Getting Started with OpenSSL pkcs11-provider
- Get a copy of the Securosys OpenSSL pkcs11-provider bundle. Follow the download instructions to obtain the credentials. Note that a username and password placed in the URL, as below, end up in your shell history and are visible to other local users in the process list while curl runs; curl -n with a ~/.netrc entry for securosys.jfrog.io avoids that. The -f flag makes curl fail on an HTTP error (for example a 401 from wrong credentials) instead of writing the error page into the .zip file.

P11_PROV_VERSION=0.3.0
CRED=<USERNAME:PASSWORD>
curl -fL "https://${CRED}@securosys.jfrog.io/artifactory/opensslv3-pkcs11/v${P11_PROV_VERSION}/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip" -o Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip
unzip Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip -d /tmp/securosys
- Extract the files to /usr/local/lib/ossl-modules/, then change the owner and set the permissions. This path has to match the module path that the bundle's OpenSSL configuration points to; openssl version -m prints the directory your OpenSSL build loads providers from by default. Mode 444 is world-readable (the .so must be readable by every user that loads the provider), so the primus group ownership only restricts access if you later tighten the mode.

unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-executable-v${P11_PROV_VERSION}.zip -d /tmp/securosys/
sudo mkdir -p /usr/local/lib/ossl-modules
sudo unzip -j /tmp/securosys/PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}-linux_amd64.zip -d /usr/local/lib/ossl-modules/
sudo chown root:primus /usr/local/lib/ossl-modules/pkcs11.{so,la,license}
sudo chmod 444 /usr/local/lib/ossl-modules/pkcs11.{so,la,license}
- Get an OpenSSL configuration in which the pkcs11-provider is enabled. The export only affects the current shell session and the processes started from it; every OpenSSL-based program in that session will then load the provider.

unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-configuration-v${P11_PROV_VERSION}.zip
export OPENSSL_CONF="$(pwd)/openssl.cnf"
- Test that the provider is enabled and offers signature algorithms:

openssl list -signature-algorithms

The output should contain lines ending in @ pkcs11, among them one for RSA @ pkcs11. If no @ pkcs11 lines appear, the provider was not loaded: check that OPENSSL_CONF points at the extracted openssl.cnf and that the module was installed where that configuration expects it.
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
{ 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
{ 1.3.101.112, ED25519 } @ default
{ 1.3.101.113, ED448 } @ default
{ 1.2.156.10197.1.301, SM2 } @ default
ECDSA @ default
HMAC @ default
SIPHASH @ default
POLY1305 @ default
CMAC @ default
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
{ 1.3.101.112, ED25519 } @ pkcs11
{ 1.3.101.113, ED448 } @ pkcs11
ECDSA @ pkcs11

- You can use the OpenSSL storeutl command to list the objects stored on your token:

openssl storeutl "pkcs11:token=<YOUR_USER_NAME>;pin-value=<YOUR_PKCS11_PIN>"

Note that pin-value= puts the PIN on the command line, where it is recorded in shell history and visible to other local users in the process list. RFC 7512 also defines the pin-source= attribute for supplying the PIN from a file or another out-of-band source; use that where the provider supports it.
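As a check after the steps above, here is an added example (not from the Securosys bundle or this page): a POSIX shell smoke test that parses the openssl list -signature-algorithms listing and fails unless RSA, ECDSA, ED25519 and ED448 are all served by the pkcs11 provider. The embedded listings are constructed to mirror the expected output above (plus the failure case where only the default provider loaded); the function name, the REQUIRED_ALGS set and the run argument are my own choices, not part of the bundle.

```shell
#!/bin/sh
# Added smoke test (not part of the Securosys bundle or its documentation).
# It checks that the algorithms this page expects are served by the "pkcs11"
# provider, using the same `openssl list -signature-algorithms` listing as above.

# Algorithms the page's expected output shows under "@ pkcs11" (my choice of set).
REQUIRED_ALGS="RSA ECDSA ED25519 ED448"

# Constructed sample listing that mirrors the expected output on this page;
# used when the script runs without the "run" argument, so it works offline.
SAMPLE_LISTING='{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
ECDSA @ default
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
{ 1.3.101.112, ED25519 } @ pkcs11
{ 1.3.101.113, ED448 } @ pkcs11
ECDSA @ pkcs11'

# Constructed listing from a shell where only the default provider loaded
# (the failure case): every line ends in "@ default".
DEFAULT_ONLY_LISTING='{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
{ 1.3.101.112, ED25519 } @ default
ECDSA @ default'

# check_pkcs11_algs "ALG1 ALG2 ..." < listing
# Returns 0 if every named algorithm appears on a line that ends in "@ pkcs11",
# 1 otherwise (naming the missing ones on stderr). Lines with an OID list look
# like "{ oid, ..., RSA, rsaEncryption } @ pkcs11"; plain ones like "ECDSA @ pkcs11".
# Anchoring on the trailing "@ pkcs11" means an algorithm that is only listed
# "@ default" counts as missing, which is exactly the "provider not loaded" case.
check_pkcs11_algs() {
    listing=$(cat)
    missing=""
    for alg in $1; do
        if ! printf '%s\n' "$listing" |
             grep -E "([{].*[ ,]${alg}[ ,].*[}]|^${alg}) @ pkcs11\$" >/dev/null; then
            missing="$missing $alg"
        fi
    done
    if [ -n "$missing" ]; then
        echo "not offered by the pkcs11 provider:$missing" >&2
        return 1
    fi
    echo "pkcs11 provider offers: $1"
    return 0
}

# "run" queries the real OpenSSL (needs OPENSSL_CONF exported as in the steps
# above); anything else checks the constructed sample so the script runs offline.
case "${1:-sample}" in
    run)    openssl list -signature-algorithms | check_pkcs11_algs "$REQUIRED_ALGS" ;;
    sample) printf '%s\n' "$SAMPLE_LISTING" | check_pkcs11_algs "$REQUIRED_ALGS" ;;
esac
```

Saved as, say, check-pkcs11.sh, run it as sh check-pkcs11.sh run in the shell where OPENSSL_CONF was exported; with no argument it only exercises the constructed sample. A non-zero exit with the missing algorithm names on stderr is the signal to revisit the OPENSSL_CONF export and the module path.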