tidy SafeNet instructions, test signing keys

mode51software · Mar 5, 2021 · e01793c · e01793c
1 parent 2a39ada
commit e01793c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 11 deletions.
diff --git a/SETUP.md b/SETUP.md
@@ -276,6 +276,10 @@ This is because the corresponding PKCS#11 "CKA_ID" object attribute can contain
 
 `openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%01" -in safenet-inter-02.ca.csr.pem -out safenet-inter-02.ca.cert.pem -cert safenet-root-01.ca.cert.pem -noemailDN`
 
+###### Convert to DER
+
+`openssl x509 -in ./safenet-inter-02.ca.cert.pem -outform DER -out safenet-inter-02.ca.cert.der`
+
 
 ###### Gen Root and Intermediate CA ECDSA Keys
 
@@ -307,20 +311,23 @@ This is because the corresponding PKCS#11 "CKA_ID" object attribute can contain
 
 `openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%03" -in safenet-inter-04.ca.csr.pem -out safenet-inter-04.ca.cert.pem -cert safenet-root-03.ca.cert.pem -noemailDN`
 
+###### Convert to DER
+
+`openssl x509 -in ./safenet-inter-04.ca.cert.pem -outform DER -out safenet-inter-04.ca.cert.der`
 
 ##### Encryption
 
 ###### Create RSA key
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestKey0020 --id "0020"`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestKey0020 --id 5`
 
 ###### Create EC key
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestKey0014 --id 30303134`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestKey0014 --id 6`
 
 ###### Encryption test
-`openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=0007;type=public;" -in ./test.txt -out ./testsafe.enc`
+`openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%05;type=public;" -in ./test.txt -out ./testsafe.enc`
 
 ###### Decryption test
-`openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=0007;type=private;" -in ./testsafe.enc -out ./testsafe.dec`
+`openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%05;type=private;" -in ./testsafe.enc -out ./testsafe.dec`
 
 
 ### Entrust nShield

diff --git a/pkg/pkcs11client/pkcs11client_test.go b/pkg/pkcs11client/pkcs11client_test.go
@@ -17,13 +17,21 @@ var pkcs11Client Pkcs11Client
 
 // test signing
 var caFiles = CASigningRequest{
-	csrFile: "../../data/localhost512.csr.der",
-	//	caPubkeyFile: "../../data/softhsm-inter-0002.ca.pub.pem",
-	caPubkeyFile: "../../data/safenet-inter-0016.ca.pub.pem",
-	//	caCertFile:   "../../data/softhsm-inter-0002.ca.cert.der",
-	caCertFile: "../../data/safenet-inter-0016.ca.cert.der",
+	csrFile:      "../../data/localhost512.csr.der",
+	caPubkeyFile: "../../data/softhsm-inter-0002.ca.pub.pem", // softhsm inter CA pubkey
+	//caPubkeyFile: "../../data/safenet-inter-04.ca.pub.pem",	// safenet inter CA pubkey
+	caCertFile: "../../data/softhsm-inter-0002.ca.cert.der", // softhsm inter CA cert
+	//caCertFile: "../../data/safenet-inter-04.ca.cert.der",	// safenet inter CA cert
 }
 
+// test signing key
+const keyLabelForSigning = "RSATestCAInterKey0002" // softhsm test CA
+//const keyLabelForSigning= "ECTestCAInterKey04"	// safenet test CA
+
+// test signing hash algo
+const keySigningAlgo = x509.SHA512WithRSA // softhsm RSA key
+//const keySigningAlgo = x509.ECDSAWithSHA512		// safenet EC key
+
 // test encryption
 var keyConfig = KeyConfig{Label: "RSATestKey0020", Type: pkcs11.CKK_RSA}
 
@@ -88,9 +96,9 @@ func TestCASigner(t *testing.T) {
 				var caSigner HsmSigner
 				caSigner.Serial = int64(rand.Uint64())
 				caSigner.PublicKey = caPubKey
-				caSigner.KeyConfig.Label = "RSATestCAInterKey0002"
+				caSigner.KeyConfig.Label = keyLabelForSigning
 				caSigner.Pkcs11Client = &pkcs11Client
-				caSigner.SignatureAlgo = x509.SHA512WithRSA //ECDSAWithSHA512
+				caSigner.SignatureAlgo = keySigningAlgo
 
 				if signedCsr, err := GenSignedCert(csr, caCert, &caSigner); err != nil {
 					t.Fatal(err)