From ab25fc1565584ba09e6873f3588f30222b0f2fc0 Mon Sep 17 00:00:00 2001
From: Richard Retanubun
Date: Wed, 12 Jul 2023 13:46:50 -0400
Subject: [PATCH] feat(espsecure): Allow prompting for HSM PIN in read_hsm_config
If hsm_config does not contain "credentials" the user will be prompted for the HSM PIN. This avoids the need to have HSM PINs typed in config files which is not a good security practice.
ADJUNCT: Updated documentation to reflect new usage
Closes https://github.com/espressif/esptool/pull/900
---
docs/en/espsecure/index.rst | 3 +++
espsecure/esp_hsm_sign/__init__.py | 9 ++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/docs/en/espsecure/index.rst b/docs/en/espsecure/index.rst
index c4b26766c..c03b3478e 100644
--- a/docs/en/espsecure/index.rst
+++ b/docs/en/espsecure/index.rst
@@ -50,6 +50,9 @@ HSM config file
 An HSM config file is required with the fields (``pkcs11_lib``, ``credentials``, ``slot``, ``label``, ``label_pubkey``) populated corresponding to the HSM used.
+To access an HSM token of a selected slot, you will also need to pass in the token User PIN and thus you will be prompted to type in the User PIN.
+Alternatively, you could also add a ``credentials`` field in the HSM config file to store the (plaintext) User PIN to automate the signing workflow.
+
 Below is a sample HSM config file (``hsm_config.ini``) for using `SoftHSMv2 `_ as an external HSM: :: # hsm_config.ini
diff --git a/espsecure/esp_hsm_sign/__init__.py b/espsecure/esp_hsm_sign/__init__.py
index baf88241a..d255116ad 100644
--- a/espsecure/esp_hsm_sign/__init__.py
+++ b/espsecure/esp_hsm_sign/__init__.py
@@ -6,6 +6,7 @@
 import configparser
 import os
 import sys
+from getpass import getpass
 try:
 import pkcs11 
@@ -31,11 +32,17 @@ def read_hsm_config(configfile):
 if not config.has_section(section):
 raise configparser.NoSectionError(section)
- section_options = ["pkcs11_lib", "credentials", "slot", "label"]
+ section_options = ["pkcs11_lib", "slot", "label"]
 for option in section_options:
 if not config.has_option(section, option):
 raise configparser.NoOptionError(option, section)
+ # If the config file does not contain the "credentials" option,
+ # prompt the user for the HSM PIN
+ if not config.has_option(section, "credentials"):
+ hsm_pin = getpass("Please enter the PIN of your HSM:\n")
+ config.set(section, "credentials", hsm_pin)
+
 return config[section]
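Review bot: The new `hsm_pin = getpass(...)` line in the second hunk of `espsecure/esp_hsm_sign/__init__.py` lets `EOFError` escape when stdin is closed (a non-interactive run whose config has no `credentials`), so the caller gets a bare traceback from `getpass()` instead of the `configparser` error the rest of `read_hsm_config` raises for missing options, and an empty PIN is accepted and stored as is. Catching `EOFError` and re-raising `configparser.NoOptionError("credentials", section)` keeps the existing error contract, and rejecting an empty string avoids a less clear PKCS#11 login failure later. Since the prompted PIN is written back into the `ConfigParser` object by `config.set`, it is now held in memory exactly like a file-provided one; that is fine as long as the parsed config is never written out or logged, which I cannot verify from this hunk. `read_hsm_config` starts outside the hunk (its `def` line appears only in the hunk header).
```python
    # If the config file does not contain the "credentials" option,
    # prompt the user for the HSM PIN
    if not config.has_option(section, "credentials"):
        try:
            hsm_pin = getpass("Please enter the PIN of your HSM:\n")
        except EOFError:
            # stdin is closed (e.g. a non-interactive run): report the
            # missing option the same way the loop above does
            raise configparser.NoOptionError("credentials", section) from None
        if not hsm_pin:
            raise ValueError("HSM PIN must not be empty")
        config.set(section, "credentials", hsm_pin)

    return config[section]
```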