Merge pull request #604 from nsacyber/v3_issue_598-ubuntu

Add Ubuntu support for V3

.ci/docker/Dockerfile.ubuntu22ci

@@ -0,0 +1,19 @@
+FROM ubuntu:22.04
+
+RUN apt-get update -y && apt-get upgrade -y && apt-get clean -y
+
+# Install packages for building HIRS ACA
+RUN apt-get -y install openjdk-17-jdk  mariadb-server
+RUN apt-get -y install git curl nano cron
+
+# Ports needed for system-level tests
+EXPOSE 8080
+EXPOSE 8443
+
+# Checkout HIRS main branch and run gradlew to install gradlew dependencies, then delete HIRS
+# Use '--depth=1' so as to not download the history of all commits
+RUN git clone -b main --depth=1 https://github.com/nsacyber/HIRS.git /hirsTemp
+WORKDIR "/hirsTemp"
+RUN /bin/bash -c './gradlew clean build'
+WORKDIR "/"
+RUN rm -rf /hirsTemp

HIRS_AttestationCAPortal/build.gradle

@@ -94,16 +94,16 @@ ospackage {
     }
 
     // Post Install
-    postInstall 'sh /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
+    postInstall 'bash /opt/hirs/aca/scripts/aca/aca_setup.sh -u'
     // add chrontab to run ACA at boot
     postInstall 'echo "@reboot root /opt/hirs/aca/scripts/aca/aca_bootRun.sh -w" >> /etc/crontab'
     // run ACA after install
     postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
     postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
-    postInstall 'sh /opt/hirs/aca/scripts/aca/check_for_aca.sh'
+    postInstall 'bash /opt/hirs/aca/scripts/aca/check_for_aca.sh'
 
     // Uninstall
-    preUninstall 'sh /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
+    preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'
     postUninstall 'rm -rf /etc/hirs'
 
     buildRpm {
@@ -111,6 +111,7 @@ ospackage {
     }
 
     buildDeb {
+        packageName = 'hirs-attestationca'
         arch = 'amd64'
     }
 }

package/scripts/aca/aca_check_setup.sh

@@ -37,7 +37,15 @@ DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
 DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
 ALL_CHECKS_PASSED=true
 ALL_CERTS_PASSED=true
+
 source $SCRIPT_DIR/../db/mysql_util.sh
+source /etc/os-release 
+
+# Setup distro specifc paths and variables
+if [ $ID = "ubuntu" ]; then 
+   DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
+   DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
+fi
 
 # Check for Admin privileges
 if [ "$EUID" -ne 0 ]; then
@@ -69,16 +77,24 @@ done
 echo "Checking HIRS ACA Setup on this device..."
 # Check if aca setup was performed
   # Check is RPM was installed via RPM package 
-  rpm -q --quiet HIRS_AttestationCA
+  if [ $ID = "rhel" ]; then
+     echo "RHEL distro detected"
+     rpm -q --quiet HIRS_AttestationCA
+    elif [ $ID = 'ubuntu' ]; then
+     echo "Ubuntu distro detected"
+     dpkg -l "hirs-attestationca" > /dev/null
+   else
+    echo "Unsupported OS Distro encountered"
+  fi
   if [ $? -eq 0 ]; then
-      echo "HIRS ACA was installed via rpm package on this device"
+      echo "HIRS ACA was installed via an OS package on this device"
       if [[ $(cat /etc/crontab | grep -c hirs/aca) > 0 ]]; then 
            echo "  HIRS ACA is set to start on boot via crontab file"
         else
            echo "  HIRS ACA is NOT set to start on boot via crontab file"
       fi
     else
-      echo "HIRS ACA was NOT installed via rpm package on this device" 
+      echo "HIRS ACA was NOT installed via an OS package on this device" 
   fi
 
 # Check install setup pki files
@@ -92,7 +108,6 @@ echo "Checking HIRS ACA Setup on this device..."
 
 source /etc/hirs/aca/aca.properties;
 
-
 check_pwds () {
 
 PRESENT=true
@@ -121,13 +136,13 @@ check_mysql_setup () {
   # make sure mysql is running and restart if its not...
   check_mysql
   # Check DB server/client TLS setup.
-  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+  if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
      echo "   Mysql server ($DB_SRV_CONF) is NOT configured for Server Side TLS"
      ALL_CHECKS_PASSED=false
    else
      echo "   Mysql server ($DB_SRV_CONF) is configured for Server Side TLS"
   fi
-  if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then
+  if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then
       echo "   Mysql client ($DB_CLIENT_CONF)is NOT configured for command line use of TLS without provding key/cert ino the commandline"
       ALL_CHECKS_PASSED=false
     else
@@ -240,12 +255,18 @@ check_db () {
     mysql -u hirs_db --password=$hirs_db_password -e "SHOW DATABASES;";
     echo "Privileges for the hirs_db user:"
     mysql -u hirs_db --password=$hirs_db_password -e "SHOW GRANTS FOR 'hirs_db'@'localhost'" 
+    echo "MYSQL Log:"
+    mysql -u root --password=$mysql_admin_password -e "SHOW GLOBAL VARIABLES LIKE 'log_error'" 
   fi
   
