Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin and save it into file protected by unix rights. HSM tools will probably require it anyway. Use smart defaults.
This commit is contained in:
parent
6fee3d63e9
commit
fa1631eef7
@ -799,8 +799,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
|
||||
%check
|
||||
%if %{with PKCS11}
|
||||
# Tests require initialization of pkcs11 token
|
||||
export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
|
||||
sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
|
||||
eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")
|
||||
%endif
|
||||
|
||||
%if %{with UNITTEST}
|
||||
|
@ -2,6 +2,11 @@
|
||||
#
|
||||
# This script will initialise token storage of softhsm PKCS11 provider
|
||||
# in custom location. Is useful to store tokens in non-standard location.
|
||||
#
|
||||
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
|
||||
# Recommended use:
|
||||
# eval $(bash setup-named-softhsm.sh -A)
|
||||
#
|
||||
|
||||
SOFTHSM2_CONF="$1"
|
||||
TOKENPATH="$2"
|
||||
@ -10,14 +15,55 @@ GROUPNAME="$3"
|
||||
# This is intended for crypto accelerators using PKCS11 interface.
|
||||
# Uninitialized token would fail any crypto operation.
|
||||
PIN=1234
|
||||
SO_PIN=1234
|
||||
LABEL=rpm
|
||||
|
||||
set -e
|
||||
|
||||
echo_i()
|
||||
{
|
||||
echo "#" $@
|
||||
}
|
||||
|
||||
random()
|
||||
{
|
||||
if [ -x "$(which openssl 2>/dev/null)" ]; then
|
||||
openssl rand -base64 $1
|
||||
else
|
||||
dd if=/dev/urandom bs=1c count=$1 | base64
|
||||
fi
|
||||
}
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: $0 -A [token directory] [group]"
|
||||
echo " or: $0 <config file> <token directory> [group]"
|
||||
}
|
||||
|
||||
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
|
||||
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
|
||||
fi
|
||||
|
||||
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
|
||||
echo "Usage: $0 <config file> <token directory> [group]" >&2
|
||||
usage >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$SOFTHSM2_CONF" = "-A" ]; then
|
||||
# Automagic mode instead
|
||||
MODE=secure
|
||||
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
|
||||
PIN_SOURCE="$TOKENPATH/pin"
|
||||
SOPIN_SOURCE="$TOKENPATH/so-pin"
|
||||
TOKENPATH="$TOKENPATH/tokens"
|
||||
else
|
||||
MODE=legacy
|
||||
fi
|
||||
|
||||
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
|
||||
|
||||
umask 0022
|
||||
|
||||
if ! [ -f "$SOFTHSM2_CONF" ]; then
|
||||
cat << SED > "$SOFTHSM2_CONF"
|
||||
# SoftHSM v2 configuration file
|
||||
@ -32,19 +78,36 @@ log.level = ERROR
|
||||
slots.removable = false
|
||||
SED
|
||||
else
|
||||
echo "Config file $SOFTHSM2_CONF already exists" >&2
|
||||
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
|
||||
fi
|
||||
|
||||
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
|
||||
if [ -n "$PIN_SOURCE" ]; then
|
||||
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
if [ -n "$GROUPNAME" ]; then
|
||||
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
|
||||
fi
|
||||
fi
|
||||
|
||||
export SOFTHSM2_CONF
|
||||
|
||||
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
|
||||
then
|
||||
echo "Token in ${TOKENPATH} is already initialized" >&2
|
||||
echo_i "Token in ${TOKENPATH} is already initialized" >&2
|
||||
|
||||
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
|
||||
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
|
||||
else
|
||||
echo "Initializing tokens to ${TOKENPATH}..."
|
||||
softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
|
||||
PIN=$(random 6)
|
||||
SO_PIN=$(random 18)
|
||||
if [ -n "$PIN_SOURCE" ]; then
|
||||
echo -n "$PIN" > "$PIN_SOURCE"
|
||||
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
|
||||
fi
|
||||
|
||||
echo_i "Initializing tokens to ${TOKENPATH}..."
|
||||
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
|
||||
|
||||
if [ -n "$GROUPNAME" ]; then
|
||||
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
|
||||
@ -53,3 +116,8 @@ else
|
||||
fi
|
||||
|
||||
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
|
||||
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
|
||||
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
|
||||
# These are intentionaly not exported
|
||||
echo "PIN=\"$PIN\""
|
||||
echo "SO_PIN=\"$SO_PIN\""
|
||||
|
Loading…
Reference in New Issue
Block a user