microsoft / AzureKeyVaultManagedHSMEngine
Azure Key Vault and Managed HSM Engine, compatible with OpenSSL
License: MIT License
Hello, there.
Does this engine work with OpenSSL 3.0?
I'm worried about whether this engine uses deprecated functions or not.
If it works with 3.0, is there some method to compile it with OpenSSL 3.0?
I built the engine on an azure VM using the default "Linux (ubuntu 20.04)" image, and ran it as follows:
echo hello | openssl dgst -d -sha1 -engine e_akv -keyform engine -sign vault:my-vault:my-key -out sign.out
The result was:
engine "e_akv" set.
Segmentation fault (core dumped)
Then, in the Azure portal, I went to the VM resource, selected Identity, System assigned, selected On, and saved. I reran the above command and the result was:
engine "e_akv" set.
[e] AkvGetKey curl.c(416) no kty defined in returned json:
{
"error": {
"code": "Forbidden",
"message": "The user, group or application 'appid=<uuid>;oid=<uuid>;iss=https:\/\/sts.windows.net\/<uuid>\/' does not have keys get permission on key vault 'vault-name;location=westus'. For help resolving this issue, please see https:\/\/go.microsoft.com\/fwlink\/?linkid=2125287",
"innererror": {
"code": "AccessDenied"
}
}
}
cannot load key file from engine
140131011724608:error:8010E103:lib(128):akv_load_key_cert:load public key error:/home/azureuser/AzureKeyVaultManagedHSMEngine/src/dllmain.c:203:
140131011724608:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load key file
BIO[0x56271ad96d80]: Free - FILE pointer
This is a more user-friendly error message and closer to what I was expecting before the managed identity was enabled.
You should be able to reproduce this easily, but here are the versions of everything I was using:
this repo: 9e89f8d
openssl: OpenSSL 1.1.1f 31 Mar 2020
libjson-c-dev: 0.13.1+dfsg-7ubuntu0.3
libssl-dev: 1.1.1f-1ubuntu2.11
libcurl4-openssl-dev: 7.68.0-1ubuntu2.7
cmake version 3.16.3
Hi folks @liupums @chkimes @mattsains, this repo is exactly what I was looking for, for using openssl to access the Managed HSM or Key Vault.
Is there a way to use CLI Credentials to use the Managed HSM for signing? Currently it depends on Managed Identity. I have given access to my login as Managed HSM Crypto User to /keys and that should suffice for accessing the managed HSM. Could you please help? (Azure SDK for Python's hello_world.py example can use AzureCLICredential to create keys in HSM, and sign is also an operation supported by the SDK, as per the documentation.) Thanks.
Here is a screenshot:
With liupums's great example, I succeeded in getting nginx SSL to work with the e_akv engine.
Thanks!
I have another issue: does the e_akv engine support the openssl ts command?
I ran an openssl ts command as follows, and got some errors.
Do I have to do some more procedures for it?
openssl ts -reply -queryfile ./index.php.tsq -config ../rootca.conf -engine e_akv -inkey managedHsm:ContosoMHSM2:testrsakey -signer ./tsa.pem -out index.php.tsr
Using configuration from ../rootca.conf
Response is not generated.
139705588585792:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('managedHsm:ContosoMHSM2:testrsakey','r')
139705588585792:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
139705588585792:error:2F09B08A:time stamp routines:TS_CONF_load_key:cannot load private key:../crypto/ts/ts_conf.c:97:
Hi,
I think the akv_rsa_priv_enc function should be for signing and not for encryption, to be consistent with the rsa_ossl_private_encrypt function in openssl. More specifically, the result of akv_rsa_priv_enc should be the message padded with the signature padding (e.g. EMSA-PKCS1-V1_5-ENCODE) raised to the private exponent.
The current akv_rsa_priv_enc function seems like it should be named akv_rsa_pub_enc instead.
Thanks,
Alex
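To make the distinction in the report above concrete, here is an added example (not the engine's code and not from the reporter) of what an RSA "private encrypt" used for signing computes: EMSA-PKCS1-v1_5-ENCODE(message) raised to the private exponent d modulo n, which anyone holding (n, e) can undo and compare against a fresh encoding. It uses only the Python standard library; the key pair is a constructed toy generated inside the block so it runs offline, and the prime generator is assumed adequate only for a demo.

```python
# Added example (not the engine's code): what an RSA "private encrypt" used for
# signing computes, following the issue above. Pure standard library; the key
# pair is a constructed toy generated here so the example runs offline.
import hashlib
import hmac
import random

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo key, not for production keys."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def _modinv(a, m):
    """Extended Euclid: a^-1 mod m (invariant: s_i * a == r_i mod m)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % m


def generate_rsa(bits=1024, e=65537):
    """Constructed toy key pair; returns (n, e, d)."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, _modinv(e, phi)


def modulus_bytes(n: int) -> int:
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v1_5_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus:
    0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo || hash."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_priv_enc(padded: bytes, n: int, d: int) -> bytes:
    """The 'private encrypt' primitive: padded^d mod n. This is the signature."""
    m = int.from_bytes(padded, "big")
    if m >= n:
        raise ValueError("message representative out of range")
    return pow(m, d, n).to_bytes(modulus_bytes(n), "big")


def rsa_pub_dec(sig: bytes, n: int, e: int) -> bytes:
    """The public counterpart: sig^e mod n recovers the padded message."""
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(modulus_bytes(n), "big")


def sign_pkcs1_v1_5(message: bytes, n: int, d: int) -> bytes:
    return rsa_priv_enc(emsa_pkcs1_v1_5_encode(message, modulus_bytes(n)), n, d)


def verify_pkcs1_v1_5(message: bytes, sig: bytes, n: int, e: int) -> bool:
    k = modulus_bytes(n)
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    expected = emsa_pkcs1_v1_5_encode(message, k)
    return hmac.compare_digest(rsa_pub_dec(sig, n, e), expected)


if __name__ == "__main__":
    n, e, d = generate_rsa()
    sig = sign_pkcs1_v1_5(b"hello", n, d)
    print("verifies:", verify_pkcs1_v1_5(b"hello", sig, n, e))
    print("tampered:", verify_pkcs1_v1_5(b"hellp", sig, n, e))
```

The padding is fixed-length and deterministic, so a verifier compares the recovered block against a fresh encoding rather than parsing it; an engine whose "private encrypt" applied encryption padding (random PS bytes) would produce signatures that never pass this comparison.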
As stated in another issue, this engine does not support OpenSSL 3. As OpenSSL 1.1.1 is going EOL in September 2023, we wonder whether there is an OpenSSL 3 compatible engine/"AzureKeyVaultManagedHSMProvider"?
I am not able to do a simple sign operation as shown in your examples - I just get an unknown vault error. I put some debugging instructions in the code and I see that it is getting a bad request error (400). It says the request has an invalid header name.
I then dumped out the headers before the curl request and I see the following 4 (albeit redacted) headers:
[d] AkvGetKey curl.c(461) header: Accept: application/json
[d] AkvGetKey curl.c(461) header: Content-Type: application/json
[d] AkvGetKey curl.c(461) header: Authorization: Bearer {
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3BiYS1wb3J0YWwudmF1bHQuYXp1cmUubmV0LyIsImlzcyI6Imh0dHBz.....
-BTK_Wn6zMjKqraHa9u9VmKxY3bu48kYiLg90I3ogND83BdYIVJxH7mcQ9eG6yBCjuQK89Nq-oM5QZnCkItg-HGB_qy7wwyqdDMuIODjftQ68Frn8cAZM3MoMHbjDE9YxXQtEYLcbXlsEewDzhGVvYwgJEY4wd9dctHQ",
"expiresOn": "2023-08-28 18:17:29.000000",
"tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx",
"tokenType": "Bearer"
}
And the text from the https:// output is:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>
I don't know exactly what needs to be in the header or the format of the header. Perhaps the "token type" for the Authorization header? I got that token by grabbing the output this way:
AZURE_CLI_ACCESS_TOKEN=`az account get-access-token --output json --tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource https://xxxxxxxxx.vault.azure.net/`
(those are single back-ticks - the formatter here is messing with things)
Can someone help me understand what I have done wrong or perhaps the azure key vault/managed hsm has changed things?
Oh, and all I was trying to do is get the public key for the key vault key:
openssl pkey -engine e_akv -inform engine -in "vault:vaultname:keyname" -pubout -text -out /tmp/leafpubkey.pem
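The dumped header above shows the whole JSON document from `az account get-access-token --output json` landing after "Bearer ", and a header value spanning several lines is exactly what an HTTP server rejects as an invalid header. The following added Python check (not part of the engine, and not the reporter's code) pulls only the accessToken field out of that output, or accepts a bare token, and refuses anything that cannot be a single header line; it also serves the earlier question about using CLI credentials, since the bare token is what a Bearer header needs. The sample JSON and token inside are constructed, and the JWT shape check is an assumption about AAD tokens rather than a rule of the engine.

```python
# Added example, not the engine's code: derive a valid Authorization header
# value from `az account get-access-token --output json` output and reject
# anything that cannot be a single HTTP header line.
import json
import re

# A JWT access token is three base64url segments joined by dots. Assumed shape
# for AAD bearer tokens; RFC 7235 token68 is broader, but this is what to expect.
_JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

# Constructed sample resembling the CLI's JSON output (token is fake and short).
SAMPLE_CLI_OUTPUT = """{
  "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL3ZhdWx0LmF6dXJlLm5ldCJ9.c2lnbmF0dXJl",
  "expiresOn": "2023-08-28 18:17:29.000000",
  "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tokenType": "Bearer"
}
"""


def is_header_safe(value: str) -> bool:
    """True if value can sit in one HTTP header line: visible ASCII, no space/CR/LF."""
    return bool(value) and all(0x21 <= ord(c) <= 0x7E for c in value)


def extract_access_token(cli_output: str) -> str:
    """Return the bare accessToken from the CLI's JSON document, or raise."""
    try:
        doc = json.loads(cli_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not the CLI's JSON output: {exc}") from None
    token = doc.get("accessToken")
    if not isinstance(token, str) or not _JWT_RE.match(token):
        raise ValueError("accessToken missing or not a JWT")
    if doc.get("tokenType", "Bearer") != "Bearer":
        raise ValueError("unexpected tokenType")
    return token


def authorization_header(raw: str) -> str:
    """Accept a bare token or the whole CLI JSON document and return a valid
    'Bearer <token>' value; the whole-document case is the mistake above."""
    value = raw.strip()
    if value.startswith("{"):
        value = extract_access_token(value)
    if not is_header_safe(value):
        raise ValueError("token contains characters that are invalid in a header")
    return f"Bearer {value}"


if __name__ == "__main__":
    print(is_header_safe(SAMPLE_CLI_OUTPUT))          # False: newlines, spaces, braces
    print(authorization_header(SAMPLE_CLI_OUTPUT)[:40])  # "Bearer eyJ0eXAi..."
```

On the command line the equivalent is to ask the CLI for just that field, for example `az account get-access-token --resource https://<vault>.vault.azure.net/ --query accessToken -o tsv`, which prints the token alone on one line.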
Hello,
Thanks for the great work.
I've tried to use this engine.
At first, I examined your nginx example.
I followed the documented sequence.
Then, a Segmentation Fault occurred.
Is my procedure wrong?
Thanks.
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:$1:test-rsa-key -out cert.pem
engine "e_akv" set.
cannot load Private Key from engine
139940651017536:error:8010E102:lib(128):akv_load_key_cert:parse key id error:/usr/local/src/AzureKeyVaultManagedHSMEngine-main/src/dllmain.c:177:
139940651017536:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:managed-hsm-for-tsa:test-rsa-key -out cert.pem
engine "e_akv" set.
Segmentation fault (core dumped)
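The first attempt above fails with "parse key id error" because the literal `$1` from a script ended up in the key identifier; the second crashes inside the engine. An input check in front of `openssl` catches the first class of problem before the engine sees it. Here is an added Python parser (not the engine's code and not the reporter's) for the `vault:<name>:<key>` and `managedHsm:<name>:<key>` identifier forms used on this page; the character rule it applies to names (letters, digits and hyphens) is an assumption for the demo, not the engine's own rule.

```python
# Added example, not the engine's code: validate a key identifier of the form
# <type>:<name>:<key> (as used with -key / -inkey on this page) before it is
# passed to openssl, so that mistakes get a clear message instead of an
# engine error or crash. The name character rule is an assumption for the demo.
import re

KEY_TYPES = {"vault": "Key Vault", "managedHsm": "Managed HSM"}
# Assumed: Azure vault/HSM and key names are letters, digits and hyphens,
# starting with a letter.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_key_id(key_id: str):
    """Return (type, name, key) or raise ValueError naming the problem."""
    parts = key_id.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected <type>:<name>:<key>, got {len(parts)} part(s)")
    ktype, name, key = parts
    if ktype not in KEY_TYPES:
        raise ValueError(f"unknown type {ktype!r}; use one of {sorted(KEY_TYPES)}")
    for label, value in (("name", name), ("key", key)):
        if value.startswith("$"):
            raise ValueError(f"{label} {value!r} looks like an unexpanded shell variable")
        if not _NAME_RE.match(value):
            raise ValueError(f"{label} {value!r} is empty or has characters outside [A-Za-z0-9-]")
    return ktype, name, key


def check_key_id(key_id: str) -> str:
    """Human-readable verdict, for a wrapper script around openssl."""
    try:
        ktype, name, key = parse_key_id(key_id)
    except ValueError as exc:
        return f"reject: {exc}"
    return f"ok: {KEY_TYPES[ktype]} '{name}', key '{key}'"


if __name__ == "__main__":
    for candidate in ("vault:$1:test-rsa-key",
                      "vault:managed-hsm-for-tsa:test-rsa-key",
                      "managedHsm:ContosoMHSM2:testrsakey",
                      "vault:only-two"):
        print(f"{candidate:45} -> {check_key_id(candidate)}")
```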