added script for generating pki keys/certs [no ci]

HIRS_AttestationCAPortal/build.gradle

@@ -102,6 +102,9 @@ ospackage {
       from configurations.runtimeClasspath 
     }
     into ("/opt/hirs/scripts/aca/") {
+     from '../package/scripts/pki/pki_chain_gen.sh'
+     from '../package/scripts/pki/pki_setup.sh'
+     from '../package/scripts/aca/aca_proprty_setup.sh'
      from '../package/conf/tomcat.service'
      from '../package/scripts/install_tomcat.sh'
      from '../package/scripts/aca/certificate_generate.sh'
@@ -132,10 +135,7 @@ ospackage {
  //  }
 
      postInstall file('../package/scripts/common/db_create.sh')
-//     if (System.getenv('HIRS_INSTALL_STATUS').compareTo('fail')==0 ) {
+//   postInstall file('../package/scripts/pki/pki_setup.sh')  
-//       throw new GradleException('MYSQL password error occurred') 
-//     }
-  //    postInstall 'sh /opt/hirs/scripts/common/db_create.sh'
 //  postInstall file('../package/scripts/common/ssl_configure.sh')
   //  postInstall 'mkdir -p /etc/hirs/aca/client_files'
     postInstall 'mkdir -p /etc/hirs/aca/certificates'

package/scripts/aca/aca_property_setup.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Create aca.poperties file
+
+pki_password=$1
+
+rm  -f /etc/hirs/aca.properties 
+aca_prop_file="/etc/hirs/aca.properties"
+
+echo  '# *** ACA Directories ***
+aca.directories.root         = /etc/hirs/
+aca.directories.certificates = ${aca.directories.root}/certificates' > $aca_prop_file
+
+echo  '# *** Certificate and Key Properties ***
+aca.setup.keys.rsa.keySize         =  3072
+aca.setup.keys.ecc.keySize         =  512
+aca.setup.certificates.validity    =  3652
+aca.setup.certificates.subjectName =  HIRS_AttestationCA
+aca.setup.certificates.expiration  =  ${aca.setup.certificates.validity}' >>  $aca_prop_file
+
+echo  '# *** Keystore properties ***
+aca.keyStore.alias     =  HIRS_ACA_KEY
+aca.keyStore.rsa.alias =  hirs_leaf_ca1_rsa_3072_sha384
+aca.keyStore.ecc.alias =  hirs_leaf_ca1_ecc_512_sha384 
+aca.keyStore.location  =  ${aca.directories.certificates}/keyStore.jks
+aca.keyStore.password  =  '$pki_password >> $aca_prop_file
+

package/scripts/common/db_create.sh

@@ -17,27 +17,6 @@ mkdir -p /etc/hirs
 echo "hibernate.connection.username="hirs_db"" > /etc/hirs/hibernate.properties
 echo "hibernate.connection.password=$HIRS_DB_PWD" >> /etc/hirs/hibernate.properties
 
-# Test the root password, error if the password doesnt work
-
-if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
-    echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
-    mysql -fu root  -e 'quit'  &> /dev/null;
-else
-   echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
-   $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit'  &> /dev/null);
-fi
-if [ $? -eq 0 ]; then
- echo "root password verified" 
-else
- echo "MYSQL root password was not the default, not supplied,  or was incorrect"
- echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
- echo "      ********** ACA Mysql setup aborted ********" ;
- exit 1;
-fi
-
-echo "HIRS_DB_PWD is $HIRS_DB_PWD"
-echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
-
 # Check if we're in a Docker container
 if [ -f /.dockerenv ]; then
     DOCKER_CONTAINER=true
@@ -73,6 +52,34 @@ while ! mysqladmin ping -h "$localhost" --silent; do
   sleep 1;
 done
 
+# Test the root password, error if the password doesnt work
+
+if [ -z ${HIRS_MYSQL_ROOT_PWD} ]; then
+    echo "HIRS_MYSQL_ROOT_PWD environment variable not set"
+    mysql -fu root  -e 'quit'  &> /dev/null;
+else
+   echo "Using $HIRS_MYSQL_ROOT_PWD as the mysql root password"
+   $(mysql -u root -p$HIRS_MYSQL_ROOT_PWD -e 'quit'  &> /dev/null);
+fi
+if [ $? -eq 0 ]; then
+ echo "root password verified" 
+else
+ echo "MYSQL root password was not the default, not supplied,  or was incorrect"
+ echo "      please set the HIRS_MYSQL_ROOT_PWD system variable and retry."
+ echo "      ********** ACA Mysql setup aborted ********" ;
+ exit 1;
+fi
+
+echo "HIRS_DB_PWD is $HIRS_DB_PWD"
+echo "HIRS_MYSQL_ROOT_PWD is $HIRS_MYSQL_ROOT_PWD"
+
+# Check if we're in a Docker container
+if [ -f /.dockerenv ]; then
+    DOCKER_CONTAINER=true
+else
+    DOCKER_CONTAINER=false
+fi
+
 # Create the hirs_db database
 echo "Creating HIRS Database..." 
 mysql -u root --password=$HIRS_MYSQL_ROOT_PWD < /opt/hirs/scripts/common/db_create.sql

