +COPY multithreadapplication.sh /testca/tests/multithread +COPY softhsmconfig.sh /testca/tests/multithread +COPY CaSignMultiThread.java /testca/tests/multithread +COPY multithreadapplication.sh /testca/tests/multithread +COPY multithreadimport.sh /testca/tests/multithread +COPY gencsr.sh /testca/tests/multithread diff --git a/bin/caservicecontainer/gencsr.sh b/bin/caservicecontainer/gencsr.sh new file mode 100755 index 0000000..0e09f7b --- /dev/null +++ b/bin/caservicecontainer/gencsr.sh @@ -0,0 +1,4 @@ +#!/bin/bash +thread_count=$1 +openssl req -nodes -sha1 -newkey rsa:2048 -keyout Thread$thread_count.key -out Thread$thread_count.csr -days 365 -subj "/C=US/ST=CA/L=SantaClara/O=ONAP/CN=<name>" +chmod +x * diff --git a/bin/caservicecontainer/multithreadapplication.sh b/bin/caservicecontainer/multithreadapplication.sh new file mode 100755 index 0000000..3b3c5de --- /dev/null +++ b/bin/caservicecontainer/multithreadapplication.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# This script takes 4 arguments +key_label=$1 +SoftHSMv2SlotID=$2 +upin=$3 +cert_id=$4 + +# Location to fecth SoftHSM library required by application +applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so" + +# Setting up the java application and running the application +# 1. Create the configuration pkcs11.cfg for the application +# Remove any existing cfg file first from the CWD +rm -f pkcs11.cfg +touch pkcs11.cfg +chmod 755 pkcs11.cfg +echo "name = ${key_label}" >> pkcs11.cfg +echo "The location of applicationms library is ${applicationlibrary}" +echo "library = ${applicationlibrary}" >> pkcs11.cfg +echo "slot = ${SoftHSMv2SlotID}" >> pkcs11.cfg + +# 2. Compile the Application +# CaSign requires test.csr to be available in CWD +javac CaSignMultiThread.java + +# 3. Run the Application +java CaSignMultiThread ${upin} 0x${cert_id} diff --git a/bin/caservicecontainer/multithreadimport.sh b/bin/caservicecontainer/multithreadimport.sh new file mode 100755 index 0000000..9b092ff --- /dev/null +++ b/bin/caservicecontainer/multithreadimport.sh @@ -0,0 +1,93 @@ +#!/bin/bash + +# NOTE - This scripts expects the Init and the Duplicate tools to be already +# run and the output files(listed in README) to be present at the +# shared volume (input for Import tool) +# It also requires the following ENVIRONMENT variables to be set +# SECRETS_FOLDER - containing the srk_handl and prk_passwd files in base64 +# DATA_FOLDER - containing the files that are produced from the distcenter + +set -e + +#Primary Key Password used by TPM Plugin to load keys +export TPM_PRK_PASSWORD="$(cat ${SECRETS_FOLDER}/prk_passwd | base64 -d)" +#Handle to the aforementioned Primary Key +SRK_HANDLE="$(cat ${SECRETS_FOLDER}/srk_handle | base64 -d)" +#key_id is the parameter expected by SoftHSM +key_id="8738" +#Key_label is the parameter expected by SoftHSM +key_label="ABC" +#UserPin for the SoftHSM operations +upin="123456789" +#SoPin for the SoftHSM operations +sopin="123456789" +#Slot number for the SoftHSM operations. Initially it should be started with 0 +slot_no="0" +#Name for creating the slot used by SoftHSM +token_no="Token1" +#cert_id is the input for the application which is hexadecimal equivalent of key_id +cert_id=$(printf '%x' ${key_id}) +#Set working dir +WORKDIR=$PWD +#Process count for the Stress test +count="15" + +# 1.Initialize the token/ + softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \ + --pin ${upin} --so-pin ${sopin} + softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt + SoftHSMv2SlotID="$(cat slotinfo.txt)" + echo "The slot ID used is ${SoftHSMv2SlotID}" + +# 2.Plugin directory for the SoftHSM to load plugin and for further operations +if [ -f ${DATA_FOLDER}/out_parent_public ]; then + + # 2.a Copy the required input files for the Import tool + cp ${DATA_FOLDER}/dup* /tpm-util/bin/ + + # 2.b Run the Import Utility + cd /tpm-util/bin + ./ossl_tpm_import -H $SRK_HANDLE -dupPub dupPub -dupPriv dupPriv \ + -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \ + -password $TPM_PRK_PASSWORD + + cd $WORKDIR + ./softhsmconfig.sh $SRK_HANDLE $key_id $key_label $upin $sopin $SoftHSMv2SlotID +else + +# 3 SoftHSM mode implementation + + echo "TPM hardware unavailable. Using SoftHSM implementation" + + cd ${DATA_FOLDER} + + # 3.a Extract the Private key using passphrase + cat passphrase | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg + + # 3.b Convert the Private key pem into der format + openssl rsa -in ./privkey.pem -outform DER -out privatekey.der + + # 3.c Load the Private key into SoftHSM + pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \ + --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label} + +fi + +# 3.a Application operation +cd ${DATA_FOLDER} + +# 3.b Convert the crt to der format +openssl x509 -in ca.cert -outform der -out ca.der +cp ca.cert /testca/tests/multithread/ + +# 3.c Add the ca certificate +pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \ +--write-object ./ca.der --type cert --id ${cert_id} + +# 4. Calling the functionalities of the sample application +cd $WORKDIR +./multithreadapplication.sh $key_label $SoftHSMv2SlotID $upin $cert_id + +# 5. Cleanup +cd $WORKDIR +rm -rf slotinfo.txt |