cacert-gosigner/cmd/signer/main.go
Jan Dittberner de997913cf Implement configuration and CA hierarchy setup
This commit implements a mechanism to load CA configuration dynamically from
JSON files. Missing keys and certificates can be generated in a PKCS#11 HSM
or Smartcard. Certificates are stored as PEM encoded .crt files in the
filesystem.

The default PKCS#11 module (softhsm2) is now loaded from a platform specific
path using go:build comments.
2022-04-16 22:24:32 +02:00

99 lines
2.2 KiB
Go

package main
import (
"flag"
"fmt"
"log"
"os"
"strings"
"syscall"
"git.cacert.org/cacert-gosigner/pkg/config"
"github.com/ThalesIgnite/crypto11"
"golang.org/x/term"
"git.cacert.org/cacert-gosigner/pkg/hsm"
)
var (
commit string
date string
version string
)
const (
defaultTokenLabel = "localhsm"
defaultSignerConfigFile = "ca-hierarchy.json"
)
func main() {
p11Config := &crypto11.Config{}
var (
showVersion bool
signerConfigFile string
)
log.Printf("cacert-gosigner %s (%s) - built %s\n", version, commit, date)
flag.StringVar(&p11Config.Path, "module", defaultPkcs11Module, "PKCS#11 module")
flag.StringVar(&p11Config.TokenLabel, "token", defaultTokenLabel, "PKCS#11 token label")
flag.StringVar(&signerConfigFile, "caconfig", defaultSignerConfigFile, "signer configuration file")
flag.BoolVar(&showVersion, "version", false, "show version")
flag.Parse()
if showVersion {
return
}
log.Printf("using PKCS#11 module %s", p11Config.Path)
log.Printf("looking for token with label %s", p11Config.TokenLabel)
configFile, err := os.Open(signerConfigFile)
if err != nil {
log.Fatalf("could not open singer configuration file %s: %v", signerConfigFile, err)
}
caConfig, err := config.LoadConfiguration(configFile)
if err != nil {
log.Fatalf("could not load CA hierarchy: %v", err)
}
getPin(p11Config)
p11Context, err := crypto11.Configure(p11Config)
if err != nil {
log.Fatalf("could not configure PKCS#11 library: %v", err)
}
defer func(p11Context *crypto11.Context) {
err := p11Context.Close()
if err != nil {
log.Printf("could not close PKCS#11 library context: %v", err)
}
}(p11Context)
err = hsm.EnsureCAKeysAndCertificates(p11Context, caConfig)
if err != nil {
log.Fatalf("could not ensure CA keys and certificates exist: %v", err)
}
}
func getPin(p11Config *crypto11.Config) {
pin, found := os.LookupEnv("TOKEN_PIN")
if !found {
log.Printf("environment variable TOKEN_PIN has not been set")
if !term.IsTerminal(syscall.Stdin) {
log.Fatal("stdin is not a terminal")
}
fmt.Print("Enter PIN: ")
bytePin, err := term.ReadPassword(syscall.Stdin)
if err != nil {
log.Fatalf("could not read PIN")
}
fmt.Println()
pin = string(bytePin)
}
p11Config.Pin = strings.TrimSpace(pin)
}