Ruby 如何使用 CloudHSM 实现双向 TLS(客户端)
How to use CloudHSM to implement mutual TLS ( client side ) in Ruby
我在阅读了 Whosebug、密码学、信息安全和 CloudHSM 论坛上的所有 CloudHSM 主题后提出了这个问题,但找不到任何有用的信息。任何想法或代码片段都有帮助。
我们有一个 Ruby 应用程序正在通过 X.509 证书请求 Web 服务器,我们应该 generate/host CloudHSM 中的私钥。
我按照 CloudHSM documentation step by step and configured TLS offloading via NGINX and Apache HTTPD 了解它是如何工作的,现在我正在使用 CloudHSM 进行双向 TLS。
我的网络服务器需要客户端证书,我可以通过 cURL 验证:
curl --cert app-selfsigned.crt --key app-selfsigned.key -k https://127.0.0.1/index.html
我还可以使用此 Ruby 代码通过磁盘上的证书进行身份验证:
require 'faraday'
require 'openssl'
def ssl_options
cert_file = File.read "app-selfsigned.crt"
key_file = File.read "app-selfsigned.key"
ssl_options = {
verify: false,
client_cert: OpenSSL::X509::Certificate.new(cert_file),
client_key: OpenSSL::PKey::RSA.new(key_file)
}
end
def connection
dest = "https://127.0.0.1/"
connection = Faraday::Connection.new(dest, ssl: ssl_options)
connection.get
end
irb -I . -r rubytest.rb
connection
cURL 和 Ruby 通过磁盘上的认证进行测试:
我需要在 CloudHSM 中托管 app-selfsigned.key
密钥,我该怎么做?
1) 我可以通过 CloudHSM OpenSSL Dynamic Engine 做到这一点吗?如果是,即使安装了 cloudhsm 引擎 (/opt/cloudhsm/lib/libcloudhsm_openssl.so
),我是否应该在我的代码中每次都加载和安装引擎?
2) 或者我应该通过 p11-kit or pkcs11-openssl
包和 p11tool
命令或 Ruby PKCS#11 使用 PKCS#11?
3) 我是否应该在我的 Ruby 应用程序中添加任何与 n3fips_password
相关的内容?
这是 Ruby 代码,我正在尝试将其与 CloudHSM 一起使用(我使用 FAKE PEM 密钥而不是真正的私钥来指向带有标签 nginx-selfsigned_imported_key
的真实私钥CloudHSM):
require 'faraday'
require 'openssl'
def initialize_openssl
key_label = "nginx-selfsigned_imported_key"
# OpenSSL Engine:
OpenSSL::Engine.load
e = OpenSSL::Engine.by_id('cloudhsm')
e.ctrl_cmd("SO_PATH", "/opt/cloudhsm/lib/libcloudhsm_openssl.so")
e.ctrl_cmd("ID", "cloudhsm")
e.ctrl_cmd("LOAD")
e.load_private_key("CKA_LABEL=#{ key_label }")
end
def ssl_options
cert_file = File.read "app-selfsigned.crt"
key_file = File.read "app-selfsigned_fake_PEM.key"
{
verify: false,
client_cert: OpenSSL::X509::Certificate.new(cert_file),
client_key: OpenSSL::PKey::RSA.new(key_file)
}
end
def connection
dest = "https://127.0.0.1/"
Faraday::Connection.new(dest, ssl: ssl_options)
end
def connect
initialize_openssl
c = connection
c.get
end
irb -I . -r rubytest_cloudhsm.rb
initialize_openssl
但我得到这个错误:
OpenSSL::Engine::EngineError: invalid cmd name
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `ctrl_cmd'
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `initialize_openssl'
from (irb):1
from /bin/irb:12:in `<main>'
逐行添加:
Ruby CloudHSM 错误:
调试日志
OpenSSL 动态引擎已成功安装:
export n3fips_password=<Crypto User Username>:<CU Password>
openssl engine -tt cloudhsm
# (cloudhsm) CloudHSM hardware engine support
# SDK Version: 2.03
# [ available ]
openssl engine -vvvv dynamic -pre SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so -pre ID:cloudhsm -pre LOAD
# (dynamic) Dynamic engine loading support
# [Success]: SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so
# [Success]: ID:cloudhsm
# [Success]: LOAD
# Loaded: (cloudhsm) CloudHSM hardware engine support
openssl speed -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Doing md2 for 3s on 16 size blocks:
# 557992 md2's in 2.99s
openssl version
# OpenSSL 1.0.2k-fips 26 Jan 2017
rpm -qa | grep -i openssl
# openssl-1.0.2k-16.amzn2.1.1.x86_64
# openssl-libs-1.0.2k-16.amzn2.1.1.x86_64
OpenSSL CloudHSM 动态引擎共享对象位于正确的位置:
ls -ltrha /usr/lib64/openssl/engines/libcloudhsm.so
lrwxrwxrwx 1 root root 40 Aug 7 09:56 /usr/lib64/openssl/engines/libcloudhsm.so -> /opt/cloudhsm/lib/libcloudhsm_openssl.so
libcloudhsm_openssl.so:
OS:
cat /etc/os-release
# NAME="Amazon Linux"
# VERSION="2"
# ID="amzn"
# ID_LIKE="centos rhel fedora"
# VERSION_ID="2"
# PRETTY_NAME="Amazon Linux 2"
# ANSI_COLOR="0;33"
# CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
# HOME_URL="https://amazonlinux.com/"
uname -a
# Linux hsm.example.net 4.14.133-113.112.amzn2.x86_64 #1 SMP Tue Jul 30 18:29:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
rpm -qa | grep -i cloudhsm-client
# cloudhsm-client-2.0.3-3.el7.x86_64
# cloudhsm-client-dyn-2.0.3-3.el6.x86_64
我可以在有或没有 CloudHSM 引擎的情况下检查私钥和 public 密钥:
app-selfsigned.crt: Public Key
app-selfsigned.key: Private key has been exported from CloudHSM
app-selfsigned_fake_PEM.key: Fake private key pointing to real private key inside CloudHSM generated by getCaviumPrivKey -k 14 -out app-selfsigned_fake_PEM.key
# Test without CloudHSM:
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key
# Using default temp DH parameters
# ACCEPT
# Test with CloudHSM engine
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT
为了确保我在 CloudHSM 中请求正确的密钥,我配置了 app-selfsigned.crt
和 app-selfsigned_fake_PEM.key
以通过 NGINX 进行 TLS 卸载:
/etc/nginx/nginx.conf:
ssl_engine cloudhsm;
ssl_certificate "/etc/pki/nginx/app-selfsigned.crt";
ssl_certificate_key "/etc/pki/nginx/private/app-selfsigned_fake_PEM.key";
nginx -t
# SDK Version: 2.03
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl start nginx && systemctl status nginx
# Aug 13 11:21:33 hsm.example.net nginx[13046]: SDK Version: 2.03
通过 OpenSSL 检查证书文件:
openssl x509 -in app-selfsigned.crt -text -noout
# Serial Number: c7:c4:07:a6:78:22:2e:ff
# Subject: C=AA, ST=AA, L=AA, O=AA, OU=AA, CN=a.com/emailAddress=a@a.com
通过 Firefox 检查证书:
通过 key_mgmt_util 和 cloudhsm_mgmt_util 检查 CloudHSM 内的私钥:
/opt/cloudhsm/bin/key_mgmt_util
loginHSM -u CU -s CUADMIN -p CUPASSWORD
findSingleKey -k 14
# Cfm3FindSingleKey returned: 0x00 : HSM Return: SUCCESS
getKeyInfo -k 14
# Cfm3GetKey returned: 0x00 : HSM Return: SUCCESS
# Owned by user: 6
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
enable_e2e
loginHSM CU CUADMIN CUPASSWORD
getAttribute 14 0
# OBJ_ATTR_CLASS
# 0x00000003
# 3: Private key in a public–private key pair.
getAttribute 14 2
# OBJ_ATTR_PRIVATE
# 0x00000001
# 1: True. This attribute indicates whether unauthenticated users can list the attributes of the key. Since the CloudHSM PKCS#11 provider currently does not support public sessions, all keys (including public keys in a public-private key pair) have this attribute set to 1.
