diff options
Diffstat (limited to 'setup-named-softhsm.sh')
| -rwxr-xr-x | setup-named-softhsm.sh | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/setup-named-softhsm.sh b/setup-named-softhsm.sh new file mode 100755 index 0000000..c0f8445 --- /dev/null +++ b/setup-named-softhsm.sh @@ -0,0 +1,124 @@ +#!/bin/sh +# +# This script will initialise token storage of softhsm PKCS11 provider +# in custom location. Is useful to store tokens in non-standard location. +# +# Output can be evaluated from bash, it will prepare it for usage of temporary tokens. +# Quotes around eval are mandatory! +# Recommended use: +# eval "$(bash setup-named-softhsm.sh -A)" +# + +SOFTHSM2_CONF="$1" +TOKENPATH="$2" +GROUPNAME="$3" +# Do not use this script for real keys worth protection +# This is intended for crypto accelerators using PKCS11 interface. +# Uninitialized token would fail any crypto operation. +PIN=1234 +SO_PIN=1234 +LABEL=rpm + +set -e + +echo_i() +{ + echo "#" $@ +} + +random() +{ + if [ -x "$(which openssl 2>/dev/null)" ]; then + openssl rand -base64 $1 + else + dd if=/dev/urandom bs=1c count=$1 | base64 + fi +} + +usage() +{ + echo "Usage: $0 -A [token directory] [group]" + echo " or: $0 <config file> <token directory> [group]" +} + +if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then + TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX) +fi + +if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then + usage >&2 + exit 1 +fi + +if [ "$SOFTHSM2_CONF" = "-A" ]; then + # Automagic mode instead + MODE=secure + SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf" + PIN_SOURCE="$TOKENPATH/pin" + SOPIN_SOURCE="$TOKENPATH/so-pin" + TOKENPATH="$TOKENPATH/tokens" +else + MODE=legacy +fi + +[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH" + +umask 0022 + +if ! [ -f "$SOFTHSM2_CONF" ]; then +cat << SED > "$SOFTHSM2_CONF" +# SoftHSM v2 configuration file + +directories.tokendir = ${TOKENPATH} +objectstore.backend = file + +# ERROR, WARNING, INFO, DEBUG +log.level = ERROR + +# If CKF_REMOVABLE_DEVICE flag should be set +slots.removable = false +SED +else + echo_i "Config file $SOFTHSM2_CONF already exists" >&2 +fi + +if [ -n "$PIN_SOURCE" ]; then + touch "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE" + if [ -n "$GROUPNAME" ]; then + chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE" + chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE" + fi +fi + +export SOFTHSM2_CONF + +if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null +then + echo_i "Token in ${TOKENPATH} is already initialized" >&2 + + [ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE") + [ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE") +else + PIN=$(random 6) + SO_PIN=$(random 18) + if [ -n "$PIN_SOURCE" ]; then + echo -n "$PIN" > "$PIN_SOURCE" + echo -n "$SO_PIN" > "$SOPIN_SOURCE" + fi + + echo_i "Initializing tokens to ${TOKENPATH}..." + softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /' + + if [ -n "$GROUPNAME" ]; then + chgrp -R -- "$GROUPNAME" "$TOKENPATH" + chmod -R -- g=rX,o= "$TOKENPATH" + fi +fi + +echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\"" +echo "export PIN_SOURCE=\"$PIN_SOURCE\"" +echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\"" +# These are intentionaly not exported +echo "PIN=\"$PIN\"" +echo "SO_PIN=\"$SO_PIN\"" |