Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
Symptom
By default, the -id-aes256-wrap-pad algorithm is not enabled in OpenSSL. To wrap a key, upgrade OpenSSL to the latest version and patch it first.
Solution
Use bash commands to create a local copy of the existing OpenSSL. You do not need to delete or modify the default OpenSSL client installation configurations.
- Switch to the root user.
sudo su -
- Run the following command and record the OpenSSL version:
openssl version
- Run the following commands to create the /root/build directory. This directory will be used to store the latest OpenSSL binary file.
mkdir $HOME/build
mkdir -p $HOME/local/ssl
cd $HOME/build
- Download the latest OpenSSL version from https://www.openssl.org/source/.
- Download and decompress the binary file.
- Replace openssl-1.1.1d.tar.gz with the latest OpenSSL version downloaded in step 4.
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxf openssl-1.1.1d.tar.gz
- Use the gcc tool to patch the version, and compile the downloaded binary file.
yum install patch make gcc -y
If you are using a version other than OpenSSL-1.1.1d, you may need to change the directory and commands used, or this patch may not work properly.
- Run the following commands:
sed -i "/BIO_get_cipher_ctx(benc, &ctx);/a\ EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);" $HOME/build/openssl-1.1.1d/apps/enc.c
- Run the following commands to compile the OpenSSL enc.c file:
cd $HOME/build/openssl-1.1.1d/
./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
make -j$(grep -c ^processor /proc/cpuinfo)
make install
- Configure the environment variable LD_LIBRARY_PATH to ensure that required libraries are available for OpenSSL. The latest version of OpenSSL has been dynamically linked to the binary file in the $HOME/local/ssl/lib/ directory, and cannot be directly executed in shell.
- Create a script named openssl.sh to load the $HOME/local/ssl/lib/ path before running the binary file.
cd $HOME/local/bin/
echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
- Run the following command to configure an execute bit on the script:
chmod 755 ./openssl.sh
- Run the following command to start the patched OpenSSL version:
$HOME/local/bin/openssl.sh
KMS Related FAQs
- What Is Key Management Service?
- What Is a Customer Master Key?
- What Is a Default Key?
- What Are the Differences Between a Custom Key and a Default Key?
- What Is a Data Encryption Key?
- Why Cannot I Delete a CMK Immediately?
- Which Cloud Services Can Use KMS for Encryption?
- How Do Huawei Cloud Services Use KMS to Encrypt Data?
- What Are the Benefits of Envelope Encryption?
- Is There a Limit on the Number of Custom Keys That I Can Create on KMS?
- Can I Export a CMK from KMS?
- Can I Decrypt My Data if I Permanently Delete My Custom Key?
- How Do I Use the Online Tool to Encrypt or Decrypt Small Volumes of Data?
- Can I Update CMKs Created by KMS-Generated Key Materials?
- When Should I Use a CMK Created with Imported Key Materials?
- What Should I Do When I Accidentally Delete Key Materials?
- How Are Default Keys Generated?
- What Should I Do If I Do Not Have the Permissions to Perform Operations on KMS?
- Why Can't I Wrap Asymmetric Keys by Using -id-aes256-wrap-pad in OpenSSL?
- Key algorithms supported by KMS
- What Should I Do If KMS Failed to Be Requested and Error Code 401 Is Displayed?
- What Is the Relationship Between the Ciphertext and Plaintext Returned by the encrypt-data API?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbotmore
