Build and sign example SEE machines on Windows
Prerequisites
- Visual Studio 2017 Build Tools
- CMake version 3.9 or newer
- Ninja build system, latest version
- Visual Studio 2017 workload-vctools (the VC++ build tools workload, which provides the cl.exe compiler)
Building Windows CodeSafe C, CSEE, and NETSEE examples
- Start the Developer Command Prompt for VS 2017 as Administrator from the Start menu.
- Navigate to the following directory:
    cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools"
- Make sure the MSVC C and C++ compiler, cl.exe, is installed (it is part of the workload-vctools workload listed in the prerequisites).
- Execute VsDevCmd.bat:
    VsDevCmd.bat
- Run cl:
    cl
- Because the default is 32-bit mode, the version banner shows x86. Change to the 64-bit cl compiler:
    cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build"
- Execute vcvars64.bat:
    vcvars64.bat
- Run cl again and verify that the banner now reports the x64 version:
    cl
You can build the following examples in the same VS2017 Command window:
CS5 images for Python examples
Build the following images in the VS2017 Command window configured in Building Windows CodeSafe C, CSEE, and NETSEE examples.
You do not need to build host-side and module-side Python examples separately. They are both built into examples\python\n5\netsee\<example>\.
    c:\>mkdir examples\python
    c:\>cd c:\examples\python\
    c:\examples\python>cmake -G "Ninja" "c:\Program Files\nCipher\nfast\python3\csd5\examples"
    c:\examples\python>ninja
For example, the tickets example produces a hostside and a module directory:
    c:\examples\python\n5\netsee\tickets>dir
     Volume in drive C is OS
     Volume Serial Number is 582A-CFB6

     Directory of c:\examples\python\n5\netsee\tickets

    03/21/2023  12:32 PM    <DIR>          .
    03/21/2023  12:32 PM    <DIR>          ..
    03/21/2023  12:32 PM    <DIR>          hostside
    03/21/2023  12:32 PM    <DIR>          module
                   0 File(s)              0 bytes
                   4 Dir(s)  906,165,829,632 bytes free
Sign CodeSafe images
Signing CodeSafe images requires a Security World and an Operator Card Set (OCS).
- Insert the OCS card.
- Create a certificate signing request (CSR) to be sent to Entrust for signing:
    c:\ca_ids>csadmin ids create --keyname testdeveloperkey --x509cname developer.entrust.com --x509country US --x509province FL --x509locality Shakopee --x509org Entrust --x509orgunit "Entrust CodeSafe"
    Generate key 'testdeveloperkey' ...
    Loading `TestOCS':
     Module 1: 0 cards of 1 read
     Module 1 slot 0: empty
    Card reading complete.
    OK
    Generate a CSR in 'testdeveloperkey.csr' ...
    OK
    Created CSR file 'testdeveloperkey.csr'. Please send it to Entrust Support
  The developer ID in this example was created with TestOCS, an OCS with a quorum of 1/1. Exact output varies slightly with other OCS quorums.
- Send the resulting CSR to customer support to be signed by Entrust. You must obtain the signed developer ID certificate before you can sign and load an application.
For more detailed information on developer IDs and CSRs, see Sign and deploy CodeSafe 5 SDK apps using csadmin.
- Create the Application Signing Key (ASK) on the HSM (the key in this example is named test-ask). The following example protects the key with the module, which means anyone who can reach the HSM can use it to sign; end users are encouraged to protect the key with an OCS instead, so that signing requires the card quorum to be presented.
    c:\ca_ids>C:\Progra~1\nCipher\nfast\bin\generatekey.exe --module=1 simple type=ECDSA curve=NISTP521 ident=test-ask plainname=test-ask
    protect: Protected by? (token, module) [token] > module
    nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
    key generation parameters:
     operation    Operation to perform               generate
     application  Application                        simple
     protect      Protected by                       module
     verify       Verify security of key             yes
     type         Key type                           ECDSA
     ident        Key identifier                     test-ask
     plainname    Key name                           test-ask
     nvram        Blob in NVRAM (needs ACS)          no
     curve        Elliptic curve                     NISTP521
    Key successfully generated.
    Path to key: C:\ProgramData\nCipher\Key Management Data\local\key_simple_test-ask
- Confirm that both keys (the ASK and the developer ID key) now exist in the Security World:
    c:\ca_ids>nfkminfo -k
    Key list - 2 keys
     AppName simple                    Ident test-ask
     AppName simple                    Ident testdeveloperkey
- Sign the netsee\tickets example. You need the signed developer ID certificate from customer support for this step (c:\ca_ids\testdeveloperid_cert.pem in this example), and the OCS card must be inserted because the developer ID key is OCS-protected.
    c:\examples\module\n5\netsee\tickets_netsee\module>csadmin image sign --askeyname test-ask --devkeyname testdeveloperkey --devcert c:\ca_ids\testdeveloperid_cert.pem --out seetickets_netsee-signed-with-hsm.cs5 seetickets_netsee.cs5
    INFO: Reading CS5 file contents...
    INFO: Getting key handle from HSM...
    INFO: Signing the Application Signing Key...
    INFO: hashing contents using 'SHA512Hash'
    INFO: Obtaining public key data from HSM...
    INFO: Storing public key data on CS5 file...
    INFO: Getting key handle from HSM...
    INFO: Requesting signature from HSM...
    INFO: Saving CS5 file to disk...
    INFO: file 'seetickets_netsee.cs5' was signed successfully!

     Directory of c:\examples\module\n5\netsee\tickets_netsee\module

    02/16/2023  03:53 PM        27,167,860 seetickets_netsee-signed-with-hsm.cs5
                   1 File(s)     27,167,860 bytes
                   0 Dir(s)  775,613,321,216 bytes free
- Install the developer ID certificate chain from Entrust on the HSM using csadmin ids add, then confirm it with csadmin ids list. Check that the validity window (notBefore/notAfter) of each certificate covers the time at which you intend to load the image.
    csadmin ids add entrust_developerid_cert_chain.pem
    FEDC-BA09-8765 SUCCESS

    csadmin ids list
    FEDC-BA09-8765 SUCCESS
    Certificates:
    {'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '0987654321fedcbaabcdef123456789009876543', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
    {'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': 'fedcba09876543211234567890abcdeffedca098', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
- Execute the netsee\tickets example: load the signed image with csadmin load, clear the module, start the machine with csadmin start (which prints the IP address the host side must use), confirm it with csadmin list, then run the host-side program against the running machine. The %10 suffix on the address passed with -i is the IPv6 zone (interface) index on the host; use the index of your own interface.
    c:\examples\module\n5\netsee\tickets_netsee\module>csadmin load seetickets_netsee-signed-with-hsm.cs5
    FEDC-BA09-8765: Uploading seetickets_netsee-signed-with-hsm.cs5
    FEDC-BA09-8765: creating machine
    FEDC-BA09-8765 SUCCESS
    UUID: fedcba09-8765-4321-1234-567890abcdef

    c:\examples\module\n5\netsee\tickets_netsee\module>cd c:\examples\host\n5\netsee\tickets_netsee\hostside

    c:\examples\host\n5\netsee\tickets_netsee\hostside>nopclearfail -aO
    Module 1, command ClearUnitEx: OK

    c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin start -u fedcba09-8765-4321-1234-567890abcdef
    FEDC-BA09-8765 SUCCESS
    IP ADDRESS: ffff::fff:ffff:ffff:ffff

    c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin list
    FEDC-BA09-8765
    UUID                                   State     Name               IP Address
    ----------------------------------------------------------------------------------------------
    fedcba09-8765-4321-1234-567890abcdef   RUNNING   seetickets_netsee  ffff::fff:ffff:ffff:ffff

    c:\examples\host\n5\netsee\tickets_netsee\hostside>hosttickets_netsee.exe -p 8888 -U fedcba09-8765-4321-1234-567890abcdef -i ffff::fff:ffff:ffff:ffff%10 -c c:\examples\module\n5\netsee\tickets_netsee\module\seetickets_netsee-signed-with-hsm.cs5
    WSAStartup() Success.
    HostSide>Enter string to be encrypted (8 characters maximum): hello
    HostSide>Reading Identities from container
    HostSide>Generating RSA keypair
    HostSide>Creating World: init status was 0 (OK)
    HostSide>Sending ticket for private RSA key to module
    HostSide>Sending key blob to module
    HostSide>Sending cipher-text to module
    HostSide>decrypted cipher text received from SEE machine: "hello"
    HostSide>Thank you for watching. The end.
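The sign and load steps above fail late (at csadmin image sign or csadmin load) when a key is missing or the developer ID chain is expired. The following pre-flight check is an added example written for this page; it is not part of the nShield SDK or of csadmin. It assumes the line layout that nfkminfo -k and csadmin ids list print in the listings above, takes the key idents, the Common Name requested in the CSR and the time of the check as parameters, and embeds constructed sample output shaped like those listings so it runs offline.

```python
"""Pre-flight check for the CodeSafe 5 sign/load steps: are the ASK, the
developer ID key and a currently valid developer ID chain all in place?

Added example, not SDK code. Output formats are assumed from the listings
on this page: `nfkminfo -k` prints one "AppName <app> Ident <ident>" line
per key, and `csadmin ids list` prints one Python-dict literal per cert.
"""
import ast
import re
from datetime import datetime, timezone

# Constructed sample output shaped like the listings above (not captured
# from a real HSM).
NFKMINFO_K_OUTPUT = """\
Key list - 2 keys
 AppName simple                    Ident test-ask
 AppName simple                    Ident testdeveloperkey
"""

CSADMIN_IDS_LIST_OUTPUT = """\
FEDC-BA09-8765 SUCCESS
Certificates:
{'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '0987654321fedcbaabcdef123456789009876543', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
{'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': 'fedcba09876543211234567890abcdeffedca098', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
"""

KEY_LINE = re.compile(r"AppName\s+(\S+)\s+Ident\s+(\S+)")


def parse_nfkminfo_keys(text):
    """Return the set of (appname, ident) pairs listed by `nfkminfo -k`."""
    return {(m.group(1), m.group(2)) for m in KEY_LINE.finditer(text)}


def missing_signing_keys(text, ask_ident, dev_ident, appname="simple"):
    """Idents that `csadmin image sign` needs but the Security World lacks."""
    present = parse_nfkminfo_keys(text)
    return [i for i in (ask_ident, dev_ident) if (appname, i) not in present]


def parse_ids_list(text):
    """Parse the one-dict-per-line certificate entries of `csadmin ids list`.

    ast.literal_eval accepts only Python literals, so a hostile line cannot
    execute code the way eval() would.
    """
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        entry = ast.literal_eval(line)
        entry["notBefore"] = datetime.fromisoformat(entry["notBefore"])
        entry["notAfter"] = datetime.fromisoformat(entry["notAfter"])
        certs.append(entry)
    return certs


def subject_field(subject, label):
    """Pull one attribute (e.g. 'Common Name') out of csadmin's subject string."""
    m = re.search(re.escape(label) + r": ([^,]+)", subject)
    return m.group(1).strip() if m else None


def chain_problems(certs, expected_cn, now_iso=None):
    """Describe each cert outside its validity window at `now_iso` (an ISO
    timestamp with a UTC offset; defaults to now) or whose Common Name is
    not the one requested in the CSR. An empty list means the chain is usable."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    problems = []
    if not certs:
        problems.append("no developer ID certificates installed (run csadmin ids add)")
    for c in certs:
        tag = f"cert serial {c['serialNumber']}"
        if now < c["notBefore"]:
            problems.append(f"{tag} is not valid before {c['notBefore']}")
        elif now > c["notAfter"]:
            problems.append(f"{tag} expired at {c['notAfter']}; request a new developer ID")
        cn = subject_field(c["subject"], "Common Name")
        if cn != expected_cn:
            problems.append(f"{tag} Common Name {cn!r} does not match CSR {expected_cn!r}")
    return problems


def preflight(nfkminfo_text, ids_list_text, ask_ident, dev_ident, expected_cn, now_iso=None):
    """Return every blocking problem; an empty list means it is safe to sign and load."""
    problems = [f"key {k!r} not found in the Security World"
                for k in missing_signing_keys(nfkminfo_text, ask_ident, dev_ident)]
    problems += chain_problems(parse_ids_list(ids_list_text), expected_cn, now_iso)
    return problems


if __name__ == "__main__":
    # In real use, pass subprocess.run(["nfkminfo", "-k"], capture_output=True,
    # text=True).stdout and the same for ["csadmin", "ids", "list"].
    found = preflight(NFKMINFO_K_OUTPUT, CSADMIN_IDS_LIST_OUTPUT, "test-ask",
                      "testdeveloperkey", "developer.entrust.com",
                      "2023-06-01 00:00:00+00:00")
    print("\n".join(found) if found else "OK: keys and developer ID chain in place")
```

The Common Name check catches the case where the certificate that came back from support was issued for a different CSR than the one you sent, which csadmin image sign would otherwise only surface as a signature that the module refuses at load time.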