Hello, > I have to connect to a web server with SSL connection and using a hsm > private key (the key is not exportable): is it possible? > > The command I use is: > openssl s_client -connect myserver.com:443 -cert cert.pem -engine chil > -key privkey > (privkey is the name of the key in hsm) > > and the error is: > [7653] nCipher nFast HWCryptoHook 1.10.2cam134 flags=00000010 > bignums=4ll mutexes getpassphrase getphystoken maxmutexes=1 > maxsimultaneous=1000 (hwcrhk 1.10.2cam134 built on Aug 18 2005 > 11:01:09) > engine "chil" set. > unable to get private key from 'privkey' > 7653:error:02001002:system library:fopen:No such file or > directory:bss_file.c:278:fopen('privkey','r') > 7653:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280: > 7653:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system > lib:ssl_rsa.c:693: > > openssl seek the key in filesystem but the key is in hsm! > > Any idea? There is very good story of running OpenSSL with NCipher at:
http://www.webcom.it/blog/articles/2006/04/07/ncipher-nethsm-with-openssl-tutorial Based on this article I was able to connect to SSL server with RSA key from HSM. My story is in attached file. Best regards, -- Marek Marcola <[EMAIL PROTECTED]>
OpenSSL and NCipher ------------------- 1) Test and integration: # openssl version OpenSSL 0.9.8d 28 Sep 2006 // first test # openssl engine -t chil (chil) CHIL hardware engine support [ unavailable ] // test getting modulus of some bogus key from HSM // problems: unable to load shared library and missing dynamic callbacks # openssl rsa -engine chil -in some-key -inform engine -modulus can't use that engine 0:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libnfhwcrhk.so): \ libnfhwcrhk.so: cannot open shared object file: No such file or directory 0:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 0:error:80067068:CHIL engine:HWCRHK_INIT:dso failure:e_chil.c:539: 0:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161: no engine specified unable to load Private Key // after setting proper LD_LIBRARY_PATH // we have only problem with missing dynamic callbacks # export LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk # openssl rsa -engine chil -in some-key -inform engine -modulus can't use that engine 12993:error:81067072:CHIL engine:HWCRHK_INIT:locking missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via \ CRYPTO_set_dynlock_{create,lock,destroy}_callback() 12993:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed:eng_table.c:161: no engine specified unable to load Private Key // Here, I've added to file apps/openssl.c dynamic locking // callbacks, recompile OpenSSL and reinstall. // Exmples of this callbacks may be found at: // http://www.nabble.com/When-to-use-CRYPTO_set_locking_callback%28% \ // 29-and-CRYPTO_set_id_callback%28%29--tf2121027.html#a5849882 // I've added callbacks function at beginning of file apps/openssl.c // and in main() function some code with sets this callbacks // After that: # openssl engine -t chil (chil) CHIL hardware engine support [ available ] // and getting bogus key shows only missing key error: # openssl rsa -engine chil -in some-key -inform engine -modulus engine "chil" set. unable to load Private Key 0:error:8006906D:CHIL engine:HWCRHK_LOAD_PRIVKEY:no key:e_chil.c:811: 0:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:114: 2) Generate RSA key on HSM: // getting list of keys # /opt/nfast/bin/nfkminfo -k Key summary - 44 keys AppName pkcs11 Ident ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093 AppName pkcs11 Ident umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7 AppName pkcs11 Ident ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3 . . // generate new RSA key # /opt/nfast/bin/generatekey hwcrhk protect: Protected by? (module, token) [token] > module type: Key type? (RSA, DSA, DH) [RSA] > RSA size: Key size? (bits, minimum 1024) [1024] > OPTIONAL: pubexp: Public exponent for RSA key (in hex)? [] > ident: Key identifier? [] > test2 nvram: Store blob in NVRAM (will require administrator cardset)? (yes/no) [no] > key generation parameters: operation Operation to perform generate application Application hwcrhk protect Protected by module verify Verify security of key yes type Key type RSA size Key size 1024 pubexp Public exponent for RSA key (in hex) ident Key identifier test2 nvram Store blob in NVRAM (will require administrator cardset) no Key successfully generated. Path to key: /opt/nfast/kmdata/local/key_hwcrhk_rsa-test2 // list keys with my new key: # /opt/nfast/bin/nfkminfo -k Key summary - 45 keys AppName pkcs11 Ident ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093 AppName pkcs11 Ident umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7 AppName pkcs11 Ident ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3 . . AppName hwcrhk Ident rsa-test2 <-- my new RSA key to use // get my new key modulus - for test: # openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout engine "chil" set. Modulus=D14731D19EF32A3D458EE61B219A0E01950B16478C39ED5E7B8C1F5820E5A4C01.... 3) Generate certificate request for may new key (of name rsa-test2): # openssl req -new -engine chil -key rsa-test2 -keyform engine -out rsa-test2-csr.pem engine "chil" set. Country Name (2 letter code) [AU]:PL State or Province Name (full name) [Some-State]:Warsaw Locality Name (eg, city) []:Warsaw Organization Name (eg, company) [Internet Widgits Pty Ltd]:MALKOM Organizational Unit Name (eg, section) []:MALKOM Admin Common Name (eg, YOUR name) []:rsa-test2 4) After certification I have certificate in file rsa-test2-crt.pem 5) Connecting to SSL server with may HSM RSA key: # openssl s_client -connect 10.100.2.30:10443 -engine chil -key rsa-test2 -keyform engine -cert rsa-test2-crt.pem -CAfile cacert.pem engine "chil" set Security world: Usable 1 module(s) . . . -----END CERTIFICATE----- subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=VPN Server issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate Authority/[EMAIL PROTECTED] --- Acceptable client certificate CA names /C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate Authority/[EMAIL PROTECTED] --- SSL handshake has read 1401 bytes and written 2252 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: 0D446DDA8E99FCE87D4DD860B7A66D6C0798D72D1F253846DB7DA3EBBD78E0F090FDA8B613B66087D93A28DB66A818DD Key-Arg : None Start Time: 1163111559 Timeout : 300 (sec) Verify return code: 0 (ok) --- 6) In may SSL server log I have information of authenticated client: 2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert issuer: /countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=Malkom/organizationalUnitName=Malkom CA/commonName=Malkom Certificate Authority/[EMAIL PROTECTED] 2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert subject: /countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=MALKOM/organizationalUnitName=MALKOM Admin/commonName=rsa-test2 2006-11-09 23:31:34 [INF][3438/3086476992]: certificate verify: ok