Merge pull request #575 from nsacyber/v3_issue_560-db_tls-fips-fix

Cipher options on openssl pkcs12 export cmds. [no ci]

package/scripts/aca/aca_setup.sh

@@ -23,7 +23,7 @@ help () {
 
 # Process parameters Argument handling 
 POSITIONAL_ARGS=()
-
+ORIGINAL_ARGS=("$@")
 while [[ $# -gt 0 ]]; do
   case $1 in
     -sd|--skip-db)
@@ -62,18 +62,19 @@ mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
 
 echo "ACA setup log file is $LOG_FILE"
 
-if [ -z $HIRS_MYSQL_ROOT_PWD ]; then 
-    echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
-  else 
-    echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
-fi
+#if [ -z $HIRS_MYSQL_ROOT_PWD ]; then 
+#    echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
+#  else 
+#    echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
+#fi
 
 if [ "$EUID" -ne 0 ]
       then echo "This script requires root.  Please run as root"
       exit 1
 fi
 
-echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
+touch "$LOG_FILE"
+echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
 
 pushd $SCRIPT_DIR &>/dev/null
 
@@ -103,7 +104,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
       exit 1
    fi
    else
-      echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+      echo "ACA PKI setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
 fi
 
 if [ -z "${ARG_SKIP_DB}" ]; then
@@ -115,7 +116,7 @@ if [ -z "${ARG_SKIP_DB}" ]; then
     exit 1
    fi
    else
-      echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
+      echo "ACA Database setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
 fi
 
 echo "ACA setup complete" | tee -a "$LOG_FILE"

package/scripts/pki/pki_chain_gen.sh

@@ -106,9 +106,9 @@ fi
 add_to_stores () {
    CERT_PATH=$1
    ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias
-   echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE" 
+   echo "Adding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE" 
    # Add the cert and key to the key store. make a p12 file to import into te keystore
-   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS  >> "$LOG_FILE" 2>&1
    # Use the p12 file to import into a java keystore via keytool
    keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1 
    # Import the cert into a java trust store via keytool
@@ -172,7 +172,7 @@ create_cert () {
    # remove csr file
    rm -f "$CERT_PATH".csr
    # Add the cert and key to the key store. make a p12 file to import into te keystore
-   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS  >> "$LOG_FILE" 2>&1
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS  >> "$LOG_FILE" 2>&1
    # Use the p12 file to import into a java keystore via keytool
    keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1 
    # Import the cert into a java trust store via keytool