From 146d05961de6a3c11061cc6d21db6ef5a5783c7c Mon Sep 17 00:00:00 2001 From: iadgovuser26 Date: Fri, 7 Jul 2023 19:23:02 +0000 Subject: [PATCH] updated application.settings to use tls --- .../src/main/resources/application.properties | 31 +++++-- package/scripts/aca/aca_bootRun.sh | 30 +++++++ package/scripts/pki/ca.conf | 4 +- package/scripts/pki/pki_chain_gen.sh | 2 +- package/scripts/pki/pki_setup.sh | 33 +++++--- package/scripts/pki/pki_update_tls_cert.sh | 81 +++++++++++++++++++ 6 files changed, 159 insertions(+), 22 deletions(-) create mode 100644 package/scripts/aca/aca_bootRun.sh create mode 100644 package/scripts/pki/pki_update_tls_cert.sh diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties index c1ffcf6a..685784b3 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/application.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties 
@@ -3,18 +3,26 @@ #spring.mvc.view.prefix=/WEB-INF/jsp/ #spring.mvc.view.suffix=.jsp +# Logging Config (tomcat may have further config) logging.level.org.springframework=INFO logging.level.org.apache.catalina=DEBUG + +# Database Config spring.jpa.hibernate.ddl-auto=update spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false spring.datasource.username=hirs_db -spring.datasource.password=hirs_db jakarta.persistence.sharedCache.mode = UNSPECIFIED - spring.datasource.driver-class-name=org.mariadb.jdbc.Driver #spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver +# Tomcat Config +server.tomcat.additional-tld-skip-patterns=*.jar +server.tomcat.basedir=/opt/embeddedtomcat +server.servlet.register-default-servlet=true +server.servlet.context-path=/HIRS_AttestationCAPortal +spring.mvc.servlet.path=/portal + server.tomcat.accesslog.enabled=true server.tomcat.accesslog.directory=logs server.tomcat.accesslog.file-date-format=yyyy-MM-dd @@ -22,10 +30,15 @@ server.tomcat.accesslog.prefix=access_log server.tomcat.accesslog.suffix=.log server.tomcat.accesslog.rotate=true -server.tomcat.basedir=/opt/embeddedtomcat -server.servlet.register-default-servlet=true -server.servlet.context-path=/HIRS_AttestationCAPortal -spring.mvc.servlet.path=/portal +# Tomcat TLS support +server.port=8443 +server.ssl.enabled=true +server.ssl.trust-store-type=JKS +server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks +server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18 +server.ssl.key-store-type=JKS +server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks +server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384 #jdbc.driverClassName = com.mysql.cj.jdbc.Driver #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false 
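Review bot: `server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18` in the second hunk commits a keystore password into a resource under src/main/resources that ships inside the application artifact, and the same literal is repeated by the third hunk (which also adds `server.ssl.key-store-password`) and by the gradle command line in aca_bootRun.sh; once it is in the repository history the value has to be treated as known and rotated. The third hunk sets `server.ssl.trust-store-password` a second time, so the copy added here is dead configuration and a reader can no longer tell from the file which value is in effect (presumably the later one). Since pki_setup.sh in this same patch generates a random password and appends it to an install-time properties file, the committed file should carry no literal at all: drop the `server.ssl.trust-store-password=` line from this hunk and replace the two password lines in the third hunk with a comment such as `# server.ssl.*-password values are written by pki_setup.sh at install time`. `spring.datasource.password=hirs_db`, moved into the same "appended" section by the third hunk, is the same case.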
@@ -34,3 +47,9 @@ spring.mvc.servlet.path=/portal
 #entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
 #spring.jpa.hibernate.ddl-auto=update
 #spring.jpa.show-sql=true
+
+# Passwords get appended here ...
+spring.datasource.password=hirs_db
+server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18
+server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18
+
diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh
new file mode 100644
index 00000000..83a588f8
--- /dev/null
+++ b/package/scripts/aca/aca_bootRun.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+#####################################################################################
+#
+# Script to run ACA using the gradle spring pluing bootRun command with password set
+#
+#
+####################################################################################
+
+PASS_FILE="/etc/hirs/aca/application.properties"
+
+declare -A props
+
+if [ -f $PASS_FILE ]; then
+ while IFS="=" read -r key value; do
+ echo "key is $key, value is $value"
+ if [ ! -z "$key" ]; then
+ props["$key"]="$value"
+ fi
+ done < "$PASS_FILE"
+else
+ echo "error reading $PASS_FILE"
+ exit 1
+fi
+
+echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
+echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
+
+#./gradlew bootRun --args=--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]},--server.ssl.key-store-password=${props["server.ssl.key-store-password"]}
+
+./gradlew bootRun --args="--server.ssl.trust-store-password=53d035ff814c1dd5c7e303f5fa080c18 --server.ssl.key-store-password=53d035ff814c1dd5c7e303f5fa080c18"
diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index 767cfcf3..74d1b748 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
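Review bot: The `props` map built from `$PASS_FILE` is never used — the final `./gradlew bootRun` line passes a hard-coded password instead — so the parsing loop is dead code and a password changed at install time is silently ignored. The `echo "key is $key, value is $value"` inside the loop and the two `echo "server_ssl_..."` lines after it print every value in the properties file, passwords included, to stdout, where they end up in build and CI logs. Suggest deleting those three `echo` lines and using the parsed values, `./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"`, and quoting the test as `if [ -f "$PASS_FILE" ]; then`. Anything passed through `--args` is also visible in the process list for the lifetime of the JVM, so pointing Spring at the file via `spring.config.additional-location` instead of copying the values onto argv would be the safer hand-off.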
@@ -35,7 +35,7 @@ crlDistributionPoints = URI:https://example.com/crl [ server_extensions ] keyUsage = critical,digitalSignature,keyEncipherment -basicConstraints = CA:false +basicConstraints = critical extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always @@ -46,7 +46,7 @@ crlDistributionPoints = URI:https://example.com/crl keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical,CA:false +basicConstraints = critical keyUsage = critical, digitalSignature authorityInfoAccess = caIssuers;URI:https://example.com/certs/ crlDistributionPoints = URI:https://example.com/crl diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index bf2dd514..fffa44fc 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh @@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca" INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca" LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca" SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer" -TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal" +TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost" # Add check for existing folder and halt if it exists if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index 6a69f104..2dd83d9f 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh 
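Review bot: `basicConstraints = critical` in both hunks of ca.conf drops the `CA:false` value and leaves only the criticality keyword; OpenSSL's extension syntax expects `critical,` followed by at least one name/value pair, so this is likely to be rejected as an invalid extension value when `openssl ca` loads the config, and even where it is accepted the end-entity constraint is no longer stated explicitly. Write it as `basicConstraints = critical,CA:false` in `[ server_extensions ]` and in the second hunk's section, which keeps the intent of marking the extension critical while still asserting that these are leaf certificates.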
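Review bot: `TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"` in the pki_chain_gen.sh hunk contains five double quotes, so the last one opens a string that is only closed somewhere in the lines that follow; the script will either fail to parse or fold the following lines into TLS_DN. Write it as `TLS_DN="/C=US/ST=MD/L=Columbia/O=$ACTOR/CN=localhost"`. Hard-coding CN=localhost also means the certificate only validates for connections to the local host; pki_update_tls_cert.sh in this patch takes the CN as its first argument, and the chain generator could take the same parameter (defaulting to localhost) so both produce a certificate matching the name clients actually use.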
@@ -6,28 +6,35 @@ # ############################################################################################ +PROP_FILE=/etc/hirs/aca/apllication.properties + # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) # Set HIRS PKI password if [ -z $HIRS_PKI_PWD ]; then # Create a 32 character random password PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - #PKI_PASS="xrb204k" fi # Create an ACA properties file using the new password -pushd $SCRIPT_DIR &> /dev/null - if [ ! -f "/etc/hirs/aca/aca.properties" ]; then - if [ -d /opt/hirs/scripts/aca ]; then - ACA_SETUP_DIR="/opt/hirs/scripts/aca" - else - ACA_SETUP_DIR=="$SCRIPT_DIR/../aca" - fi - echo "ACA_SETUP_DIR is $ACA_SETUP_DIR" - sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS - else - echo "aca property file exists, skipping" - fi +#pushd $SCRIPT_DIR &> /dev/null +# if [ ! -f "/etc/hirs/aca/aca.properties" ]; then +# if [ -d /opt/hirs/scripts/aca ]; then +# ACA_SETUP_DIR="/opt/hirs/scripts/aca" +# else +# ACA_SETUP_DIR="$SCRIPT_DIR/../aca" +# fi +# echo "ACA_SETUP_DIR is $ACA_SETUP_DIR" +# sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS +# else +# echo "aca property file exists, skipping" +# fi + +# Add password to properties file +echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE +echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE + +# Clear out previous pki password and set new password in the application.properties file for embedded tomcat popd &> /dev/null diff --git a/package/scripts/pki/pki_update_tls_cert.sh b/package/scripts/pki/pki_update_tls_cert.sh new file mode 100644 index 00000000..cd124bff --- /dev/null +++ b/package/scripts/pki/pki_update_tls_cert.sh 
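Review bot: `PROP_FILE=/etc/hirs/aca/apllication.properties` misspells the filename, while aca_bootRun.sh in this patch reads `/etc/hirs/aca/application.properties`, so the two appended `server.ssl.*-password=` lines land in a file nothing reads. Fix the spelling, and note that the unconditional `>>` appends add another password line on every run rather than replacing the old one, which is the opposite of what the new comment "Clear out previous pki password and set new password" announces; a delete-then-append (or `sed`-style in-place replace of the two keys) is needed before the echo lines. With `pushd` now commented out, the retained `popd &> /dev/null` pops a directory that was never pushed and should go too. The unchanged `if [ -z $HIRS_PKI_PWD ]` block only assigns PKI_PASS when the variable is empty, so unless PKI_PASS is set before this hunk, providing HIRS_PKI_PWD results in empty passwords being appended — an `else PKI_PASS=$HIRS_PKI_PWD` branch would cover that.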
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+CN=$1
+PASS=$2
+ACTOR="HIRS"
+ACTOR_ALT=${ACTOR// /_}
+ASYM_ALG="rsa"
+ASYM_SIZE=3072
+KSIZE="3k"
+HASH_ALG="sha384"
+CERT_FOLDER="/etc/hirs/certificates/HIRS/$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_certs
+#CERT_FOLDER="."
+EXTENSION="server_extensions"
+TRUSTSTORE="/etc/hirs/certificates/HIRS/TrustStore.jks"
+
+echo "CERT_FOLDER is $CERT_FOLDER"
+
+
+if [ -z "${CN}" ] || [ -z "${PASS}" ] || [ "${CN}" == "-h" ] || [ "${CN}" == "--help" ]; then
+ echo "parameter missing to pki_tls_update.sh, exiting"
+ exit 1;
+fi
+
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=$CN"
+
+TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
+
+echo "TLS_SERVER is $TLS_SERVER"
+create_cert () {
+ CERT_PATH="$1"
+ ISSUER="$2"
+ SUBJ_DN="$3"
+ ISSUER_KEY="$ISSUER".key
+ ISSUER_CERT="$ISSUER".pem
+ ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
+
+ pushd /etc/hirs/certificates/HIRS
+
+# if [ "$CERT_TYPE" == "rim_signer" ]; then
+# EXTENSION="signer_extensions"
+# else
+# EXTENSION="ca_extensions"
+# fi
+
+ echo "Updating cert for "$CERT_PATH".pem using $ISSUER_KEY with a DN="$SUBJ_DN" using $EXTENSION."
+
+ if [ "$ASYM_ALG" == "rsa" ]; then
+ openssl req -newkey rsa:"$ASYM_SIZE" \
+ -keyout "$CERT_PATH".key \
+ -out "$CERT_PATH".csr -subj "$SUBJ_DN" \
+ -passout pass:"$PASS"
+#&> /dev/null
+ else
+ openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
+ openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
+ fi
+ openssl ca -config ca.conf \
+ -keyfile "$ISSUER_KEY" \
+ -md $HASH_ALG \
+ -cert "$ISSUER_CERT" \
+ -extensions "$EXTENSION" \
+ -out "$CERT_PATH".pem \
+ -in "$CERT_PATH".csr \
+ -passin pass:"$PASS" \
+ -batch \
+ -notext
+ popd
+
+#&> /dev/null
+ # Increment the cert serial number
+ awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
+ # remove csr file
+ rm -f "$CERT_PATH".csr
+ # remove all cert from TrustStore.jks
+ keytool -delete -noprompt -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+ # insert new cert into TrustStore.jks with same alias
+ keytool -import -file ""$CERT_PATH".pem" -alias hirs_aca_tls_rsa_3k_sha384 -keystore $TRUSTSTORE -storepass $PASS
+}
+
+create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
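Review bot: create_cert generates a fresh key pair and certificate (`"$CERT_PATH".key` / `"$CERT_PATH".pem`) but only imports the certificate into `$TRUSTSTORE`; nothing in the script touches the `KeyStore.jks` that this patch's application.properties points `server.ssl.key-store` at under alias `hirs_aca_tls_rsa_3k_sha384`, so unless the key store is rebuilt elsewhere Tomcat keeps serving the previous key and the new certificate never reaches clients. The function should end by repackaging the new key and certificate into that key store under the same alias, as sketched below; the existing `keytool -delete`/`-import` pair for the trust store stays as is. Two smaller defects on the same lines: `awk ... ./ca/serial.txt &> /dev/null` runs after `popd` against a relative path and writes only to /dev/null, so the serial file is never incremented (`openssl ca` normally maintains its own serial file anyway), and `ALIAS=${CERT_PATH#*/}` strips only the leading `/` — `${CERT_PATH##*/}` would give the basename the comment describes, though ALIAS is currently unused. `$PASS` also appears on several command lines (`-passout pass:`, `-passin pass:`, `-storepass`), where it is readable by other local users through the process list; openssl's `env:VAR` / `file:PATH` password sources and keytool's `-storepass:env` / `-storepass:file` forms avoid that.
```shell
  # … unchanged: keytool -delete / -import into $TRUSTSTORE …
  # Repackage the new key+cert and replace the server entry in the Tomcat key store.
  # Assumes the key store uses the same password as the trust store, as the
  # application.properties in this patch does — confirm against the installer.
  KEYSTORE="/etc/hirs/certificates/HIRS/KeyStore.jks"
  openssl pkcs12 -export -inkey "$CERT_PATH".key -in "$CERT_PATH".pem \
    -name hirs_aca_tls_rsa_3k_sha384 -passin pass:"$PASS" -passout pass:"$PASS" \
    -out "$CERT_PATH".p12
  keytool -delete -noprompt -alias hirs_aca_tls_rsa_3k_sha384 -keystore "$KEYSTORE" -storepass "$PASS"
  keytool -importkeystore -noprompt -srckeystore "$CERT_PATH".p12 -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$KEYSTORE" -deststorepass "$PASS"
  rm -f "$CERT_PATH".p12
```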