9.0_Security_pkcs11(HSM)_embedded
carloscn opened this issue · 0 comments
1. Overview
PKCS#11标准定义了与密码令牌(如硬件安全模块(HSM)和智能卡)的独立于平台的API,并将API本身命名为Cryptoki(来自“加密令牌接口”,发音为“crypto-key” - 但是“PKCS#11”通常用于指代API以及定义它的标准)。 API定义了最常用的加密对像类型(RSA密钥,X.509证书,DES / 三重DES密钥等)以及使用,创建/生成,修改和删除这些对象所需的所有功能。参考:http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
本文使用NXP LS1046A来对pkcs11进行验证。pkcs11对硬件有所要求,需要智能卡或者HSM。因此,本文会着重整理关于pkcs11如何和HSM进行配置的部分。NXP提供了Virual HSM,其底层使用OPTEE-OS进行实现;中间层使用Secure Object Library,在用户侧使用Cryptoki对其进行封装,用户只需要按照要求调用API即可。总结顺序为:OPTEE-OS-> Secure Object Library(SOL) -> Cryptoki APIs。另外,Secure Object Libray还可以被OpenSSL API作为engine使用。
SOL对HSM要求是:
- 产生密钥对在HSM内部
- 导入私钥进入HSM内部
私钥对于用户侧永远不可见。
OPTEE内部实现框图如图所示:
2. API
2.1 用户侧API(Cryptoki)
用户侧的API来源于Cryptoki,这些API的实际实现来源于libpkcs11.so。在NXP的Layerscape中支持的API的列表为:
| API | Description |
|---|---|
| C_Initialize | Initialize Cryptoki library |
| C_Finalize | Clean up cryptoki related resources |
| C_GetFunctionList | Obtains entry points of Cryptoki library functions. |
| C_GetInfo | Obtains general information about Cryptoki |
| C_GetSlotInfo | Obtains information about a particular slot |
| C_GetTokenInfo | Obtains information about a particular token |
| C_GetSlotList | Obtain list of slots in the system.Only a fixed slot with fixed token is supported. Dynamic slot or token addition is not supported. |
| C_OpenSessionC_CloseSessionC_CloseAllSessions | Opens/Closes a session.* All types of sessions are supported with Token.* Only Token Objects can be created/destroyed, Session Objects are not supported. |
| C_LoginC_Logout | Logs into a token.Logs out from a token |
| C_CreateObject | Creates an object (RSA Keys of size up to 2048bits are supported) |
| C_DestroyObject | Destroys an object |
| C_FindObjectsInitC_FindObjectsC_FindObjectsFinal | Objects search operations.RSA Public and Private key objects of size up to 2048bits are supported.ECDSA Public and Private key objects of size 256 & 384 bits are supported. |
| C_GetAttributeValue | Obtains the value of one or more attributes of the objects. |
| C_GetMechanismList | Obtains List of mechanism supported by token. |
| C_GetMechanismInfo | Obtains the information about a mechanism. |
| C_GenerateKeyPair | Generates a public-key/private-key pair (RSA Keys of size up to 2048bits are supported) |
| C_SignInitC_SignC_SignUpdateC_SignFinal | Initialize a signature operation.Signs single-part data.Continues a multiple-part signature operation.Finishes a multiple-part signature operation.Mechanisms supported:* RSA-based Mechanisms* CKM_RSA_PKCS* CKM_MD5_RSA_PKCS* CKM_SHA1_RSA_PKCS* CKM_SHA256_RSA_PKCS* CKM_SHA384_RSA_PKCS* CKM_SHA512_RSA_PKCS* ECDSA-based Mechanisms (Single Part Only)* CKM_ECDSA* CKM_ECDSA_SHA1 |
| C_DigestInitC_DigestC_DigestUpdateC_DigestFinal | Initializes a message-digesting operation.Digests single-part data.Continues a multiple-part digesting operation.Finishes a multiple-part digesting operation.Mechanisms supported:* CKM_MD5* CKM_SHA1* CKM_SHA256* CKM_SHA384* CKM_SHA512 |
| C_DecryptInitC_Decrypt | Initializes a decryption operation.Decrypts single-part encrypted data.Mechanisms supported:* CKM_RSA_PKCS* CKM_RSA_PKCS_OAEP |
2.2 中间层API (Secure Object Library)
这里面规定了如何:
- Import Keys
- Generate Key.
