The OpenSSL package contains a command line tool, openssl, that can be used to test the openssl package and to generate keys and certificates. This command can either execute a single command at a time, or run in interactive mode where successive commands are issued to a prompt. Under eCos it only runs in interactive mode, taking commands and issuing responses to the serial console.
The openssl tool will only build and run in the full configuration and additionally needs the RAM filesystem. If passwords are to be supplied, the serial line support described earlier should be enabled.
The command executable is created and saved in the INSTALL_DIR/bin directory. Both the original ELF file and an SREC file, openssl.srec, are saved there. To run the command, transfer the SREC file to your TFTP server, then download and run it under RedBoot. You should see something similar to the following:
RedBoot> load openssl.srec
Using default protocol (TFTP)
Entry point: 0x20040040, address range: 0x20040000-0x201e76ec
RedBoot> go
[cyg_net_init] Init: mbinit(0x00000000)
[cyg_net_init] Init: cyg_net_init_devs(0x00000000)
Init device 'dm9000_eth0'
[cyg_net_init] Init: loopattach(0x00000000)
[cyg_net_init] Init: ifinit(0x00000000)
[cyg_net_init] Init: domaininit(0x00000000)
[cyg_net_init] Init: cyg_net_add_domain(0x201e51b0)
New domain internet at 0x00000000
[cyg_net_init] Init: cyg_net_add_domain(0x201e2c4c)
New domain route at 0x00000000
[cyg_net_init] Init: call_route_init(0x00000000)
[cyg_net_init] Done
mount /ram
set current directory to /ram
load openssl.cnf into /ram/openssl.cnf
initialise network interfaces
BOOTP[eth0] op: REPLY
       htype: Ethernet
        hlen: 6
        hops: 0
         xid: 0x0
        secs: 0
       flags: 0x0
     hw_addr: 00:03:47:df:32:a8
   client IP: 192.168.7.20
       my IP: 192.168.7.20
   server IP: 192.168.7.22
  gateway IP: 192.168.0.1
     options:
       subnet mask: 255.255.0.0
      IP broadcast: 192.168.255.255
           gateway: 192.168.0.1
[eth_drv_ioctl] Warning: Driver can't set multi-cast mode
[eth_drv_ioctl] Warning: Driver can't set multi-cast mode
[eth_drv_ioctl] Warning: Driver can't set multi-cast mode
Start OpenSSL
OpenSSL> version
OpenSSL 1.0.0c 2 Dec 2010
OpenSSL>
The RAM filesystem is mounted and /ram is set as the current directory. It is therefore possible to test the generation of keys and certificates into files:
OpenSSL> req -x509 -nodes -days 36500 -subj "/C=GB/ST=England/L=Cambridge/O=eCosCentric/CN=ecoscentric.com" \
         -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
Generating a 1024 bit RSA private key
....................++++++
........++++++
writing new private key to 'mycert.pem'
-----
OpenSSL>
If you want to enter passwords without them being echoed back to the console, you need to enable the TERMIOS support described above.
The eCos hosted openssl command serves as a test for OpenSSL functionality, and is a good check that the library is complete. However, it is of little practical use and has some limitations. While it is possible to generate key files and certificates, it is not then easy to get them off the board for future use, unless they are stored to an external medium such as an SD card. It is recommended, instead, that a host based version of openssl be used for this. Files may then be imported via removable media, or written to the RAM filesystem as described above. Another limitation is that if you run the s_server command, you cannot terminate it. Under Unix/Linux this command relies on catching the signal generated by a Ctrl-C to terminate; there is no support for this under eCos, and the only way to terminate this command is to reboot and reload openssl.
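The following is an added example, not part of the eCos package or its documentation, of the host-side workflow recommended above: it runs the same req command shown earlier on a host with the openssl command line tool on PATH (an assumption), but writes the key and certificate to separate files, uses a 2048-bit key and a one-year validity (choices of this example rather than the 1024-bit, 36500-day values shown on the target), and then checks that the certificate's public key really belongs to the generated private key before the files are copied onto the board. The output prefix and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: host-side key and certificate generation plus sanity checks,
# intended to replace running "req" on the eCos target. Assumes openssl on PATH.
set -e

# Generate a self-signed certificate and a separate unencrypted private key.
# $1 = output prefix (files $1-key.pem and $1-cert.pem), $2 = CN to put in the subject.
gen_selfsigned() {
  openssl req -x509 -nodes -days 365 \
    -subj "/C=GB/ST=England/L=Cambridge/O=eCosCentric/CN=$2" \
    -newkey rsa:2048 -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

# Return success only if the public key embedded in the certificate is the
# public half of the private key in the key file (guards against mismatched files).
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Print the CN from the certificate subject; handles both the older
# "subject= /C=..../CN=x" and the newer "subject=C = ..., CN = x" formats.
cert_subject_cn() {
  openssl x509 -in "$1-cert.pem" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone usage: generate into the current directory and verify.
if [ "${1:-}" = "run" ]; then
  gen_selfsigned ./mycert "ecoscentric.com"
  cert_matches_key ./mycert && echo "key and certificate match"
  echo "CN: $(cert_subject_cn ./mycert)"
fi
```

Keeping the key in its own file (unlike the single mycert.pem produced on the target) lets you copy only the certificate to systems that merely need to verify the board, and carry the private key onto the board's RAM filesystem or removable medium separately.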