Build and sign example SEE machines on Windows

Prerequisites

Visual Studio 2017 buildtools
CMAKE version 3.9 or newer
Ninja build system latest version
Visual Studio 2017 workload-vctools

Building Windows CodeSafe C, CSEE, and NETSEE examples

Start the Developer Command Prompt for VS 2017 as Administrator from the Start menu.

Navigate to the following directory:

cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools"

Install the MSVC C and C++ compiler cl.exe.
Execute VsDevCmd.bat:
```
VsDevCmd.bat
```
Run cl:
```
cl
```
Because the default is 32bit mode, the version displayed will show x86. Change to 64bit cl Compiler:
```
cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build"
```
Execute vcvars64.bat:
```
vcvars64.bat
```
Run cl and verify that the x64 version is displayed:
```
cl
```

you can build the following examples in the same VS2017 Command window:

Host-side examples

c:\>mkdir examples\host

c:\>cd c:\examples\host\

c:\examples\host>cmake -G Ninja -DCMAKE_C_COMPILER=cl -DCMAKE_CXX_COMPILER=cl "c:\Program Files\nCipher\nfast\c\csd5\examples"

c:\examples\host>ninja

Module-side examples

c:\>mkdir examples\module

c:\>cd c:\examples\module\

c:\examples\module>cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="c:\Program Files\nCipher\nfast\c\csd5\cmake\codesafe-toolchain-nshield5-csee.cmake" "c:\Program Files\nCipher\nfast\c\csd5\examples"

c:\examples\module>ninja

CS5 images for Python examples

Build the following images in the VS2017 Command window configured in Building Windows CodeSafe C, CSEE, and NETSEE examples. You do not need to build host-side and module-side Python examples separately. They are both built into examples\python\n5\netsee\<example>\.

c:\>mkdir examples\python

c:\>cd c:\examples\python\

c:\examples\python>cmake -G "Ninja" "c:\Program Files\nCipher\nfast\python3\csd5\examples"

c:\examples\python>ninja

For example:

c:\examples\python\n5\netsee\tickets>dir
Volume in drive C is OS
Volume Serial Number is 582A-CFB6 Directory of c:\examples\python\n5\netsee\tickets 03/21/2023  12:32 PM    <DIR>          .
03/21/2023  12:32 PM    <DIR>          ..
03/21/2023  12:32 PM    <DIR>          hostside
03/21/2023  12:32 PM    <DIR>          module
               0 File(s)              0 bytes
               4 Dir(s)  906,165,829,632 bytes free

Sign CodeSafe images

Signing CodeSafe Images requires a Security World and Operator Card Set (OCS).

Insert the OCS card.

Create a certificate signing request (CSR) that should be sent to Entrust to be signed:

c:\ca_ids\>csadmin ids create --keyname testdeveloperkey --x509cname developer.entrust.com --x509country US --x509province FL --x509locality Shakopee --x509org Entrust --x509orgunit "Entrust CodeSafe"
Generate key 'testdeveloperkey' ...

Loading `TestOCS':
 Module 1: 0 cards of 1 read
 Module 1 slot 0: empty
Card reading complete.

OK
Generate a CSR in 'testdeveloperkey.csr' ...
OK
Created CSR file 'testdeveloperkey.csr'. Please send it to Entrust Support

The developer ID creation in this example was done with TestOCS, quorum of 1/1. Exact output may vary slightly with different OCS quorums.

Send the resulting CSR to customer support to be signed by Entrust. You must obtain the signed developer ID certificate in order to sign and load an application.

For more detailed information on Developer IDs and CSRs, see Sign and deploy CodeSafe 5 SDK apps using csadmin.

