diff --git a/package/scripts/common/db_create.sh b/package/scripts/common/db_create.sh index 82d9440c..b7f1e13a 100644 --- a/package/scripts/common/db_create.sh +++ b/package/scripts/common/db_create.sh @@ -13,6 +13,7 @@ if [ -z $HIRS_DB_PWD ]; then HIRS_DB_PWD="hirs_db" fi # Save hirs_db mysql user password to the properties file +mkdir -p /etc/hirs echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf new file mode 100644 index 00000000..767cfcf3 --- /dev/null +++ b/package/scripts/pki/ca.conf @@ -0,0 +1,53 @@ +[ ca ] +default_ca = ca_default + +[ ca_default ] +new_certs_dir = ./ca/certs +database = ./ca/db +serial = ./ca/serial.txt +policy = generic_policy +copy_extensions = copy +default_md = sha256 +default_days = 3650 +unique_subject = no + +[ req ] +distinguished_name = generic_policy + +[ generic_policy ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = optional +emailAddress = optional + +[ ca_extensions ] +keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign +basicConstraints = critical,CA:true,pathlen:1 +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:true +keyUsage = critical, digitalSignature, cRLSign, keyCertSign +authorityInfoAccess = caIssuers;URI:https://example.com/certs +crlDistributionPoints = URI:https://example.com/crl + +[ server_extensions ] +keyUsage = critical,digitalSignature,keyEncipherment +basicConstraints = CA:false +extendedKeyUsage = serverAuth,clientAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always +authorityInfoAccess = caIssuers;URI:https://example.com/certs +crlDistributionPoints = URI:https://example.com/crl + +[ signer_extensions ] +keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:false +keyUsage = critical, digitalSignature +authorityInfoAccess = caIssuers;URI:https://example.com/certs/ +crlDistributionPoints = URI:https://example.com/crl + diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh new file mode 100644 index 00000000..dd5e23b0 --- /dev/null +++ b/package/scripts/pki/pki_chain_gen.sh @@ -0,0 +1,202 @@ +!/bin/bash +# Script to generate a PKI Stack (Root, Intermediate, and LEAF CAs) and a Base RIM Signer +# creates a folder based upon the actor name and places certs under an algoithm specific folder (e.g. rsa_certs) +# PARAMS: +# 1. Actor name string (e.g. "Server Manufacturer") +# 2. Algorithm string (e.g. rsa or ecc) +# 3. Key Bit Size string (e.g. 2048) +# 4. Hash Algorithm string (e.g. sha256) +# +# Examples: +# make_pki.sh "PC Manufacturer" rsa 2048 sha256 +# make_pki.sh "DISK Manufacturer" ecc 256 sha512 +# + +ACTOR=$1 +ACTOR_ALT=${ACTOR// /_} +ASYM_ALG=$2 +ASYM_SIZE=$3 +HASH_ALG=$4 +ROOT_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test root ca" +INT_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test intermediate ca" +LEAF_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test ca" +SIGNER_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test signer" +SERVER_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" aca" +PASS="xrb204k" + +print_help () { + echo " +make_pki.sh - creates a pki certificate chain + +Usage: + make_pki.sh \"Actor Name\" \"Asymmetric Algorithm\" \"Key Size\" \"Hash Algorithm\" + +Required Parameters: + Actor Name Device Manufacturer + Asymmetric Algorithm rsa or ecc + Key Size (in bits) (rsa) 2048, 3072, or 4096 + (ecc) 256, 384, or 512 + Hash Algorithm sha256, sha384, or sha512 + " +exit 1; +} + +# Parameter check +if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then + print_help + exit 1; +fi + +if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then + echo "$ASYM_ALG is an unsupported assymetric algorithm" + exit 1 +fi + +case $ASYM_SIZE in + 256) KSIZE=256 + ECC_NAME="secp256k1";; + 384) KSIZE=384 + ECC_NAME="secp384r1";; + 512) KSIZE=512 + ECC_NAME="secp521r1";; + 2048) KSIZE=2k;; + 3072) KSIZE=3k;; + 4096) KSIZE=4k;; + *) + echo "$ASYM_SIZE is an unsupported key size" + exit 1;; +esac + +# Use algorithm and key size to create unique file paths and Distinguished names +NAME="$ACTOR $ASYM_ALG $KSIZE $HASH_ALG" +CERT_FOLDER="$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_certs +PKI_ROOT="$CERT_FOLDER"/"$ACTOR_ALT"_root_ca_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +PKI_INT="$CERT_FOLDER"/"$ACTOR_ALT"_intermediate_ca_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +PKI_CA1="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca1_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG" +TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_Cert_Chain.pem + +ROOT_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test