|
1 '\" te |
|
2 .\" Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. |
|
3 .TH openssl 5 "01 Apr 2014" "SunOS 5.12" "Standards, Environments, and Macros" |
|
4 .SH NAME |
|
5 openssl \- OpenSSL cryptographic and Secure Sockets Layer toolkit |
|
6 .SH DESCRIPTION |
|
7 .sp |
|
8 .LP |
|
9 OpenSSL is a cryptography toolkit that implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLS v1) network protocols. |
|
10 .sp |
|
11 .LP |
|
12 The following features are omitted from the binaries for issues including but not limited to patents, trademark, and US export restrictions: ECC, IDEA, MDC2, RC3, RC5, 4758_CCA Engine, AEP Engine, Atalla Engine, CHIL Engine, CSWIFT Engine, GMP Engine, NURON Engine, PadLock Engine, Sureware Engine, and UBSEC Engine. |
|
13 .SS "The Dynamic Engine Support" |
|
14 .sp |
|
15 .LP |
|
16 The dynamic engine support has been enabled, which allows an external engine, in the form of a shared library, to be dynamically bound and used by an OpenSSL-based application. |
|
17 .sp |
|
18 .LP |
|
19 Run the following command to see if the dynamic engine is supported: |
|
20 .sp |
|
21 .in +2 |
|
22 .nf |
|
23 $ \fBopenssl engine dynamic\fR |
|
24 (dynamic) Dynamic engine loading support |
|
25 .fi |
|
26 .in -2 |
|
27 .sp |
|
28 |
|
29 .SS "The PKCS#11 Engine" |
|
30 .sp |
|
31 .LP |
|
32 The PKCS#11 engine has been included with ENGINE name \fBpkcs11\fR. The engine was developed in Sun and is not integrated in the OpenSSL project. |
|
33 .sp |
|
34 .LP |
|
35 The PKCS#11 engine is a dynamic engine, and it is configured to use the Oracle Solaris Cryptographic Framework. See \fBcryptoadm\fR(1M) for configuration information. |
|
36 .sp |
|
37 .LP |
|
38 The PKCS#11 engine can support the following set of mechanisms: \fBCKM_AES_CBC\fR, \fBCKM_AES_ECB\fR, \fBCKM_BLOWFISH_CBC\fR, \fBCKM_DES_CBC\fR, \fBCKM_DES_ECB\fR, \fBCKM_DES3_CBC\fR, \fBCKM_DES3_ECB\fR, \fBCKM_DSA\fR, \fBCKM_MD5\fR, \fBCKM_RC4\fR, \fBCKM_RSA_PKCS\fR, \fBCKM_RSA_X_509\fR, \fBCKM_SHA_1\fR, \fBCKM_SHA224\fR, \fBCKM_SHA256\fR, \fBCKM_SHA384\fR, \fBCKM_SHA512\fR, \fBCKM_SHA224_HMAC\fR, \fBCKM_SHA224_HMAC_GENERAL\fR, and \fBCKM_SHA224_KEY_DERIVATION\fR. |
|
39 .sp |
|
40 .LP |
|
41 The set of mechanisms available depends on installed Crypto Framework providers. To see what mechanisms can be offloaded to the Cryptographic Framework through the PKCS#11 engine on a given machine, run the following command: |
|
42 .sp |
|
43 .in +2 |
|
44 .nf |
|
45 $ \fB/usr/bin/openssl engine dynamic -pre SO_PATH:/lib/openssl/engines/64/libpk11.so -pre LOAD -t -c\fR |
|
46 .fi |
|
47 .in -2 |
|
48 .sp |
|
49 |
|
50 .sp |
|
51 .LP |
|
52 In order to verify the use of the PKCS#11 engine and the use of hardware acceleration with the OpenSSL application, you must specify the EVP option. EVP stands for \fBEnVeloPE\fR API, which is the API applications such as Apache use to access OpenSSL cryptography. Use the EVP option to get the most accurate \fBopenssl speed\fR results. |
|
53 .sp |
|
54 .in +2 |
|
55 .nf |
|
56 $ \fB/usr/bin/openssl speed -evp aes-128-cbc -engine pkcs11\fR |
|
57 .fi |
|
58 .in -2 |
|
59 .sp |
|
60 |
|
61 .sp |
|
62 .LP |
|
63 Due to requirements of the PKCS#11 standard regarding \fBfork\fR(2) behavior, some applications that use the OpenSSL EVP interfaces and \fBfork()\fR with active \fBcrypto\fR contexts might experience unexpected behavior. |
|
64 .SS "Using FIPS Mode" |
|
65 .sp |
|
66 .LP |
|
67 FIPS-140 capable OpenSSL is available in Oracle Solaris. |
|
68 .sp |
|
69 .LP |
|
70 The IPS package mediator feature is used to activate the non-FIPS-140 version or the FIPS-140 version of OpenSSL. |
|
71 .sp |
|
72 .LP |
|
73 By default, the non-FIPS-140 version (\fBdefault\fR implementation) is activated. Use the \fBpkg set-mediator\fR command to switch to the FIPS-140 version of OpenSSL: |
|
74 .sp |
|
75 .in +2 |
|
76 .nf |
|
77 # \fBpkg set-mediator -I fips-140 openssl\fR |
|
78 .fi |
|
79 .in -2 |
|
80 .sp |
|
81 |
|
82 .sp |
|
83 .LP |
|
84 To switch back to the default non-FIPS-140 version, use the following command: |
|
85 .sp |
|
86 .in +2 |
|
87 .nf |
|
88 # \fBpkg set-mediator -I default openssl\fR |
|
89 .fi |
|
90 .in -2 |
|
91 .sp |
|
92 |
|
93 .sp |
|
94 .LP |
|
95 Reboot is required to enforce the change system-wide. |
|
96 .sp |
|
97 .LP |
|
98 See \fIManaging Encryption and Certificates in Oracle Solaris 11.2\fR for more details. |
|
99 .sp |
|
100 .LP |
|
101 When the FIPS-140 version of OpenSSL is activated, an application can run in FIPS-140 mode or non-FIPS-140 mode. An application must explicitly call \fBFIPS_mode_set()\fR in order to activate FIPS-140 mode. |
|
102 .SS "Building an OpenSSL Application" |
|
103 .sp |
|
104 .LP |
|
105 To build an OpenSSL application, use the following \fBcc\fR command line options: |
|
106 .sp |
|
107 .in +2 |
|
108 .nf |
|
109 cc [ \fIflag\fR... ] \fIfile\fR... -lcrypto -lssl [ \fIlibrary\fR... ] |
|
110 .fi |
|
111 .in -2 |
|
112 |
|
113 .SS "Accessing RSA Keys in PKCS#11 Keystores" |
|
114 .sp |
|
115 .LP |
|
116 OpenSSL can access RSA keys in PKCS#11 keystores using the following functions of the ENGINE API: |
|
117 .sp |
|
118 .in +2 |
|
119 .nf |
|
120 EVP_PKEY *ENGINE_load_private_key(ENGINE *e, |
|
121 const char *key_id, UI_METHOD *ui_method, |
|
122 void *callback_data) |
|
123 |
|
124 EVP_PKEY *ENGINE_load_public_key(ENGINE *e, |
|
125 const char *key_id, UI_METHOD *ui_method, |
|
126 void *callback_data) |
|
127 .fi |
|
128 .in -2 |
|
129 |
|
130 .sp |
|
131 .LP |
|
132 \fBkey_id\fR, formerly for filenames only, can be now also set to a \fBPKCS#11 URI\fR. The \fBEVP_PKEY\fR structure is newly allocated and caller is responsible to free the structure later. To avoid clashes with existing filenames, \fBfile://\fR prefix for filenames is now also accepted but only when the PKCS#11 engine is in use. The PKCS#11 URI specification follows: |
|
133 .sp |
|
134 .in +2 |
|
135 .nf |
|
136 pkcs11:[token=<label>][:manuf=<label>][;serial=<label>] |
|
137 [;model=<label>][;object=<label>] |
|
138 [;objecttype=(public|private|cert)] |
|
139 [;passphrasedialog=(builtin|exec:<file>)] |
|
140 .fi |
|
141 .in -2 |
|
142 |
|
143 .sp |
|
144 .LP |
|
145 The ordering of keywords is not significant. The PKCS#11 engine uses the keystore for the slot chosen for public key operations, which is \fBmetaslot\fR on a standard configured machine. Currently, the PKCS#11 engine ignores the \fBobjecttype\fR keyword. The only mandatory keyword is \fBobject\fR which is the key object label. For information on how to use a different, possibly hardware, keystore with \fBmetaslot\fR, see \fBlibpkcs11\fR(3LIB). |
|
146 .sp |
|
147 .LP |
|
148 The token PIN is provided by way of the \fBpassphrasedialog\fR keyword and is either read from the terminal (\fBbuiltin\fR) or from the output of an external command (\fBexec:<file>\fR). The PIN is used to log into the token and by default is deleted from the memory then. The keyword \fBpin\fR is intentionally not provided due to inherent security problems of possible use of a password in the process arguments. |
|
149 .sp |
|
150 .LP |
|
151 Due to fork safety issues the application must re-login if the child continues to use the PKCS#11 engine. It is done inside of the engine automatically if fork is detected and in that case, \fBexec:<file>\fR option of the \fBpassphrasedialog\fR keyword can be used. Alternatively, an environment variable \fBOPENSSL_PKCS11_PIN_CACHING_POLICY\fR can be used to allow the PIN to be cached in memory and reused in the child. It can be set to \fBnone\fR which is the default, \fBmemory\fR to store the PIN in memory, and \fBmlocked-memory\fR to keep the PIN in a locked page using \fBmlock\fR(3C). \fBPRIV_PROC_LOCK_MEMORY\fR privilege is required in that case. |
|
152 .sp |
|
153 .LP |
|
154 Sensitive parts of private keys are never read from the token to the process memory no matter whether the key is tagged with sensitive flag or not. The PKCS#11 engine uses the public components as a search key to get a PKCS#11 object handle to the private key. |
|
155 .sp |
|
156 .LP |
|
157 To use the RSA keys by reference, high level API functions such as \fBRSA_public_decrypt()\fR, \fBEVP_PKEY_set1_RSA()\fR, or \fBEVP_SignInit()\fR must be used. Low level functions might go around the engine and fail to make use of the feature. |
|
158 .SS "Additional Documentation" |
|
159 .sp |
|
160 .LP |
|
161 Extensive additional documentation for OpenSSL modules is available in the \fB/usr/share/man/man1openssl\fR, \fB/usr/share/man/man3openssl\fR, \fB/usr/share/man/man5openssl\fR, and \fB/usr/share/man/man7openssl\fR directories. |
|
162 .sp |
|
163 .LP |
|
164 To view the license terms, attribution, and copyright for OpenSSL, run \fBpkg info --license library/security/openssl\fR. |
|
165 .SH EXAMPLES |
|
166 .LP |
|
167 \fBExample 1 \fRGenerating and Printing a Public Key |
|
168 .sp |
|
169 .LP |
|
170 The following example generates and prints a public key stored in an already initialized PKCS#11 keystore. Notice the use of \fB-engine pkcs11\fR and \fB-inform e\fR. |
|
171 |
|
172 .sp |
|
173 .in +2 |
|
174 .nf |
|
175 $ \fBpktool gencert keystore=pkcs11 label=mykey \ |
|
176 subject="CN=test" keytype=rsa keylen=1024 serial=01\fR |
|
177 $ \fBopenssl rsa -in "pkcs11:object=mykey;passphrasedialog=builtin"\ |
|
178 -pubout -text -engine pkcs11 -inform e\fR |
|
179 .fi |
|
180 .in -2 |
|
181 .sp |
|
182 |
|
183 .SH ATTRIBUTES |
|
184 .sp |
|
185 .LP |
|
186 See \fBattributes\fR(5) for a description of the following attributes: |
|
187 .sp |
|
188 |
|
189 .sp |
|
190 .TS |
|
191 tab(�) box; |
|
192 cw(2.75i) |cw(2.75i) |
|
193 lw(2.75i) |lw(2.75i) |
|
194 . |
|
195 ATTRIBUTE TYPE�ATTRIBUTE VALUE |
|
196 _ |
|
197 Availability�library/security/openssl |
|
198 _ |
|
199 Interface Stability�Volatile |
|
200 .TE |
|
201 |
|
202 .SH SEE ALSO |
|
203 .sp |
|
204 .LP |
|
205 \fBcrle\fR(1), \fBcryptoadm\fR(1M), \fBlibpkcs11\fR(3LIB), \fBattributes\fR(5), \fBprivileges\fR(5) |
|
206 .sp |
|
207 .LP |
|
208 \fB/usr/share/man/man1openssl/openssl.1openssl\fR, \fB/usr/share/man/man1openssl/CRYPTO_num_locks.3openssl\fR, \fB/usr/share/man/man3openssl/engine.3\fR, \fB/usr/share/man/man3openssl/evp.3\fR |