Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

关于启用mTLS的一些疑问 #42

Closed
zzx-QDU opened this issue Apr 23, 2024 · 14 comments
Closed

关于启用mTLS的一些疑问 #42

zzx-QDU opened this issue Apr 23, 2024 · 14 comments
Assignees
@zhongtianq
Labels
support Assistance or guidance regarding the usage of the project

Comments

@zzx-QDU
Copy link

zzx-QDU commented Apr 23, 2024

Issue Type

Build/Install

Source

binary

Capsule Manager Version

0.2.0b0

Capsule Manager SDK Version

0.2.0b0

Tee Apps Version

0.2.0b0

OS Platform and Distribution

Ubuntu 22.04

Python version

3.10

Bazel version

No response

GCC/Compiler version

No response

What happend and What you expected to happen.

大佬,您好!为了启用mTLS,我用openssl分别生成carol、alice、bob的公私钥、csr文件,ca的key、csr文件和crt文件,然后用ca相关的文件生成carol、alice和bob的证书。
然后正常启动capsule_manager:
    server_cert_path: Some(
        "/home/admin/capsule-manager/resources/carol.crt",
    ),
    server_cert_key_path: Some(
        "/home/admin/capsule-manager/resources/carol.key",
    ),
    client_ca_cert_path: Some(
        "/home/admin/capsule-manager/resources/ca",
    ),
    enable_tls: Some(
        true,
    ),
    mode: Some(
        "simulation",
    ),
}
O, AntGroup
L, HZ
OU, SecretFlow
C, CN
ST, HZ
CN, CapsuleManager
[2024-04-23T06:22:40.489337480+00:00] [capsule_manager] [INFO] Server run at: 0.0.0.0:8888 mode Some("simulation")

但是我在上传密钥时失败
raise _InactiveRpcError(state)  # pytype: disable=not-instantiable
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8888: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"
	debug_error_string = "UNKNOWN:Error received from peer  {created_time:"2024-04-23T14:22:50.752018831+08:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8888: Ssl handshake failed: SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED"}"
问题似乎是证书有问题,请问我的证书生成过程有问题吗,或者是必须要真实CA机构签的证书?

感谢帮助!

Reproduction code to reproduce the issue.

alice.yaml:

host: "127.0.0.1:8888"
# (required) str, capsule-manager's tee platform type, sim/sgx/tdx/csv
tee_plat: "sim"
# (optional) capsule-manager's identity constraints
tee_constraints:
  # (optional) str, The measurement of TEE implement internal stuff
  mr_plat:
  # (optional) str, The measurement of TEE instance boot time stuff
  mr_boot:
  # (optional) str, The static measurement of trust application when loading the code
  mr_ta:
  # (optional) str, The measurement or other identity of the trust application signer
  mr_signer:

# (optional) str, root ca cert path
root_ca_file: /home/u22/ca.crt
# (optional) str, sdk's private key path
private_key_file: /home/u22/alice.key
# (optional) List[str], sdk's cert chain path
cert_chain_file: "/home/u22/alice.crt"

common:
   # (required) str, should be generated from cert
   party_id: "OSA5326M7KIG7KFYC2BHWGPMY6UXUK3AW67VFF5UB73DUZ62EVKA"
   # (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
   # file num can be 1 if the cert is self-signed
   cert_pems_file: 
     - alice.crt
     - ca.crt
   scheme: "RSA"
   # (required) str, file contains private key
   private_key_file: alice.key


register_data_keys:
  data_keys:
    -
      # (required) str
      resource_uri: breast_cancer_alice
      # (required) str
      data_key_b64: "uhq65rYinNeMuHO1CR272w=="
@zhongtianq zhongtianq self-assigned this Apr 23, 2024
@zhongtianq zhongtianq added the question Further information is requested label Apr 23, 2024
@zhongtianq
Copy link
Collaborator

zhongtianq commented Apr 23, 2024
edited
Loading

@zzx-QDU hi,你的tls的问题由于上下文信息不太够无法确认是什么原因导致的,我这边猜测一些可能的原因。
首先,你需要区分清楚我们文档中提到的机构自签证书与tls证书。它们是两套证书体系,为了方便描述,我们把机构证书/私钥称为alice.crt/alice.key。把客户端用于tls的证书称为client.crt。其中alice.crt为alice自签,client.crt为ca签发,这个ca可以是权威ca机构,也可以是我们自签的一个ca机构。

下面简单给一下生成过程作为参考:

  1. 生成ca根密钥,自签获得ca根证书
openssl genrsa -out ca.key 3072
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
  1. 服务端生成密钥和csr
openssl genrsa -out server.key 3072
openssl req -new -sha256 -key server.key -out server.csr
  1. 客户端生成密钥和csr
openssl genrsa -out client.key 3072
openssl req -new -sha256 -key client.key -out client.csr

4.设置签发策略,将策略写入ca.ext文件中
文件内容示例:

subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = capsule-manager
  1. ca签发证书
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile ca.ext
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650 -sha256 -extfile ca.ext

签发完成之后,服务端证书/私钥在capsule-manager中使用,客户端证书/私钥在sdk侧使用。
另外,因为tls本身的安全要求,我们用tls访问的时候必须以域名的方式访问,在示例中我们对服务端的证书已经签发了域名capsule-manager(根据实际情况替换)。可以在/etc/hosts中做个域名的映射,用域名访问服务。

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

非常感谢!我重新生成证书后握手没有失败,但是alice和bob的机构ID验证失败。
sdc.error.CapsuleManagerError: CapsuleManager server error code: 13, error message: err code: Assert err; err detail: party_id OSA5326M7KIG7KFYC2BHWGPMY6UXUK3AW67VFF5UB73DUZ62EVKA is wrong derived from public key; location: [line = 109, file = capsule-manager/src/server.rs]

我试着将ID换成用ca.crt生成的机构ID,却能成功上传。请问可能是什么原因导致的?

@zhongtianq
Copy link
Collaborator

非常感谢!我重新生成证书后握手没有失败,但是alice和bob的机构ID验证失败。 sdc.error.CapsuleManagerError: CapsuleManager server error code: 13, error message: err code: Assert err; err detail: party_id OSA5326M7KIG7KFYC2BHWGPMY6UXUK3AW67VFF5UB73DUZ62EVKA is wrong derived from public key; location: [line = 109, file = capsule-manager/src/server.rs]

我试着将ID换成用ca.crt生成的机构ID,却能成功上传。请问可能是什么原因导致的?

common配置下的证书仍然需要使用alice.crt,与party_id是对应的。

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

是对应的
common:

party_id: "MBIXLYH4DYVZJTD7AAW23HQMTNYTILKOMGS3R4T6SNLEA72P63ZA"

cert_pems_file:
- alice.crt
- ca.crt
scheme: "RSA"

private_key_file: alice.key

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

我试着只写alice.crt,相应的报错是说ID是错误的。

@zhongtianq
Copy link
Collaborator

是对应的 common:

party_id: "MBIXLYH4DYVZJTD7AAW23HQMTNYTILKOMGS3R4T6SNLEA72P63ZA"

cert_pems_file: - alice.crt - ca.crt scheme: "RSA"

private_key_file: alice.key

common下不要把ca.crt填进去,这是两套证书体系,alice.crt并不是ca.crt签发出来的,它们不构成证书链关系

@zhongtianq
Copy link
Collaborator

我试着只写alice.crt,相应的报错是说ID是错误的。

可以贴一下完整的配置文件吗?

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

host: "127.0.0.1:8888"
tee_plat: "sim"
tee_constraints:
mr_plat:
mr_boot:
mr_ta:
mr_signer:

root_ca_file: /home/u22/ca.crt
private_key_file: /home/u22/alice.key
cert_chain_file: "/home/u22/alice.crt"

common:

party_id: "MBIXLYH4DYVZJTD7AAW23HQMTNYTILKOMGS3R4T6SNLEA72P63ZA"

cert_pems_file:
- alice.crt
- ca.crt
scheme: "RSA"

private_key_file: alice.key

register_data_keys:
data_keys:
-
resource_uri: breast_cancer_alice
data_key_b64: "uhq65rYinNeMuHO1CR272w=="

@zhongtianq
Copy link
Collaborator

麻烦用```将内容包起来,否则看不清楚

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

“host: "127.0.0.1:8888"
tee_plat: "sim"
tee_constraints:
mr_plat:
mr_boot:
mr_ta:
mr_signer:

root_ca_file: /home/u22/ca.crt
private_key_file: /home/u22/alice.key
cert_chain_file: "/home/u22/alice.crt"

common:

party_id: "MBIXLYH4DYVZJTD7AAW23HQMTNYTILKOMGS3R4T6SNLEA72P63ZA"

cert_pems_file:

  • alice.crt
  • ca.crt
    scheme: "RSA"

private_key_file: alice.key

register_data_keys:
data_keys:

resource_uri: breast_cancer_alice
data_key_b64: "uhq65rYinNeMuHO1CR272w=="”

@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

不好意思 本来我想截图或者直接上传文件,但是都上传失败。

@zhongtianq
Copy link
Collaborator

zhongtianq commented Apr 24, 2024
edited
Loading

发送的配置文件内容用的前后都用```包起来,可以避免格式混乱。像我下面这样,给个示例:

# (required) str, capsule-manager's ip:port
host: "capsule-manager:8888"
# (required) str, capsule-manager's tee platform type, sim/sgx/tdx/csv
tee_plat: "sim"
# (optional) capsule-manager's identity constraints
tee_constraints:
  # (optional) str, The measurement of TEE implement internal stuff
  mr_plat:
  # (optional) str, The measurement of TEE instance boot time stuff
  mr_boot:
  # (optional) str, The static measurement of trust application when loading the code
  mr_ta: 
  # (optional) str, The measurement or other identity of the trust application signer
  mr_signer:

# (optional) str, root ca cert path
root_ca_file: ca.crt
# (optional) str, sdk's private key path
private_key_file: client.key
# (optional) List[str], sdk's cert chain path
cert_chain_file: 
  - client.crt

common:
  # (required) str, should be generated from cert
  party_id: "xxxx"
  # (required) List[str], cert chain files, the order is [cert, mid_ca_cert, root_ca_cert]
  # file num can be 1 if the cert is self-signed
  cert_pems_file:
    - alice.crt
  scheme: "RSA"
  # (required) file contains private key
  private_key_file: alice.key

看起来你这边依然将tls证书和机构自签证书混用了。
tls证书我这边命名为client.crt,对应的私钥是client.key,机构证书是alice.crt,不要把他们混用。

你的配置文件中我看到几个问题:
cert_chain_file: 这是一个list,不要配置成一个str,它是tls证书列表,目前就填client.crt一个就行,因为没有中间ca。
common中的cert_pems_file:不要填入ca.crt, ca.crt是tls证书,与机构证书没有任何关联

@zhongtianq zhongtianq added support Assistance or guidance regarding the usage of the project and removed question Further information is requested labels Apr 24, 2024
@zzx-QDU
Copy link
Author

zzx-QDU commented Apr 24, 2024

大佬,真的非常感谢!是我脑抽了,一直没有理解TLS证书和机构证书是两套同时存在的证书。

@zzx-QDU zzx-QDU closed this as completed Apr 24, 2024
@zhongtianq
Copy link
Collaborator

感谢提问,这块看起来还是比较多的人会confuse,后续我们也尽力在文档中更加明确这些定义

@joaquinboss joaquinboss mentioned this issue Jun 18, 2024
Closed
@zimu-yuxi zimu-yuxi mentioned this issue Jul 12, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zhongtianq zhongtianq

Labels
support Assistance or guidance regarding the usage of the project
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zzx-QDU @zhongtianq