Wednesday, August 24, 2022

China Encryption(国密算法)with MySQL

China Encryption Standards 
The Chinese national cryptographic standards (国密) include SM1, SM2, SM3, SM4, SM7, SM9 and others. For the international standards we can rely on publicly available encryption libraries; one of the most common and widely used is OpenSSL.

This tutorial provides the steps for using one "SSL" library that implements the SMx (China Encryption) algorithms, namely BabaSSL, together with MySQL. It is not the only way to adopt the China Encryption Standards with MySQL: a compatible or latest OpenSSL-based library from a China Encryption vendor or source may well work in the same way as documented here.

Environment (for the tutorial sharing)
1. Compute Resource (VM)
2. Operating System - the Compute VM is provisioned with Oracle Linux 8
3. MySQL Community 8.0.x is installed via the public yum repository
4. BabaSSL 8.3 [ BabaSSL 8.3.2-dev ] is used. It is based on OpenSSL 1.1.1h dated 22 Sep 2020

Introduction 
MySQL uses the OpenSSL library to provide the ciphers for TLS encryption of the communication channel. By switching the OpenSSL library to one that implements the China standards, MySQL dynamically picks up the features of the underlying library and can enforce communication using the China Encryption Standard.

Steps 
1. Provision VM and OS/packages update 
2. Download BabaSSL 8.3.2 stable source build for compilation 
3. Compile BabaSSL and Install BabaSSL 
4. Install MySQL 8.0.30 (from yum repository) 
5. Configure TLS with SMx for MySQL 
6. Change system service for mysqld with alternate BabaSSL library path 
7. Reload and restart mysqld service 
8. MySQL (mysql) client with BabaSSL library over TLS with SMx connection 

Provision VM and OS / Packages update
A Compute Instance (VM) is provisioned with Oracle Linux 8. Once the VM is provisioned and ready for connection, log in to the shell terminal and apply the OS and package updates.

Log in from a terminal as follows:
```
ssh -i <privatekey> opc@<public IP>
# sudo yum update
# sudo yum install wget
```

Download BabaSSL 8.3.2 stable source build for compilation
To download the 8.3 stable source zip file, execute the following commands and extract the zip file:

```
# wget https://github.com/Tongsuo-Project/Tongsuo/archive/refs/heads/8.3-stable.zip
# unzip 8.3-stable.zip
```

To compile the source, change directory to the unzipped folder 'Tongsuo-8.3-stable' and execute the commands as follows (the build is done out of tree in a 'bld' sub-directory, so config is run from inside it):

```
# cd Tongsuo-8.3-stable
# mkdir bld
# cd bld
# ../config
# make
```

Install with the command below. This puts BabaSSL into /usr/local/bin and /usr/local/lib64 and the other corresponding default installation paths.

Note : The default installation does not replace the OS's own OpenSSL; it installs into /usr/local as an alternate installation.

```
# sudo make install
```

Finally, edit /etc/profile and append the following line (without a leading '#', which would turn it into a comment):

```
export LD_LIBRARY_PATH=/usr/local/lib64:$LD_LIBRARY_PATH
```

Exit the terminal and log in to the VM again.
Launch a new SSH connection to the Compute VM so that the session picks up the library path appended to /etc/profile.
To check BabaSSL and the SMx ciphers, execute the following commands and validate that BabaSSL is installed:

```
# openssl version
# openssl ciphers -v | grep SM
```

The output should be displayed as follows :
BabaSSL 8.3.2-dev
OpenSSL 1.1.1h  22 Sep 2020

TLS_SM4_GCM_SM3         TLSv1.3 Kx=any      Au=any  Enc=SM4-GCM(128) Mac=AEAD
TLS_SM4_CCM_SM3         TLSv1.3 Kx=any      Au=any  Enc=SM4-CCM(128) Mac=AEAD

Install MySQL 8.0.30 (from yum repository)
On the SSH terminal, execute the following to install the MySQL community repository and then the server:

```
sudo yum install https://dev.mysql.com/get/mysql80-community-release-el8-4.noarch.rpm
sudo yum module disable mysql
sudo dnf install mysql-server
```

Start the mysqld service (without China standards yet), change the password and check the connection status.

- Start the mysqld service
```
sudo systemctl start mysqld
```

- Look up the temporary root password in the server log
```
# sudo cat /var/log/mysqld.log | grep temp
```

- Log in with the 'mysql' client using the temporary password
```
# mysql -uroot -h127.0.0.1 -p
```

- Change the password accordingly and check the status
```
mysql > set password='…..';
mysql > status
```

The SSL line of the status screen shows 'Cipher in use is TLS_AES_256_GCM_SHA384', i.e. a standard AES suite from the system OpenSSL.

Configure TLS with SMx for MySQL
Modify /etc/my.cnf to append the TLS settings with the SMx cipher suites:

```
require_secure_transport=ON
tls_ciphersuites=TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3
tls_version=TLSv1.3
```

Change system service for mysqld with alternate BabaSSL library path
Update mysqld.service and add an Environment line with LD_LIBRARY_PATH so that mysqld loads BabaSSL:
```
sudo vi /etc/systemd/system/multi-user.target.wants/mysqld.service
```

Look up the line "Environment=MYSQLD_PARENT_PID=1" and add the following line after it:
```
Environment=LD_LIBRARY_PATH=/usr/local/lib64
```

Reload and restart mysqld service

Execute the following commands to reload the system services and restart mysqld:
```
sudo systemctl daemon-reload
sudo systemctl restart mysqld
```
Check mysqld.log at /var/log/mysqld.log.
The encrypted-connections message should be displayed correctly.

The log message shows that the TLS connection is configured.

MySQL (mysql) client with BabaSSL library over TLS with SMx connection

To log in to MySQL via TLS with an SMx connection, the 'mysql' client must itself be running with the BabaSSL library. Make sure LD_LIBRARY_PATH includes /usr/local/lib64, then connect the mysql client to the MySQL Server:

```
mysql -uroot -h127.0.0.1 -P3306 -p -e "status;"
```

The SSL line of the status screen now shows 'Cipher in use is TLS_SM4_GCM_SM3'.

Execute the following SQL commands with the mysql client:

```
mysql > show variables like '%tls%';
mysql > show status like '%tls%';
```
The output should look as follows :

mysql> show variables like '%tls%';
+------------------------+---------------------------------+
| Variable_name          | Value                           |
+------------------------+---------------------------------+
| admin_tls_ciphersuites |                                 |
| admin_tls_version      | TLSv1.2,TLSv1.3                 |
| tls_ciphersuites       | TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3 |
| tls_version            | TLSv1.3                         |
+------------------------+---------------------------------+
4 rows in set (0.00 sec)

mysql> show status like '%tls%';
+--------------------------+---------------------------------+
| Variable_name            | Value                           |
+--------------------------+---------------------------------+
| Current_tls_ca           | ca.pem                          |
| Current_tls_capath       |                                 |
| Current_tls_cert         | server-cert.pem                 |
| Current_tls_cipher       |                                 |
| Current_tls_ciphersuites | TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3 |
| Current_tls_crl          |                                 |
| Current_tls_crlpath      |                                 |
| Current_tls_key          | server-key.pem                  |
| Current_tls_version      | TLSv1.3                         |
| Tls_library_version      | OpenSSL 1.1.1h  22 Sep 2020     |
+--------------------------+---------------------------------+
10 rows in set (0.01 sec)

The MySQL Server and client on the VM are now running with BabaSSL 8.3.2 over an SMx TLS connection.
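As an added check, not part of the original post, the script below verifies the three outputs the tutorial inspects (openssl ciphers -v, SHOW VARIABLES LIKE '%tls%' and SHOW STATUS LIKE '%tls%') and only reports success when the server is pinned to TLSv1.3 with the SM4/SM3 suites and the BabaSSL-based library string; the samples embedded in it are constructed from the outputs shown above, and the "before" status uses a placeholder library string.

```shell
#!/bin/sh
# Added verification helper (not from the original post). Inputs are passed as
# text so captured output can be fed in; samples are constructed from the post.

# 0 when both SM4 TLSv1.3 suites appear in `openssl ciphers -v` output.
sm_suites_present() {
    printf '%s\n' "$1" | grep -q '^TLS_SM4_GCM_SM3 ' &&
    printf '%s\n' "$1" | grep -q '^TLS_SM4_CCM_SM3 '
}

# Print the trimmed Value column for variable $1 from a mysql table ($2).
mysql_value() {
    printf '%s\n' "$2" | awk -F'|' -v k="$1" \
        '$2 ~ ("^ *" k " *$") { gsub(/^ +| +$/, "", $3); print $3 }'
}

# 0 when the server is pinned to TLSv1.3 with the SM4/SM3 suites and reports
# the BabaSSL-based library string; 1 otherwise, e.g. when mysqld was started
# against the system OpenSSL, which offers no SM4 TLS suites.
server_uses_smx() {
    [ "$(mysql_value tls_version "$1")" = TLSv1.3 ] || return 1
    [ "$(mysql_value Current_tls_version "$2")" = TLSv1.3 ] || return 1
    [ "$(mysql_value Current_tls_ciphersuites "$2")" = \
        TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3 ] || return 1
    mysql_value Tls_library_version "$2" | grep -q 'OpenSSL 1.1.1h'
}

# Constructed samples (rows taken from the outputs shown in the post).
CIPHERS='TLS_SM4_GCM_SM3         TLSv1.3 Kx=any      Au=any  Enc=SM4-GCM(128) Mac=AEAD
TLS_SM4_CCM_SM3         TLSv1.3 Kx=any      Au=any  Enc=SM4-CCM(128) Mac=AEAD'
VARS='| tls_ciphersuites       | TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3 |
| tls_version            | TLSv1.3                         |'
STATUS='| Current_tls_ciphersuites | TLS_SM4_GCM_SM3:TLS_SM4_CCM_SM3 |
| Current_tls_version      | TLSv1.3                         |
| Tls_library_version      | OpenSSL 1.1.1h  22 Sep 2020     |'
# Constructed "before" status: defaults seen before the SMx settings are applied
# (no suites pinned, TLSv1.2 still allowed); the library string is a placeholder.
STATUS_BEFORE='| Current_tls_ciphersuites |                                 |
| Current_tls_version      | TLSv1.2,TLSv1.3                 |
| Tls_library_version      | OpenSSL 1.1.1x (system, placeholder) |'

if sm_suites_present "$CIPHERS" && server_uses_smx "$VARS" "$STATUS"; then
    echo "SMx TLS configuration confirmed"
else
    echo "SMx TLS configuration NOT in effect" >&2
fi
```

The SHOW VARIABLES output above also shows admin_tls_version still at its default TLSv1.2,TLSv1.3 with admin_tls_ciphersuites unset; if the administrative interface (admin_address) is enabled, it needs the same pinning.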


References 
https://zhuanlan.zhihu.com/p/132352160 
https://github.com/Tongsuo-Project/Tongsuo
https://dev.mysql.com/downloads/repo/yum/
