Provide internal tool to prepare softhsm token storage

2018-01-09 22:18:28 +01:00 · 2018-01-09 22:18:28 +01:00 · 9647ab2c58
commit 9647ab2c58
parent 661d72987e
2 changed files with 64 additions and 6 deletions
--- a/bind.spec
+++ b/bind.spec
@ -61,7 +61,7 @@ Source44: named-chroot-setup.service
 Source45: named-sdb-chroot-setup.service
 Source46: named-setup-rndc.service
 Source47: named-pkcs11.service
-Source48: softhsm2.conf.in
+Source48: setup-named-softhsm.sh

 # Common patches
 Patch10: bind-9.5-PIE.patch
@ -534,14 +534,10 @@ popd
 %endif

 %check
-:
 %if %{PKCS11}
  # Tests require initialization of pkcs11 token
-  mkdir softhsm-tokens
-  sed -e "s,@TOKENPATH@,`pwd`/softhsm-tokens," %{SOURCE48} > softhsm2.conf
  export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
-  echo "Initializing tokens to `pwd`/softhsm-tokens..."
-  softhsm2-util --init-token --free --label rpm --pin 1234 --so-pin 1234
+  sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
 %endif

 %if %{unittest}
@ -574,6 +570,7 @@ if [ "`whoami`" = 'root' ]; then
 else
  echo 'only root can run the tests (they require an ifconfig).'
 %endif
+:

 %install
 rm -rf ${RPM_BUILD_ROOT}
@ -652,6 +649,10 @@ mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
 install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh

+%if %{PKCS11}
+install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
+%endif
+
 install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
@ -1140,6 +1141,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sbindir}/named-pkcs11
 %{_unitdir}/named-pkcs11.service
 %{_mandir}/man8/named-pkcs11.8*
+%{_libexecdir}/setup-named-softhsm.sh

 %files pkcs11-utils
 %defattr(-,root,root,-)
@ -1203,6 +1205,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Tue Jan 02 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-4
 - Enable unit tests with kyua tool (#1532694)
+- Provide internal tool to prepare softhsm token storage

 * Fri Dec 15 2017 Petr Menšík <pemensik@redhat.com> - 32:9.11.2-3
 - Own python3-bind isc directory (#1522944)
--- a/setup-named-softhsm.sh
+++ b/setup-named-softhsm.sh
@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+
+set -e
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+	echo "Usage: $0 <config file> <token directory> [group]" >&2
+	exit 1
+fi
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat  << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+	echo "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+	echo "Token in ${TOKENPATH} is already initialized" >&2
+else
+	echo "Initializing tokens to ${TOKENPATH}..."
+	softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+
+	if [ -n "$GROUPNAME" ]; then
+		chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+		chmod -R -- g=rX,o= "$TOKENPATH"
+	fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""