OpenSSL

1Set up Luna HSM

2Set up OpenSSL toolkit

1Ensure that the HSM is set up, initialized, provisioned, and ready for deployment. For more information, refer to Luna HSM documentation.

2Create a partition that will be later on used by OpenSSL.

3Create and exchange certificate between the Luna Network HSM and client system. Register client and assign partition to create an NTLS connection.

4Initialize Crypto Officer and Crypto User roles for the registered partition.

5Run the following command to verify that the partition has been successfully registered and configured:

/usr/safenet/lunaclient/bin/lunacm 

Upon successful execution, you should observe an output similar to the example provided below:

lunacm (64-bit) v10.5.1-174. Copyright (c) 2022 Thales Group. All rights reserved. 
Available HSMs:
Slot Id ->                           0
Label ->                             TPA01
Serial Number ->                     1312109862206
Model ->                             LunaSA 7.7.1
Firmware Version ->                  7.7.1
Bootloader Version  ->               1.1.2
Configuration ->                     Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description ->                  Net Token Slot
FM HW Status ->                      Non-FM

Note

Refer to Luna HSM documentation for detailed steps on creating NTLS connection, initializing the partitions, and assigning various user roles.

Note

For proper configuration of a PED-based Luna HSM, it is recommended to activate partition policies 22 and 23, allowing for both activation and auto-activation.

1Open the configuration file for your Luna HSM.

2Look for the [Misc] section within the configuration file.

3Add or modify the following setting within the [Misc] section:

RSAKeyGenMechRemap=1

This setting instructs the Luna HSM to redirect older key generation mechanisms to the newly approved mechanism when the HSM is operating in FIPS mode.

1Transfer the downloaded .zip file to your client workstation using pscp, scp, or other secure means

Note

This integration has been certified on the RHEL platform.

2Extract the .zip file into a directory on your client workstation.

3Extract or untar the appropriate client package for your operating system. Do not extract to a new subdirectory; place the files in the client install directory.

tar -xvf cvclient-min.tar

4Run the setenv script to create a new configuration file containing information required by the Luna Cloud HSM service.

source ./setenv

Note

To add the configuration to an already installed UC client, use the –addcloudhsm option when running the setenv script.

5Run the LunaCM utility and verify that the Cloud HSM service is listed.

Note

If your organization requires non-FIPS algorithms for your operations, ensure that the Allow non-FIPS approved algorithms check box is checked. For more information, refer to Supported Mechanisms.

1Download the OpenSSL toolkit from the Thales Customer Support Portal, ensuring it includes Gem Engine support:

• GemEngine v1.6: Doc ID KB0026742

• GemEngine v1.5: Doc ID KB0024584

• GemEngine v1.3: Doc ID KB0017806

• GemEngine v1.2: Doc ID KB0016309

2Familiarize yourself with OpenSSL by referring to the OpenSSL Documentation.

1Extract the Gem Engine toolkit and go to the Gem Engine directory.

2Find the libgem.so or gem.so and sautil binaries in the builds/linux/<distributor>/<bit_version>/<OpenSSL_version> directory. For example: builds/linux/rhel/64/3.0/.

Note

For OpenSSL version 1.1.x onwards, the dynamic engine library is gem.so.

3Use gembuild to locate the OpenSSL Engines directory.

./gembuild locate-engines

4Copy the libgem.so or gem.so to the OpenSSL engines directory to install the Gem Engine. For instance:

cp <gem-engine directory>/builds/linux/rhel/64/3.0/gem.so /usr/lib64/engines-3

5Copy the sautil utility to /usr/local/bin based on your OpenSSL version.

cp <gem-engine directory>/builds/linux/rhel/64/3.0/sautil /usr/local/bin

6Run the sautil utility to ensure all options are listed.

