usmansaleem / besu-pkcs11-plugin

A Besu security module plugin showcasing PKCS11 with SoftHSM
Apache License 2.0
2 stars 0 forks source link
besu besu-plugin blockchain ethereum java

Besu Plugin - PKCS11 SoftHSM

A Besu plugin that provides a custom security module to load the node key from an HSM, such as SoftHSM, using PKCS11 libraries.

GitHub Actions Workflow Status GitHub Release

Build Instructions

You can either use pre-built jar from Assets section in releases or build it yourself.

[!NOTE] This project requires Java 21 or later. If it is not available, the gradle build will attempt to download one and use it.

[versions]
besu = "24.8.0"
./gradlew clean build

The plugin jar will be available at build/libs/besu-pkcs11-plugin-<version>.jar.

Usage

Drop the besu-pkcs11-plugin-<version>.jar in the /plugins folder under Besu installation. This plugin will expose following additional cli options:

--plugin-pkcs11-hsm-config-path=<path>
                             Path to the PKCS11 configuration file
--plugin-pkcs11-hsm-key-alias=<label>
                             Alias or label of the private key that is stored in the HSM
--plugin-pkcs11-hsm-password-path=<path>
                             Path to the file that contains password or PIN to access PKCS11 token

The security module provided by this plugin can be loaded with following cli option:

--security-module=pkcs11-hsm

Docker setup

apt-get install -y --no-install-recommends \
    openssl \
    libssl3 \
    softhsm2 \
    opensc \
    gnutls-bin

[!NOTE] To initialize the SoftHSM tokens, the entrypoint script will attempt to generate a SECP256K1 private key and initialize SoftHSM on the first run. The SoftHSM PIN is defined in ./docker/volumes/config/pkcs11-hsm-password.txt. The SO_PIN can be overridden via environment variable, however, it is not required once initialization is done.

License

Licensed under either of

at your option. SPDX-License-Identifier: (Apache-2.0 OR MIT)

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.