Hi everyone,

I am trying to use OpenSSL's EVP interface with a SafeNet (formerly
Eracom) ProtectServer HSM as the engine.

I have received from SafeNet a patched version of OpenSSL 0.9.8d. This
patch is called "ERAC-3.30-openssl-0.9.8d.patch". I am working on Ubuntu
Linux with kernel version 2.6.28-13-generic, and I use SafeNet
ProtectToolkit C version 3.32.00.

I have successfully built the patched OpenSSL library. However, when I
try to use the SafeNet engine, it seems the actual engine library cannot
be found. Can anyone help?

Here are the steps I have performed:

1) I have stored the patched OpenSSL 0.9.8d source code at the
following location:

/home/user/Desktop/openssl-0.9.8d-patched-safenet

2) I have built the patched OpenSSL source code using the
instructions in the readme.txt file that came with the patch. This
worked fine. The result of the build was the following directory structure:

/opt/test/bin
      c_rehash
      openssl
/opt/test/include
      /openssl [directory with .h files]
/opt/test/lib
      /engines [empty directory]
      libcrypto.so
      libssl.a
      libssl.so.0.9.8
      libcrypto.a
      libcrypto.so.0.9.8
      libssl.so
      /pkgconfig [directory with .pc files]
/opt/test/ssl
      /certs [empty directory]
      /engines [empty directory]
      /man
            /man1
            /man3
            /man5
            /man7
      /misc [directory with some executables]
      openssl.cnf
      /private [empty directory]

It seems all engine directories are empty, so I don't have an
engine for the ProtectServer HSM. Is this normal?

3) I have generated an RSA key pair on the ProtectServer HSM using
the ctkmu tool:

ctkmu c -s0 -t rsa -n CA -a PTxSV

4) I now try to create a keylink for this file:

/opt/test/bin$ ./openssl genrsa -engine ERACOM -hwkey 0/CA > CA.keylink

However, I receive the following error (also when executed as the root user):

bash: CA.keylink: Permission denied

Then I tried the following command:

/opt/test/bin$ ./openssl genrsa -engine ERACOM

And I received the following error:

Invalid engine "ERACOM"

12740: error: 25066067: DSO support routines: DLFCN_LOAD: could not load
the shared library: dso_dlfcn.c:16: filename
(/usr/lib/ssl/engines/libERACOM.so): no such file or directory

Thanks,


Frederik
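
The DLFCN_LOAD error quoted in the message above names a path outside the /opt/test install prefix. The following check is an added example, not part of the original post and not SafeNet or OpenSSL code; it compares the path the loader tried with the prefix and searches the engine directories from the listing for libERACOM.so. The helper names are hypothetical, and the candidate directories are taken from the post plus the OPENSSL_ENGINES environment variable.

```shell
#!/bin/sh
# Added diagnostic sketch; helper names are hypothetical, not OpenSSL or SafeNet code.

# Pull the path the engine loader tried out of a DLFCN_LOAD error line.
engine_path_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*filename *(\([^)]*\)).*/\1/p'
}

# Succeed if path $1 lies under install prefix $2.
path_under_prefix() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the first lib<id>.so found; $1 = engine id, remaining args = directories.
find_engine() {
    id=$1; shift
    for d in "$@"; do
        if [ -f "$d/lib$id.so" ]; then
            printf '%s\n' "$d/lib$id.so"
            return 0
        fi
    done
    return 1
}

# Error text from the post, joined onto one line; prefix from the post's listing.
ERR='12740: error: 25066067: DSO support routines: DLFCN_LOAD: could not load the shared library: dso_dlfcn.c:16: filename (/usr/lib/ssl/engines/libERACOM.so): no such file or directory'
PREFIX=/opt/test

tried=$(engine_path_from_error "$ERR")
echo "loader tried: $tried"
if path_under_prefix "$tried" "$PREFIX"; then
    echo "lookup stays inside $PREFIX"
else
    echo "lookup leaves $PREFIX; libraries the binary resolves to:"
    if [ -x "$PREFIX/bin/openssl" ]; then
        ldd "$PREFIX/bin/openssl" | grep -E 'libcrypto|libssl' || true
    fi
fi
# OPENSSL_ENGINES is the environment variable OpenSSL reads for its engine directory.
find_engine ERACOM "$PREFIX/lib/engines" "$PREFIX/ssl/engines" \
    "${OPENSSL_ENGINES:-/nonexistent}" "$(dirname "$tried")" \
    || echo "libERACOM.so is in none of the candidate directories"
```
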
