path: root/p11p-daemon/README.md
blob: 6e725b242cee813c7904bd9dd1acd6b851436da4 (plain)
# p11p-daemon is a PKCS #11 proxy

## Install dependencies

### p11-kit

    $ sudo apt install p11-kit

Or, if your p11-kit package is too old (<0.23.15):

    $ sudo apt install pkg-config libffi-dev
    $ curl -LO https://github.com/p11-glue/p11-kit/releases/download/0.23.16.1/p11-kit-0.23.16.1.tar.gz
    $ curl -LO https://github.com/p11-glue/p11-kit/releases/download/0.23.16.1/p11-kit-0.23.16.1.tar.gz.sig
    $ gpg --verify p11-kit-0.23.16.1.tar.gz.sig
    $ tar xf p11-kit-0.23.16.1.tar.gz && cd p11-kit-0.23.16.1
    $ ./configure --without-libtasn1
    $ make all check
    $ sudo make install

### Erlang/OTP 19

Ideally, your OS distribution has Erlang/OTP 19.x:

    $ sudo apt install erlang

An alternative -- which hurts, because how would you verify kerl? --
would be:

    $ curl -LO https://raw.githubusercontent.com/kerl/kerl/master/kerl
    $ : pray that you got the right bits!
    $ chmod +x kerl
    $ sudo apt install libncurses5-dev
    $ ./kerl build 19.2
    $ mkdir ~/kerl
    $ ./kerl install 19.2 ~/kerl/19.2
    $ . ~/kerl/19.2/activate

## Compile p11p-daemon

If you don't have rebar3 installed, install it. See
<https://www.rebar3.org/docs/>.

If you don't have rebar3 in PATH, add it.

Example:

    $ export PATH=$PATH:~/.cache/rebar3/bin

Compile:

    $ cd p11p-daemon
    $ make

## Configure

For now, see config/sys.config for how to configure virtual tokens,
each with one or more PKCS #11 modules, i.e. shared libraries.

## Run

To start an Erlang shell running the p11p application:

    $ make shell

Quit by typing "q()." in the shell.

To start a "release", running in the background and logging to files
under _build/default/rel/p11p/log:

    $ make start

A socket per configured token, /run/user/$EUID/p11p/$TOKEN-$PID, can
now be used by a client.

Example using p11tool:

    $ P11_KIT_SERVER_ADDRESS=unix:path=/run/user/1000/p11p/vtoken0-26585 P11_KIT_DEBUG=none p11tool --provider /usr/lib/pkcs11/p11-kit-client.so --list-tokens
    Token 0:
        URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=b4a861d362dbd386;token=mytoken
        Label: mytoken
        Type: Generic token
        Manufacturer: SoftHSM project
        Model: SoftHSM v2
        Serial: b4a861d362dbd386
        Module: (null)
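Because the socket name carries the daemon's PID, the path changes on every start and a hard-coded `P11_KIT_SERVER_ADDRESS` like the one above goes stale. The following shell functions are an added example, not part of p11p-daemon: they resolve the live socket for a virtual token from the `$TOKEN-$PID` layout described above, ignore leftovers from earlier runs, and hand the address to the same `p11tool` invocation. The socket directory is a parameter so the lookup can be exercised against a constructed directory; `p11p_socket`, `p11p_client_address` and `p11p_list_tokens` are names chosen for this example.

```shell
# Resolve the p11p socket for a virtual token and hand it to a p11-kit client.
# Added example; not part of the p11p-daemon project. It assumes only the
# socket naming the README states: /run/user/$EUID/p11p/$TOKEN-$PID.

# p11p_socket DIR TOKEN
# Prints the socket path for TOKEN whose PID suffix belongs to a live
# process. Returns 1 if none is found (daemon not started, or only stale
# sockets from an earlier run are left behind in DIR).
p11p_socket() {
    _dir=$1
    _token=$2
    for _s in "$_dir/$_token"-*; do
        [ -e "$_s" ] || continue
        _pid=${_s##*/}
        _pid=${_pid#"$_token"-}
        # Accept only an all-digit suffix, so "vtoken0" does not pick up
        # a sibling entry such as "vtoken0-backup-77".
        case $_pid in
            ''|*[!0-9]*) continue ;;
        esac
        # kill -0 checks liveness without sending a signal; a PID that
        # no longer exists (or belongs to another user) is rejected.
        if kill -0 "$_pid" 2>/dev/null; then
            printf '%s\n' "$_s"
            return 0
        fi
    done
    printf 'p11p_socket: no live socket for token %s in %s\n' "$_token" "$_dir" >&2
    return 1
}

# p11p_client_address DIR TOKEN
# Prints the value to place in P11_KIT_SERVER_ADDRESS for TOKEN.
p11p_client_address() {
    _sock=$(p11p_socket "$1" "$2") || return 1
    printf 'unix:path=%s\n' "$_sock"
}

# p11p_list_tokens TOKEN
# Runs the README's p11tool listing against the resolved socket of the
# current user's p11p-daemon. Not called at load time; invoke it after
# sourcing this file, e.g.:  p11p_list_tokens vtoken0
p11p_list_tokens() {
    _addr=$(p11p_client_address "/run/user/$(id -u)/p11p" "$1") || return 1
    P11_KIT_SERVER_ADDRESS=$_addr P11_KIT_DEBUG=none \
        p11tool --provider /usr/lib/pkcs11/p11-kit-client.so --list-tokens
}
```

Source the file and call `p11p_list_tokens vtoken0`; a non-zero exit with the "no live socket" message means the release for that token is not running (or was started by a different user, whose sockets live under another `/run/user/$EUID`), which is easier to act on than p11-kit's generic connection failure.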

To stop the Erlang shell:

    $ make stop

## Known bugs and limitations

- Multiple p11 applications using the same vtoken in a given
  p11p-daemon will result in undefined behaviour.

  TODO: Make this work, or prohibit it by rejecting a second user of
  the same vtoken.

## Bug reports, questions, comments

  linus+p11p@sunet.se