Webserver PKCS11 Examples (#149)

* adjust apache webserver example to new nethsm api * adjust nginx webserver example to new nethsm api * webserver example: generate private key on nethsm instead of externally & importing it
Nitrokey · Dec 8, 2023 · ed449b6 · ed449b6
1 parent d5ee946
commit ed449b6
Show file tree

Hide file tree

Showing 4 changed files with 98 additions and 28 deletions.
diff --git a/container/apache/generate.sh b/container/apache/generate.sh
@@ -1,20 +1,55 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
-openssl req -x509 -newkey rsa:2048 -keyout ./_privatekey.pem -out ./_certificate.pem -days 365 -nodes -subj "/C=US/ST=California/L=San Francisco/O=Your Company/OU=Your Department/CN=yourdomain.com"
-
 HOST='localhost:8443'
+ADMIN_ACCOUNT='admin'
+ADMIN_ACCOUNT_PWD='adminadmin'
+
+OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+
+
+CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
+
+#Use here-documents to temporarily store the OpenSSL configuration. After this command the temporary file will be available at /dev/fd/3.
+exec 3<<< "
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
 
-curl -k -u admin:Administrator -i -X DELETE \
-  https://$HOST/api/v1/keys/webserver
+[engine_section]
+pkcs11 = pkcs11_section
 
-curl -k -i -w '\n' -u admin:Administrator -X PUT \
-  'https://'$HOST'/api/v1/keys/webserver?mechanisms=RSA_Decryption_RAW,RSA_Decryption_PKCS1,RSA_Decryption_OAEP_MD5,RSA_Decryption_OAEP_SHA1,RSA_Decryption_OAEP_SHA224,RSA_Decryption_OAEP_SHA256,RSA_Decryption_OAEP_SHA384,RSA_Decryption_OAEP_SHA512,RSA_Signature_PKCS1,RSA_Signature_PSS_MD5,RSA_Signature_PSS_SHA1,RSA_Signature_PSS_SHA224,RSA_Signature_PSS_SHA256,RSA_Signature_PSS_SHA384,RSA_Signature_PSS_SHA512' \
-  -H 'Content-Type: application/x-pem-file' \
-  --data-binary '@_privatekey.pem'
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
+MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
+init = 0
+"
 
-curl -k -i -w '\n' -u admin:Administrator -X PUT \
-  'https://'$HOST'/api/v1/keys/webserver/cert' \
-  -H 'Content-Type: application/x-pem-file' \
+curl --include --insecure --user $CREDENTIALS --request DELETE \
+  "https://${HOST}/api/v1/keys/webserver"
+
+curl --include --insecure --user $CREDENTIALS --request POST \
+  "https://${HOST}/api/v1/keys/generate" \
+  --header 'Content-Type: application/json' \
+  --data '
+    {
+      "mechanisms": ["RSA_Decryption_RAW", "RSA_Decryption_PKCS1", "RSA_Decryption_OAEP_MD5", "RSA_Decryption_OAEP_SHA1", "RSA_Decryption_OAEP_SHA224", "RSA_Decryption_OAEP_SHA256", "RSA_Decryption_OAEP_SHA384", "RSA_Decryption_OAEP_SHA512", "RSA_Signature_PKCS1", "RSA_Signature_PSS_MD5", "RSA_Signature_PSS_SHA1", "RSA_Signature_PSS_SHA224", "RSA_Signature_PSS_SHA256", "RSA_Signature_PSS_SHA384", "RSA_Signature_PSS_SHA512"],
+      "type": "RSA",
+      "length": 2048,
+      "id": "webserver"
+    }  
+  '
+
+export OPENSSL_CONF="/dev/fd/3"
+
+openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+
+curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
+  "https://${HOST}/api/v1/keys/webserver/cert" \
+  -H 'Content-Type: application/octet-stream' \
   --data-binary '@_certificate.pem'
+
diff --git a/container/apache/p11nethsm.conf b/container/apache/p11nethsm.conf
@@ -5,7 +5,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      password: "opPassphrase"
+      password: "operatoroperator"
     instances:
-      - url: "https://192.168.178.177:8443/api/v1"
+      - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true
diff --git a/container/nginx/generate.sh b/container/nginx/generate.sh
@@ -1,20 +1,55 @@
-#!/bin/sh
+#!/bin/bash
 
