Merge pull request #575 from nsacyber/v3_issue_560-db_tls-fips-fix
Cipher options on openssl pkcs12 export cmds. [no ci]
This commit is contained in:
commit
0231a01a48
@ -23,7 +23,7 @@ help () {
|
|||||||
|
|
||||||
# Process parameters Argument handling
|
# Process parameters Argument handling
|
||||||
POSITIONAL_ARGS=()
|
POSITIONAL_ARGS=()
|
||||||
|
ORIGINAL_ARGS=("$@")
|
||||||
while [[ $# -gt 0 ]]; do
|
while [[ $# -gt 0 ]]; do
|
||||||
case $1 in
|
case $1 in
|
||||||
-sd|--skip-db)
|
-sd|--skip-db)
|
||||||
@ -62,18 +62,19 @@ mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
|
|||||||
|
|
||||||
echo "ACA setup log file is $LOG_FILE"
|
echo "ACA setup log file is $LOG_FILE"
|
||||||
|
|
||||||
if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
|
#if [ -z $HIRS_MYSQL_ROOT_PWD ]; then
|
||||||
echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
|
# echo "HIRS_MYSQL_ROOT_PWD is not set, using locally generated mysql root password"
|
||||||
else
|
# else
|
||||||
echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
|
# echo "HIRS_MYSQL_ROOT_PWD is set, using previously set mysql root password"
|
||||||
fi
|
#fi
|
||||||
|
|
||||||
if [ "$EUID" -ne 0 ]
|
if [ "$EUID" -ne 0 ]
|
||||||
then echo "This script requires root. Please run as root"
|
then echo "This script requires root. Please run as root"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
|
touch "$LOG_FILE"
|
||||||
|
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" >> "$LOG_FILE"
|
||||||
|
|
||||||
pushd $SCRIPT_DIR &>/dev/null
|
pushd $SCRIPT_DIR &>/dev/null
|
||||||
|
|
||||||
@ -103,7 +104,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
|
echo "ACA PKI setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "${ARG_SKIP_DB}" ]; then
|
if [ -z "${ARG_SKIP_DB}" ]; then
|
||||||
@ -115,7 +116,7 @@ if [ -z "${ARG_SKIP_DB}" ]; then
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE"
|
echo "ACA Database setup not run due to command line argument: $ORIGINAL_ARGS" | tee -a "$LOG_FILE"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "ACA setup complete" | tee -a "$LOG_FILE"
|
echo "ACA setup complete" | tee -a "$LOG_FILE"
|
||||||
|
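Review bot: `$ORIGINAL_ARGS` in the two new log lines (`ACA PKI setup not run …` and `ACA Database setup not run …`) expands only to element 0 of the array declared as `ORIGINAL_ARGS=("$@")` in the first hunk, so when more than one flag is passed the message names just the first one; use `${ORIGINAL_ARGS[*]}`, e.g. `echo "ACA PKI setup not run due to command line argument: ${ORIGINAL_ARGS[*]}" | tee -a "$LOG_FILE"`, and the same for the database line. The `HIRS_MYSQL_ROOT_PWD` block in the second hunk is left commented out rather than deleted; if that message is no longer wanted, remove the dead lines so the commit history carries the intent instead of the script. Separately, `pushd $SCRIPT_DIR` and the `mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR` in the hunk header are unquoted path expansions; quoting them (`pushd "$SCRIPT_DIR"`) avoids word-splitting if an install path contains spaces. These lines are top-level script code, so the surrounding control flow continues outside the hunks.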
@ -106,9 +106,9 @@ fi
|
|||||||
add_to_stores () {
|
add_to_stores () {
|
||||||
CERT_PATH=$1
|
CERT_PATH=$1
|
||||||
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
|
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
|
||||||
echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
|
echo "Adding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
|
||||||
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
||||||
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
||||||
# Use the p12 file to import into a java keystore via keytool
|
# Use the p12 file to import into a java keystore via keytool
|
||||||
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
|
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
|
||||||
# Import the cert into a java trust store via keytool
|
# Import the cert into a java trust store via keytool
|
||||||
@ -172,7 +172,7 @@ create_cert () {
|
|||||||
# remove csr file
|
# remove csr file
|
||||||
rm -f "$CERT_PATH".csr
|
rm -f "$CERT_PATH".csr
|
||||||
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
# Add the cert and key to the key store. make a p12 file to import into te keystore
|
||||||
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:$PASS -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC -passout pass:$PASS >> "$LOG_FILE" 2>&1
|
||||||
# Use the p12 file to import into a java keystore via keytool
|
# Use the p12 file to import into a java keystore via keytool
|
||||||
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
|
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" >> "$LOG_FILE" 2>&1
|
||||||
# Import the cert into a java trust store via keytool
|
# Import the cert into a java trust store via keytool
|
||||||
|
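Review bot: `$PASS` is still unquoted in `-passout pass:$PASS` on both new openssl lines and in `-srcstorepass $PASS -deststorepass $PASS` on the keytool lines, while `-passin pass:"$PASS"` is quoted in add_to_stores but not in create_cert; a password containing whitespace or glob characters would be split differently by the two commands and the import would fail. The openssl and keytool invocations are now byte-identical apart from that quoting in both functions, so pulling them into one helper keeps the cipher options (`-macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC`) from drifting between the two call sites. The password is also passed as a command-line argument, where it is visible in process listings; `openssl pkcs12` accepts `-passin env:PASS` / `-passout env:PASS` as a drop-in alternative. It is not visible in these hunks whether `tmpkey.p12` is removed after the import; add_to_stores continues past the hunk and create_cert begins before it.
```shell
# Export cert+key as a PKCS#12 bundle and import it into the JKS keystore.
# Shared by add_to_stores and create_cert so the PBE/MAC options live in one place.
import_key_to_keystore () {
  local cert_path=$1
  local alias=$2
  openssl pkcs12 -export -in "$cert_path".pem -inkey "$cert_path".key -out tmpkey.p12 \
    -passin pass:"$PASS" -aes256 -macalg SHA256 -keypbe AES-256-CBC -certpbe AES-256-CBC \
    -passout pass:"$PASS" >> "$LOG_FILE" 2>&1
  keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore "$KEYSTORE" -srcstoretype pkcs12 \
    -srcstorepass "$PASS" -deststoretype jks -deststorepass "$PASS" -noprompt \
    -alias 1 -destalias "$alias" >> "$LOG_FILE" 2>&1
  rm -f tmpkey.p12  # the bundle holds the private key; do not leave it in the working directory
}
# … unchanged: callers replace the openssl/keytool pair with  import_key_to_keystore "$CERT_PATH" "$ALIAS" …
```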