-rw-r--r-- | README.md | 7 | ||||
-rwxr-xr-x | create-keys.sh | 20 | ||||
-rw-r--r-- | environment.sh | 5 | ||||
-rw-r--r-- | openssl.conf | 2 |
4 files changed, 25 insertions, 9 deletions
@@ -2,7 +2,12 @@ Packages you need (on Debian Jessie, anyway):
- sudo apt-get install libengine-pkcs11-openssl opensc opensc-pkcs11 cryptech-alpha
+ sudo apt-get install opensc cryptech-alpha
+ sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
+
+We're using the backported version of libengine-pkcs11-openssl because
+we want ECDSA support -- the ancient version that originally shipped
+with Jessie only supported RSA.
 General plan here is to use pkcs11-tool to create keys, then use the pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely
diff --git a/create-keys.sh b/create-keys.sh
index 5cfda45..e3630d9 100755
--- a/create-keys.sh
+++ b/create-keys.sh
@@ -1,11 +1,17 @@
 #!/bin/sh
-
-. ./environment.sh
+# pkcs11-tool's naming scheme for key types is buried in code.
+# The useful choices in our case appear to be:
+#
+# rsa:1024
+# rsa:2048
+# EC:prime256v1
+# EC:prime384v1
+
+: ${key_type='EC:prime256v1'}
-# Not really sure which silly name to use for the EC curve, doc is not great. prime256v1? ansiX9p256r1? secp256r1?
-# If I had to guess, ansiX9p256r1, so try that: --key-type EC:ansiX9p256r1
-# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later.
+. ./environment.sh
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type"
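Review bot: The three rewritten pkcs11-tool lines at the end of the create-keys.sh hunk still run unchecked under `#!/bin/sh` with no `set -e`, so a failed keypairgen (unsupported `$key_type`, wrong module path, wrong PIN) does not stop the script and the next line repeats the same `--login --pin` attempt against the token. Adding `set -e` directly after the shebang, or `|| exit 1` on each invocation, makes the first failure terminal. While these lines are being rewritten, `${PKCS11_MODULE}` and `${PKCS11_PIN}` should be quoted the way `"$key_type"` is, e.g. `pkcs11-tool --module "${PKCS11_MODULE}" --login --pin "${PKCS11_PIN}" --keypairgen --id 1 --label leader --key-type "$key_type"`. The PIN passed via `--pin` on the command line is visible to other local users through process listings; if an interactive PIN prompt is not acceptable for this test setup, a comment next to the `: ${key_type=...}` default saying so would save the next reader the question.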
diff --git a/environment.sh b/environment.sh
index f3f5c75..078b5a6 100644
--- a/environment.sh
+++ b/environment.sh
@@ -14,6 +14,11 @@ export PKCS11_PIN=fnord
 export OPENSSL_CONF=`pwd`/openssl.conf
+# Where to find the engine module this week (its name changes with
+# architecture, OpenSSL version, and phase of the moon).
+
+export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'`
+
 # If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC
 # pkcs11-spy.so debugging tool, which we will splice between OpenSSL
 # and the real PKCS #11 library. This is not something you would want
diff --git a/openssl.conf b/openssl.conf
index 7f156ce..887e25d 100644
--- a/openssl.conf
+++ b/openssl.conf
@@ -13,7 +13,7 @@ pkcs11 = pkcs11_section
 [pkcs11_section]
 engine_id = pkcs11
-dynamic_path = /usr/lib/engines/engine_pkcs11.so
+dynamic_path = ${ENV::ENGINE_MODULE}
 init = 0
 # For convenience while testing, we use environment variables to pass
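Review bot: The new `export ENGINE_MODULE=...` line in environment.sh assumes the `egrep` pattern matches exactly one installed file; if it matches none, ENGINE_MODULE is empty, and if it matches several (for instance both an `engine_pkcs11.so` and a `pkcs11.so`, or the same name under more than one multiarch directory), the value contains a newline, and `dynamic_path = ${ENV::ENGINE_MODULE}` in the openssl.conf hunk then hands OpenSSL nothing or a garbled path to dlopen. Because this value now decides which shared object the engine loader opens, replacing the former hard-coded `/usr/lib/engines/engine_pkcs11.so`, it should be validated rather than trusted: take the first match and fail loudly when it is absent, e.g. `ENGINE_MODULE=$(dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$' | head -n 1)`, `[ -n "$ENGINE_MODULE" ] && [ -f "$ENGINE_MODULE" ] || echo "pkcs11 engine module not found" >&2`, `export ENGINE_MODULE`. I believe OpenSSL's config parser rejects an unset `${ENV::...}` reference, so the empty case may at least be noisy, but the multi-match case is not and deserves the check.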