### Install libp11 library

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the compiled libp11 library on the system.

```bash
$ sudo make install
```

--------------------------------

### Install libp11

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs the compiled libp11 library to the system.

```Shell
sudo make install
```

--------------------------------

### C CryptoAuthLib Example

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/README.md

This C code demonstrates initializing the library, getting the device revision, and generating random numbers.

```c
#include <stdio.h>
#include <stdlib.h>
#include "cryptoauthlib.h"

int main(void)
{
    ATCA_STATUS status;
    uint8_t revision[4];
    uint8_t randomnum[32];

    /* Open the device using the default Kit CDC interface configuration */
    status = atcab_init(&cfg_ateccx08a_kitcdc_default);
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
        exit(1);
    }

    /* Read the 4-byte device revision */
    status = atcab_info(revision);
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
        exit(1);
    }

    /* Request 32 random bytes from the device */
    status = atcab_random(randomnum);
    if (status != ATCA_SUCCESS)
    {
        printf("Error");
        exit(1);
    }

    return 0;
}
```

--------------------------------

### Install pkcs11-provider

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs the compiled pkcs11-provider to the system.

```Shell
$ sudo meson install -C builddir
```

--------------------------------

### Install Build Dependencies (Debian)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs Meson, Ninja, and build-essential for compiling the pkcs11-provider on Debian-like systems.

```Shell
# Debian like systems
$ sudo apt install build-essential
$ sudo apt install meson ninja-build
```

--------------------------------

### Install Build Dependencies (RPM)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs GCC, Meson, and Ninja for compiling the pkcs11-provider on RPM-based systems.


```Shell
# RPM based systems
$ sudo dnf install gcc
$ sudo yum install meson ninja
```

--------------------------------

### Install OpenSSL Development Headers (RPM)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs OpenSSL libraries and development headers on RPM-based systems.

```Shell
# RPM based systems
$ sudo yum install openssl
$ sudo yum install openssl-devel
```

--------------------------------

### Install p11-kit

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs the p11-kit package, which is useful for managing multiple PKCS#11 libraries. Choose the command for your distribution.

```Shell
sudo apt-get install p11-kit
```

```Shell
yum install p11-kit
```

--------------------------------

### Install build dependencies for libp11 (RPM)

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the necessary build dependencies for libp11 on RPM-based systems.

```bash
# RPM based systems
$ yum-builddep engine-pkcs11
```

--------------------------------

### Install OpenSSL Dependencies

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs OpenSSL libraries and development headers required for building the pkcs11 provider. Use the appropriate command for your distribution.

```Shell
sudo apt-get install openssl libssl-dev
```

```Shell
sudo yum install openssl
sudo yum install openssl-devel
```

--------------------------------

### Install pkg-config

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs the pkg-config utility, which is necessary for the build process. On RPM-based systems, it is often included with openssl-devel.


```Shell
sudo apt-get install pkg-config
```

```Shell
# pkg-config will be already installed as part of openssl-devel
```

--------------------------------

### Install Meson Build System Dependencies

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs Meson, Ninja, and essential build tools for compiling the pkcs11 provider. Adapt the commands based on your Linux distribution.

```Shell
sudo apt install build-essential
sudo apt install meson ninja-build
```

```Shell
sudo dnf install gcc
sudo yum install meson ninja
```

--------------------------------

### Install tox for Python Testing

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/tests/README.md

Install the tox testing tool using pip. This is the recommended method for running the test suite.

```bash
$ pip install tox
```

--------------------------------

### Install build dependencies for libp11 (Debian)

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the necessary build dependencies for libp11 on Debian-based systems.

```bash
# Debian like systems
$ sudo apt-get build-dep libengine-pkcs11-openssl1.1
```

--------------------------------

### Install pytest for Direct Test Execution

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/tests/README.md

Install the pytest framework using pip. This is an alternative to tox for running tests directly.

```bash
$ pip install pytest
```

--------------------------------

### Install Build Dependencies (Debian-like)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs necessary build tools like cmake and udev-dev on Debian-based systems.

```Shell
# Debian like systems
$ sudo apt-get install cmake udev-dev
```

--------------------------------

### Install p11-kit on RPM Systems

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the p11-kit package using yum.
This is a prerequisite for PKCS#11 configuration.

```bash
yum install p11-kit
```

--------------------------------

### Install pkg-config (Debian)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs the pkg-config utility on Debian-like systems, which is often required for building software that links against libraries.

```Shell
# Debian like systems
$ sudo apt-get install pkg-config
```

--------------------------------

### Install libp11 Build Dependencies

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Installs the necessary build dependencies for the libp11 library. Use the command appropriate for your system's package manager.

```Shell
sudo apt-get build-dep libengine-pkcs11-openssl1.1
```

```Shell
yum-builddep engine-pkcs11
```

--------------------------------

### Example: Retrieve device serial number

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/test/README.md

Example of retrieving the device serial number using the 'sernum' command, specifying the ECC608 device and HID I2C interface.

```bash
./cryptoauth_test sernum -d ecc608 -i hid i2c -a 0x6C
```

--------------------------------

### Install OpenSSL Development Headers (Debian)

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Installs OpenSSL 3.0+ libraries and development headers on Debian-based systems.

```Shell
# Debian like systems
$ sudo apt-get install openssl libssl-dev
```

--------------------------------

### Install p11-kit on Debian

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the p11-kit package on Debian-based systems, which is useful for managing multiple PKCS11 libraries.


```bash
# Debian like systems
$ sudo apt-get install p11-kit
```

--------------------------------

### Install p11tool on RPM-based systems

Source: https://github.com/microchiptech/cryptoauthlib/wiki/P11tool-Reference

Installs the gnutls-utils package on RPM-based systems, which provides the p11tool utility.

```Shell
# RPM based systems
$ yum install gnutls-utils
```

--------------------------------

### Install p11tool on Debian-like systems

Source: https://github.com/microchiptech/cryptoauthlib/wiki/P11tool-Reference

Installs the necessary gnutls-bin package on Debian-based systems to use p11tool.

```Shell
# Debian like systems
$ sudo apt-get install gnutls-bin
```

--------------------------------

### Install build dependencies for cryptoauthlib (RPM)

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs CMake and libudev development files for building cryptoauthlib on RPM-based systems.

```bash
# RPM based systems
$ yum install cmake
$ yum install libudev-devel
```

--------------------------------

### Install CryptoAuthLib Python Module

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/README.md

Use pip to install the CryptoAuthLib Python module. To upgrade, use the -U flag.

```bash
pip install cryptoauthlib
```

```bash
pip install -U cryptoauthlib
```

```bash
pip uninstall cryptoauthlib
```

--------------------------------

### Configure CryptoAuthLib HAL and Device Support

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/README.md

This example shows the minimum defines required in `atca_config.h` for CryptoAuthLib. It includes enabling I2C HAL and ATECC608 support. Ensure this file is present in your project.

```c
/* Cryptoauthlib Configuration File */
#ifndef ATCA_CONFIG_H
#define ATCA_CONFIG_H

/* Include HALS */
#define ATCA_HAL_I2C

/* Included device support */
#define ATCA_ATECC608_SUPPORT

/* \brief How long to wait after an initial wake failure for the POST to
 * complete.
 * If Power-on self test (POST) is enabled, the self test will run on waking
 * from sleep or during power-on, which delays the wake reply.
 */
#ifndef ATCA_POST_DELAY_MSEC
#define ATCA_POST_DELAY_MSEC 25
#endif

#endif // ATCA_CONFIG_H
```

--------------------------------

### Install gnutls-bin for p11tool

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the gnutls-bin package, which includes the p11tool utility for testing PKCS#11 devices. This command is for Debian-like systems.

```bash
sudo apt-get install gnutls-bin
```

--------------------------------

### Python CryptoAuthLib Initialization and Usage

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/README.md

This Python code mirrors the C example, showing library loading, initialization, device info retrieval, and random number generation.

```python
from cryptoauthlib import *

ATCA_SUCCESS = 0x00
revision = bytearray(4)
randomnum = bytearray(32)

# Locate and load the compiled library
load_cryptoauthlib()

assert ATCA_SUCCESS == atcab_init(cfg_ateccx08a_kithid_default())

assert ATCA_SUCCESS == atcab_info(revision)
print(''.join(['%02X ' % x for x in revision]))

assert ATCA_SUCCESS == atcab_random(randomnum)
print(''.join(['%02X ' % x for x in randomnum]))
```

--------------------------------

### Get atcab_info() Documentation

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/README.md

Demonstrates how to use Python's built-in help() function to view documentation for specific CryptoAuthLib functions.

```python
>>> help(cryptoauthlib.atcab_info)
Help on function atcab_info in module cryptoauthlib.atcab:

atcab_info(revision)
    Used to get the device revision number. (DevRev)

    Args:
        revision            4-byte bytearray receiving the revision number from the device.
                            (Expects bytearray)

    Returns:
        Status code
```

--------------------------------

### Install build dependencies for cryptoauthlib (Debian)

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs CMake and libudev development files for building cryptoauthlib on Debian-based systems.

```bash
# Debian like systems
$ sudo apt-get install cmake libudev-dev
```

--------------------------------

### Install cryptoauthlib Python Module

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

Install the cryptoauthlib Python module using pip. This is a prerequisite for using the Python-based configuration tools.

```bash
pi@raspberrypi:~ $ pip install cryptoauthlib
```

--------------------------------

### Build pkcs11-provider

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Configures and compiles the pkcs11-provider using Meson. To link with OpenSSL installed in a custom path, set PKG_CONFIG_PATH, CFLAGS, or LDFLAGS environment variables.

```Shell
meson setup builddir
meson compile -C builddir
```

--------------------------------

### Build and Install Cryptoauthlib with PKCS11 Support

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-TNGTLS

Configures, builds, and installs the cryptoauthlib with support for I2C, PKCS#11, TNGTLS, ATECC608A, and OpenSSL. Adjust the CMake flags to suit your needs.

```Shell
$ cd cryptoauthlib
$ mkdir build
$ cd build
$ cmake -DBUILD_TESTS=ON -DATCA_HAL_I2C=ON -DATCA_PKCS11=ON -DATCA_TNGTLS_SUPPORT=ON -DATCA_ATECC608A_SUPPORT=ON -DATCA_OPENSSL=ON ../
$ cmake --build .
$ sudo make install
```

```Shell
$ sudo cmake --build . --target install
```

--------------------------------

### Export public key with p11-kit setup

Source: https://github.com/microchiptech/cryptoauthlib/wiki/P11tool-Reference

Exports the public key associated with a private key using p11tool. Assumes p11-kit is configured.
The public key is printed to standard output if --outfile is not specified.

```Shell
$ p11tool --export-pubkey "pkcs11:token=0123EE;object=device;type=private"
warning: --login was not specified and it may be required for this operation.
warning: no --outfile was specified and the public key will be printed on screen.
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9wzUq1EUAoNrG01rXYjNd35mxKuA
Ojw/klIrNEBciSLLOTLjs/gvFS7N8AFXDK18vpxxu6ykzF2LRd7RY8yEFw==
-----END PUBLIC KEY-----
```

--------------------------------

### Install udev Development Package on Ubuntu

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/README.md

Install the udev development package required for Linux HID HAL files on Ubuntu. This command should be run in a terminal window.

```bash
sudo apt-get install libudev-dev
```

--------------------------------

### Get pkcs11-provider Source

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Clones the latest version of the pkcs11-provider from its GitHub repository.

```Shell
$ git clone https://github.com/latchset/pkcs11-provider.git
```

--------------------------------

### Configure ATCACERT Support in CMake

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/lib/atcacert/CMakeLists.txt

This snippet enables ATCACERT support by finding all C and H files in the current directory and adding them to the cryptoauth target. It also handles installation if a default include path is set.


```cmake
cmake_minimum_required(VERSION 3.10.0)
project(atcacertsupport C)

if(ATCACERT_SUPPORT)
    file(GLOB ATCACERT_SRC "*.c")
    file(GLOB ATCACERT_INC "*.h")

    # Compile directly with the rest of the sources
    target_sources(cryptoauth PRIVATE ${ATCACERT_SRC})

    if(DEFAULT_INC_PATH)
        install(FILES ${ATCACERT_INC} DESTINATION ${DEFAULT_INC_PATH}/atacert COMPONENT Development)
    endif()
endif()
```

--------------------------------

### Verify Initialization with p11tool

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

After configuration, use the p11tool --list-all command to verify that the required objects (private key, public key, root public key) have been successfully created and are accessible on the device.

```bash
pi@raspberrypi:~ $ p11tool --list-all
Object 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=private
    Type: Private key
    Label: device
    Flags: CKA_PRIVATE; CKA_SENSITIVE;
    ID:

Object 1:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=public
    Type: Public key
    Label: device
    ID:

Object 2:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=root;type=public
    Type: Public key
    Label: root
    ID:
```

--------------------------------

### Bootstrap and configure libp11

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Runs the build configuration tools for libp11 after cloning the repository.

```bash
cd libp11
./bootstrap
./configure
```

--------------------------------

### Configure and Build libp11

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Prepares and compiles the libp11 library. This involves running bootstrap, configure, and make commands.


```Shell
cd libp11
./bootstrap
./configure
make
```

--------------------------------

### Build pkcs11-provider

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-3.x-Reference

Sets up the build directory and compiles the pkcs11-provider using Meson and Ninja.

```Shell
$ meson setup builddir
$ meson compile -C builddir
```

--------------------------------

### Create and Copy Slot Configuration File

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Demonstrates how to create a device-specific configuration file by copying the template and naming it according to the PKCS#11 slot number.

```Shell
$ cd /var/lib/cryptoauthlib
$ cp slot.conf.tmpl 0.conf
```

--------------------------------

### Copy and configure device slot file

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Demonstrates how to copy the slot configuration template and name it for a specific device slot.

```bash
$ cd /var/lib/cryptoauthlib
$ cp slot.conf.tmpl 0.conf
```

--------------------------------

### List All PKCS11 Tokens

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

Use this command to list all available PKCS11 tokens and their details. Useful for verifying device detection.

```bash
pi@raspberrypi:~ $ p11tool --list-all
Object 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=private
    Type: Private key
    Label: device
    Flags: CKA_PRIVATE; CKA_SENSITIVE;
    ID:
```

--------------------------------

### Install PKCS#11 Utilities

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Installs the necessary gnutls-utils package for PKCS#11 operations on RPM-based systems.


```bash
yum install gnutls-utils
```

--------------------------------

### Configure Device with config.py

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

Use the config.py script to program the device with a default configuration, similar to the p11tool --initialize command. This script can be modified for custom configurations and may prompt for I2C address confirmation.

```bash
pi@raspberrypi:~ $ python cryptoauthtools/python/examples/config.py -i i2c

Configuring the device with an example configuration

Serial number:
    01 23 1D 8B 27 08 91 E4 EE

Reading the Lock Status
    Config Zone: Unlocked
    Data Zone: Unlocked

Getting the I2C Address
    Current Address: C0

The AT88CK590 Kit does not support changing the I2C addresses of devices.
If you are not using an AT88CK590 kit you may continue without errors
otherwise exit and specify a compatible (0xC0) address.
Continue (Y/n): Y
    New Address: B0

Program Configuration
    Programming ATECC608A Configuration
        Success

Verifying Configuration
        Success

Locking Configuration
        Locked

Activating Configuration
        Activated

Generating New Keys
    Key 0 Success:
        24 A4 6B 79 13 25 68 5B 41 CA EE 6B 70 7D 34 B0
        52 87 63 41 5B 90 FB 33 D0 95 31 69 4F 8B C5 55
        F6 A4 0F A5 89 C4 44 E8 ED 14 53 E6 B1 1B 24 9D
        47 2E 25 7E 56 E3 28 85 6B DD AF FB 67 F0 0F 02
    Key 2 Success:
        9B 40 D3 95 DE A1 82 74 17 88 0D 15 B5 7E 4A 11
        54 D8 BC 69 2F 70 CD DE F2 7C E2 9D D9 76 BD 43
        FD 18 76 F9 79 4F 08 8E F0 07 08 DF AC EE F4 A8
        8A C4 7C 17 37 0A BC DA 9A D8 29 A8 60 A2 41 E5
    Key 3 Success:
        C3 86 EA 09 C4 CD B0 E9 42 F6 22 79 63 8E B4 F1
        9B AA 43 80 7E CA 94 E6 8D 17 22 40 94 82 91 F3
        14 10 61 E9 D6 3A DD D7 35 34 3A 81 D9 E8 47 30
        B5 1E 32 E5 A9 D4 3E 27 DA 32 AF 85 98 23 43 2D
    Key 7 Success:
        7B 4B E6 3E 95 22 A2 2B 59 0A 18 0B FA C0 38 D2
        CB 50 5D 3D 3A 50 C1 09 97 13 DF CD 79 79 E5 EC
        9A 82 68 FC 9D B5 4A 35 DC 93 CB B6 97 6A AB 9F
        61 A9 9F 2C 19 79 85 8E 78 BA 85 74 4D D7 75 C4

Device Successfully Configured
```

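
Once the device is configured, the `p11tool --list-all` verification described on this page can be scripted. The following is an added example, not code from the cryptoauthlib project: it parses the listing format shown on this page, decodes each PKCS#11 URL, and reports which of the three expected objects are missing. The function names and the extra `CKA_SENSITIVE` and single-serial checks are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Listing copied from the `p11tool --list-all` output shown on this page.
SAMPLE_LISTING = """\
Object 0:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=private
    Type: Private key
    Label: device
    Flags: CKA_PRIVATE; CKA_SENSITIVE;
    ID:

Object 1:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=device;type=public
    Type: Public key
    Label: device
    ID:

Object 2:
    URL: pkcs11:model=ATECC608A;manufacturer=Microchip%20Technology%20Inc;serial=9F9CB19FF7BF;token=0123EE;object=root;type=public
    Type: Public key
    Label: root
    ID:
"""

# (object label, type) pairs the page says must exist after initialization.
REQUIRED_OBJECTS = frozenset(
    {("device", "private"), ("device", "public"), ("root", "public")}
)


def parse_pkcs11_uri(uri):
    """Return the percent-decoded path attributes of a pkcs11: URI (RFC 7512)."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    attrs = {}
    for part in rest.split("?", 1)[0].split(";"):  # drop any query component
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        attrs[key] = unquote(value)
    return attrs


def parse_list_all(text):
    """Parse `p11tool --list-all` output into one dict per listed object."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"Object \d+:", line):
            current = {}
            objects.append(current)
        elif current is not None and ":" in line:
            field, _, value = line.partition(":")
            current[field.strip()] = value.strip()
    for obj in objects:
        obj["attrs"] = parse_pkcs11_uri(obj["URL"]) if obj.get("URL") else {}
        obj["flags"] = {f.strip() for f in obj.get("Flags", "").split(";") if f.strip()}
    return objects


def audit_objects(objects, required=REQUIRED_OBJECTS):
    """Return a list of problems; an empty list means the listing looks complete."""
    problems = []
    found = {(o["attrs"].get("object"), o["attrs"].get("type")) for o in objects}
    for label, kind in sorted(required - found):
        problems.append("missing %s/%s" % (label, kind))
    for o in objects:
        # Assumption of this example: a private key should be marked sensitive.
        if o["attrs"].get("type") == "private" and "CKA_SENSITIVE" not in o["flags"]:
            problems.append("private key %s lacks CKA_SENSITIVE" % o["attrs"].get("object"))
    if len({o["attrs"].get("serial") for o in objects}) > 1:
        problems.append("objects come from more than one token serial")
    return problems


if __name__ == "__main__":
    for problem in audit_objects(parse_list_all(SAMPLE_LISTING)) or ["all required objects present"]:
        print(problem)
```

To check a live device, feed the captured output of `p11tool --list-all` to `parse_list_all` in place of `SAMPLE_LISTING`.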
--------------------------------

### Build libp11 library

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Compiles the libp11 library after configuration.

```bash
$ make
```

--------------------------------

### Initialize CryptoAuthLib Module

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/README.md

Loads the cryptoauthlib library and initializes the device connection.

```python
from cryptoauthlib import *
ATCA_SUCCESS = 0x00
load_cryptoauthlib()
assert ATCA_SUCCESS == atcab_init(cfg_ateccx08a_kithid_default())
```

--------------------------------

### Initialize cal_buffer with CAL_BUF_INIT

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/lib/atcacert/MIGRATION.md

Demonstrates the initialization of a `cal_buffer` structure using the `CAL_BUF_INIT` macro. This is used to provide data buffers to atcacert APIs, including the buffer size and a pointer to the buffer.

```c
uint8_t signer_ca_public_key[64] = { 0 };
cal_buffer signer_ca_public_key_buf = CAL_BUF_INIT(sizeof(signer_ca_public_key), signer_ca_public_key);

status = atcacert_read_cert(&cert_def, &signer_ca_public_key_buf, cert, &cert_size);
```

--------------------------------

### Run cryptoauth_test with command line arguments

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/test/README.md

Launch the cryptoauth_test application with command line arguments. Specify the command, device, interface, and optional interface options.

```bash
build> ./cryptoauth_test -d -i []
```

--------------------------------

### Build Cryptoauthlib with CMake

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Configuration

After configuration, use this command to build the Cryptoauthlib project. Ensure you are in the build directory.

```bash
cd cryptoauthlib/build
cmake --build .
```

--------------------------------

### Run Pytest Tests

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/python/tests/README.md

Execute tests using pytest with verbose output.
This requires pytest to be installed and PYTHONPATH to be configured.

```bash
$ pytest -vv
```

--------------------------------

### Get Device Revision Number

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-TNGTLS

Retrieves the device revision number using the 'info' command within the cryptoauth_test application.

```Shell
$ info
```

--------------------------------

### Clone cryptoauthtools Repository

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

Clone the cryptoauthtools project from GitHub. This repository contains example scripts for interacting with Microchip security devices.

```bash
pi@raspberrypi:~ $ git clone https://github.com/MicrochipTech/cryptoauthtools.git
```

--------------------------------

### Configure Build with CMake

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Runs CMake to configure the build process for cryptoauthlib after navigating into the source directory.

```Shell
$ cd cryptoauthlib
$ cmake .
```

--------------------------------

### Troubleshoot PKCS11 Initialization Error

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

This output indicates a failure during PKCS11 initialization, often due to device communication issues. Check the device connection and configuration.

```bash
pi@raspberrypi:~ $ p11tool --list-all
p11-kit: ateccx08: module failed to initialize: An error occurred on the device
pkcs11_init: PKCS #11 initialization error.
warning: no token URL was provided for this operation; the available tokens are:
```

--------------------------------

### List PKCS#11 Tokens

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-TNGTLS

Lists available PKCS#11 tokens using the p11tool. This command verifies that the PKCS#11 integration is correctly set up.


```Shell
$ p11tool --list-tokens
```

--------------------------------

### OpenSSL Below 3.0 PKCS#11 Engine Configuration

Source: https://github.com/microchiptech/cryptoauthlib/wiki/PKCS11-Linux-Setup

Add these lines to the end of your openssl.cnf file to configure OpenSSL versions below 3.0 to use the PKCS#11 engine. Adjust the dynamic_path and MODULE_PATH to match your installation.

```INI
[openssl_init]
engines=engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Wherever the engine installed by libp11 is. For example it could be:
# /usr/lib/arm-linux-gnueabihf/engines-1.1/libpkcs11.so
dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
MODULE_PATH = /usr/lib/libcryptoauth.so
init = 0
```

--------------------------------

### Configure cryptoauthlib with PKCS11 support

Source: https://github.com/microchiptech/cryptoauthlib/blob/main/app/pkcs11/README.md

Configures the cryptoauthlib build process to enable PKCS11 support using CMake.

```bash
cd cryptoauthlib
cmake -DATCA_PKCS11=ON .
```

--------------------------------

### Initialize Cryptoauthlib Device with P11tool

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Greengrass-HSI

Initialize the cryptoauthlib device using p11tool with a specified serial number and label. You will be prompted for the Security Officer's PIN.

```bash
pi@raspberrypi:~ $ p11tool --initialize "pkcs11:serial=9F9CB19FF7BF" --label greengrass
Enter Security Officer's PIN:
Initializing token...
atcab_is_locked(config): 0
atcab_info: 0
atcab_write_config_zone: 0
atcab_lock_config_zone: 0
atcab_is_locked(data): 0
atcab_lock_data_zone: 0
atcab_genkey(0): 0
atcab_genkey(2): 0
atcab_genkey(3): 0
atcab_genkey(7): 0
done
Token was successfully initialized; use --initialize-pin and --initialize-so-pin to set or reset PINs
```

--------------------------------

### Print Private and Public Key Details

Source: https://github.com/microchiptech/cryptoauthlib/wiki/OpenSSL-and-ATECC-Sign-Verify

Displays the private and public components of an EC key from a PEM file. Useful for inspecting key material and understanding its structure.

```bash
openssl ec -in key.pem -noout -text
```

--------------------------------

### Configure Cryptoauthlib with CMake

Source: https://github.com/microchiptech/cryptoauthlib/wiki/Configuration

Use this command to configure the Cryptoauthlib build with specific options. Ensure you are in the cryptoauthlib directory.

```bash
cd cryptoauthlib
mkdir build
cd build
cmake -DATCA_ATECC608A_SUPPORT=ON -DATCA_TFLEX_SUPPORT=on -DATCA_OPENSSL=ON -DATCA_HAL_KIT_HID=ON ../
```