This project is part of the Luna General Purpose HSMs products suite, and more specifically of the Luna Network HSM product.
This standalone Java application validates a PKC certificate chain built by a Luna Network HSM:
-
It checks the certificate chain against the provided root CA from the trusted source.
-
It checks that any provided Certificate Signing Request (CSR) matches the leaf certificate of the PKC chain.
The Luna root certificate can be retrieved here.
Luna PKCs can be retrieved using the CMU utility, using
-
The Luna Universal Client, and esp.
-
An existing initialized partition
-
The "Crypto Officer" role password.
-
An handle to a private signing key within this partition, as provided by the following kind of command (to be run on the client end, as an administrator/root user; select the slot that represents the existing initialized partition mentionned above if needed, and provide the "Crypto Officer" when requested):
- For a RSA key pair:
cmu generateKeyPair -mech=pkcs -modulusBits=2048 -publicExp=65537 -sign=T -verify=T
- For an ECC key pair:
cmu generateKeyPair -key ECDSA -curveType=3 -sign=T -verify=T
On the client end, as a "Crypto Officer", get the PKC using the handle of the private key created at the previous step (select the slot that represents the existing initialized partition mentionned above if needed, as well as the "Crypto Officer" password, the handle that corresponds to the private key to use and the name of the output file [e.g. 'pkc.p7b'] when requested):
cmu getpkc
A CSR can be created using the following command (select the slot that represents the existing initialized partition mentionned above if needed, and provide the "Crypto Officer" password, as well as the handle that corresponds to the private key to use and the name of the output file [e.g. 'test.csr'] when requested):):
cmu requestcertificate -C=CA -CN=test.com [email protected] -L=Ottawa -O=Thales
Using Maven, with your own development environment including a JDK (11+) and Maven:
mvn clean compile assembly:single
Using Podman:
./build-with-podman.sh
Results are produced in the "target" directory.
The "luna-pkc-validator-1.0.0-jar-with-dependencies.jar" JAR file is a self-sufficient Java archive that contains the validation function and the required dependencies (esp. the BouncyCastle library).
Refer to the usage documentation provided by the tool (running it without any parameter).
java -jar luna-pkc-validator.jar --pkc <pkc-file> {--ca <ca-file> | --req <req-file>}");
--pkc the PKC chain file to check.
--ca the Thales HSM Root CA file.
--req the Certificate Signing Request file.
Note: "luna-pkc-validator.jar" may need to be replaced with something like "luna-pkc-validator-1.0.0-jar-with-dependencies.jar" according to the way the JAR archive is produced by your Maven project.
Once the Luna root certificate(s) and a PKC file have been retrieved (e.g. "pkc.p7b"), the PKC can be checked with the following command:
- For RSA keys:
java -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/rsa-pkc.p7b --ca ./tests/luna-rsa-root-certificate.pem
- For ECC keys:
java -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/ecc-pkc.p7b --ca ./tests/luna-ecc-root-certificate.pem
A client certificate request can be checked with the following command:
- For RSA keys:
java -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/rsa-pkc.p7b --req ./tests/rsa-test.csr
- For ECC keys:
java -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/ecc-pkc.p7b --req ./tests/ecc-test.csr
If you are interested in contributing to this project, please read the Contributing guide.
This software is provided under a permissive license.