将cryptoauthlib设置为Linux系统的PKCS11提供程序
这些说明用于将cryptoauthlib构建、安装和配置为pkcs11提供者。
这些说明适用于带有包管理器的常用Linux系统,比如Ubuntu 24.04。
1. 系统安装需要的工具
请执行以下命令:
$ sudo apt install build-essential -y
$ sudo apt install libtool-bin -y
$ sudo apt install pkg-config -y
$ sudo apt install libssl-dev -y
$ sudo apt install cmake cmake-curses-gui -y
2. 更新系统的libp11,最低版本是0.4.10
获取最新版本的libp11
$ git clone https://github.com/OpenSC/libp11.git
构建配置工具:
$ cd libp11
$ ./bootstrap
$ ./configure
或者可以指定安装目标
$ ./configure --prefix=/usr/local
编译和安装库:
$ make
$ sudo make install
3. 构建和安装支持PKCS11的cryptoauthlib
3.1 安装系统的构建依赖库libudev-dev
# Debian like systems
$ sudo apt install libudev-dev
# RPM based systems
$ yum install libudev-devel
3.2 获取支持PKCS11的cryptoauthlib最新版本
$ git clone https://github.com/MicrochipTech/cryptoauthlib
$ git clone https://gitee.com/flyerink/cryptoauthlib
3.3 使用cmake工具编译Cryptoauthlib库
这里选择的是KIT_HID方式连接芯片
$ cd cryptoauthlib
$ mkdir build | cd build
$ cmake -DBUILD_TESTS=ON -DATCA_PKCS11=ON -DATCA_HAL_KIT_HID=ON ..
如果是使用I2C接口的话,可以使用下面的命令行:
cmake -DBUILD_TESTS=ON -DATCA_PKCS11=ON -DATCA_HAL_I2C=ON ..
编译选项的说明:
- BUILD_TESTS:这里已经把BUILD_TESTS打开了,会自动编译生成测试程序,对当前的硬件用命令行的方式访问。可以用来验证硬件是否有问题。
- ATCA_PKCS11:我们是要编译用于PKCS11的链接库,必须打开。
- ATCA_HAL_I2C:如果使用I2C的HAL驱动需要开启,通常是针对带有I2C接口的目标板。
- DATCA_HAL_KIT_HID:使用USB-HID作为通信接口,通常Microchip提供的开发板都支持这种方式,包括DM320118, DM320109和AT88CK101等。
- ATCA_PRINTF:如果想使用库中提供的atca_printf相关函数,可以把ATCA_PRINTF打开。
3.4 编译并安装
$ make
$ sudo make install
4. 配置cryptoauthlib PKCS11库
在默认情况下,下面几个文件会自动创建:
- /etc/cryptoauthlib/cryptoauthlib.conf
- /var/lib/cryptoauthlib/slot.conf.tmpl
4.1 cryptoauthlib.conf
该文件提供了库的基本配置信息。唯一的变量是“filestore”,在这里,cryptoauthlib将找到设备特定的配置,并在这里存储来自pkcs11操作的目标文件。
4.2 slot.conf.tmpl
这是设备配置文件的模板,cryptoauthlib将使用该模板将设备及其资源映射到pkcs11 tokens和objects中。
设备文件必须命名为<pkcs11_slot_number>.conf
对于单个设备:
$ cd /var/lib/cryptoauthlib
$ cp slot.conf.tmpl 0.conf
然后编辑0.conf以匹配所使用的设备配置:
-
label 标签
设置Token的名称,默认是00ABC。这里设置成MCHP。建议打开 -
interface 接口
允许的值:‘hid’, ‘i2c’
如果使用i2c,请用十六进制指定设备的地址。这是设备格式(高7位定义地址),所以不会出现与i2cdetect地址相同的情况(低7位) -
device 设备名称
-
freeslots 空闲的槽
这是一个插槽列表,当使用创建新对象的pkcs11操作时,库可能会使用这些插槽。当库被初始化时,它将扫描<pkcs11_slot_num>.<device_slot_num>.conf格式的文件,该格式定义了使用该设备资源的对象。 -
object 对象
private,device,0: 指定用于存贮器件私钥的数据槽,通常为0
下面是Trust&Go的示例配置:
# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces
# Set a label for this slot (optional) - will default to <slot>ABC so
# 0.conf will have a default label 00ABC
label = MCHP
# Configure the device interface for an enabled HAL
# hid,i2c,<address>
# i2c,<address>,<bus>
# spi,<select_line>,<baud>
interface = hid,i2c,0x6a
# Configure the device type - base part number (optional)
device = ATECC608A-TNGTLS
#Configure open slots for additional pkcs11 objects (optional)
#freeslots = 1,2,3
# Manually configure keys into device locations (slots/handles)
# Slot 0 is the primary private key
object = private,device,0
# Slot 10 is the certificate data for the device's public key
object = certificate,device,10
# Slot 11 is the intermedate/signer public key
object = public,signer,11
# Slot 12 is the intermedate/signer certificate data
object = certificate,signer,12
