nmav pushed to caml-crush (f22). "updated documentation"
notifications at fedoraproject.org
Thu Apr 2 08:12:47 UTC 2015
From 081c5e1b241c9c2dc8855df6cc06ffc029964353 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Wed, 1 Apr 2015 16:31:54 +0200
Subject: updated documentation
diff --git a/README.fedora b/README.fedora
index 3a2aa9e..be934b4 100644
--- a/README.fedora
+++ b/README.fedora
@@ -9,51 +9,53 @@ module or for applications which support PKCS #11 URLs, via the URL
To enable the pkcs11proxyd module with softhsm:
-
-# systemctl enable pkcs11proxyd-softhsm
-# systemctl start pkcs11proxyd-softhsm
+ # systemctl enable pkcs11proxyd-softhsm
+ # systemctl start pkcs11proxyd-softhsm
Now users who are members of the pkcs11proxy group will be able
to access the isolated softhsm.
-# gpasswd -a user pkcs11proxy
-# su user
+ # gpasswd -a user pkcs11proxy
+ # su user
-========================
-Initialize using p11tool
-========================
+============================
+Initialize using pkcs11-tool
+============================
-If you already have a key/certificate pair you can copy them to the HSM
-$ sudo cat /etc/pkcs11proxyd/pins.txt
-$ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
-$ p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+To write a private key and certificate (must be provided in DER format):
+ $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y privkey -w ./key-rsa.der -l --label server-key --usage-sign --usage-decrypt -d 000102030405
+ $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y cert -w ./cert-rsa.der -l --label server-cert -d 000102030405
+ $ openssl x509 -inform der -pubkey -in cert-rsa.der | openssl pkey -pubin -inform pem -outform der -out pub-rsa.der
+ $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y pubkey -w ./pub-rsa.der -l --label server-pubkey -d 000102030405
-Or you can generate the key inside the module:
-$ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
-$ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
-You can now list them. You should have 2 objects, the private key, and the certificate.
+To list all objects:
+ $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -l -O
-$ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
+To verify operation:
+ $ echo "test data" >data
+ $ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -d 000102030405 --sign -m SHA1-RSA-PKCS -o sig -i data -l --pin XXXX
+ $ openssl dgst -verify pub-rsa.der -keyform der -sha1 -signature sig data
+If everything is ok, the PKCS #11 module is ready for operation.
+Note that pkcs11-tool is part of the opensc package. It is recommended that
+the private key should be deleted or be made inaccessible to the softhsm users.
-============================
-Initialize using pkcs11-tool
-============================
+========================
+Initialize using p11tool
+========================
-To write a private key and certificate (must be provided in DER format):
-$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y privkey -w ./key-rsa.der -l --label server-key --usage-sign --usage-decrypt
-$ pkcs11-tool --module /usr/lib64/pkcs11/libp11clientsofthsm.so -y cert -w ./cert-rsa.der -l --label server-cert
+If you already have a key/certificate pair you can copy them to the HSM
+ $ sudo cat /etc/pkcs11proxyd/pins.txt
+ $ p11tool --write --load-privkey key.pem --label server-key "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+ $ p11tool --write --load-certificate cert.pem --label server-cert "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login
+Or you can generate the key inside the module:
+ $ p11tool --generate-rsa "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken" --login --outfile pubkey.pem --label server-key
+ $ certtool --generate-request --load-pubkey pubkey.pem --load-privkey "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" --outfile request.pem
-==============
-Test operation
-==============
+You can now list them. You should have 2 objects, the private key, and the certificate.
-To test the key pair operation:
-$ gnutls-serv --echo --x509keyfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-key;type=private" \
- --x509certfile "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken;object=server-cert;type=cert"
+ $ p11tool --login --list-all "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;token=System%20softtoken"
-$ gnutls-cli localhost -p 5556 --insecure
-If the connection succeeded you can use the HSM, using the URLs above
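Review bot: the new "To verify operation" step signs with `-m SHA1-RSA-PKCS` and checks it with `openssl dgst ... -sha1`; since readers will copy this for a server key, use `-m SHA256-RSA-PKCS` and `-sha256` so the documented example does not normalize SHA-1 signatures. Also, dropping the "Test operation" section (`gnutls-serv --echo --x509keyfile ...` / `gnutls-cli localhost -p 5556 --insecure`) removes the only end-to-end check for the p11tool path; the new verification step exists only under pkcs11-tool, so either keep the gnutls-based test or add an equivalent check after the p11tool `--list-all` step. Minor: the pkcs11-tool commands take `--pin XXXX` while only the p11tool section points at `/etc/pkcs11proxyd/pins.txt`; say where the PIN comes from in both sections, and the closing advice to delete or restrict the private key should name `key-rsa.der` (the copy left on disk) and the pkcs11proxy group rather than "softhsm users".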
diff --git a/caml-crush.spec b/caml-crush.spec
index a57f939..a5a757e 100644
--- a/caml-crush.spec
+++ b/caml-crush.spec
@@ -2,7 +2,7 @@
Name: caml-crush
Version: 1.0.4
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: PKCS#11 filtering proxy
# The pkcs11proxyd server is under CeCILL, while the rest of the libraries are
@@ -153,6 +153,9 @@ install -p -m 644 %{SOURCE9} %{buildroot}%{_sharedstatedir}/pkcs11proxyd/.config
%changelog
+* Wed Apr 1 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-5
+- Removed default upstream filters and added documentation
+
* Mon Mar 23 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> - 1.0.4-4
- do not include the RSA's headers and GPLv3 code to simplify licensing
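Review bot: the changelog entry for 1.0.4-5 says "Removed default upstream filters and added documentation", but this commit only touches README.fedora and the Release/changelog lines of the spec; no filter configuration change is visible in the diff. Either the filter removal belongs in this commit (and the spec's install lines for the filter config should appear in the hunk) or the changelog line should describe only the documentation update, otherwise the package history misstates what changed in this release.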
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/caml-crush.git/commit/?h=f22&id=081c5e1b241c9c2dc8855df6cc06ffc029964353