rpms / bind

Clone
Source Code
GIT

Blame setup-named-softhsm.sh

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta c9s-sig-hyperscale
  1.   ad76423202011e1a254f57ac35160a17767adebd
  2.   setup-named-softhsm.sh
Blob History Raw
9647ab 
#!/bin/sh
9647ab 
#
9647ab 
# This script will initialise token storage of softhsm PKCS11 provider
9647ab 
# in custom location. Is useful to store tokens in non-standard location.
fa1631 
#
fa1631 
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
fa1631 
# Recommended use:
fa1631 
# eval $(bash setup-named-softhsm.sh -A)
fa1631 
#
9647ab
9647ab 
SOFTHSM2_CONF="$1"
9647ab 
TOKENPATH="$2"
9647ab 
GROUPNAME="$3"
9647ab 
# Do not use this script for real keys worth protection
9647ab 
# This is intended for crypto accelerators using PKCS11 interface.
9647ab 
# Uninitialized token would fail any crypto operation.
9647ab 
PIN=1234
fa1631 
SO_PIN=1234
fa1631 
LABEL=rpm
9647ab
9647ab 
set -e
9647ab
fa1631 
echo_i()
fa1631 
{
fa1631 
	echo "#" $@
fa1631 
}
fa1631
fa1631 
random()
fa1631 
{
fa1631 
	if [ -x "$(which openssl 2>/dev/null)" ]; then
fa1631 
		openssl rand -base64 $1
fa1631 
	else
fa1631 
		dd if=/dev/urandom bs=1c count=$1 | base64
fa1631 
	fi
fa1631 
}
fa1631
fa1631 
usage()
fa1631 
{
fa1631 
	echo "Usage: $0 -A [token directory] [group]"
fa1631 
	echo "   or: $0 <config file> <token directory> [group]"
fa1631 
}
fa1631
fa1631 
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
fa1631 
	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
fa1631 
fi
fa1631
9647ab 
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
fa1631 
	usage >&2
9647ab 
	exit 1
9647ab 
fi
9647ab
fa1631 
if [ "$SOFTHSM2_CONF" = "-A" ]; then
fa1631 
	# Automagic mode instead
fa1631 
	MODE=secure
fa1631 
	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
fa1631 
	PIN_SOURCE="$TOKENPATH/pin"
fa1631 
	SOPIN_SOURCE="$TOKENPATH/so-pin"
fa1631 
	TOKENPATH="$TOKENPATH/tokens"
fa1631 
else
fa1631 
	MODE=legacy
fa1631 
fi
fa1631
fa1631 
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
fa1631
fa1631 
umask 0022
fa1631
9647ab 
if ! [ -f "$SOFTHSM2_CONF" ]; then
9647ab 
cat  << SED > "$SOFTHSM2_CONF"
9647ab 
# SoftHSM v2 configuration file
9647ab
9647ab 
directories.tokendir = ${TOKENPATH}
9647ab 
objectstore.backend = file
9647ab
9647ab 
# ERROR, WARNING, INFO, DEBUG
9647ab 
log.level = ERROR
9647ab
9647ab 
# If CKF_REMOVABLE_DEVICE flag should be set
9647ab 
slots.removable = false
9647ab 
SED
9647ab 
else
fa1631 
	echo_i "Config file $SOFTHSM2_CONF already exists" >&2
9647ab 
fi
9647ab
fa1631 
if [ -n "$PIN_SOURCE" ]; then
fa1631 
	touch "$PIN_SOURCE" "$SOPIN_SOURCE"
fa1631 
	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
fa1631 
	if [ -n "$GROUPNAME" ]; then
fa1631 
		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
fa1631 
		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
fa1631 
	fi
fa1631 
fi
9647ab
9647ab 
export SOFTHSM2_CONF
9647ab
9647ab 
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
9647ab 
then
fa1631 
	echo_i "Token in ${TOKENPATH} is already initialized" >&2
fa1631
fa1631 
	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
fa1631 
	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
9647ab 
else
fa1631 
	PIN=$(random 6)
fa1631 
	SO_PIN=$(random 18)
fa1631 
	if [ -n "$PIN_SOURCE" ]; then
fa1631 
		echo -n "$PIN" > "$PIN_SOURCE"
fa1631 
		echo -n "$SO_PIN" > "$SOPIN_SOURCE"
fa1631 
	fi
fa1631
fa1631 
	echo_i "Initializing tokens to ${TOKENPATH}..."
fa1631 
	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
9647ab
9647ab 
	if [ -n "$GROUPNAME" ]; then
9647ab 
		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
9647ab 
		chmod -R -- g=rX,o= "$TOKENPATH"
9647ab 
	fi
9647ab 
fi
9647ab
9647ab 
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
fa1631 
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
fa1631 
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
fa1631 
# These are intentionaly not exported
fa1631 
echo "PIN=\"$PIN\""
fa1631 
echo "SO_PIN=\"$SO_PIN\""

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation