Marek Marcola
Thu, 09 Nov 2006 15:12:20 -0800
Hello,
> I have to connect to a web server with SSL connection and using a hsm
> private key (the key is not exportable): is it possible?
>
> The command I use is:
> openssl s_client -connect myserver.com:443 -cert cert.pem -engine chil
> -key privkey
> (privkey is the name of the key in hsm)
>
> and the error is:
> [7653] nCipher nFast HWCryptoHook 1.10.2cam134 flags=00000010
> bignums=4ll mutexes getpassphrase getphystoken maxmutexes=1
> maxsimultaneous=1000 (hwcrhk 1.10.2cam134 built on Aug 18 2005
> 11:01:09)
> engine "chil" set.
> unable to get private key from 'privkey'
> 7653:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:278:fopen('privkey','r')
> 7653:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
> 7653:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system
> lib:ssl_rsa.c:693:
>
> openssl seek the key in filesystem but the key is in hsm!
>
> Any idea?
There is a very good story of running OpenSSL with NCipher at:
http://www.webcom.it/blog/articles/2006/04/07/ncipher-nethsm-with-openssl-tutorial
Based on this article I was able to connect to an SSL server with an RSA key from the HSM.
My story is in the attached file.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

OpenSSL and NCipher
-------------------
1) Test and integration:
# openssl version
OpenSSL 0.9.8d 28 Sep 2006
// first test
# openssl engine -t chil
(chil) CHIL hardware engine support
[ unavailable ]
// test getting modulus of some bogus key from HSM
// problems: unable to load shared library and missing dynamic callbacks
# openssl rsa -engine chil -in some-key -inform engine -modulus
can't use that engine
0:error:25066067:DSO support routines:DLFCN_LOAD:could not load the
shared library:dso_dlfcn.c:162:filename(libnfhwcrhk.so): \
libnfhwcrhk.so: cannot open shared object file: No such file or
directory
0:error:25070067:DSO support routines:DSO_load:could not load the
shared library:dso_lib.c:244:
0:error:80067068:CHIL engine:HWCRHK_INIT:dso failure:e_chil.c:539:
0:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init
failed:eng_table.c:161:
no engine specified
unable to load Private Key
// after setting proper LD_LIBRARY_PATH
// we have only problem with missing dynamic callbacks
# export LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk
# openssl rsa -engine chil -in some-key -inform engine -modulus
can't use that engine
12993:error:81067072:CHIL engine:HWCRHK_INIT:locking
missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via \
CRYPTO_set_dynlock_{create,lock,destroy}_callback()
12993:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init
failed:eng_table.c:161:
no engine specified
unable to load Private Key
// Here, I've added dynamic locking callbacks to file apps/openssl.c,
// recompiled OpenSSL and reinstalled.
// Examples of these callbacks may be found at:
// http://www.nabble.com/When-to-use-CRYPTO_set_locking_callback%28%29-and-CRYPTO_set_id_callback%28%29--tf2121027.html#a5849882
// I've added the callback functions at the beginning of file apps/openssl.c
// and in the main() function some code which sets these callbacks.
// After that:
# openssl engine -t chil
(chil) CHIL hardware engine support
[ available ]
// and getting bogus key shows only missing key error:
# openssl rsa -engine chil -in some-key -inform engine -modulus
engine "chil" set.
unable to load Private Key
0:error:8006906D:CHIL engine:HWCRHK_LOAD_PRIVKEY:no key:e_chil.c:811:
0:error:26096080:engine routines:ENGINE_load_private_key:failed loading
private key:eng_pkey.c:114:
2) Generate RSA key on HSM:
// getting list of keys
# /opt/nfast/bin/nfkminfo -k
Key summary - 44 keys
AppName pkcs11 Ident
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093
AppName pkcs11 Ident
umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7
AppName pkcs11 Ident
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3
.
.
// generate new RSA key
# /opt/nfast/bin/generatekey hwcrhk
protect: Protected by? (module, token) [token] > module
type: Key type? (RSA, DSA, DH) [RSA] > RSA
size: Key size? (bits, minimum 1024) [1024] >
OPTIONAL: pubexp: Public exponent for RSA key (in hex)? []
>
ident: Key identifier? [] > test2
nvram: Store blob in NVRAM (will require administrator cardset)?
(yes/no) [no]
>
key generation parameters:
operation Operation to perform
generate
application Application
hwcrhk
protect Protected by
module
verify Verify security of key
yes
type Key type
RSA
size Key size
1024
pubexp Public exponent for RSA key (in hex)
ident Key identifier
test2
nvram Store blob in NVRAM (will require administrator cardset)
no
Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_hwcrhk_rsa-test2
// list keys with my new key:
# /opt/nfast/bin/nfkminfo -k
Key summary - 45 keys
AppName pkcs11 Ident
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093
AppName pkcs11 Ident
umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7
AppName pkcs11 Ident
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3
.
.
AppName hwcrhk Ident rsa-test2 <-- my new RSA key to use
// get my new key modulus - for test:
# openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
engine "chil" set.
Modulus=D14731D19EF32A3D458EE61B219A0E01950B16478C39ED5E7B8C1F5820E5A4C01....
3) Generate certificate request for my new key (of name rsa-test2):
# openssl req -new -engine chil -key rsa-test2 -keyform engine -out rsa-test2-csr.pem
engine "chil" set.
Country Name (2 letter code) [AU]:PL
State or Province Name (full name) [Some-State]:Warsaw
Locality Name (eg, city) []:Warsaw
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MALKOM
Organizational Unit Name (eg, section) []:MALKOM Admin
Common Name (eg, YOUR name) []:rsa-test2
4) After certification I have certificate in file rsa-test2-crt.pem
5) Connecting to SSL server with my HSM RSA key:
# openssl s_client -connect 10.100.2.30:10443 -engine chil -key rsa-test2 -keyform engine -cert rsa-test2-crt.pem -CAfile cacert.pem
engine "chil" set
Security world: Usable 1 module(s)
.
.
.
-----END CERTIFICATE-----
subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=VPN Server
issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom
Certificate Authority/[EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate
Authority/[EMAIL PROTECTED]
---
SSL handshake has read 1401 bytes and written 2252 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
0D446DDA8E99FCE87D4DD860B7A66D6C0798D72D1F253846DB7DA3EBBD78E0F090FDA8B613B66087D93A28DB66A818DD
Key-Arg : None
Start Time: 1163111559
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
6) In my SSL server log I have information of authenticated client:
2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert issuer:
/countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=Malkom/organizationalUnitName=Malkom
CA/commonName=Malkom Certificate Authority/[EMAIL PROTECTED]
2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert subject:
/countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=MALKOM/organizationalUnitName=MALKOM
Admin/commonName=rsa-test2
2006-11-09 23:31:34 [INF][3438/3086476992]: certificate verify: ok
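
Added example, not part of the original message or its attachment: a pthread-based set of the dynamic locking callbacks that the "locking missing" error in step 1 asks for, written against the OpenSSL 0.9.8 - 1.0.2 callback signatures (from 1.1.0 the setters are no-ops). The names dyn_create, dyn_lock and dyn_destroy, the WITH_OPENSSL build flag and the choice of pthread mutexes are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <pthread.h>
#ifdef WITH_OPENSSL              /* assumed build flag: compile against OpenSSL headers */
#include <openssl/crypto.h>
#endif
#ifndef CRYPTO_LOCK
#define CRYPTO_LOCK 1            /* same value as in openssl/crypto.h */
#endif
/* OpenSSL only forward-declares this struct; the application defines it. */
struct CRYPTO_dynlock_value { pthread_mutex_t mutex; };

/* Called when the library needs a new lock; returning NULL signals failure. */
struct CRYPTO_dynlock_value *dyn_create(const char *file, int line)
{
    struct CRYPTO_dynlock_value *l = malloc(sizeof(*l));
    (void)file; (void)line;
    if (l != NULL && pthread_mutex_init(&l->mutex, NULL) != 0) {
        free(l);
        l = NULL;
    }
    return l;
}

/* mode has the CRYPTO_LOCK bit set to acquire; otherwise the lock is released. */
void dyn_lock(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)
{
    (void)file; (void)line;
    if (mode & CRYPTO_LOCK)
        pthread_mutex_lock(&l->mutex);
    else
        pthread_mutex_unlock(&l->mutex);
}

void dyn_destroy(struct CRYPTO_dynlock_value *l, const char *file, int line)
{
    (void)file; (void)line;
    pthread_mutex_destroy(&l->mutex);
    free(l);
}

int main(void)
{
#ifdef WITH_OPENSSL              /* register before the chil engine is initialised */
    CRYPTO_set_dynlock_create_callback(dyn_create);
    CRYPTO_set_dynlock_lock_callback(dyn_lock);
    CRYPTO_set_dynlock_destroy_callback(dyn_destroy);
#endif
    return 0;
}
```

Without these three callbacks registered, HWCRHK_INIT fails as shown in step 1 and "openssl engine -t chil" keeps reporting the engine as unavailable.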