Blob Blame History Raw
#!/bin/sh
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.

SOFTHSM2_CONF="$1"
TOKENPATH="$2"
GROUPNAME="$3"
# Do not use this script for real keys worth protection
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234

set -e

if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
	echo "Usage: $0 <config file> <token directory> [group]" >&2
	exit 1
fi

if ! [ -f "$SOFTHSM2_CONF" ]; then
cat  << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file

directories.tokendir = ${TOKENPATH}
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
SED
else
	echo "Config file $SOFTHSM2_CONF already exists" >&2
fi

[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"

export SOFTHSM2_CONF

if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then
	echo "Token in ${TOKENPATH} is already initialized" >&2
else
	echo "Initializing tokens to ${TOKENPATH}..."
	softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN

	if [ -n "$GROUPNAME" ]; then
		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
		chmod -R -- g=rX,o= "$TOKENPATH"
	fi
fi

echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""