Get started
This guide provides a general overview to get you started using DigiCert®TrustCore SDK on various Linux systems. Ensure your host system meets the system requirements and has downloaded the necessary tools for your target platform.
System requirements
Notice
All sample scripts in this guide have been built and tested on a host using Ubuntu 18.04 with x86_64 architecture.
For Ubuntu 18.04 x86_64 hosts, ensure these prerequisites are met:
CMake Version 3.5 or higher.
cmake --version
If CMake is not installed:
sudo apt-get update && sudo apt-get install cmake
If CMake version is less than 3.5:
sudo apt-get remove cmake sudo apt-get update && sudo apt-get install cmake
Note
For more CMake versions, go to https://cmake.org/download/.
Required packages are
gcc-multilib
,build-essential
,libc6
,libc6-dev
,libc6-dev-i386
.sudo apt-get update && sudo apt-get install gcc-multilib build-essential libc6 libc6-dev libc6-dev-i386
Set required environment variables.
# Replace <path/to/mocn-mss> with the actual path to your mocn-mss directory export MSS_SRC_PKG=<path/to/mocn-mss>
Symmetric key encryption
TrustCore SDK provides robust support for various symmetric encryption algorithms, ensuring a versatile and secure framework for cryptographic operations.
Supported Algorithms
TrustCore SDK includes support for numerous symmetric key encryption algorithms such as AES in different modes (CBC, ECB, GCM, etc.), DES, 3DES, and more. These algorithms provide a strong foundation for securing data across various applications and systems.
Example: AES Encryption in CBC Mode
This section demonstrates the implementation of symmetric key encryption and decryption using the AES algorithm in CBC mode. While the example focuses on AES, the principles can be applied to other symmetric algorithms supported by TrustCore SDK.
Source Code
For practical implementation, refer to the example source code provided in TrustCore SDK:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_aes_example.c
This example includes detailed code snippets showing how to initialize the encryption settings, perform the encryption and decryption processes, and clean up resources.
Additional Information
For a deeper understanding of how to utilize these encryption capabilities, please visit the detailed guide at:
Symmetric Key Encryption Algorithms
This guide provides comprehensive information on setting up and using the various encryption algorithms within the TrustCore SDK.
Info: For specific API details and additional cryptographic parameters, refer to the Crypto Interface API reference.
Building and Verifying Examples
To build and run the AES encryption example, follow the steps outlined in the Build and Verify Crypto Interface example section. This will ensure that you can verify the correct implementation of the cryptographic operations in your environment.
AEAD Algorithms
In addition to standard symmetric encryption, TrustCore SDK supports Advanced Encryption Standard (AES) algorithms for Authenticated Encryption with Associated Data (AEAD), such as AES-GCM. These algorithms provide both encryption and authentication, ensuring the integrity and confidentiality of the data.
For more details on AEAD implementation using AES-GCM, including setting up and processing Additional Authenticated Data (AAD), refer to:
Explore the example source code in the file:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_aes_gcm_example.c
Asymmetric key encryption
TrustCore SDK offers comprehensive support for asymmetric key algorithms, including RSA, ECC, and DSA, and provides essential tools for secure encryption, digital signatures, and key management.
Note: For all examples and more detailed operations, follow the steps outlined in the Build and Verify Crypto Interface example section to compile and test the provided examples.
Obtaining keys
This section guides you through various methods of obtaining keys for asymmetric encryption, including key generation, key setting, key deserialization, or using a custom key BLOB from DigiCert.
For detailed steps on key management and instantiation, refer to the Obtaining Key section.
Example source code for generating ECC, RSA, and DSA keys is available at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_keygen_example.c
For comprehensive API documentation, consult the Crypto Interface API reference.
RSA encryption and decryption
Learn how to execute RSA encryption and decryption using PKCS #1 v1.5 and PKCS-OAEP padding modes. Detailed guidance and example codes are provided in TrustCore SDK documentation.
The source code for RSA encryption and decryption can be found at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_example.c
RSA signature and verification
Explore the methods for RSA signature creation and verification in PKCS #1 v1.5 and EMSA-PSS modes. This section provides insights into the secure signing and verification processes.
Source code for RSA signature and verification is available at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_example.c ${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_rsa_pss_example.c
ECC supported curves
Selecting the appropriate domain parameters and defining the curve are crucial steps in ECC. For guidance on selecting and using ECC supported curves, refer to ECC Supported Curves.
ECDSA signature and verification
The section on ECDSA covers both the signing and verification processes. It provides details on APIs that facilitate raw ECDSA signing and those that include message hashing in addition to signing.
For API details and example usage, refer to the Crypto Interface API reference.
Source code for ECDSA operations is located at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_ecc_example.c
ECDH key exchange
ECDH key exchange allows two parties to establish a shared secret securely. This section guides you through generating a shared secret using your private key and the public key of another party.
Example source code for ECDH key exchange is available at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_ecdh_example.c
DSA signature and verification
Understanding DSA signature creation and verification is essential for secure digital communications. This section provides detailed information on the process and APIs involved.
For more information on DSA operations, refer to the DSA Signature and Verification section.
Diffie-Hellman key exchange
The Diffie-Hellman key exchange section explains how two parties can securely establish a shared secret to enable encrypted communication. This process is vital for secure exchanges in various cryptographic protocols.
The source code for Diffie-Hellman key exchange can be found at:
${MSS_SRC_PKG}/src/crypto_interface/example/crypto_interface_dh_example.c
Advanced encryption and key exchange techniques
For advanced topics like AEAD algorithms, ECDSA, and ECDH key exchange, refer to the detailed sections in the TrustCore SDK documentation. Example codes and API references are provided to facilitate implementation.
