From a569bda8dba6bb953a9ae51c1ae0f274d3485c70 Mon Sep 17 00:00:00 2001
From: iadgovuser26
Date: Mon, 10 Jul 2023 15:57:10 +0000
Subject: [PATCH] Updated cert gen script path for bootRun
---
 package/scripts/pki/ca.conf | 2 --
 package/scripts/pki/pki_chain_gen.sh | 26 +++++++++++---------------
 package/scripts/pki/pki_setup.sh | 5 +++--
 3 files changed, 14 insertions(+), 19 deletions(-)
diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf
index 74d1b748..eed05dab 100644
--- a/package/scripts/pki/ca.conf
+++ b/package/scripts/pki/ca.conf
@@ -35,7 +35,6 @@ crlDistributionPoints = URI:https://example.com/crl
 [ server_extensions ]
 keyUsage = critical,digitalSignature,keyEncipherment
-basicConstraints = critical
 extendedKeyUsage = serverAuth,clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always
@@ -46,7 +45,6 @@ crlDistributionPoints = URI:https://example.com/crl
 keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer
-basicConstraints = critical
 keyUsage = critical, digitalSignature
 authorityInfoAccess = caIssuers;URI:https://example.com/certs/
 crlDistributionPoints = URI:https://example.com/crl
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh
index fffa44fc..f4dae1ed 100644
--- a/package/scripts/pki/pki_chain_gen.sh
+++ b/package/scripts/pki/pki_chain_gen.sh
@@ -72,7 +72,7 @@ ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
 INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
 LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
 SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="localhost"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN=localhost"
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
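Review bot: Dropping `basicConstraints = critical` from `[ server_extensions ]` leaves the TLS server certificate with no basicConstraints at all, and the identical removal in the second ca.conf hunk (`@@ -46,7 +45,6 @@`) does the same for the signer section. The removed line was presumably rejected by openssl because `critical` is not followed by a CA value; the line that was most likely intended is `basicConstraints = critical,CA:FALSE`, which keeps both end-entity certificates explicitly marked as non-CA instead of relying on the extension being absent. The signer section also carries two `keyUsage` lines (`critical,digitalSignature,nonRepudiation,keyEncipherment` and `critical, digitalSignature`, both context here), which is a conflicting setting worth collapsing into one while this file is being edited.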
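Review bot: `CN=localhost` is now the only name the TLS server certificate carries: `[ server_extensions ]` in the ca.conf hunk above defines no `subjectAltName`, and several modern TLS clients no longer fall back to the CN when checking the host name, so the bootRun endpoint can still fail hostname verification with a correctly quoted DN. Add `subjectAltName = DNS:localhost,IP:127.0.0.1` to `[ server_extensions ]` (or to a section applied only to the TLS cert) so the name is where validators look for it. The quoting change itself is correct; the remaining `O="$ACTOR"` splice is safe only because this is an assignment, where no word splitting happens.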
@@ -81,7 +81,7 @@ if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
 fi
 # Intialize sub folders
-#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
@@ -101,17 +101,12 @@ create_cert () {
 CERT_PATH="$1"
 ISSUER="$2"
 SUBJ_DN="$3"
+ EXTENSION="$4"
 ISSUER_KEY="$ISSUER".key
 ISSUER_CERT="$ISSUER".pem
 ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
- if [ "$CERT_TYPE" == "rim_signer" ]; then
- EXTENSION="signer_extensions"
- else
- EXTENSION="ca_extensions"
- fi
-
- echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..."
+ echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..."
 if [ "$ASYM_ALG" == "rsa" ]; then
 openssl req -newkey rsa:"$ASYM_SIZE" \
@@ -122,6 +117,7 @@ create_cert () {
 openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
 openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
 fi
+
 openssl ca -config ca.conf \
 -keyfile "$ISSUER_KEY" \
 -md $HASH_ALG \
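Review bot: The re-enabled echo prints `$KSIZE`, while `create_cert` further down sizes the RSA key from `$ASYM_SIZE` (`openssl req -newkey rsa:"$ASYM_SIZE"`); unless KSIZE is deliberately maintained as a second copy, the message can show an empty or stale size, or abort the script if `set -u` is active (not visible in this hunk). Print the variable the key generation actually uses, `echo "Creating PKI for $ACTOR_ALT using $ASYM_SIZE $ASYM_ALG and $HASH_ALG..."`, or confirm that KSIZE is set wherever ASYM_SIZE is.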
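Review bot: `EXTENSION="$4"` silently accepts a missing fourth argument, yet the value selects which ca.conf section — and so which CA or end-entity constraints — the certificate is issued under; the `openssl ca` call that consumes it is below this hunk, so an empty value is caught, if at all, only by openssl. Fail at the call site instead: `EXTENSION="${4:?create_cert: extensions section (4th argument) is required}"`. The rewritten echo also leaves `$ISSUER_KEY` and `$SUBJ_DN` outside the quotes (`"..."$ISSUER_KEY" ..."`), so the DN is word-split and glob-expanded before it is printed; `echo "Creating cert using $ISSUER_KEY with a DN=$SUBJ_DN..."` prints it intact. `create_cert` starts and ends outside this hunk.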
@@ -149,24 +145,24 @@ create_cert () {
 create_cert_chain () {
 # Create an intermediate CA, Sign with Root CA
- create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN"
+ create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions"
 # Create a Leaf CA (CA1), Sign with intermediate CA
- create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1
+ create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions"
 # Create a Leaf CA (CA2), Sign with intermediate CA
- create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2
+ create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions"
 # Create a Leaf CA (CA3), Sign with intermediate CA
- create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3
+ create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions"
 # Create a RIM Signer
- create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN"
+ create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions"
 # Create a ACA Sever Cert for TLS use
- create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
+ create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
 # Create Cert trust store by adding the Intermediate and root certs
 cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh
index c14d531a..019473df 100644
--- a/package/scripts/pki/pki_setup.sh
+++ b/package/scripts/pki/pki_setup.sh
@@ -10,6 +10,7 @@ PROP_FILE=/etc/hirs/aca/application.properties
 # Capture location of the script to allow from invocation from any location
 SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+echo "SCRIPT_DIR is $SCRIPT_DIR"
 # Set HIRS PKI password
 if [ -z $HIRS_PKI_PWD ]; then
 # Create a 32 character random password
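Review bot: None of the six `create_cert` calls checks its result, and `create_cert` already discards openssl's output (`&> /dev/null` in the previous hunk), so a failed issuance — for instance an extension section name that does not match a ca.conf section — goes unnoticed and the chain proceeds to the `cat` that builds the trust store from files that may never have been written. Unless `set -e` is enabled earlier in the script (not visible here), append `|| return 1` to each `create_cert` call, or have `create_cert` itself propagate the `openssl ca` exit status. `create_cert_chain` continues past the end of this hunk.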
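Review bot: The new `echo "SCRIPT_DIR is $SCRIPT_DIR"` writes a diagnostic to stdout, where it mixes with the script's regular output; route it to stderr, `echo "SCRIPT_DIR is $SCRIPT_DIR" >&2`, or remove it now that the path resolution is confirmed. The neighbouring `if [ -z $HIRS_PKI_PWD ]` (context, not changed by this commit) leaves the variable unquoted, so a value containing whitespace breaks the test; `[ -z "$HIRS_PKI_PWD" ]` is the safe form if that line is touched again.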
@@ -35,10 +36,10 @@ popd &> /dev/null
 # Create Cert Chains
 if [ ! -d "/etc/hirs/certificates" ]; then
- if [ -d /opt/hirs/scripts/pki ]; then
+ if [ -d "/opt/hirs/scripts/pki" ]; then
 PKI_SETUP_DIR="/opt/hirs/scripts/pki"
 else
- PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
+ PKI_SETUP_DIR="$SCRIPT_DIR"
 fi
 echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"