Jan Dittberner
de997913cf
This commit implements a mechanism to load CA configuration dynamically from JSON files. Missing keys and certificates can be generated in a PKCS#11 HSM or Smartcard. Certificates are stored as PEM encoded .crt files in the filesystem. The default PKCS#11 module (softhsm2) is now loaded from a platform specific path using go:build comments.
99 lines
2.2 KiB
Go
99 lines
2.2 KiB
Go
package main
|
|
|
|
import (
|
|
"flag"
|
|
"fmt"
|
|
"log"
|
|
"os"
|
|
"strings"
|
|
"syscall"
|
|
|
|
"git.cacert.org/cacert-gosigner/pkg/config"
|
|
"github.com/ThalesIgnite/crypto11"
|
|
"golang.org/x/term"
|
|
|
|
"git.cacert.org/cacert-gosigner/pkg/hsm"
|
|
)
|
|
|
|
var (
|
|
commit string
|
|
date string
|
|
version string
|
|
)
|
|
|
|
const (
|
|
defaultTokenLabel = "localhsm"
|
|
defaultSignerConfigFile = "ca-hierarchy.json"
|
|
)
|
|
|
|
func main() {
|
|
p11Config := &crypto11.Config{}
|
|
var (
|
|
showVersion bool
|
|
signerConfigFile string
|
|
)
|
|
|
|
log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)
|
|
|
|
flag.StringVar(&p11Config.Path, "module", defaultPkcs11Module, "PKCS#11 module")
|
|
flag.StringVar(&p11Config.TokenLabel, "token", defaultTokenLabel, "PKCS#11 token label")
|
|
flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file")
|
|
flag.BoolVar(&showVersion, "version", false, "show version")
|
|
|
|
flag.Parse()
|
|
|
|
if showVersion {
|
|
return
|
|
}
|
|
|
|
log.Printf("using PKCS#11 module %s", p11Config.Path)
|
|
log.Printf("looking for token with label %s", p11Config.TokenLabel)
|
|
|
|
configFile, err := os.Open(signerConfigFile)
|
|
if err != nil {
|
|
log.Fatalf("could not open singer configuration file %s: %v", signerConfigFile, err)
|
|
}
|
|
|
|
caConfig, err := config.LoadConfiguration(configFile)
|
|
if err != nil {
|
|
log.Fatalf("could not load CA hierarchy: %v", err)
|
|
}
|
|
|
|
getPin(p11Config)
|
|
|
|
p11Context, err := crypto11.Configure(p11Config)
|
|
if err != nil {
|
|
log.Fatalf("could not configure PKCS#11 library: %v", err)
|
|
}
|
|
|
|
defer func(p11Context *crypto11.Context) {
|
|
err := p11Context.Close()
|
|
if err != nil {
|
|
log.Printf("could not close PKCS#11 library context: %v", err)
|
|
}
|
|
}(p11Context)
|
|
|
|
err = hsm.EnsureCAKeysAndCertificates(p11Context, caConfig)
|
|
if err != nil {
|
|
log.Fatalf("could not ensure CA keys and certificates exist: %v", err)
|
|
}
|
|
}
|
|
|
|
func getPin(p11Config *crypto11.Config) {
|
|
pin, found := os.LookupEnv("TOKEN_PIN")
|
|
if !found {
|
|
log.Printf("environment variable TOKEN_PIN has not been set")
|
|
if !term.IsTerminal(syscall.Stdin) {
|
|
log.Fatal("stdin is not a terminal")
|
|
}
|
|
fmt.Print("Enter PIN: ")
|
|
bytePin, err := term.ReadPassword(syscall.Stdin)
|
|
if err != nil {
|
|
log.Fatalf("could not read PIN")
|
|
}
|
|
fmt.Println()
|
|
|
|
pin = string(bytePin)
|
|
}
|
|
p11Config.Pin = strings.TrimSpace(pin)
|
|
}
|