root ca" +INT_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test intermediate ca" +LEAF_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test ca" +SIGNER_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test signer" +TLS_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" portal" + +# Add check for existing folder and halt if it exists +if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then + echo "Folder for $CERT_FOLDER exists, exiting..." + exit 1; +fi + +# Intialize sub folders +echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." + +mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs +cp ca.conf "$ACTOR_ALT"/. +pushd "$ACTOR_ALT" +touch ca/db +if [ ! -f "ca/serial.txt" ]; then + echo "01" > ca/serial.txt +fi + +# Function to create an Intermediate Key, CSR, and Certificate +# PARMS: +# 1. Cert Type String +# 2. Issuer Key File Name +# 3. Subject Distinguished Name String + +create_cert () { + CERT_PATH="$1" + ISSUER="$2" + SUBJ_DN="$3" + ISSUER_KEY="$ISSUER".key + ISSUER_CERT="$ISSUER".pem + + if [ "$CERT_TYPE" == "rim_signer" ]; then + EXTENSION="signer_extensions" + else + EXTENSION="ca_extensions" + fi + + echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..." + + if [ "$ASYM_ALG" == "rsa" ]; then + openssl req -newkey rsa:"$ASYM_SIZE" \ + -keyout "$CERT_PATH".key \ + -out "$CERT_PATH".csr -subj "$SUBJ_DN" \ + -passout pass:"$PASS" + else + openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key + openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" + fi + openssl ca -config ca.conf \ + -keyfile "$ISSUER_KEY" \ + -md $HASH_ALG \ + -cert "$ISSUER_CERT" \ + -extensions "$EXTENSION" \ + -out "$CERT_PATH".pem \ + -in "$CERT_PATH".csr \ + -passin pass:"$PASS" \ + -batch + #increment the cert serial number + awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt + # remove csr file + rm "$CERT_PATH".csr +} + +create_cert_chain () { + + # Create an intermediate CA, Sign with Root CA + create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" + + # Create a Leaf CA (CA1), Sign with intermediate CA + create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 + + # Create a Leaf CA (CA2), Sign with intermediate CA + + create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 + + # Create a Leaf CA (CA3), Sign with intermediate CA + + create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 + + # Create a RIM Signer + create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" + + # Create a ACA Sever Cert for TLS use + create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" + + # Create Cert trust store by adding the Intermediate and root certs + cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE" + + echo "Checking signer cert using tust store..." + openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem +} + +if [ "$ASYM_ALG" == "rsa" ]; then + # Create Root CA key pair and self signed cert + openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" + + # Create a self signed CA certificate + openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ + -extensions ca_extensions -out "$PKI_ROOT".pem \ + -passout pass:"$PASS" + # Create an intermediate CA, 2 Leaf CAs, and Signer Certs + create_cert_chain +fi + +if [ "$ASYM_ALG" == "ecc" ]; then + # Create Root CA key pair and self signed cert + openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key + + # Create a self signed CA certificate + openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ + -extensions ca_extensions -out "$PKI_ROOT".pem \ + -passout pass:"$PASS" + # Create an intermediate CA, 2 Leaf CAs, and Signer Certs + create_cert_chain +fi + diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh new file mode 100644 index 00000000..5de1b7a3 --- /dev/null +++ b/package/scripts/pki/pki_setup.sh @@ -0,0 +1,22 @@ +#!/bin/bash +############################################################################################ +# Creates 2 Certificate Chains for the ACA: +# 1 RSA 3K SHA 384 +# 2 ECC 512 SHA 384 +# +############################################################################################ + +# Capture location of the script to allow from invocation from any location +scriptDir=$( dirname -- "$( readlink -f -- "$0"; )"; ) + +# Create Cert Chains +rm -rf /etc/hirs/certificates +mkdir -p /etc/hirs/certificates/ + +pushd /etc/hirs/certificates/ + +cp $scriptDir/ca.conf . +sh $scriptDir/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" +sh $scriptDir/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" + +popd