Create the ASK on the HSM (the name of the key in this example is test-ask). The following example specifies the key to be protected by the module. However, end users are encouraged to protect the key with an OCS:

c:\ca_ids>C:\Progra~1\nCipher\nfast\bin\generatekey.exe --module=1 simple type=ECDSA curve=NISTP521 ident=test-ask plainname=test-ask
protect: Protected by? (token, module) [token] > module
nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
key generation parameters:
 operation    Operation to perform       generate
 application  Application                simple
 protect      Protected by               module
 verify       Verify security of key     yes
 type         Key type                   ECDSA
 ident        Key identifier             test-ask
 plainname    Key name                   test-ask
 nvram        Blob in NVRAM (needs ACS)  no
 curve        Elliptic curve             NISTP521
Key successfully generated.
Path to key: C:\ProgramData\nCipher\Key Management Data\local\key_simple_test-ask

Confirm that the keys were created in the previous step:

c:\ca_ids>nfkminfo -k
Key list - 2 keys
 AppName simple               Ident test-ask
 AppName simple               Ident testdeveloperkey

Sign the netsee\tickets example. You need the signed cert.pem from customer support for this step and the OCS card must be inserted for signing.

c:\examples\module\n5\netsee\tickets_netsee\module>csadmin image sign --askeyname test-ask --devkeyname testdeveloperkey --devcert c:\ca_ids\testdeveloperid_cert.pem --out seetickets_netsee-signed-with-hsm.cs5 seetickets_netsee.cs5
INFO: Reading CS5 file contents...
INFO: Getting key handle from HSM...

INFO: Signing the Application Signing Key...
INFO: hashing contents using 'SHA512Hash'
INFO: Obtaining public key data from HSM...
INFO: Storing public key data on CS5 file...
INFO: Getting key handle from HSM...
INFO: Requesting signature from HSM...
INFO: Saving CS5 file to disk...
INFO: file 'seetickets_netsee.cs5' was signed successfully!

Directory of c:\examples\module\n5\netsee\tickets_netsee\module

02/16/2023  03:53 PM        27,167,860 seetickets_netsee-signed-with-hsm.cs5
               1 File(s)     27,167,860 bytes
               0 Dir(s)  775,613,321,216 bytes free

Install the developer ID certificate chain from Entrust using csadmin ids add:

csadmin ids add entrust_developerid_cert_chain.pem
FEDC-BA09-8765        SUCCESS

csadmin ids list
FEDC-BA09-8765        SUCCESS
Certificates:
{'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '0987654321fedcbaabcdef123456789009876543', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
{'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': 'fedcba09876543211234567890abcdeffedca098', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}

Execute netsee\tickets:

c:\examples\module\n5\netsee\tickets_netsee\module>csadmin load seetickets_netsee-signed-with-hsm.cs5
FEDC-BA09-8765: Uploading seetickets_netsee-signed-with-hsm.cs5
FEDC-BA09-8765: creating machine
FEDC-BA09-8765        SUCCESS
UUID: fedcba09-8765-4321-1234-567890abcdef

c:\examples\module\n5\netsee\tickets_netsee\module>cd c:\examples\host\n5\netsee\tickets_netsee\hostside

c:\examples\host\n5\netsee\tickets_netsee\hostside>nopclearfail -aO
Module 1, command ClearUnitEx: OK

c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin start -u fedcba09-8765-4321-1234-567890abcdef
FEDC-BA09-8765        SUCCESS
IP ADDRESS: ffff::fff:ffff:ffff:ffff

c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin list
FEDC-BA09-8765
UUID                                    State     Name                IP Address
----------------------------------------------------------------------------------------------
fedcba09-8765-4321-1234-567890abcdef    RUNNING   seetickets_netsee   ffff::fff:ffff:ffff:ffff


c:\examples\host\n5\netsee\tickets_netsee\hostside>hosttickets_netsee.exe -p 8888 -U fedcba09-8765-4321-1234-567890abcdef -i ffff::fff:ffff:ffff:ffff%10 -c c:\examples\module\n5\netsee\tickets_netsee\module\seetickets_netsee-signed-with-hsm.cs5
WSAStartup() Success.
HostSide>Enter string to be encrypted (8 characters maximum): hello
HostSide>Reading Identities from container
HostSide>Generating RSA keypair
HostSide>Creating World: init status was 0 (OK)
HostSide>Sending ticket for private RSA key to module
HostSide>Sending key blob to module
HostSide>Sending cipher-text to module
HostSide>decrypted cipher text received from SEE machine:
"hello"
HostSide>Thank you for watching. The end.