Nitrokey HSM

The Nitrokey HSM is very similar to the SmartCard-HSM, and opensc-pkcs11 is used to manage it from EJBCA. For installation instructions, refer to the Nitrokey HSM installation instructions. In the following example, opensc installed from the Nitrokey repository is used.

After installation you can see the Nitrokey HSM:

user@linux:$ sc-hsm-tool
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
Version : 3.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3
user@linux:$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : DENK0101866
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [ 0x3 ], private , modifiable
Auth ID : 02
ID : 01
<snip>

You can generate and test keys with clientToolBox. For example:

ant clientToolBox
cd dist/clientToolBox
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 2048 rsaKey2048 0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so secp256r1 ecKeysecp256r1 0
<snip>
./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 1024 testKey 0
Using Slot Reference Type: Slot Number.
PKCS11 Token [SunPKCS11-opensc-pkcs11.so-slot0] Password:
2019-04-09 15:04:36,374 INFO [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-opensc-pkcs11.so-slot0 version 10'.
Created certificate with entry testKey.
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so 0
Testing of key: testKey
Private part:
SunPKCS11-opensc-pkcs11.so-slot0 RSA private key, 1024 bits (id 140137944076096, token object, sensitive, unextractable)
RSA key:
modulus: afc6f4149dc68d368a299cbf15370e36446bebc29770e35a98df974cf6ee033a180297cb6a4491b51e42135f2d5c5498e3ac5997c3c1c9af8d5a9881795c3715cbc330784964777321fcd3eb5c44dc6bdaa465a2f0d86fd6a509706ca5774a78b0b65b7f844231accfc73334664ad7255600dc0e9831578887fa3dab7051e3ed
public exponent: 10001
encryption provider: SunJCE version 10; decryption provider: SunPKCS11-opensc-pkcs11.so-slot0 version 10; modulus length: 1024; byte length 117. The decoded string is equal to the original!
Signature test of key testKey: signature length 128; first byte 1f; verifying true
Signings per second: 5
Decryptions per second: 4
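The two outputs above (the sc-hsm-tool retry counters and the clientToolBox "test" result) are the things an operator wants to check before restarting EJBCA against the token: a User PIN or SO-PIN retry counter that has dropped means failed PIN attempts have been made against the HSM and a lock-out may be near, and a key whose signature test does not report "verifying true" will not work as a crypto token. The following pre-flight script is an added example, not code from the EJBCA documentation or from Nitrokey. It parses both outputs with plain sh; the sample text it ships with is constructed from the page's example so the script runs without the hardware, and the thresholds (3 User PIN tries, 15 SO-PIN tries), the PKCS11_LIB path and the assumption that it is run from dist/clientToolBox are all assumptions you should adjust to your own setup.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation or the Nitrokey tooling.
# Pre-flight check for an EJBCA host that uses a Nitrokey HSM through
# opensc-pkcs11: parse what sc-hsm-tool and "PKCS11HSMKeyTool test" print,
# warn when a PIN retry counter has dropped (failed PIN attempts or an
# imminent lock-out) and fail when a key's signature test does not verify.
# The thresholds below are an assumption taken from the counters shown for a
# fresh token in the page's output; adjust them to what your token reports.
USER_PIN_MIN=3
SO_PIN_MIN=15

# Constructed sample output of "sc-hsm-tool" (mirrors the page's example).
SAMPLE_SC_HSM_OUTPUT='Using reader with a card: Nitrokey Nitrokey HSM (DENK01018660000 ) 00 00
Version : 3.1
Config options :
User PIN reset with SO-PIN enabled
SO-PIN tries left : 15
User PIN tries left : 3'

# Constructed sample output of "PKCS11HSMKeyTool test" (mirrors the page's example).
SAMPLE_TEST_OUTPUT='Testing of key: testKey
Signature test of key testKey: signature length 128; first byte 1f; verifying true
Signings per second: 5
Decryptions per second: 4'

# pin_tries_left LABEL: read sc-hsm-tool output on stdin and print the retry
# counter for LABEL ("User PIN" or "SO-PIN"); prints nothing if it is absent.
pin_tries_left() {
    sed -n "s/^$1 tries left *: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_pin_counter LABEL MINIMUM: succeed only if the counter is present
# and at least MINIMUM.
check_pin_counter() {
    tries=$(pin_tries_left "$1")
    [ -n "$tries" ] && [ "$tries" -ge "$2" ]
}

# signature_verified: read "test" output on stdin and succeed only if there is
# at least one "Signature test of key" line and every one says "verifying true".
signature_verified() {
    out=$(cat)
    total=$(printf '%s\n' "$out" | grep -c 'Signature test of key' || true)
    ok=$(printf '%s\n' "$out" | grep -c 'Signature test of key.*verifying true' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# preflight HSM_OUTPUT TEST_OUTPUT: run all checks, report each failure on
# stdout and return non-zero if any of them failed.
preflight() {
    status=0
    printf '%s\n' "$1" | check_pin_counter 'User PIN' "$USER_PIN_MIN" \
        || { echo "WARN: User PIN retry counter below $USER_PIN_MIN (failed PIN attempts?)"; status=1; }
    printf '%s\n' "$1" | check_pin_counter 'SO-PIN' "$SO_PIN_MIN" \
        || { echo "WARN: SO-PIN retry counter below $SO_PIN_MIN"; status=1; }
    printf '%s\n' "$2" | signature_verified \
        || { echo "FAIL: key signature test did not report 'verifying true'"; status=1; }
    return "$status"
}

# Stand-alone run. With PREFLIGHT_LIVE=1 the real tools are invoked (the
# "test" command prompts for the token PIN, as on the page); otherwise the
# constructed samples above are used so the script runs without the HSM.
# CLIENTTOOLBOX assumes the script is started from dist/clientToolBox.
PKCS11_LIB=${PKCS11_LIB:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}
CLIENTTOOLBOX=${CLIENTTOOLBOX:-./ejbcaClientToolBox.sh}
if [ "${PREFLIGHT_LIVE:-0}" = "1" ]; then
    preflight "$(sc-hsm-tool)" "$("$CLIENTTOOLBOX" PKCS11HSMKeyTool test "$PKCS11_LIB" 0)" \
        && echo "OK: Nitrokey HSM pre-flight passed"
else
    preflight "$SAMPLE_SC_HSM_OUTPUT" "$SAMPLE_TEST_OUTPUT" \
        && echo "OK: pre-flight passed on sample output"
fi
```

Run it as `PREFLIGHT_LIVE=1 sh preflight.sh` from dist/clientToolBox to check the real token; a non-zero exit status makes it usable as a gate in a deployment job. The retry counter check is deliberately a warning rather than a hard failure, since a single mistyped PIN also lowers it; what matters is that a drop is noticed and the PIN is re-entered correctly (which restores the counter) before the token locks.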

When using EJBCA, web.properties is preconfigured with the opensc-pkcs11 library, named OpenSC, as a PKCS#11 crypto token library.