Comment 10 for bug 588861

Dmitrii Zagorodnov (dmitrii) wrote :

I am attaching a tarball with a stand-alone Java program that exercises BouncyCastle in the same exact way as Walrus does for image decryption. Included with the code are a couple of the JARs it needs and three input files: an encrypted compressed image (originally a ~1-GB Ubuntu image), the manifest for the image, and a cloud private key necessary for decryption. We are unable to reproduce this bug on our setup, but perhaps someone else will be able to, either with the included image or with a different one. To use the included image:

tar zxvf TestWalrusDecryption.tgz
cd TestWalrusDecryption
javac -classpath bcprov-jdk16-145.jar:xalan-2.7.1.jar
java -classpath bcprov-jdk16-145.jar:xalan-2.7.1.jar:. TestWalrusDecryption encrypted.img manifest.xml key.pem

To use with a different image, start with a working Eucalyptus installation and obtain user credentials. Using the credentials bundle (but not necessarily upload or register) an image of your choice. In the directory where bundling took place there will be a manifest file and several encrypted parts. Cat the parts together in the right order to obtain the encrypted image. Finally, extract the cloud private key from the cloud controller as follows:

openssl pkcs12 -in ${EUCALYPTUS}/var/lib/eucalyptus/keys/euca.p12 \
-name eucalyptus -name "eucalyptus" \
-password pass:eucalyptus -passin pass:eucalyptus -passout pass:eucalyptus \
-nodes | \
grep -A30 "friendlyName: eucalyptus" | \
grep -A26 "BEGIN RSA" > ${EUCALYPTUS}/var/lib/eucalyptus/keys/cloud-pk.pem

The cloud-pk.pem file is what you pass as the third parameter.