From 19904d9aca94471f60b49d7093908b21c4e926cc Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Mon, 15 Feb 2021 00:04:31 +0000 Subject: PKCS #11 --- pelican/content/Dashboard.md | 6 +++--- pelican/content/GettingStartedNovena.md | 2 +- pelican/content/OpenDNSSEC.md | 2 +- pelican/content/ReleaseNotes.md | 10 +++++----- pelican/content/RoughV1.md | 8 ++++---- 5 files changed, 14 insertions(+), 14 deletions(-) (limited to 'pelican') diff --git a/pelican/content/Dashboard.md b/pelican/content/Dashboard.md index 931b102..63ff4ad 100644 --- a/pelican/content/Dashboard.md +++ b/pelican/content/Dashboard.md @@ -10,7 +10,7 @@ Date: 2016-12-15 22:44 | Done | AES / KEY WRAP | | | | Wrap/Bkup | #17 | | | ECDSA p256 | secondary | Yes | | | | | | ECDSA p384 | secondary | ? | | | | -| Testing | PKCS!#11 | Yes | Yes | Yes | Yes | #14 | +| Testing | PKCS#11 | Yes | Yes | Yes | Yes | #14 | | Done | RSA | Yes | Yes | Yes | | #16 | | Done | SHA-1 | | | Yes | | | | Done | SHA-256 | Yes | Yes | Yes | | | @@ -27,8 +27,8 @@ Date: 2016-12-15 22:44 |AES/KEY WRAP | Rob | Done | #17 | |SHA-256 | Joachim | Done | | |TRNG | FT | Done | #15 | -|PKCS!#11 | Rob | Late May | | -|PKCS!#11 PIN | Rob | Mid June | #14 | +|PKCS#11 | Rob | Late May | | +|PKCS#11 PIN | Rob | Mid June | #14 | |Packaging | Paul, Rob | Done | | diff --git a/pelican/content/GettingStartedNovena.md b/pelican/content/GettingStartedNovena.md index 72fead7..a6f3294 100644 --- a/pelican/content/GettingStartedNovena.md +++ b/pelican/content/GettingStartedNovena.md @@ -132,7 +132,7 @@ $ sudo apt-get update $ sudo apt-get upgrade ``` -## Setting up PKCS!#11 +## Setting up PKCS#11 The PKCS11 token is in /usr/lib/libpkcs11.so. In order to start using it you need to set a pin and an SO pin. This you do with p11util thus: diff --git a/pelican/content/OpenDNSSEC.md b/pelican/content/OpenDNSSEC.md index 39698f1..57ca6d2 100644 --- a/pelican/content/OpenDNSSEC.md +++ b/pelican/content/OpenDNSSEC.md 
@@ -39,7 +39,7 @@ cryptech> masterkey set EFBEADDE ^C ``` -Leave `cryptech_muxd` running, so that the PKCS !#11 library can use it to talk to the HSM. +Leave `cryptech_muxd` running, so that the PKCS #11 library can use it to talk to the HSM. ## Configure OpenDNSSEC diff --git a/pelican/content/ReleaseNotes.md b/pelican/content/ReleaseNotes.md index 8db8024..12fbf10 100644 --- a/pelican/content/ReleaseNotes.md +++ b/pelican/content/ReleaseNotes.md 
@@ -12,14 +12,14 @@ Modified: 2017-05-13 19:18 * New keystore implementation. Basically a very small flash filesystem, including basic wear leveling. Maximum number of keys varies depending on key size and how many options are attached, but for any reasonable use it should hold on the order of 2,000 keys at least. * In-memory keystore moved to HSM (previously was in memory of the client library), uses same API as flash keystore. * RPC mechanism extended to support the new keystores (`hal_rpc_pkey_match()`, `hal_rpc_pkey_set_attributes()`, etc). -* PKCS !#11 code rewritten to use libhal attribute mechanism, sqlite3 database gone. +* PKCS #11 code rewritten to use libhal attribute mechanism, sqlite3 database gone. * Verilog implementations of ECDSA base point multipliers for P-256 and P-384 curves, key generation and signing significantly faster than with software ECDSA implementation. * Key backup mechanism: two more RPC functions, and a Python script `cryptech_backup` to drive the process. -* Private key representation changed to PKCS !#8 format (a self-identifying uniform format with optional encryption, supported by many other tools). Key backup uses encrypted form of PKCS !#8. +* Private key representation changed to PKCS #8 format (a self-identifying uniform format with optional encryption, supported by many other tools). Key backup uses encrypted form of PKCS #8. * Default build of client software now uses a multiplexer daemon `cryptech_muxd` which allows multiple clients to talk to the HSM at once (packages such as OpenDNSSEC which uses multiple daemons talking to the same HSM need this). Software can still be built for direct connection to HSM but it is no longer the default. * New trivial script `cryptech_console` to talk to the HSM's management port via the multiplexer daemon; `cryptech_upload` now supports both direct connection and connection via the multiplexer daemon. 
-* Python client implementations of libhal RPC mechanism and PKCS !#11 now installed as `cryptech.libhal` and `cryptech.py11`, respectively. -* Python PKCS !#11 client hacked to play nicely with `pkcs11-spy` debugging tool. +* Python client implementations of libhal RPC mechanism and PKCS #11 now installed as `cryptech.libhal` and `cryptech.py11`, respectively. +* Python PKCS #11 client hacked to play nicely with `pkcs11-spy` debugging tool. * RTOS replaced by simple non-preemptive (voluntary yield) tasking system, eliminating a huge morass of potential race conditions, debugging nightmares, priority inversions, and similar horrors. Lack of preemption means that console acess may have to wait for something else to yield the ARM CPU, but it's more than worth it to get rid of all the stability problems the RTOS was causing. * [source:/user/sra/openssl-engine Sample code for using the HSM as an OpenSSL engine] is available. This only works with RSA for the moment, due to apparent limitations of the engine implementation. @@ -33,4 +33,4 @@ Getting started with 3.0: * Start the multiplexer daemon `cryptech_muxd`. -At this point, you should be able to use the PKCS !#11 library, the `cryptech_backup` script, and so forth. +At this point, you should be able to use the PKCS #11 library, the `cryptech_backup` script, and so forth. diff --git a/pelican/content/RoughV1.md b/pelican/content/RoughV1.md index 2126f91..19e15d3 100644 --- a/pelican/content/RoughV1.md +++ b/pelican/content/RoughV1.md @@ -87,12 +87,12 @@ Verilog. * Interface to Red - * PKCS!#8 - * PKCS!#11 + * PKCS#8 + * PKCS#11 * PGP Support * X.509 and PGP -* PKCS!#11 for POLA resistance -* No PKCS!#10 because it will take a year +* PKCS#11 for POLA resistance +* No PKCS#10 because it will take a year * Backup may be just dump/restore of the whole FPGA/CoreState -- cgit v1.2.3
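Review bot: The replacement spelling is not consistent across the five files. The hunks in Dashboard.md, GettingStartedNovena.md and RoughV1.md change `PKCS!#11` to `PKCS#11` (no space), while the hunks in OpenDNSSEC.md and ReleaseNotes.md change `PKCS !#11` to `PKCS #11` (with a space), which is also the form used in the subject line. Since the commit is already touching every occurrence, pick one form (the subject suggests `PKCS #11`, and likewise `PKCS #8` and `PKCS #10`) and apply it in all five files, so a text search for the name finds every page.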
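Review bot: In the GettingStartedNovena.md hunk, the heading is corrected but the unchanged line directly below it still reads "The PKCS11 token is in /usr/lib/libpkcs11.so", a third spelling of the same name. That sentence also calls the shared object the "token" and writes "a pin and an SO pin" in lowercase. Consider fixing it in the same commit, for example "The PKCS #11 library is /usr/lib/libpkcs11.so" and "a PIN and an SO PIN", so that the section a new user follows to initialise credentials uses the same terms as the rest of the documentation.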
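Review bot: In the second ReleaseNotes.md hunk (the one starting at line 12), the context line `[source:/user/sra/openssl-engine Sample code for using the HSM as an OpenSSL engine]` is still in wiki link syntax and will render as literal bracketed text in a Markdown page, just like the `!#` escapes this commit removes. It should be converted to a Markdown link in this commit or a follow-up. The same hunk's context also has the typo "console acess" in the RTOS bullet, which could be fixed while the file is open.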