Sign upLogin

GEANT/CAT

View on GitHub
Star
signer/ms_windows_proxy_sign-template

Summary

Maintainability
Test Coverage
#!/bin/bash
#/*
# * *****************************************************************************
# * Contributions to this work were made on behalf of the GÉANT project, a 
# * project that has received funding from the European Union’s Framework 
# * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
# * Horizon 2020 research and innovation programme under Grant Agreements No. 
# * 691567 (GN4-1) and No. 731122 (GN4-2).
# * On behalf of the aforementioned projects, GEANT Association is the sole owner
# * of the copyright in all material which was developed by a member of the GÉANT
# * project. GÉANT Vereniging (Association) is registered with the Chamber of 
# * Commerce in Amsterdam with registration number 40535155 and operates in the 
# * UK as a branch of GÉANT Vereniging.
# * 
# * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. 
# * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
# *
# * License: see the web/copyright.inc.php file in the file structure or
# *          <base_url>/copyright.php after deploying the software
# */

# This script is a part of the eduroam CAT softwareand covered by the approapriate license
# This is an example signer working with pkcs11proxy and accessing hardware or software tokens
# plugged into remote machines. This script is set to use two servers but yoy can define more, if you like.

# PREFIX may come handy if your software is located in one place
PREFIX=/usr/local/share/cat-signer

# LIB is the location which should be searched for libraries and modules
LIB="$PREFIX/lib"

# Set PROXY to addresses and ports on which pkcs11proxy are listening
# For each of the proxies you must define corresponding PIN, KEY_ID and CERTS
PROXY[1]='tcp://1.1.1.1:2345'
PROXY[2]='tcp://1.1.1.2:2346'

# Set PIN to access pins of tokens behind the proxy
PIN[1]='secretpin1';
PIN[2]='secretpin2';

# Set KEY_ID to private key identifiers on the tokens
KEY_ID[1]='keyid1'
KEY_ID[2]='kyid2'

# Set CERTS to issuer certificate chains saved as PEM files
CERTS[1]="path_to_sert_chain1.pem"
CERTS[2]="path_to_sert_chain2.pem"

# Set N to the number of proxy servers set up
N=2

# Set OSSLSIGNCODE to the osslsigncode binary you want to use for signing
OSSLSIGNCODE=$PREFIX/bin/osslsigncode

# Set PKCS11MODULE
PKCS11MODULE="$PREFIX"/lib/libpkcs11-proxy.so

# Set PKCS11ENGINE
PKCS11ENGINE="$PREFIX"/lib/engines/libpkcs11.so

# Set TIMESTAMP_URL to a working timestamping URL or comment it out for no timestamping
TIMESTAMP_URL="http://timestamp.digicert.com"

# Set LOG_FILE to the path to which you want to write logs
LOG_FILE="/var/log/CAT/signer.log"

# comment out the line below if not needed
export LD_LIBRARY_PATH="$LIB"
# --------------------- end of configuration do not change things below ----------

if [ -z "$TIMESTAMP_URL" ] ; then
   timestamp_cmd=""
else
   timestamp_cmd="-t $TIMESTAMP_URL "
fi

rm -f $2

date >> $LOG_FILE
for i in ${!PROXY[*]}
  do
  if PKCS11_PROXY_SOCKET="${PROXY[$i]}" timeout 5 $OSSLSIGNCODE -h sha2 -pass "${PIN[$i]}" -certs "${CERTS[$i]}" -key "${KEY_ID[$i]}" -pkcs11module "$PKCS11MODULE"  -pkcs11engine "$PKCS11ENGINE" $timestamp_cmd -in "$1" -out "$2" >/dev/null 2>&1
  then
    echo signing with proxy $i OK >> $LOG_FILE
    exit 0
  else
    echo signing with proxy $i FAILED >> $LOG_FILE
  fi
done
echo signing FAILED globally >> $LOG_FILE
exit 256