Use the OpenSSL Dynamic Engine

Last Updated: Apr 08, 2021

This topic describes how to use the OpenSSL Dynamic Engine from the command line. You can also load the dynamic engine through the OpenSSL programmatic interfaces in your own applications.

Prerequisites

Before you use the OpenSSL Dynamic Engine, make sure that your OpenSSL build supports dynamic engine loading. Note that OpenSSL 3.0 deprecated the ENGINE API in favor of providers; the engine commands below still work on 3.x builds that retain engine support, but they print deprecation warnings.

You can use the following command to verify whether it is supported (-c prints the capabilities of every engine that OpenSSL knows about):

 openssl engine -c

If OpenSSL supports dynamic engine loading, the list contains an entry similar to the following:

 (dynamic) Dynamic engine loading support

RSA encryption and decryption procedure

  1. Run the following commands to export the environment variables. Replace HSMusername with the username of a CU type user, and replace password with the corresponding password. LD_LIBRARY_PATH lets the engine find the HSM client libraries; n3fips_password carries the CU credentials the engine uses to log in to the HSM, so set it from a file readable only by your user or from a prompt rather than typing the export line at a shell that records it in its history.

    export LD_LIBRARY_PATH=/opt/hsm/lib/:$LD_LIBRARY_PATH
    export n3fips_password=<HSMusername>:<password>
  2. Run the following command to turn on interactive mode:

    openssl
  3. Run the following commands to load the dynamic engine:

    engine -t dynamic -pre SO_PATH:/opt/hsm/lib/libhsm_openssl.so -pre ID:hsm_openssl -pre LIST_ADD:1 -pre LOAD

    If the command runs successfully, the following response is displayed:

    Loaded: (hsm_openssl) Cavium hardware engine support
  4. Run the following command to generate an RSA key pair in the HSM:

    genrsa -engine hsm_openssl

    If the command succeeds, the engine prints the key in the so-called fake PEM format: a PEM block with the shape of an RSA private key, in which the private-key fields carry only a handle to the key inside the HSM, not the key material itself, which never leaves the device. Save the output to a file (for example, add -out /root/openssl/priv.key to the genrsa command) so that the later steps can reference it:

    -----BEGIN RSA PRIVATE KEY-----
    ****IQIBAAKCAQEAp2R756S3q1/Aa0htOSXovkakVI3ePqkMY4I/AM7j6ZO4lf1b
    l58v0zUqk8c9Eknf8VclGrMz8vqEOMWWXUM6xc4Jq6HRhBbp/SdqTlSW+6WjYcG3
    nMP5PxBIuWLazjS7Mte3n3NSK+qS2jIeUdhr+OPhCdeQfxsDbc9CTz97NNDnoARR
    64nZ/mMTBHXW5dkbgOmTE3plCqB0NctTwXgF3C6z+6/vASJEdXseFV7GS5vATNf4
    i7uEkIIx0791Ped0+3yoBZ31XuAQKcspEab+z3cRdvjUb0YluYF00WDu3D/5bBYW
    0epo6l1r83EhqeAhOviUqQLwMJoLeUxif8RpNQIDAQABAoIBAQDq/Pzu6vz87h8A
    AAAAAAAA6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8/O7q/Pzu6vz87ur8
    /O7q/PzuAgEAAgEAAgEAAgEA****
    -----END RSA PRIVATE KEY-----
  5. Run the following command to export the public key:

    rsa -in /root/openssl/priv.key -pubout -out /root/openssl/pub.pem
  6. Run the following command to encrypt the file helloworld.txt:

    Notice

    This operation must be performed in non-interactive mode, that is, as a separate openssl invocation from the shell. In this example, the content of the file is hello world!

    openssl rsautl -encrypt -inkey /root/openssl/pub.pem -pubin -in /root/openssl/helloworld.txt -out /root/openssl/helloworld.txt.enc
  7. Run the following command to decrypt the file helloworld.txt.enc:

    Notice

    This operation must be performed in interactive mode, in a session in which the dynamic engine has already been loaded (step 3): priv.key holds only the handle of the key in the HSM, and only the engine can resolve that handle.

    rsautl -decrypt -inkey /root/openssl/priv.key -in /root/openssl/helloworld.txt.enc -out /root/openssl/helloworld.txt.dec
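The seven steps above as one script. This is an added example, not code from this page or from the HSM engine vendor: it scripts interactive mode by feeding the same commands to openssl on standard input through a heredoc, keeps the page's engine path /opt/hsm/lib/libhsm_openssl.so and engine ID hsm_openssl, and assumes everything else (the temporary working directory, the file names, and a software-key fallback that runs the identical flow with an openssl genrsa key when the engine library is not installed, so the script can be checked on a host without an HSM).

```shell
#!/bin/sh
# Added example (not from the page or the HSM vendor): the interactive-mode
# procedure above, scripted. Engine path and ID are the page's; the work
# directory, file names and software-key fallback are this example's assumptions.
set -eu

ENGINE_SO="${ENGINE_SO:-/opt/hsm/lib/libhsm_openssl.so}"   # from the page
ENGINE_ID="${ENGINE_ID:-hsm_openssl}"                       # from the page

# Run one openssl subcommand inside an "interactive mode" session that first
# loads the dynamic engine (step 3). openssl reads its own command language
# from stdin, so a heredoc replaces the prompt. The engine stays loaded only
# for the lifetime of this one openssl process, which is why genrsa, rsa and
# rsautl -decrypt each get their own session below. Interactive mode does not
# report a failed subcommand through its exit status, so callers check the
# output file instead of trusting $?.
hsm_run() {
    openssl <<EOF
engine -t dynamic -pre SO_PATH:$ENGINE_SO -pre ID:$ENGINE_ID -pre LIST_ADD:1 -pre LOAD
$1
EOF
}

# Full encrypt/decrypt round trip. $1 is "hsm" (engine-backed key, as on the
# page) or "sw" (plain software key from openssl genrsa, used only so the flow
# can be exercised on a host without the HSM library). Returns 0 when the
# decrypted file matches the original.
roundtrip() {
    mode=$1
    umask 077                                   # key files and plaintext: owner-only
    work=$(mktemp -d)
    printf 'hello world!' > "$work/helloworld.txt"   # constructed sample input (step 6)

    if [ "$mode" = hsm ]; then
        hsm_run "genrsa -engine $ENGINE_ID -out $work/priv.key"        # step 4: fake PEM
        hsm_run "rsa -in $work/priv.key -pubout -out $work/pub.pem"    # step 5
    else
        openssl genrsa -out "$work/priv.key" 2048
        openssl rsa -in "$work/priv.key" -pubout -out "$work/pub.pem"
    fi

    # Step 6: encryption uses only the public key and runs outside the session.
    openssl rsautl -encrypt -pubin -inkey "$work/pub.pem" \
        -in "$work/helloworld.txt" -out "$work/helloworld.txt.enc"

    # Step 7: decryption runs in a session with the engine loaded, because
    # priv.key is only a handle that the engine resolves inside the HSM.
    if [ "$mode" = hsm ]; then
        hsm_run "rsautl -decrypt -inkey $work/priv.key -in $work/helloworld.txt.enc -out $work/helloworld.txt.dec"
    else
        openssl rsautl -decrypt -inkey "$work/priv.key" \
            -in "$work/helloworld.txt.enc" -out "$work/helloworld.txt.dec"
    fi

    if [ -f "$work/helloworld.txt.dec" ] &&
       [ "$(cat "$work/helloworld.txt")" = "$(cat "$work/helloworld.txt.dec")" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

main() {
    if [ -r "$ENGINE_SO" ]; then
        # Step 1. The engine reads the CU credentials from n3fips_password; set
        # it from a file readable only by this user or from a prompt, not by
        # typing the export line at a shell that keeps history.
        export LD_LIBRARY_PATH="/opt/hsm/lib/:${LD_LIBRARY_PATH:-}"
        : "${n3fips_password:?set n3fips_password=<HSMusername>:<password> first}"
        roundtrip hsm && echo "HSM round trip OK"
    else
        echo "$ENGINE_SO not found; exercising the same flow with a software key" >&2
        roundtrip sw && echo "software round trip OK"
    fi
}
main
```

The same heredoc technique works for any sequence of steps that the page requires to run "in interactive mode": every line between the engine command and EOF executes in a single openssl process with the engine loaded, so the decrypt step sees the same engine state as the genrsa step did. The script exits non-zero when the decrypted text differs from the input, which is the only reliable failure signal interactive mode gives you.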