V3 json file platform (#631)

* Look for Component Class json on Windows. Update aca-windows * Removed TPM from the ACA on Rocky image, changed container detection * Change healthcheck function on windows. * Remove commented code lines from aca_bootRun.ps1 * Added SWTPM to v3 ACA images. * Add build arg to the aca-windows Dockerfile to select base image tag * Make ACA accessible from localhost
2025-02-20 09:46:14 +00:00 · 2023-12-06 10:20:56 -05:00 · 2023-12-06 10:20:56 -05:00 · 2ab1e548ce
commit 2ab1e548ce
parent 748d7a317f
8 changed files with 99 additions and 44 deletions
--- a/.ci/docker/Dockerfile.aca-rocky
+++ b/.ci/docker/Dockerfile.aca-rocky
@ -21,23 +21,32 @@ ENV HIRS_DNF_ACA_COMPILE="java-17-openjdk-devel"
 ENV HIRS_DNF_ACA_RUN="mariadb-server"
 #   IBM TPM simulator compile
 ENV HIRS_DNF_TPM_COMPILE="tpm2-tools gcc cmake openssl-devel"
+#   IBM TSS compile
+ENV HIRS_DNF_TSS_COMPILE="autoconf automake libtool"
 # Download and install all dependencies at one time
-RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE")
+RUN dnf -y install $(echo "$HIRS_DNF_OS_SETUP") $(echo "$HIRS_DNF_OS_TOOLS") $(echo "$HIRS_DNF_ACA_COMPILE") $(echo "$HIRS_DNF_ACA_RUN") $(echo "$HIRS_DNF_TPM_COMPILE") $(echo "$HIRS_DNF_TSS_COMPILE")

-# Set up TPM Simulator
+# Build IBM TPM Simulator
 RUN git clone https://github.com/kgoldman/ibmswtpm2 /ibmswtpm2
 WORKDIR /ibmswtpm2/src
 RUN make
-# The following script allows the TPM to be set up in the docker image.
-# This will install an empty TPM. 
+
+# Build IBM TPM tools
+RUN git clone https://github.com/kgoldman/ibmtss /ibmtss
+WORKDIR /ibmtss/utils
+RUN make -f makefiletpmc
+
+# The following script tests that the SW TPM and TSS were compiled in the docker image. And documents how to start the SW TPM after container launch using both IBM's tss and TPM2-TOOLS.
 RUN echo "#!/bin/bash" > /tmp/tpm_config && \
    echo "/ibmswtpm2/src/tpm_server &" >> /tmp/tpm_config && \
    echo "sleep 5" >> /tmp/tpm_config && \
+    echo "/ibmtss/utils/startup -c" >> /tmp/tpm_config && \
+    echo "tpm2_shutdown" >> /tmp/tpm_config && \
    echo "tpm2_startup -c" >> /tmp/tpm_config && \
+    echo "/ibmtss/utils/shutdown -c" >> /tmp/tpm_config && \
    bash /tmp/tpm_config && \
    rm -rf /tmp/tpm_config

-#EXPOSE 8080 # Only needed if TLS is not working.
 EXPOSE 8443

 # Checkout HIRS
--- a/.ci/docker/Dockerfile.aca-windows
+++ b/.ci/docker/Dockerfile.aca-windows
@ -1,7 +1,13 @@
-FROM mcr.microsoft.com/powershell:latest
+# By default the latest powershell image will be used. That will make the image only compatible with Win11.
+# BASE_IMAGE_TAG can be specified as a docker build argument to choose different tag.
+# List of available tags for Microsoft's powershell docker image: https://mcr.microsoft.com/v2/powershell/tags/list.
+# This Dockerfile requires Powershell 7+. e.g. lts-windowsservercore-1809
+ARG BASE_IMAGE_TAG=latest
+FROM mcr.microsoft.com/powershell:${BASE_IMAGE_TAG}
 LABEL org.opencontainers.image.vendor NSA Laboratory for Advanced Cybersecurity Research
 LABEL org.opencontainers.image.source https://github.com/nsacyber/hirs
 LABEL org.opencontainers.image.description NSA\'s HIRS Attestation Certificate Authority in a Windows-native image. Expose port 8443 to access the portal from outside the container.
+LABEL org.opencontainers.image.base.name mcr.microsoft.com/powershell:${BASE_IMAGE_TAG}

