theparanoids / crypki Goto Github PK

View Code? Open in Web Editor NEW

51.0 14.0 29.0 1.19 MB

A simple service for interacting with an HSM or other PKCS#11 device.

License: Apache License 2.0

Go 96.67% Dockerfile 0.53% Shell 2.80%

cryptography security pkcs11 hsm ca signer

crypki's Introduction

crypki

A simple service for interacting with an HSM or other PKCS#11 device.

Background
Install
Configuration
API
Contribute
License

Background

A simple service for interacting with an HSM or other PKCS #11 device. It supports minting and signing of both SSH and x509 certificates. Crypki is the certificate signing backend for the Athenz RBAC system.

Install

You should be able to run crypki server on any linux platform as long as you have crypki binary and .so file. We have tested it on RHEL 7, Debian 9 & Ubuntu 18.04.

Building crypki from source

Prerequisites:

Go >= 1.20.14

Run:

go install github.com/theparanoids/crypki/cmd/crypki@latest

Usage

To start crypki server clone the repo and run the following commands.

Build docker image

$ docker build -f docker-softhsm/Dockerfile -t crypki-local .

If you want to speed up docker image build process, before running the command above, you can cache the dependencies locally using the following command.

$ go mod vendor

Generate certs and keys required for mutual TLS between the front end-client and the crypki backend server
```
cd docker-softhsm
./gen-crt.sh
```

Start the docker container

docker run -d -p :4443:4443 -v $PWD/log:/var/log/crypki -v $PWD/tls-crt:/opt/crypki/tls-crt:ro -v $PWD/shm:/dev/shm --rm --name crypki -h "localhost" crypki-local

Verify whether the server is up and running

curl -X GET https://localhost:4443/ruok --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Disclaimer: the above installation guidelines are to help you to get started with crypki; they should be used only for testing/development purposes. Please do not use this setup for production, because it is not secure.

Configuration

Take a look at the sample configuration file to see how to configure crypki

API

APIs for crypki are defined under crypki/proto. If you are familiar with or are using grpc, you can directly invoke the rpc methods defined in the proto file.

Examples:

Get all available SSH signing keys

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get SSH user public signing key (CA public key for ssh-user-cert)

curl -X GET https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign SSH user certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/ssh-user-cert/keys/ssh-user-key --data @ssh_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get all available x509 signing keys

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get x509 public CA certificate

curl -X GET https://localhost:4443/v3/sig/x509-cert/keys/x509-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign x509 certificate

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/x509-cert/keys/x509-key --data @x509_csr.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Get blob signing public key

curl -X GET https://localhost:4443/v3/sig/blob/keys/sign-blob-key --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

Sign blob (input is base64 encoded value of raw hash of a blob. example code)

curl -X POST -H "Content-Type: application/json" https://localhost:4443/v3/sig/blob/keys/sign-blob-key --data @sign_blob.json --cert tls-crt/client.crt --key tls-crt/client.key --cacert tls-crt/ca.crt

CA credentials

Extract SSH CA public key for a key identifier

Note: init_hsm.sh extracts the public keys of each key slot from the SoftHSM, and stores inside the container.

Following script exports the public key (in PEM format) of slot user_ssh_pub from the container, and converts it into SSH format.

 docker cp crypki:/opt/crypki/slot_pubkeys/user_ssh_pub.pem ~/tmp/user_ssh_pub.pem 
 ssh-keygen -f ~/tmp/user_ssh_pub.pem -i -mPKCS8

Generate a self-signed X509 CA cert for a key identifier

Generate a self-signed X509 CA cert for key identifier x509-key by gen-cacert binary.

