CloudHSM

CloudHSM

关注
发信
关注(28)粉丝(399)

ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)

在阅读完StackOverflow、Cryptography、InformationSecurity和CloudHSM论坛上的所有CloudHSM主题后,我提出了这个问题,但找不到任何有用的东西。任何想法或代码片段都是有用的。
我们有一个ruby应用程序,它通过x.509证书向web服务器请求,我们应该在cloudhsm中生成/托管私钥。
我一步一步地遵循CloudHSM documentation并配置TLS offloading via NGINX and Apache HTTPD以了解它是如何工作的,现在我正在使用cloudhsm处理相互tls。
我的web服务器需要客户端证书,我可以通过cURL验证:

curl --cert app-selfsigned.crt --key app-selfsigned.key  -k https://127.0.0.1/index.html

我还可以使用这个ruby代码通过磁盘上的证书进行身份验证:
require 'faraday'
require 'openssl'

def ssl_options
  cert_file = File.read "app-selfsigned.crt"
  key_file = File.read "app-selfsigned.key"
  ssl_options = {
    verify: false,
    client_cert: OpenSSL::X509::Certificate.new(cert_file),
    client_key: OpenSSL::PKey::RSA.new(key_file)
  }
end

def connection
  dest = "https://127.0.0.1/"
  connection = Faraday::Connection.new(dest, ssl: ssl_options)
  connection.get
end


irb -I . -r rubytest.rb
connection

curl和ruby测试通过磁盘认证:
ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)-LMLPHP
我需要在cloudhsm中托管app-selfsigned.key键,我该怎么做?
1)我可以通过CloudHSM OpenSSL Dynamic Engine来完成吗?如果是,即使在cloudhsm引擎安装(/opt/cloudhsm/lib/libcloudhsm_openssl.so)之后,我是否应该每次在代码中加载并安装引擎?
2)还是应该通过p11-kit or pkcs11-openssl包和p11tool命令或Ruby PKCS 11使用PKCS#11?
3)我应该在我的ruby应用程序中添加任何与n3fips_password相关的东西吗?
下面是我尝试使用cloudhsm的ruby代码(我使用假pem密钥而不是真正的私钥来指向cloudhsm中标签为nginx-selfsigned_imported_key的真正私钥):
require 'faraday'
require 'openssl'

def initialize_openssl
  key_label = "nginx-selfsigned_imported_key"
  # OpenSSL Engine:
  OpenSSL::Engine.load
  e = OpenSSL::Engine.by_id('cloudhsm')
  e.ctrl_cmd("SO_PATH", "/opt/cloudhsm/lib/libcloudhsm_openssl.so")
  e.ctrl_cmd("ID", "cloudhsm")
  e.ctrl_cmd("LOAD")
  e.load_private_key("CKA_LABEL=#{ key_label }")
end

def ssl_options
  cert_file = File.read "app-selfsigned.crt"
  key_file = File.read "app-selfsigned_fake_PEM.key"
  {
    verify: false,
    client_cert: OpenSSL::X509::Certificate.new(cert_file),
    client_key: OpenSSL::PKey::RSA.new(key_file)
  }
end

def connection
  dest = "https://127.0.0.1/"
  Faraday::Connection.new(dest, ssl: ssl_options)
end

def connect
  initialize_openssl
  c = connection
  c.get
end


irb -I . -r rubytest_cloudhsm.rb
initialize_openssl

但我有个错误:
OpenSSL::Engine::EngineError: invalid cmd name
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `ctrl_cmd'
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `initialize_openssl'
from (irb):1
from /bin/irb:12:in `<main>'

逐行添加:
ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)-LMLPHP
CloudHSM的Ruby错误:
ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)-LMLPHP
调试日志
已成功安装OpenSSL动态引擎:
export n3fips_password=<Crypto User Username>:<CU Password>
openssl engine -tt cloudhsm
# (cloudhsm) CloudHSM hardware engine support
#       SDK Version: 2.03
# [ available ]
openssl engine -vvvv dynamic -pre SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so -pre ID:cloudhsm -pre LOAD
# (dynamic) Dynamic engine loading support
# [Success]: SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so
# [Success]: ID:cloudhsm
# [Success]: LOAD
# Loaded: (cloudhsm) CloudHSM hardware engine support
openssl speed -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Doing md2 for 3s on 16 size blocks:
# 557992 md2's in 2.99s
openssl version
# OpenSSL 1.0.2k-fips  26 Jan 2017
rpm -qa | grep -i openssl
# openssl-1.0.2k-16.amzn2.1.1.x86_64
# openssl-libs-1.0.2k-16.amzn2.1.1.x86_64

OpenSSL CloudHSM动态引擎共享对象位于正确的位置:
ls -ltrha /usr/lib64/openssl/engines/libcloudhsm.so
lrwxrwxrwx 1 root root 40 Aug  7 09:56 /usr/lib64/openssl/engines/libcloudhsm.so -> /opt/cloudhsm/lib/libcloudhsm_openssl.so

libcloudhsm_openssl.so:
ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)-LMLPHP
操作系统:
cat /etc/os-release
# NAME="Amazon Linux"
# VERSION="2"
# ID="amzn"
# ID_LIKE="centos rhel fedora"
# VERSION_ID="2"
# PRETTY_NAME="Amazon Linux 2"
# ANSI_COLOR="0;33"
# CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
# HOME_URL="https://amazonlinux.com/"
uname -a
# Linux hsm.example.net 4.14.133-113.112.amzn2.x86_64 #1 SMP Tue Jul 30 18:29:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux


rpm -qa | grep -i cloudhsm-client
# cloudhsm-client-2.0.3-3.el7.x86_64
# cloudhsm-client-dyn-2.0.3-3.el6.x86_64

我可以使用或不使用CloudHSM引擎检查私钥和公钥:
app-selfsigned.crt: Public Key
app-selfsigned.key: Private key has been exported from CloudHSM
app-selfsigned_fake_PEM.key: Fake private key pointing to real private key inside CloudHSM generated by getCaviumPrivKey -k 14 -out app-selfsigned_fake_PEM.key


# Test without CloudHSM:
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key
# Using default temp DH parameters
# ACCEPT


# Test with CloudHSM engine
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT

为了确保在CloudHSM中请求正确的密钥,我为通过NGINX卸载TLS配置了app-selfsigned.crtapp-selfsigned_fake_PEM.key
/etc/nginx/nginx.conf文件:
ssl_engine cloudhsm;
ssl_certificate "/etc/pki/nginx/app-selfsigned.crt";
ssl_certificate_key "/etc/pki/nginx/private/app-selfsigned_fake_PEM.key";


nginx -t
# SDK Version: 2.03
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl start nginx && systemctl status nginx
# Aug 13 11:21:33 hsm.example.net nginx[13046]: SDK Version: 2.03

通过openssl检查证书文件:
openssl x509 -in app-selfsigned.crt -text -noout
# Serial Number: c7:c4:07:a6:78:22:2e:ff
# Subject: C=AA, ST=AA, L=AA, O=AA, OU=AA, CN=a.com/[email protected]

通过Firefox进行证书检查:
ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端)-LMLPHP
通过key_mgmt_util和CloudHSM_mgmt_util检查CloudHSM中的私钥:
/opt/cloudhsm/bin/key_mgmt_util
loginHSM -u CU -s CUADMIN -p CUPASSWORD
findSingleKey -k 14
# Cfm3FindSingleKey returned: 0x00 : HSM Return: SUCCESS
getKeyInfo -k 14
# Cfm3GetKey returned: 0x00 : HSM Return: SUCCESS
# Owned by user: 6


/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
enable_e2e
loginHSM CU CUADMIN CUPASSWORD

getAttribute 14 0
# OBJ_ATTR_CLASS
# 0x00000003
# 3: Private key in a public–private key pair.
getAttribute 14 2
# OBJ_ATTR_PRIVATE
# 0x00000001
# 1: True. This attribute indicates whether unauthenticated users can list the attributes of the key. Since the CloudHSM PKCS#11 provider currently does not support public sessions, all keys (including public keys in a public-private key pair) have this attribute set to 1.
getAttribute 14 3
# OBJ_ATTR_LABEL
# nginx-selfsigned_imported_key
getAttribute 14 256
# OBJ_ATTR_KEY_TYPE
# 0x00000000
# 0: RSA.

如果您在另一种语言中使用CloudHSM mutual TLS,请将您的代码粘贴到这里,这样我就可以得到这个想法并用Ruby实现它。
提前谢谢。

最佳答案

对于以后看到这个问题的人,下面是一个使用Amazon CloudHSM的Ruby代码示例:

require 'openssl'
require 'base64'

FAKE_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_fake_private.key"
REAL_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_real_private_exported.key"
PUB_KEY = "/root/ruby/ruby_key_inside_hsm/pubkey.pem"

STR = "test string"

def encrypt(str)
  pubkey = OpenSSL::PKey::RSA.new(File.read(PUB_KEY))
  Base64.encode64(pubkey.public_encrypt(str))
end

def decrypt(str, key)
  OpenSSL::Engine.load
  privkey = OpenSSL::PKey::RSA.new(File.read(key))
  privkey.private_decrypt(Base64.decode64(str))
end


def estr
  encrypt(STR)
end

def real_dec
  decrypt(estr, REAL_KEY)
end

def hsm_dec
  OpenSSL::Engine.load
  OpenSSL::Engine.by_id('cloudhsm')
  decrypt(estr, FAKE_KEY)
end

现在我们正在努力将其添加到生产环境中。

关于ruby-on-rails - 如何使用CloudHSM在Ruby中实现双向TLS(客户端),我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/57475901/

10-12 01:52
Powered by LMLPHP ©2024 CloudHSM 0.030738