How do I use OpenSSL with openCryptoki and a software TPM?

3

I would like to get OpenSSH working with OpenSSL, plus openCryptoki (pkcs11), plus a software TPM. As far as I understand, openCryptoki supports a software token (for testing purposes). I would like to use the openCryptoki software TPM that I read exists (alternatives seem to be: softhsm, heimdal, tpmd).

I installed: gnutls-bin, opencryptoki, libengine-pkcs11-openssl, libp11-2, libp11-2dev.

I did the following to start openCryptoki:

pkcs11_startup

Here is the pk_config_data file:

TRUE|0|Linux 3.5.0-54-generic Linux (TPM)|Linux 3.5.0-54-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize 
TRUE|0|Linux 3.5.0-54-generic Linux (Soft)|Linux 3.5.0-54-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initialize 

I could not find how to use the openCryptoki software token.

So I tried with opensc:

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so 
(dynamic) Dynamic engine loading support 
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so 
[Success]: ID:pkcs11 
[Success]: LIST_ADD:1 
[Success]: LOAD 
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so 
Loaded: (pkcs11) pkcs11 engine 
     [ available ] 

OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set. 
Invalid slot number: 0 
PKCS11_get_private_key returned NULL 
cannot load Private Key from engine 
3073657032:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: 
unable to load Private Key 
error in req 

Then I tried with softhsm:

softhsm --init-token --slot 0 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters. 
Enter SO PIN: aaaa
The user PIN must have a length between 4 and 255 characters. 
Enter user PIN: bbbb
The token has been initialized. 

OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libsofthsm.so 
(dynamic) Dynamic engine loading support 
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so 
[Success]: ID:pkcs11 
[Success]: LIST_ADD:1 
[Success]: LOAD 
[Success]: MODULE_PATH:/usr/lib/libsofthsm.so 
Loaded: (pkcs11) pkcs11 engine 
SoftHSM: Could not open the config file: /etc/softhsm/softhsm.conf 
unable to load module /usr/lib/libsofthsm.so 
     [ unavailable ] 

Then I tried with an unused slot:

pkcsconf -s 
Slot #0 Info 
    Description: Linux 3.5.0-54-generic Linux (TPM) 
    Manufacturer: Linux 3.5.0-54-generic 
    Flags: 0x5 (TOKEN_PRESENT|HW_SLOT) 
    Hardware Version: 0.0 
    Firmware Version: 1.1 
Slot #1 Info 
    Description: Linux 3.5.0-54-generic Linux (Soft) 
    Manufacturer: Linux 3.5.0-54-generic 
    Flags: 0x1 (TOKEN_PRESENT) 
    Hardware Version: 0.0 
    Firmware Version: 1.1 

softhsm --init-token --slot 2 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters. 
Enter SO PIN: 
The user PIN must have a length between 4 and 255 characters. 
Enter user PIN: 
Error: The given slot does not exist. 

Whichever way I try, it fails, but I am new to this. Any help?

by lalebarde, 07.10.2014 / 00:22
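Added example, not part of lalebarde's post and not openCryptoki's own documentation: a shell script that picks the openCryptoki software-token slot out of `pkcsconf -s` output, initializes that token, generates an RSA key on it with OpenSC's pkcs11-tool, and then loads the pkcs11 engine in OpenSSL exactly as in the question but with openCryptoki's library as MODULE_PATH and the slot named explicitly in the key spec. Assumptions, marked in the code: the library path /usr/lib/opencryptoki/libopencryptoki.so, the engine path quoted on the page, the need for pkcsslotd to be running and the caller to be in the pkcs11 group (Debian/Ubuntu packaging convention), and the `slot_<n>-id_<hex>` key syntax of the libp11 0.2-era engine (newer libp11 prefers PKCS#11 URIs). Two caveats the question runs together: the (TPM) slot in pk_config_data is openCryptoki's TPM token, which needs a real TPM and the TrouSERS tcsd daemon, while the (Soft) token keeps its objects in files on disk, so it is a test stand-in and gives no hardware-rooted keys.

```shell
#!/bin/sh
# Added example (not from the original post): bring up the openCryptoki
# software token, put an RSA key on it, and use that key through OpenSSL's
# pkcs11 engine. Paths and the key-spec syntax are assumptions; adjust them
# to your distribution.
OCK_MODULE=${OCK_MODULE:-/usr/lib/opencryptoki/libopencryptoki.so}  # assumed path
ENGINE_SO=${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}          # path from the page
KEY_ID=45  # CKA_ID in hex, the same "45" as in id_45 on the page

# Constructed sample input: the `pkcsconf -s` output quoted in the question.
SAMPLE_SLOTS='Slot #0 Info
    Description: Linux 3.5.0-54-generic Linux (TPM)
    Manufacturer: Linux 3.5.0-54-generic
    Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
    Hardware Version: 0.0
    Firmware Version: 1.1
Slot #1 Info
    Description: Linux 3.5.0-54-generic Linux (Soft)
    Manufacturer: Linux 3.5.0-54-generic
    Flags: 0x1 (TOKEN_PRESENT)
    Hardware Version: 0.0
    Firmware Version: 1.1'

# soft_slot: read `pkcsconf -s` text on stdin and print the number of the
# first slot that has a token present but is not a hardware slot, which is
# how openCryptoki's software token (libpkcs11_sw.so) shows up.
soft_slot() {
    awk '
        /^Slot #[0-9]+ Info/ { n = $2; sub(/^#/, "", n) }
        /Flags:/ && /TOKEN_PRESENT/ && !/HW_SLOT/ { print n; exit }
    '
}

# engine_key_id: build the key spec the libp11 0.2-era pkcs11 engine parses,
# slot_<n>-id_<hex>. Naming the slot explicitly keeps the engine off slot 0
# (the TPM token). Assumption: newer libp11 versions prefer PKCS#11 URIs.
engine_key_id() {
    printf 'slot_%s-id_%s\n' "$1" "$2"
}

# setup_token: the interactive procedure. Needs pkcsslotd running and the
# caller in the pkcs11 group (Debian/Ubuntu convention, assumed here).
setup_token() {
    slot=$(pkcsconf -s | soft_slot)
    [ -n "$slot" ] || { echo "no software token slot found" >&2; return 1; }

    # Initialize the token (-I) and set the user PIN (-u). Both prompt; the
    # factory SO PIN documented by openCryptoki is 87654321, change it with -P.
    pkcsconf -c "$slot" -I
    pkcsconf -c "$slot" -u

    # Generate an RSA-2048 key pair on the token with CKA_ID 0x45.
    # --login prompts for the user PIN; passing --pin would expose it in ps.
    pkcs11-tool --module "$OCK_MODULE" --slot "$slot" --login \
        --keypairgen --key-type rsa:2048 --id "$KEY_ID" --label ock-soft-key
    pkcs11-tool --module "$OCK_MODULE" --slot "$slot" --list-objects

    # Load the engine as on the page, but with openCryptoki's library as
    # MODULE_PATH instead of opensc-pkcs11.so, then make a self-signed
    # certificate with the on-token key (the engine prompts for the PIN).
    key=$(engine_key_id "$slot" "$KEY_ID")
    openssl <<EOF
engine -t dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$OCK_MODULE
req -engine pkcs11 -keyform engine -key $key -new -x509 -subj "/CN=ock soft token test" -out req.pem -text
EOF
}

# Offline demo on the constructed sample; the real procedure runs only when
# invoked as `sh ock-soft-token.sh run` with the tools installed.
demo_slot=$(printf '%s\n' "$SAMPLE_SLOTS" | soft_slot)
echo "software token slot: $demo_slot, key spec: $(engine_key_id "$demo_slot" "$KEY_ID")"
if [ "${1:-}" = run ] && command -v pkcsconf >/dev/null 2>&1; then
    setup_token
fi
```

Run without arguments it only parses the sample and prints `slot_1-id_45`; with `run` it walks through the real token setup. For the SoftHSM route tried in the question, SoftHSM v1 reads its slots from /etc/softhsm/softhsm.conf as `slot:path` lines such as `0:/var/lib/softhsm/slot0.db`; a slot that is not listed there is what produces "The given slot does not exist", and a missing file is what produces the "Could not open the config file" error when the engine loads libsofthsm.so.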

1 answer

-1

link

It also covers software that was written to use the TPM as a pkcs11 provider in ssh.

by 10.01.2015 / 18:17