如何使用 HashiCorp Vault 进行签名

发布于 2025-01-15 00:18:34 字数 3180 浏览 4 评论 0原文

我不知道这个问题是否很简单，我只是不知道如何使用 HashiCorp-Vault 的 Api VaultSharp 进行签名，但我很绝望。

包含示例的完整文档可以在这里找到：https://github.com/rajanadar/VaultSharp 加密和解密工作正常。只有签名是个问题。
加密代码：

public byte[] EncryptData(byte[] data, string keyName)
{
   SecretsEngine transitSecretsEngine = new SecretsEngine
   {
      Type = SecretsEngineType.Transit,
      Path = path
   };

   Client.V1.System.MountSecretBackendAsync(transitSecretsEngine).Wait();
   Client.V1.Secrets.Transit.CreateEncryptionKeyAsync(keyName, new CreateKeyRequestOptions()
   {
      Exportable = true
   }, path).Wait();
     
   EncryptRequestOptions encryptOptions = new EncryptRequestOptions
   {
      Base64EncodedPlainText = Convert.ToBase64String(data),
      ConvergentEncryption = true,
   };

   Secret<EncryptionResponse> encryptionResponse = Client.V1.Secrets.Transit.EncryptAsync(keyName, 
   encryptOptions, path).Result;
   
   string cipherText = encryptionResponse.Data.CipherText;
   return Encoding.Unicode.GetBytes(cipherText);
}

解密代码：

public byte[] DecryptData(string ciphertext, string keyName)
{
   DecryptRequestOptions decryptOptions = new DecryptRequestOptions
   {
      CipherText = ciphertext,
   };
   Secret<DecryptionResponse> decryptionResponse = Client.V1.Secrets.Transit.DecryptAsync(keyName, 
   decryptOptions, path).Result;
   
   return Convert.FromBase64String(decryptionResponse.Data.Base64EncodedPlainText);
}

这是我的签名代码试用版：

public byte[] Sign(byte[] plaintextBytes, string keyName)
{
   byte[] hash = ComputeHash(plaintextBytes,SHA256.Create());
   GCKMS.SignatureOptions options = new GCKMS.SignatureOptions()
   {
      Digest = Convert.ToBase64String(hash),
   };
   Secret<GCKMS.SignatureResponse> result = Client.V1.Secrets.GoogleCloudKMS.SignAsync(keyName, 
   options).Result;
   return Encoding.Unicode.GetBytes(result.Data.Signature);
}

错误是：

VaultSharp.Core.VaultApiException: {"errors":["没有路由处理程序 'gcpkms/sign/Manuel'"]}

最后但并非最不重要的我验证签名的代码：

public bool ValidateSignature(byte[] plaintextByte, byte[] signature, string keyName)
{
   GCKMS.VerificationOptions option = new GCKMS.VerificationOptions
   {
      Digest = Encoding.Unicode.GetString(ComputeHash(plaintextByte)),
      Signature = Encoding.Unicode.GetString(signature)
   };
   Secret<GCKMS.VerificationResponse> result = 
   Client.V1.Secrets.GoogleCloudKMS.VerifyAsync(keyName, option).Result;
   return result.Data.Valid;
}

我不确定，但这可能是因为我没有使用带有路径的 SecretsEngine我找不到任何适用于 GoogleCloudKms 的 SecretsEngine。

有用信息：
我使用Guid.NewGuid().ToString();生成路径。
ComputeHash 是一个自编写的函数，它使用给定的算法计算哈希值。这默认算法为 SHA256。
GCMS 是命名空间VaultSharp.V1.SecretsEngines.GoogleCloudKMS的简短版本

非常欢迎任何想法和建议。
提前致谢！

原文

i don't know if this question is very easy and I just didn't figure it out how to sign with HashiCorp-Vault´s Api VaultSharp, but I am despairing.

The entire Documentation with examples can be found here: https://github.com/rajanadar/VaultSharp
Encryption and Decryption works fine. Only Signing is a problem.
Code for Encryption:

public byte[] EncryptData(byte[] data, string keyName)
{
   SecretsEngine transitSecretsEngine = new SecretsEngine
   {
      Type = SecretsEngineType.Transit,
      Path = path
   };

   Client.V1.System.MountSecretBackendAsync(transitSecretsEngine).Wait();
   Client.V1.Secrets.Transit.CreateEncryptionKeyAsync(keyName, new CreateKeyRequestOptions()
   {
      Exportable = true
   }, path).Wait();
     
   EncryptRequestOptions encryptOptions = new EncryptRequestOptions
   {
      Base64EncodedPlainText = Convert.ToBase64String(data),
      ConvergentEncryption = true,
   };

   Secret<EncryptionResponse> encryptionResponse = Client.V1.Secrets.Transit.EncryptAsync(keyName, 
   encryptOptions, path).Result;
   
   string cipherText = encryptionResponse.Data.CipherText;
   return Encoding.Unicode.GetBytes(cipherText);
}

Code for Decryption:

public byte[] DecryptData(string ciphertext, string keyName)
{
   DecryptRequestOptions decryptOptions = new DecryptRequestOptions
   {
      CipherText = ciphertext,
   };
   Secret<DecryptionResponse> decryptionResponse = Client.V1.Secrets.Transit.DecryptAsync(keyName, 
   decryptOptions, path).Result;
   
   return Convert.FromBase64String(decryptionResponse.Data.Base64EncodedPlainText);
}

Here is my Code Trial for signing:

public byte[] Sign(byte[] plaintextBytes, string keyName)
{
   byte[] hash = ComputeHash(plaintextBytes,SHA256.Create());
   GCKMS.SignatureOptions options = new GCKMS.SignatureOptions()
   {
      Digest = Convert.ToBase64String(hash),
   };
   Secret<GCKMS.SignatureResponse> result = Client.V1.Secrets.GoogleCloudKMS.SignAsync(keyName, 
   options).Result;
   return Encoding.Unicode.GetBytes(result.Data.Signature);
}

The Error is:

VaultSharp.Core.VaultApiException: {"errors":["no handler for route
'gcpkms/sign/Manuel'"]}

Last but not least my Code for validating the signature:

public bool ValidateSignature(byte[] plaintextByte, byte[] signature, string keyName)
{
   GCKMS.VerificationOptions option = new GCKMS.VerificationOptions
   {
      Digest = Encoding.Unicode.GetString(ComputeHash(plaintextByte)),
      Signature = Encoding.Unicode.GetString(signature)
   };
   Secret<GCKMS.VerificationResponse> result = 
   Client.V1.Secrets.GoogleCloudKMS.VerifyAsync(keyName, option).Result;
   return result.Data.Valid;
}

I am not sure but this could be because I don't use a SecretsEngine with a Path. I could not find any SecretsEngine for GoogleCloudKms.

Useful information:

I generate the Path with Guid.NewGuid().ToString();.
ComputeHash is a self written Function that computes the Hash with a give Algorithm. The
default algorithm is SHA256.
GCMS is a short version of the Namespace VaultSharp.V1.SecretsEngines.GoogleCloudKMS

Any ideas and suggestions are very welcome.
Thanks in advance!

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

岁月流歌 2025-01-22 00:18:34

尽管 Vault 提供了方便的 Transit 签名，但您使用的 C# 包装器不支持它。

Google KMS 确实提供签名，但其界面更复杂：您必须自己进行哈希并跟踪密钥版本。

我建议你在 API 包装器上玩个把戏：

将加密和解密代码按原样
写入 Transit 后端就好像它是 KV 存储版本 1
通过 < a href="https://www.vaultproject.io/api-docs/secret/transit#sign-data" rel="nofollow noreferrer">将您的负载作为 input 参数发送

你还得在将数据发送到 Vault 之前对其进行 Base64 处理，以避免二进制编码问题。

因此假设：

您想要对文本 StackOverflow 进行签名
中转后端安装在 transit 下
您的签名密钥名为 my-key

这应该让你开始：

var value = new Dictionary<string, object> { "input", Convert.ToBase64String(Encoding.UTF8.GetBytes("StackOverflow")) } };
var writtenValue = await vaultClient.V1.Secrets.KeyValue.V1.WriteSecretAsync("sign/my-key", value, "transit");

Although Vault offers convenient signature with Transit, the C# wrapper you are using does not support it.

Google KMS does offer signature, but its interface is more complex: you have to do the hash yourself and keep track of the key versions.

What I suggest is that you play a trick on your API wrapper:

Leave your encryption and decryption code as-is
Write to the the Transit backend as if it was a KV store version 1
Get your signature by sending your payload as the input parameter

You still have to base64 your data before sending it to Vault, to avoid binary encoding issues.

So assuming that:

You want to sign the text StackOverflow
The transit back-end is mounted under transit
Your signature key is named my-key

This should get you started:

var value = new Dictionary<string, object> { "input", Convert.ToBase64String(Encoding.UTF8.GetBytes("StackOverflow")) } };
var writtenValue = await vaultClient.V1.Secrets.KeyValue.V1.WriteSecretAsync("sign/my-key", value, "transit");

回复收藏 0 原文

~没有更多了~