For more specific operations like certificate enrollment and SCEP client setup, follow the detailed instructions provided in the respective sections. Remember to configure and utilize the environment variables and scripts correctly for successful execution.
Build and verify Crypto Interface example
TrustCore SDK provides a comprehensive example implementation of Crypto Interface, complete with a runnable executable. This allows you to see the practical application of the cryptographic functionalities offered by TrustCore SDK.
Location of source code
Source code for all cryptographic examples can be found in the package directory, detailed below:
${MSS_SRC_PKG}/src/crypto_interface/example
Build the examples
To compile Crypto Interface examples, use the provided script. This script sets up the necessary environment and compiles the source files into an executable. Run the following command in a Linux environment or its equivalent .bat script in a Windows environment:
${MSS_SRC_PKG}/scripts/build_cryptointerface_example.sh
Run the examples
Once the build is complete, you can run the examples to see the Crypto Interface in action. To execute the compiled examples, use the following script:
${MSS_SRC_PKG}/scripts/run_cryptointerface_example.sh
This script initiates the example executable, allowing you to test various cryptographic operations and see the results in real-time. Upon running the examples, the output will be displayed in the console. This output demonstrates how the cryptographic operations are performed using the TrustCore SDK, providing a clear insight into the functionality and performance of the cryptographic implementations.
Additional resources
For additional help and troubleshooting, refer to the detailed documentation provided with the TrustCore SDK or contact DigiCert support for more in-depth guidance and technical assistance.
This hands-on approach ensures that developers can effectively understand and implement the cryptographic features offered by the TrustCore SDK in their own applications, reinforcing security and functionality.
NanoCert SCEP client
Build and verify SCEP client example
To compile the NanoCert Client using the src/scep/tools/scepc.c
sample, execute the following script:
${MSS_SRC_PKG}/scripts/scep/build_scep_client_ncrypto_sw.sh --gdb --debug --digicert
Download and extract the scep_certs_digicert_iot.zip
into the appropriate directory by running:
unzip scep_certs_digicert_iot.zip -d <path to ${MSS_SRC_PKG}>
Configuring DigiCert ONE® IOT SCEP server
Set the following environment variables for your SCEP service:
SERVER_URL
=${Set with your SCEP service URL}
CHALLENGE_PW
=${Set to SCEP service credentials}
In DigiCert® IoT Trust Manager, navigate to the enrollment profile, locate the SCEP enroll/re-enroll URI, and find the challenge password in manage passcode.
To view all available command-line options for the SCEP client, run:
${MSS_SRC_PKG}/bin/scep_client --help # Example output LOG_OUTPUT: MSS WARNING NOT A PRODUCTION BUILD: MOCANA DEBUG CONSOLE HAS BEEN ENABLED. Usage: ./bin/scep_client <options> options: -scepc_serverURL <URL> specifies the scep server url -scepc_serverType <server type> specifies the scep server type <MOC | EBCA | ECDSA | WIN2003 | WIN2008 | WIN2012 | WIN2016> -scepc_challengePass <password> specifies the challenge password -scepc_filePath <path to files> specifies the directory path to the cert files -scepc_genKey specifies that the private key is to be generated -scepc_keyType <key type> specifies key type to be used for key generation <RSA | ECDSA> -scepc_keySize <key size> specifies key size to be used for key generation -scepc_csr_conf specifies the configuration file name to generate CSR -scepc_oldCert specifies the earlier issued certificate which is used to sign the CSR -scepc_oldKey specifies the private key blob file file name which is used to sign CSR -scepc_pkiOperation specifies the PKI operation <enroll | renew | rekey | getca | getcacaps | getcacertchain | getcrl | publishcrl | revokecert> # Default operation for scepc_pkiOperation is enroll
Note: The default operation for scepc_pkiOperation
is enroll.
Get a copy of the CA certificate
To fetch a copy of the Certificate Authority (CA) certificate, use the scepc_serverURL
option and set the scepc_pkiOperation
to getca
. An example command is:
${MSS_SRC_PKG}/bin/scep_client -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_pkiOperation getca
Certificate enrollment
For certificate enrollment, connect to the server using the scepc_serverURL
option and provide the challenge password:
${MSS_SRC_PKG}/bin/scep_client -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_keyType RSA -scepc_keySize 2048 -scepc_csr_conf sample_scep_csr.cnf -scepc_genKey -scepc_challengePass ${set_challenge_password}
Other PKI Operations
Perform other PKI operations by specifying the required operation in the command. This includes renewing and rekeying certificates, where you should set the scepc_oldCert
and scepc_oldPemKey
as needed.
Build and verify SCEP sample
To build the NanoCert using src/scep/tools/scep_sample_api.c
, run:
${MSS_SRC_PKG}/scripts/scep/build_scep_sample_ncrypto_sw.sh --gdb --debug --digicert
Again, ensure the scep_certs_digicert_iot.zip
is downloaded and unzipped in the correct directory as previously described.
SCEP sample: Certificate enrollment and other operations
The sample facilitates the certificate enrollment process by connecting to the SCEP server and handling the necessary PKI operations. Generate a key pair and CSR using the specified configuration file, then submit the enrollment request. Upon successful completion, a DER-formatted certificate is received.
Note: When dealing with “renew” and “rekey” PKI operations, ensure to set the scepc_oldCert
and scepc_oldPemKey
accordingly to facilitate these operations.
An example command for certificate enrollment would look similar to this:
${MSS_SRC_PKG}/bin/scep_sample -scepc_serverURL ${set_server_URL} -scepc_serverType GEN_POST -scepc_filePath scep_certs_digicert_iot -scepc_keyType RSA -scepc_keySize 2048 -scepc_csr_conf sample_scep_csr.cnf -scepc_challengePass ${set_challenge_password}