Tiru's Blog: SoftHsm or HSM

This is to explain how to use SoftHsm before you employing HW based one.

Install on Ubuntu 22 LTS

1. Packages you may need pkg-config, autoconf-archive, libssl-dev, libttol, automake,

2. You can compile softhsm by cloning the repo from https://github.com/opendnssec/SoftHSMv2

3. Also clone https://github.com/OpenSC/libp11.git or you can do "sudo at install opensc-pkcs11"

4. Install "sudo apt install pkcs11-tool"

5. You should have /usr/lib/aarch64-linux-gnu/opensc-pkcs11.so ,

pkcs11-tool --module /PATH-TO/libsofthsm2.so -M

Configuring

My /etc/softhsm2.conf looks like below.

# SoftHSM v2 configuration file
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = ERROR
# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false
# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL
# If the library should reset the state on fork
library.reset_on_fork = false

PKCS11-TOOL usage

Init token

tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ softhsm2-util --init-token --slot 1 --label rsa2k
=== SO PIN (4-255 characters) ===
Please enter SO PIN: ****. #1234
Please reenter SO PIN: ****
=== User PIN (4-255 characters) ===
Please enter user PIN: ****. #1234
Please reenter user PIN: ****
The token has been initialized and is reassigned to slot 1688066487

Mechanism supported:

pkcs11-tool --module /PATH-TO/libsofthsm2.so -M

List slots:

marri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ softhsm2-util --show-slots
Available slots:
Slot 1688066487
Slot info:
Description: SoftHSM slot ID 0x649dd9b7
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: d83cf3bae49dd9b7
Initialized: yes
User PIN init.: yes
Label: rsa2k
Slot 1842849688
Slot info:
Description: SoftHSM slot ID 0x6dd7a798
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number: 45a1db9eedd7a798
Initialized: yes
User PIN init.: yes
Label: Key pairs
Slot 2
Slot info:
Description: SoftHSM slot ID 0x2
Manufacturer ID: SoftHSM project
Hardware version: 2.6
Firmware version: 2.6
Token present: yes
Token info:
Manufacturer ID: SoftHSM project
Model: SoftHSM v2
Hardware version: 2.6
Firmware version: 2.6
Serial number:
Initialized: no
User PIN init.: no
Label:

Initialize the default slot which is not initialized yet

pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --init-token --slot 2 --label tiru

Reinitialize token

pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token mytoken -O

Initialize uer PIN

pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token mytoken -O

List objects under given token

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l -p 1234 --token rsa2k --list-objects
Private Key Object; EC
label: rsa2k_1
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Private Key Object; RSA
label: rsa2k
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Private Key Object; RSA
label:
ID: 04
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label:
ID: 04
Usage: encrypt, verify, wrap
Access: local
Private Key Object; EC
label:
ID: 01
Usage: decrypt, sign, unwrap, derive
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441047c81112f21306d74170e17f967b917239f3ac3ba31fceac4828277f58b169bc7b1749ecce889071f8bff64fb4908975f707faaf06ccc806508e99610a4656257
EC_PARAMS: 06082a8648ce3d030107
label:
ID: 01
Usage: encrypt, verify, wrap, derive
Access: local
Private Key Object; RSA
label: tiru
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2028 bits
label: rsa2k
Usage: encrypt, verify, wrap
Access: local
Private Key Object; RSA
label: rsa2k
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2028 bits
label: rsa2k
Usage: encrypt, verify, wrap
Access: local
Public Key Object; RSA 2028 bits
label: tiru
Usage: encrypt, verify, wrap
Access: local
Private Key Object; RSA
label: tiru
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 384 bits
EC_POINT: 046104c613a092e7a1ea66a566813876c195e0cae17715c0ff6c56fb2f0b6ffe909991f43cf31bdfa2b5423c423c368a9c1431c70492d4694281021cece83e5faf734cbc43c92371903976f049ca3d212cad8e9a51d9657256b12094992aca1fcc17c3
EC_PARAMS: 06052b81040022
label: rsa2k_1
ID: 01
Usage: encrypt, verify, wrap
Access: local
Public Key Object; RSA 2028 bits
label: tiru
Usage: encrypt, verify, wrap
Access: local

Keygen

Using pkcs11-tool

tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -L
Available slots:
Slot 0 (0x649dd9b7): SoftHSM slot ID 0x649dd9b7
token label : rsa2k
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : d83cf3bae49dd9b7
pin min/max : 4/255
Slot 1 (0x6dd7a798): SoftHSM slot ID 0x6dd7a798
token label : Key pairs
token manufacturer : SoftHSM project
token model : SoftHSM v2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 2.6
firmware version : 2.6
serial num : 45a1db9eedd7a798
pin min/max : 4/255
Slot 2 (0x2): SoftHSM slot ID 0x2
token state: uninitialized

Example dumping key object info for the given slot "0x649dd9b7" :

pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -O --slot 0x649dd9b7

Roles

There is User and SO role exist per slot. When ever new slot created and being initialized you will be asked to create PIN for both roles.

