mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-24 23:26:50 +00:00
74ed0005a1
Co-Authored-By: apldev4 <apl.dev4@jhuapl.edu>
91 lines
3.3 KiB
Bash
91 lines
3.3 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# Check if we're in a Docker container
|
|
if [ -f /.dockerenv ]; then
|
|
DOCKER_CONTAINER=true
|
|
else
|
|
DOCKER_CONTAINER=false
|
|
fi
|
|
|
|
# variables for the CA certificates
|
|
CA_PATH=/etc/hirs/certificates
|
|
CA_KEYSTORE=${CA_PATH}/TrustStore.jks
|
|
|
|
# variables for the ACA certificates
|
|
ACA_CERTS=/etc/hirs/aca/certificates
|
|
ACA_KEY=${ACA_CERTS}/aca.key
|
|
ACA_CRT=${ACA_CERTS}/aca.crt
|
|
ACA_P12=${ACA_CERTS}/aca.p12
|
|
ACA_JKS=${ACA_CERTS}/keyStore.jks
|
|
ACA_CONF=${ACA_CERTS}/aca.conf
|
|
|
|
# generate the OpenSSL conf file
|
|
echo "[req]" >> ${ACA_CONF}
|
|
echo "req_extensions=aca" >> ${ACA_CONF}
|
|
echo "distinguished_name=distname" >> ${ACA_CONF}
|
|
echo "" >> ${ACA_CONF}
|
|
echo "[aca]" >> ${ACA_CONF}
|
|
echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF}
|
|
echo "basicConstraints=critical,CA:true" >> ${ACA_CONF}
|
|
echo "subjectKeyIdentifier=hash" >> ${ACA_CONF}
|
|
echo "" >> ${ACA_CONF}
|
|
echo "[distname]" >> ${ACA_CONF}
|
|
echo "# empty" >> ${ACA_CONF}
|
|
|
|
# generate the ACA signing key and self-signed certificate
|
|
openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT}
|
|
|
|
# if the trust store already has an older HIRS_ACA_KEY in it, remove it
|
|
keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY
|
|
rc=$?
|
|
if [[ $rc = 0 ]]; then
|
|
keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE}
|
|
fi
|
|
|
|
# load the generated certificate into the CA trust store
|
|
keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY
|
|
|
|
# export the cert and key to a p12 file
|
|
openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password
|
|
|
|
# create a key store using the p12 file
|
|
keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY
|
|
|
|
# set the password in the aca properties file
|
|
sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties
|
|
|
|
# copy the trust store to the ACA
|
|
cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/
|
|
|
|
# start up the tomcat service
|
|
|
|
# Guess where Tomcat is installed and what it's called:
|
|
if [ -d /usr/share/tomcat6 ] ; then
|
|
TOMCAT_SERVICE=tomcat6
|
|
elif [ -d /usr/share/tomcat ] ; then
|
|
TOMCAT_SERVICE=tomcat
|
|
else
|
|
echo "Can't find Tomcat installation"
|
|
exit 1
|
|
fi
|
|
|
|
# restart tomcat after updating the trust store.
|
|
if [ $DOCKER_CONTAINER = true ]; then
|
|
# If in Docker container, avoid services that invoke the D-Bus
|
|
if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then
|
|
echo "Tomcat is running, so we restart it."
|
|
/usr/libexec/tomcat/server stop
|
|
# Wait for Tomcat to stop completely and prevent port bind collisions
|
|
while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do
|
|
:
|
|
done
|
|
(/usr/libexec/tomcat/server start) &
|
|
# Wait for Tomcat to boot completely
|
|
until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do
|
|
:
|
|
done
|
|
fi
|
|
else
|
|
/sbin/service ${TOMCAT_SERVICE} restart;
|
|
fi
|