Add -verbose flag, implement config options

cmd/signer/main.go

@@ -21,18 +21,18 @@ const (
 
 func main() {
 	var (
-		showVersion      bool
-		signerConfigFile string
-		setupMode        bool
+		showVersion, setupMode, verbose bool
+		signerConfigFile                string
 	)
 
-	log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile | log.LUTC)
+	log.SetFlags(log.Ldate | log.Lmicroseconds | log.LUTC)
 
 	log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)
 
 	flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file")
 	flag.BoolVar(&showVersion, "version", false, "show version")
 	flag.BoolVar(&setupMode, "setup", false, "setup mode")
+	flag.BoolVar(&verbose, "verbose", false, "verbose output")
 
 	flag.Parse()
 
@@ -45,16 +45,24 @@ func main() {
 		log.Fatalf("could not open singer configuration file %s: %v", signerConfigFile, err)
 	}
 
+	opts := make([]hsm.ConfigOption, 0)
+
 	caConfig, err := config.LoadConfiguration(configFile)
 	if err != nil {
 		log.Fatalf("could not load CA hierarchy: %v", err)
 	}
+	opts = append(opts, hsm.CaConfigOption(caConfig))
 
 	if setupMode {
 		log.Print("running in setup mode")
+		opts = append(opts, hsm.SetupModeOption())
 	}
 
-	ctx := hsm.SetupContext(caConfig, setupMode)
+	if verbose {
+		opts = append(opts, hsm.VerboseLoggingOption())
+	}
+
+	ctx := hsm.SetupContext(opts...)
 
 	err = hsm.EnsureCAKeysAndCertificates(ctx)
 	if err != nil {

pkg/hsm/context.go

@@ -14,28 +14,67 @@ const (
 	ctxP11Contexts ctxKey = iota
 	ctxSetupMode
 	ctxSignerConfig
+	ctxVerboseLogging
 )
 
+type ConfigOption func(ctx context.Context) context.Context
+
+func CaConfigOption(signerConfig *config.SignerConfig) func(context.Context) context.Context {
+	return func(ctx context.Context) context.Context {
+		return context.WithValue(ctx, ctxSignerConfig, signerConfig)
+	}
+}
+
+func SetupModeOption() func(context.Context) context.Context {
+	return func(ctx context.Context) context.Context {
+		return context.WithValue(ctx, ctxSetupMode, true)
+	}
+}
+
+func VerboseLoggingOption() func(ctx context.Context) context.Context {
+	return func(ctx context.Context) context.Context {
+		return context.WithValue(ctx, ctxVerboseLogging, true)
+	}
+}
+
 // SetupContext sets global context for HSM operations.
-func SetupContext(
-	signerConfig *config.SignerConfig,
-	setupMode bool,
-) context.Context {
+func SetupContext(options ...ConfigOption) context.Context {
 	ctx := context.Background()
 
 	ctx = context.WithValue(ctx, ctxP11Contexts, make(map[string]*crypto11.Context))
-	ctx = context.WithValue(ctx, ctxSignerConfig, signerConfig)
-	ctx = context.WithValue(ctx, ctxSetupMode, setupMode)
+
+	for _, opt := range options {
+		ctx = opt(ctx)
+	}
 
 	return ctx
 }
 
 func GetSignerConfig(ctx context.Context) *config.SignerConfig {
-	return ctx.Value(ctxSignerConfig).(*config.SignerConfig)
+	signerConfig, ok := ctx.Value(ctxSignerConfig).(*config.SignerConfig)
+	if !ok {
+		return nil
+	}
+
+	return signerConfig
 }
 
 func IsSetupMode(ctx context.Context) bool {
-	return ctx.Value(ctxSetupMode).(bool)
+	setupMode, ok := ctx.Value(ctxSetupMode).(bool)
+	if !ok {
+		return false
+	}
+
+	return setupMode
+}
+
+func IsVerbose(ctx context.Context) bool {
+	verbose, ok := ctx.Value(ctxVerboseLogging).(bool)
+	if !ok {
+		return false
+	}
+
+	return verbose
 }
 
 func GetP11Context(ctx context.Context, entry *config.CaCertificateEntry) (*crypto11.Context, error) {

pkg/hsm/setup.go

@@ -16,12 +16,18 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error {
 			return err
 		}
 
-		log.Printf("got root CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
-			crt.Subject,
-			crt.Issuer,
-			crt.NotBefore,
-			crt.NotAfter,
-			crt.SerialNumber)
+		if IsVerbose(ctx) {
+			log.Printf(
+				"found root CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
+				label,
+				crt.Subject,
+				crt.Issuer,
+				crt.NotBefore,
+				crt.NotAfter,
+				crt.SerialNumber)
+		} else {
+			log.Printf("found root CA certificate %s: %s", label, crt.Subject.CommonName)
+		}
 	}
 
 	for _, label = range conf.IntermediaryCAs() {
@@ -30,12 +36,18 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error {
 			return err
 		}
 
-		log.Printf("got intermediary CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
-			crt.Subject,
-			crt.Issuer,
-			crt.NotBefore,
-			crt.NotAfter,
-			crt.SerialNumber)
+		if IsVerbose(ctx) {
+			log.Printf(
+				"found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s",
+				label,
+				crt.Subject,
+				crt.Issuer,
+				crt.NotBefore,
+				crt.NotAfter,
+				crt.SerialNumber)
+		} else {
+			log.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName)
+		}
 	}
 
 	return nil

pkg/hsm/storage.go

@@ -46,7 +46,11 @@ func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Contex
 }
 
 func getPin(p11Config *crypto11.Config) (string, error) {
-	tokenPinEnv := fmt.Sprintf("TOKEN_PIN_%s", strings.ToUpper(p11Config.TokenLabel))
+	tokenPinEnv := strings.ReplaceAll(p11Config.TokenLabel, "-", "_")
+	tokenPinEnv = strings.ReplaceAll(tokenPinEnv, " ", "_")
+	tokenPinEnv = strings.ToUpper(tokenPinEnv)
+	tokenPinEnv = fmt.Sprintf("TOKEN_PIN_%s", tokenPinEnv)
+
 	pin, found := os.LookupEnv(tokenPinEnv)
 	if !found {
 		log.Printf("environment variable %s has not been set", tokenPinEnv)