how to generate x.509 certificate using PKCS11 (HSM, sobj_app)

Solved

6,634 views
dongyeonkim01
Contributor I

Hi.

We are building and testing LSDK 20.04 and I have a question.

How do I generate a certificate using PKCS11?

I have already checked the pkcs11_app and sobj_app modules, but I couldn't find how to generate a certificate.

1. How do I check the private key or the public key that is the HSM key?

2. How do I generate an X.509 certificate using the PKCS11 API?

2-1. Alternatively, if I cannot create an X.509 certificate using the PKCS11 API, how do I generate an X.509 certificate?

Best regards

0 Kudos
8 Replies
6,620 views
yipingwang
NXP TechSupport

In the LSDK User Guide (e.g. version 20.12), please refer to the following commands for certificate generation.

Section 6.5.3.3.1 Secure Object Library based OpenSSL Engine (libeng_secure_obj)

...

This section describes how to use the command line to create a self-signed certificate for "NXP Semiconductor". The key of the certificate is generated in the Secure Object HSM and will not be exportable.

As per the following examples, generate a private key in the HSM with sobj_app. This will also create a fake PEM file "dev_key.pem" holding the information needed to get the required key from the HSM.

The following command generates an RSA key pair:

$: sobj_app -G -m rsa-pair -s 2048 -l "Test_Key" -i 1 -w dev_key.pem

An ECDSA key pair can also be generated using the following command:

$: sobj_app -G -m ec-pair -c prime256v1 -l "ecc_256" -i 30 -w dev_key.pem

To generate a certificate with the key in the Secure Object module, the following commands can be used:

$ openssl req -new -key dev_key.pem -out req.pem -text -x509 -subj "/CN=NXP Semiconductor"

$ openssl x509 -signkey dev_key.pem -in req.pem -out cert.pem

The first command creates a self-signed certificate for "NXP Semiconductor". The signing is done using the key specified by the fake PEM file.

The second command creates a self-signed certificate for the request; the private key used to sign the certificate is the same private key used to create the request.

0 Kudos

6,608 views
dongyeonkim01
Contributor I

Thank you for your reply.

I have additional questions.

We are testing IPsec and TLS. A certificate will be sent during the test, and a private key is required to sign it.

We want to generate and save the private key in secure storage, but the way you suggested writes the private key to a file and uses it, which is different from what we want. We want to create a certificate using the private key stored in the secure store.

1. How do I use my private key to sign an OpenSSL certificate that uses PKCS#11?
2. How do I access my private key with PKCS#11?

0 Kudos

6,596 views
yipingwang
NXP TechSupport

1. How do I use my private key to sign an OpenSSL certificate that uses PKCS#11?
Ans: Customers have the option of integrating the PKCS#11 library with p11tool, which is an open-source utility that works with any PKCS#11 provider.

With this, the customer can generate an RSA key pair, import already available keys, and perform other functions as explained in "6.5.3.1 Using PKCS#11 APIs" in the LSDK 20.12 User Guide PDF.

Regarding signing an OpenSSL certificate, please refer to "6.5.3.3.2 PKCS#11 based OpenSSL Engine (Third-party OpenSC/libp11)" in the LSDK 20.12 User Guide.

2. How do I access my private key with PKCS#11?
Ans: The customer can access the private key using p11tool, which uses our PKCS#11 library in the backend.

0 Kudos

6,591 views
dongyeonkim01
Contributor I

I have already tried to access the private key and sign a cert with the p11tool library,

but I got the error "cannot load Private Key from engine".

dongyeonkim01_0-1630476404119.png

dongyeonkim01_1-1630476421836.png

0 Kudos

6,585 views
yipingwang
NXP TechSupport

Please try to get the full logs from the object creation using the p11tool command that leads to the error.

Also get the logs of "openssl engine pkcs11 -t".

The U-Boot and Linux boot logs will be helpful as well, just to confirm the version of the OS and firmware.

0 Kudos

6,573 views
dongyeonkim01
Contributor I

Our OS is LSDK 20.04, and this is my process:

1. Generated the key pair

dongyeonkim01_0-1630903376362.png

2. Checked the URL

dongyeonkim01_1-1630903402183.png

3. Created the cert and got the error

dongyeonkim01_2-1630903451988.png

* openssl engine pkcs11 -t

dongyeonkim01_3-1630903520994.png

* /etc/ssl/openssl.cnf

dongyeonkim01_0-1630906345003.png

0 Kudos

6,561 views
yipingwang
NXP TechSupport (accepted solution)

In Screenshot 1, an EC key pair is generated with the label "Device_Key".

In Screenshot 2, Objects 4 and 5 shown are keys with the label "Device_key33", which is different from the key pair generated.

- I think they are confusing the handle numbers 4 & 5 generated (as shown in Screenshot 1) with Object 4 and Object 5 (in Screenshot 2).

- They are completely different: handles 4 & 5 are specific to sobj_app only; those will not be the same as Object 4 and 5.

In Screenshots 4 & 5, the PKCS#11 engine has been configured correctly.

In Screenshot 3, when using the same key from OpenSSL, it is throwing errors showing that the token is not configured correctly.

- It means they have not done the steps given in https://docs.nxp.com/bundle/GUID-487B2E69-BB19-42CB-AC38-7EF18C0FE3AE/page/GUID-CBD773D9-CE43-4D3D-9CD4-63DE2092424F.html

- These steps are not in sequence, but at a high level, the token needs to be initialized first to use the objects from that token.

So you need to initialize the token, and most probably it will solve your problem.

0 Kudos

6,062 views
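The following POSIX shell script is an added example, not code from the LSDK User Guide or from any post in this thread. It ties together the two NXP replies above: the certificate-generation procedure from the guide (here with the key referenced by PKCS#11 URI through the third-party pkcs11 engine of section 6.5.3.3.2, instead of the fake PEM file of section 6.5.3.3.1) and the diagnosis in the accepted answer (label mismatch between "Device_Key" and "Device_key33", token not initialized). Everything it assumes is a placeholder: the module path in P11_MODULE, the token label "ExampleToken", the GnuTLS p11tool options (--initialize, --initialize-pin, --generate-rsa, --list-all, --export), the pkcs11 engine already being configured in openssl.cnf, and the shape of the constructed SAMPLE_LISTING, which imitates what p11tool --list-all prints but is not a capture from this thread. Only the pure helpers (URI encoding, URI building, exact label check) run by default; set RUN_ON_TOKEN=1 to execute the end-to-end flow against a real token.

```shell
#!/bin/sh
# Added example; not code from the LSDK guide or the NXP posts. Assumptions
# (module path, token label, p11tool option set, listing format) are marked.
set -eu

# Percent-encode one PKCS#11 URI attribute value (RFC 7512). The unreserved
# set plus : [ ] @ ! $ ' ( ) * + , = & pass through; everything else,
# including space ; ? and %, becomes %XX. Labels are matched case-sensitively.
p11_pct_encode() {
    printf '%s' "$1" | od -A n -v -t u1 | tr -s ' ' '\n' | while IFS= read -r byte; do
        [ -n "$byte" ] || continue
        ch=$(printf "\\$(printf '%03o' "$byte")")
        case "$ch" in
            [A-Za-z0-9._~-]|:|'['|']'|@|'!'|'$'|\'|'('|')'|'*'|+|,|=|\&) printf '%s' "$ch" ;;
            *) printf '%%%02X' "$byte" ;;
        esac
    done
}

# Build the key URI the libp11/OpenSC pkcs11 engine accepts for "-key".
# TOKEN is the token label, LABEL the CKA_LABEL given at generation time,
# TYPE "private" or "public"; optional ID_HEX is the CKA_ID as hex bytes.
p11_uri() {
    token=$1; label=$2; type=$3; id_hex=${4:-}
    uri="pkcs11:token=$(p11_pct_encode "$token");object=$(p11_pct_encode "$label")"
    [ -z "$id_hex" ] || uri="$uri;id=$(printf '%s' "$id_hex" | sed 's/../%&/g')"
    printf '%s;type=%s\n' "$uri" "$type"
}

# Exact, case-sensitive check that an object labelled LABEL exists in a token
# listing, parsing the "Label: ..." lines as p11tool --list-all prints them
# (format assumed). This is the check the thread needed: "Device_Key" is not
# "Device_key33", and sobj_app handle numbers are not PKCS#11 object numbers.
p11_has_label() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Label:[[:space:]]*//p' | grep -qxF -- "$2"
}

# Constructed sample listing (not a capture from the thread); token label is made up.
SAMPLE_LISTING='Object 0:
    URL: pkcs11:token=ExampleToken;id=%01;object=Device_key33;type=private
    Type: Private key (EC/ECDSA-SECP256R1)
    Label: Device_key33
    Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 01
Object 1:
    URL: pkcs11:token=ExampleToken;id=%01;object=Device_key33;type=public
    Type: Public key (EC/ECDSA-SECP256R1)
    Label: Device_key33
    ID: 01'

P11_MODULE=${P11_MODULE:-/usr/lib/libpkcs11.so}   # assumed path of the NXP PKCS#11 module

# End-to-end procedure on a real token: initialize, generate a labelled key,
# confirm the label, sign a self-signed certificate through the pkcs11 engine,
# and verify that the certificate carries the token's public key.
hsm_selfsigned_cert() {
    token=$1; label=$2; subj=$3; out=$4
    tok_uri="pkcs11:token=$(p11_pct_encode "$token")"
    # 0. The engine must load; this is the "openssl engine pkcs11 -t" check from the thread.
    openssl engine pkcs11 -t >/dev/null
    # 1. Initialize the token once (p11tool prompts for the SO PIN, then sets the
    #    user PIN). Objects on an uninitialized token cannot be used by the engine.
    if ! p11tool --provider "$P11_MODULE" --list-tokens | grep -qF "token=$(p11_pct_encode "$token")"; then
        p11tool --provider "$P11_MODULE" --initialize --label "$token" "pkcs11:"
        p11tool --provider "$P11_MODULE" --initialize-pin "$tok_uri"
    fi
    # 2. Generate a non-extractable key pair under the label you will reference by URI.
    p11tool --provider "$P11_MODULE" --login --generate-rsa --bits 2048 --label "$label" "$tok_uri"
    # 3. Confirm the label really is on the token (exact, case-sensitive match).
    p11_has_label "$(p11tool --provider "$P11_MODULE" --login --list-all "$tok_uri")" "$label" \
        || { echo "no object labelled '$label' on token '$token'" >&2; return 1; }
    # 4. Self-signed certificate; the private key never leaves the token, the
    #    engine only hands OpenSSL a handle resolved from the URI.
    openssl req -new -x509 -engine pkcs11 -keyform engine -key "$(p11_uri "$token" "$label" private)" \
        -subj "$subj" -days 365 -out "$out"
    # 5. Check: SubjectPublicKeyInfo in the certificate must equal the token's public key.
    cert_fp=$(openssl x509 -in "$out" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    tok_fp=$(p11tool --provider "$P11_MODULE" --export "$(p11_uri "$token" "$label" public)" \
        | openssl pkey -pubin -outform DER | sha256sum)
    [ "$cert_fp" = "$tok_fp" ] || { echo "certificate public key does not match token key" >&2; return 1; }
    echo "wrote $out, signed by token object '$label'"
}

# Touches hardware only when explicitly asked; the helpers above run anywhere.
if [ "${RUN_ON_TOKEN:-0}" = 1 ]; then
    hsm_selfsigned_cert "ExampleToken" "Device_Key" "/CN=NXP Semiconductor" cert.pem
fi
```

The engine and p11tool prompt for the user PIN on each login; a `pin-value=` attribute can be appended to the URI to avoid the prompt, but that puts the PIN into the process argument list and shell history, so prefer the prompt or `pin-source=` pointing at a root-only file. Step 5 is the check that resolves the thread's question 1 in practice: if the fingerprint of the certificate's public key matches the exported token public key, the certificate was signed by the non-exportable key on the HSM and not by some other object with a similar label.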
liziyi
Contributor I

Hi,

I am trying to initialize the token, but I don't know the original SO PIN. For more details please see https://community.nxp.com/t5/QorIQ/How-to-initialize-TEE-BASED-TOKEN-in-lx2160-ardb/td-p/1412342

Best regards.

0 Kudos