Importing Asymmetric Keys

Import asymmetric keys or key versions, get the public wrapping key, wrap the RSA key material and then import it as a new master encryption key, or as a new key version for an existing master encryption key.

Configuring OpenSSL Patch to Wrap Key Material

Learn how to wrap key material using RSA_OAEP_AES_SHA256 with a supported OpenSSL patch for the CLI.

The OpenSSL -id-aes256-wrap-pad cipher compatible with RSA_AES_KEY_WRAP isn't enabled by default in the OCI CLI. Patch OpenSSL to allow the envelope wrapping that's needed for the CKM_RSA_AES_KEY_WRAP mechanism.

Note

For the "Bring your own key(BYOK)" scenario, you must patch the OpenSSL for RSA_OAEP_AES_SHA256 wrapping.

Perform the following steps to download, compile, and run a new local copy of OpenSSL v1.1.1d using the CLI, without altering the default installation of OpenSSL in the system:

Create directories to store the latest OpenSSL binaries in /root/build.
```
mkdir $HOME/build
mkdir -p $HOME/local/ssl
cd $HOME/build
```
Run the following command and note the OpenSSL version:
```
openssl version
```
Note the latest OpenSSL version at https://www.openssl.org/source/.
Download and unpack the libraries.
Replace openssl-1.1.1d.tar.gz with the latest version from step 3.
```
curl -O https://www.openssl.org/source/openssl-1.1.1d.tar.gz
tar -zxf openssl-1.1.1d.tar.gz
```
Install the patch, make gcc tools to patch, and then compile the binaries.
```
sudo yum install patch make gcc -y
```

Run the following commands:

Note

You might need to update these commands for newer versions of OpenSSL.

cat <<-EOF | patch -d $HOME/build/ -p0
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c
--- orig/openssl-1.1.1d/apps/enc.c      
+++ openssl-1.1.1d/apps/enc.c   
@@ -533,6 +533,7 @@
          */

         BIO_get_cipher_ctx(benc, &ctx);
+        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);

         if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
EOF

Confirm successful patching if response is similar to the following:

[root@ip-172-31-20-119 ~]# cat «-EOF | patch -d $HOME/build/ -p0 
diff -ur orig/openssl-1.1.1d/apps/enc.c openssl-1.1.1d/apps/enc.c 
--- orig/openssl-1.1.1d/apps/enc.c 
+++ openssl-l.1.1d/apps/enc.c 
@@ -533,6 +533,7 @@
        */

    BIO_get_cipher_ctx (benc, &ctx) ; 
+        EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) ; 

    if (!EVP_CipherInit_ex (ctx, cipher, NULL, NULL, NULL, enc) )  {
         BIO_printf (bio_err, "Error setting cipher %s\n" , 
EOF 

patching file openssl-1.1.1d/apps/enc.c

Compile the enc.c file.

Note

Compiling might take several minutes for each command.
```
cd $HOME/build/openssl-1.1.1d/
./config --prefix=$HOME/local --openssldir=$HOME/local/ssl
make -j$(grep -c ^processor /proc/cpuinfo)
make install
```
You have successfully installed the latest version of OpenSSL. This version is dynamically linked to libraries in the $HOME/local/ssl/lib/ directory, and cannot be run directly. Set the environment variable LD_LIBRARY_PATH to ensure that the associated libraries are available to OpenSSL.
Create a script named openssl.sh that loads the $HOME/local/ssl/lib/ path before running the binary. This makes it easier to run OpenSSL multiple times.
```
cd $HOME/local/bin/

echo -e '#!/bin/bash \nenv LD_LIBRARY_PATH=$HOME/local/lib/ $HOME/local/bin/openssl "$@"' > ./openssl.sh
```
Set the execute bit on the script.
```
chmod 755 ./openssl.sh
```
Start OpenSSL with the following command:
```
$HOME/local/bin/openssl.sh
```

Oracle Cloud Infrastructure Documentation

Importing Asymmetric Keys