How to sign data with OpenSSL on an HSM

This article shows in detail how to use OpenSSL to sign critical data with an network HSM. The data can be sensitive log data, license data, or any other data where integrity on transfer must be ensured.

Recently I was challenged in a project to sign some data using OpenSSL on an HSM. In my case it is license data. The data resides on a Linux host, that does not have a hardware security module available.

After short research I found that the Sematicon AG se.SAM N200 Crypto Appliance is available for remote evaluation. Business users can request an evaluation from the Sematicon website. The se.SAM N200 Crypto Appliance is an easy-to-use network HSM offering a PKCS11 interface for OpenSSL 1.1.1 and OpenSSL 3.0 and can sign any data using PKCS11 or REST-API.

How to sign data with OpenSSL on an HSM weiterlesen

Generate an OpenSSL X.509 certificate with SoftHSM2

This article shows how to use OpenSSL with an PKCS11 engine to generate and sign an X.509 certificate. This is not an easy task, as we need to use the PKCS11 tools to generate a key pair on the SoftHSM2 first. This tutorial is suitable for any self-signed root CA or issuing CA.

Generate an OpenSSL X.509 certificate with SoftHSM2 weiterlesen

First Steps with OpenSSL for signature and encryption

Ever wondered what TLS is? You might heard about private- and public-keys, about digital certificates and don’t know what exactly that is and how you can use them? Frankly I was in the same situation and thought I write an blog article regarding these issues to make them a little bit clearer for everyone who needs or wants to learn about it.

To use Transport Layer Security (TLS) a private-public-key-pair, and a X.509 certificate is needed. With the public key, a file or message gets encoded and can only be decoded with the corresponding private key, that’s called asymmetric cryptography. The most common algorithm for the creation of these key pairs are RSA and ECC. Where the digital certificate guarantees the authenticity and integrity of a server or a client.

First Steps with OpenSSL for signature and encryption weiterlesen

Full working ECDSA signature with OpenSSL

There are many ressources that shows how to generate a RSA signature and perform a RSA signature verfication process. Nowadays, more and more developers are looking for ECC keys and ECDSA signature, as there are many reasons to consider elliptic curve cryptography (ECC):

  • Key generation is much faster for ECC keys than for RSA keys
  • Key operation for ECDSA signature is faster
  • The EC key size is only 1/10 of comparable RSA keys, so smart cards and HSMs may hold more ECC than RSA keys in their secure memory
  • The RSA algorithm my be compromized by quantum computer using Shor algorithm
  • Modern applications like WireGuard and crypto-currencies rely on elliptic curve cryptography

In this walk through I will show the full process to perform a ECDSA signature:

  1. Select a supported ECC curve
  2. Generate a private key (including the public key)
  3. Extract the public key
  4. Convert the ECC public key in DER and PEM format
  5. View the public key content
  6. Generate a hash
  7. Create a signature using the private key and the hash
  8. View the content of the signature
  9. Verify the signature

This all is done with two commands only:

  • OpenSSL (in my case version 1.1.1d)
  • dumpasn1 (installed by Linux package dumpasn1)

OpenSSL ECDSA signature & verification

Full working ECDSA signature with OpenSSL weiterlesen

SoftHSM2: What crypto mechanisms and ciphers are supported?

SoftHSM2 is free and easy o install or compile. But if you search how to use SoftHSM2 for symmetric and asymmetric cryptography or hashing you will notice that the OpenDNSSEC Wiki will not have any hint what mechanisms are supportet. This post will show how to view all SoftHSM mechanisms using pkcs11-tool. This references are based on version 2.6.1 and can be downloaded from OpenDNSSEC website.

To repeat the following steps you need to install or compile the following packages:

  • OpenSC (includes pkcs11-tool binary)
  • SoftHSM2

List all SoftHSM2 mechanisms (AES, DES, DH, DSA, ECDH, ECDSA, HASHES, RSA)

SoftHSM2: What crypto mechanisms and ciphers are supported? weiterlesen

Simple start with Yubico PKCS#11 library

In this demo I will use a fresh installed YubiKey 5 NFC token, using YubiKey Manager for Windows you easily can change token settings and modify the configuration of the token.

With the same tool you can change the PIN and PUK of the token. The default PIN is “123456” and the default PUK for YubiKey PIV token is “12345678”. In this demo I will not change the default values.

Simple start with Yubico PKCS#11 library weiterlesen

Export a RSA / ECC public key with OpenSC pkcs11-tool

Whenever you generate a public/private key pair in hardware over PKCS#11 you need export the public key to generate an X.509v3 vertificate. pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

Export a RSA / ECC public key with OpenSC pkcs11-tool weiterlesen

SoftHSM2 view slot info and objects on a specific slot

Whenever you need to work with SoftHSM2 there is a need to view all your configured slots and the objects saved on these slots. As softhsm2-util is not very well documented I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post will show how to view all SoftHSM slots and examine all objects on a specific SoftHSM slots. This working examples are based on version 2.6.1 and can be downloaded from OpenDNSSEC website.

List all SoftHSM2 slots

After installation of SoftHSM2 and once you created a few slots you can check your slot configuration with softhsm2-util and its option “–show-slots”

SoftHSM2 view slot info and objects on a specific slot weiterlesen

Generate RSA, ECC and AES keys with OpenSC pkcs11-tool

How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.

Generate RSA, ECC and AES keys with OpenSC pkcs11-tool weiterlesen

Show slot and token info with OpenSC pkcs11-tool

Show slot and token info: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.

Show slot and token info with OpenSC pkcs11-tool weiterlesen