# Get into the shell of crypki container. 
docker exec -ti crypki /bin/bash
# Refer to `/opt/crypki/crypki-softhsm.json` and `init_hsm.sh` to find out the attributes $SLOT_NUMBER, $KEY_LABEL, and $USER_PIN.
# In the example, our keyLabel is host_x509, keyType is 3 and signatureAlgorithm is 11 for `x509-key`.  

echo $USER_PIN > /tmp/user_pin
cat > /tmp/ca_crt_config.json <<EOF
{
"Identifier": "x509-key",
"CommonName": "www.example.com",
"KeyLabel": "host_x509",
"KeyType": 3,
"SignatureAlgo": 11,
"PKCS11ModulePath": "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so",
"SlotNumber": $SLOT_NUMBER,
"UserPinPath": "/tmp/user_pin"
}
EOF
/usr/bin/gen-cacert -config=/tmp/ca_crt_config.json -out=/tmp/x509-ca.cert
# You will see a newly signed x509 CA certificate printed and written to the `-out` path.

Contribute

Please refer to Contributing.md for information about how to get involved. We welcome issues, questions and pull requests.
You can also contact us for any user and development discussions through our group crypki-dev
Code of Conduct

License

This project is licensed under the terms of the Apache 2.0 open source license. Please refer to LICENSE for the full terms.

crypki's People

Contributors

Stargazers

Watchers

crypki's Issues

`crypki -h` does not provide usual usage

$ crypki -h
2019/06/04 20:08:46 server.go:114: failed to create log file: open /var/log/crypki/server.log: no such file or directory

Broken link to sample config file

The link should go to: https://github.com/yahoo/crypki/blob/master/config/testdata/testconf-good.json

Please change log flags

Two possible changes. Either:

Make the log flags configurable, or
Add -LUTC and -Lmicroseconds to the standard log flags.

One of these two changes would be highly desirable.

The same slot cannot be used for multiple keyUsages.

When using the same slot with multiple keyUsages, crypki returns CKR_USER_ALREADY_LOGGED_IN .

 server.go:149: unable to initialize cert signer: unable to initialize key with identifier "ssh-host-key": error making dummy signer: makeSigner: error in Login: pkcs11: 0x100: CKR_USER_ALREADY_LOGGED_IN

config is like below.

...
    "Keys": [
        {
            "Identifier": "ssh-user-key",
            "KeyLabel": "user_ssh",
            "SlotNumber": 11111,
            "UserPinPath": "slot_pwd.txt"
        },
        {
            "Identifier": "ssh-host-key",
            "KeyLabel": "host_ssh",
            "SlotNumber": 11111,
            "UserPinPath": "slot_pwd.txt"
        },
...

If below line change, it works well.
https://github.com/yahoo/crypki/blob/f33a9e6a39cf9a0466ad1dc84f525852e7498268/pkcs11/p11signer.go#L30

if err = context.Login(session, p11.CKU_USER, userPin); err != nil && !strings.Contains(err.Error(), "CKR_USER_ALREADY_LOGGED_IN") {

Config value of TLSClientAuthMode does not work on TLS server.

The config value of TLSClientAuthMode is fixed on "RequireAndVerifyClientCert"(4) on TLS server whichever value is set.

https://github.com/yahoo/crypki/blob/8e3d5535f79a1a106fcf89e2b9a9a8ce04fff06a/server/server.go#L57

Is it a specification? This configuration is only for grpc?

Not include TokenLabel feature at v1.9.0

v1.9.0 release notes says add TokenLabel support. But I found that v1.9.0 tag is associated with 0606760, not 8613f4d(TokenLabel support), so v1.9.0 doesn't support TokenLabel.

Is there any schedule for the release?
I'm looking forward to release. Thanks.

modulepath in init_hsm.sh appears to point at the wrong location

I'm attempting to follow the README instructions to build the Docker image but am running into an error wheninit_hsm.sh executes.

