working

author: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
committer: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
commit: 853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree: 2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
parent: b1f88b682624e85b4b743343dfaaeed113b69413 (diff)
1 files changed, 147 insertions, 0 deletions
diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
new file mode 100644
index 0000000..562ebf5
--- /dev/null
+++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
@@ -0,0 +1,147 @@
+sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin
+sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool.
+sudo dnf install -y pcsc-lite pcsc-lite-ccid
+sudo systemctl start pcscd
+sudo systemctl enable pcscd
+sudo opensc-tool -l
+so-pin 3537363231383830
+userpin 648219
+7535439178124602
+pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830
+opensc-tool -l  # to list devices
+sc-hsm-tool -X -r 1  # -r is device number. to reset the device, you need so pin and userpin
+sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1
+ykman piv reset  #reset yubikey piv
+find / -name opensc-pkcs11.so
+TESTING BEFORE OPERATION
+  ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test
+/usr/lib64/opensc-pkcs11.so
+/usr/lib64/pkcs11/opensc-pkcs11.so on fedora
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects
+OPENSSL_CONF=./hsm.conf openssl engine  
+the following should be printed for openssl
+(dynamic) Dynamic engine loading support
+(pkcs11) pkcs11 engine
+DOCUMNETATION FOR CA + nginx
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
+openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
+  openssl req -text -noout -verify -in server.csr  # to verify the certificate
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
+openssl x509 -in server.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web server authentication
+010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456
+brew install gnutls
+yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
+yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
+openssl x509 -in yubi.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web client authentication
+cp yubi.crt yubi.crt.pem
+yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
+p11tool --list-tokens
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
+can do curl -v xxxxxxxx as well for more verbose.
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
+openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
+openssl x509 -in client.crt -text -noout | grep -A 1 "Extended Key Usage"  # output web client authentication
+curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
+STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k 
+openssl version -d  # to find the default config file dir
+copy hsm.conf to the directory
+sudo nano /lib/systemd/system/nginx.service
+  add this to under service
+Environment=LANG=C
+Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
+sudo systemctl daemon-reload
+pkcs15-tool --list-info
+  to get the serial number value of the device for the key
+p11tool --list-all
+p11tool --login --list-all pkcs11:model=
+ssl_engine pkcs11; # put this after events section, before http.
+    ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt;
+    ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
+    ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;
+    ssl_verify_client on;
+cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
+curl -X POST http://127.0.0.1/generate_verification -k
+curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k
+curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k
+#change the check to not require authentication
+https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
+https://docs.nitrokey.com/hsm/linux/certificate-authority
+https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c
+  ^ is the pkcs uri for openssl -key
+DOCUMNETATION FOR CA + nginx END
+    yubico
+yubico-piv-tool -a unblock-pin -P 12345678 -N 123456
+123456 pin default
+12345678 pin unlock key default
+010203040506070801020304050607080102030405060708 management key default
+ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey
+should work
+openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
+openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt  #sign should work as well
+pkcs15-tool --read-public-key 01 > pubkey
+openssl dgst -sha256 -verify pubkey -signature signature.bin txt
+openssl genrsa -out rootCA.key 2048
+openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/CN=Client"
+openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
+openssl verify -CAfile rootCA.pem client.crt
+#$client.crt: OK
+untested
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L  #list
+yubico-piv-tool -astatus  #list
+pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects
+  generate the key
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo"
+  sign the file and create an output
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file>
+  
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file>
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file>
+# Example test command sequence
+echo "Test data" > testdata.txt
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
+pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects
author	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
committer	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
commit	853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree	2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
parent	b1f88b682624e85b4b743343dfaaeed113b69413 (diff)

diff --git a/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action new file mode 100644 index 0000000..562ebf5 --- /dev/null +++ b/config_files/nitrohsm-ca-docs-complete-and-very-messy/nitrohsm-in-action
@@ -0,0 +1,147 @@
	1
	2	sudo apt install pcscd pcsc-tools opensc openssl gnutls-bin
	3	sudo dnf install -y opensc openssl openssl-pkcs11 yubico-piv-tool yubikey-manager usbutils gnutls-utils #try this first. then sc-hsm-tool and pkcs11-tool.
