Build and sign example SEE machines on Windows

Prerequisites

  • Visual Studio 2017 buildtools

  • CMake version 3.9 or newer

  • Ninja build system, latest version

  • Visual Studio 2017 workload-vctools

Building Windows CodeSafe C, CSEE, and NETSEE examples

  1. Start the Developer Command Prompt for VS 2017 as Administrator from the Start menu.

  2. Navigate to the following directory:

    cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\Common7\Tools"
  3. Install the MSVC C and C++ compiler cl.exe.

  4. Execute VsDevCmd.bat:

    VsDevCmd.bat
  5. Run cl:

    cl
  6. Because the default is 32-bit mode, the version displayed shows x86. Change to the 64-bit cl compiler:

    cd "c:\Program Files (x86)\Microsoft Visual Studio\2017\BuildTools\VC\Auxiliary\Build"
  7. Execute vcvars64.bat:

    vcvars64.bat
  8. Run cl and verify that the x64 version is displayed:

    cl

After these steps, you can build the following examples in the same VS2017 Command window:

Host-side examples

c:\>mkdir examples\host

c:\>cd c:\examples\host\

c:\examples\host>cmake -G Ninja -DCMAKE_C_COMPILER=cl -DCMAKE_CXX_COMPILER=cl "c:\Program Files\nCipher\nfast\c\csd5\examples"

c:\examples\host>ninja

Module-side examples

c:\>mkdir examples\module

c:\>cd c:\examples\module\

c:\examples\module>cmake -G "Ninja" -DCMAKE_TOOLCHAIN_FILE="c:\Program Files\nCipher\nfast\c\csd5\cmake\codesafe-toolchain-nshield5-csee.cmake" "c:\Program Files\nCipher\nfast\c\csd5\examples"

c:\examples\module>ninja

CS5 images for Python examples

Build the following images in the VS2017 Command window configured in Building Windows CodeSafe C, CSEE, and NETSEE examples. You do not need to build host-side and module-side Python examples separately. They are both built into examples\python\n5\netsee\<example>\.

c:\>mkdir examples\python

c:\>cd c:\examples\python\

c:\examples\python>cmake -G "Ninja" "c:\Program Files\nCipher\nfast\python3\csd5\examples"

c:\examples\python>ninja

For example:

c:\examples\python\n5\netsee\tickets>dir
Volume in drive C is OS
Volume Serial Number is 582A-CFB6

 Directory of c:\examples\python\n5\netsee\tickets

03/21/2023  12:32 PM    <DIR>          .
03/21/2023  12:32 PM    <DIR>          ..
03/21/2023  12:32 PM    <DIR>          hostside
03/21/2023  12:32 PM    <DIR>          module
               0 File(s)              0 bytes
               4 Dir(s)  906,165,829,632 bytes free

Sign CodeSafe images

Signing CodeSafe images requires a Security World and an Operator Card Set (OCS).

  1. Insert the OCS card.

  2. Create a certificate signing request (CSR) to send to Entrust for signing:

    c:\ca_ids\>csadmin ids create --keyname testdeveloperkey --x509cname developer.entrust.com --x509country US --x509province FL --x509locality Shakopee --x509org Entrust --x509orgunit "Entrust CodeSafe"
    Generate key 'testdeveloperkey' ...
    
    Loading `TestOCS':
     Module 1: 0 cards of 1 read
     Module 1 slot 0: empty
    Card reading complete.
    
    OK
    Generate a CSR in 'testdeveloperkey.csr' ...
    OK
    Created CSR file 'testdeveloperkey.csr'. Please send it to Entrust Support
    The developer ID creation in this example was done with TestOCS, quorum of 1/1. Exact output may vary slightly with different OCS quorums.
  3. Send the resulting CSR to customer support to be signed by Entrust. You must obtain the signed developer ID certificate in order to sign and load an application.

    For more detailed information on Developer IDs and CSRs, see Sign and deploy CodeSafe 5 SDK apps using csadmin.

  4. Create the ASK on the HSM (the name of the key in this example is test-ask). The following example specifies the key to be protected by the module. However, end users are encouraged to protect the key with an OCS:

    c:\ca_ids>C:\Progra~1\nCipher\nfast\bin\generatekey.exe --module=1 simple type=ECDSA curve=NISTP521 ident=test-ask plainname=test-ask
    protect: Protected by? (token, module) [token] > module
    nvram: Blob in NVRAM (needs ACS)? (yes/no) [no] >
    key generation parameters:
     operation    Operation to perform       generate
     application  Application                simple
     protect      Protected by               module
     verify       Verify security of key     yes
     type         Key type                   ECDSA
     ident        Key identifier             test-ask
     plainname    Key name                   test-ask
     nvram        Blob in NVRAM (needs ACS)  no
     curve        Elliptic curve             NISTP521
    Key successfully generated.
    Path to key: C:\ProgramData\nCipher\Key Management Data\local\key_simple_test-ask
  5. Confirm that the keys were created in the previous step:

    c:\ca_ids>nfkminfo -k
    Key list - 2 keys
     AppName simple               Ident test-ask
     AppName simple               Ident testdeveloperkey
  6. Sign the netsee\tickets example. You need the signed developer ID certificate (cert.pem) from customer support for this step, and the OCS card must be inserted for signing.

    c:\examples\module\n5\netsee\tickets_netsee\module>csadmin image sign --askeyname test-ask --devkeyname testdeveloperkey --devcert c:\ca_ids\testdeveloperid_cert.pem --out seetickets_netsee-signed-with-hsm.cs5 seetickets_netsee.cs5
    INFO: Reading CS5 file contents...
    INFO: Getting key handle from HSM...
    
    INFO: Signing the Application Signing Key...
    INFO: hashing contents using 'SHA512Hash'
    INFO: Obtaining public key data from HSM...
    INFO: Storing public key data on CS5 file...
    INFO: Getting key handle from HSM...
    INFO: Requesting signature from HSM...
    INFO: Saving CS5 file to disk...
    INFO: file 'seetickets_netsee.cs5' was signed successfully!
    
    Directory of c:\examples\module\n5\netsee\tickets_netsee\module
    
    02/16/2023  03:53 PM        27,167,860 seetickets_netsee-signed-with-hsm.cs5
                   1 File(s)     27,167,860 bytes
                   0 Dir(s)  775,613,321,216 bytes free
  7. Install the developer ID certificate chain from Entrust using csadmin ids add:

    csadmin ids add entrust_developerid_cert_chain.pem
    FEDC-BA09-8765        SUCCESS
    
    csadmin ids list
    FEDC-BA09-8765        SUCCESS
    Certificates:
    {'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '0987654321fedcbaabcdef123456789009876543', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
    {'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': 'fedcba09876543211234567890abcdeffedca098', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
  8. Execute netsee\tickets:

    c:\examples\module\n5\netsee\tickets_netsee\module>csadmin load seetickets_netsee-signed-with-hsm.cs5
    FEDC-BA09-8765: Uploading seetickets_netsee-signed-with-hsm.cs5
    FEDC-BA09-8765: creating machine
    FEDC-BA09-8765        SUCCESS
    UUID: fedcba09-8765-4321-1234-567890abcdef
    
    c:\examples\module\n5\netsee\tickets_netsee\module>cd c:\examples\host\n5\netsee\tickets_netsee\hostside
    
    c:\examples\host\n5\netsee\tickets_netsee\hostside>nopclearfail -aO
    Module 1, command ClearUnitEx: OK
    
    c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin start -u fedcba09-8765-4321-1234-567890abcdef
    FEDC-BA09-8765        SUCCESS
    IP ADDRESS: ffff::fff:ffff:ffff:ffff
    
    c:\examples\host\n5\netsee\tickets_netsee\hostside>csadmin list
    FEDC-BA09-8765
    UUID                                    State     Name                IP Address
    ----------------------------------------------------------------------------------------------
    fedcba09-8765-4321-1234-567890abcdef    RUNNING   seetickets_netsee   ffff::fff:ffff:ffff:ffff
    
    
    c:\examples\host\n5\netsee\tickets_netsee\hostside>hosttickets_netsee.exe -p 8888 -U fedcba09-8765-4321-1234-567890abcdef -i ffff::fff:ffff:ffff:ffff%10 -c c:\examples\module\n5\netsee\tickets_netsee\module\seetickets_netsee-signed-with-hsm.cs5
    WSAStartup() Success.
    HostSide>Enter string to be encrypted (8 characters maximum): hello
    HostSide>Reading Identities from container
    HostSide>Generating RSA keypair
    HostSide>Creating World: init status was 0 (OK)
    HostSide>Sending ticket for private RSA key to module
    HostSide>Sending key blob to module
    HostSide>Sending cipher-text to module
    HostSide>decrypted cipher text received from SEE machine:
    "hello"
    HostSide>Thank you for watching. The end.
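As an added example (not code from the CodeSafe 5 SDK or from this page), the following Python script parses the certificate lines printed by csadmin ids list in step 7 and runs a go/no-go check before csadmin image sign in step 6: every installed developer ID certificate must be inside its validity window, and the chain installed with csadmin ids add must link from the leaf to a self-signed root through authKeyid -> keyid. The sample output is constructed from the listing above; its key IDs are placeholders chosen so that certificate 2 issues certificate 1, and the date parsing assumes the timestamp format shown in that listing.

```python
# Added example, not part of the CodeSafe 5 SDK: pre-sign check of the developer ID
# certificates reported by `csadmin ids list`.
import ast
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the `csadmin ids list` output on this page. The key IDs
# are placeholders: certificate 2's keyid equals certificate 1's authKeyid (cert 2 issues
# cert 1) and certificate 2 is self-signed (authKeyid == keyid).
SAMPLE_IDS_LIST = """\
FEDC-BA09-8765        SUCCESS
Certificates:
{'serialNumber': '1', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': 'abcdef12345678900987654321fedcbaabcdef12', 'authKeyid': '1234567890abcdeffedcba098765432112345678', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
{'serialNumber': '2', 'subject': 'Common Name: developer.entrust.com, Organizational Unit: Entrust CodeSafe, Organization: Entrust, Locality: Shakopee, State/Province: Minnesota, Country: US', 'keyid': '1234567890abcdeffedcba098765432112345678', 'authKeyid': '1234567890abcdeffedcba098765432112345678', 'notBefore': '2023-01-01 12:34:56+00:00', 'notAfter': '2024-01-01 12:34:56+00:00'}
"""


def parse_ids_list(text):
    """Return the certificate entries as dicts with notBefore/notAfter parsed to datetimes.

    csadmin prints each certificate as a Python dict literal, so ast.literal_eval reads it
    without executing anything. Other lines (module status, 'Certificates:') are skipped.
    """
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("{") and line.endswith("}")):
            continue
        entry = ast.literal_eval(line)
        entry["notBefore"] = datetime.fromisoformat(entry["notBefore"])
        entry["notAfter"] = datetime.fromisoformat(entry["notAfter"])
        certs.append(entry)
    return certs


def validity_status(cert, now, warn_within=timedelta(days=30)):
    """Classify one certificate at the aware datetime `now`."""
    if now < cert["notBefore"]:
        return "not_yet_valid"
    if now > cert["notAfter"]:
        return "expired"
    if cert["notAfter"] - now <= warn_within:
        return "expiring_soon"
    return "valid"


def chain_leaf_to_root(certs):
    """Order certificates leaf first by following authKeyid -> keyid links.

    Returns (ordered_serials, missing_issuer_keyids). A certificate whose authKeyid equals
    its own keyid is the root; an authKeyid matching no installed keyid means the chain
    installed with `csadmin ids add` is incomplete.
    """
    by_keyid = {c["keyid"]: c for c in certs}
    issuers = {c["authKeyid"] for c in certs if c["authKeyid"] != c["keyid"]}
    leaves = [c for c in certs if c["keyid"] not in issuers]
    missing = sorted(k for k in issuers if k not in by_keyid)
    ordered = []
    if len(leaves) == 1:  # a single leaf means a single, unambiguous chain
        cur, seen = leaves[0], set()
        while cur is not None and cur["keyid"] not in seen:
            seen.add(cur["keyid"])
            ordered.append(cur["serialNumber"])
            if cur["authKeyid"] == cur["keyid"]:
                break  # reached the self-signed root
            cur = by_keyid.get(cur["authKeyid"])  # None if the issuer is not installed
    return ordered, missing


def preflight(text, now=None):
    """Summarise the installed developer IDs; `now` may be an aware datetime or ISO string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    certs = parse_ids_list(text)
    ordered, missing = chain_leaf_to_root(certs)
    statuses = {c["serialNumber"]: validity_status(c, now) for c in certs}
    ok = bool(ordered) and not missing and all(
        s in ("valid", "expiring_soon") for s in statuses.values()
    )
    return {"chain": ordered, "missing_issuers": missing, "status": statuses, "ok": ok}


if __name__ == "__main__":
    report = preflight(SAMPLE_IDS_LIST, now="2023-06-01 00:00:00+00:00")
    for serial, status in report["status"].items():
        print(f"certificate {serial}: {status}")
    print("chain (leaf first):", " -> ".join(report["chain"]) or "none")
    print("missing issuers:", report["missing_issuers"] or "none")
    print("ready to sign:", report["ok"])
```

To use it against a real module, pass the captured text of csadmin ids list to preflight with no now argument; an "expiring_soon" status still returns ok but is the cue to request a renewed developer ID before the signed image stops loading.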