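#!/bin/bash
#
# Provisioner key-store bootstrap.
#
# Creates a self-signed client key/certificate for the HIRS provisioner,
# packages them into a JKS key store, rewrites the javax.net.ssl.* entries in
# provisioner.properties, downloads the Attestation CA's TrustStore and points
# provisioner.aca.host / provisioner.aca.port at the ACA.
#
# Reads (sourced from hirs-site.config): CLIENT_HOSTNAME, ATTESTATION_CA_FQDN,
#   ATTESTATION_CA_PORT
# Writes: /etc/hirs/certificates/provisioner/*, provisioner.properties,
#   /var/log/hirs/provisioner/HIRS_Provisioner.log
# Exits 1 when the site config is missing, a required ACA setting is empty,
# the key store cannot be built, or the TrustStore cannot be downloaded.

PROVISIONER_DIR="/etc/hirs/provisioner"
CERTIFICATES="/etc/hirs/certificates/provisioner"
SITE_CONFIG_FILE="/etc/hirs/hirs-site.config"
PROVISIONER_PROPERTIES="$PROVISIONER_DIR/provisioner.properties"
TMP_PROPERTIES="$PROVISIONER_DIR/tmp.properties"
PROVISIONER_LOG_DIR="/var/log/hirs/provisioner"
PROVISIONER_LOG_FILE="$PROVISIONER_LOG_DIR/HIRS_Provisioner.log"

# certificates and key stores generated or fetched by this script.
CLIENT_PEM="${CERTIFICATES}/private/hirs.client.pem"
CLIENT_CERT="${CERTIFICATES}/hirs.client.cert"
INTERNAL_P12="${CERTIFICATES}/hirs.p12"
KEYSTORE_JKS="${CERTIFICATES}/keyStoreClient.jks"
TRUSTSTORE_JKS="${CERTIFICATES}/TrustStore.jks"

# Print a message to the console and append it to the provisioner log.
log() {
  echo "$*" | tee -a "$PROVISIONER_LOG_FILE"
}

# Log an error message and abort the script.
die() {
  log "$*"
  exit 1
}

# ensure log file exists
mkdir -p "$PROVISIONER_LOG_DIR"
touch "$PROVISIONER_LOG_FILE"

# NOTE(review): the private key lands in ${CERTIFICATES}/private and the key
# store password is written in clear text to provisioner.properties below;
# the file modes are left to the umask here — confirm they match the
# provisioner's intended deployment.
mkdir -p "${CERTIFICATES}/private"

# delete the key store if it exists
if [ -f "$KEYSTORE_JKS" ]; then
  log "----> Deleting existing key store"
  rm -f -- "$KEYSTORE_JKS"
fi

# Read site config; it must define the ACA location used below.
if [ ! -f "$SITE_CONFIG_FILE" ]; then
  die "----> ERROR: site config $SITE_CONFIG_FILE not found"
fi
# shellcheck source=/dev/null
source "$SITE_CONFIG_FILE"
for required_var in ATTESTATION_CA_FQDN ATTESTATION_CA_PORT; do
  if [ -z "${!required_var}" ]; then
    die "----> ERROR: $required_var is not set in $SITE_CONFIG_FILE"
  fi
done
# CLIENT_HOSTNAME is only used as the certificate CN; an empty value is
# tolerated here (openssl skips an empty subject attribute) — TODO confirm
# that is acceptable for the ACA's identity checks.

# Read a block of raw data bytes from /dev/urandom and convert it to text characters.
# Exported so openssl/keytool can read it from the environment rather than
# argv, keeping it out of process listings.
P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
export P12_PASSWORD

# generate a key and certificate. The key is the private key used to sign the well known CA cert.
echo 'Creating 2048 bit key' >> "$PROVISIONER_LOG_FILE" 2>&1
if ! openssl req -x509 -nodes -days 3652 -newkey rsa:2048 \
    -keyout "$CLIENT_PEM" -out "$CLIENT_CERT" \
    -subj "/C=US/O=HIRS/OU=Provisioner/CN=$CLIENT_HOSTNAME" \
    >> "$PROVISIONER_LOG_FILE" 2>&1; then
  die "----> ERROR: key/certificate generation failed, see $PROVISIONER_LOG_FILE"
fi

# export the certificate and key as a p12 file
echo 'Exporting key' >> "$PROVISIONER_LOG_FILE" 2>&1
if ! openssl pkcs12 -export -in "$CLIENT_CERT" -inkey "$CLIENT_PEM" \
    -out "$INTERNAL_P12" -passout env:P12_PASSWORD \
    >> "$PROVISIONER_LOG_FILE" 2>&1; then
  die "----> ERROR: PKCS12 export failed, see $PROVISIONER_LOG_FILE"
fi

# create a key store using the pk12 file.
echo 'Configuring key store' >> "$PROVISIONER_LOG_FILE" 2>&1
keytool -importkeystore -srckeystore "$INTERNAL_P12" -destkeystore "$KEYSTORE_JKS" \
  -srcstoretype pkcs12 -srcstorepass:env P12_PASSWORD \
  -deststoretype jks -deststorepass:env P12_PASSWORD -noprompt \
  >> "$PROVISIONER_LOG_FILE" 2>&1

if [ ! -f "$KEYSTORE_JKS" ]; then
  die "${KEYSTORE_JKS} was not created"
fi

# Replace any previous javax.net.ssl.* entries with the new key store settings.
grep -v "javax.net.ssl" "$PROVISIONER_PROPERTIES" > "$TMP_PROPERTIES"
mv -- "$TMP_PROPERTIES" "$PROVISIONER_PROPERTIES"

{
  echo "javax.net.ssl.keyStore=$KEYSTORE_JKS"
  echo "javax.net.ssl.trustStore=$TRUSTSTORE_JKS"
  echo "javax.net.ssl.keyStorePassword=$P12_PASSWORD"
} >> "$PROVISIONER_PROPERTIES"

# Checking for existing HIRS TrustStore
if [ -f "$TRUSTSTORE_JKS" ]; then
  rm -f -- "$TRUSTSTORE_JKS"
fi

log "----> Downloading truststore"
# NOTE(review): --no-check-certificate means the TrustStore — the root of
# trust for every later TLS connection to the ACA — is fetched without
# verifying the server; a substituted TrustStore would go unnoticed here.
# Pinning the ACA certificate or verifying the downloaded file out of band
# would close that gap. wget output goes to the log for diagnosis.
wget "https://${ATTESTATION_CA_FQDN}:${ATTESTATION_CA_PORT}/HIRS_AttestationCA/client-files/TrustStore.jks" \
  --no-check-certificate -P "$CERTIFICATES" >> "$PROVISIONER_LOG_FILE" 2>&1

if [ ! -f "$TRUSTSTORE_JKS" ]; then
  die "----> ERROR: Truststore could not be downloaded from $ATTESTATION_CA_FQDN"
fi

# '|' is used as the sed delimiter so a value containing '/' cannot break the
# expression; values containing '|' or '&' would still need escaping.
sed -i "s|provisioner\.aca\.host\s*=\s*.*|provisioner.aca.host = $ATTESTATION_CA_FQDN|" "$PROVISIONER_PROPERTIES"
sed -i "s|provisioner\.aca\.port\s*=\s*.*|provisioner.aca.port = $ATTESTATION_CA_PORT|" "$PROVISIONER_PROPERTIES"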