 }
 
 # Check selinux status and files that require specific contexts
 check_selinux () {
+   if [ $ID = "ubuntu" ]; then
+     echo "Skipping selinux check on ubuntu"
+     return
+   fi
    SELINUXSTATUS=$(getenforce)
    DB_SRV_CONTEXT=$(ls -Z $DB_SRV_CONF)
    DB_CLIENT_CONTEXT=$(ls -Z $DB_CLIENT_CONF)
@@ -283,4 +304,4 @@ if [ $ALL_CHECKS_PASSED = true  ]; then
   echo "ACA setup checks passed!"
 else
   echo "ACA setup checks failed."
-fi
+fi

package/scripts/aca/aca_remove_setup.sh

@@ -22,7 +22,7 @@ check_mysql_root
 
 # remove the hrs-db and hirs_db user
 pushd $SCRIPT_DIR/../db/  &>/dev/null
-sh db_drop.sh $DB_ADMIN_PWD
+./db_drop.sh $DB_ADMIN_PWD
 popd  &>/dev/null
 
 # remove pki files and config files if not installed by rpm
@@ -36,4 +36,4 @@ echo "Removing the ACA crontab"
 sed -i '/aca_bootRun.sh/d' /etc/crontab
 echo "Shutting down the aca..."
 ps axf | grep HIRS_AttestationCAPortal.war | grep -v grep | awk '{print "kill " $1}' | sh  >/dev/null 2>&1
-echo "ACA setup removal complete."
+echo "ACA setup removal complete."

package/scripts/aca/aca_setup.sh

@@ -25,7 +25,7 @@ help () {
   echo "     -u  | --unattended   Run unattended"
   echo "     -h  | --help   Print this Help."
   echo "     -sp | --skip-pki run the setup without pki setup."
-  echo "     -sb | --skip-db run the setup without database setup."
+  echo "     -sd | --skip-db run the setup without database setup."
   echo
 }
 
@@ -97,7 +97,7 @@ if [ -z $HIRS_PKI_PWD ]; then
 fi
 
 if [ -z "${ARG_SKIP_PKI}" ]; then
-   sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
+   ../pki/pki_setup.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
    if [ $? -eq 0 ]; then 
         echo "ACA PKI  setup complete" | tee -a "$LOG_FILE"
       else
@@ -109,7 +109,7 @@ if [ -z "${ARG_SKIP_PKI}" ]; then
 fi
 
 if [ -z "${ARG_SKIP_DB}" ]; then
-   sh ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
+   ../db/db_create.sh $LOG_FILE $PKI_PASS $ARG_UNATTEND
    if [ $? -eq 0 ]; then
       echo "ACA database setup complete" | tee -a "$LOG_FILE"
     else
@@ -122,4 +122,4 @@ fi
 
 echo "ACA setup complete" | tee -a "$LOG_FILE"
 
-popd &>/dev/null
+popd &>/dev/null

package/scripts/db/db_create.sh

@@ -8,6 +8,7 @@
 ################################################################################
 
 LOG_FILE=$1
+DB_LOG_FILE="/var/log/mariadb/mariadb.log"
 PKI_PASS=$2
 UNATTENDED=$3
 RSA_PATH=rsa_3k_sha384_certs
@@ -17,7 +18,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
 SPRING_PROP_FILE="/etc/hirs/aca/application.properties"
 ACA_PROP_FILE="/etc/hirs/aca/aca.properties"
 DB_ADMIN_PWD=""
-# Db Configuration files
+# Db Configuration fileis, use RHELpaths as default
 DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf"
 DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf"
 # Default Server Side Certificates
@@ -29,16 +30,29 @@ SSL_DB_CLIENT_CHAIN="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_rsa_3k
 SSL_DB_CLIENT_CERT="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.pem"; 
 SSL_DB_CLIENT_KEY="/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.key";
 
