
Commit 600bc32

author
“sahmad154”
committed
Remove system OpenSSL and add engine verification
- Remove pre-installed OpenSSL packages (openssl, libssl-dev) before building - Add PKCS#11 engine verification after linking - Align with working production setup flow (ci-setup-environment.sh) - Ensures only patched OpenSSL 3.0.5 is available in container - Eliminates version conflicts between system and custom OpenSSL
1 parent a627abd commit 600bc32


1 file changed

+26
-4
lines changed


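--- a/native-platform/scripts/setup-pkcs11-openssl.sh
+++ b/native-platform/scripts/setup-pkcs11-openssl.sh
@@ -18,17 +18,22 @@ echo "[setup-pkcs11-openssl] Starting OpenSSL ${OPENSSL_VERSION} setup with PKCS
 if [ -f "${INSTALL_PREFIX}/bin/openssl" ]; then
 INSTALLED_VERSION=$(${INSTALL_PREFIX}/bin/openssl version 2>/dev/null | awk '{print $2}')
 if [ "$INSTALLED_VERSION" = "$OPENSSL_VERSION" ]; then
-echo "[setup-pkcs11-openssl] OpenSSL ${OPENSSL_VERSION} already installed"
-echo "[setup-pkcs11-openssl] NOTE: System libssl3 remains for system tools, custom OpenSSL in /usr/local for P12 patch"
+echo "[setup-pkcs11-openssl] OpenSSL ${OPENSSL_VERSION} with PKCS#11 patch already installed"
 exit 0
 else
 echo "[setup-pkcs11-openssl] Found OpenSSL $INSTALLED_VERSION, will replace with $OPENSSL_VERSION"
-# Remove old version
+# Remove old version from /usr/local
 rm -f ${INSTALL_PREFIX}/bin/openssl
 rm -f ${INSTALL_PREFIX}/lib/libssl.* ${INSTALL_PREFIX}/lib/libcrypto.*
 fi
 fi
 
+# Remove pre-installed system OpenSSL to avoid conflicts
+echo "[setup-pkcs11-openssl] Removing pre-installed system OpenSSL..."
+apt-get remove -y openssl libssl-dev 2>/dev/null || true
+apt-get autoremove -y 2>/dev/null || true
+echo "[setup-pkcs11-openssl] System OpenSSL removed"
+
 # Download OpenSSL
 if [ ! -d "$OPENSSL_DIR" ]; then
 echo "[setup-pkcs11-openssl] Downloading OpenSSL ${OPENSSL_VERSION}..."
@@ -93,7 +98,24 @@ ldconfig
 # Create symlink for PKCS#11 engine (OpenSSL looks in ENGINESDIR=/usr/local/lib64/engines-3)
 echo "[setup-pkcs11-openssl] Creating PKCS#11 engine symlink..."
 mkdir -p /usr/local/lib64/engines-3
-ln -sf /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so /usr/local/lib64/engines-3/pkcs11.so
+
+# Detect architecture and create appropriate symlink
+if [ -f "/usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so" ]; then
+ln -sf /usr/lib/aarch64-linux-gnu/engines-3/pkcs11.so /usr/local/lib64/engines-3/pkcs11.so
+echo "[setup-pkcs11-openssl] ✓ PKCS#11 engine linked (aarch64)"
+elif [ -f "/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so" ]; then
+ln -sf /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so /usr/local/lib64/engines-3/pkcs11.so
+echo "[setup-pkcs11-openssl] ✓ PKCS#11 engine linked (x86_64)"
+else
+echo "[setup-pkcs11-openssl] ✗ WARNING: PKCS#11 engine not found for this architecture"
+fi
+
+# Verify PKCS#11 engine is available
+if ${INSTALL_PREFIX}/bin/openssl engine -t -c pkcs11 2>&1 | grep -q "pkcs11"; then
+echo "[setup-pkcs11-openssl] ✓ PKCS#11 engine verified and available"
+else
+echo "[setup-pkcs11-openssl] ✗ WARNING: PKCS#11 engine not detected by OpenSSL"
+fi
 
 # Verify installation
 FINAL_VERSION=$(${INSTALL_PREFIX}/bin/openssl version 2>/dev/null | awk '{print $2}')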
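Review bot: The check under `# Verify PKCS#11 engine is available` cannot distinguish success from failure: stderr is merged into the pipe and `grep -q "pkcs11"` also matches the engine id and `pkcs11.so` path that OpenSSL typically prints in its load-error output, so a missing or unloadable engine can still report "verified and available". Match the marker that `-t` prints instead, e.g. `if "${INSTALL_PREFIX}/bin/openssl" engine -t pkcs11 2>/dev/null | grep -qF '[ available ]'; then`, and have this `else` and the architecture-detection `else` end in `exit 1` rather than a warning, so later steps never run without the engine. In the first hunk `apt-get remove -y openssl libssl-dev 2>/dev/null || true` is followed by an unconditional "System OpenSSL removed", and the `libssl3` runtime named in the deleted NOTE line is not in the remove list, so neither that message nor the commit's "only patched OpenSSL" claim is actually checked. It is also worth confirming that `apt-get autoremove -y` cannot drop the distro package that ships `/usr/lib/*/engines-3/pkcs11.so`, which the symlink below depends on; the rest of the script is outside these hunks.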