/usr/local/bin/sautil

7Add the openssl and sautil locations to the PATH environment variable if they are not in the system defaults.

export PATH=/usr/local/bin:$PATH

8Add the openssl library location to the LD_LIBRARY_PATH environment variable if not present in system defaults.

export LD_LIBRARY_PATH=/usr/local/lib64:$LD_LIBRARY_PATH

9Verify Gem Engine support.

openssl engine gem -v

1Download and unzip the OpenSSL source from https://www.openssl.org/source/. Pick a version that closely matches your current OpenSSL installation. For example, if you have OpenSSL v1.1.1, download any version within the v1.1.x series.

tar xvfz openssl-x.x.x.tar.gz

2Navigate to the Gem Engine directory to find the engine location for the existing OpenSSL. Note the OpenSSL Engine directory for the next command.

./gembuild locate-engines

3Run gembuild config, providing the necessary inputs to compile the engine.

./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --openssl-engines=<Path to Engine directory from step 2> --config-bits=64

4Install the OpenSSL development package on the system if it is not already installed. If the OpenSSL headers directory is not in the default location /usr/include, use the --openssl-includes option. If the libcrypto.so file is not in the default libs location, use the --openssl-libs option. For GemEngine 1.6, you can specify the major version of the OpenSSL build using the new option --openssl-api=<major>. Here are examples:

--openssl-api=3.0

--openssl-api=1.1.1

5Install the required EC header files.

./gembuild openssl-ec-headers

6Compile the engine.

./gembuild engine-build

Note

If you encounter an issue, refer to the Troubleshooting section.

7Install the Gem Engine.

./gembuild engine-install

8Verify Gem Engine support.

openssl engine gem -v

9Compile and install sautil. By default, it will be installed to /usr/local/bin/sautil. If you prefer a different location, you can either use the --sautil-prefix option during compilation or specify the desired directory with the ./gembuild sautil-install command.

./gembuild sautil-build
./gembuild sautil-install

1Download openssl-x.x.xx.tar.gz.

tar xvfz openssl-x.x.xx.tar.gz

2Download and extract the OpenSSL FIPS module if FIPS is enabled. Otherwise, proceed to the next step.

tar xvfz openssl-fips-2.0.x.tar.gz

Note

This step is applicable until OpenSSL v1.0.2 and can be omitted for the latest OpenSSL versions.

3Extract the Gem Engine toolkit, access the Gem Engine directory, and then execute the gembuild config command, making sure to include the --prefix option.

Note

If you are using OpenSSL v1.0.2 with the FIPS module, incorporate --openssl-fips-source=<Path to openssl-fips-2.0.x> into the gembuild config command: ./gembuild config --openssl-source=<Path to extracted OpenSSL source directory> --prefix=/usr/local --config-bits=64

Note

If you are utilizing GemEngine v1.3 or a later version to construct and install OpenSSL v1.0.2, make sure to include --compat-102 in the command mentioned above. It's important to note that GemEngine v1.6 no longer supports OpenSSL v1.0.2. Instead, it introduces a new option, --openssl-api=<major>, where <major> signifies the major version of the OpenSSL build. For example, --openssl-api=3.0 or --openssl-api=1.1.1.

4Proceed to compile and install the FIPS module, if FIPS is enabled. Otherwise, move on to next step. Please note that this step is relevant for OpenSSL v1.0.2 and can be skipped for the latest OpenSSL versions.

./gembuild openssl-fips-build
./gembuild openssl-fips-install

5Compile and install OpenSSL using the toolkit.

./gembuild openssl-build
./gembuild openssl-install

6Compile and install the Gem dynamic engine and verify the engine.

./gembuild engine-build
./gembuild engine-install
/usr/local/ssl/bin/openssl engine gem -v

If you encounter any known issues, refer to the Troubleshooting section.

7Compile and install sautil.

./gembuild sautil-build
./gembuild sautil-install

Note

The sautil tool will be installed in the directory <prefix>/sautil/bin/sautil, where <prefix> is the directory specified in a previous step using the --prefix option. If you wish to choose a different location, use the --sautil-prefix option when running the /gembuild sautil-install command.

8Add openssl and sautil locations to the PATH environment variable. For example:

export PATH=/usr/local/ssl/bin:/usr/local/sautil/bin:$PATH

9Add the openssl library location to the LD_LIBRARY_PATH environment variable. For example:

export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH

1Open your terminal and type the following command to find the location where OpenSSL is installed:

openssl version -d

Make note of the OpenSSL directory location, indicated by OPENSSLDIR: "/usr/local/ssl".

2Run the following command to discover the directory containing the Gem Engine files libgem.so or gem.so:

./gembuild locate-engines

Make note of this directory as it holds the Gem Engine files.

3Ensure OpenSSL is set via the PATH environment variable. Verify with which openssl to ensure the correct configuration file is accessed.

4Modify the openssl.cnf file as follows:

# Insert near the top of the file openssl.cnf:
openssl_conf = openssl_init

# Insert at the bottom of the file openssl.cnf:
[ openssl_init ]
engines = engine_section

[ engine_section ]
gem = gem_section

[ gem_section ]
dynamic_path = /usr/local/ssl/lib/engines/libgem.so
default_algorithms = ALL

Note

Ensure the correct dynamic engine library is provided in dynamic_path.

5Confirm that the Gem Engine is loaded as the default engine.

openssl engine -v

6Check the application by generating a certificate request without using the engine parameter.

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

1Open the /etc/Chrystoki.conf file and include the following GemEngine section:

GemEngine = {
    LibPath = /usr/safenet/lunaclient/lib/libCryptoki2.so;
    LibPath64 = /usr/safenet/lunaclient/lib/libCryptoki2_64.so;
    EnableDsaGenKeyPair = 1;
    EnableRsaGenKeyPair = 1;
    DisablePublicCrypto = 1;
    EnableRsaSignVerify = 1;
    EnableLoadPubKey = 1;
    EnableLoadPrivKey = 1;
    DisableCheckFinalize = 1;
    DisableEcdsa = 1;
    DisableDsa = 0;
    DisableRand = 0;
    EngineInit = <slot_id>:10:11;
}

Note

Replace <slot_id> with the actual value of the physical or virtual slot.

2Run the sautil utility to initiate a persistent sautil session on the Luna HSM slot:

/usr/local/bin/sautil -v -s <slot_id> -i 10:11 -o -q

Note

If a persistent session is not required, alternative methods for login can be found in the README-GEM-CONFIG file located in the <GemEngine_Directory>/docs folder.

1Create a text file to store the partition crypto officer password:

echo <partition_password> > <path_to_my_passfile>/passfile

2Open the /<ChrystokiConfigurationFile_Directory>/Chrystoki.conf file and insert the following in the GemEngine section:

   GemEngine = {
       LibPath = <path to LibCryptoki2.so>;
       LibPath64 = <path to LibCryptoki2_64.so>;
       EnableDsaGenKeyPair = 1;
       EnableRsaGenKeyPair = 1;
       DisablePublicCrypto = 1;
       EnableRsaSignVerify = 1;
       EnableLoadPubKey = 1;
       EnableLoadPrivKey = 1;
       DisableCheckFinalize = 1;
       DisableEcdsa = 1;
       DisableDsa = 0;
       DisableRand = 0;
       EngineInit = "<Partition Label>":0:0:passfile=<path_to_my_passfile>/passfile;
       EnableLoginInit = 1;
   }

3Replace <Partition Label> with your partition label, and ensure that passfile points to the correct path for the file containing the Crypto Officer password.

4In the Misc section of Chrystoki.conf, add the following flag and save the changes. Do not remove the default values already present in the Misc section:

   Misc = {
     FinalizeOnClose = 1;
   }

1Open the <OPENSSLDIR>/openssl.cnf file in a text editor, and within the [CA_default] section, make the following changes:

dir              = /usr/local/ssl
new_certs_dir    = $dir/certs

Note

You can customize the dir parameter, but ensure to use the correct path in subsequent steps.

2If the directory for saving certificates doesn't exist, create it:

mkdir -p /usr/local/ssl/certs

3Create the text files /usr/local/ssl/index.txt and /usr/local/ssl/serial.