-touch $ACA_PROP_FILE
-touch $LOG_FILE
-touch $DB_SRV_CONF
-
 # Make sure required paths exist
 mkdir -p /etc/hirs/aca/
 mkdir -p /var/log/hirs/
 
 source $SCRIPT_DIR/mysql_util.sh
 source $ACA_PROP_FILE 
+source /etc/os-release 
+
+# Setup distro specifc paths and variables
+if [ $ID = "ubuntu" ]; then 
+   DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
+   DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
+   mkdir -p /var/log/mariadb >> /dev/null
+   if [[ $(cat "$DB_SRV_CONF" | grep -c "log-error") < 1 ]]; then
+       echo "log_error=/var/log/mariadb/mariadb.log" >> $DB_SRV_CONF
+       echo "tls_version = TLSv1.2,TLSv1.3" >> $DB_SRV_CONF
+  fi
+fi
+
+touch $ACA_PROP_FILE
+touch $LOG_FILE
+touch $DB_SRV_CONF
+touch $DB_LOG_FILE
 
 check_mysql_root_pwd () {
  
@@ -90,8 +104,8 @@ check_mysql_root_pwd () {
 }
 
 set_mysql_server_tls () {
-  # Check DB server setup. If ssl params dont exist then we need to add them.
-  if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then
+  # Check DB server setup. If HIRS ssl params dont exist then we need to add them.
+  if [[ $(cat "$DB_SRV_CONF" | grep -c "HIRS") < 1 ]]; then
     # Add TLS files to my.cnf
     echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE"
     echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF"
@@ -100,10 +114,12 @@ set_mysql_server_tls () {
     # Make sure mysql can access them
     chown mysql:mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY
     # Make selinux contexts for config files, if selinux is enabled
-    selinuxenabled
-    if [ $? -eq 0 ]; then
-       semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
-       restorecon -v -F $DB_SRV_CONF      > /dev/null                 # changes the file's context type
+    if [ $ID = "rhel" ]; then 
+        selinuxenabled
+        if [ $? -eq 0 ]; then
+           semanage fcontext -a -t mysqld_etc_t $DB_SRV_CONF  > /dev/null #adds the context type to file
+           restorecon -v -F $DB_SRV_CONF      > /dev/null                 # changes the file's context type
+       fi
     fi
   else
        echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE"
@@ -112,17 +128,19 @@ set_mysql_server_tls () {
 
 set_mysql_client_tls () {
 # Update ACA property file with client cert info, if not there already
-if [[ $(cat "$DB_CLIENT_CONF" | grep -c "ssl") < 1 ]]; then 
+if [[ $(cat "$DB_CLIENT_CONF" | grep -c "HIRS") < 1 ]]; then 
   echo "Updating $DB_CLIENT_CONF with ssl parameters..." | tee -a "$LOG_FILE"
   echo "ssl_ca=$SSL_DB_CLIENT_CHAIN" >> $DB_CLIENT_CONF
   echo "ssl_cert=$SSL_DB_CLIENT_CERT" >> $DB_CLIENT_CONF
   echo "ssl_key=$SSL_DB_CLIENT_KEY" >> $DB_CLIENT_CONF
   chown mysql:mysql $SSL_DB_CLIENT_CHAIN $SSL_DB_CLIENT_CERT $SSL_DB_CLIENT_KEY 
   # Make selinux contexts for config files, if selinux is enabled
-  selinuxenabled
-  if [ $? -eq 0 ]; then
-      semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
-      restorecon -F $DB_CLIENT_CONF                         > /dev/null #changes the file's context type
+   if [ $ID = "rhel" ]; then 
+      selinuxenabled
+      if [ $? -eq 0 ]; then
+          semanage fcontext -a -t mysqld_etc_t $DB_CLIENT_CONFf > /dev/null  #adds the context type to file
+         restorecon -F $DB_CLIENT_CONF                         > /dev/null #changes the file's context type
+      fi
   fi                           
 fi
 }
@@ -130,7 +148,8 @@ fi
 # Process HIRS DB USER
 set_hirs_db_pwd () {
 
-   RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+  RESULT="$(mysql -u root --password=$DB_ADMIN_PWD -e "SELECT EXISTS(SELECT 1 FROM mysql.user WHERE user = 'hirs_db')")"
+
    if [ "$RESULT" = 1 ]; then
       echo "hirs-db user exists"
       HIRS_DB_PWD=$hirs_db_password
@@ -157,7 +176,8 @@ create_hirs_db_with_tls () {
   else
      mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/db_create.sql
      mysql -u root --password=$DB_ADMIN_PWD < $MYSQL_DIR/secure_mysql.sql
-     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+#     mysql -u root --password=$DB_ADMIN_PWD -e "ALTER USER 'hirs_db'@'localhost' IDENTIFIED BY '"$HIRS_DB_PWD"'; FLUSH PRIVILEGES;";
+     mysql -u root --password=$DB_ADMIN_PWD -e "SET PASSWORD FOR 'hirs_db'@'localhost' = PASSWORD('"$HIRS_DB_PWD"'); FLUSH PRIVILEGES;";
   fi
 }
 