 set -e
 
-openssl req -x509 -newkey rsa:2048 -keyout ./_privatekey.pem -out ./_certificate.pem -days 365 -nodes -subj "/C=US/ST=California/L=San Francisco/O=Your Company/OU=Your Department/CN=yourdomain.com"
-
 HOST='localhost:8443'
+ADMIN_ACCOUNT='admin'
+ADMIN_ACCOUNT_PWD='adminadmin'
+
+OPENSSL_PKCS11_ENGINE_PATH="/usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so"
+NETHSM_PKCS11_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so"
+
+
+CREDENTIALS="${ADMIN_ACCOUNT}:${ADMIN_ACCOUNT_PWD}"
+
+#Use here-documents to temporarily store the OpenSSL configuration. After this command the temporary file will be available at /dev/fd/3.
+exec 3<<< "
+openssl_conf = openssl_init
+
+[openssl_init]
+engines = engine_section
 
-curl -k -u admin:Administrator -i -X DELETE \
-  https://$HOST/api/v1/keys/webserver
+[engine_section]
+pkcs11 = pkcs11_section
 
-curl -k -i -w '\n' -u admin:Administrator -X PUT \
-  'https://'$HOST'/api/v1/keys/webserver?mechanisms=RSA_Decryption_RAW,RSA_Decryption_PKCS1,RSA_Decryption_OAEP_MD5,RSA_Decryption_OAEP_SHA1,RSA_Decryption_OAEP_SHA224,RSA_Decryption_OAEP_SHA256,RSA_Decryption_OAEP_SHA384,RSA_Decryption_OAEP_SHA512,RSA_Signature_PKCS1,RSA_Signature_PSS_MD5,RSA_Signature_PSS_SHA1,RSA_Signature_PSS_SHA224,RSA_Signature_PSS_SHA256,RSA_Signature_PSS_SHA384,RSA_Signature_PSS_SHA512' \
-  -H 'Content-Type: application/x-pem-file' \
-  --data-binary '@_privatekey.pem'
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = ${OPENSSL_PKCS11_ENGINE_PATH}
+MODULE_PATH = ${NETHSM_PKCS11_LIBRARY_PATH}
+init = 0
+"
 
-curl -k -i -w '\n' -u admin:Administrator -X PUT \
-  'https://'$HOST'/api/v1/keys/webserver/cert' \
-  -H 'Content-Type: application/x-pem-file' \
+curl --include --insecure --user $CREDENTIALS --request DELETE \
+  "https://${HOST}/api/v1/keys/webserver"
+
+curl --include --insecure --user $CREDENTIALS --request POST \
+  "https://${HOST}/api/v1/keys/generate" \
+  --header 'Content-Type: application/json' \
+  --data '
+    {
+      "mechanisms": ["RSA_Decryption_RAW", "RSA_Decryption_PKCS1", "RSA_Decryption_OAEP_MD5", "RSA_Decryption_OAEP_SHA1", "RSA_Decryption_OAEP_SHA224", "RSA_Decryption_OAEP_SHA256", "RSA_Decryption_OAEP_SHA384", "RSA_Decryption_OAEP_SHA512", "RSA_Signature_PKCS1", "RSA_Signature_PSS_MD5", "RSA_Signature_PSS_SHA1", "RSA_Signature_PSS_SHA224", "RSA_Signature_PSS_SHA256", "RSA_Signature_PSS_SHA384", "RSA_Signature_PSS_SHA512"],
+      "type": "RSA",
+      "length": 2048,
+      "id": "webserver"
+    }  
+  '
+
+export OPENSSL_CONF="/dev/fd/3"
+
+openssl req -new -x509 -out ./_certificate.pem -days 365 -subj "/CN=yourdomain.com" -engine pkcs11 -keyform engine -key "pkcs11:object=webserver;type=public"
+
+curl -k -i -w '\n' -u $CREDENTIALS -X PUT \
+  "https://${HOST}/api/v1/keys/webserver/cert" \
+  -H 'Content-Type: application/octet-stream' \
   --data-binary '@_certificate.pem'
+
diff --git a/container/nginx/p11nethsm.conf b/container/nginx/p11nethsm.conf
@@ -3,7 +3,7 @@ slots:
     description: Local HSM (docker)
     operator:
       username: "operator"
-      # password: "opPassphrase"
+      password: "operatoroperator"
     instances:
-      - url: "https://192.168.3.161:8443/api/v1"
+      - url: "https://localhost:8443/api/v1"
         danger_insecure_cert: true