getAttribute 14 3
# OBJ_ATTR_LABEL
# nginx-selfsigned_imported_key
getAttribute 14 256
# OBJ_ATTR_KEY_TYPE
# 0x00000000
# 0: RSA.
如果您使用另一种语言的 CloudHSM 双向 TLS,请在此处粘贴您的代码,以便我理解并在 Ruby 中实现它。
提前致谢。
对于后来看到此问题的任何人,这里有一个示例 Ruby 代码适用于 Amazon CloudHSM:
require 'openssl'
require 'base64'
FAKE_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_fake_private.key"
REAL_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_real_private_exported.key"
PUB_KEY = "/root/ruby/ruby_key_inside_hsm/pubkey.pem"
STR = "test string"
def encrypt(str)
pubkey = OpenSSL::PKey::RSA.new(File.read(PUB_KEY))
Base64.encode64(pubkey.public_encrypt(str))
end
def decrypt(str, key)
OpenSSL::Engine.load
privkey = OpenSSL::PKey::RSA.new(File.read(key))
privkey.private_decrypt(Base64.decode64(str))
end
def estr
encrypt(STR)
end
def real_dec
decrypt(estr, REAL_KEY)
end
def hsm_dec
OpenSSL::Engine.load
OpenSSL::Engine.by_id('cloudhsm')
decrypt(estr, FAKE_KEY)
end
目前我们正在努力将其添加到生产环境中。
我在阅读了 Whosebug、密码学、信息安全和 CloudHSM 论坛上的所有 CloudHSM 主题后提出了这个问题,但找不到任何有用的信息。任何想法或代码片段都有帮助。
我们有一个 Ruby 应用程序正在通过 X.509 证书请求 Web 服务器,我们应该 generate/host CloudHSM 中的私钥。
我按照 CloudHSM documentation step by step and configured TLS offloading via NGINX and Apache HTTPD 了解它是如何工作的,现在我正在使用 CloudHSM 进行双向 TLS。
我的网络服务器需要客户端证书,我可以通过 cURL 验证:
curl --cert app-selfsigned.crt --key app-selfsigned.key -k https://127.0.0.1/index.html
我还可以使用此 Ruby 代码通过磁盘上的证书进行身份验证:
require 'faraday'
require 'openssl'
def ssl_options
cert_file = File.read "app-selfsigned.crt"
key_file = File.read "app-selfsigned.key"
ssl_options = {
verify: false,
client_cert: OpenSSL::X509::Certificate.new(cert_file),
client_key: OpenSSL::PKey::RSA.new(key_file)
}
end
def connection
dest = "https://127.0.0.1/"
connection = Faraday::Connection.new(dest, ssl: ssl_options)
connection.get
end
irb -I . -r rubytest.rb
connection
cURL 和 Ruby 通过磁盘上的认证进行测试:
我需要在 CloudHSM 中托管 app-selfsigned.key
密钥,我该怎么做?
1) 我可以通过 CloudHSM OpenSSL Dynamic Engine 做到这一点吗?如果是,即使安装了 cloudhsm 引擎 (/opt/cloudhsm/lib/libcloudhsm_openssl.so
),我是否应该在我的代码中每次都加载和安装引擎?
2) 或者我应该通过 p11-kit or pkcs11-openssl
包和 p11tool
命令或 Ruby PKCS#11 使用 PKCS#11?
3) 我是否应该在我的 Ruby 应用程序中添加任何与 n3fips_password
相关的内容?
这是 Ruby 代码,我正在尝试将其与 CloudHSM 一起使用(我使用 FAKE PEM 密钥而不是真正的私钥来指向带有标签 nginx-selfsigned_imported_key
的真实私钥CloudHSM):
require 'faraday'
require 'openssl'
def initialize_openssl
key_label = "nginx-selfsigned_imported_key"
# OpenSSL Engine:
OpenSSL::Engine.load
e = OpenSSL::Engine.by_id('cloudhsm')
e.ctrl_cmd("SO_PATH", "/opt/cloudhsm/lib/libcloudhsm_openssl.so")
e.ctrl_cmd("ID", "cloudhsm")
e.ctrl_cmd("LOAD")
e.load_private_key("CKA_LABEL=#{ key_label }")
end
def ssl_options
cert_file = File.read "app-selfsigned.crt"
key_file = File.read "app-selfsigned_fake_PEM.key"
{
verify: false,
client_cert: OpenSSL::X509::Certificate.new(cert_file),
client_key: OpenSSL::PKey::RSA.new(key_file)
}
end
def connection
dest = "https://127.0.0.1/"
Faraday::Connection.new(dest, ssl: ssl_options)
end
def connect
initialize_openssl
c = connection
c.get
end
irb -I . -r rubytest_cloudhsm.rb
initialize_openssl
但我得到这个错误:
OpenSSL::Engine::EngineError: invalid cmd name
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `ctrl_cmd'
from /root/self-signed/app-selfsigned/rubytest_cloudhsm.rb:9:in `initialize_openssl'
from (irb):1
from /bin/irb:12:in `<main>'
逐行添加:
Ruby CloudHSM 错误:
调试日志
OpenSSL 动态引擎已成功安装:
export n3fips_password=<Crypto User Username>:<CU Password>
openssl engine -tt cloudhsm
# (cloudhsm) CloudHSM hardware engine support
# SDK Version: 2.03
# [ available ]
openssl engine -vvvv dynamic -pre SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so -pre ID:cloudhsm -pre LOAD
# (dynamic) Dynamic engine loading support
# [Success]: SO_PATH:/opt/cloudhsm/lib/libcloudhsm_openssl.so
# [Success]: ID:cloudhsm
# [Success]: LOAD
# Loaded: (cloudhsm) CloudHSM hardware engine support
openssl speed -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Doing md2 for 3s on 16 size blocks:
# 557992 md2's in 2.99s
openssl version
# OpenSSL 1.0.2k-fips 26 Jan 2017
rpm -qa | grep -i openssl
# openssl-1.0.2k-16.amzn2.1.1.x86_64
# openssl-libs-1.0.2k-16.amzn2.1.1.x86_64
OpenSSL CloudHSM 动态引擎共享对象位于正确的位置:
ls -ltrha /usr/lib64/openssl/engines/libcloudhsm.so
lrwxrwxrwx 1 root root 40 Aug 7 09:56 /usr/lib64/openssl/engines/libcloudhsm.so -> /opt/cloudhsm/lib/libcloudhsm_openssl.so
libcloudhsm_openssl.so:
OS:
cat /etc/os-release
# NAME="Amazon Linux"
# VERSION="2"
# ID="amzn"
# ID_LIKE="centos rhel fedora"
# VERSION_ID="2"
# PRETTY_NAME="Amazon Linux 2"
# ANSI_COLOR="0;33"
# CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
# HOME_URL="https://amazonlinux.com/"
uname -a
# Linux hsm.example.net 4.14.133-113.112.amzn2.x86_64 #1 SMP Tue Jul 30 18:29:50 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
rpm -qa | grep -i cloudhsm-client
# cloudhsm-client-2.0.3-3.el7.x86_64
# cloudhsm-client-dyn-2.0.3-3.el6.x86_64
我可以在有或没有 CloudHSM 引擎的情况下检查私钥和 public 密钥:
app-selfsigned.crt: Public Key
app-selfsigned.key: Private key has been exported from CloudHSM
app-selfsigned_fake_PEM.key: Fake private key pointing to real private key inside CloudHSM generated by getCaviumPrivKey -k 14 -out app-selfsigned_fake_PEM.key
# Test without CloudHSM:
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key
# Using default temp DH parameters
# ACCEPT
# Test with CloudHSM engine
openssl s_server -cert app-selfsigned.crt -key app-selfsigned.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT
openssl s_server -cert app-selfsigned.crt -key app-selfsigned_fake_PEM.key -engine cloudhsm
