Skip to content

Latest commit

 

History

History
187 lines (113 loc) · 3.58 KB

README.md

File metadata and controls

187 lines (113 loc) · 3.58 KB

Examples for PKCS #11 with wolfSSL

These examples demonstrate using wolfSSL's PKCS #11 feature for the following algorithms:

  • ECC Key Gen, Sign/Verify and ECDHE (Shared Secret)
  • RSA Key Gen and Sign/Verify
  • AES GCM

This also includes a TLS server example using a PKCS 11 based key.

API Reference

See PKCS11.md in this folder.

Setting up and testing SoftHSM version 2

  1. Change to source code directory of SoftHSM version 2

    This tool can be found here: https://github.com/opendnssec/SoftHSMv2

    ./autogen.sh
    ./configure --disable-gost
    sudo make install
    

    Note: May need to install pkg-config and libssl-dev

  2. Change to wolfssl directory

    ./autogen.sh
    ./configure --enable-pkcs11
    make
    sudo make install
    
  3. Change to wolfssl-examples/pkcs11 directory

    ./mksofthsm2_conf.sh
    export SOFTHSM2_CONF=$PWD/softhsm2.conf
    
  4. Running tests

    softhsm2-util --init-token --slot 0 --label SoftToken

    • Use PIN: cryptoki
    • Use User PIN: cryptoki

    Use the slot id from the output:

    export SOFTHSM2_SLOTID=<slotid>

    Run the examples:

    ./softhsm2.sh

Setting up and testing openCryptoki

  1. Change to source code directory of openCryptoki

    This tool can be found here: https://github.com/opencryptoki/opencryptoki

    ./bootstrap.sh
    ./configure
    make
    

    Note: May need to install flex, bison and openldap-devel [or libldap2-dev]

  2. Setup pkcs11 group and put current user into it

    sudo groupadd pkcs11
    sudo usermod -a -G pkcs11 $USER
    
  3. Install library

    sudo make install
    sudo ldconfig /usr/local/lib
    
  4. Start the daemon

    sudo /usr/local/sbin/pkcsslotd

    Note: May need to logout and login to be able to use pkcsconf.

  5. Setup token

    echo "87654321
    SoftToken" | pkcsconf -I -c 3
    
    echo "87654321
    cryptoki
    cryptoki" | pkcsconf -P -c 3
    
    echo "cryptoki
    cryptoki
    cryptoki" | pkcsconf -u -c 3
    
  6. Start daemon if not running already:

    sudo /usr/local/sbin/pkcsslotd

  7. Build and install wolfSSL

    Change to wolfssl directory and run:

    ./autogen.sh
    ./configure --enable-pkcs11
    make
    sudo make install
    
  8. Running tests

    Change to wolfssl-examples/pkcs11 directory:

    ./opencryptoki.sh

TLS Server Example with PKCS #11 (RSA)

The example server-tls-pkcs11 is a server that uses a private key that has been stored on the PKCS #11 device.

The id of the private key is two hex bytes: 0x00, 0x01

Change this to be the id that you set when importing the key.

  1. SoftHSM version 2

    Import private key:

    softhsm2-util --import ../certs/server-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0001 --label rsa2048

    Enter PIN: cryptoki

  2. Run server and client

    ./server-tls-pkcs11 /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki

    From wolfssl root: ./examples/client/client

TLS Server Example with PKCS #11 (ECC)

The example server-tls-pkcs11-ecc is a server that uses a private key that has been stored on the PKCS #11 device.

The id of the private key is two hex bytes: 0x00, 0x01

Change this to be the id that you set when importing the key.

  1. SoftHSM version 2

    Import private key:

    softhsm2-util --import ../certs/ecc-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0002 --label ecp256

    Enter PIN: cryptoki

  2. Run server and client

    ./server-tls-pkcs11-ecc /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki

    From wolfssl root: ./examples/client/client -A ./certs/ca-ecc-cert.pem

Support

For questions please contact wolfSSL support by email at [email protected]