Visible to Intel only — GUID: fhh1569343943186
Ixiasoft
Visible to Intel only — GUID: fhh1569343943186
Ixiasoft
3.5.2. HSM Key Creation
If you are using an HSM, you need one token to create and store the root and code signing keys. The following example initializes a token using SoftHSM, with separate security officer and user PINs.
[PACSign_Demo]$ softhsm2-util --init-token --label pac-hsm --so-pin hsm-owner \ --pin pac-afu-signer --freeOutput:
Slot 0 has a free/uninitialized token. The token has been initialized and is reassigned to slot 1441483598
After you create a token, you can create keys in that token. The following example initializes a root and two code signing keys in the token created above, similarly using pkcs11-tool to interact with SoftHSM. The HSM, not PACSign, uses the key ID provided in this example. PACSign uses CSK IDs from a configuration *.json file in PKCS11 mode. You must manage consistency across ID values in the HSM and those used by PACSign. See the PACSign PKCS11 Manager *.json Reference topic for more information on the *.json file format.
- Initialize the root key:
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \ --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \ --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \ --usage-sign --label root_key --id 0
Output:Key pair generated: Private Key Object; EC label: root_key ID: 00 Usage: decrypt, sign, unwrap Public Key Object; EC EC_POINT 256 bits EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64 EC_PARAMS: 06082a8648ce3d030107 label: root_key ID: 00 Usage: encrypt, verify, wrap
- Initialize the CSK1:
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \ --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \ --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \ --usage-sign --label csk_1 --id 1
Output:Key pair generated: Private Key Object; EC label: csk_1 ID: 01 Usage: decrypt, sign, unwrap Public Key Object; EC EC_POINT 256 bits EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924 EC_PARAMS: 06082a8648ce3d030107 label: csk_1 ID: 01 Usage: encrypt, verify, wrap
- Initialize CSK2:
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \ --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \ --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \ --usage-sign --label csk_2 --id 2
Output:Key pair generated: Private Key Object; EC label: csk_2 ID: 02 Usage: decrypt, sign, unwrap Public Key Object; EC EC_POINT 256 bits EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc EC_PARAMS: 06082a8648ce3d030107 label: csk_2 ID: 02 Usage: encrypt, verify, wrap
- After keys are created in your token, it may be useful to inspect the token to verify the expected keys, labels, and IDs are present.
[PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \ --token-label pac-hsm --login --pin pac-afu-signer -O
Output:Public Key Object; EC EC_POINT 256 bits EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc EC_PARAMS: 06082a8648ce3d030107 label: csk_2 ID: 02 Usage: encrypt, verify, wrap Public Key Object; EC EC_POINT 256 bits EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64 EC_PARAMS: 06082a8648ce3d030107 label: root_key ID: 00 Usage: encrypt, verify, wrap Private Key Object; EC label: root_key ID: 00 Usage: decrypt, sign, unwrap Private Key Object; EC label: csk_2 ID: 02 Usage: decrypt, sign, unwrap Private Key Object; EC label: csk_1 ID: 01 Usage: decrypt, sign, unwrap Public Key Object; EC EC_POINT 256 bits EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924 EC_PARAMS: 06082a8648ce3d030107 label: csk_1 ID: 01 Usage: encrypt, verify, wrap