Hi Ricardo:

On September 17, 2008 12:52:23 pm Ricardo Garcia Reis wrote:
> Hey fellows,
>
> I want your help, to implement an integration with SafeNet HSM Hardware. I
> know OpenSSL, but never used with PKCS#11.
>
The Engine interface is your friend :) And WHICH SafeNet HSM? Have you taken a 
look at their SDK? They have several good examples in the OpenSSL Appendix 
there that probably do what you want. The other thing that you will need are 
their patches to OpenSSL to make the engine interface able to talk to the 
HSM, or it will never work.

> I have a HTTPS server and wonders how do I inform the certificate,
> privatekey and passphrase for the HTTPS handshake using PKCS#11.
>
> How to change my functions load_key and load_cert to use PKCS#11 ?? Any
> Good Sample ?? I Try OPENSC samples, but ..
>

Did you write this server yourself? If so, then you really should talk to 
SafeNet and get the SDK if you don't already have it, and probably a 
development support contract. LibCrystoki and OpenSSL are a bit tricky in how 
they work together :)

Other than that, to get the command line tools working, it should be a matter 
of editing your openssl.cnf file to have something like (if you have a CA3, 
or equivalent - check your documentation):

# the default (top) section of openssl.cnf must point at this init section:
#   openssl_conf = openssl_init
[ openssl_init ]
engines                 = engine_section
oid_section             = new_oids

[ engine_section ]
lunahsm                 = luna_hsm

# section name must match the value given in [ engine_section ]
[ luna_hsm ]
engine_id               = LunaCA3
init                    = 0

and your /etc/Chrystoki.conf file to have a section that looks like:

EngineLunaCA3 = {
  LibPath = /usr/lunapcm/lib/libCryptoki2.so;
  EngineInit=1:10:11;
}

And then

# login to the HSM
sautil -o -s 1 -i 10:11

# do something with s_client
openssl s_client -connect remoteserver:443 -engine LunaCA3 \
    -key sautil-generated.key -cert client-cert.pem

# log out of the HSM
sautil -c -s 1 -i 10:11

But, as I said, it's probably best to talk to SafeNet directly, since the 
entire process of getting the right ".key" file is a bit tricky.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org