How can I patch OpenSSL to work with the CloudHSM CKM_RSA_AES_KEY_WRAP mechanism?

Short description

To use the -id-aes256-wrap-pad OpenSSL cipher that's compatible with the RSA_AES_KEY_WRAP mechanism for the CloudHSM PKCS #11 library, download and install the latest version of OpenSSL. Then, patch it to allow the envelope wrap that's required for the CKM_RSA_AES_KEY_WRAP mechanism.

Resolution

Note:

• The following resolution doesn't remove or alter the client's default installation of OpenSSL.
• The resolution uses Red Hat Enterprise Linux (RHEL) Bash commands with the AWS account root user.
• The resolution applies only to OpenSSL v1.1.x.

Patch OpenSSL to allow CKM_RSA_AES_KEY_WRAP

Before you patch OpenSSL, run the following command to switch to the account root user:

sudo su -

Complete the following steps:

1. Run the following command, and then note the OpenSSL version:

   openssl version

2. Download the latest OpenSSL binaries in the /root/build directory.

3. Run the following commands to set up the directories:

   mkdir $HOME/build
   mkdir -p $HOME/local/ssl
   cd $HOME/build

4. Note the latest OpenSSL download version on the OpenSSL website.

5. Run the following commands to download and unpack the binaries:

   wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
   tar -zxf openssl-1.1.1w.tar.gz

   Note: Replace openssl-1.1.1w.tar.gz with the latest OpenSSL version.

6. Run the following command to install the patch, make gcc tools to patch, and compile the downloaded binaries:

   yum install patch make gcc -y

7. Enter the following block, and then press Enter on your device:

   cat <<-EOF | patch -d $HOME/build/ -p 0
   diff -ur orig/openssl-1.1.1w/apps/enc.c openssl-1.1.1w/apps/enc.c
   --- orig/openssl-1.1.1w/apps/enc.c      
   +++ openssl-1.1.1w/apps/enc.c   
   @@ -534,6 +534,7 @@
             */
    
            BIO_get_cipher_ctx(benc, &ctx);
   +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
    
            if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                BIO_printf(bio_err, "Error setting cipher %s\n",
   EOF

   Note: If you use a version of OpenSSL other than OpenSSL-1.1.1w, then change the directory and update the commands. The patch works only with OpenSSL-1.1.1w.
   Example output that confirms a successful patch:

   [root@ip-172-31-20-119 build]# cat <<-EOF | patch -d $HOME/build/ -p 0
   diff -ur orig/openssl-1.1.1w/apps/enc.c openssl-1.1.1w/apps/enc.c
   --- orig/openssl-1.1.1w/apps/enc.c
   +++ openssl-1.1.1w/apps/enc.c
   @@ -534,6 +534,7 @@
             */
   
            BIO_get_cipher_ctx(benc, &ctx);
   +        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
   
            if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
                BIO_printf(bio_err, "Error setting cipher %s\n",
   EOF
   patching file openssl-1.1.1w/apps/enc.c

8. Run the following command to compile the OpenSSL enc.c file:

   cd $HOME/build/openssl-1.1.1w/
   ./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
   make -j$(grep -c ^processor /proc/cpuinfo)
   make install

   Note: It might take several minutes for each command to compile.

The latest version of OpenSSL dynamically links to libraries in the $HOME/local/ssl/lib/ directory, and your shell can't run it directly.

Run OpenSSL in your shell

Complete the following steps:

1. Run the following command to set the LD_LIBRARY_PATH environment variable so that the associated libraries are available for OpenSSL:

   cd $HOME/local/bin/
   echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh

   Note: Because you must run OpenSSL-1.1.1w multiple times, create a script that's named openssl.sh that loads the $HOME/local/ssl/lib/ path before you run the binary.

2. Run the following command to set the execute bit on the script:

   chmod 755 ./openssl.sh

3. Run the following command to start OpenSSL-1.1.1:

   $HOME/local/bin/openssl.sh

   Note: You can use the $HOME/local/bin/openssl.sh command later to run the patched version of OpenSSL into an environment variable. With the patched version of OpenSSL, you can run multiple commands.

4. Enter version, and then press Enter on your device to verify the OpenSSL version on the command prompt.

5. Enter quit, and then press Enter on your device to exit the command prompt.

6. Run the following command to set up an alias:

   alias OPENSSL_V111="$HOME/local/bin/openssl.sh"

   Note: You can also add the alias to your .bash_profile.

7. Use OpenSSL to transfer keys to CloudHSM.