如何对Net :: HTTP使用自定义OpenSSL引擎 [英] How to use a custom OpenSSL engine for Net::HTTP

问题描述

我正在尝试使用自定义OpenSSL引擎进行客户端证书身份验证所需的加密操作.

I am trying to use a custom OpenSSL engine for crypto operations required for client certificate authentication.

当前，Net :: HTTP仅允许我们传递将用于客户端身份验证的证书和密钥.我们将所有私钥都移至HSM(硬件安全模块")，因此，我们希望插入默认的OpenSSL引擎，而不是默认的OpenSSL引擎.定制的OpenSSL引擎将使用HSM执行私钥签名操作.

Currently Net::HTTP lets us pass only the cert and key which will be used for the client authentication. We are moving all private keys to HSM ("Hardware Security Module") so instead of the default OpenSSL engine we want to plug-in a custom OpenSSL engine. The custom OpenSSL engine will perform private key signing operations using HSM.

当前使用默认引擎，我们的代码如下:

Current with the default engine we have code something like:

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = uri.scheme == 'https'
http.cert = OpenSSL::X509::Certificate.new(File.read("/tmp/cert.pem"))
http.key = OpenSSL::PKey::RSA.new(File.read('/tmp/key_pointer.pem'))
http.ssl_version = :TLSv1_2
http.open_timeout = open_timeout
http.read_timeout = read_timeout
request = Net::HTTP::Post.new(uri)
request.body = "body goes here"
response = http.request(request)

我尝试搜索如何为Net :: HTTP插入自定义OpenSSL引擎，但找不到任何内容.在客户端证书身份验证的过程中，如何使用自定义引擎进行私钥签名?

I tried searching for how to plug-in a custom OpenSSL engine for Net::HTTP but couldn't find anything. How can we use a custom engine for signing using a private key as part of the client certificate authentication?

推荐答案

我为此进行了解决.由于Net :: HTTP在客户端证书认证期间使用OpenSSL进行加密.我没有通过密钥，而是通过自定义引擎使用了密钥句柄，并且在客户端证书身份验证期间执行的操作(签名)被中继到了HSM.示例代码如下:

I got a work around for this. Since Net::HTTP use OpenSSL for encryption during client certificate authentication. Instead of passing key, I used the key handle by custom engine and operations performed(signing) on that during client certificate authentication were relayed to HSM. Here is how sample code looks like:

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = uri.scheme == 'https'
http.cert = OpenSSL::X509::Certificate.new(File.read("/tmp/cert.pem"))
OpenSSL::Engine.load
http.key =  OpenSSL::Engine.by_id("EngineId").load_private_key("CKA_LABEL=rsa-private-client-cert-auth-test-9ik98jui98")
http.ssl_version = :TLSv1_2
http.open_timeout = open_timeout
http.read_timeout = read_timeout
request = Net::HTTP::Post.new(uri)
request.body = "body goes here"
response = http.request(request)

这篇关于如何对Net :: HTTP使用自定义OpenSSL引擎的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！