@tiran
Created August 22, 2018 10:39
NitroHSM support for Dogtag
/* polkit rule to allow 'pkiuser' to access NitroHSM PCSC interface
 *
 * file name: /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules
 *
 * Resources:
 * - https://access.redhat.com/blogs/766093/posts/1976313
 * - https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html
 *
 * Installation:
 * # dnf install opensc pcsc-lite pcsc-tools
 * # cp 99-pkiuser-pcsc.rules /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules
 *
 * Verify access to NitroHSM:
 * # pcsc_scan
 * # sudo -u pkiuser -- opensc-tool --list-readers
 * # sudo -u pkiuser -- pkcs11-tool --list-slots
 *
 * Reset NitroHSM (WARNING: deletes all objects):
 * # sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 1234567
 *
 * Install FreeIPA:
 * # ipa-server-install --hsm-enable --hsm-libfile=/usr/lib64/opensc-pkcs11.so --hsm-modulename=nitrohsm --token-name='UserPIN (SmartCard-HSM)' --token-password=1234567
 *
 */

// Let pkiuser connect to the pcscd daemon at all.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});

// Let pkiuser open a card, but only when it sits in a Nitrokey HSM reader;
// cards in any other reader keep pcsc-lite's default policy.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
        subject.user == "pkiuser") {
        return polkit.Result.YES;
    }
});
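To check offline that these two rules grant exactly the intended access and nothing more, here is an added example (not part of the gist): a small Node.js stand-in for polkit's rule engine that loads the two rules above unchanged and evaluates constructed requests against them. The `polkit` stub, `makeAction`, `evaluate`, `checkRules` and the non-Nitrokey reader name are assumptions of this example; only the rule bodies and the HSM reader name come from the gist.

```javascript
// Added example, not part of the gist: a minimal stand-in for the polkit
// JavaScript rule engine so the two rules from 99-pkiuser-pcsc.rules can be
// exercised offline (e.g. in CI) before they are dropped into
// /etc/polkit-1/rules.d/. The rule bodies are copied from the gist; the
// polkit stub, the sample subjects and the second reader name are constructed.

const rules = [];

// Stub of the globals polkitd exposes to rules files. polkitd calls the
// registered functions in order and uses the first defined return value;
// this stub reproduces only that part of the contract.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule(fn) { rules.push(fn); },
};

// An action object shaped like polkit's: an id plus lookup() over the
// detail key/value pairs the requesting daemon attaches (pcscd attaches
// the reader name under "reader" for access_card).
function makeAction(id, details = {}) {
  return { id, lookup: (key) => details[key] };
}

// --- the two rules from the gist, unchanged ---
polkit.addRule(function(action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
      subject.user == "pkiuser") {
    return polkit.Result.YES;
  }
});
polkit.addRule(function(action, subject) {
  if (action.id == "org.debian.pcsc-lite.access_card" &&
      action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") &&
      subject.user == "pkiuser") {
    return polkit.Result.YES;
  }
});

// Evaluate one request the way polkitd would: the first rule that returns
// a defined result decides. When no rule handles the request, polkitd falls
// back to the implicit authorization in pcsc-lite's .policy file; the string
// "fallback" marks that case here (i.e. not granted by these rules).
function evaluate(action, subject) {
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "fallback";
}

// Constructed sample requests: the HSM reader name is the one from the
// gist's pkcs11-tool output; the other reader name is made up.
const HSM_READER = "Nitrokey Nitrokey HSM (010000000000000000000000) 00 00";
const OTHER_READER = "Generic USB Smart Card Reader 00 00";
const ACCESS_PCSC = "org.debian.pcsc-lite.access_pcsc";
const ACCESS_CARD = "org.debian.pcsc-lite.access_card";

const SAMPLE_REQUESTS = [
  { who: { user: "pkiuser" }, action: makeAction(ACCESS_PCSC), want: "yes" },
  { who: { user: "apache" },  action: makeAction(ACCESS_PCSC), want: "fallback" },
  { who: { user: "pkiuser" }, action: makeAction(ACCESS_CARD, { reader: HSM_READER }), want: "yes" },
  { who: { user: "pkiuser" }, action: makeAction(ACCESS_CARD, { reader: OTHER_READER }), want: "fallback" },
  { who: { user: "apache" },  action: makeAction(ACCESS_CARD, { reader: HSM_READER }), want: "fallback" },
];

// Run every sample request and return the list of mismatches (empty when
// the rules grant exactly the intended access).
function checkRules(requests = SAMPLE_REQUESTS) {
  return requests
    .map((r) => ({ ...r, got: evaluate(r.action, r.who) }))
    .filter((r) => r.got !== r.want)
    .map((r) => `${r.who.user} ${r.action.id}: got ${r.got}, want ${r.want}`);
}

const mismatches = checkRules();
console.log(mismatches.length === 0 ? "rules OK" : mismatches.join("\n"));
```

Run it with `node`; it prints `rules OK` when every sample request gets the expected result. The fourth sample is the one worth keeping around: it confirms that pkiuser is not granted cards in other readers, which is the reason the second rule matches on the reader prefix and not only on the user.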
@tiran (author) commented Aug 22, 2018

slots

# pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
  token label        : UserPIN (SmartCard-HSM)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 2.5
  serial num         : DENK0101221
  pin min/max        : 6/15

objects

# pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      caSigningCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=Certificate Authority
  ID:         fe170f0b2ac7f260075fe3186e80408c80b49d68
Public Key Object; RSA 2048 bits
  label:      caSigningCert cert-pki-ca
  ID:         fe170f0b2ac7f260075fe3186e80408c80b49d68
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      ocspSigningCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=OCSP Subsystem
  ID:         f4a7c7a4a42d9cfaf24103b5cfd7f3966b0ccd53
Public Key Object; RSA 2048 bits
  label:      ocspSigningCert cert-pki-ca
  ID:         f4a7c7a4a42d9cfaf24103b5cfd7f3966b0ccd53
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      subsystemCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=CA Subsystem
  ID:         bc75f0e96c231c7129dbde01d545437143007d2e
Public Key Object; RSA 2048 bits
  label:      subsystemCert cert-pki-ca
  ID:         bc75f0e96c231c7129dbde01d545437143007d2e
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      auditSigningCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=CA Audit
  ID:         b0354aef0957809636e1d39bae8d7a36f89b0823
Public Key Object; RSA 2048 bits
  label:      auditSigningCert cert-pki-ca
  ID:         b0354aef0957809636e1d39bae8d7a36f89b0823
  Usage:      encrypt, verify
# modutil -dbdir /etc/pki/pki-tomcat/alias -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.38
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
          uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
          uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. nitrohsm
        library name: /usr/lib64/opensc-pkcs11.so
           uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.18
         slots: 1 slot attached
        status: loaded

         slot: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
        token: UserPIN (SmartCard-HSM)
          uri: pkcs11:token=UserPIN%20(SmartCard-HSM);manufacturer=www.CardContact.de;serial=DENK0101221;model=PKCS%2315%20emulated
-----------------------------------------------------------

Dogtag NSSDB (internal)

# certutil -d /etc/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CT,C,C
auditSigningCert cert-pki-ca                                 ,,P  
Server-Cert cert-pki-ca                                      u,u,u
# certutil -d /etc/pki/pki-tomcat/alias/ -K -f /etc/pki/pki-tomcat/alias/pwdfile.txt 
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      8f2456244c4ea8b861556c027d5fb7e951e898a8   NSS Certificate DB:Server-Cert cert-pki-ca

Dogtag NSSDB (NitroHSM)

# certutil -d /etc/pki/pki-tomcat/alias/ -L -h 'UserPIN (SmartCard-HSM)'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "UserPIN (SmartCard-HSM)":
UserPIN (SmartCard-HSM):caSigningCert cert-pki-ca            CTu,Cu,Cu
UserPIN (SmartCard-HSM):ocspSigningCert cert-pki-ca          u,u,u
UserPIN (SmartCard-HSM):subsystemCert cert-pki-ca            u,u,u
UserPIN (SmartCard-HSM):auditSigningCert cert-pki-ca         u,u,Pu
# certutil -d /etc/pki/pki-tomcat/alias/ -K -h 'UserPIN (SmartCard-HSM)'
certutil: Checking token "UserPIN (SmartCard-HSM)" in slot "Nitrokey Nitrokey HSM (010000000000000000000000) 00 00"
Enter Password or Pin for "UserPIN (SmartCard-HSM)":
< 0> rsa      fe170f0b2ac7f260075fe3186e80408c80b49d68   caSigningCert cert-pki-ca
< 1> rsa      f4a7c7a4a42d9cfaf24103b5cfd7f3966b0ccd53   ocspSigningCert cert-pki-ca
< 2> rsa      bc75f0e96c231c7129dbde01d545437143007d2e   subsystemCert cert-pki-ca
< 3> rsa      b0354aef0957809636e1d39bae8d7a36f89b0823   auditSigningCert cert-pki-ca
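
As an added example (not the gist author's code): a small Node.js check that parses the `pkcs11-tool --list-objects` and `certutil -K` listings above and confirms that every certificate on the HSM token has a private key with the same CKA_ID and a matching label. NSS pairs a certificate with its private key through that shared ID, so a certificate without a matching key is one Dogtag cannot sign with. The sample listings are constructed, shortened copies of the output above; the parsing functions and the field names `type`, `label`, `id` and `nickname` are this example's own.

```javascript
// Added example, not part of the gist: cross-check the certificate objects
// reported by `pkcs11-tool --list-objects` against the private keys reported
// by `certutil -K -h <token>`. The two listings below are constructed,
// shortened copies of the gist output (same IDs and labels).

const PKCS11_TOOL_OUTPUT = `
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      caSigningCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=Certificate Authority
  ID:         fe170f0b2ac7f260075fe3186e80408c80b49d68
Public Key Object; RSA 2048 bits
  label:      caSigningCert cert-pki-ca
  ID:         fe170f0b2ac7f260075fe3186e80408c80b49d68
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      ocspSigningCert cert-pki-ca
  subject:    DN: O=HSM.EXAMPLE, CN=OCSP Subsystem
  ID:         f4a7c7a4a42d9cfaf24103b5cfd7f3966b0ccd53
`;

const CERTUTIL_K_OUTPUT = `
certutil: Checking token "UserPIN (SmartCard-HSM)" in slot "Nitrokey Nitrokey HSM (010000000000000000000000) 00 00"
< 0> rsa      fe170f0b2ac7f260075fe3186e80408c80b49d68   caSigningCert cert-pki-ca
< 1> rsa      f4a7c7a4a42d9cfaf24103b5cfd7f3966b0ccd53   ocspSigningCert cert-pki-ca
`;

// Parse pkcs11-tool object blocks into {type, label, id}. A block starts at a
// non-indented "<Type> Object;" line; the indented "key: value" lines that
// follow belong to it. Fields we do not need (subject, Usage) are skipped.
function parsePkcs11Objects(text) {
  const objects = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const header = /^(\S.*?) Object;/.exec(raw);
    if (header) {
      current = { type: header[1], label: null, id: null };
      objects.push(current);
      continue;
    }
    const kv = /^\s+(\w+):\s+(.*)$/.exec(raw);
    if (kv && current) {
      if (kv[1] === "label") current.label = kv[2].trim();
      if (kv[1] === "ID") current.id = kv[2].trim();
    }
  }
  return objects;
}

// Parse certutil -K lines: "< n> <algo> <hex CKA_ID> <nickname>".
// Only the bare-nickname form from the HSM token listing is handled here.
function parseCertutilKeys(text) {
  const keys = [];
  for (const raw of text.split("\n")) {
    const m = /^<\s*\d+>\s+(\w+)\s+([0-9a-f]+)\s+(.+?)\s*$/.exec(raw);
    if (m) keys.push({ algo: m[1], id: m[2], nickname: m[3] });
  }
  return keys;
}

// Cross-check: every certificate object must have a private key with the
// same CKA_ID, and that key's nickname must equal the certificate label.
// Returns the number of certificates seen and a list of human-readable
// problems (empty when everything pairs up).
function checkCertKeyPairs(pkcs11Text, certutilText) {
  const certs = parsePkcs11Objects(pkcs11Text).filter((o) => o.type === "Certificate");
  const keysById = new Map(parseCertutilKeys(certutilText).map((k) => [k.id, k]));
  const problems = [];
  for (const c of certs) {
    const key = keysById.get(c.id);
    if (!key) {
      problems.push(`${c.label}: no private key with CKA_ID ${c.id}`);
    } else if (key.nickname !== c.label) {
      problems.push(`${c.label}: key nickname "${key.nickname}" differs from certificate label`);
    }
  }
  return { certificates: certs.length, problems };
}

const report = checkCertKeyPairs(PKCS11_TOOL_OUTPUT, CERTUTIL_K_OUTPUT);
console.log(report.problems.length === 0
  ? `${report.certificates} certificate(s), all paired with a private key`
  : report.problems.join("\n"));
```

To use it against a live system, replace the two constants with the captured output of the two commands (the token PIN is needed for `certutil -K`); a reported problem after a key import or certificate renewal usually means the certificate was stored under a different CKA_ID than its key.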

@nward commented Dec 5, 2018

Thanks, this is super useful! I'm looking at FreeIPA and am finding HSM support docs really hard to track down. There seems to be a feature request from a few years back that's still open.

This is a great starting place. Cheers!

@nward commented Dec 5, 2018

Ah, though I have to ask - is --hsm-enable a flag in a special version of FreeIPA? It isn't supported in 4.6.4 it seems.

@luginbash commented

Not seen in 4.7.90 either; found a workaround, but stuck somewhere else, not sure it's related yet.

@abbra commented May 24, 2019

Note it is not supported yet. We are working on hsm integration but there are bugs still at dogtag side and in FreeIPA. Options above were from the very early experiments. They would not be exactly the same once finalized.

@type4ranjan commented

Right Alexander. I tried with SafeNet Luna HSM with --pki-config-override and some other tweaks but failed.
Hoping to see HSM support in 4.8 release.

@abbra commented Aug 8, 2019

@type4ranjan -- can you share your override file and output?

@tiran (author) commented Aug 8, 2019

Please share the information on either a new gist or better as an upstream ticket on https://pagure.io/freeipa
