pkcs11 key/cert import for CA use

author Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>

Tue, 3 Apr 2018 23:29:45 +0000 (16:29 -0700)

committer Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>

Tue, 3 Apr 2018 23:34:03 +0000 (16:34 -0700)
author Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
Tue, 3 Apr 2018 23:29:45 +0000 (16:29 -0700)
committer Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
Tue, 3 Apr 2018 23:34:03 +0000 (16:34 -0700)
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java

index 70f6794..cd8886d 100644 (file)
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -126,19 +126,21 @@ public class LocalCA extends CA {
                                 try {
                                         Provider p;
                                         KeyStore keyStore;
+                                       FileInputStream fis = null;
                                         if(fileName.endsWith(".pkcs11")) {
                                                 String ksType;
                                                 p = Factory.getSecurityProvider(ksType="PKCS11",params);
                                                 keyStore = KeyStore.getInstance(ksType,p);
                                         } else if(fileName.endsWith(".jks")) {
                                                 keyStore = KeyStore.getInstance("JKS");
+                                               fis = new FileInputStream(f);
                                         } else if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) {
                                                 keyStore = KeyStore.getInstance("PKCS12");
+                                               fis = new FileInputStream(f);
                                         } else {
                                                 throw new CertException("Unknown Keystore type from filename " + fileName);
                                         }
                                         
-                                       FileInputStream fis = new FileInputStream(f);
                                         KeyStore.ProtectionParameter keyPass;
  
                                         try {
@@ -152,9 +154,15 @@ public class LocalCA extends CA {
  
                                                 keyStore.load(fis,ksPass);
                                         } finally {
-                                               fis.close();
+                                               if (fis != null)
+                                                       fis.close();
+                                       }
+                                       Entry entry;
+                                       if(fileName.endsWith(".pkcs11")) {
+                                               entry = keyStore.getEntry(params[0][1]/*alias*/, null);
+                                       } else {
+                                               entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass);
                                         }
-                                       Entry entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass);
                                         if(entry==null) {
                                                 throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\'');
                                         }
diff --git a/conf/CA/cfg.pkcs11 b/conf/CA/cfg.pkcs11

new file mode 100644 (file)

index 0000000..0c12c6b
--- /dev/null
+++ b/conf/CA/cfg.pkcs11
@@ -0,0 +1,3 @@
+name = shsm
+library = /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so 
+slot = 0
diff --git a/conf/CA/p11.sh b/conf/CA/p11.sh

new file mode 100755 (executable)

index 0000000..fdc0a3f
--- /dev/null
+++ b/conf/CA/p11.sh
@@ -0,0 +1,39 @@
+#
+# Import the keys and certs to pkcs11 based softhsm  
+#
+
+if [ "$#" -ne 3 ]; then
+  echo "Usage: p11.sh <user pin> <so pin> <id>"
+  exit 1
+fi
+
+LIB_PATH=/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
+
+mkdir -p p11key p11crt cacerts
+# Conver the keys and certs to DER format
+# key to der
+openssl rsa -in private/ca.key -outform DER -out p11key/cakey.der
+# cert to der 
+cp certs/ca.crt cacerts
+DLIST=`ls -d intermediate_*`
+for DIR in $DLIST; do
+  cp $DIR/certs/ca.crt cacerts/$DIR.crt
+done
+for CA in `ls cacerts`; do
+  openssl x509 -in cacerts/$CA -outform DER -out p11crt/$CA
+done
+
+# create token directory
+mkdir /var/lib/softhsm/tokens
+# create slot 
+softhsm2-util --init-token --slot 0 --label "ca token" --pin $1 --so-pin $2
+# import key into softhsm
+pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11key/cakey.der --type privkey --id $3
+# import certs into softhsm
+for CRT in `ls cacerts`; do
+  pkcs11-tool --module $LIB_PATH -l --pin $1 --write-object p11crt/$CRT --type cert --id $3
+done
+
+rm -r p11key
+rm -r p11crt
+rm -r cacerts
author	Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
	Tue, 3 Apr 2018 23:29:45 +0000 (16:29 -0700)
committer	Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
	Tue, 3 Apr 2018 23:34:03 +0000 (16:34 -0700)
auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java		patch \| blob \| history
conf/CA/cfg.pkcs11	[new file with mode: 0644]	patch \| blob
conf/CA/p11.sh	[new file with mode: 0755]	patch \| blob