From a0865eeaad17733a2d21cc141fba168663c9f539 Mon Sep 17 00:00:00 2001
From: Pramod Raghavendra Jayathirth
Date: Mon, 27 Aug 2018 09:05:45 -0700
Subject: Script for SoftHSMv2 fallback mechanism
This will facilitate the SoftHSMv2 implementation when TPM is unavailable
Change-Id: Ic77627702db514213cece200a259f723e6d66d34
Issue-ID: AAF-414
Signed-off-by: Pramod Raghavendra Jayathirth
---
 bin/caservicecontainer/README | 27 ++++++--
 bin/caservicecontainer/application.sh | 30 +++++++++
 bin/caservicecontainer/dockerfile | 36 ++---------
 bin/caservicecontainer/import.sh | 88 ++++++++++++++++++++++++++
 bin/caservicecontainer/softhsmconfig.sh | 41 ++++++++++++
 bin/caservicecontainer/test.sh | 109 -------------------------------
 6 files changed, 183 insertions(+), 148 deletions(-)
 create mode 100755 bin/caservicecontainer/application.sh
 create mode 100755 bin/caservicecontainer/import.sh
 create mode 100755 bin/caservicecontainer/softhsmconfig.sh
 delete mode 100755 bin/caservicecontainer/test.sh
diff --git a/bin/caservicecontainer/README b/bin/caservicecontainer/README
index c4c73e8..930d510 100755
--- a/bin/caservicecontainer/README
+++ b/bin/caservicecontainer/README
@@ -1,9 +1,6 @@
-### Copy the ~/sshsm/test/integration/samplecaservicecontainer to /tmp/samplecaservicecontainer on host machine where the
-### containers will be running
-### "samplecaservicecontainer" directory is considered as the sample shared volume for now
-### The files directory will be mounted on the container
-### the bash script test.sh ~/sshsm/test/integration/samplecaservicecontainer/scripts has the steps which are executed by this container as per design. It can be run by the user with sudo rights
+### Create a directory /tmp/volume (mkdir -p /tmp/volume) on host.
+### This is used as shared volume and mounted inside container
 ### Build docker image with a base image
@@ -11,10 +8,26 @@ $ docker build -t -f dockerfile .
 ````
-### Running the CA service container
+### Running the CA service container - Below command will run and log you into the container
 ````
-$ docker run -d -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/samplecaservicecontainer:/tmp/files:rw --name CAServicecontainer
+$ docker run -v /tmp/run/dbus:/var/run/dbus:rw -v /tmp/volume:/tmp/files:rw --name -i -t --entrypoint=/bin/bash
 ````
+### Running the Import utility
+````
+$ import.sh
+````
 #### Make sure the TABRMD container is running on the same dbus mountpoint on the host as the CA service container
+
+### Expected Input files for SoftHSM operations
+### 1. passphrase 2. privkey.pem.gpg 3. ca.cert
+### Output - None
+
+### Expected Input files for TPM Hardware opeartion
+### 1. ca.cert 2. duPEncKey 3. dupPriv 4. dupPub 5. dupSymseed 6. tpm_handle (srkhandle)
+### Output - None
+
+### Expected Input for Application's operations
+### 1. test.csr 2. CaSign.java(Application file) 3. ca.cert
+### Output - test.cert (in /tmp Directory)
diff --git a/bin/caservicecontainer/application.sh b/bin/caservicecontainer/application.sh
new file mode 100755
index 0000000..1a723ea
--- /dev/null
+++ b/bin/caservicecontainer/application.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# This script takes 4 arguments
+key_label=$1
+SoftHSMv2SlotID=$2
+upin=$3
+cert_id=$4
+
+# Location to fecth SoftHSM library required by application
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+
+# Setting up the java application and running the application
+# 1. Create the configuration pkcs11.cfg for the application
+touch /tmp/pkcs11.cfg
+chmod 755 /tmp/pkcs11.cfg
+echo "name = ${key_label}" >> /tmp/pkcs11.cfg
+echo "The location of applicationms library is ${applicationlibrary}"
+echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
+echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
+
+# 2. Compile the Application
+cd /tmp/files
+cp test.csr /tmp/test.csr
+javac CaSign.java
+
+# 3. Run the Application
+java CaSign ${upin} 0x${cert_id}
+
+# 4. Verify the generated certificate
+openssl verify -verbose -CAfile ca.cert /tmp/test.cert
\ No newline at end of file
diff --git a/bin/caservicecontainer/dockerfile b/bin/caservicecontainer/dockerfile
index bad49d1..7a70dc9 100755
--- a/bin/caservicecontainer/dockerfile
+++ b/bin/caservicecontainer/dockerfile
@@ -1,6 +1,5 @@
-
 # Base Image for the build
-FROM rmannfv/aaf-base:xenial
+FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest
 
 # Files required for the Java application
 RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar
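Review bot: The configuration write from `touch /tmp/pkcs11.cfg` through `echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg` appends on every invocation, so a second run in the same container leaves duplicate `name`/`library`/`slot` entries in the file the Java application presumably reads, and `chmod 755` on a plain config file is wider than it needs to be. The script also has no `set -e`, so a failed `cd /tmp/files` or `javac CaSign.java` still falls through to `java CaSign` and `openssl verify`, hiding the real error behind a later one. Overwriting the file with one heredoc and enabling `set -e` fixes both. Note that `${upin}` is passed on the `java CaSign` command line, where it is visible in the process list; that is CaSign's interface and outside this diff, but worth revisiting.
```shell
#!/bin/bash
set -e
# … unchanged: positional-argument assignments and applicationlibrary …

# 1. Create the configuration pkcs11.cfg for the application
#    (overwrite rather than append, so a re-run does not accumulate entries)
cat > /tmp/pkcs11.cfg <<EOF
name = ${key_label}
library = ${applicationlibrary}
slot = ${SoftHSMv2SlotID}
EOF
chmod 644 /tmp/pkcs11.cfg
# … unchanged: informational echo, compile, run and verify steps …
```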
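Review bot: `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:latest` replaces a tagged base with a floating `:latest`, so the build is no longer reproducible and silently picks up whatever is pushed next, including a base that may lack the SoftHSMv2/TPM tooling the scripts in this commit now assume is preinstalled. Pin it, e.g. `FROM nexus3.onap.org:10001/onap/aaf/aaf-base-xenial:<pinned-tag>` (or `@sha256:<digest>`), and bump it deliberately. The unchanged context line `RUN wget https://www.bouncycastle.org/download/bcprov-jdk15on-159.jar` (and the sibling jar downloads that follow) fetches code that is then installed into the JRE extension directory without any integrity check; a follow-up could append `&& echo "<sha256>  bcprov-jdk15on-159.jar" | sha256sum -c -` to each fetch.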
@@ -14,36 +13,9 @@ RUN cp ./bcmail-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
 RUN cp ./bcpg-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext/
 RUN cp ./bctls-jdk15on-159.jar /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext
 
-# Clone the sshsm repo
-RUN git clone https://gerrit.onap.org/r/aaf/sshsm
-
-# Build SoftHSMv2
-RUN cd sshsm && \
- cd SoftHSMv2 && \
- sh autogen.sh && \
- ./configure --disable-gost && \
- make && \
- make install
-
 # Create the directory for mounting the shared voulme
 RUN mkdir -p /tmp/files
 
-# Build TPM-Plugin
-RUN cd sshsm && \
- chmod 755 TPM2-Plugin/ && \
- cd TPM2-Plugin && \
- chmod 755 bootstrap && \
- sleep 2 && \
- ./bootstrap && \
- ./configure && \
- make && \
- make install && \
- ldconfig && \
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
-
-RUN cd sshsm && \
- cd tpm-util && \
- cd import && \
- make -f sampleMakefile
-
-COPY ./test.sh /
+COPY ./import.sh /
+COPY ./softhsmconfig.sh /
+COPY ./application.sh /
diff --git a/bin/caservicecontainer/import.sh b/bin/caservicecontainer/import.sh
new file mode 100755
index 0000000..f7aaca8
--- /dev/null
+++ b/bin/caservicecontainer/import.sh
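Review bot: With the SoftHSMv2, TPM2-Plugin and tpm-util build steps removed, nothing in this Dockerfile provides `softhsm2-util`, `pkcs11-tool`, `/tpm-util/bin/ossl_tpm_import` or `/usr/local/lib/libtpm2-plugin.so`, all of which the three copied scripts invoke; presumably the new base image ships them, but that contract is not written down anywhere. A comment above the `COPY` lines such as `# softhsm2-util, pkcs11-tool, /tpm-util/bin/ossl_tpm_import and libtpm2-plugin.so are expected from the base image` would make the dependency explicit. The three `COPY` lines can be one instruction, `COPY ./import.sh ./softhsmconfig.sh ./application.sh /`, and since the commit adds the files with mode 100755 the `chmod 755` calls import.sh performs on them at runtime are redundant. The final image also has no `USER`, so the container runs as root; that may be needed for the dbus/TPM resource-manager access the README describes, but it deserves a comment either way.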
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# NOTE - This scripts expects the Init and the Duplicate tools to be already
+# run and the output files(listedb in README) to be present at the
+# shared volume (input for Import tool)
+
+set -e
+
+#Placeholder of Input files to the Import tool which is the output of duplicate tool
+sharedvolume="/tmp/files"
+#key_id is the parameter expected by SoftHSM
+key_id="8738"
+#TPM handle
+tpm_handle="0x81000011"
+#Key_label is the parameter expected by SoftHSM
+key_label="ABC"
+#UserPin for the SoftHSM operations
+upin="123456789"
+#SoPin for the SoftHSM operations
+sopin="123456789"
+#Slot number for the SoftHSM operations. Initially it should be started with 0
+slot_no="0"
+#Name for creating the slot used by SoftHSM
+token_no="Token1"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+
+# 1.Initialize the token/
+ softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \
+ --pin ${upin} --so-pin ${sopin}
+ softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+ SoftHSMv2SlotID="$(cat slotinfo.txt)"
+ echo "The slot ID used is ${SoftHSMv2SlotID}"
+
+# 2.Plugin directory for the SoftHSM to load plugin and for further operations
+if [ -f ${sharedvolume}/out_parent_public ]; then
+
+ # 2.a Copy the required input files for the Import tool
+ cp ${sharedvolume}/dup* /tpm-util/bin/
+
+ # 2.b Run the Import Utility
+ cd /tpm-util/bin
+ ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
+-dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv
+
+ cd /
+ chmod 755 softhsmconfig.sh
+ ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID
+else
+
+# 3 SoftHSM mode implementation
+
+ echo "TPM hardware unavailable. 
Using SoftHSM implementation"
+
+ cd ${sharedvolume}
+
+ # 3.a Extract the Private key using passphrase
+ passphrase="$(cat passphrase)"
+ echo "${passphrase}"
+ echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg
+
+ # 3.b Convert the Private key pem into der format
+ openssl rsa -in ./privkey.pem -outform DER -out privatekey.der
+
+ # 3.c Load the Private key into SoftHSM
+ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+ --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label}
+
+fi
+
+# 3.a Application operation
+cd ${sharedvolume}
+
+# 3.b Convert the crt to der format
+openssl x509 -in ca.cert -outform der -out ca.der
+
+# 3.c Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+--write-object ./ca.der --type cert --id ${cert_id}
+
+# 4. Calling the functionalities of the sample application
+cd /
+chmod 755 application.sh
+./application.sh $key_label $SoftHSMv2SlotID $upin $cert_id
+
+# 5. Cleanup
+cd /
+rm -rf slotinfo.txt
diff --git a/bin/caservicecontainer/softhsmconfig.sh b/bin/caservicecontainer/softhsmconfig.sh
new file mode 100755
index 0000000..5464263
--- /dev/null
+++ b/bin/caservicecontainer/softhsmconfig.sh
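Review bot: In the SoftHSM branch, `echo "${passphrase}"` prints the GPG passphrase to stdout (and so to the container log), and `gpg … privkey.pem.gpg` followed by `openssl rsa … -out privatekey.der` writes the plaintext private key twice into `${sharedvolume}`, i.e. the host-mounted `/tmp/volume`, where the `# 5. Cleanup` step never removes it. Decrypting into a `mktemp -d` scratch directory inside the container, feeding the passphrase with `--passphrase-file` instead of echoing it, and removing the scratch directory on exit keeps the key material off the host path. Separately, `softhsm2-util --init-token … --label "${token_name}"` reads a variable that is never set (the value is assigned to `token_no` at the top), so the token is initialised with an empty label; the deleted test.sh had the same mismatch. The PINs are also baked into the image as `upin="123456789"` and `sopin="123456789"`; reading them from the shared volume the way `passphrase` is read would keep them out of the layer.
```shell
 # 3.a Extract the Private key into a scratch dir inside the container
 #     (never echo the passphrase; keep the plaintext key off the host volume)
 workdir="$(mktemp -d)"
 trap 'rm -rf "${workdir}"' EXIT
 gpg --batch --yes --passphrase-file passphrase \
     --output "${workdir}/privkey.pem" --decrypt privkey.pem.gpg

 # 3.b Convert the Private key pem into der format
 openssl rsa -in "${workdir}/privkey.pem" -outform DER -out "${workdir}/privatekey.der"

 # 3.c Load the Private key into SoftHSM (scratch dir is removed by the EXIT trap)
 pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin "${upin}" \
     --write-object "${workdir}/privatekey.der" --type privkey --id "${cert_id}" --label "${key_label}"
```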
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# This script will take six parameters as input
+tpm_handle=$1
+key_id=$2
+key_label=$3
+upin=$4
+sopin=$5
+SoftHSMv2SlotID=$6
+
+# export Pluginlibrary's location
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+
+SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+# Configuration generation for SoftHSM
+# 1.a Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+# 1.b Copy the Plugin library and create the required Configuration
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 1.d Copy the output of Import utility into the directory where SoftHSMv2 expects
+cp /tpm-util/bin/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp /tpm-util/bin/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
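Review bot: The `pkcs11.cfg` written under `${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01` receives `upin:` and `sopin:` in clear, yet `touch …/pkcs11.cfg` and `chmod 755 …/pkcs11.cfg` make it world-readable (and executable), and every `echo … >>` appends, so a second run leaves duplicate entries whose precedence in the plugin is unknown. Writing it once under `umask 077` with a heredoc fixes both (this assumes the plugin is loaded by the same user that runs this script — confirm); the `touch`/`chmod 755`/`>>` pattern on `activate/Afile1.id1` deserves the same treatment. The script also accepts six positional parameters without checking `$#` and has no `set -e`, so a failure early on (e.g. `cp ${pluginlibrary} …`) is masked from the caller as long as the final `cp` succeeds, since only the last command's status is returned.
```shell
#!/bin/bash
set -e
[ "$#" -eq 6 ] || { echo "usage: $0 tpm_handle key_id key_label upin sopin slot_id" >&2; exit 1; }
# … unchanged: positional-argument assignments, pluginlibrary, directory creation, plugin copy …

# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
#     (holds the PINs: create owner-only and overwrite rather than append)
cfg="${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg"
( umask 077; cat > "${cfg}" <<EOF
key_id:${key_id}
key_label:${key_label}
upin:${upin}
sopin:${sopin}
slot:${SoftHSMv2SlotID}
EOF
)
# … unchanged: 1.d copy of outPriv/outPub …
```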
diff --git a/bin/caservicecontainer/test.sh b/bin/caservicecontainer/test.sh
deleted file mode 100755
index 9ef4cf9..0000000
--- a/bin/caservicecontainer/test.sh
+++ /dev/null
@@ -1,109 +0,0 @@
-
-#NOTE - This scripts expects the Init and the Duplicate tools to be already run and the output files to be present at the
-# shared volume (input for Import tool)
-
-#!/bin/bash
-set -e
-
-#Placeholder of Input files to the Import tool which is the output of duplicate tool
-duplicatetooldir="/tmp/files/duplicatetoolfiles"
-#Pluginlibrary
-pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
-#key_id is the parameter expected by SoftHSM
-key_id="8738"
-#TPM handle
-tpm_handle="0x81000011"
-#Key_label is the parameter expected by SoftHSM
-key_label="ABC"
-#UserPin for the SoftHSM operations
-upin="123456789"
-#SoPin for the SoftHSM operations
-sopin="123456789"
-#Slot number for the SoftHSM operations. Initially it should be started with 0
-slot_no="0"
-#Name for creating the slot used by SoftHSM
-token_no="Token1"
-#Location for the application to fecth SoftHSM library
-applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
-#cert_id is the input for the application which is hexadecimal equivalent of key_id
-cert_id=$(printf '%x' ${key_id})
-
-#Plugin directory for the SoftHSM to load plugin and for further operations
-if [ ! "$SSHSM_HW_PLUGINS_PARENT_DIR" ]
-then
- echo "There is no Plugin directory assigned. Hence creating the directory required by SoftHSM"
- SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
-fi
- mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
-echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
-
-mkdir -p /var/run/dbus
-
-# Initialize the token
-softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" --pin ${upin} --so-pin ${sopin}
-softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
-SoftHSMv2SlotID="$(cat slotinfo.txt)"
-echo "${SoftHSMv2SlotID}"
-
-# 1. 
Create the directory as expected by the SoftHSM to read the files
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
-mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
-
-cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
-touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
-
-# 2. Generate the pkcs11.cfg file required for the SoftHSM opeations
-touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "${key_id}"
-echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "${key_label}"
-echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-echo "sopin is ${sopin}"
-echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
-
-# 3.a Copy the required input files for the Import tool
-cp ${duplicatetooldir}/* /sshsm/tpm-util/initandverify
-
-# 3.b Run the Import Utility
-cd /sshsm/tpm-util/initandverify
-./ImportTpmKey.sh
-
-# 3.c Copy the output of the Import utility to the directory that SoftHSMv2 expects
-cp /sshsm/tpm-util/initandverify/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
-cp /sshsm/tpm-util/initandverify/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
-
-# Setting up the java application and running the application
-# 4. 
Create the configuration pkcs11.cfg for the application
-touch /tmp/pkcs11.cfg
-chmod 755 /tmp/pkcs11.cfg
-echo "name = ${key_label}" >> /tmp/pkcs11.cfg
-echo "${applicationlibrary}"
-echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
-echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
-
-# 5. Compile the Application
-cd /tmp/files/applicationfiles
-cp test.csr /tmp/test.csr
-javac CaSign.java
-
-# 6. Convert the crt to der format
-openssl x509 -in ca.cert -outform der -out ca.der
-
-# 7. Add the ca certificate
-pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} --write-object ./ca.der --type cert --id ${cert_id}
-
-# 8. Run the Application
-java CaSign ${upin} 0x${cert_id}
-
-# 9. Verify the generated certificate
-openssl verify -verbose -CAfile ca.cert /tmp/test.cert
-
-# 10. CleanUp
-cd /
-rm -rf slotinfo.txt
--
cgit 1.2.3-korg