ported to SoftHSM2

This commit is contained in:
Michał Trojnara 2018-11-22 08:01:20 +01:00
parent 1f9f8df126
commit bc8e209d6e
4 changed files with 16 additions and 41 deletions


@ -1,6 +1,7 @@
=== 2.0 (2018-xx-xx) === 2.0 (2018-xx-xx)
- ported to OpenSSL 1.1.x - ported to OpenSSL 1.1.x
- ported to SoftHSM2
- add support for pkcs11-based hardware tokens - add support for pkcs11-based hardware tokens
(Patch from Leif Johansson) (Patch from Leif Johansson)
- improved error reporting of timestamping errors - improved error reporting of timestamping errors


@ -1,5 +1,2 @@
softhsm.conf
test.* test.*
openssl.conf
config.py config.py
softhsm.*


@ -11,8 +11,8 @@ Type 'make' to generate a softhsm token with a test-key on id a1b2 with PIN-code
"secret1". To use this token with osslsigncode try something like this (from this "secret1". To use this token with osslsigncode try something like this (from this
directory): directory):
env SOFTHSM_CONF=`pwd`/softhsm.conf ../../osslsigncode sign \ ../../osslsigncode sign \
-pkcs11engine /usr/lib/engines/engine_pkcs11.so \ -pkcs11engine /usr/lib/engines-1.1/pkcs11.so \
-pkcs11module /usr/lib/softhsm/libsofthsm.so -key a1b2 -certs test.crt ... -pkcs11module /usr/lib/libsofthsm2.so -key a1b2 -certs test.crt ...
Use 'secret1' as the password at the prompt. Use 'secret1' as the password at the prompt.


@ -1,46 +1,23 @@
#!/bin/bash #!/bin/bash
P11_ENGINE=/usr/lib/engines/engine_pkcs11.so export MODULE_PATH=/usr/lib/libsofthsm2.so
P11_MODULE=/usr/lib/softhsm/libsofthsm.so
##
export SOFTHSM_CONF=softhsm.conf
cat >config.py <<EOF cat >config.py <<EOF
DEBUG = True DEBUG = True
SECRET = "secret1" SECRET = "secret1"
PKCS11MODULE = "$P11_MODULE" PKCS11MODULE = "$MODULE_PATH"
PKCS11PIN = "secret1" PKCS11PIN = "secret1"
EOF EOF
cat>softhsm.conf<<EOF
0: softhsm.db
EOF
cat>openssl.conf<<EOF
openssl_conf = openssl_def
[openssl_def] # initialize the token
engines = engine_section softhsm2-util --delete-token --token osslsigncode
softhsm2-util --init-token --free --label osslsigncode --pin secret1 --so-pin secret2
[engine_section] # create and print a key pair
pkcs11 = pkcs11_section pkcs11-tool --module $MODULE_PATH -l -k --key-type rsa:2048 --id a1b2 --label test --pin secret1
pkcs11-tool --module $MODULE_PATH -l --pin secret1 -O
[pkcs11_section] # create and print a certificate
engine_id = pkcs11 openssl req -new -x509 -subj "/CN=TEST" -engine pkcs11 -keyform engine -key "pkcs11:token=osslsigncode;object=test;pin-value=secret1" -out test.crt
dynamic_path = $P11_ENGINE
MODULE_PATH = $P11_MODULE
PIN = secret1
init = 0
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
EOF
export SOFTHSM_CONF=softhsm.conf
softhsm --slot 0 --label test --init-token --pin secret1 --so-pin secret2
pkcs11-tool --module $P11_MODULE -l -k --key-type rsa:2048 --slot 0 --id a1b2 --label test --pin secret1
pkcs11-tool --module $P11_MODULE -l --pin secret1 -O
openssl req -new -x509 -subj "/cn=TEST" -engine pkcs11 -config openssl.conf -keyform engine -key a1b2 -passin pass:secret1 -out test.crt
openssl x509 -inform PEM -outform DER -in test.crt -out test.der openssl x509 -inform PEM -outform DER -in test.crt -out test.der
pkcs11-tool --module $P11_MODULE -l --slot 0 --id a1b2 --label test -y cert -w test.der --pin secret1 pkcs11-tool --module $MODULE_PATH -l --id a1b2 --label test -y cert -w test.der --pin secret1
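Review bot: The new script no longer isolates its token store: the removed side exported `SOFTHSM_CONF=softhsm.conf` pointing at a local `softhsm.db`, whereas the new `softhsm2-util --delete-token --token osslsigncode` and `--init-token --free` lines run against whatever SoftHSM2 configuration is active, so on a developer machine they presumably delete and recreate a token in the shared user or system token directory and leave a 2048-bit RSA key there protected by the well-known PIN `secret1`. The script also has no `set -e`, so if `--init-token` fails (for example no free slot) the key generation, `openssl req` and certificate import still run against whatever token matches. I would point SoftHSM2 at a directory inside the test tree via `SOFTHSM2_CONF`, fail fast, and tolerate only the `--delete-token` step, which is expected to fail on a fresh checkout; the new config file and token directory then belong in `.gitignore`. While there, quote `"$MODULE_PATH"` on the `pkcs11-tool` lines and add a comment that `pin-value=secret1` in the PKCS#11 URI is visible in process listings and is acceptable only because this is a throwaway test token; the section's trailing blank lines, if any, are not shown here.
```shell
set -e
export MODULE_PATH=/usr/lib/libsofthsm2.so
# Keep the test token out of the user's or system SoftHSM2 store.
export SOFTHSM2_CONF="$PWD/softhsm2.conf"
mkdir -p "$PWD/tokens"
printf 'directories.tokendir = %s/tokens\n' "$PWD" >"$SOFTHSM2_CONF"
# … unchanged: config.py heredoc …
# initialize the token (delete is expected to fail on a fresh checkout)
softhsm2-util --delete-token --token osslsigncode || true
softhsm2-util --init-token --free --label osslsigncode --pin secret1 --so-pin secret2
# … unchanged: key generation, certificate creation and import …
```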