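############################################################################
#
# SoftHSMv2 dual versions
#
# Works with CentOS 7
#
# The opensc package needs to be installed.
#
############################################################################
#
# Install a software HSM module for doing the PKCS11 testing of libcoap.
# Real hardware can be used if you have the appropriate library module.
#
# It is assumed that the opensc package is installed.
#
# When installing SoftHSMv2 from your system's package manager, check that the
# OpenSSL version is at least 1.1.0.  If not, then you will need to dual
# install SoftHSMv2 as below; otherwise you can use the existing SoftHSMv2.
#
# SoftHSMv2 is built using OpenSSL, but GnuTLS can use the PKCS11 interface.
# Note that if the default OpenSSL version is less than 1.1.0, you will need
# to install a dual stack version of OpenSSL as per HOWTO.dual.openssl.
#
# Creates module /usr/local/lib/softhsm/libsofthsm2.so
#
# These are steps to run by hand, not a script to execute as a whole: the
# limits.conf line below is a configuration entry to copy, and several
# steps need sudo.
#

# Add line below to /etc/security/limits.conf to support memory locking.
# With "*" the limit applies to every account on the host; if only the
# accounts that run the tests need it, scope it to the tokens group instead,
# e.g. "@softhsm        -        memlock         unlimited".

*               -        memlock         unlimited

# Get the latest SoftHSM
git clone https://github.com/opendnssec/SoftHSMv2.git

# Build code.
# The clone above is whatever HEAD happens to be at that moment, and the
# result is installed system-wide with sudo below, so prefer to build a
# release you have reviewed:  git -C SoftHSMv2 checkout <release-tag>
# (replace <release-tag> with the tag you chose).
cd SoftHSMv2/
sh autogen.sh
# Point the build at the dual OpenSSL in /opt/openssl (see HOWTO.dual.openssl)
# rather than the system one.
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure --enable-silent-rules \
  --with-crypto-backend=openssl --disable-gost LDFLAGS=-L/opt/openssl/lib \
  CPPFLAGS=-I/opt/openssl/include --with-openssl=/opt/openssl
make
# You may need to comment out constexpr lines (fixes for gcc10) in
#  src/lib/crypto/PublicKey.h src/lib/crypto/PrivateKey.h if you get
# compile errors.
sudo make install
cd ..

# Make sure the p11-kit softhsm module files point at the fully qualified
# path of the module built above.  The entry (in particular for GnuTLS) in
# /usr/share/p11-kit/modules/softhsm*
# is of the form :-
#
#  module: /usr/local/lib/softhsm/libsofthsm2.so

# The user you are running this as needs to be in the group defined for
# /var/lib/softhsm/tokens/.  E.g.
#  $ sudo ls -ld  /var/lib/softhsm/tokens/
#  drwxrws--- 3 root softhsm 4096 May  3 09:52 /var/lib/softhsm/tokens/
# which is softhsm in this case (It could be ods). To verify if you are in
# the correct group
#  $ id
# To add user to this group
#  $ sudo usermod -a -G softhsm <user>
# and log out and back in again.
# Note that this group has read/write access to the whole token directory,
# i.e. to every test key stored there, so only add the accounts that need it.
#

############################################################################
#
# libp11 (needed for OpenSSL as it provides the PKCS11 engine)
#
############################################################################
#
# Install a pkcs11 library for OpenSSL to use as an engine.
# [GnuTLS has this built in]
#

# Get the latest libp11
git clone https://github.com/OpenSC/libp11.git

# Build code (as for SoftHSMv2 above, prefer a reviewed release tag over
# HEAD, e.g.  git -C libp11 checkout <release-tag>  with your chosen tag).
cd libp11
./bootstrap
# Configure against the dual OpenSSL and default the engine to the SoftHSMv2
# module installed above.
PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig ./configure \
  --with-pkcs11-module=/usr/local/lib/softhsm/libsofthsm2.so
make
sudo make install
cd ..

# Verify that pkcs11 is available.  Use the dual OpenSSL binary, not the
# system one; if the engine is not found, check where "make install" placed
# it against where the OpenSSL in /opt/openssl looks for its engines.

/opt/openssl/bin/openssl engine pkcs11 -t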