PKCS 11
The Web Services PKCS #11 Library allows you to run PKCS #11 applications from a WSOP client.
The client machine that the PKCS #11 tar is installed to does not require any existing WSOP or Security World Software to be present.
Installation
To install PKCS #11:
-
Sign in as a user with root privileges.
-
Change to the root directory.
-
Extract the PKCS #11 tar to the root directory. This installs all the files required by PKCS #11 to
/opt/nfast/wsop/pkcs11
.tar –xzf /path/to/pkcs11-1.0.0.tar.gz
-
If you are installing the PKCS #11 library for the first time, go to the
/opt/nfast/wsop/pkcs11/conf
folder and copy theexample_pkcs11wsop.cfg
file topkcs11wsop.cfg
.If you are reinstalling or updating the PKCS #11 library and do not want to overwrite your existing
pkcs11wsop.cfg
file, you can skip this step. -
If required, change the log file destination or grant permission to the appropriate user to write to the default log folder:
/opt/nfast/wsop/pkcs11/log
. For help changing the logging path, see Change log to file destination.
Configuration
Configure PKCS #11 using the /opt/nfast/wsop/pkcs11/conf/pkcs11wsop.cfg
file.
The pkcs11wsop.cfg
file contains an example PKCS #11 configuration.
To use this file, you need to alter it to point to the correct certificate locations.
Default PKCS #11 configuration
The PKCS #11 library is installed with a default configuration. Entrust recommends reviewing and updating the initial configuration before the library is called to ensure that all configuration settings are appropriate for the deployment environment.
Pay special attention to the TLS connection and logging to ensure that the system is used securely.
Ensure that the configuration file and the certificate, root certificate, and key files have restrictive access control, so that only the application using the PKCS #11 client library has access to these files.
TLS certificate
CERT <path to TLS certificate>
Set this to the file path of the client TLS certificate.
TLS client authentication
AUTH <path to TLS CA Certificate for Mutual Authentication>
Set this to the server root certificate, which forms the trust anchor for authenticating the server’s certificates received during TLS handshake.
Logging level
The LOGLEVEL
field in the configuration file controls the PKCS #11 library logging.
The available log levels are:
-
0(None)
-
1(Panic)
-
2(Error)
-
3(Warning)
-
4(Info)
-
5(Debug)
-
6(Trace)
By default, the PKCS #11 logging level is set at 4 (Info).
Higher log levels include all logs from lower levels.
If the logging level is set to 4(Info)
, you only get log events with Info, Warning, Error, and Panic.
If the logging level is set to 6(Trace)
it enables all the log levels.
To turn off logging set LOGLEVEL
to 0(None)
.
LOGLEVEL 4
Logs that are not at TRACE level have the message prefixed with standard fields:
-
Timestamp with format [yyyy-mm-dd hh:mm:ss]
-
Level (one of DEBUG INFO WARNING PANIC)
-
PKCS #11 library name
-
Process ID
Logs at TRACE level add fields for thread ID and session handle in prefix:
-
Timestamp with format [yyyy-mm-dd hh:mm:ss]
-
Level (TRACE)
-
PKCS #11 library name
-
Process ID
-
Thread ID
-
PKCS #11 session handle (zero if not used)
Change log to file destination
By default, PKCS #11 outputs the logs to /opt/nfast/wsop/pkcs11/log/pkcs11wsop.log
.
To change the default path set LOGFILEPATH
to any valid path.
LOGFILEPATH pkcs11wsop.log
To enable logging for a user, change the path to a Linux user path so that the user has write permission to the folder.
LOGFILEPATH /home/<username>/log/pkcs11wsop.log
Enable logging to console
By default, PKCS #11 has console logging disabled.
In order to enable this, set LOGSTDOUT
to 1
in the configuration file.
LOGSTDOUT 1
Enable logging to syslog
You can direct PKCS #11 logs to a syslog server.
The configuration directives enable you to activate the output to syslog.
By default this configuration is disabled.
In order to enable this, set LOGSYS
to 1
in the configuration file.
LOGSYS 1
Retry WSOP communication
Since the PKCS #11 library operates over a network connection, it is possible that network fluctuations could cause an internal request to the WSOP server to fail. To ensure the reliability and robustness of PKCS #11 applications, the request can be retried.
You can configure the maximum number of retries for each request and the delay (in seconds) between each retry. For example:
MAXRETRIES 5
RETRYDELAY 10
If either entry is not provided, its default will be used.
-
For
MAXRETRIES
, the default is5
and the maximum number is256
.To disable retries, set
MAXRETRIES
to0
. -
For
RETRYDELAY
, the default is10
seconds. There is no maximum value but higher values will reduce performance on unstable systems. Only integer values are supported.To disable the retry delay, set
RETRYDELAY
to0
. This will cause retries to occur consecutively without delay.
Server/client mutual authentication
For details on the TLS connection setup, see WSOP TLS setup.
Utility tools
In WSOP 3.0 and later versions, you can use four example programs to obtain information about Softcards:
ckinfo
|
Version of the PKCS#11 library. |
cklist
|
Objects created on the Softcard. |
ckmechinfo
|
Supported mechanisms. |
softcardtool
|
Version of the tool that generated the Softcard. Run these programs with the following commands: |
/opt/nfast/wsop/pkcs11/bin/ckinfo-dynamic --library /opt/nfast/wsop/pkcs11/lib/libpkcs11wsop.so
/opt/nfast/wsop/pkcs11/bin/ckmechinfo-dynamic --library /opt/nfast/wsop/pkcs11/lib/libpkcs11wsop.so
/opt/nfast/wsop/pkcs11/bin/cklist-dynamic --library /opt/nfast/wsop/pkcs11/lib/libpkcs11wsop.so
/opt/nfast/wsop/pkcs11/bin/softcardtool -g --name=<new-softcard-name>
Softcard generation tool
Because PKCS #11 does not directly support Softcard generation, a command line tool is available at /opt/nfast/wsop/pkcs11/bin/softcardtool
The Softcard tool uses the same configuration file as the PKCS #11 library for the WSOP server secure connection. For more information, see Configuration.
