Changes to encrypt and copy out private key 19/57919/5
authorManjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
Fri, 27 Jul 2018 22:10:11 +0000 (15:10 -0700)
committerManjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
Wed, 1 Aug 2018 20:51:28 +0000 (13:51 -0700)
Using the given passphrase, encrypt the private key and copy out.
Use the public key from the mounted volume to generate the output files.

Change-Id: I5de42ad4c8a781201ed559b04b1457fe9e661e42
Issue-ID: AAF-376
Signed-off-by: Manjunath Ranganathaiah <manjunath.ranganathaiah@intel.com>
bin/distcenter/Dockerfile
bin/distcenter/README.md [deleted file]
bin/distcenter/README.txt [new file with mode: 0644]
bin/distcenter/entrypoint.sh

index f79c7ef..afa5b7d 100644 (file)
@@ -9,12 +9,9 @@ RUN cd sshsm && \
 RUN mkdir /createca
 COPY ./create_ca.sh /createca/
 RUN mkdir /dup
-RUN mkdir /dup/database
-RUN mkdir /dup/database/host_sample
 RUN mkdir /dup/bin
 
 RUN cp sshsm/tpm-util/duplicate/ossl_tpm_duplicate /dup/bin
-RUN cp sshsm/test/integration/samplecaservicecontainer/inittoolfiles/out_parent_public /dup/database/host_sample
 
 ADD entrypoint.sh /entrypoint.sh
 ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/bin/distcenter/README.md b/bin/distcenter/README.md
deleted file mode 100644 (file)
index 973cbf9..0000000
+++ /dev/null
@@ -1,17 +0,0 @@
-Create folder under /tmp/volume/host_sample on host. This will be mounted into the container as shared volume for now.
-
-Build the container using
-
-  docker build --no-cache -t dist-center .
-
-Run it mounting the volume
-
- docker run -v /tmp/volume:/volume dist-center
-
-This will output the following files in /tmp/volume/host_sample
-
-  ca.cert
-  dupEncKey
-  dupPriv
-  dupPub
-  dupSymseed
diff --git a/bin/distcenter/README.txt b/bin/distcenter/README.txt
new file mode 100644 (file)
index 0000000..fe39395
--- /dev/null
@@ -0,0 +1,33 @@
+Create folder under /tmp/volume/host_<host name> for each host (example
+host_sample where sample is the name of the tpm capable host).
+This folder will be mounted into the container as shared volume for now.
+
+Expects the input SRK pulic key "out_parent_public" for each host under
+the corresponding host directory and file "passphrase" under /tmp/volume/
+containing the passphrase to encrypt the key.
+
+example
+
+  /tmp/volume/host_sample/out_parent_public
+  /tmp/volume/passphrase
+
+Build the container using
+
+  docker build --no-cache -t dist-center .
+
+Run it mounting the volume
+
+ docker run -v /tmp/volume:/volume dist-center
+
+This will output the following files in /tmp/volume/host_<host name>
+
+  ca.cert
+  dupEncKey
+  dupPriv
+  dupPub
+  dupSymseed
+
+Encrypted private key and certificate under /tmp/volume
+
+  ca.cert
+  privkey.pem.gpg
index 85cdf52..641c529 100755 (executable)
@@ -2,11 +2,21 @@
 set -e
 cd /createca
 /createca/create_ca.sh
+cd /createca/ca
+cat /volume/passphrase | gpg --no-tty --symmetric -z 9 --require-secmem \
+  --cipher-algo AES256 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 \
+  --s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 \
+  --passphrase-fd 0 privkey.pem
+cp /createca/ca/privkey.pem.gpg /volume
+cp /createca/ca/ca.cert /volume
+
 cd /volume
 DLIST=`ls -d host_*`
 for DIR in $DLIST; do
   echo $DIR
   cp /createca/ca/ca.cert /volume/$DIR
   cd /volume/$DIR
-  /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem  -parentPub /dup/database/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed dupSymseed -dupEncKey dupEncKey
+  /dup/bin/ossl_tpm_duplicate -pemfile /createca/ca/privkey.pem  -parentPub \
+  /volume/$DIR/out_parent_public -dupPub dupPub -dupPriv dupPriv -dupSymSeed \
+  dupSymseed -dupEncKey dupEncKey
 done
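Review bot: The gpg invocation at the top of the hunk passes the passphrase with `--passphrase-fd 0` but without `--batch`; GnuPG 2.x documents that `--passphrase-fd`/`--passphrase-file` are only honoured together with `--batch`, so depending on the gpg version in the image the command may fall back to pinentry and fail under `--no-tty` (on 2.1+ `--pinentry-mode loopback` may additionally be needed — worth confirming against the base image). The `cat /volume/passphrase |` pipeline also hides a missing or unreadable passphrase file, because the `set -e` on the first hunk line does not see a failing left-hand stage without `pipefail`, and gpg would then read an empty stdin and either fail with an unclear error or proceed with an empty passphrase. I would guard the input explicitly and drop the pipe: `[ -s /volume/passphrase ] || { echo 'missing /volume/passphrase' >&2; exit 1; }` before the command, then `gpg --batch --no-tty --symmetric -z 9 --require-secmem \` as the first line and `--s2k-mode 3 --s2k-count 65000000 --compress-algo BZIP2 --passphrase-file /volume/passphrase privkey.pem` as the last. Note also that the README in this commit places `passphrase` and the resulting `privkey.pem.gpg` in the same `/tmp/volume` directory, so the encrypted key is only as protected as that directory's permissions; a comment in the script such as `# passphrase and privkey.pem.gpg share /volume — operator must remove or restrict the passphrase file after the run` would make that explicit.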