Security User Guide: Intel® Programmable Acceleration Card with Intel® Arria® 10 GX FPGA

ID 683453
Date 3/06/2020
Public
Document Table of Contents

3.5.2. HSM Key Creation

If you are using an HSM, you need one token to create and store the root and code signing keys. The following example initializes a token using SoftHSM, with separate security officer and user PINs.

[PACSign_Demo]$ softhsm2-util --init-token --label pac-hsm --so-pin hsm-owner \
--pin pac-afu-signer --free
Output:
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 1441483598

After you create a token, you can create keys in that token. The following example initializes a root and two code signing keys in the token created above, similarly using pkcs11-tool to interact with SoftHSM. The HSM, not PACSign, uses the key ID provided in this example. PACSign uses CSK IDs from a configuration *.json file in PKCS11 mode. You must manage consistency across ID values in the HSM and those used by PACSign. See the PACSign PKCS11 Manager *.json Reference topic for more information on the *.json file format.

  1. Initialize the root key:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label root_key --id 0
    Output:
    Key pair generated:
    Private Key Object; EC
    label: root_key
    ID: 00
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
    EC_PARAMS: 06082a8648ce3d030107
    label: root_key
    ID: 00
    Usage: encrypt, verify, wrap
  2. Initialize the CSK1:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label csk_1 --id 1
    Output:
    Key pair generated:
    Private Key Object; EC
    label: csk_1
    ID: 01
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_1
    ID: 01
    Usage: encrypt, verify, wrap
  3. Initialize CSK2:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label csk_2 --id 2
    Output:
    Key pair generated:
    Private Key Object; EC
    label: csk_2
    ID: 02
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_2
    ID: 02
    Usage: encrypt, verify, wrap
  4. After keys are created in your token, it may be useful to inspect the token to verify the expected keys, labels, and IDs are present.
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer -O
    Output:
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_2
    ID: 02
    Usage: encrypt, verify, wrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
    EC_PARAMS: 06082a8648ce3d030107
    label: root_key
    ID: 00
    Usage: encrypt, verify, wrap
    Private Key Object; EC
    label: root_key
    ID: 00
    Usage: decrypt, sign, unwrap
    Private Key Object; EC
    label: csk_2
    ID: 02
    Usage: decrypt, sign, unwrap
    Private Key Object; EC
    label: csk_1
    ID: 01
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_1
    ID: 01
    Usage: encrypt, verify, wrap