From 9647ab2c5811f5f42e0ab92e82ec1676ea73280c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Tue, 9 Jan 2018 22:18:28 +0100
Subject: [PATCH] Provide internal tool to prepare softhsm token storage

---
 bind.spec | 15 +++++++-----
 setup-named-softhsm.sh | 55 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 6 deletions(-)
 create mode 100755 setup-named-softhsm.sh

diff --git a/bind.spec b/bind.spec
index 002a2b5..4603d1e 100644
--- a/bind.spec
+++ b/bind.spec
@@ -61,7 +61,7 @@ Source44: named-chroot-setup.service
 Source45: named-sdb-chroot-setup.service
 Source46: named-setup-rndc.service
 Source47: named-pkcs11.service
-Source48: softhsm2.conf.in
+Source48: setup-named-softhsm.sh
 
 # Common patches
 Patch10: bind-9.5-PIE.patch
@@ -534,14 +534,10 @@ popd
 %endif
 
 %check
-:
 %if %{PKCS11}
 # Tests require initialization of pkcs11 token
- mkdir softhsm-tokens
- sed -e "s,@TOKENPATH@,`pwd`/softhsm-tokens," %{SOURCE48} > softhsm2.conf
 export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
- echo "Initializing tokens to `pwd`/softhsm-tokens..."
- softhsm2-util --init-token --free --label rpm --pin 1234 --so-pin 1234
+ sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
 %endif
 
 %if %{unittest}
@@ -574,6 +570,7 @@ if [ "`whoami`" = 'root' ]; then
 else
 echo 'only root can run the tests (they require an ifconfig).'
 %endif
+:
 
 %install
 rm -rf ${RPM_BUILD_ROOT}
@@ -652,6 +649,10 @@ mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
 install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
 install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
 
+%if %{PKCS11}
+install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
+%endif
+
 install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
 mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
 install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig/named
@@ -1140,6 +1141,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sbindir}/named-pkcs11
 %{_unitdir}/named-pkcs11.service
 %{_mandir}/man8/named-pkcs11.8*
+%{_libexecdir}/setup-named-softhsm.sh
 
 %files pkcs11-utils
 %defattr(-,root,root,-)
@@ -1203,6 +1205,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Tue Jan 02 2018 Petr Menšík - 32:9.11.2-4
 - Enable unit tests with kyua tool (#1532694)
+- Provide internal tool to prepare softhsm token storage
 
 * Fri Dec 15 2017 Petr Menšík - 32:9.11.2-3
 - Own python3-bind isc directory (#1522944)
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
new file mode 100755
index 0000000..7ae0a6d
--- /dev/null
+++ b/setup-named-softhsm.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+#
+# This script will initialise token storage of softhsm PKCS11 provider
+# in custom location. Is useful to store tokens in non-standard location.
+
+SOFTHSM2_CONF="$1"
+TOKENPATH="$2"
+GROUPNAME="$3"
+# Do not use this script for real keys worth protection
+# This is intended for crypto accelerators using PKCS11 interface.
+# Uninitialized token would fail any crypto operation.
+PIN=1234
+
+set -e
+
+if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
+ echo "Usage: $0 [group]" >&2
+ exit 1
+fi
+
+if ! [ -f "$SOFTHSM2_CONF" ]; then
+cat << SED > "$SOFTHSM2_CONF"
+# SoftHSM v2 configuration file
+
+directories.tokendir = ${TOKENPATH}
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = ERROR
+
+# If CKF_REMOVABLE_DEVICE flag should be set
+slots.removable = false
+SED
+else
+ echo "Config file $SOFTHSM2_CONF already exists" >&2
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+export SOFTHSM2_CONF
+
+if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
+then
+ echo "Token in ${TOKENPATH} is already initialized" >&2
+else
+ echo "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+
+ if [ -n "$GROUPNAME" ]; then
+ chgrp -R -- "$GROUPNAME" "$TOKENPATH"
+ chmod -R -- g=rX,o= "$TOKENPATH"
+ fi
+fi
+
+echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
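Review bot: The token directory is created by `mkdir -p "$TOKENPATH"` with whatever the caller's umask allows, and the `chgrp`/`chmod -R g=rX,o=` tightening runs only inside the first-initialisation branch and only when a group was given, so a store created without a group stays readable by other users, and a later run that passes a group after the token already exists never adjusts it. Since the spec also installs this script into libexecdir for the pkcs11 package rather than using it only in %check, I would create the directory with a restricted mode and apply the group/mode block on every run, after the outer `if`. Separately, `[ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]` relies on the obsolescent `-o`; `[ -z "$SOFTHSM2_CONF" ] || [ -z "$TOKENPATH" ]` is the portable sh form. The `Initialized:` grep reports any initialised slot in the configured token directory rather than checking `$TOKENPATH` itself, which is fine when this script wrote the config but may mislead when a pre-existing config points elsewhere.
```shell
[ -d "$TOKENPATH" ] || mkdir -p -m 0750 -- "$TOKENPATH"

# … unchanged: export SOFTHSM2_CONF, show-slots check, --init-token …

# Apply group ownership and mode on every run, not only on first
# initialisation, so a later invocation with a group can still tighten
# an existing store.
if [ -n "$GROUPNAME" ]; then
  chgrp -R -- "$GROUPNAME" "$TOKENPATH"
  chmod -R -- g=rX,o= "$TOKENPATH"
fi
```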