Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Extend PKCS11 server example for certificate handling #476

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Extend PKCS11 server example for certificate handling #476

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b76ae36
Update PKCS11 server examples for using a certificate stored with PKC…
ColtonWilley Dec 13, 2024
bdfb8cf
Cleanup formatting and typo
ColtonWilley Dec 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
223 changes: 133 additions & 90 deletions pkcs11/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,126 +16,150 @@ See [PKCS11.md](./PKCS11.md) in this folder.

1. Change to source code directory of SoftHSM version 2

This tool can be found here: https://github.com/opendnssec/SoftHSMv2
This tool can be found here: https://github.com/opendnssec/SoftHSMv2

```
./autogen.sh
./configure --disable-gost
sudo make install
```
```
./autogen.sh
./configure --disable-gost
sudo make install
```

*Note: May need to install pkg-config and libssl-dev*
*Note: May need to install pkg-config and libssl-dev*

2. Change to wolfssl directory

```
./autogen.sh
./configure --enable-pkcs11
make
sudo make install
```
```
./autogen.sh
./configure --enable-pkcs11
make
sudo make install
```

3. Change to wolfssl-examples/pkcs11 directory

```
./mksofthsm2_conf.sh
export SOFTHSM2_CONF=$PWD/softhsm2.conf
```
```
./mksofthsm2_conf.sh
export SOFTHSM2_CONF=$PWD/softhsm2.conf
```

4. Running tests

`softhsm2-util --init-token --slot 0 --label SoftToken`
`softhsm2-util --init-token --slot 0 --label SoftToken`

* Use PIN: cryptoki
* Use User PIN: cryptoki
* Use PIN: cryptoki
* Use User PIN: cryptoki

Use the slot id from the output:

`export SOFTHSM2_SLOTID=<slotid>`
Use the slot id from the output:

Run the examples:
`export SOFTHSM2_SLOTID=<slotid>`

`./softhsm2.sh`
Run the examples:

`./softhsm2.sh`


## Setting up and testing openCryptoki


1. Change to source code directory of openCryptoki

This tool can be found here: https://github.com/opencryptoki/opencryptoki
This tool can be found here: https://github.com/opencryptoki/opencryptoki

```
./bootstrap.sh
./configure
make
```
```
./bootstrap.sh
./configure
make
```

*Note: May need to install flex, bison and openldap-devel [or libldap2-dev]*
*Note: May need to install flex, bison and openldap-devel [or libldap2-dev]*

2. Setup pkcs11 group and put current user into it

```
sudo groupadd pkcs11
sudo usermod -a -G pkcs11 $USER
```
```
sudo groupadd pkcs11
sudo usermod -a -G pkcs11 $USER
```

3. Install library

```
sudo make install
sudo ldconfig /usr/local/lib
```
```
sudo make install
sudo ldconfig /usr/local/lib
```

4. Start the daemon

`sudo /usr/local/sbin/pkcsslotd`
*Note: May need to logout and login to be able to use pkcsconf.*
`sudo /usr/local/sbin/pkcsslotd`

*Note: May need to logout and login to be able to use pkcsconf.*

5. Setup token
```
echo "87654321
SoftToken" | pkcsconf -I -c 3
```
```
echo "87654321
cryptoki
cryptoki" | pkcsconf -P -c 3
```
```
echo "cryptoki
cryptoki
cryptoki" | pkcsconf -u -c 3
```

```
echo "87654321
SoftToken" | pkcsconf -I -c 3
```

```
echo "87654321
cryptoki
cryptoki" | pkcsconf -P -c 3
```

```
echo "cryptoki
cryptoki
cryptoki" | pkcsconf -u -c 3
```

6. Start daemon if not running already:
`sudo /usr/local/sbin/pkcsslotd`

`sudo /usr/local/sbin/pkcsslotd`

7. Build and install wolfSSL

Change to wolfssl directory and run:
Change to wolfssl directory and run:

```
./autogen.sh
./configure --enable-pkcs11
make
sudo make install
```
```
./autogen.sh
./configure --enable-pkcs11
make
sudo make install
```


