setup_tls.sh: Generate Client CSR through parsec-tool

tgonzalezorlandoarm · gowthamsk-arm · commit bdfcfacc5a46 · 2024-05-15T11:43:12.000+01:00
Signed-off-by: Tomás González &lt;tomasagustin.gonzalezorlando@arm.com&gt;
diff --git a/tests/docker_image/parsec-openssl-provider-test.Dockerfile b/tests/docker_image/parsec-openssl-provider-test.Dockerfile
@@ -29,12 +29,14 @@ ENV PATH="/root/.cargo/bin:/opt/rust/bin:${PATH}"
 # For running tests Parsec is configured with the socket in /tmp/
 ENV PARSEC_SERVICE_ENDPOINT="unix:/tmp/parsec.sock"
 
-RUN git clone https://github.com/parallaxsecond/parsec.git --branch 1.3.0 \
+RUN git clone https://github.com/parallaxsecond/parsec.git --branch main \
     && cd parsec \
     && cargo build --features "mbed-crypto-provider,direct-authenticator"
 
 #TODO: This change is temporary and will be removed after a new parsec-tool version is released
 RUN git clone https://github.com/parallaxsecond/parsec-tool.git --branch main \
     && cd parsec-tool \
+    && cargo install patch-crate \
+    && cargo patch-crate \
     && cargo build \
     && cp target/debug/parsec-tool /opt/rust/bin/parsec-tool
diff --git a/tests/setup_tls.sh b/tests/setup_tls.sh
@@ -8,7 +8,7 @@
 
 
 # Generate the CA key and self signed certificate
-# inputs: 
+# inputs:
 #   certificate directory
 generate_ca_certs() {
     CA_DIRECTORY=$1
@@ -36,7 +36,7 @@ generate_ca_certs() {
 }
 
 # Generate the server key and certificate signed by CA
-# inputs: 
+# inputs:
 #   server directory
 #   certificate directory
 generate_server_certs() {
@@ -85,8 +85,7 @@ generate_server_certs() {
     fi
 }
 
-# ToDo: This function needs to be updated to use the parsec-tool 
-# for key, CSR generation for hardware backed keys. 
+# Use the openssl for key, CSR generation for sofware backed keys.
 # Generate the client key and certificate signed by CA
 # inputs: 
 #   client directory
@@ -107,7 +106,56 @@ generate_client_certs() {
 
         # Generate private key
         openssl genrsa -out "${CLIENT_PRIV_KEY}" 2048 > /dev/null 2>&1
+        if [ $? -ne 0 ]; then
+            echo "FAILED TO GENERATE KEY"
+            exit 1
+        fi
+
+        # Generate certificate request via OpenSSL
+        openssl req -new \
+            -key "${CLIENT_PRIV_KEY}" \
+            -out "${CLIENT_CSR}" \
+            -subj "/C=UK/ST=Parsec /L=Parsec/O=Parsec/CN=parsec_client.com" > /dev/null 2>&1
         if [ $? -ne 0 ]; then 
+            echo "FAILED TO GENERATE CERTIFICATE REQUEST"
+            exit 1
+        fi
+
+         # Generate certificate
+         openssl x509 -req -days 1000 -in "${CLIENT_CSR}" \
+             -CA "${CA_CERTIFICATE}" -CAkey "${CA_PRIV_KEY}" \
+            -CAcreateserial -out "${CLIENT_CERTIFICATE}" > /dev/null 2>&1
+
+        echo "SUCCESS"
+    else
+        echo "SKIPPED"
+    fi
+}
+
+# use the parsec-tool for key, CSR generation for hardware backed keys.
+# Generate the client key and certificate signed by CA
+# inputs:
+#   client directory
+#   certificate directory
+#   certificate request name (without extension)
+#   name of parsec key
+generate_client_certs_parsec() {
+    CLIENT_DIRECTORY=$1
+    CLIENT_CERTIFICATE=${CLIENT_DIRECTORY}/$3.pem
+    CLIENT_CSR=${CLIENT_DIRECTORY}/$3.csr
+    CLIENT_PRIV_KEY=${CLIENT_DIRECTORY}/client_priv_key.pem
+
+    CA_DIRECTORY=$2
+    CA_CERTIFICATE=${CA_DIRECTORY}/ca_cert.pem
+    CA_PRIV_KEY=${CA_DIRECTORY}/ca_priv_key.pem
+
+    if [ ! -f "${CLIENT_CSR}" ]; then
+        mkdir -p "${CLIENT_DIRECTORY}" > /dev/null 2>&1
+        chmod 700 "${CLIENT_DIRECTORY}"
+
+        # Generate private key
+        openssl genrsa -out "${CLIENT_PRIV_KEY}" 2048 > /dev/null 2>&1
+        if [ $? -ne 0 ]; then
             echo "FAILED TO GENERATE KEY"
             exit 1
         fi
@@ -122,10 +170,13 @@ generate_client_certs() {
             exit 1
         fi
 
+        # Generate certificate request via Parsec
+        parsec-tool create-csr --cn parsec_client.com --l Parsec --c UK --st Parsec --o Parsec --key-name $4 > ${CLIENT_CSR}
+
         # Generate certificate
         openssl x509 -req -days 1000 -in "${CLIENT_CSR}" \
             -CA "${CA_CERTIFICATE}" -CAkey "${CA_PRIV_KEY}" \
-            -CAcreateserial -out "${CLIENT_CERTIFICATE}" > /dev/null 2>&1
+            -CAcreateserial -out "${CLIENT_CERTIFICATE}"
         if [ $? -ne 0 ]; then 
             echo "FAILED"
             exit 1
@@ -143,7 +194,11 @@ generate_ca_certs ./tls/ca
 echo -n "Generating server private key and certificate: "
 generate_server_certs ./tls/server ./tls/ca
 
-echo -n "Generating client private key and certificate: "
+echo -n "Generating client certificate: "
+generate_client_certs_parsec ./tls/client ./tls/ca parsec_rsa PARSEC_TEST_RSA_KEY
+generate_client_certs_parsec ./tls/client ./tls/ca parsec_ecdsa PARSEC_TEST_ECDSA_KEY
+
+echo -n "Generating openssl client private key and certificate: "
 generate_client_certs ./tls/client ./tls/ca
 
 echo -n "Generating fake certificate authority private key and certificate: "