package/scripts/pki/.prop.file

@@ -0,0 +1,9 @@
+# *** ACA Directories ***
+aca.directories.root         = /etc/hirs/
+aca.directories.certificates = ${aca.directories.root}/certificates
+# *** Certificate and Key Properties ***
+aca.setup.keys.rsa.keySize         =  3072
+aca.setup.keys.ecc.keySize         =  512
+aca.setup.certificates.validity    =  3652
+aca.setup.certificates.subjectName =  HIRS_AttestationCA
+aca.setup.certificates.expiration  =  ${aca.setup.certificates.validity}

package/scripts/pki/pki_chain_gen.sh

@@ -1,4 +1,4 @@
-!/bin/bash
+#!/bin/bash
 # Script to generate a PKI Stack (Root, Intermediate, and LEAF CAs) and a Base RIM Signer
 # creates a folder based upon the actor name and places certs under an algoithm specific folder (e.g. rsa_certs)
 # PARAMS: 
@@ -6,49 +6,38 @@
 # 2. Algorithm string (e.g. rsa or ecc)
 # 3. Key Bit Size string (e.g. 2048)
 # 4. Hash Algorithm string (e.g. sha256)
+# 5. PKI password used to protect PKI keys and certs
 #
 # Examples:
-#    make_pki.sh "PC Manufacturer" rsa 2048 sha256 
+#    pki_chain_gen.sh "PC Manufacturer" rsa 2048 sha256 "password" 
-#    make_pki.sh "DISK Manufacturer" ecc 256 sha512
+#    pki_chain_gen.sh "DISK Manufacturer" ecc 256 sha512 "password"
 #
+# A KeyStore and Trust Store are created for by Java Applications. Both will use the supplied password. 
 
 ACTOR=$1
 ACTOR_ALT=${ACTOR// /_}
 ASYM_ALG=$2
 ASYM_SIZE=$3
 HASH_ALG=$4
-ROOT_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test root ca"
+PASS=$5
-INT_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
+ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
-LEAF_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test ca"
+INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
-SIGNER_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" test signer"
+LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
-SERVER_DN="/C=US/ST=MD/L=Bethseda/O="$ACTOR"/CN="$ACTOR" aca"
+SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test signer"
-PASS="xrb204k"
+SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca"
-
+# Capture location of the script to allow from invocation from any location
-print_help () {
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
- echo "
+TRUSTSTORE=TrustStore.jks
-make_pki.sh - creates a pki certificate chain
+KEYSTORE=KeyStore.jks
-
-Usage:
-  make_pki.sh \"Actor Name\" \"Asymmetric Algorithm\" \"Key Size\" \"Hash Algorithm\"
-
-Required Parameters:
-  Actor Name              Device Manufacturer
-  Asymmetric Algorithm    rsa or ecc
-  Key Size (in bits)      (rsa) 2048, 3072, or 4096
-                          (ecc) 256, 384, or 512
-  Hash Algorithm          sha256, sha384, or sha512
- "
-exit 1;
-}
 
 # Parameter check 
 if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
-   print_help
+   echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
    exit 1;
 fi
 
 if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
-       echo "$ASYM_ALG is an unsupported assymetric algorithm"
+       echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
        exit 1
 fi
 
@@ -63,7 +52,7 @@ case $ASYM_SIZE in
      3072) KSIZE=3k;;
      4096) KSIZE=4k;;
      *) 
-       echo "$ASYM_SIZE is an unsupported key size"
+       echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
        exit 1;;
 esac
 
@@ -77,13 +66,13 @@ PKI_CA2="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca2_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 PKI_CA3="$CERT_FOLDER"/"$ACTOR_ALT"_leaf_ca3_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 RIM_SIGNER="$CERT_FOLDER"/"$ACTOR_ALT"_rim_signer_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
 TLS_SERVER="$CERT_FOLDER"/"$ACTOR_ALT"_aca_tls_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"
-TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_Cert_Chain.pem
+TRUST_STORE_FILE="$CERT_FOLDER"/"$ACTOR_ALT"_"$ASYM_ALG"_"$KSIZE"_"$HASH_ALG"_Cert_Chain.pem
 
-ROOT_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test root ca"
+ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test root ca"
-INT_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test intermediate ca"
+INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test intermediate ca"
-LEAF_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test ca"
+LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test ca"
-SIGNER_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" test signer"
+SIGNER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" test signer"
-TLS_DN="/C=US/ST=OR/L=Beaverton/O="$ACTOR"/CN="$NAME" portal"
+TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
 
 # Add check for existing folder and halt if it exists
 if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
@@ -92,7 +81,7 @@ if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
 fi
 
 # Intialize sub folders
-echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
+#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
 
 mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
 cp ca.conf "$ACTOR_ALT"/.
@@ -114,6 +103,7 @@ create_cert () {
    SUBJ_DN="$3"
    ISSUER_KEY="$ISSUER".key
    ISSUER_CERT="$ISSUER".pem
+   ALIAS=${CERT_PATH#*/}    # Use filename without path as an alias    
 
    if [ "$CERT_TYPE" == "rim_signer" ]; then
       EXTENSION="signer_extensions"
@@ -127,10 +117,10 @@ create_cert () {
        openssl req -newkey rsa:"$ASYM_SIZE" \
             -keyout "$CERT_PATH".key \
             -out "$CERT_PATH".csr  -subj "$SUBJ_DN" \
-            -passout pass:"$PASS"
+            -passout pass:"$PASS" &> /dev/null
    else
-       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key
+       openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
-       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN"    
+       openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG  -subj "$SUBJ_DN" &> /dev/null    
    fi
    openssl ca -config ca.conf \
            -keyfile "$ISSUER_KEY" \
@@ -140,11 +130,20 @@ create_cert () {
            -out "$CERT_PATH".pem \
            -in "$CERT_PATH".csr \
            -passin pass:"$PASS" \
-           -batch
+           -batch \
-   #increment the cert serial number
+           -notext                          &> /dev/null
-   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt
+   # Increment the cert serial number
+   awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
    # remove csr file
-   rm "$CERT_PATH".csr
+   rm -f "$CERT_PATH".csr
+   # Add the cert and key to the key store. make a p12 file to import into te keystore
+   openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
+   # Use the p12 file to import into a java keystore via keytool
+   keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
+   # Import the cert into a java trust store via keytool
+   keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem  -noprompt -alias "$ALIAS" &> /dev/null
+   # Remove the temp p1 file.
+   rm tmpkey.p12
 }
 
 create_cert_chain () {
@@ -170,20 +169,20 @@ create_cert_chain () {
    create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
 
    # Create Cert trust store by adding the Intermediate and root certs 
-   cat "$PKI_CA1.pem" "$PKI_CA2.pem"  "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
+   cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" >  "$TRUST_STORE_FILE"
 
-   echo "Checking signer cert using tust store..." 
+ # echo "Checking signer cert using tust store..." 
    openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
 }
 
 if [ "$ASYM_ALG" == "rsa" ]; then 
    # Create Root CA key pair and self signed cert
-    openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE"
+   openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
 
    # Create a self signed CA certificate
    openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
           -extensions ca_extensions -out "$PKI_ROOT".pem \
-          -passout pass:"$PASS"
+          -passout pass:"$PASS"   &> /dev/null
    # Create an intermediate CA, 2 Leaf CAs, and Signer Certs 
    create_cert_chain
 fi

package/scripts/pki/pki_setup.sh

@@ -7,7 +7,18 @@
 ############################################################################################
 
 # Capture location of the script to allow from invocation from any location 
-scriptDir=$( dirname -- "$( readlink -f -- "$0"; )"; )
+SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
+# Set HIRS PKI  password
+if [ -z $HIRS_PKI_PWD ]; then
+   # Create a 32 character random password
+   PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
+   #PKI_PASS="xrb204k"
+fi
+
+# Create an ACA proerties file using the new password
+pushd $SCRIPT_DIR &> /dev/null
+sh ../aca/aca_property_setup.sh $PKI_PASS
+popd &> /dev/null
 
 # Create Cert Chains
 rm -rf /etc/hirs/certificates
@@ -15,8 +26,8 @@ mkdir -p /etc/hirs/certificates/
 
 pushd  /etc/hirs/certificates/
 
-cp $scriptDir/ca.conf .
+cp $SCRIPT_DIR/ca.conf .
-sh $scriptDir/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384"
+sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
-sh $scriptDir/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384"
+sh $SCRIPT_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" 
 
 popd

test.sh

@@ -0,0 +1,5 @@
+echo "
+# *** ACA Directories ***
+aca.directories.root         = /etc/hirs/
+aca.prop.file=aca.directories.root/aca.properties
+aca.directories.certificates = root/certificates"