Testing with RSA Key

  1. Generate the RSA key using p11tool2

›_ Console

# p11tool2 slot=2 LoginUser=123456 PubKeyAttr=CKA_LABEL="TestRSAKey" PrvKeyAttr=CKA_LABEL="TestRSAKey" GenerateKeyPair=RSA
  2. Verify that the key pair was generated on the HSM using the following command

›_ Console

# p11tool2 LoginUser=<cryptouser_password> ListObjects

Example

›_ Console

# p11tool2 slot=2 LoginUser=123456 ListObjects

CKO_PUBLIC_KEY:

+ 1.1
CKA_KEY_TYPE = CKK_RSA
CKA_LABEL = TestRSAKey
CKA_ID =

CKO_PRIVATE_KEY:

+ 2.1
CKA_KEY_TYPE = CKK_RSA
CKA_SENSITIVE = CK_TRUE
CKA_EXTRACTABLE = CK_FALSE
CKA_LABEL = TestRSAKey
CKA_ID =
  3. Generate a certificate signing request (CSR) for the HSM key

›_ Console

# openssl req -engine pkcs11 -new -key "pkcs11:token=OpensslSlot;object=TestRSAKey" -keyform engine -out TestRSACSR.csr

Here, OpensslSlot is the token label and TestRSAKey is the label of the key on the HSM. Provide the Cryptouser PIN when prompted.

Figure 5: Certificate request output

Figure 6: Content of certificate request file

  4. Create the self-signed certificate based on the generated key

›_ Console

# openssl req -engine pkcs11 -new -x509 -days 365 -key "pkcs11:token=OpensslSlot;object=TestRSAKey" -keyform engine -out TestRSA.cert

Here, OpensslSlot is the token label and TestRSAKey is the label of the key on the HSM. Provide the Cryptouser PIN when prompted.

Figure 7: Self-signed certificate generation output

Figure 8: Content of self-signed certificate file

  5. Create a sample text file with any content inside it

›_ Console

# touch message.txt

Figure 9: Content of message.txt

  6. Sign the message file

›_ Console

# openssl cms -engine pkcs11 -sign -in message.txt -signer TestRSA.cert -inkey "pkcs11:token=OpensslSlot;object=TestRSAKey" -keyform engine -out signedRSAmessage.txt

Here, OpensslSlot is the token label and TestRSAKey is the label of the key on the HSM. Provide the Cryptouser PIN when prompted.

Figure 10: Content of signed message file

  7. Encrypt the signed message file

›_ Console

# openssl cms -engine pkcs11 -encrypt -in signedRSAmessage.txt -out encryptedRSAsignedmessage.txt TestRSA.cert

Figure 11: Content of encrypted signed message file

  8. Decrypt the encrypted signed message file

›_ Console

# openssl cms -engine pkcs11 -decrypt -in encryptedRSAsignedmessage.txt -inkey "pkcs11:token=OpensslSlot;object=TestRSAKey" -keyform engine -out decryptedRSAsignedmessage.txt

Here, OpensslSlot is the token label and TestRSAKey is the label of the key on the HSM. Provide the Cryptouser PIN when prompted.

Figure 12: Content of decrypted signed message file

  9. Verify the decrypted signed message file

›_ Console

# openssl cms -engine pkcs11 -verify -in decryptedRSAsignedmessage.txt -CAfile TestRSA.cert -out originalmessage.txt TestRSA.cert

Figure 13: Output of openssl verification command

Figure 14: Content of original message file
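The sign, encrypt, decrypt and verify round trip of steps 6 to 9 as a checked shell script, added here as an example and not part of the original guide. It assumes the token label OpensslSlot, the key label TestRSAKey and the certificate TestRSA.cert from the steps above, that OpenSSL with the pkcs11 engine is on PATH, and that the Cryptouser PIN is entered at the engine prompt as in the guide; the pkcs11_escape, pkcs11_uri and rsa_round_trip helpers are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: runs steps 6 to 9 (sign, encrypt,
# decrypt, verify) with exit-code checks, so a mistyped PKCS#11 URI or a failed HSM
# login stops the run instead of leaving a half-processed file behind.
# Assumed: OpenSSL with the pkcs11 engine on PATH, token label OpensslSlot, key label
# TestRSAKey and certificate TestRSA.cert from the steps above; the PIN is prompted
# by the engine exactly as in the guide.
set -eu

# Percent-encode one PKCS#11 URI attribute value as RFC 7512 requires, so a label
# containing a space or ';' cannot break the URI. A stray space, as in
# "object= TestRSAKey", would select the label " TestRSAKey", which does not exist.
pkcs11_escape() {
    _s=$1
    _out=''
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}          # first character of the remaining string
        _s=${_s#?}
        case $_c in
            [A-Za-z0-9._~-]) _out="$_out$_c" ;;          # RFC 3986 unreserved
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;  # everything else as %XX
        esac
    done
    printf '%s' "$_out"
}

# Build the URI passed to -inkey from the raw token and object labels.
pkcs11_uri() {
    printf 'pkcs11:token=%s;object=%s' "$(pkcs11_escape "$1")" "$(pkcs11_escape "$2")"
}

# Steps 6 to 9 in order; returns non-zero at the first failing command, and finally
# checks that the verified payload is byte-identical to the original message.
rsa_round_trip() {
    _uri=$(pkcs11_uri "${TOKEN:-OpensslSlot}" "${KEY:-TestRSAKey}")
    openssl cms -engine pkcs11 -sign -in message.txt -signer TestRSA.cert \
        -inkey "$_uri" -keyform engine -out signedRSAmessage.txt
    openssl cms -encrypt -in signedRSAmessage.txt \
        -out encryptedRSAsignedmessage.txt TestRSA.cert
    openssl cms -engine pkcs11 -decrypt -in encryptedRSAsignedmessage.txt \
        -inkey "$_uri" -keyform engine -out decryptedRSAsignedmessage.txt
    openssl cms -verify -in decryptedRSAsignedmessage.txt \
        -CAfile TestRSA.cert -out originalmessage.txt
    cmp -s message.txt originalmessage.txt
}
```

Run `rsa_round_trip` after steps 1 to 5 have produced TestRSA.cert and message.txt; a non-zero exit points at the exact step that failed.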