From 2047f38adb5e6724143d53657e7c590adef23514 Mon Sep 17 00:00:00 2001
From: Pramod Raghavendra Jayathirth
Date: Mon, 2 Jul 2018 12:06:50 -0700
Subject: Adding the CA service container
Adding the dockerfile and required scripts to implement CA service container functionality
Issue-ID: AAF-342
Change-Id: I8ea086008d0d8e50bfad3886c741ba21642ac974
Signed-off-by: Pramod Raghavendra Jayathirth
---
 bin/caservicecontainer/README | 20 +++++++
 bin/caservicecontainer/dockerfile | 54 +++++++++++++++++++
 bin/caservicecontainer/test.sh | 109 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 183 insertions(+)
 create mode 100755 bin/caservicecontainer/README
 create mode 100755 bin/caservicecontainer/dockerfile
 create mode 100755 bin/caservicecontainer/test.sh
diff --git a/bin/caservicecontainer/README b/bin/caservicecontainer/README
new file mode 100755
index 0000000..c4c73e8
--- /dev/null
+++ b/bin/caservicecontainer/README
@@ -0,0 +1,20 @@
+
+### Copy the ~/sshsm/test/integration/samplecaservicecontainer to /tmp/samplecaservicecontainer on host machine where the
+### containers will be running
+### "samplecaservicecontainer" directory is considered as the sample shared volume for now
+### The files directory will be mounted on the container
+### the bash script test.sh ~/sshsm/test/integration/samplecaservicecontainer/scripts has the steps which are executed by this container as per design. It can be run by the user with sudo rights
+
+### Build docker image with a base image
+
+````
+$ docker build -t -f dockerfile .
+````
+
+### Running the CA service container
+
+````
+$ docker run -d -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/samplecaservicecontainer:/tmp/files:rw --name CAServicecontainer
+````
+
+#### Make sure the TABRMD container is running on the same dbus mountpoint on the host as the CA service container
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
new file mode 100755
index 0000000..8557181
--- /dev/null
+++ b/bin/caservicecontainer/dockerfile
@@ -0,0 +1,54 @@
+
+# Base Image for the build
+FROM rmannfv/aaf-base:xenial
+
+RUN apt-get update
+RUN apt-get install -y softhsm2
+RUN apt-get install -y opensc
+
+# Files required for the Java application
+RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcpkix-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcmail-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bcpg-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bctls-jdk15on-159.jar
+RUN wget https://www.bouncycastle.org/download/bctest-jdk15on-159.jar
+RUN cp ./bcpkix-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcprov-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bcpg-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
+RUN cp ./bctls-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext
+
+# Clone the sshsm repo
+RUN git clone https://gerrit.onap.org/r/aaf/sshsm
+
+# Build SoftHSMv2
+RUN cd sshsm && \
+ cd SoftHSMv2 && \
+ sh autogen.sh && \
+ ./configure --disable-gost && \
+ make && \
+ make install
+
+# Create the directory for mounting the shared voulme
+RUN mkdir -p /tmp/files
+
+# Build TPM-Plugin
+RUN cd sshsm && \
+ chmod 755 TPM2-Plugin/ && \
+ cd TPM2-Plugin && \
+ chmod 755 bootstrap && \
+ sleep 2 && \
+ ./bootstrap && \
+ ./configure && \
+ make && \
+ make install && \
+ ldconfig && \
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
+
+RUN cd sshsm && \
+ cd tpm-util && \
+ cd import && \
+ make -f sampleMakefile
+
+COPY ./test.sh /
diff --git a/bin/caservicecontainer/test.sh b/bin/caservicecontainer/test.sh
new file mode 100755
index 0000000..9ef4cf9
--- /dev/null
+++ b/bin/caservicecontainer/test.sh
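Review bot: The BouncyCastle jars fetched by the six `RUN wget` lines are copied into `jre/lib/ext/` without any checksum or signature check, so whatever the download host (or anything between it and the build) returns lands on the extension classpath that every JVM in this image loads implicitly. I would fetch them in one layer, verify each against a digest recorded in the repo with `sha256sum -c`, and only then copy them into `lib/ext`; the same concern applies to `git clone https://gerrit.onap.org/r/aaf/sshsm`, which builds whatever HEAD is at build time and should check out a fixed tag or commit so the image is reproducible. Two smaller points: `export LD_LIBRARY_PATH=...` as the last step of a `RUN` has no effect once that shell exits (use `ENV LD_LIBRARY_PATH=/usr/local/lib` if the runtime needs it), and the image never sets `USER`, so test.sh runs as root. `bctest-jdk15on-159.jar` is downloaded but never installed and can be dropped.
```dockerfile
# Files required for the Java application. Verify every jar against a digest
# recorded in the repo before it reaches the extension classpath.
# bouncycastle-159.sha256 is a constructed name: a file of "<sha256>  <jar>"
# lines whose digests the author records from a verified download.
COPY ./bouncycastle-159.sha256 /tmp/
RUN cd /tmp && \
    for jar in bcprov bcpkix bcmail bcpg bctls; do \
        wget https://www.bouncycastle.org/download/${jar}-jdk15on-159.jar; \
    done && \
    sha256sum -c bouncycastle-159.sha256 && \
    cp ./bc*-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/ && \
    rm -f ./bc*-jdk15on-159.jar bouncycastle-159.sha256

# … unchanged: sshsm clone (pin to a tag or commit), SoftHSMv2 and TPM2-Plugin builds, COPY of test.sh …
```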
@@ -0,0 +1,109 @@
+
+#NOTE - This scripts expects the Init and the Duplicate tools to be already run and the output files to be present at the
+# shared volume (input for Import tool)
+
+#!/bin/bash
+set -e
+
+#Placeholder of Input files to the Import tool which is the output of duplicate tool
+duplicatetooldir="/tmp/files/duplicatetoolfiles"
+#Pluginlibrary
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+#key_id is the parameter expected by SoftHSM
+key_id="8738"
+#TPM handle
+tpm_handle="0x81000011"
+#Key_label is the parameter expected by SoftHSM
+key_label="ABC"
+#UserPin for the SoftHSM operations
+upin="123456789"
+#SoPin for the SoftHSM operations
+sopin="123456789"
+#Slot number for the SoftHSM operations. Initially it should be started with 0
+slot_no="0"
+#Name for creating the slot used by SoftHSM
+token_no="Token1"
+#Location for the application to fecth SoftHSM library
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+
+#Plugin directory for the SoftHSM to load plugin and for further operations
+if [ ! "$SSHSM_HW_PLUGINS_PARENT_DIR" ]
+then
+ echo "There is no Plugin directory assigned. Hence creating the directory required by SoftHSM"
+ SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+fi
+ mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+mkdir -p /var/run/dbus
+
+# Initialize the token
+softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" --pin ${upin} --so-pin ${sopin}
+softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+SoftHSMv2SlotID="$(cat slotinfo.txt)"
+echo "${SoftHSMv2SlotID}"
+
+# 1. Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 2. Generate the pkcs11.cfg file required for the SoftHSM opeations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "${key_id}"
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "${key_label}"
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin is ${sopin}"
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 3.a Copy the required input files for the Import tool
+cp ${duplicatetooldir}/* /sshsm/tpm-util/initandverify
+
+# 3.b Run the Import Utility
+cd /sshsm/tpm-util/initandverify
+./ImportTpmKey.sh
+
+# 3.c Copy the output of the Import utility to the directory that SoftHSMv2 expects
+cp /sshsm/tpm-util/initandverify/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp /sshsm/tpm-util/initandverify/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
+
+# Setting up the java application and running the application
+# 4. Create the configuration pkcs11.cfg for the application
+touch /tmp/pkcs11.cfg
+chmod 755 /tmp/pkcs11.cfg
+echo "name = ${key_label}" >> /tmp/pkcs11.cfg
+echo "${applicationlibrary}"
+echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
+echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
+
+# 5. Compile the Application
+cd /tmp/files/applicationfiles
+cp test.csr /tmp/test.csr
+javac CaSign.java
+
+# 6. Convert the crt to der format
+openssl x509 -in ca.cert -outform der -out ca.der
+
+# 7. Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} --write-object ./ca.der --type cert --id ${cert_id}
+
+# 8. Run the Application
+java CaSign ${upin} 0x${cert_id}
+
+# 9. Verify the generated certificate
+openssl verify -verbose -CAfile ca.cert /tmp/test.cert
+
+# 10. CleanUp
+cd /
+rm -rf slotinfo.txt
-- 
cgit 1.2.3-korg
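Review bot: Step 2 writes `upin` and `sopin` in cleartext into `S01tpm/key01/pkcs11.cfg` and then makes that file world-readable with `chmod 755`, and `echo "sopin is ${sopin}"` additionally sends the SO PIN to stdout, i.e. into the container log; the file is data, not an executable, so it should be `chmod 600 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg` and the PIN echo dropped (the same applies to `/tmp/pkcs11.cfg` in step 4). The token initialisation passes `--label "${token_name}"`, but the variable defined above is `token_no`, so the token is created with an empty label; it should read `--label "${token_no}"`. `#!/bin/bash` sits on line 5 after the NOTE comment, so it is only a comment and the script runs under whatever shell the caller uses; it belongs on line 1. Every write into `pkcs11.cfg`, `Afile1.id1` and `slotinfo.txt` uses `>>`, so a second run (the cleanup removes slotinfo.txt only if the first run completes) appends duplicate entries; use `>` for the first write of each file. Since the dockerfile `COPY`s this script into the image, the literal PINs are baked into every build as well, so they should at least be taken from the environment or a mounted file rather than hard-coded.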