mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-25 16:41:08 +02:00
a087f7b267
Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is a software HSM that will load seal keys from a local disk via pkcs11. The pkcs11 seal implementation is fairly complex as we have to create a one or more shared tokens with various keys and distribute them to all nodes in the cluster before starting Vault. We also have to ensure that each sets labels are unique. We also make a few quality of life updates by utilizing globals for variants that don't often change and update base versions for various scenarios. * Add `seal_pkcs11` module for creating a `pkcs11` seal key using `softhsm2` as our backing implementation. * Require the latest enos provider to gain access to the `enos_user` resource to ensure correct ownership and permissions of the `softhsm2` data directory and files. * Add `pkcs11` seal to all scenarios that support configuring a seal type. * Extract system package installation out of the `vault_cluster` module and into its own `install_package` module that we can reuse. * Fix a bug when using the local builder variant that mangled the path. This likely slipped in during the migration to auto-version bumping. * Fix an issue where restarting Vault nodes with a socket seal would fail because a seal socket sync wasn't available on all nodes. Now we start the socket listener on all nodes to ensure any node can become primary and "audit" to the socket listner. * Remove unused attributes from some verify modules. * Go back to using cheaper AWS regions. * Use globals for variants. * Update initial vault version for `upgrade` and `autopilot` scenarios. * Update the consul versions for all scenarios that support a consul storage backend. Signed-off-by: Ryan Cragun <me@ryan.ec>
83 lines
2.1 KiB
Bash
83 lines
2.1 KiB
Bash
#!/bin/bash
|
|
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
set -e
|
|
|
|
fail() {
|
|
echo "$1" 1>&2
|
|
exit 1
|
|
}
|
|
|
|
[[ -z "$AES_LABEL" ]] && fail "AES_LABEL env variable has not been set"
|
|
[[ -z "$HMAC_LABEL" ]] && fail "HMAC_LABEL env variable has not been set"
|
|
[[ -z "$PIN" ]] && fail "PIN env variable has not been set"
|
|
[[ -z "$SO_PIN" ]] && fail "SO_PIN env variable has not been set"
|
|
[[ -z "$TOKEN_LABEL" ]] && fail "TOKEN_LABEL env variable has not been set"
|
|
[[ -z "$TOKEN_DIR" ]] && fail "TOKEN_DIR env variable has not been set"
|
|
|
|
if ! type softhsm2-util &> /dev/null; then
|
|
fail "unable to locate softhsm2-util in PATH. Have you installed softhsm?"
|
|
fi
|
|
|
|
if ! type pkcs11-tool &> /dev/null; then
|
|
fail "unable to locate pkcs11-tool in PATH. Have you installed opensc?"
|
|
fi
|
|
|
|
# Create an HSM slot and return the slot number in decimal value.
|
|
create_slot() {
|
|
sudo softhsm2-util --init-token --free --so-pin="$SO_PIN" --pin="$PIN" --label="$TOKEN_LABEL" | grep -oE '[0-9]+$'
|
|
}
|
|
|
|
# Find the location of our softhsm shared object.
|
|
find_softhsm_so() {
|
|
sudo find /usr -type f -name libsofthsm2.so -print -quit
|
|
}
|
|
|
|
# Create key a key in the slot. Args: module, key label, id number, key type
|
|
keygen() {
|
|
sudo pkcs11-tool --keygen --usage-sign --private --sensitive --usage-wrap \
|
|
--module "$1" \
|
|
-p "$PIN" \
|
|
--token-label "$TOKEN_LABEL" \
|
|
--label "$2" \
|
|
--id "$3" \
|
|
--key-type "$4"
|
|
}
|
|
|
|
# Create our softhsm slot and keys
|
|
main() {
|
|
local slot
|
|
if ! slot=$(create_slot); then
|
|
fail "failed to create softhsm token slot"
|
|
fi
|
|
|
|
local so
|
|
if ! so=$(find_softhsm_so); then
|
|
fail "unable to locate libsofthsm2.so shared object"
|
|
fi
|
|
|
|
if ! keygen "$so" "$AES_LABEL" 1 'AES:32' 1>&2; then
|
|
fail "failed to create AES key"
|
|
fi
|
|
|
|
if ! keygen "$so" "$HMAC_LABEL" 2 'GENERIC:32' 1>&2; then
|
|
fail "failed to create HMAC key"
|
|
fi
|
|
|
|
# Return our seal configuration attributes as JSON
|
|
cat <<EOF
|
|
{
|
|
"lib": "${so}",
|
|
"slot": "${slot}",
|
|
"pin": "${PIN}",
|
|
"key_label": "${AES_LABEL}",
|
|
"hmac_key_label": "${HMAC_LABEL}",
|
|
"generate_key": "false"
|
|
}
|
|
EOF
|
|
exit 0
|
|
}
|
|
|
|
main
|