rpms/bind
7
0
Fork 1
Code Issues Pull Requests Releases Activity
fa1631eef7
bind/setup-named-softhsm.sh
Petr Menšík fa1631eef7 Simplify pkcs11 token generation 
Make default secure enough, no predefined pins are used. Generate pin
and save it into file protected by unix rights. HSM tools will probably
require it anyway. Use smart defaults.
2019-02-20 19:06:03 +01:00

124 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
#
# This script will initialise token storage of softhsm PKCS11 provider
# in custom location. Is useful to store tokens in non-standard location.
#
# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.
# Recommended use:
# eval $(bash setup-named-softhsm.sh -A)
#
SOFTHSM2_CONF="$1"
TOKENPATH="$2"
GROUPNAME="$3"
# Do not use this script for real keys worth protection
# This is intended for crypto accelerators using PKCS11 interface.
# Uninitialized token would fail any crypto operation.
PIN=1234
SO_PIN=1234
LABEL=rpm
set -e
echo_i()
{
echo "#" $@
}
random()
{
if [ -x "$(which openssl 2>/dev/null)" ]; then
openssl rand -base64 $1
else
dd if=/dev/urandom bs=1c count=$1 | base64
fi
}
usage()
{
echo "Usage: $0 -A [token directory] [group]"
echo " or: $0 <config file> <token directory> [group]"
}
if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then
TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)
fi
if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then
usage >&2
exit 1
fi
if [ "$SOFTHSM2_CONF" = "-A" ]; then
# Automagic mode instead
MODE=secure
SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"
PIN_SOURCE="$TOKENPATH/pin"
SOPIN_SOURCE="$TOKENPATH/so-pin"
TOKENPATH="$TOKENPATH/tokens"
else
MODE=legacy
fi
[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"
umask 0022
if ! [ -f "$SOFTHSM2_CONF" ]; then
cat << SED > "$SOFTHSM2_CONF"
# SoftHSM v2 configuration file
directories.tokendir = ${TOKENPATH}
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
SED
else
echo_i "Config file $SOFTHSM2_CONF already exists" >&2
fi
if [ -n "$PIN_SOURCE" ]; then
touch "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"
if [ -n "$GROUPNAME" ]; then
chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"
chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"
fi
fi
export SOFTHSM2_CONF
if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null
then
echo_i "Token in ${TOKENPATH} is already initialized" >&2
[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")
[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")
else
PIN=$(random 6)
SO_PIN=$(random 18)
if [ -n "$PIN_SOURCE" ]; then
echo -n "$PIN" > "$PIN_SOURCE"
echo -n "$SO_PIN" > "$SOPIN_SOURCE"
fi
echo_i "Initializing tokens to ${TOKENPATH}..."
softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'
if [ -n "$GROUPNAME" ]; then
chgrp -R -- "$GROUPNAME" "$TOKENPATH"
chmod -R -- g=rX,o= "$TOKENPATH"
fi
fi
echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""
echo "export PIN_SOURCE=\"$PIN_SOURCE\""
echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""
# These are intentionaly not exported
echo "PIN=\"$PIN\""
echo "SO_PIN=\"$SO_PIN\""
Reference in New Issue View Git Blame Copy Permalink