OpenSSL 3.x Reference
Install the build dependencies for pkcs11-provider on the system:

- OpenSSL 3.0+ libraries and development headers:

  ```sh
  # Debian-like systems
  $ sudo apt-get install openssl libssl-dev
  # RPM-based systems
  $ sudo yum install openssl
  $ sudo yum install openssl-devel
  ```
- Meson and Ninja, used to build pkcs11-provider:

  ```sh
  # Debian-like systems
  $ sudo apt install build-essential
  $ sudo apt install meson ninja-build
  # RPM-based systems
  $ sudo dnf install gcc
  $ sudo yum install meson ninja
  ```
- pkg-config:

  ```sh
  # Debian-like systems
  $ sudo apt-get install pkg-config
  # RPM-based systems
  # pkg-config is already installed as part of openssl-devel
  ```
- Get the latest version of pkcs11-provider:

  ```sh
  $ git clone https://github.com/latchset/pkcs11-provider.git
  ```
- Build pkcs11-provider:

  ```sh
  $ meson setup builddir
  $ meson compile -C builddir
  ```

  To link against an OpenSSL installed in a custom path, set PKG_CONFIG_PATH, or the CFLAGS/LDFLAGS environment variables, accordingly at the meson setup step. For example, assume OpenSSL is installed under an absolute path $OPENSSL_DIR. If you rely on pkg-config, point PKG_CONFIG_PATH to the directory where libcrypto.pc or openssl.pc can be found.
- Install pkcs11-provider:

  ```sh
  $ sudo meson install -C builddir
  ```
OpenSSL (via pkcs11-provider) supports p11-kit-proxy natively and does not require additional setup. If p11-kit-proxy is not being used, OpenSSL has to be configured manually to use libp11 and cryptoauthlib.

This requires editing the default openssl.cnf file. To locate the file used by the system, run:

```sh
$ openssl version -a | grep OPENSSLDIR:
OPENSSLDIR: "/usr/lib/ssl"
```

This is the directory OpenSSL was compiled to search for its openssl.cnf file. In this case the file to edit is /usr/lib/ssl/openssl.cnf.
This line must be placed at the top of the file, before any sections are defined:

```ini
openssl_conf = openssl_init
```
This should be added to the bottom of the file:

```ini
[openssl_init]
providers = provider_sect

# List of providers to load
[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[pkcs11_sect]
module = /usr/lib/x86_64-linux-gnu/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib/libcryptoauth.so
activate = 1

[default_sect]
activate = 1
```
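As an added example (not code from the cryptoauthlib wiki or from pkcs11-provider), a POSIX shell script that checks an edited openssl.cnf for the points above: the openssl_conf line sitting before the first section, the section chain resolving to the pkcs11 section, and both module paths existing. The config path and module paths it is given are assumptions about your system.

```sh
#!/bin/sh
# Added example; not part of the cryptoauthlib wiki or of pkcs11-provider.
# It checks an openssl.cnf for what this page calls out: the
# 'openssl_conf = openssl_init' line must come before the first [section],
# the chain openssl_init -> providers -> pkcs11 section must resolve, and the
# two module paths must exist. Section and key names are the ones used on
# this page; the file paths you pass in are assumptions about your system.

# Succeed only if the first section header or openssl_conf directive seen
# (ignoring comments and blank lines) is the openssl_conf directive.
check_openssl_conf_order() {
    first=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -E '^[[:space:]]*(\[|openssl_conf[[:space:]]*=)' \
        | head -n 1 | sed 's/^[[:space:]]*//')
    case "$first" in
        openssl_conf*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of KEY ($3) inside [SECTION] ($2) of CONF ($1); an empty
# SECTION means the part of the file before any section header.
conf_get() {
    awk -v s="$2" -v k="$3" '
        /^[[:space:]]*\[/ { cur = $0; sub(/^[[:space:]]*\[/, "", cur)
                            sub(/].*$/, "", cur); next }
        cur == s && $0 ~ ("^[[:space:]]*" k "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, "")
            print; exit }
    ' "$1"
}

# Walk the config the way OpenSSL does and report each inconsistency on
# stdout; the return value is the number of problems (0 = looks consistent).
check_pkcs11_setup() {
    conf="$1"; n=0
    check_openssl_conf_order "$conf" || { echo "openssl_conf is not before the first section"; n=$((n+1)); }
    init=$(conf_get "$conf" "" openssl_conf)
    prov=$(conf_get "$conf" "$init" providers)
    p11=$(conf_get "$conf" "$prov" pkcs11)
    [ -n "$p11" ] || { echo "no pkcs11 entry under [$prov]"; n=$((n+1)); }
    for key in module pkcs11-module-path; do
        path=$(conf_get "$conf" "$p11" "$key")
        [ -f "$path" ] || { echo "$key: '$path' not found"; n=$((n+1)); }
    done
    [ "$(conf_get "$conf" "$p11" activate)" = 1 ] || { echo "[$p11] activate is not 1"; n=$((n+1)); }
    return "$n"
}
```

Run `check_pkcs11_setup /usr/lib/ssl/openssl.cnf` after editing; once it reports nothing, `openssl list -providers` should list pkcs11 alongside default.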
Generate a CSR signed with the private key held in the device, referenced by its PKCS#11 URI, and inspect the result:

```sh
$ openssl req -provider pkcs11 -key "pkcs11:token=MCHP;object=ec256pvt;type=private" -new -out new_device.csr -subj "/CN=NEW CSR EXAMPLE"
$ cat new_device.csr
-----BEGIN CERTIFICATE REQUEST-----
MIHUMHwCAQAwGjEYMBYGA1UEAwwPTkVXIENTUiBFWEFNUExFMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAE9AmWq0Jl2bE9Gwb9dr3QzCqflqL2dxIhjvT+TzTzV3yx
gC6KuE8dZ7siDw3nT+wUW+l8Qne4YOB7+RCubXk3l6AAMAoGCCqGSM49BAMCA0gA
MEUCIQDrgc81yagztxoDpl0KagjZ2ZxdAszGSL7jgTpkZqzrGwIgYhD4Gj+Rt3ZD
ZP+CfGX8u7QjJR6q1bqT0VIubFlDX7w=
-----END CERTIFICATE REQUEST-----
```
Verify the self-signature on the CSR and print its contents:

```sh
$ openssl req -provider pkcs11 -in new_device.csr -verify -text -noout
Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = NEW CSR EXAMPLE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f4:09:96:ab:42:65:d9:b1:3d:1b:06:fd:76:bd:
                    d0:cc:2a:9f:96:a2:f6:77:12:21:8e:f4:fe:4f:34:
                    f3:57:7c:b1:80:2e:8a:b8:4f:1d:67:bb:22:0f:0d:
                    e7:4f:ec:14:5b:e9:7c:42:77:b8:60:e0:7b:f9:10:
                    ae:6d:79:37:97
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            (none)
            Requested Extensions:
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:eb:81:cf:35:c9:a8:33:b7:1a:03:a6:5d:0a:
        6a:08:d9:d9:9c:5d:02:cc:c6:48:be:e3:81:3a:64:66:ac:eb:
        1b:02:20:62:10:f8:1a:3f:91:b7:76:43:64:ff:82:7c:65:fc:
        bb:b4:23:25:1e:aa:d5:ba:93:d1:52:2e:6c:59:43:5f:bc
```