Skip to content

OpenSSL Engine implementation using ATECC508 for ECC key storage, ECDSA sign/verify, ECDH, and FIPS Random Number Generator (RNG).

License

Notifications You must be signed in to change notification settings

VitroTech/cryptoauth-openssl-engine

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

78 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Configuration:

Most of the configuration of the library can be done in lib/openssl/eccx08_engine.h or via defines during build

The exception to this is in eccx08_platform.c where key slots are defaulted

If the ATCA_OPENSSL_ENGINE_STATIC_CONFIG define is set to 1 then device and signer certificate definitions will have to be linked into the library at build.

e.g. see the line in the makefile: #LIBATECCSSL_OBJECTS += cert_def_1_signer.c cert_def_2_signer.c

Makfile:

The makefile included in this archive is fairly basic and is not what one would consider appropriate for a package so there is likely some manual configuration that would be needed at this stage

To build the library:

make libateccssl

To run the test program:

make test

To extract certificates (if the engine is added to the openssl.cnf file):

openssl engine ateccx08 -t -post GET_DEVICE_CERT:./device.der openssl engine ateccx08 -t -post GET_SIGNER_CERT:./signer.der

Otherwise you'll have to use an interactive openssl session (see openssl engine -h and engine -vvv for details)

openssl

OpenSSL> engine dynamic -pre SO_PATH:/ -pre LIST_ADD:1 -pre ID:ateccx08 -pre LOAD OpenSSL> engine ateccx08 -t -post GET_DEVICE_CERT:./device.der OpenSSL> engine ateccx08 -t -post GET_SIGNER_CERT:./signer.der

Then to verify the certs:

openssl x509 -in device.der -inform der -text -noout openssl x509 -in signer.der -inform der -text -noout

To set up your openssl.cnf file

Find which openssl.cnf file your instance is using you can:

openssl version -a | grep OPENSSLDIR OPENSSLDIR: "/usr/lib/ssl"

will tell you the base location where openssl is looking for the openssl.cnf file. It may be a symbolic link to another location

ls -l /usr/lib/ssl lrwxrwxrwx 1 root root 14 Apr 24 15:22 certs -> /etc/ssl/certs lrwxrwxrwx 1 root root 20 Jan 31 05:53 openssl.cnf -> /etc/ssl/openssl.cnf

To set up the openssl.cnf to use the engine:

At the top:

openssl_conf = openssl_init

Append to the end:

[ openssl_init ] engines = engine_section

[ engine_section ] ateccx08 = ateccx08_config

[ ateccx08_config ] engine_id = ateccx08

Or if you sym link the libateccssl.so to the engine directory the next line is not needed

dynamic_path = device_key_slot = 0 init = 0

To use the engine in an application you can reference the openssl tests (test/openssl/test_engine.c) but the basic principle is that if the openssl.cnf file is configured correctly all an application really needs to do is add a call to OPENSSL_config if it is not already doing so and then to decide what functionality that the application wants and register it.

About

OpenSSL Engine implementation using ATECC508 for ECC key storage, ECDSA sign/verify, ECDH, and FIPS Random Number Generator (RNG).

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 91.2%
  • C++ 5.9%
  • Shell 1.3%
  • Python 1.3%
  • Other 0.3%