PKCS#11? - Test with SoftHSM
In many instances PKCS#11 is still the choice of security protocol with many organisations and I need a quick way to fire up a virtual machine to quickly test some of my C/C++ code work when it comes to "working remotely" and when your broadband connection fails (or a slow Monday morning).
So I've been looking around for that magical container image that I could easily deploy and use, and magically it appears to me (thanks Google!) that OpenDNSSec had a software implementation of a generic cryptographic device with PKCS#11 interface, SoftHSM (https://github.com/opendnssec/SoftHSMv2). The good news is that it is free of charge and it would also allow me to test certain C/C++ code to write something generic enough for my own study and testing.
So off I went and decided to give it a try!
I tested deploying SoftHSM on Ubuntu 16.04 LTS. YMMV, but I suggest sticking with some Ubuntu/Debian variant as I do not know of the exact packages required on any RHEL-based system (and I promise to update this post when I have the details).
If you're interested in getting a Dockerfile, you may build your own container using the source files that are available on my github repo - if there is enough demand, I might even host it on the docker hub.
Let's get the basics sorted:
# apt-get install build-essential opensc libssl-dev wget uuid-runtime
That should cover most of the basic packages required for your SoftHSM installation. Next is to download the actual package (I specifically used 2.5.0 and the link is available here):
# wget <link_to_softhsm_release>
Once you've downloaded the tarball, extract the tarball and compile as required:
# tar xvfz <downloaded_tarball> # ./configure # make # make install
This should have installed the packages into /usr/local/lib/softhsm correctly. If you wanted to install it into a different location, a simple "./configure --prefix=<path_to_install>" would have worked in the previous step as well.
And now you're ready!
Let's initialise SoftHSM (remember you'll need to set both the SO and USER PIN):
# softhsm2-util --init-token --slot 0 --label "Test Token" === SO PIN (4-255 characters) === Please enter SO PIN: **** Please reenter SO PIN: **** === User PIN (4-255 characters) === Please enter user PIN: **** Please reenter user PIN: **** The token has been initialized and is reassigned to slot 344882282
If you've follow the guide from the beginning, you'll also note that the pkcs11-tool is included in the opensc package. Let's make sure it shows correctly:
# pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -L Available slots: Slot 0 (0x148e7c6a): SoftHSM slot ID 0x148e7c6a token label : Test Token token manufacturer : SoftHSM project token model : SoftHSM v2 token flags : rng, login required, PIN initialized, token initialized, other flags=0x20 hardware version : 2.5 firmware version : 2.5 serial num : 13199250148e7c6a
Once you have confirmed that the slot matches the slot reassigned to (Tip: 344882282 is 0x148e7c6a in hexadecimal value), you can now go and create a new key:
# pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l -p 1234 -k --id `uuidgen | tr -d -` --label "Test RSA Key" --key-type rsa:2048 Using slot 0 with a present token (0x148e7c6a) Key pair generated: Private Key Object; RSA label: Test RSA Key ID: 171e8b3e4be84668bde3a9a70b8c625f Usage: decrypt, sign, unwrap Public Key Object; RSA 2048 bits label: Test RSA Key ID: 171e8b3e4be84668bde3a9a70b8c625f Usage: encrypt, verify, wrap
And that concludes how to setup SoftHSM. Let me know your thoughts!