man pages section 5: Standards, Environments, and Macros (Oracle Solaris 11 Information Library)
openssl - OpenSSL cryptographic and Secure Sockets Layer toolkit
OpenSSL is a cryptography toolkit that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLS v1) network protocols.
The following features are omitted from the binaries for issues including but not limited to patents, trademark, and US export restrictions: ECC, IDEA, MDC2, RC3, RC5, 4758_CCA Engine, AEP Engine, Atalla Engine, CHIL Engine, CSWIFT Engine, GMP Engine, NURON Engine, PadLock Engine, Sureware Engine, and UBSEC Engine.
A new PKCS#11 engine has been included with ENGINE name pkcs11. The engine was developed at Sun and is not integrated in the OpenSSL project.
The PKCS#11 engine is configured to use the Oracle Solaris Cryptographic Framework. See cryptoadm(1M) for configuration information.
The PKCS#11 engine can support the following set of mechanisms: CKM_AES_CBC, CKM_AES_ECB, CKM_BLOWFISH_CBC, CKM_DES_CBC, CKM_DES_ECB, CKM_DES3_CBC, CKM_DES3_ECB, CKM_DSA, CKM_MD5, CKM_RC4, CKM_RSA_PKCS, CKM_RSA_X_509, CKM_SHA_1, CKM_SHA224, CKM_SHA256, CKM_SHA384, and CKM_SHA512.
The set of mechanisms available depends on the installed Crypto Framework providers. To see what mechanisms can be offloaded to the Cryptographic Framework through the PKCS#11 engine on a given machine, run the following command:
/usr/sfw/bin/openssl engine pkcs11 -vvv -t -c
Due to requirements of the PKCS#11 standard regarding fork(2) behavior, some applications that use the OpenSSL EVP interfaces and fork() with active crypto contexts might experience unexpected behavior.
The dynamic engine support has been enabled, which allows an external engine, in the form of a shared library, to be dynamically bound and used by an OpenSSL-based application.
Run the following command to see if the dynamic engine is supported:
$ openssl engine dynamic
(dynamic) Dynamic engine loading support
The devcrypto engine is implemented as a separate shared library, and it can be used by an OpenSSL application through the OpenSSL dynamic engine support. This engine was developed at Sun and is not integrated in the OpenSSL project.
Files for the devcrypto engine library are:
/lib/openssl/engines/libdevcrypto.so
/lib/openssl/engines/64/libdevcrypto.so
The devcrypto engine accesses only the kernel hardware providers from the Oracle Solaris Cryptographic Framework. To see the hardware provider information on a system, use the cryptoadm(1M) command.
The devcrypto engine supports the following set of mechanisms: CKM_AES_CBC, CKM_AES_CTR, CKM_AES_ECB, CKM_BLOWFISH_CBC, CKM_DES_CBC, CKM_DES_ECB, CKM_DES3_CBC, CKM_DES3_ECB, and CKM_RC4.
The set of mechanisms available depends on the hardware providers installed and enabled in the Cryptographic Framework. To see what mechanisms are supported by the devcrypto engine on a particular machine, run the following command:
$ openssl engine dynamic -pre SO_PATH:/lib/openssl/engines/libdevcrypto.so \
    -pre LOAD -t -c
Currently a FIPS-140 certified mode is not available in Oracle Solaris.
To build an OpenSSL application, use the following cc command line options:
cc [flag... ]file... -lcrypto -lssl [library... ]
OpenSSL can access RSA keys in PKCS#11 keystores using the following functions of the ENGINE API:
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)
EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data)
key_id, formerly for filenames only, can now also be set to a PKCS#11 URI. The EVP_PKEY structure is newly allocated and the caller is responsible for freeing the structure later. To avoid clashes with existing filenames, the file:// prefix for filenames is now also accepted, but only when the PKCS#11 engine is in use. The PKCS#11 URI specification follows:
pkcs11:[token=<label>][:manuf=<label>][;serial=<label>] [;model=<label>][;object=<label>] [;objecttype=(public|private|cert)] [;passphrasedialog=(builtin|exec:<file>)]
The ordering of keywords is not significant. The PKCS#11 engine uses the keystore for the slot chosen for public key operations, which is metaslot on a standard configured machine. Currently, the PKCS#11 engine ignores the objecttype keyword. The only mandatory keyword is object, which is the key object label. For information on how to use a different, possibly hardware, keystore with metaslot, see libpkcs11(3LIB).
The token PIN is provided by way of the passphrasedialog keyword and is either read from the terminal (builtin) or from the output of an external command (exec:<file>). The PIN is used to log into the token and by default is deleted from memory afterwards. The keyword pin is intentionally not provided due to the inherent security problems of possible use of a password in the process arguments.
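As an added example (not part of this man page and not the Sun engine's own code), the following C parser classifies a key_id the way the text above describes: a plain filename, a file:// filename, or a pkcs11: URI whose keywords may come in any order, with object mandatory, objecttype accepted but otherwise ignored, passphrasedialog limited to builtin or exec:<file>, and a pin keyword rejected outright. The type and function names are assumptions. It treats ';' as the only keyword separator (the synopsis also shows ':' before manuf; this parser does not special-case that, because exec:<file> values themselves contain ':').

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for this example; the engine's real internals are not on the page. */
enum keyid_kind { KEYID_FILE, KEYID_FILE_URI, KEYID_PKCS11, KEYID_INVALID };

#define MAX_LABEL 128

struct pkcs11_uri {
    char token[MAX_LABEL];
    char manuf[MAX_LABEL];
    char serial[MAX_LABEL];
    char model[MAX_LABEL];
    char object[MAX_LABEL];            /* the only mandatory keyword */
    char objecttype[MAX_LABEL];        /* accepted, but the engine ignores it */
    char passphrasedialog[MAX_LABEL];  /* "builtin" or "exec:<file>" */
    int pin_keyword_seen;              /* set when a rejected "pin=" keyword appears */
};

/* Copy a label value into a fixed field; empty or oversized labels are errors. */
static int set_field(char *dst, const char *val, size_t n) {
    if (n == 0 || n >= MAX_LABEL) return -1;
    memcpy(dst, val, n);
    dst[n] = '\0';
    return 0;
}

/* Parse one "keyword=value" attribute; -1 on unknown keyword or bad value. */
static int parse_attr(struct pkcs11_uri *u, const char *attr, size_t len) {
    const char *eq = memchr(attr, '=', len);
    if (eq == NULL) return -1;
    size_t klen = (size_t)(eq - attr);
    const char *val = eq + 1;
    size_t vlen = len - klen - 1;

    struct { const char *name; char *dst; } table[] = {
        { "token", u->token }, { "manuf", u->manuf }, { "serial", u->serial },
        { "model", u->model }, { "object", u->object },
        { "objecttype", u->objecttype }, { "passphrasedialog", u->passphrasedialog },
    };
    if (klen == 3 && strncmp(attr, "pin", 3) == 0) {
        u->pin_keyword_seen = 1;   /* a PIN never belongs in a process argument */
        return -1;
    }
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strlen(table[i].name) == klen && strncmp(attr, table[i].name, klen) == 0)
            return set_field(table[i].dst, val, vlen);
    }
    return -1;
}

/* Classify key_id; for a pkcs11: URI, fill *u. Keywords are ';'-separated in any order. */
enum keyid_kind parse_key_id(const char *key_id, struct pkcs11_uri *u) {
    memset(u, 0, sizeof *u);
    if (key_id == NULL) return KEYID_INVALID;
    if (strncmp(key_id, "file://", 7) == 0) return KEYID_FILE_URI;
    if (strncmp(key_id, "pkcs11:", 7) != 0) return KEYID_FILE;

    const char *p = key_id + 7;
    while (*p) {
        size_t len = strcspn(p, ";");
        if (parse_attr(u, p, len) != 0) return KEYID_INVALID;
        p += len;
        if (*p == ';') p++;
    }
    if (u->object[0] == '\0') return KEYID_INVALID;   /* object is mandatory */
    if (u->passphrasedialog[0] != '\0' &&
        strcmp(u->passphrasedialog, "builtin") != 0 &&
        strncmp(u->passphrasedialog, "exec:", 5) != 0)
        return KEYID_INVALID;                          /* unknown dialog type */
    return KEYID_PKCS11;
}

int main(void) {
    struct pkcs11_uri u;
    /* Constructed sample: the key_id used in Example 1 of this page. */
    enum keyid_kind k = parse_key_id("pkcs11:object=mykey;passphrasedialog=builtin", &u);
    printf("kind=%d object=%s dialog=%s\n", (int)k, u.object, u.passphrasedialog);
    return 0;
}
```

The parser fails closed: a URI with no object label, an unknown keyword, an unknown passphrasedialog type, or a pin keyword is reported as invalid rather than being passed on to the token.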
Due to fork safety issues, the application must re-login if the child continues to use the PKCS#11 engine. This is done inside the engine automatically if a fork is detected, and in that case the exec:<file> option of the passphrasedialog keyword can be used. Alternatively, the environment variable OPENSSL_PKCS11_PIN_CACHING_POLICY can be used to allow the PIN to be cached in memory and reused in the child. It can be set to none, which is the default; memory, to store the PIN in memory; or mlocked-memory, to keep the PIN in a locked page using mlock(3C). The PRIV_PROC_LOCK_MEMORY privilege is required in that case.
Sensitive parts of private keys are never read from the token into the process memory, no matter whether the key is tagged with the sensitive flag or not. The PKCS#11 engine uses the public components as a search key to get a PKCS#11 object handle to the private key.
To use the RSA keys by reference, high level API functions such as RSA_public_decrypt(), EVP_PKEY_set1_RSA(), or EVP_SignInit() must be used. Low level functions might go around the engine and fail to make use of the feature.
Extensive additional documentation for OpenSSL modules is available in the /usr/share/man/man1openssl, /usr/share/man/man3openssl, /usr/share/man/man5openssl, and /usr/share/man/man7openssl directories.
To view the license terms, attribution, and copyright for OpenSSL, run pkg info --license library/security/openssl.
Example 1 Generating and Printing a Public Key
The following example generates and prints a public key stored in an already initialized PKCS#11 keystore. Notice the use of -engine pkcs11 and -inform e.
$ pktool gencert keystore=pkcs11 label=mykey \
    subject="CN=test" keytype=rsa keylen=1024 serial=01
$ openssl rsa -in "pkcs11:object=mykey;passphrasedialog=builtin" \
    -pubout -text -engine pkcs11 -inform e
See attributes(5) for a description of the following attributes:
crle(1), cryptoadm(1M), libpkcs11(3LIB), attributes(5), privileges(5)
/usr/share/man/man1openssl/openssl.1openssl, /usr/share/man/man1openssl/CRYPTO_num_locks.3openssl, /usr/share/man/man3openssl/engine.3, /usr/share/man/man3openssl/evp.3
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.