security_configuration_files

These are example configuration files to be used with tests and examples.

The certificates have been generated using OpenSSL according to OpenSSL Cookbook and Signing certificates.

PEM pass phrase in the file password: password123

Create Permissions CA files permissions_ca.cert.pem and permissions_ca_private_key.pem with elliptic curves:
openssl ecparam -name prime256v1 -out ec_parameters.pem
_
openssl req -x509 -newkey param:ec_parameters.pem -keyout permissions_ca_private_key.pem -passout file:password -out permissions_ca.cert.pem -days 999999 -subj "/O=Example Organization/CN=permissions_ca_common_name"\

Inspect the certificate:
openssl x509 -text -in permissions_ca.cert.pem -noout
_

Sign configuration documents:
openssl smime -sign -in governance_unsigned.xml -text -out governance.p7s -signer permissions_ca.cert.pem -inkey permissions_ca_private_key.pem -passin file:password
_
openssl smime -sign -in permissions_unsigned.xml -text -out permissions.p7s -signer permissions_ca.cert.pem -inkey permissions_ca_private_key.pem -passin file:password
_

Create Identity CA files identity_ca.cert.pem and identity_ca_private_key.pem:
openssl req -x509 -newkey param:ec_parameters.pem -keyout identity_ca_private_key.pem -passout file:password -out identity_ca.cert.pem -days 999999 -subj "/O=Example Organization/CN=identity_ca_common_name"
_

Create a certificate request and make the Identity CA sign it. This creates the participant's private key key.pem and the identity certificate cert.pem. WARNING: password-encrypted private keys are not yet supported for identity certificates, so we use the -nodes option for the example, which is not advised:
openssl req -newkey param:ec_parameters.pem -keyout key.pem -nodes -out identity_certificate_request.pem -subj "/O=Example Organization/CN=participant1_common_name"
_
openssl x509 -req -days 999999 -in identity_certificate_request.pem -CA identity_ca.cert.pem -CAkey identity_ca_private_key.pem -passin file:password -out cert.pem -set_serial 1
_

Using Hardware Security Module (PKCS#11 / Cryptoki)

Provisioning Method 1: Generate keys using OpenSSL on CPU as usual

Initialize an emulated HSM. We call it example_token

$ softhsm2-util --init-token --free --label example_token --pin 1234 --so-pin 12345

$ softhsm2-util --show-slots

Slot 2046880677
    Slot info:
        Description:      SoftHSM slot ID 0x7a00eba5                            
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.6
        Firmware version: 2.6
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.6
        Firmware version: 2.6
        Serial number:    da58e2f47a00eba5
        Initialized:      yes
        User PIN init.:   yes
        Label:            example_token

We need a 256-bit Elliptic Curve Key for the prime256v1 curve, as generated above, in key.pem.

softhsm2-util --import key.pem --token example_token --pin 1234 --label test_private_key --id f00d

Use the pkcs11-dump utility to check what we imported:

$ pkcs11-dump dump /usr/lib/softhsm/libsofthsm2.so 2046880677 1234

Provisioning Method 2: Generate keys in HSM

The advantage of this method is that the private key never leaves the HSM.

Ask HSM to generate a key pair

$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --token-label ec_key --pin 1234 --keypairgen --key-type EC:prime256v1 --label id_key --id d00f

Extract the public key to a Certificate Signing Request.

TODO (openssl)

Sign the CSR using Identity CA's cert and private key

TODO (openssl)