Using YubiHSM2 FIPS with EJBCA


Lixin Liu

Sep 29, 2021, 12:43:50 PM
to TAGPMA General

Hi,

 

After a few days' struggle, I am getting a bit closer to using YubiHSM2 with EJBCA. I have the HSM plugged into the server USB port and run the yubihsm-connector from the server directly. Then I use a VM to access the connection with yubihsm-shell and the pkcs11 API.

 

Here are some issues I encountered:

 

1. The space to store a certificate (in either PEM or DER format) is very limited, total under 2KB including space for id, label, etc.

 

As I would like to use an RSA4096 key, I have to trim off some extra x509 extension text to fit it in the space and can only use DER form. The certificate and private key pair have the same ID and label to use for signing.

 

yubihsm> list objects 0

Found 8 object(s)

id: 0x0001, type: authentication-key, sequence: 0

id: 0x0003, type: wrap-key, sequence: 0

id: 0x0004, type: authentication-key, sequence: 0

id: 0x0005, type: authentication-key, sequence: 0

id: 0x0006, type: asymmetric-key, sequence: 1

id: 0x0006, type: opaque, sequence: 1

id: 0x4295, type: asymmetric-key, sequence: 0

id: 0x4295, type: opaque, sequence: 2

 

yubihsm> get objectinfo 0 0x4295 asymmetric-key

id: 0x4295, type: asymmetric-key, algorithm: rsa2048, label: "gridcanada", length: 896, domains: 3, sequence: 0, origin: generated, capabilities: exportable-under-wrap:sign-attestation-certificate:sign-pkcs:sign-pss

yubihsm> get objectinfo 0 0x4295 opaque

id: 0x4295, type: opaque, algorithm: opaque-x509-certificate, label: "gridcanada", length: 1302, domains: 3, sequence: 2, origin: imported, capabilities: exportable-under-wrap

 

yubihsm> get objectinfo 0 0x0006 asymmetric-key

id: 0x0006, type: asymmetric-key, algorithm: rsa4096, label: "Online", length: 1792, domains: 3, sequence: 1, origin: imported, capabilities: decrypt-pkcs:export-wrapped:exportable-under-wrap:set-option:sign-attestation-certificate:sign-ecdsa:sign-eddsa:sign-hmac:sign-pkcs:sign-pss:unwrap-data

yubihsm> get objectinfo 0 0x0006 opaque

id: 0x0006, type: opaque, algorithm: opaque-x509-certificate, label: "Online", length: 1639, domains: 3, sequence: 1, origin: imported, capabilities: exportable-under-wrap

 

I can use either the "gridcanada" or "Online" label to sign certificates. "gridcanada" was generated by the HSM itself and "Online" was imported from the OS. The intention is to use the imported cert/key.

 

2. Using pkcs11-tool tests on CentOS 7 appears to have issues, and I am unable to determine what the cause is.

 

# pkcs11-tool --module /usr/lib64/pkcs11/yubihsm_pkcs11.so -l --pin 0001password -O

Using slot 0 with a present token (0x0)

Secret Key Object; unknown key algorithm 3646243370

  label:      Wrap key

  ID:         0003

  Usage:      wrap, unwrap

Private Key Object; RSA

  label:      gridcanada

  ID:         4295

  Usage:      sign

Public Key Object; RSA 2048 bits

  label:      gridcanada

  ID:         4295

  Usage:      verify

Certificate Object; type = X.509 cert

  label:      gridcanada

warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

 

  ID:         4295

Private Key Object; RSA

  label:      Online

  ID:         0006

  Usage:      decrypt, sign

Public Key Object; RSA 4096 bits

  label:      Online

  ID:         0006

  Usage:      encrypt, verify

Certificate Object; type = X.509 cert

  label:      Online

warning: PKCS11 function C_GetAttributeValue(SUBJECT) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

 

  ID:         0006

 

I don't get the warning from an Ubuntu 21.04 VM. I wonder if this is due to the default OpenSSL version on CentOS 7.

3. Testing with EJBCA, I am finding that the signature is SHA1withRSA only, not SHA256 or SHA512.

 

$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so 0 1:5 Online sign

PKCS11 Token [SunPKCS11-yubihsm_pkcs11.so-slot0] Password:

2021-09-29 09:36:57,701 INFO  [org.cesecore.keys.util.SignWithWorkingAlgorithm] Signature algorithm 'SHA1WithRSA' working for provider 'SunPKCS11-yubihsm_pkcs11.so-slot0 version 1.8'.

Test client started, tail info and error files in this directory for output.

Statistic will be written to standard output each 10 second.

The test was started at Wed Sep 29 09:36:57 PDT 2021

1 threads will be started and 5 number of tests will be performed. Each thread will wait between 0 and -1 milliseconds between each test.

 

Total # of successfully performed tests:            5

Total # of failed tests:                            0

# of tests completed each second:                   1.10011

# of tests completed each second in last period:    1.10011

 

Relative average time for different tasks (all should sum up to 1):

sign verify:                                        0.03080308

sign operation:                                     0.95577556

sign preparation:                                   4.40044E-4

Time spent with test client work:                   0.012981298

 

Absolute extremes:

Min time for job 'sign verify' (ms):                4 (Wed Sep 29 09:37:02 PDT 2021)

Max time per job 'sign verify' (ms):                95 (Wed Sep 29 09:36:58 PDT 2021)

Min time for job 'sign operation' (ms):             865 (Wed Sep 29 09:36:58 PDT 2021)

Max time per job 'sign operation' (ms):             872 (Wed Sep 29 09:37:01 PDT 2021)

Min time for job 'sign preparation' (ms):           0 (Wed Sep 29 09:36:58 PDT 2021)

Max time per job 'sign preparation' (ms):           2 (Wed Sep 29 09:36:57 PDT 2021)

Test exited with 0 number of failures.

 

Is this because of Java 8? EJBCA does not support Java 11 at the moment. Hope someone can help.

 

One warning: when using "yubihsm-setup ejbca", make sure to use the "-d" option. Otherwise, the default authkey will be deleted and it is impossible to reset the HSM in software. Only delete the default key after it is ready for production.

 

Thanks,

 

Lixin.
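
Added example (not part of the original post, and not Yubico or EJBCA code): a Python check over "get objectinfo" output like that quoted above. It confirms that each asymmetric key has an X.509 opaque object with the same ID and label, that the certificate fits a size budget, and that the key carries no capabilities beyond signing. The 2048-byte budget and the allowed capability set are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the four `get objectinfo` lines quoted in the post.
SAMPLE = """\
id: 0x4295, type: asymmetric-key, algorithm: rsa2048, label: "gridcanada", length: 896, domains: 3, sequence: 0, origin: generated, capabilities: exportable-under-wrap:sign-attestation-certificate:sign-pkcs:sign-pss
id: 0x4295, type: opaque, algorithm: opaque-x509-certificate, label: "gridcanada", length: 1302, domains: 3, sequence: 2, origin: imported, capabilities: exportable-under-wrap
id: 0x0006, type: asymmetric-key, algorithm: rsa4096, label: "Online", length: 1792, domains: 3, sequence: 1, origin: imported, capabilities: decrypt-pkcs:export-wrapped:exportable-under-wrap:set-option:sign-attestation-certificate:sign-ecdsa:sign-eddsa:sign-hmac:sign-pkcs:sign-pss:unwrap-data
id: 0x0006, type: opaque, algorithm: opaque-x509-certificate, label: "Online", length: 1639, domains: 3, sequence: 1, origin: imported, capabilities: exportable-under-wrap
"""

# Assumptions, not Yubico or EJBCA values: the byte budget echoes the post's
# "under 2KB"; the allowed set mirrors the HSM-generated "gridcanada" key.
CERT_BUDGET = 2048
SIGNING_CAPS = {"exportable-under-wrap", "sign-attestation-certificate",
                "sign-pkcs", "sign-pss"}

FIELD = re.compile(r'(\w+): (?:"([^"]*)"|([^,]+))')

def parse_objectinfo(text):
    """Turn each 'id: ..., type: ...' line into a dict of its fields."""
    objs = []
    for line in text.splitlines():
        if line.startswith("id:"):
            objs.append({k: (q or v).strip() for k, q, v in FIELD.findall(line)})
    return objs

def audit(text, cert_budget=CERT_BUDGET, allowed=SIGNING_CAPS):
    """Return (object id, finding) pairs for every asymmetric key."""
    by_id = defaultdict(dict)
    for obj in parse_objectinfo(text):
        by_id[obj["id"]][obj["type"]] = obj
    findings = []
    for oid, objs in sorted(by_id.items()):
        key, cert = objs.get("asymmetric-key"), objs.get("opaque")
        if key is None:
            continue
        if cert is None or cert["algorithm"] != "opaque-x509-certificate":
            findings.append((oid, "no-certificate"))
        else:
            if cert["label"] != key["label"]:
                findings.append((oid, "label-mismatch"))
            if int(cert["length"]) > cert_budget:
                findings.append((oid, "cert-over-budget"))
        extra = set(key["capabilities"].split(":")) - allowed
        if extra:
            findings.append((oid, "extra-capabilities:" + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for oid, finding in audit(SAMPLE):
        print(oid, finding)
```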
