Diffstat (limited to 'config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action')
| -rw-r--r-- | config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
new file mode 100644
index 0000000..562ebf5
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
@@ -0,0 +1,147 @@ + +sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin +sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool. +sudo dnf install -y pcsc-lite pcsc-lite-ccid +sudo systemctl start pcscd +sudo systemctl enable pcscd +sudo opensc-tool -l + +so-pin 3537363231383830 +userpin 648219 + +7535439178124602 + +pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830 +opensc-tool -l # to list devices +sc-hsm-tool -X -r 1 # -r is device number. to reset the device, you need so pin and userpin +sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1 +ykman piv reset #reset yubikey piv + +find / -name opensc-pkcs11.so + +TESTING BEFORE OPERATION + ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test +/usr/lib64/opensc-pkcs11.so +/usr/lib64/pkcs11/opensc-pkcs11.so on fedora +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects +OPENSSL_CONF=./hsm.conf openssl engine +the following should be printed for openssl +(dynamic) Dynamic engine loading support +(pkcs11) pkcs11 engine + + +DOCUMNETATION FOR CA + nginx + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey" +openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr + openssl req -text -noout -verify -in server.csr # to verify the certificate +openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in 
server.csr -out server.crt
+openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage" # output web server authentication
+
+010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456
+brew install gnutls
+yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
+yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
+openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication
+cp yubi.crt yubi.crt.pem
+yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
+p11tool --list-tokens
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
+can do curl -v xxxxxxxx as well for more verbose. 
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
+openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage" # output web client authentication
+curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
+
+STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k
+
+openssl version -d # to find the default config file dir
+copy hsm.conf to the directory
+sudo nano /lib/systemd/system/nginx.service
+ add this to under service
+Environment=LANG=C
+Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
+sudo systemctl daemon-reload
+
+pkcs15-tool --list-info
+ to get the serial number value of the device for the key
+p11tool --list-all
+p11tool --login --list-all pkcs11:model=
+
+ssl_engine pkcs11; # put this after events section, before http. 
+ ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt; + ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private"; + ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt; + ssl_verify_client on; + +cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt + +curl -X POST http://127.0.0.1/generate_verification -k +curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k +curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k + +#change the check to not require authentication + +https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf +https://docs.nitrokey.com/hsm/linux/certificate-authority +https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c + ^ is the pkcs uri for openssl -key + +DOCUMNETATION FOR CA + nginx END + + + yubico +yubico-piv-tool -a unblock-pin -P 12345678 -N 123456 +123456 pin default +12345678 pin unlock key default +010203040506070801020304050607080102030405060708 management key default +ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey + + +should work +openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt +openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt #sign should work as well +pkcs15-tool --read-public-key 01 > pubkey +openssl dgst -sha256 -verify pubkey -signature signature.bin txt + + +openssl genrsa -out rootCA.key 2048 +openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj 
"/CN=Root CA" +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/CN=Client" +openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256 +openssl verify -CAfile rootCA.pem client.crt +#$client.crt: OK + + +untested +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L #list +yubico-piv-tool -astatus #list +pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects + + + generate the key +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo" + + sign the file and create an output +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file> + + +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file> +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file> + +# Example test command sequence +echo "Test data" > testdata.txt +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin +pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin + + +pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects + |
