#!/bin/bash

# Copyright 2023 Google LLC.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

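# Strict mode: abort on any failing command or unset variable, make a
# pipeline fail when any stage fails, and trace every command.
# NOTE: -x echoes each command (including the demo PIN below) to stderr.
# Drop -x before adapting this script to a token that protects real keys.
set -euxo pipefail

# SoftHSM2 PKCS #11 module as installed by the Debian/Ubuntu package on
# x86_64; adjust the path for other architectures or distributions.
readonly SOFTHSM2_MODULE="/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
readonly TOKEN_NAME="Demo Token"
readonly OBJECT_LABEL="Demo Object"
# Demo-only user/SO PIN for the software token.  Hard-coded for convenience;
# a real deployment must read the PIN from a secret store, never from source.
readonly PIN="0000"
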
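#######################################
# Install the PKCS #11 tooling that setup_pkcs11_module relies on.
#   1. softhsm2       - software HSM implementing the PKCS #11 API.
#   2. libp11-kit-dev - the p11-kit shared library (and headers) used to
#                       talk to PKCS #11 modules.
#   3. gnutls-bin     - provides p11tool (for creating PKCS #11 URIs).
#   4. opensc         - provides pkcs11-tool, which the setup step uses to
#                       initialise the token and import objects.
# Globals:   none
# Arguments: none
# Returns:   exit status of apt-get
#######################################
install_dependencies() {
  # apt-get (not apt) has a stable CLI for scripts; -y keeps the run
  # non-interactive so the script does not stall waiting for a prompt.
  sudo apt-get install -y softhsm2 libp11-kit-dev gnutls-bin opensc
}
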
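#######################################
# Register SoftHSM2 with p11-kit, create a user-owned token store, initialise
# a token with the demo PIN, and import a freshly generated self-signed RSA
# certificate plus its private and public key under OBJECT_LABEL.
# Globals:   SOFTHSM2_MODULE, TOKEN_NAME, OBJECT_LABEL, PIN (read);
#            SLOT (written: hex id of the first slot listed)
# Arguments: none
# Outputs:   writes /etc/pkcs11/modules/softhsm.module (via sudo) and
#            $HOME/.config/softhsm2/{softhsm2.conf,tokens/}
# Returns:   non-zero (via set -e) if any step fails
#######################################
setup_pkcs11_module() {
  # Make softhsm2 discoverable by PKCS #11 tools.  Overwrite the module file
  # rather than append to it: appending on every run leaves duplicate
  # "module:" lines after a re-run.  Use the same module path the rest of the
  # script uses so both tools load the same library.
  sudo mkdir -p /etc/pkcs11/modules
  printf 'module: %s\n' "$SOFTHSM2_MODULE" \
    | sudo tee /etc/pkcs11/modules/softhsm.module >/dev/null

  # The file backend stores token objects (including the private key) under
  # this directory, so restrict it to the current user.
  local softhsm_dir="$HOME/.config/softhsm2"
  mkdir -p "$softhsm_dir/tokens"
  chmod 700 "$softhsm_dir" "$softhsm_dir/tokens"

  cat <<EOF > "$softhsm_dir/softhsm2.conf"
directories.tokendir = $softhsm_dir/tokens/
objectstore.backend = file
log.level = INFO
slots.removable = true
EOF

  # Initialise the token and set the user PIN.  The PIN is passed to
  # pkcs11-tool through the environment ("env:NAME") rather than on argv so
  # it is not visible in `ps` to other users on the host.  (It still appears
  # in this demo script's `set -x` trace.)
  PKCS11_PIN="$PIN" pkcs11-tool --init-token --label "$TOKEN_NAME" \
    --module "$SOFTHSM2_MODULE" --slot 0 --so-pin env:PKCS11_PIN
  # First hex id in the slot listing.  Assumes the freshly initialised token
  # is listed first (as the original script did) -- verify on other modules.
  # Kept for callers that want the id; the writes below select the token by
  # label, which does not depend on that ordering.
  SLOT=$(pkcs11-tool --list-slots --module "$SOFTHSM2_MODULE" \
    | grep -Eo "0x[A-Fa-f0-9]+" | head -n 1)
  PKCS11_PIN="$PIN" pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "$TOKEN_NAME" --login --init-pin \
    --pin env:PKCS11_PIN --so-pin env:PKCS11_PIN

  # Generate a throwaway self-signed RSA key pair and certificate in a private
  # temp dir.  The plaintext private key lives on disk only until the import
  # finishes; the EXIT trap removes the directory even if a later step fails
  # under `set -e`, instead of leaving key.pem behind.
  local build_dir
  build_dir=$(mktemp -d)
  # shellcheck disable=SC2064 -- expand now so the trap keeps this path
  trap "rm -rf -- '$build_dir'" EXIT
  pushd "$build_dir"

  openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj "/C=US/ST=WA/L=Sea/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com"
  openssl x509 -pubkey -noout -in cert.pem > public_key.pem

  # pkcs11-tool --write-object takes DER input.
  openssl x509 -in cert.pem -out cert.der -outform der
  openssl rsa -in key.pem -outform DER -out private_key.der
  openssl rsa -inform pem -in public_key.pem -outform der -out public_key.der -pubin

  # Import all three objects under the same label so they can be located
  # together by a PKCS #11 URI on OBJECT_LABEL.
  PKCS11_PIN="$PIN" pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "$TOKEN_NAME" --write-object cert.der --type cert \
    --label "$OBJECT_LABEL" --login --pin env:PKCS11_PIN
  PKCS11_PIN="$PIN" pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "$TOKEN_NAME" --write-object private_key.der --type privkey \
    --label "$OBJECT_LABEL" --login --pin env:PKCS11_PIN
  PKCS11_PIN="$PIN" pkcs11-tool --module "$SOFTHSM2_MODULE" \
    --token-label "$TOKEN_NAME" --write-object public_key.der --type pubkey \
    --label "$OBJECT_LABEL" --login --pin env:PKCS11_PIN

  # Leave the directory before deleting it; the trap is then a no-op.
  popd
  rm -rf -- "$build_dir"
}
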
# With no arguments, run the full setup; passing any argument skips it so the
# functions above are only defined.
if (( $# == 0 )); then
  install_dependencies
  setup_pkcs11_module
fi