	4	sudo dnf install -y pcsc-lite pcsc-lite-ccid
	5	sudo systemctl start pcscd
	6	sudo systemctl enable pcscd
	7	sudo opensc-tool -l
	8
	9	so-pin 3537363231383830
	10	userpin 648219
	11
	12	7535439178124602
	13
	14	pkcs11-tool --login --login-type so --so-pin 1234123412341234 --change-pin --new-pin 3537363231383830
	15	opensc-tool -l # to list devices
	16	sc-hsm-tool -X -r 1 # -r is device number. to reset the device, you need so pin and userpin
	17	sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 -r 1
	18	ykman piv reset #reset yubikey piv
	19
	20	find / -name opensc-pkcs11.so
	21
	22	TESTING BEFORE OPERATION
	23	ubuntu ONLY UBUNTU PKCS11 WORKS TO DISPLAY ALL THE REQUIRED DATA AND PASSES ALL TESTS
	24	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --test
	25	/usr/lib64/opensc-pkcs11.so
	26	/usr/lib64/pkcs11/opensc-pkcs11.so on fedora
	27	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --list-objects
	28	OPENSSL_CONF=./hsm.conf openssl engine
	29	the following should be printed for openssl
	30	(dynamic) Dynamic engine loading support
	31	(pkcs11) pkcs11 engine
	32
	33
	34	DOCUMNETATION FOR CA + nginx
	35
	36	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 03 --label "serverkey"
	37	openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:serial=DENK0302043;object=serverkey;type=private;pin-value=648219" -subj "/C=US/ST=YourState/L=YourCity/O=YourOrganization/CN=yourdomain.com" -out server.csr
	38	openssl req -text -noout -verify -in server.csr # to verify the certificate
	39	openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions server_cert -days 375 -notext -md sha512 -create_serial -in server.csr -out server.crt
	40	openssl x509 -in server.crt -text -noout \| grep -A 1 "Extended Key Usage" # output web server authentication
	41
	42	010203040506070801020304050607080102030405060708 yubikey manageemnt, normal key 123456
	43	brew install gnutls
	44	yubico-piv-tool -a generate -s 9a -k -A RSA2048 -o yubi_pubkey.pem
	45	yubico-piv-tool -a verify-pin -a request-certificate -s 9a -i yubi_pubkey.pem -S '/CN=hii Usenamer/O=Example Corp/C=US/' -o yubi.csr
	46	openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in yubi.csr -out yubi.crt
	47	openssl x509 -in yubi.crt -text -noout \| grep -A 1 "Extended Key Usage" # output web client authentication
	48	cp yubi.crt yubi.crt.pem
	49	yubico-piv-tool -a import-certificate -s 9a -k -i yubi.crt.pem -K PEM
	50	p11tool --list-tokens
	51	curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer' https://127.0.0.1 -k
	52	curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1 -k
	53	can do curl -v xxxxxxxx as well for more verbose.
	54
	55	openssl genrsa -out client.key 2048
	56	openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client2"
	57	openssl ca -config ../sign_server_and_client_csrs.ini -engine pkcs11 -keyform engine -extensions client_cert -days 375 -notext -md sha512 -create_serial -in client.csr -out client.crt
	58	openssl x509 -in client.crt -text -noout \| grep -A 1 "Extended Key Usage" # output web client authentication
	59	curl https://127.0.0.1 --cacert ../../intermediate/certs/chain.crt --cert client.crt --key client.key -k
	60
	61	STILL WILL HAVE ERROR BECAUSE URL REQUEST IS 127.0.0.1, if this is a public domain, curl checks the url in the cert and the requested url and if they both match, there should be no error when curling without -k
	62
	63	openssl version -d # to find the default config file dir
	64	copy hsm.conf to the directory
	65	sudo nano /lib/systemd/system/nginx.service
	66	add this to under service
	67	Environment=LANG=C
	68	Environment="OPENSSL_CONF=/usr/lib/ssl/hsm.conf"
	69	sudo systemctl daemon-reload
	70
	71	pkcs15-tool --list-info
	72	to get the serial number value of the device for the key
	73	p11tool --list-all
	74	p11tool --login --list-all pkcs11:model=
	75
	76	ssl_engine pkcs11; # put this after events section, before http.
