############################################################################
#
# SoftHSMv2 dual versions
#
# Works with CentOS 7
#
# The opensc package needs to be installed.
#
############################################################################
#
# Install a software HSM module for doing the PKCS11 testing of libcoap.
# Real hardware can be used if you have the appropriate library module.
#
# It is assumed that the opensc package is installed.
#
# When installing SoftHSMv2 from your system's package manager, check that the
# OpenSSL version is at least 1.1.0.  If not, then you will need to dual
# install SoftHSMv2 as below; otherwise you can use the existing SoftHSMv2.
#
# SoftHSMv2 is built using OpenSSL, but GnuTLS can use the PKCS11 interface.
# Note that if the default OpenSSL version is less than 1.1.0, you will need
# to install a dual stack version of OpenSSL as per HOWTO.dual.openssl.
#
# Creates module /usr/local/lib/softhsm/libsofthsm2.so
#

# Add the line below to /etc/security/limits.conf to support memory locking

*               -        memlock         unlimited

# Get the latest SoftHSM
git clone https://github.com/opendnssec/SoftHSMv2.git

# Build code
cd SoftHSMv2/
sh autogen.sh
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure --enable-silent-rules \
  --with-crypto-backend=openssl --disable-gost LDFLAGS=-L/opt/openssl/lib \
  CPPFLAGS=-I/opt/openssl/include --with-openssl=/opt/openssl
make
# You may need to comment out the constexpr lines (fixes for gcc10) in
#  src/lib/crypto/PublicKey.h src/lib/crypto/PrivateKey.h if you get
# compile errors.
sudo make install
cd ..

# Make sure the p11-kit softhsm module files under
# /usr/share/p11-kit/modules/softhsm* have a "module:" entry giving the fully
# qualified path of the library (GnuTLS in particular needs this), i.e. an
# entry of the form
#
#  module: /usr/local/lib/softhsm/libsofthsm2.so

# The user you are running this as needs to be in the group defined for
# /var/lib/softhsm/tokens/.  E.g.
#  $ sudo ls -ld  /var/lib/softhsm/tokens/
#  drwxrws--- 3 root softhsm 4096 May  3 09:52 /var/lib/softhsm/tokens/
# which is softhsm in this case (it could be ods).  To verify that you are in
# the correct group
#  $ id
# To add the user to this group
#  $ sudo usermod -a -G softhsm <user>
# and log out and back in again.
#

############################################################################
#
# libp11 (needed for OpenSSL as it provides the PKCS11 engine)
#
############################################################################
#
# Install a pkcs11 library for OpenSSL to use as an engine.
# [GnuTLS has this built in]
#

# Get the latest libp11
git clone https://github.com/OpenSC/libp11.git

# Build code
cd libp11
./bootstrap
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure \
  --with-pkcs11-module=/usr/local/lib/softhsm/libsofthsm2.so
make
sudo make install
cd ..

# Verify that pkcs11 is available

/opt/openssl/bin/openssl engine pkcs11 -t
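
# The three things above that most often go wrong on a new host (a p11-kit
# module entry that is not a fully qualified path, a user who is not in the
# token directory's group, and a memlock limit that never took effect) can be
# checked with the POSIX sh functions below.  This is an added example, not
# part of libcoap, SoftHSMv2 or p11-kit; the function names are my own and
# paths are passed as arguments so the checks also run against test fixtures.

```sh
#!/bin/sh
# Sanity checks for the SoftHSMv2 / p11-kit setup (added example, not from
# libcoap, SoftHSMv2 or p11-kit).  Paths are arguments, not hard-coded.

# check_p11kit_module FILE
#   Succeeds and prints the module path if FILE has a "module:" entry whose
#   value is an absolute path to an existing library (what p11-kit and
#   GnuTLS need); a missing, relative or dangling path fails.
check_p11kit_module() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "$cfg: cannot read" >&2; return 1; }
    # p11-kit config lines are "key: value"; keep the first module: value
    mod=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$cfg" | head -n 1)
    case "$mod" in
        "") echo "$cfg: no module: entry" >&2; return 1 ;;
        /*) ;;
        *)  echo "$cfg: module '$mod' is not a fully qualified path" >&2
            return 1 ;;
    esac
    [ -f "$mod" ] || { echo "$cfg: $mod does not exist" >&2; return 1; }
    echo "$mod"
}

# check_token_group DIR
#   Succeeds if the caller belongs to the group owning DIR (softhsm or ods,
#   depending on the distribution); numeric gids avoid name lookups.
check_token_group() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    gid=$(ls -ldn "$dir" | awk '{print $4}')
    for g in $(id -G); do
        [ "$g" = "$gid" ] && return 0
    done
    grp=$(ls -ld "$dir" | awk '{print $4}')
    echo "not in group $grp (gid $gid) owning $dir; fix: sudo usermod -a -G $grp <user>" >&2
    return 1
}

# check_memlock
#   Succeeds if the limits.conf change is in effect for this login session.
check_memlock() {
    lim=$(ulimit -l)
    [ "$lim" = "unlimited" ] || { echo "memlock limit is $lim" >&2; return 1; }
}

# Typical use on a configured host (one module file per SoftHSM entry):
#   for f in /usr/share/p11-kit/modules/softhsm*; do check_p11kit_module "$f"; done
#   check_token_group /var/lib/softhsm/tokens/ && check_memlock
```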