Sign and deploy CodeSafe 5 SDK apps using csadmin
Signing CodeSafe images
All CodeSafe images must be signed before they can be loaded on to an HSM. Entrust recommends that you have two signing keys: one that you use to sign CodeSafe images that are still under development, and one that you only use for signing tested CodeSafe images that are ready for deployment. In this guide, the two recommended keys are referred to as the development signing key and the production signing key, however you can name these keys as required by your particular development organisation.
| Signed CodeSafe images can be loaded to an HSM if the certificate associated with the signing key is also loaded to that HSM. Therefore you must ensure that the certificates associated with development signing keys are never distributed outside of your development organisation. If you develop CodeSafe images for customers who are not part of your development organisation, you should only send them CodeSafe images that have been signed by, and certificates that are associated with, a production signing key. |
You can create as many signing keys as you require. This allows you to use different signing keys to group your CodeSafe images based on whatever criteria you require. For example, you could use different signing keys based on the intended customer or on the functionality of the CodeSafe image.
You must keep track of which key has been used to sign which image and ensure that the end user receives the correct matching certificate and does not receive certificates that they do not require.
The following sections describe the commands used to create the signing keys and certificates followed by a worked example showing the entire process of building, signing, loading, and running a CodeSafe image.
The csadmin utility tool
| The following examples use a Linux machine for the deployment of CodeSafe applications. The same commands can be applied to a Windows machine. |
The csadmin tool is used to manage CodeSafe images throughout the development and deployment process.
It is available as part of the Security World ISO.
It must be installed as instructed in Install the CodeSafe 5 SDK on Linux and Install the CodeSafe 5 SDK on Windows.
You must be logged in as an Administrator or a user with local administrator rights to execute csadmin commands.
You must have /opt/nfast/bin in your PATH environment variable to use csadmin.
Executing csadmin displays the available subcommands:
To view the help text included here while using csadmin, run a command or sub-command with the -h|--help option.
The csadmin tool covers CodeSafe application deployment from both the perspective of a CodeSafe application developer and a CodeSafe application user.
The help text displays the complete set of commands available.
This document details the commands that are specific to CodeSafe developers.
See the User Guide for your HSM to see an overview of the csadmin tool and details of the other commands available.
|
Generate loadable images
CS5 images are generated with csadmin image generate.
Before generating an image, the CodeSafe 5 SDK must be previously installed.
This includes an installation of Python and nfpython suitable to run on the HSM.
To display the generate operation’s usage, execute it with the --help option :
$ csadmin image generate --help
usage: csadmin image generate [-h] --package-name PACKAGE_NAME --version-str VERSION_STR --entry-point ENTRY_POINT --network-conf NETWORK_CONF
--packages-conf PACKAGES_CONF --rootdir ROOTDIR [--verbose] CS5FILE
positional arguments:
CS5FILE The cs5 file to be handled
optional arguments:
-h, --help show this help message and exit
--package-name PACKAGE_NAME
Short name describing the product contents
--version-str VERSION_STR
Version number of this package contents
--entry-point ENTRY_POINT
Full path, within the container, to the entry point application to be executed upon start
--network-conf NETWORK_CONF
Full path, outside the container, to the network config file to be copied into the container meta data
--packages-conf PACKAGES_CONF
Full path, outside the container, to the extra packages config file used to copy additional packages into container rootfs
--rootdir ROOTDIR Directory where the contents of the new container are located
--verbose Print verbose logsGenerating an image requires the name of the CS5 file and the use of the following mandatory command-line arguments:
-
--package-name -
--version-str -
--entry-point -
--network-conf -
--packages-conf -
--rootdir
The following items are also required:
-
A container directory (not necessarily named "container") that points to what would be the SEE machine’s root directory.
This directory must include any files used by the application, including the entry point program, for example:
container/ ├── home └── usr └── bin └── entrypointThe container directory can be located anywhere in the host file system. Ensure you pass the full path to the
generatecommand via the--rootdirargument, as specified in the command usage. -
An entry point program.
This is the program that runs when the SEE container is started (on launcher start). It must be made executable so it can be launched accordingly. In the previous example, the entry point program is in
container/usr/bin/entrypoint. -
A network configuration file. (See Example network-conf.json file.)
The valid range for
container_portis 1024 - 65535. -
A file with extra packages information. (See Example extra-packages-conf.json file)
Example csadmin image generate operation
$ csadmin image generate --package-name "MyCodeSafeApp" --entry-point /usr/bin/entrypoint --network-conf network-conf.json --packages-conf extra-packages-conf.json --version-str 1.0 --rootdir container/ myapp.cs5
INFO: creating content package
INFO: Creating content tar ball
INFO: Creating copy of source file: network-conf.json into dest: cs5_build/meta/network-conf.json
INFO: Creating copy of source file: extra-packages-conf.json into dest: cs5_build/meta/extra-packages-conf.json
INFO: Creating compressed tar ball cs5_build/extra-packages.tar.gz out of cs5_build/extra-packages
INFO: Creating compressed tar ball cs5_build/container.tar.gz out of container/
INFO: Creating uncompressed tar ball content.tar out of cs5_build
INFO: creating cs5 file myapp.cs5
INFO: adding content hash to the package
INFO: File myapp.cs5 was created successfully!--entry-point points to the full path of the executable program relative to the container’s root.
Example extra-packages-conf.json file
{
"packages": [{
"package": "python",
"description": "python 3.8 binaries",
"host_path": "python3/csd5/ppc64/usr/bin",
"machine_path": "usr/bin",
"exclude": ""
},
{
"package": "python",
"description": "python 3.8 libraries",
"host_path": "python3/csd5/ppc64/usr/lib/python3.8",
"machine_path": "python3",
"exclude": ""
},
{
"package": "binaries",
"description": "binaries for script support 1.0.0",
"host_path": "c/csd5/rootfs/bin",
"machine_path": "bin",
"exclude": ""
}
]
}Sign images
CodeSafe images are signed with csadmin image sign.
