Merge pull request #46 from SUNET/print_certs_startup

added ./data/ca_root_certs for easy access to global common root certs

.github/workflows/ubuntu.yaml

@@ -12,7 +12,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install git python3-dev python3-pip docker-compose flit curl -y
           bash -c 'export PATH="$PATH:$HOME/.local/bin" && \
-          export CA_URL=https://ca:8005 && \
+          export CA_URL=https://ca && \
           export CA_DNS_NAME=ca && \
           export ACME_ROOT=/acme && \
           export PKCS11_SIGN_API_TOKEN=xyz && \

containers/ca/Dockerfile

@@ -2,7 +2,7 @@ FROM debian:bookworm-20231009-slim@sha256:ceffa8e71bafc0190f915774b9696a0b6cb626
 
 MAINTAINER [email protected]
 
-EXPOSE 8005/tcp
+EXPOSE 443/tcp
 
 # Metadata
 LABEL version="1.03"
@@ -86,4 +86,4 @@ HEALTHCHECK --interval=120s --timeout=15s --retries=1 --start-period=30s \
 # ENTRYPOINT ["uvicorn", "src.pkcs11_ca_service.main:app", "--ssl-keyfile", "tls_key.key", "--ssl-certfile", "tls_certificate.pem", "--ssl-version", "2", "--log-config", "./logging.json", "--host", "0.0.0.0", "--port", "8005", "--workers", "1", "--header", "server:pkcs11_ca"]
 # ENTRYPOINT ["uvicorn", "src.pkcs11_ca_service.main:app", "--log-config", "./logging.json", "--host", "0.0.0.0", "--port", "8005", "--workers", "1", "--header", "server:pkcs11_ca"]
 
-CMD sh -c '. .venv/bin/activate && uvicorn src.pkcs11_ca_service.main:app --ssl-keyfile tls_key.key --ssl-certfile tls_certificate.pem --ssl-version 2 --log-config ./logging.json --host 0.0.0.0 --port 8005 --workers 1 --header server:pkcs11_ca'
+CMD sh -c '. .venv/bin/activate && uvicorn src.pkcs11_ca_service.main:app --ssl-keyfile tls_key.key --ssl-certfile tls_certificate.pem --ssl-version 2 --log-config ./logging.json --host 0.0.0.0 --port 443 --workers 1 --header server:pkcs11_ca'

deploy.sh

@@ -12,7 +12,7 @@ then
 Try with default ENV vars below:
 
 # The URL and DNS name for the PKCS11 CA
-export CA_URL="https://ca:8005"
+export CA_URL="https://ca"
 export CA_DNS_NAME="ca"
 
 # The ACME root url endpoint
@@ -105,7 +105,6 @@ then
     exit 1
 fi
 
-
 # Check openssl
 which openssl > /dev/null
 if [ $? -ne 0 ]
@@ -122,6 +121,32 @@ then
     exit 1
 fi
 
+# Check docker
+which docker > /dev/null
+if [ $? -ne 0 ]
+then
+    echo "docker not found, for example, install with sudo apt-get install docker.io"
+    echo "sudo usermod -a -G docker $USER"
+    echo "logout and in now for docker group to work"
+    exit 1
+fi
+
+# Check docker-compose
+which docker-compose > /dev/null
+if [ $? -ne 0 ]
+then
+    echo "docker-compose not found, install with pip3 install docker-compose"
+    exit 1
+fi
+
+# Check sudo
+which sudo > /dev/null
+if [ $? -ne 0 ]
+then
+    echo "sudo not found, install with sudo apt-get install sudo"
+    exit 1
+fi
+
 # Generate trusted keys
 mkdir -p data/trusted_keys
 if [ ! -f data/trusted_keys/privkey1.key ]
@@ -175,24 +200,6 @@ if os.environ["CA_URL"] not in ["https://ca:8005", "https://ca:443", "https://ca
     chmod 644 data/tls_key*.key
 fi
 
-# Check docker
-which docker > /dev/null
-if [ $? -ne 0 ]
-then
-    echo "docker not found, install with sudo apt-get install docker.io"
-    echo "sudo usermod -a -G docker $USER"
-    echo "logout and in now for docker group to work"
-    exit 1
-fi
-
-# Check docker-compose
-which docker-compose > /dev/null
-if [ $? -ne 0 ]
-then
-    echo "docker-compose not found, install with pip3 install docker-compose"
-    exit 1
-fi
-
 # Check code
 echo "Checking code package"
 
