Test with OpenSSL, SoftHSMv2 and PKCS#11 engine

Create virtual token

  • Compile and install into /usr/local SoftHSM version 2 ( github.com/opendnssec/SoftHSMv2), or apt install softhsm2
  • Compile and install into /usr/local OpenSSL version 3 and our PKCS#11 Engine from github.com/opensignature/pkcs11engine
  • Create soft token with:
    mkdir -p $HOME/lib/softhsm/tokens
    echo "directories.tokendir = $HOME/lib/softhsm/tokens" > $HOME/lib/softhsm/softhsm2.conf
    export SOFTHSM2_CONF=$HOME/lib/softhsm/softhsm2.conf
    softhsm2-util --init-token --free --label mytoken1 --pin mysecret1 --so-pin mysopin1
    Result:
    The token has been initialized and is reassigned to slot 1119524181
  • Create a key pair with pkcs11-tool (tool provided by OpenSC project):
    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -k --key-type rsa:2048 --id 4142 --label mykey1 --pin mysecret1
    Result:
    Key pair generated:
    Private Key Object; RSA
      label: mykey1
      ID:    4142
      Usage: decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
      label: mykey1
      ID:    4142
      Usage: encrypt, verify, wrap
  • Create certificate 1:
    openssl req -new -x509 -subj "/CN=MyCertTEST" -engine pkcs11 -keyform engine -key "pkcs11:object=mykey1;pin-value=mysecret1" -outform der -out mycert.der
  • Insert certificate into token:
    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l --id 4142 --label mycert1 -y cert -w mycert.der --pin mysecret1
    Result:
    Created certificate:
    Certificate Object, type = X.509 cert
      label: mycert1
      ID:    4142

OpenSSL storeutl command test

  • Lists readable objects
    openssl storeutl -engine pkcs11 'pkcs11:'
    Result:
    0: Name: mykey1
    Public Key ID: AB hex: 4142
    1: Name: mycert1
    Certificate ID: AB hex: 4142
  • Lists readable objects and private keys
    openssl storeutl -engine pkcs11 'pkcs11:pin-value=mysecret1'
    Result:
    0: Name: mykey1
    Public Key ID: AB hex: 4142
    1: Name: mycert1
    Certificate ID: AB hex: 4142
    2: Name: mykey1
    Private Key ID: AB hex: 4142
  • Get X509 certificate
    openssl storeutl -engine pkcs11 'pkcs11:type=cert;object=mycert1'
    Result:
    0: Certificate
    -----BEGIN CERTIFICATE-----
    MIICsTCCAZkCFAk4voabdc+LathwHN3VF5UuAxVcMA0GCSqGSIb3DQEBCwUAMBUx
    EzARBgNVBAMMCk15Q2VydFRFU1QwHhcNMTkwNDE4MTEyNDU5WhcNMTkwNTE4MTEy
    NDU5WjAVMRMwEQYDVQQDDApNeUNlcnRURVNUMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAy4dTcqXh2xPjw9FLYphugLMU5BtKAhbVZolAIatB9F48lvNI
    PTevhCTAPq1KHOyfGXQ70v2dnXgXrFa6QKiPJvv7471ZBcaWJ26mVMi0ILybuwwg
    V1Znngt8afE9AGXJPYwt+ELxoRHsDeuv7PHN6qhy/LHr8+U0nt6GBO69jnBOcZnj
    bOcAo5Xw9odHgeb64bG3aK2/52sZNCXwyyO+/XmI6WCjEUw0PdwltCqkCfGs0Wfp
    k2q8qLRDHzVTUMSFwa0XlVJNMJEgRsB18zIXTorUqZtya+pXDH7RIhh1mjcEdhki
    XksmSbsNIZIKzgptbZmYTLifoQsAIWsFevrk2QIDAQABMA0GCSqGSIb3DQEBCwUA
    A4IBAQBhbqzHcFz9PbnQOMc+f59cOGLwx/uT90A1HuwqQBw2fXkvFbf/IPqd2t0p
    eZEcx3qXMVEzHdiyJmS1uXuK3pdJllWdSFt/cGPI7MGQA52TcqzbIHuyCYusMTNJ
    q6n8z0BRmRp3LwdB7idtgqjJwFkwARJB2fEgc8OgsGHe4CEDIXupPVTcXHYynf3j
    sLA06IHOyI05d+R4/0AJ35wSXqltVsDq39rzXYZZhnuiAVi9YKd3hfaK/IASUENb
    z6dQSfWg3v0gQmlPgMpeQzAm6aNvbs9Z92EuckGgjmk+LE5cfF7Din98bgRrbO2K
    E1+WsICcs8FgqnS7J9lkyF4cZvls
    -----END CERTIFICATE-----
    Total found: 1

OpenSSL dgst command test

  • Digest string "hello"
    echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -sign "pkcs11:object=mykey1;pin-value=mysecret1" -out out.sig
  • Verify digest
    echo "hello" | openssl dgst -sha256 -engine pkcs11 -keyform engine -verify "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -signature out.sig
    Result:
    Verified OK

OpenSSL pkeyutl command test

  • Encrypt string "hello"
    echo "hello" | openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -pubin -encrypt -inkey "pkcs11:type=public;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -out textencoded.bin
  • Decrypt
    openssl pkeyutl -sha256 -engine pkcs11 -keyform engine -decrypt -inkey "pkcs11:type=private;object=mykey1;pin-value=mysecret1" -pkeyopt rsa_padding_mode:pkcs1 -in textencoded.bin
    Result:
    hello

OpenSSL s_client command test

  • Establish a secure connection with a server that requires clients to present a valid certificate to connect
    echo -en "GET /auth/index.php HTTP/1.1\r\nHost: www.saela.eu\r\n\r\n" | openssl s_client -quiet -connect www.saela.eu:443 -ssl_client_engine pkcs11
    Result:
    [SSL_CLIENT_I_DN]=CN=TEST [SSL_CLIENT_FINGERPRINT]=4db3a7b407f4298719db1c2d0b2615fb2e33f11b



1  Add "module-path=/usr/lib/softhsm/libsofthsm2.so" after "pkcs11:" if MODULE_PATH is not present in openssl.cnf and environment variable PKCS11_MODULE_PATH is empty