How can I patch OpenSSL to work with the CloudHSM CKM_RSA_AES_KEY_WRAP mechanism?

Short description

The OpenSSL cipher -id-aes256-wrap-pad that's compatible with the CloudHSM PKCS #11 mechanism RSA_AES_KEY_WRAP isn't enabled by default in the OpenSSL command line tool.

Download and install the latest version of OpenSSL. Then, patch it to allow the envelope wrap that's required for the CKM_RSA_AES_KEY_WRAP mechanism.

Resolution

Follow these steps to use Bash commands to create a local copy of OpenSSL v1.1.0.

Note:

• These steps don't remove or alter the client's default installation of OpenSSL.
• These instructions use RHEL commands with the AWS account root user. Use the sudo su - command to switch to the root user. Then, use the patched version of OpenSSL.
• These instructions apply to OpenSSL v1.1.x only.

Patch OpenSSL to allow CKM_RSA_AES_KEY_WRAP

1. Run the following command to complete all steps as the root user to be sure that you have the correct permissions for directories and binaries:

   sudo su -

2. Run the following command, and then note the OpenSSL version:

   openssl version

3. Download the latest OpenSSL binaries in the /root/build directory. Run the following commands to set up the directories:

   mkdir $HOME/buildmkdir -p $HOME/local/ssl
   cd $HOME/build

4. Note the latest OpenSSL download version from the OpenSSL website.

5. Download and then unpack the binaries. Use the following commands:
   Note: Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version from step 4.

   wget https://www.openssl.org/source/openssl-1.1.1d.tar.gz
   tar -zxf openssl-1.1.1d.tar.gz

6. Install the patch, make gcc tools to patch, and then compile the downloaded binaries:

   yum install patch make gcc -y

7. Copy and paste this block, and then choose enter on your device.
   Note: If you use a version of OpenSSL other than OpenSSL-1.1.1d, then change the directory and update the commands. This patch works only with OpenSSL-1.1.1d.

   cat <<-EOF | patch -d $HOME/build/ -p 0
   diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.0d/apps/enc.c
   --- orig/openssl-1.1.1d/apps/enc.c      
   +++ openssl-1.1.1d/apps/enc.c   
   @@ -533,6 +533,7 @@
             */
    
            BIO_get_cipher_ctx(benc, &ctx);
   +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
    
            if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                BIO_printf(bio_err, "Error setting cipher %s\n",
   EOF
   

   You receive an output that confirms a successful patch similar to the following:

   [root@ip-172-31-20-119 ~]# cat <<-EOF | patch -d $HOME/build/ -p 0
   diff -ur orig/openssl-1.1.0d/apps/enc.c openssl-1.1.0d/apps/enc.c 
   --- orig/openssl-1.1.0d/apps/enc.c 
   +++ openssl-l.1.1d/apps/enc.c 
   @@ -533,6 +533,7 @@
           */
    
       BIO_get_cipher_ctx (benc, &ctx) ; 
   +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) ; 
    
       if (!EVP_CipherInit_ex (ctx, cipher, NULL, NULL, NULL, enc) )  {
            BIO_printf(bio_err, "Error setting cipher %s\n", 
   EOF 
    
   patching file openssl-1.1.1d/apps/enc.c
   

8. Run this command to compile the OpenSSL enc.c file:
   Note: It might take several minutes for each command to compile.

   cd $HOME/build/openssl-1.1.1d/./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
   make -j$(grep -c ^processor /proc/cpuinfo)
   make install

   You successfully installed the latest version of OpenSSL. This version of OpenSSL is dynamically linked to libraries in the $HOME/local/ssl/lib/ directory, and your shell can't run it directly.

9. Set the environment variable LD_LIBRARY_PATH to be sure that the associated libraries are available for OpenSSL.
   Note: Because you must run OpenSSL-1.1.1d multiple times, before you run the binary, create a script named openssl.sh that loads the $HOME/local/ssl/lib/ path.

   cd $HOME/local/bin/
   echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh

10. Use this command to set the execute bit on the script:

    chmod 755 ./openssl.sh

11. To start OpenSSL-1.1.1, run this command:

    $HOME/local/bin/openssl.sh

    Note: You can use the $HOME/local/bin/openssl.sh command later to run the patched version of OpenSSL into an environment variable. With the patched version of OpenSSL, you can run multiple commands.

12. You receive a command prompt. To verify the OpenSSL version, enter version, and then choose enter on your device.

13. To exit the command prompt, enter quit, and then choose enter on your device.

14. To set up an alias, run this command, or add it to your .bash_profile:

    alias OPENSSL_V111="$HOME/local/bin/openssl.sh"

15. Follow the instructions to securely transfer keys to CloudHSM with OpenSSL.

Related information

Supported mechanisms for the PKCS #11 library for AWS CloudHSM Client SDK 5