Também está abrangendo software que foi escrito para usar o tpm como provedor pkcs11 em ssh.
Eu gostaria de fazer o OpenSSH funcionar com o OpenSSL, além do openCryptoki (pkcs11), além de um TPM de software. Tanto quanto eu entendi, openCryptoki é capaz de token de software (para fins de teste). Eu gostaria de usar o software openCryptoki TPM que eu li que existe (alternativas parece ser: softhsm, heimdal, tpmd).
Eu instalei: gnutls-bin, opencryptoki, libengine-pkcs11-openssl, libp11-2, libp11-2dev.
Eu fiz o seguinte para começar o openCryptoki:
pkcs11_startup
Aqui está o arquivo pk_config_data :
TRUE|0|Linux 3.5.0-54-generic Linux (TPM)|Linux 3.5.0-54-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
TRUE|0|Linux 3.5.0-54-generic Linux (Soft)|Linux 3.5.0-54-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initialize
Não encontrei como usar o token de software openCryptoki.
Então eu tentei com o opensc:
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus">
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3073657032:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
Então eu tentei com softhsm:
softhsm --init-token --slot 0 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN: aaaa
The user PIN must have a length between 4 and 255 characters.
Enter user PIN: bbbb
The token has been initialized.
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libsofthsm.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libsofthsm.so
Loaded: (pkcs11) pkcs11 engine
SoftHSM: Could not open the config file: /etc/softhsm/softhsm.conf
unable to load module /usr/lib/libsofthsm.so
[ unavailable ]
Então eu tentei com um slot não usado:
pkcsconf -s
Slot #0 Info
Description: Linux 3.5.0-54-generic Linux (TPM)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
Hardware Version: 0.0
Firmware Version: 1.1
Slot #1 Info
Description: Linux 3.5.0-54-generic Linux (Soft)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 0.0
Firmware Version: 1.1
softhsm --init-token --slot 2 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
Error: The given slot does not exist.
Qualquer que seja a solução, falha, mas sou novo nisso. Alguma ajuda?
Também está abrangendo software que foi escrito para usar o tpm como provedor pkcs11 em ssh.