package hsm import ( "context" "errors" "fmt" "log" "os" "strings" "syscall" "github.com/ThalesIgnite/crypto11" "golang.org/x/term" ) func prepareCrypto11Context(ctx context.Context, label string) (*crypto11.Context, error) { storage, ok := GetSignerConfig(ctx).KeyStorage[label] if !ok { return nil, fmt.Errorf("could not find storage definition with label %s", label) } var ( err error p11Context *crypto11.Context ) p11Config := &crypto11.Config{ Path: storage.Module, TokenLabel: storage.Label, } log.Printf("using PKCS#11 module %s", p11Config.Path) log.Printf("looking for token with label %s", p11Config.TokenLabel) p11Config.Pin, err = getPin(p11Config) if err != nil { return nil, err } p11Context, err = crypto11.Configure(p11Config) if err != nil { return nil, fmt.Errorf("could not configure PKCS#11 library: %v", err) } return p11Context, nil } func getPin(p11Config *crypto11.Config) (string, error) { tokenPinEnv := fmt.Sprintf("TOKEN_PIN_%s", strings.ToUpper(p11Config.TokenLabel)) pin, found := os.LookupEnv(tokenPinEnv) if !found { log.Printf("environment variable %s has not been set", tokenPinEnv) if !term.IsTerminal(syscall.Stdin) { return "", errors.New("stdin is not a terminal") } fmt.Printf("Enter PIN for token %s: ", p11Config.TokenLabel) bytePin, err := term.ReadPassword(syscall.Stdin) if err != nil { return "", errors.New("could not read PIN") } fmt.Println() pin = string(bytePin) } return strings.TrimSpace(pin), nil }