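package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"strings"
	"syscall"

	"github.com/ThalesIgnite/crypto11"
	"golang.org/x/term"

	"git.cacert.org/cacert-gosigner/pkg/config"
	"git.cacert.org/cacert-gosigner/pkg/hsm"
)

// Build information; presumably injected at link time (-ldflags "-X main.version=..."),
// which is why the variables are left at their zero values here.
var (
	commit  string
	date    string
	version string
)

const (
	// defaultTokenLabel is the PKCS#11 token label used when -token is not given.
	defaultTokenLabel = "localhsm"
	// defaultSignerConfigFile is the CA hierarchy description used when -caconfig is not given.
	defaultSignerConfigFile = "ca-hierarchy.json"
)

// main parses the command line, loads the CA hierarchy configuration, opens the
// PKCS#11 token with a PIN obtained by getPin and makes sure the CA keys and
// certificates described by the configuration exist on the token.
//
// Every failure is reported through log.Fatalf, which exits the process with
// status 1; note that os.Exit skips deferred calls, so the PKCS#11 context is
// only closed on the success path.
func main() {
	p11Config := &crypto11.Config{}

	var (
		showVersion      bool
		signerConfigFile string
	)

	log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)

	// defaultPkcs11Module is not declared in this file; it is expected to come
	// from another file of the package (e.g. a platform-specific default).
	flag.StringVar(&p11Config.Path, "module", defaultPkcs11Module, "PKCS#11 module")
	flag.StringVar(&p11Config.TokenLabel, "token", defaultTokenLabel, "PKCS#11 token label")
	flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file")
	flag.BoolVar(&showVersion, "version", false, "show version")
	flag.Parse()

	if showVersion {
		// The version line has already been written by the log call above.
		return
	}

	log.Printf("using PKCS#11 module %s", p11Config.Path)
	log.Printf("looking for token with label %s", p11Config.TokenLabel)

	configFile, err := os.Open(signerConfigFile)
	if err != nil {
		log.Fatalf("could not open signer configuration file %s: %v", signerConfigFile, err)
	}

	caConfig, err := config.LoadConfiguration(configFile)
	// The handle is not needed once the configuration has been parsed. The file
	// was opened read-only, so a close error carries no information worth acting
	// on; if LoadConfiguration already closed it, the second Close is harmless.
	_ = configFile.Close()
	if err != nil {
		log.Fatalf("could not load CA hierarchy: %v", err)
	}

	// The PIN must be set before crypto11.Configure logs in to the token.
	getPin(p11Config)

	p11Context, err := crypto11.Configure(p11Config)
	if err != nil {
		log.Fatalf("could not configure PKCS#11 library: %v", err)
	}

	defer func(p11Context *crypto11.Context) {
		if err := p11Context.Close(); err != nil {
			log.Printf("could not close PKCS#11 library context: %v", err)
		}
	}(p11Context)

	if err := hsm.EnsureCAKeysAndCertificates(p11Context, caConfig); err != nil {
		log.Fatalf("could not ensure CA keys and certificates exist: %v", err)
	}
}

// getPin stores the token PIN in p11Config.Pin. The PIN is taken from the
// TOKEN_PIN environment variable when it is set; otherwise the user is
// prompted on the terminal with echo disabled.
//
// The process exits via log.Fatal* when no PIN can be obtained, i.e. when
// TOKEN_PIN is unset and stdin is not a terminal, or reading the PIN fails.
func getPin(p11Config *crypto11.Config) {
	// NOTE: an environment variable is visible to other processes of the same
	// user (e.g. via /proc/<pid>/environ on Linux) and is inherited by child
	// processes; the interactive prompt does not have that exposure.
	pin, found := os.LookupEnv("TOKEN_PIN")
	if !found {
		log.Printf("environment variable TOKEN_PIN has not been set")

		// ReadPassword disables echo on the terminal, so only prompt when stdin
		// actually is one instead of reading a PIN from a pipe or file.
		if !term.IsTerminal(syscall.Stdin) {
			log.Fatal("stdin is not a terminal")
		}

		fmt.Print("Enter PIN: ")

		bytePin, err := term.ReadPassword(syscall.Stdin)
		if err != nil {
			// Include the cause; the original message dropped err entirely.
			log.Fatalf("could not read PIN: %v", err)
		}
		// ReadPassword swallows the user's newline, so emit one to keep the
		// following log output on its own line.
		fmt.Println()

		pin = string(bytePin)
	}

	// Strip surrounding whitespace so a trailing newline from the environment
	// or the prompt is not sent to the token as part of the PIN.
	p11Config.Pin = strings.TrimSpace(pin)
}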