documentation and sample pkcs11 token

2025-04-04 17:00:11 -05:00 · 2015-02-26 14:18:00 +01:00 · 2015-02-26 14:18:00 +01:00 · 67ef46984f
commit 67ef46984f
parent 89af05898e
5 changed files with 75 additions and 0 deletions
--- a/misc/softhsm-example-token/.gitignore
+++ b/misc/softhsm-example-token/.gitignore
@ -0,0 +1,5 @@
+softhsm.conf
+test.*
+openssl.conf
+config.py
+softhsm.*
--- a/misc/softhsm-example-token/README
+++ b/misc/softhsm-example-token/README
@ -0,0 +1,17 @@
+
+This directory contains a basic setup for testing pkcs11-support. If you get 
+this to work you have a decent chance of using your real HSM or hardware token.
+
+You need the following packages (ubuntu/debian names):
+
+ - libengine-pkcs11-openssl
+ - softhsm
+
+Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
+"secret1". To use this token with osslsigncode try something like this (from this 
+directory):
+
+env SOFTHSM_CONF=`pwd`/softhsm.conf ../../osslsigncode sign \
+   -pkcs11 /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ...
+
+Use 'secret1' as the password at the prompt.
--- a/misc/softhsm-example-token/README-PKCS11
+++ b/misc/softhsm-example-token/README-PKCS11
--- a/misc/softhsm-example-token/gen-token.sh
+++ b/misc/softhsm-example-token/gen-token.sh
@ -0,0 +1,46 @@
+#!/bin/bash
+
+P11_ENGINE=/usr/lib/engines/engine_pkcs11.so
+P11_MODULE=/usr/lib/softhsm/libsofthsm.so
+
+## 
+
+export SOFTHSM_CONF=softhsm.conf
+cat>config.py<<EOF
+DEBUG = True
+SECRET = "secret1"
+PKCS11MODULE = "$P11_MODULE"
+PKCS11PIN = "secret1"
+EOF
+cat>softhsm.conf<<EOF
+0: softhsm.db
+EOF
+cat>openssl.conf<<EOF
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = $P11_ENGINE
+MODULE_PATH = $P11_MODULE
+PIN = secret1
+init = 0
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+EOF
+
+export SOFTHSM_CONF=softhsm.conf
+softhsm --slot 0 --label test --init-token --pin secret1 --so-pin secret2
+pkcs11-tool --module $P11_MODULE -l -k --key-type rsa:2048 --slot 0 --id a1b2 --label test --pin secret1
+pkcs11-tool --module $P11_MODULE -l --pin secret1 -O
+openssl req -new -x509 -subj "/cn=TEST" -engine pkcs11 -config openssl.conf -keyform engine -key a1b2 -passin pass:secret1 -out test.crt
+openssl x509 -inform PEM -outform DER -in test.crt -out test.der
+pkcs11-tool --module $P11_MODULE -l --slot 0 --id a1b2 --label test -y cert -w test.der --pin secret1
--- a/misc/softhsm-example-token/makefile
+++ b/misc/softhsm-example-token/makefile
@ -0,0 +1,7 @@
+all: clean token
+
+clean:
+	@rm -f softhsm.* test.* openssl.conf config.py
+
+token:
+	./gen-token.sh