I have a doubt whether what I’m trying to achieve is reasonable or not with the Nitrokey Start. I would like to use the key to sign software.
I started investigating the matter, and the first thing I need is to create a self-signed certificate from the RSA signing key.
For this I tried using openssl with pkcs11 engine, using the opensc backend. The problem I’m facing is that I am not sure how to specify the key name in the openssl command :
$ openssl req -engine pkcs11 -new -key "pkcs11:object=1:03" -keyform engine -out req.pem -text -x509 -subj "/CN=my name"
engine "pkcs11" set.
PKCS#11 token PIN:
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140575120598680:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
I have the following openssl.cnf (as seen on the opensc wiki) :
openssl_conf = openssl_init
engines = engine_section
pkcs11 = pkcs11_section
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0
I am pushing too far with the Nitrokey Start and do I need a Nitrokey Pro or HSM instead ?
Quick follow-up : the following command seems to have signed the cert :
openssl req -new -engine pkcs11 -key slot_0-id_03 -keyform engine -out req.pem -text -x509 -subj "/CN=my name" -config openssl.cnf
I turns out that I had a part of my config in an environment-driver $OPENSSL_CONF file
So this is solved? Or do you still have a problem here?
The only thing I would like confirmed is the feasibility of using the Nitrokey Start for PKCS11 applications such as code signing. It seems to me that the missing part of PKSC11 support would be the x509 certificate storage. Can you confirm this ?
I have a Nitrokey HSM on order, so eventually this will solve my use case, but I am curious to know if PKCS11 support is achieveable with reasonable efforts.
In general, the Nitrokey Start can indeed import and use a certificate. But honestly, it was broken for a long time in OpenSC (but should work since 0.19 ) and has some limitations because of the hardware. To import a certificate there is a special python script, which should work. Once the certificate is imported, OpenSC should be able to use it though.
I just tested the current master of OpenSC. I could import a key and certificate to the NK Start:
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key mykey.pem --auth-id 3 --verify-pin --id 3 \
&& pkcs15-init --id 3 --store-certificate mycert.pem
The same works with a .p12 file
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
Can you make a quick check on v0.19 as well?
Hopefully the v0.20 will be released soon (since RC releases are done).
Nope, not working So OpenSC 0.20 seems to be mandatory for cert import.