#!/usr/bin/env bash # Check if we're in a Docker container if [ -f /.dockerenv ]; then DOCKER_CONTAINER=true else DOCKER_CONTAINER=false fi # variables for the CA certificates CA_PATH=/etc/hirs/certificates CA_KEYSTORE=${CA_PATH}/TrustStore.jks # variables for the ACA certificates ACA_CERTS=/etc/hirs/aca/certificates ACA_KEY=${ACA_CERTS}/aca.key ACA_CRT=${ACA_CERTS}/aca.crt ACA_P12=${ACA_CERTS}/aca.p12 ACA_JKS=${ACA_CERTS}/keyStore.jks ACA_CONF=${ACA_CERTS}/aca.conf # generate the OpenSSL conf file echo "[req]" >> ${ACA_CONF} echo "req_extensions=aca" >> ${ACA_CONF} echo "distinguished_name=distname" >> ${ACA_CONF} echo "" >> ${ACA_CONF} echo "[aca]" >> ${ACA_CONF} echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF} echo "basicConstraints=critical,CA:true" >> ${ACA_CONF} echo "subjectKeyIdentifier=hash" >> ${ACA_CONF} echo "" >> ${ACA_CONF} echo "[distname]" >> ${ACA_CONF} echo "# empty" >> ${ACA_CONF} # generate the ACA signing key and self-signed certificate openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT} # if the trust store already has an older HIRS_ACA_KEY in it, remove it keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY rc=$? if [[ $rc = 0 ]]; then keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE} fi # load the generated certificate into the CA trust store keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY # export the cert and key to a p12 file openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password # create a key store using the p12 file keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY # set the password in the aca properties file sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties # copy the trust store to the ACA cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/ # start up the tomcat service # Guess where Tomcat is installed and what it's called: if [ -d /usr/share/tomcat6 ] ; then TOMCAT_SERVICE=tomcat6 elif [ -d /usr/share/tomcat ] ; then TOMCAT_SERVICE=tomcat else echo "Can't find Tomcat installation" exit 1 fi # restart tomcat after updating the trust store. if [ $DOCKER_CONTAINER = true ]; then # If in Docker container, avoid services that invoke the D-Bus if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then echo "Tomcat is running, so we restart it." /usr/libexec/tomcat/server stop # Wait for Tomcat to stop completely and prevent port bind collisions while [ -z $(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]") ]; do : done (/usr/libexec/tomcat/server start) & # Wait for Tomcat to boot completely until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do : done fi else /sbin/service ${TOMCAT_SERVICE} restart; fi