HIRS/package/scripts/aca/certificate_generate.sh

91 lines
3.3 KiB
Bash

#!/usr/bin/env bash
# Check if we're in a Docker container
if [ -f /.dockerenv ]; then
DOCKER_CONTAINER=true
else
DOCKER_CONTAINER=false
fi
# variables for the CA certificates
CA_PATH=/etc/hirs/certificates
CA_KEYSTORE=${CA_PATH}/TrustStore.jks
# variables for the ACA certificates
ACA_CERTS=/etc/hirs/aca/certificates
ACA_KEY=${ACA_CERTS}/aca.key
ACA_CRT=${ACA_CERTS}/aca.crt
ACA_P12=${ACA_CERTS}/aca.p12
ACA_JKS=${ACA_CERTS}/keyStore.jks
ACA_CONF=${ACA_CERTS}/aca.conf
# generate the OpenSSL conf file
echo "[req]" >> ${ACA_CONF}
echo "req_extensions=aca" >> ${ACA_CONF}
echo "distinguished_name=distname" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[aca]" >> ${ACA_CONF}
echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF}
echo "basicConstraints=critical,CA:true" >> ${ACA_CONF}
echo "subjectKeyIdentifier=hash" >> ${ACA_CONF}
echo "" >> ${ACA_CONF}
echo "[distname]" >> ${ACA_CONF}
echo "# empty" >> ${ACA_CONF}
# generate the ACA signing key and self-signed certificate
openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT}
# if the trust store already has an older HIRS_ACA_KEY in it, remove it
keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY
rc=$?
if [[ $rc = 0 ]]; then
keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE}
fi
# load the generated certificate into the CA trust store
keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY
# export the cert and key to a p12 file
openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password
# create a key store using the p12 file
keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY
# set the password in the aca properties file
sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties
# copy the trust store to the ACA
cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
# start up the tomcat service
# Guess where Tomcat is installed and what it's called:
if [ -d /usr/share/tomcat6 ] ; then
TOMCAT_SERVICE=tomcat6
elif [ -d /usr/share/tomcat ] ; then
TOMCAT_SERVICE=tomcat
else
echo "Can't find Tomcat installation"
exit 1
fi
# restart tomcat after updating the trust store.
if [ $DOCKER_CONTAINER = true ]; then
# If in Docker container, avoid services that invoke the D-Bus
if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
echo "Tomcat is running, so we restart it."
/usr/libexec/tomcat/server stop
# Wait for Tomcat to stop completely and prevent port bind collisions
while [ -z $(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]") ]; do
:
done
(/usr/libexec/tomcat/server start) &
# Wait for Tomcat to boot completely
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
:
done
fi
else
/sbin/service ${TOMCAT_SERVICE} restart;
fi