-
Notifications
You must be signed in to change notification settings - Fork 33
/
with_utimaco
executable file
·213 lines (177 loc) · 6.06 KB
/
with_utimaco
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
#!/usr/bin/env bash
# Copyright (c) 2020 Mastercard
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Usage: with_xxxx p11command args... ==> execute the command using presets for the token
#
# each platform has its defaults.
#
# if not otherwise specified:
# - default slot is set to 0 (define PKCS11SLOT or PKCS11TOKENLABEL to override)
# - default password is generally set to 'changeit' (define PKCS11PASSWORD to override)
#
# You can set all the PKCS11XXXX variables in a configuration file (sourced by this script).
# Two possibilites:
# - $PWD/.pkcs11rc for a setup bound to a directory
# - $HOME/.pkcs11rc for a user-wide setup
#
# alternate invocations:
#
# SPY=/dev/sdtout with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and print to stdout
# SPY=p11.log with_xxxx p11command args... ==> to interface with pkcs11-spy.so (from OpenSC) and write logs to p11.log
# NOSLOT with_xxxx p11command args... ==> unset slot and token variables, useful to force interactive mode
# PKCS11TOKENLABEL="abc" with_xxxx p11command args... ==> you can set all PKCS11 variables you like,
# including those that are vendor-specific
#
# Note that SPY mode does not support NSS.
PKCS11PASSWORD=${PKCS11PASSWORD:-changeit}
# Specific to vendor
# Utimaco: since there is no standard install, we are making a few guesses
PKCS11_LIBPATHS=( /usr/lib/pkcs11 /usr/lib /usr/local/lib/pkcs11 /usr/local/lib /opt/utimaco/lib $HOME/utimaco/pkcs11/lib $HOME/utimaco/lib )
# Utimaco: we try to detect setups for either R3 or R2 clients
PKCS11_LIBNAMES=( libcs_pkcs11_R3.so libcs_pkcs11_R2.so )
PKCS11_CFGNAMES=( cs_pkcs11_R3.cfg cs_pkcs11_R2.cfg )
PKCS11_CFGPATHS=( /opt/utimaco /usr/local/etc /etc $HOME/utimaco/pkcs11 $HOME/utimaco )
LIB_ENVVARS=( CS_PKCS11_R2_CFG CS_PKCS11_R3_CFG )
# setup of CS_PKCS11_R2_CFG / CS_PKCS11_R3_CFG
# we expect to find it in /opt/utimaco or in /usr/local/etc
function find_utimaco_cfg_file()
{
for path in ${PKCS11_CFGPATHS[@]}; do
for file in ${PKCS11_CFGNAMES[@]}; do
if [ -e $path/$file ]; then
echo $path/$file
return 0
fi
done
done
echo "NOT_FOUND"
return 1
}
CS_PKCS11_R3_CFG=${CS_PKCS11_R3_CFG:-$(find_utimaco_cfg_file)}
CS_PKCS11_R2_CFG=${CS_PKCS11_R2_CFG:-$(find_utimaco_cfg_file)}
if [ "$CS_PKCS11_R2_CFG" == "NOT_FOUND" -a "$CS_PKCS11_R3_CFG" == "NOT_FOUND" ]; then
echo "***Error: Utimaco configuration file not found, please set CS_PKCS11_R3_CFG/CS_PKCS11_R2_CFG accordingly."
exit 1
fi
########################################################################
# find_p11_lib: a trivial function to find a library.
function find_p11_lib()
{
for path in ${PKCS11_LIBPATHS[@]}; do
for lib in ${PKCS11_LIBNAMES[@]}; do
if [ -e $path/$lib ]; then
echo $path/$lib
return 0
fi
done
done
echo "NOT_FOUND"
return 1
}
# find_shim_lib: find libpkcs11shim.so
function find_shim_lib()
{
lib=libpkcs11shim.so
case "$(uname -s)" in
*)
paths=( /usr/local/lib /usr/lib )
;;
esac
for path in ${paths[@]}; do
if [ -e $path/$lib ]; then
echo $path/$lib
return 0
fi
done
echo "NOT_FOUND"
return 1
}
# find_spy_lib: find pkcs11-spy.so from OpenSC
function find_spy_lib()
{
lib=pkcs11-spy.so
paths=( /usr/lib/$(uname -m)-linux-gnu/pkcs11 /usr/lib64 /usr/local/lib /usr/local/opt/opensc/lib )
for path in ${paths[@]}; do
if [ -e $path/$lib ]; then
echo $path/$lib
return 0
fi
done
echo "NOT_FOUND"
return 1
}
# source .pkcs11rc from local directory, and if not, from $HOME directory
if [ -z "$NORC" ]; then
if [ -e ./.pkcs11rc ]; then
source ./.pkcs11rc
elif [ -e $HOME/.pkcs11rc ]; then
source $HOME/.pkcs11rc
fi
fi
################################################################################
# library
PKCS11LIB=${PKCS11LIB:-$(find_p11_lib)}
if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
echo "***Error: PKCS#11 Library not found, please set PKCS11LIB accordingly."
exit 1
fi
# if SHIM is set, we want to use the libpkcs11shim
#
if [ -n "$SHIM" ]; then
echo "SHIM set, trying to hook libpkcs11shim.so, output goes to $SHIM"
PKCS11SHIM=$PKCS11LIB
PKCS11SHIM_OUTPUT=$SHIM
PKCS11LIB=$(find_shim_lib)
if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
echo "***Error: libpkcs11shim.so Library not found, can't use SHIM option"
exit 1
fi
elif [ -n "$SPY" ]; then
echo "SPY set, trying to hook pkcs11-spy.so, output goes to $SPY"
PKCS11SPY=$PKCS11LIB
PKCS11SPY_OUTPUT=$SPY
PKCS11LIB=$(find_spy_lib)
if [ "$PKCS11LIB" == "NOT_FOUND" ]; then
echo "***Error: pkcs11-spy.so Library not found, can't use SPY option"
exit 1
fi
fi
#if NOSLOT is defined, or if PKCS11TOKENLABEL is defined we skip PKCS11SLOT
#(useful for p11slotinfo invocation)
if [ -z "$NOSLOT" -a -z "$PKCS11TOKENLABEL" ]; then
PKCS11SLOT=${PKCS11SLOT:-0}
fi
# also, if NOSLOT is defined, we unset PKCS11TOKENLABEL and PKCS11SLOT
if [ -n "$NOSLOT" ]; then
unset PKCS11TOKENLABEL PKCS11SLOT
fi
# Note: there is no default value for PKCS11TOKENLABEL
################################################################################
variables=(PKCS11LIB PKCS11NSSDIR PKCS11SLOT PKCS11TOKENLABEL PKCS11PASSWORD \
PKCS11SHIM PKCS11SHIM_OUTPUT PKCS11SPY PKCS11SPY_OUTPUT)
environment=
for v in ${variables[@]}; do
if [ -n "${!v}" ]; then
environment+=("$v=${!v}")
fi
done
for v in ${LIB_ENVVARS[@]}; do
if [ -n "${!v}" ]; then
environment+=("$v=${!v}")
fi
done
quoted=
for item in "$@"; do
quoted+=($(printf "%q" "$item"))
done
eval ${environment[@]} ${quoted[@]}
exit $?