From: Manjunath Ranganathaiah Date: Tue, 11 Sep 2018 16:11:06 +0000 (-0700) Subject: Add import scripts to base image X-Git-Tag: 3.0.0~9^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=c8719c06244e18355db7c52e5deee4acb398f5f1;p=aaf%2Fsshsm.git Add import scripts to base image These scripts imports the CA key to either tpm or softhsm. Updates the pkcs11 config file and adds the required config for softhsm Change-Id: If45cfb514756bf4ab03081d458ed728921fa1d51 Issue-ID: AAF-483 Signed-off-by: Manjunath Ranganathaiah
---
diff --git a/bin/base/application.sh b/bin/base/application.sh
new file mode 100755
index 0000000..cb7db08
--- /dev/null
+++ b/bin/base/application.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+
+# This script receives 2 arguments
+applicationlibrary=$1
+SoftHSMv2SlotID=$2
+
+# Setting up the pkcs11 config file
+echo "library = ${applicationlibrary}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
+echo "slot = ${SoftHSMv2SlotID}" >> /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11
diff --git a/bin/base/import.sh b/bin/base/import.sh
new file mode 100755
index 0000000..96a2489
--- /dev/null
+++ b/bin/base/import.sh
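Review bot: Both echo lines append with `>>`, so every run of application.sh adds another `library =`/`slot =` pair to org.osaaf.aaf.cm.pkcs11, and nothing checks that the two arguments were actually supplied — an empty `$2` silently writes `slot = `. I'd assert the arguments up front, `: "${1:?pkcs11 library path required}" "${2:?SoftHSM slot id required}"`, and emit the file in one write, `printf 'library = %s\nslot = %s\n' "${applicationlibrary}" "${SoftHSMv2SlotID}" > /opt/app/osaaf/local/org.osaaf.aaf.cm.pkcs11`, so the config holds exactly one pair. Whether the consumer of this file tolerates duplicate keys cannot be determined from this diff.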
@@ -0,0 +1,117 @@
+#!/bin/bash
+
+# CA key import script for both tpm and softhsm case
+# required inputs are passed in through mount volume by oom
+
+set -e
+
+#if pkcs11 is not configured exit gracefully
+str=$(awk '/org.osaaf.aaf.cm.pkcs11/{print $0}' /opt/app/osaaf/local/org.osaaf.cm.ca.props)
+if [ ! -z $str ];then
+ echo "Using pkcs11 configuration"
+else
+ echo "Not using pkcs11 configuration"
+ exit 0
+fi
+
+
+#mount path for input files
+mountvolume="/tmp/files"
+#key_id in decimal
+key_id="8738"
+#Key_label used for key import
+key_label="localca"
+#Initial slot number
+slot_no="0"
+#Token name
+token_name="CAToken"
+#cert_id is the input for the application which is hexadecimal equivalent of key_id
+cert_id=$(printf '%x' ${key_id})
+#SoftHSM2 lib location
+applicationlibrary="/usr/local/lib/softhsm/libsofthsm2.so"
+#User pin for the SoftHSM operations
+cd /
+phrase="$(cat ${mountvolume}/passphrase-pin)"
+cp ${mountvolume}/upin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 upin.txt.gpg
+upin="$(cat upin.txt)"
+rm -f upin.txt
+rm -f upin.txt.gpg
+#SoPin for the SoftHSM operations
+cp ${mountvolume}/sopin.txt.gpg .
+echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 sopin.txt.gpg
+sopin="$(cat sopin.txt)"
+rm -f sopin.txt
+rm -f sopin.txt.gpg
+
+# Initialize the token and set the perms on the .sh files
+softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \
+ --pin ${upin} --so-pin ${sopin}
+softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt
+SoftHSMv2SlotID="$(cat slotinfo.txt)"
+rm -rf slotinfo.txt
+
+chmod 755 /sshsm/bin/softhsmconfig.sh
+chmod 755 /sshsm/bin/application.sh
+
+# import the key either to tpm or softhsm
+if [ -f ${mountvolume}/out_parent_public ]; then
+
+ #tpm import password
+ phrase="$(cat ${mountvolume}/passphrase-ipass)"
+ cp ${mountvolume}/ipass.txt.gpg .
+ echo "${phrase}" | gpg --batch --yes --passphrase-fd 0 ipass.txt.gpg
+ ipass="$(cat ipass.txt)"
+ rm -f ipass.txt
+ #TPM handle
+ tpm_handle="$(cat ${mountvolume}/tpm-handle.txt)"
+ # Copy the required input files for the Import tool
+ cp ${mountvolume}/dup* /tpm-util/bin/
+
+ # Run the Import Utility
+ cd /tpm-util/bin
+ ./ossl_tpm_import -H $tpm_handle -dupPub dupPub -dupPriv dupPriv \
+ -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \
+ -password $ipass
+
+ # setup tpm-softhsm specific config
+ cd /sshsm/bin
+ ./softhsmconfig.sh $tpm_handle $key_id $key_label $upin $sopin $SoftHSMv2SlotID \
+ "/tpm-util/bin/outPriv" "/tpm-util/bin/outPub"
+else
+
+# SoftHSM mode implementation
+
+ echo "TPM hardware unavailable, using SoftHSM implementation"
+
+ # Extract the Private key using passphrase
+ passphrase="$(cat ${mountvolume}/passphrase)"
+ cp ${mountvolume}/privkey.pem.gpg .
+ echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg
+
+ # Convert the Private key pem into der format
+ openssl rsa -in ./privkey.pem -outform DER -out privatekey.der
+
+ # Load the Private key into SoftHSM
+ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+ --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label}
+
+ # Clenup the files
+ rm -f privkey.pem
+ rm -f privatekey.der
+ rm -f privkey.pem.gpg
+
+fi
+
+cd /
+# Convert the crt to der format
+openssl x509 -in ${mountvolume}/ca.cert -outform der -out ca.der
+
+# Add the ca certificate
+pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \
+--write-object ./ca.der --type cert --id ${cert_id}
+
+rm -f ca.der
+
+# Call app specific script
+/sshsm/bin/application.sh $applicationlibrary $SoftHSMv2SlotID
diff --git a/bin/base/softhsmconfig.sh b/bin/base/softhsmconfig.sh
new file mode 100755
index 0000000..91c76d5
--- /dev/null
+++ b/bin/base/softhsmconfig.sh
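Review bot: The PINs and the TPM import password are handed to softhsm2-util, pkcs11-tool, ossl_tpm_import and softhsmconfig.sh as command-line arguments (`--pin ${upin} --so-pin ${sopin}`, `-password $ipass`), so they are readable by any process in the container through `ps` or `/proc/*/cmdline`, and the decrypted upin.txt, sopin.txt, ipass.txt, privkey.pem and privatekey.der are written in plaintext to the filesystem before the `rm -f` lines run. Under `set -e` any failure between a gpg step and its cleanup leaves those files behind, and ipass.txt.gpg is copied but never removed at all. I'd decrypt the PINs straight into variables with `gpg --decrypt` writing to stdout, and do the key conversion inside a `mktemp -d` directory removed by an EXIT trap, as sketched below; pkcs11-tool can then take `--pin env:UPIN` (supported by recent OpenSC, worth confirming against the image's version) so at least that PIN stays off argv, while the softhsm2-util and ossl_tpm_import invocations still expose theirs. Separately, `if [ ! -z $str ];then` is unquoted: if the matched line of org.osaaf.cm.ca.props contains whitespace, `[` fails with "too many arguments" and the script exits 0 as if pkcs11 were not configured, so that should be `if [ -n "$str" ]; then` or simply `grep -q org.osaaf.aaf.cm.pkcs11 /opt/app/osaaf/local/org.osaaf.cm.ca.props`.
```shell
# … unchanged: pkcs11 config check and constants …
# Decrypt to stdout and capture in variables: no plaintext PIN file touches disk.
decrypt() { gpg --batch --yes --quiet --passphrase-fd 0 --decrypt "$1"; }
phrase="$(cat "${mountvolume}/passphrase-pin")"
upin="$(printf '%s\n' "${phrase}" | decrypt "${mountvolume}/upin.txt.gpg")"
sopin="$(printf '%s\n' "${phrase}" | decrypt "${mountvolume}/sopin.txt.gpg")"
# Key material goes to a private scratch dir that is removed on any exit,
# including a set -e abort part-way through.
workdir="$(mktemp -d)"
trap 'rm -rf -- "${workdir}"' EXIT
# … unchanged: token init, slot lookup, chmod …
if [ -f "${mountvolume}/out_parent_public" ]; then
    ipass="$(printf '%s\n' "$(cat "${mountvolume}/passphrase-ipass")" | decrypt "${mountvolume}/ipass.txt.gpg")"
    # … unchanged: ossl_tpm_import and softhsmconfig.sh calls (these still put $ipass/$upin/$sopin on argv) …
else
    echo "TPM hardware unavailable, using SoftHSM implementation"
    # The PEM never hits disk; only the DER copy does, inside workdir.
    printf '%s\n' "$(cat "${mountvolume}/passphrase")" | decrypt "${mountvolume}/privkey.pem.gpg" \
        | openssl rsa -outform DER -out "${workdir}/privatekey.der"
    UPIN="${upin}" pkcs11-tool --module "${applicationlibrary}" -l --pin env:UPIN \
        --write-object "${workdir}/privatekey.der" --type privkey --id "${cert_id}" --label "${key_label}"
fi
# … unchanged: ca.cert to DER (written under workdir) and certificate import in the same --pin env:UPIN form; application.sh call …
```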
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# This script will take six parameters as input
+tpm_handle=$1
+key_id=$2
+key_label=$3
+upin=$4
+sopin=$5
+SoftHSMv2SlotID=$6
+outprivfile=$7
+outpubfile=$8
+
+# export Pluginlibrary's location
+pluginlibrary="/usr/local/lib/libtpm2-plugin.so"
+
+SSHSM_HW_PLUGINS_PARENT_DIR="/tmp/hwparent"
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}
+echo "The newly assigned plugin directory is ${SSHSM_HW_PLUGINS_PARENT_DIR}"
+
+# Configuration generation for SoftHSM
+# 1.a Create the directory as expected by the SoftHSM to read the files
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate
+mkdir -p ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01
+
+# 1.b Copy the Plugin library and create the required Configuration
+cp ${pluginlibrary} ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/plugin.so
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+echo "$tpm_handle" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/activate/Afile1.id1
+
+# 1.c Generate the pkcs11.cfg file required for the SoftHSM operations
+touch ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+chmod 755 ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_id:${key_id}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "key_label:${key_label}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "upin:${upin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "sopin:${sopin}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+echo "slot:${SoftHSMv2SlotID}" >> ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg
+
+# 1.d Copy the output of Import utility into the directory where SoftHSMv2 expects
+cp $outprivfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.priv
+cp $outpubfile ${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/Kfile1.pub
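Review bot: `chmod 755` on `${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg` makes a file that then receives `upin:${upin}` and `sopin:${sopin}` world-readable, and its parent `/tmp/hwparent` is a fixed, predictable path under /tmp, so in a container where any other process runs that process can read both PINs or pre-create the directory (and a `plugin.so` in it) before this script does. I'd change the line to `chmod 600 "${SSHSM_HW_PLUGINS_PARENT_DIR}/S01tpm/key01/pkcs11.cfg"` (it is a data file, not an executable), set `umask 077` before the `mkdir -p` calls, and write the first `echo` of each file with `>` rather than `>>` so a re-run does not leave duplicate `key_id:`/`upin:` entries. Whether the tpm2 plugin genuinely needs both PINs in this file cannot be judged from the diff, but if the SO PIN is not consumed, dropping the `sopin:` line reduces what is exposed. The header comment also says six parameters while the script reads `$1`..`$8`; `# This script takes eight parameters as input` would match the body.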
diff --git a/bin/base/xenialdockerfile b/bin/base/xenialdockerfile
index f28ed0f..b786541 100644
--- a/bin/base/xenialdockerfile
+++ b/bin/base/xenialdockerfile
@@ -96,7 +96,13 @@ RUN mkdir tpm-util
 RUN cd tpm-util && \
 mkdir bin
 RUN cp /sshsm/tpm-util/import/ossl_tpm_import /tpm-util/bin/
+
 RUN rm -rf tpm2-tss
 RUN rm -rf tpm2-abrmd
 RUN rm -rf tpm2-tools
 RUN rm -rf sshsm
+
+RUN mkdir -p /sshsm/bin
+COPY ./import.sh /sshsm/bin
+COPY ./softhsmconfig.sh /sshsm/bin
+COPY ./application.sh /sshsm/bin
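Review bot: The three `COPY` instructions each add an image layer for one small script; `COPY ./import.sh ./softhsmconfig.sh ./application.sh /sshsm/bin/` does the same in one, and because the files are committed with mode 100755 the executable bit survives the copy, which makes the runtime `chmod 755 /sshsm/bin/softhsmconfig.sh` and `chmod 755 /sshsm/bin/application.sh` in import.sh redundant. The preceding context line `RUN rm -rf sshsm` is relative to the WORKDIR, which is outside this hunk, so whether it deletes the same `/sshsm` tree that `RUN mkdir -p /sshsm/bin` then recreates (and thus whether the build order is intentional) is worth confirming.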