On OS X we need to be able to change /etc/gnutls/pkcs11.conf for p11tool to pick up the softhsm pkcs11 module correctly. We need (password-less) sudo to be able to do this. Unfortunately this test case does not run on Travis since Travis seems to require passwords under some circumstances. Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
# This script does not work with softhsm2 2.0.0 but with >= 2.3.0
if [ -z "$(type -P p11tool)" ]; then
|
|
echo "Need p11tool from gnutls"
|
|
exit 77
|
|
fi
|
|
|
|
if [ -z "$(type -P softhsm2-util)" ]; then
|
|
echo "Need softhsm2-util from softhsm2 package"
|
|
exit 77
|
|
fi
# Test-only PKCS#8 private key; setup_softhsm imports it into the softhsm
# token as object "mykey".  It is published with this repository and must
# never be used for anything other than this test.
MYKEY="
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDGjc47VG+btr7L
2JSAV48n+ciZBYehMqUXhfouMm+b1GIV8WLgv3ndiAqO1tYzvS8fH0EtCbVQIJdN
1bhqYFPnKoVdVPqdcU0Z7cQbx5bj6lL8IHujM5e1oQsg6SG0uIJ8pbIauYBC+FiD
HBkvcBmVTi3K3AZtSU0XjBn6WY+pTfnSNS/3OpSZZykaNaW01u11CA4GR771R5Ls
rDWpULavYTqR7+E4tOqcko9mtfg/7jIamfCKda7MAa9Xy2IE/S+y+JGtwccFYeY4
i/n4XFJMGVLf0Q3IWMa4ieMJa3yWafs/m13LomENby8+/lKrXFMv2gJ1u28F0TpR
Rc9/j0M5rYRBVe/7rmQNJrPZn1A7iK/JMTxF3BAQ3OIbdshyeSdfYmKF7zfT3cEW
3ryvhkVCD9JRrXibQ75EsFDVGRGCGYHDrUFvtkgecuQPBLNOGxaMuUMROTOiUmDp
DtynkggCCNxL7KupIO5DtsmieqQ+bsIk4pjNPKfwgkd3njcNIgMCAwEAAQKCAYAM
aNB65MwU71b9ZovheZd46COhbLcNXBz1W2pHeN+A3cVDmdKUOWNkdRwz0TmSAkDv
sQRhzDmIyICsXK8p9ttHl2C+dJE1Rd+Lv1CCa/cCR6LoHx+bE55nu6j2ZZu1r9J3
9+MpyG47wUnG5/qq/Fac/kXeZ+H+8pXe4uK8wtw3uKfke26EBSVEcS4gdTnmE4jD
x70Yp2NH8TE9mYXBD0pbq7f9ZwCsiqIfJwnPYZAibsCy6OwfuzsxhOlwk0WNCkXU
mmPUuA1d6xbqKIfcFZRz4VymRcyGRtKMxrpEjO8XUbaZC2SReEDXBPiMZ54mnLwr
wzGC03fsGiPeMkLfqDSJP+Sjro4B/SnsMkNyV9sf2l4jHkseeZiITlU1r+bYCN9q
R+Lp5p4NM1wb2HR3+qp6WQNKUad1IoOh0CMPBMw6FginvMsUkJv/Fr7WBJLNN90a
jIhmriOy683Mj9JYP48k1KhtoYiPcjTmiiE4l4+N2kjB5DzjJSWLuRxKhi66gAEC
gcEA9/1+gujpN0UKUG84nIEZFq4rYkZ21tLRtsrlr33qxBJXNcKvW8EJvXPOsYm/
1U1u6qgg4xCWvFPyKirF2a/jtqNAzisDTixW++rf4SU175PhMbYvPsWfyPVRXfbQ
bDBhcpHA5JkLIq73taIhd/hj3hIxLfObpyHvb1d+W2ubzd8vIW/Jagj+SwYwvqbB
4SmHqIznHbxiZB4CEQB2p7xXosdteBq6piXqN0e6RXLxYOeQV/meC5tqWCMC55bq
t1J3AoHBAMz3jDkavG6VjpQloRIEMJ4OHwNjajBQZ8gqjKV6V45KxV241KIUMlue
Z3dx6fJgt708DTJbLFBcSKG4+IcuHGvDZTn30aTPTnt42a7FQtCc7r+0KTrLACl5
uH0uL4dNTrpbzoS9rXQYNG3zljCbuhPFxu5qwIeCQpAchIcvwcYWJsXmSu/yQNhA
1IQnZFBG6b2SLMAUKy08U1I0d363OhkEmq8yjfNOvoB+kzF7MIbpyAoZDkuAsop0
xFXfuErj1QKBwHa+rhZXGlz5tR+gshXWh0Hh8iojnYHt/rctXl/yxjhOo+29JCSm
QVizHDTMxcuIQWUhTmYLqnHRLHLeelBrNXldoIlX9UQ4XQpRhBQVskbeo4UfPG4t
SP574RNCPLihTfgDLL8JPVjFOR2C3c3JZWCPi3b6X/zedfz1gy6ZT0h75uB225Xn
aoRYGX0g8lMzhJ7DoWMOsnpIGCs18psMx1XNcnCBNACcxRLlSJ86k7QYDXjisLfU
Gk7LrPdhv1A6rwKBwQC1osXbsQq9QMG6HWKQka/30PHA0e+/YvGlW7eJyVIf4bjn
ZizgeN9re4ObQRKd3QHWq4nSTyOFD1K6Ji3vtXgwM1bYOPnKgH+/QYg+rcaZEgkt
T12eIVlCaACKxkwOLf8PfN4VmfVFRVHpAgzdhJMwhHrWuzlknJWaGfuDxVmFzgmM
JJnR6y91tHXfqvzlewIWIZyQlw7wJl58IcynOX49v2vIyBctP2HogsKz/cQyOqgv
8qZNWH5f3jxDEV/C1gUCgcEA7m9imZn3RIM5J3mqz2JKdbpobh7N9ulCGIOkGDHo
1oumVO+D1eSObUDE684keyiSyERlnpQuGZjkbF5585cF+gEXWsxxOHKKZC3CiRFK
fCgMJtm7S4E5V2B+fTnCFwMK4IBFrTagpVVe9/bTABvaqu3TDlAslGyXBS8ilmz6
1eRfFRe1aXiqpfm8pB0mH5sALS0EjHu87saAyf2vq7BEZA0NJO/QVhZZI/0tFR8B
ifNpEJG5p2K2AKnYFw6Dt49S
-----END PRIVATE KEY-----"
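# Label of the softhsm token created by 'setup'; the token is found again
# by searching p11tool's output for "token=${NAME}".
NAME=swtpm-test
# Test-only PINs; both may be overridden from the environment.
PIN=${PIN:-1234}
SO_PIN=${SO_PIN:-1234}

UNAME_S="$(uname -s)"

case "${UNAME_S}" in
Darwin*)
  # setup_softhsm rewrites /etc/gnutls/pkcs11.conf through sudo, so
  # password-less sudo is probed up front.  The status is tested directly
  # (the result used to be captured into a variable that was never read);
  # sudo's own diagnostics stay on stderr.
  if ! sudo -v -n; then
    echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
    exit 1
  fi
  ;;
esac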
#######################################
# Undo what setup_softhsm created: put a saved softhsm2.conf back (or
# delete the generated one), delete the token directory and, on OS X,
# restore the saved /etc/gnutls/pkcs11.conf.
# Globals:   UNAME_S (read)
# Arguments: none
# Returns:   always 0
#######################################
teardown_softhsm() {
  local -r configdir=~/.config/softhsm2
  local -r configfile=${configdir}/softhsm2.conf
  local -r bakconfigfile=${configfile}.bak
  local -r tokendir=${configdir}/tokens

  # Only an existing backup shows that setup replaced the system file;
  # without one the file is left alone.
  if [[ "${UNAME_S}" == Darwin* && -f /etc/gnutls/pkcs11.conf.bak ]]; then
    sudo rm -f /etc/gnutls/pkcs11.conf
    sudo mv /etc/gnutls/pkcs11.conf.bak /etc/gnutls/pkcs11.conf &>/dev/null
  fi

  # A saved user configuration is restored; otherwise the generated
  # file is removed.
  if [[ -f "${bakconfigfile}" ]]; then
    mv "${bakconfigfile}" "${configfile}"
  else
    rm -f "${configfile}"
  fi

  [[ -d "${tokendir}" ]] && rm -rf "${tokendir}"

  return 0
}
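#######################################
# Create a throw-away softhsm2 setup for the current user: a private
# softhsm2.conf (an existing one is saved as .bak), a token labelled
# ${NAME} and the test key imported into it as "mykey".  On OS X the
# system /etc/gnutls/pkcs11.conf is saved and replaced (via sudo) by one
# that loads the brew-installed softhsm module so that p11tool finds it.
# Globals:   NAME, PIN, SO_PIN, MYKEY, UNAME_S (read); SONAME (written)
# Arguments: none
# Outputs:   diagnostics on stdout; on success the key URL, printed by
#            getkeyuri_softhsm
# Returns:   0 on success, 1 on error.  A failure in getkeyuri_softhsm
#            tears the setup down again; earlier failures do not.
#######################################
setup_softhsm() {
  local msg tokenuri slot
  local configdir=~/.config/softhsm2
  local configfile=${configdir}/softhsm2.conf
  local bakconfigfile=${configfile}.bak
  local tokendir=${configdir}/tokens
  local rc

  case "${UNAME_S}" in
  Darwin*)
    if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
      echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
      return 1
    fi
    # If there is no pkcs11.conf to save, the mv fails silently and
    # teardown_softhsm (which only acts when a .bak exists) leaves the
    # file written below in place.
    sudo mv /etc/gnutls/pkcs11.conf \
            /etc/gnutls/pkcs11.conf.bak &>/dev/null
    SONAME="$(brew ls --verbose softhsm | grep -E "\.so$")"
    # Pass the module path to the privileged process as data instead of
    # embedding it in a 'bash -c' command string; the previous form also
    # had mismatched quotes around load=... and relied on the path
    # containing no whitespace.
    printf 'load=%s\n' "${SONAME}" \
      | sudo tee /etc/gnutls/pkcs11.conf >/dev/null
    ;;
  esac

  # mkdir -p creates ${configdir} on the way.
  if ! mkdir -p "${tokendir}"; then
    echo "Could not create ${tokendir}"
    return 1
  fi

  # Preserve a pre-existing user configuration for teardown_softhsm to
  # restore; if it cannot be moved aside it must not be overwritten.
  if [ -f "${configfile}" ]; then
    if ! mv "${configfile}" "${bakconfigfile}"; then
      echo "Could not back up ${configfile}"
      return 1
    fi
  fi

  cat <<_EOF_ > "${configfile}"
directories.tokendir = ${tokendir}
objectstore.backend = file
log.level = DEBUG
slots.removable = false
_EOF_

  # Look for a token left over from an earlier run.  Only p11tool's own
  # failure is reported (and is not fatal); a missing token simply leaves
  # tokenuri empty.  The sed expression captures the rest of the "URL:"
  # line (the previous "[[:print:]*]" was a one-character bracket
  # expression that only worked because the match was unanchored).
  if ! msg=$(p11tool --list-tokens 2>&1); then
    echo "Could not list existing tokens"
    echo "$msg"
  fi
  tokenuri=$(printf '%s\n' "$msg" | grep -F -- "token=${NAME}" | tail -n1 \
             | sed -n 's/.*URL: \([[:print:]]*\)/\1/p')

  if [ -z "$tokenuri" ]; then
    # NOTE: the PINs are passed on the command line and are therefore
    # visible in the process list; acceptable only because they are
    # test-only values.
    if ! msg=$(softhsm2-util \
                 --init-token --pin "${PIN}" --so-pin "${SO_PIN}" \
                 --free --label "${NAME}" 2>&1); then
      echo "Could not initialize token"
      echo "$msg"
      return 1
    fi

    # softhsm2-util reports "... reassigned to slot N"; the key must be
    # imported into that slot.
    slot=$(printf '%s\n' "$msg" \
           | sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p')
    if [ -z "$slot" ]; then
      echo "Could not parse slot number from output."
      echo "$msg"
      return 1
    fi

    # The key is handed over through a process substitution rather than
    # a temporary file.
    if ! msg=$(softhsm2-util \
                 --slot "$slot" --label mykey --id 01 \
                 --import <(printf '%s\n' "${MYKEY}") --pin "${PIN}" 2>&1); then
      echo "Could not import key"
      echo "$msg"
      return 1
    fi
  fi

  getkeyuri_softhsm
  rc=$?

  if [ "$rc" -ne 0 ]; then
    teardown_softhsm
  fi

  return "$rc"
}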
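#######################################
# Print the PKCS#11 URL of the key stored in the ${NAME} token.
# Globals:   NAME (read)
# Arguments: none
# Outputs:   "keyuri: <url>" on success, diagnostics otherwise (stdout)
# Returns:   0 on success, 1 if the token or its objects cannot be listed
#######################################
getkeyuri_softhsm() {
  local msg tokenuri keyuri

  # grep's status drives the check, so a token that is not listed is
  # reported the same way as a failed listing.
  if ! msg=$(p11tool --list-tokens 2>&1 | grep -F -- "token=${NAME}"); then
    echo "Could not list existing tokens"
    echo "$msg"
    return 1
  fi
  # Capture the rest of the "URL:" line.  The previous "[[:print:]*]" was
  # a one-character bracket expression that only yielded the full URL
  # because the match was unanchored.
  tokenuri=$(printf '%s\n' "$msg" | sed -n 's/.*URL: \([[:print:]]*\)/\1/p')
  if [ -z "$tokenuri" ]; then
    echo "Could not get token URL"
    echo "$msg"
    return 1
  fi

  if ! msg=$(p11tool --list-all "${tokenuri}" 2>&1); then
    echo "Could not list object under token $tokenuri"
    echo "$msg"
    return 1
  fi

  # NOTE(review): one URL is extracted per listed object; should the token
  # ever hold more than the imported key, keyuri spans several lines --
  # confirm against the callers.
  keyuri=$(printf '%s\n' "$msg" | sed -n 's/.*URL: \([[:print:]]*\)/\1/p')
  if [ -z "$keyuri" ]; then
    echo "Could not get key URL"
    echo "$msg"
    return 1
  fi
  echo "keyuri: $keyuri"
  return 0
}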
#######################################
# Print the command synopsis to stdout.  Any arguments are ignored; the
# program name is taken from $0.
#######################################
usage() {
  printf 'Usage: %s [command]\n\n' "$0"
  printf '%s\n' \
    "Supported commands are:" \
    "" \
    "setup     : Setup the user's account for softhsm and create a" \
    "            token and key with a test configuration" \
    "" \
    "getkeyuri : Get the key's URL; must be called after setup" \
    "" \
    "teardown  : Remove the temporary softhsm test configuration" \
    ""
}
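#######################################
# Command dispatcher.
# Arguments: $1 - one of setup, getkeyuri, teardown
# Outputs:   usage text on a missing or unknown command (stdout)
# Returns:   the status of the selected command; 1 on a missing or
#            unknown command
#######################################
main() {
  local ret

  if [ $# -lt 1 ]; then
    usage "$0"
    # printf instead of 'echo -e': same three newlines, no escape
    # interpretation of the text.
    printf 'Missing command.\n\n\n'
    return 1
  fi

  case "$1" in
  setup)
    setup_softhsm
    ret=$?
    ;;
  getkeyuri)
    getkeyuri_softhsm
    ret=$?
    ;;
  teardown)
    teardown_softhsm
    ret=$?
    ;;
  *)
    # The command name is user input; %s prints it verbatim, whereas
    # 'echo -e' interpreted backslash escapes inside it.
    printf 'Unsupported command: %s\n\n\n' "$1"
    usage "$0"
    ret=1
    ;;
  esac

  return "$ret"
}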
# Run the dispatcher and make its status the script's exit status.
rc=0
main "$@" || rc=$?
exit "$rc"