
Getting started with OpenSSL v3.x

Securosys HSM Integration Guide - PKCS #11

  1. Get a copy of the Securosys OpenSSL pkcs11-provider bundle. Follow the download instructions to obtain the credentials. The bundle is downloaded into /tmp/securosys and unpacked there, because it contains the executable and configuration archives that the following steps refer to. Note that the version variable used in the URL must be the same one set above (the original command referenced an unset ${VERSION}). The credential ends up in your shell history and is visible in the process list while curl runs; on shared hosts read it from a file with restricted permissions (or use curl's --netrc-file) instead of typing it.

    USER=robot.reader.openssl
    CRED=REPLACE_ME
    P11_PROV_VERSION=latest
    mkdir -p /tmp/securosys
    curl -L -u "${USER}:${CRED}" "https://securosys.jfrog.io/artifactory/opensslv3-pkcs11/${P11_PROV_VERSION}/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip" -o "/tmp/securosys/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip"
    unzip "/tmp/securosys/Securosys_PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}.zip" -d /tmp/securosys
  2. Install the provider package. It places pkcs11.so (together with its .la and .license files) in /usr/local/lib/ossl-modules/, the default module directory of an OpenSSL built with the /usr/local prefix; if "openssl version -m" reports a different MODULESDIR on your host, either install there or set the module path explicitly in the configuration of step 3. Afterwards make the files owned by root and read-only, so that only root can replace a module that OpenSSL will load into every process using the HSM. The package is built for Debian 10 amd64, and the chown fails if no primus group exists on the host.

    sudo mkdir -p /tmp/securosys/providers /usr/local/lib/ossl-modules
    sudo unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-executable-${P11_PROV_VERSION}.zip -d /tmp/securosys/providers/
    sudo dpkg -i /tmp/securosys/providers/PrimusAPI_OSSLv3-Provider-PKCS11-${P11_PROV_VERSION}-debian10_amd64.deb
    sudo chown root:primus /usr/local/lib/ossl-modules/pkcs11.{so,la,license}
    sudo chmod 444 /usr/local/lib/ossl-modules/pkcs11.{so,la,license}
    ls -l /usr/local/lib/ossl-modules/
  3. Get an OpenSSL configuration in which the pkcs11 provider is enabled. The configuration archive from the bundle ships an openssl.cnf that loads the provider; point OPENSSL_CONF at it. The export below only affects the current shell: for permanent use, copy openssl.cnf to a fixed path and set OPENSSL_CONF in the environment of every user and service that should use the HSM.

    sudo unzip /tmp/securosys/securosys_primusapi_osslv3-provider-pkcs11-configuration-${P11_PROV_VERSION}.zip
    export OPENSSL_CONF="$(pwd)/openssl.cnf"
    # for a permanent setup, copy openssl.cnf to a fixed path and export OPENSSL_CONF from a profile
  4. Test that the provider is loaded and offers signature algorithms (openssl list -providers shows which providers are loaded; pkcs11 must appear next to default).

    openssl list -signature-algorithms

    The command lists every signature algorithm together with the provider that implements it. The output should contain entries marked "@ pkcs11" for RSA, ECDSA, ED25519 and ED448, in addition to the "@ default" entries:

    { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
    { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
    { 1.3.101.112, ED25519 } @ default
    { 1.3.101.113, ED448 } @ default
    { 1.2.156.10197.1.301, SM2 } @ default
    ECDSA @ default
    HMAC @ default
    SIPHASH @ default
    POLY1305 @ default
    CMAC @ default
    { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
    { 1.3.101.112, ED25519 } @ pkcs11
    { 1.3.101.113, ED448 } @ pkcs11
    ECDSA @ pkcs11

    You can use openssl storeutl to list the objects stored on your token (HSM); the token label is your HSM user name. A PIN passed as pin-value on the command line is recorded in the shell history and is visible to other local users in the process list for as long as the command runs, so on shared hosts read it from a restricted file rather than typing it. Characters such as ";" and "%" in the PIN or the token label must be percent-encoded, as RFC 7512 requires for PKCS#11 URIs.

    openssl storeutl "pkcs11:token=<YOUR_USER_NAME>;pin-value=<YOUR_PKCS11_PIN>"
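The verification step above as one script, added here as an example; it is not part of the Securosys bundle or of this guide. It assumes (not from the guide) that the provider is registered under the name pkcs11, that the PIN is stored in the file named by PKCS11_PIN_FILE (default ~/.securosys/pin) instead of being typed on the command line, and it embeds an abridged copy of the listing from step 4 as constructed sample input so the parsing functions can be exercised without an HSM.

```shell
#!/bin/sh
# check_pkcs11_provider.sh: added verification helper for step 4 (example code,
# not part of the Securosys bundle). The pure functions parse the output of
# `openssl list -signature-algorithms` and build the storeutl URI; with
# "--live <token>" the script runs them against the installed provider.
#
# Assumptions not taken from the guide: the PIN is read from the file named by
# PKCS11_PIN_FILE (default ~/.securosys/pin, mode 0600) instead of being typed on
# the command line, and the provider is registered under the name "pkcs11".

# Abridged listing from step 4, used as constructed sample input (no HSM needed).
SAMPLE_LISTING='{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
{ 1.2.840.10040.4.1, 1.2.840.10040.4.3, DSA, dsaEncryption } @ default
ECDSA @ default
HMAC @ default
{ 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ pkcs11
{ 1.3.101.112, ED25519 } @ pkcs11
{ 1.3.101.113, ED448 } @ pkcs11
ECDSA @ pkcs11'

# Number of signature algorithm entries served by the pkcs11 provider (stdin = listing).
count_pkcs11_signature_algorithms() {
    grep -c ' @ pkcs11$' || true   # grep -c prints 0 but exits 1 when nothing matches
}

# Succeeds when the listing on stdin has $1 as a whole word in a "@ pkcs11" entry,
# so "DSA" does not match the ECDSA entry and "RSA" does not match rsaEncryption.
pkcs11_offers() {
    grep ' @ pkcs11$' | grep -qE "(^|[{ ,])${1}([ ,}]|"'$)'
}

# Percent-encode a value for use inside a PKCS#11 URI attribute. RFC 7512 allows a
# few more characters unescaped, but escaping everything outside the unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~") is always valid and keeps ";", "%" and
# spaces in a PIN or token label from being parsed as URI syntax.
pk11_escape() {
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /^[A-Za-z0-9._~-]$/) out = out c
                else out = out sprintf("%%%02X", ord[c])
            }
            printf "%s", out
        }'
}

# Build the storeutl URI for a token; both values are escaped. The PIN still travels
# on the command line of the openssl process, so keep the live check off shared hosts.
token_uri() {
    printf 'pkcs11:token=%s;pin-value=%s' "$(pk11_escape "$1")" "$(pk11_escape "$2")"
}

# Live checks against the installed provider (requires OPENSSL_CONF from step 3).
run_live_checks() {
    token=$1
    pin_file=${PKCS11_PIN_FILE:-$HOME/.securosys/pin}
    openssl list -providers | grep -q 'pkcs11' \
        || { echo "pkcs11 provider not loaded (OPENSSL_CONF=${OPENSSL_CONF:-unset})" >&2; return 1; }
    listing=$(openssl list -signature-algorithms)
    for algo in RSA ECDSA ED25519 ED448; do
        printf '%s\n' "$listing" | pkcs11_offers "$algo" \
            || { echo "pkcs11 provider does not offer $algo" >&2; return 1; }
    done
    echo "pkcs11 provider offers $(printf '%s\n' "$listing" | count_pkcs11_signature_algorithms) signature algorithms"
    [ -r "$pin_file" ] || { echo "PIN file $pin_file is missing or unreadable" >&2; return 1; }
    openssl storeutl "$(token_uri "$token" "$(cat "$pin_file")")"
}

case "${1:-}" in
    --live) run_live_checks "${2:?usage: $0 --live <token label (HSM user name)>}" ;;
esac
```

Run it as ./check_pkcs11_provider.sh --live <YOUR_USER_NAME> with OPENSSL_CONF exported; without --live it only defines the functions, which is what makes the parsing and URI-building logic testable on a host without the provider or the HSM.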
