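#!/usr/bin/env bash
# Working notes: OpenSC HSM (Nitrokey-style, serial DENK...) and YubiKey PIV setup, on-token
# key generation, signing CSRs with an HSM-backed CA, and nginx mTLS with the server key in the HSM.
# These are notes, not a script -- run the commands one at a time from the right directory.
#
# SECRETS: this file used to carry the SO-PIN, user PIN, PUK and management key in clear text.
# Keep them in a password manager and load them into the shell for the session instead (below).
# Prefer omitting --pin / pin-value= so the tool prompts, or use pin-source=file:... where the
# tool supports it: anything passed on the command line shows up in `ps` and shell history.

# --- packages / pcscd -----------------------------------------------------------------------
sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin                                     # Debian/Ubuntu
sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils  # Fedora: try this first, then sc-hsm-tool and pkcs11-tool
sudo dnf install -y pcsc-lite pcsc-lite-ccid
sudo systemctl start pcscd
sudo systemctl enable pcscd
sudo opensc-tool -l                         # list readers / devices

# --- HSM PINs -------------------------------------------------------------------------------
# The values previously written here (SO-PIN 3537363231383830, user PIN 648219) look like the
# HSM's factory defaults -- confirm against the Nitrokey docs linked below and change them
# before the token holds a real key: with a default SO-PIN anyone holding the device can reset it.
# An unlabeled 16-digit value was also in these notes; it was removed -- if it is a live SO-PIN,
# it belongs in the password manager, not here.
read -rs -p 'current SO-PIN: ' OLD_SO_PIN; echo
read -rs -p 'new SO-PIN: ' SO_PIN; echo
read -rs -p 'user PIN: ' USER_PIN; echo
# change the SO-PIN (the original note changed it from 1234123412341234)
pkcs11-tool --login --login-type so --so-pin "$OLD_SO_PIN" --change-pin --new-pin "$SO_PIN"
opensc-tool -l                              # list devices; -r below is the reader number
# DESTRUCTIVE: -X is --initialize (same as the next line): it wipes the token and every key on it.
# Needs SO-PIN and user PIN.
sc-hsm-tool -X -r 1
sc-hsm-tool --initialize --so-pin "$SO_PIN" --pin "$USER_PIN" -r 1
ykman piv reset                             # DESTRUCTIVE: wipes the YubiKey PIV applet (keys, certs, PIN/PUK/mgmt key back to defaults)
find / -name opensc-pkcs11.so 2>/dev/null   # locate the PKCS#11 module for --module

# --- testing before use ---------------------------------------------------------------------
# Module path differs per distro:
#   Ubuntu: /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so  (only this one displayed all the required data and passed all tests)
#   Fedora: /usr/lib64/pkcs11/opensc-pkcs11.so  (also /usr/lib64/opensc-pkcs11.so)
MODULE=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --test            # drop --pin to be prompted
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --list-objects
OPENSSL_CONF=./hsm.conf openssl engine
# expected output:
#   (dynamic) Dynamic engine loading support
#   (pkcs11) pkcs11 engine
# NOTE(review): on OpenSSL 3 the engine API is deprecated; if the pkcs11 engine does not load
# there, the pkcs11 provider is the replacement -- not covered by these notes.

# --- CA + nginx: server key lives in the HSM ------------------------------------------------
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
# Token serial (DENK0302043 here) comes from `pkcs15-tool --list-info`. The original URI carried
# pin-value=...; left out here so the engine prompts (or add pin-source=file:/path/to/pinfile, mode 0600).
openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
openssl req -text -noout -verify -in server.csr        # inspect the CSR and check its self-signature
# sign with the HSM-backed CA (CA key URI and policy are in sign_server_and_client_csrs.ini)
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage"   # expect: TLS Web Server Authentication

# --- YubiKey PIV client certificate ---------------------------------------------------------
# YubiKey factory defaults -- change ALL of them before the key is used for anything real; with the
# default management key anyone holding the YubiKey can generate/import keys and certificates:
#   PIN            123456
#   PUK            12345678
#   management key 010203040506070801020304050607080102030405060708
brew install gnutls                                    # macOS: for p11tool
yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem     # -k with no value prompts for the management key
yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage"     # expect: TLS Web Client Authentication
cp yubi.crt yubi.crt.pem
yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
p11tool --list-tokens                                  # gives the pkcs11: URI fields used by curl -E below
read -rs -p 'YubiKey PIN: ' YK_PIN; echo
# mTLS test with the YubiKey as client. -k disables server-certificate verification, so this only
# exercises the client side; to test the server properly pin the CA and map the cert's CN to localhost:
#   --cacert ../../intermediate/certs/chain.crt --resolve yourdomain.com:443:127.0.0.1 https://yourdomain.com
curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
curl -E "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=$YK_PIN" https://127.0.0.1 -k   # pin-value= is visible in ps; the first form prompts
# add -v for a verbose handshake trace

# --- file-based client certificate (no token) -----------------------------------------------
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage"   # expect: TLS Web Client Authentication
curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
# -k is only needed because the request goes to 127.0.0.1 while the cert says yourdomain.com: curl compares
# the requested host with the certificate. With --resolve yourdomain.com:443:127.0.0.1 and
# https://yourdomain.com the --cacert check passes and -k can go.

# --- nginx: engine config and HSM key ------------------------------------------------------
openssl version -d                                     # OPENSSLDIR: copy hsm.conf there
# hsm.conf names the engine shared object to load (dynamic_path) and is read by nginx at startup,
# so keep it root-owned and not group/world-writable; a writable config means arbitrary code in nginx.
# Do not edit /lib/systemd/system/nginx.service in place (package upgrades overwrite it); use a drop-in:
sudo systemctl edit nginx                              # creates /etc/systemd/system/nginx.service.d/override.conf
# [Service]
# Environment=LANG=C
# Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
sudo systemctl daemon-reload
pkcs15-tool --list-info                                # token serial for the pkcs11: URI in ssl_certificate_key
p11tool --list-all
p11tool --login --list-all pkcs11:model=               # fill in the model string from --list-tokens
# nginx.conf -- `ssl_engine pkcs11;` goes after the events {} section, before http {}:
#   ssl_engine pkcs11;
# server {} block:
#   ssl_certificate        /home/x/auths2/config/signing_area/server_cert.crt;   # consider fullchain.crt built below
#   ssl_certificate_key    "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
#   ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;  # any cert chaining to this CA is accepted as a client
#   ssl_verify_client on;
cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt   # served chain (root is optional)

# --- app endpoints (challenge/response over mTLS) -------------------------------------------
curl -X POST http://127.0.0.1/generate_verification -k                   # plain http: the challenge travels in clear -- use https
curl -X POST -d "verify=wrIFRSJZ" -E "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=$YK_PIN" https://127.0.0.1/verify -k
curl -E "pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=$YK_PIN" "https://127.0.0.1/check?string=wrIFRSJZ" -k
# TODO (from the original notes): change /check to not require client authentication.
# If that happens the verification string alone unlocks the result, so it must be unguessable,
# single-use and short-lived -- confirm before removing the auth requirement.
# refs:
#   https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
#   https://docs.nitrokey.com/hsm/linux/certificate-authority
#   https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c   <- pkcs11: URI attributes accepted by `openssl -key`
# --- CA + nginx end -------------------------------------------------------------------------

# --- YubiKey misc ----------------------------------------------------------------------------
# unblock-pin sets a new PIN using the PUK. Omit -P/-N to be prompted instead of putting both in argv.
# (The original ran this with the default PUK 12345678 and reset the PIN to the default 123456.)
read -rs -p 'YubiKey PUK: ' YK_PUK; echo
read -rs -p 'new YubiKey PIN: ' YK_NEW_PIN; echo
yubico-piv-tool -a unblock-pin -P "$YK_PUK" -N "$YK_NEW_PIN"
ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip    # then enter the YubiKey user PIN; should work

# --- sign / verify round trips through the HSM ----------------------------------------------
openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt   # bare id works too; same for -sign
pkcs15-tool --read-public-key 01 > pubkey
openssl dgst -sha256 -verify pubkey -signature signature.bin txt     # verify with the exported public key, no engine needed

# --- throwaway file-based CA, local tests ONLY (-nodes = unencrypted CA key on disk) ---------
# NOTE: reuses the client.key / client.csr / client.crt names from the mTLS section above and overwrites them.
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/CN=Client"
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
openssl verify -CAfile rootCA.pem client.crt          # expect: client.crt: OK

# --- untested -------------------------------------------------------------------------------
pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L                  # list slots
yubico-piv-tool -a status                                                    # list PIV slots / certs
pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin "$USER_PIN" --list-objects
# generate the key (the original used /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so here, without the pkcs11/ dir)
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --keypairgen --key-type rsa:2048 --id 01 --label "foo"
# sign a file and write the signature, selecting the key by id or by label
INPUT_FILE=testdata.txt
SIG_FILE=signeddata.bin
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --sign --id 01 --input-file "$INPUT_FILE" --output-file "$SIG_FILE"
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --sign --label "foo" --input-file "$INPUT_FILE" --output-file "$SIG_FILE"
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --verify --id 01 --input-file "$INPUT_FILE" --signature-file "$SIG_FILE"
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --verify --label "foo" --input-file "$INPUT_FILE" --signature-file "$SIG_FILE"
# example round trip
echo "Test data" > testdata.txt
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --list-objects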