Openssl engine support - revisited #915
Conversation
- Clients can now offload crypto tasks to an external crypto device through the OpenSSL ENGINE API. - The keyfiles can now be treated as PEM or ENGINE keys. - Two new functions were added to libmosquitto to set up the previously mentioned features. - Both mosquitto_sub and mosquitto_pub include support to turn on the mentioned features through command line options. Signed-off-by: Nicolás Pernas Maradei <[email protected]>
Add same OpenSSL engine support to mosquitto (server side) previously added to client side only. Signed-off-by: Nicolás Pernas Maradei <[email protected]>
Some OpenSSL engines (selectable via tls_engine option) may require a password to make use of private keys created with them in the first place. The TPM engine for example, will require a password to access the underlying TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys associated with a TPM; it is generated within a TPM and is a non-migratable key. Each owned TPM contains a SRK, generated by the TPM at the request of the Owner. [1] By default, the engine will prompt the user to introduce the SRK password before any private keys created with the engine can be used. This could be inconvenient when running on an unattended system. Here's where the new tls_engine_kpass_sha option comes in handy. The user can specify a SHA1 hash of its engine private key password via command line or config file and it will be passed on to the engine directly. This commit adds support for both clients (libmosquitto) and broker. [1] https://goo.gl/qQoXBY Signed-off-by: Nicolás Pernas Maradei <[email protected]>
nicopernas
force-pushed
the
openssl_engine
branch
from
c01767c
to
f26b197
Compare
|
Maybe close #202 ? ;) |
|
Hi, What is the status of this PR and what would be needed to merge it? Regards, |
|
I sent out this PR not too long ago and at that time, everything was working as expected. Not sure why it did not get merged yet. I would guess the lack of automated tests would be the main reason though. |
|
The reason it hasn't been merged yet is because I want to fully understand what I'm merging and other more pressing work has got in the way. It'll be in 1.6. |
|
This is now finally merged in 20894fc , I've modified it a bit to fit in with other changes, but they are mostly cosmetic. Thanks for your contribution! |
These changes were originally proposed on this other PR (#202) about 2 years ago. This is a revisited version, since the original was way behind the
developbranch and I don't have access to the forked repo where the original PR comes from. Please read the motivations behind these changes there.I've extended the original changes with an extra commit on top, to add support for a feature that enables passing on private key passwords to the engine to avoid the user from being prompted. Feel free to ignore it if you think it's not so helpful.
The testing I've done is not great, since I could not find a way to automate the openssl engine part of it. I thought I could come up with a mock-up engine or maybe find one out there but I was not so lucky. What I ended up doing was pretty much the same as with my original PR: setting up a very convoluted environment where I could manually test both clients and broker talking to each other.
The tests included within the repo are all passing with the exception of
./06-bridge-b2br-remapping.pyand./08-ssl-bridge.pywhich are also failing on thedevelopbranch, so I left them out temporarily when running them. I am not disabling them on this PR.The manual testing mentioned above involves a TPM emulator, TrouSerS and a TPM OpenSSL engine. Ideally, I would have used a simpler environment or even a real one (a board with a real TPM) but unfortunately, I don't have access to such HW these days.
TPM emulator
I've downloaded and built this tpm-emulator by following the steps on the README file. I then ran it like this:
TrouSerS
On top of the emulated TPM device, we need the TrouSerS stack (TSS) so the OpenSSL engine can talk to the TPM. I realised the binaries were available in Ubuntu's repos so I got them from there. Make sure to use the
-eoption sotcsdcan communicate to the TPM emulator via socket.TPM tools
We also need the tpm-tools to operate with the TPM. There's a README file included that explains how to build and install them.
Once built and installed, we have to "take ownership" and create a Storage Root Key (SRK) by using the
tpm_takeownershipcommand. The tool prompts for a SRK and owner password - I used the same on both cases for the sake of testing.OpenSSL TPM engine
I've gotten the openssl-tpm-engine and built it following the included instructions. The repo includes a piece of OpenSSL config file (
openssl.cnf.sample) that I used in order to make the engine visible toopenssl. Note thedynamic_pathpoints to wherelibtpm.sowas installed.The TPM engine was then visible and usable:
Keys
I then had to create a few keys. First, a private key using the TPM engine, with the
create_tpm_keycommand (included in openssl-tpm-engine). The SRK password is required.With the TPM private key and making use of the testing CA included with the mosquitto testing code, I created new signing requests and certificates for both clients and server.
Running the actual test
In this case, I am running both
subandpubclients and the broker using the TPM engine. Please note this is not required, as in, only the client side could be using the TPM engine for example. However and for the sake of testing all components at the same time, I'm doing it this way.Also, note how the TPM prompts me for the SRK password every time I want to use the private key generate it with it. This time, I'm using the
tls_engine_kpass_shaoption to avoid that.My super secure SRK password is
nicoand this is theSHA1hash I'm using.I tried to stick with your coding style as much as I could. I'm open to accept any suggestion you may have regarding variable naming, where the code was placed or anything you wanna bring up.
Thanks,
Nico.