	77	ssl_certificate /home/x/auths2/config/signing_area/server_cert.crt;
	78	ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0302043;object=serverkey;type=private";
	79	ssl_client_certificate /home/x/auths2/intermediate/certs/chain.crt;
	80	ssl_verify_client on;
	81
	82	cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
	83
	84	curl -X POST http://127.0.0.1/generate_verification -k
	85	curl -X POST -d "verify=wrIFRSJZ" -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/verify -k
	86	curl -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=hii%20Usenamer;pin-value=123456' https://127.0.0.1/check?string=wrIFRSJZ -k
	87
	88	#change the check to not require authentication
	89
	90	https://www.entrust.com/sites/default/files/documentation/integration-guides/nginx-server-nhield-v12-60-11_ig.pdf
	91	https://docs.nitrokey.com/hsm/linux/certificate-authority
	92	https://github.com/OpenSC/libp11/blob/5c99a1467e624981181ada75f41315cd1cf13e37/src/eng_parse.c
	93	^ is the pkcs uri for openssl -key
	94
	95	DOCUMNETATION FOR CA + nginx END
	96
	97
	98	yubico
	99	yubico-piv-tool -a unblock-pin -P 12345678 -N 123456
	100	123456 pin default
	101	12345678 pin unlock key default
	102	010203040506070801020304050607080102030405060708 management key default
	103	ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so user@ip #then enter the userpin for yubikey
	104
	105
	106	should work
	107	openssl dgst -engine pkcs11 -keyform engine -sha256 -sign "pkcs11:id=%01" -out signature.bin txt
	108	openssl dgst -engine pkcs11 -keyform engine -sha256 -verify "pkcs11:id=%01" -signature signature.bin txt
	109	openssl dgst -engine pkcs11 -keyform engine -sha256 -verify 01 -signature signature.bin txt #sign should work as well
	110	pkcs15-tool --read-public-key 01 > pubkey
	111	openssl dgst -sha256 -verify pubkey -signature signature.bin txt
	112
	113
	114	openssl genrsa -out rootCA.key 2048
	115	openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/CN=Root CA"
	116	openssl genrsa -out client.key 2048
	117	openssl req -new -key client.key -out client.csr -subj "/CN=Client"
	118	openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256
	119	openssl verify -CAfile rootCA.pem client.crt
	120	#$client.crt: OK
	121
	122
	123	untested
	124	pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -L #list
	125	yubico-piv-tool -astatus #list
	126	pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so --slot-index 1 --login --pin 648219 --list-objects
	127
	128
	129	generate the key
	130	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 01 --label "foo"
	131
	132	sign the file and create an output
	133	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --id 01 --input-file <input-file> --output-file <signature-file>
	134	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --sign --label "foo" --input-file <input-file> --output-file <signature-file>
	135
	136
	137	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --id 01 --input-file <input-file> --signature-file <signature-file>
	138	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --login --pin 648219 --verify --label "foo" --input-file <input-file> --signature-file <signature-file>
	139
	140	# Example test command sequence
	141	echo "Test data" > testdata.txt
	142	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type privkey --sign -i testdata.txt -o signeddata.bin
	143	pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so --login --pin 648219 --id 01 --type pubkey --verify -i testdata.txt -s signeddata.bin
	144
	145
	146	pkcs11-tool --module $MODULE --login --pin YOUR_PIN --list-objects
	147