changed bootRun parameter to --spring.config.location

iadgovuser26 2023-07-18 13:09:11 -04:00
parent 29ba16cdb5
commit 383fefdfef
7 changed files with 110 additions and 105 deletions


@ -51,11 +51,11 @@ dependencies {
implementation 'org.junit.jupiter:junit-jupiter:5.4.2'
implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5'
implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'
implementation 'jakarta.el:jakarta.el-api:5.0.0'
// implementation 'org.glassfish.web:jakarta.servlet.jsp.jstl:3.0.0'
// implementation 'jakarta.servlet:jakarta.servlet-api:6.0.0'
// implementation 'jakarta.servlet.jsp.jstl:jakarta.servlet.jsp.jstl-api:3.0.0'
// implementation 'jakarta.servlet.jsp:jakarta.servlet.jsp-api:3.0.0'
// implementation 'jakarta.el:jakarta.el-api:5.0.0'
compileOnly 'org.projectlombok:lombok'
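Review bot: The five servlet/JSP/EL API dependencies are commented out rather than removed, and nothing says why they are no longer needed; version control already preserves the old lines, so leaving them as dead text invites someone to re-enable them and reintroduce duplicate API jars. Either delete the five commented lines or replace them with a one-line explanation, e.g. `// servlet/JSP/EL APIs come in transitively via tomcat-embed-jasper; do not add them again` — hedged, since the transitive source is not visible here. The narrower `additional-tld-skip-patterns` change in application.properties appears related (the `*jakarta*.jar` wildcard is dropped); a short comment tying the two together would save the next reader a hunt.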


@ -17,7 +17,7 @@ spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
# Tomcat Config
server.tomcat.additional-tld-skip-patterns=*jakarta*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar
server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar
server.tomcat.basedir=/opt/embeddedtomcat
server.servlet.register-default-servlet=true
server.servlet.context-path=/HIRS_AttestationCAPortal
@ -30,16 +30,6 @@ server.tomcat.accesslog.prefix=access_log
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
# Tomcat TLS support
server.port=8443
server.ssl.enabled=true
server.ssl.trust-store-type=JKS
server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
server.ssl.key-store-type=JKS
server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
@ -48,5 +38,5 @@ server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
#spring.jpa.hibernate.ddl-auto=update
#spring.jpa.show-sql=true
# Passwords get appended here ...
# DB dfault password.
spring.datasource.password=hirs_db
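Review bot: A literal database password (`spring.datasource.password=hirs_db`) is now committed in the packaged application.properties, and aca_setup.sh copies this file verbatim to /etc/hirs/aca, so unless db_create.sh (not visible here) rewrites the line this becomes the deployed credential. At minimum the comment should state the intent and the typo fixed: `# Default development DB password; the installer must replace this before deployment.` Note also that removing the `server.ssl.*` block from this file means a bare `./gradlew bootRun` without the installer's appended TLS section will presumably no longer listen on 8443 with TLS — if that is intended for development, a comment saying so would help.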


@ -6,25 +6,8 @@
#
####################################################################################
PASS_FILE="/etc/hirs/aca/application.properties"
declare -A props
if [ -f $PASS_FILE ]; then
while IFS="=" read -r key value; do
#echo "key is $key, value is $value"
if [ ! -z "$key" ]; then
props["$key"]="$value"
fi
done < "$PASS_FILE"
else
echo "error reading $PASS_FILE"
exit 1
fi
#echo "server_ssl_trust-store-password = " ${props["server.ssl.trust-store-password"]}
#echo "server_ssl_key-store-password = " ${props["server.ssl.key-store-password"]}
CONFIG_FILE="/etc/hirs/aca/application.properties"
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
./gradlew bootRun --args="--server.ssl.trust-store-password=${props["server.ssl.trust-store-password"]} --server.ssl.key-store-password=${props["server.ssl.key-store-password"]}"
./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
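Review bot: The existence check on the properties file was removed along with the parsing loop, so a missing /etc/hirs/aca/application.properties now surfaces as a Spring startup failure rather than the clear `error reading` message the old script printed; keep a guard before the gradle call: `[ -f "$CONFIG_FILE" ] || { echo "error reading $CONFIG_FILE" >&2; exit 1; }`. Moving the keystore passwords out of `--args` is a real improvement, since the old form exposed them on the command line to anyone running `ps`. Be aware that `spring.config.location` replaces Spring Boot's default search locations rather than adding to them (presumably fine here, since the installer copies a complete file), whereas `spring.config.additional-location` would layer on top of the classpath defaults.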


@ -2,36 +2,43 @@
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
CONF_DIR=/etc/hirs/aca
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/opt/embeddedtomcat/logs/"
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
echo "LOG_FILE is $LOG_FILE"
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root"
exit 1
fi
mkdir -p /etc/hirs/aca/
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
mkdir -p $CONF_DIR $LOG_DIR
pushd $SCRIPT_DIR
# If setup for development start with basic spring config
if [ -f $PROP_FILE ]; then
cp $PROP_FILE /etc/hirs/aca/.
cp $PROP_FILE $CONF_DIR/.
fi
sh ../db/db_create.sh
sh ../db/db_create.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA database setup complete"
echo "ACA database setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA DB"
echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
exit 1
fi
sh ../pki/pki_setup.sh
sh ../pki/pki_setup.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete"
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI"
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
fi
echo "ACA setup complete"
echo "ACA setup complete" | tee -a "$LOG_FILE"
popd
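Review bot: The first write to the log (`echo "HIRS ACA Setup initiated ..." > "$LOG_FILE"`) appears to run before `mkdir -p $CONF_DIR $LOG_DIR`, so on a host where /opt/embeddedtomcat/logs/ does not yet exist (it is Tomcat's basedir, created at runtime) the redirect fails and, with no `set -e`, the script carries on logging into a file that was never created. Swap the two lines so the directory is created first: `mkdir -p "$CONF_DIR" "$LOG_DIR"` then `echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"`. The ordering is inferred from the rendered print order, so please confirm against the actual file.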


@ -23,6 +23,11 @@ organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ alternate_names ]
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = 127.0.0.1
[ ca_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
@ -38,8 +43,9 @@ keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:https://example.com/certs
authorityInfoAccess = caIssuers;URI:https://example.com/certs
crlDistributionPoints = URI:https://example.com/crl
subjectAltName = @alternate_names
[ signer_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
@ -47,5 +53,4 @@ subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, digitalSignature
authorityInfoAccess = caIssuers;URI:https://example.com/certs/
crlDistributionPoints = URI:https://example.com/crl
crlDistributionPoints = URI:https://example.com/crl
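Review bot: `DNS.3 = 127.0.0.1` puts an IP address into a dNSName SAN, which RFC 5280 reserves for host names; TLS clients match IP literals against iPAddress entries, so a browser or Java client connecting to https://127.0.0.1:8443 will still reject the certificate. Use `IP.1 = 127.0.0.1` (and `IP.2 = ::1` if loopback over IPv6 is wanted) instead. This matters more now than before because the TLS subject CN in pki_chain_gen.sh is changed from `localhost` to `"$NAME" portal`, so hostname verification depends entirely on this SAN list.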


@ -20,6 +20,7 @@ ASYM_ALG=$2
ASYM_SIZE=$3
HASH_ALG=$4
PASS=$5
LOG_FILE=$6
ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks
# Parameter check
if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;
fi
if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
exit 1
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;
fi
if [ -z ${LOG_FILE} ]; then
LOG_FILE="/dev/null"
fi
case $ASYM_SIZE in
@ -52,7 +57,7 @@ case $ASYM_SIZE in
3072) KSIZE=3k;;
4096) KSIZE=4k;;
*)
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;;
esac
@ -72,25 +77,41 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"
TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
# Add check for existing folder and halt if it exists
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
echo "Folder for $CERT_FOLDER exists, exiting..."
echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE"
exit 1;
fi
# Intialize sub folders
echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE"
mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
cp ca.conf "$ACTOR_ALT"/.
pushd "$ACTOR_ALT" &> /dev/null
touch ca/db
touch openssl-san.cnf
if [ ! -f "ca/serial.txt" ]; then
echo "01" > ca/serial.txt
echo "01" > ca/serial.txt | tee -a "$LOG_FILE"
fi
# Function to add Cert to Truststore and key to Keystore
add_to_stores () {
CERT_PATH=$1
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
# Function to create an Intermediate Key, CSR, and Certificate
# PARMS:
# 1. Cert Type String
@ -106,16 +127,16 @@ create_cert () {
ISSUER_CERT="$ISSUER".pem
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
if [ "$ASYM_ALG" == "rsa" ]; then
openssl req -newkey rsa:"$ASYM_SIZE" \
-keyout "$CERT_PATH".key \
-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
-passout pass:"$PASS" &> /dev/null
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
else
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
fi
openssl ca -config ca.conf \
@ -127,17 +148,18 @@ create_cert () {
-in "$CERT_PATH".csr \
-passin pass:"$PASS" \
-batch \
-notext &> /dev/null
-notext >> "$LOG_FILE" 2>&1
# Increment the cert serial number
awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
# remove csr file
rm -f "$CERT_PATH".csr
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" &> /dev/null
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
@ -168,30 +190,35 @@ create_cert_chain () {
cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
# echo "Checking signer cert using tust store..."
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
}
if [ "$ASYM_ALG" == "rsa" ]; then
if [ "$ASYM_ALG" == "rsa" ]; then
# Create Root CA key pair and self signed cert
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS" &> /dev/null
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
create_cert_chain
create_cert_chain
fi
if [ "$ASYM_ALG" == "ecc" ]; then
# Create Root CA key pair and self signed cert
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key
echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS"
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
create_cert_chain
fi
fi
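Review bot: The `LOG_FILE=/dev/null` fallback is assigned after the two parameter-check branches that already run `tee -a "$LOG_FILE"`, so when the sixth argument is omitted those early exits call `tee -a ""` and fail on an empty path; set the default where the argument is read, `LOG_FILE=${6:-/dev/null}`, and drop the later `if [ -z ${LOG_FILE} ]` block. `create_cert` still carries a verbatim copy of the new `add_to_stores` body (the pkcs12 export and both keytool imports); replacing those lines with `add_to_stores "$CERT_PATH"` removes the duplication and keeps the `-aes256` and `-J-Dcom.redhat.fips=false` flags in one place. The `echo "01" > ca/serial.txt | tee -a "$LOG_FILE"` line sends nothing to tee because the redirect captures stdout first; the redirect alone is enough. Placing `-J-Dcom.redhat.fips=false` between `-destalias` and `"$ALIAS"` relies on the launcher stripping `-J` options before keytool parses its arguments; moving it to the end of the command avoids that subtlety.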


@ -7,14 +7,15 @@
############################################################################################
PROP_FILE=/etc/hirs/aca/application.properties
LOG_FILE=$1
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
echo "SCRIPT_DIR is $SCRIPT_DIR"
echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root"
then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
@ -22,24 +23,12 @@ fi
if [ -z $HIRS_PKI_PWD ]; then
# Create a 32 character random password
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
echo "Using randomly generated password" | tee -a "$LOG_FILE"
else
PKI_PASS=$HIRS_PKI_PWD
echo "Using system supplied password" | tee -a "$LOG_FILE"
fi
# Create an ACA properties file using the new password
#pushd $SCRIPT_DIR &> /dev/null
# if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
# if [ -d /opt/hirs/scripts/aca ]; then
# ACA_SETUP_DIR="/opt/hirs/scripts/aca"
# else
# ACA_SETUP_DIR="$SCRIPT_DIR/../aca"
# fi
# echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
# sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
# else
# echo "aca property file exists, skipping"
# fi
popd &> /dev/null
# Create Cert Chains
if [ ! -d "/etc/hirs/certificates" ]; then
@ -48,24 +37,28 @@ if [ ! -d "/etc/hirs/certificates" ]; then
else
PKI_SETUP_DIR="$SCRIPT_DIR"
fi
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/
pushd /etc/hirs/certificates/ &> /dev/null
cp $PKI_SETUP_DIR/ca.conf .
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
# Add/Replace password to properties file
if [ -f $PROP_FILE ]; then
sed -i '/server.ssl.key-store-password/d' $PROP_FILE
sed -i '/server.ssl.trust-store-password/d' $PROP_FILE
fi
# Add tomcat TLS support to the application.properties file
echo "# Tomcat TLS support">> $PROP_FILE
echo "server.port=8443">> $PROP_FILE
echo "server.ssl.enabled=true">> $PROP_FILE
echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-type=JKS">> $PROP_FILE
echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
else
echo "/etc/hirs/certificates exists, skipping"
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi
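Review bot: The keystore and truststore passwords are appended to $PROP_FILE in clear text, but nothing visible restricts that file's permissions; aca_setup.sh creates it with a plain `cp`, so it presumably inherits a world-readable mode from root's umask. Add `chmod 600 "$PROP_FILE"` right after the two password lines (or create the file with `install -m 600` upstream), and quote the expansions: `echo "server.ssl.key-store-password=$PKI_PASS" >> "$PROP_FILE"`. The `popd &> /dev/null` that follows the commented-out block no longer has a matching `pushd`, so it now only emits a suppressed error and should be removed with the dead block. `mkdir -p ... | tee -a "$LOG_FILE"` produces no output to log and turns a failed mkdir into a silent success; drop the pipe or check mkdir's status directly.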