Keygen

tmarri@tiru:~/src/crypto/hsm/softhsm-2.6.1$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --token-label rsa2k --login --pin 1234 --keypairgen --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp384r1 --usage-sign --label rsa2k_1 --id 1
Key pair generated:
Private Key Object; EC
label: rsa2k_1
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 384 bits
EC_POINT: 046104c613a092e7a1ea66a566813876c195e0cae17715c0ff6c56fb2f0b6ffe909991f43cf31bdfa2b5423c423c368a9c1431c70492d4694281021cece83e5faf734cbc43c92371903976f049ca3d212cad8e9a51d9657256b12094992aca1fcc17c3
EC_PARAMS: 06052b81040022
label: rsa2k_1
ID: 01
Usage: encrypt, verify, wrap
Access: local

Generate EC keypair

tmarri@tiru:/usr$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --login --login-type user --keypairgen --id 1 --key-type EC:prime256v1
Using slot 0 with a present token (0x649dd9b7)
Logging in to "rsa2k".
Please enter User PIN: <<1234
Key pair generated:
Private Key Object; EC
label:
ID: 01
Usage: decrypt, sign, unwrap, derive
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 0441047c81112f21306d74170e17f967b917239f3ac3ba31fceac4828277f58b169bc7b1749ecce889071f8bff64fb4908975f707faaf06ccc806508e99610a4656257
EC_PARAMS: 06082a8648ce3d030107
label:
ID: 01
Usage: encrypt, verify, wrap, derive
Access: local

Generate RSA keypair

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --login --login-type user --keypairgen --id 4 --key-type rsa:2048
Using slot 0 with a present token (0x649dd9b7)
Logging in to "rsa2k".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label:
ID: 04
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
label:
ID: 04
Usage: encrypt, verify, wrap
Access: local

Sign using Asymmetric key

Step1: Generate hash of your file

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --token-label rsa2k --hash --mechanism SHA256 --input-file data.txt --output-file data.hash
Using digest algorithm SHA256

Step2 : Sign the data.hash to data_ec.sign or data_rsa.sign

RSA:

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --slot 0x649dd9b7 -m RSA-PKCS --sign --id 4 -i data.hash -o data_rsa.sig
Logging in to "rsa2k".
Please enter User PIN:
Using signature algorithm RSA-PKCS

tmarri@tiru:~/src/crypto/hsm/data$ ls -l data_rsa.sig
-rw------- 1 tmarri tmarri 256 May 5 11:24 data_rsa.sig

ECDSA:

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so --slot 0x649dd9b7 -m ECDSA --sign --id 1 -i data.txt -o data_ec.sig
Logging in to "rsa2k".
Please enter User PIN:
Using signature algorithm ECDSA
tmarri@tiru:~/src/crypto/hsm/data$ ls -l data_ec.sig
-rw------- 1 tmarri tmarri 96 May 5 11:26 data_ec.sig

Verify :

marri@tiru:~/src/crypto/hsm/data$ cat sign.sh
LIB='/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so'
LIB='/home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so'
echo test > myfile

softhsm2-util --init-token --label mytoken --free --pin 0000 --so-pin 1234
pkcs11-tool --module $LIB --token-label mytoken --login --pin 0000 --keypairgen --key-type EC:prime256v1 --usage-sign --label mykey
pkcs11-tool --module $LIB --token-label mytoken --label mykey --read-object --type pubkey --output mykey.pub

pkcs11-tool --module $LIB --token-label mytoken --hash --mechanism SHA256 --input-file myfile --output-file myfile.hash
pkcs11-tool --module $LIB --token-label mytoken --login --pin 0000 --label mykey --sign --mechanism ECDSA --signature-format openssl --input-file myfile.hash --output-file myfile.sig

openssl dgst -sha256 -verify mykey.pub -keyform DER -signature myfile.sig myfile

marri@tiru:~/src/crypto/hsm/data$ ./sign.sh
Slot 3 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 298546351
Key pair generated:
Private Key Object; EC
label: mykey
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 044104aecaa2492cd3dd6f6dfdaedc1e4b07108dd61be1f6001e830954f57712613bdb38f720ba20489584d96fe212579e2641b0452777dfce8723ead583e6fd2de64b
EC_PARAMS: 06082a8648ce3d030107
label: mykey
Usage: encrypt, verify, wrap
Access: local
Using digest algorithm SHA256
Using signature algorithm ECDSA
Verified OK

