Faisal

Reputation: 415

Expose SoftHSM library to the code running in host machine

I am generating keypairs in SoftHSMv2 using the node-webcrypto-p11 package that is installed locally on my computer. I want to set up a docker container for SoftHSM so that any developer can build the image and run the container using the Dockerfile in the repo without having to go through the entire steps of building SoftHSM.

I'm currently using this https://github.com/psmiraglia/docker-softhsm to build the image and run the container for SoftHSM. But I'm not sure how I can access the library inside the container from my code. Currently I'm using the code given below. Is there a method by which I can access the library within the container? NOTE: This is just to make the life of other developers easier; it is not to be used for deployment.

import {
    Crypto
} from 'node-webcrypto-p11';
// Need to set the library path from container.
// The given below path is for host machine.
const crypto = new Crypto({
    library: "/usr/local/lib/softhsm/libsofthsm2.so",
    name: "SoftHSMv2",
    slot: 0,
    readWrite: true,
    pin: "0987654321",
});

Upvotes: 1

Views: 3913

Answers (2)

Adam Papp

Reputation: 11

I am also looking for some method to use a remote SoftHSM service. If someone is looking for a complex solution, maybe there is a project that will work properly: https://github.com/vegardit/docker-softhsm2-pkcs11-proxy

Upvotes: 0

ipeacocks

Reputation: 2317

As @david-maze said, SoftHSMv2 is just a library and it can be used only locally. In Ubuntu 20.04 it's available as a deb package in the standard repository.

NOTE: SoftHSMv2 is not for production usage at all; it could be used for development purposes, as such hardware is very expensive. It has the PKCS11 interface, and consequently the code for all HSMs which can work with this interface should be the same.

By the way, you can use SoftHSMv2 remotely with pkcs11-proxy/daemon: https://github.com/SUNET/pkcs11-proxy. It seems to be a quite abandoned but still working project. And again, it's not a production variant.

So how to use it in e.g. Ubuntu 20.04?

On server.

  1. Install dependencies for building pkcs11-proxy:
$ apt-get install -y \
    ca-certificates \
    git-core \
    build-essential \
    cmake \
    libssl-dev \
    libseccomp-dev
  2. Clone code:
$ git clone https://github.com/SUNET/pkcs11-proxy
  3. Build and make install:
$ cd pkcs11-proxy && \
  cmake . && \
  make && \
  make install
  4. Install SoftHSM2 with dependencies:
$ apt-get install -y \
    softhsm2 \
    opensc \
    gnutls-bin \
    libengine-pkcs11-openssl1.1
  5. Init slot/token in SoftHSM:
$ softhsm2-util --init-token --slot 0 --label "main" \
                                      --pin "123456" \
                                      --so-pin "78910"

Don't forget to choose better values.

  6. Now you can launch pkcs11-proxy:
$ export PKCS11_DAEMON_SOCKET="tcp://0.0.0.0:5657"
$ /usr/local/bin/pkcs11-daemon /usr/lib/softhsm/libsofthsm2.so

On client.

  1. Again build pkcs11-proxy, or just copy the libpkcs11-proxy.so library from the previous steps:
$ apt-get install -y \
    ca-certificates \
    git-core \
    build-essential \
    cmake \
    libssl-dev \
    libseccomp-dev

$ git clone https://github.com/SUNET/pkcs11-proxy

$ cd pkcs11-proxy && \
cmake . && \
make && \
make install
  2. Now you can remotely use your SoftHSM over the network:
$ export PKCS11_PROXY_SOCKET="tcp://ip_or_domain_of_softhsm:5657"
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -L
Available slots:
Slot 0 (0x5b763d80): SoftHSM slot ID 0x5b763d80
  token label        : main
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.5
  firmware version   : 2.5
  serial num         : 27c11aa55b763d80
  pin min/max        : 4/255
Slot 1 (0x1): SoftHSM slot ID 0x1
  token state:   uninitialized
  3. You could also generate new keys, upload your own ones, etc. through pkcs11-tool and libpkcs11-proxy.so:
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -l --keypairgen --key-type rsa:2048 --id 100 --label mykey
Logging in to "main".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      mykey
  ID:         0100
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      mykey
  ID:         0100
  Usage:      encrypt, verify, wrap
  Access:     local
$ pkcs11-tool --module=/usr/local/lib/libpkcs11-proxy.so -O -l
Using slot 0 with a present token (0x2561b147)
Logging in to "main".
Please enter User PIN: 
Private Key Object; RSA 
  label:      my_key
  ID:         0100
  Usage:      decrypt, sign, unwrap
  Access:     sensitive
Public Key Object; RSA 2048 bits
  label:      my_key
  ID:         0100
  Usage:      encrypt, verify, wrap
  Access:     none

Read the pkcs11-tool documentation for more info. TLS encryption is also supported but not stable, at least for me: https://github.com/SUNET/pkcs11-proxy/blob/master/USAGE#L56

Upvotes: 1
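The server-side steps in the answer above, packaged as a Dockerfile so the whole thing can live in a repo the way the question asks. This is an added example, not code from the question, the answer, or the pkcs11-proxy project. It assumes an ubuntu:20.04 base image, that the token can be initialised at build time (so it is baked into the image), and placeholder label/PIN values passed as build arguments; the port number and socket are the ones used in the answer.

```dockerfile
# Added example (not from the question or the answer): builds pkcs11-proxy,
# installs SoftHSM2, initialises one token and runs pkcs11-daemon in front of
# libsofthsm2.so. Development use only, as the answer says.
FROM ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive

# Steps 1 and 4: build dependencies for pkcs11-proxy, then SoftHSM2 and tooling.
# apt-get update is needed in a fresh image; the answer's steps assume it was run.
RUN apt-get update && apt-get install -y \
        ca-certificates git-core build-essential cmake libssl-dev libseccomp-dev \
        softhsm2 opensc gnutls-bin libengine-pkcs11-openssl1.1 \
    && rm -rf /var/lib/apt/lists/*

# Steps 2 and 3: clone, build and install pkcs11-proxy. This puts pkcs11-daemon
# and libpkcs11-proxy.so under /usr/local, as in the answer.
RUN git clone https://github.com/SUNET/pkcs11-proxy /tmp/pkcs11-proxy \
    && cd /tmp/pkcs11-proxy && cmake . && make && make install \
    && rm -rf /tmp/pkcs11-proxy

# Step 5: initialise slot 0. Label and PINs are build arguments (assumed names)
# with placeholder defaults, so developers can override them with --build-arg.
ARG TOKEN_LABEL=main
ARG USER_PIN=123456
ARG SO_PIN=78910
RUN softhsm2-util --init-token --slot 0 --label "$TOKEN_LABEL" \
        --pin "$USER_PIN" --so-pin "$SO_PIN"

# Step 6: the daemon socket. 0.0.0.0 here only means "all interfaces of the
# container"; what reaches it from outside is decided by how the port is published.
ENV PKCS11_DAEMON_SOCKET="tcp://0.0.0.0:5657"
EXPOSE 5657

CMD ["/usr/local/bin/pkcs11-daemon", "/usr/lib/softhsm/libsofthsm2.so"]
```

Build with `docker build -t softhsm-proxy .` and run with `docker run --rm -p 127.0.0.1:5657:5657 softhsm-proxy`; publishing on the loopback address keeps the daemon reachable only from the host, which matters because the proxy's TCP connection carries no authentication beyond the token PIN and the answer notes its TLS mode is not stable. On the host, build libpkcs11-proxy.so as in the client steps, export `PKCS11_PROXY_SOCKET="tcp://127.0.0.1:5657"`, and in the question's `new Crypto({...})` call set `library` to `/usr/local/lib/libpkcs11-proxy.so` instead of the host's libsofthsm2.so; `slot`, `pin` and the rest stay as they are, since the proxy presents the container's token through the same PKCS#11 interface. The key material created this way lives in the container image, so rebuilding the image discards it; mount /var/lib/softhsm/tokens as a volume if developers need keys to survive a rebuild.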
