cacert-gosigner/cmd/signer/main.go

package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"strings"
	"syscall"

	"git.cacert.org/cacert-gosigner/pkg/config"
	"github.com/ThalesIgnite/crypto11"
	"golang.org/x/term"

	"git.cacert.org/cacert-gosigner/pkg/hsm"
)

var (
	commit  string
	date    string
	version string
)

const (
	defaultTokenLabel       = "localhsm"
	defaultSignerConfigFile = "ca-hierarchy.json"
)

func main() {
	p11Config := &crypto11.Config{}
	var (
		showVersion      bool
		signerConfigFile string
	)

	log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)

	flag.StringVar(&p11Config.Path, "module", defaultPkcs11Module, "PKCS#11 module")
	flag.StringVar(&p11Config.TokenLabel, "token", defaultTokenLabel, "PKCS#11 token label")
	flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file")
	flag.BoolVar(&showVersion, "version", false, "show version")

	flag.Parse()

	if showVersion {
		return
	}

	log.Printf("using PKCS#11 module %s", p11Config.Path)
	log.Printf("looking for token with label %s", p11Config.TokenLabel)

	configFile, err := os.Open(signerConfigFile)
	if err != nil {
		log.Fatalf("could not open singer configuration file %s: %v", signerConfigFile, err)
	}

	caConfig, err := config.LoadConfiguration(configFile)
	if err != nil {
		log.Fatalf("could not load CA hierarchy: %v", err)
	}

	getPin(p11Config)

	p11Context, err := crypto11.Configure(p11Config)
	if err != nil {
		log.Fatalf("could not configure PKCS#11 library: %v", err)
	}

	defer func(p11Context *crypto11.Context) {
		err := p11Context.Close()
		if err != nil {
			log.Printf("could not close PKCS#11 library context: %v", err)
		}
	}(p11Context)

	err = hsm.EnsureCAKeysAndCertificates(p11Context, caConfig)
	if err != nil {
		log.Fatalf("could not ensure CA keys and certificates exist: %v", err)
	}
}

func getPin(p11Config *crypto11.Config) {
	pin, found := os.LookupEnv("TOKEN_PIN")
	if !found {
		log.Printf("environment variable TOKEN_PIN has not been set")
		if !term.IsTerminal(syscall.Stdin) {
			log.Fatal("stdin is not a terminal")
		}
		fmt.Print("Enter PIN: ")
		bytePin, err := term.ReadPassword(syscall.Stdin)
		if err != nil {
			log.Fatalf("could not read PIN")
		}
		fmt.Println()

		pin = string(bytePin)
	}
	p11Config.Pin = strings.TrimSpace(pin)
}