SoftHSM Simple Starting Commands
Install SoftHSM from the website.
Make sure that the right configuration location is set; mine was /etc/softhsm
...
softhsm2-util --init-token --slot 0 --label "My token 1"
This will initialise a partition for you.
Next you will want to interact with the HSM, which you do through the PKCS#11 interface.
One way to do this is to install the module:
apt-get install opensc
Once you have that installed, you can issue the following command:
pkcs11-tool --help
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -L
This, for instance, will list the slots, including the one for the partition that you created.
Generating a key on the partition:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -l --keypairgen --key-type rsa:2048 --usage-decrypt --usage-sign --label matthewskeys
Deleting a key on the partition:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -b --type pubkey --label matthewskeys
Create some data:
echo "data to sign (max 100 bytes)" > data
Sign the data within the HSM itself (the --label must match the label of the key you generated):
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -s --label matthew -m SHA1-RSA-PKCS -l -i data -o data.sig
pkcs11-tool cannot verify a signature; this has to be done with openssl. The same is true of encryption: it has to be done with openssl, and the result can then be decrypted with pkcs11-tool.
When you’re exporting the public key like so:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -r --label matthew --type pubkey > id_rsa.der
Remember that it is in DER format, so you’re going to have to convert it to a PEM .pub file:
openssl rsa -inform DER -outform PEM -in id_rsa.der -pubin > id_rsa.pub
Now in order to verify the signature that you created earlier, you can run this command:
openssl dgst -keyform PEM -verify id_rsa.pub -sha1 -signature data.sig data
This command should result in a message similar to ‘Verification: OK’. To make sure that the result is meaningful, go back to the data file and add additional data so that it has been “tampered” with; re-running the command above should then give ‘Verification: Failed’.
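The sign, export and verify steps above as shell functions, with the tamper check made explicit. This is an added example, not part of the original post: the function names and the optional digest argument are made up here, while the module path, label and SHA1-RSA-PKCS mechanism are the ones used on this page.

```shell
#!/bin/sh
# Added example: sign in the token, verify outside it, and prove that
# tampering is detected. Function names are made up for this example.
MODULE=${MODULE:-/usr/local/lib/softhsm/libsofthsm2.so}

# hsm_sign <data> <label> <sig>: sign inside the token (-l prompts for the PIN).
hsm_sign() {
    pkcs11-tool --module "$MODULE" -l -s --label "$2" -m SHA1-RSA-PKCS \
        -i "$1" -o "$3"
}

# hsm_export_pub <label> <out.der>: read the public key object as DER.
hsm_export_pub() {
    pkcs11-tool --module "$MODULE" -r --type pubkey --label "$1" > "$2"
}

# verify_sig <pub.der> <data> <sig> [digest]
# Returns 0 only if openssl accepts the signature, 2 if the key is unreadable.
# digest defaults to sha1 to match SHA1-RSA-PKCS.
verify_sig() {
    pem=$(mktemp) || return 2
    if ! openssl rsa -pubin -inform DER -outform PEM -in "$1" -out "$pem" 2>/dev/null; then
        rm -f "$pem"; return 2
    fi
    rc=0
    openssl dgst "-${4:-sha1}" -verify "$pem" -signature "$3" "$2" >/dev/null 2>&1 || rc=$?
    rm -f "$pem"
    [ "$rc" -eq 0 ]
}

# tamper_check <pub.der> <data> <sig> [digest]
# Returns 0 only if the original verifies AND a modified copy is rejected.
tamper_check() {
    verify_sig "$1" "$2" "$3" "$4" || return 1
    bad=$(mktemp) || return 2
    { cat "$2"; echo "appended by tamper_check"; } > "$bad"
    if verify_sig "$1" "$bad" "$3" "$4"; then res=1; else res=0; fi
    rm -f "$bad"
    return "$res"
}

# Usage against the token:
#   hsm_sign data matthew data.sig && hsm_export_pub matthew id_rsa.der
#   tamper_check id_rsa.der data data.sig && echo "signature binds the data"
```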
Now let’s create some data so that we can encrypt it with the public key that we have taken off of the HSM, and we will decrypt it with the private key that is stored on the HSM.
echo "This is some data that I would like to be able to decrypt with the private key that is stored on the SoftHSM" > dataToEncrypt
openssl rsautl -encrypt -inkey id_rsa.pub -in dataToEncrypt -pubin -out data.crypt
This will then encrypt the data using the RSA-PKCS mechanism.
Then we want to be able to decrypt this data. So we will do this with the following command against the SoftHSM:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so --label matthew --decrypt -m RSA-PKCS -i data.crypt
This should then output the following:
This is some data that I would like to be able to decrypt with the private key that is stored on the SoftHSM
Next, import a private key into the HSM so that you can keep the public key on your person. This means that any decryption operation will have to go through the HSM.
openssl genrsa -out privkey.pem 2048
openssl rsa -in privkey.pem -outform PEM -pubout -out publickey.pem
openssl pkcs8 -topk8 -inform PEM -outform DER -in privkey.pem -out privkey.der -nocrypt
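pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so -w privkey.der --type privkey --label importedkey --id 1111 -l
To decrypt with the imported key, data.crypt must first have been encrypted with publickey.pem rather than id_rsa.pub:
pkcs11-tool --module /usr/local/lib/softhsm/libsofthsm2.so --id 1111 --decrypt -m RSA-PKCS -i data.crypt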