crypki $> docker build -f docker-softhsm/Dockerfile -t crypki-local .
[+] Building 39.3s (16/16) FINISHED
.....
 => ERROR [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh                              8.9s
------
 > [stage-1 7/7] RUN mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh:
#16 0.311 Get:1 http://deb.debian.org/debian sid InRelease [161 kB]
.....
#16 8.893 + /usr/bin/pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so --pin 123456 --slot 1037941344 --keypairgen --label user_ssh --key-type EC:prime384v1 --private
#16 8.895 sc_dlopen failed: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so: cannot open shared object file: No such file or directory
#16 8.895 error: Failed to load pkcs11 module
#16 8.895 Aborting.
------
executor failed running [/bin/sh -c mkdir -p /var/log/crypki /opt/crypki /opt/crypki/slot_pubkeys && apt-get update && apt-get install -y softhsm opensc openssl && /bin/bash -x /opt/crypki/init_hsm.sh]: exit code: 1

The file /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so does not exist even after apt-get install -y softhsm opensc openssl successfully completes. Further investigation shows that package actually installs the .so to /usr/lib/softhsm/libsofthsm2.so.

Changing the modulepath in init_hsm.sh allows the script to complete successfully and the image to be created.

Total diff is

diff --git a/docker-softhsm/init_hsm.sh b/docker-softhsm/init_hsm.sh
index 3bd8741..92814bd 100755
--- a/docker-softhsm/init_hsm.sh
+++ b/docker-softhsm/init_hsm.sh
@@ -24,7 +24,7 @@ error() {
 SOPIN=1234
 USERPIN=123456

-modulepath="/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so"
+modulepath="/usr/lib/softhsm/libsofthsm2.so"
 slot_pubkeys_path="/opt/crypki/slot_pubkeys"

 user_ssh_label="user_ssh"

I'm running this on an Apple M1 Macbook Pro, which may be the root cause.

Are others running into this issue as well? I'm happy to submit a PR with this change if so.

add support for `ExtraExtensions` in the CSR decoding

Currently the DecodeRequest function https://github.com/theparanoids/crypki/blob/main/x509cert/encode.go#L16 ignores the ExtraExtensions field of the CSR https://pkg.go.dev/crypto/x509#CertificateRequest.ExtraExtensions. This leads to EKUs specified in the ExtraExtensions of the CSR not being propagated to the generated Certificate and therefore unusable Certificate due to the missing (possibly Critical) EKUs.

Run Docker container

Hi
i trying to run docker container for crypki. After building when i running it i got error:

github.com/theparanoids/crypki/pkcs11.publicRSA(0xc000155640)
/home/runner/work/crypki/crypki/pkcs11/rsa.go:41 +0x31d
github.com/theparanoids/crypki/pkcs11.(*p11Signer).Public(0x0)
/home/runner/work/crypki/crypki/pkcs11/p11signer.go:76 +0x3a
github.com/theparanoids/crypki/x509cert.GenCACert(0xc0001e33e8, {0x7fe4c033beb8, 0xc000155640}, {0xc00011b990, 0x9}, {0xc0001b57d0, 0x2, 0x2}, 0x2, 0x3)
/home/runner/work/crypki/crypki/x509cert/x509.go:55 +0x407
github.com/theparanoids/crypki/pkcs11.getX509CACert({_, _}, {{0xc00011b8e8, 0x8}, 0x26693e95, {0x0, 0x0}, {0xc000144750, 0x15}, {0xc00011b8f0, ...}, ...}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:382 +0x645
github.com/theparanoids/crypki/pkcs11.NewCertSign({0xa75078, 0xc000154f80}, {0xc000140660, 0xc000203000}, {0xc0001d2d80, 0x4, 0x4}, 0x18, {0xc00011b990, 0x9}, ...)
/home/runner/work/crypki/crypki/pkcs11/signer.go:163 +0x4c5
github.com/theparanoids/crypki/server.Main()
/home/runner/work/crypki/crypki/server/server.go:171 +0x5e5
main.main()
/home/runner/work/crypki/crypki/cmd/crypki/main.go:10 +0x17

In server.log -> pkcs11: 0x12: CKR_ATTRIBUTE_TYPE_INVALID

My question is this is a bug or i missing something configure on project?

add instructions on running crypki on Mac with SoftHSM

One can build SoftHSMv2 on Mac and it should be possible to use it as the HSM for the development or testing crypki instance. It would be helpful to have detailed instructions on how to do it.