hello,
I need to run cst 3.3.2 on Ubuntu 23.04 to sign using certificates present on an HSM PKCS11 token.
I was able to build cst 3.3.2 using the provided container (based on Ubuntu 20.04), and the resulting executable can be launched on Ubuntu 23.04.
However, when it should access the HSM token, it wants to load a shared object that does not exist in my FS:
/opt/cst-ssl/lib/engines-1.1/pkcs11.so
I have a file of the same name here:
/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
which is provided by the libengine-pkcs11-openssl package. I should either force cst to load the library at that location, or copy it to the location where cst looks for it.
This all seems very tricky to me. What is the correct (or best) way to run cst 3.3.2 on Ubuntu 23.04?
best regards
Max
Hi Max,
we recommend running the MCUXpresso Secure Provisioning tool on Ubuntu 22.04 LTS 64 bit, with "OpenSSL 1.1.1f 31 Mar 2020" + GNOME recommended (see System requirements).
I'm afraid no one has tested it on Ubuntu 23.04 yet.
Hello Marek,
Unfortunately, we are forced to use the newer systems like 22.10 and 23.04 because some tools we use are provided for and/or can only run on these versions (and later).
In addition, we have to use HSM tokens to store private keys, so cst has to be able to access these tokens; consequently I think I have to compile it, or use cst version 3.3.2, which is not integrated with the provisioning tool 6 (the latest version available, which contains cst 3.2.0).
Finally, the whole thing needs to be run in batch mode within a pipeline of our CI/CD infrastructure, which runs inside a docker container.
best regards
Max
@mastupristi Can you please share some details on how you integrated it in CI/CD? We have the same requirement. How are you accessing the HSM through the CST tool? Where is the HSM installed? I mean, is it connected to the build server or some other remote location?
I have tested the signing process with cst-3.3.2 & SoftHSM. But we have the API & I don't know how we can call these APIs with the CST tool.
Please share your experience. Thanks.
How are you accessing the HSM through the CST tool?
In the .bd file, to be given as input to elftosb (and thus to cst), I specified the "URLs" to the HSM token. I derived these URLs with the `p11tool` command.
Where is the HSM installed? I mean, is it connected to the build server or some other remote location?
It is connected to the build server.
I think the problem is related to the version of OpenSSL, its engines, etc.
best regards
Max
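The "URLs" mentioned above are PKCS#11 URIs (RFC 7512), which is what `p11tool` prints for a token's objects. The following is an added example for this thread, not code from the original posts, from NXP's CST/elftosb or from `p11tool`, and it knows nothing about the .bd/.csf syntax: it parses and assembles such URIs with correct percent-encoding, and flags the choices a pipeline should reject before a build description is committed, above all a `pin-value` attribute, which stores the token PIN in plaintext where `pin-source` would keep it under the CI runner's control. The token label, object label, key id and the `file:/run/secrets/hsm-pin` path in the sample are constructed.

```python
"""
RFC 7512 PKCS#11 URI helpers for keys kept on an HSM token.
Added example; not code from the original thread, from NXP's CST/elftosb
or from p11tool. The sample token, object, id and PIN file path are made up.
"""
from urllib.parse import quote, unquote, unquote_to_bytes

# Attribute names defined by RFC 7512 (section 2.3 path, section 2.4 query).
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-version", "library-description", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}

# Characters RFC 7512 allows unencoded in path and query values, beyond the
# unreserved set that urllib.parse.quote never encodes.
_PATH_SAFE = ":[]@!$'()*+,"
_QUERY_SAFE = ":[]@!$'()*+,/?|"


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into decoded path and query attributes.

    Raises ValueError on malformed input so a pipeline fails early instead of
    letting the PKCS#11 module guess which object was meant. Vendor-specific
    attributes are not supported here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = {"path": {}, "query": {}}
    sections = (("path", path_part, ";", PATH_ATTRS),
                ("query", query_part, "&", QUERY_ATTRS))
    for bucket, text, sep, known in sections:
        if not text:
            continue
        for item in text.split(sep):
            name, eq, raw = item.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {item!r}")
            if name in parsed[bucket]:
                raise ValueError(f"duplicate attribute {name!r}")
            if name not in known:
                raise ValueError(f"unsupported {bucket} attribute {name!r}")
            # 'id' is the raw CKA_ID bytes; every other attribute is UTF-8 text.
            parsed[bucket][name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    path = parsed["path"]
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise ValueError(f"unknown object type {path['type']!r}")
    if "slot-id" in path:
        if not path["slot-id"].isdigit():
            raise ValueError("slot-id must be a decimal integer")
        path["slot-id"] = int(path["slot-id"])
    return parsed


def build_pkcs11_uri(path: dict, query: dict = None) -> str:
    """Assemble a URI with RFC 7512 percent-encoding (the step p11tool does
    for you). 'id' must be bytes and is emitted as one %xx per byte."""
    parts = []
    for name, value in path.items():
        if name not in PATH_ATTRS:
            raise ValueError(f"unsupported path attribute {name!r}")
        if name == "id":
            encoded = "".join(f"%{b:02x}" for b in value)
        else:
            encoded = quote(str(value), safe=_PATH_SAFE)
        parts.append(f"{name}={encoded}")
    uri = "pkcs11:" + ";".join(parts)
    if query:
        qparts = []
        for name, value in query.items():
            if name not in QUERY_ATTRS:
                raise ValueError(f"unsupported query attribute {name!r}")
            qparts.append(f"{name}={quote(str(value), safe=_QUERY_SAFE)}")
        uri += "?" + "&".join(qparts)
    return uri


def ci_findings(parsed: dict) -> list:
    """Properties worth rejecting in a build description checked into CI."""
    findings = []
    path, query = parsed["path"], parsed["query"]
    if "pin-value" in query:
        findings.append("pin-value stores the token PIN inside the build "
                        "description; use pin-source (a file or URI the CI "
                        "runner controls) instead")
    if "object" not in path and "id" not in path:
        findings.append("no object label or id: the module may pick an "
                        "arbitrary matching key")
    if "token" not in path and "serial" not in path:
        findings.append("no token label or serial: any inserted token matches")
    if "module-path" in query and not query["module-path"].startswith("/"):
        findings.append("module-path is relative to the working directory, "
                        "which differs between runners")
    return findings


# Constructed sample: a private key labelled "boot key" on a token labelled
# "Build Token", PIN read from a file the runner mounts (path is made up).
SAMPLE_URI = build_pkcs11_uri(
    {"token": "Build Token", "object": "boot key", "type": "private", "id": b"\x01\xab"},
    {"pin-source": "file:/run/secrets/hsm-pin"},
)

if __name__ == "__main__":
    print(SAMPLE_URI)
    print(ci_findings(parse_pkcs11_uri(SAMPLE_URI)))
    print(ci_findings(parse_pkcs11_uri("pkcs11:object=boot%20key?pin-value=1234")))
```

Running it prints the encoded sample URI, an empty finding list for it, and two findings for the second URI (PIN embedded, token unspecified). Pinning both the token (label or serial) and the object (label or id) matters in a pipeline where several tokens or keys may be visible to the same PKCS#11 module.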
Thanks for the reply @mastupristi.
We figured out how CST can help us sign images with a remote HSM using our APIs. FYI, the CST tool has "Mode = HSM" support that we need to define in each CSF file. Upon execution of cst, it generates a few files which we need to send to the signing authority (using an API call) to generate the signature. The received signature is then inserted into the CSF binary.
Does it work with OpenSSL 3.0.10?
I tried only with cst-3.3.2. Don't know about earlier versions.
Maybe we didn't understand each other.
cst 3.3.1 uses (and requires) OpenSSL 1.1.1g
cst 3.3.2 uses (and requires) OpenSSL 1.1.1l
I have Ubuntu 23.04, which instead uses (and requires) OpenSSL 3.0.10.
So my question (probably rhetorical) is: can one of these versions also work with OpenSSL 3.0.10?
regards
Max
Have you ever tried Ubuntu 22.04 or newer?
regards
Max
No
So you can't have any idea whether elftosb and cst can work with OpenSSL >= 3.0, especially for use with USB HSM tokens.
regards
Max
No, I don't have any idea.