Hello,
> I have to connect to a web server with SSL connection and using a hsm
> private key (the key is not exportable): is it possible?
> 
> The command I use is:
> openssl s_client -connect myserver.com:443 -cert cert.pem -engine chil
> -key privkey
> (privkey is the name of the key in hsm)
> 
> and the error is:
> [7653] nCipher nFast HWCryptoHook 1.10.2cam134 flags=00000010
> bignums=4ll mutexes getpassphrase getphystoken maxmutexes=1
> maxsimultaneous=1000 (hwcrhk 1.10.2cam134 built on Aug 18 2005
> 11:01:09)
> engine "chil" set.
> unable to get private key from 'privkey'
> 7653:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:278:fopen('privkey','r')
> 7653:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:280:
> 7653:error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system
> lib:ssl_rsa.c:693:
> 
> openssl seek the key in filesystem but the key is in hsm!
> 
> Any idea?
There is very good story of running OpenSSL with NCipher at:

http://www.webcom.it/blog/articles/2006/04/07/ncipher-nethsm-with-openssl-tutorial

Based on this article I was able to connect to SSL server with RSA
key from HSM. My story is in attached file.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
OpenSSL and NCipher
-------------------

1) Test and integration:
        # openssl version
        OpenSSL 0.9.8d 28 Sep 2006

        // first test
        # openssl engine -t chil
        (chil) CHIL hardware engine support
                [ unavailable ]

        // test getting modulus of some bogus key from HSM
        // problems: unable to load shared library and missing dynamic callbacks
        # openssl rsa -engine chil -in some-key -inform engine -modulus
        can't use that engine
        0:error:25066067:DSO support routines:DLFCN_LOAD:could not load the 
shared library:dso_dlfcn.c:162:filename(libnfhwcrhk.so): \
                libnfhwcrhk.so: cannot open shared object file: No such file or 
directory
        0:error:25070067:DSO support routines:DSO_load:could not load the 
shared library:dso_lib.c:244:
        0:error:80067068:CHIL engine:HWCRHK_INIT:dso failure:e_chil.c:539:
        0:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init 
failed:eng_table.c:161:
        no engine specified
        unable to load Private Key

        // after setting proper LD_LIBRARY_PATH
        // we have only problem with missing dynamic callbacks
        # export LD_LIBRARY_PATH=/opt/nfast/toolkits/hwcrhk
        # openssl rsa -engine chil -in some-key -inform engine -modulus
        can't use that engine
        12993:error:81067072:CHIL engine:HWCRHK_INIT:locking 
missing:e_chil.c:594:You HAVE to add dynamic locking callbacks via \
                CRYPTO_set_dynlock_{create,lock,destroy}_callback()
        12993:error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init 
failed:eng_table.c:161:
        no engine specified
        unable to load Private Key

        // Here, I've added to file apps/openssl.c dynamic locking
        // callbacks, recompile OpenSSL and reinstall.
        // Exmples of this callbacks may be found at:
        //   http://www.nabble.com/When-to-use-CRYPTO_set_locking_callback%28% \
        //              
29-and-CRYPTO_set_id_callback%28%29--tf2121027.html#a5849882
        // I've added callbacks function at beginning of file apps/openssl.c
        // and in main() function some code with sets this callbacks
        // After that:
        # openssl engine -t chil
        (chil) CHIL hardware engine support
                [ available ]

        // and getting bogus key shows only missing key error:
        # openssl rsa -engine chil -in some-key -inform engine -modulus
        engine "chil" set.
        unable to load Private Key
        0:error:8006906D:CHIL engine:HWCRHK_LOAD_PRIVKEY:no key:e_chil.c:811:
        0:error:26096080:engine routines:ENGINE_load_private_key:failed loading 
private key:eng_pkey.c:114:

2) Generate RSA key on HSM:
        // getting list of keys
        # /opt/nfast/bin/nfkminfo -k
        Key summary - 44 keys
         AppName pkcs11  Ident 
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093
         AppName pkcs11  Ident 
umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7
         AppName pkcs11  Ident 
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3
        .
        .

        // generate new RSA key
        # /opt/nfast/bin/generatekey hwcrhk
        protect: Protected by? (module, token) [token] > module
        type: Key type? (RSA, DSA, DH) [RSA] > RSA
        size: Key size? (bits, minimum 1024) [1024] >
        OPTIONAL: pubexp: Public exponent for RSA key (in hex)? []
        >
        ident: Key identifier? [] > test2
        nvram: Store blob in NVRAM (will require administrator cardset)? 
(yes/no) [no]
        >
        key generation parameters:
         operation    Operation to perform                                      
generate
         application  Application                                               
hwcrhk
         protect      Protected by                                              
module
         verify       Verify security of key                                    
yes
         type         Key type                                                  
RSA
         size         Key size                                                  
1024
         pubexp       Public exponent for RSA key (in hex)
         ident        Key identifier                                            
test2
         nvram        Store blob in NVRAM (will require administrator cardset)  
no
        Key successfully generated.
        Path to key: /opt/nfast/kmdata/local/key_hwcrhk_rsa-test2

        // list keys with my new key:
        # /opt/nfast/bin/nfkminfo -k
        Key summary - 45 keys
         AppName pkcs11  Ident 
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-e9277e2805652fdf9921419928bf00accbb08093
         AppName pkcs11  Ident 
umd0ad8c9a7f563b7fec38025946079c596c2f942b-b46b45cc09a0e0e3cdd6e008bd0b2e30f88d2ed7
         AppName pkcs11  Ident 
ucd0ad8c9a7f563b7fec38025946079c596c2f942b-c393dbb282301dec24d1a3b21f67aeb8994ad0d3
        .
        .
         AppName hwcrhk  Ident rsa-test2  <-- my new RSA key to use

        // get my new key modulus - for test:
        # openssl rsa -engine chil -in rsa-test2 -inform engine -modulus -noout
        engine "chil" set.
        
Modulus=D14731D19EF32A3D458EE61B219A0E01950B16478C39ED5E7B8C1F5820E5A4C01....

3) Generate certificate request for may new key (of name rsa-test2):
        # openssl req -new -engine chil -key rsa-test2 -keyform engine -out 
rsa-test2-csr.pem
        engine "chil" set.
        Country Name (2 letter code) [AU]:PL
        State or Province Name (full name) [Some-State]:Warsaw
        Locality Name (eg, city) []:Warsaw
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:MALKOM
        Organizational Unit Name (eg, section) []:MALKOM Admin
        Common Name (eg, YOUR name) []:rsa-test2

4) After certification I have certificate in file rsa-test2-crt.pem

5) Connecting to SSL server with may HSM RSA key:
        # openssl s_client -connect 10.100.2.30:10443 -engine chil -key 
rsa-test2 -keyform engine -cert rsa-test2-crt.pem -CAfile cacert.pem
        engine "chil" set
        Security world: Usable 1 module(s)
        .
        .
        .
        -----END CERTIFICATE-----
        subject=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=VPN Server
        issuer=/C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom 
Certificate Authority/[EMAIL PROTECTED]
        ---
        Acceptable client certificate CA names
        /C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate 
Authority/[EMAIL PROTECTED]
        ---
        SSL handshake has read 1401 bytes and written 2252 bytes
        ---
        New, TLSv1/SSLv3, Cipher is AES256-SHA
        Server public key is 2048 bit
        Compression: NONE
        Expansion: NONE
        SSL-Session:
            Protocol  : TLSv1
            Cipher    : AES256-SHA
            Session-ID:
            Session-ID-ctx:
            Master-Key: 
0D446DDA8E99FCE87D4DD860B7A66D6C0798D72D1F253846DB7DA3EBBD78E0F090FDA8B613B66087D93A28DB66A818DD
            Key-Arg   : None
            Start Time: 1163111559
            Timeout   : 300 (sec)
            Verify return code: 0 (ok)
        ---

6) In may SSL server log I have information of authenticated client:
        2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert issuer: 
/countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=Malkom/organizationalUnitName=Malkom
 CA/commonName=Malkom Certificate Authority/[EMAIL PROTECTED]
        2006-11-09 23:31:34 [INF][3438/3086476992]: peer cert subject: 
/countryName=PL/stateOrProvinceName=Warsaw/localityName=Warsaw/organizationName=MALKOM/organizationalUnitName=MALKOM
 Admin/commonName=rsa-test2
        2006-11-09 23:31:34 [INF][3438/3086476992]: certificate verify: ok

Reply via email to