# Slot 15 is a public key
object = public,root,15
TrustFlex的示例配置如下:
# Reserved Configuration for a device
# The objects in this file will be created and marked as undeletable
# These are processed in order. Configuration parameters must be comma
# delimited and may not contain spaces
# Set a label for this slot (optional) - will default to <slot>ABC so
# 0.conf will have a default label 00ABC
label = MCHP
# Configure the device interface for an enabled HAL
# hid,i2c,<address>
# i2c,<address>,<bus>
# spi,<select_line>,<baud>
interface = hid,i2c,0x6C
# Configure the device type - base part number (optional)
device = ATECC608A-TFLEX
#Configure open slots for additional pkcs11 objects (optional)
#freeslots = 1,2,3
# Manually configure keys into device locations (slots/handles)
# Slot 0 is the primary private key
object = private,device,0
# Slot 15 is a public key
object = public,root,15
5. 使用 p11-kit-proxy
这是一个可选步骤,但对于在系统中使用多个pkcs11库非常有用。
详细设置可以在p11-glue中找到
# Debian like systems
$ sudo apt-get install p11-kit
# RPM based systems
$ yum install p11-kit
- 创建或编辑全局配置文件:/etc/pkcs11/pkcs11.conf
# This setting controls whether to load user configuration from the
# \~/.config/pkcs11 directory. Possible values:
# none: No user configuration
# merge: Merge the user config over the system configuration (default)
# only: Only user configuration, ignore system configuration
user-config: merge
- 创建模块配置文件:
用户模块名(仅对单个用户可用):~/.config/pkcs11/modules/cryptoauthlib.module
全局模块名(对整个系统可用):/usr/share/p11-kit/modules/cryptoauthlib.module
module: /usr/lib/libcryptoauth.so
critical: yes
trust-policy: yes
managed: yes
log-calls: no
有关配置文件的详细信息,请参阅configuration documentation
6. 不使用 p11-kit-proxy
OpenSSL(通过上面的libp11项目)和p11tool本身就支持p11-kit-proxy,因此在使用它时不需要额外的设置。如果没有使用p11-kit-proxy,则必须手动配置OpenSSL来使用libp11和cryptoauthlib
这需要编辑默认的openssl.cnf文件。要查找系统使用的文件,请运行以下命令:
$ openssl version -a | grep OPENSSLDIR:
OPENSSLDIR: "/usr/lib/ssl"
这给出了编译openssl以查找openssl.cnf文件的默认路径
在本例中,要编辑的文件是/usr/lib/ssl/openssl.cnf
修改这一行:
[openssl_init]
engines=engine_section
把这部分添加到文件的底部
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
# Wherever the engine installed by libp11 is. For example it could be:
# /usr/lib/arm-linux-gnueabihf/engines-1.1/libpkcs11.so
#dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/libcryptoauth.so
init = 0
注意修改dynamic_path的路径。
7. 测试
要使用p11tool必须安装gnutls-bin
# Debian like systems
$ sudo apt install gnutls-bin -y
# RPM based systems
$ yum install gnutls-utils
注意: 如果不使用p11-kit-proxy,则必须在p11tool调用中指定提供程序
$ p11tool --provider=/usr/lib/libcryptoauth.so
可以运行下面的命令列出全部的token
$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=238C1864F0211501;token=MCHP
Label: MCHP
Type: Hardware token, Trust module
Flags: RNG, uPIN uninitialized
Manufacturer: Microchip Technology Inc
Model: ATECC608A
Serial: 238C1864F0211501
Module: /usr/lib/libcryptoauth.so
$ p11tool --list-all
warning: no token URL was provided for this operation; the available tokens are:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=ca-certificates.crt
pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=42BCF333A8BE;token=MCHP
从中可以找到ATECC608A的Token=MCHP.