@@ -196,6 +216,7 @@ check_for_container -p
 set_mysql_server_tls
 set_mysql_client_tls
 start_mysqlsd
+check_mysql
 check_mysql_root_pwd
 set_hirs_db_pwd
 create_hirs_db_with_tls

package/scripts/db/db_drop.sh

@@ -1,13 +1,14 @@
 #!/bin/bash
 
-SRV_CNF=/etc/my.cnf.d/mariadb-server.cnf
-CLIENT_CNF=/etc/my.cnf.d/client.cnf
+DB_SRV_CONF=/etc/my.cnf.d/mariadb-server.cnf
+DB_CLIENT_CONF=/etc/my.cnf.d/client.cnf
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )";)
 LOG_FILE=/dev/null
 DB_ADMIN_PWD=$1
 
 #source /etc/hirs/aca/aca.properties;
 source $SCRIPT_DIR/mysql_util.sh
+source /etc/os-release 
 
 # Check for sudo or root user, not actually needed but a good idea 
 if [ "$EUID" -ne 0 ]
@@ -15,6 +16,12 @@ if [ "$EUID" -ne 0 ]
      exit 1
 fi
 
+# Setup distro specifc paths and variables
+if [ $ID = "ubuntu" ]; then 
+   DB_SRV_CONF="/etc/mysql/mariadb.conf.d/50-server.cnf"
+   DB_CLIENT_CONF="/etc/mysql/mariadb.conf.d/50-client.cnf"
+fi
+
 if [ -d /opt/hirs/scripts/db ]; then
     MYSQL_DIR="/opt/hirs/scripts/db"
   else
@@ -44,8 +51,8 @@ fi
 # Remove key , cert and truststore entries from client.cnf andf mariadb.cnf
 
 echo "Removing hirs cert references from mariadb configuration files"
-grep -v "hirs" $SRV_CNF > tmpfile && mv tmpfile $SRV_CNF
-grep -v "hirs" $CLIENT_CNF > tmpfile && mv tmpfile $CLIENT_CNF
+grep -v "hirs" $DB_SRV_CONF > tmpfile && mv tmpfile $DB_SRV_CONF
+grep -v "hirs" $DB_CLIENT_CONF > tmpfile && mv tmpfile $DB_CLIENT_CONF
 
 echo "restarting mariadb"
 

package/scripts/db/mysql_util.sh

@@ -12,7 +12,7 @@ SQL_SERVICE="mariadb"
 check_for_container () {
   PRINT_STATUS=$1
   # Check if we're in a Docker container
-  if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then  
+  if [[ $(cat /proc/1/cgroup | head -n 1) == *"docker"* ]]; then  
   #if [ -f /.dockerenv ]; then
     DOCKER_CONTAINER=true
     if [[ $PRINT_STATUS == "-p" ]]; then echo "ACA is running in a container..." | tee -a "$LOG_FILE"; fi
@@ -40,8 +40,13 @@ check_mariadb_install () {
 # Starts mariadb during intial install 
 start_mysqlsd () {
   PRINT_STATUS=$1
+  PROCESS="mysqld"
+  source /etc/os-release 
+  if [ $ID = "ubuntu" ]; then 
+     PROCESS="mariadb"
+  fi
    # Check if mysql is already running, if not initialize
-   if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+   if [[ $(pgrep -c -u mysql $PROCESS) -eq 0 ]]; then
    # Check if running in a container
       if [ $DOCKER_CONTAINER  = true ]; then
       # if in Docker container, avoid services that invoke the D-Bus
@@ -52,13 +57,12 @@ start_mysqlsd () {
            chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
          fi
          if [[ $PRINT_STATUS == "-p" ]]; then echo "Starting mysql..."; fi
-           touch /var/log/mariadb/mariadb.log
-           chown mysql:mysql /var/log/mariadb/mariadb.log >> "$LOG_FILE";
-           /usr/bin/mysqld_safe & >> "$LOG_FILE"; 
-           echo "Attempting to start mariadb"
+         /usr/bin/mysqld_safe  --skip-syslog  >> "$LOG_FILE" &
+         chown -R mysql:mysql /var/lib/mysql/ >> "$LOG_FILE"
+         echo "Attempting to start mariadb"
          else #not a container
            systemctl enable $SQL_SERVICE & >> "$LOG_FILE";
-            systemctl start $SQL_SERVICE & >> "$LOG_FILE";
+           systemctl start $SQL_SERVICE & >> "$LOG_FILE";
          fi
      else # mysql process is running
      # check if mysql service is running
@@ -70,22 +74,22 @@ start_mysqlsd () {
        fi
      fi # non contanier mysql start
    fi   
-  # Wait for mysql to start before continuing.
-  if [[ $PRINT_STATUS == "-p" ]]; then  echo "Checking mysqld status..."| tee -a "$LOG_FILE"; fi
-  while ! mysqladmin ping -h "$localhost" --silent; do
-  sleep 1;
-  done
-
- if [[ $PRINT_STATUS == "-p" ]]; then  echo "mysqld is running."| tee -a "$LOG_FILE"; fi
 }
 
