Nitrokey HSM EC setup
Following up from my previous writeup on creating an EC CA, let’s talk about key security.
Hardware security modules are physical devices that manage keys. Generally, the rule is that they let you use the keys for operations (e.g. signing) given correct authentication, but don’t let you extract the raw key material. This means that if you’re holding the HSM, you know that no one else is currently abusing your key (though they may have done so in the past).
Searching for reasonably-priced options, I found the Nitrokey HSM. Open source hardware, firmware, and software. Supports EC keys. Supports lots of keys. Supports Linux. Awesome.
Below are the steps to get the Nitrokey HSM to a working state where it can generate an EC key pair, and (self-)sign a cert with it. Hopefully many of these go away in the future, as support percolates into release versions and distribution packages.
Hardware & setup
These instructions were developed and tested on a Raspberry Pi. Base setup instructions are here. You’ll also need a Nitrokey HSM, obviously.
sudo apt-get install pcscd libpcsclite-dev libssl-dev libreadline-dev autoconf automake build-essential docbook-xsl xsltproc libtool pkg-config git
You’ll need a newer version of libccid than currently exists in Raspbian Jessie (1.4.22 > 1.4.18). You can download it for your platform here, or use the commands below for an RPi.
wget http://http.us.debian.org/debian/pool/main/c/ccid/libccid_1.4.22-1_armhf.deb sudo dpkg -i libccid_1.4.22-1_armhf.deb
engine_pkcs11 requires >= 0.3.1. Raspbian Jessie has 0.2.8. Debian sid has a package, but you need the dev package as well, so you might as well build it.
git clone https://github.com/OpenSC/libp11.git cd libp11 ./bootstrap ./configure make sudo make install cd ..
EC requires engine_pkcs11 >= 0.2.0. Raspbian Jessie has 0.1.8. Debian sid also has a package that I haven’t tested.
git clone https://github.com/OpenSC/engine_pkcs11.git cd engine_pkcs11 ./bootstrap ./configure make sudo make install cd ..
As of writing (2016/Mar/26), working support for the Nitrokey HSM requires a build of OpenSC that hasn’t made it into a package yet (0.16.0). They’ve also screwed up their repository branching, so master is behind the release branch and won’t work.
git clone — branch opensc-0.16.0 https://github.com/OpenSC/OpenSC.git cd OpenSC ./bootstrap ./configure make sudo make install cd ..
Initialize the device
If this tells you that it can’t find the device, you probably forgot to update libccid, and need to start over. You’ll need to set an SO PIN and PIN the first time. The SO PIN should be 16 characters, and the PIN 6. Both should be all digits. They can technically be hex, but some apps get confused if they see letters.
Generate a test EC key pair
/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so---login --keypairgen --key-type EC:prime256v1 --label test
Generate a self-signed cert
openssl OpenSSL> engine -t -pre SO_PATH:/usr/lib/arm-linux-gnueabihf/openssl-1.0.0/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so dynamic ... OpenSSL> req -engine pkcs11 -new -keyform engine -out cert.pem -text -x509 -days 3640 -key label_test -subj '/CN=test'
If you now have a cert.pem file, you’re golden. If you see “error in req”, you probably have a bad version of OpenSC.
Now, delete the file, re-initialize the device, and you’re good to go.
More instructions on various Nitrokey HSM operations can be found here.
Instructions for running a complete certificate authority (CA) with your Nitrokey are here.