diff --git a/cmd/signer/main.go b/cmd/signer/main.go index beca33c..c8e9d5c 100644 --- a/cmd/signer/main.go +++ b/cmd/signer/main.go @@ -21,18 +21,18 @@ const ( func main() { var ( - showVersion bool - signerConfigFile string - setupMode bool + showVersion, setupMode, verbose bool + signerConfigFile string ) - log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile | log.LUTC) + log.SetFlags(log.Ldate | log.Lmicroseconds | log.LUTC) log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date) flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file") flag.BoolVar(&showVersion, "version", false, "show version") flag.BoolVar(&setupMode, "setup", false, "setup mode") + flag.BoolVar(&verbose, "verbose", false, "verbose output") flag.Parse() @@ -45,16 +45,24 @@ func main() { log.Fatalf("could not open singer configuration file %s: %v", signerConfigFile, err) } + opts := make([]hsm.ConfigOption, 0) + caConfig, err := config.LoadConfiguration(configFile) if err != nil { log.Fatalf("could not load CA hierarchy: %v", err) } + opts = append(opts, hsm.CaConfigOption(caConfig)) if setupMode { log.Print("running in setup mode") + opts = append(opts, hsm.SetupModeOption()) } - ctx := hsm.SetupContext(caConfig, setupMode) + if verbose { + opts = append(opts, hsm.VerboseLoggingOption()) + } + + ctx := hsm.SetupContext(opts...) err = hsm.EnsureCAKeysAndCertificates(ctx) if err != nil { diff --git a/pkg/hsm/context.go b/pkg/hsm/context.go index 03107bd..5731488 100644 --- a/pkg/hsm/context.go +++ b/pkg/hsm/context.go 
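Review bot: With `SetupContext` now taking only options, dropping the `opts = append(opts, hsm.CaConfigOption(caConfig))` line in the second hunk still compiles and the signer would start with no CA configuration in its context, where the old two-argument signature made that a compile error; a fail-fast right after `ctx := hsm.SetupContext(opts...)`, such as `if hsm.GetSignerConfig(ctx) == nil { log.Fatal("signer configuration missing from context") }`, restores that guarantee at startup. Separately, `opts := make([]hsm.ConfigOption, 0)` pre-sizes a slice that is only ever appended to; `var opts []hsm.ConfigOption` is the idiomatic form and behaves the same under `append`. main's body continues outside both hunks.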
@@ -14,28 +14,67 @@ const ( ctxP11Contexts ctxKey = iota ctxSetupMode ctxSignerConfig + ctxVerboseLogging ) +type ConfigOption func(ctx context.Context) context.Context + +func CaConfigOption(signerConfig *config.SignerConfig) func(context.Context) context.Context { + return func(ctx context.Context) context.Context { + return context.WithValue(ctx, ctxSignerConfig, signerConfig) + } +} + +func SetupModeOption() func(context.Context) context.Context { + return func(ctx context.Context) context.Context { + return context.WithValue(ctx, ctxSetupMode, true) + } +} + +func VerboseLoggingOption() func(ctx context.Context) context.Context { + return func(ctx context.Context) context.Context { + return context.WithValue(ctx, ctxVerboseLogging, true) + } +} + // SetupContext sets global context for HSM operations. -func SetupContext( - signerConfig *config.SignerConfig, - setupMode bool, -) context.Context { +func SetupContext(options ...ConfigOption) context.Context { ctx := context.Background() ctx = context.WithValue(ctx, ctxP11Contexts, make(map[string]*crypto11.Context)) - ctx = context.WithValue(ctx, ctxSignerConfig, signerConfig) - ctx = context.WithValue(ctx, ctxSetupMode, setupMode) + + for _, opt := range options { + ctx = opt(ctx) + } return ctx } func GetSignerConfig(ctx context.Context) *config.SignerConfig { - return ctx.Value(ctxSignerConfig).(*config.SignerConfig) + signerConfig, ok := ctx.Value(ctxSignerConfig).(*config.SignerConfig) + if !ok { + return nil + } + + return signerConfig } func IsSetupMode(ctx context.Context) bool { - return ctx.Value(ctxSetupMode).(bool) + setupMode, ok := ctx.Value(ctxSetupMode).(bool) + if !ok { + return false + } + + return setupMode +} + +func IsVerbose(ctx context.Context) bool { + verbose, ok := ctx.Value(ctxVerboseLogging).(bool) + if !ok { + return false + } + + return verbose } func GetP11Context(ctx context.Context, entry *config.CaCertificateEntry) (*crypto11.Context, error) { 
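Review bot: `GetSignerConfig` now returns nil instead of panicking when `SetupContext` was called without `CaConfigOption`, so every caller that dereferences its result (none are visible in this hunk) has moved from a clear panic at the lookup to a nil-pointer dereference later; either those callers gain a nil check, or the contract is stated on the function: `// GetSignerConfig returns the configuration stored by CaConfigOption, or nil if none was supplied to SetupContext.` The three option constructors return the unnamed `func(context.Context) context.Context` rather than the `ConfigOption` type declared just above them; `func CaConfigOption(signerConfig *config.SignerConfig) ConfigOption {` (and likewise for `SetupModeOption` and `VerboseLoggingOption`) ties them to the type `SetupContext` accepts. None of the new exported identifiers carries a doc comment; `// ConfigOption adjusts the context built by SetupContext.` would cover the type. The hunk ends on the signature of `GetP11Context`, whose body lies outside it.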
diff --git a/pkg/hsm/setup.go b/pkg/hsm/setup.go index c5ecec5..4d9fc01 100644 --- a/pkg/hsm/setup.go +++ b/pkg/hsm/setup.go @@ -16,12 +16,18 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error { return err } - log.Printf("got root CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s", - crt.Subject, - crt.Issuer, - crt.NotBefore, - crt.NotAfter, - crt.SerialNumber) + if IsVerbose(ctx) { + log.Printf( + "found root CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s", + label, + crt.Subject, + crt.Issuer, + crt.NotBefore, + crt.NotAfter, + crt.SerialNumber) + } else { + log.Printf("found root CA certificate %s: %s", label, crt.Subject.CommonName) + } } for _, label = range conf.IntermediaryCAs() { @@ -30,12 +36,18 @@ func EnsureCAKeysAndCertificates(ctx context.Context) error { return err } - log.Printf("got intermediary CA certificate:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s", - crt.Subject, - crt.Issuer, - crt.NotBefore, - crt.NotAfter, - crt.SerialNumber) + if IsVerbose(ctx) { + log.Printf( + "found intermediary CA certificate %s:\n Subject %s\n Issuer %s\n Valid from %s until %s\n Serial %s", + label, + crt.Subject, + crt.Issuer, + crt.NotBefore, + crt.NotAfter, + crt.SerialNumber) + } else { + log.Printf("found intermediary CA certificate %s: %s", label, crt.Subject.CommonName) + } } return nil diff --git a/pkg/hsm/storage.go b/pkg/hsm/storage.go index fb10b12..f2164e5 100644 --- a/pkg/hsm/storage.go +++ b/pkg/hsm/storage.go 
@@ -46,7 +46,11 @@ func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Contex
 }
 
 func getPin(p11Config *crypto11.Config) (string, error) {
-	tokenPinEnv := fmt.Sprintf("TOKEN_PIN_%s", strings.ToUpper(p11Config.TokenLabel))
+	tokenPinEnv := strings.ReplaceAll(p11Config.TokenLabel, "-", "_")
+	tokenPinEnv = strings.ReplaceAll(tokenPinEnv, " ", "_")
+	tokenPinEnv = strings.ToUpper(tokenPinEnv)
+	tokenPinEnv = fmt.Sprintf("TOKEN_PIN_%s", tokenPinEnv)
+
 	pin, found := os.LookupEnv(tokenPinEnv)
 	if !found {
 		log.Printf("environment variable %s has not been set", tokenPinEnv)
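Review bot: The label-to-variable-name mapping collapses distinct token labels onto one environment variable: as constructed examples, `foo-bar` and `foo bar` both become `TOKEN_PIN_FOO_BAR`, so a PIN set for one token is silently used for another, and any label character other than `-` and space (a `.`, for instance) still yields a name most shells cannot export. A single `strings.Map` that keeps ASCII letters and digits, upper-cases, and turns everything else into `_` states the rule in one place and always produces a valid name; if the configuration lists several tokens, checking the derived names for duplicates at load time (outside this hunk) would surface the collision before any PIN is looked up. This widens the set of characters that are rewritten, so any deployment whose labels rely on other punctuation surviving would have to rename its variables. getPin's body continues past the hunk.

```go
func getPin(p11Config *crypto11.Config) (string, error) {
	// Derive the variable name from the token label: ASCII letters and digits are
	// kept (upper-cased), every other rune becomes "_", so the mapping is explicit
	// and the result is always a valid environment variable name.
	tokenPinEnv := "TOKEN_PIN_" + strings.Map(func(r rune) rune {
		switch {
		case r >= 'a' && r <= 'z':
			return r - 'a' + 'A'
		case r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
			return r
		default:
			return '_'
		}
	}, p11Config.TokenLabel)

	// … unchanged: os.LookupEnv and the missing-variable handling …
```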