Testing with ECC Key (Linux)

  1. Generate the ECC key using p11tool2

›_ Console

# p11tool2 slot=2 LoginUser=123456 PubKeyAttr=CKA_LABEL="TestECDSAKey" PrvKeyAttr=CKA_LABEL="TestECDSAKey",CKA_DERIVE=CK_TRUE GenerateKeyPair=ECC

Once key generation is complete, add a CKA_ID to both the public and the private ECC key using the PKCS#11 CryptoServer Administration Tool. Also make sure that CKA_DERIVE=CK_TRUE is set on the private key in the command above.

  2. Verify that the keys were generated on the HSM using the following command. In the listing, the private key should show CKA_SENSITIVE = CK_TRUE and CKA_EXTRACTABLE = CK_FALSE.

›_ Console

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

Example

›_ Console

[root@Openssl-RHEL9 bin]# ./p11tool2 slot=1 LoginUser=ask ListObjects
Enter normal user PIN:

CKO_PUBLIC_KEY:

+ 1.1

CKA_KEY_TYPE	= CKK_ECDSA

CKA_UNIQUE_ID	= 87E13F2D-A49F-497C-B49C-CFEB9725EBEB

CKA_LABEL	= TestECDSAKey

CKA_ID	=

CKO_PRIVATE_KEY:

+ 2.1

CKA_KEY_TYPE	= CKK_ECDSA

CKA_UNIQUE_ID	= F1C1638F-41B3-4447-BF77-22E9EC04F2E5

CKA_SENSITIVE	= CK_TRUE

CKA_EXTRACTABLE	= CK_FALSE

CKA_LABEL	= TestECDSAKey

CKA_ID	=

  3. Generate a certificate request

›_ Console

# openssl req -engine pkcs11 -new -key "pkcs11:token=SSLCertNew;object=TestECDSAKey" -keyform engine -out TestECDSACSR.csr

Figure 15: Generate certificate request and Content of generated certificate request

Here SSLCertNew is the token label and TestECDSAKey is the key on the HSM. Provide the Crypto User PIN when prompted.

  4. Create a self-signed certificate based on the generated key

›_ Console

# openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=SSLCertNew;object=TestECDSAKey" -keyform engine -out TestECDSA.cert

Here SSLCertNew is the token label and TestECDSAKey is the key on the HSM. Provide the Crypto User PIN when prompted.


Figure 16: Content of self-signed certificate

  5. Create a sample text file (message.txt) and write some content into it

›_ Console

# touch message.txt

Figure 17: Content of message file

  6. Sign the message file

›_ Console

# openssl cms -engine pkcs11 -sign -in message.txt -signer TestECDSA.cert -inkey "pkcs11:token=SSLCertNew;object=TestECDSAKey" -keyform engine -out signedECDSAmessage.txt

Here SSLCertNew is the token label and TestECDSAKey is the key on the HSM. Provide the Crypto User PIN when prompted.


Figure 18: Content of signed message file

  7. Verify the signed message file

›_ Console

# openssl cms -engine pkcs11 -verify -in signedECDSAmessage.txt -CAfile TestECDSA.cert -out originalmessage.txt TestECDSA.cert

  8. Open originalmessage.txt and verify that its content is the same as the original message.


Figure 19: Content of original message file