The current implementation has been tested with the following:
- libp11 0.4.11 (2020-Oct-11)
- OpenSSL 1.1.1 (2018-Sep-11)
The HSE PKCS11 module is compiled for aarch64
, and depends on both libp11 and OpenSSL.
As such, libp11 and OpenSSL need to be cross-compiled for aarch64
, as well.
Take note that the paths provided in the following sections are provided simply as examples, and can be changed to fit your build environment.
Before you begin cross-compiling, make sure you have a cross-compiler installed, which fits
your desired target system's architecture. Furthermore, you should export a CROSS_COMPILE
environment variable, which will be auto-detected by the makefiles of the projects. Your
CROSS_COMPILE
env var should resemble the following:
export CROSS_COMPILE=<path/to/cross/compiler>/aarch64-linux-gnu-
Going forth, it will be assumed you have set your CROSS_COMPILE
env var.
First, you will need the source code, which you can download from the project's GitHub page:
https://github.com/OpenSC/libp11/releases
Next, you'll need to configure the build system for aarch64
cross-compilation:
./configure --host=aarch64-linux-gnu --prefix=$HOME/libp11-aarch64
--host
will (confusingly) specify the target architecture, while --prefix
will indicate a directory
separate from your host's file system in which to place the cross-compiled files. The path provided for
--prefix
is an example.
You can now build libp11:
make
sudo make install
You can find the compiled files under $HOME/libp11-aarch64
.
First, you will need the source code, which can be download from the project's website:
https://www.openssl.org/source/old/1.1.1/
Next, you'll need to configure the build system for aarch64
cross-compilation:
./Configure linux-aarch64 --prefix=$HOME/openssl-aarch64
As before, --prefix
will indicate a directory separate from your host's file system in which to place the
cross-compiled files. The path provided is an example.
You can now build OpenSSL:
make
sudo make install
You can find the compiled files under $HOME/openssl-aarch64
.
Assuming you have set your CROSS_COMPILE
env var, compilation is straight-forward. From the pkcs11-hse
repo, run:
make
and the pkcs11-hse.so
file will be compiled. This is the module that is the middle man in communication
between OpenSSL/libp11 and HSE.
A usage example is provided in the repo under examples/
. The sample application will link against
OpenSSL (libcrypto) and libp11 (libp11) to use functions provided by both. In short,
what the application does is:
- initialize libp11 with the pkcs11-hse.so module
- find the slot and token corresponding to HSE
- use openssl to generate an RSA key pair
- store the key pair in HSE
- enumerate the stored keys
- remove the key pair from HSE
Since the application must be linked against both libcrypto and libp11, the directories in which the cross-compiled OpenSSL and libp11 are stored must be specified:
make OPENSSL_DIR=$HOME/openssl-aarch64 LIBP11_DIR=$HOME/libp11-aarch64
Moreover, since the application is dynamically linked, both libcrypto and libp11 must
be present in the target's file system, (usually) under /usr/lib/
. In this case, you can
use the files under openssl-aarch64/lib/
and libp11-aarch64/lib/
, and copy
the libp11.so.*
and libcrypto.so.*
files to the target's /usr/lib/
directory.
Afterwards, you can run the example on the target system:
./pkcs-keyop <path>/pkcs11-hse.so
The application will output a message for each step described previously.
First, you will need the source code, which can be download from the project's GitHub page:
https://github.com/OpenSC/OpenSC/releases
This release has been tested with OpenSC-0.21.0. Make sure to install the pre-requisites beforehand:
sudo apt-get install pcscd libccid libpcsclite-dev libssl-dev libreadline-dev autoconf automake build-essential docbook-xsl xsltproc libtool pkg-config
Next, you'll need to configure the build system for aarch64
cross-compilation. You'll also need to
have cross-compiled OpenSSL beforehand, since OpenSC needs to link against it:
./bootstrap
./configure --host=aarch64-linux --prefix=$HOME/opensc-aarch64-test --enable-openssl \
CC= <path>/<to>/<cross>/<compiler>/aarch64-linux-gnu-gcc \
LDFLAGS=-g -Wl,-rpath,$HOME/openssl-aarch64/lib \
OPENSSL_LIBS=-lcrypto -L$HOME/openssl-aarch64/lib \
OPENSSL_CFLAGS=-I$HOME/openssl-aarch64/include
As before, --prefix
will indicate a directory separate from your host's file system in which to place the
cross-compiled files. The path provided is an example.
You can now build OpenSC:
make
sudo make install
You can find the compiled files under $HOME/opensc-aarch64
. You'll need to place opensc-aarch64/lib/libopensc.so.7.0.0
in the target's lib
directory (e.g. in /usr/lib
); opensc-aarch64/bin/pkcs11-tool
can be placed
anywhere on the target (e.g. /home/<user>
).
You can use pkcs11-tool
to load RSA keys (public/pair), EC keys (public) and AES keys. The --id
switch corresponds
to the key's number (00
), slot (06
) and catalog (01
), in hexadecimal, from the HSE Key Catalog. Some examples:
./pkcs11-tool --module ~/pkcs11-hse.so --write-object /<path>/rsa_keypair.der --type privkey --id 000601 --label "HSE-RSAPRIV-KEY"
./pkcs11-tool --module ~/pkcs11-hse.so --write-object /<path>/rsa_keypub.der --type pubkey --id 000501 --label "HSE-RSAPUB-KEY"
./pkcs11-tool --module ~/pkcs11-hse.so --write-object /<path>/ec_keypub.der --type pubkey --id 000401 --label "HSE-ECPUB-prime256v1-KEY"
./pkcs11-tool --module ~/pkcs11-hse.so --write-object /<path>/aes.key --type secrkey --key-type AES:256 --id 000101 --label "HSE-AES-256-KEY"
The tool will display a message if the key import operation is successful.