I would like to get OpenSSH working with OpenSSL plus openCryptoki (pkcs11) plus a software TPM. As far as I know, openCryptoki supports a software token (for testing purposes). I would like to use the openCryptoki software TPM that I have read about (the alternatives are: softhsm, heimdal, tpmd).
I installed: gnutls-bin, opencryptoki, libengine-pkcs11-openssl, libp11-2, libp11-2dev.
I did the following to start openCryptoki:
pkcs11_startup
Here is the pk_config_data file:
TRUE|0|Linux 3.5.0-54-generic Linux (TPM)|Linux 3.5.0-54-generic|TRUE|FALSE|TRUE|0|0|1|1|NONE|libpkcs11_tpm.so|ST_Initialize
TRUE|0|Linux 3.5.0-54-generic Linux (Soft)|Linux 3.5.0-54-generic|TRUE|FALSE|FALSE|0|0|1|1|NONE|libpkcs11_sw.so|ST_Initialize
I could not find out how to use the openCryptoki software token.
Then I tried with opensc:
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus">
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3073657032:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
Then I tried with softhsm:
softhsm --init-token --slot 0 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN: aaaa
The user PIN must have a length between 4 and 255 characters.
Enter user PIN: bbbb
The token has been initialized.
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libsofthsm.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libsofthsm.so
Loaded: (pkcs11) pkcs11 engine
SoftHSM: Could not open the config file: /etc/softhsm/softhsm.conf
unable to load module /usr/lib/libsofthsm.so
[ unavailable ]
Next, I tried with an unused slot:
pkcsconf -s
Slot #0 Info
Description: Linux 3.5.0-54-generic Linux (TPM)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
Hardware Version: 0.0
Firmware Version: 1.1
Slot #1 Info
Description: Linux 3.5.0-54-generic Linux (Soft)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 0.0
Firmware Version: 1.1
softhsm --init-token --slot 2 --label "softhsmTPM"
The SO PIN must have a length between 4 and 255 characters.
Enter SO PIN:
The user PIN must have a length between 4 and 255 characters.
Enter user PIN:
Error: The given slot does not exist.
Whatever solution I try, it fails, but I am new to this area. Any help?
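The last attempt above fails because slot 2 was never listed by pkcsconf. The helper below is an added example (not part of the question and not openCryptoki's own tooling): it parses `pkcsconf -s` style output, embedded here as a constructed sample modelled on the listing in the question, and checks that a slot actually holds a token before that slot number is handed to the OpenSSL pkcs11 engine or to `softhsm --init-token`.

```shell
#!/bin/sh
# Added diagnostic helper, not from the question: validate a PKCS#11 slot number
# against the slot list openCryptoki reports, so a bad slot fails early and
# clearly instead of deep inside the OpenSSL engine.

# Constructed sample, modelled on the `pkcsconf -s` output shown in the question.
SAMPLE_PKCSCONF='Slot #0 Info
Description: Linux 3.5.0-54-generic Linux (TPM)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
Hardware Version: 0.0
Firmware Version: 1.1
Slot #1 Info
Description: Linux 3.5.0-54-generic Linux (Soft)
Manufacturer: Linux 3.5.0-54-generic
Flags: 0x1 (TOKEN_PRESENT)
Hardware Version: 0.0
Firmware Version: 1.1'

# Print "slot<TAB>description<TAB>flags" for each slot whose flags include TOKEN_PRESENT.
# $1: text as produced by `pkcsconf -s` (pass "$(pkcsconf -s)" on a live system).
slots_with_token() {
    printf '%s\n' "$1" | awk '
        /^Slot #[0-9]+ Info/ { slot = $2; sub(/^#/, "", slot) }
        /^Description:/      { desc = $0; sub(/^Description: /, "", desc) }
        /^Flags:/ {
            flags = $0; sub(/^Flags: /, "", flags)
            if (flags ~ /TOKEN_PRESENT/) printf "%s\t%s\t%s\n", slot, desc, flags
        }'
}

# Return 0 if slot $1 is listed with a token present in the pkcsconf text $2, else 1.
slot_has_token() {
    slots_with_token "$2" | awk -F '\t' -v want="$1" \
        '$1 == want { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Usage: the question initialised slot 2, which pkcsconf never listed.
if slot_has_token 2 "$SAMPLE_PKCSCONF"; then
    echo "slot 2 holds a token"
else
    echo "slot 2: no such slot or no token present; available slots:" >&2
    slots_with_token "$SAMPLE_PKCSCONF" >&2
fi
```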