 SHELL ["pwsh", "-Command"]

@ -23,7 +29,7 @@ RUN ls 'C:\Program Files\Java'
 RUN ls 'C:\Program Files\Java\jdk-17\'

 # Download and install Mariadb as a service
-RUN ((New-Object System.Net.WebClient).DownloadFile('https://ftp.osuosl.org/pub/mariadb/mariadb-11.1.2/winx64-packages/mariadb-11.1.2-winx64.msi', 'C:/mariadb-11.1.2-winx64.msi'))
+RUN ((New-Object System.Net.WebClient).DownloadFile('https://archive.mariadb.org/mariadb-11.1.2/winx64-packages/mariadb-11.1.2-winx64.msi', 'C:/mariadb-11.1.2-winx64.msi'))
 RUN Write-Host "Installing MariaDB..."
 # mariadb silent install options https://mariadb.com/kb/en/installing-mariadb-msi-packages-on-windows/
 RUN Start-Process -Wait -FilePath msiexec.exe -ArgumentList @('/i', 'C:\mariadb-11.1.2-winx64.msi', 'ADDLOCAL=ALL', 'REMOVE=HeidiSQL', 'SERVICENAME=MariaDB', '/qn', '/L*V', 'C:/ProgramData/hirs/log/mariadb_install.log')
@ -40,24 +46,69 @@ RUN Start-Process -FilePath 'C:/Git-2.42.0.2-64-bit.exe' -ArgumentList \"/VERYSI
 RUN [Environment]::SetEnvironmentVariable('GCM_INTERACTIVE', 'Never', [System.EnvironmentVariableTarget]::Machine)
 RUN Write-Host "Finished installing Git."

+# Download and install .NET SDK 6
+RUN ((New-Object System.Net.WebClient).DownloadFile('https://dotnet.microsoft.com/download/dotnet/scripts/v1/dotnet-install.ps1', 'C:/dotnet-install.ps1'))
+RUN Write-Host "Installing .NET SDK..."
+RUN pwsh -ExecutionPolicy Bypass C:/dotnet-install.ps1 --channel 6.0
+RUN Write-Host "Finished installing .NET SDK."
+
+# Download and install VS Build Tools from Microsoft
+RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/vs_buildtools.exe', 'C:/vs_buildtools.exe'))
+RUN ((New-Object System.Net.WebClient).DownloadFile('https://aka.ms/vs/17/release/channel', 'C:/vs_channel.chman'))
+RUN Write-Host "Installing Visual Studio Build Tools..."
+RUN C:/vs_buildtools.exe --quiet --wait --norestart --nocache --channelUri C:/vs_channel.chman --installChannelUri C:/vs_channel.chman --add Microsoft.VisualStudio.Workload.VCTools --includeRecommended --installPath C:/vsbuildtools
+RUN Write-Host "Finished installing Visual Studio Build Tools."
+
+# Download and extract pre-built openssl
+RUN ((New-Object System.Net.WebClient).DownloadFile('https://download.firedaemon.com/FireDaemon-OpenSSL/openssl-3.1.4.zip', 'C:/openssl-3.1.zip'))
+RUN Expand-Archive C:/openssl-3.1.zip -DestinationPath C:/openssl_files
+WORKDIR C:/openssl_files/openssl-3
+RUN cp -Recurse -Force C:/openssl_files/openssl-3/x64 'C:/Program Files/openssl'
+
+RUN ls 'C:\Program Files\openssl'
+
 # Expose ACA Port
-EXPOSE 8443 8080
+EXPOSE 8443

 # Set Environment Variables
 RUN setx JAVA_HOME 'C:\Program Files\Java\jdk-17'
 RUN setx GIT_HOME 'C:\Program Files\Git'
-RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;%PATH%'
+RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;C:\vsbuildtools\MSBuild\Current\Bin;%LOCALAPPDATA%\Microsoft\dotnet;%PATH%'