4Open /usr/local/ssl/serial, insert the value 01 at the top of the file, and press the Enter key. Save the changes to the file.

5Generate a 2048-bit private key for the Certificate Authority (CA) using the Gem Engine. The key is generated on the Luna HSM’s partition:

openssl genrsa -engine gem 2048

6List the generated key pair using the cmu utility:

<LunaClient_Installation_Directory>/bin/cmu list

Example:

/usr/safenet/lunaclient/bin/cmu list

7Provide the partition password when prompted and take note of the private key label for the CA keys.

8Generate a CA certificate using the key created in a previous step for signing other certificates:

openssl req -engine gem -new -x509 -days 365 -key rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/ca.cer

Note

Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM.

9Create directories for generating certificate requests for the sender and receiver:

mkdir /usr/local/ssl/certs/sender
mkdir /usr/local/ssl/certs/receiver

10Generate a certificate request for the sender:

openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/sender/sender.txt

Note

The sender's request is used to generate the sender's certificate signed by the CA.

11List the generated key pair using the cmu utility:

/usr/safenet/lunaclient/bin/cmu list

12Provide the partition password when prompted and note down the private key label of sender keys.

13Generate a certificate request for the receiver:

openssl req -engine gem -newkey rsa:2048 -out /usr/local/ssl/certs/receiver/receiver.txt

Note

The receiver's request is used to generate the receiver's certificate signed by the CA.

14List the generated key pair using the cmu utility:

/usr/safenet/lunaclient/bin/cmu list

15Provide the partition password when prompted and note down the private key label of receiver keys.

16Sign the certificate request of the sender by CA:

openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/sender/sender.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/sender/sender.cer

Note

Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.

17Sign the certificate request for the receiver by CA:

openssl ca -engine gem -policy policy_anything -cert /usr/local/ssl/certs/ca.cer -in /usr/local/ssl/certs/receiver/receiver.txt -keyfile rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd -keyform engine -out /usr/local/ssl/certs/receiver/receiver.cer

Note

Replace rsa-private-a55e015d94ee6c4a559dfab7c39a2069d4064bcd with the object label for the CA private key on Luna HSM or Luna Cloud HSM created in a previous step.

1Create a text file named message.txt.

2Sign the message.txt file using the sender’s private key.

openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f -keyform engine -out sendmail.msg

Note

Replace rsa-private-7dfdb3caaf25a63b3d8a81d2a3b51668decafe0f with the object label for the sender's private key.

3Encrypt the sendmail.msg using the receiver’s public key.

openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg /usr/local/ssl/certs/receiver/receiver.cer

4Decrypt the sendmail_enc.msg using the receiver’s private key.

openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec -keyform engine -out sendmail_dec.msg

Note

Replace rsa-private-ec0fcb1ce9114662556caab35fc2baf0565752ec with the object label for the receiver's private key.

5Verify the signature of sendmail_dec.msg using the sender’s public key.

openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile /usr/local/ssl/certs/ca.cer -out out.txt /usr/local/ssl/certs/sender/sender.cer

6Open out.txt and compare its contents with message.txt. Both files should contain the same message, confirming successful cryptographic operations.

7Close the sautil session if you are using Luna HSM slot.

/usr/local/bin/sautil -c -s <slot_id> -i 10:11 -q

The integration of OpenSSL with Luna HSM or Luna Cloud HSM using Gem Engine on UNIX is now complete.

1Go to the OpenSSL toolkit directory within <engine-directory>\builds\win. Extract the contents of sautil-win64-openssl-x.x.xx.tar.gz and ssl-win64-openssl-x.x.xx.tar.gz into the C:\ directory.

2Enhance your system environment by adding C:\cygwin\usr\local\sautil\bin and C:\cygwin\usr\local\ssl\bin to the system path. You can achieve this through Control Panel -> System -> Change Settings -> Advanced -> Environment Variables -> System Variables.

Note

While this step is recommended for convenience, it is not mandatory.

3Establish a centralized working directory by creating the C:\ssl directory for your Windows installation.

4In the newly created working directory, generate an openssl.cnf file. Copy and paste the provided text into openssl.cnf, saving it as C:\ssl\openssl.cnf:

# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
RANDFILE = .rnd

####################################################################
[ ca ]
default_ca = CA_default    # The default ca section

####################################################################
[ CA_default ]
certs = certs                     # Directory for issued certificates
crl_dir = crl                     # Directory for certificate revocation lists (CRL)
database = index.txt              # Database index file
new_certs_dir = certs             # Default directory for new certificates
certificate = cacert.pem          # File path for the CA certificate
serial = serial.txt               # File containing the current serial number
crl = crl.pem                     # File containing the current Certificate Revocation List (CRL)
private_key = private\cakey.pem   # File path for the private key
RANDFILE = private\private.rnd    # File path for private random number file
x509_extensions = x509v3_extensions # Extensions to add to the certificate
default_days = 365                # Duration for which certificates are valid (in days)
default_crl_days = 30             # Duration before the next Certificate Revocation List (CRL)
default_md = md5                  # Message Digest algorithm to use
preserve = no                     # Maintain passed DN (Distinguished Name) ordering


# Define the policy for matching attributes in the certificate request
# For CA type, the listed attributes must match, and optional
# and supplied fields are exactly that :-)

policy = policy_match

# Define the matching criteria for CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional


# Define the policy for 'anything' type
# At this point, list all acceptable 'object' types.

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional


####################################################################
# Certificate Request Configuration
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

# Distinguished Name fields for the certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city, for example)
organizationName = Organization Name (company, for example)
organizationalUnitName = Organizational Unit Name (section, for example)
commonName = Common Name (domain name of your website, for example)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40

# Additional request attributes
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

# Extensions for the certificate request
[ x509v3_extensions ]
# Add more extensions as needed
# under ASN.1, the 0 bit would be encoded as 80
# nsCertType = 0x40
# nsBaseUrl
# nsRevocationUrl
# nsRenewalUrl
# nsCaPolicyUrl
# nsSslServerName
# nsCertSequence
# nsCertExt
# nsDataType

Note

Ensure proper configuration using the openssl.cnf file.

5Set the OpenSSL configuration file path. Execute the following command in the command prompt:

set OPENSSL_CONF=C:\ssl\openssl.cnf

1Open the crystoki.ini file and append the following configuration to the GemEngine section:

[GemEngine]
LibPath = <Luna Client Installation Directory>\cryptoki.dll
LibPath64 = <Luna Client Installation Directory>\cryptoki.dll
EnableDsaGenKeyPair = 1
EnableRsaGenKeyPair = 1
DisablePublicCrypto = 1
EnableRsaSignVerify = 1
EnableLoadPubKey = 1
EnableLoadPrivKey = 1
DisableCheckFinalize = 1
DisableEcdsa = 1
DisableDsa = 0
DisableRand = 0
EngineInit = <slot_id>:10:11

Note

Ensure to replace <Luna Client Installation Directory> with the actual path and <slot_id> with the specific slot ID.

2Run the sautil utility to initiate a persistent session on the Luna HSM slot:

C:\OpenSSL\sautil\bin>sautil -v -s <slot_id> -i 10:11 –o –q

Note

Refer to the README-GEM-CONFIG file in <GemEngine_Directory>\docs for additional login methods and session details.

1Create a text file named passfile in <path_to_my_passfile> and save the partition password in it.

2Open the crystoki.ini file and insert the following configuration into the GemEngine section:

[GemEngine]
LibPath = <Path to cryptoki.dll>
LibPath64 = <Path to cryptoki.dll>
EnableDsaGenKeyPair = 1
EnableRsaGenKeyPair = 1
DisablePublicCrypto = 1
EnableRsaSignVerify = 1
EnableLoadPubKey = 1
EnableLoadPrivKey = 1
DisableCheckFinalize = 1
DisableEcdsa = 1
DisableDsa = 0
DisableRand = 0
EngineInit = "myTokenLabel":0:0:passfile=<path_to_my_passfile>\passfile
EnableLoginInit = 1

Replace <Path to cryptoki.dll> and <path_to_my_passfile> with the actual paths and labels relevant to your configuration.

1Set the OPESSL_CONF path to specify the configuration file for OpenSSL:

set OPESSL_CONF=<Path to openssl.conf>

2Create the necessary directories for OpenSSL operations:

C:\ssl>mkdir keys
C:\ssl>mkdir requests
C:\ssl>mkdir certs

3Create the index.txt file, an empty (zero-byte) text file located at C:\ssl\index.txt.

4Create the serial.txt file by opening C:\ssl\serial.txt, adding the string 01 on the first line, and then saving the file.

5Transfer the libeay32.dll and ssleay32.dll libraries to the folder housing the sautil.exe file. Skip this step if you're utilizing Gem Engine version 1.3 or higher.

6Generate a 2048-bit private key on the Luna HSM using Gem Engine for subsequent CA creation. This action generates the RSA 2048-bit key on either the Luna HSM partition or the Luna Cloud HSM service.

C:\ssl>openssl genrsa -engine gem 2048

7List the generated key pair using the cmu utility:

C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list

Example:

C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list

Provide the partition password when prompted.

8Create a CA certificate based on the generated key:

C:\ssl> openssl req -engine gem -new -x509 -days 365 -key rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/ca.cer

Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e refers to the object label for the CA private key on the Luna HSM or Luna Cloud HSM service created in a previous step.

9Create a certificate request for the sender. This sender request is used to generate the sender’s certificate signed by the CA.

C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/sender.txt

10List the generated key pair using the cmu utility:

C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list

Example:

C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list

11Provide the partition password when prompted.

12Create a certificate request for the receiver. This receiver request is used to generate the receiver’s certificate signed by the CA.

C:\ssl> openssl req -engine gem -newkey rsa:2048 -out requests/receiver.txt

13List the generated key pair using the cmu utility:

C:\ssl> <LunaClient_Installation_Directory>\Cmu.exe list

Example:

C:\ssl> C:\Program Files\SafeNet\LunaClient\Cmu.exe list

14Provide the partition password when prompted.

15Use the CA to sign the certificate request for the sender:

C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/sender.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/sender.cer

Here, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e represents the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in step 6.

16Use the CA to sign the certificate request for the receiver:

C:\ssl> openssl ca -engine gem -policy policy_anything -cert certs/ca.cer -in requests/receiver.txt -keyfile rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e -keyform engine -out certs/receiver.cer

Again, rsa-private-08bde9331fa3be515d2e7db9dd1e28b36b50632e denotes the object label for the CA private key on the Luna HSM or HSM on Luna Cloud HSM service created in a previous step.

1Create a text file named message.txt in the C:\ssl directory.

2Sign the message.txt using the sender’s private key.

C:\ssl>openssl cms -engine gem -sign -in message.txt -signer certs\sender.cer -inkey rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64 -keyform engine -out sendmail.msg

Note

Replace rsa-private-605ddfab1e95bfac36eec44f291647e8a3ff5f64 with the object label for the sender’s private key on Luna HSM or Luna Cloud HSM service.

3Encrypt sendmail.msg using the receiver’s public key.

C:\ssl>openssl cms -engine gem -encrypt -in sendmail.msg -out sendmail_enc.msg certs\receiver.cer

4Decrypt sendmail_enc.msg using the receiver’s private key.

C:\ssl>openssl cms -engine gem -decrypt -in sendmail_enc.msg -inkey rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0 -keyform engine -out sendmail_dec.msg

Note

Replace rsa-private-a216d3b9276268459598f163ff7163aa30cbd3d0 with the object label for the receiver’s private key on Luna HSM or Luna Cloud HSM service.

5Verify the signature of sendmail_dec.msg using the sender’s public key.

C:\ssl>openssl cms -engine gem -verify -in sendmail_dec.msg -CAfile certs\ca.cer -out out.txt certs\sender.cer

6Open out.txt and compare its contents with message.txt.

7Close the session with sautil, if you are using Luna HSM partition.

C:\OpenSSL\sautil\bin>sautil -c -s <slot_id> -i 10:11 –q

1Create a text file named message.txt to serve as the content for your secure communication.

Note

The keys for both the sender and receiver are securely stored on the Luna HSM. Utilize the object label of keys on the Luna HSM partition for decrypting and signing messages.

2Sign the message.txt file using the sender's private key stored on the Luna HSM.

openssl cms -engine gem -sign -in message.txt -signer /usr/local/ssl/certs/sender/sender.cer -inkey rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322 -keyform engine -out sendmail.msg

Here, rsa-private-613247c58f0ca0d7f2bb5a14efb2c7d53ed45322 is the object label for the sender’s private key on the Luna HSM.

3Encrypt the signed file sendmail.msg using the receiver's public key:

a. Generate an AES key:

openssl rand -engine gem -hex 32 > encryption_aes.key

b. Encrypt the signed message using the generated AES key:

openssl enc -aes-256-cbc -a -pbkdf2 -k encryption_aes.key -in sendmail.msg -out sendmail.enc

c. Encrypt the AES key using the receiver's public key:

openssl rsautl -encrypt -oaep -engine gem -in encryption_aes.key -out encryption_aes.enc -certin -inkey /usr/local/ssl/certs/receiver/receiver.cer

4Transmit both the encrypted message (sendmail.enc) and the encrypted AES key to the receiver for secure communication.

5Decrypt the received AES key (encryption_aes.enc) using the private key and then decrypt the encrypted message (sendmail.enc) using the decrypted AES key:

a. Decrypt the AES key using the Receiver’s Private Key:

openssl rsautl -decrypt -oaep -engine gem -in encryption_aes.enc -out encryption_aes.key -inkey rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186 -keyform engine

Here, rsa-private-489393ff23d93012ab85d859cf3386ef42fcc186 is the object label for the receiver’s private key on the Luna HSM.

b. Decrypt the signed message using the decrypted AES key:

openssl enc -aes-256-cbc -d -a -pbkdf2 -k encryption_aes.key -in sendmail.enc -out sendmail.dec

6Verify the signature of the decrypted message (sendmail.dec) using the public key associated with the sender’s certificate.

openssl cms -engine gem -verify -in sendmail.dec -CAfile /usr/local/ssl/certs/ca.cer -out sendmail.txt /usr/local/ssl/certs/sender/sender.cer

7Open the sendmail.txt file and compare its contents with the original message.txt. Both files should have the same message, confirming the successful completion of all cryptographic operations.

1Traverse to the toolkit and untar the luna-samples file.

2Under luna-samples, locate sautil. Within sautil, find the sautil.c file.

3Open sautil.c, search for #define LUNA_OSSL_ECDSA (1), and disable it.

4Save and close the file.

5Run the following commands in the sautil directory under luna-samples:

./configure.sh
make

6Verify that /usr/local/sautil/bin/sautil is installed on your system.

1Open the e_gem.c file in the vi editor:

vi /home/gemengine-1.3/engine/e_gem.c

2At line 934, comment the function as follows:

//luna_fini_p11();

3Save and close the file.

4Remove gem.so from the OpenSSL engine directory:

rm -rf /usr/local/ssl/lib/engines-1.1/gem.so

5Recompile gem.so:

./gembuild engine-build
./gembuild engine-install

6Rerun the OpenSSL sign operation command that previously encountered the segmentation fault. The certificate signing process should now complete without displaying any segmentation faults.

openssl req -engine gem -new -x509 -days 365 -key rsa-private-d6b5261ac7f89d6b3b80d4c0f8aea11f185b95a1 -keyform engine -out /usr/local/ssl/certs/ca.cer
engine "gem" set.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (for example, city) []:Noida
Organization Name (for example, company) []:Thales
Organizational Unit Name (for example, section) []:HSM
Common Name (for example, your websites domain name) []:ca.example.com
Email Address []: