2023-12-06 15:20:56 +00:00
# By default the latest powershell image will be used. That will make the image only compatible with Win11.
# BASE_IMAGE_TAG can be specified as a docker build argument to choose different tag.
# List of available tags for Microsoft's powershell docker image: https://mcr.microsoft.com/v2/powershell/tags/list.
# This Dockerfile requires Powershell 7+. e.g. lts-windowsservercore-1809
ARG BASE_IMAGE_TAG = latest
FROM mcr.microsoft.com/powershell:${BASE_IMAGE_TAG}
2023-11-09 16:54:51 +00:00
LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
LABEL org.opencontainers.image.description NSA\' s HIRS Attestation Certificate Authority in a Windows-native image. Expose port 8443 to access the portal from outside the container.
2023-12-06 15:20:56 +00:00
LABEL org.opencontainers.image.base.name mcr.microsoft.com/powershell:${ BASE_IMAGE_TAG }
2023-11-09 16:54:51 +00:00
SHELL [ "pwsh" , "-Command" ]
# Output Powershell Version
# This Dockerfile requires Powershell 7+.
RUN $PSVersionTable
# Set up logging area
RUN mkdir -p C:/ProgramData/hirs/aca
RUN mkdir -p C:/ProgramData/hirs/log
# Download and install Java 17
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe' , 'C:/jdk-17.0.8_windows-x64_bin.exe' ) )
RUN Write-Host "Installing JDK..."
2024-01-30 19:03:17 +00:00
RUN Start-Process -filepath 'C:/jdk-17.0.8_windows-x64_bin.exe' -Wait -PassThru -ArgumentList "/s"
2023-11-09 16:54:51 +00:00
RUN Write-Host "Finished installing JDK."
2024-01-30 19:03:17 +00:00
RUN ls 'C:\Program Files'
2023-11-09 16:54:51 +00:00
RUN ls 'C:\Program Files\Java'
RUN ls 'C:\Program Files\Java\jdk-17\'
# Download and install Mariadb as a service
2023-12-06 15:20:56 +00:00
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://archive.mariadb.org/mariadb-11.1.2/winx64-packages/mariadb-11.1.2-winx64.msi' , 'C:/mariadb-11.1.2-winx64.msi' ) )
2023-11-09 16:54:51 +00:00
RUN Write-Host "Installing MariaDB..."
# mariadb silent install options https://mariadb.com/kb/en/installing-mariadb-msi-packages-on-windows/
RUN Start-Process -Wait -FilePath msiexec.exe -ArgumentList @( '/i' , 'C:\mariadb-11.1.2-winx64.msi' , 'ADDLOCAL=ALL' , 'REMOVE=HeidiSQL' , 'SERVICENAME=MariaDB' , '/qn' , '/L*V' , 'C:/ProgramData/hirs/log/mariadb_install.log' )
RUN Write-Host "Finished installing mariadb."
RUN ls 'C:\Program Files'
RUN ls 'C:\Program Files\MariaDB 11.1'
# Download and install Git
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://github.com/git-for-windows/git/releases/download/v2.42.0.windows.2/Git-2.42.0.2-64-bit.exe' , 'C:/Git-2.42.0.2-64-bit.exe' ) )
RUN Write-Host "Installing Git..."
RUN Start-Process -FilePath 'C:/Git-2.42.0.2-64-bit.exe' -ArgumentList \" /VERYSILENT /NORESTART /NOCANCEL /SP- /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /o:PathOption= CmdTools /o:BashTerminalOption= ConHost /o:EnableSymlinks= Enabled /COMPONENTS= gitlfs\" -Wait -PassThru
# Disable GCM machine-wide
RUN [ Environment] ::SetEnvironmentVariable( 'GCM_INTERACTIVE' , 'Never' , [ System.EnvironmentVariableTarget] ::Machine)
RUN Write-Host "Finished installing Git."
2023-12-06 15:20:56 +00:00
# Download and install .NET SDK 6
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://dotnet.microsoft.com/download/dotnet/scripts/v1/dotnet-install.ps1' , 'C:/dotnet-install.ps1' ) )
RUN Write-Host "Installing .NET SDK..."
RUN pwsh -ExecutionPolicy Bypass C:/dotnet-install.ps1 --channel 6.0
RUN Write-Host "Finished installing .NET SDK."
# Download and install VS Build Tools from Microsoft
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://aka.ms/vs/17/release/vs_buildtools.exe' , 'C:/vs_buildtools.exe' ) )
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://aka.ms/vs/17/release/channel' , 'C:/vs_channel.chman' ) )
RUN Write-Host "Installing Visual Studio Build Tools..."
2024-01-30 19:03:17 +00:00
RUN Start-Process -FilePath 'C:/vs_buildtools.exe' -ArgumentList \" --quiet --wait --norestart --nocache --channelUri C:/vs_channel.chman --installChannelUri C:/vs_channel.chman --add Microsoft.VisualStudio.Workload.VCTools --includeRecommended --installPath C:/vsbuildtools\" -Wait -PassThru
2023-12-06 15:20:56 +00:00
RUN Write-Host "Finished installing Visual Studio Build Tools."