8. Running tests

Change to wolfssl-examples/pkcs11 directory:

`./opencryptoki.sh`
Change to wolfssl-examples/pkcs11 directory:

`./opencryptoki.sh`

## Setting up and testing wolfPKCS11

1. Change to source code directory of wolfPKCS11

This tool can be found here: https://github.com/wolfSSL/wolfPKCS11

```
./autogen.sh
./configure
make && sudo make install
./examples/init_token
export WOLFPKCS11_DIR=$(pwd)
```

2. Change to wolfssl directory

```
./autogen.sh
./configure --enable-aescfb --enable-cryptocb --enable-rsapss --enable-keygen --enable-pwdbased --enable-scrypt --enable-pkcs11 --enable-debug 'C_EXTRA_FLAGS=-DWOLFSSL_PUBLIC_MP -DWC_RSA_DIRECT -DWOLFSSL_PKCS11_RW_TOKENS'
make
sudo make install
```
It should be noted WOLFSSL_PKCS11_RW_TOKENS is only needed for adding the keys and certs to the store. Once already in the store this is no longer needed.


## TLS Server Example with PKCS #11 (RSA)
## TLS Server Example with SoftHSM (RSA)

The example `server-tls-pkcs11` is a server that uses a private key that has been stored on the PKCS #11 device.

Expand All @@ -145,41 +169,60 @@ Change this to be the id that you set when importing the key.

1. SoftHSM version 2

Import private key:

`softhsm2-util --import ../certs/server-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0001 --label rsa2048`
Import private key:

Enter PIN: cryptoki
`softhsm2-util --import ../certs/server-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0001 --label rsa2048`

Enter PIN: cryptoki

2. Run server and client

`./server-tls-pkcs11 /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki`
`./server-tls-pkcs11 -lib /usr/local/lib/softhsm/libsofthsm2.so -slot $SOFTHSM2_SLOTID -tokenName SoftToken -userPin cryptoki`

From wolfssl root:
`./examples/client/client`
From wolfssl root:
`./examples/client/client`

## TLS Server Example with PKCS #11 (ECC)
## TLS Server Example with SoftHSM (ECC)

The example `server-tls-pkcs11-ecc` is a server that uses a private key that has been stored on the PKCS #11 device.

The id of the private key is two hex bytes: `0x00, 0x01`
The id of the private key is two hex bytes: `0x00, 0x02`

Change this to be the id that you set when importing the key.

1. SoftHSM version 2

Import private key:

`softhsm2-util --import ../certs/ecc-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0002 --label ecp256`
Import private key:

Enter PIN: cryptoki
`softhsm2-util --import ../certs/ecc-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0002 --label ecp256`

Enter PIN: cryptoki

2. Run server and client

`./server-tls-pkcs11-ecc /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki`
`./server-tls-pkcs11-ecc -lib /usr/local/lib/softhsm/libsofthsm2.so -slot $SOFTHSM2_SLOTID -tokenName SoftToken -userPin cryptoki`

From wolfssl root:
`./examples/client/client -A ./certs/ca-ecc-cert.pem`

## TLS Server Example with wolfPKCS11 (RSA)

The example `server-tls-pkcs11` is a server that uses a private key and optionally a certificate that has been stored on the PKCS #11 device.

1. Import Private Key and Certificate
```
cd $WOLFPKCS11_DIR
./examples/add_rsa_key_file -privId "server-rsa2048" -rsa ../certs/server-key.der
./examples/add_cert_file -privId "server-rsa2048-id" -label "server-rsa2048-label" -cert ../certs/server-cert.der
```

2. Run server and client

`WOLFPKCS11_TOKEN_PATH=$WOLFPKCS11_DIR ./server-tls-pkcs11 -lib $WOLFPKCS11_DIR/src/.libs/libwolfpkcs11.so -tokenName wolfpkcs11 -userPin wolfpkcs11-test -privKeyId server-rsa2048 -certId server-rsa2048-id`

From wolfssl root:

From wolfssl root:
`./examples/client/client -A ./certs/ca-ecc-cert.pem`
`./examples/client/client`


## Support
Expand Down
Loading