{"id":26397294,"url":"https://github.com/thalesgroup/luna-pkc-validator","last_synced_at":"2025-03-17T12:17:19.948Z","repository":{"id":248491434,"uuid":"827288796","full_name":"ThalesGroup/luna-pkc-validator","owner":"ThalesGroup","description":"A tool to validate a PKC certificate chain built by a Luna HSM.","archived":false,"fork":false,"pushed_at":"2025-03-14T19:41:52.000Z","size":15954,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-03-14T20:34:42.422Z","etag":null,"topics":["cryptographic-software","cryptography-tools","hsm","luna","public-key-certificate","thales","validation-tool"],"latest_commit_sha":null,"homepage":"https://thalesdocs.com","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ThalesGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-07-11T11:05:49.000Z","updated_at":"2025-03-14T19:41:56.000Z","dependencies_parsed_at":"2025-03-15T05:01:21.797Z","dependency_job_id":null,"html_url":"https://github.com/ThalesGroup/luna-pkc-validator","commit_stats":null,"previous_names":["thalesgroup/luna-pkc-validator"],"tags_count":2,"template":false,"template_full_name":"ThalesGroup/template-project","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fluna-pkc-validator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fluna-pkc-validator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposito
ries/ThalesGroup%2Fluna-pkc-validator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fluna-pkc-validator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ThalesGroup","download_url":"https://codeload.github.com/ThalesGroup/luna-pkc-validator/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244031135,"owners_count":20386534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptographic-software","cryptography-tools","hsm","luna","public-key-certificate","thales","validation-tool"],"created_at":"2025-03-17T12:17:19.248Z","updated_at":"2025-03-17T12:17:19.936Z","avatar_url":"https://github.com/ThalesGroup.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Luna PKC Validator\n\nThis project is part of the [Luna General Purpose HSMs](https://cpl.thalesgroup.com/encryption/hardware-security-modules/general-purpose-hsms) products suite, and more specifically of the [Luna Network HSM](https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms) product. 
\n\n## Introduction\n\nThis standalone Java application validates a PKC certificate chain built by a Luna Network HSM:\n\n- It checks the certificate chain against the provided root CA from the trusted source.\n\n- It checks that any provided Certificate Signing Request (CSR) matches the leaf certificate of the PKC chain.\n\nThe Luna root certificate can be retrieved [here](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/admin_partition/confirm/confirm_hsm.htm).\n\nLuna PKCs can be retrieved using the [CMU](https://www.thalesdocs.com/gphsm/luna/7/docs/network/Content/Utilities/cmu/cmu.htm) utility, using:\n\n- The [Luna Universal Client](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/Utilities/Preface.htm), and especially:\n\n  - The [Luna Shell (Lush)](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/lunash/Preface.htm)\n\n  - The [Luna client management tool (LunaCM)](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/lunacm/Preface.htm)\n\n- An existing initialized partition\n  - See [here for the creation of the partition (on the appliance)](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/lunacm/commands/partition/partition_create.htm)\n  - See [here for the initialization of the partition (on the appliance)](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/lunash/commands/partition/partition_init.htm)\n  - See [here for the initialization of the \"Crypto Officer\" role (on the client end)](https://thalesdocs.com/gphsm/luna/7/docs/network/Content/lunacm/commands/role/role_init.htm)\n\n- The \"Crypto Officer\" role password.\n\n- A handle to a private signing key within this partition, as provided by the following kind of command (to be run on the client end, as an administrator/root user; select the slot that represents the existing initialized partition mentioned above if needed, and provide the \"Crypto Officer\" password when requested):\n\n  - For an RSA key pair:\n```\ncmu generateKeyPair -mech=pkcs -modulusBits=2048 
-publicExp=65537 -sign=T -verify=T\n```\n  - For an ECC key pair:\n```\ncmu generateKeyPair -key ECDSA -curveType=3 -sign=T -verify=T\n```\n\nOn the client end, as a \"Crypto Officer\", get the PKC using the handle of the private key created at the previous step (select the slot that represents the existing initialized partition mentioned above if needed, and provide the \"Crypto Officer\" password, the handle that corresponds to the private key to use and the name of the output file [e.g. 'pkc.p7b'] when requested):\n\n```\ncmu getpkc\n```\n\nA CSR can be created using the following command (select the slot that represents the existing initialized partition mentioned above if needed, and provide the \"Crypto Officer\" password, as well as the handle that corresponds to the private key to use and the name of the output file [e.g. 'test.csr'] when requested):\n\n```\ncmu requestcertificate -C=CA -CN=test.com -E=test@test.com -L=Ottawa -O=Thales\n```\n\n## Build\n\nUsing Maven, with your own development environment including a JDK (11+) and Maven:\n\n```\nmvn clean compile assembly:single\n```\n\nUsing Podman:\n\n```\n./build-with-podman.sh\n```\n\nResults are produced in the \"target\" directory.\n\nThe \"luna-pkc-validator-1.0.0-jar-with-dependencies.jar\" JAR file is a self-sufficient Java archive that contains the validation function and the required dependencies (esp. 
the BouncyCastle library).\n\n## Run\n\nRefer to the usage documentation provided by the tool (displayed when it is run without any parameter).\n\n```\njava -jar luna-pkc-validator.jar --pkc \u003cpkc-file\u003e {--ca \u003cca-file\u003e | --req \u003creq-file\u003e}\n  --pkc  the PKC chain file to check.\n  --ca   the Thales HSM Root CA file.\n  --req  the Certificate Signing Request file.\n```\n\nNote: \"luna-pkc-validator.jar\" may need to be replaced with something like \"luna-pkc-validator-1.0.0-jar-with-dependencies.jar\" according to the way the JAR archive is produced by your Maven project.\n\n## Test\n\n### Check a PKC\n\nOnce the Luna root certificate(s) and a PKC file have been retrieved (e.g. \"pkc.p7b\"), the PKC can be checked with the following command:\n\n- For RSA keys:\n\n```\njava -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/rsa-pkc.p7b --ca ./tests/luna-rsa-root-certificate.pem\n```\n\n- For ECC keys:\n\n```\njava -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/ecc-pkc.p7b --ca ./tests/luna-ecc-root-certificate.pem\n```\n\n### Check a CSR\n\nA client certificate request can be checked with the following command:\n\n- For RSA keys:\n\n```\njava -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/rsa-pkc.p7b --req ./tests/rsa-test.csr\n```\n\n- For ECC keys:\n\n```\njava -jar target/luna-pkc-validator-1.0.0-jar-with-dependencies.jar --pkc ./tests/ecc-pkc.p7b --req ./tests/ecc-test.csr\n```\n\n## Contributing\n\nIf you are interested in contributing to this project, please read the [Contributing guide](CONTRIBUTING.md).\n\n## License\n\nThis software is provided under a [permissive 
license](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fluna-pkc-validator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthalesgroup%2Fluna-pkc-validator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fluna-pkc-validator/lists"}