 # Echo System Variables
 RUN echo $Env:PATH
 RUN echo $Env:GIT_HOME
 RUN echo $Env:JAVA_HOME

+# Clone ibmswtpm2 and build
+RUN git clone https://github.com/kgoldman/ibmswtpm2.git C:/ibmswtpm2
+## tpm_server.sln is looking for the openssl crypto lib in a fixed location
+RUN cp 'C:/Program Files/openssl/lib/libcrypto.lib' 'C:/ibmswtpm2/tpmvstudio/tpm_server/libcrypto64md.lib'
+WORKDIR C:/ibmswtpm2/tpmvstudio/tpm_server
+#IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
+RUN MSBuild.exe .\tpm_server.sln -t:Build -p:Configuration=Release -p:Platform=x64
+# RUN Start-Process "C:/ibmswtpm2/tpmvstudio/tpm_server/x64/Release/tpm_server.exe" -WindowStyle Hidden
+
+# Clone ibmtss and build
+RUN git clone https://github.com/kgoldman/ibmtss.git C:/ibmtss
+## Again, This VS project is looking for the openssl crypto library in a fixed location. The paths are imported into multiple subprojects. Easier to edit the paths than attempt to copy the library everywhere.
+RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props) -replace 'libcrypto64mdd','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64.props
+RUN ((Get-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props) -replace 'libcrypto64md','C:/program files/openssl/lib/libcrypto') | Set-Content C:/ibmtss/tpmutils/CommonPropertiesx64Release.props
+WORKDIR C:/ibmtss/tpmutils
+# IF MSBUILD NOT ON PATH: RUN /vsbuildtools/MSBuild/Current/Bin/MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
+RUN MSBuild.exe .\tpmutils.sln -t:Build -p:Configuration=Release -p:Platform=x64
+
+# Update path with the ibmtss utilities; Have to include previous additions as well
+RUN setx PATH '%JAVA_HOME%\bin;C:\Program Files\MariaDB 11.1\bin;%GIT_HOME%\bin;C:\vsbuildtools\MSBuild\Current\Bin;%LOCALAPPDATA%\Microsoft\dotnet;C:\ibmswtpm2\tpmvstudio\tpm_server\x64\Release;C:\ibmtss\tpmutils\x64\Release;%PATH%'
+
+# Echo PATH after update
+RUN echo $Env:PATH
+
 # Clone HIRS main
 WORKDIR C:/
 RUN git config --global --add core.autocrlf false
 RUN git config --global --add safe.directory '*'
-RUN git clone -b v3_windows-package-scripts https://github.com/nsacyber/hirs.git C:/repo
+RUN git clone -b main https://github.com/nsacyber/hirs.git C:/repo

 # Defensive copy of the repo so it's easy to start fresh if needed
 WORKDIR C:/repo
@ -70,11 +121,23 @@ RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_win_config.
 # Run bootWar to cache build objects and dependencies
 WORKDIR C:/hirs
 RUN setx GRADLE_OPTS '-Dorg.gradle.daemon=false'
-RUN ./gradlew.bat clean bootWar 2>&1 | tee -a C:/ProgramData/hirs/log/hirs_build.log
+RUN ./gradlew.bat clean bootWar
 RUN cp ./HIRS_AttestationCAPortal/src/main/resources/application.win.properties C:/ProgramData/hirs/aca/

 # Run ACA Setup- PKI and DB
 WORKDIR C:/hirs
 RUN pwsh -Command pwsh -ExecutionPolicy Bypass ./package/win/aca/aca_setup.ps1 -unattended

