Download and install the latest version of OpenSSL. Then, patch it to allow the envelope wrap that's needed for the CKM_RSA_AES_KEY_WRAP mechanism.
Follow these steps to use Bash commands to create a local copy of OpenSSL v1.1.0.
-
Run this command to perform all of the following steps as the root user, so that you have the correct permissions for the directories and binaries:
sudo su -
-
Run this command, and then note the OpenSSL version:
openssl version
-
Download the latest OpenSSL binaries in the /root/build directory. Run these commands to set up the directories:
mkdir $HOME/build
mkdir -p $HOME/local/ssl
cd $HOME/build
-
Note the latest OpenSSL download version from the OpenSSL website.
-
Download and then unpack the binaries using these commands:
Note: Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version from step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxf openssl-1.1.1d.tar.gz
-
Install the patch, make, and gcc tools that you need to patch and then compile the downloaded OpenSSL:
yum install patch make gcc -y
-
Copy and paste this block, and then choose enter on your device.
Note: If you use a version other than OpenSSL-1.1.1d, change the directory names accordingly. Newer versions of OpenSSL might require updated commands, and this patch might not apply to them.
cat <<-EOF | patch -d $HOME/build/ -p0
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
--- orig/openssl-1.1.1d/apps/enc.c
+++ openssl-1.1.1d/apps/enc.c
@@ -533,6 +533,7 @@
*/
BIO_get_cipher_ctx(benc, &ctx);
+ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
BIO_printf(bio_err, "Error setting cipher %s\n",
EOF
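Review bot: the context lines of this hunk (the `*/`, `BIO_get_cipher_ctx(benc, &ctx);`, `if (!EVP_CipherInit_ex(...` and `BIO_printf(bio_err, ...` lines) appear without the leading space that unified-diff context lines require, and the header `@@ -533,6 +533,7 @@` promises 6 old and 7 new lines while only 4 and 5 are shown, so the hunk looks whitespace-stripped and truncated; restore the leading spaces and the two missing trailing context lines from the real apps/enc.c (or regenerate the hunk with diff -u) before relying on the "patching file" output shown below, otherwise patch is likely to report a malformed hunk. The placement of the added line is right: EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) must run before EVP_CipherInit_ex, because OpenSSL rejects wrap-mode ciphers unless that flag is already set on the context.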
You receive an output that confirms a successful patch similar to the following:
[root@ip-172-31-20-119 ~]# cat <<-EOF | patch -d $HOME/build/ -p0
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
--- orig/openssl-1.1.1d/apps/enc.c
+++ openssl-1.1.1d/apps/enc.c
@@ -533,6 +533,7 @@
*/
BIO_get_cipher_ctx (benc, &ctx) ;
+ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) ;
if (!EVP_CipherInit_ex (ctx, cipher, NULL, NULL, NULL, enc) ) {
BIO_printf (bio_err, "Error setting cipher %s\n" ,
EOF
patching file openssl-1.1.1d/apps/enc.c
-
Run these commands to configure and compile OpenSSL, including the patched enc.c file:
Note: Each command might take several minutes to complete.
cd $HOME/build/openssl-1.1.1d/
./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
make -j$(grep -c ^processor /proc/cpuinfo)
make install
You have now installed the latest version of OpenSSL. This version of OpenSSL is dynamically linked to libraries in the $HOME/local/ssl/lib/ directory, so your shell can't run it directly.
-
Set the environment variable LD_LIBRARY_PATH to be sure that the associated libraries are available for OpenSSL.
Tip: Because you must run OpenSSL-1.1.1d multiple times, before you run the binary, create a script named openssl.sh that loads the $HOME/local/ssl/lib/ path.
cd $HOME/local/bin/
echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
-
Use this command to set the execute bit on the script:
chmod 755 ./openssl.sh
-
To start OpenSSL-1.1.1, run this command:
$HOME/local/bin/openssl.sh
Tip: You can later assign the $HOME/local/bin/openssl.sh command to an environment variable or alias, so that you can reference the patched version of OpenSSL from multiple commands.
-
You receive a command prompt. To verify the OpenSSL version, enter version, and then choose enter on your device.
-
To exit the command prompt, enter quit, and then choose enter on your device.
-
To set up an alias, run this command, or add it to your .bash_profile:
alias OPENSSL_V111="$HOME/local/bin/openssl.sh"
-
Follow the instructions to securely transfer keys to CloudHSM with OpenSSL.
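A quick way to confirm that the patch took effect, and that you are calling the patched build rather than the system openssl, is to ask each binary to run the id-aes256-wrap-pad cipher through enc. The script below is an added example, not part of the original article or of OpenSSL; it assumes the $HOME/local/bin/openssl.sh wrapper created above, and the key-encryption key and 32-byte target key it feeds to enc are constructed test values.

```shell
#!/bin/bash
# Report whether a given openssl binary lets `enc` use a key-wrap cipher.
# Prints exactly one of: allowed | blocked | missing | error:<detail>
wrap_check() {
    local openssl_bin="$1"
    local tmpdir status err size
    # Constructed test values only: a fixed 256-bit KEK and a 32-byte "target key".
    local kek_hex="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
    if ! command -v "$openssl_bin" >/dev/null 2>&1; then
        echo "missing"
        return 0
    fi
    tmpdir="$(mktemp -d)"
    printf 'abcdefghijklmnopqrstuvwxyz012345' > "$tmpdir/target.key"
    # A65959A6 is the RFC 5649 default IV for AES key wrap with padding.
    if "$openssl_bin" enc -id-aes256-wrap-pad -K "$kek_hex" -iv A65959A6 \
           -in "$tmpdir/target.key" -out "$tmpdir/wrapped.bin" 2>"$tmpdir/err.txt"; then
        status=0
    else
        status=$?
    fi
    err="$(cat "$tmpdir/err.txt")"
    size=0
    if [ -f "$tmpdir/wrapped.bin" ]; then
        size="$(wc -c < "$tmpdir/wrapped.bin" | tr -d ' ')"
    fi
    rm -rf "$tmpdir"
    # A 32-byte key wrapped with padding is 40 bytes: key material plus the 8-byte integrity block.
    if [ "$status" -eq 0 ] && [ "$size" -eq 40 ]; then
        echo "allowed"
    elif printf '%s' "$err" | grep -qi "wrap mode not allowed"; then
        # The unpatched enc refuses wrap ciphers because EVP_CIPHER_CTX_FLAG_WRAP_ALLOW is not set.
        echo "blocked"
    elif [ "$status" -eq 0 ]; then
        echo "error:unexpected_output_size_$size"
    else
        echo "error:exit_$status"
    fi
}

# Compare the system openssl with the patched wrapper from the steps above.
for bin in openssl "$HOME/local/bin/openssl.sh"; do
    printf '%-40s %s\n' "$bin" "$(wrap_check "$bin")"
done
```

On a host running an unpatched OpenSSL 1.1.x, the system openssl line should read blocked while the wrapper line reads allowed; any other combination means the wrong binary or an unpatched build is being picked up.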