From 4c48eea00420dff7a46104c0cf0b9a550362c34b Mon Sep 17 00:00:00 2001
From: Manjunath Ranganathaiah
Date: Fri, 27 Jul 2018 15:10:11 -0700
Subject: Changes to encrypt and copy out private key

Using the given passphrase, encrypt the private key and copy out.
Use the public key from the mount for generating out files.

Change-Id: I5de42ad4c8a781201ed559b04b1457fe9e661e42
Issue-ID: AAF-376
Signed-off-by: Manjunath Ranganathaiah
---
 bin/distcenter/Dockerfile | 3 ---
 bin/distcenter/README.md | 17 -----------------
 bin/distcenter/README.txt | 33 +++++++++++++++++++++++++++++++++
 bin/distcenter/entrypoint.sh | 12 +++++++++++-
 4 files changed, 44 insertions(+), 21 deletions(-)
 delete mode 100644 bin/distcenter/README.md
 create mode 100644 bin/distcenter/README.txt

diff --git a/bin/distcenter/Dockerfile b/bin/distcenter/Dockerfile
index f79c7ef..afa5b7d 100644
--- a/bin/distcenter/Dockerfile
+++ b/bin/distcenter/Dockerfile
@@ -9,12 +9,9 @@ RUN cd sshsm && \
 RUN mkdir /createca
 COPY ./create_ca.sh /createca/
 RUN mkdir /dup
-RUN mkdir /dup/database
-RUN mkdir /dup/database/host_sample
 RUN mkdir /dup/bin
 RUN cp sshsm/tpm-util/duplicate/ossl_tpm_duplicate /dup/bin
-RUN cp sshsm/test/integration/samplecaservicecontainer/inittoolfiles/out_parent_public /dup/database/host_sample
 ADD entrypoint.sh /entrypoint.sh
 ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/bin/distcenter/README.md b/bin/distcenter/README.md
deleted file mode 100644
index 973cbf9..0000000
--- a/bin/distcenter/README.md
+++ /dev/null
@@ -1,17 +0,0 @@
-Create folder under /tmp/volume/host_sample on host. This will be mounted into the container as shared volume for now.
-
-Build the container using
-
- docker build --no-cache -t dist-center .
-
-Run it mounting the volume
-
- docker run -v /tmp/volume:/volume dist-center
-
-This will output the following files in /tmp/volume/host_sample
-
- ca.cert
- dupEncKey
- dupPriv
- dupPub
- dupSymseed
diff --git a/bin/distcenter/README.txt b/bin/distcenter/README.txt
new file mode 100644
index 0000000..fe39395
--- /dev/null
+++ b/bin/distcenter/README.txt
@@ -0,0 +1,33 @@
+Create folder under /tmp/volume/host_ for each host (example
+host_sample where sample is the name of the tpm capable host).
+This folder will be mounted into the container as shared volume for now.
+
+Expects the input SRK pulic key "out_parent_public" for each host under
+the corresponding host directory and file "passphrase" under /tmp/volume/
+containing the passphrase to encrypt the key.
+
+example
+
+ /tmp/volume/host_sample/out_parent_public
+ /tmp/volume/passphrase
+
+Build the container using
+
+ docker build --no-cache -t dist-center .
+
+Run it mounting the volume
+
+ docker run -v /tmp/volume:/volume dist-center
+
+This will output the following files in /tmp/volume/host_
+
+ ca.cert
+ dupEncKey
+ dupPriv
+ dupPub
+ dupSymseed
+
+Encrypted private key and certificate under /tmp/volume
+
+ ca.cert
+ privkey.pem.gpg
diff --git a/bin/distcenter/entrypoint.sh b/bin/distcenter/entrypoint.sh
index 85cdf52..641c529 100755
--- a/bin/distcenter/entrypoint.sh
+++ b/bin/distcenter/entrypoint.sh
@@ -2,11 +2,21 @@
 set -e
 cd /createca
 /createca/create_ca.sh
+cd /createca/ca
+cat /volume/passphrase | gpg --no-tty --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 privkey.pem
+cp /createca/ca/privkey.pem.gpg /volume
+cp /createca/ca/ca.cert /volume
+
 cd /volume
 DLIST=`ls -d host_*`
 for DIR in $DLIST; do
 echo $DIR
 cp /createca/ca/ca.cert /volume/$DIR
 cd /volume/$DIR
- /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub /dup/database/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
+ /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub \
+ /volume/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
+ dupSymseed -dupEncKey dupEncKey
 done
-- 
cgit 1.2.3-korg
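Review bot: The new gpg invocation takes its passphrase from `cat /volume/passphrase`, but nothing verifies that the file exists and is non-empty, and since the script runs under `set -e` without `pipefail` only gpg's exit status counts, so a missing or empty file leaves gpg reading an empty fd 0 and the private key either protected by an empty passphrase or failing in a less obvious way than an explicit check. I would add `[ -s /volume/passphrase ] || { echo "missing /volume/passphrase" >&2; exit 1; }` before the added `cd /createca/ca` line and feed gpg by redirect instead of cat, `gpg --no-tty --symmetric -z 9 --require-secmem ... --passphrase-fd 0 privkey.pem < /volume/passphrase`, so a failed open also aborts under `set -e`. The rewritten `-parentPub /volume/$DIR/out_parent_public` argument has the same gap: a host directory lacking that file aborts the loop part-way after earlier hosts were already written, so a `[ -f "/volume/$DIR/out_parent_public" ] || { echo "no out_parent_public in $DIR" >&2; exit 1; }` check at the top of the loop body would give a clear failure instead. The hunk appears to end at the script's closing `done`, but anything after it is outside the hunk.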