From fa1631eef77a827e0df168df837e84c2d8790ce5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 20 Feb 2019 18:53:13 +0100
Subject: [PATCH] Simplify pkcs11 token generation
Make default secure enough, no predefined pins are used. Generate pin and save it into file protected by unix rights. HSM tools will probably require it anyway. Use smart defaults.
---
 bind.spec | 3 +-
 setup-named-softhsm.sh | 80 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 75 insertions(+), 8 deletions(-)
diff --git a/bind.spec b/bind.spec
index cde769e..f7ff9dc 100644
--- a/bind.spec
+++ b/bind.spec
@@ -799,8 +799,7 @@ sed -e '/^tp:.*-pkcs11/ d' -e '/^tp:\s*lwres/ d' \
 %check
 %if %{with PKCS11}
 # Tests require initialization of pkcs11 token
- export SOFTHSM2_CONF="`pwd`/softhsm2.conf"
- sh %{SOURCE48} "${SOFTHSM2_CONF}" "`pwd`/softhsm-tokens"
+ eval $(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")
 %endif
 %if %{with UNITTEST}
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh
index 7ae0a6d..a13c91e 100755
--- a/setup-named-softhsm.sh
+++ b/setup-named-softhsm.sh
@@ -2,6 +2,11 @@
 #
 # This script will initialise token storage of softhsm PKCS11 provider
 # in custom location. Is useful to store tokens in non-standard location.
+#
+# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
+# Recommended use:
+# eval $(bash setup-named-softhsm.sh -A)
+#
 SOFTHSM2_CONF="$1"
 TOKENPATH="$2"
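Review bot: The unquoted `eval $(bash %{SOURCE48} -A ...)` added to the %check section joins the script's whole multi-line stdout into one command line, and on a first run that output starts with the `# Initializing tokens to ...` line (echo_i writes to stdout, and the softhsm2-util output is prefixed with `# ` by sed), so the entire joined string is parsed as a single shell comment and none of the `export` or `PIN=` assignments take effect. Even when no `#` line is present, joining makes the later `export` words arguments of the first `export`, which appears to export `PIN` and `SO_PIN` as well, contrary to the script's intent. Quote the substitution so the newlines survive, `eval "$(bash %{SOURCE48} -A "$(pwd)/softhsm-tokens")"` (the inner `$(pwd)` also replaces the backticks). The same unquoted form is given as the recommended usage in the header comment added to setup-named-softhsm.sh, `eval $(bash setup-named-softhsm.sh -A)`, and should be quoted there too.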
@@ -10,14 +15,55 @@ GROUPNAME="$3"
 # This is intended for crypto accelerators using PKCS11 interface.
 # Uninitialized token would fail any crypto operation.
 PIN=1234
+SO_PIN=1234
+LABEL=rpm
 set -e
+echo_i()
+{
+ echo "#" $@
+}
+
+random()
+{
+ if [ -x "$(which openssl 2>/dev/null)" ]; then
+ openssl rand -base64 $1
+ else
+ dd if=/dev/urandom bs=1c count=$1 | base64
+ fi
+}
+
+usage()
+{
+ echo "Usage: $0 -A [token directory] [group]"
+ echo " or: $0 [group]"
+}
+
+if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
+ TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
+fi
+
 if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
- echo "Usage: $0 [group]" >&2
+ usage >&2
 exit 1
 fi
+if [ "$SOFTHSM2_CONF" = "-A" ]; then
+ # Automagic mode instead
+ MODE=secure
+ SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
+ PIN_SOURCE="$TOKENPATH/pin"
+ SOPIN_SOURCE="$TOKENPATH/so-pin"
+ TOKENPATH="$TOKENPATH/tokens"
+else
+ MODE=legacy
+fi
+
+[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+
+umask 0022
+
 if ! [ -f "$SOFTHSM2_CONF" ]; then
 cat << SED > "$SOFTHSM2_CONF"
 # SoftHSM v2 configuration file
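Review bot: `echo "#" $@` in the new echo_i leaves `$@` unquoted, so a message containing glob characters or runs of whitespace is reshaped before printing, and the messages passed to it include the caller-supplied token path; `echo "#" "$@"` keeps each argument intact. `MODE` is set to `secure` or `legacy` in the -A branch but is not read anywhere in the visible hunks, so either drop it or use it. The `-a`/`-o` operators inside the two `[ ... ]` conditions are marked obsolescent by POSIX and are ambiguous with some operands; `[ "$SOFTHSM2_CONF" = "-A" ] && [ -z "$TOKENPATH" ]` is the unambiguous spelling.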
@@ -32,19 +78,36 @@ log.level = ERROR
 slots.removable = false
 SED
 else
- echo "Config file $SOFTHSM2_CONF already exists" >&2
+ echo_i "Config file $SOFTHSM2_CONF already exists" >&2
 fi
-[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
+if [ -n "$PIN_SOURCE" ]; then
+ touch "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
+ if [ -n "$GROUPNAME" ]; then
+ chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
+ chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
+ fi
+fi
 export SOFTHSM2_CONF
 if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
 then
- echo "Token in ${TOKENPATH} is already initialized" >&2
+ echo_i "Token in ${TOKENPATH} is already initialized" >&2
+
+ [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
+ [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
 else
- echo "Initializing tokens to ${TOKENPATH}..."
- softhsm2-util --init-token --free --label rpm --pin $PIN --so-pin $PIN
+ PIN=$(random 6)
+ SO_PIN=$(random 18)
+ if [ -n "$PIN_SOURCE" ]; then
+ echo -n "$PIN" > "$PIN_SOURCE"
+ echo -n "$SO_PIN" > "$SOPIN_SOURCE"
+ fi
+
+ echo_i "Initializing tokens to ${TOKENPATH}..."
+ softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
 if [ -n "$GROUPNAME" ]; then
 chgrp -R -- "$GROUPNAME" "$TOKENPATH"
@@ -53,3 +116,8 @@ else
 fi
 echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
+echo "export PIN_SOURCE=\"$PIN_SOURCE\""
+echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
+# These are intentionaly not exported
+echo "PIN=\"$PIN\""
+echo "SO_PIN=\"$SO_PIN\""
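Review bot: Piping `softhsm2-util --init-token ... | sed -e 's/^/# /'` hides softhsm2-util's exit status: under `set -e` without pipefail the pipeline's status is sed's, so a failed initialization no longer stops the script, which then goes on to print the `export` lines and PINs for a token that was never created, whereas the removed unpiped call did abort. Capture the output first so the status is checked, `out=$(softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN")` followed by `printf '%s\n' "$out" | sed -e 's/^/# /'` (or, since the spec now runs the script with bash, add `set -o pipefail` next to `set -e`). Separately, `touch` creates the pin files under `umask 0022` before `chmod 0600` runs; they are still empty at that moment so nothing leaks, but `umask 077` before the touch closes the window cleanly. The if/else around initialization continues past the end of the hunk.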
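Review bot: The comment `# These are intentionaly not exported` misspells "intentionally", and since these two lines are the only output that deliberately skips `export`, the reason is worth stating for the next reader; presumably the PINs are meant to stay out of child-process environments, so something like `# PIN and SO_PIN are intentionally not exported; they are for the evaluating shell only` (confirm the intent) would do. Note that the values are also persisted in `$PIN_SOURCE`/`$SOPIN_SOURCE` in -A mode, so a caller that only needs the files can ignore these lines.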