Improve the building of the docker images and document them

README.md

@@ -45,3 +45,31 @@ RUSTFLAGS="-C target-feature=-crt-static" cargo build --release
 ## Debug Options
 
 Set the `RUST_LOG` env variable to `trace`, `debug`, `info`, `warn` or `err` to change the logging level.
+
+## Docker examples
+
+For testing and development purposes there are two examples using the PKCS11 driver with Nginx and Apache.
+
+They require each a certificate built with the `container/<server>/generate.sh`.
+
+They can be built with:
+
+```bash
+# Building the images 
+docker build -t nginx-testing -f container/nginx/Dockerfile .
+docker build -t apache-testing -f container/apache/Dockerfile .
+```
+
+Assuming that a NetHSM is runnig on localhost:8443, they can then be run with :
+
+```bash
+docker run --net=host nginx-testing:latest
+docker run --net=host apache-testing:latest
+```
+
+The NetHSM is expected to have be provisionned with the following configuration:
+
+```bash
+nitropy nethsm --host localhost:8443 --no-verify-tls provision -u 0123456789 -a Administrator
+nitropy nethsm --host localhost:8443 --no-verify-tls add-user -n Operator -u operator -p opPassphrase -r Operator
+```

container/apache/Dockerfile

@@ -1,14 +1,12 @@
-FROM rust:1.72-bookworm AS builder
+FROM docker.io/rust:1.72-bookworm AS builder
 
 WORKDIR /rust
 
-ADD .git/ /tmp/repo
-
-RUN git clone -s /tmp/repo build
+ADD '.' /rust/build
 
 RUN cd build && cargo build --release
 
-FROM httpd:2.4
+FROM docker.io/httpd:2.4
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   libengine-pkcs11-openssl \

container/apache/generate.sh

@@ -4,10 +4,9 @@ set -e
 
 HOST='localhost:8443'
 ADMIN_ACCOUNT='admin'
-ADMIN_ACCOUNT_PWD='adminadmin'
+ADMIN_ACCOUNT_PWD='Administrator'
 
-OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
-NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="target/release/libnethsm_pkcs11.so"
 
 
 CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
@@ -24,7 +23,6 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
 MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
 init = 0
 "
@@ -46,7 +44,7 @@ curl --include --insecure --user $CREDENTIALS --request POST \
 
 export OPENSSL_CONF="/dev/fd/3"
 
-openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+P11NETHSM_CONFIG_FILE="p11nethsm.conf" openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
 
 curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
   "https://${HOST}/api/v1/keys/webserver/cert" \

container/apache/httpd.conf

@@ -1,6 +1,7 @@
 ServerRoot "/usr/local/apache2"
-Listen 80
-Listen 443
+# Listen 80
+# Listen 443
+Listen 8081
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule mpm_event_module modules/mod_mpm_event.so
 LoadModule authn_file_module modules/mod_authn_file.so
@@ -87,7 +88,7 @@ Include conf/extra/proxy-html.conf
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
-<VirtualHost *:443>
+<VirtualHost *:8081>
       DocumentRoot /usr/local/apache2/htdocs
       SSLEngine on
       SSLCertificateFile /certs/certificate.pem

container/apache/p11nethsm.conf

@@ -5,7 +5,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      password: "operatoroperator"
+      password: "opPassphrase"
     instances:
       - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true

container/nginx/Dockerfile

@@ -1,14 +1,12 @@
-FROM rust:1.70-buster AS builder
+FROM docker.io/rust:1.70-buster AS builder
 
 WORKDIR /rust
 
-ADD .git/ /tmp/repo
-
-RUN git clone -s /tmp/repo build
+ADD '.' /rust/build
 
 RUN cd build && cargo build --release
 
-FROM nginx:stable
+FROM docker.io/nginx:stable
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   libengine-pkcs11-openssl \

container/nginx/default.conf

@@ -1,5 +1,6 @@
 server {
-    listen       443 ssl;
+#    listen       433 ssl;
+    listen       8081 ssl;
     server_name  localhost;
 
     ssl_certificate      /certs/certificate.pem;

container/nginx/generate.sh

@@ -4,10 +4,9 @@ set -e
 
 HOST='localhost:8443'
 ADMIN_ACCOUNT='admin'
-ADMIN_ACCOUNT_PWD='adminadmin'
+ADMIN_ACCOUNT_PWD='Administrator'
 
-OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
-NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="target/release/libnethsm_pkcs11.so"
 
 
 CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
@@ -24,7 +23,6 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
 MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
 init = 0
 "
@@ -46,7 +44,7 @@ curl --include --insecure --user $CREDENTIALS --request POST \
 
 export OPENSSL_CONF="/dev/fd/3"
 
-openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+P11NETHSM_CONFIG_FILE="p11nethsm.conf" openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
 
 curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
   "https://${HOST}/api/v1/keys/webserver/cert" \

container/nginx/p11nethsm.conf

@@ -3,7 +3,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      password: "operatoroperator"
+      password: "opPassphrase"
     instances:
       - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true