# Download and extract pre-built openssl
RUN ( ( New-Object System.Net.WebClient) .DownloadFile( 'https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.1.4.zip' , 'C:/openssl-3.1.zip' ) )
RUN Expand-Archive C:/openssl-3.1.zip -DestinationPath C:/openssl_files
WORKDIR C:/openssl_files/openssl-3
RUN cp -Recurse -Force C:/openssl_files/openssl-3/x64 'C:/Program Files/openssl'
RUN ls 'C:\Program Files\openssl'
2023-11-09 16:54:51 +00:00
# Expose ACA Port
2023-12-06 15:20:56 +00:00
EXPOSE 8443
2023-11-09 16:54:51 +00:00
# Set Environment Variables
RUN setx JAVA_HOME 'C:\Program Files\Java\jdk-17'
RUN setx GIT_HOME 'C:\Program Files\Git'
2023-12-06 15:20:56 +00:00
RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;C:\vsbuildtools\MSBuild\Current\Bin;%LOCALAPPDATA%\Microsoft\dotnet;%PATH%'
2023-11-09 16:54:51 +00:00
# Echo System Variables
RUN echo $Env :PATH
RUN echo $Env :GIT_HOME
RUN echo $Env :JAVA_HOME
2023-12-06 15:20:56 +00:00
# Clone ibmswtpm2 and build
RUN git clone https://github.com/kgoldman/ibmswtpm2.git C:/ibmswtpm2
## tpm_server.sln is looking for the openssl crypto lib in a fixed location
RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto64md.lib'
WORKDIR C:/ibmswtpm2/tpmvstudio/tpm_server
#IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
RUN MSBuild.exe .\t pm_server.sln -t:Build -p:Configuration= Release -p:Platform= x64
# RUN Start-Process "C:/ibmswtpm2/tpmvstudio/tpm_server/x64/Release/tpm_server.exe" -WindowStyle Hidden
# Clone ibmtss and build
RUN git clone https://github.com/kgoldman/ibmtss.git C:/ibmtss
## Again, This VS project is looking for the openssl crypto library in a fixed location. The paths are imported into multiple subprojects. Easier to edit the paths than attempt to copy the library everywhere.
RUN ( ( Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto64mdd' ,'C:/program files/openssl/lib/libcrypto' ) | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
RUN ( ( Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto64md' ,'C:/program files/openssl/lib/libcrypto' ) | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
WORKDIR C:/ibmtss/tpmutils
# IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
RUN MSBuild.exe .\t pmutils.sln -t:Build -p:Configuration= Release -p:Platform= x64
# Update path with the ibmtss utilities; Have to include previous additions as well
RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;C:\vsbuildtools\MSBuild\Current\Bin;%LOCALAPPDATA%\Microsoft\dotnet;C:\ibmswtpm2\tpmvstudio\tpm_server\x64\Release;C:\ibmtss\tpmutils\x64\Release;%PATH%'
# Echo PATH after update
RUN echo $Env :PATH
2023-11-09 16:54:51 +00:00
# Clone HIRS main
WORKDIR C:/
RUN git config --global --add core.autocrlf false
RUN git config --global --add safe.directory '*'
2023-12-06 15:20:56 +00:00
RUN git clone -b main https://github.com/nsacyber/hirs.git C:/repo
2023-11-09 16:54:51 +00:00
# Defensive copy of the repo so it's easy to start fresh if needed
WORKDIR C:/repo
RUN cp -Recurse -Force C:/repo C:/hirs
# Ensure Windows configuration files are in place before build.
WORKDIR C:/hirs
RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_win_config.ps1
# Run bootWar to cache build objects and dependencies
WORKDIR C:/hirs
RUN setx GRADLE_OPTS '-Dorg.gradle.daemon=false'
2023-12-06 15:20:56 +00:00
RUN ./gradlew.bat clean bootWar
2023-11-09 16:54:51 +00:00
RUN cp ./HIRS_AttestationCAPortal/src/main/resources/application.win.properties C:/ProgramData/hirs/aca/
# Run ACA Setup- PKI and DB
WORKDIR C:/hirs
RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_setup.ps1 -unattended
2023-12-06 15:20:56 +00:00
# Add ACA TLS certification path to container OS
# Allows the Invoke-WebRequest command in the HEALTHCHECK to work with TLS
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
HEALTHCHECK --start-period= 50s --interval= 1s --timeout= 90s CMD pwsh -Command try { $response = Invoke-WebRequest -Uri https://localhost:8443; if ( $response .StatusCode -eq 200) { return 0 } else { return 1 } ; } catch { return 1 }
2023-11-09 16:54:51 +00:00
CMD [ "pwsh" , "-Command" , "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1" ]