Testing with ECDSA Key

  1. Generate the ECDSA key using p11tool2

›_ Console

# p11tool2 slot=2 LoginUser=123456 PubKeyAttr=CKA_LABEL="TestECDSAKey" PrvKeyAttr=CKA_LABEL="TestECDSAKey",CKA_DERIVE=CK_TRUE GenerateKeyPair=ECC

Once key generation is complete, add a CKA_ID to both the public and the private ECDSA key using the PKCS#11 CryptoServer Administration Tool. Also make sure that CKA_DERIVE=CK_TRUE is set in the command above; the private key needs it for the decryption step later on.

  1. Verify that the keys were generated on the HSM using the following command

›_ Console

# p11tool2 slot=<Slot_No.> LoginUser=<CryptoUser_PIN> ListObjects

Example

›_ Console

# p11tool2 slot=2 LoginUser=123456 ListObjects

CKO_PUBLIC_KEY:

+ 1.1
CKA_KEY_TYPE	= CKK_ECDSA
CKA_LABEL	= TestECDSAKey
CKA_ID	= 0x56 (V)

CKO_PRIVATE_KEY:

+ 2.1
CKA_KEY_TYPE	= CKK_ECDSA
CKA_SENSITIVE	= CK_TRUE
CKA_EXTRACTABLE	= CK_FALSE
CKA_LABEL	= TestECDSAKey
CKA_ID	= 0x56 (V)

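
A quick offline check of the ListObjects output before moving on, as an added Python example that is not part of this procedure or of p11tool2: it parses the listing format shown above (a constructed copy of it is embedded) and confirms that a key pair with the given label exists, carries the same CKA_ID on both halves, and that the private key is sensitive and non-extractable.

```python
# Constructed sample that mirrors the ListObjects output shown above.
SAMPLE = """CKO_PUBLIC_KEY:

+ 1.1
CKA_KEY_TYPE\t= CKK_ECDSA
CKA_LABEL\t= TestECDSAKey
CKA_ID\t= 0x56 (V)

CKO_PRIVATE_KEY:

+ 2.1
CKA_KEY_TYPE\t= CKK_ECDSA
CKA_SENSITIVE\t= CK_TRUE
CKA_EXTRACTABLE\t= CK_FALSE
CKA_LABEL = TestECDSAKey
CKA_ID = 0x56 (V)
"""

def parse_objects(text):
    """Return a list of (object_class, {attr: value}) from ListObjects output."""
    objects, current_class, attrs = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("CKO_") and line.endswith(":"):  # section header
            current_class = line[:-1]
        elif line.startswith("+ "):  # object handle such as '+ 1.1'
            attrs = {}
            objects.append((current_class, attrs))
        elif attrs is not None and "=" in line:  # 'CKA_NAME = VALUE' (tab or space)
            name, value = (s.strip() for s in line.split("=", 1))
            attrs[name] = value
    return objects

def check_keypair(text, label):
    """Return a list of problems; an empty list means the pair is usable."""
    objs = {cls: a for cls, a in parse_objects(text) if a.get("CKA_LABEL") == label}
    pub, prv = objs.get("CKO_PUBLIC_KEY"), objs.get("CKO_PRIVATE_KEY")
    if pub is None or prv is None:
        return [f"public and private key with CKA_LABEL={label} not both present"]
    problems = []
    for kind, a in (("public", pub), ("private", prv)):
        if a.get("CKA_KEY_TYPE") != "CKK_ECDSA":
            problems.append(f"{kind} key is not CKK_ECDSA")
    if not pub.get("CKA_ID") or pub.get("CKA_ID") != prv.get("CKA_ID"):  # pairs share one ID
        problems.append("CKA_ID missing or differs between public and private key")
    if prv.get("CKA_SENSITIVE") != "CK_TRUE" or prv.get("CKA_EXTRACTABLE") != "CK_FALSE":
        problems.append("private key is not sensitive and non-extractable")
    return problems
```

Feed the real listing in place of SAMPLE (for example via `sys.stdin.read()`) to check the HSM's actual objects.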
  1. Generate a certificate request

›_ Console

# openssl req -engine pkcs11 -new -key "pkcs11:token=OpensslSlot;object=TestECDSAKey" -keyform engine -out TestECDSACSR.csr

Figure 15: Certificate request command output and the content of the certificate request file

Here, OpensslSlot is the token label and TestECDSAKey is the key on the HSM. Provide the CryptoUser PIN when prompted.

  1. Create a self-signed certificate based on the generated key

›_ Console

# openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=OpensslSlot;object=TestECDSAKey" -keyform engine -out TestECDSA.cert

Here, OpensslSlot is the token label and TestECDSAKey is the key on the HSM. Provide the CryptoUser PIN when prompted.


Figure 16: Self-signed certificate generation output and the content of the certificate file

  1. Create a sample text file and write some content into it

›_ Console

# touch message.txt

Figure 17: Content of message file

  1. Sign the message file

›_ Console

# openssl cms -engine pkcs11 -sign -in message.txt -signer TestECDSA.cert -inkey "pkcs11:token=OpensslSlot;object=TestECDSAKey" -keyform engine -out signedECDSAmessage.txt

Here, OpensslSlot is the token label and TestECDSAKey is the key on the HSM. Provide the CryptoUser PIN when prompted.


Figure 18: Content of signed message file

  1. Encrypt the signed message file

›_ Console

# openssl cms -engine pkcs11 -encrypt -in signedECDSAmessage.txt -out encryptedECDSAsignedmessage.txt TestECDSA.cert

Figure 19: Content of encrypted signed message file

  1. Decrypt the encrypted signed message file

›_ Console

# openssl cms -engine pkcs11 -decrypt -in encryptedECDSAsignedmessage.txt -inkey "pkcs11:token=OpensslSlot;object=TestECDSAKey" -keyform engine -out decryptedECDSAsignedmessage.txt

Here, OpensslSlot is the token label and TestECDSAKey is the key on the HSM. Provide the CryptoUser PIN when prompted.


Figure 20: Content of decrypted signed message file

  1. Verify the decrypted signed message file

›_ Console

# openssl cms -engine pkcs11 -verify -in decryptedECDSAsignedmessage.txt -CAfile TestECDSA.cert -out originalmessage.txt TestECDSA.cert

Figure 21: Output of openssl verify command

  1. Open originalmessage.txt and verify that its content is the same as the original message.


Figure 22: Content of original message file