Configuring OpenSSL Patch to Wrap Key Material

To wrap your key material with RSA_OAEP_AES_SHA256, you must first apply the supported OpenSSL patch described below to the OpenSSL build used by your CLI.

The OpenSSL -id-aes256-wrap-pad cipher, which is compatible with RSA_AES_KEY_WRAP, is not enabled by default in the OpenSSL Command Line Interface (CLI). Patch OpenSSL to enable the envelope wrapping required by the CKM_RSA_AES_KEY_WRAP mechanism.

Note

For the "Bring your own key (BYOK)" scenario, you must patch OpenSSL for RSA_OAEP_AES_SHA256 wrapping.

Perform the following steps to download, compile, and run a new local copy of OpenSSL v1.1.1d using the CLI, without altering the default installation of OpenSSL in the system:

  1. Create directories to store the latest OpenSSL binaries in $HOME/build (/root/build when running as root).
    mkdir $HOME/build
    mkdir -p $HOME/local/ssl
    cd $HOME/build
  2. Run the following command and note the OpenSSL version:
    openssl version
  3. Note the latest OpenSSL version at https://www.openssl.org/source/.
  4. Download and unpack the libraries.
    Replace openssl-1.1.1d.tar.gz with the latest version from step 3.
    curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
    tar -zxf openssl-1.1.1d.tar.gz
  5. Install the patch, make, and gcc tools needed to apply the patch and compile the binaries.
    sudo yum install patch make gcc -y
  6. Run the following commands:
    Note

    You might need to update these commands for newer versions of OpenSSL.
    cat <<-EOF | patch -d $HOME/build/ -p0
    diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
    --- orig/openssl-1.1.1d/apps/enc.c      
    +++ openssl-1.1.1d/apps/enc.c   
    @@ -533,6 +533,7 @@
              */
    
             BIO_get_cipher_ctx(benc, &ctx);
    +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
    
             if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                 BIO_printf(bio_err, "Error setting cipher %s\n",
    EOF
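    Review bot: the inserted EVP_CIPHER_CTX_set_flags call sets EVP_CIPHER_CTX_FLAG_WRAP_ALLOW unconditionally, before EVP_CipherInit_ex, on every cipher context the enc tool initialises, not only for the -id-aes256-wrap-pad case this procedure targets. That is the smallest working change and is harmless for non-wrap modes, since the flag only lifts the wrap-mode refusal inside EVP_CipherInit_ex, but a one-line comment above the call recording why it is there (enabling CKM_RSA_AES_KEY_WRAP envelope wrapping) would help whoever re-applies this hunk to a newer enc.c in which line 533 has moved and patch has to rely on fuzz.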
    Confirm that the patch applied successfully if the response is similar to the following:
    [root@ip-172-31-20-119 ~]# cat <<-EOF | patch -d $HOME/build/ -p0
    diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
    --- orig/openssl-1.1.1d/apps/enc.c
    +++ openssl-1.1.1d/apps/enc.c
    @@ -533,6 +533,7 @@
              */
    
             BIO_get_cipher_ctx(benc, &ctx);
    +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
    
             if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                 BIO_printf(bio_err, "Error setting cipher %s\n",
    EOF
    
    patching file openssl-1.1.1d/apps/enc.c
  7. Compile the patched OpenSSL source, including enc.c.
    Note

    Compiling might take several minutes for each command.
    cd $HOME/build/openssl-1.1.1d/
    ./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
    make -j$(grep -c ^processor /proc/cpuinfo)
    make install
    You have now installed the patched OpenSSL build. This build is dynamically linked against the libraries in the $HOME/local/lib/ directory (the prefix given to ./config) and cannot be run directly. Set the environment variable LD_LIBRARY_PATH so that the associated libraries are available to OpenSSL.
  8. Create a script named openssl.sh that sets the $HOME/local/lib/ library path before running the binary. This makes it easier to run the patched OpenSSL repeatedly.
    cd $HOME/local/bin/
    
    echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
  9. Set the execute bit on the script.
    chmod 755 ./openssl.sh
  10. Start OpenSSL with the following command:
    $HOME/local/bin/openssl.sh
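    Once openssl.sh runs, the two things a practitioner wants next are a check that the patch actually took effect and the RSA_AES_KEY_WRAP envelope it enables. The script below is an added example, not part of the original page or of any vendor tooling; it assumes OPENSSL points at the openssl.sh wrapper created above and that the public wrapping key is a PEM file at a hypothetical path you supply.

```shell
#!/bin/bash
# Added example (not from the original page): verify wrap support and build the
# RSA_AES_KEY_WRAP envelope (CKM_RSA_AES_KEY_WRAP) with the patched build.
# Assumption: OPENSSL is the openssl.sh wrapper from the procedure above.
set -eu
OPENSSL="${OPENSSL:-${HOME:-.}/local/bin/openssl.sh}"
AIV=A65959A6   # RFC 5649 alternative initial value used by -id-aes256-wrap-pad

hex() { od -An -v -tx1 "$1" | tr -d ' \n'; }   # raw key bytes -> hex for -K

# Returns 0 when this build accepts -id-aes256-wrap-pad in enc, 1 when it refuses
# (an unpatched 1.1.1 reports "wrap mode not allowed"), 2 for any other failure.
check_wrap_support() {
    local bin="$1" err rc=0
    err=$(mktemp)
    head -c 16 /dev/zero | "$bin" enc -id-aes256-wrap-pad -iv "$AIV" \
        -K "$(printf '%064d' 0)" -out /dev/null 2>"$err" || rc=$?
    if [ "$rc" -ne 0 ]; then
        grep -qi 'wrap mode not allowed' "$err" && rc=1 || rc=2
    fi
    rm -f "$err"; return "$rc"
}

# RSA-OAEP(SHA-256, MGF1-SHA-256) wraps a fresh AES-256 KEK; the KEK wraps the
# key material with AES key wrap with padding; blob = OAEP ciphertext || wrapped.
wrap_key_material() {
    local pub="$1" material="$2" out="$3" t
    t=$(mktemp -d)
    "$OPENSSL" rand -out "$t/kek" 32
    "$OPENSSL" pkeyutl -encrypt -pubin -inkey "$pub" -in "$t/kek" -out "$t/kek.wrapped" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
    "$OPENSSL" enc -id-aes256-wrap-pad -iv "$AIV" -K "$(hex "$t/kek")" \
        -in "$material" -out "$t/material.wrapped"
    cat "$t/kek.wrapped" "$t/material.wrapped" > "$out"
    rm -rf "$t"
}

# Reverse of wrap_key_material, for checking a blob locally before upload; needs
# the private key and the RSA modulus size in bytes (256 for RSA-2048).
unwrap_key_material() {
    local priv="$1" blob="$2" out="$3" nbytes="${4:-256}" t
    t=$(mktemp -d)
    head -c "$nbytes" "$blob" > "$t/kek.wrapped"
    tail -c +$((nbytes + 1)) "$blob" > "$t/material.wrapped"
    "$OPENSSL" pkeyutl -decrypt -inkey "$priv" -in "$t/kek.wrapped" -out "$t/kek" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
    "$OPENSSL" enc -d -id-aes256-wrap-pad -iv "$AIV" -K "$(hex "$t/kek")" \
        -in "$t/material.wrapped" -out "$out"
    rm -rf "$t"
}
```

    Run `check_wrap_support "$OPENSSL"` first: exit status 1 means the binary on the path is still the unpatched one, which is the usual cause of "wrap mode not allowed" failures. Then `wrap_key_material pub.pem material.bin wrapped.bin` produces the blob in the order the RSA_AES_KEY_WRAP mechanism expects.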