- Erase Object.
- Manufacturing Key APIs:
- Get MP Public key.
- Sign using MP Private Key
- Get MP Tag.
用户甚至可以直接使用Secure Object Library来操作HSM/Token。NXP提供了sobj_app用来直接访问Secure Object Library:
3. Secure Object集成
3.1 Cryptoki
Cryptoki可以分为两个访问方法
- 命令行(p11tool, softhsm2-utils)
- API调用
命令行的p11tool比较常用,该命令行参数在https://www.gnutls.org/manual/html_node/p11tool-Invocation.html 。如果是ubuntu系统可以通过sudo apt install gnutls-bin来安装p11tool
We have tested this library with p11tool for following operations:
- Listing tokens: p11tool --list-tokens
- Initializing token: p11tool --initialize
- Initializing User pin: p11tool --initialize-pin
- Initializing SO pin: p11tool --initialize-so-pin
- Generating RSA Key: p11tool --generate-rsa
- Importing RSA Key: p11tool --write --load-privkey <rsa_key.pem>
NXP把p11tool又包装了一层pkcs11_app工具,可以参考:https://docs.nxp.com/bundle/GUID-1441E561-3EAD-47FD-A50D-72E1A4E4D69E/page/GUID-E9CE3DC0-9C77-45C4-BE72-0E86FC5233ED.html#GUID-E9CE3DC0-9C77-45C4-BE72-0E86FC5233ED__UL_DDX_JML_XCB
这里涉及了一些具体的签名和验签操作。
3.2 OpenSSL
OpenSSL通过SOL可以实现使用Engine进行加解密,进而可以调用到NXP的CAAM来对加密算法加速运算。有两种方法可以实现使用OpenSSL的API来访问Secure Objects:
- 使用Secure Object Library 基于 OpenSSL Engine (libeng_secure_obj)
- 使用PKCS#11基于OpenSSL引擎(第三方的OpenSC/libp11)
3.2.1 使用libeng_secure_obj (非PKCS#11)
如果engine基于SOL,是有限制的,只能是:
- RSA Private Encryption.
- RSA Private Decryption.
- ECDSA Signing Operation.
OpenSSL不能够通过调用接口产生RSA Keys。这个Key需要通过sobj_app预置到HSM中。OpenSSL只能使用HSM中的key。
3.2.1.1 配置openssl
如果使用命令行的openssl,我们需要对openssl进行配置,在openssl.cnf中 (often in /etc/ssl/openssl.cnf) 的最前面:
openssl_conf = conf_section
如果配置RSA相应的配置,Add following section at bottom of file:
[conf_section]
engines = engine_section
[engine_section]
secure_obj = sobj_section
[sobj_section]
engine_id = eng_secure_obj
dynamic_path = <path where lib_eng_secure_obj.so is placed>
default_algorithms = RSA
init = 1如果配置ECC,配置:default_algorithms = RSA, EC
测试:
To verify that the engine is properly operating, you can use the following example:
root@Ubuntu:~#
root@Ubuntu:~# openssl engine
(dynamic) Dynamic engine loading support
(eng_secure_obj) secure object OpenSSL Engine.
root@Ubuntu:~#
root@Ubuntu:~#
If you do not update the OpenSSL configuration file, specify the engine configuration explicitly.
$: openssl engine -t dynamic -pre SO_PATH:<path-to-libeng_secure_obj.so> -pre ID:eng_secure_obj -pre LIST_ADD:1 -pre LOAD
root@Ubuntu:~#
root@Ubuntu:~# openssl engine -t dynamic -pre SO_PATH:/usr/lib/aarch64-linux-gnu/openssl-1.0.0/
engines/libeng_secure_obj.so -pre ID:eng_secure_obj -pre LIST_ADD:1 -pre LOAD
(dynamic) Dynamic engine loading support
[Success] : SO_PATH:/usr/lib/aarch64-linux-gnu/openssl-1.0.0/engines/libeng_secure_obj.SO
[Success] : ID:eng_secure_obj
[Success] : LIST_ADD:1
[Success] : LOAD
LOADED: (eng_secure_obj) Secure object OpenSSL Engine.