# SDK Version: 2.03
# engine "cloudhsm" set.
# Using default temp DH parameters
# ACCEPT
为了确保我在 CloudHSM 中请求正确的密钥,我配置了 app-selfsigned.crt
和 app-selfsigned_fake_PEM.key
以通过 NGINX 进行 TLS 卸载:
/etc/nginx/nginx.conf:
ssl_engine cloudhsm;
ssl_certificate "/etc/pki/nginx/app-selfsigned.crt";
ssl_certificate_key "/etc/pki/nginx/private/app-selfsigned_fake_PEM.key";
nginx -t
# SDK Version: 2.03
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl start nginx && systemctl status nginx
# Aug 13 11:21:33 hsm.example.net nginx[13046]: SDK Version: 2.03
通过 OpenSSL 检查证书文件:
openssl x509 -in app-selfsigned.crt -text -noout
# Serial Number: c7:c4:07:a6:78:22:2e:ff
# Subject: C=AA, ST=AA, L=AA, O=AA, OU=AA, CN=a.com/emailAddress=a@a.com
通过 Firefox 检查证书:
通过 key_mgmt_util 和 cloudhsm_mgmt_util 检查 CloudHSM 内的私钥:
/opt/cloudhsm/bin/key_mgmt_util
loginHSM -u CU -s CUADMIN -p CUPASSWORD
findSingleKey -k 14
# Cfm3FindSingleKey returned: 0x00 : HSM Return: SUCCESS
getKeyInfo -k 14
# Cfm3GetKey returned: 0x00 : HSM Return: SUCCESS
# Owned by user: 6
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
enable_e2e
loginHSM CU CUADMIN CUPASSWORD
getAttribute 14 0
# OBJ_ATTR_CLASS
# 0x00000003
# 3: Private key in a public–private key pair.
getAttribute 14 2
# OBJ_ATTR_PRIVATE
# 0x00000001
# 1: True. This attribute indicates whether unauthenticated users can list the attributes of the key. Since the CloudHSM PKCS#11 provider currently does not support public sessions, all keys (including public keys in a public-private key pair) have this attribute set to 1.
getAttribute 14 3
# OBJ_ATTR_LABEL
# nginx-selfsigned_imported_key
getAttribute 14 256
# OBJ_ATTR_KEY_TYPE
# 0x00000000
# 0: RSA.
如果您使用另一种语言的 CloudHSM 双向 TLS,请在此处粘贴您的代码,以便我理解并在 Ruby 中实现它。
提前致谢。
对于后来看到此问题的任何人,这里有一个示例 Ruby 代码适用于 Amazon CloudHSM:
require 'openssl'
require 'base64'
FAKE_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_fake_private.key"
REAL_KEY = "/root/ruby/ruby_key_inside_hsm/ruby_hsm_real_private_exported.key"
PUB_KEY = "/root/ruby/ruby_key_inside_hsm/pubkey.pem"
STR = "test string"
def encrypt(str)
pubkey = OpenSSL::PKey::RSA.new(File.read(PUB_KEY))
Base64.encode64(pubkey.public_encrypt(str))
end
def decrypt(str, key)
OpenSSL::Engine.load
privkey = OpenSSL::PKey::RSA.new(File.read(key))
privkey.private_decrypt(Base64.decode64(str))
end
def estr
encrypt(STR)
end
def real_dec
decrypt(estr, REAL_KEY)
end
def hsm_dec
OpenSSL::Engine.load
OpenSSL::Engine.by_id('cloudhsm')
decrypt(estr, FAKE_KEY)
end
目前我们正在努力将其添加到生产环境中。