 # Basic check for marai db status, attempts restart if not running
 check_mysql () {
+ PROCESS="mysqld"
+   source /etc/os-release 
+   if [ $ID = "ubuntu" ]; then 
+       PROCESS="mariadb"
+   fi
+
  echo "Checking mysqld status..."
   if [ $DOCKER_CONTAINER  = true ]; then
-       if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then
+       if [[ $(pgrep -c -u mysql $PROCESS ) -eq 0 ]]; then
           echo "mariadb not running , attempting to restart"
-          /usr/bin/mysqld_safe & >> "$LOG_FILE"
+          chown mysql:mysql /var/log/mariadb/mariadb.log >> "$LOG_FILE";
+          /usr/bin/mysqld_safe  --skip-syslog  >> "$LOG_FILE" &
        fi
   else  # not in a contianer
     DB_STATUS=$(systemctl status mysql |grep 'running' | wc -l )
@@ -95,12 +99,24 @@ check_mysql () {
     fi
   fi
 
- # Wait for mysql to start before continuing.
 
-  while ! mysqladmin ping -h "$localhost" --silent; do
-     sleep 1;
+# Wait for mysql to start before continuing.
+  count=1;
+  if [[ $PRINT_STATUS == "-p" ]]; then  echo "Testing mysqld connection..."| tee -a "$LOG_FILE"; fi
+
+  until mysqladmin ping -h "localhost" --silent ; do
+  ((count++))
+  if [[ $count -gt 20 ]]; then
+     break;
+  fi
+  sleep 1;
   done
-  echo "   Mariadb is running."
+   if [[ $count -gt 20 ]]; then
+     echo "Timed out waiting for Mariadb to respond"
+     exit 1;
+   else
+     echo "Mariadb started"
+  fi
 }
 
 # Check for mysql root password , abort if not available 
@@ -163,5 +179,5 @@ mysqld_reboot () {
   mysql -u root --password=$DB_ADMIN_PWD -e "SHUTDOWN"
   sleep 2
   check_for_container
-  start_mysqlsd
-}
+  start_mysqlsd >> "$LOG_FILE";
+}

package/scripts/pki/pki_chain_gen.sh

@@ -225,6 +225,9 @@ create_cert_chain () {
          -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS >> "$LOG_FILE" 2>&1
 }
 
+# Needed for older versions of openssl
+   #openssl rand -writerand .rnd
+
 if [ "$ASYM_ALG" == "rsa" ]; then
    # Create Root CA key pair and self signed cert
    echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
@@ -255,4 +258,4 @@ if [ "$ASYM_ALG" == "ecc" ]; then
     add_to_stores $PKI_ROOT
     # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
    create_cert_chain
-fi
+fi

package/scripts/pki/pki_setup.sh

@@ -42,8 +42,8 @@ if [ -z "$PKI_PASS" ]; then
 fi
 
 # Check for sudo or root user 
-if [ "$EUID" -ne 0 ]
-        then echo "This script requires root.  Please run as root" | tee -a "$LOG_FILE"
+if [ "$EUID" -ne 0 ]; then 
+   echo "This script requires root.  Please run as root" | tee -a "$LOG_FILE"
         exit 1
 fi
 
@@ -61,8 +61,8 @@ if [ ! -d "/etc/hirs/certificates" ]; then
 
   pushd  /etc/hirs/certificates/ &> /dev/null
   cp $PKI_SETUP_DIR/ca.conf .
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
-  sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
+    $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
+    $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
   popd &> /dev/null
 
   echo "hirs_pki_password="$PKI_PASS >>  $ACA_PROP

test.sh

@@ -1,5 +0,0 @@
-echo "
-# *** ACA Directories ***
-aca.directories.root         = /etc/hirs/
-aca.prop.file=aca.directories.root/aca.properties
-aca.directories.certificates = root/certificates"