#!/usr/bin/env bash
# For the license, see the LICENSE file in the root directory.
# This script does not work with softhsm2 2.0.0; it requires softhsm2 >= 2.3.0
# Both helpers are mandatory; exit 77 ("skip") rather than fail when absent.
if ! type -P p11tool >/dev/null; then
  echo "Need p11tool from gnutls"
  exit 77
fi
if ! type -P softhsm2-util >/dev/null; then
  echo "Need softhsm2-util from softhsm2 package"
  exit 77
fi
MYKEY="
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"
# Test-only token name and PINs; PIN / SO_PIN may be overridden from the
# environment.
NAME=swtpm-test
PIN=${PIN:-1234}
SO_PIN=${SO_PIN:-1234}
UNAME_S="$(uname -s)"

# On macOS the setup rewrites /etc/gnutls/pkcs11.conf, which needs
# non-interactive sudo; bail out early if that is not available.
if [[ "${UNAME_S}" == Darwin ]] && ! sudo -v -n >/dev/null; then
  echo "Need password-less sudo rights on OS X to change /etc/gnutls/pkcs11.conf"
  exit 1
fi
#######################################
# Undo setup_softhsm: restore the user's softhsm2.conf from its .bak (or
# delete the generated one), drop the token directory and, on macOS, put
# the saved /etc/gnutls/pkcs11.conf back.
# NOTE: not idempotent - a second call finds no .bak and removes whatever
# softhsm2.conf is present, including a just-restored original.
# Globals:   UNAME_S (read)
# Arguments: none
# Returns:   always 0
#######################################
teardown_softhsm() {
  local cfgdir=~/.config/softhsm2
  local cfg=${cfgdir}/softhsm2.conf
  local bak=${cfg}.bak
  local tokens=${cfgdir}/tokens

  # macOS only: the .bak is created by setup_softhsm.
  if [[ "${UNAME_S}" == Darwin* ]] && [ -f /etc/gnutls/pkcs11.conf.bak ]; then
    sudo rm -f /etc/gnutls/pkcs11.conf
    sudo mv /etc/gnutls/pkcs11.conf.bak /etc/gnutls/pkcs11.conf &>/dev/null
  fi

  if [ -f "$bak" ]; then
    mv "$bak" "$cfg"
  else
    rm -f "$cfg"
  fi

  [ -d "$tokens" ] && rm -rf "${tokens}"
  return 0
}
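#######################################
# Create a throw-away softhsm2 configuration for the current user,
# initialise a token named ${NAME} and import the test key into it.
# On macOS /etc/gnutls/pkcs11.conf is replaced by one that loads the
# brew-installed SoftHSM module; the original is kept as .bak.
# Globals:   UNAME_S, NAME, PIN, SO_PIN, MYKEY (read)
# Arguments: none
# Outputs:   diagnostics on stdout; "keyuri: <url>" via getkeyuri_softhsm
# Returns:   0 on success, 1 on failure; the configuration is torn down
#            only when the final key lookup fails
#######################################
setup_softhsm() {
  local msg tokenuri slot soname rc
  local configdir=~/.config/softhsm2
  local configfile=${configdir}/softhsm2.conf
  local bakconfigfile=${configfile}.bak
  local tokendir=${configdir}/tokens

  case "${UNAME_S}" in
  Darwin*)
    if [ -f /etc/gnutls/pkcs11.conf.bak ]; then
      echo "/etc/gnutls/pkcs11.conf.bak already exists; need to 'teardown' first"
      return 1
    fi
    # Locate SoftHSM's PKCS#11 module before touching any system file, so
    # a missing module leaves nothing behind to restore.
    if [ "$(id -u)" -eq 0 ]; then
      soname="$(sudo -u nobody brew ls --verbose softhsm | grep '\.so$')"
    else
      soname="$(brew ls --verbose softhsm | grep '\.so$')"
    fi
    if [ -z "$soname" ]; then
      echo "Could not find the softhsm PKCS#11 module (.so) via brew"
      return 1
    fi
    # Best effort: pkcs11.conf may not exist yet, hence the ignored error.
    sudo mv /etc/gnutls/pkcs11.conf /etc/gnutls/pkcs11.conf.bak &>/dev/null
    sudo mkdir -p /etc/gnutls &>/dev/null
    # tee writes the module path verbatim, even if it contains spaces.
    printf 'load=%s\n' "$soname" | sudo tee /etc/gnutls/pkcs11.conf >/dev/null
    ;;
  esac

  # tokendir lives below configdir, so a single mkdir -p creates both.
  mkdir -p "${tokendir}"
  # Preserve the user's own config; teardown_softhsm moves it back.
  if [ -f "$configfile" ]; then
    mv "$configfile" "$bakconfigfile"
  fi
  if ! [ -f "$configfile" ]; then
    cat <<_EOF_ > "$configfile"
directories.tokendir = ${tokendir}
objectstore.backend = file
log.level = DEBUG
slots.removable = false
_EOF_
  fi

  # Look for a leftover token with our name. p11tool's exit status is
  # taken before the grep/tail pipeline, which would otherwise mask it.
  if ! msg=$(p11tool --list-tokens 2>&1); then
    echo "Could not list existing tokens"
    echo "$msg"
  fi
  msg=$(grep -F -- "token=${NAME}" <<<"$msg" | tail -n1)
  tokenuri=$(sed -n 's/.*URL: \([[:print:]]*\)/\1/p' <<<"$msg")
  if [ -z "$tokenuri" ]; then
    # NOTE: the PINs are passed as arguments and are therefore visible in
    # the process list; they are test-only defaults (see top of file).
    if ! msg=$(softhsm2-util \
        --init-token --pin "${PIN}" --so-pin "${SO_PIN}" \
        --free --label "${NAME}" 2>&1); then
      echo "Could not initialize token"
      echo "$msg"
      return 1
    fi
    slot=$(sed -n 's/.* reassigned to slot \([0-9]*\)$/\1/p' <<<"$msg")
    if [ -z "$slot" ]; then
      echo "Could not parse slot number from output."
      echo "$msg"
      return 1
    fi
    # The key is fed through a process substitution so it never hits disk.
    if ! msg=$(softhsm2-util \
        --slot "$slot" --label mykey --id 01 \
        --import <(printf '%s\n' "${MYKEY}") --pin "${PIN}" 2>&1); then
      echo "Could not import key"
      echo "$msg"
      return 1
    fi
  fi

  getkeyuri_softhsm
  rc=$?
  if [ $rc -ne 0 ]; then
    teardown_softhsm
  fi
  return $rc
}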
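#######################################
# Print the PKCS#11 URL of the key stored in the ${NAME} token.
# Globals:   NAME (read)
# Arguments: none
# Outputs:   "keyuri: <url>" on stdout; diagnostics on stdout on failure
# Returns:   0 on success, 1 if the token or key cannot be found
#######################################
getkeyuri_softhsm() {
  local msg tokenuri keyuri

  # Take p11tool's status on its own; behind a pipe only grep's status
  # would be visible and a missing token would read as a listing failure.
  if ! msg=$(p11tool --list-tokens 2>&1); then
    echo "Could not list existing tokens"
    echo "$msg"
    return 1
  fi
  # Keep a single URL (last match) so --list-all gets exactly one argument.
  tokenuri=$(grep -F -- "token=${NAME}" <<<"$msg" | tail -n1 \
    | sed -n 's/.*URL: \([[:print:]]*\)/\1/p')
  if [ -z "$tokenuri" ]; then
    echo "Could not get token URL"
    echo "$msg"
    return 1
  fi

  if ! msg=$(p11tool --list-all "${tokenuri}" 2>&1); then
    echo "Could not list object under token $tokenuri"
    echo "$msg"
    return 1
  fi
  keyuri=$(sed -n 's/.*URL: \([[:print:]]*\)/\1/p' <<<"$msg")
  if [ -z "$keyuri" ]; then
    echo "Could not get key URL"
    echo "$msg"
    return 1
  fi

  echo "keyuri: $keyuri"
  return 0
}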
#######################################
# Print the command summary.
# Arguments: none (any are ignored)
# Outputs:   usage text on stdout
#######################################
usage() {
  printf '%s\n' \
    "Usage: $0 [command]" \
    "Supported commands are:" \
    "setup : Setup the user's account for softhsm and create a" \
    "token and key with a test configuration" \
    "getkeyuri : Get the key's URL; must be called after setup" \
    "teardown : Remove the temporary softhsm test configuration"
}
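#######################################
# Dispatch on the single command argument.
# Arguments: $1 - setup | getkeyuri | teardown
# Outputs:   usage text on stdout when the command is missing or unknown
# Returns:   the command's status; 1 for a missing or unknown command
#######################################
main() {
  local ret

  if [ $# -lt 1 ]; then
    usage
    printf 'Missing command.\n\n\n'
    return 1
  fi

  case "$1" in
  setup)
    setup_softhsm
    ret=$?
    ;;
  getkeyuri)
    getkeyuri_softhsm
    ret=$?
    ;;
  teardown)
    teardown_softhsm
    ret=$?
    ;;
  *)
    # %s prints the argument literally; echo -e would interpret escapes in it.
    printf 'Unsupported command: %s\n\n\n' "$1"
    usage
    ret=1
    ;;
  esac
  return $ret
}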
# A bare exit propagates the status of the last command, i.e. main's.
main "$@"
exit