Mender is a secure software update system designed to handle a large number of devices. It has a simple client-server architecture that allows central management of deployments to all devices.
Integrate Mender and DigiCert® Software Trust Manager PKCS11 using OpenSSL.
Note
Mender only supports the following keys and algorithms for signing.
Keys stored on:
Disk
HSM
Signing algorithms:
RSA (at least 3072 bits recommended)
ECDSA with curve P-256.
macOS or Linux operating system
OpenSSL (version 1.xx)
Software Trust Manager PKCS11 library
Set up mender-artifact
An artifact.mender file to be signed
Public key
OpenSSL version 1.xx is a Mender requirement.
Install OpenSSL version 1.xx for your operating system.
A configuration file is required for the OpenSSL PKCS#11 engine to use the Software Trust Manager PKCS11 library. This file is referenced by the sign commands below.
To download the Software Trust Manager PKCS11 library:
Sign in to DigiCert ONE.
Navigate to Software Trust Manager > Resources > Client tool repository.
Select your operating system.
Click the download icon next to Software Trust Manager PKCS#11 Library.
To create the configuration file for PKCS11:
Open an integrated development environment (IDE) or plain text editor.
Name the file as openssl.conf.
Copy and paste the following text for your operating system into the editor:
Configure OpenSSL to use this configuration file by setting the OPENSSL_CONF environment variable.
To set the OPENSSL_CONF environment variable, add:
Tip
OpenSSL does not support the following characters in sign commands: ; ! ' ( ) [ &
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Copy the file to the desired location to permit signing.
To sign the artifact with the private key held in Software Trust Manager, use:
:~/mender/test$ ./mender-artifact sign --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender
To replace an existing signature on an already-signed artifact, add the -f (force) flag:
:~/mender/test$ ./mender-artifact sign -f --key-pkcs11 "pkcs11:object=<keypair alias>;type=private" artifact.mender
To verify a signature using the public key file, use:
:~/mender/test$ ./mender-artifact validate --key <keypair public key>.pem artifact.mender
Output:
Artifact file 'artifact.mender' validated successfully
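The whole procedure above (engine configuration, the unsupported-character check from the tip, signing and validation) as one POSIX shell script. This is an added example, not DigiCert's or Mender's own code; the libp11 engine layout of openssl.conf, the engine and library paths, and the key alias are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: prepare the OpenSSL PKCS#11 engine configuration for the
# Software Trust Manager PKCS11 library, check paths against the characters
# OpenSSL rejects in sign commands, then sign and validate with mender-artifact.
# Assumed paths (placeholders): the libp11 engine shared object for OpenSSL 1.1
# and the Software Trust Manager PKCS11 library downloaded from DigiCert ONE.
ENGINE_SO="${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}"
STM_PKCS11_SO="${STM_PKCS11_SO:-/opt/digicert/stm-pkcs11-library.so}"

# Return 0 if the path contains none of ; ! ' ( ) [ & , 1 otherwise.
path_is_safe() {
    if printf '%s' "$1" | grep -q "[;!'()[&]"; then return 1; fi
    return 0
}

# Build the PKCS#11 URI mender-artifact expects for a private key alias.
pkcs11_uri() {
    printf 'pkcs11:object=%s;type=private' "$1"
}

# Write openssl.conf in the libp11 engine layout (assumed), pointing the
# pkcs11 engine at the Software Trust Manager PKCS11 library.
write_openssl_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $STM_PKCS11_SO
init = 0
EOF
}

# Sign with the HSM-held key, then validate with the exported public key.
# Requires mender-artifact, the engine and the library; not run by the tests.
sign_and_validate() {   # args: keypair alias, artifact path, public key .pem
    path_is_safe "$2" || { echo "unsupported character in path: $2" >&2; return 1; }
    OPENSSL_CONF="${OPENSSL_CONF:-$PWD/openssl.conf}" \
        ./mender-artifact sign --key-pkcs11 "$(pkcs11_uri "$1")" "$2" &&
    ./mender-artifact validate --key "$3" "$2"
}
```

Run `write_openssl_conf ./openssl.conf` once, export OPENSSL_CONF, then `sign_and_validate <keypair alias> artifact.mender <keypair public key>.pem`.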