[available]
root@Ubuntu:~#
3.2.1.2 使用openssl
RSA
Following commands can be used to generate RSA/ECDSA key-pair and use them in signing any data and verifying the signatures generated.
$: sobj_app -G -m rsa-pair -s 2048 -l "rsa_gen_2048" -i 1 -w rsa_2048.pem ## Generating RSA key-pair ##
$: openssl rsa -in rsa_2048.pem -pubout -out rsa_pub_2048.pem ## Taking out Public Key for verifying signature ##
$: openssl dgst -sha1 -sign rsa_2048.pem -out sig.data data ## Generating Signature "sig.data" of "data" ##
$: openssl dgst -sha1 -verify rsa_pub_2048.pem -signature sig.data data ## Verifying the signature using Public Key ##
注意,这个地方并没有使用PKCS#11,只是普通的签名算法和验签算法。
ECDSA
Same thing can be done for ECDSA keys of prime256v1 by using following commands:
$: sobj_app -G -m ec-pair -c prime256v1 -l "ecc_256" -i 2 -w ec256.pem
$: openssl ec -in ec256.pem -pubout -out ec_pub_256.pem
$: openssl dgst -sha1 -sign ec256.pem -out sig.data data
$: openssl dgst -sha1 -verify ec_pub_256.pem -signature sig.data data
For ECDSA secp384r1 curve us following commands:
$: sobj_app -G -m ec-pair -c secp384r1 -l "ecc_384" -i 3 -w ec384.pem
$: openssl ec -in ec384.pem -pubout -out ec_pub_384.pem
$: openssl dgst -sha1 -sign ec384.pem -out sig.data data
$: openssl dgst -sha1 -verify ec_pub_384.pem -signature sig.data data
x.509
下面描述一下怎么创建一个self-sign的cert。这个key由HSM产生并且无法暴露出来。
As per the following examples, generate a private key in the HSM with sobj_app, This will also create a fake PEM file “dev_key.pem” having information to get the required key from HSM.
Following command is generating RSA key-pair:
$: sobj_app -G -m rsa-pair -s 2048 -l "Test_Key" -i 1 -w dev_key.pem
ECDSA key-pair can also be generated using following command:
$: sobj_app -G -m ec-pair -c prime256v1 -l "ecc_256" -i 30 -w dev_key.pem
产生一个cert用SOL:
// The first command creates a self-signed Certificate for “NXP Semiconductor". The signing is done using the key specified by the fake PEM file.
$ openssl req -new -key dev_key.pem -out req.pem -text -x509 -subj "/CN=NXP Semiconductor"
// creates a self-signed certificate for the request, the private key used to sign the certificate is the same private key used to create the request.
$ openssl x509 -signkey dev_key.pem -in req.pem -out cert.pem
3.2.2 使用OpenSC/libp11
libp11对PKCS#11 API进行了比较薄的封装,参考https://github.com/OpenSC/libp11 。这个仓库提供了:
- 相比于PKCS#11的库更高一层的封装。他的设计主要意图是和使用OpenSSL的应用集成在一起;
- OpenSSL库的pkcs11 engine插件
对于Ubuntu系统可以sudo apt-get install libengine-pkcs11-openssl。上面的命令可以安装libpkcs11.so (pkcs11 engine) 到/usr/lib/aarch64-linux-gnu/engines-1.1/libpkcs11.so。
同样需要更改openssl的配置文件:
openssl_conf = openssl_init
This should be added to the bottom of the file:
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/libpkcs11.so
init = 0
- dynamic_path:pkcs11 engine的插件
- MODULE_PATH: NXP PKCS#11 library
- engine_id: arbitrary identifier for OpenSSL applications to select the engine by the identifier.
如何测试
To verify that the engine is properly operating you can use the following example.
$ openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
[ available ]
使用p11tool
下面的测试用例是使用命令行产生一个自签的cert,这个key产生一个token,并且key不能被导出。sudo apt-get install gnutls-bin
NXP提供的sobj_app也可以查看由p11tool产生的key:
注意,有两个libpkcs11.so,一个是NXP的,一个是openssl engine用的:
- NXP: /usr/lib/libpkcs11.so
- OP engine: /usr/lib/aarch64-linux-gnu/engines-1.1/libpkcs11.so
The following commands utilize p11tool for that.
$ p11tool --provider <path-to-NXP-PKCS-library>/libpkcs11.so --list-privkeys
root@localhost:~# p11tool --provider /root/libpkcs11.so --list-privkeys
Object 0:
URL: pkcs11:model=;manufacturer=NXP;serial=1;token=TEE_BASED_TOKEN;%01%00%00%00;object=Device_Key3;type=private
Type: Private Key
Label: Device Key3
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 01:00:00:00
Object 1:
URL: pkcs11:model=;manufacturer=NXP;serial=1;token=TEE_BASED_TOKEN;%01%00%00%00;object=Device_Key2;type=private
Type: Private Key
Label: Device Key2
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 01:00:00:00
Object 0:
URL: pkcs11:model=;manufacturer=NXP;serial=1;token=TEE_BASED_TOKEN;%01%00%00%00;object=Device_Key3;type=private
Type: Private Key
Label: Device Key
Flags: CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 01:00:00:00
root@localhost:~#
产生一个在PKCS#11里面的证书:
$ openssl req -engine pkcs11 -new -key
"pkcs11:model=;manufacturer=NXP;serial=1;token=TEE_BASED_TOKEN;id=%01%00%00%00;object=Device_Key3
;type=private" -keyform engine -out req.pem -text -x509 -subj "/CN=NXP Semiconductor"
4. Example OpenVPN
OpenVPN https://openvpn.net/vpn-server-resources/support-of-pkcs11-physical-tokens-for-openvpn-connect/
Here are the steps to use OpenVPN with PKCS#11 in Ubuntu:
- Install OpenVPN: Open a terminal window and run the following command to install OpenVPN:
sudo apt-get install openvpn - Install PKCS#11 library: Install the PKCS#11 library for your token. The library is usually provided by the manufacturer of the token. You can download the library from the manufacturer's website and install it on your system. For example, if you are using a YubiKey, you can download the YubiKey PKCS#11 library from the Yubico website.
- Configure OpenVPN: Create an OpenVPN configuration file and specify the PKCS#11 library path and the certificate and key for your PKCS#11 token. You can use the following sample configuration file as a starting point:
client dev tun proto udp remote vpn.example.com 1194 resolv-retry infinite nobind persist-key persist-tun pkcs11-providers /usr/local/lib/libykcs11.so pkcs11-id "pkcs11:object=YubiKey;type=private" comp-lzo verb 3
In this example, /usr/local/lib/libykcs11.so is the path to the YubiKey PKCS#11 library, and YubiKey is the name of the object that contains the private key in the token.
- Start OpenVPN: Open a terminal window and run the following command to start OpenVPN using the configuration file that you have created:
sudo openvpn --config /path/to/config-file.ovpn
Replace /path/to/config-file.ovpn with the path to your OpenVPN configuration file.
That's it! OpenVPN will now use the PKCS#11 token for secure authentication and key management.
