1 #!/bin/sh | 1 #!/bin/sh |
2 | 2 |
3 if [ -z "$1" ]; then | 3 if [ -z "$1" ]; then |
4 USERNAME="chronos" | 4 USERNAME="chronos" |
5 else | 5 else |
6 USERNAME="$1" | 6 USERNAME="$1" |
7 fi | 7 fi |
8 | 8 |
9 PKCS11_GROUP="pkcs11" | 9 PKCS11_GROUP="pkcs11" |
10 | 10 |
11 OPENCRYPTOKI_DIR="/var/lib/opencryptoki" | 11 OPENCRYPTOKI_DIR="/var/lib/opencryptoki" |
12 USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME" | 12 USER_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/$USERNAME" |
13 ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root" | 13 ROOT_TOKEN_LINK="$OPENCRYPTOKI_DIR/tpm/root" |
14 | 14 |
15 USER_TOKEN_DIR="/home/$USERNAME/user/.tpm" | 15 USER_TOKEN_DIR="/home/$USERNAME/user/.tpm" |
16 | 16 |
17 if [ -e "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" -a \ | 17 log() { |
18 ! -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" ]; then | 18 if [ -t 1 ]; then |
19 # A token with a public key but no private key is a sign that | 19 echo "$@" 1>&2 |
20 # initialization timed out. The only way to recover seems to be to wipe | 20 else |
21 # out the whole token and try again. | 21 logger -t $(basename "$0") "$@" |
22 logger "PKCS#11 token appears to be broken, deleting: $USER_TOKEN_DIR/*" | 22 fi |
23 rm -rf "$USER_TOKEN_DIR"/* | 23 } |
24 | |
25 if [ ! -f "$USER_TOKEN_DIR/PUBLIC_ROOT_KEY.pem" ]; then | |
26 log "No PKCS#11 token found for $USERNAME." | |
27 else | |
28 if [ -e "$USER_TOKEN_DIR/PRIVATE_ROOT_KEY.pem" -a \ | |
29 -e "$USER_TOKEN_DIR/TOK_OBJ/70000000" ]; then | |
Chris Masone
2010/08/25 00:33:13
-f or -e, be consistent.
| |
30 log "PKCS#11 token for $USERNAME looks ok." | |
31 else | |
32 # If these files are missing, it's a sign that initialization timed out. | |
33 # The only way to recover seems to be to wipe out the whole token and try | |
34 # again. | |
35 log "PKCS#11 token for $USERNAME appears to be broken, deleting:" \ | |
36 "$USER_TOKEN_DIR/*" | |
37 rm -rf "$USER_TOKEN_DIR"/* | |
38 fi | |
24 fi | 39 fi |
25 | 40 |
26 # Ensure the directories exist | 41 # Ensure the directories exist |
27 mkdir -p "$OPENCRYPTOKI_DIR/tpm" | 42 mkdir -p "$OPENCRYPTOKI_DIR/tpm" |
28 chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR" | 43 chown -R "root:$PKCS11_GROUP" "$OPENCRYPTOKI_DIR" |
29 | 44 |
30 # Ensure that they point to the user volume | 45 # Ensure that they point to the user volume |
31 [ -L "$USER_TOKEN_LINK" ] || \ | 46 [ -L "$USER_TOKEN_LINK" ] || \ |
32 ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK" | 47 ln -sf "$USER_TOKEN_DIR" "$USER_TOKEN_LINK" |
33 [ -L "$ROOT_TOKEN_LINK" ] || \ | 48 [ -L "$ROOT_TOKEN_LINK" ] || \ |
34 ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK" | 49 ln -sf "./$USERNAME" "$ROOT_TOKEN_LINK" |
35 | 50 |
36 # Always remove the old token entry. | 51 # Always remove the old token entry. |
37 rm -f /var/lib/opencryptoki/pk_config_data | 52 rm -f /var/lib/opencryptoki/pk_config_data |
38 | 53 |
39 # Creating this directory because if it's not there, token initialization | 54 # Creating this directory because if it's not there, token initialization |
40 # will neither create it nor populate it. | 55 # will neither create it nor populate it. |
41 mkdir -p "$USER_TOKEN_DIR/TOK_OBJ" | 56 mkdir -p "$USER_TOKEN_DIR/TOK_OBJ" |
42 | 57 |
43 # Configure the tpm as a token | 58 # Configure the tpm as a token |
44 pkcs_slot 0 tpm | 59 pkcs_slot 0 tpm |
45 | 60 |
46 # Make sure the user can access their own data | 61 # Make sure the user can access their own data |
47 chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR" | 62 chown -R "$USERNAME:$PKCS11_GROUP" "$USER_TOKEN_DIR" |
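Review bot: The new broken-token branch (new lines 35-37) runs `rm -rf "$USER_TOKEN_DIR"/*` on a path built from an unvalidated `$1` (`/home/$USERNAME/user/.tpm`), so a caller passing a name containing `/` or `..` steers both that deletion and the `chown -R` on new line 62 outside the intended home. The `chown root:$PKCS11_GROUP` suggests the script runs as root; if so, and if `/home/$USERNAME/user` is writable by that user, replacing `.tpm` with a symlink makes the glob expand inside the link target and root deletes that directory's contents — worth confirming against the caller. I would reject bad names before they are used, `case "$USERNAME" in ''|*/*|.|..) log "invalid user name"; exit 1 ;; esac`, and write the deletion as `rm -rf -- "${USER_TOKEN_DIR:?}"/*`, which also refuses to run on an empty variable. Separately, `*` does not match dot-entries, so "wipe out the whole token" leaves any dotfiles under `.tpm` in place; if a full reset is the intent, remove and recreate the directory instead.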