Added support for CA hosted in PKCS#11 based token #332
Pull upstream changes
* Successfully create a CA using a pkcs11 device
* Added command line parameter for pkcs11 options
* Added a debug function to aid in local debugging (commented out for public consumption)
* Only insert engine configuration when using pkcs11
* Ensure PKCS11 config is at the top of openssl configuration
* Bringing PKCS#11 documentation up to date
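As an added illustration of the "engine configuration at the top" bullet (example code written here, not from the PR or from easy-rsa): OpenSSL reads the openssl_conf directive only from the unnamed default section, which ends at the first [section] header, so an engine block appended below the existing sections is silently ignored. The flag value, the base config body and the library paths are assumptions and placeholders, not the project's own.

```bash
#!/bin/sh
# Added example: emit an OpenSSL config that loads engine_pkcs11 only when a
# PKCS#11 token is in use, and put that block FIRST. OpenSSL picks up the
# 'openssl_conf' directive from the unnamed default section, which ends at the
# first '[section]' header; appended at the bottom it does nothing.
# Paths and the on/off flag are assumptions, not easy-rsa's real names.

# Constructed stand-in for the base OpenSSL config a CA script ships with.
base_openssl_cnf() {
    cat <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
default_md = sha256
EOF
}

# Engine block that must precede any section header. Paths are placeholders.
pkcs11_engine_cnf() {
    cat <<EOF
openssl_conf = openssl_init

[ openssl_init ]
engines = engine_section

[ engine_section ]
pkcs11 = pkcs11_section

[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = ${PKCS11_ENGINE_PATH:-/path/to/engines/pkcs11.so}
MODULE_PATH = ${PKCS11_MODULE_PATH:-/path/to/libsofthsm2.so}
init = 0

EOF
}

# Render the final config. "$1" = 1 means a PKCS#11 token is in use; in any
# other case the base config is emitted untouched (no engine section at all).
render_openssl_cnf() {
    if [ "$1" = 1 ]; then pkcs11_engine_cnf; fi
    base_openssl_cnf
}

# Self-check helper: the directive is the very first line only in PKCS#11 mode.
first_line() { render_openssl_cnf "$1" | head -n 1; }
```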
Hi! Great work, thanks for sharing!
I took a quick look at the merge conflicts and they seem trivial so maybe just start there? If it becomes problematic to merge develop/rebase into the branch then just use this as a guide for a new branch. A fresh branch might be easier to get merged as this has been lingering for a while now. Might be a question best for the maintainer(s) though.
I have merged this with First of all to use it with Yubikey you need both the Since I found no way to specify I would therefore suggest to add a new environment variable Secondly I want to be able to generate the CA key on an offline machine and then import the CA cert and CA key into two identical Yubikeys with Hope this is useful. Thanks for your work!
Thank you for this long awaited feature. If anybody is interested to test it with a free Nitrokey, send us an email and we ship it to you.
This looks very interesting. I'll review it and try to get it into the repo in the next couple days!
Eric Crist
On Feb 2, 2021, at 2:01 AM, jans23 wrote:
Thank you for this long awaited feature.
If anybody is interested to test it with a free Nitrokey, send us an email and we ship it to you.
I have more feedback from the Yubikey tests: I was able to get further without crashing by adding The next step in not crashing was to set Since hardware token setup is so vendor-specific: Yubikey vs Nitrokey vs SoftHSM2 (https://github.com/0xdecaf/easy-rsa/blob/feature/pkcs11-engine-support/PKCS11.md#softhsm2), etc. I would suggest to not merge this in its current form. Maybe go for the simpler tasks first to enable the user to use the token at all. As have a way to set up the script to use the pkcs11 token as is and have me worry about how to generate the key in a vendor-specific way. If I understand the PKCS11.md documentation I could just set the defines in One other thing to consider is: some PKCS#11 tokens store keypairs only (e.g. loads of tokens based on openpgp card), while some other tokens can store keys+certificate. Should the CA certificate come from a file or should it be read from the token if present?
Thanks everybody for your efforts! Final port works on my side, using smartcard-HSM with external pinpad reader. Pinpad code won't interfere, as the feature is optional and configurable via @kwinz: I own no Yubikey, yet I can look to include your suggestions. Which model are you using?
I am quite sure you can, as a workaround. Yet, I think we can make it work adding a @jans23: I own no Nitrokey either, yet the solution should be compatible. If you wish to send one, I would be happy to double check.
@jans23 Should we send email to info@nitrokey.com?
Please do.
@robpower That sounds great! I have been testing with Yubikey 5 Nanos so far, with the PIV applet. They also support openpgp card emulation, which I have not been testing yet. I also have a Yubikey 4 and various other hardware tokens and smartcards at home that I could test with (no Nitrokey yet ;-) ). But I think the Yubikeys are all pretty similar across generations. Thanks for considering the As for backups: the tokens don't allow you to extract the private key. But you can boot off a live CD on an offline computer, generate the keys there on tmpfs, and then load the key into two identical tokens before wiping them from RAM. So I have a backup token but the keys will never leave the tokens again. For me that's the ideal solution to have a backup. I don't generate the keys on the token, I import them. Let me know if I can help with anything.
Introducing PKCS#11 support, mainly restaging and reviewing the work of 0xdecaf from OpenVPN#332.
* Successfully create a CA using a pkcs11 device
* Added command line parameter for pkcs11 options
* Only insert engine configuration when using pkcs11
* Ensure PKCS11 config is at the top of openssl configuration
* Bringing PKCS#11 documentation up to date
* Adding external pinpad readers support.
Co-Authored-By: Tony <0xdecaf@users.noreply.github.com>
Hi again! Sorry for the multiple commit references, the last one is the good one. I had been implementing the port and it works fine on my side. I still have some trouble with extra tests I added to travis for pkcs11 using softhsm. I tried to debug it on a fresh VM and it seems to be a permission problem over both
DEBUG: pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 1687927385 --login --pin 1234 --keypairgen --key-type rsa:2048 --label my-test-token --usage-sign --private
pkcs11-tool: unrecognized option '--pin 1234'
I am sure I am missing something, so any hint is welcome. @kwinz During the next days I am going to finish the
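The error text quoted above, unrecognized option '--pin 1234', is what option parsing reports when the option name and its value reach the tool as a single argv element; the usual way that happens in a shell script is accumulating options into one string and expanding it inside double quotes. This added example (written here, not part of the PR) shows how many arguments each pattern actually hands to the command and rebuilds the debug command line the POSIX way with set --; the module path, slot, PIN and label are the values from the debug line above, reused as constructed sample input.

```bash
#!/bin/sh
# Added example: how pkcs11-tool sees its command line. Option parsing splits
# on argv boundaries, not on spaces, so "--pin 1234" passed as ONE word is an
# unrecognized option, while --pin and 1234 as TWO words are fine.

# Report how many argv elements reach a command (stand-in for pkcs11-tool).
count_argv() { echo "$#"; }

# Broken pattern: the option and its value accumulated into a single string
# and then expanded inside double quotes. The whole string is one argument.
broken_argc() {
    opts="--pin $1"
    count_argv "$opts"          # 1 element: '--pin 1234'
}

# Unquoted expansion ($opts) would split on whitespace and appear to work,
# but breaks on values containing spaces or glob characters; it is no fix.
# Correct pattern for POSIX sh (no arrays): rebuild the positional parameters
# with set -- so that every option and every value is its own word.
build_keygen_argv() {
    module="$1"; slot="$2"; pin="$3"; label="$4"
    set -- pkcs11-tool --module "$module" --slot "$slot" --login --pin "$pin" \
        --keypairgen --key-type rsa:2048 --label "$label" --usage-sign --private
    printf '%s\n' "$@"          # one argv element per line, in order
}

# Number of argv elements the rebuilt command line produces.
fixed_argc() {
    build_keygen_argv "$@" | wc -l | tr -d ' '
}

# Operational note: a PIN given on the command line is visible in the process
# table to other local users; for anything beyond a throwaway test token,
# prompt for it or read it from a file with restricted permissions.
```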
Made a new PR (#433), based on this one, using RFC 7512 PKCS#11 URIs to select tokens (and keys). As OpenSSL warns about possible future deprecation of legacy engine_pkcs11 IDs, this solution should guarantee better long-term support, as well as more versatility across different tokens. It is currently tested on Nitrokey HSM/SmartcardHSM, Nitrokey Pro, SoftHSM2 and Yubikey 5 NFC. Any feedback is welcome as there still could be some edges to smooth and room for improvement. @0xdecaf thanks for making it possible in the first place.
Is this superseded by #433 or not?
Introduces a new format for the ./pki/private/ca.key which can specify environment variables to point to the PKCS#11 private key on a specific token. Leveraging op_test.orig with a modification to support tests initially. Once this PR is merged, the tests can be migrated to the new framework. Please see ./PKCS11.md for more details on the changes and please share any useful feedback needed to get this PR merged.