Skip to main content

Quickstart

  1. Get a copy of the Securosys OpenSSL pkcs11-provider bundle. Follow the download instructions to obtain the credentials.

    P11_PROV_VERSION=0.3.0
    CRED=<USERNAME:PASSWORD>

    curl -L -XGET "https://${CRED}@securosys.jfrog.io/artifactory/opensslv3-pkcs11/v${P11_PROV_VERSION}/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip" -o Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip
    unzip Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}.zip -d /tmp/securosys

  2. Extract the files to /usr/local/lib/ossl-modules/. Change the owner and set the permissions.

    unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-executable-v${P11_PROV_VERSION}.zip -d /tmp/securosys/
    sudo mkdir -p /usr/local/lib/ossl-modules
    sudo unzip -j /tmp/securosys/PrimusAPI_OSSLv3-Provider-PKCS11-v${P11_PROV_VERSION}-linux_amd64.zip -d /usr/local/lib/ossl-modules/
    sudo chown root:primus /usr/local/lib/ossl-modules/pkcs11.{so,la,license}
    sudo chmod 444 /usr/local/lib/ossl-modules/pkcs11.{so,la,license}

  3. Get an OpenSSL configuration where the pkcs11-provider is enabled.

    unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-configuration-v${P11_PROV_VERSION}.zip
    export OPENSSL_CONF="$(pwd)/openssl.cnf"

  4. Test that the provider is enabled and offers signature algorithms

    openssl list -signature-algorithms

    The output should contain a line for RSA @ pkcs11

    { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
    { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
    { 1.3.101.112, ED25519 } @ default
    { 1.3.101.113, ED448 } @ default
    { 1.2.156.10197.1.301, SM2 } @ default
    ECDSA @ default
    HMAC @ default
    SIPHASH @ default
    POLY1305 @ default
    CMAC @ default
    { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
    { 1.3.101.112, ED25519 } @ pkcs11
    { 1.3.101.113, ED448 } @ pkcs11
    ECDSA @ pkcs11

    You can use the OpenSSL storeutl to list the objects stored on your token

    openssl storeutl "pkcs11:token=<YOUR_USER_NAME>;pin-value=<YOUR_PKCS11_PIN>"