[3f00958] | 1 | #!/bin/bash |
---|
| 2 | |
---|
| 3 | # Initialize the SoftHSM token with the given label |
---|
| 4 | function init_token |
---|
| 5 | { |
---|
| 6 | local token_label="${1}" |
---|
| 7 | |
---|
| 8 | ${softhsm} --init-token --slot 0 --label "${token_label}" \ |
---|
| 9 | --so-pin "${so_pin}" --pin "${GNUTLS_PIN}" |
---|
| 10 | } |
---|
| 11 | |
---|
| 12 | # Put a private key into the token with the given label |
---|
| 13 | function store_privkey |
---|
| 14 | { |
---|
| 15 | local token="${1}" |
---|
| 16 | local keyfile="${2}" |
---|
| 17 | local label="${3}" |
---|
| 18 | |
---|
[5eb4544] | 19 | p11tool --provider=${SOFTHSM_LIB} --login --write --label "${label}" \ |
---|
[3f00958] | 20 | --load-privkey "${keyfile}" "${token}" |
---|
| 21 | } |
---|
| 22 | |
---|
| 23 | # Put a certificate into the token with the given label |
---|
| 24 | function store_cert |
---|
| 25 | { |
---|
| 26 | local token="${1}" |
---|
| 27 | local certfile="${2}" |
---|
| 28 | local label="${3}" |
---|
| 29 | |
---|
[5eb4544] | 30 | p11tool --provider=${SOFTHSM_LIB} --login --write --no-mark-private \ |
---|
[3f00958] | 31 | --label "${label}" --load-certificate "${certfile}" "${token}" |
---|
| 32 | } |
---|
| 33 | |
---|
| 34 | # Get the URL of the SoftHSM token |
---|
| 35 | function get_token_url |
---|
| 36 | { |
---|
| 37 | local label="${1}" |
---|
[5eb4544] | 38 | p11tool --provider=${SOFTHSM_LIB} --list-tokens | \ |
---|
[3f00958] | 39 | grep -o -P "(?<=URL:\s)(.*token=${label}.*)$" |
---|
| 40 | } |
---|
| 41 | |
---|
| 42 | # Get the PKCS #11 URL for the object with the given name |
---|
| 43 | # Usage: get_object_url TOKEN OBJECTNAME |
---|
| 44 | function get_object_url |
---|
| 45 | { |
---|
[5eb4544] | 46 | p11tool --provider=${SOFTHSM_LIB} --list-all --login "${1}" | \ |
---|
[3f00958] | 47 | grep -o -P "(?<=URL:\s)(.*object=${2}.*)$" |
---|
| 48 | } |
---|
| 49 | |
---|
| 50 | # Initialize the token and store the given key and certificate |
---|
| 51 | # Usage: prepare_token TOKEN_LABEL PRIVKEY CERTIFICATE |
---|
| 52 | function prepare_token |
---|
| 53 | { |
---|
| 54 | local token_label="${1}" |
---|
| 55 | local privkey="${2}" |
---|
| 56 | local certificate="${3}" |
---|
| 57 | |
---|
| 58 | init_token "${token_label}" |
---|
| 59 | token=$(get_token_url ${token_label}) |
---|
| 60 | store_privkey "${token}" "${privkey}" "${key_label}" |
---|
| 61 | store_cert "${token}" "${certificate}" "${cert_label}" |
---|
| 62 | } |
---|
| 63 | |
---|
| 64 | |
---|
| 65 | |
---|
| 66 | # try to find SoftHSM |
---|
[5eb4544] | 67 | softhsm="$(basename ${SOFTHSM})" |
---|
| 68 | |
---|
| 69 | if [ "${softhsm}" = "softhsm" ]; then |
---|
| 70 | softhsm_libname="libsofthsm.so" |
---|
| 71 | # fail if SOFTHSM_CONF is not set |
---|
| 72 | if [ -z "${SOFTHSM_CONF}" ]; then |
---|
| 73 | echo "ERROR: SOFTHSM_CONF not set!" 1>&2 |
---|
| 74 | exit 1 |
---|
| 75 | else |