+# Add ACA TLS certification path to container OS
+# Allows the Invoke-WebRequest command in the HEALTHCHECK to work with TLS
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_intermediate_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_intermediate_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_root_ca_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_root_ca_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_leaf_ca3_rsa_3k_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+RUN Get-Item "C:/ProgramData/hirs/certificates/HIRS/ecc_512_sha384_certs/HIRS_leaf_ca3_ecc_512_sha384.pem" | Import-Certificate -CertStoreLocation "Cert:\LocalMachine\Root"
+
+# The container will report a health state based on when embedded tomcat finishes loading. If the ACA isn't loaded after the timeout, the container will report that it is unhealthy.
+HEALTHCHECK --start-period=50s --interval=1s --timeout=90s CMD pwsh -Command try { $response = Invoke-WebRequest -Uri https://localhost:8443; if ($response.StatusCode -eq 200) { return 0 } else { return 1 }; } catch { return 1 }
+
 CMD ["pwsh", "-Command", "pwsh -ExecutionPolicy Bypass C:/hirs/package/win/aca/aca_bootRun.ps1"]
--- a/.ci/docker/compose-acceptance-test.yml
+++ b/.ci/docker/compose-acceptance-test.yml
@ -1,15 +1,16 @@
 version: "3.9"
 services:
  aca:  # policy settings not saved, will have a clean database/default policy on each boot for now
-    image: ghcr.io/nsacyber/hirs/aca:alpha2
+    image: ghcr.io/nsacyber/hirs/aca
    container_name: aca
    ports:
      - "8443:8443"
    networks:
      hat_network:
        ipv4_address: 172.16.1.75
+      nat:
  hat:
-    image: ghcr.io/nsacyber/hirs/hat:alpha4
+    image: ghcr.io/nsacyber/hirs/hat
    container_name: hat
    ports:
       - 53:53/tcp
@ -28,4 +29,6 @@ networks:
    ipam:
      config:
        - subnet: 172.16.1.0/24
-          gateway: 172.16.1.1
+          gateway: 172.16.1.1
+  nat:
+    external: true
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
@ -29,8 +29,11 @@ import java.nio.file.Path;
 public class ComponentClass {
    private static final String TCG_COMPONENT_REGISTRY = "2.23.133.18.3.1";
    private static final String SMBIOS_COMPONENT_REGISTRY = "2.23.133.18.3.3";
-    private static final Path JSON_PATH = FileSystems.getDefault()
-            .getPath("/etc", "hirs", "aca", "default-properties", "component-class.json");
+    private static final Path WINDOWS_JSON_PATH = FileSystems.getDefault().getPath(
+                "C:/", "ProgramData", "hirs", "aca", "default-properties", "component-class.json");
+    private static final Path JSON_PATH = WINDOWS_JSON_PATH.toFile().exists() ? WINDOWS_JSON_PATH :
+            FileSystems.getDefault().getPath(
+                "/etc", "hirs", "aca", "default-properties", "component-class.json");

    private static final String OTHER_STRING = "Other";
    private static final String UNKNOWN_STRING = "Unknown";
--- a/package/scripts/db/mysql_util.sh
+++ b/package/scripts/db/mysql_util.sh
@ -12,8 +12,7 @@ SQL_SERVICE="mariadb"
 check_for_container () {
  PRINT_STATUS=$1
  # Check if we're in a Docker container
-  if [[ $(cat /proc/1/cgroup | head -n 1) == *"docker"* ]]; then  
-  #if [ -f /.dockerenv ]; then
+  if [[ $(cat /proc/1/cgroup | head -n 1) == *"docker"* ]] || [ -f /.dockerenv ]; then  
    DOCKER_CONTAINER=true
    if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is running in a container..." | tee -a "$LOG_FILE"; fi
  else
--- a/package/win/aca/aca_bootRun.ps1
+++ b/package/win/aca/aca_bootRun.ps1
@ -57,16 +57,6 @@ if ($path) {
    $DEPLOYED_WAR = $path
 }

-# if ($ALG -eq "RSA") {
-   # $CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_rsa_3k_sha384_Cert_Chain.pem')
-   # $CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH 'HIRS_db_client_rsa_3k_sha384.p12')
-   # $ALIAS="hirs_aca_tls_rsa_3k_sha384"
-# } elseif ($ALG -eq "ECC") {
-   # $CERT_CHAIN=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_ecc_512_sha384_Cert_Chain.pem')
-   # $CLIENT_DB_P12=(Join-Path $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH 'HIRS_db_client_ecc_512_sha384.p12')
-   # $ALIAS="hirs_aca_tls_ecc_512_sha384"
-# }
-
 if (![System.IO.Directory]::Exists($global:HIRS_DATA_CERTIFICATES_HIRS_DIR)) {
     echo "$global:HIRS_DATA_CERTIFICATES_HIRS_DIR directory does not exist. Please run aca_setup\.ps1 and try again."
     exit 1;
@ -80,19 +70,7 @@ if (!$DEPLOYED_WAR) {
 	$DEPLOYED_WAR='./HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war'
 }

-# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters
-# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter.
-# hibernate.connection.url is used for the DB connector which established DB TLS connectivity
-# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal
-
-#$CONNECTOR_PARAMS="--hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&user="+$global:ACA_PROPERTIES.'hirs_db_username'+"&password="+$global:ACA_PROPERTIES.'hirs_db_password'+"&sslMode=VERIFY_CA&serverSslCert=$CERT_CHAIN&keyStoreType=PKCS12&keyStorePassword="+$global:ACA_PROPERTIES.'hirs_pki_password'+"&keyStore=$CLIENT_DB_P12" | ChangeBackslashToForwardSlash
-
-#$WEB_TLS_PARAMS="--server.ssl.key-store-password="+$global:ACA_PROPERTIES.'hirs_pki_password'+ 
-#" --server.ssl.trust-store-password="+$global:ACA_PROPERTIES.'hirs_pki_password' | ChangeBackslashToForwardSlash
-
 $SPRING_PROP_FILE_FORWARDSLASHES=($global:HIRS_DATA_SPRING_PROP_FILE | ChangeBackslashToForwardSlash)
-#echo $CONNECTOR_PARAMS
-#echo $WEB_TLS_PARAMS
 if ($w -or $war) {
 	echo "Booting the ACA from a war file..." | WriteAndLog
 	java -jar $DEPLOYED_WAR --spring.config.location=$SPRING_PROP_FILE_FORWARDSLASHES
--- a/package/win/aca/aca_common.ps1
+++ b/package/win/aca/aca_common.ps1
@ -30,7 +30,7 @@ $global:HIRS_DATA_CERTIFICATES_HIRS_RSA_PATH=(Join-Path $HIRS_DATA_CERTIFICATES_
 $global:HIRS_DATA_CERTIFICATES_HIRS_ECC_PATH=(Join-Path $HIRS_DATA_CERTIFICATES_HIRS_DIR "ecc_512_sha384_certs")
 $global:HIRS_DATA_LOG_DIR=(Join-Path $global:HIRS_DATA_DIR "log")
 $global:HIRS_DATA_INSTALL_LOG_NAME=(Join-Path $global:HIRS_DATA_LOG_DIR ("hirs_aca_install_"+(Get-Date -Format "yyyy-MM-dd")+'.log'))
-$global:HIRS_DATA_JSON_DIR=(Join-Path $global:HIRS_DATA_DIR "json")
+$global:HIRS_CONF_DEFAULT_PROPERTIES_DIR=(Join-Path $global:HIRS_CONF_DIR "default-properties")
 #         Db Configuration files
 $global:DB_CONF=(Join-Path $Env:ProgramFiles 'MariaDB 11.1' 'data' 'my.ini')
 #         Default Server Side Certificates
--- a/package/win/aca/aca_setup.ps1
+++ b/package/win/aca/aca_setup.ps1
@ -21,10 +21,10 @@ echo ("Running with these arguments: "+($PSBoundParameters | Out-String)) | Writ

 # Read aca.properties
 mkdir -F -p $global:HIRS_CONF_DIR 2>&1 > $null
-mkdir -F -p $global:HIRS_DATA_JSON_DIR 2>&1 > $null
+mkdir -F -p $global:HIRS_CONF_DEFAULT_PROPERTIES_DIR 2>&1 > $null
 mkdir -F -p $global:HIRS_DATA_LOG_DIR 2>&1 > $null
-#cp $COMP_JSON $global:HIRS_JSON_DIR
-#cp $VENDOR_TABLE $global:HIRS_JSON_DIR
+cp $COMP_JSON $global:HIRS_CONF_DEFAULT_PROPERTIES_DIR
+cp $VENDOR_TABLE $global:HIRS_CONF_DEFAULT_PROPERTIES_DIR
 touch $global:HIRS_DATA_ACA_PROPERTIES_FILE  # create it, if it doesn't exist
 read_aca_properties $global:HIRS_DATA_ACA_PROPERTIES_FILE