[![Travis CI Build Status](https://travis-ci.org/opencryptoki/opencryptoki.svg?branch=master)](https://travis-ci.org/opencryptoki/opencryptoki)
[![Coverity Scan Build Status](https://img.shields.io/coverity/scan/16802.svg)](https://scan.coverity.com/projects/opencryptoki-opencryptoki)

# openCryptoki

Package version 3.15

Please see [ChangeLog](ChangeLog) for release specific information.

## OVERVIEW

openCryptoki version 3.15 implements the PKCS#11 specification version 3.0.

This package includes several cryptographic tokens:
CCA, ICA, TPM, SWToken, ICSF and EP11.

For a more in-depth overview of openCryptoki, please refer to the
[HOWTO](doc/opencryptoki-howto.md).

## REQUIREMENTS

- IBM ICA - requires libica library version 3.3.0 or higher for accessing ICA
  hardware crypto on IBM zSeries.

- IBM CCA - requires IBM XCrypto CEX3C card (or higher) and the CEX3C host
  libraries and tools version 4.1 (or higher).

- TPM - requires a TPM, TPM tools, and TCG software stack.

- SWToken - The software token uses OpenSSL version 1.0.2 or higher.

- ICSF - The Integrated Cryptographic Service Facility (ICSF) token requires
  openldap and openldap client software version 2.4.23 or higher. Lex and Yacc
  are also required to build this token.

- EP11 - The EP11 token uses the IBM Crypto Express adapters (starting with
  Crypto Express 4S adapters) configured with Enterprise PKCS#11 (EP11)
  firmware.

## BUILD PROCESS

The simplest way to compile this package is to enter the source code main
directory and do the following:

1. Run the bootstrap.sh script by typing:

```
$ ./bootstrap.sh
```

2. Configure the source code by typing:

```
$ ./configure
```

If you're planning to install the package into your home directory or to a
location other than `/usr/local` then add the flag `--prefix=PATH` to
`configure`. For example, if your home directory is `/home/luser` you can
configure the package to install itself there by invoking:

```
$ ./configure --prefix=/home/luser
```

If your stdll headers and libraries are not under any standard path, you will
need to pass the paths to your files to the configure script (`-I` for the
header directory goes into `CPPFLAGS`, `-L` for the library directory into
`LDFLAGS`). For instance:

```
$ CPPFLAGS="-I/path/include" LDFLAGS="-L/path/lib" ./configure
```

See `./configure --help` for info on various options. The default behavior is
to build a default token implicitly. For the s390 platform, the default token
is ICA. For other platforms, the default token is the software token. Other
tokens may be enabled using the corresponding `--enable-<tok>` configuration
option provided the appropriate libraries are available.

While running, `configure` prints some messages telling which features it is
checking for.

3. Compile the package by typing:

```
$ make
```

4. openCryptoki defaults to be usable by anyone who is in the group `pkcs11`.
Add the pkcs11 group before installing it, by typing as root the command:

```
# groupadd pkcs11
```

In addition, add the necessary user to the pkcs11 group (root doesn't need to
be in the pkcs11 group). Pass `-a` together with `-G` so that the user's
existing supplementary groups are kept rather than replaced:

```
# usermod -a -G pkcs11 <user>
```

5. Type `make install` (as root) to install the programs and any data files and
documentation. During installation, the following files go to the following
directories:

```
/prefix/sbin/pkcsconf
/prefix/sbin/pkcsslotd
/prefix/sbin/pkcsicsf
/prefix/libdir/libopencryptoki.so
/prefix/libdir/libopencryptoki.so.0
/prefix/libdir/opencryptoki/libopencryptoki.so
/prefix/libdir/opencryptoki/libopencryptoki.so.0
/prefix/libdir/opencryptoki/libopencryptoki.so.0.0.0
/prefix/var/lib/opencryptoki
/prefix/etc/opencryptoki/opencryptoki.conf
```

Token objects, which may be optionally built, go to the following locations:

```
/prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_cca.so.0.0.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_ep11.so.0.0.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_ica.so.0.0.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_icsf.so.0.0.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_sw.so.0.0.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so
/prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0
/prefix/libdir/opencryptoki/stdll/libpkcs11_tpm.so.0.0.0
```

where `prefix` is either `/usr/local` or the PATH that you specified in the
`--prefix` flag. `libdir` is the name of the library directory; for 32-bit
libraries it is usually `lib` and for 64-bit libraries it is usually `lib64`.

To maintain backwards compatibility, some additional symlinks are generated
(note that these are deprecated and applications should migrate to use the
LSB-compliant names and locations for libraries and executables):

```
/prefix/lib/opencryptoki/PKCS11_API.so
- Symlink to /prefix/lib/opencryptoki/libopencryptoki.so

/prefix/lib/opencryptoki/stdll/PKCS11_CCA.so
- Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_cca.so

/prefix/lib/opencryptoki/stdll/PKCS11_EP11.so
- Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ep11.so

/prefix/lib/opencryptoki/stdll/PKCS11_ICA.so
- Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_ica.so

/prefix/lib/opencryptoki/stdll/PKCS11_ICSF.so
- Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_icsf.so

/prefix/lib/opencryptoki/stdll/PKCS11_SW.so
- Symlink to /prefix/lib/opencryptoki/stdll/libpkcs11_sw.so

/prefix/lib/pkcs11/PKCS11_API.so
- Symlink to /prefix/lib/opencryptoki/libopencryptoki.so

/prefix/lib/pkcs11
- Directory created if non-existent

/prefix/lib/pkcs11/methods
- Symlink to /prefix/sbin

/prefix/lib/pkcs11/stdll
- Symlink to /prefix/lib/opencryptoki/stdll

/prefix/etc/pkcs11
- Symlink to /prefix/var/lib/opencryptoki
```

If any of these directories do not presently exist, they will be created on
demand. Note that if `prefix` is `/usr`, then `/prefix/var` and `/prefix/etc`
resolve to `/var` and `/etc`. On the `make install` stage, if content exists
in the old `/prefix/etc/pkcs11` directory, it will be migrated to the new
`/prefix/var/lib/opencryptoki` location.

If you are installing in your home directory make sure that `/home/luser/bin`
is in your path. If you're using the bash shell add this line at the end of
your `.bashrc` file:

```
PATH="/home/luser/bin:${PATH}"
export PATH
```

If you are using csh or tcsh, then use this line instead:

```
setenv PATH /home/luser/bin:${PATH}
```

By prepending your home directory to the rest of the PATH you can override
systemwide installed software with your own custom installation.

For more installation information, please check [INSTALL](INSTALL).
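As an added example (not part of the openCryptoki sources), the POSIX shell script below checks the outcome of steps 4 and 5 above: that the files `make install` is described as producing are present under a given prefix and libdir, and that a user is actually a member of the `pkcs11` group. The group check works on a getent(1)-style `name:x:gid:members` line, so it can be exercised offline; the temporary prefix layout and the group line in the demo are constructed, and all function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not openCryptoki code: verify an openCryptoki install.
# Assumptions: PREFIX and LIBDIR are the values used at configure/install
# time; group lines are in getent(1) "name:x:gid:user1,user2" form.

# Print the member field of a "name:x:gid:members" group line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Succeed (exit 0) if USER is listed in GROUP_LINE's member field.
# Live usage: user_in_group_line "$(getent group pkcs11)" "$USER"
user_in_group_line() {
    case ",$(group_members "$1")," in
        *,"$2",*) return 0 ;;
    esac
    return 1
}

# Print, one per line, every path from the README's `make install` list that
# is absent under PREFIX with library directory LIBDIR (lib or lib64).
# pkcsicsf and the per-token stdll libraries are optional builds, so they
# are not required here.
missing_install_files() {
    prefix=$1
    libdir=$2
    for path in \
        "$prefix/sbin/pkcsconf" \
        "$prefix/sbin/pkcsslotd" \
        "$prefix/$libdir/libopencryptoki.so" \
        "$prefix/$libdir/opencryptoki/libopencryptoki.so" \
        "$prefix/etc/opencryptoki/opencryptoki.conf" \
        "$prefix/var/lib/opencryptoki"
    do
        [ -e "$path" ] || printf '%s\n' "$path"
    done
}

# Number of missing paths (0 means the layout is complete).
missing_install_count() {
    missing_install_files "$1" "$2" | awk 'END { print NR }'
}

# Demonstration on a constructed layout: a temporary prefix with two of the
# required files left out, plus a constructed pkcs11 group line.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin" "$tmp/lib64/opencryptoki" \
             "$tmp/etc/opencryptoki" "$tmp/var/lib/opencryptoki"
    touch "$tmp/sbin/pkcsconf" "$tmp/sbin/pkcsslotd" \
          "$tmp/lib64/libopencryptoki.so"
    printf 'Missing under %s (%s):\n' "$tmp" "$(missing_install_count "$tmp" lib64)"
    missing_install_files "$tmp" lib64
    group_line='pkcs11:x:994:alice,bob'   # constructed getent(1) output
    for u in alice carol; do
        if user_in_group_line "$group_line" "$u"; then
            printf '%s: member of pkcs11\n' "$u"
        else
            printf '%s: NOT in pkcs11 (usermod -a -G pkcs11 %s)\n' "$u" "$u"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real system, run `missing_install_count /usr lib64` (or whatever prefix and libdir you configured) and `user_in_group_line "$(getent group pkcs11)" "$USER"`; a non-zero count or a failed group check explains the usual "no slots found" symptom before anyone starts debugging the tokens themselves.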

## CONFIGURATION

See:
https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lxce/lxce_stackoverview.html

Prior to version 3, openCryptoki used `pk_config_data` as its configuration
file. This file was created upon running `pkcs11_startup`. In version 3,
`pkcs11_startup` and `pk_config_data` have been removed and replaced with a
customizable config file named `opencryptoki.conf`. It contains an entry for
each token currently supported by openCryptoki. However, only those tokens whose
hardware and software requirements are available on the local system will show
up as present and available upon running the `pkcsconf -t` command.

Before using, each token must first be initialized. You can select the token
with the `-c <slot>` command line option; refer to the documentation linked to
above for further instructions.

Initialize a particular token by running `pkcsconf`:

```
$ pkcsconf -I -c <slot>
```

In this version of openCryptoki, the default SO PIN is `87654321`. This should
be changed to a different PIN value before use.

You can change the SO PIN by running `pkcsconf`:

```
$ pkcsconf -P -c <slot>
```

You can initialize and change the user PIN by typing:

```
$ pkcsconf -u -c <slot>
```

You can later change the user PIN again by typing:

```
$ pkcsconf -p -c <slot>
```

## CONTRIBUTING

See [CONTRIBUTING.md](CONTRIBUTING.md).