diff options
Diffstat (limited to 'raw-wiki-dump/GitRepositories%2Fuser%2Fsra%2Fopenssl-engine.trac')
| -rw-r--r-- | raw-wiki-dump/GitRepositories%2Fuser%2Fsra%2Fopenssl-engine.trac | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/raw-wiki-dump/GitRepositories%2Fuser%2Fsra%2Fopenssl-engine.trac b/raw-wiki-dump/GitRepositories%2Fuser%2Fsra%2Fopenssl-engine.trac new file mode 100644 index 0000000..b9e5d13 --- /dev/null +++ b/raw-wiki-dump/GitRepositories%2Fuser%2Fsra%2Fopenssl-engine.trac @@ -0,0 +1,84 @@ +{{{ +#!htmlcomment + +This page is maintained automatically by a script. Don't modify this page by hand, +your changes will just be overwritten the next time the script runs. Talk to your +Friendly Neighborhood Repository Maintainer if you need to change something here. + +}}} + +{{{ +#!html +<h1>Toys to test Cryptech Alpha HSM with OpenSSL engine API</h1> + +<p>Packages you need (on Debian Jessie, anyway):</p> + +<pre><code>sudo apt-get install opensc cryptech-alpha stunnel micro-httpd w3m +sudo apt-get install -t jessie-backports libengine-pkcs11-openssl +</code></pre> + +<p>We're using the backported version of libengine-pkcs11-openssl because +we want ECDSA support -- the ancient version that originally shipped +with Jessie only supported RSA.</p> + +<p>General plan here is to use pkcs11-tool to create keys, then use the +pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely +useful things with those keys.</p> + +<h2>Configuration</h2> + +<ul> +<li><p><code>openssl.conf</code> contains two different kinds of OpenSSL voodoo: the +bits needed to configure the engine, and the bits needed to +construct X.509 certificates. The engine configuration uses +environment variables to minimize the number of places where the +same information needs to be configured.</p></li> +<li><p><code>environment.sh</code> is where environment variables are configured, +including the PKCS #11 PIN: you would not want to handle the PIN +this way in production! But it's convenient for a test script.</p></li> +</ul> + +<h2>Scripts</h2> + +<ul> +<li><p><code>create-keys.sh</code> uses <code>pkcs11-tool</code> to create several test keys.</p></li> +<li><p><code>list-keys.sh</code> uses <code>pkcs11-tool</code> to list keys known to the HSM.</p></li> +<li><p><code>delete-keys.sh</code> uses <code>pkcs11-tool</code> to delete the keys which +<code>create-keys.sh</code> created.</p></li> +<li><p><code>issue-certificates.sh</code> generates a small X.509v3 certificate tree. +As a sanity check, it also verifies the issued certificates. +This depends on the keys created by <code>create-keys.sh</code>.</p></li> +<li><p><code>basic-signature.sh</code> performs a basic hash-and-sign of a data file +using the <code>openssl dgst</code> command, writing a detached signature out +as a binary file. As a sanity check, it also verifies the resulting +signature using the public key extracted from the corresponding +certificate (so this depends on <code>issue-certificates.sh</code>).</p></li> +<li><p><code>smime-signature.sh</code> generates and verifies a signed S/MIME message; +this also depends on <code>issue-certificates.sh</code>.</p></li> +<li><p><code>https-server.sh</code> runs a toy https server, using keys and certificates +generated by <code>create-keys.sh</code> and <code>issue-certificates.sh</code>.</p></li> +<li><p><code>https-client.sh</code> uses w3m as a client to talk to the toy server +run by <code>https-server.sh</code> (and therefore has the same dependencies).</p></li> +</ul> + +<h2>References and notes</h2> + +<ul> +<li><a href="https://www.nlnetlabs.nl/downloads/publications/hsm/">https://www.nlnetlabs.nl/downloads/publications/hsm/</a></li> +<li><a href="https://github.com/OpenSC/OpenSC/wiki">https://github.com/OpenSC/OpenSC/wiki</a></li> +<li><a href="https://wiki.openssl.org/index.php/Command_Line_Utilities">https://wiki.openssl.org/index.php/Command_Line_Utilities</a></li> +<li><a href="https://www.openssl.org/docs/man1.0.2/apps/">https://www.openssl.org/docs/man1.0.2/apps/</a></li> +</ul> + +<p>Given the overall state of OpenSSL's documentation, it also helps to +be able to read the OpenSSL source code: in this particular case, the +<code>apps/</code> directory is most likely to be useful. It turns out that many +(not all) places where one of the OpenSSL command line functions allow +one to specify a key format other than <code>PEM</code>, one of the supported +formats is <code>ENGINE</code>, in which case the "filename" is interpreted as a +key selector.</p> +}}} + +[[RepositoryIndex(format=table,glob=user/sra/openssl-engine)]] + +|| Clone `https://git.cryptech.is/user/sra/openssl-engine.git` || |