To generate a new Softcard, navigate to the /opt/nfast/wsop/pkcs11
folder and run the following command:
./bin/softcardtool -g --name=<new-softcard-name>
When prompted, enter a new passphrase for the Softcard.
Special characters for name and passphrase are not supported. |
To verify the WSOP server connection, run the tool with the verbose and list options:
./bin/softcardtool -vl
To delete a softcard, remove all keys associated with the softcard and use the following command:
./bin/softcardtool -d --ID=<deleted-softcard-ID>
To see all the available options, run
./bin/softcardtool --help
Usage softcardtool [OPTION]
Options:
-g, --generate generate a new softcard
-d, --delete delete softcard by ID
-l, --list list softcards
-v, --verbose verbose output
-n, --name NAME name of softcard to generate
-i, --id ID ID of softcard to delete
Supported functions
The following sections list the PKCS #11 functions supported by the PKCS #11 library. For a list of supported mechanisms, see Mechanisms.
General purpose functions
The following functions perform as described in the PKCS #11 specification:
-
C_Finalize
-
C_GetInfo
-
C_GetFunctionList
-
C_Initialize
.
Slot and token management functions
The following functions perform as described in the PKCS #11 specification:
-
C_GetSlotInfo
-
C_GetTokenInfo
-
C_GetMechanismList
-
C_GetMechanismInfo
-
C_GetSlotList
.
C_GetSlotList
returns a list of slot IDs.
You cannot make any assumptions about the values of these handles.
These handles are not equivalent to the slot numbers returned by WSOP.
Standard session management functions
The following functions perform as described in the PKCS #11 specification:
-
C_OpenSession
-
C_CloseSession
-
C_CloseAllSessions
-
C_Login
-
C_Logout
-
C_GetSessionInfo
Object management functions
The following functions perform as described in the PKCS #11 specification:
-
C_CreateObject
-
C_DestroyObject
-
C_GetAttributeValue
-
C_FindObjectsInit
-
C_FindObjects
-
C_FindObjectsFinal
C_FindObjects only returns objects that are supported by the PKCS #11 library.
It does not list keys with the CKO_PUBLIC or CKO_PRIVATE object class.
|
Encryption functions
The following functions perform as described in the PKCS #11 specification:
-
C_EncryptInit
-
C_Encrypt
-
C_EncryptFinal
Objects
The following table lists the objects currently supported by the PKCS #11 library.
Object | Notes |
---|---|
|
|
|
|
|
|
Mechanisms
The following table lists the mechanisms currently supported by the PKCS #11 library and the functions available to each one.
Mechanism | Encrypt & Decrypt | Sign & Verify | SR & VR | Digest | Gen. Key/Key Pair | Wrap & Unwrap | Derive Key |
---|---|---|---|---|---|---|---|
|
Y |
— |
— |
— |
— |
— |
— |
|
Y |
— |
— |
— |
— |
— |
— |
|
— |
— |
— |
— |
Y |
— |
— |
In this table:
-
Y
indicates that the function is supported by the mechanism. -
—
indicates that the function is not supported by the mechanism.
These mechanisms support multiples of three different key sizes: 16, 24, and 32 bytes.
Attributes
All templates used to create objects or generate keys must contain the following attributes because there is currently no PKCS #11 library support for session objects or wrapping:
Object Attributes | Required | Notes |
---|---|---|
|
Y |
Must be |
|
Y |
Must be |
Data object creation is supported:
Data Object Attributes | Required | Notes |
---|---|---|
|
Y |
Must be |
|
N |
|
|
N |
|
|
N |
The X.509 public object certificate creation is supported:
X.509 Certificate Attributes | Required | Notes |
---|---|---|
|
Y |
Must be |
|
Y |
Must be |
|
Y |
|
|
Y |
|
|
N |
|
|
N |
|
|
N |
The PKCS #11 library supports generation of CKK_AES keys. To be useful in the PKCS #11 library CKA_ENCRYPT
and CKA_DECRYPT
should be set to CK_TRUE
:
AES key Attributes | Required | Notes |
---|---|---|
|
Y |
Must be |
|
Y |
Must be |
|
Y |
|
|
Y |
|
|
Y |
Should be |
|
Y |
Should be |
|
N |
Function not used in PKCS #11 library |
|
N |
Function not used in PKCS #11 library |
|
N |
Function not used in PKCS #11 library |
|
N |
Function not used in PKCS #11 library |
You should set these attributes to false while creating an object, if provided:
-
CKA_DERIVE
-
CKA_EXTRACTABLE
-
CKA_COPYABLE
-
CKA_TRUSTED
-
CKA_UNWRAP
-
CKA_WRAP
-
CKA_WRAP_WITH_TRUSTED
You should set these attributes to true while creating an object, if provided:
-
CKA_ALWAYS_SENSITIVE
-
CKA_NEVER_EXTRACTABLE
-
CKA_LOCAL
-
CKA_SENSITIVE
The attributes not listed above or in tables are currently not supported.
The PKCS #11 library only supports token objects, not session objects. |