forked from obgm/libcoap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
HOWTO.dual.softhsm2
89 lines (78 loc) · 2.86 KB
/
HOWTO.dual.softhsm2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
############################################################################
#
# SoftHSMv2 dual versions
#
# Works with CentOS 7
#
# The opensc package needs to be installed.
#
############################################################################
#
# Install a software HSM module for doing the PKCS11 testing of libcoap.
# Real hardware can be used if you have the appropriate library module.
#
# It is assumed that the opensc package is installed.
#
# When installing SoftHSMv2 from your system's package manager, check that the
# OpenSSL version is at least 1.1.0. If not, then you will need to dual
# install SoftHSMv2 as below; otherwise you can use the existing SoftHSMv2.
#
# SoftHSMv2 is built using OpenSSL, but GnuTLS can use the PKCS11 interface.
# Note that if the default OpenSSL version is less than 1.1.0, you will need
# to install a dual stack version of OpenSSL as per HOWTO.dual.openssl.
#
# Creates module /usr/local/lib/softhsm/libsofthsm2.so
#
# Add line below to /etc/security/limits.conf to support memory locking
* - memlock unlimited
# Get the latest SoftHSM
git clone https://github.com/opendnssec/SoftHSMv2.git
# Build code
cd SoftHSMv2/
sh autogen.sh
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure --enable-silent-rules \
--with-crypto-backend=openssl --disable-gost LDFLAGS=-L/opt/openssl/lib \
CPPFLAGS=-I/opt/openssl/include --with-openssl=/opt/openssl
make
# You may need to comment out constexpr lines (fixes for gcc10) in
# src/lib/crypto/PublicKey.h src/lib/crypto/PrivateKey.h if you get
# compile errors.
sudo make install
cd ..
# Make sure p11-kit softhsm modules have the correct module: fully qualified
# path where the entry is of the form (in particular for GnuTLS) :-
# /usr/share/p11-kit/modules/softhsm*
#
# module: /usr/local/lib/softhsm/libsofthsm2.so
# The user you are running this as needs to be in the group defined for
# /var/lib/softhsm/tokens/. E.g.
# $ sudo ls -ld /var/lib/softhsm/tokens/
# drwxrws--- 3 root softhsm 4096 May 3 09:52 /var/lib/softhsm/tokens/
# which is softhsm in this case (It could be ods). To verify if you are in
# the correct group
# $ id
# To add user to this group
# $ sudo usermod -a -G softhsm <user>
# and log out and back in again.
#
############################################################################
#
# libp11 (needed for OpenSSL as it provides the PKCS11 engine)
#
############################################################################
#
# Install a pkcs11 library for OpenSSL to use as an engine.
# [GnuTLS has this built in]
#
# Get the latest libp11
git clone https://github.com/OpenSC/libp11.git
# Build code
cd libp11
./bootstrap
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure \
--with-pkcs11-module=/usr/local/lib/softhsm/libsofthsm2.so
make
sudo make install
cd ..
# Verify that pkcs11 is available
/opt/openssl/bin/openssl engine pkcs11 -t