blob: 9ef4cf9cba441b21aff7c5415ebd5a6329154e01 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
#NOTE - This scripts expects the Init and the Duplicate tools to be already run and the output files to be present at the
# shared volume (input for Import tool)
#!/bin/bash
set -e
#Placeholder of Input files to the Import tool which is the output of duplicate tool
duplicatetooldir="/tmp/files/duplicatetoolfiles"
#Pluginlibrary
pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
#key_id is the parameter expected by SoftHSM
key_id="8738"
#TPM handle
tpm_handle="0x81000011"
#Key_label is the parameter expected by SoftHSM
key_label="ABC"
#UserPin for the SoftHSM operations
upin="123456789"
#SoPin for the SoftHSM operations
sopin="123456789"
#Slot number for the SoftHSM operations. Initially it should be started with 0
slot_no="0"
#Name for creating the slot used by SoftHSM
token_no="Token1"
#Location for the application to fecth SoftHSM library
applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
#cert_id is the input for the application which is hexadecimal equivalent of key_id
cert_id=$(printf '%x' ${key_id})
#Plugin directory for the SoftHSM to load plugin and for further operations
if [ ! "$SSHSM_HW_PLUGINS_PARENT_DIR" ]
then
echo "There is no Plugin directory assigned. Hence creating the directory required by SoftHSM"
SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
fi
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
mkdir -p /var/run/dbus
# Initialize the token
softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" --pin ${upin} --so-pin ${sopin}
softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
SoftHSMv2SlotID="$(cat slotinfo.txt)"
echo "${SoftHSMv2SlotID}"
# 1. Create the directory as expected by the SoftHSM to read the files
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
# 2. Generate the pkcs11.cfg file required for the SoftHSM opeations
touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
echo "${key_id}"
echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
echo "${key_label}"
echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
echo "sopin is ${sopin}"
echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
# 3.a Copy the required input files for the Import tool
cp ${duplicatetooldir}/* /sshsm/tpm-util/initandverify
# 3.b Run the Import Utility
cd /sshsm/tpm-util/initandverify
./ImportTpmKey.sh
# 3.c Copy the output of the Import utility to the directory that SoftHSMv2 expects
cp /sshsm/tpm-util/initandverify/outPriv ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
cp /sshsm/tpm-util/initandverify/outPub ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
# Setting up the java application and running the application
# 4. Create the configuration pkcs11.cfg for the application
touch /tmp/pkcs11.cfg
chmod 755 /tmp/pkcs11.cfg
echo "name = ${key_label}" >> /tmp/pkcs11.cfg
echo "${applicationlibrary}"
echo "library = ${applicationlibrary}" >> /tmp/pkcs11.cfg
echo "slot = ${SoftHSMv2SlotID}" >> /tmp/pkcs11.cfg
# 5. Compile the Application
cd /tmp/files/applicationfiles
cp test.csr /tmp/test.csr
javac CaSign.java
# 6. Convert the crt to der format
openssl x509 -in ca.cert -outform der -out ca.der
# 7. Add the ca certificate
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} --write-object ./ca.der --type cert --id ${cert_id}
# 8. Run the Application
java CaSign ${upin} 0x${cert_id}
# 9. Verify the generated certificate
openssl verify -verbose -CAfile ca.cert /tmp/test.cert
# 10. CleanUp
cd /
rm -rf slotinfo.txt
|