🔐OpenSSL

OpenSSL is a library for general-purpose cryptography. OpenSSL is also an open-source command line tool that is commonly used to generate private keys, create CSRs, install your SSL/TLS certificate, and identify certificate information.

Build + Install

#!/bin/bash -xe

#For X86
export ARCH=""
export CROSS_COMPILE=""
export OPENSSL_TARGET=""

#For arm64, source toolchain and set the below config
<<ARM64
export ARCH=arm64
export CROSS_COMPILE="aarch64-linux-gnu-"
export OPENSSL_TARGET=linux-aarch64
ARM64

echo "Download OpenSSL 1.1.1g"
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

echo "untaring... openSSL"
tar -xf  openssl-1.1.1g.tar.gz
cd openssl-1.1.1g

echo "Configuring OpenSSL"
./Configure ${OPENSSL_TARGET} shared -pg -fPIC --cross-compile-prefix=$CROSS_COMPILE --prefix=/tmp/openssl11 --openssldir=/tmp/openssl11/etc/ssl

echo "Building ..."
make -j8

echo "Installing ...."
make install_sw DESTDIR=<path to staging dir>

Successful compilation directs output into 3 directories

Ubuntu@staging/tmp/openssl11
❯ tree 2
.
├── bin
│   ├── c_rehash
│   └── openssl
├── include
│   └── openssl
└── lib
    ├── engines-1.1
    ├── libcrypto.a
    ├── libcrypto.so -> libcrypto.so.1.1
    ├── libcrypto.so.1.1
    ├── libssl.a
    ├── libssl.so -> libssl.so.1.1
    ├── libssl.so.1.1
    └── pkgconfig

export LD_LIBRARY_PATH=<path till lib dir>
./bin/openssl version -a

Commands

These commands are for "secp384r1" curve. The same applies to other supported curves.

# check the version of openssl
openssl version -a

# Get a random number
openssl rand -hex 64

# Generate Private key for secp384 curve
openssl ecparam -genkey -name secp384r1 -out privatekey.pem

# Generate Certificate for a given private key 
openssl req -new -sha256 -key privatekey.pem -out csr.csr -subj "/C=US/ST=FL/L=Orlando/O=Foo LLC/OU=IT/CN=www.example.com"

# Generate Public key for given private key and certificate.
openssl req -x509 -sha256 -days 365 -key privatekey.pem -in csr.csr -out publickey.pem

# Start server instance on port 8443
openssl s_server -tls1_3 -accept 8443 -cert publickey.pem -curves secp384r1 -key privatekey.pem

# Connect to the server with the client
openssl s_client -tls1_3 -curves secp384r1 -connect <server_ip>:8443 

• -engine <engine name> : Accelarate with specified engine

• -tls1_3 : Use TLSv1.3 for communication

• -quiet: less verbose

• -rand <path to node > : use the specified random number from node instead of kernel entrophy

API's

Leverage custom engine

OpenSSL provides flexibility to offload operations onto custom HW. The below code leverages the engine to perform all OpenSSL operations

ENGINE_load_builtin_engines();
ENGINE *e = ENGINE_by_id("engine name");
// Make the engine's implementations the default implementations
ENGINE_init(e)
ENGINE_set_default_digests(e)
// Set default engine
ENGINE_set_default(e, ENGINE_METHOD_ALL);
// Free the engine
ENGINE_free(e);
ENGINE_cleanup();

Load custom Random numbers

// seed PRNG
if (RAND_load_file("/dev/<node>", 256) < 64) {
      printf("Can't seed PRNG!\n");
      return -1;
}

Allocate, Initialize and Generate key pair

// Allocates memory for key pair
EC_KEY *eckey=EC_KEY_new();
// Assign curve to the keypair
EC_GROUP *ecgroup= EC_GROUP_new_by_curve_name(NID_secp384r1);
// Map the keypair and curve
set_group_status = EC_KEY_set_group(eckey,ecgroup);
// Generate key pair, it will offload to engine,
// performs 2 PM operations.
gen_status = EC_KEY_generate_key(eckey);

//Free the handlers
EC_GROUP_free(ecgroup);
EC_KEY_free(eckey);

Sign Key

// Sign the key with given hash
ECDSA_SIG *signature;
signature = ECDSA_do_sign(hash, strlen(hash), eckey);

// Free Signature
ECDSA_SIG_free(signature);

Verify Signed Key

// Verify Signature
verify_status = ECDSA_do_verify(hash, strlen(hash), signature, eckey);

Point Multiplication

// Perform point multiplication
ret = EC_POINT_mul(ecgroup, pub_key, privKeyBN, NULL, NULL, ctx);

Engine

OpenSSL provides flexibility to offload operations onto custom HW. openssl command searches for the custom engine library (so) in

• default : /usr/lib/engines-1.1/

• OpenSSL : <path to openssl>/lib/engines-1.1/

Check Custom Engine

openssl engine <engine name>

-engine <engine name>

Benchmarking

# Benchmark all curves ecdsa operations
openssl speed -elapsed ecdsa

# Benchmark single curve ecdsa operations
openssl speed -elapsed ecdsap384

# Benchmark all curves point multiplication
openssl speed -elapsed ecdh

# Benchmark single curve point multiplication
openssl speed -elapsed ecdhp384

• -elapsed gives wall clock time ( actual time lapse ). Without elapsed it measures only active CPU time.

• -multi <n> : runs on multiple instances on multiple cores.