---|
| 76 | export SOFTHSM_CONF |
---|
| 77 | fi |
---|
| 78 | echo "using SOFTHSM_CONF=\"${SOFTHSM_CONF}\"" |
---|
| 79 | elif [ "${softhsm}" = "softhsm2-util" ]; then |
---|
| 80 | softhsm_libname="libsofthsm2.so" |
---|
| 81 | # fail if SOFTHSM2_CONF is not set |
---|
| 82 | if [ -z "${SOFTHSM2_CONF}" ]; then |
---|
| 83 | echo "ERROR: SOFTHSM2_CONF not set!" 1>&2 |
---|
| 84 | exit 1 |
---|
| 85 | else |
---|
| 86 | export SOFTHSM2_CONF |
---|
| 87 | fi |
---|
| 88 | else |
---|
| 89 | # no SoftHSM |
---|
| 90 | echo "No SoftHSM!" >&2 |
---|
| 91 | exit 77 |
---|
| 92 | fi |
---|
| 93 | |
---|
[aeaf28b] | 94 | if [ -z "${SOFTHSM_LIB}" ]; then |
---|
| 95 | # Try to find the libsofthsm[2] module in some common locations. |
---|
| 96 | softhsm_searchpath=(/usr/lib64/pkcs11 /usr/lib/softhsm /usr/lib/x86_64-linux-gnu/softhsm /usr/lib /usr/lib64/softhsm) |
---|
| 97 | for i in ${softhsm_searchpath[@]} ""; do |
---|
| 98 | SOFTHSM_LIB="${i}/${softhsm_libname}" |
---|
| 99 | echo "checking ${SOFTHSM_LIB} ..." |
---|
| 100 | if [ -f "${SOFTHSM_LIB}" ]; then |
---|
| 101 | echo "found!" |
---|
| 102 | export SOFTHSM_LIB |
---|
| 103 | break; |
---|
| 104 | fi |
---|
| 105 | done |
---|
| 106 | else |
---|
| 107 | echo "using ${SOFTHSM_LIB} (set by user)" |
---|
| 108 | fi |
---|
[5eb4544] | 109 | |
---|
| 110 | if [ ! -f "${SOFTHSM_LIB}" ]; then |
---|
| 111 | echo "${softhsm_libname} not found!" >&2 |
---|
| 112 | exit 77 |
---|
| 113 | fi |
---|
[3f00958] | 114 | |
---|
| 115 | case "${1}" in |
---|
| 116 | (init) |
---|
| 117 | init="true" |
---|
| 118 | # If SoftHSM is not available, there's nothing to init. Just |
---|
| 119 | # exit. |
---|
| 120 | if [ -z "${softhsm}" ]; then |
---|
| 121 | echo "SoftHSM not found, PKCS #11 test(s) will be skipped." |
---|
| 122 | exit 0 |
---|
| 123 | fi |
---|
| 124 | ;; |
---|
| 125 | (*) |
---|
| 126 | # Skip the test case if SoftHSM is not available. |
---|
| 127 | if [ -z "${softhsm}" ]; then |
---|
| 128 | echo "SoftHSM not found, skipping test." |
---|
| 129 | exit 77 |
---|
| 130 | fi |
---|
| 131 | ;; |
---|
| 132 | esac |
---|
| 133 | |
---|
| 134 | set -e |
---|
| 135 | |
---|
| 136 | # variables for token configuration |
---|
| 137 | token_label="mod_gnutls-test" |
---|
| 138 | so_pin="123456" |
---|
| 139 | export GNUTLS_PIN="1234" |
---|
| 140 | key_label="privkey" |
---|
| 141 | cert_label="certificate" |
---|
| 142 | |
---|
| 143 | if [ "${init}" = "true" ]; then |
---|
| 144 | prepare_token "${token_label}" "${2}" "${3}" |
---|
| 145 | exit 0 |
---|
| 146 | fi |
---|
| 147 | |
---|
| 148 | token=$(get_token_url ${token_label}) |
---|
| 149 | |
---|
| 150 | # environment variables for the Apache configuration |
---|
| 151 | export P11_KEY_URL="$(get_object_url ${token} ${key_label})" |
---|
| 152 | export P11_CERT_URL="$(get_object_url ${token} ${cert_label})" |
---|
| 153 | export P11_PIN="${GNUTLS_PIN}" |
---|