Openssl engine support - revisited #915
Closed
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes were originally proposed on this other PR (#202) about 2 years ago. This is a revisited version, since the original was way behind the
develop
branch and I don't have access to the forked repo where the original PR comes from. Please read the motivations behind these changes there.I've extended the original changes with an extra commit on top, to add support for a feature that enables passing on private key passwords to the engine to avoid the user from being prompted. Feel free to ignore it if you think it's not so helpful.
The testing I've done is not great, since I could not find a way to automate the openssl engine part of it. I thought I could come up with a mock-up engine or maybe find one out there but I was not so lucky. What I ended up doing was pretty much the same as with my original PR: setting up a very convoluted environment where I could manually test both clients and broker talking to each other.
The tests included within the repo are all passing with the exception of
./06-bridge-b2br-remapping.py
and./08-ssl-bridge.py
which are also failing on thedevelop
branch, so I left them out temporarily when running them. I am not disabling them on this PR.The manual testing mentioned above involves a TPM emulator, TrouSerS and a TPM OpenSSL engine. Ideally, I would have used a simpler environment or even a real one (a board with a real TPM) but unfortunately, I don't have access to such HW these days.
TPM emulator
I've downloaded and built this tpm-emulator by following the steps on the README file. I then ran it like this:
TrouSerS
On top of the emulated TPM device, we need the TrouSerS stack (TSS) so the OpenSSL engine can talk to the TPM. I realised the binaries were available in Ubuntu's repos so I got them from there. Make sure to use the
-e
option sotcsd
can communicate to the TPM emulator via socket.TPM tools
We also need the tpm-tools to operate with the TPM. There's a README file included that explains how to build and install them.
Once built and installed, we have to "take ownership" and create a Storage Root Key (SRK) by using the
tpm_takeownership
command. The tool prompts for a SRK and owner password - I used the same on both cases for the sake of testing.OpenSSL TPM engine
I've gotten the openssl-tpm-engine and built it following the included instructions. The repo includes a piece of OpenSSL config file (
openssl.cnf.sample
) that I used in order to make the engine visible toopenssl
. Note thedynamic_path
points to wherelibtpm.so
was installed.The TPM engine was then visible and usable:
Keys
I then had to create a few keys. First, a private key using the TPM engine, with the
create_tpm_key
command (included in openssl-tpm-engine). The SRK password is required.With the TPM private key and making use of the testing CA included with the mosquitto testing code, I created new signing requests and certificates for both clients and server.
Running the actual test
In this case, I am running both
sub
andpub
clients and the broker using the TPM engine. Please note this is not required, as in, only the client side could be using the TPM engine for example. However and for the sake of testing all components at the same time, I'm doing it this way.Also, note how the TPM prompts me for the SRK password every time I want to use the private key generate it with it. This time, I'm using the
tls_engine_kpass_sha
option to avoid that.My super secure SRK password is
nico
and this is theSHA1
hash I'm using.I tried to stick with your coding style as much as I could. I'm open to accept any suggestion you may have regarding variable naming, where the code was placed or anything you wanna bring up.
Thanks,
Nico.