From bc8e209d6ead21b548e18729011bc399116e1c29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Trojnara?= <Michal.Trojnara@stunnel.org>
Date: Thu, 22 Nov 2018 08:01:20 +0100
Subject: [PATCH] ported to SoftHSM2

---
 ChangeLog                               |  1 +
 misc/softhsm-example-token/.gitignore   |  3 --
 misc/softhsm-example-token/README       |  6 ++--
 misc/softhsm-example-token/gen-token.sh | 47 +++++++------------------
 4 files changed, 16 insertions(+), 41 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e53bcb2..f27ec46 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 === 2.0 (2018-xx-xx)
 
 - ported to OpenSSL 1.1.x
+- ported to SoftHSM2
 - add support for pkcs11-based hardware tokens
 	(Patch from Leif Johansson)
 - improved error reporting of timestamping errors
diff --git a/misc/softhsm-example-token/.gitignore b/misc/softhsm-example-token/.gitignore
index 99c273b..1b52ac6 100644
--- a/misc/softhsm-example-token/.gitignore
+++ b/misc/softhsm-example-token/.gitignore
@@ -1,5 +1,2 @@
-softhsm.conf
 test.*
-openssl.conf
 config.py
-softhsm.*
diff --git a/misc/softhsm-example-token/README b/misc/softhsm-example-token/README
index 0850b01..690843b 100644
--- a/misc/softhsm-example-token/README
+++ b/misc/softhsm-example-token/README
@@ -11,8 +11,8 @@ Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
 "secret1". To use this token with osslsigncode try something like this (from this 
 directory):
 
-env SOFTHSM_CONF=`pwd`/softhsm.conf ../../osslsigncode sign \
-   -pkcs11engine /usr/lib/engines/engine_pkcs11.so \
-   -pkcs11module /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ...
+../../osslsigncode sign \
+   -pkcs11engine /usr/lib/engines-1.1/pkcs11.so \
+   -pkcs11module /usr/lib/libsofthsm2.so -key a1b2 -certs test.crt ...
 
 Use 'secret1' as the password at the prompt.
diff --git a/misc/softhsm-example-token/gen-token.sh b/misc/softhsm-example-token/gen-token.sh
index fdd4d6e..4fd8c2d 100755
--- a/misc/softhsm-example-token/gen-token.sh
+++ b/misc/softhsm-example-token/gen-token.sh
@@ -1,46 +1,23 @@
 #!/bin/bash
 
-P11_ENGINE=/usr/lib/engines/engine_pkcs11.so
-P11_MODULE=/usr/lib/softhsm/libsofthsm.so
+export MODULE_PATH=/usr/lib/libsofthsm2.so
 
-## 
-
-export SOFTHSM_CONF=softhsm.conf
-cat>config.py<<EOF
+cat >config.py <<EOF
 DEBUG = True
 SECRET = "secret1"
-PKCS11MODULE = "$P11_MODULE"
+PKCS11MODULE = "$MODULE_PATH"
 PKCS11PIN = "secret1"
 EOF
-cat>softhsm.conf<<EOF
-0: softhsm.db
-EOF
-cat>openssl.conf<<EOF
-openssl_conf = openssl_def
 
-[openssl_def]
-engines = engine_section
+# initialize the token
+softhsm2-util --delete-token --token osslsigncode
+softhsm2-util --init-token --free --label osslsigncode --pin secret1 --so-pin secret2
 
-[engine_section]
-pkcs11 = pkcs11_section
+# create and print a key pair
+pkcs11-tool --module $MODULE_PATH -l -k --key-type rsa:2048 --id a1b2 --label test --pin secret1
+pkcs11-tool --module $MODULE_PATH -l --pin secret1 -O
 
-[pkcs11_section]
-engine_id = pkcs11
-dynamic_path = $P11_ENGINE
-MODULE_PATH = $P11_MODULE
-PIN = secret1
-init = 0
-
-[req]
-distinguished_name = req_distinguished_name
-
-[req_distinguished_name]
-EOF
-
-export SOFTHSM_CONF=softhsm.conf
-softhsm --slot 0 --label test --init-token --pin secret1 --so-pin secret2
-pkcs11-tool --module $P11_MODULE -l -k --key-type rsa:2048 --slot 0 --id a1b2 --label test --pin secret1
-pkcs11-tool --module $P11_MODULE -l --pin secret1 -O
-openssl req -new -x509 -subj "/cn=TEST" -engine pkcs11 -config openssl.conf -keyform engine -key a1b2 -passin pass:secret1 -out test.crt
+# create and print a certificate
+openssl req -new -x509 -subj "/CN=TEST" -engine pkcs11 -keyform engine -key "pkcs11:token=osslsigncode;object=test;pin-value=secret1" -out test.crt
 openssl x509 -inform PEM -outform DER -in test.crt -out test.der
-pkcs11-tool --module $P11_MODULE -l --slot 0 --id a1b2 --label test -y cert -w test.der --pin secret1
+pkcs11-tool --module $MODULE_PATH -l --id a1b2 --label test -y cert -w test.der --pin secret1