Integrate with Openssl

Edit sudo /etc/ssl/openssl.cnf, with following changes . You can refer to my openssl.cnf

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/aarch64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so
init = 0

create this file structure

mkdir certs private crl csr newcerts
chmod 400 private
/home/tmarri/src/crypto/hsm/data$ find . -type d../csr./certs./private./crl./newcertsCreate these two files
1. $touch index.txt
2. $echo 1000 > serial

Also make sure you modify the /etc/ssl/openssl.cnf file with apprporiate changes to

[ CA_default ]
dir = /home/tmarri/src/crypto/hsm/data # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/certs/root.ca.cert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert

Create X509 certifiati using key in slot-2and rsa2k

URI : 'pkcs11:model=SoftHSM%20v2;token=rsa2k;object=rsa2k_1;pin-value=1234'

marri@tiru:~$ openssl req -engine pkcs11 -new -keyform engine -key 'pkcs11:model=SoftHSM%20v2;token=rsa2k;object=rsa2k_1;pin-value=1234' -x509 -subj "/CN=Tirumala Marri"
Engine "pkcs11" set.
-----BEGIN CERTIFICATE-----
MIIBxTCCAUqgAwIBAgIUGhIL9syLPIio2Xz3s+24etWBJiEwCgYIKoZIzj0EAwIw
GTEXMBUGA1UEAwwOVGlydW1hbGEgTWFycmkwHhcNMjMwNTA0MDIyOTM1WhcNMjMw
NjAzMDIyOTM1WjAZMRcwFQYDVQQDDA5UaXJ1bWFsYSBNYXJyaTB2MBAGByqGSM49
AgEGBSuBBAAiA2IABMYToJLnoepmpWaBOHbBleDK4XcVwP9sVvsvC2/+kJmR9Dzz
G9+itUI8Qjw2ipwUMccEktRpQoECHOzoPl+vc0y8Q8kjcZA5dvBJyj0hLK2OmlHZ
ZXJWsSCUmSrKH8wXw6NTMFEwHQYDVR0OBBYEFC8Q6/Yzh9vu5Gob9BR9aItvL9Gx
MB8GA1UdIwQYMBaAFC8Q6/Yzh9vu5Gob9BR9aItvL9GxMA8GA1UdEwEB/wQFMAMB
Af8wCgYIKoZIzj0EAwIDaQAwZgIxAKgJywUNdS7tzcHp3ZmjFj/iua+Q+a2xCo5R
Y/tRpGr/9mcl16t5kLuw8zyKoRAfswIxAPTe3mpX6dXt0xz4ZMXpI5b5ucLNB6vI
OhC6Yfc57LsZOYhFCJwi9es3FTLOKJhysQ==
-----END CERTIFICATE-----

Build own CA

1. Create directory structure

1. Generate keys

2. Gerate CRT

tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l --keypairgen --key-type rsa:4096 --id 01 --label "SSL Root CA 01"
Using slot 0 with a present token (0x11cb74af)
Logging in to "mytoken".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: SSL Root CA 01
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: SSL Root CA 01
ID: 01
Usage: encrypt, verify, wrap
Access: local

tmarri@tiru:~/src/crypto/hsm/data$
tmarri@tiru:~/src/crypto/hsm/data$
tmarri@tiru:~/src/crypto/hsm/data$ pkcs11-tool --module /home/tmarri/src/crypto/hsm/softhsm-2.6.1/src/lib/.libs/libsofthsm2.so -l --keypairgen --key-type rsa:4096 --id 02 --label "SSL Root CA 01"
Using slot 0 with a present token (0x11cb74af)
Logging in to "mytoken".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
label: SSL Root CA 01
ID: 02
Usage: decrypt, sign, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 4096 bits
label: SSL Root CA 01
ID: 02
Usage: encrypt, verify, wrap
Access: local

