Notes HSM
Todo:
Hardware:
- Nitrokey HSM
Software:
- hsmwiz
- sc-hsm-tool
- Pkcs11Admin
Software to simulate an HSM
Tutorial:
See also:
- RSA / ECDSA / ECDH (no perfect forward secrecy)
hsmwiz
pkcs15-tool --dump
opensc-explorer
# If that fails, run:
hsmwiz explore
The DKEK must be set during initialization and before any other keys are generated. For a device initialized without a DKEK, keys can never be exported.
#set +o history
export HISTCONTROL=ignorespace
# With ignorespace, a command typed with a leading space is not saved to the shell history
 pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --login-type so --so-pin 3537363231383830 --change-pin --new-pin 0123456789012345
#set +o history
export HISTCONTROL=ignorespace
 sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --label "Nitrokey"
sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
Encrypting Files
The device only supports asymmetric mechanisms. To do file encryption, you will need to generate AES keys locally, which you can encrypt with your RSA public key (this is how the Nitrokey storage key works); or by using ECDH to generate a shared secret from a locally generated public key.
ECDH
Where possible, e.g. over networks, you should use ephemeral keys, to allow for perfect forward secrecy. Smartcard HSM’s ECDH is only useful when you need to repeatedly retrieve the same shared secret, e.g. encrypting files in a hybrid cryptosystem.
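The RSA variant of the hybrid scheme described above (local AES key, wrapped with the token's RSA public key), as an added example that is not part of the original notes. A software RSA key stands in for the HSM so the script runs without a token; the function names, file names and sample plaintext are constructed for illustration.

```shell
#!/bin/sh
# Added example: hybrid file encryption around the token's RSA key.
# A software RSA key stands in for the HSM key; all names are constructed.
set -eu

hybrid_encrypt() {  # $1 = RSA public key (PEM), $2 = file to encrypt
    # Random AES key material, generated locally in an owner-only file
    ( umask 077; openssl rand -hex 32 > "$2.key" )
    # Bulk encryption; the key is read from the file, never passed on argv.
    # Note: openssl enc gives confidentiality only, no integrity check.
    openssl enc -aes-256-cbc -pbkdf2 -in "$2" -out "$2.enc" -pass "file:$2.key"
    # Wrap the AES key with the public key (PKCS#1 v1.5 padding, the
    # padding that pkcs15-crypt --pkcs1 removes on the token side)
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2.key" -out "$2.key.enc"
    rm -f "$2.key"
}

hybrid_decrypt() {  # $1 = private key (stand-in), $2 = original name, $3 = output
    # With the real token, replace the next command by:
    #   pkcs15-crypt --decipher --key <key id> --input "$2.key.enc" \
    #       --pkcs1 --raw > "$2.key"
    ( umask 077; openssl pkeyutl -decrypt -inkey "$1" -in "$2.key.enc" -out "$2.key" )
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$2.enc" -out "$3" -pass "file:$2.key"
    rm -f "$2.key"
}

demo() {  # round trip on a constructed file; returns 0 when the output matches
    d=$(mktemp -d); rc=0
    openssl genrsa -out "$d/standin.pem" 2048 2>/dev/null
    openssl rsa -in "$d/standin.pem" -pubout -out "$d/publickey.pem" 2>/dev/null
    printf 'constructed sample plaintext\n' > "$d/plop.txt"
    hybrid_encrypt "$d/publickey.pem" "$d/plop.txt"
    hybrid_decrypt "$d/standin.pem" "$d/plop.txt" "$d/plop.out"
    cmp -s "$d/plop.txt" "$d/plop.out" || rc=1
    rm -rf "$d"
    return "$rc"
}

demo && echo "round trip OK"
```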
Notes
pkcs15-init
Please note, that the SmartCard-HSM is not compatible with the pkcs15-init command. In particular it does not support pkcs15-init to import a key from PKCS#12 files. Doing so will just create certificate objects and the private key metadata, but no key. Please use the Smart Card Shell to import keys and certificates from PKCS#12 files.
Source: https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
Seems to contradict:
Initialization / Reinitialization (Reset)
See DKEK: Device Key Encryption Key
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 1
# Or
sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219 --dkek-shares 2
Test
pkcs11-tool --test --login --pin 648219
#set +o history
export HISTCONTROL=ignorespace
 hsmwiz format --so-pin 3537363231383830
Or
pkcs11-tool --init-token --init-pin --so-pin=3537363231383830 --label="test" --pin=648219
Change PIN
Change PIN / Unblock card
#set +o history
export HISTCONTROL=ignorespace
 pkcs11-tool --login --login-type so --so-pin=3537363231383830 --init-pin --new-pin=648219
Generating a private key on the chip
#set +o history
export HISTCONTROL=ignorespace
 pkcs11-tool --pin=648219 --keypairgen --key-type rsa:4096 --label "Nom_Clef"
pkcs11-tool -l --keypairgen --key-type EC:secp521r1 --label root
Importing an existing private key
TODO
Exporting a public key
pkcs15-tool -D
pkcs15-tool --read-public-key 0988309300f4f26c1ff2279c09026490df89189e > publickey.pem
Encrypting with the public key
# Deprecated but works with ECC
#openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plop.txt -out plop.enc
# Doesn't work with ECC
openssl pkeyutl -inkey c_rsa.pub -pubin -encrypt -in plop.txt -out plop.enc
Problem
$ openssl pkeyutl -inkey c_ecc.pub -pubin -encrypt -in plop.txt -out plop.enc
pkeyutl: Error initializing context
C0E2525D567F0000:error:03000096:digital envelope routines:evp_pkey_asym_cipher_init:operation not supported for this keytype:../crypto/evp/asymcipher.c:189:
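pkeyutl -encrypt fails here because an EC key has no encryption operation; the ECDH route mentioned under Encrypting Files applies instead. Added example, not part of the original notes: a software EC key stands in for the token key, and the function names, file names and the SHA-256 step that turns the shared secret into AES key material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: file encryption for an EC key via ECDH with a per-file
# ephemeral key. A software key stands in for the token's EC key.
set -eu

ecdh_key() {  # $1 = own private key, $2 = peer public key, $3 = output key file
    # Raw ECDH shared secret, hashed with SHA-256 into AES key material
    # (the hashing step is an assumption of this example)
    ( umask 077
      openssl pkeyutl -derive -inkey "$1" -peerkey "$2" -out "$3.secret"
      openssl dgst -sha256 -r "$3.secret" | cut -d' ' -f1 > "$3" )
    rm -f "$3.secret"
}

ecdh_encrypt() {  # $1 = token public key (PEM), $2 = curve name, $3 = file
    # Fresh ephemeral key pair on the token key's curve, for this file only
    ( umask 077; openssl ecparam -genkey -name "$2" -noout -out "$3.eph.pem" )
    ecdh_key "$3.eph.pem" "$1" "$3.key"
    # openssl enc gives confidentiality only, no integrity check
    openssl enc -aes-256-cbc -pbkdf2 -in "$3" -out "$3.enc" -pass "file:$3.key"
    # Keep only the ephemeral PUBLIC key next to the ciphertext
    openssl pkey -in "$3.eph.pem" -pubout -out "$3.eph.pub"
    rm -f "$3.eph.pem" "$3.key"
}

ecdh_decrypt() {  # $1 = private key (stand-in), $2 = original name, $3 = output
    # With a real token the derive step runs on the card, which returns the
    # same shared secret every time for a given ephemeral public key.
    ecdh_key "$1" "$2.eph.pub" "$2.key"
    openssl enc -d -aes-256-cbc -pbkdf2 -in "$2.enc" -out "$3" -pass "file:$2.key"
    rm -f "$2.key"
}

demo_ecdh() {  # round trip on a constructed file; returns 0 when the output matches
    d=$(mktemp -d); rc=0
    openssl ecparam -genkey -name secp521r1 -noout -out "$d/standin.pem"
    openssl pkey -in "$d/standin.pem" -pubout -out "$d/c_ecc.pub"
    printf 'constructed sample plaintext\n' > "$d/plop.txt"
    ecdh_encrypt "$d/c_ecc.pub" secp521r1 "$d/plop.txt"
    ecdh_decrypt "$d/standin.pem" "$d/plop.txt" "$d/plop.out"
    cmp -s "$d/plop.txt" "$d/plop.out" || rc=1
    rm -rf "$d"
    return "$rc"
}

demo_ecdh && echo "round trip OK"
```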
Decrypting with the private key
pkcs15-tool -D
pkcs15-crypt --decipher --key f144aec7f488e2795069256c64fa27039c1a2ed2 --input plop.enc --pkcs1 --raw > plop.txt
Signing (RSA)
pkcs11-tool --sign --id f144aec7f488e2795069256c64fa27039c1a2ed2 --mechanism RSA-PKCS --input-file plop.txt --output-file plop.txt.sig
Verifying the signature (RSA)
pkcs11-tool --verify --input-file plop.txt --mechanism RSA-PKCS --signature-file plop.txt.sig
Using the private key to log in over SSH
See:
Backing up your private keys by exporting them encrypted
Only works if:
- you have all the necessary files created with the command sc-hsm-tool --create-dkek-share
- you have the associated passphrase
- at initialization you used the option --dkek-shares 1 when calling sc-hsm-tool --initialize
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 --pin 648219
n-of-m shared secrets
See also Crypto - Splitting your keys into several pieces using secret sharing
Generating a DKEK
sc-hsm-tool --create-dkek-share dkek-share-1.pbe --pwd-shares-threshold 3 --pwd-shares-total 5
Importing a DKEK
sc-hsm-tool --import-dkek-share dkek-share-1.pbe --pwd-shares-total 3
Deleting a private key
pkcs11-tool -l --delete-object --type privkey --id 0988309300f4f26c1ff2279c09026490df89189e
pkcs11-tool -l --delete-object --type privkey --label 'RSAplop'
Importing a certificate into the chip
hsmwiz putcrt cert.pem
Decrypting the private keys
Problem
Unable to select file HHHH: Incorrect parameters in APDU
$ opensc-explorer
OpenSC Explorer version 0.22.0
Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
OpenSC [3F00]> ls
FileID Type Size
Unable to select file 2F02: Incorrect parameters in APDU
Unable to select file CE01: Incorrect parameters in APDU
Unable to select file C401: Incorrect parameters in APDU
Unable to select file CE02: Incorrect parameters in APDU
Unable to select file C402: Incorrect parameters in APDU
Unable to select file CC00: Incorrect parameters in APDU
Unable to select file CC01: Incorrect parameters in APDU
Unable to select file CC02: Incorrect parameters in APDU
Solution
hsmwiz explore
sc-hsm-tool --create-dkek-share dkek-share-alice.pbe
sc-hsm-tool --create-dkek-share dkek-share-bob.pbe
openssl base64 -in dkek-share-alice.pbe
#set +o history
export HISTCONTROL=ignorespace
 sc-hsm-tool --initialize --so-pin 3537363231383830 --pin=648219 --dkek-shares 2
sc-hsm-tool --import-dkek-share dkek-share-alice.pbe
sc-hsm-tool --import-dkek-share dkek-share-bob.pbe
Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares : 2
DKEK key check value : 4A44853AAAF1253E
Generating a key pair
pkcs11-tool --pin=648219 --keypairgen --key-type rsa:2048
Listing the keys
pkcs15-tool -D
Exporting the generated private key (encrypted)
#set +o history
export HISTCONTROL=ignorespace
 sc-hsm-tool --wrap-key key-wrap.bin --key-reference 1 --pin=648219
Importing onto the backup card
sc-hsm-tool --import-dkek-share dkek-share-alice.pbe
sc-hsm-tool --import-dkek-share dkek-share-bob.pbe
#set +o history
export HISTCONTROL=ignorespace
 sc-hsm-tool --unwrap-key key-wrap.bin --key-reference 1 --pin=648219
PKI
pkcs11-tool -l --keypairgen --key-type EC:secp384r1 --label root
Getting information
sc-hsm-tool
pkcs15-tool -D
pkcs11-tool -O --id 0
pkcs11-tool -O --id 0988309300f4f26c1ff2279c09026490df89189e
Other
CA
https://docs.nitrokey.com/fr/hsm/mac/pkcs11-url.html
pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify
https://docs.nitrokey.com/pro/linux/certificate-authority.html
pkcs11-tool -l --login-type so --keypairgen --key-type EC:brainpoolP512r1 --label root # --id 03
pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key EC:brainpoolP512r1 --auth-id 3 --verify
$ pkcs11-tool -l --login-type so --keypairgen --key-type EC:brainpoolP512r1 --label root
Using slot 0 with a present token (0x0)
Logging in to "OpenPGP card (User PIN)".
Please enter SO PIN:
Key pair generated:
Private Key Object; EC
  label: root
  ID: b92f272e911188b4d3ca4f60ded406635148f5cc
  Usage: sign, derive
  Access: none
Public Key Object; EC EC_POINT 2044 bits
  EC_POINT: 048202002c67b8796615d8f7ade640464c12f398332fa304511baead446daf2c2666e4f6d11133caccbe3af21fad49a69d8a88f66bd5415020c51711dd0326535ab7d85ca084825cbbc6a10abae0084694e8e5b5c68a10da74bcf5d09ceb92915219a44429ae16012ee05517e44abe6abf45d071abc84f0ee4f28d1270b0c7672bb2892f9000000000000000410300000000000071924c5d05000000104021c9d455000031203831203034203243203637204238203739203636203135204438204637202e492e2e2e2e2e2e2c672e79662e2e2e0a4144204536203430203436203443203132204633203938203333203246204133203034203531203142204145204144202e2e40464c2e2e2e332f2e2e512e2e2e0a343420364420414620324320323620363620453420463620443120313120333320434120434320424520334120463220446d2e2c26662e2e2e2e332e2e2e3a2e0a3146204144203439204136203944203841203838204636203642204435203431203530203230204335203137203131202e2e492e2e2e2e2e6b2e4150202e2e2e0a4444203033203236203533203541204237204438203543204130203834203832203543204242204336204131203041202e2e26535a2e2e5c2e2e2e5c2e2e2e2e0a42412045302030382034362039342045382045352042352043362038412031302044412037342042432046
  EC_PARAMS: 06092b240303020801010d
  label: root
  ID: b92f272e911188b4d3ca4f60ded406635148f5cc
  Usage: verify, derive
  Access: none
pkcs11-tool --list-objects --type cert --slot 1
pkcs11-tool --list-objects --type cert --slot 0
Other
#set +o history
export HISTCONTROL=ignorespace
 pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --list-slots
Other
opensc-tool --atr
opensc-explorer --mf aid:E82B0601040181C31F0201
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key keyrsaplop --format pkcs12 --auth-id 3 --verify-pin
pkcs11-tool -l --write-object keyrsaplop --type privkey --key-type RSA:3072 --pin 648219 --so-pin 3537363231383830 --login-type so --label "SSH" --usage-sign encrypt, verify sign
openssl genrsa -out rsa2048 2048
Other
load("tools/explore.js");
load("tools/OutlineCore.js");
load("tools/CardOutlineFactory2.0.js");
Elliptic Curve private + public key pair for use with ES512 signatures:
openssl ecparam -genkey -name secp521r1 -noout -out ec512-key-pair.pem
openssl rsa -in key.pem -outform PEM -pubout -out public.pem
openssl ec -in ec512-key-pair.pem -outform PEM -pubout -out public.pem
$ openssl req -x509 -sha512 -days 365 -key ec512-key-pair.pem -in cert.csr -out certificate.pem
Warning: No -copy_extensions given; ignoring any extensions in the request
cat ec512-key-pair.pem certificate.pem > certificated-key.pem
openssl pkcs12 -export -out keyStore.p12 -inkey ec512-key-pair.pem -in certificate.pem
https://support.nitrokey.com/t/nitrokey-hsm-2-import-existing-private-and-public-keys-for-ecdsa/3072
hsmwiz putcrt keyStore.p12
