Add support for SSL/TLS client authentication #169
Conversation
rvdgracht
changed the title
Add support for mutual TLS authentication. This is the preferred method of authentication for bosch-iot-suite and the only one that allows you to keep the authenticator in a (f)TPM. Optionally, an Openssl engine can be configured if required for access to the ssl private key. Signed-off-by: Robin van der Gracht <robin@protonic.nl>
|
When using an ssl engine with a slow secure key storage, i.e. OPTEE with pkcs11 TA on a stm32mp151 setting up a TLS connection can take some time (I've seen 5 to 50 seconds). Because rauc-hawkbit-updater creates a new connection to the server for EVERY status update and poll, this can be cumbersome. For that I've opened a different pull request with a change that keeps the connection open between request. See PR #170 |
|
Did you see #166? My understanding is that this PR is quite similar. |
There was a problem hiding this comment.
The changes look good to me, although very similar to #166.
This does not support HTTP streaming installation (stream_bundle = true), right? #166 seems to support this, although I don't really see how. I would have expected that the tls-cert, tls-key, tls-ca arguments would be set in RAUC's InstallBundle(). Would you be willing to add client cert authentication support for HTTP streaming installations?
#166 also contains tests for client cert authentication. It would like to have them included here.
If you don't use the HTTP streaming feature, cherry-picking the test without streaming support would be a way forward. #166 could then be rebased to add HTTP streaming support later.
rvdgracht
force-pushed
the
master-tls
branch
from
ba2ee23
to
5d6dc86
Compare
Yes. At the last moment when I was creating the PR.
We're not actually using the streaming installation feature, but I added it anyway. The mtls test is heavily based on the work of @flobz (Florain Bezannier). |
rvdgracht
force-pushed
the
master-tls
branch
from
5d6dc86
to
2ce23ff
Compare
|
#166 isn't stale I'm waiting for @Bastian-Krause final review :) |
|
@rvdgracht Thanks for adding streaming support and testing. Do you want to have a look at the failing tests or should I? |
|
The overall approach looks good to me, once the test failures and the heap-use-after-free are solved, I can fix up some minor Python formatting and maybe simplify a thing or two. Then, this should be ready. |
Signed-off-by: Robin van der Gracht <robin@protonic.nl>
libcairo2-dev is required for building the pycairo wheel which is a dependency for pygobject. Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Dictionaries can't contain multiple items with the same key. This prevents removal of multiple options from the same config section. Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl>
This option makes Hawkbit take the x-forward headers into account. Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Signed-off-by: Florian Bezannier <florian.bezannier@hotmail.fr> Signed-off-by: Robin van der Gracht <robin@protonic.nl>
Based on the work of Florain Bezannier. Changes are that the client key and certificate are now provided to the rauc_dbus_dummy by rauc-hawkbit-updater through arguments of the InstallBundle method call (for streaming installations). This also removes the need for a separate mtls rauc_dbus_dummy fixture. Signed-off-by: Robin van der Gracht <robin@protonic.nl>
|
@Bastian-Krause I found and fixed the heap-use-after-free. |
Add support for mutual TLS authentication. This is the preferred method of authentication for bosch-iot-suite and the only one that allows you to keep the authenticator in a (f)TPM.
Optionally, an Openssl engine can be configured if required for access to the ssl private key.