Various nits trying SoftHSM #217

Merged (1 commit), Oct 29, 2021
41 changes: 27 additions & 14 deletions config/DEVELOPMENT.md
@@ -22,42 +22,55 @@ or Application Default Credentials locally (remember to `gcloud application-defa

fulcio may also be used with a pkcs11 capable device such as a SoftHSM. You will also need `pkcs11-tool`

On debian you can install the necessary tools with:

```
apt-get install softhsm2 opensc
```

To configure a SoftHSM:

Create a `config/crypto11.conf` file:
Contributor
line 43 uses .cfg, which way do you want it?

Member Author
There are two configs 😅

The default location of the config file is /etc/softhsm2.conf. This location can be changed by setting the environment variable.

export SOFTHSM2_CONF=/home/user/config.file

Details on the configuration can be found in "man softhsm2.conf".

decent walk-through here (although looks like you don't need to build from source in your case):
https://wiki.opendnssec.org/plugins/servlet/mobile?contentId=3211298#content/view/3211298


```
```json
{
"Path" : "/usr/lib64/softhsm/libsofthsm.so",
"TokenLabel": "fulcio",
"Pin" : "2324"
"Path" : "/usr/lib/softhsm/libsofthsm2.so",
"TokenLabel": "fulcio",
"Pin" : "2324"
}
```

And a `config/softhsm2.conf`
And a `config/softhsm2.cfg`

```
directories.tokendir = /tmp/tokens
objectstore.backend = file
log.level = INFO
```

Export the `config/softhsm2.conf`
Make sure `/tmp/tokens` exists

```shell
mkdir /tmp/tokens
```

Export the `config/softhsm2.cfg`

```shell
export SOFTHSM2_CONF=`pwd`/config/softhsm2.cfg
```

### Start a SoftHSM instance

```
softhsm2-util --init-token --slot 0 --label fulcio
```shell
# Note: these pins match config/crypto11.conf above
softhsm2-util --init-token --slot 0 --label fulcio --pin 2324 --so-pin 2324
```

### Create keys within the SoftHSM

```
pkcs11-tool --module /usr/lib64/softhsm/libsofthsm.so --login --login-type user --keypairgen --id 1 --label PKCS11CA --key-type EC:secp384r1
```shell
pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --login --login-type user --keypairgen --id 1 --label PKCS11CA --key-type EC:secp384r1
```

* Note: you can import existing keys and import using pkcs11-tool, see pkcs11-tool manual for details
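Review bot: at the "Make sure `/tmp/tokens` exists" step, `mkdir /tmp/tokens` fails if the directory is already present (for example on a second run of this walkthrough); `mkdir -p /tmp/tokens` is the idempotent form. Because `directories.tokendir = /tmp/tokens` places the token store, including the private key produced by the `--keypairgen` step, in a shared temporary directory that is cleared on reboot, the doc should state that this layout is for local development only. The `softhsm2-util --init-token` line also passes the same value for `--pin` and `--so-pin`; one sentence saying that the user and security-officer PINs are intentionally identical here, to match `config/crypto11.conf`, would pre-empt the obvious question.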
@@ -67,11 +80,11 @@ pkcs11-tool --module /usr/lib64/softhsm/libsofthsm.so --login --login-type user
Now that your keys are generated, you can use the fulcio `createca` command to generate a Root CA. This command
will also store the generated Root CA into the HSM by the delegated id passed to `--hsm-caroot-id`

```
```shell
fulcio createca --org=acme --country=UK --locality=SomeTown --province=SomeProvince --postal-code=XXXX --street-address=XXXX --hsm-caroot-id 99 --out myrootCA.pem
```

`fuclio createca` will return a root certificate if used with the `-o` flag. If you plan to run fuclio with a CTFE,
`fulcio createca` will return a root certificate if used with the `-o` flag. If you plan to run fulcio with a CTFE,
then you will need to configure the root certificate as the trust chain. This can be done as follows::

Copy your root certification from the above step `myrootCA.pem` and then set this within your `ct.cfg` as follows:
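Review bot: the `fuclio` to `fulcio` correction on the "will return a root certificate" line leaves two inconsistencies on the lines around it: the sentence refers to the `-o` flag while the `createca` command above uses `--out`, and the unchanged context line "This can be done as follows::" carries a doubled colon. Use one spelling of the flag in both places (or mention both if one is an alias of the other) and drop the extra colon while this hunk is being touched.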
@@ -89,7 +102,7 @@ config {

### Run PKCS11CA

```
```shell
fulcio serve --ca pkcs11ca --hsm-caroot-id 99
```

@@ -99,7 +112,7 @@ fulcio serve --ca pkcs11ca --hsm-caroot-id 99
---
**NOTE**

FuclioCA has only been validated against a SoftHSM. In theory this should also work with all PKCS11 compliant
fulcioCA has only been validated against a SoftHSM. In theory this should also work with all PKCS11 compliant
HSM's, but to date we have only tested against a SoftHSM.

---
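Review bot: the replacement line now opens a sentence with lowercase `fulcioCA`, a name that appears nowhere else in this file; the command above refers to this backend as `--ca pkcs11ca`, so "The PKCS11 CA has only been validated against a SoftHSM" would be clearer. The unchanged line that follows also has "HSM's" where the plural "HSMs" is meant.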
4 changes: 2 additions & 2 deletions config/crypto11.conf
@@ -1,5 +1,5 @@
{
"Path" : "/usr/lib64/softhsm/libsofthsm.so",
"TokenLabel": "test",
"Path" : "/usr/lib/softhsm/libsofthsm2.so",
"TokenLabel": "fulcio",
Member Author
This mismatch was an annoying diff from the README

"Pin" : "2324"
}
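Review bot: the new `"Path"` value hard-codes the Debian/Ubuntu location `/usr/lib/softhsm/libsofthsm2.so` in place of the `lib64` path that other distributions use, so DEVELOPMENT.md should say the module path is distro-specific rather than presenting one as canonical. The committed `"Pin" : "2324"` is the same value the docs pass to `--init-token`, which is acceptable for a throwaway SoftHSM token, but since JSON has no comments the accompanying doc should label it a development placeholder so this file is never copied as-is for a real HSM.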