I got the CST 3.0.1 tool and compiled it in Windows. The adapt_layer_openssl.c file says to modify it for HSM implementations, but it's not clear whether CST can be used when the keys are already generated in the HSM and OpenSSL is not involved with the keys. Note that we have a separate API to integrate with the HSM by sending the hash and retrieving the signature, but I am not sure if that can be adapted to the CST tool.
Was your CST tool able to communicate with the HSM through the APIs? Have you made any changes in the CST tool to communicate with the HSM?
I am also working on the same concept, where the CST tool should be able to communicate with a remote HSM through standard vendor APIs like the DigiCert API. DigiCert has its own APIs to communicate with the HSM, which can be called from a simple script along with the hash value to get it signed by the HSM.
I don't know whether this is possible with the CST tool. If you can share your experience, that will be helpful for me.
Thanks.
Thanks Yuri. I will try version 3.1.0. I saw the guide, but it wasn't clear whether we can use the pregenerated keys or need to use OpenSSL to create those HSM keys.
Also, is a similar reference available for the mkimage tool (to customize with HSM)?
Hello,
Our CST implementation is not intended for HSM use.
Generally, customers can refer to Appendix B (Replacing the CST Backend Implementation)
of “CST_UG.pdf” for some recommendations on how to implement their own solution.
Recent CST (3.1.0) may be loaded using the following link:
https://www.nxp.com/webapp/Download?colCode=IMX_CST_TOOL
Have a great day,
Yuri