Generate root CS using key 01:

openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 298546351:01 -out certs/root.ca.cert.pem

tmarri@tiru:~/src/crypto/hsm/data$ openssl req -new -x509 -days 7300 -sha512 -extensions v3_ca -engine pkcs11 -keyform engine -key 'pkcs11:model=SoftHSM%20v2;token=mytoken;object=SSL Root CA 01;pin-value=1234' -out certs/root.ca.cert.pem

Engine "pkcs11" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
California [California]:
xxx []:San jOse
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxxx
Organizational Unit Name (eg, section) []:SW
Common Name (e.g. server FQDN or YOUR name) []:Tirumala
Email Address []:xxxx@xxxx.com

tmarri@tiru:~/src/crypto/hsm/data$ openssl x509 -in certs/root.ca.cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
23:d6:08:5a:60:69:e8:8d:00:fd:6d:e1:3a:0e:e5:cd:65:d0:4a:b2
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Validity
Not Before: May 12 18:56:30 2023 GMT
Not After : May 7 18:56:30 2043 GMT
Subject: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b3:fc:57:ca:fa:32:c3:49:08:af:77:4d:d3:0e:
0f:c7:ce:ff:be:0e:6a:be:da:e5:1b:54:0a:2d:c3:
4a:6f:38:52:cd:57:b2:27:4f:fb:0f:c2:ef:c6:bb:
be:b0:d8:dc:40:80:57:f3:c0:25:c8:3d:38:b6:61:
32:4e:16:82:22:8a:d8:1a:cc:bf:e8:f9:e2:89:cc:
f9:d0:f4:f4:bb:bd:a1:91:ba:df:a3:d2:c0:03:df:
63:df:8b:ef:be:61:6e:a7:2e:c6:f1:33:21:e0:f0:
97:65:3a:b4:1f:a0:ee:2f:dd:ce:d3:22:7e:b0:5c:
3f:bb:5c:f9:43:fa:30:b5:b8:f6:76:f2:3e:52:15:
77:28:66:89:c8:fb:52:ae:e5:23:d9:b5:d1:12:61:
08:68:76:ef:46:a9:ae:c7:bd:81:a0:a7:24:5d:b7:
a5:3b:a4:f8:c6:b2:10:1f:19:47:7b:37:3b:2b:57:
c0:0b:87:44:e0:a4:10:fc:10:aa:9f:15:b2:f2:b4:
07:94:2e:42:a4:04:a6:09:37:bb:75:d5:00:85:a5:
64:2d:07:d7:51:4a:4b:86:fd:3c:e1:cc:c6:d9:5b:
1d:ee:78:99:bc:d2:62:6b:82:3a:df:8b:a5:b2:a9:
6a:25:4f:e1:b6:60:5c:2a:69:43:31:7a:a2:25:8b:
94:5f:33:1c:eb:21:fe:10:b6:43:ee:43:f2:ba:89:
f0:ea:f3:3a:4f:c1:29:42:52:b5:bf:4c:51:9c:cd:
84:c6:43:fd:8d:36:ee:68:6c:d7:bf:31:94:c0:f4:
ee:29:0b:02:40:17:33:f0:e3:e5:33:4b:ef:f2:f4:
91:87:14:3d:61:74:ed:55:df:12:ab:d8:ab:38:8c:
3f:89:fa:bf:f3:c3:80:7c:1a:08:6c:c6:f0:11:55:
1e:fa:88:be:b4:2a:68:96:78:83:ba:5d:90:4c:e3:
64:56:d6:a4:67:c9:90:62:af:41:07:1e:6a:ab:42:
be:10:5a:05:19:5c:d2:37:fa:f2:9e:fe:f7:11:86:
c7:36:db:e7:3a:c2:6c:db:85:31:21:ad:47:5f:d7:
f1:17:fd:75:35:cc:b6:a2:23:6e:02:b5:1c:42:01:
ce:6a:aa:20:d2:5e:1e:24:c5:2f:68:6b:63:2e:3c:
54:88:eb:98:7a:d1:90:03:25:09:17:2e:f2:4a:54:
6c:54:89:d6:4e:8e:4d:11:98:38:fd:a0:e3:a1:5f:
f4:6d:68:a8:f7:af:40:5c:9b:05:91:92:c9:1d:6f:
27:cf:9f:9a:07:de:80:68:b4:0a:b4:ed:96:7f:fb:
61:e6:50:9c:0e:28:b3:ac:04:59:14:25:1d:02:17:
03:73:5d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Authority Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha512WithRSAEncryption
Signature Value:
63:a4:52:15:e4:9a:93:b2:32:80:6f:f5:29:74:37:f2:85:5f:
4d:a1:40:45:65:a1:c6:f7:7f:72:d4:47:09:87:84:81:c3:c1:
86:7f:7e:82:46:13:63:ed:05:54:2a:5f:47:a6:ca:48:5d:2d:
71:fc:bc:8e:e7:19:f8:63:1d:05:70:7a:34:de:bf:f0:38:e1:
c2:74:35:30:83:1a:fc:e4:10:c7:c2:fa:fe:fc:ab:6b:c7:e5:
0d:12:16:a1:d9:b3:14:b7:c0:25:ae:41:1f:27:53:55:52:32:
85:e7:73:f8:ab:80:be:f3:9f:66:1c:81:27:17:e4:69:51:58:
8e:e6:fa:b8:6f:2d:e9:d3:77:98:7b:3d:ea:25:8a:16:41:3a:
11:3e:83:88:36:c9:2b:d3:7f:bc:c2:c2:62:29:d9:05:bd:66:
50:3d:81:9a:b8:04:e8:c9:92:04:84:ac:1f:41:ba:b6:11:94:
07:98:b1:aa:01:e7:97:3d:d3:df:62:fa:3e:62:6f:98:66:b0:
dd:1d:11:c3:38:d9:5b:bf:ec:30:09:e3:8c:e9:51:62:19:00:
43:83:16:e8:1b:86:e5:19:4d:14:96:87:cf:c5:f4:94:be:f0:
98:24:2d:72:de:5d:ec:2f:75:f2:f8:7d:b8:33:3a:f9:8e:51:
08:c4:54:1e:39:3c:43:9b:9e:e7:2b:f5:09:17:4d:4c:82:1d:
e1:53:62:5e:dc:61:e8:40:dc:03:84:9b:2b:40:43:98:e9:9d:
78:bb:a9:74:38:f8:9b:44:f0:8f:8f:d8:c4:4f:b7:27:b2:07:
86:d2:dc:45:a1:b5:bf:47:fd:71:eb:35:06:99:e4:38:c9:e8:
1b:12:54:db:05:b2:52:ea:63:a8:a9:72:18:15:97:a0:93:0c:
ec:2f:b4:a0:8a:31:77:64:e4:3b:43:04:ce:b4:86:d1:73:dc:
25:82:0a:b1:b6:ec:99:72:02:48:97:bb:6a:a2:d9:5f:f2:6d:
5a:d7:68:f7:21:a5:d3:83:f6:fb:bb:aa:e3:06:78:3e:8d:1c:
50:79:5e:65:10:7f:d8:19:bf:af:59:33:18:3a:34:3c:49:22:
57:bf:8f:9f:07:d9:21:3c:8d:82:c2:d2:17:f7:21:ba:ca:95:
1f:61:0b:0b:27:0f:00:03:87:12:7a:bf:b5:37:27:f7:3e:85:
54:fd:f2:0a:d7:dd:eb:6e:c0:7f:c4:a0:33:6d:43:5a:8d:45:
d9:48:1b:fa:9b:e0:7d:e0:ac:5b:f0:38:d9:e8:73:a9:f1:f6:
fc:c4:9f:c5:65:4d:28:5d:26:14:11:61:46:61:72:30:3e:50:
78:f0:66:75:a8:cd:46:78

