PKCS11 Proxy

The pkcs11-proxy is a way to tunnel PKCS11 over TCP (TLS). This page explains how to build and install PKCS11 proxy on the novena. There are various forks of this on github. We're going to use the SUNET fork since it supports TLS-PSK for authentication out of the box. The proxy does not currently support different word lengths on each side of the tunnel, so to use it with the novena platform your PKCS11 client must be 32-bit.

Why would you want this?

Not all applications will run on the arm-based novena. For instance, not all parts of opendnssec are fully ported to arm (and probably never will be).

Building PKCS11 proxy

# apt-get -y install git cmake libssl-dev
# git clone https://github.com/SUNET/pkcs11-proxy
# cd pkcs11-proxy
# mkdir build
# cd build
# cmake ..
# make
# make install

Setting up pkcs11 proxy on the novena

Next create a pre-shared secret for TLS authentication...

# (echo -n "psk:"`xxd -l 16 -p /dev/random`; echo) > psk.txt

The resulting file (psk.txt) needs to be present on both the server and the client side of the PKCS11 tunnel, so copy it (or its one-line content) to the client side of your proxy.

Now start a pkcs11 proxy daemon:

# env PKCS11_PROXY_TLS_PSK_FILE="psk.txt" PKCS11_DAEMON_SOCKET="tls://<your ip>:4444" pkcs11-daemon /usr/lib/libpkcs11.so

Now, on another machine (where pkcs11-proxy has been installed), access the remote token via:

# env PKCS11_PROXY_TLS_PSK_FILE="psk.txt" PKCS11_PROXY_SOCKET="tls://<your ip>:4444" pkcs11-tool --module /usr/local/lib/libpkcs11-proxy.so -I
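The PSK file is the only thing authenticating both ends of the tunnel, so it is worth creating it with owner-only permissions and checking its shape before handing it to the daemon. The script below is an added example, not part of the original page or of the pkcs11-proxy project: it generates the "<identity>:<hex key>" line in the same format as the xxd one-liner above (using od so it also runs where xxd is absent), verifies the file, and wraps the server and client invocations shown above in functions. The socket port (4444), library paths and environment variable names are the page's; the identity name "psk", the use of /dev/urandom and the permission check are this example's own choices.

```shell
#!/bin/sh
# Added example: create, check and use a TLS-PSK file for pkcs11-proxy.
# Assumes the file format "<identity>:<hex key>" produced by the page's
# xxd one-liner; the daemon/client paths are the ones the page uses.
set -eu

# Write "<identity>:<32 hex chars>" (16 random bytes, same length as the
# page's command) into $1, readable only by the owner. $2 is the identity
# (defaults to "psk", as in the page's command).
make_psk_file() {
    file="$1"
    identity="${2:-psk}"
    key=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; printf '%s:%s\n' "$identity" "$key" > "$file" )
    chmod 600 "$file"   # in case the file already existed with a wider mode
}

# Sanity-check a PSK file: exactly one line, "<identity>:<hex>" with at
# least 16 key bytes, and not readable by group or others. Returns 0 on
# success, 1 (with a reason on stderr) otherwise.
check_psk_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 1 ] || { echo "expected exactly one line" >&2; return 1; }
    grep -Eq '^[^:[:space:]]+:[0-9a-f]{32,}$' "$file" \
        || { echo "bad format, want identity:hexkey" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "permissions $mode too open, want 600" >&2; return 1 ;;
    esac
    return 0
}

# Server side (on the novena): serve the real PKCS11 library over TLS-PSK.
# $1 = PSK file, $2 = IP address to listen on.
start_daemon() {
    check_psk_file "$1"
    PKCS11_PROXY_TLS_PSK_FILE="$1" PKCS11_DAEMON_SOCKET="tls://$2:4444" \
        pkcs11-daemon /usr/lib/libpkcs11.so
}

# Client side: point pkcs11-tool at the proxy module and list slots.
# $1 = PSK file, $2 = IP address of the novena.
list_remote_slots() {
    check_psk_file "$1"
    PKCS11_PROXY_TLS_PSK_FILE="$1" PKCS11_PROXY_SOCKET="tls://$2:4444" \
        pkcs11-tool --module /usr/local/lib/libpkcs11-proxy.so -I
}

# Usage: ./psk.sh gen [file]  |  ./psk.sh server <file> <ip>  |  ./psk.sh client <file> <ip>
case "${1:-}" in
    gen)    make_psk_file "${2:-psk.txt}" && check_psk_file "${2:-psk.txt}" ;;
    server) start_daemon "$2" "$3" ;;
    client) list_remote_slots "$2" "$3" ;;
esac
```

Run "gen" on the novena, copy the resulting file to the client over a channel you trust (scp, for example), then run "server" on the novena and "client" on the other machine; both sides refuse to start if the file is malformed or world-readable.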

Tracing PKCS11 calls

If you want to trace the PKCS11 calls you can use pkcs11-spy from the opensc package. If you install opensc, look for a shared object called pkcs11-spy.so. On the novena it is in /usr/lib/arm-linux-gnueabihf/pkcs11-spy.so. To use it, set the environment variable PKCS11SPY to your real PKCS11 library and load pkcs11-spy.so instead. For instance, to use PKCS11 spy on the server side of the PKCS11 proxy, start the pkcs11-daemon thus:

# env PKCS11_PROXY_TLS_PSK_FILE="psk.txt" PKCS11SPY="/usr/lib/libpkcs11.so" PKCS11_DAEMON_SOCKET="tls://<your ip>:4444" pkcs11-daemon /usr/lib/arm-linux-gnueabihf/pkcs11-spy.so

This should now generate lots of output when you run PKCS11 calls over the tunnel.