4.1 启动 tee-supplicant
由于NXP的layerscape是使用optee模拟的HSM,因此需要在用户侧启动tee服务程序:tee-supplicant &
运行xtest 测试OPTEE 是否可以正常运行。
4.2 在HSM中产生key
产生Key名字叫做com_rsa_2048:sobj_app -G -m rsa-pair -s 2048 -l "comrsa2048" -i 2
查看Key
root@localhost:/# p11tool --provider /usr/lib/libpkcs11.so --list-privkeys
4.3 配置OpenVPN
配置OpenVPN有两种方式:
- 传统的证书方式
- PKCS#11方式
OpenVPN开始SSL模式,有个互相challenge的过程。因此,必须提供ca.cert证书,作为client和server之间的互信。
4.3.1 传统的证书方式
客户端需要:
- /opt/easy-rsa/pki/ca.crt (CA证书)
- /opt/easy-rsa/pki/issued/client.crt (被CA签过的client公钥证书)
- /opt/easy-rsa/pki/private/client.key (client端的RSA私钥)
这几个证书的生成过程如图所示:
CSR生成
ca.crt是需要手动拷贝的,需要从ca.crt的服务器上获取,csr的生成需要:
https://myssl.com/csr_create.html
实际上产生的命令如下:
openssl req -new -SHA256 -newkey rsa:2048 -nodes -keyout mlts.tech.key -out mlts.tech.csr -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=multibeans/OU=ite dept/CN=mlts.tech"
这个命令会生输出:
- mlts.tech.key (PEM格式的私钥)
- mlts.tech.csr (发给CA服务器的CSR)
这里生成CSR必须要私钥信息,因为CSR需要签名信息,公钥信息也会被放置到CSR里面。
服务器CA返回CERT
服务器端(CA服务器)会对CSR文件进行校验,签署,这里模拟CA服务器的命令:
openssl x509 -req -days 365 -in mlts.tech.csr -signkey server.key -out client.crt
服务器需要用自己的server.key对csr进行签名和转换,输出client.crt,然后把client.crt转给client端。有的CA可能为了防攻击还需要申请者提供CA.cert以确保自身的身份需要验证。
curl https://xxx.xxxx.com/cert/sign \
--request POST \
--cert scripts/CA_Client.crt \
--key scripts/CA_Client.key \
--cacert <> \
--header 'Content-Type: application/json' \
--data-raw '{"csr":"'"$str"'"}'
以上是一个CSR请求证书的示例,通过HTTPS做CERT。
4.3.2 PKCS#11
OpenVPN 中通过修改配置来接入 PKCS#11 认证,分别为 pkcs11-providers 、pkcs11-id 属性赋值。libhpkcs11.so 为HSM提供的 PKCS#11 共享库,pkcs11-id 值在使用过程 中通过调用命令openvpn show-pkcs11-help libhpkcs11.so来动态读取。
要配置 OpenVPN 客户端使用 PKCS#11 进行身份验证,您需要执行以下步骤:
安装 PKCS#11 库:首先,需要为硬件令牌安装适当的 PKCS#11 库。您可以查看令牌制造商提供的文档以确定要使用哪个库以及如何将其安装到您的系统上。NXP的令牌就在/usr/lib/libpkcs11.so中。
配置 OpenVPN 以使用 PKCS#11:接下来,需要配置 OpenVPN 以使用 PKCS#11 进行身份验证。这涉及修改 OpenVPN 配置文件以包含适当的 PKCS#11 指令。这是一个示例配置:
client
dev tun
proto udp
remote <server-ip> <server-port>
pkcs11-providers /usr/lib/libpkcs11.so
pkcs11-id '<object-name>'
pkcs11-pin '<pin>'
<cert>
-----BEGIN CERTIFICATE-----
<certificate-data>
-----END CERTIFICATE-----
</cert>
4.3.2.1 remote
需要在host里面添加:120.78.72.155 sz.vehicle.vpn.autox.tech。这个就是remote地址。
4.3.2.2 pkcs11-providers
这个就是PKCS#11的库,NXP的Layerscape的目录是在:/usr/lib/libpkcs11.so
4.3.2.3 pkcs11-id
PKCS#11驱动目前不支持生成密钥的功能。一个密钥对可以通过sobj_app生成。with the identifier of the object containing the private key and certificate on the hardware token.
sobj_app -G -m rsa-pair -s 2048 -l "rsa_gen_2048" -i 1 -w rsa_2048.pem
通过命令来查看:
pkcs11-tool --module /usr/lib/libpkcs11.so --list-objects
4.3.2.4 pkcs11-pin
存在HSM内部的私钥的password,如果有的话需要指定。with the PIN needed to access the token.
