#!/bin/sh

#

# This script will initialise token storage of softhsm PKCS11 provider

# in custom location. Is useful to store tokens in non-standard location.

#

# Output can be evaluated from bash, it will prepare it for usage of temporary tokens.

# Quotes around eval are mandatory!

# Recommended use:

# eval "$(bash setup-named-softhsm.sh -A)"

#

SOFTHSM2_CONF="$1"

TOKENPATH="$2"

GROUPNAME="$3"

# Do not use this script for real keys worth protection

# This is intended for crypto accelerators using PKCS11 interface.

# Uninitialized token would fail any crypto operation.

PIN=1234

SO_PIN=1234

LABEL=rpm

set -e

echo_i()

{

	echo "#" $@

}

random()

{

	if [ -x "$(which openssl 2>/dev/null)" ]; then

		openssl rand -base64 $1

	else

		dd if=/dev/urandom bs=1c count=$1 | base64

	fi

}

usage()

{

	echo "Usage: $0 -A [token directory] [group]"

	echo "   or: $0 <config file> <token directory> [group]"

}

if [ "$SOFTHSM2_CONF" = "-A" -a -z "$TOKENPATH" ]; then

	TOKENPATH=$(mktemp -d /var/tmp/softhsm-XXXXXX)

fi

if [ -z "$SOFTHSM2_CONF" -o -z "$TOKENPATH" ]; then

	usage >&2

	exit 1

fi

if [ "$SOFTHSM2_CONF" = "-A" ]; then

	# Automagic mode instead

	MODE=secure

	SOFTHSM2_CONF="$TOKENPATH/softhsm2.conf"

	PIN_SOURCE="$TOKENPATH/pin"

	SOPIN_SOURCE="$TOKENPATH/so-pin"

	TOKENPATH="$TOKENPATH/tokens"

else

	MODE=legacy

fi

[ -d "$TOKENPATH" ] || mkdir -p "$TOKENPATH"

umask 0022

if ! [ -f "$SOFTHSM2_CONF" ]; then

cat  << SED > "$SOFTHSM2_CONF"

# SoftHSM v2 configuration file

directories.tokendir = ${TOKENPATH}

objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG

log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set

slots.removable = false

SED

else

	echo_i "Config file $SOFTHSM2_CONF already exists" >&2

fi

if [ -n "$PIN_SOURCE" ]; then

	touch "$PIN_SOURCE" "$SOPIN_SOURCE"

	chmod 0600 "$PIN_SOURCE" "$SOPIN_SOURCE"

	if [ -n "$GROUPNAME" ]; then

		chgrp "$GROUPNAME" "$PIN_SOURCE" "$SOPIN_SOURCE"

		chmod g+r "$PIN_SOURCE" "$SOPIN_SOURCE"

	fi

fi

export SOFTHSM2_CONF

if softhsm2-util --show-slots | grep 'Initialized:[[:space:]]*yes' > /dev/null

then

	echo_i "Token in ${TOKENPATH} is already initialized" >&2

	[ -f "$PIN_SOURCE" ] && PIN=$(cat "$PIN_SOURCE")

	[ -f "$SOPIN_SOURCE" ] && SO_PIN=$(cat "$SOPIN_SOURCE")

else

	PIN=$(random 6)

	SO_PIN=$(random 18)

	if [ -n "$PIN_SOURCE" ]; then

		echo -n "$PIN" > "$PIN_SOURCE"

		echo -n "$SO_PIN" > "$SOPIN_SOURCE"

	fi

	echo_i "Initializing tokens to ${TOKENPATH}..."

	softhsm2-util --init-token --free --label "$LABEL" --pin "$PIN" --so-pin "$SO_PIN" | sed -e 's/^/# /'

	if [ -n "$GROUPNAME" ]; then

		chgrp -R -- "$GROUPNAME" "$TOKENPATH"

		chmod -R -- g=rX,o= "$TOKENPATH"

	fi

fi

echo "export SOFTHSM2_CONF=\"$SOFTHSM2_CONF\""

echo "export PIN_SOURCE=\"$PIN_SOURCE\""

echo "export SOPIN_SOURCE=\"$SOPIN_SOURCE\""

# These are intentionaly not exported

echo "PIN=\"$PIN\""

echo "SO_PIN=\"$SO_PIN\""