From e9de07fdbd2927d3e11ec8c53e78d08747fe0351 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Mon, 22 Jun 2026 12:16:39 +0200
Subject: [PATCH] Remove eval and xtrace from PKCS11 key generation script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remove unnecessary eval from crudini variable assignments — direct command substitution works the same without shell interpretation of the result. Remove -x from set -xe to prevent echoing of HSM PIN values to stdout/logs. Quote variable expansions in barbican-manage arguments.
Jira: OSPRH-31726
Co-Authored-By: Claude Opus 4.6
Signed-off-by: Martin Schuppert
---
 templates/barbican/bin/generate_pkcs11_keys.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/templates/barbican/bin/generate_pkcs11_keys.sh b/templates/barbican/bin/generate_pkcs11_keys.sh
index 7fe89ef8..93200ac7 100755
--- a/templates/barbican/bin/generate_pkcs11_keys.sh
+++ b/templates/barbican/bin/generate_pkcs11_keys.sh
@@ -13,15 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-set -xe
+set -e
 {{- if and (index . "PKCS11Enabled") .PKCS11Enabled }}
-eval mkek_label=$(crudini --get /etc/barbican/barbican.conf.d/01-custom.conf p11_crypto_plugin mkek_label)
+mkek_label=$(crudini --get /etc/barbican/barbican.conf.d/01-custom.conf p11_crypto_plugin mkek_label)
 echo "Creating MKEK label $mkek_label"
-barbican-manage hsm check_mkek --label $mkek_label || barbican-manage hsm gen_mkek --label $mkek_label
+barbican-manage hsm check_mkek --label "$mkek_label" || barbican-manage hsm gen_mkek --label "$mkek_label"
-eval hmac_label=$(crudini --get /etc/barbican/barbican.conf.d/01-custom.conf p11_crypto_plugin hmac_label)
+hmac_label=$(crudini --get /etc/barbican/barbican.conf.d/01-custom.conf p11_crypto_plugin hmac_label)
 echo "Creating HMAC label $hmac_label"
-barbican-manage hsm check_hmac --label $hmac_label || barbican-manage hsm gen_hmac --label $hmac_label
+barbican-manage hsm check_hmac --label "$hmac_label" || barbican-manage hsm gen_hmac --label "$hmac_label"
 {{- end }}
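Review bot: Dropping `eval` from the `mkek_label=` and `hmac_label=` assignments also drops the quote removal it performed, so a label written as `mkek_label = "my_mkek"` in 01-custom.conf now reaches `barbican-manage --label` with the quote characters included. If the Barbican service reads the same option with surrounding quotes stripped (oslo.config normally does this, worth confirming), the script would check or generate a key under a label the service never looks up. Strip one layer of matching quotes explicitly after each assignment, and fail on an empty result with `: "${mkek_label:?mkek_label is not set in p11_crypto_plugin}"` (same for `hmac_label`), so an empty label is never handed to `gen_mkek` or `gen_hmac`.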