注意:token后面的值是大小字敏感的,全部应该是大写。
- 获取私钥对应的公钥(如上所述的0.conf文件定义)
$ p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private"
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Token 'MCHP' with URL 'pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=42BCF333A8BE;token=MCHP' requires user PIN
Enter PIN:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE942lHpjOLzt6tKqF0bew/nyCyVnL
h4Vwln6jvDKL/QaoatkdLuH0sCuqWxFEzNVfqQ7LKOoKp+8cSP5yE03aFA==
-----END PUBLIC KEY-----
- 导出公钥并且用OpenSSL解码 Get the public key and decode it using OpenSSL
$ p11tool --export-pubkey "pkcs11:token=MCHP;object=device;type=private" | openssl pkey -pubin -text -noout
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
Public-Key: (256 bit)
pub:
04:f7:0c:d4:ab:51:14:02:83:6b:1b:4d:6b:5d:88:
cd:77:7e:66:c4:ab:80:3a:3c:3f:92:52:2b:34:40:
5c:89:22:cb:39:32:e3:b3:f8:2f:15:2e:cd:f0:01:
57:0c:ad:7c:be:9c:71:bb:ac:a4:cc:5d:8b:45:de:
d1:63:cc:84:17
ASN1 OID: prime256v1
NIST CURVE: P-256
- 使用器件内部的私钥创建CSR
$ openssl req -engine pkcs11 -key "pkcs11:token=MCHP;object=device;type=private" -keyform engine -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
engine "pkcs11" set.
$ cat new_device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIHVMHwCAQAwGjEYMBYGA1UEAwwPTkVXIENTUiBFWEFNUExFMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAE9wzUq1EUAoNrG01rXYjNd35mxKuAOjw/klIrNEBciSLL
OTLjs/gvFS7N8AFXDK18vpxxu6ykzF2LRd7RY8yEF6AAMAoGCCqGSM49BAMCA0kA
MEYCIQDUPeLfPcOwtZxYJDYXPdl2UhpReVn6kK2lKCCX6byM8QIhAIfqfnggtcCi
W21xLAzabr8A4mHyfIIQ1ofYBg8QO9jZ
-----END CERTIFICATE REQUEST-----
- 验证新创建的CSR
$ openssl req -in new_device.csr -verify -text -noout
verify OK
Certificate Request:
Data:
Version: 1 (0x0)
Subject: CN = NEW CSR EXAMPLE
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f7:0c:d4:ab:51:14:02:83:6b:1b:4d:6b:5d:88:
cd:77:7e:66:c4:ab:80:3a:3c:3f:92:52:2b:34:40:
5c:89:22:cb:39:32:e3:b3:f8:2f:15:2e:cd:f0:01:
57:0c:ad:7c:be:9c:71:bb:ac:a4:cc:5d:8b:45:de:
d1:63:cc:84:17
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:d4:3d:e2:df:3d:c3:b0:b5:9c:58:24:36:17:
3d:d9:76:52:1a:51:79:59:fa:90:ad:a5:28:20:97:e9:bc:8c:
f1:02:21:00:87:ea:7e:78:20:b5:c0:a2:5b:6d:71:2c:0c:da:
6e:bf:00:e2:61:f2:7c:82:10:d6:87:d8:06:0f:10:3b:d8:d9
8. 在Linux中使用HID KIT
默认情况下,当使用通过USB-HID进行通信的cryptoauthlib时,如果不使用sudo运行,它们对cryptoauthlib是不可用的。为了解决这个问题,建议通过将90-cryptohid.rules文件添加到/etc/udev/rules来更新/etc/udev/rules.d
文件夹
$ sudo cp cryptoauthlib/lib/hal/90-cryptohid.rules /etc/udev/rules.d
如果系统使用I2C接口时,有可能也会有权限的问题,类似操作。参考:/dev/i2c-1“权限不足报错(有效)解决办法
需要重启系统才能生效。