
HSM support testing with a Nitrokey HSM

Open TheEnbyperor opened this issue 3 years ago • 1 comments

Config file; the weird lib_path is due to NixOS shenanigans

admin_token = "abc"
data_dir = "/home/q/Documents/krill/tmp/data"
service_uri = "https://localhost:3000/"
log_level = "trace"
log_type = "stderr"

[[signers]]
name = "nitrokey"
type = "PKCS#11"
lib_path = "/nix/store/pvwicpg7hyi15awb105g41z02qq2g6hf-opensc-0.22.0/lib/opensc-pkcs11.so"
slot = 0
user_pin = "<snip>"
login = true

Krill startup:

2021-12-12 16:46:55 [INFO] [krill::commons::crypto::signing::dispatch::krillsigner] Configuring signer 'nitrokey' (type: PKCS#11, default: true, one_off: false)
2021-12-12 16:46:55 [INFO] [krill::commons::crypto::signing::dispatch::krillsigner] Configuring signer 'OpenSSL one-off signer' (type: OpenSSL, default: false, one_off: true)

Adding CA:

krillc add --ca test_ca
2021-12-12 16:46:57 [TRACE] [krill::commons::crypto::signing::signers::pkcs11::context] Loading PKCS#11 library '"/nix/store/pvwicpg7hyi15awb105g41z02qq2g6hf-opensc-0.22.0/lib/opensc-pkcs11.so"'
2021-12-12 16:46:57 [TRACE] [krill::commons::crypto::signing::signers::pkcs11::context] Loaded PKCS#11 library '"/nix/store/pvwicpg7hyi15awb105g41z02qq2g6hf-opensc-0.22.0/lib/opensc-pkcs11.so"
2021-12-12 16:47:01 [INFO] [krill::commons::crypto::signing::signers::pkcs11::signer] Using PKCS#11 token 'test (UserPIN) (model: PKCS#15 emulated, vendor: www.CardContact.de)' in slot 0 of server 'OpenSC Project (Cryptoki v0.22)' via library '/nix/store/pvwicpg7hyi15awb105g41z02qq2g6hf-opensc-0.22.0/lib/opensc-pkcs11.so'
2021-12-12 16:47:17 [DEBUG] [krill::commons::crypto::signing::dispatch::signerrouter] Signer 'nitrokey' is ready and new, binding
2021-12-12 16:47:17 [DEBUG] [krill::commons::crypto::signing::dispatch::signerrouter] Signer 'nitrokey' bound to signer handle 'af404500-8d1e-4d03-8b2d-91e2f4669edd'
2021-12-12 16:47:17 [INFO] [krill::commons::crypto::signing::dispatch::signerrouter] Signer 'nitrokey' is ready for use
2021-12-12 16:47:25 [DEBUG] [krill::commons::eventsourcing::store] Processing command id 'af404500-8d1e-4d03-8b2d-91e2f4669edd' version 'any' details 'Add key with key id '416CEA71C596FB07E2E36A46804294E64402EB88' and internal key id 'dd0596e76f20eb44186bee61c517ee6c4c5f6231''

Registering with publisher:

krillc repo request --ca test_ca > req.xml
krillc pubserver publishers add --request req.xml > res.xml
krillc repo configure --ca test_ca --response res.xml

Registering with testbed:

krillc parents request --ca test_ca > req2.xml
krillc parents add --ca test_ca --response res2.xml --parent testbed

Keys in HSM afterwards:

pkcs11-tool -l -O
Using slot 0 with a present token (0x0)
Logging in to "test (UserPIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Krill
  ID:         7fbf38626b374d328934d6c2f742fc5cacd6962a
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         7fbf38626b374d328934d6c2f742fc5cacd6962a
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      Krill
  ID:         dd0596e76f20eb44186bee61c517ee6c4c5f6231
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         dd0596e76f20eb44186bee61c517ee6c4c5f6231
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      Krill
  ID:         b7ce8c28de436fa21fb94aba209941e5f80147d0
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         b7ce8c28de436fa21fb94aba209941e5f80147d0
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      Krill
  ID:         0ea138c474c0d96b68187c6e50ca5c7dd62860a8
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         0ea138c474c0d96b68187c6e50ca5c7dd62860a8
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      Krill
  ID:         8a855c060081658c050452006553a617550736ed
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         8a855c060081658c050452006553a617550736ed
  Usage:      encrypt, verify, wrap
  Access:     none
Profile object 11308976
  profile_id:          '4'

OpenSSL dir contains only one key:

> ls data/keys/
CFFE44E89F76B072B147B6669DF4B9290B8FFC8D

Happy to report that Krill appears to work totally fine with a Nitrokey!

TheEnbyperor avatar Dec 12 '21 17:12 TheEnbyperor
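The listing above is what is worth verifying after a test like this: every Krill private key on the token should carry the sensitive and never-extractable flags, and the internal key id Krill logged on its 'Add key' command should actually exist on the token. The following is an added example, not code from the issue or from Krill, that parses `pkcs11-tool -l -O` output and performs both checks; the sample output is constructed from IDs shown in this issue plus one invented, deliberately extractable key.

```python
import re

# Constructed sample of `pkcs11-tool -l -O` output: the first two IDs appear in
# the issue; the third is an invented key missing "never extractable".
SAMPLE_OUTPUT = """\
Private Key Object; RSA
  label:      Krill
  ID:         7fbf38626b374d328934d6c2f742fc5cacd6962a
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      Krill
  ID:         7fbf38626b374d328934d6c2f742fc5cacd6962a
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  label:      Krill
  ID:         dd0596e76f20eb44186bee61c517ee6c4c5f6231
  Usage:      sign
  Access:     sensitive, always sensitive, never extractable, local
Private Key Object; RSA
  label:      Krill
  ID:         0000000000000000000000000000000000000000
  Usage:      sign
  Access:     extractable, local
"""

# Flags every CA private key on the token must carry.
REQUIRED_ACCESS = {"sensitive", "never extractable"}

def parse_objects(text):
    """Turn pkcs11-tool -O output into one dict per object (class + attributes)."""
    objects = []
    for line in text.splitlines():
        m = re.match(r"^(Private Key|Public Key|Certificate|Data|Profile) [Oo]bject", line)
        if m:
            objects.append({"class": m.group(1)})
        elif line.startswith("  ") and ":" in line and objects:
            key, _, value = line.strip().partition(":")
            objects[-1][key.strip()] = value.strip()
    return objects

def check_private_keys(text, expected_ids=()):
    """Return (bad_ids, missing_ids): keys lacking REQUIRED_ACCESS, expected IDs absent."""
    private = {o["ID"]: o for o in parse_objects(text) if o["class"] == "Private Key"}
    bad = sorted(kid for kid, o in private.items()
                 if not REQUIRED_ACCESS <= {f.strip() for f in o.get("Access", "").split(",")})
    missing = sorted(k for k in expected_ids if k not in private)
    return bad, missing
```

To run it against a real token, replace SAMPLE_OUTPUT with the captured output of `pkcs11-tool -l -O` and pass the key ids taken from Krill's 'Add key' log lines as expected_ids.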

@TheEnbyperor,

Thank you very much for this feedback!

Ximon

ximon18 avatar Dec 12 '21 17:12 ximon18

HSM support was delivered with the Krill v0.10.0 release.

ximon18 avatar Sep 06 '22 08:09 ximon18