This article shows in detail how to use OpenSSL to sign critical data with an network HSM. The data can be sensitive log data, license data, or any other data where integrity on transfer must be ensured.
Recently I was challenged in a project to sign some data using OpenSSL on an HSM. In my case it is license data. The data resides on a Linux host, that does not have a hardware security module available.
After short research I found that the Sematicon AG se.SAM N200 Crypto Appliance is available for remote evaluation. Business users can request an evaluation from the Sematicon website. The se.SAM N200 Crypto Appliance is an easy-to-use network HSM offering a PKCS11 interface for OpenSSL 1.1.1 and OpenSSL 3.0 and can sign any data using PKCS11 or REST-API.
This article shows how to use OpenSSL with an PKCS11 engine to generate and sign an X.509 certificate. This is not an easy task, as we need to use the PKCS11 tools to generate a key pair on the SoftHSM2 first. This tutorial is suitable for any self-signed root CA or issuing CA.
Ever wondered what TLS is? You might heard about private- and public-keys, about digital certificates and don’t know what exactly that is and how you can use them? Frankly I was in the same situation and thought I write an blog article regarding these issues to make them a little bit clearer for everyone who needs or wants to learn about it.
To use Transport Layer Security (TLS) a private-public-key-pair, and a X.509 certificate is needed. With the public key, a file or message gets encoded and can only be decoded with the corresponding private key, that’s called asymmetric cryptography. The most common algorithm for the creation of these key pairs are RSA and ECC. Where the digital certificate guarantees the authenticity and integrity of a server or a client.
There are many ressources that shows how to generate a RSA signature and perform a RSA signature verfication process. Nowadays, more and more developers are looking for ECC keys and ECDSA signature, as there are many reasons to consider elliptic curve cryptography (ECC):
Key generation is much faster for ECC keys than for RSA keys
Key operation for ECDSA signature is faster
The EC key size is only 1/10 of comparable RSA keys, so smart cards and HSMs may hold more ECC than RSA keys in their secure memory
The RSA algorithm my be compromized by quantum computer using Shor algorithm
Modern applications like WireGuard and crypto-currencies rely on elliptic curve cryptography
In this walk through I will show the full process to perform a ECDSA signature:
Select a supported ECC curve
Generate a private key (including the public key)
Extract the public key
Convert the ECC public key in DER and PEM format
View the public key content
Generate a hash
Create a signature using the private key and the hash
SoftHSM2 is free and easy o install or compile. But if you search how to use SoftHSM2 for symmetric and asymmetric cryptography or hashing you will notice that the OpenDNSSEC Wiki will not have any hint what mechanisms are supportet. This post will show how to view all SoftHSM mechanisms using pkcs11-tool. This references are based on version 2.6.1 and can be downloaded from OpenDNSSEC website.
To repeat the following steps you need to install or compile the following packages:
OpenSC (includes pkcs11-tool binary)
List all SoftHSM2 mechanisms (AES, DES, DH, DSA, ECDH, ECDSA, HASHES, RSA)
Whenever you generate a public/private key pair in hardware over PKCS#11 you need export the public key to generate an X.509v3 vertificate. pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
Whenever you need to work with SoftHSM2 there is a need to view all your configured slots and the objects saved on these slots. As softhsm2-util is not very well documented I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post will show how to view all SoftHSM slots and examine all objects on a specific SoftHSM slots. This working examples are based on version 2.6.1 and can be downloaded from OpenDNSSEC website.
List all SoftHSM2 slots
After installation of SoftHSM2 and once you created a few slots you can check your slot configuration with softhsm2-util and its option “–show-slots”
How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.
Show slot and token info: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.