I am trying to create a websocket client in my C++ project. I was trying to use the libwebsockets library to implement it. The websocket server is SSL enabled. I got this working by hard-coding the SSL cert and key. Now I need to get the private key from an HSM which supports the PKCS#11 format.
Libwebsockets doesn't have built-in support for PKCS#11. I don't see much documentation/help available for performing this step. I tried exploring opencryptoki but I could not get clear steps to carry out this step. Do you have any documentation for carrying this out?
Or is there any other library, other than libwebsockets, which can satisfy my requirement?
I added the libwebsockets dependency to my C++ project. Following their documentation and some samples provided here, https://github.com/warmcat/libwebsockets/tree/main/minimal-examples, I was able to get it working with certs passed as a hard-coded file path.
I added the opencryptoki library as a dependency. This is for PKCS#11 support, to set the private key in the SSL config of libwebsockets, but I'm not sure how to do it. I also integrated the cryptoauth library to obtain the private key from the HSM.
Can someone help me with this integration?
First you need to understand which library you are using for SSL in libwebsockets.
Once you figure that out, you can, for example, set up/configure libwebsockets to use OpenSSL.
I see on its GitHub page, https://github.com/warmcat/libwebsockets, that libwebsockets supports TLS using these libs: mbedtls (including v3), openssl (including v3), wolfssl, boringssl, libressl.
Now, for example, if you want to use OpenSSL, there is a pkcs11 engine available for OpenSSL which you can configure, and in that engine's config you will have to specify the HSM details. After doing all this, the internal cryptography required to perform SSL will be done through the HSM.
Generally most HSM vendors provide a pkcs11 library which you have to specify in engine_pkcs11's (this is an OpenSSL engine) config:
https://developers.yubico.com/YubiHSM2/Usage_Guides/OpenSSL_with_pkcs11_engine.html
That's an example where you can see this happening:
[pkcs11_section]
MODULE_PATH = /path/to/yubihsm_pkcs11.{so|dylib}
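As an added example (not taken from the answer above or from the Yubico guide), here is what the complete engine_pkcs11 configuration chain in an openssl.cnf looks like, from the top-level openssl_conf down to the MODULE_PATH line quoted above; the engine .so path and the HSM module path are placeholders you replace with your distribution's and vendor's paths:

```ini
# Added example openssl.cnf wiring the engine_pkcs11 engine to an HSM's PKCS#11 module.
# All file paths are placeholders; check your distribution and HSM vendor documentation.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Path to the engine_pkcs11 shared object (placeholder; distribution-specific)
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
# Path to the HSM vendor's PKCS#11 module (placeholder)
MODULE_PATH = /path/to/yubihsm_pkcs11.so
# Do not initialise (log in to) the engine at load time; the PIN is prompted for
# when a key is actually used, so it never has to sit in this file
init = 0
```

With OPENSSL_CONF pointing at this file, `openssl engine -t -c pkcs11` should list the engine as available before you try it from libwebsockets. The private key is then referenced through the engine by a PKCS#11 URI (for example `pkcs11:token=<placeholder>;object=<placeholder>`) rather than by a key file path.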