Security User Guide: Intel® FPGA Programmable Acceleration Card D5005

ID 683877
Date 8/25/2020
Public

3.5.2. HSM Key Creation

If you are using an HSM, you need one token to create and store the root and code signing keys. The following example initializes a token using SoftHSM, with separate security officer and user PINs.

[PACSign_Demo]$ softhsm2-util --init-token --label pac-hsm --so-pin hsm-owner \
--pin pac-afu-signer --free
Output:
Slot 0 has a free/uninitialized token.
The token has been initialized and is reassigned to slot 1441483598

After you create a token, you can create keys in that token. The following example initializes a root and two code signing keys in the token created above, similarly using pkcs11-tool to interact with SoftHSM. The HSM, not PACSign, uses the key ID provided in this example. PACSign uses CSK IDs from a configuration *.json file in PKCS11 mode. You must manage consistency across ID values in the HSM and those used by PACSign. See the PACSign PKCS11 Manager *.json Reference topic for more information on the *.json file format.

  1. Initialize the root key:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label root_key --id 0
    Output:
    Key pair generated:
    Private Key Object; EC
    label: root_key
    ID: 00
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
    EC_PARAMS: 06082a8648ce3d030107
    label: root_key
    ID: 00
    Usage: encrypt, verify, wrap
  2. Initialize the CSK1:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label csk_1 --id 1
    Output:
    Key pair generated:
    Private Key Object; EC
    label: csk_1
    ID: 01
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_1
    ID: 01
    Usage: encrypt, verify, wrap
  3. Initialize CSK2:
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer --keypairgen \
    --mechanism ECDSA-KEY-PAIR-GEN --key-type EC:secp256r1 \
    --usage-sign --label csk_2 --id 2
    Output:
    Key pair generated:
    Private Key Object; EC
    label: csk_2
    ID: 02
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_2
    ID: 02
    Usage: encrypt, verify, wrap
  4. After keys are created in your token, it may be useful to inspect the token to verify the expected keys, labels, and IDs are present.
    [PACSign_Demo]$ pkcs11-tool --module=/usr/local/lib/softhsm/libsofthsm2.so \
    --token-label pac-hsm --login --pin pac-afu-signer -O
    Output:
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 04410495f7556912d8753cf873be7a54e7d88c28bca672496abd90d9b44cc95cf50df9169b7ad043a7340003a2bf96cb461e0575319b541ceb5d873d06334b30d208cc
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_2
    ID: 02
    Usage: encrypt, verify, wrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441043d3756347e6c257dac085574cc1cd984cdeee2c1059a0f035dabc3ad6e1950c8717dc7ac8451a90c2471e95f4a69d6517f02f678830280f90a479c76a3e95d64
    EC_PARAMS: 06082a8648ce3d030107
    label: root_key
    ID: 00
    Usage: encrypt, verify, wrap
    Private Key Object; EC
    label: root_key
    ID: 00
    Usage: decrypt, sign, unwrap
    Private Key Object; EC
    label: csk_2
    ID: 02
    Usage: decrypt, sign, unwrap
    Private Key Object; EC
    label: csk_1
    ID: 01
    Usage: decrypt, sign, unwrap
    Public Key Object; EC EC_POINT 256 bits
    EC_POINT: 0441041a827c903b5da8478c81fe652208704f0621b984190cd961ee154ac5c3ba772d1caa26964a189262ee31b8e5d77898f293c0589b350103037b664d31adf68924
    EC_PARAMS: 06082a8648ce3d030107
    label: csk_1
    ID: 01
    Usage: encrypt, verify, wrap