
azurekeyvaultmanagedhsmengine's Issues

Does this engine work with OpenSSL 3.0?

Hello, there.

Does this engine work with OpenSSL 3.0?
I'm worried about whether this engine uses deprecated functions or not.
If it works with 3.0, is there some method to compile it with OpenSSL 3.0?

Running on a VM without a managed identity causes a segfault

I built the engine on an azure VM using the default "Linux (ubuntu 20.04)" image, and ran it as follows:

echo hello | openssl dgst -d -sha1 -engine e_akv -keyform engine -sign vault:my-vault:my-key -out sign.out

The result was:

engine "e_akv" set.
Segmentation fault (core dumped)

Then, in the Azure portal, I went to the VM resource, selected Identity, System assigned, selected On, and saved. I reran the above command and the result was:

engine "e_akv" set.
[e] AkvGetKey curl.c(416) no kty defined in returned json:
{
   "error": {
     "code": "Forbidden",
     "message": "The user, group or application 'appid=<uuid>;oid=<uuid>;iss=https:\/\/sts.windows.net\/<uuid>\/' does not have keys get permission on key vault 'vault-name;location=westus'. For help resolving this issue, please see https:\/\/go.microsoft.com\/fwlink\/?linkid=2125287",
     "innererror": {
       "code": "AccessDenied"
     }
   }
 }

cannot load key file from engine
140131011724608:error:8010E103:lib(128):akv_load_key_cert:load public key error:/home/azureuser/AzureKeyVaultManagedHSMEngine/src/dllmain.c:203:
140131011724608:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load key file
BIO[0x56271ad96d80]: Free - FILE pointer

This is a more user-friendly error message and closer to what I was expecting before the managed identity was enabled.

You should be able to reproduce this easily, but here are the versions of everything I was using:

this repo: 9e89f8d
openssl: OpenSSL 1.1.1f 31 Mar 2020
libjson-c-dev: 0.13.1+dfsg-7ubuntu0.3
libssl-dev: 1.1.1f-1ubuntu2.11
libcurl4-openssl-dev: 7.68.0-1ubuntu2.7
cmake version 3.16.3
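Added example, not code from the AzureKeyVaultManagedHSMEngine repo: the checks a key-loading path would make so that a missing token (the no-managed-identity case) or an error envelope like the one above turns into a message for the caller rather than a crash. The response bodies are constructed to mirror the shapes shown in this issue, `fetch` stands in for the engine's HTTPS call, and the function and exception names are mine.

```python
import json

# Constructed sample bodies shaped like the ones in the issue (not captured output).
FORBIDDEN_BODY = json.dumps({
    "error": {
        "code": "Forbidden",
        "message": "The user, group or application 'appid=<uuid>;oid=<uuid>' does not "
                   "have keys get permission on key vault 'vault-name;location=westus'.",
        "innererror": {"code": "AccessDenied"},
    }
})
OK_BODY = json.dumps({
    "key": {
        "kid": "https://my-vault.vault.azure.net/keys/my-key/0123456789abcdef",  # placeholder
        "kty": "RSA",
        "n": "AQAB...",   # truncated placeholder modulus
        "e": "AQAB",
    }
})

# Key Vault's asymmetric key types; an engine key cannot be built from an "oct" key.
ASYMMETRIC_KTY = ("RSA", "RSA-HSM", "EC", "EC-HSM")


class AkvError(Exception):
    """Reported to the caller instead of taking down the OpenSSL process."""


def parse_get_key_response(status, body):
    """Validate a GET /keys/{name} response; return the JWK dict or raise AkvError."""
    if not body:
        raise AkvError(f"HTTP {status}: empty response body")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise AkvError(f"HTTP {status}: body is not JSON ({exc})") from exc
    if not isinstance(doc, dict):
        raise AkvError(f"HTTP {status}: unexpected JSON shape")
    if "error" in doc:                                   # Key Vault error envelope
        err = doc["error"] or {}
        inner = (err.get("innererror") or {}).get("code")
        code = err.get("code", "unknown") + (f"/{inner}" if inner else "")
        raise AkvError(f"HTTP {status} {code}: {err.get('message', '')}")
    key = doc.get("key")
    if not isinstance(key, dict) or "kty" not in key:
        raise AkvError(f"HTTP {status}: no kty defined in returned json")
    if key["kty"] not in ASYMMETRIC_KTY:
        raise AkvError(f"key type {key['kty']!r} cannot back an OpenSSL engine key")
    return key


def load_key(token, fetch):
    """Refuse to call the vault without a token, then validate whatever comes back.

    Returns (key, None) on success or (None, error_message) on failure.
    """
    if not token:
        return None, ("no access token: no managed identity is assigned to this VM "
                      "and no other credential is configured")
    try:
        status, body = fetch(token)                      # fetch is a hypothetical HTTPS call
        return parse_get_key_response(status, body), None
    except AkvError as exc:
        return None, str(exc)


if __name__ == "__main__":
    for tok, resp in [(None, (200, OK_BODY)), ("tok", (403, FORBIDDEN_BODY)), ("tok", (200, OK_BODY))]:
        print(load_key(tok, lambda _t, r=resp: r))
```

The two failure cases in the issue map onto the first two branches: no identity means no token, so the vault is never called; an identity without the "keys get" permission yields the Forbidden envelope, whose code and innererror code are surfaced verbatim.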

Use CLI Credentials to connect to Managed HSM

Hi folks @liupums @chkimes @mattsains, This repo is what exactly I was looking for, for using openssl to access the Managed HSM or Key Vault.

Is there a way to use CLI Credentials to use the Managed HSM for signing? Currently it depends on Managed Identity. I have given access to my login as Managed HSM Crypto User to /keys and that should suffice for accessing the managed HSM. Could you please help? (Azure SDK for Python's hello_world.py example can use AzureCLICredential to create keys in HSM, and sign is also an operation supported by the SDK (as per documentation).) Thanks.

Here is a screenshot:

[screenshot not captured]

Doesn't the e_akv engine work with the openssl ts command?

With liupums's great example, I succeeded in getting nginx SSL to work with the e_akv engine.
Thanks!

I have another issue: does the e_akv engine support the openssl ts command?
I ran an openssl ts command as follows and got an error.

Do I have to do some additional procedures for it?

openssl ts -reply -queryfile ./index.php.tsq -config ../rootca.conf -engine e_akv -inkey managedHsm:ContosoMHSM2:testrsakey -signer ./tsa.pem -out index.php.tsr
Using configuration from ../rootca.conf
Response is not generated.
139705588585792:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('managedHsm:ContosoMHSM2:testrsakey','r')
139705588585792:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
139705588585792:error:2F09B08A:time stamp routines:TS_CONF_load_key:cannot load private key:../crypto/ts/ts_conf.c:97:

akv_rsa_priv_enc function should be for signing

Hi,

I think the akv_rsa_priv_enc function should be for signing and not for encryption, to be consistent with the rsa_ossl_private_encrypt function in openssl. More specifically, the result of akv_rsa_priv_enc should be the message padded with the signature padding (e.g. EMSA-PKCS1-V1_5-ENCODE) raised to the private exponent.

The current akv_rsa_priv_enc function seems like it should be named akv_rsa_pub_enc instead.

Thanks,

Alex
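Added illustration, not the engine's code: a pure-Python rendering of the two RSA private-key paths Alex contrasts, with the PKCS#1 v1.5 block types written out, so the contract an RSA priv_enc callback is expected to satisfy is concrete. The key generation is a throwaway Miller-Rabin routine included only so the block runs offline (with the engine the private exponent never leaves the vault or HSM); all function names are mine.

```python
import hashlib
import secrets


# Toy RSA key generation so the block runs offline (demo only).
def _is_probable_prime(n, rounds=32):
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                     # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(p):
            return p


def generate_key(bits=1024):
    """Return (n, e, d). e = 65537 is prime, so gcd(e, phi) == 1 unless e divides phi."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)


def _k(n):
    return (n.bit_length() + 7) // 8            # modulus length in bytes


# RFC 8017 PKCS#1 v1.5 blocks: type 1 is for signing, type 2 is for encryption.
def _pad(data, k, block_type):
    if len(data) > k - 11:
        raise ValueError("data too long for the modulus")
    if block_type == 1:                         # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 D
        ps = b"\xff" * (k - len(data) - 3)
    else:                                       # RSAES-PKCS1-v1_5: 00 02 <non-zero random> 00 D
        ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(data) - 3))
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def _unpad(em, block_type):
    sep = em.find(b"\x00", 2)                   # PS is at least 8 bytes, so sep >= 10
    if em[0] != 0 or em[1] != block_type or sep < 10:
        raise ValueError("bad PKCS#1 v1.5 block")
    if block_type == 1 and set(em[2:sep]) != {0xff}:
        raise ValueError("bad type-1 padding string")
    return em[sep + 1:]


def rsa_private_encrypt(data, key):
    """The signing primitive: what rsa_ossl_private_encrypt computes with RSA_PKCS1_PADDING."""
    n, _, d = key
    em = int.from_bytes(_pad(data, _k(n), 1), "big")
    return pow(em, d, n).to_bytes(_k(n), "big")


def rsa_public_decrypt(sig, key):
    """Verifier side: sig^e mod n must be a well-formed type-1 block; returns its payload."""
    n, e, _ = key
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(_k(n), "big")
    return _unpad(em, 1)


def rsa_public_encrypt(data, key):
    """The encryption primitive (type-2 block, m^e mod n): a different operation from signing."""
    n, e, _ = key
    em = int.from_bytes(_pad(data, _k(n), 2), "big")
    return pow(em, e, n).to_bytes(_k(n), "big")


def rsa_private_decrypt(ct, key):
    n, _, d = key
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(_k(n), "big")
    return _unpad(em, 2)


SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 sec. 9.2


def sign_sha256(msg, key):
    """RSA_sign(NID_sha256): DigestInfo || H(m) is what goes through the private-encrypt path."""
    return rsa_private_encrypt(SHA256_DIGESTINFO + hashlib.sha256(msg).digest(), key)


def verify_sha256(msg, sig, key):
    try:
        return rsa_public_decrypt(sig, key) == SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    except ValueError:
        return False
```

The point of the issue in these terms: an engine's rsa_priv_enc callback is handed the already-encoded DigestInfo and must return rsa_private_encrypt of it (type-1 block, private exponent). A callback that instead applies a type-2 block and the public exponent, as in rsa_public_encrypt, produces something a verifier's rsa_public_decrypt will reject.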

Is OpenSSL 3 support planned?

As stated in another issue, this engine does not support OpenSSL 3. As OpenSSL 1.1.1 is going EOL in September 2023, we wonder whether there is an OpenSSL 3 compatible engine/"AzureKeyVaultManagedHSMProvider"?

curl getting "bad header" when invoking call to azure keyvault.

I am not able to do a simple sign operation as shown in your examples - I just get an unknown vault error. I put some debugging instructions in the code and I see that it is getting a bad request error (400). It says the request has an invalid header name.

I then dumped out the headers before the curl request and I see the following 4 (albeit redacted) headers:

[d] AkvGetKey curl.c(461) header: Accept: application/json
[d] AkvGetKey curl.c(461) header: Content-Type: application/json
[d] AkvGetKey curl.c(461) header: Authorization: Bearer {
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3BiYS1wb3J0YWwudmF1bHQuYXp1cmUubmV0LyIsImlzcyI6Imh0dHBz.....
-BTK_Wn6zMjKqraHa9u9VmKxY3bu48kYiLg90I3ogND83BdYIVJxH7mcQ9eG6yBCjuQK89Nq-oM5QZnCkItg-HGB_qy7wwyqdDMuIODjftQ68Frn8cAZM3MoMHbjDE9YxXQtEYLcbXlsEewDzhGVvYwgJEY4wd9dctHQ",
"expiresOn": "2023-08-28 18:17:29.000000",
"tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx",
"tokenType": "Bearer"
}

And the text from the https:// output is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

I don't know exactly what needs to be in the header or the format of the header. Perhaps the "token type" for the Authorization header? I got that token by grabbing the output this way:

AZURE_CLI_ACCESS_TOKEN=`az account get-access-token --output json --tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource https://xxxxxxxxx.vault.azure.net/`
(those ```` are single back-ticks - the formatter here is messing with things)

Can someone help me understand what I have done wrong or perhaps the azure key vault/managed hsm has changed things?

Oh, and all I was trying to do is get the public key for the key vault key:
openssl pkey -engine e_akv -inform engine -in "vault:vaultname:keyname" -pubout -text -out /tmp/leafpubkey.pem
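Added example, not code from the engine or the Azure CLI, relevant both to the header dump above and to the earlier "Use CLI Credentials" issue: extracting the bare bearer token from the CLI's JSON document and checking the Authorization value before it is sent. The CLI output is a constructed stand-in for `az account get-access-token --output json`; the token and tenant in it are dummies, and the function names are mine.

```python
import json
import re

# RFC 6750 sec. 2.1: the credential after "Bearer " is a b64token, which never
# contains whitespace, quotes, braces or line breaks.
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# Constructed stand-in for the CLI's pretty-printed JSON; the token is a dummy
# JWT-shaped string, not a real credential.
AZ_CLI_OUTPUT = json.dumps({
    "accessToken": "eyJhbGciOiJSUzI1NiJ9."
                   "eyJhdWQiOiJodHRwczovL3ZhdWx0LmF6dXJlLm5ldC8ifQ."
                   "ZHVtbXktc2lnbmF0dXJl",
    "expiresOn": "2023-08-28 18:17:29.000000",
    "tenant": "00000000-0000-0000-0000-000000000000",
    "tokenType": "Bearer",
}, indent=2)


def token_from_az_cli_json(text):
    """Pull the bare access token out of the CLI's JSON document."""
    doc = json.loads(text)
    if doc.get("tokenType", "Bearer") != "Bearer":
        raise ValueError(f"unexpected tokenType {doc.get('tokenType')!r}")
    return doc["accessToken"]


def header_problems(value):
    """Reasons an Authorization header value would be rejected; [] when it is well-formed."""
    problems = []
    if "\r" in value or "\n" in value:
        problems.append("contains a line break: the remainder would be parsed as "
                        "further, malformed header lines")
    scheme, _, credential = value.partition(" ")
    if scheme != "Bearer":
        problems.append(f"scheme {scheme!r} is not 'Bearer'")
    if not _B64TOKEN.match(credential):
        problems.append("credential is not a b64token (it looks like JSON or "
                        "contains characters a token cannot carry)")
    return problems


def authorization_header(credential):
    """Build 'Bearer <token>' and refuse anything that is not a bare token."""
    value = f"Bearer {credential.strip()}"
    problems = header_problems(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value


if __name__ == "__main__":
    print(header_problems("Bearer " + AZ_CLI_OUTPUT))   # what the dump above sends
    print(authorization_header(token_from_az_cli_json(AZ_CLI_OUTPUT)))
```

In the dump above the whole JSON document, braces and line breaks included, follows "Bearer ", which is exactly what header_problems flags. On the CLI side, `az account get-access-token --query accessToken -o tsv` prints only the token; and for a Managed HSM, as opposed to a Key Vault, the resource the token is requested for is https://managedhsm.azure.net rather than https://vault.azure.net.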

engine causes segmentation fault

Hello,
Thanks for great work.

I've tried to use this engine.
At first, I examined your nginx example.
I did as the document's sequence says.
Then a segmentation fault occurred.
Is my procedure wrong?
Thanks.

  • If I run the command with $1 (as documented), it causes the error below:
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:$1:test-rsa-key -out cert.pem
engine "e_akv" set.
cannot load Private Key from engine
139940651017536:error:8010E102:lib(128):akv_load_key_cert:parse key id error:/usr/local/src/AzureKeyVaultManagedHSMEngine-main/src/dllmain.c:177:
139940651017536:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
  • Does $1 point to the HSM name?
  • Then, replacing $1 with the HSM name causes a segmentation fault.
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:managed-hsm-for-tsa:test-rsa-key -out cert.pem
engine "e_akv" set.
Segmentation fault (core dumped)
