Hi Willy,
Not seeing how to get the SafeNet patch working, I switched to the approach you mentioned just a few hours ago. And indeed, this approach seems to be working fine. I am now able to connect to the ProtectServer HSM through OpenSSL and perform cryptographic operations. Thanks a lot for giving the assurance that this is indeed the right way to do it!

Kind regards,
Frederik

________________________________
From: Willy Weisz [mailto:we...@vcpc.univie.ac.at]
Sent: Thursday, December 03, 2009 12:25 AM
To: openssl-users@openssl.org
Cc: Frederik Mennes
Subject: Re: OpenSSL with SafeNet ProtectServer engine

Hi Frederik,

the patch you mention was - according to my knowledge - never an officially released one, and it doesn't work, not only because of the wrong directory where the shared library is stored. Unfortunately it seems that no one at Safenet except for a single person seems to know how to use a ProtectServer HSM with openssl in the Linux world. And he isn't the one sitting behind the support desk of the Customer Connection Center.

I got from him the solution: You must use openSSL's dynamic engine facility. For this you need the 2 products of the openSC project <http://www.opensc-project.org>: engine_pkcs11 and libp11.

The addition to the configuration file looks something like:

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib64/engines/engine_pkcs11.so
MODULE_PATH = /opt/PTK/lib/libcryptoki.so
init = 0
PIN = xxxxxxx

Use lib instead of lib64 if you have a 32-bit architecture; libcryptoki.so is a symbolic link. If the last line (PIN) isn't there you must enter the PIN when calling openssl.

The openssl command must contain the options:

-engine pkcs11 -keyform engine -key slot_yourSlotNumber-label_yourHSMslotLabel

I hope this helps - it works for me.
Regards
Willy

On 02.12.2009 16:27, Frederik Mennes wrote:

Hi everyone,

I am trying to use OpenSSL's EVP interface with a SafeNet (formerly Eracom) ProtectServer HSM as engine. I have received from SafeNet a patched version of OpenSSL 0.9.8d. This patch is called "ERAC-3.30-openssl-0.9.8d.patch". I am working on Ubuntu Linux with kernel version 2.6.28-13-generic, and I use SafeNet ProtectToolkit C version 3.32.00.

I have successfully built the patched OpenSSL library. However, when I try to use the SafeNet engine it seems the actual engine library cannot be found. Can anyone help?

Here are the steps I have performed:

I have stored the patched OpenSSL 0.9.8d source code at the following location:
/home/user/Desktop/openssl-0.9.8d-patched-safenet

I have built the patched OpenSSL source code using the instructions in the readme.txt file that came with the patch. This worked fine. The result of the build was the following directory structure:

/opt/test/bin
    c_rehash
    openssl
/opt/test/include
    /openssl [directory with .h files]
/opt/test/lib
    /engines [empty directory]
    libcrypto.so
    libssl.a
    libssl.so.0.9.8
    libcrypto.a
    libcrypto.so.0.9.8
    libssl.so
    /pkgconfig [directory with .pc files]
/opt/test/ssl
    /certs [empty directory]
    /engines [empty directory]
    /man
        /man1
        /man3
        /man5
        /man7
    /misc [directory with some executables]
    openssl.cnf
    /private [empty directory]

It seems all engine directories are empty, so I don't have an engine for the ProtectServer HSM. Is this normal?
I have generated an RSA key pair on the ProtectServer HSM using the ctkmu tool:

ctkmu c -s0 -t rsa -n CA -a PTxSV

I now try to create a keylink for this file:

/opt/test/bin$ ./openssl genrsa -engine ERACOM -hwkey 0/CA > CA.keylink

However, I receive the following error (also when executed as root user):

bash: CA.keylink: Permission denied

Then I tried the following command:

/opt/test/bin$ ./openssl genrsa -engine ERACOM

And I received the following error:

Invalid engine "ERACOM"
12740: error: 25066067: DSO support routines: DLFCN_LOAD: could not load the shared library: dso_dlfcn.c:16: filename (/usr/lib/ssl/engines/libERACOM.so): no such file or directory

Thanks,
Frederik

--
-----------------------------------------------------------
Willy Weisz
European Centre for Parallel Computing at Vienna (VCPC)
Computational Science Center
Nordbergstrasse 15/C312
A-1090 Wien
Tel: (+43 1) 4277 - 39424
Fax: (+43 1) 4277 - 9394
Mobile: +43 699 10109546
e-mail: we...@vcpc.univie.ac.at
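The engine_pkcs11 configuration Willy describes, as an added example that is not part of the thread and not from the OpenSC or SafeNet projects: a small POSIX sh script that writes the [pkcs11_section] (plus the top-level "openssl_conf = openssl_init" wiring that the openssl command needs before it reads an engine section out of openssl.cnf) and then checks that dynamic_path and MODULE_PATH resolve to readable libraries before openssl is pointed at them, which is the "could not load the shared library" failure from the patched build. The library paths, the section name openssl_init and the function names are assumptions; the lib vs lib64 choice and the libcryptoki.so symlink are exactly the two things the check is there to catch.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Builds the openssl.cnf fragment for the OpenSC pkcs11 engine and checks
# the two library paths it names before openssl tries to dlopen them.

# make_pkcs11_cnf ENGINE_SO MODULE_SO [PIN]
# Prints a complete engine configuration on stdout. The PIN argument is
# optional: leaving it out makes openssl prompt for the PIN at run time
# instead of keeping it in plain text in the config file.
# (Paths are placeholders; "openssl_init" is an assumed section name.)
make_pkcs11_cnf() {
    engine_so=$1
    module_so=$2
    pin=$3
    printf '%s\n' \
        "openssl_conf = openssl_init" \
        "" \
        "[openssl_init]" \
        "engines = engine_section" \
        "" \
        "[engine_section]" \
        "pkcs11 = pkcs11_section" \
        "" \
        "[pkcs11_section]" \
        "engine_id = pkcs11" \
        "dynamic_path = $engine_so" \
        "MODULE_PATH = $module_so" \
        "init = 0"
    if [ -n "$pin" ]; then
        printf 'PIN = %s\n' "$pin"
    fi
}

# check_pkcs11_cnf FILE
# Returns 0 when both dynamic_path and MODULE_PATH are present and point
# to readable files (symlinks such as libcryptoki.so are followed by -r),
# 1 otherwise, naming the offending key on stderr. Also notes when a PIN
# is stored in the file so its permissions can be restricted.
check_pkcs11_cnf() {
    cnf=$1
    rc=0
    for key in dynamic_path MODULE_PATH; do
        # first "key = value" line, value only, surrounding blanks removed
        path=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$cnf" | head -n 1)
        if [ -z "$path" ]; then
            echo "$cnf: missing $key" >&2
            rc=1
        elif [ ! -r "$path" ]; then
            echo "$cnf: $key points to an unreadable path: $path" >&2
            rc=1
        fi
    done
    if grep -q '^[[:space:]]*PIN[[:space:]]*=' "$cnf"; then
        echo "$cnf: note: PIN is stored in this file, restrict its permissions" >&2
    fi
    return $rc
}
```

Typical use is `make_pkcs11_cnf /usr/lib64/engines/engine_pkcs11.so /opt/PTK/lib/libcryptoki.so > openssl.cnf` followed by `check_pkcs11_cnf openssl.cnf`; on a 32-bit box the first path changes to /usr/lib/engines, and a failing check tells you which of the two libraries is missing before any openssl invocation fails with a DSO error. If you do pass a PIN, treat openssl.cnf as a secret file (owner-readable only); otherwise omit it and let openssl prompt.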