Sign without having the private key


Sign without having the private key

Timo Lange
Hey all,

I have a question similar to http://openssl.6102.n7.nabble.com/private-key-not-available-for-client-cert-cb-td79369.html, which I am actively following, though it differs in detail.

What I want to achieve is the following:
My client application runs inside a container and needs to establish a mutual TLS connection to a server.
The client certificate is available in the container.
The root certificate, as well as the client private key, is not available inside the container, but stored in an HSM.
For sure the private key may never leave the HSM and also the root certificate should not.

The application cannot directly interfere with the HSM through standardized mechanisms as it is not accessible from inside the container.
For doing so a proprietary interprocess-communication is required.

I now want something like a "verify callback" and a "sign callback".

The "verify callback" would be needed in order to verify the server certificate against the root certificate. It seems to be easy using: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cert_verify_callback.html

I need the same, something like a "sign callback" also for the private key, when a signature is required during handshake, such that requests from OpenSSL to sign something can be forwarded through the inter-process communication into the HSM, so that the actual signing happens there.
This would only be required during handshake. For the actual encryption symmetric keys can be used, such that the encryption takes place in the OpenSSL library, not in the HSM.

I assume I need to write a custom ENGINE, but failed with all my approaches.

Can someone give me a brief hint on where to start and which API to look at first?

Thanks a lot!
Timo


Re: Sign without having the private key

Dmitry Belyavsky-3
Dear Timo,

For 1.0* versions it was possible to provide custom RSA_METHOD and EC_METHOD and implement an IPC callback.
I think it still should work for 1.1.1.

It may be also useful to take a look at the async API.

--
SY, Dmitry Belyavsky

RE: Sign without having the private key

Michael Wojcik
In reply to this post by Timo Lange
> From: openssl-users <[hidden email]> On Behalf Of Timo Lange
> Sent: Monday, 11 January, 2021 10:56

> The root certificate, as well as the client private key, is not available inside
> the container, but stored in an HSM.
> For sure the private key may never leave the HSM

OK.

> and also the root certificate should not.

This doesn't make any sense. Certificates are not sensitive data, and it's inconvenient, if not impossible (depending on application software and HSM firmware) to split certificate chain validation across the host machine and the HSM.

Using the HSM as a certificate trust anchor *store* might make sense, depending on the use case. But the certificate would have to be extracted from the HSM by the application at runtime and made available to OpenSSL (or whatever's handling chain validation) so the peer's entity certificate can be verified.

> The application cannot directly interfere with the HSM through standardized mechanisms
> as it is not accessible from inside the container.
> For doing so a proprietary interprocess-communication is required.

That certainly seems like unnecessary complexity, but I'll assume there's some valid justification for it.

> I assume I need to write a custom ENGINE, but failed with all my approaches.

You *could* write a custom engine, which you'd then have to rewrite as a custom provider when support for OpenSSL 1.1.1 ends and you need to move to OpenSSL 3.0 or its successor.

However, you could also hide your IPC mechanism under a PKCS#11 implementation, and just use OpenSSL's PKCS#11 engine. PKCS#11 is the standard mechanism for talking to an HSM, and nothing says it can't involve IPC in the middle.

That is: OpenSSL -> pkcs11 engine -> your IPC client (written as a PKCS#11 library) -> some communications channel -> your IPC server -> real PKCS#11 library for your HSM. You could implement the IPC client and server using an open-source PKCS#11 shim such as pkcs11-helper. This area has been discussed recently on this list.

However, now you have the problem of securing the IPC channel. This is an architecture I'd be reluctant to endorse, given the complexity and attack surface.

--
Michael Wojcik

Sign without having the private key

Timo Lange
In reply to this post by Dmitry Belyavsky-3
Hi all,

thanks for the input so far.
What I have been playing with is something like this:
    RSA_METHOD *meth = RSA_meth_dup(RSA_get_default_method());
    RSA_meth_set1_name(meth, "myrsa");
    RSA_meth_set_sign(meth, sign);
    RSA_meth_set_verify(meth, verify);
    RSA_set_default_method(meth);

with sign and verify being functions that I implemented.
But none of these two is ever invoked.
If I also set the init and final callbacks, they are properly executed.

Any ideas?

Br, Timo


From: openssl-users <[hidden email]> on behalf of Dmitry Belyavsky <[hidden email]>
Sent: Monday, 11 January 2021 19:00
To: [hidden email] <[hidden email]>
Subject: Re: Sign without having the private key

Dear Timo,

For 1.0* versions it was possible to provide custom RSA_METHOD and EC_METHOD and implement an IPC callback.
I think it still should work for 1.1.1.

It may be also useful to take a look at the async API.

--
SY, Dmitry Belyavsky