From 64feca4f2c6f55f5e6d6ea5edb7bbf0ad8a38bc2 Mon Sep 17 00:00:00 2001
From: Boris Glimcher
Date: Fri, 7 Jun 2024 00:33:13 +0300
Subject: [PATCH] fix(sztp): add keys and certs generation
Signed-off-by: Boris Glimcher
---
 .gitignore | 2 ++
 sztp/generate.sh | 52 +++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 49 insertions(+), 5 deletions(-)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..41e75af
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+sztp/generated-client/
+sztp/generated-server/
diff --git a/sztp/generate.sh b/sztp/generate.sh
index 2dd2408..5b5da63 100755
--- a/sztp/generate.sh
+++ b/sztp/generate.sh
@@ -2,6 +2,40 @@ set -euxo pipefail
+MYTMPDIR="$(mktemp -d)"
+trap 'rm -rf -- "$MYTMPDIR"' EXIT
+
+curl -kL https://watsen.net/support/sztpd-simulator-0.0.11.tgz | tar -zxvf - -C ${MYTMPDIR}/
+pushd ${MYTMPDIR}/sztpd-simulator/pki
+echo "DNS.2 = bootstrap" >> sztpd1/sbi/end-entity/openssl.cnf
+echo "DNS.3 = web" >> sztpd1/sbi/end-entity/openssl.cnf
+echo "DNS.4 = redirecter" >> sztpd1/sbi/end-entity/openssl.cnf
+make pki
+# SBI Port certificates
+cat sztpd1/sbi/end-entity/my_cert.pem sztpd1/sbi/intermediate2/my_cert.pem > ${MYTMPDIR}/sztpd-simulator/cert_chain.pem
+openssl crl2pkcs7 -nocrl -certfile ${MYTMPDIR}/sztpd-simulator/cert_chain.pem -outform DER -out ${MYTMPDIR}/sztpd-simulator/cert_chain.cms
+# client cert DevID trust anchors
+cat client/root-ca/my_cert.pem client/intermediate1/my_cert.pem client/intermediate2/my_cert.pem > ${MYTMPDIR}/sztpd-simulator/ta_cert_chain.pem
+openssl crl2pkcs7 -nocrl -certfile ${MYTMPDIR}/sztpd-simulator/ta_cert_chain.pem -outform DER -out ${MYTMPDIR}/sztpd-simulator/ta_cert_chain.cms
+# ???
+cat sztpd1/sbi/root-ca/my_cert.pem sztpd1/sbi/intermediate1/my_cert.pem > ${MYTMPDIR}/sztpd-simulator/opi.pem
+popd
+
+# copy locally for server
+rm -rf ./generated-server
+mkdir -p ./generated-server
+cp ${MYTMPDIR}/sztpd-simulator/pki/sztpd1/sbi/end-entity/private_key.der ./generated-server/
+cp ${MYTMPDIR}/sztpd-simulator/pki/sztpd1/sbi/end-entity/public_key.der ./generated-server/
+cp ${MYTMPDIR}/sztpd-simulator/cert_chain.cms ./generated-server/
+cp ${MYTMPDIR}/sztpd-simulator/ta_cert_chain.cms ./generated-server/
+
+# copy remotely for clients
+rm -rf ./generated-client
+mkdir -p ./generated-client
+cp ${MYTMPDIR}/sztpd-simulator/opi.pem ./generated-client/opi.pem
+cp ${MYTMPDIR}/sztpd-simulator/pki/client/end-entity/my_cert.pem ./generated-client/opi_cert.pem
+cp ${MYTMPDIR}/sztpd-simulator/pki/client/end-entity/private_key.pem ./generated-client/opi_private_key.pem
+
 declare -a names
 for vendor in nvidia intel marvell
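Review bot: The simulator tarball is fetched with `curl -kL`, which turns off TLS certificate verification, and its contents are then extracted and executed through `make pki` with no integrity check, so every key and certificate this script emits (including the private keys copied into `./generated-server/` and `./generated-client/`) is only as trustworthy as that unauthenticated download. Drop `-k`, add `--fail` so an HTTP error body is not piped into tar, and verify a pinned digest before extracting, e.g. `curl -fsSL https://watsen.net/support/sztpd-simulator-0.0.11.tgz -o "$MYTMPDIR/sim.tgz"`, `echo "<EXPECTED_SHA256>  $MYTMPDIR/sim.tgz" | sha256sum -c -`, `tar -zxf "$MYTMPDIR/sim.tgz" -C "$MYTMPDIR"` (the digest is a placeholder to be taken from a trusted source). The `${MYTMPDIR}` expansions on the `tar`, `pushd`, `cat`, `openssl` and `cp` lines are unquoted, and `mktemp -d` honours `TMPDIR`, so they should be written `"${MYTMPDIR}"`. The copied `private_key.der` and `opi_private_key.pem` get whatever mode `cp` and the current umask produce; an explicit `chmod 600` on them after the copies would make the intended protection visible. The `# ???` comment above the `opi.pem` concatenation should state what that bundle is for — from the paths it looks like the SBI-side CA chain handed to clients, but that needs confirming by the author.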
@@ -17,10 +51,10 @@ do
 done
 names+=(SBI_PRI_KEY_B64 SBI_PUB_KEY_B64 SBI_EE_CERT_B64 CLIENT_CERT_TA_B64)
-export SBI_PRI_KEY_B64=$(openssl enc -base64 -A -in private_key.der)
-export SBI_PUB_KEY_B64=$(openssl enc -base64 -A -in public_key.der)
-export SBI_EE_CERT_B64=$(openssl enc -base64 -A -in cert_chain.cms)
-export CLIENT_CERT_TA_B64=$(openssl enc -base64 -A -in ta_cert_chain.cms)
+export SBI_PRI_KEY_B64=$(openssl enc -base64 -A -in ./generated-server/private_key.der)
+export SBI_PUB_KEY_B64=$(openssl enc -base64 -A -in ./generated-server/public_key.der)
+export SBI_EE_CERT_B64=$(openssl enc -base64 -A -in ./generated-server/cert_chain.cms)
+export CLIENT_CERT_TA_B64=$(openssl enc -base64 -A -in ./generated-server/ta_cert_chain.cms)
 names+=(SZTPD_INIT_ADDR SZTPD_INIT_PORT SZTPD_NBI_PORT SZTPD_SBI_PORT)
 export SZTPD_INIT_ADDR=$(awk '/SZTPD_INIT_ADDR:/{print $2}' ../docker-compose.yml)
@@ -30,4 +64,12 @@ export SZTPD_SBI_PORT=$(awk '/SZTPD_SBI_PORT:/{print $2}' ../docker-compose.yml)
 envsubst "$(printf '${%s} ' ${names[@]})" < template.json > config.json
-diff template.json config.json
+diff template.json config.json || true
+
+echo "Now COPY client files to the remote clients:"
+echo scp ./generated-client/opi*.pem root@172.22.3.2:/mnt/
+
+ # curl --fail -H Accept:application/yang-data+json http://127.0.0.1:$SZTPD_NBI_PORT/.well-known/host-meta || exit 1
+# curl --fail -i -X GET --user my-admin@example.com:my-secret -H 'Accept:application/yang-data+json' http://bootstrap:"${SZTPD_INIT_PORT}"/restconf/ds/ietf-datastores:running
+# curl --fail -i -X PUT --user my-admin@example.com:my-secret --data @./config.json -H 'Content-Type:application/yang-data+json' http://127.0.0.1:"${SZTPD_INIT_PORT}"/restconf/ds/ietf-datastores:running
+# curl --fail -i -X GET --user my-admin@example.com:my-secret -H 'Accept:application/yang-data+json' http://bootstrap:"${SZTPD_INIT_PORT}"/restconf/ds/ietf-datastores:running
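Review bot: The four new `export NAME=$(openssl enc -base64 -A -in ./generated-server/...)` lines mask openssl's exit status, because `export` returns 0 even when the command substitution fails, so under `set -e` a missing or unreadable `./generated-server/private_key.der` leaves the variable empty and the script carries on into `envsubst`; assign first and export afterwards, e.g. `SBI_PRI_KEY_B64=$(openssl enc -base64 -A -in ./generated-server/private_key.der)` followed by `export SBI_PRI_KEY_B64`, for all four. Separately, the file runs under `set -euxo pipefail`, so the `-x` trace prints each expanded assignment — including the base64 of the SBI private key — to stderr; bracketing these four lines with `set +x` and `set -x` keeps the key material out of terminal scrollback and CI logs. The `do`/`done` loop that precedes these lines begins outside the hunk.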
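Review bot: The printed hint `echo scp ./generated-client/opi*.pem root@172.22.3.2:/mnt/` hard-codes one lab address and the root account into a script whose other addresses and ports are all read from `../docker-compose.yml`; taking the target from an environment variable with that value as the default, e.g. `: "${SZTP_CLIENT_HOST:=172.22.3.2}"` and `echo scp ./generated-client/opi*.pem "root@${SZTP_CLIENT_HOST}:/mnt/"`, keeps the hint correct outside that layout (the variable name is a suggestion). The commented-out `curl` lines embed the NBI admin credential `my-admin@example.com:my-secret` literally; if they are meant to be re-enabled later, read it from an environment variable or a `curl --config` file instead of the script text so it does not live on in git history. The `|| true` on the `diff` line is appropriate since `diff` exits 1 whenever the files differ, but a short comment saying so would stop a later reader from removing it.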