[LS1046a] Populate x.509 client cert into the Virtual HSM about PKCS#11 feature

キャンセル
次の結果を表示 
表示  限定  | 次の代わりに検索 
もしかして: 

[LS1046a] Populate x.509 client cert into the Virtual HSM about PKCS#11 feature

1,032件の閲覧回数
carloswei
Contributor II

Hi NXP Layerscape Team,

I want to use the OpenVPN in the PKCS#11 mode. In the OpenVPN client config, the client cert shall be populated into the HSM token.


According to the Secure Object Library based OpenSSL Engine (libeng_secure_obj) in Layerscape Software Development Kit User Guide. (link: https://docs.nxp.com/bundle/GUID-1441E561-3EAD-47FD-A50D-72E1A4E4D69E/page/GUID-1D7DFFBB-9E23-4CDB-B...)


I have generated CSR by the user guide, and I have signed the CSR by our company's CA SaaS, our company's CA SaaS returned a signed client CERT to me. How can I write the client cert to the HSM?
I have tried to use the pkcs11-tool --write-object command line by a method from the https://wiki.onap.org/display/DW/Importing+key+and+certificate+using+pkcs11-tool+and+getting+it+from...


But my layerscape always prompts `error: PKCS11 function C_OpenSession failed: rv = CKR_ARGUMENTS_BAD (0x7)`. I have tried many inputs, but it is still this error.


The log is shown in the following figure:

carloswei_0-1681183107770.png

Note, * there is no pin setting for the HSM token.

 

 

0 件の賞賛
返信
4 返答(返信)

945件の閲覧回数
yipingwang
NXP TechSupport
NXP TechSupport

Please refer to the following update from the AE team.

Did customer try "sobj_app" application to create/generate objects, please refer to this section in LSDK document, https://docs.nxp.com/bundle/GUID-1441E561-3EAD-47FD-A50D-72E1A4E4D69E/page/GUID-94DA27FA-ADB5-432E-8...

 

Can  "sobj_app" meet customer's requirement?

 

LSDK default doesn't support "pkcs11-tool".

0 件の賞賛
返信

928件の閲覧回数
carloswei
Contributor II

carloswei_0-1681803759193.png

I went through the "sobj_app" application's man. The "sobj_app" can only support the objects pair (private key and public key) and public key. I would like to write a cert object to the VirtualHSM, though. How do I add a client certificate to the HSM? 

 

タグ(3)
0 件の賞賛
返信

846件の閲覧回数
yipingwang
NXP TechSupport
NXP TechSupport


For "sobj_app", confirmed with teammate,
#######
As of now, we don't support keeping the certificates in VirtualHSM.
Currently only keys can be stored in here.
#######

0 件の賞賛
返信

754件の閲覧回数
carloswei
Contributor II

OK, got it. I'm supposed to code it by myself. 

0 件の賞賛
返信