SoftHSM + crypki (HSM-backed signer) on macOS with Homebrew

Set up SoftHSM

Install the tools

brew install softhsm opensc

SoftHSM configuration

config file

ᐅ cat /usr/local/Cellar/softhsm/2.6.1/.bottle/etc/softhsm/softhsm2.conf

## SoftHSM v2 configuration file

directories.tokendir = /usr/local/var/lib/softhsm/tokens/
objectstore.backend = file

# ERROR, WARNING, INFO, DEBUG
log.level = ERROR

# If CKF_REMOVABLE_DEVICE flag should be set
slots.removable = false

# Enable and disable PKCS#11 mechanisms using slots.mechanisms.
slots.mechanisms = ALL

# If the library should reset the state on fork
library.reset_on_fork = false

PKCS#11 module path

ᐅ ls /usr/local/lib/softhsm/libsofthsm2.so

Generate a key pair

# initialize the token in slot 0 (this sets the user PIN and the SO PIN)
$ softhsm2-util --init-token --slot 0 --label test --pin 123456 --so-pin 123456

# generate the key pair (use the decimal slot ID assigned at init, here 1776036428 = 0x69dc2a4c)
$ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so --pin 123456 --slot 1776036428 --keypairgen --label test1 --key-type EC:prime384v1

# list token slots (-T) and key objects (-O)
$ pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -OT
Available slots:
Slot 0 (0x69dc2a4c): SoftHSM slot ID 0x69dc2a4c
  token label        : test
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.6
  firmware version   : 2.6
  serial num         : c20d727169dc2a4c
  pin min/max        : 4/255
Slot 1 (0x1): SoftHSM slot ID 0x1
  token state:   uninitialized
Using slot 0 with a present token (0x69dc2a4c)
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   046104cd10b5dd2e22ea9a939123b1bb33a9757e53a45216a85c1c305f8910dabb3720c78a7eeb876aa9fe7fa7fb8aae5875527716015c144fa01217fa77f08b7ed5f41c2837aea0e538d5b7b6a486287401f93c6e304953a19ddb5513acd992f3ec4c
  EC_PARAMS:  06052b81040022
  label:      test1
  Usage:      encrypt, verify, wrap, derive
  Access:     local

# look up the decimal slot number (this is the value crypki expects in SlotNumber)
ᐅ softhsm2-util --show-slots
Available slots:
Slot 1776036428
    Slot info:
        Description:      SoftHSM slot ID 0x69dc2a4c
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes

Set up crypki (signer backed by the HSM)

Install

# build the binary
$ git clone https://github.com/theparanoids/crypki.git && cd crypki
$ go build -o crypki-bin ./cmd/crypki/main.go

# generate the initial certificates
$ ./docker-softhsm/gen-crt.sh

# store the user PIN (set above with --init-token) in a plain-text file; crypki reads it via UserPinPath
echo 123456 > slot_pwd.txt

# write the config file (replace SlotNumber with the value from --show-slots, and the /Users/mkontani/... paths with your own)
$ cat test.conf
{
    "KeyUsages": [
        {
            "Endpoint": "/sig/ssh-user-cert",
            "Identifiers": [
                "ssh-user-key"
            ]
        },
        {
            "Endpoint": "/sig/x509-cert",
            "Identifiers": [
                "x509-key"
            ]
        },
        {
            "Endpoint": "/sig/ssh-host-cert",
            "Identifiers": [
                "ssh-host-key"
            ]
        },
        {
            "Endpoint": "/sig/blob",
            "Identifiers": [
                "sign-blob-key"
            ]
        }
    ],
    "Keys": [
        {
            "Identifier": "ssh-user-key",
            "KeyLabel": "test1",
            "SlotNumber": 1776036428,
            "UserPinPath": "/Users/mkontani/git/github/crypki/slot_pwd.txt"
        },
        {
            "Country": "US",
            "CreateCACertIfNotExist": true,
            "Identifier": "x509-key",
            "KeyLabel": "test1",
            "KeyType": 2,
            "SignatureAlgo": 3,
            "Locality": "Example",
            "Organization": "Example! Inc.",
            "OrganizationalUnit": "Example",
            "SlotNumber": 1776036428,
            "State": "Some-State",
            "UserPinPath": "/Users/mkontani/git/github/crypki/slot_pwd.txt",
            "X509CACertLocation": "/Users/mkontani/git/github/crypki/x509_ca.crt"
        },
        {
            "Identifier": "ssh-host-key",
            "KeyLabel": "test1",
            "SlotNumber": 1776036428,
            "UserPinPath": "/Users/mkontani/git/github/crypki/slot_pwd.txt"
        },
        {
            "Identifier": "sign-blob-key",
            "KeyLabel": "test1",
            "SlotNumber": 1776036428,
            "UserPinPath": "/Users/mkontani/git/github/crypki/slot_pwd.txt"
        }
    ],
    "ModulePath": "/usr/local/lib/softhsm/libsofthsm2.so",
    "TLSCACertPath": "/Users/mkontani/git/github/crypki/tls-crt/ca.crt",
    "TLSClientAuthMode": 4,
    "TLSServerCertPath": "/Users/mkontani/git/github/crypki/tls-crt/server.crt",
    "TLSServerKeyPath": "/Users/mkontani/git/github/crypki/tls-crt/server.key"
}

Run crypki

ᐅ ./crypki-bin -config test.conf -logfile ./server.log

Request a signature

ᐅ curl -s -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/x509-cert/keys/x509-key \
  --data @docker-softhsm/x509_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt \
   | jq -r .cert | openssl x509 -noout -text
   
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:8f:82:b9:37:8c:ff:64:17:7d:e3:47:15:87:6e:87
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, ST=Some-State, L=Example, O=Example! Inc., OU=Example, CN=www.example.com   
        ...