Select slot/token and env for library in configuration

[psztoch]

On shared HSM PKCS#11 driver lists a lot of slots (in example from 0 to 54). Is it possible to add configuration parameter to select a permanent slot? Additional identification using the token label would be the peak of expectations.

The ability to set environment variables would also be convenient as some PKCS libraries sometimes require additional settings.

provider-p1-library /usr/local/lib64/libcs_pkcs11_R2.so
provider-p1-slot 17
provider-p1-token-label my_label
provider-p1-env SOME_ENV=some_value

[alonbl]

Hello,

When you generate a key you select the certificate, the selection stores certificate identification based on the label, after selection only this token is used based on label search. The slot is dynamic so it is a bad idea. Basically the current implementation is exactly what you expect.

For environment, it is not standard. Why do you need it? Why can’t you create a wrapper script that sets environment and exec the program?

Regards, Alon

[psztoch]

1. Shared network HSM are available via PKCS#11 library. On one HSM you have a lot of slots. Every slot has own PIN. If you can't limit slots, getting through SCD LEARN is quite a challenge. Perhaps, in addition, something also does not work exactly as it is supposed to work with HSM Utimaco.

2. Of course we can make wrapper script for your software... But with 40 servers and different users, the setup will be confusing. Better to have one configuration file. Also imagine an example where 2 different providers need different ENV settings.

[alonbl]

Hi,

1. The certificate objects should be public objects, private keys should be private objects, hence for SCD LEARN you get no PIN request to list the objects. I guess for some reason you have put your certificates as private? Why?

2. I do not understand... just install in your setup the following script as scd:

/usr/bin/gnupg-pkcs11-scd-env

#!bin/sh
. "$HOME/.gnupg/scd.env"
exec /usr/bin/gnupg-pkcs11-scd

Then put ~/.gnupg/scd-env with exports as you wish per user.

You already have ~/.gnupg/gpg-agent.conf And... ~/.gnupg/gnupg-pkcs11-scd.conf I do not think that having ~/.gnupg/scd.env adds complexity... :)

Regards, Alon

[psztoch]

Ad.1. Expensive network HSM are usually configured as I said. Access to the slot is after logging in.

Unfortunately, there is no virtualization here and everyone can see all the slots. And he only has access to one.

It is not possible to change the current state of affairs. Nobody touches the few critical slots where the certification centers operate. Nevertheless, if I would like to keep the key to signing DEB and RPM packages safely, I need GPG and I have to adapt to the current state of affairs.

Ad. 2. Theoretically yes, but I found an extra parameter to be useful and would simplify the setup.

[alonbl]

1: pkcs11-helper was designed to abstract the slot numbers which are opaque in PKCS#11. If you want to head this way, please help to review and process [1] which adds the ability to apply additional parameters into the provider without breaking the API. Then add a patch in pkcs11-helper to accept a token filter per provider and scan only these tokens based on their descriptions. Then add a patch in gnupg-pkcs11-scd to leverage this.

My recommendation is to go standard... store the certificate as a public object, this has no impact on the private key safety.

2: Won't happen. Environment is non-standard for PKCS#11 nor it is provider specific. Use the wrapper... process a comment within gnupg-pkcs11-scd.conf if you want.

[1] https://github.com/OpenSC/pkcs11-helper/pull/37

On Wed, Sep 15, 2021 at 10:52 PM Przemysław Sztoch @.***> wrote:

Ad.1. Expensive network HSM are usually configured as I said. Access to the slot is after logging in.

Unfortunately, there is no virtualization here and everyone can see all the slots. And he only has access to one.

It is not possible to change the current state of affairs. Nobody touches the few critical slots where the certification centers operate. Nevertheless, if I would like to keep the key to signing DEB and RPM packages safely, I need GPG and I have to adapt to the current state of affairs.

Ad. 2. Theoretically yes, but I found an extra parameter to be useful and would simplify the setup.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/alonbl/gnupg-pkcs11-scd/issues/33#issuecomment-920329789, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJURLIA2RYIOIVP2TUUXNTUCD2PPANCNFSM5EATUHXQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[psztoch]

Ad.1. I accept your arguments. Possible filtering of physical slots should be implemented at the PKCS # 11 driver level. And it's Utimaco that should take care of it. Without this, each application server unnecessarily loads the HSM and scans all slots.

When I gave up -cert-private config setting everything started to run better. I have the impression that -cert-private is not working well with HSM Utimaco PKCS #11.

3. A new problem has arisen for me to solve. After many tries, I cannot export the existing PGP subkey to load it into the HSM. I have already generated a subkey and I would like to use it. How do I do that. I am asking for advice.

[alonbl]

If everything works without certificate private flags, this means that your certificates are public as they should be, and you added this flag just to complicate yourself...

Loading an existing private key into HSM is not trivial...

1. Convert GPG private key into PKCS#1/PKCS#8 PEM format
2. Load (1) to the HSM using pkcs11-tool as a private object and choose unique CKA_ID.
3. Enroll a self-signed certificate based on (2)
4. Load (3) to the HSM using pkcs11-tool as a public object and use the same CKA_ID of (2), choose some meaningful CKA_LABEL.
5. Use gnupg-pkcs11-scd to enroll the key into the keyring.

However, I do not recommend importing unprotected keys into HSM, you cannot guarantee that this key will not be exposed in both past and future, hence better is to generate a new key using the HSM.

[psztoch]

Points 2, 3, and 4 look simple. But I can't pass point 1.

[psztoch]

ad. 1 I have this algorithm: gpg --edit-key AAAAAA gpg> passwd (...) turn off password gpg> quit gpg --export-secret-keys AAAAAA| openpgp2ssh AAAAAA> rsa-pem.key