Attempt to delete key and certificate with the same name.

Nitrokey will override the label of the key with the certificate one. If they are stored with the same id.
2026-01-27 10:18:34 +00:00 · 2021-01-29 13:31:07 -08:00
parent 162c535705
commit 7f9d7eadc9
1 changed files with 18 additions and 0 deletions
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -149,6 +149,7 @@ func main() {
 		for _, u := range certUris {
 			if u != "" && !c.NoCerts {
 				checkObject(k, u)
+				checkCertificate(k, u)
 			}
 		}
 		for _, u := range keyUris {
@@ -164,6 +165,11 @@ func main() {
 		if ok {
 			for _, u := range certUris {
 				if u != "" && !c.NoCerts {
+					// Some HSMs like Nitrokey will overwrite the key with the
+					// certificate label.
+					if err := deleter.DeleteKey(u); err != nil {
+						fatal(err)
+					}
 					if err := deleter.DeleteCertificate(u); err != nil {
 						fatal(err)
 					}
@@ -215,6 +221,18 @@ COPYRIGHT
 	os.Exit(1)
 }

+func checkCertificate(k kms.KeyManager, rawuri string) {
+	if cm, ok := k.(kms.CertificateManager); ok {
+		if _, err := cm.LoadCertificate(&apiv1.LoadCertificateRequest{
+			Name: rawuri,
+		}); err == nil {
+			fmt.Fprintf(os.Stderr, "⚠️  Your PKCS #11 module already has a certificate on %s.\n", rawuri)
+			fmt.Fprintln(os.Stderr, "   If you want to delete it and start fresh, use `--force`.")
+			os.Exit(1)
+		}
+	}
+}
+
 func checkObject(k kms.KeyManager, rawuri string) {
 	if _, err := k.GetPublicKey(&apiv1.GetPublicKeyRequest{
 		Name: rawuri,