These examples demonstrate using wolfSSL's PKCS #11 feature for the following algorithms:
- ECC Key Gen, Sign/Verify and ECDHE (Shared Secret)
- RSA Key Gen and Sign/Verify
- AES GCM
This also includes a TLS server example using a PKCS 11 based key.
See PKCS11.md in this folder.
-
Change to source code directory of SoftHSM version 2
This tool can be found here: https://github.com/opendnssec/SoftHSMv2
./autogen.sh ./configure --disable-gost sudo make install
Note: May need to install pkg-config and libssl-dev
-
Change to wolfssl directory
./autogen.sh ./configure --enable-pkcs11 make sudo make install
-
Change to wolfssl-examples/pkcs11 directory
./mksofthsm2_conf.sh export SOFTHSM2_CONF=$PWD/softhsm2.conf
-
Running tests
softhsm2-util --init-token --slot 0 --label SoftToken
- Use PIN: cryptoki
- Use User PIN: cryptoki
Use the slot id from the output:
export SOFTHSM2_SLOTID=<slotid>
Run the examples:
./softhsm2.sh
-
Change to source code directory of openCryptoki
This tool can be found here: https://github.com/opencryptoki/opencryptoki
./bootstrap.sh ./configure make
Note: May need to install flex, bison and openldap-devel [or libldap2-dev]
-
Setup pkcs11 group and put current user into it
sudo groupadd pkcs11 sudo usermod -a -G pkcs11 $USER
-
Install library
sudo make install sudo ldconfig /usr/local/lib
-
Start the daemon
sudo /usr/local/sbin/pkcsslotd
Note: May need to logout and login to be able to use pkcsconf.
-
Setup token
echo "87654321 SoftToken" | pkcsconf -I -c 3
echo "87654321 cryptoki cryptoki" | pkcsconf -P -c 3
echo "cryptoki cryptoki cryptoki" | pkcsconf -u -c 3
-
Start daemon if not running already:
sudo /usr/local/sbin/pkcsslotd
-
Build and install wolfSSL
Change to wolfssl directory and run:
./autogen.sh ./configure --enable-pkcs11 make sudo make install
-
Running tests
Change to wolfssl-examples/pkcs11 directory:
./opencryptoki.sh
The example server-tls-pkcs11
is a server that uses a private key that has been stored on the PKCS #11 device.
The id of the private key is two hex bytes: 0x00, 0x01
Change this to be the id that you set when importing the key.
-
SoftHSM version 2
Import private key:
softhsm2-util --import ../certs/server-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0001 --label rsa2048
Enter PIN: cryptoki
-
Run server and client
./server-tls-pkcs11 /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki
From wolfssl root:
./examples/client/client
The example server-tls-pkcs11-ecc
is a server that uses a private key that has been stored on the PKCS #11 device.
The id of the private key is two hex bytes: 0x00, 0x01
Change this to be the id that you set when importing the key.
-
SoftHSM version 2
Import private key:
softhsm2-util --import ../certs/ecc-keyPkcs8.pem --slot $SOFTHSM2_SLOTID --id 0002 --label ecp256
Enter PIN: cryptoki
-
Run server and client
./server-tls-pkcs11-ecc /usr/local/lib/softhsm/libsofthsm2.so $SOFTHSM2_SLOTID SoftToken cryptoki
From wolfssl root:
./examples/client/client -A ./certs/ca-ecc-cert.pem
For questions please contact wolfSSL support by email at [email protected]