
Commit 77b8a62

Update default input & output file paths to match next OKOS release.
OKOS is now putting all inputs that must be writable (the ca-state directory) in /var/lib/oks and all read-only inputs in /usr/share/oks. All outputs generated by oks will land in /var/lib/oks as well.
1 parent dbb5cba commit 77b8a62


2 files changed

+18
-17
lines changed


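--- a/script/write-output
+++ b/script/write-output
@@ -12,11 +12,7 @@ set -euo pipefail
 command_on_path mkisofs
 command_on_path cdrecord
 
-CA_STATE="ca-state"
-OUTPUT="output"
-
-info "copying ca-state dir to \"$OUTPUT\""
-cp -R "$CA_STATE" "$OUTPUT"/
+OUTPUT="/var/lib/oks"
 
 TMP_DIR=$(mktemp --directory)
 trap 'rm -rf -- "$TMP_DIR"' EXIT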
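Review bot: `OUTPUT="/var/lib/oks"` on new line 15 is a fixed absolute path with no override, whereas the Rust side lets `--output` be set from the environment via clap; `OUTPUT="${OUTPUT:-/var/lib/oks}"` would keep the script and the binary pointing at the same directory when either is redirected. The rest of the script, including where `$OUTPUT` is consumed, lies outside the hunk, so whether a mismatch is actually reachable is inferred rather than seen.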

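--- a/src/main.rs
+++ b/src/main.rs
@@ -36,8 +36,13 @@ const PASSWD_PROMPT: &str = "Enter YubiHSM Password: ";
 const PASSWD_NEW: &str = "Enter new password: ";
 const PASSWD_NEW_2: &str = "Enter password again to confirm: ";
 
+const INPUT_PATH: &str = "/usr/share/oks";
+const VERIFIER_PATH: &str = "/usr/share/oks/verifier.json";
+
+const OUTPUT_PATH: &str = "/var/lib/oks";
+const STATE_PATH: &str = "/var/lib/oks/ca-state";
+
 const GEN_PASSWD_LENGTH: usize = 16;
-const VERIFIER_FILE: &str = "verifier.json";
 
 // when we write out signed certs to the file system this suffix is appended
 const CERT_SUFFIX: &str = "cert.pem";
@@ -55,11 +60,11 @@ struct Args {
 verbose: bool,
 
 /// Directory where we put certs and attestations
-#[clap(long, env, default_value = "output")]
+#[clap(long, env, default_value = OUTPUT_PATH)]
 output: PathBuf,
 
 /// Directory where we put KeySpec, CA state and backups
-#[clap(long, env, default_value = "ca-state")]
+#[clap(long, env, default_value = STATE_PATH)]
 state: PathBuf,
 
 /// 'usb' or 'http'
@@ -96,10 +101,10 @@ enum Command {
 /// is equivalent to executing `hsm initialize`, `hsm generate`,
 /// `ca initialize`, and `ca sign`.
 Ceremony {
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 csr_spec: PathBuf,
 
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 key_spec: PathBuf,
 
 /// Path to the YubiHSM PKCS#11 module
@@ -126,7 +131,7 @@ enum CaCommand {
 /// Initialize an OpenSSL CA for the given key.
 Initialize {
 /// Spec file describing the CA signing key
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 key_spec: PathBuf,
 
 /// Path to the YubiHSM PKCS#11 module
@@ -141,7 +146,7 @@ enum CaCommand {
 /// Use the CA associated with the provided key spec to sign the
 /// provided CSR.
 Sign {
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 csr_spec: PathBuf,
 },
 }
@@ -175,7 +180,7 @@ enum HsmCommand {
 #[clap(flatten)]
 auth_method: AuthInputArg,
 
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 key_spec: PathBuf,
 },
 
@@ -195,13 +200,13 @@ enum HsmCommand {
 /// Restore a previously split aes256-ccm-wrap key
 // assume default auth for passwd, chose share src: stdio / cdr
 Restore {
-#[clap(long, env, default_value = "input")]
+#[clap(long, env, default_value = INPUT_PATH)]
 backups: PathBuf,
 
 #[clap(flatten)]
 share_method: ShareInputArg,
 
-#[clap(long, env, default_value = "input/verifier.json")]
+#[clap(long, env, default_value = "/usr/share/oks/verifier.json")]
 verifier: PathBuf,
 },
 
@@ -350,7 +355,7 @@ fn do_ceremony<P: AsRef<Path>>(
 let (shares, verifier) = wrap.split(&mut hsm)?;
 let verifier = serde_json::to_string(&verifier)?;
 debug!("JSON: {}", verifier);
-let verifier_path = args.output.join(VERIFIER_FILE);
+let verifier_path = args.output.join(VERIFIER_PATH);
 debug!(
 "Serializing verifier as json to: {}",
 verifier_path.display()
@@ -754,7 +759,7 @@ fn main() -> Result<()> {
 let (shares, verifier) = wrap.split(&mut hsm)?;
 let verifier = serde_json::to_string(&verifier)?;
 debug!("JSON: {}", verifier);
-let verifier_path = args.output.join(VERIFIER_FILE);
+let verifier_path = args.output.join(VERIFIER_PATH);
 debug!(
 "Serializing verifier as json to: {}",
 verifier_path.display()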
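Review bot: `args.output.join(VERIFIER_PATH)` on new line 762 (and the identical line 358 in do_ceremony) no longer writes into the output directory, because `VERIFIER_PATH` is absolute and `Path::join` with an absolute argument discards the base; the verifier ends up at /usr/share/oks/verifier.json, which the commit message describes as the read-only input location, so on the target system this presumably either fails or overwrites an input the restore path later reads. Keep a file-name constant for the output side, `const VERIFIER_FILE: &str = "verifier.json";` and `let verifier_path = args.output.join(VERIFIER_FILE);`, and reserve `VERIFIER_PATH` for the restore default. The `verifier` field at new line 209 still spells that path as a string literal; `default_value = VERIFIER_PATH` keeps it in step with the constant defined in the first hunk. Both enclosing functions start and end outside their hunks.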
