feat(espsecure): Allow prompting for HSM PIN in read_hsm_config

If hsm_config does not contain "credentials" the user will be
prompted for the HSM PIN.

This avoids the need to have HSM PINs typed in config files
which is not a good security practice.

ADJUNCT: Updated documentation to reflect new usage

Closes #900

docs/en/espsecure/index.rst

@@ -50,6 +50,9 @@ HSM config file
 An HSM config file is required with the fields (``pkcs11_lib``, ``credentials``, ``slot``, ``label``, ``label_pubkey``)
 populated corresponding to the HSM used.
 
+To access an HSM token of a selected slot, you will also need to pass in the token User PIN and thus you will be prompted to type in the User PIN.
+Alternatively, you could also add a ``credentials`` field in the HSM config file to store the (plaintext) User PIN to automate the signing workflow.
+
 Below is a sample HSM config file (``hsm_config.ini``) for using `SoftHSMv2 <https://github.com/opendnssec/SoftHSMv2>`_ as an external HSM: ::
 
     # hsm_config.ini

espsecure/esp_hsm_sign/__init__.py

@@ -6,6 +6,7 @@
 import configparser
 import os
 import sys
+from getpass import getpass
 
 try:
     import pkcs11
@@ -31,11 +32,17 @@ def read_hsm_config(configfile):
     if not config.has_section(section):
         raise configparser.NoSectionError(section)
 
-    section_options = ["pkcs11_lib", "credentials", "slot", "label"]
+    section_options = ["pkcs11_lib", "slot", "label"]
     for option in section_options:
         if not config.has_option(section, option):
             raise configparser.NoOptionError(option, section)
 
+    # If the config file does not contain the "credentials" option,
+    # prompt the user for the HSM PIN
+    if not config.has_option(section, "credentials"):
+        hsm_pin = getpass("Please enter the PIN of your HSM:\n")
+        config.set(section, "credentials", hsm_pin)
+
     return config[section]