@@ -256,12 +263,15 @@ fi
 
 echo "Using 'sudo' to set correct directory ownership"
 # Remove git create folder files
+docker-compose -f docker-compose.yml down || exit 1 # Stop service if running
 sudo rm -f data/hsm_tokens/.empty || exit 1 # if sudo is not installed ot failed
 sudo rm -f data/db_data/.empty
-sudo mkdir -p data/hsm_tokens data/db_data
-sudo chown -R $USER data/hsm_tokens data/db_data/
+sudo rm -f data/ca_root_certs/.empty
+sudo mkdir -p data/hsm_tokens data/db_data data/ca_root_certs
+sudo chown -R $USER data/hsm_tokens data/db_data data/ca_root_certs
 docker-compose build || exit 1
 sudo chown -R 1500 data/hsm_tokens
+sudo chown -R 1500 data/ca_root_certs
 sudo chown -R 999 data/db_data
 
 docker-compose -f docker-compose.yml up -d || exit 1

docker-compose.yml

@@ -7,7 +7,7 @@ services:
       context: .
       dockerfile: containers/ca/Dockerfile
     ports:
-      - "8005:8005"
+      - "443:443"
     depends_on:
       - "postgres"
     restart: always
@@ -21,6 +21,7 @@ services:
     # cpus: "1.75"
     volumes:
       - ./data/hsm_tokens:/var/lib/softhsm/tokens
+      - ./data/ca_root_certs:/etc/pkcs11_ca/ca_root_certs/
     tmpfs:
       - /dev/shm:ro,noexec,nosuid,nodev
     environment:
@@ -40,7 +41,7 @@ services:
     # build:
     # context: .
     # dockerfile: containers/postgres/Dockerfile
-    image: postgres:15.4-bookworm@sha256:2e89ed90224245851ea2b01e0b20c4b893e69141eb36e7a1cece7fb9e19f21f0
+    image: postgres:16.0-bookworm@sha256:3648b6c2ac30de803a598afbaaef47851a6ee1795d74b4a5dcc09a22513b15c9
     restart: always
     # read_only: true
     # cap_drop: [ALL]

src/pkcs11_ca_service/startup.py

@@ -9,13 +9,23 @@
 from python_x509_pkcs11.pkcs11_handle import PKCS11Session
 
 from .base import DataBaseObject, DataClassObject
+from .ca import CaInput
 from .config import (
+    ACME_SIGNER_KEY_LABEL,
+    CMC_CERT_ISSUING_KEY_LABEL,
+    CMC_ROOT_KEY_LABEL,
+    CMC_SIGNING_KEY_LABEL,
     DB_MODULE,
     DB_TABLE_MODULES,
     PKCS11_BACKEND,
     ROOT_CA_KEY_LABEL,
     ROOT_CA_KEY_TYPE,
+    TIMESTAMP_CERT_KEY_LABEL,
+    TIMESTAMP_ROOT_KEY_LABEL,
+    TIMESTAMP_SIGNING_KEY_LABEL,
 )
+from .pkcs11_key import Pkcs11KeyInput
+from .route_functions import ca_request, pkcs11_key_request
 
 
 def _load_db_data_classes() -> List[DataClassObject]:
@@ -112,6 +122,34 @@ async def _pkcs11_startup(db_obj: DataBaseObject) -> bool:
     return True
 
 
+async def write_root_certs_to_disk() -> None:
+    """Write global root cers to file for easy access"""
+
+    for cert in [
+        ACME_SIGNER_KEY_LABEL,
+        CMC_ROOT_KEY_LABEL,
+        CMC_SIGNING_KEY_LABEL,
+        CMC_CERT_ISSUING_KEY_LABEL,
+        TIMESTAMP_ROOT_KEY_LABEL,
+        TIMESTAMP_SIGNING_KEY_LABEL,
+        TIMESTAMP_CERT_KEY_LABEL,
+    ]:
+        cert_pkcs11_key = await pkcs11_key_request(Pkcs11KeyInput(key_label=cert))
+        cert_obj = await ca_request(CaInput(pkcs11_key=cert_pkcs11_key.serial))
+
+        if os.path.isfile(f"/etc/pkcs11_ca/ca_root_certs/{cert}.crt"):
+            with open(f"/etc/pkcs11_ca/ca_root_certs/{cert}.crt", encoding="utf-8") as cert_file:
+                cert_data = cert_file.read()
+            if cert_data.strip() != cert_obj.pem.strip():
+                print(f"ERROR: Cert for pkcs11 key {cert} is not the same as /etc/pkcs11_ca/ca_root_certs/{cert}.crt")
+                sys.exit(1)
+
+            continue
+
+        with open(f"/etc/pkcs11_ca/ca_root_certs/{cert}.crt", "w", encoding="utf-8") as cert_file:
+            cert_file.write(cert_obj.pem + "\n")
+
+
 async def startup() -> None:
     """Startup main function
 
@@ -133,3 +171,5 @@ async def startup() -> None:
     # Check pkcs11 with database
     if not await _pkcs11_startup(db_obj):
         sys.exit(1)
+
+    await write_root_certs_to_disk()