@mkontani
Created June 5, 2021 18:20
pkcs11 x openssl on Mac brew

setup

install libs

# install softhsm as pkcs11 token
ᐅ brew install softhsm

# install opensc for communicating with pkcs11
ᐅ brew install opensc

# install OpenSSL from brew, because the macOS default openssl is LibreSSL
ᐅ brew install openssl

# install libp11, which provides the pkcs11 engine (engine_pkcs11)
ᐅ brew install libp11

edit openssl.cnf

# add these sections so that the pkcs11 engine is loaded from the config
ᐅ cat /etc/ssl/openssl.cnf

openssl_conf = openssl_init
...

[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/Cellar/libp11/0.4.11/lib/engines-1.1/libpkcs11.dylib
MODULE_PATH = /usr/local/lib/softhsm/libsofthsm2.so
init = 0

check that the pkcs11 engine is available

ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl engine -t pkcs11
(pkcs11) pkcs11 engine
     [ available ]

store keypair in pkcs11 token (softhsm)

initialize slot

ᐅ softhsm2-util --init-token --slot 0 --label test --pin 123456 --so-pin 123456

# check slot
ᐅ softhsm2-util --show-slots
Available slots:
Slot 1776036428
    Slot info:
        Description:      SoftHSM slot ID 0x69dc2a4c
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:    c20d727169dc2a4c
        Initialized:      yes
        User PIN init.:   yes
        Label:            test

gen keypair

ᐅ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so \
  --pin 123456 --slot 1776036428 --keypairgen --label test --key-type rsa:4096

# check keypair
ᐅ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -OT
Available slots:
Slot 0 (0x69dc2a4c): SoftHSM slot ID 0x69dc2a4c
  token label        : test
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.6
  firmware version   : 2.6
  serial num         : c20d727169dc2a4c
  pin min/max        : 4/255
Public Key Object; RSA 4096 bits
  label:      test
  Usage:      encrypt, verify, wrap
  Access:     local

operate with pkcs11 keypair

# generate self-signed cert with the pkcs11 private key (slot number and label from the token above)
ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl req -x509 -days 365 -subj '/CN=selfsign/' -sha256 \
    -engine pkcs11 -keyform engine -key slot_1776036428-label_test -out test.pem

# generate a CSR signed by the pkcs11 private key
ᐅ OPENSSL_CONF=/etc/ssl/openssl.cnf /usr/local/opt/openssl/bin/openssl req -new -subj '/CN=test/' \
  -sha256 -engine pkcs11 -keyform engine \
  -key slot_1776036428-label_test -out test.csr
engine "pkcs11" set.
Enter PKCS#11 token PIN for test:
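The `-key slot_<id>-label_<object>` specifier above has to match the decimal slot number that `softhsm2-util --show-slots` prints (the hex in the slot description is the same number). As an added example, not part of the gist, here is a small parser that derives that specifier from the show-slots output instead of hard-coding it; the sample output is trimmed from the page, and the `pkcs11:` URI form is the RFC 7512 alternative that libp11 also accepts for `-key`.

```python
import re

# Trimmed copy of the `softhsm2-util --show-slots` output shown above (constructed sample).
SHOW_SLOTS_OUTPUT = """\
Available slots:
Slot 1776036428
    Slot info:
        Description:      SoftHSM slot ID 0x69dc2a4c
        Token present:    yes
    Token info:
        Serial number:    c20d727169dc2a4c
        Initialized:      yes
        Label:            test
"""

def parse_slots(text):
    """Return one dict per slot: decimal id, hex id from the description,
    token label and whether the token has been initialised."""
    slots, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Slot (\d+)$", line.strip())
        if m:
            current = {"id": int(m.group(1)), "hex": None, "label": None, "initialized": False}
            slots.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "Description":
            h = re.search(r"0x([0-9a-fA-F]+)", value)
            current["hex"] = int(h.group(1), 16) if h else None
        elif key == "Label":
            current["label"] = value
        elif key == "Initialized":
            current["initialized"] = value == "yes"
    return slots

def openssl_key_id(slots, label, obj=None):
    """Build the `slot_<id>-label_<obj>` string libp11 expects, looking the slot
    up by token label and refusing a slot whose hex and decimal ids disagree."""
    obj = obj or label
    for s in slots:
        if s["label"] == label and s["initialized"]:
            if s["hex"] is not None and s["hex"] != s["id"]:
                raise ValueError("slot description hex id does not match slot number")
            return f"slot_{s['id']}-label_{obj}"
    raise LookupError(f"no initialised token labelled {label!r}")

def pkcs11_uri(label, obj=None):
    """Equivalent RFC 7512 URI form that libp11 accepts as the -key argument."""
    return f"pkcs11:token={label};object={obj or label};type=private"
```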