#!/usr/bin/env bash
################################################################################
#
# Entrypoint logic for Hyperledger Fabric based docker images
# intended to be used for testing pkcs11 with gbolo/fabric-* docker images
#
# FEATURES:
# - No pre-made crypto-config required! (Production-like)
# - Ability to Enroll itself Against a Fabric-CA server
# - Fully working pkcs11 implementation with test case before starting daemon
# - Ability to copy in TLSCA certs and Admin certs from ENV vars
# - Ability to run extended entrypoint script specified in ENV var
#
# ENV VARS REQUIRED TO RUN THIS ENTRYPOINT:
# FABRIC_CA_CLIENT_BCCSP_* - bccsp configuration for fabric client to enroll
# FABRIC_CA_CLIENT_URL - url to the fabric-ca-server with basic-auth userinfo (enrollment ID and secret); this is a credential, never echo it into logs
# MSP_ADMIN_DIR - path to directory containing admin certs
# DAEMON_TYPE - type of daemon running: peer, orderer, ca
#
# ENV VARS THAT ARE OPTIONAL:
# MSP_TLSCACERTS_DIR - path to directory containing tls ca certs
# ENTRYPOINT_EXTENDED - path to script we should run for extra setup
#
################################################################################
#
# FUNCTIONS
#
#######################################
# Print a banner framed by '=' rules so a step stands out in the logs.
# Arguments: $1 - message text
# Outputs:   blank line, rule, " > message", rule, blank line on stdout
#######################################
BROADCAST_MSG() {
  local banner_text="$1"
  local rule="======================================================================="
  printf '\n%s\n > %s\n%s\n\n' "${rule}" "${banner_text}" "${rule}"
}
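#######################################
# Abort the entrypoint when a preceding command failed.
# Arguments: $1 - exit status to check; a missing/empty status is treated as a
#                 failure rather than silently passing (the unquoted original
#                 produced a `[` syntax error and continued)
#            $2 - error message (default "ERROR")
# Outputs:   error line and banner on stdout
# Exits:     1 when the status is non-zero
#######################################
VERIFY_RESULT() {
  local status="${1:-1}"
  local message="${2:-ERROR}"
  if [ "${status}" -ne 0 ]; then
    echo "!!!!! ${message} !!!!!"
    BROADCAST_MSG "EXITING DUE TO ERROR..."
    echo
    exit 1
  fi
}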
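#######################################
# Smoke-test the configured PKCS#11 module before the daemon starts:
# generate a throw-away prime256v1 keypair, sign a scratch file with it, then
# remove the keypair from the token.
# Globals:  FABRIC_CA_CLIENT_BCCSP_PKCS11_{LIBRARY,PIN,LABEL} (read), falling
#           back to the FABRIC_CA_SERVER_BCCSP_PKCS11_* equivalents
# Outputs:  progress and pkcs11-tool output on stdout
# Exits:    1 via VERIFY_RESULT when keygen or signing fails
#######################################
TEST_PKCS11() {
  BROADCAST_MSG "TESTING PKCS11 LIBRARY"
  local test_label="EC-TEST"
  local test_id="0077"
  # support both client and server variable names
  local module="${FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY:-$FABRIC_CA_SERVER_BCCSP_PKCS11_LIBRARY}"
  local pin="${FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN:-$FABRIC_CA_SERVER_BCCSP_PKCS11_PIN}"
  local token="${FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL:-$FABRIC_CA_SERVER_BCCSP_PKCS11_LABEL}"
  # NOTE(review): the PIN travels on argv and is readable from /proc/*/cmdline
  # by any process in the container while pkcs11-tool runs. Newer OpenSC
  # builds accept `--pin env:VARNAME`; switch to that once the image's
  # pkcs11-tool version is confirmed to support it.
  local -a common=(--module "${module}" --pin "${pin}" --token-label "${token}" --login)
  local -a object=(--label "${test_label}" --id "${test_id}")

  # Create a throw-away ECDSA keypair on the token.
  pkcs11-tool "${common[@]}" "${object[@]}" --keypairgen --key-type EC:prime256v1
  VERIFY_RESULT $? "Failed to create EC keypair"

  # Sign a scratch file with the test key. A private mktemp directory replaces
  # the fixed /tmp name so nothing else in the container can pre-create or
  # swap the input/output files.
  echo
  echo "Test signing a file with test key"
  local scratch
  scratch=$(mktemp -d) || VERIFY_RESULT 1 "Failed to create scratch directory"
  echo "TESTING" > "${scratch}/testcrypto.txt"
  pkcs11-tool "${common[@]}" "${object[@]}" --sign -m ECDSA \
    --input-file "${scratch}/testcrypto.txt" \
    --output-file "${scratch}/testcrypto.txt.sig" \
    --verbose
  local sign_rc=$?
  rm -rf -- "${scratch:?}"
  # TODO: test signature verification, encrypt, decrypt

  # Always delete the test keypair, even when signing failed, so a broken run
  # does not leave stray EC-TEST objects behind on the token. Deletion is
  # best-effort; the signing status is what decides pass/fail.
  echo
  echo "Deleting test keypair..."
  pkcs11-tool "${common[@]}" "${object[@]}" --delete-object --type privkey
  pkcs11-tool "${common[@]}" "${object[@]}" --delete-object --type pubkey
  VERIFY_RESULT "${sign_rc}" "Failed to create signature"
}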
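#######################################
# Count private-key objects on the PKCS#11 token whose listing contains the
# label this script expects for Fabric keys ("BCPRV1"), to decide whether an
# enrollment has already happened.
# Globals:  FABRIC_CA_CLIENT_BCCSP_PKCS11_{LIBRARY,PIN,LABEL} (read)
# Outputs:  the object listing on stdout when keys are found
# Returns:  0 when no Fabric key exists, otherwise the number of keys found
# Exits:    1 via VERIFY_RESULT when the token cannot be listed. The original
#           tested `$?` after `local x=$(...)`, which is always 0, and fell
#           through returning 0 on a listing failure -- i.e. "cannot read the
#           token" was reported as "no keys", the answer that triggers a fresh
#           enrollment on top of whatever identity is already there.
#######################################
CHECK_FOR_EXISTING_PKCS11_FABRIC_KEY() {
  BROADCAST_MSG "CHECKING FOR EXISTING PKCS11 FABRIC KEY(S)"
  local fabric_privkey_label="BCPRV1"
  local objects
  # Keep the assignment separate from `local` so $? is pkcs11-tool's status.
  objects=$(pkcs11-tool --module "${FABRIC_CA_CLIENT_BCCSP_PKCS11_LIBRARY}" \
    --pin "${FABRIC_CA_CLIENT_BCCSP_PKCS11_PIN}" \
    --token-label "${FABRIC_CA_CLIENT_BCCSP_PKCS11_LABEL}" \
    --login --list-objects --type privkey)
  VERIFY_RESULT $? "Unable to list private key objects on the PKCS11 token"
  local key_count
  key_count=$(grep -c -- "${fabric_privkey_label}" <<<"${objects}")
  if [ "${key_count}" -gt 0 ]; then
    echo "Found ${key_count} existing Fabric key(s):"
    echo "${objects}"
    return "${key_count}"
  fi
  echo "No existing fabric keys found."
  return 0
}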
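#######################################
# Look for a locally stored Fabric private key (<msp>/keystore/*_sk).
# Globals:  reads the MSP path via GET_MSP_PATH
# Outputs:  a listing of the matching key file(s) on stdout when found
# Returns:  1 when at least one key file exists, 0 otherwise
#######################################
CHECK_FOR_EXISTING_FABRIC_KEY() {
  BROADCAST_MSG "CHECKING FOR EXISTING FABRIC LOCAL KEY"
  local msp_path
  msp_path=$(GET_MSP_PATH)
  # Expand the glob directly instead of parsing `ls`; the -e test discards the
  # literal pattern bash leaves behind when nothing matches (nullglob is off).
  local -a key_files=()
  local candidate
  for candidate in "${msp_path}"/keystore/*_sk; do
    [ -e "${candidate}" ] && key_files+=("${candidate}")
  done
  if [ "${#key_files[@]}" -gt 0 ]; then
    echo "Found existing Fabric key:"
    ls -al -- "${key_files[@]}"
    return 1
  fi
  echo "No existing fabric keys found."
  return 0
}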
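#######################################
# Look for a locally stored Fabric enrollment certificate (<msp>/signcerts/*.pem).
# Globals:  reads the MSP path via GET_MSP_PATH
# Outputs:  a listing of the matching certificate file(s) on stdout when found
# Returns:  1 when at least one certificate exists, 0 otherwise
#######################################
CHECK_FOR_EXISTING_FABRIC_ECERT() {
  BROADCAST_MSG "CHECKING FOR EXISTING FABRIC ENROLLMENT CERT"
  local msp_path
  msp_path=$(GET_MSP_PATH)
  # Expand the glob directly instead of parsing `ls`; the -e test discards the
  # literal pattern bash leaves behind when nothing matches (nullglob is off).
  local -a cert_files=()
  local candidate
  for candidate in "${msp_path}"/signcerts/*.pem; do
    [ -e "${candidate}" ] && cert_files+=("${candidate}")
  done
  if [ "${#cert_files[@]}" -gt 0 ]; then
    echo "Found existing Fabric Enrollment Certificate:"
    ls -al -- "${cert_files[@]}"
    return 1
  fi
  echo "No existing fabric enrollment certificate found."
  return 0
}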
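#######################################
# Enroll this container's identity against the Fabric CA server.
# Globals:  FABRIC_CA_CLIENT_URL (read) - scheme://enrollmentID:secret@host:port
# Outputs:  fabric-ca-client output on stdout
# Exits:    1 when the URL is unset or enrollment fails
#######################################
ENROLL_CLIENT() {
  BROADCAST_MSG "ENROLLING CLIENT..."
  if [ -z "${FABRIC_CA_CLIENT_URL:-}" ]; then
    echo "Enrollment Error!"
    echo "ENV FABRIC_CA_CLIENT_URL IS NOT SET"
    exit 1
  fi
  # The URL carries the enrollment secret as basic-auth userinfo. The original
  # error message printed it verbatim, which puts the secret into container
  # logs (and wherever those are shipped). Log a redacted form instead: strip
  # everything between "://" and the last "@".
  local display_url="${FABRIC_CA_CLIENT_URL}"
  if [[ "${display_url}" == *://*@* ]]; then
    display_url="${display_url%%://*}://***@${display_url##*://*@}"
  fi
  /usr/local/bin/fabric-ca-client enroll --url "${FABRIC_CA_CLIENT_URL}"
  VERIFY_RESULT $? "Error enrolling client against ${display_url}"
}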
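#######################################
# Resolve the local MSP directory for the running daemon type.
# Globals:  DAEMON_TYPE (read) - "peer", "orderer" or anything else (e.g. "ca")
#           FABRIC_CA_CLIENT_MSPDIR (read) - optional override of the default
# Outputs:  the MSP path on stdout for peers and orderers; the literal
#           "NOTNEEDED" for every other daemon type (callers test for it)
# Returns:  0
#######################################
GET_MSP_PATH() {
  local msp_default="/etc/hyperledger/fabric/msp"
  local msp_path
  # TODO: extend the logic here at some point...
  # DAEMON_TYPE is quoted/defaulted: the original `[ ${DAEMON_TYPE} == ... ]`
  # emitted "unary operator expected" errors whenever it was unset.
  case "${DAEMON_TYPE:-}" in
    peer|orderer)
      msp_path="${FABRIC_CA_CLIENT_MSPDIR:-$msp_default}"
      ;;
    *)
      msp_path="NOTNEEDED"
      ;;
  esac
  echo "${msp_path}"
}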
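#######################################
# Copy the organisation's admin certificates into <msp>/admincerts.
# Globals:  MSP_ADMIN_DIR (read) - directory holding *.pem admin certs
#           reads the MSP path via GET_MSP_PATH
# Outputs:  progress on stdout
# Exits:    1 when MSP_ADMIN_DIR is unset, the target dir cannot be created,
#           or no certificate was copied (the original ignored cp's status, so
#           an empty MSP_ADMIN_DIR let the daemon start with an incomplete MSP)
#######################################
COPY_ADMIN_CERTS() {
  BROADCAST_MSG "COPYING ADMIN CERTS TO MSP"
  if [ -z "${MSP_ADMIN_DIR:-}" ]; then
    echo "MSP Error!"
    echo "ENV MSP_ADMIN_DIR IS NOT SET"
    exit 1
  fi
  local msp_path
  msp_path=$(GET_MSP_PATH)
  if [ "${msp_path}" = "NOTNEEDED" ]; then
    echo "Skipping... only needed for peers and orderers"
    return 0
  fi
  echo "copy from ${MSP_ADMIN_DIR}/*.pem to ${msp_path}/admincerts/"
  mkdir -p -- "${msp_path}/admincerts"
  VERIFY_RESULT $? "Unable to create ${msp_path}/admincerts"
  # Only the directory part is quoted; the *.pem glob must expand.
  cp -rp -- "${MSP_ADMIN_DIR}"/*.pem "${msp_path}/admincerts/"
  VERIFY_RESULT $? "No admin certs copied from ${MSP_ADMIN_DIR}"
}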
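#######################################
# Copy the TLS CA certificates into <msp>/tlscacerts.
# Globals:  MSP_TLSCACERTS_DIR (read) - optional directory holding *.pem TLS CA
#           certs (see the header); reads the MSP path via GET_MSP_PATH
# Outputs:  progress on stdout
# Returns:  0 when MSP_TLSCACERTS_DIR is unset or the daemon has no MSP
# Exits:    1 when the target dir cannot be created or nothing was copied
#######################################
COPY_TLSCA_CERTS() {
  BROADCAST_MSG "COPYING TLSCA CERTS TO MSP"
  # The original tested MSP_ADMIN_DIR here (copy/paste) and then copied from
  # an unset MSP_TLSCACERTS_DIR, i.e. from "/*.pem", ignoring cp's failure.
  # MSP_TLSCACERTS_DIR is documented as optional, so unset means skip.
  if [ -z "${MSP_TLSCACERTS_DIR:-}" ]; then
    echo "Skipping... ENV MSP_TLSCACERTS_DIR IS NOT SET"
    return 0
  fi
  local msp_path
  msp_path=$(GET_MSP_PATH)
  if [ "${msp_path}" = "NOTNEEDED" ]; then
    echo "Skipping... only needed for peers and orderers"
    return 0
  fi
  echo "copy from ${MSP_TLSCACERTS_DIR}/*.pem to ${msp_path}/tlscacerts/"
  mkdir -p -- "${msp_path}/tlscacerts"
  VERIFY_RESULT $? "Unable to create ${msp_path}/tlscacerts"
  # Only the directory part is quoted; the *.pem glob must expand. A set but
  # empty/wrong directory is a misconfiguration, so a failed copy aborts.
  cp -rp -- "${MSP_TLSCACERTS_DIR}"/*.pem "${msp_path}/tlscacerts/"
  VERIFY_RESULT $? "No TLS CA certs copied from ${MSP_TLSCACERTS_DIR}"
}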
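#######################################
# Source an optional extension script for extra container setup.
# Globals:  ENTRYPOINT_EXTENDED (read) - path to the script; defaults to
#           /usr/local/bin/entrypoint-extended.sh when unset
# Outputs:  banner on stdout; whatever the sourced script prints
# Returns:  0 when no script exists; otherwise the status of the last command
#           the sourced script ran
#######################################
EXECUTE_ADDITIONAL_SCRIPT() {
  local default_extended_script=/usr/local/bin/entrypoint-extended.sh
  # Resolve the default once so the existence test and the `source` agree.
  # The original tested the defaulted path but then chmod'ed/sourced the raw
  # ${ENTRYPOINT_EXTENDED}, so with the variable unset and the default present
  # it ran `source` with no argument and the extension never executed.
  local script="${ENTRYPOINT_EXTENDED:-$default_extended_script}"
  if [ -f "${script}" ]; then
    BROADCAST_MSG "Executing ${script}"
    # Security note: the file is sourced, so it runs with this entrypoint's
    # full privileges and environment (PKCS11 PIN, CA enrollment secret, ...).
    # Whoever can set ENTRYPOINT_EXTENDED or write to that path controls the
    # container; keep it image-provided or on an operator-controlled mount.
    # +x is not needed for `source`; kept so the file stays directly runnable.
    chmod +x "${script}"
    source "${script}"
  fi
}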
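#######################################
# Replace the entrypoint shell with the daemon process.
# Arguments: $@ - command and arguments to exec
# Outputs:   banner on stdout showing the full command. The original embedded
#            "$@" inside a double-quoted string, which splits into several
#            words; BROADCAST_MSG only prints its first argument, so only the
#            first word of the command was ever logged. "$*" joins them all.
# Returns:   does not return on success (exec); the shell's exec error
#            status if the command cannot be started
#######################################
START_DAEMON() {
  BROADCAST_MSG "STARTING DAEMON... $*"
  exec "$@"
}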