nmav pushed to caml-crush (master). "Added readme file"

notifications at fedoraproject.org
Thu Mar 26 16:07:00 UTC 2015


From 4df7b1d8ae6928021def01fce03205633991264f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Thu, 26 Mar 2015 16:51:28 +0100
Subject: Added readme file


diff --git a/README.fedora b/README.fedora
new file mode 100644
index 0000000..969445f
--- /dev/null
+++ b/README.fedora
@@ -0,0 +1,43 @@
+========================================
+Deploy a software isolated HSM in Fedora
+========================================
+
+The caml-crush package includes a software isolated softhsm, which
+is available as a PKCS #11 module. That is accesible via /usr/lib64/pkcs11/libsofthsm2.so
+module or for applications which support PKCS #11 URLs, via the URL
+"pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken".
+
+
+To enable the pkcs11proxyd module with softhsm:
+
+# systemctl enable pkcs11proxyd-softhsm
+# systemctl start pkcs11proxyd-softhsm
+
+Now users who are members of the pkcs11proxy group will be able
+to access the isolated softhsm.
+
+# gpasswd -a user pkcs11proxy
+# su user
+
+If you already have a key/certificate pair you can copy them to the HSM
+$ sudo cat /etc/pkcs11proxyd/pins.txt
+$ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+$ p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+
+Or you can generate the key inside the module:
+$ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
+$ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
+
+
+You can now list them. You should have 2 objects, the private key, and the certificate.
+
+$ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
+
+To test the key pair operation:
+$ gnutls-serv --echo --x509keyfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" \
+	--x509certfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-cert;type=cert"
+
+$ gnutls-cli localhost -p 5556 --insecure
+
+If the connection succeeded you can use the HSM, using the URLs above
+
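Review bot: The "generate the key inside the module" path does not leave a certificate on the token, so the statement "You should have 2 objects, the private key, and the certificate" only holds for the copy-in path. After `p11tool --generate-rsa` and `certtool --generate-request`, the listing will show the private and public key objects and no `server-cert`, and the `gnutls-serv --x509certfile "...;object=server-cert;type=cert"` test will fail until the signed certificate is imported with `p11tool --write --load-certificate`; suggest adding that import step (and a sentence on getting the request signed) before "You can now list them". Minor: "accesible" should be "accessible", "copy them to the HSM" and the final sentence lack terminating punctuation, and `sudo cat /etc/pkcs11proxyd/pins.txt` implies every pkcs11proxy member also needs sudo to read the PIN, which the README should say explicitly.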
diff --git a/caml-crush.spec b/caml-crush.spec
index 754c4e7..a57f939 100644
--- a/caml-crush.spec
+++ b/caml-crush.spec
@@ -123,7 +123,7 @@ install -p -m 644 %{SOURCE8} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config
 install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config/pkcs11/modules
 
 %files
-%doc README.md ISSUES.md
+%doc README.md ISSUES.md README.fedora
 %license LICENSE.txt
 %{_libdir}/pkcs11/libp11client.so
 %{_sbindir}/pkcs11proxyd
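Review bot: README.fedora is added to `%doc` here, but nothing in this patch puts the file into the build directory: it is a new file in the dist-git repository rather than part of the upstream tarball, and the surrounding lines show the spec pulling dist-git files in as numbered sources (`%{SOURCE8}`, `%{SOURCE9}`). Unless README.fedora is already declared as a `SourceN:` and copied in `%prep` (e.g. `cp -p %{SOURCE10} .`, number is a placeholder), `%doc README.fedora` will fail at build time with a file-not-found error. The diff also touches only this hunk of the spec, so Release is not bumped and no %changelog entry is added.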
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=master&id=4df7b1d8ae6928021def01fce03205633991264f

