nmav pushed to caml-crush (master). "updated documentation"

notifications at fedoraproject.org
Wed Apr 1 14:33:19 UTC 2015


From 081c5e1b241c9c2dc8855df6cc06ffc029964353 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Wed, 1 Apr 2015 16:31:54 +0200
Subject: updated documentation


diff --git a/README.fedora b/README.fedora
index 3a2aa9e..be934b4 100644
--- a/README.fedora
+++ b/README.fedora
@@ -9,51 +9,53 @@ module or for applications which support PKCS #11 URLs, via the URL
 
 
 To enable the pkcs11proxyd module with softhsm:
-
-# systemctl enable pkcs11proxyd-softhsm
-# systemctl start pkcs11proxyd-softhsm
+  # systemctl enable pkcs11proxyd-softhsm
+  # systemctl start pkcs11proxyd-softhsm
 
 Now users who are members of the pkcs11proxy group will be able
 to access the isolated softhsm.
 
-# gpasswd -a user pkcs11proxy
-# su user
+  # gpasswd -a user pkcs11proxy
+  # su user
 
-========================
-Initialize using p11tool
-========================
+============================
+Initialize using pkcs11-tool
+============================
 
-If you already have a key/certificate pair you can copy them to the HSM
-$ sudo cat /etc/pkcs11proxyd/pins.txt
-$ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
-$ p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+To write a private key and certificate (must be provided in DER format):
+  $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y privkey -w ./key-rsa.der -l --label server-key --usage-sign --usage-decrypt -d 000102030405
+  $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y cert -w ./cert-rsa.der -l --label server-cert  -d 000102030405
+  $ openssl x509 -inform der -pubkey -in cert-rsa.der | openssl pkey -pubin -inform pem -outform der -out pub-rsa.der
+  $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y pubkey -w ./pub-rsa.der -l --label server-pubkey -d 000102030405
 
-Or you can generate the key inside the module:
-$ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
-$ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
 
-You can now list them. You should have 2 objects, the private key, and the certificate.
+To list all objects:
+  $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -l -O
 
-$ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
+To verify operation:
+  $ echo "test data" >data
+  $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -d 000102030405 --sign -m SHA1-RSA-PKCS -o sig -i data -l --pin XXXX
+  $ openssl dgst -verify pub-rsa.der -keyform der -sha1 -signature sig data
 
+If everything is ok, the PKCS #11 module is ready for operation.
+Note that pkcs11-tool is part of the opensc package. It is recommended that
+the private key should be deleted or be made inaccessible to the softhsm users.
 
-============================
-Initialize using pkcs11-tool
-============================
+========================
+Initialize using p11tool
+========================
 
-To write a private key and certificate (must be provided in DER format):
-$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y privkey -w ./key-rsa.der -l --label server-key --usage-sign --usage-decrypt
-$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y cert -w ./cert-rsa.der -l --label server-cert
+If you already have a key/certificate pair you can copy them to the HSM
+  $ sudo cat /etc/pkcs11proxyd/pins.txt
+  $ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+  $ p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
 
+Or you can generate the key inside the module:
+  $ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
+  $ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
 
-==============
-Test operation
-==============
+You can now list them. You should have 2 objects, the private key, and the certificate.
 
-To test the key pair operation:
-$ gnutls-serv --echo --x509keyfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" \
-	--x509certfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-cert;type=cert"
+  $ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
 
-$ gnutls-cli localhost -p 5556 --insecure
 
-If the connection succeeded you can use the HSM, using the URLs above
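Review bot: the pkcs11-tool section is now the first one a reader meets, but nothing in it says where the user PIN for `-l` and `--pin XXXX` comes from; the only hint, `$ sudo cat /etc/pkcs11proxyd/pins.txt`, survives further down in the p11tool section, so repeat it (or move it above both sections) before the first `pkcs11-tool ... -l` command. Two smaller points in the same hunk: the verification step hashes with SHA-1 (`-m SHA1-RSA-PKCS` and `openssl dgst -sha1`), and documentation that will be copied verbatim should use `-m SHA256-RSA-PKCS` with `openssl dgst -sha256` instead; and the closing sentence "It is recommended that the private key should be deleted or be made inaccessible to the softhsm users" does not say which private key is meant. If it refers to the `key-rsa.der` file left on disk after the `-w ./key-rsa.der` import, say so explicitly, since the whole point of the proxy is that the copy inside softhsm stays isolated. Finally, dropping the "Test operation" section (gnutls-serv / gnutls-cli) leaves the p11tool path with no end-to-end check at all, while the pkcs11-tool path keeps one; either keep that section or add an equivalent sign/verify step after the p11tool listing.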
diff --git a/caml-crush.spec b/caml-crush.spec
index a57f939..a5a757e 100644
--- a/caml-crush.spec
+++ b/caml-crush.spec
@@ -2,7 +2,7 @@
 
 Name:           caml-crush
 Version:        1.0.4
-Release:        4%{?dist}
+Release:        5%{?dist}
 Summary:        PKCS#11 filtering proxy
 
 # The pkcs11proxyd server is under CeCILL, while the rest of the libraries are
@@ -153,6 +153,9 @@ install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config
 
 
 %changelog
+* Wed Apr  1 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-5
+- Removed default upstream filters and added documentation
+
 * Mon Mar 23 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-4
 - do not include the RSA's headers and GPLv3 code to simplify licensing
 
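Review bot: the changelog entry "Removed default upstream filters and added documentation" claims a filter removal, but this commit only touches README.fedora and the Release field of the spec; no filter configuration or source file changes here. Either the filter removal landed in an earlier commit, in which case this entry should only mention the documentation and release bump, or the spec change that removes the upstream filters is missing from the commit.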
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=master&id=081c5e1b241c9c2dc8855df6cc06ffc029964353

