Test with OpenSSL, SoftHSMv2 and PKCS#11 engine

Create virtual token

- Compile and install into /usr/local SoftHSM version 2 (github.com/opendnssec/SoftHSMv2), or apt install softhsm2
- Compile and install into /usr/local OpenSSL version 3 and our PKCS#11 Engine from github.com/opensignature/pkcs11engine
- Create soft token with:
  mkdir -p $HOME/lib/softhsm/tokens
  echo "directories.tokendir = $HOME/lib/softhsm/tokens" > $HOME/lib/softhsm/softhsm2.conf
  export SOFTHSM2_CONF=$HOME/lib/softhsm/softhsm2.conf
  softhsm2-util --init-token --free --label mytoken1 --pin mysecret1 --so-pin mysopin1
  Result:
  The token has been initialized and is reassigned to slot 1119524181
- Create a key pair with pkcs11-tool (tool provided by the OpenSC project):
  pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 4142 --label mykey1 --pin mysecret1
  Result:
  Key pair generated:
  Private Key Object; RSA
    label:      mykey1
    ID:         4142
    Usage:      decrypt, sign, unwrap
  Public Key Object; RSA 2048 bits
    label:      mykey1
    ID:         4142
    Usage:      encrypt, verify, wrap
- Create certificate 1:
  openssl req -new -x509 -subj "/CN=MyCertTEST" -engine pkcs11 -keyform engine -key "pkcs11:object=mykey1;pin-value=mysecret1" -outform der -out mycert.der
- Insert certificate into token:
  pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --id 4142 --label mycert1 -y cert -w mycert.der --pin mysecret1
  Result:
  Created certificate:
  Certificate Object, type = X.509 cert
    label:      mycert1
    ID:         4142
OpenSSL storeutl command test

- List readable objects
  openssl storeutl -engine pkcs11 'pkcs11:'
  Result:
  0: Name: mykey1
  Public Key ID: AB hex: 4142
  1: Name: mycert1
  Certificate ID: AB hex: 4142
- List readable objects and private keys
  openssl storeutl -engine pkcs11 'pkcs11:pin-value=mysecret1'
  Result:
  0: Name: mykey1
  Public Key ID: AB hex: 4142
  1: Name: mycert1
  Certificate ID: AB hex: 4142
  2: Name: mykey1
  Private Key ID: AB hex: 4142
- Get X509 certificate
  openssl storeutl -engine pkcs11 'pkcs11:type=cert;object=mycert1'
  Result:
  0: Certificate
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
  Total found: 1
OpenSSL dgst command test

- Sign the digest of string "hello"
  echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "pkcs11:object=mykey1;pin-value=mysecret1" -out out.sig
- Verify digest
  echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -verify "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -signature out.sig
  Result:
  Verified OK
OpenSSL pkeyutl command test

- Encrypt string "hello"
  echo "hello" | openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -pubin -encrypt -inkey "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -out textencoded.bin
- Decrypt
  openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:type=private;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -in textencoded.bin
  Result:
  hello
OpenSSL s_client command test

- Establish a secure connection with a server that requires clients to present a valid certificate to connect
  echo -en "GET /auth/index.php HTTP/1.1\r\nHost: www.saela.eu\r\n\r\n" | openssl s_client -quiet -connect www.saela.eu:443 -ssl_client_engine pkcs11
  Result:
  [SSL_CLIENT_I_DN]=CN=TEST [SSL_CLIENT_FINGERPRINT]=4db3a7b407f4298719db1c2d0b2615fb2e33f11b

Note 1: Add "module-path=/usr/lib/softhsm/libsofthsm2.so" after "pkcs11:" if MODULE_PATH is not present in openssl.cnf and environment variable PKCS11_MODULE_PATH is empty
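Every command above selects its key or certificate through an RFC 7512 PKCS#11 URI ("pkcs11:type=public;object=mykey1;pin-value=mysecret1"), and note 1 patches such a URI with module-path. The following is an added Python example, not code from the pkcs11engine project or from this page: it parses those URIs, applies the note 1 fix, and masks pin-value before a command line is logged, since the PIN otherwise ends up in shell history and process listings. The function names are hypothetical and the attribute lists come from RFC 7512.

```python
"""Parse, complete and redact RFC 7512 PKCS#11 URIs like the ones on this page."""
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# Attribute names from RFC 7512: path attributes select an object, query
# attributes tell the engine how to reach the module and how to log in.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {attribute: value}; 'id' is decoded to bytes, the rest to str.

    Query-only attributes (pin-value, module-path) are also accepted in the
    path part, because that is how the commands on this page spell them
    ("pkcs11:object=mykey1;pin-value=mysecret1") and the engine accepts it.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep, allowed in ((path, ";", PATH_ATTRS | QUERY_ATTRS), (query, "&", QUERY_ATTRS)):
        for item in filter(None, part.split(sep)):
            name, eq, raw = item.partition("=")
            if not eq or name not in allowed:
                raise ValueError(f"bad attribute {item!r}")
            if name in attrs:
                raise ValueError(f"duplicate attribute {name!r}")
            # 'id' is raw CKA_ID bytes: the page's id 4142 (hex) is %41%42, i.e. b"AB"
            attrs[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    if "type" in attrs and attrs["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {attrs['type']!r}")
    return attrs


def with_module_path(uri: str, module_path: str) -> str:
    """Apply note 1 from the page: insert module-path right after 'pkcs11:'."""
    if "module-path" in parse_pkcs11_uri(uri):
        return uri
    rest = uri[len("pkcs11:"):]
    head = "pkcs11:module-path=" + quote(module_path, safe="/")
    return head + ("" if not rest or rest.startswith("?") else ";") + rest


def redact_pin(uri: str) -> str:
    """Mask pin-value so a logged command line does not leak the token PIN."""
    return re.sub(r"(pin-value=)[^;&]*", r"\1***", uri)
```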