Expose SoftHSM library to the code running in host machine

I am generating keypairs in SoftHSMv2 using the node-webcrypto-p11 package that is installed locally on my computer. I want to set up a docker container for SoftHSM so that any developer can build the image and run the container using the docker file in the repo without having to go through the entire process of building SoftHSM.

I'm currently using this https://github.com/psmiraglia/docker-softhsm to build the image and run the container for SoftHSM. But I'm not sure how I can access the library inside the container from my code. Currently I'm using the code given below. Is there a method by which I can access the library in the container? NOTE: This is just to make life easier for other developers; it is not to be used for deployment.

import {
    Crypto
} from 'node-webcrypto-p11';
// Need to set the library path from container.
// The given below path is for host machine.
const crypto = new Crypto({
    library: "/usr/local/lib/softhsm/libsofthsm2.so",
    name: "SoftHSMv2",
    slot: 0,
    readWrite: true,
    pin: "0987654321",
});

As @david-maze said, SoftHSMv2 is just a library and it can be used only locally. In Ubuntu 20.04 it's available as a deb package in the standard repository.

NOTE: SoftHSMv2 is not for production usage at all; it can be used for development purposes, as such hardware is very expensive. It has the PKCS11 interface, and consequently the code for all HSMs which work with this interface should be the same.

By the way, you can use SoftHSMv2 remotely with pkcs11-proxy/daemon https://github.com/SUNET/pkcs11-proxy . It seems to be a quite abandoned but still working project. And again, it's not a production variant.

So how to use it in e.g. Ubuntu 20.04?

On the server:

  1. Install dependencies for building pkcs11-proxy:
$ apt-get install -y \
    ca-certificates \
    git-core \
    build-essential \
    cmake \
    libssl-dev \
    libseccomp-dev
  2. Clone the code:
$ git clone https://github.com/SUNET/pkcs11-proxy
  3. Build and make install:
$ cd pkcs11-proxy && \
  cmake . && \
  make && \
  make install
  4. Install SoftHSM2 with dependencies:
$ apt-get install -y \
    softhsm2 \
    opensc \
    gnutls-bin \
    libengine-pkcs11-openssl1.1
  5. Init slot/token in SoftHSM:
$ softhsm2-util --init-token --slot 0 --label "main" \
                                      --pin "123456" \
                                      --so-pin "78910"

Don't forget to choose better values.

  6. Now you can launch pkcs11-proxy:

$ export PKCS11_DAEMON_SOCKET="tcp://0.0.0.0:5657"
$ /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so

On the client:

  1. Again build pkcs11-proxy, or just copy the libpkcs11-proxy.so library from the previous steps:
$ apt-get install -y \
    ca-certificates \
    git-core \
    build-essential \
    cmake \
    libssl-dev \
    libseccomp-dev

$ git clone https://github.com/SUNET/pkcs11-proxy

$ cd pkcs11-proxy && \
cmake . && \
make && \
make install
  2. Now you can remotely use your SoftHSM over the network:
$ export PKCS11_PROXY_SOCKET="tcp://ip_or_domain_of_softhsm:5657"
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -L
Available slots:
Slot 0 (0x5b763d80): SoftHSM slot ID 0x5b763d80
  token label        : main
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.5
  firmware version   : 2.5
  serial num         : 27c11aa55b763d80
  pin min/max        : 4/255
Slot 1 (0x1): SoftHSM slot ID 0x1
  token state:   uninitialized
  3. You can also generate new keys, upload your own ones, etc. through pkcs11-tool and libpkcs11-proxy.so:
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -l --keypairgen --key-type rsa:2048 --id 100 --label mykey
Logging in to "main".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      mykey
  ID:         0100
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      mykey
  ID:         0100
  Usage:      encrypt, verify, wrap
  Access:     local
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -O -l
Using slot 0 with a present token (0x2561b147)
Logging in to "main".
Please enter User PIN: 
Private Key Object; RSA 
  label:      my_key
  ID:         0100
  Usage:      decrypt, sign, unwrap
  Access:     sensitive
Public Key Object; RSA 2048 bits
  label:      my_key
  ID:         0100
  Usage:      encrypt, verify, wrap
  Access:     none

Read the pkcs11-tool documentation for more info. TLS encryption is also supported but not stable, at least for me: https://github.com/SUNET/pkcs11-proxy/blob/master/USAGE#L56