4.3.2.5 cert
OpenVPN配置文件中的<cert>标记指的是将用于身份验证的客户端证书。这通常是由OpenVPN服务器配置为信任的CA(证书颁发机构)签署的用户特定证书。当使用PKCS#11进行身份验证时,客户端证书和私钥存储在硬件令牌上,PKCS#11库提供对它们的访问。在OpenVPN配置中,可以在<cert>标签之间包含证书数据,也可以指定包含证书数据的文件的路径。
生成RSA key在HSM中
按照步骤我们先生成一个RSA 2048的key放入HSM,名字就是doge
sobj_app -G -m rsa-pair -s 2048 -l "doge" -i 1 -w doge_fake.pem
同时也生成一个doge_fake.pem文件,该文件并不是真正的私钥,
读出对应的RSA 2048的公钥:
pkcs11-tool --module /usr/lib/libpkcs11.so --read-object --type pubkey --label doge -o doge_public.key
使用openssl接入engine产生CSR
配置openssl
openssl需要配置,在/etc/ssl/openssl.cnf中在文件头部添加:
openssl_conf = openssl_init
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/libpkcs11.so
init = 0
在环境变量中使能配置文件路径:export OPENSSL_CONF=/etc/ssl/openssl.cnf
检测之后,代表pkcs11的engine已经在openssl启动:
使用openssl生成CSR
接下来使用openssl生成CSR:
token的名字通过pkcs11-tool --module /usr/lib/libpkcs11.so --list-token查找,object的名字通过pkcs11-tool --module /usr/lib/libpkcs11.so --list-objects查找。
openssl req -engine pkcs11 -keyform engine -key "pkcs11:token=TEE_BASED_TOKEN;object=doge" -new -out doge.csr
接下来就开始输入CSR的一些信息:
生成了doge.csr
向CA请求csr签名获取证书
根据公司的业务不同,CSR的请求接口形式上可能有差异,但最终公司CA进行核查后,CA 会根据 CSR 中的信息创建服务器证书,使用私钥对其进行签名,然后将证书发送给自己。CA 还会向您发送一个根 CA 证书和一个中间 CA 证书(如果适用)。所以一个CSR可以获取:
- 根CA证书 (从CA网站获取)
- 中间CA证书(如果有的话)
- Client证书
本公司的API使用的https的接口,因此需要为https指定HTTPS的cert、key、ca_cert。bash脚本如下:
# !/bin/bash
echo "[INFO] sync time"
# ntpdate cn.pool.ntp.org && hwclock --systohc
OUT_CERT_NAME=doge_client.cert
readonly CA_CERT_URL="https://dxxxxxxxxxx=pem"
readonly CERT=/root/.client_certs/sign_server.crt
readonly KEY=/root/.client_certs/sign_server.key
# get CA cert
echo "[INFO] Get CA root certificate from HTTPS"
CA_FILE="$(mktemp /tmp/tmp.autox-ca-XXXXXX.crt)"
JSON_FILE="$(mktemp /tmp/tmp.sec-gateway-XXXXXX.json)"
curl -sk "$CA_CERT_URL" -o "$CA_FILE"
if [ $? -eq 0 ]; then
echo "[INFO] get root certificate done!"
else
echo "[ERR] failed on curl -sk "$CA_CERT_URL" -o "$CA_FILE""
exit -1
fi
# pass the CSR text
echo "[INFO] POST the CSR via HTTPS"
CSR=`cat doge.csr`
CSR_JSON=`echo "{}" | jq --arg csr "${CSR}" '{"csr": $csr}'`
echo ${CSR_JSON}
echo "request CA sign"
curl https://xxxxxxxxxxxxxxxxx/cert/sign \
--request POST \
--cert ${CERT} \
--key ${KEY} \
--cacert ${CA_FILE} \
--header "Content-Type: application/json" \
--data-raw "${CSR_JSON}" \
--output temp.json
if [ $? -eq 0 ]; then
echo ""
echo "[INFO] curl client certificate done!"
else
echo ""
echo "[ERR] failed on curl client certificate!"
exit -1
fi
jq ".cert" temp.json | sed -e 's/\\n/\n/g' -e 's/\"//g' > ${OUT_CERT_NAME}
if [ $? -eq 0 ]; then
echo ""
echo "[INFO] transform the cert to pem done| out is ${OUT_CERT_NAME}!"
else
echo ""
echo "[ERR] failed on transform the cert to pem!"
