doc-exports/docs/kms/umn/dew_01_0186.html
qinweiwei 3e4721c813 KMS UMN 20251111 version
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
2026-01-19 09:05:54 +00:00


<a name="dew_01_0186"></a><a name="dew_01_0186"></a>
<h1 class="topictitle1">Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?</h1>
<div id="body0000001151868946"><div class="section" id="dew_01_0186__section857573962412"><h4 class="sectiontitle">Symptom</h4><p id="dew_01_0186__p15645941162417">By default, the -id-aes256-wrap-pad cipher cannot be used with the OpenSSL <strong>enc</strong> command: wrap-mode ciphers are rejected unless the command sets the EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag. To wrap a key, upgrade OpenSSL to the latest version and patch it first.</p>
</div>
<div class="section" id="dew_01_0186__section1985831414254"><h4 class="sectiontitle">Solution</h4><p id="dew_01_0186__p4289716112519">Use the following bash commands to build a separate, patched copy of OpenSSL under your home directory. The default OpenSSL client installation is left untouched: you do not need to delete or modify it.</p>
<ol id="dew_01_0186__ol1850161282618"><li id="dew_01_0186__li1950191222611"><span>Switch to the <strong id="dew_01_0186__b599881311714">root</strong> user.</span><p><p id="dew_01_0186__p29334108279"><strong id="dew_01_0186__b832627153118">sudo su -</strong></p>
</p></li><li id="dew_01_0186__li810852122615"><span>Run the following command and record the OpenSSL version:</span><p><p id="dew_01_0186__p1191064152715"><strong id="dew_01_0186__b1185261013112">openssl version</strong></p>
</p></li><li id="dew_01_0186__li732434016271"><span>Run the following commands to create the <strong id="dew_01_0186__b583516981814">/root/build</strong> directory. This directory will hold the downloaded OpenSSL source archive and the build.</span><p><p id="dew_01_0186__p2469112411282"><strong id="dew_01_0186__b1414784563114">mkdir $HOME/build</strong></p>
<p id="dew_01_0186__p3170114011317"><strong id="dew_01_0186__b215212455318">mkdir -p $HOME/local/ssl</strong></p>
<p id="dew_01_0186__p11399916172815"><strong id="dew_01_0186__b181531245103111">cd $HOME/build</strong></p>
</p></li><li id="dew_01_0186__li831410228281"><a name="dew_01_0186__li831410228281"></a><a name="li831410228281"></a><span>Download the latest OpenSSL version from https://www.openssl.org/source/.</span></li><li id="dew_01_0186__li358765815287"><span>Download and decompress the source archive.</span></li><li id="dew_01_0186__li4594614192912"><span>Replace <strong id="dew_01_0186__b138221915141917">openssl-1.1.1d.tar.gz</strong> in the following commands with the OpenSSL version downloaded in <a href="#dew_01_0186__li831410228281">step 4</a>.</span><p><p id="dew_01_0186__p4590129113012"><strong id="dew_01_0186__b13508144623211">curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz</strong></p>
<p id="dew_01_0186__p16375103643219"><strong id="dew_01_0186__b8509646183220">tar -zxf openssl-1.1.1d.tar.gz</strong></p>
</p></li><li id="dew_01_0186__li4480182713305"><span>Install the <strong id="dew_01_0186__b198581732010">gcc</strong> toolchain and the patch utility needed to patch and compile the downloaded source.</span><p><div class="p" id="dew_01_0186__p132741953203018"><strong id="dew_01_0186__b6884132332">yum install patch make gcc -y</strong><div class="note" id="dew_01_0186__note17360153233110"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="dew_01_0186__p1936063253115">If you use a version other than OpenSSL-1.1.1d, you may need to change the directory names and commands used below, and the patch may not apply correctly.</p>
</div></div>
</div>
</p></li><li id="dew_01_0186__li1372812253115"><span>Run the following command to patch <strong>apps/enc.c</strong> so that the <strong>enc</strong> command allows wrap-mode ciphers:</span><p><pre class="screen" id="dew_01_0186__screen16720101673617">sed -i "/BIO_get_cipher_ctx(benc, &amp;ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c</pre>
</p></li><li id="dew_01_0186__li33661158193116"><span>Run the following commands to compile the patched OpenSSL (including the modified <strong id="dew_01_0186__b475111017299">enc.c</strong>) and install it under <strong>$HOME/local</strong>:</span><p><p id="dew_01_0186__p75156123317"><strong id="dew_01_0186__b1917419185387">cd $HOME/build/openssl-1.1.1d/</strong></p>
<p id="dew_01_0186__p450228133810"><strong id="dew_01_0186__b151761186387">./config --prefix=$HOME/local --openssldir=$HOME/local/ssl</strong></p>
<p id="dew_01_0186__p146071410163819"><strong id="dew_01_0186__b11177201813818">make -j$(grep -c ^processor /proc/cpuinfo)</strong></p>
<p id="dew_01_0186__p12732115719325"><strong id="dew_01_0186__b4177201823813">make install</strong></p>
</p></li><li id="dew_01_0186__li847044183312"><span>Configure the <strong id="dew_01_0186__b171124515302">LD_LIBRARY_PATH</strong> environment variable so that the new OpenSSL binary can find its libraries. The newly built OpenSSL binary is dynamically linked against the libraries in the <strong id="dew_01_0186__b12402412314">$HOME/local/ssl/lib/</strong> directory and cannot be executed directly from the shell without that path.</span></li><li id="dew_01_0186__li568744023310"><span>Create a script named <strong id="dew_01_0186__b13355122393410">openssl.sh</strong> that sets the <strong id="dew_01_0186__b128771127163411">$HOME/local/ssl/lib/</strong> path before running the binary.</span><p><p id="dew_01_0186__p1464112513382"><strong id="dew_01_0186__b125511819154015">cd $HOME/local/bin/</strong></p>
<p id="dew_01_0186__p144114243312"><strong id="dew_01_0186__b105521019144010">echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' &gt; ./openssl.sh</strong></p>
</p></li><li id="dew_01_0186__li14491465345"><span>Run the following command to make the script executable:</span><p><p id="dew_01_0186__p10225930173420"><strong id="dew_01_0186__b2055142853419">chmod 755 ./openssl.sh</strong></p>
</p></li><li id="dew_01_0186__li83318235340"><span>Run the following command to start the patched OpenSSL version:</span><p><p id="dew_01_0186__p12221174173614"><strong id="dew_01_0186__b226885014010">$HOME/local/bin/openssl.sh</strong></p>
</p></li></ol>
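<p>The following script is added here as an example and is not part of the original FAQ. It checks whether a given openssl binary accepts <strong>-id-aes256-wrap-pad</strong> (an unpatched 1.1.1 build fails with "wrap mode not allowed"), then wraps an RSA private key under a random 256-bit key-encryption key and unwraps it again to confirm the round trip. It assumes the patched build from the steps above is at $HOME/local/bin/openssl.sh; the PATCHED_OPENSSL variable and the function names are assumptions of this example.</p>

```shell
#!/bin/bash
# Added example (not part of the original page): check whether an openssl
# binary accepts -id-aes256-wrap-pad, then wrap and unwrap an RSA private key.
# Assumes the patched build from the steps above lives at $HOME/local/bin/openssl.sh
# (override with the hypothetical PATCHED_OPENSSL variable).

# wrap_supported BIN: 0 if BIN can run "enc -id-aes256-wrap-pad", 1 if it
# rejects the cipher (unpatched 1.1.1 reports "wrap mode not allowed"),
# 2 if BIN cannot be found or executed.
wrap_supported() {
    command -v "$1" >/dev/null 2>&1 || return 2
    # Constructed throwaway input and an all-zero KEK; A65959A6 is the RFC 5649
    # default alternative IV that enc expects for the wrap-pad ciphers.
    printf 'sixteen byte key' | "$1" enc -id-aes256-wrap-pad \
        -K 0000000000000000000000000000000000000000000000000000000000000000 \
        -iv A65959A6 -out /dev/null 2>/dev/null && return 0
    return 1
}

# wrap_roundtrip BIN KEK_HEX IN_DER OUT_WRAPPED: wrap IN_DER (PKCS#8 DER) under
# the 256-bit KEK, unwrap it again and return 0 only if the bytes match.
wrap_roundtrip() {
    "$1" enc -id-aes256-wrap-pad -K "$2" -iv A65959A6 -in "$3" -out "$4" || return 1
    "$1" enc -d -id-aes256-wrap-pad -K "$2" -iv A65959A6 -in "$4" -out "$4.unwrapped" || return 1
    cmp -s "$3" "$4.unwrapped"
}

PATCHED="${PATCHED_OPENSSL:-$HOME/local/bin/openssl.sh}"
for candidate in openssl "$PATCHED"; do
    rc=0; wrap_supported "$candidate" || rc=$?
    case $rc in
        0) echo "$candidate: -id-aes256-wrap-pad accepted" ;;
        1) echo "$candidate: wrap mode rejected (unpatched build)" ;;
        *) echo "$candidate: not found" ;;
    esac
done

if wrap_supported "$PATCHED"; then
    work=$(mktemp -d)
    # Key material to protect (constructed here) and a fresh random KEK.
    "$PATCHED" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -outform DER -out "$work/private.der" 2>/dev/null
    kek=$("$PATCHED" rand -hex 32)
    wrap_roundtrip "$PATCHED" "$kek" "$work/private.der" "$work/private.wrapped" \
        && echo "round trip OK, wrapped key in $work/private.wrapped"
fi
```

Run it against the system openssl and against openssl.sh to see which one accepts the wrap-pad cipher; the wrapped file is what a KMS import expects as the AES-wrapped key material.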
</div>
</div>