帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

How do you sign with PKCS11 and CST?

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

How do you sign with PKCS11 and CST?

‎08-05-2024 01:22 AM
2,115 次查看
kjasim
Contributor I
Hi,

I am using version 3.4.1 of the CST and attempting to sign using the PKCS11 library. However the CST provided does not have the `back-end_hsm` folder and when running the command:

cst --verbose -b pkcs11 -i csf_fit.txt -o csf_fit.bin

I receive the following error:

Install SRK
Install CSFK

[ERROR] CST: Error loading pkcs11 engine: could not load the shared library

I have created this hsm.cfg file as specified and placed it in the current directory.

{
    module = "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so";
    pin = "123456";
    slot = 0;
    objects = (
        { file = "./CSF1_1_sha256_2048_65537_v3_usr_crt.pem";
        id = "ec705018e9bf8ad60096e13cb2f0fbad";
        },
        { file = "./IMG1_1_sha256_2048_65537_v3_usr_crt.pem";
        id = "a0c8cac03985fb6dced29c97dc83aef7";
        });
};

Could you please provide me with the correct steps to sign using the PKCS11 library?

Thank you for your help.
0 项奖励
回复
6 回复数

‎08-05-2024 09:23 PM
2,033 次查看
Rita_Wang
NXP TechSupport
NXP TechSupport

I help create new case in our system 00640914, our security engineer will support you there. Thanks.

回复

‎08-07-2024 12:46 AM
1,972 次查看
kjasim
Contributor I

Hello, thank you for your reply. could you please add me to the ticket as I cannot see it. Thank you

0 项奖励
回复

‎08-08-2024 01:11 AM
1,944 次查看
Rita_Wang
NXP TechSupport
NXP TechSupport

I see that our security engineer gave you update by email:

Please refer to the section <Using Code-Signing Tool with Hardware Security Module> of CST-UG and the Dockerfile.hsm in the CST.

You can check it, if no update tell us, I will tell he to send to you again.

0 项奖励
回复

‎08-08-2024 02:45 AM
1,932 次查看
kjasim
Contributor I

Hello, I had a look at the documentation and it mentions building using the pkcs11 backend which is not present in the version of the CST I have, can you send me cst 3.4.0 please so I can build otherwise the guide doesn't work.

0 项奖励
回复

‎08-08-2024 05:02 PM
1,919 次查看
podo
Contributor I

I follow this document, it works fine.

 

https://community.nxp.com/t5/i-MX-Processors-Knowledge-Base/HSM-Code-Signing-Journey/ta-p/1882244

 

回复

‎08-13-2024 01:12 AM
1,816 次查看
kjasim
Contributor I

Hello,

Thank you for the reply. I already had a link for this documentation however following the documentation I was unable to compile or get it to work.

I do not appear to have the correct folders for pkcs11. There seems to be a "back-end_hsm" folder which is missing, this seems to be deprecated, is this correct? https://community.nxp.com/t5/i-MX-Processors/Removal-of-PKCS-11-functionality-in-CST-tool/m-p/143202...

Is there any other documentation detailing how to compile the project with pkcs11 support enabled.

0 项奖励
回复