
Introduction

The Azure Key Vault and Managed HSM Engine allows OpenSSL-based applications to use RSA/EC private keys protected by Azure Key Vault and Managed HSM. It leverages the OpenSSL engine interface to perform the cryptographic operations inside Azure Key Vault and Managed HSM. The goal is to onboard OpenSSL-based applications such as NGINX and gRPC onto Azure Key Vault and Managed HSM seamlessly.

NOTE: Azure Key Vault should ONLY be used for development purposes with small numbers of requests. For production workloads, use Azure Managed HSM. For more information, see Azure Key Vault Service Limits.

Blog

Introducing Azure Key Vault and Managed HSM Engine: An Open-Source Project

Getting Started

Linux/Ubuntu

  1. Install dependencies
     sudo apt install -y build-essential
     sudo apt install -y libssl-dev
     sudo apt install -y libcurl4-openssl-dev
     sudo apt install -y libjson-c-dev

  2. Clone the repo
  3. Build
     cd src
     mkdir build
     cd build
     cmake ..
     make
     sudo mkdir -p /usr/lib/x86_64-linux-gnu/engines-1.1/
     sudo cp e_akv.so /usr/lib/x86_64-linux-gnu/engines-1.1/e_akv.so

  4. Test
     openssl engine -vvv -t e_akv


NOTE: if the installed OpenSSL version is 3.0 or later, reinstall OpenSSL 1.1 instead. For example, on Ubuntu 22.04:

$>cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"

Run the following commands:

# The Ubuntu pool keeps only the current 1.1.1f-1ubuntu2.N revision; if these URLs
# return 404, use the revision listed at http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl-dev_1.1.1f-1ubuntu2.16_amd64.deb
wget http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/openssl_1.1.1f-1ubuntu2.16_amd64.deb
# Install all three in one dpkg call: libssl-dev depends on the matching libssl1.1,
# so installing libssl-dev first leaves it unconfigured
sudo dpkg -i libssl1.1_1.1.1f-1ubuntu2.16_amd64.deb libssl-dev_1.1.1f-1ubuntu2.16_amd64.deb openssl_1.1.1f-1ubuntu2.16_amd64.deb
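The build steps above hard-code the engine directory and assume OpenSSL 1.1. The following pre-flight script is an added example, not part of the project: it checks the OpenSSL major version, reads the real engine directory from `openssl version -e` (the ENGINESDIR line OpenSSL 1.1 prints), and confirms the engine loads after the copy. The engine name string in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the project: pre-flight checks before building
# and installing e_akv. The functions take command output as arguments so
# they can be exercised against captured text as well as live commands.

# Accept only OpenSSL 1.1.x, which is what the engine (engines-1.1) targets;
# OpenSSL 3 uses engines-3 and the README above says to reinstall 1.1 instead.
openssl_is_11() {
  case "$1" in
    "OpenSSL 1.1."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the engine directory from `openssl version -e`, whose output is
#   ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
# so the .so is copied where this OpenSSL build really looks, not a guessed path.
enginesdir_from() {
  printf '%s\n' "$1" | sed -n 's/^ENGINESDIR: *"\(.*\)"$/\1/p'
}

# True when `openssl engine -t e_akv` output reports the engine as loaded,
# e.g. "(e_akv) <engine description>" followed by "     [ available ]".
engine_available() {
  case "$1" in
    *"[ available ]"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run the real commands: print ENGINESDIR on success, explain on failure.
preflight() {
  ver=$(openssl version 2>/dev/null) || { echo "openssl not found" >&2; return 1; }
  openssl_is_11 "$ver" || { echo "need OpenSSL 1.1.x, found: $ver" >&2; return 1; }
  dir=$(enginesdir_from "$(openssl version -e)")
  [ -n "$dir" ] || { echo "could not read ENGINESDIR" >&2; return 1; }
  printf '%s\n' "$dir"
}

# After `sudo cp e_akv.so "$(preflight)"/`, confirm the engine actually loads.
verify_install() {
  engine_available "$(openssl engine -t e_akv 2>&1)"
}
```

A non-zero exit from `verify_install` usually means the .so landed in a directory this OpenSSL build does not search, or was built against different headers.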

Windows

  1. Install Visual Studio 2019
  2. Install vcpkg in a "Developer Command Prompt for VS 2019" window
     c:
     cd \
     git clone https://github.com/Microsoft/vcpkg.git
     cd vcpkg
     bootstrap-vcpkg.bat -disableMetrics
     vcpkg.exe install json-c:x64-windows-static
     vcpkg.exe install curl:x64-windows-static
     vcpkg.exe install openssl:x64-windows
     mkdir C:\vcpkg\packages\openssl_x64-windows\lib\engines-1_1

  3. Clone the repo
  4. Build
     cd src
     msbuild e_akv.vcxproj /p:PkgCurl="C:\vcpkg\packages\curl_x64-windows-static" /p:PkgJson="C:\vcpkg\packages\json-c_x64-windows-static" /p:PkgZ="C:\vcpkg\packages\zlib_x64-windows-static" /p:PkgOpenssl="C:\vcpkg\packages\openssl_x64-windows" /p:Configuration=Release;Platform=x64
     copy /Y x64\Release\e_akv.dll C:\vcpkg\packages\openssl_x64-windows\lib\engines-1_1\e_akv.dll

  5. Test
     C:\vcpkg\packages\openssl_x64-windows\tools\openssl\openssl.exe engine -vvv -t e_akv


NOTE: recent vcpkg releases ship OpenSSL 3.0; use a vcpkg.json manifest to pin OpenSSL to a 1.1 version, for example:

vcpkg.json
{
  "name": "dbkg",
  "version-string": "1.0.0",
  "dependencies": [ "zlib", "json-c", "curl", "abseil", "c-ares", "grpc", "protobuf", "re2", "upb", "openssl" ],
  "builtin-baseline": "2ac61f87f69f0484b8044f95ab274038fbaf7bdd",
  "overrides": [
    { "name": "openssl", "version-string": "1.1.1n" },
    { "name": "zlib", "version-string": "1.2.13" }
  ]
}

vcpkg\vcpkg install --triplet=x64-windows-static
cd D:\AzureKeyVaultManagedHSMEngine\src
set VCPKG_ROOT=D:\vcpkg
msbuild e_akv.vcxproj /p:PkgOpenssl="%VCPKG_ROOT%\packages\openssl_x64-windows" /p:PkgCurl="%VCPKG_ROOT%\packages\curl_x64-windows-static" /p:PkgJson="%VCPKG_ROOT%\packages\json-c_x64-windows-static" /p:PkgZ="%VCPKG_ROOT%\packages\zlib_x64-windows-static" /p:Configuration=Release;Platform=x64

Samples

Please check out the samples, which include nginx, gRPC, and the openssl command line. NEW: Azure CLI credentials are supported; see https://github.com/microsoft/AzureKeyVaultManagedHSMEngine/blob/main/samples/openssl/UseAzureCliCredential.md for details.

Contribute

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repositories using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademark Notice

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft’s Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos is subject to those third parties’ policies. Azure Key Vault and Managed HSM Engine is not affiliated with OpenSSL. OpenSSL is a registered trademark owned by the OpenSSL Software Foundation.


Issues

akv_rsa_priv_enc function should be for signing

Hi,

I think the akv_rsa_priv_enc function should be for signing and not for encryption to be consistent with the rsa_ossl_private_encrypt function in openssl. More specifically the result of akv_rsa_priv_enc should be the message padded with the signature padding (eg. EMSA-PKCS1-V1_5-ENCODE) raised to the private exponent.

The current akv_rsa_priv_enc function seems like it should be named akv_rsa_pub_enc instead.

Thanks,

Alex

Does this engine work with openssl 3.0?

Hello, there.

Does this engine work with openssl 3.0?
I'm worried about whether this engine uses deprecated functions.
If it works with 3.0, is there some method to compile it with openssl 3.0?

Doesn't the e_akv engine work with the openssl ts command?

With liupums's great example, I've succeeded in getting nginx SSL to work with the e_akv engine.
Thanks!

I have another issue: does the e_akv engine support the openssl ts command?
I ran an openssl ts command as follows and got some errors.

Do I have to do some more procedures for it?

openssl ts -reply -queryfile ./index.php.tsq -config ../rootca.conf -engine e_akv -inkey managedHsm:ContosoMHSM2:testrsakey -signer ./tsa.pem -out index.php.tsr
Using configuration from ../rootca.conf
Response is not generated.
139705588585792:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('managedHsm:ContosoMHSM2:testrsakey','r')
139705588585792:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
139705588585792:error:2F09B08A:time stamp routines:TS_CONF_load_key:cannot load private key:../crypto/ts/ts_conf.c:97:

Is OpenSSL 3 support planned?

As stated in another issue, this engine does not support OpenSSL 3. As OpenSSL 1.1.1 is going EOL in September 2023, we wonder whether there is an OpenSSL 3 compatible engine/"AzureKeyVaultManagedHSMProvider"?

engine causes segmentation fault

Hello,
Thanks for the great work.

I've tried to use this engine.
At first, I examined your nginx example.
I followed the document's sequence.
Then, it caused a Segmentation Fault.
Is my procedure wrong?
Thanks.

  • Running the command with $1 (as documented) causes the error below:
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:$1:test-rsa-key -out cert.pem
engine "e_akv" set.
cannot load Private Key from engine
139940651017536:error:8010E102:lib(128):akv_load_key_cert:parse key id error:/usr/local/src/AzureKeyVaultManagedHSMEngine-main/src/dllmain.c:177:
139940651017536:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load Private Key
  • Does $1 point to the HSM name?
  • Then, replacing $1 with the HSM name causes a Segmentation Fault.
root@tubuntu:~# openssl req -new -x509 -engine e_akv -keyform engine -key vault:managed-hsm-for-tsa:test-rsa-key -out cert.pem
engine "e_akv" set.
Segmentation fault (core dumped)

curl getting "bad header" when invoking call to azure keyvault.

I am not able to do a simple sign operation as shown in your examples - I just get an unknown vault error. I put some debugging instructions in the code and I see that it is getting a bad request error (400). It says the request has an invalid header name.

I then dumped out the headers before the curl request and I see the following 4 (albeit redacted) headers:

[d] AkvGetKey curl.c(461) header: Accept: application/json
[d] AkvGetKey curl.c(461) header: Content-Type: application/json
[d] AkvGetKey curl.c(461) header: Authorization: Bearer {
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3BiYS1wb3J0YWwudmF1bHQuYXp1cmUubmV0LyIsImlzcyI6Imh0dHBz.....
-BTK_Wn6zMjKqraHa9u9VmKxY3bu48kYiLg90I3ogND83BdYIVJxH7mcQ9eG6yBCjuQK89Nq-oM5QZnCkItg-HGB_qy7wwyqdDMuIODjftQ68Frn8cAZM3MoMHbjDE9YxXQtEYLcbXlsEewDzhGVvYwgJEY4wd9dctHQ",
"expiresOn": "2023-08-28 18:17:29.000000",
"tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx",
"tokenType": "Bearer"
}

And the text from the https:// output is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

I don't know exactly what needs to be in the header or the format of the header. Perhaps the "token type" for the Authorization header? I got that token by grabbing the output this way:

AZURE_CLI_ACCESS_TOKEN=`az account get-access-token --output json --tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource https://xxxxxxxxx.vault.azure.net/`

Can someone help me understand what I have done wrong or perhaps the azure key vault/managed hsm has changed things?

Oh, and all I was trying to do is get the public key for the key vault key:
openssl pkey -engine e_akv -inform engine -in "vault:vaultname:keyname" -pubout -text -out /tmp/leafpubkey.pem
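The dump in the issue above shows the Authorization header carrying the whole JSON document that `az account get-access-token --output json` prints, braces and newlines included, which is what produces the HTTP 400 "invalid header name". The script below is an added example, not from the project or the issue author; it assumes the engine expects AZURE_CLI_ACCESS_TOKEN to hold only the bare token string, and it guards the export with a shape check so a JSON-wrapped value is caught before any request is made. The audience values in the comments (https://vault.azure.net, https://managedhsm.azure.net) are the ones az normally uses for the two services.

```shell
#!/bin/sh
# Added example, not from the project or the issue author. Assumption: the
# engine expects AZURE_CLI_ACCESS_TOKEN to hold the bare access token (the
# string that follows "Bearer " in the Authorization header), not the whole
# JSON document that `az account get-access-token --output json` prints.

# True when $1 is shaped like a compact JWT: one line of base64url characters
# with exactly three non-empty dot-separated segments. Braces, quotes,
# spaces and newlines (i.e. the JSON wrapper) are rejected.
looks_like_jwt() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "$(printf '%s' "$1" | tr -cd '.')" = ".." ] || return 1
  case "$1" in
    .*|*.|*..*) return 1 ;;
  esac
  return 0
}

# Recover just the accessToken field from the JSON az prints, for the case
# where a script has already captured the full document into a variable.
token_from_az_json() {
  printf '%s\n' "$1" | sed -n 's/.*"accessToken": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Fetch a token for the given audience (https://vault.azure.net for Key Vault,
# https://managedhsm.azure.net for Managed HSM), verify its shape, then export it.
export_cli_token() {
  tok=$(az account get-access-token --resource "$1" --query accessToken -o tsv) || return 1
  looks_like_jwt "$tok" || { echo "token is not a bare JWT; check az output" >&2; return 1; }
  AZURE_CLI_ACCESS_TOKEN=$tok
  export AZURE_CLI_ACCESS_TOKEN
}
```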

Running on a VM without a managed identity causes a segfault

I built the engine on an azure VM using the default "Linux (ubuntu 20.04)" image, and ran it as follows:

echo hello | openssl dgst -d -sha1 -engine e_akv -keyform engine -sign vault:my-vault:my-key -out sign.out

The result was:

engine "e_akv" set.
Segmentation fault (core dumped)

Then, in the Azure portal, I went to the VM resource, selected Identity, System assigned, and selected On, and saved. I reran the above command and the result was:

engine "e_akv" set.
[e] AkvGetKey curl.c(416) no kty defined in returned json:
{
   "error": {
     "code": "Forbidden",
     "message": "The user, group or application 'appid=<uuid>;oid=<uuid>;iss=https:\/\/sts.windows.net\/<uuid>\/' does not have keys get permission on key vault 'vault-name;location=westus'. For help resolving this issue, please see https:\/\/go.microsoft.com\/fwlink\/?linkid=2125287",
     "innererror": {
       "code": "AccessDenied"
     }
   }
 }

cannot load key file from engine
140131011724608:error:8010E103:lib(128):akv_load_key_cert:load public key error:/home/azureuser/AzureKeyVaultManagedHSMEngine/src/dllmain.c:203:
140131011724608:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:77:
unable to load key file
BIO[0x56271ad96d80]: Free - FILE pointer

This is a more user-friendly error message and closer to what I was expecting before the managed identity was enabled.

You should be able to reproduce this easily, but here are the versions of everything I was using:

this repo: 9e89f8d
openssl: OpenSSL 1.1.1f 31 Mar 2020
libjson-c-dev: 0.13.1+dfsg-7ubuntu0.3
libssl-dev: 1.1.1f-1ubuntu2.11
libcurl4-openssl-dev: 7.68.0-1ubuntu2.7
cmake version 3.16.3

Use CLI Credentials to connect to Managed HSM

Hi folks @liupums @chkimes @mattsains, this repo is exactly what I was looking for, for using openssl to access the Managed HSM or Key Vault.

Is there a way to use CLI Credentials to use the Managed HSM for signing? Currently it depends on Managed Identity. I have given my login access as Managed HSM Crypto User to /keys, and that should suffice for accessing the managed HSM. Could you please help? (Azure SDK for Python's hello_world.py example can use AzureCLICredential to create keys in HSM, and sign is also an operation supported by the SDK, as per the documentation.) Thanks.

Here is a screenshot: [image]
