How can I patch OpenSSL to enable use with the CloudHSM CKM_RSA_AES_KEY_WRAP mechanism?

4 minute read

I want to use the AWS CloudHSM CKM_RSA_AES_KEY_WRAP mechanism with OpenSSL.

Short description

The OpenSSL cipher -id-aes256-wrap-pad compatible with the CloudHSM PKCS #11 mechanism RSA_AES_KEY_WRAP isn't enabled by default in the OpenSSL command line tool.

Download and install the latest version of OpenSSL. Then, patch it to allow the envelope wrap that's needed for the CKM_RSA_AES_KEY_WRAP mechanism.


Follow these steps to use Bash commands to create a local copy of OpenSSL v1.1.0.


  • These steps don't remove or alter the clients default installation of OpenSSL.
  • These instructions use RHEL commands with the root user account. Use the sudo su - command to switch to the root user. Then, use the patched version of OpenSSL.
  • These instructions apply to OpenSSL v1.1.x only.

Patch OpenSSL to allow CKM_RSA_AES_KEY_WRAP

  1. Run this command to complete all steps as the root user to be sure that you have the correct permissions for directories and binaries:

    sudo su -
  2. Run this command, and then note the OpenSSL version:

    openssl version
  3. Download the latest OpenSSL binaries in the /root/build directory. Run these commands to set up the directories:

    mkdir $HOME/buildmkdir -p $HOME/local/ssl
    cd $HOME/build
  4. Note the latest OpenSSL download version from the OpensSSL website.

  5. Download and then unpack the binaries using these commands:
    Note: Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version from step 4.

    curl -O -zxf openssl-1.1.1d.tar.gz
  6. Install the patch, make gcc tools to patch, and then compile the downloaded binaries:

    yum install patch make gcc -y
  7. Copy and paste this block, and then choose enter on your device.
    Note: You might need to change the directory if you use a different version than OpenSSL-1.1.1d. You might need to update these commands for newer versions of OpenSSL or this patch might not work.

    cat <<-EOF | patch -d $HOME/build/ -p0diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
    --- orig/openssl-1.1.1d/apps/enc.c      
    +++ openssl-1.1.1d/apps/enc.c   
    @@ -533,6 +533,7 @@
             BIO_get_cipher_ctx(benc, &ctx);
    +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
             if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                 BIO_printf(bio_err, "Error setting cipher %s\n",

    You receive an output that confirms a successful patch similar to the following:

    [root@ip-172-31-20-119 ~]# cat <<-EOF | patch -d $HOME/build/ -p0 diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c 
    --- orig/openssl-1.1.1d/apps/enc.c 
    +++ openssl-l.1.1d/apps/enc.c 
    @@ -533,6 +533,7 @@
        BIO_get_cipher_ctx (benc, &ctx) ; 
    +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) ; 
        if (!EVP_CipherInit_ex (ctx, cipher, NULL, NULL, NULL, enc) )  {
             BIO_printf (bio_err, "Error setting cipher %s\n" , 
    patching file openssl-1.1.1d/apps/enc.c
  8. Run this command to compile the OpenSSL enc.c file:
    Note: It might take several minutes for each command to compile.

    cd $HOME/build/openssl-1.1.1d/./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
    make -j$(grep -c ^processor /proc/cpuinfo)
    make install

    You successfully installed the latest version of OpenSSL. This version of OpenSSL is dynamically linked to libraries in the $HOME/local/ssl/lib/ directory, and your shell can't run it directly.

  9. Set the environment variable LD_LIBRARY_PATH to be sure that the associated libraries are available for OpenSSL.
    Tip: Because you must run OpenSSL-1.1.1d multiple times, before you run the binary, create a script named that loads the $HOME/local/ssl/lib/ path.

    cd $HOME/local/bin/
    echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./
  10. Use this command to set the execute bit on the script:

    chmod 755 ./
  11. To start OpenSSL-1.1.1, run this command:


    Tip: You can use the $HOME/local/bin/ command later to run the patched version of OpenSSL into an environment variable. This allows you to reference the patched version of OpenSSL to run multiple commands.

  12. You receive a command prompt. To verify the OpenSSL version, enter version, and then choose enter on your device.

  13. To exit the command prompt, enter quit, and then choose enter on your device.

  14. To set up an alias, run this command, or add it to your .bash_profile:

    alias OPENSSL_V111="$HOME/local/bin/"
  15. Follow the instructions to securely transfer keys to CloudHSM with OpenSSL.

Related information

Supported mechanisms

AWS OFFICIALUpdated a month ago