diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index 4dc15799..7a23c664 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -47,6 +47,7 @@ type Config struct {
 	RootFile string
 	KeyFile string
 	Pin string
+	PinFile string
 	NoCerts bool
 	EnableSSH bool
 	Force bool
@@ -74,6 +75,8 @@ func (c *Config) Validate() error {
 		return errors.New("flag `--root-gen` requires flag `--root-key-obj`")
 	case c.RootFile == "" && c.GenerateRoot && c.RootPath == "":
 		return errors.New("flag `--root-gen` requires `--root-cert-path`")
+	case c.Pin != "" && c.PinFile != "":
+		return errors.New("Only set one of pin and pin-file")
 	default:
 		if c.RootFile != "" {
 			c.GenerateRoot = false
@@ -108,6 +111,7 @@ func main() {
 	var c Config
 	flag.StringVar(&c.KMS, "kms", kmsuri, "PKCS #11 URI with the module-path and token to connect to the module.")
 	flag.StringVar(&c.Pin, "pin", "", "PKCS #11 PIN")
+	flag.StringVar(&c.PinFile, "pin-file", "", "PKCS #11 PIN File")
 	// Option 1: Generate new root
 	flag.BoolVar(&c.GenerateRoot, "root-gen", true, "Enable the generation of a root key.")
 	flag.StringVar(&c.RootSubject, "root-name", "PKCS #11 Smallstep Root", "Subject and Issuer of the root certificate.")
@@ -147,7 +151,18 @@ func main() {
 	// Initialize windows terminal
 	ui.Init()
 
-	if u.Get("pin-value") == "" && u.Get("pin-source") == "" && c.Pin == "" {
+	switch {
+	case u.Get("pin-value") != "":
+	case u.Get("pin-source") != "":
+	case c.Pin != "":
+	case c.PinFile != "":
+		content, err := os.ReadFile(c.PinFile)
+		if err != nil {
+			fatal(err)
+		}
+		c.Pin = string(content)
+
+	default:
 		pin, err := ui.PromptPassword("What is the PKCS#11 PIN?")
 		if err != nil {
 			fatal(err)
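Review bot: The new error string in Validate, `Only set one of pin and pin-file`, breaks with the neighbouring messages, which are lowercase and name the flags in their `--flag` form; the names users actually type are `--pin` and `--pin-file`. Suggest `return errors.New("flags --pin and --pin-file are mutually exclusive")`. The switch this case belongs to opens before the hunk and Validate continues after it.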
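Review bot: The usage string for the new `pin-file` flag, `PKCS #11 PIN File`, does not say that the value is a path or that the PIN is taken from the file's contents, which a user needs to know before pointing it at a file. Suggest `flag.StringVar(&c.PinFile, "pin-file", "", "Path to a file containing the PKCS #11 PIN; mutually exclusive with --pin.")`. main continues outside the hunk.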
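Review bot: `c.Pin = string(content)` uses the file contents verbatim, so a PIN file written with an editor or a shell redirect carries its trailing newline into the PIN; the login then fails and, on tokens that count failed attempts, may burn a retry. Strip line endings before use: `c.Pin = strings.TrimRight(string(content), "\r\n")` — TrimRight on "\r\n" rather than TrimSpace so a PIN that legitimately contains spaces is left intact; add `strings` to the import block if it is not already there. After trimming, an empty file leaves c.Pin empty without falling through to the prompt, and whether that is rejected later depends on code outside the hunk, so consider an explicit `if c.Pin == ""` that prompts or fails with a clear message. main continues outside the hunk.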