SAELA (in collaboration with Blia.it)
Test with OpenSSL, SoftHSMv2 and PKCS#11 engine
Create virtual token
Compile and install SoftHSM version 2 (github.com/opendnssec/SoftHSMv2) into /usr/local, or apt install softhsm2
Compile and install OpenSSL version 3 and our PKCS#11 engine from github.com/opensignature/pkcs11engine into /usr/local
Create soft token with:
mkdir -p $HOME/lib/softhsm/tokens
echo "directories.tokendir = $HOME/lib/softhsm/tokens" > $HOME/lib/softhsm/softhsm2.conf
export SOFTHSM2_CONF=$HOME/lib/softhsm/softhsm2.conf
softhsm2-util --init-token --free --label mytoken1 --pin mysecret1 --so-pin mysopin1
Result:
The token has been initialized and is reassigned to slot 1119524181
Create a key pair with pkcs11-tool (a tool provided by the OpenSC project):
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 4142 --label mykey1 --pin mysecret1
Result:
Key pair generated:
Private Key Object; RSA
label: mykey1
ID: 4142
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: mykey1
ID: 4142
Usage: encrypt, verify, wrap
Create certificate [1]:
openssl req -new -x509 -subj "/CN=MyCertTEST" -engine pkcs11 -keyform engine -key "pkcs11:object=mykey1;pin-value=mysecret1" -outform der -out mycert.der
Insert certificate into token:
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --id 4142 --label mycert1 -y cert -w mycert.der --pin mysecret1
Result:
Created certificate:
Certificate Object, type = X.509 cert
label: mycert1
ID: 4142
OpenSSL storeutl command test
List the objects readable without login (no PIN in the URI):
openssl storeutl -engine pkcs11 'pkcs11:'
Result:
0: Name: mykey1
Public Key ID: AB hex: 4142
1: Name: mycert1
Certificate ID: AB hex: 4142
List the readable objects including private keys (login with the PIN given in the URI):
openssl storeutl -engine pkcs11 'pkcs11:pin-value=mysecret1'
Result:
0: Name: mykey1
Public Key ID: AB hex: 4142
1: Name: mycert1
Certificate ID: AB hex: 4142
2: Name: mykey1
Private Key ID: AB hex: 4142
Get the X.509 certificate
openssl storeutl -engine pkcs11 'pkcs11:type=cert;object=mycert1'
Result:
0: Certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Total found: 1
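As an added example (not code from this page or from the pkcs11engine project), the following Python parses pkcs11: URIs of the kind used in these commands according to RFC 7512 and models which token objects each URI selects, reproducing the three storeutl listings above; the token inventory and the lookup rule (private objects only after login with a PIN) are constructed assumptions, and redact_pin shows how to log such a URI without exposing the PIN.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed inventory of the token created above: label, RFC 7512 type, CKA_ID bytes
# (pkcs11-tool printed id 4142 as the ASCII string "AB").
TOKEN_OBJECTS = [
    {"object": "mykey1", "type": "public", "id": b"AB"},
    {"object": "mycert1", "type": "cert", "id": b"AB"},
    {"object": "mykey1", "type": "private", "id": b"AB"},
]
PRIVATE_TYPES = {"private", "secret-key"}  # only visible after C_Login


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into its attributes (RFC 7512).

    Path attributes are separated by ';', query attributes (after '?') by '&';
    values are percent-decoded, and 'id' is decoded to the raw CKA_ID bytes.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parts = [p for p in path.split(";") if p] + [p for p in query.split("&") if p]
    attrs = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep or not name or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def select_objects(uri: str, objects=TOKEN_OBJECTS) -> list:
    """Hypothetical model of the engine lookup: every attribute named in the URI
    must match, and private objects are returned only when the URI carries a PIN."""
    attrs = parse_pkcs11_uri(uri)
    logged_in = "pin-value" in attrs or "pin-source" in attrs
    return [
        obj for obj in objects
        if (logged_in or obj["type"] not in PRIVATE_TYPES)
        and all(attrs.get(k, obj[k]) == obj[k] for k in ("object", "type", "id"))
    ]


def redact_pin(uri: str) -> str:
    """pin-value ends up in shell history and process listings; mask it before
    logging (RFC 7512 pin-source, a file or prompt, avoids the exposure entirely)."""
    return re.sub(r"(pin-value=)[^;&]*", r"\1***", uri)
```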
OpenSSL dgst command test
Sign the SHA-256 digest of the string "hello" with the private key in the token
echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "pkcs11:object=mykey1;pin-value=mysecret1" -out out.sig
Verify the signature with the public key
echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -verify "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -signature out.sig
Result:
Verified OK
OpenSSL pkeyutl command test
Encrypt the string "hello" with the public key
echo "hello" | openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -pubin -encrypt -inkey "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -out textencoded.bin
Decrypt with the private key in the token
openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:type=private;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -in textencoded.bin
Result:
hello
OpenSSL s_client command test
Establish a TLS connection, using the key and certificate in the token, to a server that requires clients to present a valid certificate (client certificate authentication)
echo -en "GET /auth/index.php HTTP/1.1\r\nHost: www.saela.eu\r\n\r\n" | openssl s_client -quiet -connect www.saela.eu:443 -ssl_client_engine pkcs11
Result:
[SSL_CLIENT_I_DN]=CN=TEST [SSL_CLIENT_FINGERPRINT]=4db3a7b407f4298719db1c2d0b2615fb2e33f11b
[1] Add "module-path=/usr/lib/softhsm/libsofthsm2.so" after "pkcs11:" in the URI if MODULE_PATH is not set in openssl.cnf and the PKCS11_MODULE_PATH environment variable is empty
For information, write to us at:
info@saela.eu