Create secondary cert with second key

tmarri@tiru:~/src/crypto/hsm/data$ openssl req -engine pkcs11 -keyform engine -key 298546351:02 -new -sha512 -out csr/issue.ca.csr
Engine "pkcs11" set.
Enter PKCS#11 token PIN for mytoken:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
California [California]:
Saratoga []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:SW
Common Name (e.g. server FQDN or YOUR name) []:Tiru
Email Address []:tiru@tiru.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:

Sign with root CA:

tmarri@tiru:~/src/crypto/hsm/data$ openssl ca -engine pkcs11 -keyform engine -keyfile 298546351:01 -extensions v3_intermediate_ca -days 3650 -notext -md sha512 -in csr/issue.ca.csr -out certs/issue.ca.cert.pem
Engine "pkcs11" set.
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PKCS#11 token PIN for mytoken:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4096 (0x1000)
Validity
Not Before: May 12 19:41:54 2023 GMT
Not After : May 9 19:41:54 2033 GMT
Subject:
countryName = US
stateOrProvinceName = California
organizationName = Internet Widgits Pty Ltd
organizationalUnitName = SW
commonName = Tiru
emailAddress = tiru@tiru.com
X509v3 extensions:
X509v3 Subject Key Identifier:
33:D2:7A:9B:39:2D:9D:47:4F:19:40:91:D6:B0:58:EE:77:44:D1:8B
X509v3 Authority Key Identifier:
BD:18:E1:B1:B0:E1:6B:94:9F:69:42:C1:FB:7D:23:56:CD:30:31:E6
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until May 9 19:41:54 2033 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

