Skip to content

A Besu security module plugin showcasing PKCS11 with SoftHSM

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE-2.0
MIT
LICENSE-MIT
Notifications You must be signed in to change notification settings

usmansaleem/besu-pkcs11-plugin

Repository files navigation

Besu Plugin - PKCS11 SoftHSM

A Besu plugin that provides a custom security module to load the node key from an HSM, such as SoftHSM, using PKCS11 libraries.

GitHub Actions Workflow Status GitHub Release

Build Instructions

You can either use pre-built jar from Assets section in releases or build it yourself.

Note

This project requires Java 21 or later. If it is not available, the gradle build will attempt to download one and use it.

[versions]
besu = "24.8.0"
  • Build the plugin:
./gradlew clean build

The plugin jar will be available at build/libs/besu-pkcs11-plugin-<version>.jar.

Usage

Drop the besu-pkcs11-plugin-<version>.jar in the /plugins folder under Besu installation. This plugin will expose following additional cli options:

--plugin-pkcs11-hsm-config-path=<path>
                             Path to the PKCS11 configuration file
--plugin-pkcs11-hsm-key-alias=<label>
                             Alias or label of the private key that is stored in the HSM
--plugin-pkcs11-hsm-password-path=<path>
                             Path to the file that contains password or PIN to access PKCS11 token

The security module provided by this plugin can be loaded with following cli option:

--security-module=pkcs11-hsm

Docker setup

  • The plugin can be tested as a docker image. The provided Dockerfile is based on Besu's official docker image. It installs following additional package to manage SECP256K1 private keys and SoftHSM:
apt-get install -y --no-install-recommends \
    openssl \
    libssl3 \
    softhsm2 \
    opensc \
    gnutls-bin
  • The Dockerfile uses a custom script entrypoint.sh as entrypoint. This script initializes SoftHSM and generates a private key if required.
  • The Dockerfile copies the plugin jar to /plugins folder.
  • See Besu documentation for further details about other docker options required to run Besu.
  • See the sample Besu config file that defines minimal options required to use the plugin.
  • Following is an example to build the docker image:
docker build --no-cache -t besu-pkcs11:latest .
  • To run Besu node for testing with SoftHSM, Following directories be mounted as volumes. Change the path according to your requirements:
    • ./docker/volumes/data for Besu data. It should be mounted to /var/lib/besu
    • ./docker/volumes/tokens for SoftHSM data. It should be mounted to /var/lib/tokens
    • ./docker/volumes/config for Besu and PKCS11 config files. It MUST be mounted to /etc/besu/config. This directory contains the sample configurations.

Note

To initialize the SoftHSM tokens, the entrypoint script will attempt to generate a SECP256K1 private key and initialize SoftHSM on the first run. The SoftHSM PIN is defined in ./docker/volumes/config/pkcs11-hsm-password.txt. The SO_PIN can be overridden via environment variable, however, it is not required once initialization is done.

  • To run the Besu node:
docker run --rm -it \
    -v ./docker/volumes/data:/var/lib/besu \
    -v ./docker/volumes/tokens:/var/lib/tokens \
    -v ./docker/volumes/config:/etc/besu/config \
    besu-pkcs11:latest --config-file=/etc/besu/config/besu-dev.toml

License

Licensed under either of

at your option. SPDX-License-Identifier: (Apache-2.0 OR MIT)

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

About

A Besu security module plugin showcasing PKCS11 with SoftHSM

Topics

Resources

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE-2.0
MIT
LICENSE-MIT

Stars

Watchers

Forks

Packages

No packages published