How can I patch OpenSSL to enable use with the CloudHSM CKM_RSA_AES_KEY_WRAP mechanism?

Last updated: 2020-09-25

I want to use the AWS CloudHSM CKM_RSA_AES_KEY_WRAP mechanism with OpenSSL.

Short description

The OpenSSL cipher -id-aes256-wrap-pad, which is compatible with the CloudHSM PKCS #11 mechanism RSA_AES_KEY_WRAP, isn't enabled by default in the OpenSSL command line tool. You can download and install the latest version of OpenSSL, and then patch it to allow the envelope wrapping that is needed for the CKM_RSA_AES_KEY_WRAP mechanism.

Resolution

Follow these instructions to create a local copy of OpenSSL v1.1.0 using bash commands, without removing or altering the client's default installation of OpenSSL.

Note: These instructions use RHEL commands with the root account. You can switch to root using sudo su - and then use the patched version of OpenSSL.

Patching OpenSSL to allow CKM_RSA_AES_KEY_WRAP

1.    Complete all steps as root to be sure that you have the correct permissions for directories and binaries using this command:

sudo su -

2.    Run this command and note the OpenSSL version:

openssl version

3.    Download the latest OpenSSL binaries in the /root/build directory. Run these commands to set up the directories:

mkdir $HOME/build
mkdir -p $HOME/local/ssl
cd $HOME/build

4.    Note the latest OpenSSL version from the download page at https://www.openssl.org/source/.

5.    Download and unpack the binaries using these commands:

Note: Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version from step 4.

curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxf openssl-1.1.1d.tar.gz

6.    Install the patch, make, and gcc tools, which you need to patch and then compile the downloaded binaries:

yum install patch make gcc -y

7.    Copy and paste this block, and then choose enter on your device.

Note: You might need to change the directory if you use a different version than OpenSSL-1.1.1d. You might need to update these commands for newer versions of OpenSSL or this patch may not work.

cat <<-EOF | patch -d $HOME/build/ -p0
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
--- orig/openssl-1.1.1d/apps/enc.c      
+++ openssl-1.1.1d/apps/enc.c   
@@ -533,6 +533,7 @@
          */

         BIO_get_cipher_ctx(benc, &ctx);
+        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);

         if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
EOF
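
Review bot: The added EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) line runs unconditionally, directly before EVP_CipherInit_ex, so every cipher handled by apps/enc.c gets the wrap-allow flag, not only the wrap ciphers this change is meant to enable. Consider guarding it, for example with if (EVP_CIPHER_mode(cipher) == EVP_CIPH_WRAP_MODE), and adding a one-line comment that says why the flag is set. The hunk is also pinned to offset 533 of the 1.1.1d file, so a different release should be checked with patch --dry-run before applying.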

You receive an output confirming successful patching similar to the following:

[root@ip-172-31-20-119 ~]# cat <<-EOF | patch -d $HOME/build/ -p0
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c 
--- orig/openssl-1.1.1d/apps/enc.c 
+++ openssl-l.1.1d/apps/enc.c 
@@ -533,6 +533,7 @@
        */

    BIO_get_cipher_ctx (benc, &ctx) ; 
+        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) ; 

    if (!EVP_CipherInit_ex (ctx, cipher, NULL, NULL, NULL, enc) )  {
         BIO_printf (bio_err, "Error setting cipher %s\n" , 
EOF 

patching file openssl-1.1.1d/apps/enc.c

8.    Run these commands to compile OpenSSL with the patched enc.c file:

Note: Compiling might take several minutes for each command.

cd $HOME/build/openssl-1.1.1d/
./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
make -j$(grep -c ^processor /proc/cpuinfo)
make install

9.    You successfully installed the latest version of OpenSSL. This version of OpenSSL is dynamically linked to libraries in the $HOME/local/ssl/lib/ directory, and your shell can't run it directly. Set the environment variable LD_LIBRARY_PATH to be sure that the associated libraries are available for OpenSSL.

Tip: Because you need to run OpenSSL-1.1.1d multiple times, create a script named openssl.sh that loads the $HOME/local/ssl/lib/ path before running the binary.

cd $HOME/local/bin/

echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh

10.    Set the execute bit on the script using this command:

chmod 755 ./openssl.sh

11.    To start OpenSSL-1.1.1, run this command:

$HOME/local/bin/openssl.sh

Tip: You can later store the $HOME/local/bin/openssl.sh command in an environment variable to run the patched version of OpenSSL. This allows you to reference the patched version of OpenSSL when you want to run multiple commands.

12.    You receive a command prompt. To verify the OpenSSL version, enter version, and then choose enter on your device.

13.    To set up an alias, run this command, or add it to your .bash_profile:

alias OPENSSL_V111="$HOME/local/bin/openssl.sh"

14.    Follow the instructions to securely transfer keys to CloudHSM with OpenSSL.
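
A post-build check for the procedure above, added here as an example and not part of the original article: one function confirms that the step 7 hunk landed exactly once and at the right place in enc.c, and the other confirms that the built binary accepts id-aes256-wrap-pad. The function names wrap_flag_patched and wrap_roundtrip are hypothetical, and the -iv value A65959A6 is the alternative initial value from RFC 5649, not something this page specifies.

```shell
#!/bin/bash
# Added example: post-patch checks. Function names are hypothetical.

# wrap_flag_patched FILE
# Succeeds only if FILE sets EVP_CIPHER_CTX_FLAG_WRAP_ALLOW exactly once and the
# next non-blank line is the EVP_CipherInit_ex() call shown in the step 7 hunk.
# Catches a patch that was applied twice or landed at the wrong offset.
wrap_flag_patched() {
    awk '
        index($0, "EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW)") {
            n++; pending = 1; next
        }
        pending && NF {
            if (index($0, "EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)")) ok = 1
            pending = 0
        }
        END { exit !(n == 1 && ok) }
    ' "$1"
}

# wrap_roundtrip OPENSSL_CMD
# Wraps 32 random bytes with id-aes256-wrap-pad under a throwaway AES-256 key,
# unwraps them, and compares the result with the input.
# Exit 0: wrap cipher usable; 1: enc refused the cipher or the round trip
# differs; 2: setup failed.
# The key is throwaway test data (-K places it on the command line).
wrap_roundtrip() (
    ossl=$1
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    kek=$("$ossl" rand -hex 32) || exit 2
    "$ossl" rand -out "$tmp/plain" 32 || exit 2
    # A65959A6 is the alternative initial value defined in RFC 5649.
    "$ossl" enc -id-aes256-wrap-pad -e -K "$kek" -iv A65959A6 \
        -in "$tmp/plain" -out "$tmp/wrapped" 2>/dev/null || exit 1
    "$ossl" enc -id-aes256-wrap-pad -d -K "$kek" -iv A65959A6 \
        -in "$tmp/wrapped" -out "$tmp/unwrapped" 2>/dev/null || exit 1
    cmp -s "$tmp/plain" "$tmp/unwrapped" || exit 1
)

# Usage after step 11:
#   wrap_flag_patched "$HOME/build/openssl-1.1.1d/apps/enc.c" && echo "source patched"
#   wrap_roundtrip "$HOME/local/bin/openssl.sh" && echo "wrap-pad enabled"
```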

