Openssl Pkcs11 Engine Slot
You could also use pkcs11-spy to see what is happening at the interface between engine-pkcs11.so and opensc-pkcs11.so Andreas On 05:06 PM, Adam Zimmerman wrote: Hi Andreasopenssl does work directly, after I make the change you mentioned in your other email (putting the slot number in), as well as setting up a template in my openssl.conf file. Reported by: 'Jeffrey W. Baker' Date: Fri, 14 Jan 2005 19:33:01 UTC. Severity: normal. Done: Andreas Jellinghaus Bug is archived. No further changes may be made. Forwarded to Andreas Jellinghaus.
If you buy a new code signing certificate from SwissSign, you must generate a CSR using a hardware HSM which stores your private key inaccessibly. Unfortunately, this is a new requirement and pure soft certificates (all secrets in a file) are no more allowed.
Fortunately, the SuisseID is such a valid HSM. It can easily be used in your Ubuntu Linux MinGW cross build environment to sign your executables.
Sign CSR With SuisseID Private Key
You need the engine file, in current Ubuntu, this is /usr/lib/ssl/engines/libpkcs11.so from package libengine-pkcs11-openssl, the PKCS#11 library, which is /usr/lib/libcvP11.so provided by SwissSign in package suisseid-pkcs11. You also need pkcs11-tool from package opensc and openssl from package openssl. For code signing, you need osslsigncode from package osslsigncode. Your SuisseID must be initialized using SuisseID Assistant name swisssign-init from package swisssign-init.
If you haven’t run the SuisseID installer, you can also add the SwissSign repository manually:
Install the dependencies:
If you haven’t initialized your SuisseID, do it now. You should have received a TIN / PUK Sheet from SwissSign with the transport PIN (TIN). Run swisssign-init and follow the instructions. Set a PIN, that you will need below.
Compile osslsigncode
Unfortunately, as of July 2018, the version of osslsigncode delivered in Ubuntu 16.04 is of the latest version 1.7.1, but still does not support the options -pkcs11engine and -pkcs11module. So I had to compile my own version of osslsigncode:
Find Key ID
Get a list of all objects in your SuisseID:
This shows all objects found on your SuisseID smart card (which is your HSM), e.g.:
You need the ID of the key with label SwissSign_digSig, here 00903c80c138a20f4b92625a25550a6503273537.
OpenSSL Configuration
You need am openssl configurate file engine.conf:
Generate CSR
Now you have all puzzle pieces to generate the HSM-signed CSR required for getting your SwissSign code signing certificate. Do not forget to plug in your USB SuisseID:
It asks for your PIN and a common name. The comon name will be overwritten in the SwissSign request form anyway. As you see, in option -key you specify a slot number (1, if you have one reader, just try different numbers), and the key ID that you got in the instructions above.
After running the command, a file request.csr is generated, that contains some lines between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.
Just copy the content of file request.csr into the CSR field on SuisseSign’s web page, fillout the forms, download the request form, fill it out, sign it and send it to the fullfilment.
Sign Code With SuisseID
After some days, you get a mail containing download link for your certificate from SwissSign. Download it in cer format as certificate.pem.
Something to Sign
You need a windows exe or a dll to test. Simply use my windows cross compilation docker image to generate a windows openssl version in /tmp/test:
Now you have an exe that you can sign in the next step:
Openssl Pkcs11 Engine Slots
Sign a Windows Executable
Use osslsigncode(self-compiled, as explained above) to sign /tmp/test/usr/exe/openssl.exe: