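#
# Using PKCS11 with libcoap.
#
# This HOWTO works for CentOS 7.
#
# As CentOS 7 uses OpenSSL prior to 1.1.0, dual OpenSSL support needs to be
# set up and used for libcoap. See HOWTO.dual.openssl for setting this up.
#
# It also is possible that you want to use GnuTLS - and want to use a later
# version. See HOWTO.dual.gnutls for setting this up.
#
# OpenSSL and GnuTLS are currently supported
#

############################################################################
#
# Testing examples
#
############################################################################
#
# Update PKCS11 token with certificates and keys
#
# Assumption is that you already have the following PEM files
#  ca-cert.pem     - The certificate of the CA that signed Server and Client
#  server-cert.pem - Contains the server certificate in PEM format
#  server-key.pem  - Contains the server private key in PEM format
#  client-cert.pem - Contains the client certificate in PEM format
#  client-key.pem  - Contains the client private key in PEM format
#
# Tokens will be stored under /var/lib/softhsm/tokens/
#
# The user you are running this as needs to be in the group defined for
# /var/lib/softhsm/tokens/. E.g.
#  $ sudo ls -ld /var/lib/softhsm/tokens/
#  drwxrws--- 3 root softhsm 4096 May  3 09:52 /var/lib/softhsm/tokens/
# which is softhsm in this case (It could be ods). To verify if you are in
# the correct group
#  $ id
# To add user to this group
#  $ sudo usermod -a -G softhsm <user>
# and log out and back in again.
#
# SECURITY NOTES (this is a testing setup):
#  - The PINs below are throw-away test values. Every tool used here takes
#    the PIN on its command line (or embedded in a pkcs11: URI), so the PIN
#    is visible to other local users via ps / /proc/<pid>/cmdline and ends
#    up in shell history. Do not reuse a real PIN in this HOWTO.
#  - The intermediate *.pk8 files contain the private keys UNENCRYPTED
#    (-nocrypt is the form softhsm2-util --import consumes). They are
#    created under umask 077 and deleted right after the import so that
#    no plaintext key copy is left behind next to the token.
#

# Set libsofthsm2.so to use (may be /usr/lib/softhsm/libsofthsm2.so)
LIBSOFTHSM=/usr/local/lib/softhsm/libsofthsm2.so

# Test PINs used throughout this HOWTO (change them in one place if needed)
USER_PIN=1234
SO_PIN=4321

# Intermediate key/certificate files must not be readable by other users
umask 077

# Initialize Soft HSM token
# Note: slot 0 is re-allocated to slot XXX. This is presented as a decimal
# number, the hex equivalent (leading 0x) can be used for any slot options.
# All later commands select the token by its label ("token-0"), so the
# re-allocated slot number is not needed.
# Set SO PIN to $SO_PIN, user PIN to $USER_PIN
softhsm2-util --init-token --slot 0 --label "token-0" \
  --pin "$USER_PIN" --so-pin "$SO_PIN"

# CA Certificate (different id to Server/Client Public Certificate)
# (GnuTLS requires this to be trusted)
p11tool --so-login --load-certificate ca-cert.pem --write --label ca-cert \
  --set-so-pin "$SO_PIN" --id cc00 --mark-trusted "pkcs11:token=token-0"

# Server Private Key
# (unencrypted PKCS#8 copy exists on disk only for the duration of the import)
openssl pkcs8 -topk8 -inform PEM -outform PEM -in server-key.pem \
  -out server-key.pk8 -nocrypt
softhsm2-util --import server-key.pk8 --label "server-key" --id aa00 \
  --pin "$USER_PIN" --token "token-0"
rm -f -- server-key.pk8

# Server Public Certificate
# (Use different id to private key, but not the same as CA/Client cert)
openssl x509 -in server-cert.pem -out server-cert.der -outform DER
pkcs11-tool --module "$LIBSOFTHSM" --pin "$USER_PIN" \
  --write-object ./server-cert.der --type cert --id aa01 \
  --label "server-cert" --token-label "token-0"

# Client Private Key
# (unencrypted PKCS#8 copy exists on disk only for the duration of the import)
openssl pkcs8 -topk8 -inform PEM -outform PEM -in client-key.pem \
  -out client-key.pk8 -nocrypt
softhsm2-util --import client-key.pk8 --label "client-key" --id bb00 \
  --pin "$USER_PIN" --token "token-0"
rm -f -- client-key.pk8

# Client Public Certificate
# (Use different id to private key, but not the same as CA/Server cert)
openssl x509 -in client-cert.pem -out client-cert.der -outform DER
pkcs11-tool --module "$LIBSOFTHSM" --pin "$USER_PIN" \
  --write-object ./client-cert.der --type cert --id bb01 \
  --label "client-cert" --token-label "token-0"

# Verify token is correctly populated
pkcs11-tool --module="$LIBSOFTHSM" -t
pkcs11-tool --module="$LIBSOFTHSM" --list-objects \
  --pin "$USER_PIN" --token-label "token-0"
p11tool --list-all "pkcs11:model=SoftHSM%20v2"

#
# Run coap-server using PKCS11 (-C option may need to be -C cert.der)
#
# Three alternative ways of supplying the user PIN are shown:
#  1. pin-value=... query parameter in each pkcs11: URI
#  2. -J <pin> once on the command line, objects selected by id=
#  3. -J <pin> once on the command line, objects selected by object=<label>
# All of them place the PIN in argv - see SECURITY NOTES above.
#
coap-server -C "pkcs11:token=token-0;id=%cc%00?pin-value=${USER_PIN}" \
  -c "pkcs11:token=token-0;id=%aa%01?pin-value=${USER_PIN}" \
  -j "pkcs11:token=token-0;id=%aa%00?pin-value=${USER_PIN}" -v9

# or
coap-server -C 'pkcs11:token=token-0;id=%cc%00' \
  -c 'pkcs11:token=token-0;id=%aa%01' \
  -j 'pkcs11:token=token-0;id=%aa%00' -J "$USER_PIN" -v9

# or
coap-server -C 'pkcs11:token=token-0;object=ca-cert' \
  -c 'pkcs11:token=token-0;object=server-cert' \
  -j 'pkcs11:token=token-0;object=server-key' -J "$USER_PIN" -v9

#
# Run coap-client using PKCS11 (-C option may need to be -C cert.der)
#
coap-client -C "pkcs11:token=token-0;id=%cc%00?pin-value=${USER_PIN}" \
  -c "pkcs11:token=token-0;id=%bb%01?pin-value=${USER_PIN}" \
  -j "pkcs11:token=token-0;id=%bb%00?pin-value=${USER_PIN}" -v9 coaps://[::1]

# or
coap-client -C 'pkcs11:token=token-0;id=%cc%00' \
  -c 'pkcs11:token=token-0;id=%bb%01' \
  -j 'pkcs11:token=token-0;id=%bb%00' -J "$USER_PIN" -v9 coaps://[::1]

# or
coap-client -C 'pkcs11:token=token-0;object=ca-cert' \
  -c 'pkcs11:token=token-0;object=client-cert' \
  -j 'pkcs11:token=token-0;object=client-key' -J "$USER_PIN" -v9 coaps://[::1]

#
# Client and Server using RPK (GnuTLS only)
# (-M selects the raw public key; the certificates loaded above are not used)
#
coap-server -M 'pkcs11:token=token-0;object=server-key' -J "$USER_PIN" -v9
# and
coap-client -M 'pkcs11:token=token-0;object=client-key' -J "$USER_PIN" -v9 coaps://[::1]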