exit -1
fi
cat ${OUT_CERT_NAME}
trap 'rm -fr "$JSON_FILE" "$CA_FILE"' EXIT
rm -rf temp.json
echo "[INFO] Done!"将证书import进入HSM
pkcs11-tool --module /usr/lib/libpkcs11.so --write-object doge_client.cert --type cert --label doge
pkcs11-tool --module /usr/lib/libpkcs11.so -l --pin 123456 --write-object ./doge_client.der --type cert --id 2222
pkcs11-tool --module /usr/lib/libpkcs11.so --write-object ./doge_client.der --type cert --id 8 --label doge
p11tool --provider /usr/lib/libpkcs11.so --list-privkeys
pkcs11-tool --module /usr/lib/libpkcs11.so --pin 123456 --write-object ./dev_key.der --type privkey --id 2222
pkcs11-tool --module /usr/lib/libpkcs11.so --write-object ./doge_client.der --type cert --login --pin "123456" --slot "0" --id "1" --label "doge"
pkcs11-tool --module /usr/lib/libpkcs11.so --write-object doge_client.der --type cert --slot "0" --id "01000000" --label "doge"
p11tool --provider /usr/lib/libpkcs11.so --list-cert
p11tool --provider /usr/lib/libpkcs11.so --list-privKeys
附录:PKCS#11常用操作指南
显示关于cryptoki版本的信息,以及PKCS#11驱动1。
root@localhost:~# pkcs11-tool --module /usr/lib/libpkcs11.so --show-info
关于可用插槽的信息。列出的插槽取决于p11nethsm.conf配置文件中的插槽阵列的配置。
root@localhost:~# pkcs11-tool --module /usr/lib/libpkcs11.so --list-slots
生成密钥,产生一个密钥对并将其存储在VirtualHSM上。
PKCS#11驱动目前不支持这个功能。一个密钥对可以通过nitropy 或REST API请求生成。要了解更多关于如何生成密钥的信息,请参考
生成密钥<../operation.html#generate-key>_ 章。
显示NetHSM上Key Store 中的密钥和证书的信息。
root@localhost:~# pkcs11-tool --module /usr/lib/libpkcs11.so --list-objects
从NetHSM上的Key Store 读取密钥和证书。不可能从NetHSM上读取私钥。
一个密钥对的公钥可以读作如下。
$ pkcs11-tool --module /usr/lib/libpkcs11.so --read-object --type pubkey --label comrsa2048 -o comrsa2048_public.key
一个密钥对的证书可以读作以下内容。
$ pkcs11-tool --module /usr/lib/libpkcs11.so --read-object --type cert --label comrsa2048 -o comrsa2048_public.cert
返回的证书或公钥是ASN.1编码的。这些数据可以用dumpasn1 工具进行解码,因为它包含DER格式的数据。DER格式可以用OpenSSL转换为PEM格式。
将密钥和证书写入NetHSM上的Key Store 。
钥匙对的私钥可以写成如下形:
$ pkcs11-tool --module /usr/lib/libpkcs11.so --write-object secret.key --type privkey --label
一个密钥对的公钥可以写成如下。
$ pkcs11-tool --module p11nethsm.so --write-object public.key --type pubkey --label myFirstKey
一个密钥对的证书可以写成以下样子。
$ pkcs11-tool --module p11nethsm.so --write-object cert.pub --type cert --label myFirstKey
NetHSM可以为存储在NetHSM的Key Store中的私钥签署数据。对于使用RSA和ECDSA密钥的签名,必须先计算出摘要。
要计算一个摘要,首先需要数据。一个信息的创建方法如下。
$ echo 'NetHSM rulez!' | pkcs11-tool --module p11nethsm.so \
--sign \
--mechanism SHA512-RSA-PKCS-PSS \
--output-file sig.data \
--label myFirstKey
创建的签名可以用OpenSSL进行验证,方法如下。
$ echo 'NetHSM rulez!' | openssl dgst -keyform PEM \
-verify public.pem \
-sha512 \
-sigopt rsa_padding_mode:pss \
-sigopt rsa_pss_saltlen:-1 \
-signature sig.data
openssl req -engine pkcs11 -new -key "pkcs11:model=;manufacturer=NXP;serial=1;token=TEE_BASED_TOKEN;id=%01%00%00%00;object=Device_Key3; type=private" -keyform engine -out req.pem -text -x509 -subj "/CN=NXP Semiconductor"
Ref
https://support.pervices.com/application-notes/pvan-7/