From e01793cd8778825e4ba8fe3e698fb6da827cbf37 Mon Sep 17 00:00:00 2001
From: Chris Newman
Date: Fri, 5 Mar 2021 23:43:50 +0000
Subject: [PATCH] tidy SafeNet instructions, test signing keys
---
 SETUP.md | 15 +++++++++++----
 pkg/pkcs11client/pkcs11client_test.go | 22 +++++++++++++++-------
 2 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/SETUP.md b/SETUP.md
index 88c40a1..f15470e 100644
--- a/SETUP.md
+++ b/SETUP.md
@@ -276,6 +276,10 @@ This is because the corresponding PKCS#11 "CKA_ID" object attribute can contain
 `openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%01" -in safenet-inter-02.ca.csr.pem -out safenet-inter-02.ca.cert.pem -cert safenet-root-01.ca.cert.pem -noemailDN`
+###### Convert to DER
+
+`openssl x509 -in ./safenet-inter-02.ca.cert.pem -outform DER -out safenet-inter-02.ca.cert.der`
+
 ###### Gen Root and Intermediate CA ECDSA Keys
@@ -307,20 +311,23 @@ This is because the corresponding PKCS#11 "CKA_ID" object attribute can contain
 `openssl ca -days 3650 -md sha512 -notext -extensions v3_intermediate_ca -engine pkcs11 -keyform engine -keyfile "pkcs11:id=%03" -in safenet-inter-04.ca.csr.pem -out safenet-inter-04.ca.cert.pem -cert safenet-root-03.ca.cert.pem -noemailDN`
+###### Convert to DER
+
+`openssl x509 -in ./safenet-inter-04.ca.cert.pem -outform DER -out safenet-inter-04.ca.cert.der`
 ##### Encryption
 ###### Create RSA key
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestKey0020 --id "0020"`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type rsa:2048 --label RSATestKey0020 --id 5`
 ###### Create EC key
-`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestKey0014 --id 30303134`
+`pkcs11-tool --module=/opt/apps/safenet/dpod/current/libs/64/libCryptoki2.so --login --login-type user --slot 3 --keypairgen --key-type EC:secp384r1 --label ECTestKey0014 --id 6`
 ###### Encryption test
-`openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=0007;type=public;" -in ./test.txt -out ./testsafe.enc`
+`openssl pkeyutl -encrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%05;type=public;" -in ./test.txt -out ./testsafe.enc`
 ###### Decryption test
-`openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=0007;type=private;" -in ./testsafe.enc -out ./testsafe.dec`
+`openssl pkeyutl -decrypt -engine pkcs11 -keyform engine -inkey "pkcs11:id=%05;type=private;" -in ./testsafe.enc -out ./testsafe.dec`
 ### Entrust nShield
diff --git a/pkg/pkcs11client/pkcs11client_test.go b/pkg/pkcs11client/pkcs11client_test.go
index 2d3344b..a1a75db 100644
--- a/pkg/pkcs11client/pkcs11client_test.go
+++ b/pkg/pkcs11client/pkcs11client_test.go
@@ -17,13 +17,21 @@ var pkcs11Client Pkcs11Client
 // test signing
 var caFiles = CASigningRequest{
- csrFile: "../../data/localhost512.csr.der",
- // caPubkeyFile: "../../data/softhsm-inter-0002.ca.pub.pem",
- caPubkeyFile: "../../data/safenet-inter-0016.ca.pub.pem",
- // caCertFile: "../../data/softhsm-inter-0002.ca.cert.der",
- caCertFile: "../../data/safenet-inter-0016.ca.cert.der",
+ csrFile: "../../data/localhost512.csr.der",
+ caPubkeyFile: "../../data/softhsm-inter-0002.ca.pub.pem", // softhsm inter CA pubkey
+ //caPubkeyFile: "../../data/safenet-inter-04.ca.pub.pem", // safenet inter CA pubkey
+ caCertFile: "../../data/softhsm-inter-0002.ca.cert.der", // softhsm inter CA cert
+ //caCertFile: "../../data/safenet-inter-04.ca.cert.der", // safenet inter CA cert
 }
+// test signing key
+const keyLabelForSigning = "RSATestCAInterKey0002" // softhsm test CA
+//const keyLabelForSigning= "ECTestCAInterKey04" // safenet test CA
+
+// test signing hash algo
+const keySigningAlgo = x509.SHA512WithRSA // softhsm RSA key
+//const keySigningAlgo = x509.ECDSAWithSHA512 // safenet EC key
+
 // test encryption
 var keyConfig = KeyConfig{Label: "RSATestKey0020", Type: pkcs11.CKK_RSA}
@@ -88,9 +96,9 @@ func TestCASigner(t *testing.T) {
 var caSigner HsmSigner
 caSigner.Serial = int64(rand.Uint64())
 caSigner.PublicKey = caPubKey
-caSigner.KeyConfig.Label = "RSATestCAInterKey0002"
+caSigner.KeyConfig.Label = keyLabelForSigning
 caSigner.Pkcs11Client = &pkcs11Client
-caSigner.SignatureAlgo = x509.SHA512WithRSA //ECDSAWithSHA512
+caSigner.SignatureAlgo = keySigningAlgo
 if signedCsr, err := GenSignedCert(csr, caCert, &caSigner); err != nil {
 t.Fatal(err)
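Review bot: `keyLabelForSigning`, `keySigningAlgo` and the `caPubkeyFile`/`caCertFile` entries in `caFiles` form one HSM profile (RSA label with `x509.SHA512WithRSA` and the softhsm CA files, EC label with `x509.ECDSAWithSHA512` and the safenet CA files), but the hunk declares them as independent constants with the alternate profile left in commented-out lines, so enabling only one of the `safenet` lines presumably yields a signer whose algorithm or CA certificate does not match the key and fails only when the test runs. Keeping the label and algorithm in a single `const (...)` block, with the alternate profile as a parallel commented block, makes the swap atomic and the pairing visible; the CA file pair in `caFiles` would benefit from the same treatment. The commented alternates `//const keyLabelForSigning= "ECTestCAInterKey04"` also lack the spacing the live line uses, so they would need `gofmt`-style cleanup on reactivation (`// const keyLabelForSigning = "ECTestCAInterKey04"`). The signing key is selected by `KeyConfig.Label` alone; CKA_LABEL is not guaranteed unique on a token, so if `Pkcs11Client` (not shown here) does not also match on CKA_ID or key type, a second object with the same label could be picked up silently — worth confirming and noting in a comment on `keyLabelForSigning`.
```go
// … unchanged: caFiles …

// Signing key and algorithm must agree with each other and with caFiles;
// keep them in one block so a profile is swapped as a whole, never one line.
const (
	keyLabelForSigning = "RSATestCAInterKey0002" // softhsm test CA (RSA)
	keySigningAlgo     = x509.SHA512WithRSA     // softhsm RSA key
	// keyLabelForSigning = "ECTestCAInterKey04" // safenet test CA (EC)
	// keySigningAlgo     = x509.ECDSAWithSHA512 // safenet EC key
)

// … unchanged: keyConfig …
```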