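#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
#
# Set up, query and tear down a throw-away SoftHSM2 token for tests.
#
# Usage: see usage() below (setup | getkeyuri | teardown).
#
# This script does not work with softhsm2 2.0.0 but with >= 2.3.0.
#
# Required tools: p11tool (gnutls) and softhsm2-util (softhsm2); when one
# of them is missing the script exits with 77 so a test harness can treat
# the run as "skipped".
# Environment: PIN and SO_PIN override the token PINs (default 1234).
#
# Strict mode (set -e) is deliberately not enabled: every external command
# whose failure matters is checked explicitly and reported with its output.

if [ -z "$(type -P p11tool)" ]; then
  echo "Need p11tool from gnutls"
  exit 77
fi
if [ -z "$(type -P softhsm2-util)" ]; then
  echo "Need softhsm2-util from softhsm2 package"
  exit 77
fi

# Test-only RSA private key that 'setup' imports into the token.  It is a
# fixture checked into the repository and therefore public; it must not be
# reused for anything but this test configuration.  The leading newline is
# kept so the PEM handed to softhsm2-util is unchanged.
MYKEY="
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDGjc47VG+btr7L
2JSAV48n+ciZBYehMqUXhfouMm+b1GIV8WLgv3ndiAqO1tYzvS8fH0EtCbVQIJdN
1bhqYFPnKoVdVPqdcU0Z7cQbx5bj6lL8IHujM5e1oQsg6SG0uIJ8pbIauYBC+FiD
HBkvcBmVTi3K3AZtSU0XjBn6WY+pTfnSNS/3OpSZZykaNaW01u11CA4GR771R5Ls
rDWpULavYTqR7+E4tOqcko9mtfg/7jIamfCKda7MAa9Xy2IE/S+y+JGtwccFYeY4
i/n4XFJMGVLf0Q3IWMa4ieMJa3yWafs/m13LomENby8+/lKrXFMv2gJ1u28F0TpR
Rc9/j0M5rYRBVe/7rmQNJrPZn1A7iK/JMTxF3BAQ3OIbdshyeSdfYmKF7zfT3cEW
3ryvhkVCD9JRrXibQ75EsFDVGRGCGYHDrUFvtkgecuQPBLNOGxaMuUMROTOiUmDp
DtynkggCCNxL7KupIO5DtsmieqQ+bsIk4pjNPKfwgkd3njcNIgMCAwEAAQKCAYAM
aNB65MwU71b9ZovheZd46COhbLcNXBz1W2pHeN+A3cVDmdKUOWNkdRwz0TmSAkDv
sQRhzDmIyICsXK8p9ttHl2C+dJE1Rd+Lv1CCa/cCR6LoHx+bE55nu6j2ZZu1r9J3
9+MpyG47wUnG5/qq/Fac/kXeZ+H+8pXe4uK8wtw3uKfke26EBSVEcS4gdTnmE4jD
x70Yp2NH8TE9mYXBD0pbq7f9ZwCsiqIfJwnPYZAibsCy6OwfuzsxhOlwk0WNCkXU
mmPUuA1d6xbqKIfcFZRz4VymRcyGRtKMxrpEjO8XUbaZC2SReEDXBPiMZ54mnLwr
wzGC03fsGiPeMkLfqDSJP+Sjro4B/SnsMkNyV9sf2l4jHkseeZiITlU1r+bYCN9q
R+Lp5p4NM1wb2HR3+qp6WQNKUad1IoOh0CMPBMw6FginvMsUkJv/Fr7WBJLNN90a
jIhmriOy683Mj9JYP48k1KhtoYiPcjTmiiE4l4+N2kjB5DzjJSWLuRxKhi66gAEC
gcEA9/1+gujpN0UKUG84nIEZFq4rYkZ21tLRtsrlr33qxBJXNcKvW8EJvXPOsYm/
1U1u6qgg4xCWvFPyKirF2a/jtqNAzisDTixW++rf4SU175PhMbYvPsWfyPVRXfbQ
bDBhcpHA5JkLIq73taIhd/hj3hIxLfObpyHvb1d+W2ubzd8vIW/Jagj+SwYwvqbB
4SmHqIznHbxiZB4CEQB2p7xXosdteBq6piXqN0e6RXLxYOeQV/meC5tqWCMC55bq
t1J3AoHBAMz3jDkavG6VjpQloRIEMJ4OHwNjajBQZ8gqjKV6V45KxV241KIUMlue
Z3dx6fJgt708DTJbLFBcSKG4+IcuHGvDZTn30aTPTnt42a7FQtCc7r+0KTrLACl5
uH0uL4dNTrpbzoS9rXQYNG3zljCbuhPFxu5qwIeCQpAchIcvwcYWJsXmSu/yQNhA
1IQnZFBG6b2SLMAUKy08U1I0d363OhkEmq8yjfNOvoB+kzF7MIbpyAoZDkuAsop0
xFXfuErj1QKBwHa+rhZXGlz5tR+gshXWh0Hh8iojnYHt/rctXl/yxjhOo+29JCSm
QVizHDTMxcuIQWUhTmYLqnHRLHLeelBrNXldoIlX9UQ4XQpRhBQVskbeo4UfPG4t
SP574RNCPLihTfgDLL8JPVjFOR2C3c3JZWCPi3b6X/zedfz1gy6ZT0h75uB225Xn
aoRYGX0g8lMzhJ7DoWMOsnpIGCs18psMx1XNcnCBNACcxRLlSJ86k7QYDXjisLfU
Gk7LrPdhv1A6rwKBwQC1osXbsQq9QMG6HWKQka/30PHA0e+/YvGlW7eJyVIf4bjn
ZizgeN9re4ObQRKd3QHWq4nSTyOFD1K6Ji3vtXgwM1bYOPnKgH+/QYg+rcaZEgkt
T12eIVlCaACKxkwOLf8PfN4VmfVFRVHpAgzdhJMwhHrWuzlknJWaGfuDxVmFzgmM
JJnR6y91tHXfqvzlewIWIZyQlw7wJl58IcynOX49v2vIyBctP2HogsKz/cQyOqgv
8qZNWH5f3jxDEV/C1gUCgcEA7m9imZn3RIM5J3mqz2JKdbpobh7N9ulCGIOkGDHo
1oumVO+D1eSObUDE684keyiSyERlnpQuGZjkbF5585cF+gEXWsxxOHKKZC3CiRFK
fCgMJtm7S4E5V2B+fTnCFwMK4IBFrTagpVVe9/bTABvaqu3TDlAslGyXBS8ilmz6
1eRfFRe1aXiqpfm8pB0mH5sALS0EjHu87saAyf2vq7BEZA0NJO/QVhZZI/0tFR8B
ifNpEJG5p2K2AKnYFw6Dt49S
-----END PRIVATE KEY-----"

NAME=swtpm-test
PIN=${PIN:-1234}
SO_PIN=${SO_PIN:-1234}
UNAME_S="$(uname -s)"

# On macOS the gnutls module list /etc/gnutls/pkcs11.conf is rewritten by
# setup/teardown, which needs password-less sudo; fail early if missing.
case "${UNAME_S}" in
Darwin*)
  if ! sudo -v -n; then
    echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
    exit 1
  fi
  ;;
esac

#######################################
# Print the text following "URL: " on every matching line read from stdin.
# Shared by the token-URL (p11tool --list-tokens) and object-URL
# (p11tool --list-all) lookups so all three call sites parse identically.
# Outputs:  one URL per line on stdout
#######################################
extract_urls() {
  # '[[:print:]]*' captures the rest of the line; the earlier form
  # '[[:print:]*]' was a bracket expression matching a single character.
  sed -n 's/.*URL: \([[:print:]]*\)/\1/p'
}

#######################################
# Remove the SoftHSM2 test configuration created by setup_softhsm and
# restore any configuration file that was saved as a .bak.
# Globals:   UNAME_S (read)
# Outputs:   nothing
# Returns:   0
#######################################
teardown_softhsm() {
  local configdir=~/.config/softhsm2
  local configfile=${configdir}/softhsm2.conf
  local bakconfigfile=${configfile}.bak
  local tokendir=${configdir}/tokens

  case "${UNAME_S}" in
  Darwin*)
    # Only a saved backup is restored; if no pkcs11.conf existed before
    # setup, the generated one is left in place (no backup was made then).
    if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
      sudo rm -f /etc/gnutls/pkcs11.conf
      sudo mv /etc/gnutls/pkcs11.conf.bak \
        /etc/gnutls/pkcs11.conf &>/dev/null
    fi
    ;;
  esac

  if [ -f "$bakconfigfile" ]; then
    mv -- "$bakconfigfile" "$configfile"
  else
    rm -f -- "$configfile"
  fi
  # ':?' aborts instead of running 'rm -rf' on an empty path
  if [ -d "$tokendir" ]; then
    rm -rf -- "${tokendir:?}"
  fi
  return 0
}

#######################################
# Look up the token named $NAME and print the URL(s) of the objects in it.
# Globals:   NAME (read)
# Outputs:   "keyuri: <url>" on stdout on success; diagnostics otherwise
# Returns:   0 on success, 1 on error
#######################################
getkeyuri_softhsm() {
  local msg tokens tokenuri keyuri

  # Capture p11tool on its own so its exit status (not grep's or tail's)
  # decides whether listing failed.
  tokens=$(p11tool --list-tokens 2>&1)
  if [ $? -ne 0 ]; then
    echo "Could not list existing tokens"
    echo "$tokens"
    return 1
  fi
  # If several tokens carry the name, use the last one listed, as
  # setup_softhsm does.
  msg=$(printf '%s\n' "$tokens" | grep "token=${NAME}" | tail -n1)
  tokenuri=$(printf '%s\n' "$msg" | extract_urls)
  if [ -z "$tokenuri" ]; then
    echo "Could not get token URL"
    echo "$msg"
    return 1
  fi

  msg=$(p11tool --list-all "${tokenuri}" 2>&1)
  if [ $? -ne 0 ]; then
    echo "Could not list object under token $tokenuri"
    echo "$msg"
    return 1
  fi
  # Every object URL reported for the token is printed, one per line.
  keyuri=$(printf '%s\n' "$msg" | extract_urls)
  if [ -z "$keyuri" ]; then
    echo "Could not get key URL"
    echo "$msg"
    return 1
  fi
  echo "keyuri: $keyuri"
  return 0
}

#######################################
# Create a per-user SoftHSM2 configuration and a token named $NAME that
# holds the test key; an existing configuration file is saved as .bak.
# On any failure the partial configuration is torn down again.
# Globals:   UNAME_S, NAME, PIN, SO_PIN, MYKEY (read)
# Outputs:   diagnostics on stdout; "keyuri: <url>" on success
# Returns:   0 on success, 1 on error
#######################################
setup_softhsm() {
  local msg tokens tokenuri slot soname
  local configdir=~/.config/softhsm2
  local configfile=${configdir}/softhsm2.conf
  local bakconfigfile=${configfile}.bak
  local tokendir=${configdir}/tokens
  local rc

  case "${UNAME_S}" in
  Darwin*)
    if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
      echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
      return 1
    fi
    # Fails silently when no pkcs11.conf exists yet; teardown then has
    # nothing to restore.
    sudo mv /etc/gnutls/pkcs11.conf \
      /etc/gnutls/pkcs11.conf.bak &>/dev/null
    # Locate the softhsm PKCS#11 module installed by Homebrew; brew is run
    # as the unprivileged 'nobody' user when we are root.
    if [ "$(id -u)" -eq 0 ]; then
      soname="$(sudo -u nobody brew ls --verbose softhsm | grep -E '\.so$')"
    else
      soname="$(brew ls --verbose softhsm | grep -E '\.so$')"
    fi
    if [ -z "$soname" ]; then
      echo "Could not find the softhsm PKCS#11 module with 'brew ls'"
      teardown_softhsm
      return 1
    fi
    sudo mkdir -p /etc/gnutls &>/dev/null
    # Write through tee rather than 'sudo bash -c "echo ... > file"' so the
    # module path is never re-parsed by a shell (the old form also had
    # unbalanced quotes and broke on paths containing spaces).
    printf 'load=%s\n' "${soname}" | sudo tee /etc/gnutls/pkcs11.conf >/dev/null
    ;;
  esac

  mkdir -p -- "$configdir" "$tokendir"
  if [ -f "$configfile" ]; then
    mv -- "$configfile" "$bakconfigfile"
  fi
  # The user's own config (if any) was just moved aside, so write a fresh
  # one pointing at the private token directory.
  cat <<_EOF_ > "$configfile"
directories.tokendir = ${tokendir}
objectstore.backend = file
log.level = DEBUG
slots.removable = false
_EOF_

  # Reuse a token of that name if one already exists; otherwise initialize
  # one and import the test key into it.  p11tool is captured on its own so
  # its exit status is what gets checked.
  tokens=$(p11tool --list-tokens 2>&1)
  if [ $? -ne 0 ]; then
    echo "Could not list existing tokens"
    echo "$tokens"
  fi
  msg=$(printf '%s\n' "$tokens" | grep "token=${NAME}" | tail -n1)
  tokenuri=$(printf '%s\n' "$msg" | extract_urls)
  if [ -z "$tokenuri" ]; then
    # softhsm2-util takes the PINs as command-line options, so they are
    # visible in the process list while it runs; this is a throw-away test
    # token with well-known default PINs, not a production secret.
    msg=$(softhsm2-util \
      --init-token --pin "${PIN}" --so-pin "${SO_PIN}" \
      --free --label "${NAME}" 2>&1)
    if [ $? -ne 0 ]; then
      echo "Could not initialize token"
      echo "$msg"
      teardown_softhsm
      return 1
    fi
    # '--free' lets softhsm pick a slot; it reports the slot the token was
    # reassigned to, which --import needs below.
    slot=$(printf '%s\n' "$msg" | \
      sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p')
    if [ -z "$slot" ]; then
      echo "Could not parse slot number from output."
      echo "$msg"
      teardown_softhsm
      return 1
    fi
    msg=$(softhsm2-util \
      --slot "$slot" --label mykey --id 01 \
      --import <(printf '%s\n' "${MYKEY}") --pin "${PIN}" 2>&1)
    if [ $? -ne 0 ]; then
      echo "Could not import key"
      echo "$msg"
      teardown_softhsm
      return 1
    fi
  fi

  getkeyuri_softhsm
  rc=$?
  if [ $rc -ne 0 ]; then
    teardown_softhsm
  fi
  return $rc
}

#######################################
# Print the command-line help to stdout.
#######################################
usage() {
  cat <<_EOF_
Usage: $0 [command]

Supported commands are:

setup      : Setup the user's account for softhsm and create a token
             and key with a test configuration
getkeyuri  : Get the key's URL; must be called after setup
teardown   : Remove the temporary softhsm test configuration
_EOF_
}

#######################################
# Dispatch the single command given on the command line.
# Arguments: $1 - setup | getkeyuri | teardown
# Returns:   the command's status; 1 for a missing or unknown command
#######################################
main() {
  local ret

  if [ $# -lt 1 ]; then
    usage
    printf 'Missing command.\n\n\n'
    return 1
  fi

  case "$1" in
  setup)
    setup_softhsm
    ret=$?
    ;;
  getkeyuri)
    getkeyuri_softhsm
    ret=$?
    ;;
  teardown)
    teardown_softhsm
    ret=$?
    ;;
  *)
    printf 'Unsupported command: %s\n\n\n' "$1"
    usage
    ret=1
    ;;
  esac
  return $ret
}

main "$@"
exit $?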