| #!/bin/bash |
| |
| # NOTE - This scripts expects the Init and the Duplicate tools to be already |
| # run and the output files(listed in README) to be present at the |
| # shared volume (input for Import tool) |
| # It also requires the following ENVIRONMENT variables to be set |
| # SECRETS_FOLDER - containing the srk_handl and prk_passwd files in base64 |
| # DATA_FOLDER - containing the files that are produced from the distcenter |
| |
| set -e |
| |
| #Primary Key Password used by TPM Plugin to load keys |
| export TPM_PRK_PASSWORD="$(cat ${SECRETS_FOLDER}/prk_passwd | base64 -d)" |
| #Handle to the aforementioned Primary Key |
| SRK_HANDLE="$(cat ${SECRETS_FOLDER}/srk_handle | base64 -d)" |
| #key_id is the parameter expected by SoftHSM |
| key_id="8738" |
| #Key_label is the parameter expected by SoftHSM |
| key_label="ABC" |
| #UserPin for the SoftHSM operations |
| upin="123456789" |
| #SoPin for the SoftHSM operations |
| sopin="123456789" |
| #Slot number for the SoftHSM operations. Initially it should be started with 0 |
| slot_no="0" |
| #Name for creating the slot used by SoftHSM |
| token_no="Token1" |
| #cert_id is the input for the application which is hexadecimal equivalent of key_id |
| cert_id=$(printf '%x' ${key_id}) |
| #Set working dir |
| WORKDIR=$PWD |
| |
| # 1.Initialize the token/ |
| softhsm2-util --init-token --slot ${slot_no} --label "${token_name}" \ |
| --pin ${upin} --so-pin ${sopin} |
| softhsm2-util --show-slots | grep 'Slot ' | cut -d\ -f2 | head -1 >> slotinfo.txt |
| SoftHSMv2SlotID="$(cat slotinfo.txt)" |
| echo "The slot ID used is ${SoftHSMv2SlotID}" |
| |
| # 2.Plugin directory for the SoftHSM to load plugin and for further operations |
| if [ -f ${DATA_FOLDER}/out_parent_public ]; then |
| |
| # 2.a Copy the required input files for the Import tool |
| cp ${DATA_FOLDER}/dup* /tpm-util/bin/ |
| |
| # 2.b Run the Import Utility |
| cd /tpm-util/bin |
| ./ossl_tpm_import -H $SRK_HANDLE -dupPub dupPub -dupPriv dupPriv \ |
| -dupSymSeed dupSymseed -dupEncKey dupEncKey -pub outPub -priv outPriv \ |
| -password $TPM_PRK_PASSWORD |
| |
| cd $WORKDIR |
| ./softhsmconfig.sh $SRK_HANDLE $key_id $key_label $upin $sopin $SoftHSMv2SlotID |
| else |
| |
| # 3 SoftHSM mode implementation |
| |
| echo "TPM hardware unavailable. Using SoftHSM implementation" |
| |
| cd ${DATA_FOLDER} |
| |
| # 3.a Extract the Private key using passphrase |
| passphrase="$(cat passphrase)" |
| echo "${passphrase}" |
| echo "${passphrase}" | gpg --batch --yes --passphrase-fd 0 privkey.pem.gpg |
| |
| # 3.b Convert the Private key pem into der format |
| openssl rsa -in ./privkey.pem -outform DER -out privatekey.der |
| |
| # 3.c Load the Private key into SoftHSM |
| pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \ |
| --write-object ./privatekey.der --type privkey --id ${cert_id} --label ${key_label} |
| |
| fi |
| |
| # 3.a Application operation |
| cd ${DATA_FOLDER} |
| |
| # 3.b Convert the crt to der format |
| openssl x509 -in ca.cert -outform der -out ca.der |
| |
| # 3.c Add the ca certificate |
| pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --pin ${upin} \ |
| --write-object ./ca.der --type cert --id ${cert_id} |
| |
| # 4. Calling the functionalities of the sample application |
| cd $WORKDIR |
| ./application.sh $key_label $SoftHSMv2SlotID $upin $cert_id |
| |
| # 5. Cleanup |
| cd $WORKDIR |
| rm -rf slotinfo.txt |