From c8719c06244e18355db7c52e5deee4acb398f5f1 Mon Sep 17 00:00:00 2001
From: Manjunath Ranganathaiah
Date: Tue, 11 Sep 2018 09:11:06 -0700
Subject: Add import scripts to base image

These scripts imports the CA key to either tpm or softhsm. Updates the pkcs11 config file and adds the required config for softhsm

Change-Id: If45cfb514756bf4ab03081d458ed728921fa1d51
Issue-ID: AAF-483
Signed-off-by: Manjunath Ranganathaiah
---
bin/base/application.sh | 10 ++++
bin/base/import.sh | 117 ++++++++++++++++++++++++++++++++++++++++++++++
bin/base/softhsmconfig.sh | 43 +++++++++++++++++
bin/base/xenialdockerfile | 6 +++
4 files changed, 176 insertions(+)
create mode 100755 bin/base/application.sh
create mode 100755 bin/base/import.sh
create mode 100755 bin/base/softhsmconfig.sh

diff --git a/bin/base/application.sh b/bin/base/application.sh
new file mode 100755
index 0000000..cb7db08
--- /dev/null
+++ b/bin/base/application.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+# This script receives 2 arguments
+applicationlibrary=$1
+SoftHSMv2SlotID=$2
+
+# Setting up the pkcs11 config file
+echo "library = ${applicationlibrary}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
+echo "slot = ${SoftHSMv2SlotID}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
diff --git a/bin/base/import.sh b/bin/base/import.sh
new file mode 100755
index 0000000..96a2489
--- /dev/null
+++ b/bin/base/import.sh
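Review bot: The two `echo ... >>` lines append unconditionally, so every run of the import adds another `library =` / `slot =` pair to `/opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11`, and how the consumer treats duplicate keys is not visible here. Guard against a re-run with `grep -qx "library = ${applicationlibrary}" /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11 || echo "library = ${applicationlibrary}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11` and the same for `slot`, or write with `>` if the file holds nothing else. The script also takes `$1`/`$2` without checking they are set, so a missing argument writes `slot = `; `: "${1:?application library path}" "${2:?SoftHSMv2 slot id}"` after the shebang fails loudly instead, and `set -e` would match import.sh in this same commit.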
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# CA key import script for both tpm and softhsm case
+# required inputs are passed in through mount volume by oom
+
+set -e
+
+#if pkcs11 is not configured exit gracefully
+str=$(awk '/org.osaaf.aaf.cm.pkcs11/{print $0}' /opt/app/osaaf/local/org.osaaf.cm.ca.props)
+if [ ! -z $str ];then
+ echo "Using pkcs11 configuration"
+else
+ echo "Not using pkcs11 configuration"
+ exit 0
+fi
+
+
+#mount path for input files
+mountvolume="/tmp/files"
+#key_id in decimal
+key_id="8738"
+#Key_label used for key import
+key_label="localca"
+#Initial slot number
+slot_no="0"
+#Token name
+token_name="CAToken"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+#SoftHSM2 lib location
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+#User pin for the SoftHSM operations
+cd /
+phrase="$(cat ${mountvolume}/passphrase-pin)"
+cp ${mountvolume}/upin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 upin.txt.gpg
+upin="$(cat upin.txt)"
+rm -f upin.txt
+rm -f upin.txt.gpg
+#SoPin for the SoftHSM operations
+cp ${mountvolume}/sopin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 sopin.txt.gpg
+sopin="$(cat sopin.txt)"
+rm -f sopin.txt
+rm -f sopin.txt.gpg
+
+# Initialize the token and set the perms on the .sh files
+softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \
+ --pin ${upin} --so-pin ${sopin}
+softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+SoftHSMv2SlotID="$(cat slotinfo.txt)"
+rm -rf slotinfo.txt
+
+chmod 755 /sshsm/bin/softhsmconfig.sh
+chmod 755 /sshsm/bin/application.sh
+
+# import the key either to tpm or softhsm
+if [ -f ${mountvolume}/out_parent_public ]; then
+
+ #tpm import password
+ phrase="$(cat ${mountvolume}/passphrase-ipass)"
+ cp ${mountvolume}/ipass.txt.gpg .
+ echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 ipass.txt.gpg
+ ipass="$(cat ipass.txt)"
+ rm -f ipass.txt
+ #TPM handle
+ tpm_handle="$(cat ${mountvolume}/tpm-handle.txt)"
+ # Copy the required input files for the Import tool
+ cp ${mountvolume}/dup* /tpm-util/bin/
+
+ # Run the Import Utility
+ cd /tpm-util/bin
+ ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
+ -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \
+ -password $ipass
+
+ # setup tpm-softhsm specific config
+ cd /sshsm/bin
+ ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID \
+ "/tpm-util/bin/outPriv" "/tpm-util/bin/outPub"
+else
+
+# SoftHSM mode implementation
+
+ echo "TPM hardware unavailable, using SoftHSM implementation"
+
+ # Extract the Private key using passphrase
+ passphrase="$(cat ${mountvolume}/passphrase)"
+ cp ${mountvolume}/privkey.pem.gpg .
+ echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg
+
+ # Convert the Private key pem into der format
+ openssl rsa -in ./privkey.pem -outform DER -out privatekey.der
+
+ # Load the Private key into SoftHSM
+ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+ --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label}
+
+ # Clenup the files
+ rm -f privkey.pem
+ rm -f privatekey.der
+ rm -f privkey.pem.gpg
+
+fi
+
+cd /
+# Convert the crt to der format
+openssl x509 -in ${mountvolume}/ca.cert -outform der -out ca.der
+
+# Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+--write-object ./ca.der --type cert --id ${cert_id}
+
+rm -f ca.der
+
+# Call app specific script
+/sshsm/bin/application.sh $applicationlibrary $SoftHSMv2SlotID
diff --git a/bin/base/softhsmconfig.sh b/bin/base/softhsmconfig.sh
new file mode 100755
index 0000000..91c76d5
--- /dev/null
+++ b/bin/base/softhsmconfig.sh
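Review bot: Each PIN is decrypted to a plaintext file in `/` (`upin.txt`, `sopin.txt`, `ipass.txt`) and only removed by a later `rm -f`, so under `set -e` any failure between the `gpg` call and the `rm` leaves the secret on disk at a predictable path, and a plain `rm` does not erase it in any case. Decrypt straight into the variable instead of copying and writing a file, e.g. `upin="$(echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 --decrypt "${mountvolume}/upin.txt.gpg")"`, and do the same for `sopin` and `ipass`; the `cp`/`rm` pairs then disappear. The PINs are still handed over on command lines (`--pin ${upin} --so-pin ${sopin}`, `-password $ipass`, and as positionals to `softhsmconfig.sh`), which any process in the container can read from `/proc/*/cmdline`; if the installed OpenSC `pkcs11-tool` supports it, `--pin env:UPIN` reads the PIN from the environment instead, and the remaining argv exposures deserve a comment naming them. Separately, `[ ! -z $str ]` is unquoted, so a matching props line that contains whitespace makes the test error out, fall to `else` and `exit 0`, silently skipping the whole import; use `[ -n "$str" ]`.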
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# This script will take six parameters as input
+tpm_handle=$1
+key_id=$2
+key_label=$3
+upin=$4
+sopin=$5
+SoftHSMv2SlotID=$6
+outprivfile=$7
+outpubfile=$8
+
+# export Pluginlibrary's location
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+
+SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+# Configuration generation for SoftHSM
+# 1.a Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+# 1.b Copy the Plugin library and create the required Configuration
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 1.d Copy the output of Import utility into the directory where SoftHSMv2 expects
+cp $outprivfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp $outpubfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
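Review bot: `pkcs11.cfg` receives `upin:` and `sopin:` in plaintext yet is created by `touch` under the default umask and then given `chmod 755`, so the PINs under `/tmp/hwparent/S01tpm/key01` are readable by every user in the container; the same `touch`/`chmod 755` pattern is applied to `Afile1.id1`. Replace the `touch` and `chmod` pair with `install -m 600 /dev/null "${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg"`, which also starts from an empty file so the five `>>` writes no longer accumulate duplicate entries across re-runs; if the SoftHSM process runs under a different uid than this script, use a group-readable mode for that uid rather than 755. The header comment says `six parameters` but the script reads `$7` and `$8` as well; `# This script takes eight positional parameters: tpm handle, key id, key label, user PIN, SO PIN, SoftHSMv2 slot id, imported private key file, imported public key file` would match the body. None of the `$1`..`$8` expansions are quoted, so a PIN containing whitespace or glob characters would be split or expanded before it is written.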
diff --git a/bin/base/xenialdockerfile b/bin/base/xenialdockerfile
index f28ed0f..b786541 100644
--- a/bin/base/xenialdockerfile
+++ b/bin/base/xenialdockerfile
@@ -96,7 +96,13 @@ RUN mkdir tpm-util
 RUN cd tpm-util && \
 mkdir bin
 RUN cp /sshsm/tpm-util/import/ossl_tpm_import /tpm-util/bin/
+
 RUN rm -rf tpm2-tss
 RUN rm -rf tpm2-abrmd
 RUN rm -rf tpm2-tools
 RUN rm -rf sshsm
+
+RUN mkdir -p /sshsm/bin
+COPY ./import.sh /sshsm/bin
+COPY ./softhsmconfig.sh /sshsm/bin
+COPY ./application.sh /sshsm/bin
--
cgit 1.2.3-korg
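Review bot: The three `COPY` instructions and the `RUN mkdir -p /sshsm/bin` each add a layer for a single file, while `COPY` already creates a missing destination directory; `COPY ./import.sh ./softhsmconfig.sh ./application.sh /sshsm/bin/` (trailing slash is required with several sources) does the same in one instruction. Since the context line `RUN rm -rf sshsm` just above removes the build checkout from what looks like the same path that `/sshsm/bin` is then recreated under, a one-line comment such as `# /sshsm now holds only the runtime import scripts; the source tree was removed above` would save the next reader a double-take. Whether `rm -rf sshsm` actually refers to `/sshsm` depends on the WORKDIR, which is outside this hunk.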