combine cert chain & verify

tmarri@tiru:~/src/crypto/hsm/data$ cat certs/issue.ca.cert.pem certs/root.ca.cert.pem > certs/spki.cert.pem

tmarri@tiru:~/src/crypto/hsm/data$ openssl x509 -in certs/spki.cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4096 (0x1000)
Signature Algorithm: sha512WithRSAEncryption
Issuer: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Validity
Not Before: May 12 19:41:54 2023 GMT
Not After : May 9 19:41:54 2033 GMT
Subject: C = US, ST = California, O = Internet Widgits Pty Ltd, OU = SW, CN = Tiru, emailAddress = tiru@tiru.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:9f:23:5b:fb:6c:66:b4:ec:72:ec:a5:ed:69:ba:
92:d5:78:34:47:d8:13:f8:0b:09:7b:ed:0f:2b:1a:

-------------

p11tool list all certs

marri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d83cf3bae49dd9b7;token=rsa2k
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=45a1db9eedd7a798;token=Key%20pairs
pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=a70324c3fd3e0fc4;token=tiru

tmarri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-all 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken'
Object 0:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Label: mytoken
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID: 01

Object 1:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Label: mytoken
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID: 01

Object 2:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Label: mytoken
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID: 01

Object 3:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=SSL%20Root%20CA%2001;type=public
Type: Public key (RSA-4096)
Label: SSL Root CA 01
Flags: CKA_WRAP/UNWRAP;
ID: 01

Object 4:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%02;object=SSL%20Root%20CA%2001;type=public
Type: Public key (RSA-4096)
Label: SSL Root CA 01
Flags: CKA_WRAP/UNWRAP;
ID: 02

Object 5:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;type=cert
Type: X.509 Certificate
Label:
ID:

Object 6:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken;id=%01;object=mytoken;type=cert
Type: X.509 Certificate (RSA-4096)
Expires: Tue May 5 13:35:14 2043
Label: mytoken
Flags: CKA_CERTIFICATE_CATEGORY=CA; CKA_TRUSTED;
ID: 01

Write cert to HSM:

pkcs11-tool -l --pin '1234' --module /usr/local/lib/softhsm/libsofthsm2.so --write-object certs/root.ca.cert.pem --type cert --label mytoken

List private objects with p11tool:

tmarri@tiru:~/src/crypto/hsm/data$ p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --list-tokens
Token 0:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken
	Label: mytoken
	Type: Generic token
	Flags: RNG, Requires login
	Manufacturer: SoftHSM project
	Model: SoftHSM v2
	Serial: b654d88b91cb74af
	Module: 


Token 1:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d83cf3bae49dd9b7;token=rsa2k
	Label: rsa2k
	Type: Generic token
	Flags: RNG, Requires login
	Manufacturer: SoftHSM project
	Model: SoftHSM v2
	Serial: d83cf3bae49dd9b7
	Module: 


Token 2:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=45a1db9eedd7a798;token=Key%20pairs
	Label: Key pairs
	Type: Generic token
	Flags: RNG, Requires login
	Manufacturer: SoftHSM project
	Model: SoftHSM v2
	Serial: 45a1db9eedd7a798
	Module: 


Token 3:
	URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=a70324c3fd3e0fc4;token=tiru
	Label: tiru
	Type: Generic token
	Flags: RNG, Requires login, uPIN uninitialized
	Manufacturer: SoftHSM project
	Model: SoftHSM v2
	Serial: a70324c3fd3e0fc4
	Module:

p11tool --provider /usr/local/lib/softhsm/libsofthsm2.so --login --list-all 'pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b654d88b91cb74af;token=mytoken'

Useful Links

https://github.com/mylamour/blog/issues/80

https://www.ssltrust.com/help/setup-guides/internal-pki-openssl-nitrokey-hsm

Tiru's Blog

Pages

Wednesday, May 3, 2023

SoftHsm howto

Install on Ubuntu 22 LTS

Configuring

PKCS11-TOOL usage

Keygen

Roles

Keygen

Integrate with Openssl

Labels

About Me

Pages

Labels

Favorites

Followers