A signing key must be created before the CS5 file is signed, because signing must be done using HSM-protected keys.
csadmin image sign --help
usage: csadmin image sign [-h] --askeyname ASKEYNAME --devkeyname DEVKEYNAME --devcert DEVCERT [--startdate STARTDATE] [--expirydate EXPIRYDATE]
[--out OUT] [--verbose]
CS5FILE
positional arguments:
CS5FILE The cs5 file to be signed
options:
-h, --help show this help message and exit
--askeyname ASKEYNAME
Name (ident) of the application signing key
--devkeyname DEVKEYNAME
Name (ident) of the developer signing key
--devcert DEVCERT The signed developer certificate PEM file
--startdate STARTDATE
Start of validity period for the signed ASK cert in Unix time (default: no start date)
--expirydate EXPIRYDATE
End of validity period for the signed ASK cert in Unix time (default: no expiration date)
--out OUT Name of the output file. If not specified, the cs5 file is overwritten.
--verbose Print verbose logsFor more information, see Signing CodeSafe images.
Create a developer ID certificate
Developer ID certificates are created with csadmin ids create.
This command generates a developer ID key with the given name (if it doesn’t exist already) and a certificate signing request so a certificate can be generated (see Signing CodeSafe images):
$ csadmin ids create --help
usage: csadmin ids create [-h] --keyname KEYNAME [-m MODULE] --x509cname COMMON_NAME [--x509country COUNTRY]
[--x509province STATE_OR_PROVINCE] [--x509locality LOCALITY] --x509org ORGANIZATION [--x509orgunit ORGANIZATIONAL_UNIT] [--verbose]
options:
-h, --help show this help message and exit
--keyname KEYNAME Name for the certificate's key.
-m MODULE, --module MODULE
Module to generate the key with.
--x509cname COMMON_NAME
The CN part of the key's DN.
--x509country COUNTRY
The C part of the key's DN.
--x509province STATE_OR_PROVINCE
The ST part of the key's DN.
--x509locality LOCALITY
The L part of the key's DN.
--x509org ORGANIZATION
The O part of the key's DN.
--x509orgunit ORGANIZATIONAL_UNIT
The OU part of the key's DN.
--verbose Print verbose logsExample CodeSafe developer process
The examples in this chapter show how various csadmin commands can be used to create a signed CodeSafe image for deployment.
For details of the csadmin tool (See The csadmin utility tool)
Create developer ID keys
To sign CodeSafe images, you must create a developer ID for your development organisation and obtain a matching certificate from Entrust. You can obtain a certificate by creating a Certificate Signing Request (CSR) file and sending it to Entrust Support who will process the CSR and return a signed certificate to you.
| Entrust strongly recommend that you create at least two developer IDs: a 'development' ID for signing CodeSafe images that are still in development, and a 'production' ID for signing images that are ready to be deployed. |
The csadmin ids create command provides the functionality to generate a developer ID key if it does not already exist, as well as the CSR file in a single step.
| Keep track of which certificate matches each developer ID key. When you send a signed CodeSafe image to a customer you will need to also send them the matching certificate for them to be able to load the image on their HSM. |
The developer ID keys only need to be created once. The certificates matching them have a limited validity period and will need to be refreshed before they expire.
| When you refresh a certificate you must send it to anyone who received a copy of a SEE machine that is signed by the key matching that certificate. Users of SEE machines require a valid certificate every time they start the SEE machine. |
To refresh a certificate, use the csadmin ids create command with an existing key.
This creates a CSR file for the existing key, which should be sent to
Entrust Support who will process the CSR and return a new signed certificate.
The integrity of the signing process relies on the procedural steps being followed to secure a CodeSafe application image.
For this reason, developer ID keys are OCS protected and therefore to sign a CodeSafe application a quorum of OCS cards and associated passphrases must be available for the signing.
| Only use your 'production' developer ID key to sign fully tested CodeSafe images that you know to be ready for deployment. |
Generate an HSM-protected developer ID key and CSR
csadmin ids create --keyname developerid --x509cname developer.entrust.com --x509country US --x509province Minnesota --x509locality Shakopee --x509org "CodeSafe App Development" --x509orgunit "Entrust CodeSafe"
Generate key 'testdeveloperkey' ...
Loading `TestOCS':
Module 1: 0 cards of 1 read
Module 1 slot 0: empty
Card reading complete.
OK
Generate a CSR in 'testdeveloperkey.csr' ...
OK
Created CSR file 'testdeveloperkey.csr'. Please send it to Entrust Support| This creates the CSR file in the location where the command was run. |
keyname must conform with character set restrictions.
For more information, see the ident entry in the Key properties table in the Key generation options and parameters chapter of the User Guide for your nShield 5 HSM.
|
This developer ID creation was done with TestOCS, quorum of 1/1.
Exact output might vary slightly with different OCS quorums.
|
Send the resulting CSR to customer support to be signed by Entrust.
Load your certificate
When you receive your signed certificate chain back from Entrust Support, load the developer ID certificate chain in the HSM using csadmin ids add.
You can use csadmin ids list to view the loaded certificate.
$ csadmin ids add entrust_developerid_cert_chain.pem
FEDC-BA09-8765 SUCCESS
$ csadmin ids list
FEDC-BA09-8765 SUCCESS
Certificates:
{'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '0987654321fedcbaabcdef123456789009876543', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
{'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': 'fedcba09876543211234567890abcdeffedca098', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}