From 7eb995d157b8fe6f3b4a1786e727bb148f76297c Mon Sep 17 00:00:00 2001
From: SanginiMiharia <500094896@stu.upes.ac.in>
Date: Fri, 16 Jun 2023 17:35:04 +0530
Subject: [PATCH] Final_Submision

---
 projects/bash_networking_security/SOLUTION    | 11 +++-
 .../bastion_connect.sh                        | 23 ++++++++
 projects/bash_networking_security/cert.pem    |  0
 .../bash_networking_security/tlsHandshake.sh  | 55 ++++++++++++++++++-
 projects/bash_networking_security/vpc.sh      |  8 +--
 5 files changed, 89 insertions(+), 8 deletions(-)
 create mode 100644 projects/bash_networking_security/cert.pem

diff --git a/projects/bash_networking_security/SOLUTION b/projects/bash_networking_security/SOLUTION
index 2edfbaf..0d42a53 100644
--- a/projects/bash_networking_security/SOLUTION
+++ b/projects/bash_networking_security/SOLUTION
@@ -1,16 +1,21 @@
 Local DNS Server IP
 -------------------
-<ip-here>
+10.0.0.2
+
 
 
 
 Default gateway IP
 -------------------
-<ip-here>
+10.0.0.1  
 
 
 
 DHCP IP allocation sys-logs
 -------------------
-<logs-here>
+Jun 15 06:54:19 ip-10-0-0-70 dhclient[359]: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3 (xid=0x24124835)
+Jun 15 06:54:19 ip-10-0-0-70 dhclient[359]: DHCPOFFER of 10.0.0.70 from 10.0.0.1
+Jun 15 06:54:19 ip-10-0-0-70 dhclient[359]: DHCPREQUEST for 10.0.0.70 on eth0 to 255.255.255.255 port 67 (xid=0x35481224)
+Jun 15 06:54:19 ip-10-0-0-70 dhclient[359]: DHCPACK of 10.0.0.70 from 10.0.0.1 (xid=0x24124835)
+
 
diff --git a/projects/bash_networking_security/bastion_connect.sh b/projects/bash_networking_security/bastion_connect.sh
index a9bf588..db0e314 100644
--- a/projects/bash_networking_security/bastion_connect.sh
+++ b/projects/bash_networking_security/bastion_connect.sh
@@ -1 +1,24 @@
 #!/bin/bash
+COMMAND=$3
+
+
+# Check if the KEY_PATH environment variable is set
+if [ -z "$KEY_PATH" ]; then
+  echo "KEY_PATH env var is expected"
+  exit 5
+fi
+
+# Check if the public instance IP is provided
+if [ -z "$1" ]; then
+  echo "Please provide bastion IP address"
+  exit 5
+fi
+
+# If both public and private instance IPs are provided, connect to the private instance via the public instance
+if [ -n "$2" ]; then
+  ssh -ti "$KEY_PATH" ubuntu@"$1" ssh -i "new_key" ubuntu@"$2" "$COMMAND"
+
+# Otherwise, connect to the public instance
+else
+  ssh -i "$KEY_PATH" ubuntu@"$1" 
+fi
diff --git a/projects/bash_networking_security/cert.pem b/projects/bash_networking_security/cert.pem
new file mode 100644
index 0000000..e69de29
diff --git a/projects/bash_networking_security/tlsHandshake.sh b/projects/bash_networking_security/tlsHandshake.sh
index a9bf588..58a84d0 100644
--- a/projects/bash_networking_security/tlsHandshake.sh
+++ b/projects/bash_networking_security/tlsHandshake.sh
@@ -1 +1,54 @@
-#!/bin/bash
+#!/bin/bash -x
+
+
+# Step 1 - Client Hello (Client -> Server)
+RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{
+   "version": "1.3",
+   "ciphersSuites": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
+   "message": "Client Hello"
+}' http://54.177.241.19:8080/clienthello)
+
+
+# Step 2 - Server Hello (Server -> Client)
+SESSION_ID=$(jq -r '.sessionID' <<< "$RESPONSE")
+
+echo "$RESPONSE" | jq -r '.serverCert' > cert.pem
+
+
+# Step 3 - Server Certificate Verification
+wget https://devops-feb23.s3.eu-north-1.amazonaws.com/cert-ca-aws.pem -O cert-ca-aws.pem
+
+VERIFICATION=$(openssl verify -CAfile cert-ca-aws.pem cert.pem)
+
+if [ "$VERIFICATION" != "cert.pem: OK" ]; then
+  echo "Server Certificate is invalid"
+  exit 5
+fi
+
+
+# Step 4 - Client-Server master-key exchange
+openssl rand -out masterKey.txt -base64 32
+
+MASTER_KEY=$(openssl smime -encrypt -aes-256-cbc -in masterKey.txt -outform DER cert.pem | base64 -w 0)
+
+
+# Step 5 - Server verification message
+RESPONSE=$(curl -X POST -H "Content-Type: application/json" -d '{
+  "sessionID": "'"$SESSION_ID"'",
+  "masterKey": "'"$MASTER_KEY"'",
+  "sampleMessage": "Hi server, please encrypt me and send to client!"
+}' http://54.177.241.19:8080/keyexchange)
+
+
+# Step 6 - Client verification message
+echo "$RESPONSE" | jq -r '.encryptedSampleMessage' > encSampleMsg.txt
+cat encSampleMsg.txt | base64 -d > encSampleMsgReady.txt
+
+decrypted_sample_msg=$(openssl enc -d -aes-256-cbc -pbkdf2 -kfile masterKey.txt -in encSampleMsgReady.txt)
+
+if [ "$decrypted_sample_msg" != "Hi server, please encrypt me and send to client!" ]; then
+  echo "Server symmetric encryption using the exchanged master-key has failed."
+  exit 6
+else
+  echo "Client-Server TLS handshake has been completed successfully"
+fi
\ No newline at end of file
diff --git a/projects/bash_networking_security/vpc.sh b/projects/bash_networking_security/vpc.sh
index 951abba..3ccfc29 100644
--- a/projects/bash_networking_security/vpc.sh
+++ b/projects/bash_networking_security/vpc.sh
@@ -1,4 +1,4 @@
-REGION=""
-VPC_ID=""
-PUBLIC_INSTANCE_ID=""
-PRIVATE_INSTANCE_ID=""
\ No newline at end of file
+REGION="us-west-1"
+VPC_ID="vpc-0a1b756866503d3ec"
+PUBLIC_INSTANCE_ID="i-0f81cd32138670b85"
+PRIVATE_INSTANCE_ID="i-085da4490d1bb471d"