46 lines
1.6 KiB
Plaintext
46 lines
1.6 KiB
Plaintext
|
Testing PKCS11 support
|
||
|
----------------------
|
||
|
|
||
|
# Install SoftHSM and OpenSC
|
||
|
|
||
|
I got SoftHSM via MacPorts, and OpenSC from https://github.com/OpenSC/OpenSC#downloads
|
||
|
|
||
|
You need both; softhsm2-util cannot import certificates.
|
||
|
|
||
|
# Initialize SoftHSM
|
||
|
|
||
|
$ softhsm2-util --init-token --slot 0 --label "TestToken" --pin 1234 --so-pin 4567
|
||
|
The token has been initialized and is reassigned to slot 2006661923
|
||
|
|
||
|
# Create a new RSA key and certificate
|
||
|
|
||
|
$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -subj "/CN=MyCertTEST" -nodes
|
||
|
|
||
|
# Import the RSA key pair into the SoftHSM token
|
||
|
|
||
|
$ softhsm2-util --import key.pem --slot 2006661923 --label "testkey" --id 1212 --pin 1234
|
||
|
|
||
|
# Convert the certificate to DER and import it into SoftHSM token
|
||
|
|
||
|
$ openssl x509 -in cert.pem -out cert.der -outform DER
|
||
|
$ pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so -l --id 1212 --label "testcert" -y cert -w cert.der --pin 1234
|
||
|
|
||
|
# Export the RSA public key convert to PEM, and show in SSH format
|
||
|
# (I'm sure this could be done simpler from the original key.pem, but what the heck.)
|
||
|
|
||
|
pkcs11-tool --module /opt/local/lib/softhsm/libsofthsm2.so --slot 2006661923 --read-object --type pubkey --id 1212 -o key.der
|
||
|
openssl rsa -pubin -inform DER -in key.der -outform PEM -out key.pub.pem
|
||
|
ssh-keygen -f key.pub.pem -m pkcs8 -i
|
||
|
|
||
|
# Install that public key at Gerrit (or your git server of choice)
|
||
|
|
||
|
# Have an ~/.ssh/config with a host entry for your git server using the SoftHSM library as PKCS11 provider:
|
||
|
|
||
|
Host gitserver
|
||
|
Hostname git.eclipse.org
|
||
|
Port 29418
|
||
|
User ...
|
||
|
PKCS11Provider /opt/local/lib/softhsm/libsofthsm2.so
|
||
|
|
||
|
# Fetch from your git server! When asked for the PIN, enter 1234.
|