#!/bin/sh
#
# Set up a SoftHSM2 configuration and an initialized token in a custom location. Useful for storing tokens in a non-standard location.
#
# The output can be evaluated by bash; it sets up the environment (SOFTHSM2_CONF, PIN_SOURCE, SOPIN_SOURCE, PIN, SO_PIN) for using the temporary tokens.
# The double quotes around the eval argument are mandatory; without them the output is word-split before eval sees it!
# Recommended use:
# eval "$(bash setup-named-softhsm.sh -A)"
#
# Positional arguments (see usage()): either "-A [token directory] [group]"
# or "<config file> <token directory> [group]".  They are interpreted
# further down; here they are only captured.
SOFTHSM2_CONF=${1-}
TOKENPATH=${2-}
GROUPNAME=${3-}

# Fallback PINs.  A freshly initialized token always gets random PINs; these
# defaults are only reported when no stored PIN is available for an already
# initialized token (legacy mode).
#
# Do not use this script for real keys worth protecting.  It exists so that
# PKCS#11 consumers (crypto accelerators) have a usable, initialized token --
# an uninitialized token fails every crypto operation.
PIN=1234
SO_PIN=1234
# Token label passed to softhsm2-util --init-token.
LABEL=rpm

# Abort on the first failing command.
set -e
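# Print an informational line prefixed with "#".
#
# The prefix matters: in -A mode the whole stdout of this script is meant to
# be eval'ed by the caller, so informational output must be a shell comment.
# Arguments are joined with a space (the first character of IFS).  Unlike the
# historic `echo "#" $@`, the arguments are neither word-split nor
# glob-expanded, and printf does not interpret backslash escapes in them
# (dash's echo does, which matters for paths).
echo_i()
{
  if [ "$#" -eq 0 ]; then
    printf '#\n'
  else
    printf '# %s\n' "$*"
  fi
}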
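# random BYTES -- print BYTES cryptographically random bytes, base64-encoded.
#
# Prefers `openssl rand`, falls back to the kernel CSPRNG (/dev/urandom).
# The base64 alphabet (A-Z a-z 0-9 + / =) contains no shell metacharacters,
# which is what allows the generated PINs to be embedded in the eval output
# at the end of the script.  The encoded length is 4*ceil(BYTES/3).
random()
{
  # command -v instead of which: POSIX, no fork, no dependency on which(1).
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 "$1"
  else
    # bs=1 (not the GNU-only 1c) for portability; dd's transfer statistics
    # on stderr are noise here.
    dd if=/dev/urandom bs=1 count="$1" 2>/dev/null | base64
  fi
}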
# Print the two accepted invocation forms on stdout (callers redirect to
# stderr when reporting a usage error).
usage()
{
  printf 'Usage: %s -A [token directory] [group]\n' "$0"
  printf ' or: %s <config file> <token directory> [group]\n' "$0"
}
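# dq VALUE -- escape VALUE for embedding between double quotes in the eval
# snippet printed at the end.  Backslash, double quote, dollar and backtick
# are the only characters special inside double quotes; without this a
# caller-supplied path containing one of them would be executed by eval.
dq()
{
  printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'
}

# "-A" without an explicit base directory: create a fresh private directory
# (mktemp -d creates it mode 0700) and put everything -- config, PIN files
# and tokens -- beneath it.
if [ "$SOFTHSM2_CONF" = "-A" ] && [ -z "$TOKENPATH" ]; then
  TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
fi

if [ -z "$SOFTHSM2_CONF" ] || [ -z "$TOKENPATH" ]; then
  usage >&2
  exit 1
fi

if [ "$SOFTHSM2_CONF" = "-A" ]; then
  # Automagic mode: derive every path from the base directory and persist
  # the generated PINs in files next to the config, so a later run against
  # the same directory can report them again instead of re-initializing.
  MODE=secure
  SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
  PIN_SOURCE="$TOKENPATH/pin"
  SOPIN_SOURCE="$TOKENPATH/so-pin"
  TOKENPATH="$TOKENPATH/tokens"
else
  # Legacy mode: the caller supplies config path and token directory; PINs
  # are only reported on stdout, never stored (PIN_SOURCE stays empty).
  MODE=legacy
fi
# NOTE: MODE is informational only; nothing below reads it.

# Fail early and clearly instead of tripping over a missing tool after
# directories and config have already been created.
if ! command -v softhsm2-util >/dev/null 2>&1; then
  echo_i "softhsm2-util not found in PATH" >&2
  exit 1
fi

mkdir -p -- "$TOKENPATH"

# Group/world-readable (not writable) defaults for the config file and the
# token directory; the PIN files below are tightened separately.
umask 0022

if ! [ -f "$SOFTHSM2_CONF" ]; then
  cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file

directories.tokendir = ${TOKENPATH}
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
SED
else
  echo_i "Config file $SOFTHSM2_CONF already exists" >&2
fi

if [ -n "$PIN_SOURCE" ]; then
  # Create the PIN files already restricted (umask 077 -> 0600) instead of
  # creating them with the default umask and tightening afterwards.  touch
  # does not truncate, so PINs stored by an earlier run survive; the chmod
  # still applies to files that already existed with looser permissions.
  ( umask 077 && touch "$PIN_SOURCE" "$SOPIN_SOURCE" )
  chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
  if [ -n "$GROUPNAME" ]; then
    # Members of the group may read (not write) the PINs.
    chgrp -- "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
    chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
  fi
fi

# softhsm2-util (and every later PKCS#11 consumer) locates the token
# directory through this variable.
export SOFTHSM2_CONF

if softhsm2-util --show-slots | grep -q 'Initialized:[[:space:]]*yes'
then
  echo_i "Token in ${TOKENPATH} is already initialized" >&2

  # Recover the PINs of the existing token from the stored files (secure
  # mode only); legacy mode keeps the defaults set at the top of the script.
  [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
  [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
else
  # Fresh random PINs: base64 of 6 and 18 CSPRNG bytes (8 / 24 characters).
  PIN=$(random 6)
  SO_PIN=$(random 18)
  if [ -n "$PIN_SOURCE" ]; then
    # printf instead of `echo -n`: the latter is not portable under #!/bin/sh.
    printf '%s' "$PIN" > "$PIN_SOURCE"
    printf '%s' "$SO_PIN" > "$SOPIN_SOURCE"
  fi

  echo_i "Initializing tokens to ${TOKENPATH}..."
  # SECURITY: the PINs are passed on the command line and are visible to
  # other local users via the process list while softhsm2-util runs.  That
  # is acceptable for the throw-away test tokens this script is meant for
  # (see header), not for anything protecting real keys.
  #
  # Capture the output instead of piping it straight into sed: in a pipeline
  # the exit status would be sed's, so a failed --init-token would go
  # unnoticed under `set -e` and the script would still emit PIN exports
  # for a token that does not exist.
  init_output=$(softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN")
  # Prefix the tool's output so it is a comment in the eval'ed stream.
  [ -z "$init_output" ] || printf '%s\n' "$init_output" | sed -e 's/^/# /'

  if [ -n "$GROUPNAME" ]; then
    # Group gets read access (and traversal of directories), others nothing.
    chgrp -R -- "$GROUPNAME" "$TOKENPATH"
    chmod -R -- g=rX,o= "$TOKENPATH"
  fi
fi

# Shell snippet for the caller to eval (see header).  Paths are escaped for
# the double quotes; the PINs are base64 and need no escaping, but are
# passed through dq anyway so that PINs read back from a file are safe too.
printf 'export SOFTHSM2_CONF="%s"\n' "$(dq "$SOFTHSM2_CONF")"
printf 'export PIN_SOURCE="%s"\n' "$(dq "$PIN_SOURCE")"
printf 'export SOPIN_SOURCE="%s"\n' "$(dq "$SOPIN_SOURCE")"

printf 'PIN="%s"\n' "$(dq "$PIN")"
printf 'SO_PIN="%s"\n' "$(dq "$SO_PIN")"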