OpenSSL

OpenSSL is a widely used, open-source toolkit that provides a comprehensive set of cryptographic functions, including the ability to generate, manage, and verify digital signatures. As a native signing tool, OpenSSL allows users to sign data, such as files, using private keys, ensuring integrity and authenticity.

Configure OpenSSL for signing with PKCS#11 Engine

OpenSSL is a versatile open-source cryptography library that provides tools and libraries for secure communications and digital signatures. It can be integrated with a PKCS#11 provider through the OpenSSL PKCS#11 engine to sign and verify files.

Prerequisites to sign files using OpenSSL

  • OpenSSL 3.x installed.
  • The OpenSSL PKCS#11 engine set up (see below).

Install OpenSSL

Linux
To install OpenSSL, the OpenSSL PKCS#11 engine and p11tool, run the command for your distribution:
  • Ubuntu
    sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd
  • RHEL
    sudo dnf install openssl openssl-pkcs11 gnutls vim-common

Set up and configure the PKCS#11 library

The OpenSSL PKCS#11 engine needs a configuration file that points it at the AppViewX PKCS#11 library. The sign commands below load this file through the OPENSSL_CONF environment variable.
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
# Path to the OpenSSL PKCS#11 engine (libpkcs11.so)
dynamic_path = "<Path to libpkcs11.so>"
# Path to the AppViewX PKCS#11 module loaded by the engine
MODULE_PATH = <Path to AVXPKCS11.so>
Note:
  • The openssl.conf file above is generated automatically when the SIGN+_Installer executable runs. It contains the required OpenSSL configuration, and <Path to AVXPKCS11.so> is filled in with the actual installation path. This file is required to sign and verify files with OpenSSL and the AppViewX PKCS#11 provider.
  • The libpkcs11.so path depends on the Linux distribution and the OpenSSL version and must be entered manually in the generated openssl.conf file.
    Note: By default, the README file and the openssl.conf file are generated with the default libpkcs11.so location for Ubuntu 20.04, 22.04 and 24.04 with OpenSSL 3. Adjust the path for other distributions or for a custom installation location.
    • Ubuntu 20.04, 22.04, 24.04: /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so
    • RHEL 9: /usr/lib64/engines-3/libpkcs11.so

Sign software artifacts with OpenSSL using AppViewX PKCS11 library and PKCS#11 Engine

Prerequisites

  1. Configure OpenSSL to sign using the PKCS#11 engine.
  2. Run the AppViewX SIGN+ Installer to install the prerequisites required to sign using the AppViewX PKCS#11 provider.
  3. Modify the configuration in the generated openssl.conf file as required.

Sign with OpenSSL dgst

Sample Command
OPENSSL_CONF=<path_to_openssl_conf_file> openssl dgst -engine pkcs11 -keyform engine -sign "pkcs11:object=<key_alias_name>;type=private" <digest_algorithm> -out <signed_output_file> <file_to_sign>
The <path_to_openssl_conf_file>, <key_alias_name> and <digest_algorithm> values are generated from the signing policy configuration and written to the README after the SIGN+ Installer runs. <digest_algorithm> is an OpenSSL digest option such as -sha256, and <signed_output_file> receives the detached signature.

Verify with OpenSSL dgst

Sample Command
  1. Extract the public key from the signing certificate:
    openssl x509 -inform der -in <certificate_path> -pubkey -noout > <output_file_path.pem>
    The <certificate_path> value is generated in the README after the SIGN+ Installer runs.
  2. Verify the signed file using the public key extracted in step 1:
    openssl dgst -verify <path_to_public_key> -signature <signed_output_file> <digest_algorithm> <signed_file_to_verify>
    The <digest_algorithm> value is generated in the README after the SIGN+ Installer runs and must match the digest used for signing.
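The configuration and the dgst sign/verify steps above, as an added example that is not part of the AppViewX documentation or installer: a POSIX shell script that writes the openssl.conf shown above from two paths, returns the default engine locations listed in the Note, wraps the engine-backed sign command, and verifies a detached signature against the public key extracted from a DER certificate. Because no PKCS#11 device is assumed to be present, the demo function stands in a throwaway software key for the HSM-backed key, signs a constructed sample artifact, and checks both that the genuine signature verifies and that a tampered artifact is rejected. Function names, the sample artifact and the scratch paths are this example's own.

```sh
#!/bin/sh
# Added example, not AppViewX code. Function names and sample data are this
# script's own; the config layout and default engine paths are the documented ones.

# Default libpkcs11.so location per distribution, as listed in the Note above.
engine_path_for_distro() {
  case "$1" in
    ubuntu) printf '%s\n' /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so ;;
    rhel)   printf '%s\n' /usr/lib64/engines-3/libpkcs11.so ;;
    *)      return 1 ;;   # unknown distribution: the caller must supply the path
  esac
}

# Write the openssl.conf that points the pkcs11 engine at the AppViewX module.
# $1 = output file, $2 = path to libpkcs11.so, $3 = path to AVXPKCS11.so
write_openssl_conf() {
  cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
# Path to the OpenSSL PKCS11 engine
dynamic_path = "$2"
MODULE_PATH = $3
EOF
}

# Engine-backed signing: the dgst command from this page with its placeholders filled.
# $1 = openssl.conf, $2 = key alias, $3 = digest (e.g. sha256), $4 = file, $5 = signature out
pkcs11_sign() {
  OPENSSL_CONF="$1" openssl dgst -engine pkcs11 -keyform engine \
    -sign "pkcs11:object=$2;type=private" "-$3" -out "$5" "$4"
}

# Verify a detached signature against the public key of a DER certificate.
# $1 = cert (DER), $2 = digest, $3 = signature, $4 = signed file. Exit status 0 = valid.
verify_detached() {
  vd_pub=$(mktemp) || return 1
  if ! openssl x509 -inform der -in "$1" -pubkey -noout > "$vd_pub" 2>/dev/null; then
    rm -f "$vd_pub"; return 1
  fi
  if openssl dgst -verify "$vd_pub" -signature "$3" "-$2" "$4" 2>/dev/null; then
    rm -f "$vd_pub"; return 0
  fi
  rm -f "$vd_pub"; return 1
}

# Round trip with a throwaway software key standing in for the HSM-backed key
# (no PKCS#11 device assumed). $1 = scratch directory. Returns 0 only when the
# genuine signature verifies AND the tampered artifact is rejected.
demo_round_trip() {
  dir=$1
  printf 'constructed sample artifact v1.0\n' > "$dir/artifact"
  # Self-signed EC certificate in DER form, like the certificate exported for verification.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.der" -outform der \
    -subj /CN=sign-demo -days 1 >/dev/null 2>&1 || return 1
  # Same dgst -sign semantics as pkcs11_sign, with a file key instead of the engine.
  openssl dgst -sha256 -sign "$dir/key.pem" -out "$dir/artifact.sig" "$dir/artifact" || return 1
  verify_detached "$dir/cert.der" sha256 "$dir/artifact.sig" "$dir/artifact" || return 1
  printf 'x' >> "$dir/artifact"   # tamper with the artifact after signing
  if verify_detached "$dir/cert.der" sha256 "$dir/artifact.sig" "$dir/artifact" >/dev/null; then
    return 1                       # a modified artifact must not verify
  fi
  return 0
}

# Usage: sh sign-demo.sh demo
if [ "${1:-}" = demo ]; then
  demo_round_trip "$(mktemp -d)" && echo "signature verified; tampered copy rejected"
fi
```

In production the sign step is pkcs11_sign with the openssl.conf, alias and digest from the generated README; the verify step is unchanged, which is the point of a detached signature: the recipient needs only the certificate, not access to the PKCS#11 provider.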

Sign Authenticode files with Osslsigncode using AppViewX PKCS11 library and PKCS#11 Engine

Osslsigncode is a signing tool based on OpenSSL and cURL that signs, timestamps and verifies Authenticode signatures on Linux. It can be integrated with a PKCS#11 provider through the OpenSSL PKCS#11 engine to sign and verify files.
Use Osslsigncode to sign and timestamp Authenticode files such as:
  • .arx
  • .cbx
  • .crx
  • .cpl
  • .dbx
  • .deploy
  • .dll
  • .drx
  • .exe
  • .msi
  • .msm
  • .msp
  • .ocx
  • .sys

Prerequisites

  • Configure OpenSSL to sign using the PKCS#11 engine.
  • Run the AppViewX SIGN+ Installer to install the prerequisites required to sign using the AppViewX PKCS#11 provider.

Install Osslsigncode

sudo apt install -y osslsigncode

Sign with Osslsigncode

osslsigncode sign -pkcs11engine <path_to_libpkcs11.so> -pkcs11module <path_to_AVXPKCS11.so> -certs <path_to_certificate> -key 'pkcs11:object=<keypair_alias>;type=private' -in <file_to_be_signed> -out <output_signed_file> -h <digest_algorithm> -t <timestamp_url>
  • <path_to_libpkcs11.so>: Path to the OpenSSL engine file libpkcs11.so. By default this is populated with the libpkcs11.so location for Ubuntu 20.04, 22.04 and 24.04 with OpenSSL 3.
  • <path_to_AVXPKCS11.so>: Path to the AVXPKCS11.so file.
  • <path_to_certificate>: Path to the signing certificate.
  • <keypair_alias>: Alias name of the signing certificate.
  • <digest_algorithm>: Hashing algorithm.
  • <timestamp_url>: Timestamping URL.
  • <file_to_be_signed>: Path to the file to be signed.
  • <output_signed_file>: Path of the signed output file.
The <path_to_libpkcs11.so>, <path_to_AVXPKCS11.so>, <path_to_certificate>, <keypair_alias>, <digest_algorithm> and <timestamp_url> values are generated from the signing policy configuration and written to the README after the SIGN+ Installer runs.
Note: Osslsigncode throws an error during signing if the output signed file already exists.
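A wrapper around the sign command above, added here as an example and not taken from the AppViewX or osslsigncode documentation: it checks up front that the output path is unused (the error noted above), runs the documented sign command through the PKCS#11 engine and module, and then runs osslsigncode verify on the result so that a signature which does not verify is caught at signing time rather than by the recipient. The function names and the optional CA bundle argument are this example's own; all paths and values come from the generated README.

```sh
#!/bin/sh
# Added example, not AppViewX or osslsigncode code. Function names are this
# script's own; the sign command and its placeholders are the ones documented above.

# Return 0 if nothing exists at the output path, 1 otherwise. osslsigncode refuses
# to write over an existing output file, so failing here gives a clearer message.
output_is_free() {
  if [ -e "$1" ]; then
    echo "refusing to sign: '$1' already exists and osslsigncode will not overwrite it" >&2
    return 1
  fi
  return 0
}

# Sign an Authenticode file through the PKCS#11 engine, then verify the result.
# $1 libpkcs11.so  $2 AVXPKCS11.so  $3 signing certificate  $4 key alias
# $5 digest (e.g. sha256)  $6 timestamp URL  $7 input file  $8 output file
# $9 (optional) PEM CA bundle for verification when the chain is not in the system store
sign_authenticode() {
  output_is_free "$8" || return 1
  osslsigncode sign -pkcs11engine "$1" -pkcs11module "$2" \
    -certs "$3" -key "pkcs11:object=$4;type=private" \
    -in "$7" -out "$8" -h "$5" -t "$6" || return 1
  # Independent check of the embedded signature before the file ships.
  if [ -n "${9:-}" ]; then
    osslsigncode verify -in "$8" -CAfile "$9"
  else
    osslsigncode verify -in "$8"
  fi
}

# Usage, with values from the README generated by the SIGN+ Installer (placeholders here):
# sign_authenticode /usr/lib/x86_64-linux-gnu/engines-3/libpkcs11.so <path_to_AVXPKCS11.so> \
#   <path_to_certificate> <keypair_alias> sha256 <timestamp_url> app.exe app-signed.exe
```

Keeping the sign and verify steps in one function means a misconfigured engine path, a wrong alias or an expired certificate surfaces as a non-zero exit in the build job, where it is cheap to fix.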