Available HSM Models for Code Signing

Can you please let me know how it is with CST4.0?

Regards

Harvey

I tried CST 4.0 but it did not work, it seems to fail to load the PKCS11 module (x64).

khayashida@US01LPT12909 MINGW64 /c/cst
$ export PKCS11_MODULE_PATH=C:\\Program\ Files\\SafeNet\\LunaClient\\cryptoki.dll

khayashida@US01LPT12909 MINGW64 /c/cst
$ export PKCS11_PIN=********

khayashida@US01LPT12909 MINGW64 /c/cst
$ gdb ./mingw64/bin/cst.exe
GNU gdb (GDB) 15.1
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-w64-mingw32".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./mingw64/bin/cst.exe...
(gdb) r  -b pkcs11 --verbose -o u-boot_csf.bin -i u-boot.csf
Starting program: C:\cst\mingw64\bin\cst.exe -b pkcs11 --verbose -o u-boot_csf.bin -i u-boot.csf
[New Thread 21416.0x72d8]
[New Thread 21416.0x6878]
[New Thread 21416.0x1f58]
Install SRK
Install no CAK

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007ff743fe30bf in bind_engine ()

I was hoping to build cst.exe and get a stack trace, but could not build it because I could not run docker on mingw64.

khayashida@US01LPT12909 MINGW64 /c/cst/src
$ ƒdocker run -it -v $(pwd):/home/$USER/cst cst:build /bin/bash C:\Program Files\Docker\Docker\resources\bin\docker.exe: Error response from daemon: Mount denied:
The source path "C:/cst/src;C"
doesn't exist and is not known to Docker.
See 'C:\Program Files\Docker\Docker\resources\bin\docker.exe run --help'.

The HSM used is the Luna HSM. You can download it from here, but you need an account to access it. Sharing the client from us may have a licensing issue.

https://thalesdocs.com/gphsm/luna/7/docs/network/Content/CRN/Luna/client/10-7-2.htm

It also generates the segmentation error for YubiKey FIPS 5. The PKCS11 module for YubiKey can be downloaded here.

https://developers.yubico.com/yubico-piv-tool/Releases/

If you do not have these HSMs, you can still try the PKCS11 modules to see if it crashes in the bind_engine function. If it can load YubiKey modules, I would expect it to be able to load Luna HSM modules as well.

I made more investigation using Yubico PIV Tool, I was able to successfully load the PKCS#11 module without any issue, see below: (I don't have Yubikey attached to my machine so the specified token is not found, the goal is to check if CST loads properly the PKCS#11 module).

C:\Yubico\Yubico PIV Tool\bin>cst.exe -b pkcs11 -i bootimage.csf -o signed_flash.bin
[DEBUG] engine_ctx_init()
[DEBUG] ENGINE_load_builtin_engines()
[DEBUG] ENGINE_new()
[DEBUG] getenv(PKCS11_MODULE_PATH)
The value of PKCS11_MODULE_PATH is: C:\Yubico\Yubico PIV Tool\bin\libykcs11.dll
[DEBUG] bind_engine()
[DEBUG] ENGINE_init()
[DEBUG] engine_ctx_init() -> success
No matching initialized token was found for certificate
No matching initialized token was found for certificate
The certificate was not found at: pkcs11:token=CST-HSM-DEMO;object=SRK1_sha384_secp384r1_ca;type=cert;pin-value=12345678
00000000:error:42800065:pkcs11 engine:ERR_ENG_error:object not found:eng_back.c:764:

[ERROR] CST: Unable to read pkcs11:token=CST-HSM-DEMO;object=SRK1_sha384_secp384r1_ca;type=cert;pin-value=12345678

C:\Yubico\Yubico PIV Tool\bin>
Please note that I'm running cst.exe with Administrator privileges and placing cst.exe in the same path with libykcs11.dll (probably libykcs11.dll depends on libcrypto-3-x64.dll).

Please add some debug messages and try again. To build for mingw64:

OSTYPE=mingw64 ./scripts/build.sh -F

I did more testing in other environments; CST may indeed sporadically fail in Windows. Please try the attached patch and share feedback.

Regards

Harvey

Hi Harvey,

Could you share me the patched cst.exe for Mingw 64bit?

Building the CST is not my goal.

Katsutoshi

I ran CST with Admin and got the same result.

When I run the build, I get an error with the libp11 build. Please see the attached config.log for the build log.

I set OPENSSL_VERSION="3.4.1" in the build.sh file.

Please refer to src/BUILD.md for building instructions. That's the only build environment that we test.

Regards

Harvey

As mentioned above, the Docker build fails. Does this require Linux? I have no experience with Docker, so this is a hurdle for me. Could you provide me with a patched cst.exe?

Will send you one for testing purpose only.

Regards

Harvey

I'm attaching the file again as reCAPTCHA deleted it.

I am very busy right now, so I am unable to try out CST. I hope to find some time in the next week or two.