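#!/usr/bin/env pwsh
############################################################################################
# Creates 2 Certificate Chains for the ACA:
# 1 RSA 3K SHA 384
# 2 ECC 512 SHA 384
#
# Parameters:
#   -LOG_FILE    log file to write to; when omitted, set_up_log (from aca_common.ps1)
#                picks one.
#   -PKI_PASS    password protecting the generated PKI keys; when omitted, the
#                HIRS_PKI_PWD environment variable is used, else a random value.
#   -UNATTENDED  accepted on the command line; not consulted by this script.
#
# Exit status: 1 when not running as Administrator or when a chain generation step
# reports a non-zero exit code; otherwise 0.
############################################################################################

param (
    [string]$LOG_FILE = $null,
    [string]$PKI_PASS = $null,
    [switch]$UNATTENDED = $false
)

$APP_HOME = (Split-Path -parent $PSCommandPath)
$ACA_COMMON_SCRIPT = (Join-Path "$APP_HOME" .. aca aca_common.ps1)

# Load other scripts (read_*_properties, set_up_log, create_random, WriteAndLog,
# add_new_*_property and the $global:HIRS_* values are expected to come from here).
. $ACA_COMMON_SCRIPT

# Read aca.properties
read_aca_properties $global:HIRS_DATA_ACA_PROPERTIES_FILE

# Read spring application.properties
read_spring_properties $global:HIRS_DATA_SPRING_PROP_FILE

# Parameter check
if ($LOG_FILE) {
    # NOTE(review): `touch` is not a built-in PowerShell command on Windows; presumably
    # provided by aca_common.ps1 or a shell alias -- confirm.
    touch $LOG_FILE
    $global:LOG_FILE = $LOG_FILE
} else {
    set_up_log
}

if (!$PKI_PASS) {
    if ($Env:HIRS_PKI_PWD) {
        $PKI_PASS = $Env:HIRS_PKI_PWD
    } else {
        $PKI_PASS = (create_random)
        echo "Using randomly generated password for the PKI key password" | WriteAndLog
    }
}

# Best effort, as before: an already existing directory is not an error. The explicit
# New-Item avoids relying on mkdir's parameter-prefix matching for -F / -p.
New-Item -ItemType Directory -Force -Path $global:HIRS_CONF_DIR -ErrorAction SilentlyContinue | Out-Null
echo "APP_HOME is $APP_HOME" | WriteAndLog

# Check for an elevated (Administrator) user
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (!$currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    echo "This script requires root. Please run as root" | WriteAndLog
    exit 1
}

# Create Cert Chains
if (![System.IO.Directory]::Exists($global:HIRS_DATA_CERTIFICATES_DIR)) {
    if ([System.IO.Directory]::Exists($global:HIRS_REL_WIN_PKI_HOME)) {
        $PKI_SETUP_DIR = $global:HIRS_REL_WIN_PKI_HOME
    } else {
        $PKI_SETUP_DIR = $APP_HOME
    }
    echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | WriteAndLog

    New-Item -ItemType Directory -Force -Path $global:HIRS_DATA_CERTIFICATES_DIR -ErrorAction SilentlyContinue | Out-Null

    Copy-Item "$PKI_SETUP_DIR/ca.conf" $global:HIRS_DATA_CERTIFICATES_DIR

    # Runs one pki_chain_gen.ps1 invocation and stops the script if it reports failure,
    # so a password is never persisted for a chain that was not actually produced.
    # (Assumes pki_chain_gen.ps1 / pwsh exit non-zero on failure -- confirm.)
    #
    # The key password is handed to the child process as a command-line argument, so it
    # is visible to any local account that can enumerate process command lines for the
    # lifetime of that process. Changing the hand-off (environment variable or stdin)
    # needs a matching change in pki_chain_gen.ps1, which is outside this script.
    function Invoke-ChainGen([string]$algorithm, [string]$keySize) {
        pwsh -ExecutionPolicy Bypass $PKI_SETUP_DIR/pki_chain_gen.ps1 "HIRS" $algorithm $keySize "sha384" "$PKI_PASS" "$global:LOG_FILE"
        if ($LASTEXITCODE -ne 0) {
            echo "pki_chain_gen.ps1 failed for $algorithm $keySize (exit code $LASTEXITCODE)" | WriteAndLog
            exit 1
        }
    }

    Invoke-ChainGen "rsa" "3072"
    Invoke-ChainGen "ecc" "512"

    # Save the password to the ACA properties file.
    # Both property files below end up holding the key password in clear text; their
    # permissions should stay restricted to the account running the ACA.
    add_new_aca_property -file:"$global:HIRS_DATA_ACA_PROPERTIES_FILE" -newKeyAndValue:"hirs_pki_password=$PKI_PASS"

    # Save connector information to the application properties file.
    add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"server.ssl.key-store-password=$PKI_PASS"
    add_new_spring_property -file:"$global:HIRS_DATA_SPRING_PROP_FILE" -newKeyAndValue:"server.ssl.trust-store-password=$PKI_PASS"
} else {
    echo "$global:HIRS_DATA_CERTIFICATES_DIR exists, skipping" | WriteAndLog
}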