Add support for SSL/TLS client authentication #169
Conversation
rvdgracht
changed the title
|
When using an ssl engine with a slow secure key storage, i.e. OPTEE with pkcs11 TA on a stm32mp151 setting up a TLS connection can take some time (I've seen 5 to 50 seconds). Because rauc-hawkbit-updater creates a new connection to the server for EVERY status update and poll, this can be cumbersome. For that I've opened a different pull request with a change that keeps the connection open between request. See PR #170 |
|
Did you see #166? My understanding is that this PR is quite similar. |
There was a problem hiding this comment.
The changes look good to me, although very similar to #166.
This does not support HTTP streaming installation (stream_bundle = true), right? #166 seems to support this, although I don't really see how. I would have expected that the tls-cert, tls-key, tls-ca arguments would be set in RAUC's InstallBundle(). Would you be willing to add client cert authentication support for HTTP streaming installations?
#166 also contains tests for client cert authentication. It would like to have them included here.
If you don't use the HTTP streaming feature, cherry-picking the test without streaming support would be a way forward. #166 could then be rebased to add HTTP streaming support later.
rvdgracht
force-pushed
the
master-tls
branch
from
ba2ee23 to
5d6dc86
Compare
Yes. At the last moment when I was creating the PR.
We're not actually using the streaming installation feature, but I added it anyway. The mtls test is heavily based on the work of @flobz (Florain Bezannier). |
rvdgracht
force-pushed
the
master-tls
branch
from
5d6dc86 to
2ce23ff
Compare
|
#166 isn't stale I'm waiting for @Bastian-Krause final review :) |
|
@rvdgracht Thanks for adding streaming support and testing. Do you want to have a look at the failing tests or should I? |
|
The overall approach looks good to me, once the test failures and the heap-use-after-free are solved, I can fix up some minor Python formatting and maybe simplify a thing or two. Then, this should be ready. |
|
@Bastian-Krause I found and fixed the heap-use-after-free. |
This is preparation for a new authentication method mTLS being introduced in a future commit. Move the SSL options up, so mTLS options can be added before bailing out due to no valid authentication option set. Also move the existence check for auth/gateway token into a new variable, so we can check for them in a combined fashion. Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
Add support for mutual TLS authentication. This is the preferred method of authentication for bosch-iot-suite.com's hawkBit instance and the only one that allows keeping the authenticator in a (f)TPM. Optionally, an OpenSSL engine can be configured if required for access to the SSL private key. Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
This works by passing the client key and cert on to RAUC's "tls-key"/"tls-cert" properties. Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
A future commit will set up a nginx reverse proxy between rauc-hawkbit-updater and hawkbit for mTLS testing. server.forward-headers-strategy=NATIVE makes Hawkbit take the X-Forwarded-For/X-Forwarded-Proto headers into account. Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
Inspired by https://eclipse.dev/hawkbit/concepts/authentication/ . The files in test/pki/ were generated by running this command in the repository's root directory: $ test/gen_pki.sh test/pki Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <basti@randomprojects.de>
Inspired by https://eclipse.dev/hawkbit/concepts/authentication/, add options to the nginx proxy configuration for mTLS tests and some new infrastructure fixtures to make use of this feature in a future commit. Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
Based on the work of Florain Bezannier. Client key and certificate are now provided to rauc_dbus_dummy by rauc-hawkbit-updater through arguments of the InstallBundle method call (for streaming installations). This also removes the need for a separate mTLS rauc_dbus_dummy fixture. Signed-off-by: Robin van der Gracht <robin@protonic.nl> Signed-off-by: Bastian Krause <bst@pengutronix.de>
Bastian-Krause
force-pushed
the
master-tls
branch
from
36b6361 to
3493b80
Compare
|
I have reworked the patches:
|
Add support for mutual TLS authentication. This is the preferred method of authentication for bosch-iot-suite and the only one that allows you to keep the authenticator in a (f)TPM.
Optionally, an Openssl engine can be configured if required for access to the ssl private key.