OpenSSL#

Aviso

Trying to retrieve the private key will crash OpenSSL. This is normal because private keys cannot be extracted from a NetHSM. You may want to retrieve the public key instead (see example below).

Engine#

Aviso

When using an engine (libp11) version of 0.4.12 or older, having an EdDSA key on the NetHSM will cause OpenSSL to not find any key. On version 0.4.12 and older, the engine lists all the keys on the NetHSM when a key is requested. When searching a key by label or id, it is recommended to use version 0.4.13 or newer, or build libp11 from source. The engine binary will be in src/.libs/pkcs11.so.

The OpenSSL engine interface is the old way to implement custom backends for OpenSSL and it is deprecated in OpenSSL 3. This is still the most stable way to use the NetHSM with OpenSSL.

You will need to setup the PKCS#11 module, following these instructions.

Install the engine:

apt install libengine-pkcs11-openssl

Next you need to configure OpenSSL to use the engine. This is done by adding the following lines to your openssl.cnf file:

openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so
init = 0

Nota

You can specify to OpenSSL the path of the OpenSSL configuration file using the OPENSSL_CONF environment variable.

Aviso

If the main OpenSSL configuration file is modified to contain only these lines, it could break other programs using OpenSSL. Thus, you may want to create a separate configuration file for the engine.

Replace /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so with the path to the PKCS#11 module you installed earlier.

Replace /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so with the path to the OpenSSL engine you installed. The path varies depending on your distribution. The number in engines-3 corresponds to your OpenSSL version. On Debian the path for the OpenSSL 3 engine is /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so; for Fedora it’s /usr/lib64/engines-3/libpkcs11.so.

Now you can use keys on the NetHSM by using PKCS#11 URIs, example:

engine:pkcs11:pkcs11:object=webserver;type=private

This will use the key webserver.

Nota

You can use the p11tool command from GnuTLS <https://gnutls.org/> get the full URI of the keys:

p11tool --provider /usr/lib/x86_64-linux-gnu/pkcs11/libnethsm_pkcs11.so --list-all

Example Command#

Retrieve the public key of an asymmetric key pair on the NetHSM :

openssl pkey -engine pkcs11 -inform ENGINE -in "pkcs11:object=webserver;type=public" -pubout

Provider#

The OpenSSL provider interface is the new way to implement custom backends for OpenSSL. The pkcs11-provider backend is still in an early stage of development.

You will need to setup the PKCS#11 module, following these instructions.

Install the provider. For Fedora a package named pkcs11-provider exists. For other Linux distributions you will need to build it from source.

Then you need to configure OpenSSL to use the provider. This is done by adding the following lines to your openssl.cnf file:

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
pkcs11 = pkcs11_sect

[pkcs11_sect]
module = /home/sautax/git/pkcs11-provider/src/.libs/pkcs11.so
pkcs11-module-path = /usr/lib/libnethsm_pkcs11.so
activate = 1

Set module to the path of the provider you installed and pkcs11-module-path to the path of the PKCS#11 module you installed.

If you want to set NetHSM as the default provider, you can add default = pkcs11 to the provider_sect section.

Nota

You can specify to OpenSSL the path of the OpenSSL configuration file using the OPENSSL_CONF environment variable.

Aviso

If the main OpenSSL configuration file is modified to contain only these lines, it could break other programs using OpenSSL. Thus, you may want to create a separate configuration file for the provider.

Then you can use keys on the NetHSM by using PKCS#11 URIs, example:

openssl pkey -provider pkcs11 -in "pkcs11:object=rsakey" -pubout

If you set NetHSM as the default provider, you can omit the -provider pkcs11 argument.

Nota

Currently when manually setting a key type in the URI the provider will not be able to find the key. You can omit the ;type=private or ;type=public part of the URI to make it work.