Using the given passphrase, encrypt the private key and copy out.
Use the public key from the mount for generating out files.
Change-Id: I5de42ad4c8a781201ed559b04b1457fe9e661e42
Issue-ID: AAF-376
Signed-off-by: Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
RUN mkdir /createca
COPY ./create_ca.sh /createca/
RUN mkdir /dup
-RUN mkdir /dup/database
-RUN mkdir /dup/database/host_sample
RUN mkdir /dup/bin
RUN cp sshsm/tpm-util/duplicate/ossl_tpm_duplicate /dup/bin
-RUN cp sshsm/test/integration/samplecaservicecontainer/inittoolfiles/out_parent_public /dup/database/host_sample
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT [ "/entrypoint.sh" ]
+++ /dev/null
-Create folder under /tmp/volume/host_sample on host. This will be mounted into the container as shared volume for now.
-
-Build the container using
-
- docker build --no-cache -t dist-center .
-
-Run it mounting the volume
-
- docker run -v /tmp/volume:/volume dist-center
-
-This will output the following files in /tmp/volume/host_sample
-
- ca.cert
- dupEncKey
- dupPriv
- dupPub
- dupSymseed
--- /dev/null
+Create folder under /tmp/volume/host_<host name> for each host (example
+host_sample where sample is the name of the tpm capable host).
+This folder will be mounted into the container as shared volume for now.
+
+Expects the input SRK pulic key "out_parent_public" for each host under
+the corresponding host directory and file "passphrase" under /tmp/volume/
+containing the passphrase to encrypt the key.
+
+example
+
+ /tmp/volume/host_sample/out_parent_public
+ /tmp/volume/passphrase
+
+Build the container using
+
+ docker build --no-cache -t dist-center .
+
+Run it mounting the volume
+
+ docker run -v /tmp/volume:/volume dist-center
+
+This will output the following files in /tmp/volume/host_<host name>
+
+ ca.cert
+ dupEncKey
+ dupPriv
+ dupPub
+ dupSymseed
+
+Encrypted private key and certificate under /tmp/volume
+
+ ca.cert
+ privkey.pem.gpg
set -e
cd /createca
/createca/create_ca.sh
+cd /createca/ca
+cat /volume/passphrase | gpg --no-tty --symmetric -z 9 --require-secmem \
+ --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+ --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+ --passphrase-fd 0 privkey.pem
+cp /createca/ca/privkey.pem.gpg /volume
+cp /createca/ca/ca.cert /volume
+
cd /volume
DLIST=`ls -d host_*`
for DIR in $DLIST; do
echo $DIR
cp /createca/ca/ca.cert /volume/$DIR
cd /volume/$DIR
- /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub /dup/database/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
+ /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem -parentPub \
+ /volume/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
+ dupSymseed -dupEncKey dupEncKey
done